WwgDVddlZddlZddlmZddlmZmZmZmZm Z m Z ddl m Z ddl mZddlmZmZddlmZdd lmZdd lmZdd lmZmZGd d ej6ZGddeej6ZGddeZee e j>efZ GddZ!Gdde!Z"GddeZ#GddZ$GddZ%GddZ&GddeeZ'Gd d!eZ(y)"N) defaultdict)AsyncGeneratorIterableIteratorListOptionalUnion)x509) trust_list)CertTrustAnchor TrustAnchor)PathBuildingError)CertificateFetcher)ValidationPath)CancelableAsyncIteratorConsListcNeZdZdZdefdZdefdZdejfdZ dZ y) CertificateCollectionzS Abstract base class for read-only access to a collection of certificates. key_identifierc4|j|}|sy|dS)z Retrieves a cert via its key identifier :param key_identifier: A byte string of the key identifier :return: None or an asn1crypto.x509.Certificate object Nr)retrieve_many_by_key_identifier)selfr candidatess U/var/www/horilla/myenv/lib/python3.12/site-packages/pyhanko_certvalidator/registry.pyretrieve_by_key_identifierz0CertificateCollection.retrieve_by_key_identifiers$99.I a= ct)z Retrieves possibly multiple certs via the corresponding key identifiers :param key_identifier: A byte string of the key identifier :return: A list of asn1crypto.x509.Certificate objects NotImplementedErrorrrs rrz5CertificateCollection.retrieve_many_by_key_identifier' "!rnamect)z Retrieves a list certs via their subject name :param name: An asn1crypto.x509.Name object :return: A list of asn1crypto.x509.Certificate objects rrr#s rretrieve_by_namez&CertificateCollection.retrieve_by_name3r"rct)a] Retrieve a certificate by its ``issuer_serial`` value. :param issuer_serial: The ``issuer_serial`` value of the certificate. :return: The certificate corresponding to the ``issuer_serial`` key passed in. :return: None or an asn1crypto.x509.Certificate object rr issuer_serials rretrieve_by_issuer_serialz/CertificateCollection.retrieve_by_issuer_serial? "!rN) __name__ __module__ __qualname____doc__bytesrrr Namer&r*rrrrs4!! "e " "TYY " "rrc\eZdZdejdefdZdeejfdZdZ y)CertificateStorecertreturnct) Register a single certificate. :param cert: Certificate to add. :return: ``True`` if the certificate was added, ``False`` if it already existed in this store. rrr5s rregisterzCertificateStore.registerOr"rcertsc@d}|D]}||j|z}|S)a Register multiple certificates. :param certs: Certificates to register. :return: ``True`` if at least one certificate was added, ``False`` if all certificates already existed in this store. Fr:)rr;addedr5s rregister_multiplez"CertificateStore.register_multiple[s0 )D T]]4( (E ) rctNrrs r__iter__zCertificateStore.__iter__ks!!rN) r,r-r.r Certificateboolr:rr?rCr2rrr4r4Ns7 "T-- "$ "x0@0@'A "rr4ceZdZdZedZdZdejde fdZ dZ dZ d e fd Zd ejfd Zd Zy)SimpleCertificateStorez- Simple trustless certificate store. cD|}|D]}|j||SrAr=)clsr;resultr5s r from_certsz!SimpleCertificateStore.from_certsts) "D OOD ! " rcbi|_tt|_tt|_yrA)r;rlist _subject_map_key_identifier_maprBs r__init__zSimpleCertificateStore.