a

�N(i�w�@sdd
lm
Z

ddlZddlZddlZddlZddlZddlZddlZddl	m
Z
ddlm
Z

ddlmZ
ddlmZmZmZmZ
ddlZddlZddlmZmZmZmZ
ddlmZmZ
dd	lm Z m!Z!
ddl"Z"zdd
l#m$Z$
Wne%y�


dd
l&m$Z$
Yn0ddl'm(Z(
ddl)m*Z*
dZ+d
Z,e�-dej.�Z/e�-dej.�Z0dZ1dZ2dZ3dZ4dZ5dZ6dZ7dZ8dZ9dZ:Gdd�d�Z;dd�Z<dd�Z=d d!�Z>d"d#�Z?d$d%�Z@d&d'�ZAdbd(d)�
ZBe+f
d*d+�
ZCd,d-�ZDd.d/�ZEd0d1�ZFdcd2d3�
ZGddd4d5�
ZHGd6d7�d7ejI�ZJGd8d9�d9ejI�ZKd:d;�ZLGd<d=�d=ejMjN�ZOGd>d?�d?ejMjN�ZPe:eOe9ePiZQd@dA�ZRdBdC�ZSdDdE�ZTdFdG�ZUdHdI�ZVdJdK�ZWdLdM�ZXdNdO�ZYdPdQ�ZZGdRdS�dSej[�Z\dTdU�Z]GdVdW�dWej^�Z_GdXdY�dY�Z`GdZd[�d[e`�ZaGd\d]�d]ea�ZbGd^d_�d_ea�ZcGd`da�daejI�ZddS)e�)
�print_functionN)
�x509)
�default_backend)
�
serialization)�Encoding�PublicFormat�
PrivateFormat�load_pem_private_key)�univ�char�	namedtype�tag)�decoder�encoder)�rfc2315�rfc2459)
�ssl_match_hostname)
�errors)
�DNSName�
s;(-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----)s�-----BEGIN(?: ENCRYPTED)?(?: (?:RSA|DSA|DH|EC))? PRIVATE KEY-----.*?-----END(?: ENCRYPTED)?(?: (?:RSA|DSA|DH|EC))? PRIVATE KEY-----z1.3.6.1.5.5.7.3.1z1.3.6.1.5.5.7.3.2z1.3.6.1.5.5.7.3.3z1.3.6.1.5.5.7.3.4z1.3.6.1.5.2.3.4z1.3.6.1.5.2.3.5z2.5.29.37.0z1.3.6.1.4.1.3319.6.10.16z1.3.6.1.4.1.311.20.2.3z
1.3.6.1.5.2.2c@seZ
dZd
Zd[dd�
Zdd�Zdd�Zd	d
�Zdd�Zd
d�Z	dd�Z
dd�Zdd�Zdd�Z
dd�Zdd�Zedd��
Zedd��
Zedd ��
Zed!d"��
Zed#d$��
Zed%d&��
Zed'd(��
Zed)d*��
Zeejd+�r�ed,d-��
Zed.d/��
Zed0d1��
Zed2d3��
Zed4d5��
Z ed6d7��
Z!eejd8��
rJed9d:��
Z"ed;d<��
Z#ned=d:��
Z"ed>d<��
Z#eejd?��
r|ed@dA��
Z$edBdC��
Z%edDdE��
Z&dFdG�Z'edHdI��
Z(edJdK��
Z)edLdM��
Z*edNdO��
Z+dPdQ�Z,edRdS��
Z-dTdU�Z.edVdW��
Z/eejdX��r
dYdZ�Z0dS)\�IPACertificatezf
    A proxy class wrapping a python-cryptography certificate representation for
    IPA purposes
    NcCs`|
|_|d
urt
�n|�|_|�d�
|_|�d�
|_|�d�
|_|jjdkr\t	d|jj�
�
d
S)z�
        :param cert: A python-cryptography Certificate object
        :param backend: A python-cryptography Backend object
        N�subject�issuerZserialNumberZv3zX.509 %s is not supported)
�_certr�backend�_IPACertificate__get_der_field�_subject�_issuer�_serial_number�version�name�
ValueError)�self�certr�r$�//usr/lib/python3.9/site-packages/ipalib/x509.py�__init__`s




