U ;g/@sddlZddlmZddlmZmZmZmZmZddl m Z m Z ddl m Z ddlmZmZmZmZddlmZmZed d Gd d d Zee je jfZGd ddZdS)N) dataclass) FrozenSetIterableIteratorOptionalUnion)cmsx509) AAControls) AuthorityAuthorityWithCertCertTrustAnchor TrustAnchor)get_ac_extension_value get_issuer_dnT)frozenc@s&eZdZUeed<eed<eed<dS)QualifiedPolicyZissuer_domain_policy_idZuser_domain_policy_idZ qualifiersN)__name__ __module__ __qualname__str__annotations__ frozensetrr>/tmp/pip-unpacked-wheel-hgp_x7fx/pyhanko_certvalidator/path.pyrs rc@seZdZUdZdZeeeed<dZ e e e j eedddZee ddd Zed d Zeeedd d ZeedddZee j dddZee j dddZe edddZedddZe j edddZe j dddZedddZddd d!Zd"d#Zeeedd$d%Z e!j"e#d&d'd(Z$ed)d*Z%d+d,Z&d-d.Z'e#e(e j d/d0d1Z)d2d3Z*d4d5Z+dS)6ValidationPathza Represents a path going towards an end-entity certificate or attribute certificate. N_qualified_policies trust_anchorintermleafcCs*|r|stdt||_||_||_dS)Nz-Leafless paths cannot have intermediate certs) ValueErrorlist_interm_root_leaf)selfrr r!rrr__init__1s  zValidationPath.__init__)returncCs|jSN)r%r'rrrr=szValidationPath.trust_anchorcCs@|jj}t|tr|jS|jr(|jdSt|jtjr<|jSdS)a Returns the current beginning of the path - for a path to be complete, this certificate should be a trust root .. warning:: This is a compatibility property, and will return the first non-root certificate if the trust root is not provisioned as a certificate. If you want the trust root itself (even when it doesn't have a certificate), use :attr:`trust_anchor`. :return: The first asn1crypto.x509.Certificate object in the path rN) r% authority isinstancer certificater$r&r Certificate)r'rootrrrfirstAs  zValidationPath.firstcCs.|jdk r|jS|js*t|jtr*|jjSdS)a< Returns the current leaf certificate (AC or public-key). The trust root's certificate will be returned if there is one and there are no other certificates in the path. If the trust root is certificate-less and there are no certificates, the result will be ``None``. N)r&r$r-r%rr.r+rrrr!Xs zValidationPath.leafcCs2|j}t|tjr|jjSt|tjr*dSdSdS)Nz)r!r-r r/subjectZhuman_friendlyrAttributeCertificateV2r'r!rrr describe_leafis   zValidationPath.describe_leafcCs|j}t|tjr|SdSdS)z Returns the current leaf certificate if it is an X.509 public-key certificate, and ``None`` otherwise. :return: N)r!r-r r/r4rrrget_ee_cert_safers zValidationPath.get_ee_cert_safecCs|}|r|StdS)z Returns the last certificate in the path if it is an X.509 public-key certificate, and throws an error otherwise. :return: The last asn1crypto.x509.Certificate object in the path N)r6 LookupErrorr'certrrrlasts zValidationPath.lastccs$|jjV|jD]}t|VqdS)zU Iterate over all authorities in the path, including the trust root. N)r%r,r$r r8rrriter_authoritiess  zValidationPath.iter_authorities)r9cCs|t|}t|tjr|j}nt|d}|r4|djnd}|D].}|j|kr@|j }|rf|rf||krfq@|Sq@t ddS)aK Return the issuer of the cert specified, as defined by this path :param cert: A certificate to get the issuer of :raises: LookupError - when the issuer of the certificate could not be found :return: An asn1crypto.x509.Certificate object of the issuer authority_key_identifierkey_identifierN6Unable to find the issuer of the certificate specified) rr-r r/r<rZnativer;namekey_idr7)r'r9 issuer_nameZakiZaki_extr,Zkeyidrrrfind_issuing_authoritys     z%ValidationPath.find_issuing_authority)r9new_leafcCst|jtr,|jjj|jkr,t|jg|dS|j}d}t|D]\}}|j|jkr>|}q\q>|dkrltdt|j|d|d|dS)a Remove all certificates in the path after the cert specified and return them in a new path. Internal API. :param cert: An asn1crypto.x509.Certificate object to find :param new_leaf: A new leaf certificate to append. :raises: LookupError - when the certificate could not be found :return: The current ValidationPath object, for chaining r r!Nz(Unable to find the certificate specifiedr ) r-r%rr.Z issuer_serialrr$ enumerater7)r'r9rCcertsZ cert_indexindexentryrrrtruncate_to_and_appends   z%ValidationPath.truncate_to_and_appendcCsd}|jj|r<|jdkr,t|jgddSt|jg|dS|j}t|D]>\}}|j|j krJ|j r|j r|j |j kr|}qqJ|}qqJ|dkrt dt|j|d|d|dS)a Remove all certificates in the path after the issuer of the cert specified, as defined by this path, and append a new one. Internal API. :param cert: A new leaf certificate to append. :raises: LookupError - when the issuer of the certificate could not be found :return: The current ValidationPath object, for chaining NmayberDr>r )r!) rr,Zis_potential_issuer_ofZ self_signedrr%r$rEr2issuerr=r<r7)r'r9Z issuer_indexrFrGrHrrrtruncate_to_issuer_and_appends&    z,ValidationPath.truncate_to_issuer_and_appendcCs0|jdd}|jr ||jt|j||dS)Nr)r$r&appendrr%)r'r9Z new_certsrrrcopy_and_append s zValidationPath.copy_and_appendcCs<t|jdkrt|jdd|jd}}t|j||dS)z Drop the leaf cert from this path and return a new path with the last intermediate certificate set as the leaf. rNr)lenr$ IndexErrorrr%)r'Z new_intermrCrrrcopy_and_drop_leafsz!ValidationPath.copy_and_drop_leafcCs ||_dSr*r)r'policiesrrr_set_qualified_policies!sz&ValidationPath._set_qualified_policiescCs|jSr*rSr+rrrqualified_policies$sz!ValidationPath.qualified_policies)attr_idr)csBdd|D}tdd|D}|s(dStfdd|DSdS)NcSsg|]}t|qSr)r Zread_extension_value).0r9rrr (sz3ValidationPath.aa_attr_in_scope..css|]}|dk VqdSr*r)rXxrrr +sz2ValidationPath.aa_attr_in_scope..Tc3s |]}|dk r|VqdSr*)accept)rXZctrlrWrrr[5s)anyall)r'rWZaa_controls_extensionsZaa_controls_usedrr]raa_attr_in_scope's zValidationPath.aa_attr_in_scopecCst|j|jrdndS)Nr r)rPr$r&r+rrrpkix_len=szValidationPath.pkix_lencCs d|jS)Nr )rar+rrr__len__AszValidationPath.__len__cCs\|dkrs