o  `L~@sddlmZmZmZddlZddlZddlZddlmZddl m Z m Z m Z m Z ddlmZddlmZddlmZmZmZmZdd Zd d Zd d ZddZddZddZddZddZGdddeZ ddZ!ddZ"ddZ#d d!Z$d"d#Z%d$d%Z&d&d'Z'd(d)Z(d*d+Z)d,d-Z*d.d/Z+d0d1Z,d2d3Z-d4d5Z.d6d7Z/d8d9Z0d:d;Z1dZ2dZ4ej5j6ej5j7ej5j8ej5j9ej5j:ej5j;ej5jd@dAZ?dBdCZ@dDdEZAdFdGZBdHdIZCdJdKZDdLdMZEdNdOZFej5jGej5j6ej5j7ej5j8ej5j9ej5j:ej5j;ej5jHej5jKsz$_decode_x509_name..) rZX509_NAME_entry_countrangeZX509_NAME_get_entryr'ZX509_NAME_ENTRY_setappendaddrName) rZ x509_namecount attributesZ prev_set_idxentry attributeZset_idrrr_decode_x509_name<s    r5cCsR|j|}g}t|D]}|j||}|||jjk|t||q |Sr ) rZsk_GENERAL_NAME_numr,Zsk_GENERAL_NAME_valuerrrr-_decode_general_name)rgnsnumnamesignrrr_decode_general_namesNs  r<c Cs |j|jjkrt||jjd}tj |S|j|jj kr.t||jj d}tj |S|j|jj krDt||jj}tt|S|j|jjkrt||jj}t|}|dks^|dkrt|d|d}t||dd}tt|dd}|d}|dkrt|}d||dvrtdt|jd |} nt|} t| S|j|jjkrt t!||jj"S|j|jj#krt||jj$d}tj% |S|j|jj&krt||jj'j(} t)||jj'j*} t+t| | St,d tj-.|j|j|j) Nutf8 0r(1zInvalid netmaskz/{}z{} is not a supported type)/r"rZGEN_DNS_asn1_string_to_bytesdZdNSNamerrZDNSNameZ_init_without_validationZGEN_URIZuniformResourceIdentifierZUniformResourceIdentifierZGEN_RIDrZ registeredIDZ RegisteredIDr#Z GEN_IPADDZ iPAddresslen ipaddressZ ip_addressbinintfind ValueErrorZ ip_networkZexplodedformatZ IPAddressZ GEN_DIRNAMEZ DirectoryNamer5Z directoryNameZ GEN_EMAILZ rfc822NameZ RFC822NameZ GEN_OTHERNAMEZ otherNametype_id _asn1_to_derr%Z OtherNameZUnsupportedGeneralNameTypeZ_GENERAL_NAMESget) rr;r$r&Zdata_lenbaseZnetmaskbitsprefixiprLr%rrrr6YsZ       r6cCstSr )rZ OCSPNoCheckrextrrr_decode_ocsp_no_checksrUcC0|jd|}|j||jj}tt||SNzASN1_INTEGER *)rcastgcrASN1_INTEGER_freerZ CRLNumber_asn1_integer_to_intrrTasn1_intrrr_decode_crl_numberr^cCrVrW)rrXrYrrZrZDeltaCRLIndicatorr[r\rrr_decode_delta_crl_indicatorr_r`c@seZdZddZddZdS)_X509ExtensionParsercCs||_||_||_||_dSr ) ext_countget_exthandlers_backend)selfrrbrcrdrrr__init__s z_X509ExtensionParser.__init__c Csbg}t}t||D]}|||}|j||jjjk|jj |}|dk}t t |j|jj |}||vrFt d|||tjkr|jj|} t|j| } t| t} g} | ss| | t| ret dd| D} |t ||| ||q |tjkr|jj|} tt|j| }|t |t ||t !||q z|j"|}Wn9t#y|jj|} |j| |jjjk|jj$| j%| j&dd}t '||}|t |||Yn,w|jj(|}||jjjkr|j)t*d|||j|} |t ||| ||q t +|S)NrzDuplicate {} extension foundcSsg|]}t|qSrr )r*r2rrr sz._X509ExtensionParser.parse..z/The {} extension is invalid and can't be parsed),setr,rbrcrerrrrZX509_EXTENSION_get_criticalrr#rZX509_EXTENSION_get_objectZDuplicateExtensionrKrZ TLS_FEATUREZX509_EXTENSION_get_datarCrZread_single_elementr Zis_emptyr-Z read_elementrZ as_integerZ TLSFeature Extensionr.ZPRECERT_POISONZ check_emptyZ PrecertPoisonrdKeyErrorrr$lengthZUnrecognizedExtensionZX509V3_EXT_d2iZ_consume_errorsrJZ Extensions)rfZx509_obj