WwgQ$ ddlZddlZddlmZddlmZmZddlmZddlm Z m Z m Z m Z m Z mZddlmZmZmZddlmZddlmZdd lmZmZdd lmZdd lmZmZmZm Z m!Z!m"Z"m#Z#dd l$m%Z%dd l&m'Z'ddl(m)Z)ddl*m+Z+ddl,m-Z-ddl.m/Z/m0Z0ddl1m2Z2m3Z3m4Z4ddl5m6Z6ddl7m8Z8m9Z9m:Z:m;Z;ejxe=Z>edGddZ?dejdejdede+de ejf dZCeGdd ZDd!e'd"ed#eEd$efd%ZFdejdejd&eejejfded'e'd(e+d)eEd$ede e e'eDffd*ZHdejdejd&eejejfded'e'd"ed)eEd$ede'fd+ZIeGd,d-e-ZJd.e e/dejd/ejd0e eLde e/f d1ZMd/ejd2e ejd3ejdejdeEf d4ZOd&ejdejd3ejd/ejdejd5eJdeEfd6ZPdejd2e ejd3ejd/ejdejd5eJdeEfd7ZQd8e/d9e)d:e%d5eJd;eEf d<ZRd&eejejfded8e/d=e'd"ed>e eSe e/fd?eEd5eJd$ede e eSfd@ZTd8e/dAejd(e+d5eJde eEejff dBZU dZdejd3ejd>e eSe e/fd5eJd:e e%dCe e)de e/fdDZVd8e/d5eJd;eEfdEZWd3ejd&eejejfd8e/d)eEd5eJde e eSf dFZXd3ejd&eejejfd8e/dGe e/d5eJf dHZY d[dIe6d&ejd5eJdJe efdKZZdLe eSdMe[d5eJd$efdNZ\ d\d&eejejfd=e'd"ed$e efdOZ]edGdPdQZ^edGdRdSZ_edGdTdUZ`d&eejejfded8e/d=e'dIe6d>e eSe e/fd?eEd5eJd$ede e_fdVZa d\d&eejejfd=e'dIe6dJed$e ede`f dWZbdXZcd&eejejfdAejdejdejfdYZdy)]N) defaultdict) dataclassfield)datetime)DictListOptionalSetTupleUnion)cmscrlx509)InvalidSignature) ValProcState) AuthorityAuthorityWithCert)ValidationContext)CertificateFetchErrorCRLNoMatchesErrorCRLValidationErrorCRLValidationIndeterminateErrorPathValidationErrorPSSParameterMismatch RevokedError)ValidationTimingParams)ValidationPath)CertRevTrustPolicy)CertificateRegistry)Errors) CRLContainerRevinfoUsabilityRating)KNOWN_CRL_ENTRY_EXTENSIONSKNOWN_CRL_EXTENSIONSVALID_REVOCATION_REASONS)RevinfoManager)ConsListget_ac_extension_value get_issuer_dn validate_sigT)frozenc,eZdZUdZeed<eeed<y) CRLWithPathsz0 A CRL with a number of candidate paths rpathsN)__name__ __module__ __qualname____doc__r!__annotations__rra/var/www/horilla/myenv/lib/python3.12/site-packages/pyhanko_certvalidator/revinfo/validate_crl.pyr-r-0s   r5r-crl_authority_namecertificate_listcert_issuer_auth cert_registryreturncK|j}d}t|tr |j}|j ||}|s!||jk7r|j ||}|sX|j Lg}||h}|j j |23d{}|j|vs|jd|+|S7(6w)Nr) issuer isinstancer certificateretrieve_by_namefetcherfetch_crl_issuerssubjectinsert) r7r8r9r:delegated_issuercert_issuer_cert candidates valid_namescerts r6 _find_candidate_crl_issuer_certsrJ:s(.."$56+77//*J ,0@0G0GG#33  0  -//; )+;< (//AA   + +$||{*!!!T*   + s0BCCB>CC)C>CCcxeZdZUeed<dZeed<dZeed<dZeed<dZeed<e e Z e e ed<d Zy ) _CRLIssuerSearchErrscandidate_issuersrcandidates_skippedsignatures_failedunauthorized_certspath_building_failures)default_factoryexplicit_errorsc@|jdkD}|jr|j|jk(r tS|j|jk(r t dS|j |jk(rt |rdSdS|j |jk(rt |rdSdS|jr't|jdk(r|jdSd}|d jd |jDz }t |S) Nz#CRL signature could not be verifiedzDThe CRL issuers that were identified are not authorized to sign CRLszAThe CRL issuer that was identified is not authorized to sign CRLszSThe chain of trust for the CRL issuers that were identified could not be determinedzQThe chain of trust for the CRL issuer that was identified could not be determinedrz&Unable to determine CRL trust status. z; c32K|]}t|ywN)str).0es r6 z/_CRLIssuerSearchErrs.get_exc..sBSVBs) rMrNrrOrrPrQrSlenjoin)selfpluralmsgs r6get_excz_CRLIssuerSearchErrs.get_excis+''!