Wwg ddlZddlZddlZddlmZddlmZmZmZm Z m Z m Z ddl m Z mZmZmZddlmZddlmZddlmZdd lmZmZdd lmZmZdd lmZmZdd l m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2dd l3m4Z4m5Z5m6Z6m7Z7m8Z8ddl9m:Z:m;Z;ddlZ>m?Z?m@Z@ddlAmBZBmCZCmDZDmEZEmFZFmGZGddlHmIZIddlJmKZKddlLmMZMddlNmOZOmPZPmQZQmRZRmSZSejeUZV dEde e>fdZW dEdede;de e>fdZXdedejdeZfdZ[dedejde eZde eZde\f d Z] dEdedejde e eZfd!Z^d"ejd#efd$Z`eagd%Zbd&ejd'eZd(edfd)Zed*ejfd+Zgd"ejd,eIfd-Zhd"ejd.ejdefd/Zid0ejd1ejfd2Zked34Gd5d6Zle>dfd"ejded7e>d0e ejd(elf d8ZmeGd9d:Zneagd;Zo dEdede;dfd=Zpd>edsingintl_validate_path)rHrIrCrQs rKrGrGrs<@hmmD.ABJ#DZJ  s 2;9;certhostnamecV|j|ry|j|s+td|ddj|jd|j xrd|j j v}|jxrd|jj v}|s|r tdy) a  Validates the end-entity certificate from a pyhanko_certvalidator.path.ValidationPath object to ensure that the certificate is valid for the hostname provided and that the certificate is valid for the purpose of a TLS connection. THE CERTIFICATE PATH MUST BE VALIDATED SEPARATELY VIA validate_path()! :param validation_context: A pyhanko_certvalidator.context.ValidationContext object to use for configuring validation behavior :param cert: An asn1crypto.x509.Certificate object returned from validate_path() :param hostname: A unicode string of the TLS server hostname :raises: pyhanko_certvalidator.errors.InvalidCertificateError - when the certificate is not valid for TLS or the hostname Nz0The X.509 certificate provided is not valid for z. Valid hostnames include: , .digital_signature server_authzHThe X.509 certificate provided is not valid for securing TLS connections)is_whitelistedis_valid_domain_iprjoin valid_domainskey_usage_valuenativeextended_key_usage_value)rHrTrU bad_key_usagebad_ext_key_usages rKvalidate_tls_hostnamerds2((.  " "8 ,%>xjI((, $2D2D(E'Fa I   C t';';'B'B B %% F !>!>!E!E E )%   *rM key_usageextended_key_usageextended_optionalc|j|ry| t}| t}|}|jr||jjz }t}|dur|js|}n.|j"|t|jjz }|s|rkt ||zdkDrdnd}g}t ||zD]#} |j| jdd%td|d d j|y) a Validates the end-entity certificate from a pyhanko_certvalidator.path.ValidationPath object to ensure that the certificate is valid for the key usage and extended key usage purposes specified. THE CERTIFICATE PATH MUST BE VALIDATED SEPARATELY VIA validate_path()! :param validation_context: A pyhanko_certvalidator.context.ValidationContext object to use for configuring validation behavior :param cert: An asn1crypto.x509.Certificate object returned from validate_path() :param key_usage: A set of unicode strings of the required key usage purposes :param extended_key_usage: A set of unicode strings of the required extended key usage purposes :param extended_optional: A bool - if the extended_key_usage extension may be omitted and still considered valid :raises: pyhanko_certvalidator.errors.InvalidCertificateError - when the certificate is not valid for the usages specified NFrs_ z;The X.509 certificate provided is not valid for the purposez of rW) r[setr_r`ralensortedappendreplacerr]) rHrTrerfrgmissing_key_usagemissing_extended_key_usagepluralfriendly_purposespurposes rKvalidate_usagerws>H((.E ! U! %(<(<(C(CC!