U ;gn3@sddlZddlZddlmZddlmZmZddlmZm Z m Z m Z m Z m Z mZddlmZddlmZeeZGdddeZeeed d d Zd d ZeeedddZeedddZeedddZejejdddZ Gdddej!Z"e"j#e e"j$ee"j%ee"j&eiZ'Gddde(Z)ej*dddZ+ej,dd d!Z-Gd"d#d#Z.ed$d%Gd&d'd'Z/e e"e e/fZ0e eje0d(d)d*Z1e e/e0d+d,d-Z2ej3e0d.d/d0Z4Gd1d2d2Z5Gd3d4d4Z6Gd5d6d6Z7e0d7d8d9Z8e0d7d:d;Z9dS)<N) dataclass) IPv4Address IPv6Address)CallableDictIterableListOptionalSetUnion)x509)urisplitc@s eZdZdS)NameConstraintErrorN)__name__ __module__ __qualname__rrD/tmp/pip-unpacked-wheel-hgp_x7fx/pyhanko_certvalidator/name_trees.pyr sr) base_host other_hostreturncCs:|ddkr.||\}}}t|o,t| S||kSdS)Nr.) rpartitionbool)rrpre_postrrrhost_tree_containss rcCs^t|}|rt|ttfrZ|dk r2d|dnd}d|d|d}t|t||S)Nz has host rzis not a well-formed URI.zCURI constraints require URIs with a host specified as a FQDN; URI 'z' )r Zgethost isinstancerrloggerwarningr)Zcand_uriZ cand_hostZhost_errmsgrrr _host_regnames  r")baseotherrcCst|}t||SN)r"r)r#r$rrrruri_tree_contains,sr&)r#r$cCsX|d}|d}t|t|kr(dSt|t|koVtddtt|t|DS)NrFcss|]\}}||kVqdSr%r.0xyrrr 9sz$dns_tree_contains..)splitlenallzipreversed)r#r$Z base_labelsZ other_labelsrrrdns_tree_contains2s  r1cCs:|d\}}}|d\}}}|r,||kSt||SdS)N@)rr)r#r$Z base_mailboxrZbase_host_or_domainZ other_mailboxZother_host_or_domainrrremail_tree_contains>s r3cCs4|j}|j}t|t|ko2tddt||DS)Ncss|]\}}||kVqdSr%rr'rrrr+Osz(dirname_tree_contains..)chosenr-r.r/)r#r$Zbase_rdn_sequenceZother_rdn_sequencerrrdirname_tree_containsKs r5c@seZdZeZeZeZeZeZ eZ eZ eZ eZ eeeeeejfeeejfgefdddZeddddZdS)GeneralNameTypercCs t|dSr%)_name_type_checkersgetselfrrrcheck_membershipbsz GeneralNameType.check_membershipcCst||Sr%)getattrupper)clschoicerrr from_choicejszGeneralNameType.from_choiceN)rrrenumautoZ OTHER_NAME RFC822_NAMEDNS_NAMEZ X400_ADDRESSDIRECTORY_NAMEZEDI_PARTY_NAMEUNIFORM_RESOURCE_IDENTIFIERZ IP_ADDRESSZ REGISTERED_IDpropertyr rr strr Namerr< classmethodrArrrrr6Ws "r6cs"eZdZedfdd ZZS)UnsupportedNameTypeError) name_typecst|jdSr%)super__init__namelower)r;rM __class__rrrOxsz!UnsupportedNameTypeError.__init__)rrrr6rO __classcell__rrrRrrLwsrL)gnamecCs*t|j}|j}|tjkr"|j}||fSr%)r6rArPr4rFnative)rUZ gname_typevaluerrr_interpret_general_name|s   rX)certccszt|jjrtj|jfV|j}|dkrb|jjD].}|D]$}|djdkr8tj|djfVq8q0n|D]}t|VqfdS)NtypeZ email_addressrW) r-subjectr4r6rFZsubject_alt_name_valuerVrDrX)rYZsubject_alt_namesrdnZ name_pairrPrrr_enumerate_names_in_certs  r]c@s@eZdZeeejfdddZeddZ ddZ dd Z d S) _StringOrNamerWcCs ||_dSr%r_)r;rWrrrrOsz_StringOrName.__init__cCs*|j}t|tjrd|fSd|fSdS)Nr)rWrr rJdump)r;valrrr_codes  z_StringOrName._codecCs t|jSr%)hashrcr:rrr__hash__sz_StringOrName.__hash__cCst|to|j|jkSr%)rr^rc)r;r$rrr__eq__sz_StringOrName.__eq__N) rrrr rIr rJrOrHrcrerfrrrrr^s  r^T)frozenc@seZdZUeed<eeed<dZeed<dZ eeed<e e e j feddd Zeee e e j fd d d Zedd ddZeeddddZdS) NameSubtreerM tree_baserminNmax)itemrcCsX|jdkrdS|jdks"|jdk r*td|jj}|dkrJtd|j||jj|S)NTrzuThe minimum/maximum fields on a name constraint are not meaningful in the PKIX (RFC 5280) profile --- not processing.z%No containment checker available for )rirjrkNotImplementedErrorrMr<rW)r;rlcheckerrrr __contains__s  zNameSubtree.