o

�hِ�	@
spdd
lm
Z

ddlZddlZddlZddlZddlZddlmZ
ddl	m
Z
ddlm
Z
mZ
ddlmZmZmZmZmZmZmZmZ
ddlmZmZmZ
ddlmZmZmZm Z 
dd	l!m"Z"m#Z#
dd
l$m%Z%
e�ddd�Z&ej'e
j(e
j)e
j*e
j+e
j,e
j-e
j.e
j/fZ0Gd
d�de1�Z2d?dd�Z3d@dd�Z4dAdd �Z5Gd!d"�d"�Z6Gd#d$�d$�Z7Gd%d&�d&ej8�Z9Gd'd(�d(e1�Z:Gd)d*�d*ej;d+�Z<e<�=ej<�

Gd,d-�d-ej;d+�Z>e>�=ej>�

Gd.d/�d/e>�Z?Gd0d1�d1ej;d+�Z@e@�=ej@�

Gd2d3�d3ej;d+�ZAeA�=ejA�

ejBZBejCZCejDZDejEZEejFZFejGZGejHZHGd4d5�d5�ZIGd6d7�d7�ZJGd8d9�d9�ZKGd:d;�d;�ZLdBd=d>�ZMdS)C�)
�annotationsN)
�utils)
�x509)�hashes�
serialization)�dsa�ec�ed448�ed25519�padding�rsa�x448�x25519)� CertificateIssuerPrivateKeyTypes�CertificateIssuerPublicKeyTypes�CertificatePublicKeyTypes)�	Extension�
Extensions�
ExtensionType�_make_sequence_methods)�Name�	_ASN1Type)
�ObjectIdentifieri��
c
�eZ
dZd	�f
dd�Z�ZS)
�AttributeNotFound�msg�str�oidr�return�Nonec
�t��
|
�

||_dS�
N)�super�__init__r)�selfrr�
�	__class__��I/usr/local/CyberCP/lib/python3.10/site-packages/cryptography/x509/base.pyr$9�


zAttributeNotFound.__init__)rrrrrr ��__name__�
__module__�__qualname__r$�
__classcell__r(r(r&r)r8�
r�	extension�Extension[ExtensionType]�
extensions�list[Extension[ExtensionType]]rr cC
s"|
D]}|j|jkrt
d
�
�
qdS)Nz$This extension has already been set.)r�
ValueError)r1r3�
er(r(r)�_reject_duplicate_extension>s


��r7rr�
attributes�0list[tuple[ObjectIdentifier, bytes, int | None]]cC
s$|
D]
\}}}||krtd
�
�
qdS)Nz$This attribute has already been set.)
r5)rr8�attr_oid�
_r(r(r)�_reject_duplicate_attributeHs


��r<�time�datetime.datetimec
C
s6|jd
u
r|�
�}
|
r
|
nt��}
|jd
d�
|
S|S)z�Normalizes a datetime to a naive datetime in UTC.

    time -- datetime to normalize. Assumed to be in UTC if not timezone
            aware.
    N�
�tzinfo)r@�	utcoffset�datetime�	timedelta�replace)r=�offsetr(r(r)�_convert_to_naive_utc_timeRs




rFc@
sXeZ
dZejjf
dd	d
�Zeddd��
Zedd
d��
Zddd�Z	ddd�Z
ddd�ZdS) �	Attributerr�value�bytes�_type�intrr cC
�|
|_||_
||_dSr")�_oid�_valuerJ)r%rrHrJr(r(r)r$a�


zAttribute.__init__c


C
�|jSr")
rM�
r%r(r(r)rk�z
Attribute.oidc


C
rPr")
rNrQr(r(r)rHorRzAttribute.valuerc

C
sd
|j�d|j
�d�S)Nz<Attribute(oid=z, value=�)>)rrHrQr(r(r)�__repr__s�
zAttribute.__repr__�other�object�boolcC
s2t|
t
�stS|j|
jko|j|
jko|j|
jkSr")�
isinstancerG�NotImplementedrrHrJ�r%rVr(r(r)�__eq__vs