�zIPACertificate.__init__c
Cs |�t
j�
|j|j|jd
�}
|
S)N)rrrr)�public_bytesr�DER�
subject_bytes�issuer_bytesr�r"�stater$r$r%�__getstate__ss



�zIPACertificate.__getstate__cCs8|
d
|_|
d|_
|
d|_
tj|
dt�d�|_dS)Nrrrr�
r)rr�crypto_x509�load_der_x509_certificaterrr+r$r$r%�__setstate__|s








�zIPACertificate.__setstate__cCsJt|
t
jtf�r(|�tj�
|
�tj�
kSt|
t�rB|�tj�
|
kSd
SdS)z�
        Checks equality.

        :param other: either cryptography.Certificate or IPACertificate or
                      bytes representing a DER-formatted certificate
        FN)�
isinstancer/�Certificaterr'rr(�bytes�r"�otherr$r$r%�__eq__�s



�

zIPACertificate.__eq__cCs|�|
�
S)
z#
        Checks not equal.
        )
r7r5r$r$r%�__ne__�szIPACertificate.__ne__c

Cs
t|j
�
S)
zJ
        Computes a hash of the wrapped cryptography.Certificate.
        )�hashr�
r"r$r$r%�__hash__�szIPACertificate.__hash__cCs\t�
�}t�|
�
|d
<t�|�
|d<tj�d�
r@t�	t�
|�
�
}t�|�
|d<t�	|�
}|S)N�extnID�critical�0.3�	extnValue)rZ	Extensionr
�ObjectIdentifierZBoolean�pyasn1�__version__�
startswithr�encode�OctetString�Any)r"�oidr=�value�extr$r$r%Z__encode_extension�s





z!IPACertificate.__encode_extensioncCs&|j}t
�|t���d
}||
}
|
S)zO
        :returns: a field of the certificate in pyasn1 representation
        r
)�tbs_certificate_bytesr�decoderZTBSCertificate)r"�fieldZ
cert_bytesr#r$r$r%Z__get_pyasn1_field�s


z!IPACertificate.__get_pyasn1_fieldcCst�
|�|
�
�
S)
z�
        :field: the name of the field of the certificate
        :returns: bytes representing the value of a certificate field
        )rrD�!_IPACertificate__get_pyasn1_field)r"rLr$r$r%Z__get_der_field�szIPACertificate.__get_der_fieldcCs|j�
|
�
S)
zB
        Serializes the certificate to PEM or DER format.
        )rr')r"�encodingr$r$r%r'�szIPACertificate.public_bytesc

Cs|jj
|jjkS)
zT
        :returns: True if this certificate is self-signed, False otherwise
        )rrrr:r$r$r%�is_self_signed�szIPACertificate.is_self_signedcCs|j�
|
�
S)
zL
        Counts fingerprint of the wrapped cryptography.Certificate
        )r�fingerprint)r"�	algorithmr$r$r%rP�szIPACertificate.fingerprintc


Cs|jS�
N)
rr:r$r$r%r#�szIPACertificate.certc


Cs|jj
SrR)r�
serial_numberr:r$r$r%rS�szIPACertificate.serial_numberc


Cs|jSrR)
rr:r$r$r%�serial_number_bytes�sz"IPACertificate.serial_number_bytesc


Cs|jj
SrR)rrr:r$r$r%r�szIPACertificate.versionc


Cs|jj
SrR)rrr:r$r$r%r�szIPACertificate.subjectc


Cs|jSrR)
rr:r$r$r%r)�szIPACertificate.subject_bytesc


Cs|jj
S)
zt
        Returns a HashAlgorithm corresponding to the type of the digest signed
        in the certificate.
        )r�signature_hash_algorithmr:r$r$r%rU�sz'IPACertificate.signature_hash_algorithmc


