o &zhxM@sdZddlZddlZddlmZddlmZmZddlmZm Z m Z ddl m Z m Z ddlmZgd Zegd Z ed d Z ed dGdddZejGdddejZed dGdddZeejejZ eejejdZ eejejeejejedZ ejGdddejZ ed dGdddZ!dee"dee"dee"fddZ#ed dGd d!d!Z$ed dGd"d#d#Z%Gd$d%d%ej&Z'Gd&d'd'e'Z(Gd(d)d)e'Z)dS)*z .. versionadded:: 0.20.0 N) dataclass)datetime timedelta) FrozenSetIterableOptional)algoskeys) PKIXSubtrees) RevocationCheckingRuleRevocationCheckingPolicyFreshnessReqTypeCertRevTrustPolicyPKIXValidationParamsAlgorithmUsageConstraintAlgorithmUsagePolicyDisallowWeakAlgorithmsPolicyAcceptAllAlgorithmsNonRevokedStatusAssertionDEFAULT_WEAK_HASH_ALGOSREQUIRE_REVINFO NO_REVOCATION)md2md5sha1)minutesT)frozenc@s$eZdZUdZeed< eed<dS)rzG Assert that a certificate was not revoked at some given date. cert_sha256atN)__name__ __module__ __qualname____doc__bytes__annotations__rr'r'\/var/www/html/kangema/venv/lib/python3.10/site-packages/pyhanko_certvalidator/policy_decl.pyr-s rc@seZdZdZdZ dZ dZ dZ dZ dZ dZ e d e fd d Z e d e fd d Ze d e fddZe d e fddZe d e fddZe d e fddZdS)r zg Rules determining in what circumstances revocation data has to be checked, and what kind. clrcheck ocspcheck bothcheck eitherchecknocheckifdeclaredcheckifdeclaredsoftcheckreturncCs|tjtjtjfvSN)r CHECK_IF_DECLAREDCHECK_IF_DECLARED_SOFTNO_CHECKselfr'r'r(strict{s zRevocationCheckingRule.strictcC|tjtjfvSr1)r r3r4r5r'r'r(tolerantzRevocationCheckingRule.tolerantcCr8r1)r CRL_REQUIREDCRL_AND_OCSP_REQUIREDr5r'r'r( crl_mandatoryr:z$RevocationCheckingRule.crl_mandatorycC|tjtjfvSr1)r r4 OCSP_REQUIREDr5r'r'r( crl_relevantr:z#RevocationCheckingRule.crl_relevantcCr8r1)r r?r<r5r'r'r(ocsp_mandatoryr:z%RevocationCheckingRule.ocsp_mandatorycCr>r1)r r4r;r5r'r'r( ocsp_relevantr:z$RevocationCheckingRule.ocsp_relevantN)r!r"r#r$r;r?r<CRL_OR_OCSP_REQUIREDr4r2r3propertyboolr7r9r=r@rArBr'r'r'r(r >s8  r c@sJeZdZUdZeed< eed< edefddZe de fdd Z d S) r zu Class describing a revocation checking policy based on the types defined in the ETSI TS 119 172 series. ee_certificate_ruleintermediate_ca_cert_rulepolicycCs*zt|WStytd|dw)N'z ' is not a valid revocation mode)LEGACY_POLICY_MAPKeyError ValueError)clsrHr'r'r( from_legacys   z$RevocationCheckingPolicy.from_legacyr0cCs|jjo|jj Sr1)rFr9r5r'r'r( essentialsz"RevocationCheckingPolicy.essentialN) r!r"r#r$r r& classmethodstrrNrDrErOr'r'r'r(r s r )rFrG)z soft-failz hard-failrequirec@s,eZdZdZeZ eZ eZdS)rz% Freshness requirement type. N) r!r"r#r$enumautoDEFAULTMAX_DIFF_REVOCATION_VALIDATIONTIME_AFTER_SIGNATUREr'r'r'r(rsrc@s\eZdZUdZeed< dZeeed< e j Z e ed< dZ eeed< dZ eed<dS) rzz Class describing conditions for trusting revocation info. Based on CertificateRevTrust in ETSI TS 119 172-3. revocation_checking_policyN freshnessfreshness_req_type!expected_post_expiry_revinfo_timeFretroactive_revinfo)r!r"r#r$r r&rYrrrrUrZr[r\rEr'r'r'r(rs  ra_polsb_polsr0cCs:d|v}d|v}|r|rtdgS|r|S|r|S||@S)z Intersect two sets of policies, taking into account the special 'any_policy'. :param a_pols: A set of policies. :param b_pols: Another set of policies. :return: The intersection of both. any_policy) frozenset)r]r^a_anyb_anyr'r'r(intersect_policy_sets8s rcc@szeZdZUedgZeed< dZeed< dZeed< dZ eed< dZ e e ed< dZ e e ed < dd d ZdS)rr_user_initial_policy_setFinitial_policy_mapping_inhibitinitial_explicit_policyinitial_any_policy_inhibitNinitial_permitted_subtreesinitial_excluded_subtreesotherr0cCsdd|jvr |j}nd|jvr|j}n|j|j@}|jo|j}|jo#|j}|jo)|j}t||||dS)aa Combine the conditions of these PKIX validation params with another set of parameters, producing the most lenient set of parameters that is stricter than both inputs. :param other: Another set of PKIX validation parameters. :return: A combined set of PKIX validation parameters. r_)rdrgrfre)rdrgrfrer)r6rjinit_policy_setrgrfrer'r'r(merges&     zPKIXValidationParams.merge)rjrr0r)r!r"r#r`rdr&rerErfrgrhrr rirlr'r'r'r(rTs      rc@sHeZdZUdZeed< dZeeed< dZ ee ed< ddZ dS)rzh Expression of a constraint on the usage of an algorithm (possibly with parameter choices). allowedNnot_allowed_afterfailure_reasoncCs|jSr1rmr5r'r'r(__bool__sz!AlgorithmUsageConstraint.