o %zhRn@stdZddlmZmZmZmZddlmZddlm Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlmZddlmZmZdd lmZdd lmZmZmZdd lmZmZmZmZdd l m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;mZ>ddl?m@Z@mAZAmBZBmCZCGddde*ZDGddde*ZEGddde*ZFGddde0ZGGddde3ZHGddde4ZIGddde"ZJGddde3ZKGdd d e7ZLed!d"ZMGd#d$d$e%ZNGd%d&d&e.ZOGd'd(d(e3ZPGd)d*d*e6ZQGd+d,d,e4ZRGd-d.d.e%ZSGd/d0d0e3ZTGd1d2d2e%ZUGd3d4d4e%ZVGd5d6d6e%ZWGd7d8d8e5ZXGd9d:d:e5ZYGd;d<dd>e4Z[Gd?d@d@e3Z\GdAdBdBe3Z]GdCdDdDe4Z^GdEdFdFe3Z_GdGdHdHe4Z`GdIdJdJe%ZaGdKdLdLe%ZbGdMdNdNe5ZcGdOdPdPe4ZdGdQdRdRe5ZeGdSdTdTe3ZfGdUdVdVe6ZgGdWdXdXe3ZhGdYdZdZe%ZiGd[d\d\e+ZjGd]d^d^e+ZkGd_d`d`e3ZlGdadbdbe4ZmGdcdddde3ZnGdedfdfe3ZoGdgdhdhe%ZpGdidjdje4ZqGdkdldle%ZrGdmdndne3ZsGdodpdpe3ZtGdqdrdre3ZuGdsdtdte%ZvGdudvdve"ZwGdwdxdxe3ZxGdydzdze4ZyGd{d|d|e3ZzGd}d~d~e3Z{Gddde4Z|Gddde%Z}Gddde4Z~Gddde3ZGddde3ZGddde.ZGddde3ZGddde4ZGddde.ZGddde3ZGddde4ZGddde3ZGddde4ZGddde3ZGddde.ZGddde4ZGddde.ZGddde3ZGddde4ZGddde4ZGddde4ZGddde3ZGddde"ZGddde+ZGddde3ZGddde6ZGddde3ZGddde3ZGddde6ZGddde'ZGddde'ZGddde'ZGddde'ZGdd„de'ZGddĄde'ZGddƄde3ZGddȄde3ZGddʄde'ZGdd̄de3ZGdd΄de3ZGddЄde6ZGdd҄de.ZGddԄde6ZGddքde6ZGdd؄de6ZGddڄde3ZGdd܄de6ZGddބde3ZGddde4ZGddde.ZGddde3ZGddde4ZGddde3ZGddde3ZGddde4ZGddde4ZGddde3ZGddde&ZdS)z ASN.1 type classes for X.509 certificates. Exports the following items: - Attributes() - Certificate() - Extensions() - GeneralName() - GeneralNames() - Name() Other type classes are defined that help compose the types listed above. )unicode_literalsdivisionabsolute_importprint_function)contextmanager)idnaN)unwrap) iri_to_uri uri_to_iri) OrderedDict) type_namestr_cls bytes_to_list)AlgorithmIdentifierAnyAlgorithmIdentifierDigestAlgorithmSignedDigestAlgorithm)Any BitString BMPStringBooleanChoiceConcat EnumeratedGeneralizedTime GeneralString IA5StringIntegerNull NumericStringObjectIdentifierOctetBitString OctetStringParsableOctetStringPrintableStringSequence SequenceOfSetSetOf TeletexStringUniversalStringUTCTime UTF8String VisibleStringVOID) PublicKeyInfo) int_to_bytesint_from_bytes inet_ntop inet_ptonc@s,eZdZdZdZddZddZddZd S) DNSNamer cC ||k SNselfotherr;r;J/var/www/html/kangema/venv/lib/python3.10/site-packages/asn1crypto/x509.py__ne__L zDNSName.__ne__cCs&t|tsdS||kS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.2 :param other: Another DNSName object :return: A boolean F) isinstancer5 __unicode__lowerr<r;r;r?__eq__O zDNSName.__eq__cCs|t|tsttdt|t||dr#d|dd|j}n||j}||_||_ d|_ |j dkr other_mailboxother_hostnamerlrmr;r;r?rEs     zEmailAddress.__eq__) rVrWrXrdrerYpropertyrPsetterrUrCr@rEr;r;r;r?rcs    rcc@s:eZdZd ddZddZeddZdd Zd d ZdS) IPAddressNcCs ttd)z? This method is not applicable to IP addresses z= IP address values can not be parsed ) ValueErrorr )r=spec spec_paramsr;r;r?parse'szIPAddress.parsec CsTt|tsttdt|t||}|ddk}d}|r;|dd}|d}t|d}|dkr;ttdt||ddkrUt j }|dkrRttd t|d}nt j }|d krettd t|d }d }|rd |} | d|t | 7} t t| d}d|dt ||}||_t||||_|j|_d|_|jd krd |_dSdS)z Sets the value of the object :param value: A unicode string containing an IPv4 address, IPv4 address with CIDR, an IPv6 address or IPv6 address with CIDR rG/rgrrzT %s value contains a CIDR range less than 0 :z %s value contains a CIDR range bigger than 128, the maximum value for an IPv6 address z %s value contains a CIDR range bigger than 32, the maximum value for an IPv4 address rJ10N)rBrrKr r rjsplitintrusocketAF_INET6AF_INETlenr1_nativer4rP_bytesrQrR) r=rSoriginal_valuehas_cidrcidrpartsfamily cidr_size cidr_bytes cidr_maskr;r;r?rU2s\     z IPAddress.setcCs|jdurdS|jdurp|}t|}d}d}|tddgvr7ttj|dd}|dkr6t|dd}n|tddgvrUttj |dd}|dkrUt|dd}|durmd |}t| d}|d t |}||_|jS) z The native Python datatype representation of this value :return: A unicode string or None Nr|rrz{0:b}r~ry) rPr __bytes__rrUr3rrr2rformatrstripr)r= byte_stringbyte_lenrScidr_int cidr_bitsrr;r;r?r]ys,   zIPAddress.nativecCr9r:r;r<r;r;r?r@rAzIPAddress.__ne__cCst|tsdS||kS)zl :param other: Another IPAddress object :return: A boolean F)rBrtrr<r;r;r?rEs zIPAddress.__eq__)NN) rVrWrXrxrUrrr]r@rEr;r;r;r?rt&s  G  rtc@s"eZdZdefdedeifgZdS) AttributetypevaluesrvN)rVrWrXr!r)r_fieldsr;r;r;r?r rc@eZdZeZdS) AttributesN)rVrWrXr _child_specr;r;r;r?rrc @$eZdZddddddddd d Zd S) KeyUsagedigital_signaturenon_repudiationkey_enciphermentdata_encipherment key_agreement key_cert_signcrl_sign encipher_only decipher_only rrrrrNrVrWrX_mapr;r;r;r?r rc@,eZdZdedddfdedddfgZdS)PrivateKeyUsagePeriod not_beforerTimplicitoptional not_afterrN)rVrWrXrrr;r;r;r?rrc@seZdZdZdZddZdS)NotReallyTeletexStringa6 OpenSSL (and probably some other libraries) puts ISO-8859-1 into TeletexString instead of ITU T.61. We use Windows-1252 when decoding since it is a superset of ISO-8859-1, and less likely to cause encoding issues, but we stay strict with encoding to prevent us from creating bad data. rncCs0|jdurdS|jdur||j|_|jSr^)rPrOraro_decoding_encodingrbr;r;r?rCs  z"NotReallyTeletexString.