U ;gxM @sdZddlZddlZddlmZddlmZmZddlmZm Z m Z ddl m Z m Z ddlmZd d d d d ddddddddg ZedddgZeddZeddGdddZejGdd d ejZeddGdd d ZeejejZeejejd Zeejejeejejed!ZejGd"d d ejZ eddGd#d d Z!ee"ee"ee"d$d%d&Z#eddGd'd d Z$eddGd(ddZ%Gd)ddej&Z'Gd*dde'Z(Gd+dde'Z)dS),z .. versionadded:: 0.20.0 N) dataclass)datetime timedelta) FrozenSetIterableOptional)algoskeys) PKIXSubtreesRevocationCheckingRuleRevocationCheckingPolicyFreshnessReqTypeCertRevTrustPolicyPKIXValidationParamsAlgorithmUsageConstraintAlgorithmUsagePolicyDisallowWeakAlgorithmsPolicyAcceptAllAlgorithmsNonRevokedStatusAssertionDEFAULT_WEAK_HASH_ALGOSREQUIRE_REVINFO NO_REVOCATIONZmd2md5sha1)minutesT)frozenc@s"eZdZUdZeed<eed<dS)rzG Assert that a certificate was not revoked at some given date. Z cert_sha256atN)__name__ __module__ __qualname____doc__bytes__annotations__rr%r%E/tmp/pip-unpacked-wheel-hgp_x7fx/pyhanko_certvalidator/policy_decl.pyr-s c@seZdZdZdZdZdZdZdZdZ dZ e e d d d Z e e d d d Ze e d ddZe e d ddZe e d ddZe e d ddZdS)r zg Rules determining in what circumstances revocation data has to be checked, and what kind. ZclrcheckZ ocspcheckZ bothcheckZ eithercheckZnocheckZifdeclaredcheckZifdeclaredsoftcheckreturncCs|tjtjtjfkSN)r CHECK_IF_DECLAREDCHECK_IF_DECLARED_SOFTNO_CHECKselfr%r%r&strict{s zRevocationCheckingRule.strictcCs|tjtjfkSr))r r+r,r-r%r%r&tolerantszRevocationCheckingRule.tolerantcCs|tjtjfkSr))r CRL_REQUIREDCRL_AND_OCSP_REQUIREDr-r%r%r& crl_mandatorysz$RevocationCheckingRule.crl_mandatorycCs|tjtjfkSr))r r, OCSP_REQUIREDr-r%r%r& crl_relevantsz#RevocationCheckingRule.crl_relevantcCs|tjtjfkSr))r r4r2r-r%r%r&ocsp_mandatorysz%RevocationCheckingRule.ocsp_mandatorycCs|tjtjfkSr))r r,r1r-r%r%r& ocsp_relevantsz$RevocationCheckingRule.ocsp_relevantN)rr r!r"r1r4r2CRL_OR_OCSP_REQUIREDr,r*r+propertyboolr/r0r3r5r6r7r%r%r%r&r >s( c@sFeZdZUdZeed<eed<eedddZe e ddd Z d S) r zu Class describing a revocation checking policy based on the types defined in the ETSI TS 119 172 series. ee_certificate_ruleintermediate_ca_cert_rule)policycCs4z t|WStk r.td|dYnXdS)N'z ' is not a valid revocation mode)LEGACY_POLICY_MAPKeyError ValueError)clsr=r%r%r& from_legacys z$RevocationCheckingPolicy.from_legacyr'cCs|jjo|jj Sr))r;r0r-r%r%r& essentialsz"RevocationCheckingPolicy.essentialN) rr r!r"r r$ classmethodstrrCr9r:rDr%r%r%r&r s )r;r<)z soft-failz hard-failrequirec@s(eZdZdZeZeZeZdS)rz% Freshness requirement type. N) rr r!r"enumautoDEFAULTZMAX_DIFF_REVOCATION_VALIDATIONZTIME_AFTER_SIGNATUREr%r%r%r&rs c@sTeZdZUdZeed<dZeeed<e j Z e ed<dZ eeed<dZ eed<dS) rzz Class describing conditions for trusting revocation info. Based on CertificateRevTrust in ETSI TS 119 172-3. Zrevocation_checking_policyN freshnessfreshness_req_type!expected_post_expiry_revinfo_timeFretroactive_revinfo)rr r!r"r r$rKrrrrJrLrMrNr:r%r%r%r&rs   )a_polsb_polsr(cCs>d|k}d|k}|r"|r"tdgS|r*|S|r2|S||@SdS)z Intersect two sets of policies, taking into account the special 'any_policy'. :param a_pols: A set of policies. :param b_pols: Another set of policies. :return: The intersection of both. any_policyN) frozenset)rOrPZa_anyZb_anyr%r%r&intersect_policy_sets8s rSc@steZdZUedgZeed<dZeed<dZeed<dZ eed<dZ e e ed<dZ e e ed <ddd d d ZdS) rrQuser_initial_policy_setFinitial_policy_mapping_inhibitinitial_explicit_policyinitial_any_policy_inhibitNinitial_permitted_subtreesinitial_excluded_subtrees)otherr(cCsdd|jkr|j}nd|jkr$|j}n |j|j@}|jo:|j}|joF|j}|joR|j}t||||dS)aa Combine the conditions of these PKIX validation params with another set of parameters, producing the most lenient set of parameters that is stricter than both inputs. :param other: Another set of PKIX validation parameters. :return: A combined set of PKIX validation parameters. rQ)rTrWrVrU)rTrWrVrUr)r.rZZinit_policy_setrWrVrUr%r%r&merges&     zPKIXValidationParams.merge)rr r!rRrTr$rUr:rVrWrXrr rYr[r%r%r%r&rTs     c@sBeZdZUdZeed<dZeeed<dZ ee ed<ddZ dS)rzh Expression of a constraint on the usage of an algorithm (possibly with parameter choices). allowedNnot_allowed_afterfailure_reasoncCs|jSr)r\r-r%r%r&__bool__sz!AlgorithmUsageConstraint.