$E!$*G*G%7" & & 2%7#  ) ) 0 0; & "6$'AABQF   /2LLM @G  $ $W__S#%> ? @%XT$)),=">!? A  7rMc|j|ryt||dh|xs t|du|j}|t |dr t dyy)u Validate AA certificate profile conditions in RFC 5755 § 4.5 :param validation_context: :param cert: :param extended_key_usage: :return: NrY)rerfrgcazlThe X.509 certificate provided is a CA certificate, so it cannot be used to validate attribute certificates.)r[rwrmbasic_constraints_valueboolr)rHrTrfbcs rKvalidate_aa_usager}ss((. &'-6,D8   % %B ~$r$x.% D  )~rM attr_certacceptable_targetsc t|d}|y|D]}|D]}|jdk(r|j}|j}nL|jdk(r|j}|j}n$t j d|jdw ||v}|sytd#t$r7|j|Dchc]}|jncc}wc}v}YSwxYw)Ntarget_information target_name target_group'z1' is not supported as a targeting mode; ignoring.zAC targeting check failed) r@namechosenvalidator_namesgroup_membershipsloggerinfo ValueErrordumpr) r~r target_infotargetstargetgen_name valid_names target_okns rK_validate_ac_targetingr4s)4HIK F{{m+!==0@@ .!==0BB   }% ! O$ 3 - 4 &&A BB O %MMO+/NQ/N/NN  OsB''C'C  C'&C')authority_information_accessauthority_key_identifiercrl_distribution_points freshest_crlkey_identifier no_rev_availraudit_identity iss_serialerr_msg_prefixreturncd|d}t||}d|j|djfz}|S)zp Render a cms.IssuerSerial value into something that matches x509.Certificate.issuer_serial output. issuer%s:%dserial)r?sha256r`)rr issuer_namesissuer_dirname result_bytess rK_parse_iss_serialrnsHh'L%lNCN8##L rMaki_extc|dj}dx}}t|dtjs1t |dd}|dj}|d|j |fz}|||fS)Nrauthority_cert_issuerz2Could not decode authority issuer in AKI extensionauthority_cert_serial_numberr)r` isinstancer Voidr?r)raki auth_iss_serauth_iss_dirnameauth_sers rK_process_aki_extr~s " # * *C&**L# g56 B+ + , @ 9:AA  #x&AAL  , ..rMregistryc#K|dd}d}d}|jdk(r |j}n|j}t|dtjs|d}t|dtjst |dd}t|dtjs t dt|d }|&t|\}}} | ||| k7r td | }nd}d } d} | t|d } ||j|} | | f} n| |j| } | D]*} | | j| k7r|| j|k7r'| ,yw) Nac_inforv1_form issuer_namebase_certificate_idz3Could not identify AA issuer in base_certificate_idobject_digest_infoz9Could not identify AA; objectDigestInfo is not supported.rz\AC's AKI extension and issuer include conflicting identifying information for the issuing AAzCould not identify AA by name)rrrr rrNotImplementedErrorr@rrr?retrieve_by_issuer_serialretrieve_by_namesubjectr)r~r issuer_recaa_names aa_iss_serialissuerv2rr aa_issueraki_aa_iss_serial candidatesaa_name exact_cert aa_candidates rK_candidate_ac_issuersrs 9%h/J,0H%)M)#$$)00(=1499= .H(#89499E../EM(#78$))D%K  %Y0JKG,O-O1A !2 -/JG"8-LM 77 F  !$J  ..w7 "  <#7#77#B  ?