�
�zAttribute.__eq__c

C
st|j
|j|jf�
Sr")�hashrrHrJrQr(r(r)�__hash__�s
zAttribute.__hash__N)rrrHrIrJrKrr �rr�rrI�rr�rVrWrrX�rrK)r,r-r.r�
UTF8StringrHr$�propertyrrTr\r^r(r(r(r)rG`s�





rGc@
s8eZ
dZddd�Zed�
\ZZZdd	d
�Zddd�Z	dS)�
Attributesr8�typing.Iterable[Attribute]rr cC
st|
�
|_
dSr")�list�_attributes)r%r8r(r(r)r$�szAttributes.__init__rirc

C
sd
|j�d�S)Nz<Attributes(rS)
rirQr(r(r)rT�s
zAttributes.__repr__rrrGcC
s.|D]}|j|
kr
|
Sqt
d
|
�d�|
��
)NzNo z attribute was found)rr)r%r�attrr(r(r)�get_attribute_for_oid�s




�z Attributes.get_attribute_for_oidN)r8rgrr ra)rrrrG)
r,r-r.r$r�__len__�__iter__�__getitem__rTrkr(r(r(r)rf�s



rfc
@
seZ
dZd
ZdZdS)�Versionr
�N)r,r-r.�v1�v3r(r(r(r)ro�s

roc
r)
�InvalidVersionrr�parsed_versionrKrr c
r!r")r#r$rt)r%rrtr&r(r)r$�r*zInvalidVersion.__init__)rrrtrKrr r+r(r(r&r)rs�r0rsc@
s�
eZ
dZejdBdd��
ZeejdCdd	��
�
ZeejdDdd��
�
ZejdEdd��
Z	eejdFdd��
�
Z
eejdGdd��
�
ZeejdGdd��
�
ZeejdGdd��
�
Z
eejdGdd��
�
ZeejdHdd��
�
ZeejdHdd ��
�
ZeejdId"d#��
�
ZeejdFd$d%��
�
ZeejdJd'd(��
�
ZeejdKd*d+��
�
ZeejdLd,d-��
�
ZeejdLd.d/��
�
ZeejdLd0d1��
�
ZejdMd5d6��
ZejdCd7d8��
ZejdNd;d<��
ZejdOd?d@��
ZdAS)P�Certificate�	algorithm�hashes.HashAlgorithmrrIc
C
�d
S�z4
        Returns bytes using digest passed.
        Nr(�r%rvr(r(r)�fingerprint��zCertificate.fingerprintrKc


C
rx)z3
        Returns certificate serial number
        Nr(rQr(r(r)�
serial_number�r|zCertificate.serial_numberroc


C
rx)z1
        Returns the certificate version
        Nr(rQr(r(r)�version�r|zCertificate.versionrc


C
rx�z(
        Returns the public key
        Nr(rQr(r(r)�
public_key�r|zCertificate.public_keyrc


C
rx)zA
        Returns the ObjectIdentifier of the public key.
        Nr(rQr(r(r)�public_key_algorithm_oid�r|z$Certificate.public_key_algorithm_oidr>c


C
rx)z?
        Not before time (represented as UTC datetime)
        Nr(rQr(r(r)�not_valid_before�r|zCertificate.not_valid_beforec


C
rx)zK
        Not before time (represented as a non-naive UTC datetime)
        Nr(rQr(r(r)�not_valid_before_utc�r|z Certificate.not_valid_before_utcc


C
rx)z>
        Not after time (represented as UTC datetime)
        Nr(rQr(r(r)�not_valid_after�r|zCertificate.not_valid_afterc


C
rx)zJ
        Not after time (represented as a non-naive UTC datetime)
        Nr(rQr(r(r)�not_valid_after_utc�r|zCertificate.not_valid_after_utcrc


C
rx)z1
        Returns the issuer name object.
        Nr(rQr(r(r)�issuer�r|zCertificate.issuerc


C
rx�z2
        Returns the subject name object.
        Nr(rQr(r(r)�subject�r|zCertificate.subject�hashes.HashAlgorithm | Nonec


C
rx�zt
        Returns a HashAlgorithm corresponding to the type of the digest signed
        in the certificate.
        Nr(rQr(r(r)�signature_hash_algorithm�r|z$Certificate.signature_hash_algorithmc


C
rx�zJ
        Returns the ObjectIdentifier of the signature algorithm.
        Nr(rQr(r(r)�signature_algorithm_oid�r|z#Certificate.signature_algorithm_oid�0None | padding.PSS | padding.PKCS1v15 | ec.ECDSAc


