Current File : //snap/certbot/4482/lib/python3.12/site-packages/cryptography/x509/__pycache__/base.cpython-312.pyc
�

�S�gِ�	��ddlmZddlZddlZddlZddlZddlZddlmZddl	m
Zddlm
Z
mZddlmZmZmZmZmZmZmZmZddlmZmZmZddlmZmZmZm Z dd	l!m"Z"m#Z#dd
l$m%Z%ejddd�Z&ejNe
jPe
jRe
jTe
jVe
jXe
jZe
j\e
j^fZ0Gd
�de1�Z2						d.d�Z3						d/d�Z4d0d�Z5Gd�d�Z6Gd�d�Z7Gd�dejp�Z9Gd�de1�Z:Gd�dejv��Z<e<j{ejx�Gd�dejv��Z>e>j{ej|�Gd�d e>�Z?Gd!�d"ejv��Z@e@j{ej��Gd#�d$ejv��ZAeAj{ej��ej�ZBej�ZCej�ZDej�ZEej�ZFej�ZGej�ZHGd%�d&�ZIGd'�d(�ZJGd)�d*�ZKGd+�d,�ZLd1d-�ZMy)2�)�annotationsN)�utils)�x509)�hashes�
serialization)�dsa�ec�ed448�ed25519�padding�rsa�x448�x25519)� CertificateIssuerPrivateKeyTypes�CertificateIssuerPublicKeyTypes�CertificatePublicKeyTypes)�	Extension�
Extensions�
ExtensionType�_make_sequence_methods)�Name�	_ASN1Type)�ObjectIdentifieri��c� ��eZdZd�fd�Z�xZS)�AttributeNotFoundc�2��t�|�|�||_y�N)�super�__init__�oid)�self�msgr!�	__class__s   ���/build/snapcraft-certbot-29b1212f749eeba2f1dece1adfe9a83a/parts/certbot/install/lib/python3.12/site-packages/cryptography/x509/base.pyr zAttributeNotFound.__init__9s���
��������)r#�strr!r�return�None��__name__�
__module__�__qualname__r �
__classcell__�r$s@r%rr8s
����r&rc�Z�|D]&}|j|jk(s�td��y)Nz$This extension has already been set.)r!�
ValueError)�	extension�
extensions�es   r%�_reject_duplicate_extensionr5>s1��
�E���5�5�I�M�M�!��C�D�D�Er&c�:�|D]\}}}||k(s�
td��y)Nz$This attribute has already been set.)r1)r!�
attributes�attr_oid�_s    r%�_reject_duplicate_attributer:Hs.��
%�E���!�Q��s�?��C�D�D�Er&c��|j�=|j�}|r|ntj�}|j	d��|z
S|S)z�Normalizes a datetime to a naive datetime in UTC.

    time -- datetime to normalize. Assumed to be in UTC if not timezone
            aware.
    N��tzinfo)r=�	utcoffset�datetime�	timedelta�replace)�time�offsets  r%�_convert_to_naive_utc_timerDRsG���{�{�����!��!��x�'9�'9�';���|�|�4�|�(�6�1�1��r&c��eZdZejj
f							dd�Zed	d��Zed
d��Zdd�Z	dd�Z
d
d�Zy)�	Attributec�.�||_||_||_yr)�_oid�_value�_type)r"r!�valuerJs    r%r zAttribute.__init__as����	������
r&c��|jSr)rH�r"s r%r!z
Attribute.oidks���y�y�r&c��|jSr)rIrMs r%rKzAttribute.valueos���{�{�r&c�<�d|j�d|j�d�S)Nz<Attribute(oid=z, value=�)>)r!rKrMs r%�__repr__zAttribute.__repr__ss�� ����
�(�4�:�:�.��C�Cr&c���t|t�stS|j|jk(xr4|j|jk(xr|j
|j
k(Sr)�
isinstancerF�NotImplementedr!rKrJ�r"�others  r%�__eq__zAttribute.__eq__vsS���%��+�!�!�
�H�H��	�	�!�
*��
�
�e�k�k�)�
*��
�
�e�k�k�)�	
r&c�Z�t|j|j|jf�Sr)�hashr!rKrJrMs r%�__hash__zAttribute.__hash__�s ���T�X�X�t�z�z�4�:�:�6�7�7r&N)r!rrK�bytesrJ�intr(r)�r(r�r(r[�r(r'�rV�objectr(�bool�r(r\)r+r,r-r�
UTF8StringrKr �propertyr!rQrWrZ�r&r%rFrF`sv��
�)�)�/�/�	�
�����	�

����������D�
�8r&rFc�D�eZdZ				dd�Zed�\ZZZdd�Zdd�Z	y)	�
Attributesc�$�t|�|_yr)�list�_attributes)r"r7s  r%r zAttributes.__init__�s�� �
�+��r&rkc�"�d|j�d�S)Nz<Attributes(rP)rkrMs r%rQzAttributes.__repr__�s���d�.�.�/�r�2�2r&c�V�|D]}|j|k(s�|cStd|�d�|��)NzNo z attribute was found)r!r)r"r!�attrs   r%�get_attribute_for_oidz Attributes.get_attribute_for_oid�s:���	�D��x�x�3����	� �#�c�U�*>� ?��E�Er&N)r7ztyping.Iterable[Attribute]r(r)r_)r!rr(rF)