__init__{s# '-#.t#4 rr5r6c|j|jvry||j|j<|j|jjj ||j r)|j|j j |y|j|jjj |y)r8FT) r)r;rNsubjecthashableappendrrO public_keysha1r9s rr:zSimpleCertificateStore.registers    +)- 4%%& $,,//077=     $ $T%8%8 9 @ @ F  $ $T__%9%9 : A A$ Grc |j|SrA)r;)ritems r __getitem__z"SimpleCertificateStore.__getitem__szz$rcHt|jjSrA)iterr;valuesrBs rrCzSimpleCertificateStore.__iter__sDJJ%%'((rrc |j|SrA)rOr!s rrz6SimpleCertificateStore.retrieve_many_by_key_identifiers''77rr#c4|j|jSrA)rNrSr%s rr&z'SimpleCertificateStore.retrieve_by_names  //rc, ||S#t$rYywxYwrA)KeyErrorr(s rr*z0SimpleCertificateStore.retrieve_by_issuer_serials$  & &  s  N)r,r-r.r/ classmethodrKrPr rDrEr:rYrCr0rr1r&r*r2rrrGrGosd 5 T--$( )8e80TYY0rrGc^eZdZdZdej defdZdej dee fdZ y) TrustManagerz% Abstract trust manager API. r5r6ctz Checks if a certificate is in the list of trust roots in this registry :param cert: An asn1crypto.x509.Certificate object :return: A boolean - if the certificate is in the CA list rr9s ris_rootzTrustManager.is_rootr"rct)z Find potential issuers that might have (directly) issued a particular certificate. :param cert: Issued certificate. :return: An iterator with potentially relevant trust anchors. rr9s rfind_potential_issuersz#TrustManager.find_potential_issuersr+rN) r,r-r.r/r rDrErfrrrhr2rrrcrcs@ "D,, " " "$$ " +  "rrcceZdZdZdZe ddeedeeddfdZde e e jffd Z d e jfd Zdee jfd Zd e jdee fd Zy)SimpleTrustManagerzk Trust manager backed by a list of trust roots, possibly in addition to the system trust list. cJt|_tt|_yrA)set_rootsrrM_root_subject_maprBs rrPzSimpleTrustManager.__init__se !,T!2rN trust_rootsextra_trust_rootsr6c|%tjDcgc]}|d }}n t|}||j|t }|D]}|j ||Scc}w)a :param trust_roots: If the operating system's trust list should not be used, instead pass a list of asn1crypto.x509.Certificate objects. These certificates will be used as the trust roots for the path being built. :param extra_trust_roots: If the operating system's trust list should be used, but augmented with one or more extra certificates. This should be a list of asn1crypto.x509.Certificate objects. :return: r)r get_listrMextendrj_register_root)rIrorpemanager trust_roots rbuildzSimpleTrustManager.buildsy&  )3)<)<)>?A1Q4?K?{+K  (   0 1$&% /J  " ": . /@s A*rwct|tr|}n t|}||jvrZ|j}|jj ||j |jjj|yyrA) isinstancerr rm authorityaddrnr#rSrT)rrwanchorr{s rrtz!SimpleTrustManager._register_rootsj j+ .F$Z0F  $((I KKOOF #  " "9>>#:#: ; B B6 J %rr5c0t||jvSre)r rmr9s rrfzSimpleTrustManager.is_rootst$ 33rc(d|jDS)Nc3TK|] }t|tr|j"ywrA)rzr certificate).0roots r z0SimpleTrustManager.iter_certs.. s( $0    s&()rmrBs r iter_certszSimpleTrustManager.iter_certs s    rc#K|jj}|j|D]"}|jj |s|$ywrA)issuerrSrnr{is_potential_issuer_of)rr5issuer_hashablers rrhz)SimpleTrustManager.find_potential_issuerssH++..**?; D~~44T:  s AAA)NN)r,r-r.r/rPrar TrustRootListrxr rr rDrtrfrrrhr2rrrjrjs 30459m,$M2  >K{Ds+B7B5BB7cK|jy|jj|2cgc3d{}| 76ncc}w}}|j||D]}| ywrA)rfetch_cert_issuersr?)rr5rissuerss rfetch_missing_potential_issuersz3CertificateRegistry.fetch_missing_potential_issuersxsr <<  (,||'F'Ft'L  #F     w' FL s&+A$?