C
rx�z=
        Returns the signature algorithm parameters.
        Nr(rQr(r(r)�signature_algorithm_parameters
r|z*Certificate.signature_algorithm_parametersrc


C
rx)z/
        Returns an Extensions object.
        Nr(rQr(r(r)r3	
r|zCertificate.extensionsc


C
rx�z.
        Returns the signature bytes.
        Nr(rQr(r(r)�	signature
r|zCertificate.signaturec


C
rx)zR
        Returns the tbsCertificate payload bytes as defined in RFC 5280.
        Nr(rQr(r(r)�tbs_certificate_bytes
r|z!Certificate.tbs_certificate_bytesc


C
rx)zh
        Returns the tbsCertificate payload bytes with the SCT list extension
        stripped.
        Nr(rQr(r(r)�tbs_precertificate_bytes
r|z$Certificate.tbs_precertificate_bytesrVrWrXc
C
rx�z"
        Checks equality.
        Nr(r[r(r(r)r\&
r|zCertificate.__eq__c


C
rx�z"
        Computes a hash.
        Nr(rQr(r(r)r^,
r|zCertificate.__hash__�encoding�serialization.Encodingc
C
rx)zB
        Serializes the certificate to PEM or DER format.
        Nr(�r%r�r(r(r)�public_bytes2
r|zCertificate.public_bytesr�r c
C
rx)z�
        This method verifies that certificate issuer name matches the
        issuer subject name and that the certificate is signed by the
        issuer's private key. No other validation is performed.
        Nr()r%r�r(r(r)�verify_directly_issued_by8
r|z%Certificate.verify_directly_issued_byN�rvrwrrIrc)rro�rrr_�rr>�rr�rr��rr��rrr`rb�r�r�rrI)r�rurr )r,r-r.�abc�abstractmethodr{rer}r~r�r�r�r�r�r�r�r�r�r�r�r3r�r�r�r\r^r�r�r(r(r(r)ru�sz






































ru)
�	metaclassc@
s\eZ
dZeejddd��
�
Zeejddd��
�
Zeejddd	��
�
Zeejddd��
�
Z	d
S)�RevokedCertificaterrKc


C
rx)zG
        Returns the serial number of the revoked certificate.
        Nr(rQr(r(r)r}F
r|z RevokedCertificate.serial_numberr>c


C
rx)zH
        Returns the date of when this certificate was revoked.
        Nr(rQr(r(r)�revocation_dateM
r|z"RevokedCertificate.revocation_datec


C
rx)zl
        Returns the date of when this certificate was revoked as a non-naive
        UTC datetime.
        Nr(rQr(r(r)�revocation_date_utcT
r|z&RevokedCertificate.revocation_date_utcrc


C
rx)zW
        Returns an Extensions object containing a list of Revoked extensions.
        Nr(rQr(r(r)r3\
r|zRevokedCertificate.extensionsNrcr�r�)
r,r-r.rer�r�r}r�r�r3r(r(r(r)r�E
s








r�c@
sNeZ
dZddd�Zedd
d��
Zeddd
��
Zeddd��
Zeddd��
ZdS)�_RawRevokedCertificater}rKr�r>r3rcC
rLr"��_serial_number�_revocation_date�_extensions�r%r}r�r3r(r(r)r$i
rOz_RawRevokedCertificate.__init__rc


C
rPr")
r�rQr(r(r)r}s
rRz$_RawRevokedCertificate.serial_numberc

C
stj
d
tjdd�
|jS)NukProperties that return a naïve datetime object have been deprecated. Please switch to revocation_date_utc.rp)
�
stacklevel)�warnings�warnr�DeprecatedIn42r�rQr(r(r)r�w
s

�z&_RawRevokedCertificate.revocation_datec

C
s|jj
tjjd
�
S)Nr?)r�rDrB�timezone�utcrQr(r(r)r��
sz*_RawRevokedCertificate.revocation_date_utcc


C
rPr")
r�rQr(r(r)r3�
rRz!_RawRevokedCertificate.extensionsN)r}rKr�r>r3rrcr�r�)	r,r-r.r$rer}r�r�r3r(r(r(r)r�h
s