__unicode__N)rVrWrX__doc__rrCr;r;r;r?rs rccs$z dt_dVWdt_dSdt_w)Nteletexrn)rrr;r;r;r?strict_teletexs rc@s4eZdZdefdefdefdefdefdefgZ dS)DirectoryStringteletex_stringprintable_stringuniversal_string utf8_string bmp_string ia5_stringN) rVrWrXrr%r+r-rr _alternativesr;r;r;r?rsrc@seZdZiddddddddd d d d d ddddddddddddddddddd d!d"id#d$d%d&d'd(d)d*d+d,d-d.d/d0d1d2d3d4d5d6d7d8d9d:d;d<d=d>d?d@dAdBdCdDZgdEZedFdGZedHdIZdJS)KNameTypez2.5.4.3 common_namez2.5.4.4surnamez2.5.4.5 serial_numberz2.5.4.6 country_namez2.5.4.7 locality_namez2.5.4.8state_or_province_namez2.5.4.9street_addressz2.5.4.10organization_namez2.5.4.11organizational_unit_namez2.5.4.12titlez2.5.4.15business_categoryz2.5.4.17 postal_codez2.5.4.20telephone_numberz2.5.4.41namez2.5.4.42 given_namez2.5.4.43initialsz2.5.4.44generation_qualifierz2.5.4.45unique_identifierz2.5.4.46 dn_qualifierz2.5.4.65 pseudonymz2.5.4.97organization_identifierz 2.23.133.2.1tpm_manufacturerz 2.23.133.2.2 tpm_modelz 2.23.133.2.3 tpm_versionz 2.23.133.2.4platform_manufacturerz 2.23.133.2.5platform_modelz 2.23.133.2.6platform_versionz1.2.840.113549.1.9.1 email_addressz1.3.6.1.4.1.311.60.2.1.1incorporation_localityz1.3.6.1.4.1.311.60.2.1.2incorporation_state_or_provincez1.3.6.1.4.1.311.60.2.1.3incorporation_countryz0.9.2342.19200300.100.1.1user_idz0.9.2342.19200300.100.1.25domain_componentz0.2.262.1.10.7.20name_distinguisher)!rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrcCs:||}||jvr|j|}||fSt|j}||fS)z Returns an ordering value for a particular attribute key. Unrecognized attributes and OIDs will be sorted lexically at the end. :return: An orderable value. )mappreferred_orderindexr)cls attr_nameordinalr;r;r?preferred_ordinalKs   zNameType.preferred_ordinalcCsiddddddddd d d d d ddddddddddddddddddd d!d"id#d$d%d&d'd(d)d*d+d,d-d.d/d0d1d2d3d4d5d6d7d8d9d:d;d<d=d>d?d@dAdBdCdD|j|jS)EzZ :return: A human-friendly unicode string to display to users rz Common NamerSurnamerz Serial NumberrCountryrLocalityrzState/ProvincerzStreet Addressr OrganizationrzOrganizational UnitrTitlerzBusiness Categoryrz Postal CoderzTelephone NumberrNamerz Given NamerInitialsrzGeneration QualifierrzUnique Identifierrz DN Qualifierr Pseudonymrz Email AddressrzIncorporation LocalityrzIncorporation State/ProvincerzIncorporation CountryrzDomain ComponentrzName DistinguisherrzOrganization IdentifierrzTPM Manufacturerrz TPM Modelrz TPM VersionrzPlatform ManufacturerrzPlatform ModelrzPlatform VersionrzUser ID)getr]rbr;r;r?human_friendly_s      !" #zNameType.human_friendlyN) rVrWrXrr classmethodrrrrr;r;r;r?rs      !"$&(.$ rc@seZdZdefdefgZdZidededededed ed ed ed ed edededededededeide dedede dededede dedede d e d!e d"e d#e d$e d%eZ d&Zed'd(Zd)d*Zd+d,Zd-d.Zd&S)/NameTypeAndValuerrSrrSrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrNcCs"|jdur||dj|_|jS)z Returns the value after being processed by the internationalized string preparation as specified by RFC 5280 :return: A unicode string NrS)_prepped_ldap_string_prepr]rbr;r;r? prepped_values zNameTypeAndValue.prepped_valuecCr9r:r;r<r;r;r?r@rAzNameTypeAndValue.__ne__cCs2t|tsdS|dj|djkrdS|j|jkS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.1 :param other: Another NameTypeAndValue object :return: A boolean Fr)rBrr]rr<r;r;r?rEs  zNameTypeAndValue.__eq__cCstdd|}tdd|}tjdkrtdd|}ntdd|}tdd|}|d d}td d|}dttj|}t d |}|D]C}t |rTt t d t|r_t t d t|rjt t dt|rut t dt|rt t d|dkrt t dqGd}d}|D]}t|rd}qt|rd}q|rt|d}t|d}|s|r|st t ddtdd|d}|S)a" Implements the internationalized string preparation algorithm from RFC 4518. https://tools.ietf.org/html/rfc4518#section-2 :param string: A unicode string to prepare :return: A prepared unicode string, ready for comparison u[­᠆͏᠋-᠍️-＀]+r`u [ …] iu[-]|[-]|󠀁u[𝅳-𝅺󠀠-󠁿󠀁]u?[---„†-Ÿ۝܏᠎‌-‏‪-‮⁠-⁣--]+u​u[   - 
-
   ]NFKCzc X.509 Name objects may not contain unassigned code points z X.509 Name objects may not contain change display or zzzzdeprecated characters zc X.509 Name objects may not contain private use characters zf X.509 Name objects may not contain non-character code points zb X.509 Name objects may not contain surrogate code points u�zf X.509 Name objects may not contain the replacement character FTrrgz{ X.509 Name object contains a malformed bidirectional sequence z +z )resubsys maxunicodereplacejoinr stringprep map_table_b2 unicodedata normalize in_table_a1rur in_table_c8 in_table_c3 in_table_c4 in_table_c5 in_table_d1 in_table_d2strip)r=stringcharhas_r_and_al_cat has_l_catfirst_is_r_and_allast_is_r_and_alr;r;r?rsr             z"NameTypeAndValue._ldap_string_prep)rVrWrXrrr _oid_pairrr%r"rcr5r- _oid_specsrrrrr@rErr;r;r;r?rs      !"#$'   rc@s<eZdZeZeddZddZddZddZ d d Z d S) RelativeDistinguishedNamecCs@g}||}t|D] }|d|||fq d|S)b :return: A unicode string that can be used as a dict key or in a set %s: %s) _get_valuessortedkeysappendr )r=outputrkeyr;r;r?hashablePs   z"RelativeDistinguishedName.hashablecCr9r:r;r<r;r;r?r@`rAz RelativeDistinguishedName.__ne__cCszt|tsdSt|t|krdS||}||}||kr!dS||}||}|D] }||||kr:dSq-dS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.1 :param other: Another RelativeDistinguishedName object :return: A boolean FT)rBr"r _get_typesr&)r=r> self_types other_types self_values other_values type_name_r;r;r?rEcs     z RelativeDistinguishedName.__eq__cCstdd|DS)z Returns a set of types contained in an RDN :param rdn: A RelativeDistinguishedName object :return: A set object with unicode strings of NameTypeAndValue type field values cSsg|]}|djqSrr].0ntvr;r;r? z8RelativeDistinguishedName._get_types..)rUr=rdnr;r;r?r-s z$RelativeDistinguishedName._get_typescsifdd|DS)a$ Returns a dict of prepped values contained in an RDN :param rdn: A RelativeDistinguishedName object :return: A dict object with unicode strings of NameTypeAndValue value field values that have been prepped for comparison cs$g|]}|dj|jfgqSr3)updater]rr5r*r;r?r8s$z9RelativeDistinguishedName._get_values..r;r:r;r=r?r&s z%RelativeDistinguishedName._get_valuesN) rVrWrXrrrrr,r@rEr-r&r;r;r;r?r"Ms  r"c@s,eZdZeZeddZddZddZdS) RDNSequencecCsddd|DS)r#css|]}|jVqdSr:)r,)r6r;r;r;r? sz'RDNSequence.hashable..)r rbr;r;r?r,s zRDNSequence.hashablecCr9r:r;r<r;r;r?r@rAzRDNSequence.