__bool__) r!r"r#r$rEr&rnrrrorQrqr'r'r'r(rs  rc@sReZdZdZdejdeedefddZ dej deedee j defdd Z d S) rzR Abstract interface defining a usage policy for cryptographic algorithms. algomomentr0cCt)a Determine if the indicated digest algorithm can be used at the point in time indicated. :param algo: A digest algorithm description in ASN.1 form. :param moment: The point in time at which the algorithm should be usable. If ``None``, then the returned judgment applies at all times. :return: A :class:`.AlgorithmUsageConstraint` expressing the judgment. NotImplementedErrorr6rrrsr'r'r(digest_algorithm_allowedsz-AlgorithmUsagePolicy.digest_algorithm_allowed public_keycCrt)a' Determine if the indicated signature algorithm (including the associated digest function and any parameters, if applicable) can be used at the point in time indicated. :param algo: A signature mechanism description in ASN.1 form. :param moment: The point in time at which the algorithm should be usable. If ``None``, then the returned judgment applies at all times. :param public_key: The public key associated with the operation, if available. .. note:: This parameter can be used to enforce key size limits or to filter out keys with known structural weaknesses. :return: A :class:`.AlgorithmUsageConstraint` expressing the judgment. rur6rrrsryr'r'r(signature_algorithm_allowedsz0AlgorithmUsagePolicy.signature_algorithm_allowedN)r!r"r#r$rDigestAlgorithmrrrrxSignedDigestAlgorithmr PublicKeyInfor{r'r'r'r(rs$ rc@sfeZdZdZeeddfddZdejde e de fd d Z dej de e d e ejde fd d ZdS)ra Primitive usage policy that forbids a list of user-specified "weak" algorithms and allows everything else. It also ignores the time parameter completely. .. note:: This denial-based strategy is supplied to provide a backwards-compatible default. In many scenarios, an explicit allow-based strategy is more appropriate. Users with specific security requirements are encouraged to implement :class:`.AlgorithmUsagePolicy` themselves. :param weak_hash_algos: The list of digest algorithms considered weak. Defaults to :const:`.DEFAULT_WEAK_HASH_ALGOS`. :param weak_signature_algos: The list of digest algorithms considered weak. Defaults to the empty set. :param rsa_key_size_threshold: The key length threshold for RSA keys, in bits. :param dsa_key_size_threshold: The key length threshold for DSA keys, in bits. iix cCs||_||_||_||_dSr1)weak_hash_algosweak_signature_algosrsa_key_size_thresholddsa_key_size_threshold)r6rrrrr'r'r(__init__)s z%DisallowWeakAlgorithmsPolicy.__init__rrrsr0cCst|dj|jvS)N algorithm)rnativerrwr'r'r(rx6sz5DisallowWeakAlgorithmsPolicy.digest_algorithm_allowedryc Cs|j}||jv}|d}|dk}|rH|durH|s|rH|j}d} |r+||jkr+|j} n |r5||jkr5|j} | durHtdd|d|d| dSz|j} Wn tyXd} Ynw|r| dur| t d|ji|} | stdd | d |dj d | j d St|d S)NrsadsaFz Key size z for algorithm z- is considered too small; policy mandates >= )rmrorzDigest algorithm z< is not allowed, which disqualifies the signature mechanism z as well.)rmrornrp)signature_algor startswithbit_sizerrr hash_algorLrxrr|rrn) r6rrrsry algo_name algo_allowedis_rsais_dsakey_szfailed_thresholdrdigest_allowedr'r'r(r{=sH      z8DisallowWeakAlgorithmsPolicy.signature_algorithm_allowedN)r!r"r#r$rr`rrr|rrrrxr}r r~r{r'r'r'r(rs.   rc@sNeZdZdejdeedefddZdej deedee j defddZ d S) rrrrsr0cC tddSNTrprrwr'r'r(rxms z,AcceptAllAlgorithms.digest_algorithm_allowedrycCrrrrzr'r'r(r{rs z/AcceptAllAlgorithms.signature_algorithm_allowedN) r!r"r#rr|rrrrxr}r r~r{r'r'r'r(rls" r)*r$abcrS dataclassesrrrtypingrrr asn1cryptorr name_treesr __all__r`r#FRESHNESS_FALLBACK_VALIDITY_DEFAULTruniqueEnumr r rCrr4rr3r2rJrrrQrcrrABCrrrr'r'r'r(st    i / n2\