o )%a}@sddlZddlZddlmZddlmZmZmZmZddl m Z ddl m Z ddl mZmZmZmZddZd d Zd d Zd dZddZddZddZddZGdddeZddZddZddZdd Zd!d"Z d#d$Z!d%d&Z"d'd(Z#d)d*Z$d+d,Z%d-d.Z&d/d0Z'd1d2Z(d3d4Z)d5d6Z*d7d8Z+d9d:Z,dZ-d;Z.dZ9d?d@Z:dAdBZ;dCdDZdIdJZ?dKdLZ@dMdNZAej0jBej0j1ej0j2ej0j3ej0j4ej0j5ej0j6ej0jCej0j7ej0j8dO ZDej0jBdej0j1d;ej0j2dPej0j3dQej0j4dRej0j5dSej0j6dTej0jCdUej0j7dVej0j8dWi ZEdXdYZFdZd[ZGd\d]ZHd^d_ZId`daZJdbdcZKdddeZLdfdgZMdheNfdidjZOdkdlZPdmdnZQdodpZRiejSeejTeejUe$ejVe&ejWe,ejXe ejYe"ejZe#ej[eej\e<ej]e=ej^eej_e>ej`e'ejae(ejbe+Zcejde@iZeejfeFejgeGejheHiZiejjeejkeejXe ej`e'ejYe"ejle*ej]e=iZmejneRiZoejneRiZpejqeAiZrdS)qN)x509) DERReaderINTEGERNULLSEQUENCE_TLS_FEATURE_TYPE_TO_ENUM)_ASN1_TYPE_TO_ENUM)CRLEntryExtensionOIDCertificatePoliciesOID ExtensionOIDOCSPExtensionOIDcCsd}|jd|}|j|||d}||dkr,|d}|jd|}|j|||d}||dk|j||ddS)NPzchar[]r)_ffinew_lib OBJ_obj2txtopenssl_assertbufferdecode)backendobjbuf_lenbufresrR/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/decode_asn1.py_obj2txts  rcCsn|j|}|||jjk|j|}|||jjkt||}t||}t|j }t t |||SN) rX509_NAME_ENTRY_get_objectrrrX509_NAME_ENTRY_get_data_asn1_string_to_utf8rr typer NameAttributeObjectIdentifier)rx509_name_entryrdatavalueoidr#rrr_decode_x509_name_entry-s     r*c Cs|j|}g}d}t|D](}|j||}t||}|j|}||kr-||hn|d||}qt dd|DS)Ncss|]}t|VqdSr)rRelativeDistinguishedName).0rdnrrr Hsz$_decode_x509_name..) rX509_NAME_entry_countrangeX509_NAME_get_entryr*X509_NAME_ENTRY_setappendaddrName) r x509_namecount attributes prev_set_idxentry attributeset_idrrr_decode_x509_name9s    r?cCsR|j|}g}t|D]}|j||}|||jjk|t||q |Sr) rsk_GENERAL_NAME_numr1sk_GENERAL_NAME_valuerrrr4_decode_general_name)rgnsnumnamesignrrr_decode_general_namesKs  rHc Cs |j|jjkrt||jjd}tj |S|j|jj kr.t||jj d}tj |S|j|jj krDt||jj}tt|S|j|jjkrt||jj}t|}|dks^|dkrt|d|d}t||dd}tt|dd}|d}|dkrt|}d||dvrtdt|jd |} nt|} t| S|j|jjkrt t!||jj"S|j|jj#krt||jj$d}tj% |S|j|jj&krt||jj'j(} t)||jj'j*} t+t| | St,d tj-.|j|j|j) Nutf8 0r+1zInvalid netmaskz/{}z{} is not a supported type)/r#rGEN_DNS_asn1_string_to_bytesddNSNamerrDNSName_init_without_validationGEN_URIuniformResourceIdentifierUniformResourceIdentifierGEN_RIDr registeredID RegisteredIDr% GEN_IPADD iPAddresslen ipaddress ip_addressbinintfind ValueError ip_networkexplodedformat IPAddress GEN_DIRNAME DirectoryNamer? directoryName GEN_EMAIL rfc822Name RFC822Name GEN_OTHERNAME otherNametype_id _asn1_to_derr( OtherNameUnsupportedGeneralNameType_GENERAL_NAMESget) rrGr'r)data_lenbasenetmaskbitsprefixiprpr(rrrrBVsZ       rBcCstSr)r OCSPNoCheckrextrrr_decode_ocsp_no_checksrcC0|jd|}|j||jj}tt||SNzASN1_INTEGER *)rcastgcrASN1_INTEGER_freer CRLNumber_asn1_integer_to_intrr~asn1_intrrr_decode_crl_numberrcCrr)rrrrrrDeltaCRLIndicatorrrrrr_decode_delta_crl_indicatorrrc@seZdZddZddZdS)_X509ExtensionParsercCs||_||_||_||_dSr) ext_countget_exthandlers_backend)selfrrrrrrr__init__s z_X509ExtensionParser.