__ne__cCsJt|tsdSt|t|krdSt|D] \}}|||kr"dSqdS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.1 :param other: Another RDNSequence object :return: A boolean FT)rBr>r enumerate)r=r>rself_rdnr;r;r?rEs  zRDNSequence.__eq__N) rVrWrXr"rrrr,r@rEr;r;r;r?r>s   r>c@seZdZdefgZdZdZdZedddZ e ddZ dd Z d d Z d d Ze ddZe ddZddZe ddZe ddZdS)rr`NFc Csg}|s d}t}nd}t}tt|ddd}|D]A\}}t|}|dkr/t|}n"|dkr8t|}n|t gdvrIt dt|d }nt |||d }| t t ||d gq|d t|d S) aY Creates a Name object from a dict of unicode string keys and values. The keys should be from NameType._map, or a dotted-integer OID unicode string. :param name_dict: A dict of name information, e.g. {"common_name": "Will Bond", "country_name": "US", "organization_name": "Codex Non Sufficit LC"} :param use_printable: A bool - if PrintableString should be used for encoding instead of UTF8String. This is for backwards compatibility with old software. :return: An x509.Name object rrcSst|dS)Nr)rr)itemr;r;r?szName.build..)r+rr)rrr)rrSrr`)r-r%r r'itemsrrrcr5rUrr)r"rr>) r name_dict use_printablerdns encoding_nameencoding_classattribute_nameattribute_valuerSr;r;r?buildsD    z Name.buildcCs|jjS)r#)chosenr,rbr;r;r?r,sz Name.hashablecCs t|jSr:)rrNrbr;r;r?__len__rAz Name.__len__cCr9r:r;r<r;r;r?r@rAz Name.__ne__cCst|tsdS|j|jkS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.1 :param other: Another Name object :return: A boolean F)rBrrNr<r;r;r?rE!s  z Name.__eq__cCs|jdur?t|_|jjD]1}|D],}|d}||jvr6|j|}t|ts.|g}|j|<||dq|d|j|<qq |jS)NrrS)rr rNr]rBlistr))r=r;type_val field_nameexistingr;r;r?r]0s      z Name.nativecCs|jdurt}d}|jD])}|D]$}|dj}|}||vr/||g||<|||dq|d||<qq g}|}|dkrGtt|}|D]}||} || } |d|| fqId} |D] } | ddkrod } nqb| std nd } | |ddd|_|jS) zg :return: A human-friendly unicode string containing the parts of the name NrrSrr$F,rgT, z; ) _human_friendlyr rNrr)r(reversedrP_recursive_humanizerjr )r=data last_fieldr;rQrRto_joinr(r+rS native_value has_commaelement separatorr;r;r?r@s:      zName.human_friendlycs,t|trdtfdd|DS|jS)z Recursively serializes data compiled from the RDNSequence :param value: An Asn1Value object, or a list of Asn1Value objects :return: A unicode string rUcsg|]}|qSr;)rX)r6 sub_valuerbr;r?r8tr9z,Name._recursive_humanize..)rBrPr rWr]r\r;rbr?rXgs zName._recursive_humanizecC$|jdurt||_|jS)zZ :return: The SHA1 hash of the DER-encoded bytes of this name N_sha1hashlibsha1dumpdigestrbr;r;r?rex z Name.sha1cCra)z] :return: The SHA-256 hash of the DER-encoded bytes of this name N_sha256rdsha256rfrgrbr;r;r?rkrhz Name.sha256)F)rVrWrXr>rrVrcrjrrMrrr,rOr@rEr]rrXrerkr;r;r;r?rs, <   &  rc@"eZdZdefdeddifgZdS) AnotherNametype_idrSexplicitrN)rVrWrXr!rrr;r;r;r?rmrrmc@s$eZdZdZdZdefdefgZdS) CountryNamer x121_dcc_codeiso_3166_alpha2_codeNrVrWrXclass_tagr r%rr;r;r;r?rp rpc@s$eZdZdZdZdefdefgZdS)AdministrationDomainNamerrnumeric printableNrsr;r;r;r?rwrvrwc@eZdZdefdefgZdS)PrivateDomainNamerxryNrVrWrXr r%rr;r;r;r?r{r{c@FeZdZdeddifdedddfded ddfd ed ddfgZd S) PersonalNamerrrrrTrrrrrNrVrWrXr%rr;r;r;r?r  rc@r~) TeletexPersonalNamerrrrrTrrrrrNrVrWrXr*rr;r;r;r?rrrc@r)OrganizationalUnitNamesNrVrWrXr%rr;r;r;r?rrrc@r)TeletexOrganizationalUnitNamesN)rVrWrXr*rr;r;r;r?rrrc @seZdZdeddifdeddifdedddfded ddfd ed dd fd edddfdedddfdedddfde dddfg Z dS)BuiltInStandardAttributesrrTadministration_domain_namenetwork_addressrrterminal_identifierrprivate_domain_namerrorrrnumeric_user_identifierr personal_namerorganizational_unit_namesrN) rVrWrXrprwr r%r{rrrr;r;r;r?rs  rc@eZdZdefdefgZdS)BuiltInDomainDefinedAttributerrSNrr;r;r;r?rr}rc@r)BuiltInDomainDefinedAttributesN)rVrWrXrrr;r;r;r?rrrc@r)TeletexDomainDefinedAttributerrSNrr;r;r;r?rr}rc@r)TeletexDomainDefinedAttributesN)rVrWrXrrr;r;r;r?rrrc@rz)PhysicalDeliveryCountryNamerqrrNr|r;r;r;r?rr}rc@rz) PostalCode numeric_codeprintable_codeNr|r;r;r;r?rr}rc@(eZdZdeddifdeddifgZdS) PDSParameterrrTrN)rVrWrXr%r*rr;r;r;r?r  rc@r)PrintableAddressNrr;r;r;r?rrrc@r)UnformattedPostalAddressprintable_addressrTrN)rVrWrXrr*rr;r;r;r?rrrc@s*eZdZdeddifdedddfgZdS) E1634Addressnumberrr sub_addressrTrN)rVrWrXr rr;r;r;r?rs rc@r) NAddressesN)rVrWrXr#rr;r;r;r?rrrc@sFeZdZdedddfdedddfdedddfd ed d ifgZd S) PresentationAddress p_selectorrTr s_selectorr t_selectorr n_addressesrorN)rVrWrXr#rrr;r;r;r?rs  rc@rl)ExtendedNetworkAddresse163_4_address psap_addressrrN)rVrWrXrrrr;r;r;r?r#rrc@seZdZdddddddZdS) TerminalTypetelexr g3_facsimile g4_facsimile ia5_terminalvideotex)rrrrrrNrr;r;r;r?r*s rc@seZdZiddddddddd d d d d ddddddddddddddddddd d!d"d#d$d%d&d'd(d)Zd*S)+ExtensionAttributeTyperrrteletex_common_namerteletex_organization_namerteletex_personal_namerteletex_organization_unit_namesr!teletex_domain_defined_attributesrpds_namerphysical_delivery_country_name r physical_delivery_office_name physical_delivery_office_numberr7extension_of_address_components physical_delivery_personal_name#physical_delivery_organization_name.extension_physical_delivery_address_componentsrunformatted_postal_addressrpost_office_box_addressposte_restante_addressunique_postal_namelocal_postal_attributesextended_network_address terminal_type)r8Nrr;r;r;r?r5sV      rc@seZdZdeddifdeddifgZdZided ed ed e d e d e dede de dedededededededeeeeeeedZdS)ExtensionAttributeextension_attribute_typerrextension_attribute_valueror)rrrrrrrrrrrrrrrrrrr)rrrrrrN)rVrWrXrrrr r%r*rrrrrrrrrr!r;r;r;r?rQs^        rc@r)ExtensionAttributesN)rVrWrXrrr;r;r;r?rsrrc@.eZdZdefdeddifdeddifgZdS) ORAddressbuilt_in_standard_attributes"built_in_domain_defined_attributesrTextension_attributesN)rVrWrXrrrrr;r;r;r?rw   rc@s*eZdZdedddfdeddifgZdS) EDIPartyName name_assignerrTr party_namerrN)rVrWrXrrr;r;r;r?rs rc @seZdZdeddifdeddifdeddifdedd ifd ed d ifd eddifde ddifde ddifde ddifg Z ddZ ddZdS) GeneralName other_namerr rfc822_namerdns_namer x400_addressrdirectory_nameroredi_party_nameruniform_resource_identifierr ip_addressr registered_idrcCr9r:r;r<r;r;r?r@rAzGeneralName.