o )%a]@sddlZddlZddlmZmZddlmZmZmZddl m Z ddl m Z m Z mZddZdd Zd d Zd d ZddZddZddZddZddZddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Z d*d+Z!d,d-Z"d.d/Z#d0d1Z$d2d3Z%d4d5Z&d6d7Z'd8d9Z(d:d;Z)dd?Z+ej,j-d@ej,j.dAej,j/dBej,j0dCej,j1dDej,j2dEej,j3dFej,j4dGiZ5dHdIZ6dJdKZ7dLdMZ8dNdOZ9dPdQZ:dRdSZ;dTdUZie j?e$e j@e(e jAe"e jBe'e jCe'e jDe+e jEe#e jFee jGe%e jHe%e jIe9e jJe9e jKee jLe!e jMe:e jNe;e jOe=ZPe jCe'e jEe#e jGe%e jQee jRee jSee jJe9iZTe jUe'e jVee jWeiZXejYe>iZZejYe>iZ[dS)ZN)utilsx509)_CRL_ENTRY_REASON_ENUM_TO_CODE_DISTPOINT_TYPE_FULLNAME_DISTPOINT_TYPE_RELATIVENAME) _ASN1Type)CRLEntryExtensionOID ExtensionOIDOCSPExtensionOIDcCsD||}|j||jj}|j||jj}|||jjk|S)a Converts a python integer to an ASN1_INTEGER. The returned ASN1_INTEGER will not be garbage collected (to support adding them to structs that take ownership of the object). Be sure to register it for GC if it will be discarded after use. ) _int_to_bn_ffigc_libBN_freeBN_to_ASN1_INTEGERNULLopenssl_assertbackendxirR/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/encode_asn1.py_encode_asn1_ints rcC t||}|j||jj}|SN)rr r rASN1_INTEGER_freerrrr_encode_asn1_int_gc+ rcCs0|j}|j||t|}||dk|S)z@ Create an ASN1_OCTET_STRING from a Python byte string. )rASN1_OCTET_STRING_newASN1_OCTET_STRING_setlenr)rdatasresrrr_encode_asn1_str1s r&cCs<|j}|j||dt|d}||dk|S)z Create an ASN1_UTF8STRING from a Python unicode string. This object will be an ASN1_STRING with UTF8 type in OpenSSL and can be decoded with ASN1_STRING_to_UTF8. utf8r)rASN1_UTF8STRING_newASN1_STRING_setencoder"r)rstringr$r%rrr_encode_asn1_utf8_str;s r,cCrr)r&r r rASN1_OCTET_STRING_free)rr#r$rrr_encode_asn1_str_gcIrr.cC t||jSr)r skip_certs)rinhibit_any_policyrrr_encode_inhibit_any_policyO r2cCsh|j}|jD])}d}|D]"}t||}|j||jj}|j||d|}||dkd}qq|S)zP The X509_NAME created will not be gc'd. Use _encode_name_gc if needed. rr) r X509_NAME_newrdns_encode_name_entryr r X509_NAME_ENTRY_freeX509_NAME_add_entryr)rnamesubjectrdnset_flag attribute name_entryr%rrr _encode_nameSs    r@cCrr)r@r r rX509_NAME_free)r attributesr;rrr_encode_name_gchrrCcCs>|j}|D]}t||}|j||}||dkq|S)z: The sk_X509_NAME_ENTRY created will not be gc'd. r)rsk_X509_NAME_ENTRY_new_nullr7sk_X509_NAME_ENTRY_pushr)rrBstackr>r?r%rrr_encode_sk_name_entryns  rGcCsr|jtjur |jd}n|jtjur|jd}n|jd}t||jj}|j |j j ||jj|t |}|S)N utf_16_be utf_32_ber')_typer BMPStringvaluer*UniversalString _txt2obj_gcoid