Cs|jj
S)
zJ
        Returns the ObjectIdentifier of the signature algorithm.
        )r�signature_algorithm_oidr:r$r$r%rV�sz&IPACertificate.signature_algorithm_oid�signature_algorithm_parametersc


Cs|jj
SrR)rrWr:r$r$r%rW�sz-IPACertificate.signature_algorithm_parametersc


Cs|jj
S)
z.
        Returns the signature bytes.
        )r�	signaturer:r$r$r%rX�szIPACertificate.signaturec


Cs|jj
SrR)rrr:r$r$r%r
szIPACertificate.issuerc


Cs|jSrR)
rr:r$r$r%r*
szIPACertificate.issuer_bytesc

Cs|jj
jtjjd
�
S�N�
�tzinfo�r�not_valid_before�replace�datetime�timezone�utcr:r$r$r%r]
szIPACertificate.not_valid_beforec

Cs|jj
jtjjd
�
SrY�r�not_valid_afterr^r_r`rar:r$r$r%rc
szIPACertificate.not_valid_after�not_valid_before_utcc


Cs|jj
SrR)rrdr:r$r$r%rd
sz#IPACertificate.not_valid_before_utcc


Cs|jj
SrR)r�not_valid_after_utcr:r$r$r%re
sz"IPACertificate.not_valid_after_utcc

Cs|jj
jtjjd
�
SrYr\r:r$r$r%rd
s
�c

Cs|jj
jtjjd
�
SrYrbr:r$r$r%re$
s
��public_key_algorithm_oidc


Cs|jj
S)
zI
            Returns the ObjectIdentifier of the public key.
            )rrfr:r$r$r%rf,
sz'IPACertificate.public_key_algorithm_oidc


Cs|jj
SrR)rrJr:r$r$r%rJ3
sz$IPACertificate.tbs_certificate_bytesc


Cs|jj
SrR)r�
extensionsr:r$r$r%rg7
szIPACertificate.extensionsc

Cs
|j�
�SrR)r�
public_keyr:r$r$r%rh=
s
zIPACertificate.public_keyc

Cs|j�
�jtjtjd
�S)N)rN�format)rrhr'rr(rZSubjectPublicKeyInfor:r$r$r%�public_key_info_bytes@
s

�z$IPACertificate.public_key_info_bytesc
CsDz|jj
�tjjj�
j}
Wntjy0


YdS0t	d
d�|
D�
�
S)Nc
ss|]}
|
jV
qdSrR)
�
dotted_string)�.0rGr$r$r%�	<genexpr>M
�z4IPACertificate.extended_key_usage.<locals>.<genexpr>)
rrgZget_extension_for_oidr/rGZExtensionOIDZEXTENDED_KEY_USAGErHZExtensionNotFound�set)r"Z
ext_key_usager$r$r%�extended_key_usageE
s

�

z!IPACertificate.extended_key_usagec
CsZ|j}
|
durdSt
��}tt|
�
�
D]\}}t�|�
||<q&t�|�
}|�	d
t
|
v
|�S)Nz	2.5.29.37)rprZExtKeyUsageSyntax�	enumerate�sortedr
r@rrD�!_IPACertificate__encode_extension�EKU_ANY)r"ZekuZekurfc�
irGr$r$r%�extended_key_usage_bytesO
s






z'IPACertificate.extended_key_usage_bytesc
Cs`|��}
d
d�dd�t
ttdd�td�}g}|
D]*}|��}||vr0|�|||���
�

q0|S)a�
        Return SAN general names from a python-cryptography
        certificate object.  If the SAN extension is not present,
        return an empty sequence.

        Because python-cryptography does not yet provide a way to
        handle unrecognised critical extensions (which may occur),
        we must parse the certificate and extract the General Names.
        For uniformity with other code, we manually construct values
        of python-crytography GeneralName subtypes.

        python-cryptography does not yet provide types for
        ediPartyName or x400Address, so we drop these name types.

        otherNames are NOT instantiated to more specific types where
        the type is known.  Use ``process_othernames`` to do that.