__ne__cCsP|jdvr ttd|j|jdvrttd|j|j|jkr"dS|j|jkS)z Does not support other_name, x400_address or edi_party_name :param other: The other GeneralName to compare to :return: A boolean )rrrzr Comparison is not supported for GeneralName objects of choice %s za Comparison is not supported for GeneralName objects of choice %sF)rrur rNr<r;r;r?rEs    zGeneralName.__eq__N)rVrWrXrmrcr5rrrrZrtr!rr@rEr;r;r;r?rs          rc@r) GeneralNamesN)rVrWrXrrr;r;r;r?rrrc@rz)Timeutc_time general_timeN)rVrWrXr,rrr;r;r;r?rr}rc@r)ValidityrrN)rVrWrXrrr;r;r;r?rr}rc@s(eZdZdeddifdeddifgZdS)BasicConstraintscadefaultFpath_len_constraintrTN)rVrWrXrrrr;r;r;r?rrrc@s:eZdZdedddfdedddfdedddfgZd S) AuthorityKeyIdentifierkey_identifierrTrauthority_cert_issuerrauthority_cert_serial_numberrN)rVrWrXr#rrrr;r;r;r?rs rc@s(eZdZdeddifdeddifgZdS)DistributionPointName full_namerrname_relative_to_crl_issuerrN)rVrWrXrr"rr;r;r;r?rrrc @r) ReasonFlagsunusedkey_compromise ca_compromiseaffiliation_changed supersededcessation_of_operationcertificate_holdprivilege_withdrawn aa_compromiserNrr;r;r;r?rrrc@s2eZdZdefdedddfdedddfgZd S) GeneralSubtreebaseminimumrrrmaximumrTrN)rVrWrXrrrr;r;r;r?r rc@r)GeneralSubtreesN)rVrWrXrrr;r;r;r?r rr c@r)NameConstraintspermitted_subtreesrTrexcluded_subtreesrN)rVrWrXr rr;r;r;r?r rr c@sJeZdZdedddfdedddfded ddfgZd Zed d Z d S)DistributionPointdistribution_pointrTrreasonsrr crl_issuerrFcCsl|jdur3d|_|d}|jdkrttd|jD]}|jdkr2|j}|dr2||_|jSq|jS)z_ :return: None or a unicode string of the distribution point's URL FNrrz CRL distribution points that are relative to the issuer are not supported rzhttp://zhttps://zldap://zldaps://)_urlrrur rNr]rDrL)r=r general_nameurlr;r;r?r s    zDistributionPoint.urlN) rVrWrXrrrrrrrrr;r;r;r?r sr c@r)CRLDistributionPointsN)rVrWrXr rr;r;r;r?r&rrc@s(eZdZdefdefdefdefgZdS) DisplayTextrvisible_stringrrN)rVrWrXrr.rr-rr;r;r;r?r*s rc@r) NoticeNumbersNrVrWrXrrr;r;r;r?r3rrc@rz)NoticeReference organizationnotice_numbersN)rVrWrXrrrr;r;r;r?r7r}rc@r) UserNotice notice_refrT explicit_textN)rVrWrXrrrr;r;r;r?r>rrc@seZdZdddZdS)PolicyQualifierId certification_practice_statement user_notice)z1.3.6.1.5.5.7.2.1z1.3.6.1.5.5.7.2.2Nrr;r;r;r?r Es r c@s*eZdZdefdefgZdZeedZ dS)PolicyQualifierInfopolicy_qualifier_id qualifier)r$r%)r!r"N) rVrWrXr rrr rrr!r;r;r;r?r#Ls r#c@r)PolicyQualifierInfosN)rVrWrXr#rr;r;r;r?r&Yrr&c@seZdZddiZdS)PolicyIdentifierz 2.5.29.32.0 any_policyNrr;r;r;r?r']sr'c@rl)PolicyInformationpolicy_identifierpolicy_qualifiersrTN)rVrWrXr'r&rr;r;r;r?r)crr)c@r)CertificatePoliciesN)rVrWrXr)rr;r;r;r?r,jrr,c@r) PolicyMappingissuer_domain_policysubject_domain_policyN)rVrWrXr'rr;r;r;r?r-nr}r-c@r)PolicyMappingsN)rVrWrXr-rr;r;r;r?r0urr0c@r)PolicyConstraintsrequire_explicit_policyrTrinhibit_policy_mappingrNrVrWrXrrr;r;r;r?r1yrr1c@seZdZiddddddddd d d d d ddddddddddddddddddd d!d"id#d$d%d&d'd(d)d*d+d,d-d.d/d0d1d2d3d4d5d6d7d8d9d:d;d<d=d>d?d@dAdBdCdDidEdFdGdHdIdJdKdLdMdNdOdPdQdRdSdTdUdVdWdXdYdZd[d\d]d^d_d`dadbdcdddedfidgdhdidjdkdldmdndodpdqdrdsdtdudvdwdxdydzd{d|d}d~ddddddddddiddddddddddddddddddddddddddddddddddZdS) KeyPurposeIdz 2.5.29.37.0any_extended_key_usagez1.3.6.1.5.5.7.3.1 server_authz1.3.6.1.5.5.7.3.2 client_authz1.3.6.1.5.5.7.3.3 code_signingz1.3.6.1.5.5.7.3.4email_protectionz1.3.6.1.5.5.7.3.5ipsec_end_systemz1.3.6.1.5.5.7.3.6 ipsec_tunnelz1.3.6.1.5.5.7.3.7 ipsec_userz1.3.6.1.5.5.7.3.8 time_stampingz1.3.6.1.5.5.7.3.9 ocsp_signingz1.3.6.1.5.5.7.3.10dvcsz1.3.6.1.5.5.7.3.13 eap_over_pppz1.3.6.1.5.5.7.3.14 eap_over_lanz1.3.6.1.5.5.7.3.15 scvp_serverz1.3.6.1.5.5.7.3.16 scvp_clientz1.3.6.1.5.5.7.3.17 ipsec_ikez1.3.6.1.5.5.7.3.18 capwap_acz1.3.6.1.5.5.7.3.19 capwap_wtpz1.3.6.1.5.5.7.3.20 sip_domainz1.3.6.1.5.5.7.3.21secure_shell_clientz1.3.6.1.5.5.7.3.22secure_shell_serverz1.3.6.1.5.5.7.3.23 send_routerz1.3.6.1.5.5.7.3.24send_proxied_routerz1.3.6.1.5.5.7.3.25 send_ownerz1.3.6.1.5.5.7.3.26send_proxied_ownerz1.3.6.1.5.5.7.3.27cmc_caz1.3.6.1.5.5.7.3.28cmc_raz1.3.6.1.5.5.7.3.29 cmc_archivez1.3.6.1.5.5.7.3.30bgpspec_routerz1.3.6.1.5.5.8.2.2ike_intermediatez1.3.6.1.4.1.311.10.3.1microsoft_trust_list_signingz1.3.6.1.4.1.311.10.3.2microsoft_time_stamp_signingz1.3.6.1.4.1.311.10.3.3microsoft_server_gatedz1.3.6.1.4.1.311.10.3.3.1microsoft_serializedz1.3.6.1.4.1.311.10.3.4 microsoft_efsz1.3.6.1.4.1.311.10.3.4.1microsoft_efs_recoveryz1.3.6.1.4.1.311.10.3.5microsoft_whqlz1.3.6.1.4.1.311.10.3.6 microsoft_nt5z1.3.6.1.4.1.311.10.3.7microsoft_oem_whqlz1.3.6.1.4.1.311.10.3.8microsoft_embedded_ntz1.3.6.1.4.1.311.10.3.9microsoft_root_list_signerz1.3.6.1.4.1.311.10.3.10!microsoft_qualified_subordinationz1.3.6.1.4.1.311.10.3.11microsoft_key_recoveryz1.3.6.1.4.1.311.10.3.12microsoft_document_signingz1.3.6.1.4.1.311.10.3.13microsoft_lifetime_signingz1.3.6.1.4.1.311.10.3.14 