|::cA  sEEaa_certc|d}|dd}|j}|jj|||j}|j|jk7r t d|s*t d|djdd d |j  t|dj|dj|j||dd  y#t$r t dt$r t dwxYw)Nsignature_algorithmr signature public_keyz{Signature algorithm declaration in signed portion of AC does not match the signature algorithm declaration on the envelope.zoThe attribute certificate could not be validated because the signature uses the disallowed signature algorithm algorithmz. TF) is_ee_certis_side_validation banned_sincerCr signed_datapublic_key_infosigned_digest_algorithmrCzgThe signature parameters for the attribute certificate do not match the constraints on the public key. z]The attribute certificate could not be validated because the signature could not be verified.) best_signature_timealgorithm_policysignature_algorithm_allowedrr`rrnot_allowed_afterrBrr'r)r~rrHsd_algoembedded_sd_algouse_timedigest_alloweds rK_check_ac_signaturersF -.G +K8!55H++GG X'*<*< H  ~~)000) I  & E{#**+2 /$'99     ,33!),113 $..$+ !67 E   ) ?    ) /   s >C(C: holder_certholderc|d}t}t|tjs,t |d}||j k7r|j d|d}t|tjs,t|d}||jk7r|j d|d}t|tjs td|S)a Match a candidate holder certificate against the holder entry of an attribute certificate. :param holder_cert: Candidate holder certificate. :param holder: Holder value to match against. :return: Return the parts of the holder entry that mismatched as a set. Possible values are `'base_certificate_id'`, `'entity_name'` and `'object_digest_info'`. If the returned set is empty, all entries in the holder entry matched the information in the certificate. rz,Could not identify holder certificate issuer entity_namezCould not identify AC holder DNrz-Object digest info is currently not supported) rmrr rr issuer_serialaddr?rr)rr base_cert_id mismatchesdesignated_iss_serialr holder_dnobj_digest_infos rKcheck_ac_holder_matchrs"/0LJ lDII .!2 H!  !K$=$= = NN0 1'K k499 -$ :   ++ + NN= )12O otyy 1! ;   rMT)frozenceZdZUdZej ed< ejed< e ed< e e ejfed<y)ACValidationResultzF The result of a successful attribute certificate validation. r~raa_pathapproved_attributesN) __name__ __module__ __qualname____doc__r AttributeCertificateV2__annotations__r Certificater0rstrAttCertAttributerrMrKrr0sW)))  c3#7#7788rMraa_pkix_paramsc hK|ddDcic]}|djt|d }}|jDchc]\}}|r |tvr|}}}|r:t dt |dk7rdndd d j t|d d |vr%|j}| tdt|||dd} t | dk(r td|+t|| } | rtdd j | |j} t||j} g} d }| D]i} t|| | j#|d {}|D];} t'|||t)t+j,|dd {|}ik|| s t%d| d|j0}t3||||dd}|j5|}t)t+j,|dd}t7t9|d|dd|j:|j<|d|vrt?|||| d {|dd!Dcic]&}|jA|d"r|d"j|(}}tC||||#Scc}wcc}}w#t$r}| j!|Yd }~d }~wwxYw7w#t$$r}| j!|Yd }~d }~wwxYw7g#t.$r}| j!|Yd }~d }~wwxYw7cc}ww)$a Validate an attribute certificate with respect to a given validation context. :param attr_cert: The attribute certificate to validate. :param validation_context: The validation context to validate against. :param aa_pkix_params: PKIX validation parameters to supply to the path validation algorithm applied to the attribute authority's certificate. :param holder_cert: Certificate of the presumed holder to match against the AC's holder entry. If not provided, the holder check is left to the caller to perform. .. note:: This is a convenience option in case there's only one reasonable candidate holder certificate (e.g. when the attribute certificates are part of a CMS SignedData value with only a single