        When python-cryptography can handle certs with unrecognised
        critical extensions and implements ediPartyName and
        x400Address, this function (and helpers) will be redundant
        and should go away.

        c

Sst�
t|�
�
SrR)r/Z
RFC822Name�str�
�
xr$r$r%�<lambda>w
rnz2IPACertificate.san_general_names.<locals>.<lambda>c

Sst�
t|�
�
SrR)r/rrwrxr$r$r%rzx
rnc

Sst�
t|�
�
SrR)r/ZUniformResourceIdentifierrwrxr$r$r%rz}
s
�)Z
rfc822Name�dNSNameZ
directoryNameZregisteredIDZ	iPAddressZuniformResourceIdentifierZ	otherName)�-_IPACertificate__pyasn1_get_san_general_names�%_pyasn1_to_cryptography_directoryname�$_pyasn1_to_cryptography_registeredid�!_pyasn1_to_cryptography_ipaddress�!_pyasn1_to_cryptography_othername�getName�append�getComponent)r"�gnsZGENERAL_NAME_CONSTRUCTORS�result�gnZgn_typer$r$r%�san_general_names[
s"



�



�z IPACertificate.san_general_namesc
Csz|�d
�
pg}
t
�d�
}g}|
D]T}|d|kr |d}tj�d�
rZtj|t
��d�d}tj|t	�
�d�d}
qvq |S)Nrgz	2.5.29.17r<r?r>�
Zasn1Specr
)rMr
r@rArBrCrrKrErZSubjectAltName)r"rgZOID_SANr�rIZderr$r$r%Z__pyasn1_get_san_general_names�
s









z-IPACertificate.__pyasn1_get_san_general_namesc
Cs8|��}
g}|
D]"}|�
�d
kr|�t|���
�

q|S)Nr{)r|r�r�rwr�)r"r�r�r�r$r$r%�san_a_label_dns_names�
s


z$IPACertificate.san_a_label_dns_namesc
Cs�i}g|d
<}|jj
jD]<}g}|D]$}|jtjjjkr&|�d|jf�

q&|�|�

q|j	}|r�g|d<}|D]}	|�d|	f�

qrt
�|t|
�
�
��
dS)NrZ
commonNameZsubjectAltNameZDNS)rrZrdnsrGr/ZNameOIDZCOMMON_NAMEr�rHr�r�match_hostnamerZToASCII)
r"�hostnameZ
match_certZ
match_subject�rdnZ	match_rdn�ava�valuesZ	match_sanrHr$r$r%r��
s 










�zIPACertificate.match_hostnamec


Cs|jj
SrR)r�tbs_precertificate_bytesr:r$r$r%r��
sz'IPACertificate.tbs_precertificate_bytes�verify_directly_issued_bycCs|j�
|
�
SrR)rr�)r"rr$r$r%r��
s
z(IPACertificate.verify_directly_issued_by)
N)1�__name__�
__module__�__qualname__�__doc__r&r-r1r7r8r;rsrMrr'rOrP�propertyr#rSrTrrr)rUrV�hasattrr/r3rWrXrr*r]rcrdrerfrJrgrhrjrprvr�r|r�r�r�r�r$r$r$r%r[s�

		












































	



0




rc

Cs"t|t
�r|St
tj|t�d
��
S)z�
    Load an X.509 certificate in PEM format.

    :returns: a ``IPACertificate`` object.
    :raises: ``ValueError`` if unable to load the certificate.
    r.)r2rr/�load_pem_x509_certificater�
�datar$r$r%r��
s




�r�c

Cs"t|t
�r|St
tj|t�d
��
S)z�
    Load an X.509 certificate in DER format.

    :returns: a ``IPACertificate`` object.
    :raises: ``ValueError`` if unable to load the certificate.
    r.)r2rr/r0rr�r$r$r%r0�
s




�r0c

Cs*z
t|�
WSt
y$


t|�
YS0d
S)a


    Only use this function when you can't be sure what kind of format does
    your certificate have, e.g. input certificate files in installers

    :returns: a ``IPACertificate`` object.
    :raises: ``ValueError`` if unable to load the certificate.
    N)r�r!r0r�r$r$r%�load_unknown_x509_certificate�
s



r�c
Cs<t|d
d��}
t
|
���
Wd�
S1s.0


Y
dS)zh
    Load a certificate from a PEM file.

