WwgxMrdZddlZddlZddlmZddlmZmZddlmZm Z m Z ddl m Z m Z ddlmZgd Zegd Z ed Z ed GddZej*Gddej,Zed GddZeej2ej2Z eej6ej6Z eej:ej:eej<ej<edZ ej*Gddej,Z ed GddZ!dee"dee"dee"fdZ#ed Gdd Z$ed Gd!d"Z%Gd#d$ejLZ'Gd%d&e'Z(Gd'd(e'Z)y))z .. versionadded:: 0.20.0 N) dataclass)datetime timedelta) FrozenSetIterableOptional)algoskeys) PKIXSubtrees) RevocationCheckingRuleRevocationCheckingPolicyFreshnessReqTypeCertRevTrustPolicyPKIXValidationParamsAlgorithmUsageConstraintAlgorithmUsagePolicyDisallowWeakAlgorithmsPolicyAcceptAllAlgorithmsNonRevokedStatusAssertionDEFAULT_WEAK_HASH_ALGOSREQUIRE_REVINFO NO_REVOCATION)md2md5sha1)minutesT)frozenc(eZdZUdZeed< eed<y)rzG Assert that a certificate was not revoked at some given date. cert_sha256atN)__name__ __module__ __qualname____doc__bytes__annotations__rX/var/www/horilla/myenv/lib/python3.12/site-packages/pyhanko_certvalidator/policy_decl.pyrr-s  Lr*rceZdZdZdZ dZ dZ dZ dZ dZ dZ e d e fd Z e d e fd Ze d e fd Ze d e fd Ze d e fdZe d e fdZy)r zg Rules determining in what circumstances revocation data has to be checked, and what kind. clrcheck ocspcheck bothcheck eitherchecknocheckifdeclaredcheckifdeclaredsoftcheckreturncd|tjtjtjfvSN)r CHECK_IF_DECLAREDCHECK_IF_DECLARED_SOFTNO_CHECKselfs r+strictzRevocationCheckingRule.strict{s1 " 4 4 " 9 9 " + +   r*cF|tjtjfvSr6)r r8r9r:s r+tolerantzRevocationCheckingRule.tolerants& " 9 9 " + +   r*cF|tjtjfvSr6)r CRL_REQUIREDCRL_AND_OCSP_REQUIREDr:s r+ crl_mandatoryz$RevocationCheckingRule.crl_mandatorys& " / / " 8 8   r*cF|tjtjfvSr6)r r9 OCSP_REQUIREDr:s r+ crl_relevantz#RevocationCheckingRule.crl_relevants& " + + " 0 0   r*cF|tjtjfvSr6)r rDrAr:s r+ocsp_mandatoryz%RevocationCheckingRule.ocsp_mandatorys& " 0 0 " 8 8   r*cF|tjtjfvSr6)r r9r@r:s r+ ocsp_relevantz$RevocationCheckingRule.ocsp_relevants& " + + " / /   r*N)r#r$r%r&r@rDrACRL_OR_OCSP_REQUIREDr9r7r8propertyboolr<r>rBrErGrIr)r*r+r r >sL M()H* 3     $   t   d      t  r*r cVeZdZUdZeed< eed< edefdZe de fdZ y) rzu Class describing a revocation checking policy based on the types defined in the ETSI TS 119 172 series. ee_certificate_ruleintermediate_ca_cert_rulepolicycN t|S#t$rtd|dwxYw)N'z ' is not a valid revocation mode)LEGACY_POLICY_MAPKeyError ValueError)clsrPs r+ from_legacyz$RevocationCheckingPolicy.from_legacys9 K$V, , Kq(HIJ J Ks $r4c`|jjxr|jj Sr6)rNr>r:s r+ essentialz"RevocationCheckingPolicy.essentials1  $ $ - - 2((11  r*N) r#r$r%r&r r( classmethodstrrWrKrLrYr)r*r+rrsZ 0/ 65KKK  4  r*r)rNrO)z soft-failz hard-failrequireczeZdZdZej Z ej Z ej Zy)rz% Freshness requirement type. N) r#r$r%r&enumautoDEFAULTMAX_DIFF_REVOCATION_VALIDATIONTIME_AFTER_SIGNATUREr)r*r+rrsEdiikG &/TYY[" %499;r*rc|eZdZUdZeed< dZeeed< e jZ e ed< dZ eeed< dZ eed<y) rzz Class describing conditions for trusting revocation info. Based on CertificateRevTrust in ETSI TS 119 172-3. revocation_checking_policyN freshnessfreshness_req_type!expected_post_expiry_revinfo_timeFretroactive_revinfo)r#r$r%r&rr(rerrrr`rfrgrhrLr)r*r+rrsm !98&*Ix "),<+C+C(C >B%x ':A !&% r*ra_polsb_polsr4cLd|v}d|v}|r|r tdgS|r|S|r|S||zS)z Intersect two sets of policies, taking into account the special 'any_policy'. :param a_pols: A set of policies. :param b_pols: Another set of policies. :return: The intersection of both. any_policy) frozenset)rirja_anyb_anys r+intersect_policy_setsrp8sD F "E F "E ,((   r*ceZdZUedgZeed< dZeed< dZeed< dZ eed< dZ e e ed< dZ e e ed < d d Zy) rrluser_initial_policy_setFinitial_policy_mapping_inhibitinitial_explicit_policyinitial_any_policy_inhibitNinitial_permitted_subtreesinitial_excluded_subtreescZd|jvr |j}n4d|jvr |j}n|j|jz}|jxr |j}|jxr |j}|jxr |j}t ||||S)aa Combine the conditions of these PKIX validation params with another set of parameters, producing the most lenient set of parameters that is stricter than both inputs. :param other: Another set of PKIX validation parameters. :return: A combined set of PKIX validation parameters. rl)rrrurtrs)rrrurtrsr)r;otherinit_policy_setrurtrss r+mergezPKIXValidationParams.merges 477 7#;;O U:: :"::O--0L0LL   + + P0P0P #  ( ( JU-J-J   / / 544 '$$3'A$;+I   r*)ryrr4r)r#r$r%rmrrr(rsrLrtrurvrr rwr{r)r*r+rrTs)2L>)BYB ,1"D0%*T)"(-, :> 6=9=x 5<$ r*rcPeZdZUdZeed< dZeeed< dZ ee ed< dZ y)rzh Expression of a constraint on the usage of an algorithm (possibly with parameter choices). allowedNnot_allowed_afterfailure_reasonc|jSr6r}r:s r+__bool__z!AlgorithmUsageConstraint.