	

r�c@
s�
eZ
dZejdFdd��
ZejdGd	d
��
ZejdHdd��
ZeejdIdd��
�
Z	eejdJdd��
�
Z
eejdKdd��
�
ZeejdLdd��
�
ZeejdMdd��
�
Z
eejdMdd ��
�
ZeejdNd"d#��
�
ZeejdNd$d%��
�
ZeejdOd'd(��
�
ZeejdPd)d*��
�
ZeejdPd+d,��
�
ZejdQd0d1��
ZejdRd2d3��
ZejdSd6d7��
ZejdTd:d7��
ZejdUd=d7��
ZejdVd?d@��
ZejdWdCdD��
ZdES)X�CertificateRevocationListr�r�rrIc
C
rx)z:
        Serializes the CRL to PEM or DER format.
        Nr(r�r(r(r)r��
r|z&CertificateRevocationList.public_bytesrvrwc
C
rxryr(rzr(r(r)r{�
r|z%CertificateRevocationList.fingerprintr}rK�RevokedCertificate | Nonec
C
rx)zs
        Returns an instance of RevokedCertificate or None if the serial_number
        is not in the CRL.
        Nr()r%r}r(r(r)�(get_revoked_certificate_by_serial_number�
r|zBCertificateRevocationList.get_revoked_certificate_by_serial_numberr�c


C
rxr�r(rQr(r(r)r��
r|z2CertificateRevocationList.signature_hash_algorithmrc


C
rxr�r(rQr(r(r)r��
r|z1CertificateRevocationList.signature_algorithm_oidr�c


C
rxr�r(rQr(r(r)r��
r|z8CertificateRevocationList.signature_algorithm_parametersrc


C
rx)zC
        Returns the X509Name with the issuer of this CRL.
        Nr(rQr(r(r)r��
r|z CertificateRevocationList.issuer�datetime.datetime | Nonec


C
rx)z?
        Returns the date of next update for this CRL.
        Nr(rQr(r(r)�next_update�
r|z%CertificateRevocationList.next_updatec


C
rx)zc
        Returns the date of next update for this CRL as a non-naive UTC
        datetime.
        Nr(rQr(r(r)�next_update_utc�
r|z)CertificateRevocationList.next_update_utcr>c


C
rx)z?
        Returns the date of last update for this CRL.
        Nr(rQr(r(r)�last_update�
r|z%CertificateRevocationList.last_updatec


C
rx)zc
        Returns the date of last update for this CRL as a non-naive UTC
        datetime.
        Nr(rQr(r(r)�last_update_utc�
r|z)CertificateRevocationList.last_update_utcrc


C
rx)zS
        Returns an Extensions object containing a list of CRL extensions.
        Nr(rQr(r(r)r3�
r|z$CertificateRevocationList.extensionsc


C
rxr�r(rQr(r(r)r��
r|z#CertificateRevocationList.signaturec


C
rx)zO
        Returns the tbsCertList payload bytes as defined in RFC 5280.
        Nr(rQr(r(r)�tbs_certlist_bytes�
r|z,CertificateRevocationList.tbs_certlist_bytesrVrWrXc
C
rxr�r(r[r(r(r)r\�
r|z CertificateRevocationList.__eq__c


C
rx)z<
        Number of revoked certificates in the CRL.
        Nr(rQr(r(r)rl�
r|z!CertificateRevocationList.__len__�idxr�c
C
�dSr"r(�r%r�r(r(r)rn�
z%CertificateRevocationList.__getitem__�slice�list[RevokedCertificate]c
C
r�r"r(r�r(r(r)rnr��int | slice�-RevokedCertificate | list[RevokedCertificate]c
C
rx)zS
        Returns a revoked certificate (or slice of revoked certificates).
        Nr(r�r(r(r)rnr|�#typing.Iterator[RevokedCertificate]c