signer). :return: An :class:`.ACValidationResult` detailing the validation result, if successful. r extensionsextn_idcriticalz^The AC could not be validated because it contains the following unsupported critical extensionrrirj: rWrXrNzkThe attribute certificate is targeted, but no targeting information is available in the validation context.rrzAC holder entry is emptyzYCould not match AC holder entry against supplied holder certificate; mismatched entries: zAA certificate)rOee_name_overriderPz:Could not find a suitable AA for the attribute certificateatt_cert_validity_periodFzthe attribute certificate)rOrrnot_before_timenot_after_time) not_before not_aftervaliditymoment tolerancerQrrQ attributestype)r~rrr)"r`r{itemsSUPPORTED_AC_EXTENSIONSrrnr]roacceptable_ac_targetsrrr path_builderrcertificate_registryr}rpasync_build_pathsr%rSrr>rRr)lastrcopy_and_append_check_validityrr time_tolerance_check_revocationaa_attr_in_scoper)r~rHrrextextensions_presentcritunsupported_critical_extensions targ_desc ac_holderrr aa_candidates exceptionsrrepathscandidate_pathrrac_pathrQattrok_attrss rKasync_validate_acr(LsHY' 5  ItC O44 ,113' C C66 '#' '% 79:a?sRHyy ?@AB! E  11&<<  -F  y)4)$X.I 9~)*DEE*; B -448IIj4I3JL  &22L)%::M#%J(,G%%   0, ? &88FFE $ %N %(&"-+(0 n(E)9  ) %%8#L Q- llG 7,>?#$>?H%%i0G g. 4J &'89%&67  "(($33 // )7z   i(6   # #DL 1 V T!H $  k'V+    a  G     a   # %!!!$$ %L s L2#J"L2J'C!L2= J- KKK#L2)0LLL B7L2L+L2&+L-L2- K6K L2 KL2K K=!K82L28K==L2L L( L#L2#L((L2-L2cNeZdZUdZeded<eed<eed<eed<eed<eed<ejed <ejed <e ed <e ed <d Z e ed<ededeefdZdej$fdZdedefdZdefdZdej$dededej0fdZy)_PathValidationStatez^ State variables that need to be maintained while traversing a certification path r6valid_policy_treeexplicit_policyinhibit_any_policypolicy_mappingmax_path_lengthmax_aa_path_lengthworking_public_keyworking_issuer_namepermitted_subtreesexcluded_subtreesFaa_controls_used trust_anchorrCc |j}|x}}|j |j}|j |j}|j}||t |j |j }|j xr |j }|jxr |j} |jxr |j} t|jxs t} |j| j|jt|jxs t} |j| j!|jn|xs|xs t#}|j }|j} |j }|j} t|jxs t} t|jxs t} t%t'j(dt+dh| | | rdn|dz|rdn|dz| rdn|dz|j,j.|j,j0|| } | |fS)N any_policyrr) r+r3r4r,r-r.r1r2r/r0)trust_qualifiersr/r0standard_parametersr4user_initial_policy_setinitial_any_policy_inhibitinitial_explicit_policyinitial_policy_mapping_inhibitr+initial_permitted_subtreesr-intersect_withr*initial_excluded_subtreesr, union_withr2r*r6init_policy_treerm authorityrr) path_lengthr6rCtrust_anchor_qualsr/r0trust_anchor_paramsacceptable_policiesr<r=r>r?rAstates rKinit_pkix_validation_statez/_PathValidationState.init_pkix_validation_statesz *::/::,  - - 90@@O  - - 9!3!F!F 0DD  !&9&E"722#;;#  55:99 ' 22766 $ 99>== +*;550-/* &#==I*99'BB)944/,.) %#<<H)44'AA K1K5I5K #-"D"D &0&H&H #)3)N)N &99 +*;550-/* &)944/,.) % %,==cel^ :7"9Q{Q/[1_4q ,55@@ , 6 6 ; ;+ 25 8)))rMrTc8|jsl|jdk7r|xjdzc_|jdk7r|xjdzc_|jdk7r|xjdzc_|j}|rX|dj }|t |j||_|dj }|t |j||_|j0t |jj |j|_yy)Nrrrequire_explicit_policyinhibit_policy_mapping) self_issuedr,r.r-policy_constraints_valuer`mininhibit_any_policy_value)selfrTpolicy_constraintsrLrMs rKupdate_policy_restrictionsz/_PathValidationState.update_policy_restrictionsas##q($$)$""a'##q(#&&!