    Returns a python-cryptography ``Certificate`` object.
    �rb)
�modeN)�openr��read��filename�
fr$r$r%�load_certificate_from_file�
s
r�c
Cst�
|�
}
d
d�|
D�
S)z�
    Load a certificate list from a sequence of concatenated PEMs.

    Return a list of python-cryptography ``Certificate`` objects.
    c
Ssg|]}
t|
d�
�qS)
r
)
r�)rlr#r$r$r%�
<listcomp>rnz)load_certificate_list.<locals>.<listcomp>)�PEM_CERT_REGEX�findall)r��certsr$r$r%�load_certificate_list�
s

r�c
Cs:t|d
��}
t
|
���
Wd�
S1s,0


Y
dS)zv
    Load a certificate list from a PEM file.

    Return a list of python-cryptography ``Certificate`` objects.

    r�N)r�r�r�r�r$r$r%�load_certificate_list_from_files
r�cCsvt�}g}t
�t|�D]Z}t
�d
|���du
rX|
dur>td�
�
|�t|��|
|d��

q|�t|��d|d��

q|S)a

    Load a private key list from a sequence of concatenated PEMs.

    :param data: bytes containing the private keys
    :param password: bytes, the password to encrypted keys in the bundle

    :returns: List of python-cryptography ``PrivateKey`` objects
    s	ENCRYPTEDNz:Password is required for the encrypted keys in the bundle.r.)	r�re�finditer�PEM_PRIV_REGEX�search�group�RuntimeErrorr�r	)r��passwordZcrypto_backendZ	priv_keys�matchr$r$r%�load_private_key_lists"	






��


��r�cCs�|
tkr4t
�d
|t
j�}|s$td�
�
t�|�d�
�
}t�	|t
���\}}|rTtd�
�
|dt
jkrjtd�
�
t�	t
|d�
t
���\}}|r�td�
�
g}|d	D] }t�|�
}t|�
}|�|�

q�|S)
zn
    Extract certificates from a PKCS #7 object.

    :returns: a ``list`` of ``IPACertificate`` objects.
    s------BEGIN PKCS7-----(.*?)-----END PKCS7-----znot a valid PKCS#7 PEMrznot a valid PKCS#7 messageZcontentTypez not a PKCS#7 signed data messageZcontentz&not a valid PKCS#7 signed data messageZcertificates)�PEMr�r��DOTALLr!�base64Z	b64decoder�rrKrZContentInfoZ
signedDatar4Z
SignedDatarrDr0r�)r�Zdatatyper�Zcontent_info�tailZsigned_datar�Zcertificater$r$r%�pkcs7_to_certs/s2



�




�




r�c

CsFzt|�

Wn4t
y@
}

ztjt|
�
d
�
�
WYd}
~
n
d}
~
00dS�zO
    Perform cert validation by trying to load it via python-cryptography.
    )
�errorN)r�r!r�CertificateFormatErrorrw�r#�
er$r$r%�validate_pem_x509_certificateUs


r�c

CsFzt|�

Wn4t
y@
}

ztjt|
�
d
�
�
WYd}
~
n
d}
~
00dSr�)r0r!rr�rwr�r$r$r%�validate_der_x509_certificate_s


r�c
Cs~z@t|
d
��"}|�
|�tj�
�

Wd�
n1s40


Y
Wn8ttfyx
}
ztjt	|�
d�
�
WYd}~n
d}~00dS)zm
    Write the certificate to a file in PEM format.

    :param cert: cryptograpy ``Certificate`` object
    �wbN�
�reason)
r��writer'rr��IOError�OSErrorr�	FileErrorrw)r#r��fpr�r$r$r%�write_certificateis


4

r�c
Cs�zbt|
d
��D}|du
r&t
�|��|�
|D]}|�|�tj�
�

q*Wd�
n1sV0


Y
Wn8tt	fy�
}
zt
jt|�
d�
�
WYd}~n
d}~00dS)z�
    Write a list of certificates to a file in PEM format.