extensionsZ seen_oidsr:rTZcritcriticalr&r$Z data_bytesfeaturesparsedr%readerhandlerZderZ unrecognizedZext_datarrrparsesx               z_X509ExtensionParser.parseN)__name__ __module__ __qualname__rgrsrrrrras racCs2|jd|}|j||jj}|j|}g}t|D]w}d}|j||}t t ||j }|j |jj kr|j|j }g}t|D]E} |j|j | } t t || j} | tjkrv|j| jjj| jjjddd} || qD| tjks}Jt|| jj} || qD|t||qt|S)Nz"Cryptography_STACK_OF_POLICYINFO *ascii)rrXrYrZCERTIFICATEPOLICIES_freeZsk_POLICYINFO_numr,Zsk_POLICYINFO_valuerr#rZpolicyid qualifiersrZsk_POLICYQUALINFO_numZsk_POLICYQUALINFO_valuepqualidrZ CPS_QUALIFIERrrDcpsurir$rlrr-ZCPS_USER_NOTICE_decode_user_noticeZ usernoticeZPolicyInformationZCertificatePolicies)rcpr8Zcertificate_policiesr:rxpir&ZqnumjZpqiryrzZ user_noticerrr_decode_certificate_policiess<       rc Csd}d}|j|jjkrt||j}|j|jjkrIt||jj}|j|jj}g}t |D]}|j |jj|}t ||} | | q-t ||}t ||Sr )Zexptextrrr!Z noticeref organizationrZsk_ASN1_INTEGER_numZ noticenosr,Zsk_ASN1_INTEGER_valuer[r-rZNoticeReferenceZ UserNotice) rZunZ explicit_textZnotice_referencerr8Znotice_numbersr:r]Z notice_numrrrr{)s       r{cCsB|jd|}|j||jj}|jdk}t||j}t ||S)NzBASIC_CONSTRAINTS *) rrXrYrZBASIC_CONSTRAINTS_freeca_asn1_integer_to_int_or_nonepathlenrZBasicConstraints)rZbc_stZbasic_constraintsrZ path_lengthrrr_decode_basic_constraintsAs  rcCs@|jd|}|j||jj}t|j|j|j ddSNzASN1_OCTET_STRING *) rrXrYrASN1_OCTET_STRING_freerZSubjectKeyIdentifierrr$rlr asn1_stringrrr_decode_subject_key_identifierQsrcCs|jd|}|j||jj}d}d}|j|jjkr*|j|jj|jj dd}|j |jjkr7t ||j }t ||j }t|||S)NzAUTHORITY_KEYID *)rrXrYrZAUTHORITY_KEYID_freeZkeyidrrr$rlZissuerr<rserialrZAuthorityKeyIdentifier)rZakidZkey_identifierZauthority_cert_issuerZauthority_cert_serial_numberrrr _decode_authority_key_identifier[s$  rcsjd|}j|fdd}j|}g}t|D]5}j||}|jjj kt t |j}|j jj kt|j }|t ||q|S)Nz*Cryptography_STACK_OF_ACCESS_DESCRIPTION *csj|jjjdS)NZACCESS_DESCRIPTION_free)rZsk_ACCESS_DESCRIPTION_pop_freer addressofZ _original_lib)r2rrrvs z,_decode_information_access..)rrXrYrZsk_ACCESS_DESCRIPTION_numr,Zsk_ACCESS_DESCRIPTION_valuermethodrrr#rlocationr6r-ZAccessDescription)riar8access_descriptionsr:adr&r;rrr_decode_information_accessrs    rcCt||}t|Sr )rrZAuthorityInformationAccessrZaiarrrr$_decode_authority_information_access  rcCrr )rrZSubjectInformationAccessrrrr"_decode_subject_information_accessrrc Cs|jd|}|j||jj}|jj}||ddk}||ddk}||ddk}||ddk}||ddk}||ddk}||ddk} ||d dk} ||d dk} t||||||| | | S) NzASN1_BIT_STRING *rrr@r>)rrXrYrZASN1_BIT_STRING_freeASN1_BIT_STRING_get_bitrZKeyUsage) rZ bit_stringZget_bitZdigital_signatureZcontent_commitmentZkey_enciphermentZdata_enciphermentZ key_agreementZ key_cert_signZcrl_signZ encipher_onlyZ decipher_onlyrrr_decode_key_usages.rcCs.