+''1,'":: &8)'f $'2'*((*A($&8(&f #&1&)'')?'#  ( ( 4&)--44d6M6M'D # 5rMindexrQc|r+|jt||j|||_n |d|_|j7|jdkr'tjd|j |yy)N)depthany_policy_uninhibitedrNThe path could not be validated because there is no valid set of policies for )r+r:r,r& from_state describe_cert)rRrUcertificate_policiesrXrQs rKprocess_policiesz%_PathValidationState.process_policiess D$:$:$F%7$&&'= &D "" )%)D "  ! ! )d.B.Ba.G%00##-#;#;#=">@ /H )rMcH|jj|}|s4tjd|j d|j ||j j|}|s4tjd|j d|j |y)Nz9The path could not be validated because not all names of z: are in the permitted namespace of the issuing authority. z6The path could not be validated because some names of z; are excluded from the namespace of the issuing authority. )r3 accept_certr&rZr[ error_messager4)rRrTrQwhitelist_resultblacklist_results rKcheck_name_constraintsz+_PathValidationState.check_name_constraintss22>>tD%00K++-./--=-K-K,LN    11==dC%00H++-./7#1124   rMrr cd|d}|dj}|j|||j}|sXd|jd|d}|j|d|jdz }t j |||j t|d j|d j|j||dd  y#t$r)tj d |jd|t$r)tj d|jd|wxYw)Nrrrz9The path could not be validated because the signature of z) uses the disallowed signature mechanism rXz Reason: )rsignature_valuetbs_certificaterCrzThe signature parameters for z0 do not match the constraints on the public key.z could not be verified) r`rr1r[failure_reasonrrZrrBrr'r&r) rRrTrrQr r sd_algo_namesig_algo_allowedmsgs rKcheck_certificate_signaturez0_PathValidationState.check_certificate_signatures044I/J{+22 +GG V(?(?H   ..012''3nA7   ..:#3#B#B"C1EE*55-??    0188 !2388: $ 7 7(/ 56|D  $ %00/ 0H0H0J/KL?@    %00K++-..DF  s >C A"D/N)rrrrrrintr PublicKeyInfoNamer+r*r5r{ staticmethodrr2rJrrTrr]rcr1datetimerkrrMrKr*r*s  011***"))''"d"`*!`*12`*`*D%t/?/?%N ! 6|(--/-! - !! -rMr*)rrbasic_constraintsrrfrrre ocsp_no_checkr\policy_mappingsrSr-name_constraintssubject_alt_name aa_controlsrQc HK|j}|j}|j}tj |||\}}t |gd} t |tr)|j|j| |j} nd} d} |j} t |jtjr| j|j|} td|dzD]} || } |xj dz c_|j#| |j$||j&|j)| s#|j*}| dd}t-||||| s)| j| |st/| |||d{| j0|j2k7r(t5j6d |j9d || |k(s | j:s|j=| | |j?| | j@|jBd kDxs| |kxr | j:| | |krtE| | || tG| || | | jHtJz }|rUt5j6d |j9dtM|dk7rdndddjOtQ|||s| jS| } |j| | | 2tU|| |||}|jW|| jW|| S7w)az Internal copy of validate_path() that allows overriding the name of the end-entity certificate as used in exception messages. This functionality is used during chain validation when dealing with indirect CRLs issuer or OCSP responder certificates. :param validation_context: A pyhanko_certvalidator.context.ValidationContext object to use for configuring validation behavior :param path: A pyhanko_certvalidator.path.ValidationPath object of the path to validate :param proc_state: Internal state for error reporting and policy application decisions. :param parameters: Additional