dotted_stringrX509_NAME_ENTRY_create_by_OBJr rr")rr>rLobjr?rrrr7zs   r7cCr/r)r crl_numberrextrrr&_encode_crl_number_delta_crl_indicatorr3rVcCs|j}|||jjk|j||jj}|jrdnd|_|j r$dnd|_ |j r,dnd|_ |j r4dnd|_|jrAt||j|_|jrKt||j|_|jrUt||j|_|SNr)rISSUING_DIST_POINT_newrr rr ISSUING_DIST_POINT_freeonly_contains_user_certsonlyuseronly_contains_ca_certsonlyCA indirect_crl indirectCRLonly_contains_attribute_certsonlyattronly_some_reasons_encode_reasonflagsonlysomereasons full_name_encode_full_name distpoint relative_name_encode_relative_name)rrUidprrr_encode_issuing_dist_points rlcCsT|j}|||jjk|j||jj}|j|t|j }||dk|SNr) rASN1_ENUMERATED_newrr rr ASN1_ENUMERATED_freeASN1_ENUMERATED_setrreason)r crl_reasonasn1enumr%rrr_encode_crl_reasons  rtcCsF|j|jjt|j}|||jjk|j ||jj }|Sr) rASN1_GENERALIZEDTIME_setr rcalendartimegminvalidity_date timetuplerr ASN1_GENERALIZEDTIME_free)rrxtimerrr_encode_invalidity_datesr|c Cs|j}|||jjk|j||jj}|D]}|j}|||jjk|j||}||dkt ||j j }||_ |j r|j}|||jjk|j D]i}|j} || |jjk|j|| }||dkt|trt |tjj | _t||d| j_qUt|tjsJt |tjj | _|j} || |jjk| | j_|jrt||j| _ t!||j"| _#qU||_$q|S)Nrascii)%rsk_POLICYINFO_new_nullrr rr sk_POLICYINFO_freePOLICYINFO_newsk_POLICYINFO_push_txt2objpolicy_identifierrPpolicyidpolicy_qualifierssk_POLICYQUALINFO_new_nullPOLICYQUALINFO_newsk_POLICYQUALINFO_push isinstancestrrOID_CPS_QUALIFIERpqualidr&r*dcpsuri UserNoticeOID_CPS_USER_NOTICEUSERNOTICE_new usernotice explicit_textr,exptext_encode_notice_referencenotice_reference noticeref qualifiers) rcertificate_policiescp policy_infopir%rOpqis qualifierpqiunrrr_encode_certificate_policiessV        rcCs|dur|jjS|j}|||jjkt||j|_|j}||_|j D]}t ||}|j ||}||dkq(|Srm) r rr NOTICEREF_newrr, organizationsk_ASN1_INTEGER_new_null noticenosnotice_numbersrsk_ASN1_INTEGER_push)rnoticenr notice_stacknumbernumr%rrrrs    rcCs.|d}|j|d}|||jjk|S)z_ Converts a Python string with an ASN.1 object ID in dotted form to a ASN1_OBJECT. r}r)r*r OBJ_txt2objrr rrr:rRrrrrs rcCrr)rr r rASN1_OBJECT_freerrrrrN rrNcCs |jSr)r ASN1_NULL_newrTrrr_encode_ocsp_nochecks rcCsb|jj}|j}|j||jj}||d|j}||dk||d|j}||dk||d|j }||dk||d|j }||dk||d|j }||dk||d|j }||dk||d|j }||dk|j r||d|j}||dk||d |j}||dk|S||dd}||dk||d d}||dk|S) Nrr)rASN1_BIT_STRING_set_bitASN1_BIT_STRING_newr r ASN1_BIT_STRING_freedigital_signaturercontent_commitmentkey_enciphermentdata_encipherment key_agreement key_cert_signcrl_sign encipher_only decipher_only)r