U ;gDV@s`ddlZddlZddlmZddlmZmZmZmZm Z m Z ddl m Z ddl mZddlmZmZddlmZdd lmZdd lmZdd lmZmZGd d d ejZGdddeejZGdddeZee e jefZ GdddZ!Gddde!Z"GdddeZ#GdddZ$GdddZ%GdddZ&GdddeeZ'Gd d!d!eZ(dS)"N) defaultdict)AsyncGeneratorIterableIteratorListOptionalUnion)x509) trust_list)CertTrustAnchor TrustAnchor)PathBuildingError)CertificateFetcher)ValidationPath)CancelableAsyncIteratorConsListc@sDeZdZdZedddZedddZejddd Z d d Z d S) CertificateCollectionzS Abstract base class for read-only access to a collection of certificates. key_identifiercCs||}|sdS|dSdS)z Retrieves a cert via its key identifier :param key_identifier: A byte string of the key identifier :return: None or an asn1crypto.x509.Certificate object Nr)retrieve_many_by_key_identifier)selfr candidatesrB/tmp/pip-unpacked-wheel-hgp_x7fx/pyhanko_certvalidator/registry.pyretrieve_by_key_identifiers z0CertificateCollection.retrieve_by_key_identifiercCstdS)z Retrieves possibly multiple certs via the corresponding key identifiers :param key_identifier: A byte string of the key identifier :return: A list of asn1crypto.x509.Certificate objects NNotImplementedErrorrrrrrr's z5CertificateCollection.retrieve_many_by_key_identifiernamecCstdS)z Retrieves a list certs via their subject name :param name: An asn1crypto.x509.Name object :return: A list of asn1crypto.x509.Certificate objects Nrrr rrrretrieve_by_name3s z&CertificateCollection.retrieve_by_namecCstdS)a] Retrieve a certificate by its ``issuer_serial`` value. :param issuer_serial: The ``issuer_serial`` value of the certificate. :return: The certificate corresponding to the ``issuer_serial`` key passed in. :return: None or an asn1crypto.x509.Certificate object Nrr issuer_serialrrrretrieve_by_issuer_serial?s z/CertificateCollection.retrieve_by_issuer_serialN) __name__ __module__ __qualname____doc__bytesrrr Namer"r%rrrrrs   rc@s:eZdZejedddZeejdddZddZ d S) CertificateStorecertreturncCstdS) Register a single certificate. :param cert: Certificate to add. :return: ``True`` if the certificate was added, ``False`` if it already existed in this store. Nrrr.rrrregisterOs zCertificateStore.registercertscCs d}|D]}|||O}q|S)a Register multiple certificates. :param certs: Certificates to register. :return: ``True`` if at least one certificate was added, ``False`` if all certificates already existed in this store. Fr2)rr4addedr.rrrregister_multiple[s z"CertificateStore.register_multiplecCstdSNrrrrr__iter__kszCertificateStore.__iter__N) r&r'r(r Certificateboolr2rr7r:rrrrr,Ns r,c@sleZdZdZeddZddZeje dddZ d d Z d d Z e d ddZejdddZddZdS)SimpleCertificateStorez- Simple trustless certificate store. cCs|}|D]}||q |Sr8r5)clsr4resultr.rrr from_certsts z!SimpleCertificateStore.from_certscCsi|_tt|_tt|_dSr8)r4rlist _subject_map_key_identifier_mapr9rrr__init__{s zSimpleCertificateStore.__init__r-cCsb|j|jkrdS||j|j<|j|jj||jrJ|j|j|n|j|jj |dS)r0FT) r$r4rBsubjecthashableappendrrC public_keysha1r1rrrr2s  zSimpleCertificateStore.registercCs |j|Sr8r3)ritemrrr __getitem__sz"SimpleCertificateStore.__getitem__cCst|jSr8)iterr4valuesr9rrrr:szSimpleCertificateStore.__iter__rcCs |j|Sr8)rCrrrrrsz6SimpleCertificateStore.retrieve_many_by_key_identifierrcCs |j|jSr8)rBrFr!rrrr"sz'SimpleCertificateStore.retrieve_by_namecCs&z ||WStk r YdSXdSr8)KeyErrorr#rrrr%s z0SimpleCertificateStore.retrieve_by_issuer_serialN)r&r'r(r) classmethodr@rDr r;r<r2rKr:r*rr+r"r%rrrrr=os r=c@s8eZdZdZejedddZejee dddZ dS) TrustManagerz% Abstract trust manager API. r-cCstdS) Checks if a certificate is in the list of trust roots in this registry :param cert: An asn1crypto.x509.Certificate object :return: A boolean - if the certificate is in the CA list Nrr1rrris_roots zTrustManager.is_rootcCstdS)z Find potential issuers that might have (directly) issued a particular certificate. :param cert: Issued certificate. :return: An iterator with potentially relevant trust anchors. Nrr1rrrfind_potential_issuerss z#TrustManager.find_potential_issuersN) r&r'r(r)r r;r<rRrr rSrrrrrPs  rPc@seZdZdZddZedeeeeddddZe e e j fdd d Z e j d d d Zee j dddZe j ee dddZdS)SimpleTrustManagerzk Trust manager backed by a list of trust roots, possibly in addition to the system trust list. cCst|_tt|_dSr8)set_rootsrrA_root_subject_mapr9rrrrDszSimpleTrustManager.