C
rx)z8
        Iterator over the revoked certificates
        Nr(rQr(r(r)rmr|z"CertificateRevocationList.__iter__r�rc
C
rx)zQ
        Verifies signature of revocation list against given public key.
        Nr()r%r�r(r(r)�is_signature_validr|z,CertificateRevocationList.is_signature_validNr�r�)r}rKrr�r�r_r�r�)rr�r�r�r`rbrc)r�rKrr�)r�r�rr�)r�r�rr�)rr�)r�rrrX)r,r-r.r�r�r�r{r�rer�r�r�r�r�r�r�r�r3r�r�r\rl�typing�overloadrnrmr�r(r(r(r)r��
sl
































r�c@
s
eZ
dZejd.dd��
Zejd/dd	��
Zejd0dd��
Zeejd1dd��
�
Z	eejd2dd��
�
Z
eejd3dd��
�
Zeejd4dd��
�
Zeejd5dd��
�
Z
eejd6dd��
�
Zejd7d"d#��
Zeejd8d$d%��
�
Zeejd8d&d'��
�
Zeejd9d(d)��
�
Zejd:d+d,��
Zd-S);�CertificateSigningRequestrVrWrrXc
C
rxr�r(r[r(r(r)r\!r|z CertificateSigningRequest.__eq__rKc


C
rxr�r(rQr(r(r)r^'r|z"CertificateSigningRequest.__hash__rc


C
rxrr(rQr(r(r)r�-r|z$CertificateSigningRequest.public_keyrc


C
rxr�r(rQr(r(r)r�3r|z!CertificateSigningRequest.subjectr�c


C
rxr�r(rQr(r(r)r�:r|z2CertificateSigningRequest.signature_hash_algorithmrc


C
rxr�r(rQr(r(r)r�Dr|z1CertificateSigningRequest.signature_algorithm_oidr�c


C
rxr�r(rQr(r(r)r�Kr|z8CertificateSigningRequest.signature_algorithm_parametersrc


C
rx)z@
        Returns the extensions in the signing request.
        Nr(rQr(r(r)r3Tr|z$CertificateSigningRequest.extensionsrfc


C
rx)z/
        Returns an Attributes object.
        Nr(rQr(r(r)r8[r|z$CertificateSigningRequest.attributesr�r�rIc
C
rx)z;
        Encodes the request to PEM or DER format.
        Nr(r�r(r(r)r�br|z&CertificateSigningRequest.public_bytesc


C
rxr�r(rQr(r(r)r�hr|z#CertificateSigningRequest.signaturec


C
rx)zd
        Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC
        2986.
        Nr(rQr(r(r)�tbs_certrequest_bytesor|z/CertificateSigningRequest.tbs_certrequest_bytesc


C
rx)z8
        Verifies signature of signing request.
        Nr(rQr(r(r)r�wr|z,CertificateSigningRequest.is_signature_validrc
C
rx)z:
        Get the attribute value for a given OID.
        Nr()r%rr(r(r)rk~r|z/CertificateSigningRequest.get_attribute_for_oidNrbrcr�r�r�r_r�r�)rrfr�r`)rrX)rrrrI)r,r-r.r�r�r\r^r�rer�r�r�r�r3r8r�r�r�r�rkr(r(r(r)r� sL























r�c@
sVeZ
dZd
ggfd*dd	�Zd+d
d�Zd,dd�Zd
d�
d-dd�Z	
d.d
d�
d/d(d)�Zd
S)0� CertificateSigningRequestBuilderN�subject_name�Name | Noner3r4r8r9cC
s|
|_||_
||_d
S)zB
        Creates an empty X.509 certificate request (v1).
        N)�
_subject_namer�ri)r%r�r3r8r(r(r)r$�s	


z)CertificateSigningRequestBuilder.__init__�namerrcC
s4t|
t
�s	td
�
�
|jdu
rtd�
�
t|
|j|j�S)zF
        Sets the certificate requestor's distinguished name.
        �Expecting x509.Name object.N�&The subject name may only be set once.)rYr�	TypeErrorr�r5r�r�ri�r%r�r(r(r)r��s







�z-CertificateSigningRequestBuilder.subject_name�extvalr�criticalrXcC
sFt|
t
�s	td
�
�
t|
j||
�}t||j�
t|jg|j�
|�
|j	�S)zE
        Adds an X.509 extension to the certificate request.
        �"extension must be an ExtensionType)
rYrr�rrr7r�r�r�ri�r%r�r�r1r(r(r)�
add_extension�s





�z.CertificateSigningRequestBuilder.add_extension)
�_tagrrrHrIr��_ASN1Type | Nonec
C
s~t|
t
�s	td
�
�
t|t�std�
�
|du
rt|t�std�
�
t|
|j�
|du
r-|j}nd}t|j	|j
g|j�
|
||f�
�S)zK
        Adds an X.509 attribute with an OID and associated value.
        zoid must be an ObjectIdentifierzvalue must be bytesNztag must be _ASN1Type)rYrr�rIrr<rirHr�r�r�)r%rrHr��tagr(r(r)�
add_attribute�s