__init__c Csbg}t}t||D]}|||}|j||jjjk|jj |}|dk}t t |j|jj |}||vrFt d|||tjkr|jj|} t|j| } t| t} g} | ss| | t| ret dd| D} |t ||| ||q |tjkr|jj|} tt|j| }|t |t ||t !||q z|j"|}Wn9t#y|jj|} |j| |jjjk|jj$| j%| j&dd}t '||}|t |||Yn,w|jj(|}||jjjkr|j)t*d|||j|} |t ||| ||q t +|S)NrzDuplicate {} extension foundcSsg|]}t|qSrr)r-r;rrr sz._X509ExtensionParser.parse..z/The {} extension is invalid and can't be parsed),setr1rrrrrrrX509_EXTENSION_get_criticalrr%rX509_EXTENSION_get_objectDuplicateExtensionrfr TLS_FEATUREX509_EXTENSION_get_datarPrread_single_elementris_emptyr4 read_elementr as_integer TLSFeature Extensionr5PRECERT_POISON check_empty PrecertPoisonrKeyErrorrr'lengthUnrecognizedExtensionX509V3_EXT_d2i_consume_errorsrc Extensions)rx509_obj extensions seen_oidsrFr~critcriticalr)r' data_bytesfeaturesparsedr(readerhandlerder unrecognizedext_datarrrparsesx               z_X509ExtensionParser.parseN)__name__ __module__ __qualname__rrrrrrrs rcCs2|jd|}|j||jj}|j|}g}t|D]w}d}|j||}t t ||j }|j |jj kr|j|j }g}t|D]E} |j|j | } t t || j} | tjkrv|j| jjj| jjjddd} || qD| tjks}Jt|| jj} || qD|t||qt|S)Nz"Cryptography_STACK_OF_POLICYINFO *ascii)rrrrCERTIFICATEPOLICIES_freesk_POLICYINFO_numr1sk_POLICYINFO_valuerr%rpolicyid qualifiersrsk_POLICYQUALINFO_numsk_POLICYQUALINFO_valuepqualidr CPS_QUALIFIERrrQcpsurir'rrr4CPS_USER_NOTICE_decode_user_notice usernoticePolicyInformationCertificatePolicies)rcprDcertificate_policiesrFrpir)qnumjpqirr user_noticerrr_decode_certificate_policiess<       rc Csd}d}|j|jjkrt||j}|j|jjkrIt||jj}|j|jj}g}t |D]}|j |jj|}t ||} | | q-t ||}t ||Sr)exptextrrr" noticeref organizationrsk_ASN1_INTEGER_num noticenosr1sk_ASN1_INTEGER_valuerr4rNoticeReference UserNotice) run explicit_textnotice_referencerrDnotice_numbersrFr notice_numrrrr&s       rcCsB|jd|}|j||jj}|jdk}t||j}t ||S)NzBASIC_CONSTRAINTS *) rrrrBASIC_CONSTRAINTS_freeca_asn1_integer_to_int_or_nonepathlenrBasicConstraints)rbc_stbasic_constraintsr path_lengthrrr_decode_basic_constraints>s  rcCs@|jd|}|j||jj}t|j|j|j ddSNzASN1_OCTET_STRING *) rrrrASN1_OCTET_STRING_freerSubjectKeyIdentifierrr'rr asn1_stringrrr_decode_subject_key_identifierNsrcCs|jd|}|j||jj}d}d}|j|jjkr*|j|jj|jj dd}|j |jjkr7t ||j }t ||j }t|||S)NzAUTHORITY_KEYID *)rrrrAUTHORITY_KEYID_freekeyidrrr'rissuerrHrserialrAuthorityKeyIdentifier)rakidkey_identifierauthority_cert_issuerauthority_cert_serial_numberrrr _decode_authority_key_identifierXs$  rcsjd|}j|fdd}j|}g}t|D]5}j||}|jjj kt t |j}|j jj kt|j }|t ||q|S)Nz*Cryptography_STACK_OF_ACCESS_DESCRIPTION *csj|jjjdS)NACCESS_DESCRIPTION_free)rsk_ACCESS_DESCRIPTION_pop_freer addressof _original_lib)r;rrrss z,_decode_information_access..)rrrrsk_ACCESS_DESCRIPTION_numr1sk_ACCESS_DESCRIPTION_valuermethodrrr%rlocationrBr4AccessDescription)riarDaccess_descriptionsrFadr)rGrrr_decode_information_accessos    rcCt||}t|Sr)rrAuthorityInformationAccessraiarrrr$_decode_authority_information_access  