__bool__) rr r!r"r:r$r]rrr^rFr`r%r%r%r&rs c@sHeZdZdZejeeedddZ ej eeee j edddZ dS) rzR Abstract interface defining a usage policy for cryptographic algorithms. algomomentr(cCstdS)a Determine if the indicated digest algorithm can be used at the point in time indicated. :param algo: A digest algorithm description in ASN.1 form. :param moment: The point in time at which the algorithm should be usable. If ``None``, then the returned judgment applies at all times. :return: A :class:`.AlgorithmUsageConstraint` expressing the judgment. NNotImplementedErrorr.rbrcr%r%r&digest_algorithm_allowedsz-AlgorithmUsagePolicy.digest_algorithm_allowedrbrc public_keyr(cCstdS)a' Determine if the indicated signature algorithm (including the associated digest function and any parameters, if applicable) can be used at the point in time indicated. :param algo: A signature mechanism description in ASN.1 form. :param moment: The point in time at which the algorithm should be usable. If ``None``, then the returned judgment applies at all times. :param public_key: The public key associated with the operation, if available. .. note:: This parameter can be used to enforce key size limits or to filter out keys with known structural weaknesses. :return: A :class:`.AlgorithmUsageConstraint` expressing the judgment. Nrdr.rbrcrir%r%r&signature_algorithm_allowedsz0AlgorithmUsagePolicy.signature_algorithm_allowedN)rr r!r"rDigestAlgorithmrrrrgSignedDigestAlgorithmr PublicKeyInforkr%r%r%r&rs c@s\eZdZdZeeddfddZeje e e dddZ ej e e e eje d d d Zd S) ra Primitive usage policy that forbids a list of user-specified "weak" algorithms and allows everything else. It also ignores the time parameter completely. .. note:: This denial-based strategy is supplied to provide a backwards-compatible default. In many scenarios, an explicit allow-based strategy is more appropriate. Users with specific security requirements are encouraged to implement :class:`.AlgorithmUsagePolicy` themselves. :param weak_hash_algos: The list of digest algorithms considered weak. Defaults to :const:`.DEFAULT_WEAK_HASH_ALGOS`. :param weak_signature_algos: The list of digest algorithms considered weak. Defaults to the empty set. :param rsa_key_size_threshold: The key length threshold for RSA keys, in bits. :param dsa_key_size_threshold: The key length threshold for DSA keys, in bits. iix cCs||_||_||_||_dSr))weak_hash_algosweak_signature_algosrsa_key_size_thresholddsa_key_size_threshold)r.rorprqrrr%r%r&__init__)sz%DisallowWeakAlgorithmsPolicy.__init__racCst|dj|jkS)N algorithm)rnativerorfr%r%r&rg6sz5DisallowWeakAlgorithmsPolicy.digest_algorithm_allowedrhc Cs|j}||jk}|d}|dk}|r|dk r|s6|r|j}d} |rV||jkrV|j} n|rj||jkrj|j} | dk rtdd|d|d| dSz |j} Wntk rd} YnX|r| dk r| t d|ji|} | stdd | d |dj d | j d St|d S)NrsadsaFz Key size z for algorithm z- is considered too small; policy mandates >= )r\r^rtzDigest algorithm z< is not allowed, which disqualifies the signature mechanism z as well.)r\r^r]r_)Zsignature_algorp startswithZbit_sizerqrrr hash_algorArgrrlrur]) r.rbrcriZ algo_nameZ algo_allowedZis_rsaZis_dsaZkey_szZfailed_thresholdryZdigest_allowedr%r%r&rk=s@     z8DisallowWeakAlgorithmsPolicy.signature_algorithm_allowedN)rr r!r"rrRrsrrlrrrrgrmr rnrkr%r%r%r&rs  c@sDeZdZejeeedddZej eeee j edddZ dS)rracCs tddSNTr_rrfr%r%r&rgmsz,AcceptAllAlgorithms.digest_algorithm_allowedrhcCs tddSrzr{rjr%r%r&rkrsz/AcceptAllAlgorithms.signature_algorithm_allowedN) rr r!rrlrrrrgrmr rnrkr%r%r%r&rls )*r"abcrH dataclassesrrrtypingrrrZ asn1cryptorr Z name_treesr __all__rRrZ#FRESHNESS_FALLBACK_VALIDITY_DEFAULTruniqueEnumr r r8rr,rr+r*r?rrrFrSrrABCrrrr%r%r%r&s|   i  0 n2\