Wwg1bFddlZddlZddlZddlmZmZddlmZmZddlm Z m Z m Z m Z m Z mZddlmZmZmZddlmZddlmZmZdd lmZmZmZdd lmZdd lmZdd l m!Z!m"Z"dd l#m$Z$ddl%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+ddl,m-Z-m.Z.m/Z/m0Z0m1Z1ddl2m3Z3m4Z4m5Z5m6Z6ddl7m8Z8edGddZ9GddZ:edGddZ;edddddfdeeedfde e3de e4de ejxde ed e e)d!e;fd"Z=edGd#d$Z>y)%N) dataclassfield)datetime timedelta)DictIterableListOptionalSetUnion)crlocspx509)timezone)AuthorityWithCertCertTrustAnchor)FetcherBackendFetchersdefault_fetcher_backend)RequestsFetcherBackend) POEManager)ValidationTimingInfoValidationTimingParams)ValidationPath)AlgorithmUsagePolicyCertRevTrustPolicyDisallowWeakAlgorithmsPolicyNonRevokedStatusAssertionPKIXValidationParamsRevocationCheckingPolicy)CertificateRegistry PathBuilderSimpleTrustManager TrustManager TrustRootList) CRLContainer OCSPContainerprocess_legacy_crl_inputprocess_legacy_ocsp_input)RevinfoManagerT)frozenceZdZUdZeeZeeje d< eeZ eeje d<y)ACTargetDescriptiona_ Value type to guide attribute certificate targeting checks, for attribute certificates that use the target information extension. As stipulated in RFC 5755, an AC targeting check passes if the information in the relevant :class:`.AATargetDescription` matches at least one ``Target`` in the AC's target information extension. )default_factoryvalidator_namesgroup_membershipsN) __name__ __module__ __qualname____doc__rlistr0r r GeneralName__annotations__r1T/var/www/horilla/myenv/lib/python3.12/site-packages/pyhanko_certvalidator/context.pyr.r.)sJ/4D.IOT$**+I16d0KtD,,-Kr:r.c.eZdZddddddddddddeddddddddddfdeedeedeeejd eee e e fd ee d ee d e d eee e ejfdeee e ej"fde deedeee dede deedeedeedeedeedeedeedeef,dZedefdZedefdZede fd Zedefd!Z ede fd"Z!ede fd#Z"ede fd$Z#ede$ejfd%Z%ede$ej"fd&Z&ed'Z'd(Z(d)e)fd*Z*d+Z+d,Z,d-Z-d.Z.d/Z/d0Z0d1Z1edeefd2Z2y)3ValidationContextNFz soft-failrseconds trust_rootsextra_trust_roots other_certswhitelisted_certsmomentbest_signature_timeallow_fetchingcrlsocspsrevocation_moderevinfo_policyweak_hash_algostime_toleranceretroactive_revinfofetcher_backendacceptable_ac_targets poe_managerrevinfo_managercertificate_registry trust_manageralgorithm_usage_policyfetchersc| !ttj| |} n| j t d| |_| j j}|s|s|| |r td|&tjtj}d}n|j tdd}||}n|j tdt|_||D]}t!|t"r|j%d }|j'd d j'd d }|jj)t+j,|j/d |!| t1t3| }n t1}||_d}|r+|| t7}|j9}|j:}nd}|t=j>|xsd |}||_ |tCj>||}t!|tBr&|jED]}|jG|tI|||_%|r tM|nd }| r tO| nd } |tQ||xs tS|| |}||_*i|_+g|_,| r t[| n t]d} t_ta|||| |_1||_2y)a :param trust_roots: If the operating system's trust list should not be used, instead pass a list of byte strings containing DER or PEM-encoded X.509 certificates, or asn1crypto.x509.Certificate objects. These certificates will be used as the trust roots for the path being built. :param extra_trust_roots: If the operating system's trust list should be used, but augmented with one or more extra certificates. This should be a list of byte strings containing DER or PEM-encoded X.509 certificates, or asn1crypto.x509.Certificate objects. :param other_certs: A list of byte strings containing DER or PEM-encoded X.509 certificates, or a list of asn1crypto.x509.Certificate objects. These other certs are usually provided