+&&&&$*@*@@$& &  # #t'='= =%&KL L  $ $(>(> >% .   ( (D,B,B B%* *   ! !c$*>*>&?1&D''* *:C 499BT-A-ABB BC%c* *r5N)r/r0r1intr3rNrOrPrQrlistrSrrrar4r5r6rLrL`sNs"#C#05d0KOT,-K+r5rLcandidate_crl_issuer_pathvalidation_contextissuing_authority_identical proc_statecK|j|jry |j}|s|jddz}ddlm}|j j|}|||t||d{y7#t$rN}|j}tjd|jjd | td |d}~wwxYww) NT) never_defz CRL issuerr)intl_validate_path)ee_name_overridecert_path_stack)rgzPath for CRL issuer z could not be validated.exc_infoz8The CRL issuer certificate path could not be validated. )check_validationlastrk describe_certpyhanko_certvalidator.validaterjrlconsrrloggerwarningrChuman_friendlyr) rdrerfrg temp_overriderj new_stackrZiss_certs r6_validate_crl_issuer_pathrzs**+D+I+IJ "33 *((4(8=H  F..334MN   %#!.       ,11"8#3#3#B#B"CD   !Fqc J    s<CAB=B>BCB CA CCCrI cert_pathcertificate_registry is_indirectc Ktj|jj}t ||||d{} |j } t t| } g} | D]} | j| k(}| j| k(xr| j|k7}|s|s|s| xjdz c_ N| j}|r$d|jvr| xjdz c_ t|| j|j%| }|s |j'| }| j-|| | fS7#t $r| xj"dz c_YwxYw#t($r| xj*dz c_YwxYww)N)r9r:)rMrUcrl_sign)hashlibsha256dumpdigestrJnamerLr\rCr=rNkey_usage_valuenativerP_verify_crl_signature public_keyrrOcheck_path_verif_recursiontruncate_to_issuer_and_append LookupErrorrQappend)r7r8rIr9r{r|r}rg cert_sha256candidate_crl_issuerscert_issuer_nameerrscandidate_pathscandidate_crl_issuer direct_issuerindirect_issuerr cand_paths r6_find_candidate_crl_pathsrs..-446K"B)* # (,, #6K2L MDO 5,*,448HH  ! ' '+; ; ;$++{:  _[  # #q ( # .>> z1G1GG  # #q ( #   " "6"A"A 99:NO  %CC( y)Y,*Z D  oR"   " "a ' "   ++q0+ s[AFEB)F1EFE),FE&#F%E&&F)F F F  Fc ~Kt||||||j||d{\}} |D]} | j} |j| r |jj || | cS|j | } | xr;|duxr5|jj| jjk(} t| || |d{|jj || | cS| j777#t$r&} | jj| Yd} ~ d} ~ wwxYww)NrIr9r{r|r}rg)rdrerfrg)rr|rprrevinfo_managerrecord_crl_issuerrrrrzrrSrra)r7r8rIr9r{rer}rgrrrdrrfrZs r6_find_crl_issuerrsv#< )/DD # OT&5*!8==  0 01E F  . . @ @ "6 - ,%.$K$K % !  /:/+ ,:$//446'22779: ( ,*C#5,G%     . . @ @ "6 - ,O*V ,,.m R "   ' ' *  sM!D=DAD=?AD D !D 3D= D  D:D5/D=5D::D=ceZdZUdZeed<y)_CRLErrsrissuer_failuresN)r/r0r1rrbr3r4r5r6rr@s OSr5r delta_listscrl_idpparent_crl_akic|D]b}|j}|j|k7r|j}||||4||j|jk7rP||jk7r`|cSyrW)crl_datar= issuing_distribution_point_valuerauthority_key_identifier)rr7rrcandidate_delta_cl_contcandidate_delta_cl delta_crl_idps r6_find_matching_delta_crlrEs $/'4==  $ $(: : +KK O 9  M$9   7>>]5I5I#I  /HH H &&)'* r5crl_dps crl_issuercPd}d}d}g}|d}|rd}|jdk(r#|jD]} |j| ns|jj } | jj|jj |jt jd| |r|D]} |rn| d} | rd}| jdk(r| jD] } | |vsd}79|jj } | jj| jj t jd| } | |vsd}| dsd}| dD] }||vsd}nd}t jd|} | |vrd}|xs| xs| S)NFdistribution_pointT full_namedirectory_namervaluer)rchosenrrCcopyuntagr GeneralName)rrrr7 has_idp_name has_dp_name idp_dp_matchidp_general_names idp_dp_name general_nameinner_extended_issuer_namedpdp_namedp_extended_issuer_namedp_crl_authority_names r6_match_dps_idp_namesrcsLKL./K   { * + 2 2 7 !((6 7*4););)@)@)B & & - - 4 4[5G5G5M5M5O P  $ $  )1K   B-.G" <<;.(/" '+<<+/L!" 2<1C1C1H1H1J..55<<,,./3.>.>-5O/+/2CC'+ L!" -/ -=),0AA'+ 3 > ''!);  , ,L  >|+ >;>r5rct||j||}|s(|jd||xjdz c_y|djr8|j r,|j djr|jd|y|djr:|j r|j djdur|jd |y|d jr|jd |yy ) Nrrrr7z{The CRL issuing distribution point extension does not share any names with the certificate CRL distribution point extensionrUFonly_contains_user_certscazMCRL only contains end-entity certificates and certificate is a CA certificateonly_contains_ca_certszNCRL only contains CA certificates and certificate is an end-entity certificateonly_contains_attribute_certsz(CRL only contains attribute certificatesT)rcrl_distribution_points_valuerrrbasic_constraints_value)rIr8rrr7rmatchs r6_handle_crl_idp_ext_constraintsrs !22-  E      !)*11  ( (,,T299 KK2   '(//,,++D188EA KK/   ./66 68H  r5ct||||}|s(|jd||xjdz c_y|djxs|dj}|r|jd|yy) NrzThe CRL issuing distribution point extension does not share any names with the attribute certificate's CRL distribution point extensionrUFrrzVCRL only contains public-key certificates, but certificate is an attribute certificateT)rrrr)r8rrrr7rrpkc_onlys r6)_handle_attr_cert_crl_idp_ext_constraintsrs !-  E   /   ! *+22 4 + , 3 3   6   r5certificate_list_contrevinfo_policy timing_paramsis_deltacB|j||}|rdnd}|j}|tjk7rg|tjk(r!|d}|j |j n|tjk(r|d}n|d}|j||dy y) N)policyrz Delta CRLCRLz is not recent enoughz is too recentz# freshness could not be establishedT)is_freshness_failureF) usable_atratingr"OKSTALE update_stalelast_usable_atTOO_NEWr) rrrrrfreshness_resultprefixrr`s r6_check_crl_freshnessr s-66#7%[%F  $ $F '*** +11 1H12C   .== > -55 5HN+CH?@C C.T J r5pathdelta_lists_by_issuer use_deltasc nK|j} t||j|j|\} } |j j | } | s( t| | ||||| |d{} | j} t| ||| |}|yt!||j"|j$|dsy|r&t'| | |j"|j$||}nd} t)| |||| \}}|j$}|j,r |j.nd}|r |||krt1j2||d | |S#t$rYywxYw7#t$r|xjdz c_ Yyttf$r)}|j|jd| Yd}~yd}~wwxYw#t*$rYywxYww) Nr|r)rIr9r{rer}rgrUrrrIrr}rFr)r8rrrrr)rrIrdelta_certificate_list_contrr)reason revocation_dt revinfo_typerg)r_get_crl_authority_namerr|rrcheck_crl_issuerrrprrrrrargs!_get_crl_scope_assuming_authorityrrr_maybe_get_delta_crl_check_cert_on_crl_and_deltaNotImplementedErrorpoint_in_time_validationvalidation_timerformat)rIr9rrrerrrrgr8r}r7rcrl_issuer_pathrZinterim_reasonsr revoked_daterevoked_reasontiming control_times r6_handle_single_crlr&s-55 *A !  ! !!3!H!H + ' '$33DDJ  $4" !1#5'% % O)--J8 3  O ))((   &:-!%44,::"7 ' #'+# 'C!"7(C ( $ n - -F"("A"At</<,3N!!!&!   m  !   A % %'9:  KKq #3 4 Z s F5&D;F5E *E +E ;A"F5F&1A F5; EF5EF5 E F#*F5,F#:FF5F##F5& F2/F51F22F5rc|j}|j}t|xr|dj}|s|j}||fS|d}|rc|j dk(r|j dj }||fS|jj j|j }||fS|jr+|j|j} | j}||fS|jd|t)zR Figure out the name of the entity on behalf of which the CRL was issued. indirect_crlrrrzcCRL is marked as an indirect CRL, but provides no mechanism for locating the CRL issuer certificate) rrboolrr=rrrrrretrieve_by_key_identifierrCr) rrr|rr8rr}r7 crl_idp_nametmp_crl_issuers r6rrs4-55 99 wA7>#:#A#ABK -44, * **)34   K/%1%8%8%;%B%B"" * **&6%:%:%<%C%C%J%J ''&" * ** 6 61LL 99N"0!7!7  * ** KKD%   r5rc|jrt|jdk(ry|j}|j}|j |j g}t ||||j} | sy| j} t| |dsy t| |j|r|rt| |||dr| Sy#t$r|jd| YywxYw)Nr)rr7rrTrz)Delta CRL signature could not be verified)freshest_crl_valuer\rCrgethashablerrr&_verify_no_unknown_critical_extensionsrrrrr) r8rrrrrr7rcandidate_delta_listsrdelta_certificate_lists r6rrs   / / 22 3q 8#++99 255##R#;)-'@@ # '8AA 1#TD 4j6K6KL-  '     / . !  7 '  sB??CCcv|jj}|tz r|jd|rdnd|yy)Nz@One or more unrecognized critical extensions are present in the z delta CRLrFT)rcritical_extensionsr$r)rrr extensionss r6rrsI'//CCJ(( "*;6 8 !  r5c|j}|j}t|tj}d}d} |r |j } n t |d} | r:tjd|j} | D]} | ds d}| | dvsd} |j} t|}| |k(}|xr| xr|}|xr| xs| }|j|k(}|s|s|r|r|xjdz c_ y|(|rt||||| |}nt| |||| | }|syd}|r|d j|d j}d}|r|}|tj }n|}t#||d sy|S) NFcrl_distribution_pointsrrrTrU)rIr8rrr7r)rr8rrr7ronly_some_reasonsr)rrr>r Certificaterr(rrCr)r=rrrrr%rr)rrIrr}rr8ris_pkchas_dp_crl_issuerdp_matchrcrl_issuer_general_namerr7r same_issuerindirect_match missing_idpindirect_crl_issuer crl_idp_match idp_reasons reason_keysrs r6rrs-5599 d.. /FH 44(/HI"&"2"2!););#  $B,$(!*b.>>#H  $ $++$T*$(88K&C8C N#IX)H[K$++/?? 7J  ! ;!1%#5 MF!1%#5 MK7./66B1299 K! 2779% 2te  r5rcz|j}d}d}t|}|r(|j} t||| |j\}}| t||||j\}}|r|j dk(rd}d}||fS#t$r|j d|wxYw#t$r|j d|wxYw)Nz]One or more unrecognized critical extensions are present in the CRL entry for the certificateremove_from_crl)rr)find_cert_in_listrCrrr) rrIrrrr8rrrr s r6rrhs-55NL$T*"!>O99A(9@@)&o6==)'/4 $%: ::?H6 /CC MM# * KK- . . /s;D CAD 6A C D  D+D=D DD checked_reasons total_crlscD|dhz}|tk7r||jk(rtd|jdS|js|j ddt d|jd|j|jr|jSdSy)Nunusedz%No CRLs were issued by the issuer of z, or any indirect CRL issuerz6The available CRLs do not cover all revocation reasonszUnable to determine if z; is revoked due to insufficient information from known CRLs)failures suspect_stale) r%rrrqr0rrfreshness_failures_onlystale_last_usable_at)r,r-rrgs r6_process_crl_completenessr4sz!O22 -- -$7++-./  }} KKH$ /%j&>&>&@%ABI J]]//))    3r5c Kt|tj}|xs$tt j ||sdnd}|j }t}t|||d{\}} |j|} g} |jD]} | j| t| } t!