|jd|}|j||jj}t||}|SNzGENERAL_NAMES *)rrXrYrGENERAL_NAMES_freer<rr7Z general_namesrrr_decode_general_names_extensions rcCtt||Sr )rZSubjectAlternativeNamerrSrrr_decode_subject_alt_namercCrr )rZIssuerAlternativeNamerrSrrr_decode_issuer_alt_namerrcCsF|jd|}|j||jj}t||j}t||j}tj ||dS)NzNAME_CONSTRAINTS *)Zpermitted_subtreesZexcluded_subtrees) rrXrYrZNAME_CONSTRAINTS_free_decode_general_subtreesZpermittedSubtreesZexcludedSubtreesrZNameConstraints)rZncZ permittedZexcludedrrr_decode_name_constraintss  rcCsh||jjkrdS|j|}g}t|D]}|j||}|||jjkt||j}| |q|Sr ) rrrZsk_GENERAL_SUBTREE_numr,Zsk_GENERAL_SUBTREE_valuerr6rOr-)rZstack_subtreesr8Zsubtreesr:rnamerrrrs     rc Cs|jd|}|j||jj}|j|jjkr t||j\}}nd}d}|jdk}|j dk}|j dk}|j dk}|j |jjkrFt ||j }nd}t|||||||S)NzISSUING_DIST_POINT *r)rrXrYrZISSUING_DIST_POINT_free distpointr_decode_distpointZonlyuserZonlyCAZ indirectCRLZonlyattrZonlysomereasons_decode_reasonsrZIssuingDistributionPoint) rZidp full_name relative_nameZ only_userZonly_caZ indirect_crlZ only_attrZonly_some_reasonsrrr_decode_issuing_dist_points,    rcCsD|jd|}|j||jj}t||j}t||j}t ||S)NzPOLICY_CONSTRAINTS *) rrXrYrZPOLICY_CONSTRAINTS_freerZrequireExplicitPolicyZinhibitPolicyMappingrZPolicyConstraints)rZpcZrequire_explicit_policyZinhibit_policy_mappingrrr_decode_policy_constraintssrcCs|jd|}|j||jj}|j|}g}t|D]}|j||}|||jj kt t ||}| |qt |S)Nz#Cryptography_STACK_OF_ASN1_OBJECT *)rrXrYrZsk_ASN1_OBJECT_freeZsk_ASN1_OBJECT_numr,Zsk_ASN1_OBJECT_valuerrrr#rr-ZExtendedKeyUsage)rskr8Zekusr:rr&rrr_decode_extended_key_usages    rrc Cs|jd|}|j||jj}|j|}g}t|D]E}d}d}d}d}|j||} | j|jj kr:t || j}| j |jj krGt || j }| j |jj krVt|| j \}}|t||||q|S)Nz"Cryptography_STACK_OF_DIST_POINT *)rrXrYrZCRL_DIST_POINTS_freeZsk_DIST_POINT_numr,Zsk_DIST_POINT_valuereasonsrrZ CRLissuerr<rrr-rZDistributionPoint) rcdpsr8 dist_pointsr:rrZ crl_issuerrZcdprrr_decode_dist_pointss0    r)rr@rrrrrr>cCs8g}ttD]\}}|j||r||qt|Sr )sixZ iteritems_REASON_BIT_MAPPINGrrr- frozenset)rrZ enum_reasonsZ bit_positionreasonrrrrSs  rc Cs|jtkrt||jj}|dfS|jj}|j|}t}t |D]}|j ||}| ||j j k|t||q!t|}d|fSr )r"_DISTPOINT_TYPE_FULLNAMEr<rfullnameZ relativenamerZsk_X509_NAME_ENTRY_numrir,Zsk_X509_NAME_ENTRY_valuerrrr.r'rr)) rrrZrnsZrnumr1r:Zrnrrrrr]s    rcCrr )rrZCRLDistributionPointsrrrrrr_decode_crl_distribution_pointsvrrcCrr )rrZ FreshestCRLrrrr_decode_freshest_crl{rrcC4|jd|}|j||jj}t||}t|SrW)rrXrYrrZr[rZInhibitAnyPolicy)rr]Z skip_certsrrr_decode_inhibit_any_policy  rcCsjddlm}|jd|}|j||jj}g}t|j|D]}|j ||}| ||||q |S)Nr)_SignedCertificateTimestampzCryptography_STACK_OF_SCT *) Z)cryptography.hazmat.backends.openssl.x509rrrXrYrZ SCT_LIST_freer,Z sk_SCT_numZ sk_SCT_valuer-)r asn1_sctsrZsctsr:Zsctrrr _decode_sctss rcCrr )rZ)PrecertificateSignedCertificateTimestampsrrrrrr-_decode_precert_signed_certificate_timestampsrrcCrr )rZSignedCertificateTimestampsrrrrr%_decode_signed_certificate_timestampsr) rrr@rrrrr> r@rrrrr>rrcCsZ|jd|}|j||jj}|j|}ztt|WSt y,t d |w)NzASN1_ENUMERATED *zUnsupported reason code: {}) rrXrYrZASN1_ENUMERATED_freeZASN1_ENUMERATED_getrZ CRLReason_CRL_ENTRY_REASON_CODE_TO_ENUMrkrJrK)renumcoderrr_decode_crl_reasons  rcCrV)NzASN1_GENERALIZEDTIME *)rrXrYrASN1_GENERALIZEDTIME_freerZInvalidityDate_parse_asn1_generalized_time)rZinv_dategeneralized_timerrr_decode_invalidity_datesrcCrr)rrXrYrrr<rZCertificateIssuerrrrr_decode_cert_issuerrrcsnjd}j||}|dk|djjkj|fdd}j|d|ddS)Nunsigned char **rcj|dSNrrZ OPENSSL_freerrrrrz_asn1_to_der..)rrrZ i2d_ASN1_TYPErrrYr)rZ asn1_typerrrrrrMs  rMcCs@|j||jj}|||jjk|j||jj}||Sr )rZASN1_INTEGER_to_BNrrrrYZBN_freeZ _bn_to_int)rr]Zbnrrrr[s r[cCs||jjkrdSt||Sr )rrr[)rr]rrrrs  rcCs|j|j|jddSr )rrr$rlrrrrrCsrCcCst||dS)Nrw)rCrrrrr_asn1_string_to_asciirrcs~jd}j||}|dkrtd|j|djjkj |fdd}j |d|dd dS)Nrr(z&Unsupported ASN1 string type. Type: {}rcrrrrrrrrrz&_asn1_string_to_utf8..r=) rrrZASN1_STRING_to_UTF8rJrKr"rrrYrr)rrrrrrrr!s    r!cCs`|||jjk|j||jj}||jjkr"tdt|||j||jj }t ||S)Nz1Couldn't parse ASN.1 time as generalizedtime {!r}) rrrrZASN1_TIME_to_generalizedtimerJrKrCrYrr)rZ asn1_timerrrr_parse_asn1_times  rcCs"t||jd|}tj|dS)Nz ASN1_STRING *z %Y%m%d%H%M%SZ)rrrXdatetimestrptime)rrtimerrrr'srcCs0|jd|}|j||jj}tt||Sr)rrXrYrrrZ OCSPNoncerC)rZnoncerrr _decode_nonce.r_r)w __future__rrrrrFr cryptographyrZcryptography.hazmat._derrrrr Zcryptography.x509.extensionsr Zcryptography.x509.namer Zcryptography.x509.oidr rrrrr'r5r<r6rUr^r`objectrarr{rrrrrrrrrrrrrrrrZ_DISTPOINT_TYPE_RELATIVENAMErZ ReasonFlagsZkey_compromiseZ ca_compromiseZaffiliation_changedZ supersededZcessation_of_operationZcertificate_holdZprivilege_withdrawnZ aa_compromiserrrrrrrrr unspecifiedZremove_from_crlrZ_CRL_ENTRY_REASON_ENUM_TO_CODErrrrMr[rrCrr!rrrZBASIC_CONSTRAINTSZSUBJECT_KEY_IDENTIFIERZ KEY_USAGEZSUBJECT_ALTERNATIVE_NAMEZEXTENDED_KEY_USAGEZAUTHORITY_KEY_IDENTIFIERZAUTHORITY_INFORMATION_ACCESSZSUBJECT_INFORMATION_ACCESSZCERTIFICATE_POLICIESZCRL_DISTRIBUTION_POINTSZ FRESHEST_CRLZ OCSP_NO_CHECKZINHIBIT_ANY_POLICYZISSUER_ALTERNATIVE_NAMEZNAME_CONSTRAINTSZPOLICY_CONSTRAINTSZ_EXTENSION_HANDLERS_BASEZ%PRECERT_SIGNED_CERTIFICATE_TIMESTAMPSZ_EXTENSION_HANDLERS_SCTZ CRL_REASONZINVALIDITY_DATEZCERTIFICATE_ISSUERZ_REVOKED_EXTENSION_HANDLERSZ CRL_NUMBERZDELTA_CRL_INDICATORZISSUING_DISTRIBUTION_POINTZ_CRL_EXTENSION_HANDLERSZNONCEZ_OCSP_REQ_EXTENSION_HANDLERSZ"_OCSP_BASICRESP_EXTENSION_HANDLERSZSIGNED_CERTIFICATE_TIMESTAMPSZ'_OCSP_SINGLERESP_EXTENSION_HANDLERS_SCTrrrrs&     NQ!  -