�z.CertificateSigningRequestBuilder.add_attribute�
�rsa_padding�private_keyrrv�_AllowedHashTypes | None�backend�
typing.Anyr��%padding.PSS | padding.PKCS1v15 | Noner�c
C
sX|jd
ur	t
d�
�
|d
u
r$t|tjtjf�std�
�
t|
tj�s$td�
�
t	�
||
||�S)zF
        Signs the request using the requestor's private key.
        Nz/A CertificateSigningRequest must have a subject�Padding must be PSS or PKCS1v15�&Padding is only supported for RSA keys)r�r5rYr�PSS�PKCS1v15r�r�
RSAPrivateKey�	rust_x509�create_x509_csr�r%r�rvr�r�r(r(r)�sign�s






�z%CertificateSigningRequestBuilder.sign)r�r�r3r4r8r9)r�rrr�)r�rr�rXrr�)rrrHrIr�r�rr�r")
r�rrvr�r�r�r�r�rr�)r,r-r.r$r�r�r�r�r(r(r(r)r��s

�

�$��r�c@
s�eZ
dZUd
ed<ddddddgfd9dd�Zd:dd�Zd:dd�Zd;dd�Zd<dd �Zd=d#d$�Z	d=d%d&�Z
d>d+d,�Z	d?dd-�
d@d7d8�ZdS)A�CertificateBuilderr4r�N�issuer_namer�r�r�� CertificatePublicKeyTypes | Noner}�
int | Noner�r�r�r3rr cC
s6tj
|_|
|_||_||_||_||_||_||_	dSr")
rorr�_version�_issuer_namer��_public_keyr��_not_valid_before�_not_valid_afterr�)r%r�r�r�r}r�r�r3r(r(r)r$�s








zCertificateBuilder.__init__r�rcC
sDt|
t
�s	td
�
�
|jdu
rtd�
�
t|
|j|j|j|j	|j
|j�S)z3
        Sets the CA's distinguished name.
        r�N�%The issuer name may only be set once.)rYrr�r�r5r�r�r�r�r�r�r�r�r(r(r)r�s












�zCertificateBuilder.issuer_namecC
sDt|
t
�s	td
�
�
|jdu
rtd�
�
t|j|
|j|j|j	|j
|j�S)z:
        Sets the requestor's distinguished name.
        r�Nr�)rYrr�r�r5r�r�r�r�r�r�r�r�r(r(r)r�"s












�zCertificateBuilder.subject_name�keyrc	C
s`t|
t
jtjtjtjt	j
tjt
jf�std
�
�
|jdu
r td�
�
t|j|j|
|j|j|j|j�S)zT
        Sets the requestor's public key (as found in the signing request).
        z�Expecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey, Ed448PublicKey, X25519PublicKey, or X448PublicKey.Nz$The public key may only be set once.)rYr�DSAPublicKeyr�RSAPublicKeyr�EllipticCurvePublicKeyr
�Ed25519PublicKeyr	�Ed448PublicKeyr�X25519PublicKeyr
�
X448PublicKeyr�r�r5r�r�r�r�r�r�r�)r%r�r(r(r)r�4s2






��
�









�zCertificateBuilder.public_key�numberrKcC
sht|
t
�s	td
�
�
|jdu
rtd�
�
|
dk
rtd�
�
|
��dkr$td�
�
t|j|j|j	|
|j
|j|j�S)z5
        Sets the certificate serial number.
        �'Serial number must be of integral type.N�'The serial number may only be set once.r
z%The serial number should be positive.��3The serial number should not be more than 159 bits.)
rYrKr�r�r5�
bit_lengthr�r�r�r�r�r�r��r%r

r(r(r)r}Ys&








�






�z CertificateBuilder.serial_numberr=r>cC
szt|
t
j
�s
td
�
�
|jdu
rtd�
�
t|
�
}
|
tkrtd�
�
|jdu
r-|
|jkr-td�
�
t|j	|j
|j|j|
|j|j
�S)z7
        Sets the certificate activation time.
        �Expecting datetime object.Nz*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)rYrBr�r�r5rF�_EARLIEST_UTC_TIMEr�r�r�r�r�r�r��r%r=r(r(r)r�ts,