input parameters to the PKIX validation algorithm. These are not used when validating CRLs and OCSP responses. :return: The final certificate in the path - an instance of asn1crypto.x509.Certificate N)intermleafFrrfrr)rTrHrIrQ(The path could not be validated because z! issuer name could not be matchedr r)rXrQz6 contains the following unsupported critical extensionrirjrrW)rIrTrHrErQ),r r6pkix_lenr*rJr0rrrecord_validation certificaterevinfo_managerryr rcheck_asserted_unrevokedrangerUrkrrr[rrrrr2r&rZr[rNrcr]certificate_policies_valuer-_prepare_next_step_check_aa_controlscritical_extensionsSUPPORTED_EXTENSIONSrnr]ror_finish_policy_processing_set_qualified_policies)rHrIrQrCr r6rErIrHcompleted_pathrTleaf_asserted_nonrevokedr~rUr rrqualified_policiess rKrSrSsy> & &F$$L--K 77\:   &4Rd&N ,0,,  $ $n '' %(88O$))T--.#2#K#K IIv$  q+/*WGE{A ))   / /   2 2  "006*99I-.z:H !#%  )#<K'!C3LTYYv&EFGH J     ,;;DAN  0 0~ FoWG~ 6 3#!   $$%78../AB K_ sFL"LD9L"AL"rc||dj|z kr$tj|dj|||dj|zkDr$tj|dj|y)Nr) valid_fromrQr) expired_dtrQ)r`r formatrrs rKrrs&-- 99%% -44  %,,y88!! ,33   9rMc|jdk7r|xjdzc_|jr#|jdjdk(rd|_|jdn*|dhk(r |jnt |j|t }&dt tffd }t |}|S|jdk(r(tjd|jd||S) NrrrLr8rc3KJjD]Y}|j}|dk7r!td|jD}nd}t ||t |j [yw)Nr8c3fK|])}|jjdk(r|j+yw)r8N)parent valid_policy).0ancestors rK zD_finish_policy_processing.._enum_policies..s01$#??77<G!--1s/1)user_domain_policy_idissuer_domain_policy_id qualifiers)at_depthrnext path_to_rootr/ frozenset qualifier_set)accepted_policy listed_polr intersectionrEs rK_enum_policiesz1_finish_policy_processing.._enum_policiess+ ++#/#8#8#E ,99 --11(7(D(D(F1-)-9)%*?,6()F)FG% sA3A6rYrX) r,rOr`r+r9rrr/r&rZr[)rIrTrHrErQrrrs ` @rKrrs ! " $$  ( ()B C J Ja O$%E ! &   ... 3 002E 6?[  9 6'~'78    ! #!,,&4467q :   rMcFKd}d}d}d}d}g} t|\} } | xs| } |jj} |jr | jn | j }d}|j r| r t||||d{d}d}|sS|j&rG| rdj)d| D}nd}t+j,d|j/d |||xr|t0j2k7}d}d}|j4xs| xr|t0j6k(}|j8xr| }|s|r |s t;||||d{d}d}d}|sS|j4rG| rdj)d | D}nd }t+j,d |j/d |||jBxs| xr|t0jDk(}|xs|}| xr|}|s|sr|rp|rnd |j/dddj)| }|xs|}|r)|r|r tG||n|}tIjJ|||t+j,|||r't+j,d|j/|yy7#t$rM}| j|jDcgc]}|d ncc}wc}d}d}|j}Yd}~Fd}~wt$rYUt$rK}|jrd}|j|n | j!|j"dd}Yd}~d}~wt$$r-}| j!|j"dd}d}Yd}~d}~wwxYw7 #t<$rM}| j|jDcgc]}|d ncc}wc}d}d}|j}Yd}~id}~wt>$rYxt@$rK}|jrd}|j|n | j!|j"dd}Yd}~d}~wwxYww)NFr Trz; c32K|]}t|ywNrrfs rKrz$_check_revocation..591A9z.an applicable OCSP response could not be foundzHThe path could not be validated because the mandatory OCSP check(s) for z failed: c32K|]}t|ywrrrs rKrz$_check_revocation..drrz$an applicable CRL could not be foundzGThe path could not be validated because the mandatory CRL check(s) for rz) def_intermz revocation checks failed: zUThe path could not be validated because no revocation information could be found for )&rArevinfo_policyrevocation_checking_policyree_certificate_ruleintermediate_ca_cert_rule ocsp_relevantr=r$extendfailures suspect_staler"r!tolerant_report_soft_failrpargsr#ocsp_mandatoryr]rrZr[r3CRL_AND_OCSP_REQUIRED