r+r,r-r r�__len__�__iter__�__getitem__rQrorfr&r%rhrh�s7��,�.�,�
�,�&<�M�%J�"�G�X�{�3�Fr&rhc��eZdZdZdZy)�Versionr�N)r+r,r-�v1�v3rfr&r%rtrt�s��	
�B�	
�Br&rtc� ��eZdZd�fd�Z�xZS)�InvalidVersionc�2��t�|�|�||_yr)rr �parsed_version)r"r#r{r$s   �r%r zInvalidVersion.__init__�s���
�����,��r&)r#r'r{r\r(r)r*r/s@r%ryry�s
���-�-r&ryc��eZdZejdd��Zeejdd���Zeejdd���Zejdd��Z	eejdd���Z
eejdd���Zeejdd���Zeejdd���Z
eejdd	���Zeejdd
���Zeejdd���Zeej		dd���Zeejdd
���Zeej		d d���Zeejd!d���Zeejd"d���Zeejd"d���Zeejd"d���Zejd#d��Zejdd��Zejd$d��Zejd%d��Zy)&�Certificatec��y�z4
        Returns bytes using digest passed.
        Nrf�r"�	algorithms  r%�fingerprintzCertificate.fingerprint���r&c��y)z3
        Returns certificate serial number
        NrfrMs r%�
serial_numberzCertificate.serial_number�r�r&c��y)z1
        Returns the certificate version
        NrfrMs r%�versionzCertificate.version�r�r&c��y�z(
        Returns the public key
        NrfrMs r%�
public_keyzCertificate.public_key�r�r&c��y)zA
        Returns the ObjectIdentifier of the public key.
        NrfrMs r%�public_key_algorithm_oidz$Certificate.public_key_algorithm_oid�r�r&c��y)z?
        Not before time (represented as UTC datetime)
        NrfrMs r%�not_valid_beforezCertificate.not_valid_before�r�r&c��y)zK
        Not before time (represented as a non-naive UTC datetime)
        NrfrMs r%�not_valid_before_utcz Certificate.not_valid_before_utc�r�r&c��y)z>
        Not after time (represented as UTC datetime)
        NrfrMs r%�not_valid_afterzCertificate.not_valid_after�r�r&c��y)zJ
        Not after time (represented as a non-naive UTC datetime)
        NrfrMs r%�not_valid_after_utczCertificate.not_valid_after_utc�r�r&c��y)z1
        Returns the issuer name object.
        NrfrMs r%�issuerzCertificate.issuer�r�r&c��y�z2
        Returns the subject name object.
        NrfrMs r%�subjectzCertificate.subject�r�r&c��y�zt
        Returns a HashAlgorithm corresponding to the type of the digest signed
        in the certificate.
        NrfrMs r%�signature_hash_algorithmz$Certificate.signature_hash_algorithm�r�r&c��y�zJ
        Returns the ObjectIdentifier of the signature algorithm.
        NrfrMs r%�signature_algorithm_oidz#Certificate.signature_algorithm_oid�r�r&c��y�z=
        Returns the signature algorithm parameters.
        NrfrMs r%�signature_algorithm_parametersz*Certificate.signature_algorithm_parametersr�r&c��y)z/
        Returns an Extensions object.
        NrfrMs r%r3zCertificate.extensions	r�r&c��y�z.
        Returns the signature bytes.
        NrfrMs r%�	signaturezCertificate.signaturer�r&c��y)zR
        Returns the tbsCertificate payload bytes as defined in RFC 5280.
        NrfrMs r%�tbs_certificate_bytesz!Certificate.tbs_certificate_bytesr�r&c��y)zh
        Returns the tbsCertificate payload bytes with the SCT list extension
        stripped.
        NrfrMs r%�tbs_precertificate_bytesz$Certificate.tbs_precertificate_bytesr�r&c��y�z"
        Checks equality.