microsoft_mobile_device_softwarez1.3.6.1.4.1.311.20.2.2microsoft_smart_card_logonz1.2.840.113635.100.1.2apple_x509_basicz1.2.840.113635.100.1.3 apple_sslz1.2.840.113635.100.1.4apple_local_cert_genz1.2.840.113635.100.1.5 apple_csr_genz1.2.840.113635.100.1.6apple_revocation_crlz1.2.840.113635.100.1.7apple_revocation_ocspz1.2.840.113635.100.1.8 apple_smimez1.2.840.113635.100.1.9 apple_eapz1.2.840.113635.100.1.10apple_software_update_signingz1.2.840.113635.100.1.11 apple_ipsecz1.2.840.113635.100.1.12 apple_ichatz1.2.840.113635.100.1.13apple_resource_signingz1.2.840.113635.100.1.14apple_pkinit_clientz1.2.840.113635.100.1.15apple_pkinit_serverz1.2.840.113635.100.1.16apple_code_signingz1.2.840.113635.100.1.17apple_package_signingz1.2.840.113635.100.1.18apple_id_validationz1.2.840.113635.100.1.20apple_time_stampingz1.2.840.113635.100.1.21apple_revocationz1.2.840.113635.100.1.22apple_passbook_signingz1.2.840.113635.100.1.23apple_mobile_storez1.2.840.113635.100.1.24apple_escrow_servicez1.2.840.113635.100.1.25apple_profile_signerz1.2.840.113635.100.1.26apple_qa_profile_signerz1.2.840.113635.100.1.27apple_test_mobile_storez1.2.840.113635.100.1.28apple_otapki_signerz1.2.840.113635.100.1.29apple_test_otapki_signerz1.2.840.113625.100.1.30)apple_id_validation_record_signing_policyz1.2.840.113625.100.1.31apple_smp_encryptionz1.2.840.113625.100.1.32apple_test_smp_encryptionz1.2.840.113635.100.1.33apple_server_authenticationz1.2.840.113635.100.1.34apple_pcs_escrow_servicez2.16.840.1.101.3.6.8piv_card_authenticationz2.16.840.1.101.3.6.7piv_content_signingz1.3.6.1.5.2.3.4pkinit_kpclientauthz1.3.6.1.5.2.3.5 pkinit_kpkdcz1.2.840.113583.1.1.5adobe_authentic_documents_trustz2.16.840.1.101.3.8.7fpki_pivi_content_signingNrr;r;r;r?r5sX     !"$%&(*-./0123456789:;<>BCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`acdfgik r5c@r)ExtKeyUsageSyntaxNrVrWrXr5rr;r;r;r?rrrc@eZdZdddddZdS) AccessMethodocsp ca_issuersr> ca_repository)z1.3.6.1.5.5.7.48.1z1.3.6.1.5.5.7.48.2z1.3.6.1.5.5.7.48.3z1.3.6.1.5.5.7.48.5Nrr;r;r;r?r  rc@rz)AccessDescription access_methodaccess_locationN)rVrWrXrrrr;r;r;r?rr}rc@r)AuthorityInfoAccessSyntaxNrVrWrXrrr;r;r;r?rrrc@r)SubjectInfoAccessSyntaxNrr;r;r;r?rrrc@r)FeaturesNrr;r;r;r?r rrc@rz)EntrustVersionInfo entrust_versentrust_info_flagsN)rVrWrXrrrr;r;r;r?rr}rc @s"eZdZddddddddd Zd S) NetscapeCertificateType ssl_client ssl_serveremailobject_signingreservedssl_caemail_caobject_signing_ca)rrrrrrrrNrr;r;r;r?rs rc@eZdZddddZdS)Versionv1v2v3rrrNrr;r;r;r?r%  rc@s"eZdZdefdefdefgZdS)TPMSpecificationrlevelrevisionN)rVrWrXr-rrr;r;r;r?r- rc@r)SetOfTPMSpecificationN)rVrWrXrrr;r;r;r?r5rrc@s"eZdZdefdefdefgZdS)TCGSpecificationVersion major_version minor_versionrNr4r;r;r;r?r9rrc@rz)TCGPlatformSpecificationversionplatform_classN)rVrWrXrr#rr;r;r;r?rAr}rc@r)SetOfTCGPlatformSpecificationN)rVrWrXrrr;r;r;r?rHrrc@r)EKGenerationTypeinternalinjectedinternal_revocableinjected_revocable)rrrrNrr;r;r;r?rLrrc@r)EKGenerationLocationrrek_cert_signerrNrr;r;r;r?rUrrc@r)EKCertificateGenerationLocationrrrrNrr;r;r;r?r]rrc@s eZdZddddddddZd S) EvaluationAssuranceLevellevel1level2level3level4level5level6level7)rrrrrrrNrr;r;r;r?res rc@r)EvaluationStatusdesigned_to_meetevaluation_in_progressevaluation_completedrNrr;r;r;r?rqrrc@r)StrengthOfFunctionbasicmediumhighrNrr;r;r;r?ryrrc@r) URIReferencerhash_algorithmrT hash_valueN)rVrWrXrrrrr;r;r;r?rrrc @steZdZdefdefdefdeddifdedd d fd ed d d fd e dd d fdedd d fde dd d fg Z dS)CommonCriteriaMeasuresrassurance_levelevaluation_statusplusrFstrengh_of_functionrTr profile_oidr profile_urlr target_oidr target_urirN) rVrWrXrrrrrr!rrr;r;r;r?rs rc@r) SecurityLevelrrrr)rrrrNrr;r;r;r?rrrc@s(eZdZdefdefdeddifgZdS) FIPSLevelrrrrFN)rVrWrXrrrrr;r;r;r?rs  rc @seZdZdeddifdeddifdeddd fd ed dd fd ed dd fdeddd fde ddd fdedddfde ddifg Z dS)TPMSecurityAssertionsrrrfield_upgradableFek_generation_typerTrek_generation_locationr"ek_certificate_generation_locationrcc_infor fips_levelriso_9000_certifiedrr iso_9000_urirN) rVrWrXrrrrrrrrrr;r;r;r?rs   rc@r)SetOfTPMSecurityAssertionsN)rVrWrXrrr;r;r;r?rrrc @s&eZdZddddddddd d d Zd S) SubjectDirectoryAttributeIdsupported_algorithmstpm_specificationtcg_platform_specificationtpm_security_assertionspda_date_of_birthpda_place_of_birth pda_genderpda_country_of_citizenshippda_country_of_residenceentrust_user_role) z2.5.4.52z 2.23.133.2.16z 2.23.133.2.17z 2.23.133.2.18z1.3.6.1.5.5.7.9.1z1.3.6.1.5.5.7.9.2z1.3.6.1.5.5.7.9.3z1.3.6.1.5.5.7.9.4z1.3.6.1.5.5.7.9.5z1.2.840.113533.7.68.29Nrr;r;r;r?rs rc@r)SetOfGeneralizedTimeN)rVrWrXrrr;r;r;r?rrrc@r)SetOfDirectoryStringN)rVrWrXrrr;r;r;r?rrrc@r)SetOfPrintableStringNrr;r;r;r?rrrc@s2eZdZdefdedddfdedddfgZdS) SupportedAlgorithmalgorithm_identifierintended_usagerTrintended_certificate_policiesrN)rVrWrXrrr,rr;r;r;r?rrrc@r)SetOfSupportedAlgorithmN)rVrWrXrrr;r;r;r?rrrc @sHeZdZdefdefgZdZeee e e e e e e d ZddZdeiZdS)SubjectDirectoryAttributerr)rr) rrrrrrrrrcCs"|dj}||jvr|j|StS)Nr)r]r!r))r=type_r;r;r? _values_specs   z&SubjectDirectoryAttribute._values_specN)rVrWrXrrrr rrrrrrrr!r_spec_callbacksr;r;r;r?rs$ rc@r)SubjectDirectoryAttributesN)rVrWrXrrr;r;r;r?rrrc @seZdZiddddddddd d d d d ddddddddddddddddddd d!d"d#d$d%d&d'd(d)d*Zd+S), ExtensionIdz2.5.29.9subject_directory_attributesz 2.5.29.14rz 2.5.29.15 key_usagez 2.5.29.16private_key_usage_periodz 2.5.29.17subject_alt_namez 2.5.29.18issuer_alt_namez 2.5.29.19basic_constraintsz 2.5.29.30name_constraintsz 