by the service/item being validated. In TLS, these would be intermediate chain certs. :param whitelisted_certs: None or a list of byte strings or unicode strings of the SHA-1 fingerprint of one or more certificates. The fingerprint is a hex encoding of the SHA-1 byte string, optionally separated into pairs by spaces or colons. These whilelisted certificates will not be checked for validity dates. If one of the certificates is an end-entity certificate in a certificate path, any TLS hostname mismatches, key usage errors or extended key usage errors will also be ignored. :param moment: If certificate validation should be performed based on a date and time other than right now. A datetime.datetime object with a tzinfo value. If this parameter is specified, then the only way to check OCSP and CRL responses is to pass them via the crls and ocsps parameters. Can not be combined with allow_fetching=True. :param best_signature_time: The presumptive time at which the certificate was used. Assumed equal to :class:`moment` if unspecified. .. note:: The difference is significant in some point-in-time validation models, where the signature is validated after a "cooldown period" of sorts. :param crls: None or a list/tuple of asn1crypto.crl.CertificateList objects of pre-fetched/cached CRLs to be utilized during validation of paths :param ocsps: None or a list/tuple of asn1crypto.ocsp.OCSPResponse objects of pre-fetched/cached OCSP responses to be utilized during validation of paths :param allow_fetching: A bool - if HTTP requests should be made to fetch CRLs and OCSP responses. If this is True and certificates contain the location of a CRL or OCSP responder, an HTTP request will be made to obtain information for revocation checking. :param revocation_mode: A unicode string of the revocation mode to use: "soft-fail" (the default), "hard-fail" or "require". In "soft-fail" mode, any sort of error in fetching or locating revocation information is ignored. In "hard-fail" mode, if a certificate has a known CRL or OCSP and it can not be checked, it is considered a revocation failure. In "require" mode, every certificate in the certificate path must have a CRL or OCSP. :param weak_hash_algos: A set of unicode strings of hash algorithms that should be considered weak. :param time_tolerance: Time delta tolerance allowed in validity checks. Defaults to one second. :param retroactive_revinfo: Treat revocation info as retroactively valid, i.e. ignore the ``this_update`` field in CRLs and OCSP responses. Defaults to ``False``. .. warning:: Be careful with this option, since it will cause incorrect behaviour for CAs that make use of certificate holds or other reversible revocation methods. :param revinfo_manager: Internal API, to be elaborated. :param trust_manager: Internal API, to be elaborated. :param certificate_registry: Internal API, to be elaborated. :param algorithm_usage_policy: Internal API, to be elaborated. N)rMzFDealing with post-expiry revocation info has not been implemented yet.zrevocation data is not optional and allow_fetching is False, however crls and ocsps are both None, meaning