=; =?=?&A$)r2rA)r,r-r.r/rrrPrarr rDrxr1r&rcrr rrhr __classcell__)rs@rrrs HL$1C(D$-/6: (()12 :9=ii$D$4$45<$$5A % T%5%556 70 $:J:J rrcpeZdZdZdedefdZdZdejfdZ dejde e fd Z y ) PathBuilderz( Class to handle path building. rregistryc ||_||_yrA)rr)rrrs rrPzPathBuilder.__init__s+  rcJtj|j|S)a Builds a list of ValidationPath objects from a certificate in the operating system trust store to the end-entity certificate .. note:: This is a synchronous equivalent of :meth:`async_build_paths` that calls the latter in a new event loop. As such, it can't be used from within asynchronous code. :param end_entity_cert: A byte string of a DER or PEM-encoded X.509 certificate, or an instance of asn1crypto.x509.Certificate :return: A list of pyhanko_certvalidator.path.ValidationPath objects that represent the possible paths from the end-entity certificate to one of the CA certs. )asynciorunasync_build_paths)rend_entity_certs r build_pathszPathBuilder.build_pathss&{{411/BCCrrcpKg}|j|23d{}|j|76|Sw)a1 Builds a list of ValidationPath objects from a certificate in the operating system trust store to the end-entity certificate, returning all paths in a single list. :param end_entity_cert: A byte string of a DER or PEM-encoded X.509 certificate, or an instance of asn1crypto.x509.Certificate :return: A list of pyhanko_certvalidator.path.ValidationPath objects that represent the possible paths from the end-entity certificate to one of the CA certs. N)async_build_paths_lazyrT)rrpathsrJs rrzPathBuilder.async_build_pathssC ') 77H ! !& LL  !H s6313636r6ct|tj|tj|jg}t ||S)a Builds a list of ValidationPath objects from a certificate in the operating system trust store to the end-entity certificate, and emit them as an asynchronous generator. :param end_entity_cert: A byte string of a DER or PEM-encoded X.509 certificate, or an instance of asn1crypto.x509.Certificate :return: An asynchronous iterator that yields pyhanko_certvalidator.path.ValidationPath objects that represent the possible paths from the end-entity certificate to one of the CA certs, and raises PathBuildingError if no paths could be built )path certs_seen failed_paths) _PathWalkerrsingr)LazyPathIterator)rrwalkers rrz"PathBuilder.async_build_paths_lazysA( /}}_%B%BC    88rN)r,r-r.r/rcrrPrr rDrrrrr2rrrrsT!)!5H! D*t7G7G,9#//9  09rrceZdZdddejdeefdZedZ dZ dZ d e e ejffd Zd e e ejffd Zd Zy )_IssuerFetcher path_builderrr5rc||_||_||_|jjj ||jj }t ||_d|_d|_ d|_ d|_ y)NrF) r5rrrrhrr[local_iss_iterlocal_issuers_foundfetched_issuers_found _fetched_cas_fetching_done)rrr5r local_issuerss rrPz_IssuerFetcher.__init__s{  ($))22II $##11 #=1#$ %&"  $rc4|j|jzSrA)rrrBs r issuers_foundz_IssuerFetcher.issuers_founds''$*D*DDDrc|SrAr2rBs r __aiter__z_IssuerFetcher.__aiter__ rc|SrAr2rBs rrCz_IssuerFetcher.__iter__rrr6c|jD]O}t|tjr|j}||j vr8|xj dz c_|cSt)Nr )rrzr rDr)rr StopIterationrrcert_ids r__next__z_IssuerFetcher.