}| D]&} t#|| |||| ||| d{}|||z}(t-|| ||}||y7#t$rtd|jdwxYw7L#t$$r5}d}t'j(|||j+||Yd}~d}~wwxYww) a Verifies a certificate against a list of CRLs, checking to make sure the certificate has not been revoked. Uses the algorithm from https://tools.ietf.org/html/rfc5280#section-6.3 as a basis, but the implementation differs to allow CRLs from unrecorded locations. :param cert: An asn1crypto.x509.Certificate or asn1crypto.cms.AttributeCertificateV2 object to check for in the CRLs :param path: A pyhanko_certvalidator.path.ValidationPath object of the cert's validation path, or in the case of an AC, the AA's validation path. :param validation_context: A pyhanko_certvalidator.context.ValidationContext object to use for caching validation information :param use_deltas: A boolean indicating if delta CRLs should be used :param proc_state: Internal state for error reporting and policy application decisions. :raises: pyhanko_certvalidator.errors.CRLNoMatchesError - when none of the CRLs match the certificate pyhanko_certvalidator.errors.CRLValidationError - when any error occurs trying to verify the CertificateList pyhanko_certvalidator.errors.RevokedError - when the CRL indicates the certificate has been revoked zattribute certificateN)rlrk+Could not determine issuer certificate for in path.) rIr9rrrerrrrg.Generic processing error while validating CRL.rm)r>rrrr'singrrr+find_issuing_authorityrrrqvaluesextendr\setrr$r%r&rr4)rIrrerrgrrrr(rr9crls_to_process issuer_crlsr-r,rrrZr`excs r6 verify_crlrAsJd.. /F| d+8>0D J )88O :D&otTBB  66t<O/668, {+,_%JeO!04 4$6!1&;#5&;%% % O*?24* $T: C  W C  9'')*) 5   "  4BC MM# * KK2 3 3 4sgA)E/+D,E/4DAE/D.D, D.+E/'D))E/,D.. E,7+E'"E/'E,,E/c.eZdZUdZeed< eeed<y)ProvisionalCRLTrustz_ A provisional CRL path, together with an optional delta CRL that may be relevant. rdeltaN)r/r0r1r2rr3r r!r4r5r6rCrCJs&  L !!r5rCcZeZdZUdZeed< eeed< eed< e jed<y) CRLOfInterestz A CRL of interest. r prov_pathsr}r7N) r/r0r1r2r!r3rrCrrNamer4r5r6rFrF]sE ())  !r5rFc4eZdZUdZeeed< eeed<y)CRLCollectionResultzb The result of a CRL collection operation for AdES point-in-time validation purposes. crls failure_msgsN)r/r0r1r2rrFr3rXr4r5r6rJrJys* } s)r5rJc `K|j} |j} t||j| |\} } t | | |||| | |d{\} }g}| D]S}|j}t|||| |}|"|rt| |||}nd}t||}|j|U|syt!||| | S#t$rYywxYw7#t $r|xjdz c_Yyttf$r)}|j|jd| Yd}~yd}~wwxYww) NrrrUrr)r8rrr)rrD)rrGr}r7)rr|rrrrrrrrrrrprrrCrF)rIr9rrrrrrrgr8registryr}r7r_rZprovisional_resultsrputative_issuerrrDprovs r6_assess_crl_relevancerSs}-5533H *A !  ! !!) + ' '#<  -!)#! $  $$) #..;&"7#    "  (!1*&; EE" ?""4(/)2   !&-  g     ! !#5 6 AFF1I/0sjD.CCCCA,D. C D.CD.CD+2D.4D+D&!D.&D++D.c K|xsttj|}t}t ||||}|d{\}} g} |j D]} | j |  |j|} g} | D]2} t|| ||| |||| d{}|| j|4t!