key_usageset_bitkur%rrr_encode_key_usages8   rcCsz|j}|||jjk|j||jj}|jdur#t||j|_ |j dur/t ||j |_ |j dur;t||j |_|Sr)rAUTHORITY_KEYID_newrr rr AUTHORITY_KEYID_freekey_identifierr&keyidauthority_cert_issuer_encode_general_namesissuerauthority_cert_serial_numberrserial)rauthority_keyidakidrrr _encode_authority_key_identifier5s"    rcCsN|j}|j||jj}|jrdnd|_|jr%|jdur%t||j|_|SrW) rBASIC_CONSTRAINTS_newr r BASIC_CONSTRAINTS_freeca path_lengthrpathlen)rbasic_constraints constraintsrrr_encode_basic_constraintsLs rcsj}|jjkj|fdd}|D]'}j}t|jj }t |j |j ||_ j||}|dkq|S)Ncsj|jjjdS)NACCESS_DESCRIPTION_free)rsk_ACCESS_DESCRIPTION_pop_freer addressof _original_lib)rrrr_s z,_encode_information_access..r)rsk_ACCESS_DESCRIPTION_new_nullrr rr ACCESS_DESCRIPTION_newr access_methodrP!_encode_general_name_preallocatedaccess_locationlocationmethodsk_ACCESS_DESCRIPTION_push)r info_accessaiaaccess_descriptionadrr%rrr_encode_information_accessZs$    rcCsP|j}|||jjk|D]}t||}|j||}||dkq|S)Nr)rGENERAL_NAMES_newrr r_encode_general_namesk_GENERAL_NAME_push)rnames general_namesr:gnr%rrrrus  rcCrr)rr r rGENERAL_NAMES_free)rsanrrrr_encode_alt_names rcCr/r)r.digest)rskirrr_encode_subject_key_identifierr3rcCs|j}t||||Sr)rGENERAL_NAME_newr)rr:rrrrrs  rcCsLt|tjr?|||jjk|jj|_|j }|||jjk|j d}|j ||t |}||dk||j_dSt|tjrn|||jjk|jj|_|j|j j dd}|||jjk||j_dSt|tjr|||jjkt||j }|jj|_||j_dSt|tjr|||jjkt|j tjr|j jjtd|j j d}nt|j tj!r|j jjtdd>|j j d}n|j j}t"||} |jj#|_| |j_$dSt|tj%rS|||jjk|j&} || |jjk|j|j'j dd} || |jjk|j(d|j } |j(d } | | d <|j)|jj| t |j }||jjkrB|*t+d | | _'|| _ |jj,|_| |j_-dSt|tj.ry|||jjk|j d} t"|| }|jj/|_||j_0dSt|tj1r|||jjk|j d} t"|| }|jj2|_||j_3dSt+d 4|) Nr'rr}lrzunsigned char[]zunsigned char **rzInvalid ASN.1 dataz!{} is an unknown GeneralName type)5rrDNSNamerr rrGEN_DNStypeASN1_IA5STRING_newrLr*r)r"rdNSName RegisteredIDGEN_RIDrrP registeredID DirectoryNamer@ GEN_DIRNAME directoryName IPAddress ipaddress IPv4Networknetwork_addresspackedr int_to_bytes num_addresses IPv6Networkr& GEN_IPADD iPAddress OtherName OTHERNAME_newtype_idnew d2i_ASN1_TYPE_consume_errors ValueError GEN_OTHERNAME otherName RFC822Name GEN_EMAIL rfc822NameUniformResourceIdentifierGEN_URIuniformResourceIdentifierformat)rr:ria5rLr%rRdir_nameripaddr other_namerr# data_ptr_ptrasn1_strrrrrs                               rcCsR|j}|j||jj}|D]}t||j}|j||}||dkq|Srm) rsk_ASN1_OBJECT_new_nullr r sk_ASN1_OBJECT_freerrPsk_ASN1_OBJECT_pushr)rextended_key_usageekurOrRr%rrr_encode_extended_key_usages  