        NrfrUs  r%rWzCertificate.__eq__&r�r&c��y�z"
        Computes a hash.
        NrfrMs r%rZzCertificate.__hash__,r�r&c��y)zB
        Serializes the certificate to PEM or DER format.
        Nrf�r"�encodings  r%�public_byteszCertificate.public_bytes2r�r&c��y)z�
        This method verifies that certificate issuer name matches the
        issuer subject name and that the certificate is signed by the
        issuer's private key. No other validation is performed.
        Nrf)r"r�s  r%�verify_directly_issued_byz%Certificate.verify_directly_issued_by8r�r&N�r�zhashes.HashAlgorithmr(r[rc)r(rt�r(rr]�r(�datetime.datetime�r(r�r(zhashes.HashAlgorithm | None�r(z0None | padding.PSS | padding.PKCS1v15 | ec.ECDSA�r(rr^r`�r�zserialization.Encodingr(r[)r�r}r(r))r+r,r-�abc�abstractmethodr�rer�r�r�r�r�r�r�r�r�r�r�r�r�r3r�r�r�rWrZr�r�rfr&r%r}r}�s���������
��������
��������
	������
��������
��������
��������
��������
��������
��������
��������
�����	$�������������
�����	9�������������
��������
��������
��������	������
	������
	������
	�����r&r})�	metaclassc���eZdZeej
dd���Zeej
dd���Zeej
dd���Zeej
dd���Z	y)	�RevokedCertificatec��y)zG
        Returns the serial number of the revoked certificate.
        NrfrMs r%r�z RevokedCertificate.serial_numberFr�r&c��y)zH
        Returns the date of when this certificate was revoked.
        NrfrMs r%�revocation_datez"RevokedCertificate.revocation_dateMr�r&c��y)zl
        Returns the date of when this certificate was revoked as a non-naive
        UTC datetime.
        NrfrMs r%�revocation_date_utcz&RevokedCertificate.revocation_date_utcTr�r&c��y)zW
        Returns an Extensions object containing a list of Revoked extensions.
        NrfrMs r%r3zRevokedCertificate.extensions\r�r&Nrcr�r�)
r+r,r-rer�r�r�r�r�r3rfr&r%r�r�Es���
��������
��������
���������������r&r�c�h�eZdZ						dd�Zedd��Zed	d��Zed	d��Zed
d��Zy)�_RawRevokedCertificatec�.�||_||_||_yr��_serial_number�_revocation_date�_extensions�r"r�r�r3s    r%r z_RawRevokedCertificate.__init__i���,��� /���%��r&c��|jSr)r�rMs r%r�z$_RawRevokedCertificate.serial_numberss���"�"�"r&c�f�tjdtjd��|jS)NukProperties that return a naïve datetime object have been deprecated. Please switch to revocation_date_utc.ru)�
stacklevel)�warnings�warnr�DeprecatedIn42r�rMs r%r�z&_RawRevokedCertificate.revocation_datews.���
�
�
@�� � ��		
��$�$�$r&c�j�|jjtjj��S)Nr<)r�rAr?�timezone�utcrMs r%r�z*_RawRevokedCertificate.revocation_date_utc�s(���$�$�,�,�H�4E�4E�4I�4I�,�J�Jr&c��|jSr)r�rMs r%r3z!_RawRevokedCertificate.extensions�s�����r&N)r�r\r�r�r3rrcr�r�)	r+r,r-r rer�r�r�r3rfr&r%r�r�hsu��&��&�+�&��	&��#��#��%��%��K��K�� �� r&r�c��eZdZejdd��Zejdd��Zej				dd��Zeej		dd���Z	eejdd���Z
eej		dd���Zeejdd���Zeejdd���Z
eejdd	���Zeejdd
���Zeejdd���Zeejd d���Zeejd!d
���Zeejd!d���Zejd"d��Zejd#d��Zej.d$d��Zej.d%d��Zej				d&d��Zejd'd��Zej				d(d��Zy))�CertificateRevocationListc��y)z:
        Serializes the CRL to PEM or DER format.
        Nrfr�s  r%r�z&CertificateRevocationList.public_bytes�r�r&c��yrrfr�s  r%r�z%CertificateRevocationList.fingerprint�r�r&c��y)zs
        Returns an instance of RevokedCertificate or None if the serial_number
        is not in the CRL.