    :param certs: a list of IPACertificate objects to be written to a file
    :param filename: a path to the file the certificates should be written into
    r�Nr�)
r��os�fchmod�filenor�r'rr�r�r�rr�rw)r�r�r�r�r#r�r$r$r%�write_certificate_listws




6

r�c
Cs�|d
u
rt�
|�
}nt��}zXt|
d��:}t�|��d�
|�|jt	j
tj|d��

Wd
�
n1sh0


Y
Wn8t
tfy�
}
ztjt|�
d�
�
WYd
}~n
d
}~00d
S)a

    Write a private key to a file in PEM format. Will force 0x600 permissions
    on file.

    :param priv_key: cryptography ``PrivateKey`` object
    :param passwd: ``bytes`` representing the password to store the
                    private key with
    Nr�i�
)
Zencryption_algorithmr�)rZBestAvailableEncryptionZNoEncryptionr�r�r�r�r�Z
private_bytesrr�rZPKCS8r�r�rr�rw)Zpriv_keyr��passwdZenc_algr�r�r$r$r%�write_pem_private_key�s	







�*
r�c@sbeZ
dZe�e�d
e��je	�
e	je	jd�d�
�e�de�
e���
je	�
e	je	jd�d�
��ZdS)�_PrincipalNamez	name-typer
�
ZexplicitTag�name-stringrN)r�r�r�r�
NamedTypes�	NamedTyper
�Integer�subtyper
�Tag�tagClassContext�tagFormatSimpleZ
SequenceOfr�
GeneralString�
componentTyper$r$r$r%r��s


�
��r�c@sZeZ
dZe�e�d
e��je	�
e	je	jd�d�
�e�de
�je	�
e	je	jd�d�
��ZdS)�_KRB5PrincipalName�realmr
r��
principalNamerN)r�r�r�rr�r�rr�r�r
r�r�r�r�r�r$r$r$r%r��s


�
��r�c
Cs`tj
|t�d
�d}
t|
d�
�dd��dd�}|
dd	}d
�dd�|D�
�
}d
||f}|S)Nr�r
r��
\�\\�
@�\@r�r��
/c
ss.|]&}
t|
�
�
dd
��
dd��
dd�V
qdS)r�r�r�z\/r�r�N)rwr^)rl�
nr$r$r%rm�s�
��z,_decode_krb5principalname.<locals>.<genexpr>z%s@%s)rrKr�rwr^�join)r�Z	principalr�r r$r$r%�_decode_krb5principalname�s


�

�
r�cseZ
dZ�f
d
d�Z�ZS)�KRB5PrincipalNamecs tt
|��|
|�
t|�
|_dSrR)�superr�r&r�r �r"�type_idrH�
�	__class__r$r%r&�s

zKRB5PrincipalName.__init__�r�r�r�r&�
__classcell__r$r$r�r%r��s
r�cseZ
dZ�f
d
d�Z�ZS)�UPNcs2tt
|��|
|�
ttj|t��d
�d�
|_dS)Nr�r
)	r�r�r&rwrrKrZ
UTF8Stringr r�r�r$r%r&�s


�zUPN.__init__r�r$r$r�r%r��s
r�c
csH|D]>}
t|
t
jj�r<t�|
jjt
jj�}||
j|
j�V
q|
V
qd
S)z�
    Process python-cryptography GeneralName values, yielding
    OtherName values of more specific type if type is known.