2.5.29.31crl_distribution_pointsz 2.5.29.32certificate_policiesz 2.5.29.33policy_mappingsz 2.5.29.35authority_key_identifierz 2.5.29.36policy_constraintsz 2.5.29.37extended_key_usagez 2.5.29.46 freshest_crlz 2.5.29.54inhibit_any_policyz1.3.6.1.5.5.7.1.1authority_information_accesssubject_information_access tls_feature ocsp_no_checkentrust_version_extensionnetscape_certificate_type!signed_certificate_timestamp_listmicrosoft_enroll_certtype)z1.3.6.1.5.5.7.1.11z1.3.6.1.5.5.7.1.24z1.3.6.1.5.5.7.48.1.5z1.2.840.113533.7.65.0z2.16.840.1.113730.1.1z1.3.6.1.4.1.11129.2.4.2z1.3.6.1.4.1.311.20.2Nrr;r;r;r?rsX      rc @seZdZdefdeddifdefgZdZidede d e d e d e d e d e dedededededededededeeeeeee edZdS) Extensionextn_idcriticalrF extn_value)rrrrrrrrrrr r r r r rrrr)rrrrrrrN)rVrWrXrrr$rr rr#rrrrr rr,r0rr1rrrrrrrrrr!r;r;r;r?r'sb       rc@r) ExtensionsN)rVrWrXrrr;r;r;r?rMrrc@sleZdZdedddfdefdefdefdefd efd efd e d d dfde dd dfde dd dfg Z dS)TbsCertificaterrr)rorr signatureissuervaliditysubjectsubject_public_key_infoissuer_unique_idrTrsubject_unique_idr extensionsrrN) rVrWrXrrrrrr0r"rrr;r;r;r?rQsrc@seZdZdefdefdefgZdZdZdZ dZ dZ dZ dZ dZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZ dZ!dZ"dZ#dZ$dZ%dZ&ddZ'e(dd Z)e(d d Z*e(d d Z+e(ddZ,e(ddZ-e(ddZ.e(ddZ/e(ddZ0e(ddZ1e(ddZ2e(ddZ3e(ddZ4e(d d!Z5e(d"d#Z6e(d$d%Z7e(d&d'Z8e(d(d)Z9e(d*d+Z:e(d,d-Z;e(d.d/Ze(d4d5Z?e(d6d7Z@e(d8d9ZAe(d:d;ZBe(dd?ZDe(d@dAZEe(dBdCZFe(dDdEZGe(dFdGZHe(dHdIZIe(dJdKZJe(dLdMZKe(dNdOZLdPdQZMe(dRdSZNe(dTdUZOe(dVdWZPe(dXdYZQe(dZd[ZRe(d\d]ZSe(d^d_ZTe(d`daZUe(dbdcZVe(dddeZWe(dfdgZXdhdiZYdjdkZZdldmZ[dS)n Certificatetbs_certificatesignature_algorithmsignature_valueFNcCsht|_|ddD]$}|dj}d|}t||r#t|||dj|djr.|j|q d|_dS) zv Sets common named extensions to private attributes and creates a list of critical extensions r(r&rz _%s_valuerrTN)rU_critical_extensionsr]hasattrsetattrparsedadd_processed_extensions)r= extensionrrKr;r;r?_set_extensionss     zCertificate._set_extensionscC|js||jS)z Returns a set of the names (or OID if not a known extension) of the extensions marked as critical :return: A set of unicode strings )r0r2r+rbr;r;r?critical_extensions zCertificate.critical_extensionscCr3)z This extension is used to constrain the period over which the subject private key may be used :return: None or a PrivateKeyUsagePeriod object )r0r2_private_key_usage_period_valuerbr;r;r?private_key_usage_period_valuer5z*Certificate.private_key_usage_period_valuecCr3)z This extension is used to contain additional identification attributes about the subject. :return: None or a SubjectDirectoryAttributes object )r0r2#_subject_directory_attributes_valuerbr;r;r?"subject_directory_attributes_valuer5z.Certificate.subject_directory_attributes_valuecCr3)z This extension is used to help in creating certificate validation paths. It contains an identifier that should generally, but is not guaranteed to, be unique. :return: None or an OctetString object )r0r2_key_identifier_valuerbr;r;r?key_identifier_value z Certificate.key_identifier_valuecCr3)z This extension is used to define the purpose of the public key contained within the certificate. :return: None or a KeyUsage )r0r2_key_usage_valuerbr;r;r?key_usage_valuer5zCertificate.key_usage_valuecCr3)aT This extension allows for additional names to be associate with the subject of the certificate. While it may contain a whole host of possible names, it is usually used to allow certificates to be used with multiple different domain names. :return: None or a GeneralNames object )r0r2_subject_alt_name_valuerbr;r;r?subject_alt_name_value z"Certificate.subject_alt_name_valuecCr3)z This extension allows associating one or more alternative names with the issuer of the certificate. :return: None or an x509.GeneralNames object )r0r2_issuer_alt_name_valuerbr;r;r?issuer_alt_name_valuer5z!Certificate.issuer_alt_name_valuecCr3)a' This extension is used to determine if the subject of the certificate is a CA, and if so, what the maximum number of intermediate CA certs after this are, before an end-entity certificate is found. :return: None or a BasicConstraints object )r0r2_basic_constraints_valuerbr;r;r?basic_constraints_valuer<z#Certificate.basic_constraints_valuecCr3)z This extension is used in CA certificates, and is used to limit the possible names of certificates issued. :return: None or a NameConstraints object )r0r2_name_constraints_valuerbr;r;r?name_constraints_value r5z"Certificate.name_constraints_valuecCr3)z This extension is used to help in locating the CRL for this certificate. :return: None or a CRLDistributionPoints object extension )r0r2_crl_distribution_points_valuerbr;r;r?crl_distribution_points_value r5z)Certificate.crl_distribution_points_valuecCr3)a; This extension defines policies in CA certificates under which certificates may be issued. In end-entity certificates, the inclusion of a policy indicates the issuance of the certificate follows the policy. :return: None or a CertificatePolicies object )r0r2_certificate_policies_valuerbr;r;r?certificate_policies_value* rAz&Certificate.certificate_policies_valuecCr3)z This extension allows mapping policy OIDs to other OIDs. This is used to allow different policies to be treated as equivalent in the process of validation. :return: None or a PolicyMappings object )r0r2_policy_mappings_valuerbr;r;r?policy_mappings_value: r<z!Certificate.policy_mappings_valuecCr3)z