__next__s_)) F&$"2"23 ..doo-  $ $ ) $M  rcK t|S#t$rYnwxYw|jL|js@|js4|j j j|j|_|jR|j23d{7}|j}||jvr%|xjdz c_ |cS6d|_tw)Nr T) nextrrrrrrrr5r)rrStopAsyncIterationrs r __anext__z_IssuerFetcher.__anext__s :        %,,''!!**JJII      ( $ 1 1  f ..doo-**a/* !2 #'D   s:C C CA3CC BC ACcK|j1|jjd{d|_d|_yy7w)NT)racloserrBs rcancelz_IssuerFetcher.cancelsB    (##**, , , $D "&D  ) ,s*AAAN)r,r-r.r rDrr0rPpropertyrrrCr rrrrr2rrrrs$#$$UO $(EE% T-=-= =>!{D4D4D'D!E!8'rrc veZdZdddeej deedeeej fdZdZ dZ d Z y ) rrrrrrc||_||_||_|j}t |t j sJt||||_||_ d|_ yrA) rrrheadrzr rDr_issuer_fetcherr _next_level)rrrrrr5s rrPz_PathWalker.__init__%sZ ($yy$ 0 0111-lD*M(26rcK|j)|jjd{d|_|j*|jjd{d|_yy7B7wrA)rrrrBs rrz_PathWalker.cancel5sn    +&&--/ / /#'D    '""))+ + +#D  ( 0 ,s!*A3A/4A3!A1"A31A3c|SrAr2rBs rrz_PathWalker.__aiter__=rrcK|jtd}||j |jjd{}t|tr(t|j}t||dd|dSt|j|jj||jj|j |j |_ |jjd{}||S7#t$rI}|jjs%|j j |jd|_|d}~wwxYw7`#t$r d|_YpwxYww)N)rrrrrrrTrrzrrMrrrconsrr))r next_path next_issuerrur;s rrz_PathWalker.__anext__@sW    '$ $ '(,(<(<(F(F(H"HK k;7 OE)+uSbz59MM(3)) {3,,[-F-FG)) (D$ ("&"2"2"<"<">> 381#I)//==))00;+/D(G (?% (#'  (sx#E:D D D BE:$E$E"E$E: E: D EAEEE:"E$$E74E:6E77E:N) r,r-r.rr rDr0rrPrrrr2rrrr$s[7#7t''(7UO 7 8D$4$456 7 $ rrc^eZdZUdZeeed<dedejfdZ dZ dZ defd Z y) rN_as_rootrr5c|jjj|rtt |gd|_||_d|_|jj|_ y)Nr) rrrfrr r_walker emitted_countrRhuman_friendly_name)rrr5s rrPzLazyPathIterator.__init__fsQ    , , 4 4T :*?4+@"dKDM.4 \\00 rcnK|j#|jjd{yy7wrA)rrrBs rrzLazyPathIterator.cancelns. << #,,%%' ' ' $ 's *535c|SrAr2rBs rrzLazyPathIterator.__aiter__rrrr6cFK|jt|j(|xjdz c_d|_|jS |jj d{}|xjdz c_|S7#t$rYnwxYw|jdk(rx|jj dj }t|tjsJ|jj}d|_td|jd|dtw)Nr rz7Unable to build a validation path for the certificate "z" - no issuer matching "z " was found)rrrrrrrrzr rDrrrr)rr path_headmissing_issuer_names rrzLazyPathIterator.__anext__us << $ $ ]] &   ! # DL==  "ll4466I   ! #  7"       " 11!499Ii)9)9: ::"+"2"2"A"A DL#ZZL!()7  ! s=AD! B'B(BD!B BD!BBD!)r,r-r.rrr__annotations__rr rDrPrrrr2rrrrcs@)-Hh~&-1{1$2B2B1(!!rrcTeZdZdZdeefdZdefdZde jfdZ dZ y ) LayeredCertificateStorezi Trustless certificate store that looks up certificates in other stores in a specific order. storesc||_yrA)_stores)rrs rrPz LayeredCertificateStore.__init__s  rrc2fd}t|S)Nc3fKjD]}|jEd{y7wrA)rr)storerrs r_genzELayeredCertificateStore.retrieve_many_by_key_identifier.._gens3 Q @@PPP QP $1/1rM)rrrs`` rrz7LayeredCertificateStore.retrieve_many_by_key_identifiers QDF|rr#c2fd}t|S)Nc3fKjD]}|jEd{y7wrA)rr&)rr#rs rrz6LayeredCertificateStore.retrieve_by_name.._gens1 8 11$777 87rr)rr#rs`` rr&z(LayeredCertificateStore.retrieve_by_names 8DF|rcT|jD]}|j|}||cSyrA)rr*)rr)rrJs rr*z1LayeredCertificateStore.retrieve_by_issuer_serials5\\ E44]CF!  rN) r,r-r.r/rrrPr0rr r1r&r*r2rrrrs: t$9:eTYYrr))abcr collectionsrtypingrrrrrr asn1cryptor oscryptor r{r rerrorsrfetchersrrrutilrrABCrr4rGrDrrcrjrrrrrrr2rrrs #LL3%( 39"CGG9"x",cgg"B5-5pt//<=> ""@OOdf0fRP9P9fI'I'X<<~+!.~>+!\3r