    N)	r2r/�general_name�	OtherName�OTHERNAME_CLASS_MAP�getr�rkrH)r�r��clsr$r$r%�process_othernames�s



�r�c

Cs\g}
|��D]>}|D]4}t
�t|d
�
tt�|d�
d�
�}|
�|�

qqt
�t
�	|
�
�
S)N�typerHr
)
r�r/Z
NameAttribute�_pyasn1_to_cryptography_oidrwrrKr�Z
DirectoryName�Name)Zdn�attrsr�r��attrr$r$r%r}�s





�r}c

Cst�
t|�
�
SrR)r/ZRegisteredIDr��
rGr$r$r%r~�s
r~c

Cst�
t�t|�
�
�
SrR)r/Z	IPAddress�	ipaddress�
ip_addressr4)
Zoctet_stringr$r$r%r�s

�rc

Cst�
t|d
�
t|d�
�S)Nztype-idrH)r/r�r�r4)
Zonr$r$r%r��s




�r�c

Cst�
t|�
�
SrR)r/r@rwr�r$r$r%r�s
r�cCs d
d�tj
jt|
�
g
|�D�
S)z�Yield chunks of the specified size from the given string.

    The input must be a multiple of the chunk size (otherwise
    trailing characters are dropped).

    Works on character strings only.

    c
ss|]}
d�|
�
V
qd
S)�N)
r�)rl�spanr$r$r%rmrnzchunk.<locals>.<genexpr>)�sixZmoves�zip�iter)�size�
sr$r$r%�chunk	s	r
c

Csd
�t
d|��
S)z4Add colons between each nibble pair in a hex string.�
:�)r�r
)
r

r$r$r%�
add_colonssr
c

Cstt
�|�
�d
�
�
S)z*Convert bytes to a hex string with colons.zutf-8)r
�binasciiZhexlifyrK)
�bsr$r$r%�to_hex_with_colonssr
c@s.eZ
dZe�d
�
Zdd�Zdd�Zdd�ZdS)	�UTCr
c
Csd
S)Nr	
r$�r"Zdtr$r$r%�tzname"s
z
UTC.tznamec
Cs|jSrR�
�ZEROr

r$r$r%�	utcoffset%s
z
UTC.utcoffsetc
Cs|jSrRr
r

r$r$r%�dst(s
zUTC.dstN)	r�r�r�r_Z	timedeltar

r
r
r
r$r$r$r%r	
s

r	
c

Cs&|jdur|j
t�d
�
}t|�d�
�
S)NrZz%a %b %d %H:%M:%S %Y %Z)r[r^r	
rw�strftime)
�
tr$r$r%�format_datetime,s



r
c
@seZ
dZd
ZdZdS)�ExternalCATypeZgenericzms-csN)r�r�r�ZGENERIC�MS_CSr$r$r$r%r
2s

r
csBeZ
dZd
Zddd�
Ze�Zd�f
dd�	Zdd�Zd	d
�Z	�Z
S)
�ExternalCAProfilea#

    An external CA profile configuration.  Currently the only
    subclasses are for Microsoft CAs, for providing data in the
    "Certificate Template" extension.

    Constructing this class will actually return an instance of a
    subclass.

    Subclasses MUST set ``valid_for``.

    NcCs
|
|_dSrR�
Zunparsed_input)r"r

r$r$r%r&Cs
zExternalCAProfile.__init__csv|tu
rt
t|��|�
S|
d
ur(td�
�
|
�d�
}zt�|d�
}t�t|
�WStj	j
yp


t�t|
�YS0d
S)z�Construct the ExternalCAProfile value.

        Return an instance of a subclass determined by
        the format of the argument.

        Nzstring argument is requiredr
r
)r
r��__new__r!�splitr
r@�MSCSTemplateV2rAr��PyAsn1Error�MSCSTemplateV1)r�r

�partsZ_oidr�r$r%r
Js	


zExternalCAProfile.__new__c


Cs|jSrRr
r:r$r$r%r-is
zExternalCAProfile.__getstate__cCs|�|
�

dSrR)
r&r+r$r$r%r1lszExternalCAProfile.__setstate__)
N)
N)r�r�r�r�r&ro�	valid_forr
r-r1r�r$r$r�r%r
7s

r
c@s.eZ
dZd
Zeejjg
�
ZdZ	dZ
dd�ZdS)�MSCSTemplatez�
    An Microsoft AD-CS Template specifier.

    Subclasses MUST set ext_oid.

    Subclass constructors MUST set asn1obj.