This extension helps in identifying the public key with which to validate the authenticity of the certificate. :return: None or an AuthorityKeyIdentifier object )r0r2_authority_key_identifier_valuerbr;r;r?authority_key_identifier_valueI r5z*Certificate.authority_key_identifier_valuecCr3)z This extension is used to control if policy mapping is allowed and when policies are required. :return: None or a PolicyConstraints object )r0r2_policy_constraints_valuerbr;r;r?policy_constraints_valueW r5z$Certificate.policy_constraints_valuecCr3)z This extension is used to help locate any available delta CRLs :return: None or an CRLDistributionPoints object )r0r2_freshest_crl_valuerbr;r;r?freshest_crl_valuee s zCertificate.freshest_crl_valuecCr3)z This extension is used to prevent mapping of the any policy to specific requirements :return: None or a Integer object )r0r2_inhibit_any_policy_valuerbr;r;r?inhibit_any_policy_valuer r5z$Certificate.inhibit_any_policy_valuecCr3)z This extension is used to define additional purposes for the public key beyond what is contained in the basic constraints. :return: None or an ExtKeyUsageSyntax object )r0r2_extended_key_usage_valuerbr;r;r?extended_key_usage_value r5z$Certificate.extended_key_usage_valuecCr3)z This extension is used to locate the CA certificate used to sign this certificate, or the OCSP responder for this certificate. :return: None or an AuthorityInfoAccessSyntax object )r0r2#_authority_information_access_valuerbr;r;r?"authority_information_access_value r5z.Certificate.authority_information_access_valuecCr3)z This extension is used to access information about the subject of this certificate. :return: None or a SubjectInfoAccessSyntax object )r0r2!_subject_information_access_valuerbr;r;r? subject_information_access_value r5z,Certificate.subject_information_access_valuecCr3)z This extension is used to list the TLS features a server must respond with if a client initiates a request supporting them. :return: None or a Features object )r0r2_tls_feature_valuerbr;r;r?tls_feature_value r5zCertificate.tls_feature_valuecCr3)a- This extension is used on certificates of OCSP responders, indicating that revocation information for the certificate should never need to be verified, thus preventing possible loops in path validation. :return: None or a Null object (if present) )r0r2_ocsp_no_check_valuerbr;r;r?ocsp_no_check_value r<zCertificate.ocsp_no_check_valuecC |djS)zE :return: A byte string of the signature r*r4rbr;r;r?r  zCertificate.signaturecCr`)zj :return: A unicode string of "rsassa_pkcs1v15", "rsassa_pss", "dsa", "ecdsa" r))signature_algorbr;r;r?rb razCertificate.signature_algocCr`)z :return: A unicode string of "md2", "md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512_224", "sha512_256" r)) hash_algorbr;r;r?rc s zCertificate.hash_algocC |ddS)zT :return: The PublicKeyInfo object for this certificate r(r#r;rbr;r;r? public_key  zCertificate.public_keycCrd)zZ :return: The Name object for the subject of this certificate r(r"r;rbr;r;r?r" rfzCertificate.subjectcCrd)zY :return: The Name object for the issuer of this certificate r(r r;rbr;r;r?r  rfzCertificate.issuercCs|ddjS)zT :return: An integer of the certificate's serial number r(rr4rbr;r;r?r szCertificate.serial_numbercCs|jsdS|jjS)z :return: None or a byte string of the certificate's key identifier from the key identifier extension N)r;r]rbr;r;r?r szCertificate.key_identifiercCs.|jdur|jjdt|jd|_|jS)z :return: A byte string of the SHA-256 hash of the issuer concatenated with the ascii character ":", concatenated with the serial number as an ascii string N:rh)_issuer_serialr rkrrrMrbr;r;r? issuer_serial s zCertificate.issuer_serialcC|dddjS)zd :return: A datetime of latest time when the certificate is still valid r(r!rr4rbr;r;r?not_valid_after! zCertificate.not_valid_aftercCrj)zd :return: A datetime of the earliest time when the certificate is valid r(r!rr4rbr;r;r?not_valid_before) rlzCertificate.not_valid_beforecCs|jsdS|jdjS)z :return: None or a byte string of the key_identifier from the authority key identifier extension Nr)rOr]rbr;r;r?r 1 s z$Certificate.authority_key_identifiercCsn|jdur4|j}|r1|djr1|jddj}|}|jdj}|jdt|d|_|jSd|_|jS)a; :return: None or a byte string of the SHA-256 hash of the isser from the authority key identifier extension concatenated with the ascii character ":", concatenated with the serial number from the authority key identifier extension as an ascii string FrrrrgrhN)_authority_issuer_serialrOr]rNuntagrkrrM)r=akivr authority_serialr;r;r?authority_issuer_serial> s  z#Certificate.authority_issuer_serialcC|jdur ||j|_|jS)z Returns complete CRL URLs - does not include delta CRLs :return: A list of zero or more DistributionPoint objects N)_crl_distribution_points!_get_http_crl_distribution_pointsrIrbr;r;r?r T  z#Certificate.crl_distribution_pointscCrs)z Returns delta CRL URLs - does not include complete CRLs :return: A list of zero or more DistributionPoint objects N)_delta_crl_distribution_pointsrurSrbr;r;r?delta_crl_distribution_pointsa rvz)Certificate.delta_crl_distribution_pointscCs\g}|durgS|D]!