__bool__s ||r*) r#r$r%r&rLr(r~rrrr[rr)r*r+rrsD M-1x)0 %)NHSM(r*rceZdZdZdej deedefdZ dejdeedee jdefdZ y) rzR Abstract interface defining a usage policy for cryptographic algorithms. algomomentr4ct)a Determine if the indicated digest algorithm can be used at the point in time indicated. :param algo: A digest algorithm description in ASN.1 form. :param moment: The point in time at which the algorithm should be usable. If ``None``, then the returned judgment applies at all times. :return: A :class:`.AlgorithmUsageConstraint` expressing the judgment. NotImplementedErrorr;rrs r+digest_algorithm_allowedz-AlgorithmUsagePolicy.digest_algorithm_alloweds "!r* public_keyct)a' Determine if the indicated signature algorithm (including the associated digest function and any parameters, if applicable) can be used at the point in time indicated. :param algo: A signature mechanism description in ASN.1 form. :param moment: The point in time at which the algorithm should be usable. If ``None``, then the returned judgment applies at all times. :param public_key: The public key associated with the operation, if available. .. note:: This parameter can be used to enforce key size limits or to filter out keys with known structural weaknesses. :return: A :class:`.AlgorithmUsageConstraint` expressing the judgment. rr;rrrs r+signature_algorithm_allowedz0AlgorithmUsagePolicy.signature_algorithm_alloweds 2"!r*N)r#r$r%r&r DigestAlgorithmrrrrSignedDigestAlgorithmr PublicKeyInforr)r*r+rrsp"))"3;H3E" !"""))"""T//0 " " "r*rceZdZdZeeddfdZdejde e de fdZ dejde e d e ejde fd Zy ) ra Primitive usage policy that forbids a list of user-specified "weak" algorithms and allows everything else. It also ignores the time parameter completely. .. note:: This denial-based strategy is supplied to provide a backwards-compatible default. In many scenarios, an explicit allow-based strategy is more appropriate. Users with specific security requirements are encouraged to implement :class:`.AlgorithmUsagePolicy` themselves. :param weak_hash_algos: The list of digest algorithms considered weak. Defaults to :const:`.DEFAULT_WEAK_HASH_ALGOS`. :param weak_signature_algos: The list of digest algorithms considered weak. Defaults to the empty set. :param rsa_key_size_threshold: The key length threshold for RSA keys, in bits. :param dsa_key_size_threshold: The key length threshold for DSA keys, in bits. iix c<||_||_||_||_yr6)weak_hash_algosweak_signature_algosrsa_key_size_thresholddsa_key_size_threshold)r;rrrrs r+__init__z%DisallowWeakAlgorithmsPolicy.__init__)s$ /$8!&<#&<#r*rrr4cJt|dj|jvS)N algorithm)rnativerrs r+rz5DisallowWeakAlgorithmsPolicy.digest_algorithm_allowed6s*(   $ $D,@,@ @  r*rc N|j}||jv}|jd}|dk(}|rg|e|s|ra|j}d} |r||jkr |j} n|r||j kr |j } | t dd|d|d| S |j} |ra| _|jtjd|ji|} | s,t dd | d |djd | j St | S#t$rd} Y|wxYw)NrsadsaFz Key size z for algorithm z- is considered too small; policy mandates >= )r}rrzDigest algorithm z< is not allowed, which disqualifies the signature mechanism z as well.)r}rr~r)signature_algor startswithbit_sizerrr hash_algorUrr rrr~) r;rrr algo_name algo_allowedis_rsais_dsakey_szfailed_thresholdrdigest_alloweds r+rz8DisallowWeakAlgorithmsPolicy.signature_algorithm_allowed=sm ''  (A(AA %%e,e# J2&((F# &4#>#>>#'#>#> FT%@%@@#'#>#> +/!#F8?9+F..>-?A I I1!::%%{DNN&CDfN"/!+N+;)),>",>T//0 ,> " ,>r*rceZdZdejdeedefdZdejdeedee jdefdZ y)rrrr4ctdSNTrrrs r+rz,AcceptAllAlgorithms.digest_algorithm_allowedms(55r*rctdSrrrs r+rz/AcceptAllAlgorithms.signature_algorithm_allowedrs (55r*N) r#r$r%r rrrrrrr rrr)r*r+rrlsk6))63;H3E6 !6 6))6"6T//0 6 " 6r*r)*r&abcr^ dataclassesrrrtypingrrr asn1cryptor r name_treesr __all__rmr#FRESHNESS_FALLBACK_VALIDITY_DEFAULTruniqueEnumr rrJrr9rr8r7rSrrr[rprrABCrrrr)r*r+rs !(00"$ "$$:;'0&;# $    f TYYf  f R $   >+//// ).774==  *5555*0000  tyy 6 $,,,^ cN$-cNs^8 $k k k \ $4/"377/"dY>#7Y>x 6. 6r*