r cCr r)rrSubjectInformationAccessr rrr"_decode_subject_information_accessrrc Cs|jd|}|j||jj}|jj}||ddk}||ddk}||ddk}||ddk}||ddk}||ddk}||ddk} ||d dk} ||d dk} t||||||| | | S) NzASN1_BIT_STRING *rrrLrJ)rrrrASN1_BIT_STRING_freeASN1_BIT_STRING_get_bitrKeyUsage) r bit_stringget_bitdigital_signaturecontent_commitmentkey_enciphermentdata_encipherment key_agreement key_cert_signcrl_sign encipher_only decipher_onlyrrr_decode_key_usages.r$cCs.|jd|}|j||jj}t||}|SNzGENERAL_NAMES *)rrrrGENERAL_NAMES_freerHrrC general_namesrrr_decode_general_names_extensions r)cCtt||Sr)rSubjectAlternativeNamer)r}rrr_decode_subject_alt_namer,cCr*r)rIssuerAlternativeNamer)r}rrr_decode_issuer_alt_namer-r/cCsF|jd|}|j||jj}t||j}t||j}tj ||dS)NzNAME_CONSTRAINTS *)permitted_subtreesexcluded_subtrees) rrrrNAME_CONSTRAINTS_free_decode_general_subtreespermittedSubtreesexcludedSubtreesrNameConstraints)rnc permittedexcludedrrr_decode_name_constraintss  r:cCsh||jjkrdS|j|}g}t|D]}|j||}|||jjkt||j}| |q|Sr) rrrsk_GENERAL_SUBTREE_numr1sk_GENERAL_SUBTREE_valuerrBrwr4)rstack_subtreesrDsubtreesrFrnamerrrr3s     r3c Cs|jd|}|j||jj}|j|jjkr t||j\}}nd}d}|jdk}|j dk}|j dk}|j dk}|j |jjkrFt ||j }nd}t|||||||S)NzISSUING_DIST_POINT *r)rrrrISSUING_DIST_POINT_free distpointr_decode_distpointonlyuseronlyCA indirectCRLonlyattronlysomereasons_decode_reasonsrIssuingDistributionPoint) ridp full_name relative_name only_useronly_ca indirect_crl only_attronly_some_reasonsrrr_decode_issuing_dist_points,    rRcCsD|jd|}|j||jj}t||j}t||j}t ||S)NzPOLICY_CONSTRAINTS *) rrrrPOLICY_CONSTRAINTS_freerrequireExplicitPolicyinhibitPolicyMappingrPolicyConstraints)rpcrequire_explicit_policyinhibit_policy_mappingrrr_decode_policy_constraintssrZcCs|jd|}|j||jj}|j|}g}t|D]}|j||}|||jj kt t ||}| |qt |S)Nz#Cryptography_STACK_OF_ASN1_OBJECT *)rrrrsk_ASN1_OBJECT_freesk_ASN1_OBJECT_numr1sk_ASN1_OBJECT_valuerrrr%rr4ExtendedKeyUsage)rskrDekusrFrr)rrr_decode_extended_key_usages    rarc Cs|jd|}|j||jj}|j|}g}t|D]E}d}d}d}d}|j||} | j|jj kr:t || j}| j |jj krGt || j }| j |jj krVt|| j \}}|t||||q|S)Nz"Cryptography_STACK_OF_DIST_POINT *)rrrrCRL_DIST_POINTS_freesk_DIST_POINT_numr1sk_DIST_POINT_valuereasonsrrH CRLissuerrHrArBr4rDistributionPoint) rcdpsrD dist_pointsrFrKrL crl_issuerrecdprrr_decode_dist_pointss0    rl)rrLrrrrrrJcCs6g}tD]\}}|j||r||qt|Sr)_REASON_BIT_MAPPINGitemsrrr4 frozenset)rre enum_reasons bit_positionreasonrrrrHPs  rHc Cs|jtkrt||jj}|dfS|jj}|j|}t}t |D]}|j ||}| ||j j k|t||q!t|}d|fSr)r#_DISTPOINT_TYPE_FULLNAMErHr?fullname relativenamersk_X509_NAME_ENTRY_numrr1sk_X509_NAME_ENTRY_valuerrrr5r*rr,) rrArKrnsrnumr9rFrnrLrrrrBZs    rBcCr r)rlrCRLDistributionPointsrrhrirrr_decode_crl_distribution_pointssrr}cCr r)rlr FreshestCRLr|rrr_decode_freshest_crlxrrcC4|jd|}|j||jj}t||}t|Sr)rrrrrrrInhibitAnyPolicy)rr skip_certsrrr_decode_inhibit_any_policy}  rcCsjddlm}|jd|}|j||jj}g}t|j|D]}|j ||}| ||||q |S)Nr)_SignedCertificateTimestampzCryptography_STACK_OF_SCT *) )cryptography.hazmat.backends.openssl.x509rrrrr SCT_LIST_freer1 sk_SCT_num sk_SCT_valuer4)r asn1_sctsrsctsrFsctrrr _decode_sctss rcCr*r)r)PrecertificateSignedCertificateTimestampsrrrrrr-_decode_precert_signed_certificate_timestampsr-rcCr*r)rSignedCertificateTimestampsrrrrr%_decode_signed_certificate_timestampsr) rrrLrrrrrJ rLrrrrrJrrcCsZ|jd|}|j||jj}|j|}ztt|WSt y,t d |w)NzASN1_ENUMERATED *zUnsupported reason code: {}) rrrrASN1_ENUMERATED_freeASN1_ENUMERATED_getr CRLReason_CRL_ENTRY_REASON_CODE_TO_ENUMrrcrf)renumcoderrr_decode_crl_reasons  rcCr)NzASN1_GENERALIZEDTIME *)rrrrASN1_GENERALIZEDTIME_freerInvalidityDate_parse_asn1_generalized_time)rinv_dategeneralized_timerrr_decode_invalidity_datesrcCrr%)rrrrr&rHrCertificateIssuerr'rrr_decode_cert_issuerrrcsnjd}j||}|dk|djjkj|fdd}j|d|ddS)Nunsigned char **rcj|dSNrr OPENSSL_freerrrrrz_asn1_to_der..)rrr i2d_ASN1_TYPErrrr)r asn1_typerrrrrrqs  rqcCs@|j||jj}|||jjk|j||jj}||Sr)rASN1_INTEGER_to_BNrrrrBN_free _bn_to_int)rrbnrrrrs rcCs||jjkrdSt||Sr)rrr)rrrrrrs  rcCs|j|j|jddSr)rrr'rrrrrrPsrPcCst||dS)Nr)rPrrrrr_asn1_string_to_asciirrreturncs~jd}j||}|dkrtd|j|djjkj |fdd}j |d|dd dS)Nrr+z&Unsupported ASN1 string type. Type: {}rcrrrrrrrr rz&_asn1_string_to_utf8..rI) rrrASN1_STRING_to_UTF8rcrfr#rrrrr)rrrrrrrr"s    r"cCs`|||jjk|j||jj}||jjkr"tdt|||j||jj }t ||S)Nz1Couldn't parse ASN.1 time as generalizedtime {!r}) rrrrASN1_TIME_to_generalizedtimercrfrPrrr)r asn1_timerrrr_parse_asn1_times  rcCs"t||jd|}tj|dS)Nz ASN1_STRING *z %Y%m%d%H%M%SZ)rrrdatetimestrptime)rrtimerrrr$srcCs0|jd|}|j||jj}tt||Sr)rrrrrr OCSPNoncerP)rnoncerrr _decode_nonce+rr)srr^ cryptographyrcryptography.hazmat._derrrrrcryptography.x509.extensionsrcryptography.x509.namer cryptography.x509.oidr r r r rr*r?rHrBrrrobjectrrrrrrrr rr$r)r,r/r:r3rRrZrars_DISTPOINT_TYPE_RELATIVENAMErl ReasonFlagskey_compromise ca_compromiseaffiliation_changed supersededcessation_of_operationcertificate_holdprivilege_withdrawn aa_compromisermrHrBr}rrrrr unspecifiedremove_from_crlr_CRL_ENTRY_REASON_ENUM_TO_CODErrrrqrrrPrstrr"rrrBASIC_CONSTRAINTSSUBJECT_KEY_IDENTIFIER KEY_USAGESUBJECT_ALTERNATIVE_NAMEEXTENDED_KEY_USAGEAUTHORITY_KEY_IDENTIFIERAUTHORITY_INFORMATION_ACCESSSUBJECT_INFORMATION_ACCESSCERTIFICATE_POLICIESCRL_DISTRIBUTION_POINTS FRESHEST_CRL OCSP_NO_CHECKINHIBIT_ANY_POLICYISSUER_ALTERNATIVE_NAMENAME_CONSTRAINTSPOLICY_CONSTRAINTS_EXTENSION_HANDLERS_BASE%PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS_EXTENSION_HANDLERS_SCT CRL_REASONINVALIDITY_DATECERTIFICATE_ISSUER_REVOKED_EXTENSION_HANDLERS CRL_NUMBERDELTA_CRL_INDICATORISSUING_DISTRIBUTION_POINT_CRL_EXTENSION_HANDLERSNONCE_OCSP_REQ_EXTENSION_HANDLERS"_OCSP_BASICRESP_EXTENSION_HANDLERSSIGNED_CERTIFICATE_TIMESTAMPS'_OCSP_SINGLERESP_EXTENSION_HANDLERS_SCTrrrrs"     NQ!  -