        Nrf)r"r�s  r%�(get_revoked_certificate_by_serial_numberzBCertificateRevocationList.get_revoked_certificate_by_serial_number�r�r&c��yr�rfrMs r%r�z2CertificateRevocationList.signature_hash_algorithm�r�r&c��yr�rfrMs r%r�z1CertificateRevocationList.signature_algorithm_oid�r�r&c��yr�rfrMs r%r�z8CertificateRevocationList.signature_algorithm_parameters�r�r&c��y)zC
        Returns the X509Name with the issuer of this CRL.
        NrfrMs r%r�z CertificateRevocationList.issuer�r�r&c��y)z?
        Returns the date of next update for this CRL.
        NrfrMs r%�next_updatez%CertificateRevocationList.next_update�r�r&c��y)zc
        Returns the date of next update for this CRL as a non-naive UTC
        datetime.
        NrfrMs r%�next_update_utcz)CertificateRevocationList.next_update_utc�r�r&c��y)z?
        Returns the date of last update for this CRL.
        NrfrMs r%�last_updatez%CertificateRevocationList.last_update�r�r&c��y)zc
        Returns the date of last update for this CRL as a non-naive UTC
        datetime.
        NrfrMs r%�last_update_utcz)CertificateRevocationList.last_update_utc�r�r&c��y)zS
        Returns an Extensions object containing a list of CRL extensions.
        NrfrMs r%r3z$CertificateRevocationList.extensions�r�r&c��yr�rfrMs r%r�z#CertificateRevocationList.signature�r�r&c��y)zO
        Returns the tbsCertList payload bytes as defined in RFC 5280.
        NrfrMs r%�tbs_certlist_bytesz,CertificateRevocationList.tbs_certlist_bytes�r�r&c��yr�rfrUs  r%rWz CertificateRevocationList.__eq__�r�r&c��y)z<
        Number of revoked certificates in the CRL.
        NrfrMs r%rpz!CertificateRevocationList.__len__�r�r&c��yrrf�r"�idxs  r%rrz%CertificateRevocationList.__getitem__s��;>r&c��yrrfr�s  r%rrz%CertificateRevocationList.__getitem__s��CFr&c��y)zS
        Returns a revoked certificate (or slice of revoked certificates).
        Nrfr�s  r%rrz%CertificateRevocationList.__getitem__r�r&c��y)z8
        Iterator over the revoked certificates
        NrfrMs r%rqz"CertificateRevocationList.__iter__r�r&c��y)zQ
        Verifies signature of revocation list against given public key.
        Nrf)r"r�s  r%�is_signature_validz,CertificateRevocationList.is_signature_validr�r&Nr�r�)r�r\r(zRevokedCertificate | Noner�r]r�r�)r(�datetime.datetime | Noner�r�r^r`rc)r�r\r(r�)r��slicer(�list[RevokedCertificate])r�zint | slicer(z-RevokedCertificate | list[RevokedCertificate])r(z#typing.Iterator[RevokedCertificate])r�rr(rb)r+r,r-r�r�r�r�r�rer�r�r�r�r�r�r�r�r3r�r�rWrp�typing�overloadrrrqr�rfr&r%r�r��s���������
	������
	���� ��	"���������	$�������������
�����	9�������������
��������
����������������
����������������
��������
��������
	������
	������
�_�_�>��>��_�_�F��F�������	6����	������
	����9��	
���r&r�c��eZdZejdd��Zejdd��Zejdd��Zeejdd���Z	eej		dd���Z
eejdd���Zeej		dd���Zeejdd���Z
eejdd	���Zejdd
��Zeejdd���Zeejdd���Zeejdd
���Zejdd��Zy)�CertificateSigningRequestc��yr�rfrUs  r%rWz CertificateSigningRequest.__eq__!r�r&c��yr�rfrMs r%rZz"CertificateSigningRequest.__hash__'r�r&c��yr�rfrMs r%r�z$CertificateSigningRequest.public_key-r�r&c��yr�rfrMs r%r�z!CertificateSigningRequest.subject3r�r&c��yr�rfrMs r%r�z2CertificateSigningRequest.signature_hash_algorithm:r�r&c��yr�rfrMs r%r�z1CertificateSigningRequest.signature_algorithm_oidDr�r&c��yr�rfrMs r%r�z8CertificateSigningRequest.signature_algorithm_parametersKr�r&c��y)z@
        Returns the extensions in the signing request.
        NrfrMs r%r3z$CertificateSigningRequest.extensionsTr�r&c��y)z/
        Returns an Attributes object.
        NrfrMs r%r7z$CertificateSigningRequest.attributes[r�r&c��y)z;
        Encodes the request to PEM or DER format.
        Nrfr�s  r%r�z&CertificateSigningRequest.public_bytesbr�r&c��yr�rfrMs r%r�z#CertificateSigningRequest.signaturehr�r&c��y)zd
        Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC
        2986.