�

�






�z#CertificateBuilder.not_valid_beforecC
szt|
t
j
�s
td
�
�
|jdu
rtd�
�
t|
�
}
|
tkrtd�
�
|jdu
r-|
|jkr-td�
�
t|j	|j
|j|j|j|
|j
�S)z7
        Sets the certificate expiration time.
        r
Nz)The not valid after may only be set once.z<The not valid after date must be on or after 1950 January 1.zAThe not valid after date must be after the not valid before date.)rYrBr�r�r5rFr	
r�r�r�r�r�r�r�r

r(r(r)r��s.







�



�






�z"CertificateBuilder.not_valid_afterr�rr�rXc	C
sVt|
t
�s	td
�
�
t|
j||
�}t||j�
t|j|j	|j
|j|j|j
g|j�
|�
�S)z=
        Adds an X.509 extension to the certificate.
        r�)rYrr�rrr7r�r�r�r�r�r�r�r�r�r(r(r)r��s









�z CertificateBuilder.add_extensionr�r�rrvr�r�r�r�r�ruc
C
s�|jd
ur	t
d�
�
|jd
urt
d�
�
|jd
urt
d�
�
|jd
ur$t
d�
�
|jd
ur-t
d�
�
|jd
ur6t
d�
�
|d
u
rQt|tj	tj
f�sGtd�
�
t|
tj
�sQtd	�
�
t�||
||�S)
zC
        Signs the certificate using the CA's private key.
        Nz&A certificate must have a subject namez&A certificate must have an issuer namez'A certificate must have a serial numberz/A certificate must have a not valid before timez.A certificate must have a not valid after timez$A certificate must have a public keyr�r�)r�r5r�r�r�r�r�rYrr�r�r�rr�r��create_x509_certificater�r(r(r)r��s(
















�zCertificateBuilder.sign)r�r�r�r�r�r�r}r�r�r�r�r�r3r4rr )r�rrr�)r�rrr�)r

rKrr�)r=r>rr�)r�rr�rXrr�r")
r�rrvr�r�r�r�r�rru)
r,r-r.�__annotations__r$r�r�r�r}r�r�r�r�r(r(r(r)r��s*







�



%


 ��r�c@
szeZ
dZUd
ed<ded<dddggfd.d
d�Zd/dd�Zd0dd�Zd1dd�Zd2dd�Zd3d d!�Z		d4dd"�
d5d,d-�Z
dS)6� CertificateRevocationListBuilderr4r�r��_revoked_certificatesNr�r�r�r�r�r3�revoked_certificatescC
s"|
|_||_
||_||_||_dSr")r��_last_update�_next_updater�r
)r%r�r�r�r3r
r(r(r)r$�s





z)CertificateRevocationListBuilder.__init__rrcC
s<t|
t
�s	td
�
�
|jdu
rtd�
�
t|
|j|j|j|j	�S)Nr�r�)
rYrr�r�r5r

r
r
r�r
)r%r�r(r(r)r�
s










�z,CertificateRevocationListBuilder.issuer_namer>cC
srt|
t
j
�s
td
�
�
|jdu
rtd�
�
t|
�
}
|
tkrtd�
�
|jdu
r-|
|jkr-td�
�
t|j	|
|j|j
|j�S)Nr
�!Last update may only be set once.�8The last update date must be on or after 1950 January 1.z9The last update date must be before the next update date.)rYrBr�r
r5rFr	
r
r

r�r�r
)r%r�r(r(r)r�s(







�

�




�z,CertificateRevocationListBuilder.last_updatecC
srt|
t
j
�s
td
�
�
|jdu
rtd�
�
t|
�
}
|
tkrtd�
�
|jdu
r-|
|jkr-td�
�
t|j	|j|
|j
|j�S)Nr
r
r
z8The next update date must be after the last update date.)rYrBr�r
r5rFr	
r
r

r�r�r
)r%r�r(r(r)r�(s(







�

�




�z,CertificateRevocationListBuilder.next_updater�rr�rXcC
sNt|
t
�s	td
�
�
t|
j||
�}t||j�
t|j|j	|j
g|j�
|�
|j�S)zM
        Adds an X.509 extension to the certificate revocation list.
        r�)rYrr�rrr7r�r