that no validation can happenFz^moment is a naive datetime object, meaning the tzinfo attribute is not set to a valid timezoneTzkbest_signature_time is a naive datetime object, meaning the tzinfo attribute is not set to a valid timezoneascii :r9 cert_fetcher)r@rA)rSregistry)rRrPrGrHrUr)validation_timerEpoint_in_time_validation)rL)3rr! from_legacy!expected_post_expiry_revinfo_timeNotImplementedError_revinfo_policyrevocation_checking_policy essential ValueErrorrnowrutc utcoffsetset_whitelisted_certs isinstancebytesdecodereplaceaddbinascii unhexlifyencoder frozensetalgorithm_policyr get_fetchersr\r"buildrRr$ iter_certsregisterr# path_builderr)r*r+r_revinfo_manager _validate_map_soft_fail_exceptionsabsrrr timing_params_acceptable_ac_targets)selfr@rArBrCrDrErFrGrHrIrJrKrLrMrNrOrPrQrRrSrTrU rev_essentialr_whitelisted_certr\roots r;__init__zValidationContext.__init__Fs0t  !/(44_E$7N = = I%#  .&AAKK #  0  >\\(,,/F', $     ';  (, $  &"(  * * , 4;  /2e  ($5  .6'7'>'>w'G$$4#;#;C#D#L#L$ ''++&&'7'>'>w'GH  " )*)Eo.*&*F)G& 6 #*'>&?O*779#00LH  '#6#<#<!r $ :N!  .44';LM m%7 8%002 4$--d3 4('2F 26'-249)%0r  ",%9'7:<! O!0:<68"0>^,IaL3 &$7)A  *  '<#r:returnc|jSN)r{rs r;rQz!ValidationContext.revinfo_managerBs$$$r:c|jSr)rcrs r;rJz ValidationContext.revinfo_policyFs###r:c.|jjSr)rcrMrs r;rMz%ValidationContext.retroactive_revinfoJs##777r:c.|jjSr)rrLrs r;rLz ValidationContext.time_toleranceNs!!000r:c.|jjSr)rr^rs r;rDzValidationContext.momentRs!!111r:c.|jjSr)rrErs r;rEz%ValidationContext.best_signature_timeVs!!555r:c.|jjSr)rQfetching_allowedrs r;rz"ValidationContext.fetching_allowedZs##444r:c.|jjS)zK A list of all cached :class:`crl.CertificateList` objects )r{rGrs r;rGzValidationContext.crls^s $$)))r:c.|jjS)zI A list of all cached :class:`ocsp.OCSPResponse` objects )r{rHrs r;rHzValidationContext.ocspses $$***r:c|jS)zP A list of soft-fail exceptions that were ignored during checks )r}rs r;soft_fail_exceptionsz&ValidationContext.soft_fail_exceptionsms )))r:c2|j|jvS)z Checks to see if a certificate has been whitelisted :param cert: An asn1crypto.x509.Certificate object :return: A bool - if the certificate is whitelisted )sha1rkrcerts r;is_whitelistedz ValidationContext.is_whitelistedusyyD3333r:ec:|jj|yr)r}append)rrs r;_report_soft_failz#ValidationContext._report_soft_fails ""))!,r:cK|jj|d{}|Dcgc]}|jc}S7cc}ww)z :param cert: An asn1crypto.x509.Certificate object :return: A list of asn1crypto.crl.CertificateList objects N)r{async_retrieve_crlscrl_data)rrresultsress r;rz%ValidationContext.async_retrieve_crlss?--AA$GG(/0 00H0sAAAAAActjdt|jjs|jj St j|j|S)z .. deprecated:: 0.17.0 Use :meth:`async_retrieve_crls` instead. :param cert: An asn1crypto.x509.Certificate object :return: A list of asn1crypto.crl.CertificateList objects z@'retrieve_crls' is deprecated, use 'async_retrieve_crls' instead) warningswarnDeprecationWarningrQrrGasynciorunrrs r; retrieve_crlszValidationContext.retrieve_crlssS  N  ##44'',, ,{{433D9::r:cK|jj|t|d{}|Dcgc]}|jc}S7cc}ww)z :param cert: An asn1crypto.x509.Certificate object :param issuer: An asn1crypto.x509.Certificate object of cert's issuer :return: A list of asn1crypto.ocsp.OCSPResponse