        NrfrMs r%�tbs_certrequest_bytesz/CertificateSigningRequest.tbs_certrequest_bytesor�r&c��y)z8
        Verifies signature of signing request.
        NrfrMs r%r�z,CertificateSigningRequest.is_signature_validwr�r&c��y)z:
        Get the attribute value for a given OID.
        Nrf)r"r!s  r%roz/CertificateSigningRequest.get_attribute_for_oid~r�r&Nr`rcr�r�r�r]r�r�)r(rhr�r^)r(rb)r!rr(r[)r+r,r-r�r�rWrZr�rer�r�r�r�r3r7r�r�rr�rorfr&r%rr s���������
	������
	������
��������
�����	$�������������
�����	9�������������
��������
	������
��������
����������������
	�����r&rc��eZdZdggf					d	d�Zd
d�Z						dd�Zdd�							dd�Z	d
dd�									dd�Zy)� CertificateSigningRequestBuilderNc�.�||_||_||_y)zB
        Creates an empty X.509 certificate request (v1).
        N)�
_subject_namer�rk)r"�subject_namer3r7s    r%r z)CertificateSigningRequestBuilder.__init__�s��*���%���%��r&c��t|t�std��|j�t	d��t||j|j�S)zF
        Sets the certificate requestor's distinguished name.
        �Expecting x509.Name object.�&The subject name may only be set once.)rSr�	TypeErrorrr1rr�rk�r"�names  r%rz-CertificateSigningRequestBuilder.subject_name�sR���$��%��9�:�:����)��E�F�F�/��$�"�"�D�$4�$4�
�	
r&c���t|t�std��t|j||�}t||j�t|jg|j�|�|j�S)zE
        Adds an X.509 extension to the certificate request.
        �"extension must be an ExtensionType)
rSrrrr!r5r�rrrk�r"�extval�criticalr2s    r%�
add_extensionz.CertificateSigningRequestBuilder.add_extension�sn���&�-�0��@�A�A��f�j�j�(�F�;�	�#�I�t�/?�/?�@�/����*�d���*�	�*����
�	
r&)�_tagc�Z�t|t�std��t|t�std��|�t|t�std��t||j�|�
|j}nd}t|j|jg|j�|||f��S)zK
        Adds an X.509 attribute with an OID and associated value.
        zoid must be an ObjectIdentifierzvalue must be bytesNztag must be _ASN1Type)rSrrr[rr:rkrKrrr�)r"r!rKr#�tags     r%�
add_attributez.CertificateSigningRequestBuilder.add_attribute�s����#�/�0��=�>�>��%��'��1�2�2���J�t�Y�$?��3�4�4�#�C��)9�)9�:����*�*�C��C�/�������2�d���2��e�S� 1�2�
�	
r&��rsa_paddingc��|j�td��|�Zt|tjtj
f�st
d��t|tj�st
d��tj||||�S)zF
        Signs the request using the requestor's private key.
        z/A CertificateSigningRequest must have a subject�Padding must be PSS or PKCS1v15�&Padding is only supported for RSA keys)rr1rSr�PSS�PKCS1v15rr
�
RSAPrivateKey�	rust_x509�create_x509_csr�r"�private_keyr��backendr(s     r%�signz%CertificateSigningRequestBuilder.sign�s�����%��N�O�O��"��k�G�K�K��9I�9I�+J�K�� A�B�B��k�3�+<�+<�=�� H�I�I��(�(��+�y�+�
�	
r&)r�Name | Noner3�list[Extension[ExtensionType]]r7�0list[tuple[ObjectIdentifier, bytes, int | None]])rrr(r)r rr!rbr(r)r!rrKr[r#z_ASN1Type | Noner(rr)
r2rr��_AllowedHashTypes | Noner3�
typing.Anyr(�%padding.PSS | padding.PKCS1v15 | Noner(r)r+r,r-r rr"r&r4rfr&r%rr�s���%)�57�GI�	&�!�&�3�&�E�	&�

�
�#�
�/3�
�	)�
�."&�
�
�
��
�
�
�
*�

�H#�	
�>B�

�5�
�,�
��	
�;�

�
#�
r&rc��eZdZUded<ddddddgf															dd�Zdd�Zdd�Z				dd�Zdd�Zdd	�Z	dd
�Z
						dd�Z	ddd�									dd
�Zy)�CertificateBuilderr6r�Nc��tj|_||_||_||_||_||_||_||_	yr)
rtrw�_version�_issuer_namer�_public_keyr��_not_valid_before�_not_valid_afterr�)r"�issuer_namerr�r�r�r�r3s        r%r zCertificateBuilder.__init__�sG�� �
�
��
�'���)���%���+���!1��� /���%��r&c	��t|t�std��|j�t	d��t||j|j|j|j|j|j�S)z3
        Sets the CA's distinguished name.