r�r
r
r
r�r(r(r)r�@s








�z.CertificateRevocationListBuilder.add_extension�revoked_certificater�cC
s4t|
t
�s	td
�
�
t|j|j|j|jg|j�
|
�
�S)z8
        Adds a revoked certificate to the CRL.
        z)Must be an instance of RevokedCertificate)	rYr�r�r

r�r
r
r�r
)r%r
r(r(r)�add_revoked_certificateSs






�z8CertificateRevocationListBuilder.add_revoked_certificater�r�rrvr�r�r�r�r�r�c
C
s||jdur	t
d
�
�
|jdurt
d�
�
|jdurt
d�
�
|du
r6t|tjtjf�s,td�
�
t|
t	j
�s6td�
�
t�||
||�S)NzA CRL must have an issuer namez"A CRL must have a last update timez"A CRL must have a next update timer�r�)
r�r5r
r
rYrr�r�r�rr�r��create_x509_crlr�r(r(r)r�ds










�z%CertificateRevocationListBuilder.sign)
r�r�r�r�r�r�r3r4r
r�)r�rrr

)r�r>rr

)r�r>rr

)r�rr�rXrr

)r
r�rr

r")
r�rrvr�r�r�r�r�rr�)r,r-r.r
r$r�r�r�r�r
r�r(r(r(r)r

�s$






�




��r

c@
sHeZ
dZd
d
gfddd	�Zdd
d�Zd dd�Zd!dd�Zd"d#dd�Zd
S)$�RevokedCertificateBuilderNr}r�r�r�r3r4cC
rLr"r�r�r(r(r)r$�rOz"RevokedCertificateBuilder.__init__r

rKrcC
sXt|
t
�s	td
�
�
|jdu
rtd�
�
|
dk
rtd�
�
|
��dkr$td�
�
t|
|j|j�S)Nr
r
r
z$The serial number should be positiver
r
)	rYrKr�r�r5r
r
r�r�r
r(r(r)r}�s









�

�z'RevokedCertificateBuilder.serial_numberr=r>cC
sNt|
t
j
�s
td
�
�
|jdu
rtd�
�
t|
�
}
|
tkrtd�
�
t|j|
|j	�S)Nr
z)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.)
rYrBr�r�r5rFr	
r
r�r�r

r(r(r)r��s







�

�z)RevokedCertificateBuilder.revocation_dater�rr�rXcC
sFt|
t
�s	td
�
�
t|
j||
�}t||j�
t|j|j	g|j�
|�
�S)Nr�)
rYrr�rrr7r�r
r�r�r�r(r(r)r��s






�z'RevokedCertificateBuilder.add_extensionr�r�r�cC
s:|jdur	t
d
�
�
|jdurt
d�
�
t|j|jt|j�
�S)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)r�r5r�r�rr�)r%r�r(r(r)�build�s






�


�zRevokedCertificateBuilder.build)r}r�r�r�r3r4)r

rKrr
)r=r>rr
)r�rr�rXrr
r")r�r�rr�)r,r-r.r$r}r�r�r
r(r(r(r)r
�s

�



r
rKcC
st�
t�d
�
d�d?S)N��bigr)rK�
from_bytes�os�urandomr(r(r(r)�random_serial_number�rUr
)r1r2r3r4rr )rrr8r9rr )r=r>rr>rc)N�
__future__rr�rBr
r�r��cryptographyr�"cryptography.hazmat.bindings._rustrr��cryptography.hazmat.primitivesrr�)cryptography.hazmat.primitives.asymmetricrrr	r
rrr
r�/cryptography.hazmat.primitives.asymmetric.typesrrr�cryptography.x509.extensionsrrrr�cryptography.x509.namerr�cryptography.x509.oidrr	
�Union�SHA224�SHA256�SHA384�SHA512�SHA3_224�SHA3_256�SHA3_384�SHA3_512�_AllowedHashTypes�	Exceptionrr7r<rFrGrf�Enumrors�ABCMetaru�registerr�r�r�r��load_pem_x509_certificate�load_der_x509_certificate�load_pem_x509_certificates�load_pem_x509_csr�load_der_x509_csr�load_pem_x509_crl�load_der_x509_crlr�r�r

r
r
r(r(r(r)�<module>
sv





(










��




$  "f


evI