    Nc

Cst�
|j�
S)
z"Return DER-encoded extension data.)rrD�asn1objr:r$r$r%�get_ext_dataszMSCSTemplate.get_ext_data)r�r�r�r�ror
r
rHr
�ext_oidr
r 
r$r$r$r%r
qs


r
cs$eZ
dZd
ZdZ�f
dd�Z�ZS)r
a

    A v1 template specifier, per
    https://msdn.microsoft.com/en-us/library/cc250011.aspx.

    ::

        CertificateTemplateName ::= SEQUENCE {
           Name            UTF8String
        }

    But note that a bare BMPString is used in practice.

    z1.3.6.1.4.1.311.20.2csFtt
|��|
�

|
�d
�
}t|�
dkr.td�
�
t�t|d�
�
|_	dS)Nr
rz<Cannot specify certificate template version when using name.r
)
r�r
r&r
�lenr!rZ	BMPStringrwr
)r"r

r
r�r$r%r&�s





�zMSCSTemplateV1.__init__)r�r�r�r�r!
r&r�r$r$r�r%r
�s

r
cs0eZ
dZd
ZdZedd��
Z�f
dd�Z�ZS)r
a�

    A v2 template specifier, per
    https://msdn.microsoft.com/en-us/library/windows/desktop/aa378274(v=vs.85).aspx

    ::

        CertificateTemplate ::= SEQUENCE {
            templateID              EncodedObjectID,
            templateMajorVersion    TemplateVersion,
            templateMinorVersion    TemplateVersion OPTIONAL
        }

        TemplateVersion ::= INTEGER (0..4294967295)

    z1.3.6.1.4.1.311.21.7cCs"|
d
ks|
dkrtd�
|�
�
�
dS)Nr
lz2Template {} version must be in range 0..4294967295)r!ri)Zdescr�r$r$r%�check_version_in_range�s


��z%MSCSTemplateV2.check_version_in_rangecs�tt
|��|
�

|
�d
�
}t�}t|�
dks8t|�
dkr@td�
�
zjt�|d�
|d<t	|d�
}|�
d|�
||d	<t|�
dkr�t	|d�
}|�
d
|�
t	|d�
|d<Wntjj
y�


td�
�
Yn0||_dS)
Nr
r
�z[Incorrect template specification; required format is: <oid>:<majorVersion>[:<minorVersion>]r
�
templateIDr�major�templateMajorVersion�minor�templateMinorVersionz/Could not parse certificate template specifier.)r�r
r&r
�CertificateTemplateV2r"
r!r
r@�intr#
rAr�r
r
)r"r

r
�objr&
r(
r�r$r%r&�s&




�







zMSCSTemplateV2.__init__)	r�r�r�r�r!
�staticmethodr#
r&r�r$r$r�r%r
�s



r
c	@s>eZ
dZe�e�d
e���e�de���e�	de����Z
dS)r*
r%
r'
r)
N)r�r�r�rr�r�r
r@r�ZOptionalNamedTyper�r$r$r$r%r*
�s




�r*
)
N)
N)
N)eZ
__future__rr�r
r_�enumr�r�r�Zcryptographyrr/Zcryptography.hazmat.backendsrZcryptography.hazmat.primitivesrZ,cryptography.hazmat.primitives.serializationrrrr	rAZpyasn1.errorZpyasn1.typer
rrr
Zpyasn1.codec.derrrZpyasn1_modulesrrr�Zurllib3.utilr�ImportErrorZurllib3.packagesZipalibrZipapython.dnsutilrr�r(�compiler�r�r�ZEKU_SERVER_AUTHZEKU_CLIENT_AUTHZEKU_CODE_SIGNINGZEKU_EMAIL_PROTECTIONZEKU_PKINIT_CLIENT_AUTHZEKU_PKINIT_KDCrtZEKU_PLACEHOLDERZSAN_UPNZSAN_KRB5PRINCIPALNAMErr�r0r�r�r�r�r�r�r�r�r�r�r��Sequencer�r�r�r�r�r�r�r�r�r}r~rr�r�r
r
r
r[r	
r
�Enumr
r
r
r
r
r*
r$r$r$r%�<module> s�




















�
�







p


&




�
:4