        r�%The issuer name may only be set once.)rSrrr?r1r<rr@r�rArBr�rs  r%rCzCertificateBuilder.issuer_namesx���$��%��9�:�:����(��D�E�E�!������������"�"��!�!����
�	
r&c	��t|t�std��|j�t	d��t|j||j|j|j|j|j�S)z:
        Sets the requestor's distinguished name.
        rr)rSrrrr1r<r?r@r�rArBr�rs  r%rzCertificateBuilder.subject_name"sx���$��%��9�:�:����)��E�F�F�!������������"�"��!�!����
�	
r&c
���t|tjtjt
jtjtjtjtjf�std��|j �t#d��t%|j&|j(||j*|j,|j.|j0�S)zT
        Sets the requestor's public key (as found in the signing request).
        z�Expecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey, Ed448PublicKey, X25519PublicKey, or X448PublicKey.z$The public key may only be set once.)rSr�DSAPublicKeyr
�RSAPublicKeyr	�EllipticCurvePublicKeyr�Ed25519PublicKeyr
�Ed448PublicKeyr�X25519PublicKeyr�
X448PublicKeyrr@r1r<r?rr�rArBr�)r"�keys  r%r�zCertificateBuilder.public_key4s������ � �� � ��)�)��(�(��$�$��&�&��"�"�
�
��!��
����'��C�D�D�!������������"�"��!�!����
�	
r&c	�\�t|t�std��|j�t	d��|dkrt	d��|j�dk\rt	d��t
|j|j|j||j|j|j�S)z5
        Sets the certificate serial number.
        �'Serial number must be of integral type.�'The serial number may only be set once.rz%The serial number should be positive.��3The serial number should not be more than 159 bits.)
rSr\rr�r1�
bit_lengthr<r?rr@rArBr��r"�numbers  r%r�z CertificateBuilder.serial_numberYs����&�#�&��E�F�F����*��F�G�G��Q�;��D�E�E�����#�%��E��
�"������������"�"��!�!����
�	
r&c	��t|tj�std��|j�t	d��t|�}|tkrt	d��|j�||jkDrt	d��t|j|j|j|j||j|j�S)z7
        Sets the certificate activation time.
        �Expecting datetime object.z*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)rSr?rrAr1rD�_EARLIEST_UTC_TIMErBr<r?rr@r�r��r"rBs  r%r�z#CertificateBuilder.not_valid_beforets����$�� 1� 1�2��8�9�9��!�!�-��I�J�J�)�$�/���$�$��$��
�� � �,���8M�8M�1M����
�"���������������!�!����
�	
r&c	��t|tj�std��|j�t	d��t|�}|tkrt	d��|j�||jkrt	d��t|j|j|j|j|j||j�S)z7
        Sets the certificate expiration time.
        rYz)The not valid after may only be set once.z<The not valid after date must be on or after 1950 January 1.zAThe not valid after date must be after the not valid before date.)rSr?rrBr1rDrZrAr<r?rr@r�r�r[s  r%r�z"CertificateBuilder.not_valid_after�s����$�� 1� 1�2��8�9�9�� � �,��H�I�I�)�$�/���$�$��#��
�

�"�"�.��t�-�-�-����
�"��������������"�"�����
�	
r&c
�H�t|t�std��t|j||�}t||j�t|j|j|j|j|j|jg|j�|��S)z=
        Adds an X.509 extension to the certificate.
        r)rSrrrr!r5r�r<r?rr@r�rArBrs    r%r"z CertificateBuilder.add_extension�s����&�-�0��@�A�A��f�j�j�(�F�;�	�#�I�t�/?�/?�@�!��������������"�"��!�!�*�d���*�	�*�
�	
r&r'c��|j�td��|j�td��|j�td��|j�td��|j
�td��|j�td��|�Zt|tjtjf�std��t|tj�std��tj||||�S)	zC
        Signs the certificate using the CA's private key.
        z&A certificate must have a subject namez&A certificate must have an issuer namez'A certificate must have a serial numberz/A certificate must have a not valid before timez.A certificate must have a not valid after timez$A certificate must have a public keyr*r+)rr1r?r�rArBr@rSrr,r-rr
r.r/�create_x509_certificater1s     r%r4zCertificateBuilder.sign�s������%��E�F�F����$��E�F�F����&��F�G�G��!�!�)��N�O�O�� � �(��M�N�N����#��C�D�D��"��k�G�K�K��9I�9I�+J�K�� A�B�B��k�3�+<�+<�=�� H�I�I��0�0��+�y�+�
�	
r&)rCr5rr5r�z CertificatePublicKeyTypes | Noner��
int | Noner�r�r�r�r3r6r(r))rrr(r<)rOrr(r<)rWr\r(r<)rBr�r(r<)r rr!rbr(r<r)
r2rr�r8r3r9r(r:r(r})
r+r,r-�__annotations__r rCrr�r�r�r�r"r4rfr&r%r<r<�s��/�/�$(�$(�7;�$(�59�48�57�&� �&�"�&�5�	&�
"�&�3�
&�2�&�3�&�
�&�&
�$
�$#
�
&�#
�
�#
�J
�6
�:
�@
�#�
�/3�
�	�
�4#�	%
�>B�
%
�5�%
�,�%
��	%
�;�
%
�
�%
r&r<c��eZdZUded<ded<dddggf									dd�Z				dd�Z				dd�Z				dd	�Z						dd
�Z				dd�Z		ddd�									dd
�Z
y)� CertificateRevocationListBuilderr6r�r��_revoked_certificatesNc�J�||_||_||_||_||_yr)r?�_last_update�_next_updater�rd)r"rCr�r�r3�revoked_certificatess      r%r z)CertificateRevocationListBuilder.__init__�s,��(���'���'���%���%9��"r&c���t|t�std��|j�t	d��t||j|j|j|j�S)NrrE)
rSrrr?r1rcrfrgr�rd)r"rCs  r%rCz,CertificateRevocationListBuilder.issuer_namesf���+�t�,��9�:�:����(��D�E�E�/������������&�&�
�	
r&c�r�t|tj�std��|j�t	d��t|�}|tkrt	d��|j�||jkDrt	d��t|j||j|j|j�S)NrY�!Last update may only be set once.�8The last update date must be on or after 1950 January 1.z9The last update date must be before the next update date.)rSr?rrfr1rDrZrgrcr?r�rd)r"r�s  r%r�z,CertificateRevocationListBuilder.last_updates����+�x�'8�'8�9��8�9�9����(��@�A�A�0��=���+�+��J��
����(�[�4�;L�;L�-L��K��
�0������������&�&�
�	
r&c�r�t|tj�std��|j�t	d��t|�}|tkrt	d��|j�||jkrt	d��t|j|j||j|j�S)NrYrkrlz8The next update date must be after the last update date.)rSr?rrgr1rDrZrfrcr?r�rd)r"r�s  r%r�z,CertificateRevocationListBuilder.next_update(s����+�x�'8�'8�9��8�9�9����(��@�A�A�0��=���+�+��J��
����(�[�4�;L�;L�-L��J��
�0������������&�&�
�	
r&c��t|t�std��t|j||�}t||j�t|j|j|jg|j�|�|j�S)zM
        Adds an X.509 extension to the certificate revocation list.
        r)rSrrrr!r5r�rcr?rfrgrdrs    r%r"z.CertificateRevocationListBuilder.add_extension@s����&�-�0��@�A�A��f�j�j�(�F�;�	�#�I�t�/?�/?�@�/����������*�d���*�	�*��&�&�
�	
r&c���t|t�std��t|j|j
|j|jg|j�|��S)z8
        Adds a revoked certificate to the CRL.