objects N)r{async_retrieve_ocspsrocsp_response_data)rrissuerrrs r;rz&ValidationContext.async_retrieve_ocspssQ--BB #F+  3::3&&:: ;s )AA AA A Actjdt|jjs|jj St j|j||S)aN .. deprecated:: 0.17.0 Use :meth:`async_retrieve_ocsps` instead. :param cert: An asn1crypto.x509.Certificate object :param issuer: An asn1crypto.x509.Certificate object of cert's issuer :return: A list of asn1crypto.ocsp.OCSPResponse objects zB'retrieve_ocsps' is deprecated, use 'async_retrieve_ocsps' instead) rrrrQrrHrrr)rrrs r;retrieve_ocspsz ValidationContext.retrieve_ocspssW   -  ##44''-- -{{444T6BCCr:c6||j|j<y)a Records that a certificate has been validated, along with the path that was used for validation. This helps reduce duplicate work when validating a ceritifcate and related resources such as CRLs and OCSPs. :param cert: An ans1crypto.x509.Certificate object :param path: A pyhanko_certvalidator.path.ValidationPath object N)r| signature)rrpaths r;record_validationz#ValidationContext.record_validations.24>>*r:c"|jjj|rF|j|jvr.t t |gd|j|j<|jj|jS)a] Checks to see if a certificate has been validated, and if so, returns the ValidationPath used to validate it. :param cert: An asn1crypto.x509.Certificate object :return: None if not validated, or a pyhanko_certvalidator.path.ValidationPath object of the validation path N) trust_anchorintermleaf)rzrSis_rootrr|rrgetrs r;check_validationz"ValidationContext.check_validationsr    + + 3 3D 9d&8&881?,T22D2D  t~~ .!!%%dnn55r:cd|j|jvr|j|j=yy)z Clears the record that a certificate has been validated :param cert: An ans1crypto.x509.Certificate object N)rr|rs r;clear_validationz"ValidationContext.clear_validations- >>T// /""4>>2 0r:c|jSr)rrs r;rOz'ValidationContext.acceptable_ac_targetss***r:)3r2r3r4rr r&rr Certificater rmstrrboolr CertificateListr OCSPResponserrr.rr+r"r%rrrpropertyrQrJrMrLrDrErr rGrHrr ExceptionrrrrrrrrrOr9r:r;r=r=Es[0459<@CG%)26$FJEI*7;37$-a$8$)48?C,048>B04AE'+/z<m,z<$M2z<ht'7'789 z< $HU5#:->$?@ z< " z<&h/z<z<xeS-@-@&@ ABCz<ud.?.?'?!@ABz<z<!!34z<"(3-0z<"z<"z< ".1!z<" ((;<#z<$j)%z<&".1'z<('':;)z<* -+z<,!))= >-z<.8$/zrLNrO)defaultrTpkix_validation_params timing_infohandlersrc b|$t}t}t||gg}n$|j}|j}|j }t |j|j||||j|j|j|j|j|j S)a Build a validation context from this policy, validation timing info and a set of validation data handlers. :param timing_info: Timing settings. :param handlers: Optionally specify validation data handlers. A reasonable default will be supplied if absent. :return: A new :class:`ValidationContext` reflecting the parameters. )rRrPrGrH) rSrJrQrRrPrTrDrErLrOrF)r"rr+rrPrQr=rSrJrTr^rErLrOr)rrrrrPrQs r;build_validation_contextz1CertValidationPolicySpec.build_validation_contexts$  /1M$,K,%2' O%22M"..K&66O ,,..+!.##'#>#>.. + ? ?.."&"<"<*;;  r:)r2r3r4r5r%r8rrrLrOr r.rrrTrrr rrr=rr9r:r;rr\s" '& !*! 4NI4<@8$78?>C,.>H%9: >BH%9:A, ), 12,   , r:r)?rrqr dataclassesrrrrtypingrrr r r r asn1cryptor rrasn1crypto.utilr authorityrrrUrrrfetchers.requests_fetchersrltv.poer ltv.typesrrrr policy_declrrrrr r!r]r"r#r$r%r&revinfo.archivalr'r(r)r*revinfo.managerr+r.r=rrrrr9r:r;rsQ((==&&$9GG>C  , $6{+{+|  $:7M6N#%%'(*(,AC 9Hnd239 < 9 M "9 D$$ % 9 *% 9 $$=> 99x $` ` ` r: