3 l_\ @sddlmZmZmZddlZddlZddlZddlmZm Z ddl m Z m Z m Z ddlmZddlmZmZmZddZd d Zd d Zd dZddZddZddZddZddZddZddZddZdd Z d!d"Z!d#d$Z"d%d&Z#d'd(Z$d)d*Z%d+d,Z&d-d.Z'd/d0Z(d1d2Z)d3d4Z*d5d6Z+d7d8Z,d9d:Z-d;d<Z.d=d>Z/d?d@Z0e j1j2dAe j1j3dBe j1j4dCe j1j5dDe j1j6dEe j1j7dFe j1j8dGe j1j9dHiZ:dIdJZ;dKdLZdQdRZ?dSdTZ@dUdVZAdWdXZBejCe)ejDe-ejEe'ejFe,ejGe,ejHe0ejIe(ejJe"ejKe*ejLe*ejMe>ejNe>ejOeejPe&ejQe?ejRe@iZSejGe,ejIe(ejKe*ejTeejUeejVeejNe>iZWejXe,ejYe ejZe!iZ[ej\eBiZ]ej\eBiZ^dS)Y)absolute_importdivisionprint_functionN)utilsx509)_CRL_ENTRY_REASON_ENUM_TO_CODE_DISTPOINT_TYPE_FULLNAME_DISTPOINT_TYPE_RELATIVENAME) _ASN1Type)CRLEntryExtensionOID ExtensionOIDOCSPExtensionOIDcCsD|j|}|jj||jj}|jj||jj}|j||jjk|S)a Converts a python integer to an ASN1_INTEGER. The returned ASN1_INTEGER will not be garbage collected (to support adding them to structs that take ownership of the object). Be sure to register it for GC if it will be discarded after use. )Z _int_to_bn_ffigc_libZBN_freeZBN_to_ASN1_INTEGERNULLopenssl_assert)backendxir#/usr/lib64/python3.6/encode_asn1.py_encode_asn1_ints rcCs t||}|jj||jj}|S)N)rrrrZASN1_INTEGER_free)rrrrrr_encode_asn1_int_gc.s rcCs0|jj}|jj||t|}|j|dk|S)z@ Create an ASN1_OCTET_STRING from a Python byte string. )rZASN1_OCTET_STRING_newZASN1_OCTET_STRING_setlenr)rdatasresrrr_encode_asn1_str4s rcCs<|jj}|jj||jdt|jd}|j|dk|S)z Create an ASN1_UTF8STRING from a Python unicode string. This object will be an ASN1_STRING with UTF8 type in OpenSSL and can be decoded with ASN1_STRING_to_UTF8. utf8r)rZASN1_UTF8STRING_newASN1_STRING_setencoderr)rstringrrrrr_encode_asn1_utf8_str>s  r$cCs t||}|jj||jj}|S)N)rrrrZASN1_OCTET_STRING_free)rrrrrr_encode_asn1_str_gcLs r%cCs t||jS)N)rZ skip_certs)rZinhibit_any_policyrrr_encode_inhibit_any_policyRsr&cCsp|jj}x`|jD]V}d}xL|D]D}t||}|jj||jj}|jj||d|}|j|dkd}q WqW|S)zP The X509_NAME created will not be gc'd. Use _encode_name_gc if needed. rrr') rZ X509_NAME_newZrdns_encode_name_entryrrZX509_NAME_ENTRY_freeZX509_NAME_add_entryr)rnamesubjectZrdnZset_flag attribute name_entryrrrr _encode_nameVs       r-cCs t||}|jj||jj}|S)N)r-rrrZX509_NAME_free)r attributesr*rrr_encode_name_gcks r/cCsB|jj}x2|D]*}t||}|jj||}|j|dkqW|S)z: The sk_X509_NAME_ENTRY created will not be gc'd. r)rZsk_X509_NAME_ENTRY_new_nullr(Zsk_X509_NAME_ENTRY_pushr)rr.stackr+r,rrrr_encode_sk_name_entryqs    r1cCsr|jtjkr|jjd}n&|jtjkr4|jjd}n |jjd}t||jj}|j j |j j ||jj|t |}|S)N utf_16_be utf_32_ber )Z_typer Z BMPStringvaluer"ZUniversalString _txt2obj_gcoid