crl_mandatoryCRL_OR_OCSP_REQUIRED crl_relevantr<rrrstrictCHECK_IF_DECLAREDmaxr(r)rTrHrIrQocsp_status_goodrevocation_check_failed ocsp_matched crl_matched soft_failr cert_has_crl cert_has_ocsprevinfo_declaredrev_check_policyrev_ruleocsp_suspect_stale_sincer"failureerr_str status_goodcrl_status_goodcrl_suspect_stale_sincecrl_required_by_policy crl_fetchableexpected_revinfomatchedexpected_revinfo_not_foundrjmaybe_stale_cutoff stale_cutoffs rKrrs #LKIH"6t"<L-#4}))DD   ,,  7 7 $- &d.:   $ L&  7 7 ii999GFG&11&4467y  K    E .DD D O"&33  D .CC C)):lM-  /d.:  ', #"OK x55 ii999G""&))H"5!68  )C,C "04K02IJ+ (..sL*MM.99 &*5522<2J2J2L1MO  &- {  0 7 OOqzzBGWQZBB C&* #L'( $!   /   "44Q7q **.'" OOAFF1I &&* #L <  / 6 OOqzzBGWQZBB C&* #K&'oo #    /   "44Q7q **.'  /sA+P!.I>I;I> B,P!6M+M( M+D(P!;I>> M%K J- ,K P! M%P!M%&AL,&P!, M%8"M P! M%%P!(M++ P4N< N N<6P!< PP! PAPP!PP!rIcntj|}|j|js-|dkDr(tjd|j d|d|_|dj }|||jkr||_yyy|jr(tjd|j d|y)NrzEAA controls extension only present on part of the certificate chain: z6 has AA controls while preceding certificates do not. Tpath_len_constraintz has no AA controls )rread_extension_valuer5r&rZr[r`r0)rTrIrUrQrvnew_max_aa_path_lengths rKrrs 11$7K%%%!)%00&&0&>&>&@%ABAB   "&!,-B!C!J!J " .&)A)AA'=E $B /   !,,"",":":"" #     rMc|jrNt|j|}|j+t||j||jdkD|_|j |_d}|jjdk(rQ|jj;|jjdk(r"|jd}|dj}|r*|jj}||dd<||_ n|j|_ |j}||d} t| tjr$|j j#t%| |d} t| tjr$|j&j)t%| |j+||j,s(t/j0d |j3d ||j4st|j6dk(rt/j0d ||xj6d zc_|j8dk(rt/j0d ||xj8d zc_|j6*|j6|j6kr|j6|_|j:rAd|j:j<vr(t/j0d |j3d|yy)Nr r)rWpolicy_mapping_uninhibiteddsarrCr3r4rzz is not a CAzJThe path could not be validated because it exceeds the maximum path lengthrz`The path could not be validated because it exceeds the maximum path length for an AA certificate key_cert_signz$ is not allowed to sign certificates)policy_mappings_valuer8r+r7r.rr2rr hash_algor1copyname_constraints_valuerr GeneralSubtreesr3r@r.r4rBrTryr&rZr[rNr/r0r_r`) rUrTrIrQ policy_map copy_paramskey_algr1nc_valuenew_permitted_subtreesnew_excluded_subtreess rKrrs  !!.  & &:  " " .&:''+0+?+?!+C 'E #!% EK   E)doo.G.G.O  # # - - 6..{;G!,/446K!__1138C;' 5#5 #'?? &*%@%@H!)*>!? ,d.B.B C  $ $ 3 3()?@ !))< = +T-A-A B  # # . .()>?   $$T* 77!,,6'')*, 8        A %%00&  "  # #q (%00<    A%  (  5#8#8 8 $ 4 4  4#7#7#>#> >!,, 6'')**N P    ? rMr)vrErplogging dataclassesrtypingrrrrrr asn1cryptor r r r asn1crypto.x509rcryptography.exceptionsr_stater asn1_typesrrrDrrcontextrrerrorsrrrrrrrrr r!r"r#r$r%r&r'r(r) name_treesr*r+r,r-r.rIr/r0 policy_declr1r2r3r4 policy_treer5r6r7r8r9r:rr;revinfo.validate_crlr<revinfo.validate_ocspr=utilr>r?r@rArB getLoggerrrrLrGrrrdr{rwr}rrrr IssuerSerialbytesrAuthorityKeyIdentifierrrrHolderrrr(r*rrSrrrrrrrMrKrs!AA--$4 *3;(2 ,,7   8 $LP&*23G*H&X26#)# #-.#L/ )/ 151A1A/ MP/ dE )E   E 3xE C E  E V.2 )    !S* D$C))$C+$CN$&    25    /d99 /<))<5J<~1 ))1   1 *1 h-t'7'7--` $<,@+A.2 \))\)\)\$**+ \  \~ xx xx!426 q)q qq-. qh    7C  ??K?DS)S S Sl       @e   e  e  e rM