| |j"Dcgc]}|d  c} S7#t$rtd|jdwxYw7m#t$r5}d}tj|||j||Yd}~d}~wwxYwcc}ww) ah Collect potentially relevant CRLs with the associated validation paths. Will not perform actual path validation. :param cert: The certificate under scrutiny. :param path: The path currently being evaluated. :param revinfo_manager: The revocation info manager. :param control_time: The control time before which the validation info should have been issued. :param use_deltas: Whether to include delta CRLs. :param proc_state: The state of any prior validation process. :return: A :class:`.CRLCollectionResult`. )rl)rNr6r7) rIr9rrrrrrrgr8rmr)rKrL)rr'r9rr+r;r<r:rrrqrSrr$r%r&rJr0)rIrrrrrgr classify_jobr(rr>r?r9 relevant_crlsrresultrZr`fs r6 collect_relevant_crls_with_pathsrYs:P|HMM$>@&$45J$K'(=>|L    =     C   s7: A' AA'c|dd}t|tjr |j}n|ddj}|}|D]}|j t z r t|jr|j|k7r |j}||k7rM|dj|k7r`|jstjd}n |j}|dj|fcSy) a! Looks for a cert in the list of revoked certificates :param cert: An asn1crypto.x509.Certificate object of the cert being checked, or an asn1crypto.cms.AttributeCertificateV2 object in the case of an attribute certificate. :param cert_issuer_name: The certificate issuer's distinguished name :param certificate_list: An ans1crypto.crl.CertificateList object to look in for the cert :param crl_authority_name: The distinguished name of the default authority for which the CRL issues certificates. :return: A tuple of (None, None) if not present, otherwise a tuple of (asn1crypto.x509.Time object, asn1crypto.crl.CRLReason object) representing the date/time the object was revoked and why r\revoked_certificatesac_info serial_numberuser_certificate unspecifiedrevocation_dateNN) r>rrrerr r#r issuer_namecrl_reason_valuer CRLReason) rIrr8r7rc cert_seriallast_issuer_name revoked_cert crl_reasons r6rrFs<,O<$(()(( 9oo6== ),B  + +.H H%' '  $ $((,<<+77  / /  * + 2 2k A ,,}5J%66J-.55zAA+B. r5rirW)TN)err% collectionsr dataclassesrrrtypingrrr r r r asn1cryptor rrcryptography.exceptionsrpyhanko_certvalidator._staterpyhanko_certvalidator.authorityrrpyhanko_certvalidator.contextrpyhanko_certvalidator.errorsrrrrrrrpyhanko_certvalidator.ltv.typesrpyhanko_certvalidator.pathr!pyhanko_certvalidator.policy_declrpyhanko_certvalidator.registryr)pyhanko_certvalidator.revinfo._err_gatherr &pyhanko_certvalidator.revinfo.archivalr!r"'pyhanko_certvalidator.revinfo.constantsr#r$r%%pyhanko_certvalidator.revinfo.managerr&pyhanko_certvalidator.utilr'r(r)r* getLoggerr/rtr-rHCertificateListrrJrLrrzAttributeCertificateV2rrrIssuingDistributionPointbytesrCRLDistributionPointsrrrrrXrrrrrrr+rbr4rArCrFrJrSrYrrr4r5r6rs#(::%%45H;C5@>< A   8 $ $   # #))# # ' #  $   #L '+'+ '+T' -' *' "& '  ' TD! D!))D!   #"<"<< = D!  D!  D!.D!D!D! 4 !5 56D!NA A))A   #"<"<< = A  A  A*AAAAH v l#  ) )UO  l