dotted_stringrZX509_NAME_ENTRY_create_by_OBJrrr)rr+r4objr,rrrr(}s   r(cCs t||jS)N)rZ crl_number)rextrrr&_encode_crl_number_delta_crl_indicatorsr:cCs|jj}|j||jjk|jj||jj}|jr8dnd|_|j rHdnd|_ |j rXdnd|_ |j rhdnd|_|jrt||j|_|jrt||j|_|jrt||j|_|S)Nr)rZISSUING_DIST_POINT_newrrrrZISSUING_DIST_POINT_freeZonly_contains_user_certsZonlyuserZonly_contains_ca_certsZonlyCAZ indirect_crlZ indirectCRLZonly_contains_attribute_certsZonlyattrZonly_some_reasons_encode_reasonflagsZonlysomereasons full_name_encode_full_name distpoint relative_name_encode_relative_name)rr9Zidprrr_encode_issuing_dist_points  rBcCsT|jj}|j||jjk|jj||jj}|jj|t|j }|j|dk|S)Nr) rZASN1_ENUMERATED_newrrrrZASN1_ENUMERATED_freeZASN1_ENUMERATED_setrreason)rZ crl_reasonZasn1enumrrrr_encode_crl_reasons rDcCsF|jj|jjtj|jj}|j||jjk|jj ||jj }|S)N) rZASN1_GENERALIZEDTIME_setrrcalendarZtimegminvalidity_dateZ timetuplerrZASN1_GENERALIZEDTIME_free)rrFZtimerrr_encode_invalidity_dates rGc Cs|jj}|j||jjk|jj||jj}xh|D]^}|jj}|j||jjk|jj||}|j|dkt ||j j }||_ |j r6|jj}|j||jjkx|j D]}|jj} |j| |jjk|jj|| }|j|dkt|tjr"t |tjj | _t||jd| j_qt|tjs4tt |tjj | _|jj} |j| |jjk| | j_|j r~t!||j | _"t#||j$| _%qW||_&q6W|S)Nrascii)'rZsk_POLICYINFO_new_nullrrrrZsk_POLICYINFO_freeZPOLICYINFO_newZsk_POLICYINFO_push_txt2objZpolicy_identifierr7ZpolicyidZpolicy_qualifiersZsk_POLICYQUALINFO_new_nullZPOLICYQUALINFO_newZsk_POLICYQUALINFO_push isinstancesixZ text_typerZOID_CPS_QUALIFIERZpqualidrr"dZcpsuriZ UserNoticeAssertionErrorZOID_CPS_USER_NOTICEZUSERNOTICE_newZ usernoticeZ explicit_textr$Zexptext_encode_notice_referenceZnotice_referenceZ noticerefZ qualifiers) rZcertificate_policiesZcpZ policy_infoZpirr6ZpqisZ qualifierZpqiZunrrr_encode_certificate_policiessJ        rOcCs|dkr|jjS|jj}|j||jjkt||j|_|jj}||_x4|j D]*}t ||}|jj ||}|j|dkqRW|SdS)Nr) rrrZ NOTICEREF_newrr$Z organizationZsk_ASN1_INTEGER_new_nullZ noticenosZnotice_numbersrZsk_ASN1_INTEGER_push)rZnoticeZnrZ notice_stackZnumberZnumrrrrrNs    rNcCs.|jd}|jj|d}|j||jjk|S)z_ Converts a Python string with an ASN.1 object ID in dotted form to a ASN1_OBJECT. rHr)r"r OBJ_txt2objrrr)rr)r8rrrrIs rIcCs t||}|jj||jj}|S)N)rIrrrZASN1_OBJECT_free)rr)r8rrrr5 s r5cCs |jjS)N)rZ ASN1_NULL_new)rr9rrr_encode_ocsp_nochecksrQcCsb|jj}|jj}|jj||jj}||d|j}|j|dk||d|j}|j|dk||d|j }|j|dk||d|j }|j|dk||d|j }|j|dk||d|j }|j|dk||d|j }|j|dk|j r*||d|j}|j|dk||d |j}|j|dkn4||dd}|j|dk||d d}|j|dk|S) Nrr)rASN1_BIT_STRING_set_bitASN1_BIT_STRING_newrrZASN1_BIT_STRING_freeZdigital_signaturerZcontent_commitmentZkey_enciphermentZdata_enciphermentZ key_agreementZ key_cert_signZcrl_signZ encipher_onlyZ decipher_only)rZ key_usageZset_bitZkurrrr_encode_key_usages6   r[cCsz|jj}|j||jjk|jj||jj}|jdk rFt||j|_ |j dk r^t ||j |_ |j dk rvt||j |_|S)N)rZAUTHORITY_KEYID_newrrrrZAUTHORITY_KEYID_freeZkey_identifierrZkeyidZauthority_cert_issuer_encode_general_namesZissuerZauthority_cert_serial_numberrserial)rZauthority_keyidZakidrrr _encode_authority_key_identifier8s       r^cCsN|jj}|jj||jj}|jr&dnd|_|jrJ|jdk rJt||j|_|S)Nr;r) rZBASIC_CONSTRAINTS_newrrZBASIC_CONSTRAINTS_freeZcaZ path_lengthrZpathlen)rZbasic_constraintsZ constraintsrrr_encode_basic_constraintsOs   r_csjj}j|jjkjj|fdd}xV|D]N}jj}t|jj }t |j |j ||_ jj||}j|dkq8W|S)Ncsjj|jjjjdS)NZACCESS_DESCRIPTION_free)rZsk_ACCESS_DESCRIPTION_pop_freerZ addressofZ _original_lib)r)rrrbsz,_encode_information_access..r)rZsk_ACCESS_DESCRIPTION_new_nullrrrrZACCESS_DESCRIPTION_newrIZ access_methodr7!_encode_general_name_preallocatedZaccess_locationlocationmethodZsk_ACCESS_DESCRIPTION_push)rZ info_accessZaiaZaccess_descriptionZadrcrr)rr_encode_information_access]s    rdcCsT|jj}|j||jjkx2|D]*}t||}|jj||}|j|dkq"W|S)Nr)rZGENERAL_NAMES_newrrr_encode_general_nameZsk_GENERAL_NAME_push)rnames general_namesr)gnrrrrr\xs   r\cCs t||}|jj||jj}|S)N)r\rrrZGENERAL_NAMES_free)rZsanrgrrr_encode_alt_names  ricCs t||jS)N)r%Zdigest)rZskirrr_encode_subject_key_identifiersrjcCs|jj}t||||S)N)rZGENERAL_NAME_newra)rr)rhrrrres  recCsRt|tjr~|j||jjk|jj|_|jj }|j||jjk|j j d}|jj ||t |}|j|dk||j_nt|tjr|j||jjk|jj|_|jj|j jj dd}|j||jjk||j_nrt|tjr|j||jjkt||j }|jj|_||j_n0t|tjr|j||jjkt|j tjrn|j jjtjd |j j d}n|j j d}n|j j}t"||} |jj#|_| |j_$nt|tj%r|j||jjk|jj&} |j| |jjk|jj|j'jj dd} |j| |jjk|jj(d|j } |jj(d } | | d <|jj)|jj| t |j }||jjkr|j*t+d | | _'|| _ |jj,|_| |j_-nt|tj.r|j||jjk|j j d} t"|| }|jj/|_||j_0nXt|tj1r@|j||jjk|j j d} t"|| }|jj2|_||j_3nt+d j4|dS)Nr rrH rTzunsigned char[]zunsigned char **rzInvalid ASN.1 dataz!{} is an unknown GeneralName typel)5rJrZDNSNamerrrrZGEN_DNStypeZASN1_IA5STRING_newr4r"r!rrLZdNSNameZ RegisteredIDZGEN_RIDrPr7Z registeredIDZ DirectoryNamer-Z GEN_DIRNAMEZ directoryNameZ IPAddress ipaddressZ IPv4NetworkZnetwork_addresspackedrZ int_to_bytesZ num_addressesZ IPv6NetworkrZ GEN_IPADDZ iPAddressZ OtherNameZ OTHERNAME_newtype_idnewZ d2i_ASN1_TYPEZ_consume_errors ValueErrorZ GEN_OTHERNAMEZ otherNameZ RFC822NameZ GEN_EMAILZ rfc822NameZUniformResourceIdentifierZGEN_URIZuniformResourceIdentifierformat)rr)rhZia5r4rr8Zdir_namerpZipaddrZ other_namerqrZ data_ptr_ptrZasn1_strrrrras                            racCsV|jj}|jj||jj}x4|D],}t||j}|jj||}|j|dkq"W|S)Nr) rZsk_ASN1_OBJECT_new_nullrrZsk_ASN1_OBJECT_freerIr7Zsk_ASN1_OBJECT_pushr)rZextended_key_usageZekur6r8rrrr_encode_extended_key_usages   rurrRrSrTrUrVrWrXcCsP|jj}|j||jjkx.