}|d}|turq |jdkrq |jD] }|jdkr*||qq |S)a? Fetches the DistributionPoint object for non-relative, HTTP CRLs referenced by the certificate :param crl_distribution_points: A CRLDistributionPoints object to grab the DistributionPoints from :return: A list of zero or more DistributionPoint objects Nrrr)r/rrNr))r=r r*rdistribution_point_namerr;r;r?run s     z-Certificate._get_http_crl_distribution_pointscCs^|jsgSg}|jD]"}|djdkr,|d}|jdkrq |j}|dr,||q |S)zx :return: A list of zero or more unicode strings of the OCSP URLs for this cert rrrrr)rYr]rrDrLr))r=r*entrylocationrr;r;r? ocsp_urls s   zCertificate.ocsp_urlscCs|jdurNg|_|jr&|jD]}|jdkr"|j|jvr"|j|jq|jStd}|jjD]}|D]}|djdkrL|dj}| |rL|j|q3q/|jS)z :return: A list of unicode strings of valid domain names for the certificate. Wildcard certificates will have a domain in the form: *.example.com NrzE^(\*\.)?(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$rrrS) _valid_domainsr@rr]r)rcompiler"rNmatch)r=rpatternr;name_type_valuerSr;r;r? valid_domains s$      zCertificate.valid_domainscCs@|jdurg|_|jr|jD]}|jdkr|j|jq|jS)zj :return: A list of unicode strings of valid IP addresses for the certificate Nr) _valid_ipsr@rr)r])r=rr;r;r? valid_ips s   zCertificate.valid_ipscCs|jo|jdjS)zW :return; A boolean - if the certificate is marked as a CA r)rEr]rbr;r;r?r szCertificate.cacCs|jsdS|jdjS)zT :return; None or an integer of the maximum path length Nr)rrEr]rbr;r;r?max_path_length s zCertificate.max_path_lengthcCs|jdur |j|jk|_|jS)zx :return: A boolean - if the certificate is self-issued, as defined by RFC 5280 N) _self_issuedr"r rbr;r;r? self_issued s zCertificate.self_issuedcCsR|jdur&d|_|jr&|jr#|jsd|_|jS|j|jkr d|_|jSd|_|jS)a :return: A unicode string of "no" or "maybe". The "maybe" result will be returned if the certificate issuer and subject are the same. If a key identifier and authority key identifier are present, they will need to match otherwise "no" will be returned. To verify is a certificate is truly self-signed, the signature will need to be verified. See the certvalidator package for one possible solution. Nnomaybe) _self_signedrrr rbr;r;r? self_signed s  zCertificate.self_signedcCra)zk :return: The SHA-1 hash of the DER-encoded bytes of this complete certificate Nrbrbr;r;r?re rhzCertificate.sha1cCdddt|jDS)z :return: A unicode string of the SHA-1 hash, formatted using hex encoding with a space between each pair of characters, all uppercase rcs|]}d|VqdSz%02XNr;r6cr;r;r?r@$ z/Certificate.sha1_fingerprint..)r rrerbr;r;r?sha1_fingerprint zCertificate.sha1_fingerprintcCra)zy :return: The SHA-256 hash of the DER-encoded bytes of this complete certificate Nrirbr;r;r?rk& s zCertificate.sha256cCr)z :return: A unicode string of the SHA-256 hash, formatted using hex encoding with a space between each pair of characters, all uppercase rcsrrr;rr;r;r?r@: rz1Certificate.sha256_fingerprint..)r rrkrbr;r;r?sha256_fingerprint2 rzCertificate.sha256_fingerprintcCsHt|tsttdt||dd}|ddk}| o't d|}| o-| }|rq|j s5dS| d}|j D]1}|dd}| d} t | t |krWq=| |kr^d S||} | rn||| rnd Sq=dS|jsvdS|r{tjntj} t| |} |jD]} | ddkrtjntj}t|| }|| krd SqdS) a Check if a domain name or IP address is valid according to the certificate :param domain_ip: A unicode string of a domain name or IP address :return: A boolean - if the domain or IP is valid for the certificate zL domain_ip must be a unicode string, not %s rrhrzrgz^\d+\.\d+\.\d+\.\d+$FrHT)rBrrKr r rMrorDrjrrrrr_is_wildcard_domain_is_wildcard_matchrrrrr4)r= domain_ipencoded_domain_ipis_ipv6is_ipv4 is_domain domain_labels valid_domainencoded_valid_domainvalid_domain_labels is_wildcardr normalized_ipvalid_ip valid_familynormalized_valid_ipr;r;r?is_valid_domain_ip< sH         zCertificate.is_valid_domain_ipcCsZ|ddkr dS|d}|sdS|dddkrdS|ddddkr+dSd S) af Checks if a domain is a valid wildcard according to https://tools.ietf.org/html/rfc6125#section-6.4.3 :param domain: A unicode string of the domain name, where any U-labels from an IDN have been converted to A-labels :return: A boolean - if the domain is a valid wildcard domain *rFrHrrgrzxn--T)countrDrrj)r=domainlabelsr;r;r?r~ szCertificate._is_wildcard_domaincCsl|d}|dd}|d}|dd}||krdS|dkr dStd|ddd }||r4dSdS) a Determines if the labels in a domain are a match for labels from a wildcard valid domain name :param domain_labels: A list of unicode strings, with A-label form for IDNs, of the labels in the domain name to check :param valid_domain_labels: A list of unicode strings, with A-label form for IDNs, of the labels in a wildcard domain pattern :return: A boolean - if the domain matches the valid domain rrNFrT^z.*$)rr~r r)r=rrfirst_domain_labelother_domain_labelswildcard_labelother_valid_domain_labelswildcard_regexr;r;r?r s   zCertificate._is_wildcard_match)\rVrWrXrrr"rr0r+r8r:r=r?rBrDrFrHrJrLrNrPrRrTrVrXrZr6r\r^rhrnrtrwr}rrrrcrjr2rrr4r7r9r;r>r@rCrErGrIrKrMrOrQrSrUrWrYr[r]r_rrbrcrer"r rrrirkrmr rrr rxrur|rrrrrrrerrkrrrrr;r;r;r?r'`s                                       "          B !r'c@r)KeyPurposeIdentifiersNrr;r;r;r?r rrc@r)SequenceOfAlgorithmIdentifiersN)rVrWrXrrr;r;r;r?r rrc @sPeZdZdeddifdedddfdeddifdeddifd ed ddfgZd S) CertificateAuxtrustrTrejectrraliaskeyidr>rN)rVrWrXrr-r#rrr;r;r;r?r s   rc@seZdZeegZdS)TrustedCertificateN)rVrWrXr'r _child_specsr;r;r;r?r s r)r __future__rrrr contextlibr encodingsrrdrrrr r_errorsr _irir r _ordereddictr _typesr rralgosrrrrcorerrrrrrrrrrrrr r!r"r#r$r%r&r'r(r)r*r+r,r-r.r/r(r0utilr1r2r3r4r5rZrcrtrrrrrrrrrr"r>rrmrprwr{rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr r r rrrrrr r#r&r'r)r,r-r0r1r5rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr'rrrrr;r;r;r?s    x 59q  BU*D      "2%  p      &o