o &zhV(@sddlmZddlmZmZmZmZmZmZmZm Z ddl m Z m Z m Z ddlmZddlmZmZddlmZddlmZmZmZmZmZmZddlmZdd lmZdd l m!Z!m"Z"m#Z#Gd d d Z$d S))datetime)AsyncGenerator AsyncIterable AsyncIteratorDictIterableListOptionalSet)crlocspx509) Authority) CRLFetchErrorOCSPFetchError)Fetchers)KnownPOE POEManagerPOETypeValidationObjectValidationObjectTypedigest_for_poe)NonRevokedStatusAssertion)CertificateRegistry) CRLContainer OCSPContainersort_freshest_firstc@sxeZdZdZ  d2dededeedeedee d e e f d d Z e d efd dZe d efddZe d efddZe d eejfddZe d eejfddZe d eejfddZdefddZddZd e ejfddZd eefd d!Zd eefd"d#Z d eefd$d%Z!d&e"d eefd'd(Z#d)e$e%fd*d+Z&d)e$e%fd,d-Z'd.ejd/e(d efd0d1Z)dS)3RevinfoManagera .. versionadded:: 0.20.0 Class to manage and potentially fetch revocation information. :param certificate_registry: The associated certificate registry. :param poe_manager: The proof-of-existence (POE) data manager. :param crls: CRL data. :param ocsps: OCSP response data. :param fetchers: Fetchers for collecting revocation information. If ``None``, no fetching will be performed. Ncertificate_registry poe_managercrlsocsps assertionsfetcherscCsr||_||_i|_i|_g|_|rt||_g|_|r,t||_}|D]}||q$||_dd|D|_ dS)NcSsi|]}|j|qSr) cert_sha256).0 assertionrr`/var/www/html/kangema/venv/lib/python3.10/site-packages/pyhanko_certvalidator/revinfo/manager.py Osz+RevinfoManager.__init__..) _certificate_registry _poe_manager_revocation_certs_crl_issuer_map_crlsr_ocsps_extract_ocsp_certs _fetchers _assertions)selfrr r!r"r#r$ ocsp_responserrr(__init__5s     zRevinfoManager.__init__returncC|jS)z< The proof-of-existence (POE) data manager. )r+r3rrr(r SzRevinfoManager.poe_managercCr7)z6 The associated certificate registry. )r*r8rrr(rZr9z#RevinfoManager.certificate_registrycCs |jduS)zA Boolean indicating whether fetching is allowed. N)r1r8rrr(fetching_allowedas zRevinfoManager.fetching_allowedcC.dd|jD}|js |St|jj|S)zK A list of all cached :class:`crl.CertificateList` objects cSg|]}|jqSr)crl_datar&contrrr( nz'RevinfoManager.crls..)r.r1list crl_fetcher fetched_crls)r3raw_crlsrrr(r!hszRevinfoManager.crlscCr;)zI A list of all cached :class:`ocsp.OCSPResponse` objects cSr<r)ocsp_response_datar>rrr(r@yrAz(RevinfoManager.ocsps..)r/r1rB ocsp_fetcherfetched_responses)r3 raw_ocspsrrr(r"sszRevinfoManager.ocspscCst|jS)z A list of newly-fetched :class:`x509.Certificate` objects that were obtained from OCSP responses and CRLs )rBr,valuesr8rrr(new_revocation_certssz#RevinfoManager.new_revocation_certsr4c Cs|j}||}|j}|j}|}|dur?|drA|dD]%}||r>|||j<|ttj t | |t t j|ddqdSdSdS)z Extracts any certificates included with an OCSP response and adds them to the certificate registry :param ocsp_response: An asn1crypto.ocsp.OCSPResponse object to look for certs inside of Ncerts) object_typevalue)poe_typedigestpoe_timevalidation_object)r+r*r,extract_basic_ocsp_responseregister issuer_serialregister_known_poerr VALIDATIONrdumprr CERTIFICATE)r3r4poe_man ocsp_poe_timeregistry revo_certsbasic other_certrrr(r0s.     z"RevinfoManager._extract_ocsp_certscCs||j|j<dS)aU Records the certificate that issued a certificate list. Used to reduce processing code when dealing with self-issued