r/rrrrrrrrcCsL|j}|||jjk|D]}|j|t|d}||dkq|Srm)rrrr rr_CRLREASONFLAGS)rreasonsbitmaskrqr%rrrrds  rdcC4|j}|||jjkt|_t|||j_ |Sr) rDIST_POINT_NAME_newrr rrrrr:fullname)rrfdpnrrrrg  rgcCr3r) rr4rr rrrrGr: relativename)rrir6rrrrjr7rjcCs|j}|j||jj}|D]F}|j}|||jjk|jr*t ||j|_|j r4t ||j |_ |j r>t||j |_ |jrHt||j|_|j||}||dkq|Srm)rsk_DIST_POINT_new_nullr r sk_DIST_POINT_freeDIST_POINT_newrrr1rdrfrgrhrirj crl_issuerr CRLissuersk_DIST_POINT_push)rcdpscdppointdpr%rrr_encode_cdps_freshest_crls  rCcCsV|j}|||jjk|j||jj}t||j}||_ t||j }||_ |Sr) rNAME_CONSTRAINTS_newrr rr NAME_CONSTRAINTS_free_encode_general_subtreepermitted_subtreespermittedSubtreesexcluded_subtreesexcludedSubtrees)rname_constraintsnc permittedexcludedrrr_encode_name_constraints2s rOcCsb|j}|||jjk|j||jj}|jdur#t||j|_ |j dur/t||j |_ |Sr) rPOLICY_CONSTRAINTS_newrr rr POLICY_CONSTRAINTS_freerequire_explicit_policyrrequireExplicitPolicyinhibit_policy_mappinginhibitPolicyMapping)rpolicy_constraintspcrrr_encode_policy_constraintsBs   rXcCsZ|dur|jjS|j}|D]}|j}t|||_|j||}||dkq|Srm) r rrsk_GENERAL_SUBTREE_new_nullGENERAL_SUBTREE_newrbasesk_GENERAL_SUBTREE_pushr)rsubtreesgeneral_subtreesr:gsr%rrrrFSs   rFcCsZ|j}|||jjk|j||jj}|D]}|j||j}||dkq|Srm) rsk_SCT_new_nullrr rr sk_SCT_free sk_SCT_push_sct)rscts sct_stacksctr%rrr-_encode_precert_signed_certificate_timestampsas rgcCr/r)r.nonce)rrhrrr _encode_noncekr3ri)\rvr  cryptographyrr0cryptography.hazmat.backends.openssl.decode_asn1rrrcryptography.x509.namercryptography.x509.oidrr r rrr&r,r.r2r@rCrGr7rVrlrtr|rrrrNrrrrrrrrrrr/ ReasonFlagskey_compromise ca_compromiseaffiliation_changed supersededcessation_of_operationcertificate_holdprivilege_withdrawn aa_compromiser0rdrgrjrCrOrXrFrgriBASIC_CONSTRAINTSSUBJECT_KEY_IDENTIFIER KEY_USAGESUBJECT_ALTERNATIVE_NAMEISSUER_ALTERNATIVE_NAMEEXTENDED_KEY_USAGEAUTHORITY_KEY_IDENTIFIERCERTIFICATE_POLICIESAUTHORITY_INFORMATION_ACCESSSUBJECT_INFORMATION_ACCESSCRL_DISTRIBUTION_POINTS FRESHEST_CRLINHIBIT_ANY_POLICY OCSP_NO_CHECKNAME_CONSTRAINTSPOLICY_CONSTRAINTS%PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS_EXTENSION_ENCODE_HANDLERS CRL_NUMBERDELTA_CRL_INDICATORISSUING_DISTRIBUTION_POINT_CRL_EXTENSION_ENCODE_HANDLERSCERTIFICATE_ISSUER CRL_REASONINVALIDITY_DATE$_CRL_ENTRY_EXTENSION_ENCODE_HANDLERSNONCE'_OCSP_REQUEST_EXTENSION_ENCODE_HANDLERS)_OCSP_BASICRESP_EXTENSION_ENCODE_HANDLERSrrrrs     1   T