        z)Must be an instance of RevokedCertificate)	rSr�rrcr?rfrgr�rd)r"�revoked_certificates  r%�add_revoked_certificatez8CertificateRevocationListBuilder.add_revoked_certificateSsa���-�/A�B��G�H�H�/�������������>�d�(�(�>�*=�>�
�	
r&r'c�t�|j�td��|j�td��|j�td��|�Zt	|t
jt
jf�std��t	|tj�std��tj||||�S)NzA CRL must have an issuer namez"A CRL must have a last update timez"A CRL must have a next update timer*r+)
r?r1rfrgrSrr,r-rr
r.r/�create_x509_crlr1s     r%r4z%CertificateRevocationListBuilder.signds������$��=�>�>����$��A�B�B����$��A�B�B��"��k�G�K�K��9I�9I�+J�K�� A�B�B��k�3�+<�+<�=�� H�I�I��(�(��+�y�+�
�	
r&)
rCr5r�r�r�r�r3r6rhr�)rCrr(rc)r�r�r(rc)r�r�r(rc)r rr!rbr(rc)rpr�r(rcr)
r2rr�r8r3r9r(r:r(r�)r+r,r-rar rCr�r�r"rqr4rfr&r%rcrc�s
��/�/�3�3�$(�04�04�57�9;�
:� �:�.�:�.�	:�
3�:�7�
:�

��

�	)�

�
�,�
�	)�
�0
�,�
�	)�
�0
�#�
�/3�
�	)�
�&
�#5�
�	)�
�*#�	
�>B�

�5�
�,�
��	
�;�

�
#�
r&rcc�\�eZdZddgf					dd�Zdd�Z				d	d�Z						d
d�Zddd�Zy)
�RevokedCertificateBuilderNc�.�||_||_||_yrr�r�s    r%r z"RevokedCertificateBuilder.__init__�r�r&c��t|t�std��|j�t	d��|dkrt	d��|j�dk\rt	d��t
||j|j�S)NrQrRrz$The serial number should be positiverSrT)	rSr\rr�r1rUrur�r�rVs  r%r�z'RevokedCertificateBuilder.serial_number�s����&�#�&��E�F�F����*��F�G�G��Q�;��C�D�D�����#�%��E��
�)��D�)�)�4�+;�+;�
�	
r&c��t|tj�std��|j�t	d��t|�}|tkrt	d��t|j||j�S)NrYz)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.)
rSr?rr�r1rDrZrur�r�r[s  r%r�z)RevokedCertificateBuilder.revocation_date�s}���$�� 1� 1�2��8�9�9�� � �,��H�I�I�)�$�/���$�$��I��
�)�����t�'7�'7�
�	
r&c���t|t�std��t|j||�}t||j�t|j|jg|j�|��S)Nr)
rSrrrr!r5r�rur�r�rs    r%r"z'RevokedCertificateBuilder.add_extension�sn���&�-�0��@�A�A��f�j�j�(�F�;�	�#�I�t�/?�/?�@�(�����!�!�*�d���*�	�*�
�	
r&c���|j�td��|j�td��t|j|jt	|j
��S)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)r�r1r�r�rr�)r"r3s  r%�buildzRevokedCertificateBuilder.build�se�����&��N�O�O�� � �(��C��
�&�����!�!��t�'�'�(�
�	
r&)r�r`r�r�r3r6)rWr\r(ru)rBr�r(ru)r rr!rbr(rur)r3r9r(r�)r+r,r-r r�r�r"r{rfr&r%ruru�sj��%)�48�57�	&�!�&�2�&�3�	&�
�$
�%�
�	"�
� 
�#�
�/3�
�	"�
�
r&ruc�Z�tjtjd�d�dz	S)N��bigr)r\�
from_bytes�os�urandomrfr&r%�random_serial_numberr��s ���>�>�"�*�*�R�.�%�0�A�5�5r&)r2zExtension[ExtensionType]r3r6r(r))r!rr7r7r(r))rBr�r(r�rc)N�
__future__rr�r?r�r�r��cryptographyr�"cryptography.hazmat.bindings._rustrr/�cryptography.hazmat.primitivesrr�)cryptography.hazmat.primitives.asymmetricrr	r
rrr
rr�/cryptography.hazmat.primitives.asymmetric.typesrrr�cryptography.x509.extensionsrrrr�cryptography.x509.namerr�cryptography.x509.oidrrZ�Union�SHA224�SHA256�SHA384�SHA512�SHA3_224�SHA3_256�SHA3_384�SHA3_512�_AllowedHashTypes�	Exceptionrr5r:rDrFrh�Enumrtry�ABCMetar}�registerr�r�r�r�load_pem_x509_certificate�load_der_x509_certificate�load_pem_x509_certificates�load_pem_x509_csr�load_der_x509_csr�load_pem_x509_crl�load_der_x509_crlrr<rcrur�rfr&r%�<module>r�s{��
#�
��	�
���@�@�	�	�	���
��3�2�&�X�&�&�t�Q��2���L�L�
�M�M�
�M�M�
�M�M�
�M�M�
�O�O�
�O�O�
�O�O�
�O�O��	���	��E�'�E�.�E�
�E�E�	�E�@�E�
�E��!8�!8�HF�F�(�e�j�j��
-�Y�-�[�C�K�K�[�~���Y�*�*�+��3�;�;��@���I�8�8�9� �/� �DP�#�+�+�P�f�"�"�9�#F�#F�G�b�#�+�+�b�L�"�"�9�#F�#F�G�&�?�?��%�?�?��&�A�A���/�/���/�/���/�/���/�/��b
�b
�Jr
�r
�jN
�N
�bF
�F
�R6r&