certificates and multiple CRLs. :param certificate_list: An ans1crypto.crl.CertificateList object :param cert: An ans1crypto.x509.Certificate object N)r- signature)r3certificate_listcertrrr(record_crl_issuers z RevinfoManager.record_crl_issuercCs|j|jS)a3 Checks to see if the certificate that signed a certificate list has been found :param certificate_list: An ans1crypto.crl.CertificateList object :return: None if not found, or an asn1crypto.x509.Certificate object of the issuer )r-getr`)r3rarrr(check_crl_issuers zRevinfoManager.check_crl_issuercCs4t|j}|jr|jj}|dd|D|S)z .. versionadded:: 0.27.0 Return all currently available CRLs. :return: A list of :class:`CRLContainer` objects css|]}t|VqdSNrr&r=rrr( sz:RevinfoManager.currently_available_crls..)rBr.r1rCrDextend)r3resultr!rrr(currently_available_crlss  z'RevinfoManager.currently_available_crlscs^|jstd|j}z|j|}Wnty%|j|IdH}Ynwdd|D}|S)z .. versionadded:: 0.27.0 Download all relevant CRLs for a given certificate. :param cert: An asn1crypto.x509.Certificate object :return: A list of :class:`CRLContainer` objects zNo CRL fetcher availableNcSg|]}t|qSrrgrhrrr(r@sz-RevinfoManager.fetch_crls..)r1rrCfetched_crls_for_certKeyErrorfetch)r3rbr$r!contsrrr( fetch_crlss  zRevinfoManager.fetch_crlscs*|}|jr|||IdH|S)z .. versionadded:: 0.20.0 :param cert: An asn1crypto.x509.Certificate object :return: A list of :class:`CRLContainer` objects N)rlr1rjrr)r3rbr!rrr(async_retrieve_crlss  z"RevinfoManager.async_retrieve_crls authorityc s|js|jS|j}dd|j|D}|s=|j||IdH}t|}|D]}z||Wq(ty<t dw||jS)a  .. versionadded:: 0.20.0 :param cert: An asn1crypto.x509.Certificate object :param authority: The issuing authority for the certificate :return: A list of :class:`OCSPContainer` objects cSrmr)r)r&resprrr(r@sz7RevinfoManager.async_retrieve_ocsps..Nz9Failed to extract certificates from fetched OCSP response) r1r/rGfetched_responses_for_certrpr load_multir0 ValueErrorr)r3rbrtr$r"rFrurrr(async_retrieve_ocspss*    z#RevinfoManager.async_retrieve_ocspshashes_to_evictc(dtffdd }tt||j|_dS)z Internal API to eliminate local OCSP records from consideration. :param hashes_to_evict: A collection of OCSP response hashes; see :func:`.digest_for_poe`. containerct|j}|vSrf)rrFrXr|rPrzrr(p1z%RevinfoManager.evict_ocsps..pN)rrBfilterr/r3rzrrrr( evict_ocsps)zRevinfoManager.evict_ocspscr{)z Internal API to eliminate local CRLs from consideration. :param hashes_to_evict: A collection of CRL hashes; see :func:`.digest_for_poe`. r|cr}rf)rr=rXr~rrr(r?rz$RevinfoManager.evict_crls..pN)rrBrr.rrrr( evict_crls7rzRevinfoManager.evict_crlsrbatcCs*z ||j|jjkWStyYdSw)NF)r2sha256rro)r3rbrrrr(check_asserted_unrevokedEs  z'RevinfoManager.check_asserted_unrevoked)rN)*__name__ __module__ __qualname____doc__rrrrrrr rr5propertyr rboolr:rr CertificateListr!r OCSPResponser"r CertificaterKr0rcrerlrrrsrryr bytesrrrrrrrr(r"sb   " ,rN)%rtypingrrrrrrr r asn1cryptor r r pyhanko_certvalidator.authorityrpyhanko_certvalidator.errorsrrpyhanko_certvalidator.fetchersrpyhanko_certvalidator.ltv.poerrrrrr!pyhanko_certvalidator.policy_declrpyhanko_certvalidator.registryr&pyhanko_certvalidator.revinfo.archivalrrrrrrrr(s (