__contains__rMrPcCst|t|dS)NrMri)rhr^)r?rMrPrrr from_nameszNameSubtree.from_namer7cCs4|d}t|\}}t|t||dj|djdS)Nr#Zminimummaximum)rjrk)rXrhr^rV)r?subtreerUrMZname_objrrrfrom_general_subtrees z NameSubtree.from_general_subtreerMrcCs t|ddS)z Tree that contains all names of a given type. :param name_type: The name type to use. :return: Nrq)rh)r?rMrrruniversal_trees zNameSubtree.universal_tree)rrrr6__annotations__r r^rjintrkr rIr rJrrorKrrrurwrrrrrhs    rh)namesrcs(tjdddtjfdd|DiS)NrPcSstjtj|dS)Nrp)rhrrr6rFr{rrr_subtreesz(x509_names_to_subtrees.._subtreecsh|] }|qSrr)r(nr|rr sz)x509_names_to_subtrees..)r rJr6rF)rzrr~rx509_names_to_subtreessr)treesrc CsHi}|D]:}z||j|Wqtk r@|h||j<YqXq|Sr%)rMaddKeyError)rresulttreerrr_group_subtreessr)subtreesrcCstdd|DS)Ncss|]}t|VqdSr%)rhru)r(rtrrrr+sz+process_general_subtrees..)r)rrrrprocess_general_subtreessrc@sBeZdZd eeeeejdfdddZ ddZ e ddZ dS) NameConstraintValidationResultNfailing_name_type failing_namecCs||_||_dSr%r)r;rrrrrrOsz'NameConstraintValidationResult.__init__cCs |jdkSr%)rr:rrr__bool__ sz'NameConstraintValidationResult.__bool__cCsD|jdk st|j}t|tjr&|j}|jj}d|d|dS)Nz The name 'z ' of type z is not allowed.) rAssertionErrorrrr rJZhuman_friendlyrPrQ)r;Zname_strrMrrr error_messages   z,NameConstraintValidationResult.error_message)NN) rrrr r6r rIr rJrOrrHrrrrrrs rc@sJeZdZedddZedddZeeddd Ze j e d d d Z d S)PermittedSubtreesinitial_permitted_subtreescsfddtD}||_dS)Ncs i|]}|t|dgqS)r)setr9r(rMrrr 'sz.PermittedSubtrees.__init__..)r6_trees)r;rrrrrrOs zPermittedSubtrees.__init__rcCs&|D]\}}|j||qdSr%)itemsrappend)r;rrMZ new_permittedrrrintersect_with-sz PermittedSubtrees.intersect_withrvcs>z"tfddt|j|DWStk r8YdSXdS)Nc3s$|]}tfdd|DVqdS)c3s|]}|kVqdSr%rr(rr{rrr+9sz:PermittedSubtrees.accept_name...N)any)r(Ztrees_in_generationr{rrr+8sz0PermittedSubtrees.accept_name..F)r.r0rrr;rMrPrr{r accept_name2s   zPermittedSubtrees.accept_namerYrcsLz,tfddt|D\}}t||dWStk rFtYSXdS)Nc3s&|]\}}||s||fVqdSr%)rr(rMrPr:rrr+Cs z0PermittedSubtrees.accept_cert..rnextr]r StopIterationr;rYrrrr:r accept_cert?s  zPermittedSubtrees.accept_certN) rrr PKIXSubtreesrOrr6rrr Certificaterrrrrrrs rc@sJeZdZedddZedddZeeddd Ze j e d d d Z d S)ExcludedSubtrees)initial_excluded_subtreescCsdd|D|_dS)NcSsi|]\}}|t|qSrr)r(rMZtree_setrrrrUsz-ExcludedSubtrees.__init__..)rr)r;rrrrrOPszExcludedSubtrees.__init__rcCs&|D]\}}|j||qdSr%)rrupdate)r;rrMZ new_excludedrrr union_withZszExcludedSubtrees.union_withrvcs:ztfdd|j|DWStk r4YdSXdS)Nc3s|]}|kVqdSr%rrr{rrr+asz/ExcludedSubtrees.reject_name..T)rrrrrr{r reject_name_szExcludedSubtrees.reject_namercsLz,tfddt|D\}}t||dWStk rFtYSXdS)Nc3s&|]\}}||r||fVqdSr%)rrr:rrr+is z/ExcludedSubtrees.accept_cert..rrrrr:rres  zExcludedSubtrees.accept_certN) rrrrrOrr6rrr rrrrrrrrOs  rr7cCsddtDS)NcSsi|]}|t|hqSr)rhrwrrrrrvsz.default_permitted_subtrees..r6rrrrdefault_permitted_subtreesusrcCsddtDS)NcSsi|] }|tqSrrrrrrr}sz-default_excluded_subtrees..rrrrrdefault_excluded_subtrees|sr):rBlogging dataclassesr ipaddressrrtypingrrrrr r r Z asn1cryptor Zuritoolsr getLoggerrr ValueErrorrrIrrr"r&r1r3rJr5Enumr6rFrDrErGr8rmrL GeneralNamerXrr]r^rhrrrZGeneralSubtreesrrrrrrrrrrsN $        3  6&