|D]&}|jj|t|d}|j|dkq"W|S)Nr)rrZrrrrY_CRLREASONFLAGS)rreasonsZbitmaskrCrrrrr<s  r<cCs4|jj}|j||jjkt|_t|||j_ |S)N) rDIST_POINT_NAME_newrrrrrnr\r)fullname)rr=dpnrrrr> s  r>cCs4|jj}|j||jjkt|_t|||j_ |S)N) rrxrrrr rnr1r)Z relativename)rr@rzrrrrAs  rAcCs|jj}|jj||jj}x|D]}|jj}|j||jjk|jrVt ||j|_|j rjt ||j |_ |j r~t||j |_ |jrt||j|_|jj||}|j|dkq"W|S)Nr)rZsk_DIST_POINT_new_nullrrZsk_DIST_POINT_freeZDIST_POINT_newrrrwr<r=r>r?r@rAZ crl_issuerr\Z CRLissuerZsk_DIST_POINT_push)rZcdpsZcdpZpointZdprrrr_encode_cdps_freshest_crls    r{cCsV|jj}|j||jjk|jj||jj}t||j}||_ t||j }||_ |S)N) rZNAME_CONSTRAINTS_newrrrrZNAME_CONSTRAINTS_free_encode_general_subtreeZpermitted_subtreesZpermittedSubtreesZexcluded_subtreesZexcludedSubtrees)rZname_constraintsZncZ permittedZexcludedrrr_encode_name_constraints5s   r}cCsb|jj}|j||jjk|jj||jj}|jdk rFt||j|_ |j dk r^t||j |_ |S)N) rZPOLICY_CONSTRAINTS_newrrrrZPOLICY_CONSTRAINTS_freeZrequire_explicit_policyrZrequireExplicitPolicyZinhibit_policy_mappingZinhibitPolicyMapping)rZpolicy_constraintsZpcrrr_encode_policy_constraintsEs     r~cCs`|dkr|jjS|jj}x<|D]4}|jj}t|||_|jj||}|dks tq W|SdS)Nr) rrrZsk_GENERAL_SUBTREE_new_nullZGENERAL_SUBTREE_newrebaseZsk_GENERAL_SUBTREE_pushrM)rZsubtreesZgeneral_subtreesr)Zgsrrrrr|Vs    r|cCs t||jS)N)r%nonce)rrrrr _encode_noncedsr)_Z __future__rrrrErorKZ cryptographyrrZ0cryptography.hazmat.backends.openssl.decode_asn1rrr Zcryptography.x509.namer Zcryptography.x509.oidr r r rrrr$r%r&r-r/r1r(r:rBrDrGrOrNrIr5rQr[r^r_rdr\rirjreraruZ ReasonFlagsZkey_compromiseZ ca_compromiseZaffiliation_changedZ supersededZcessation_of_operationZcertificate_holdZprivilege_withdrawnZ aa_compromiservr<r>rAr{r}r~r|rZBASIC_CONSTRAINTSZSUBJECT_KEY_IDENTIFIERZ KEY_USAGEZSUBJECT_ALTERNATIVE_NAMEZISSUER_ALTERNATIVE_NAMEZEXTENDED_KEY_USAGEZAUTHORITY_KEY_IDENTIFIERZCERTIFICATE_POLICIESZAUTHORITY_INFORMATION_ACCESSZSUBJECT_INFORMATION_ACCESSZCRL_DISTRIBUTION_POINTSZ FRESHEST_CRLZINHIBIT_ANY_POLICYZ OCSP_NO_CHECKZNAME_CONSTRAINTSZPOLICY_CONSTRAINTSZ_EXTENSION_ENCODE_HANDLERSZ CRL_NUMBERZDELTA_CRL_INDICATORZISSUING_DISTRIBUTION_POINTZ_CRL_EXTENSION_ENCODE_HANDLERSZCERTIFICATE_ISSUERZ CRL_REASONZINVALIDITY_DATEZ$_CRL_ENTRY_EXTENSION_ENCODE_HANDLERSZNONCEZ'_OCSP_REQUEST_EXTENSION_ENCODE_HANDLERSZ)_OCSP_BASICRESP_EXTENSION_ENCODE_HANDLERSrrrrs     1   T