__init__N) trust_rootsextra_trust_rootsr/cCsT|dkrddtD}nt|}|dk r6||t}|D]}||q@|S)a :param trust_roots: If the operating system's trust list should not be used, instead pass a list of asn1crypto.x509.Certificate objects. These certificates will be used as the trust roots for the path being built. :param extra_trust_roots: If the operating system's trust list should be used, but augmented with one or more extra certificates. This should be a list of asn1crypto.x509.Certificate objects. :return: NcSsg|] }|dqS)rr).0errr sz,SimpleTrustManager.build..)r Zget_listrAextendrT_register_root)r>rXrYmanager trust_rootrrrbuilds  zSimpleTrustManager.build)r`cCsLt|tr|}nt|}||jkrH|j}|j||j|jj |dSr8) isinstancer r rV authorityaddrWr rFrG)rr`anchorrcrrrr^s   z!SimpleTrustManager._register_rootr.cCst||jkS)rQ)r rVr1rrrrRs zSimpleTrustManager.is_rootr/cCsdd|jDS)Ncss|]}t|tr|jVqdSr8)rbr certificate)rZrootrrr s z0SimpleTrustManager.iter_certs..)rVr9rrr iter_certs szSimpleTrustManager.iter_certsr-ccs.|jj}|j|D]}|j|r|VqdSr8)issuerrFrWrcZis_potential_issuer_of)rr.issuer_hashablerirrrrSs z)SimpleTrustManager.find_potential_issuers)NN)r&r'r(r)rDrOr TrustRootListrarr r r;r^rRrrkrSrrrrrTs   rTcseZdZdZddeedfddZedddee j eeddd Z de j ee j d fd d Z e j eeeee j fd ddZe j dddZZS)CertificateRegistryz Contains certificate lists used to build validation paths, and is also capable of fetching missing certificates if a certificate fetcher is supplied. N cert_fetchercst||_dSr8)superrDfetcher)rrq __class__rrrD#s zCertificateRegistry.__init__r)r4rqcCs(||d}|D]}||q||_|S)a Convenience method to set up a certificate registry and import certs into it. :param certs: Initial list of certificates to import. :param cert_fetcher: Certificate fetcher to handle retrieval of missing certificates (in situations where that is possible). :return: A populated certificate registry. rp)r2rs)r>r4rqr?r.rrrra's   zCertificateRegistry.build)r first_certificatecsNg}d}t|D]$}|r.|j|jkr.|}q||q|rJ|d||S)af Retrieves a list certs via their subject name :param name: An asn1crypto.x509.Name object :param first_certificate: An asn1crypto.x509.Certificate object that if found, should be placed first in the result list :return: A list of asn1crypto.x509.Certificate objects Nr)rrr"sha256rGinsert)rr rvoutputfirstr.rtrrr"Bs  z$CertificateRegistry.retrieve_by_name)r. trust_managerr/ccsn|jj}||EdH|j|D]F}||r2q"|jrN|jrN|j|jkrbq"n|jrb|j|jkrbq"|Vq"dSr8) rlrFrSrBrRZauthority_key_identifierrZauthority_issuer_serialr$)rr.r{rmrlrrrrS`s    z*CertificateRegistry.find_potential_issuersrfcCsH|jdkrdSdd|j|2IdH}|||D] }|Vq8dS)Ncsg|z3dHW}|q6Sr8r)rZrlrrrr\|szGCertificateRegistry.fetch_missing_potential_issuers..)rsZfetch_cert_issuersr7)rr.Zissuersrlrrrfetch_missing_potential_issuersxs   z3CertificateRegistry.fetch_missing_potential_issuers)r)N)r&r'r(r)rrrDrOrr r;rar+r"rPrrr rSr| __classcell__rrrtrros( roc@sNeZdZdZeedddZddZej ddd Z ej e e d d d Z d S) PathBuilderz( Class to handle path building. r{registrycCs||_||_dSr8r)rr{rrrrrDszPathBuilder.__init__cCst||S)a Builds a list of ValidationPath objects from a certificate in the operating system trust store to the end-entity certificate .. note:: This is a synchronous equivalent of :meth:`async_build_paths` that calls the latter in a new event loop. As such, it can't be used from within asynchronous code. :param end_entity_cert: A byte string of a DER or PEM-encoded X.509 certificate, or an instance of asn1crypto.x509.Certificate :return: A list of pyhanko_certvalidator.path.ValidationPath objects that represent the possible paths from the end-entity certificate to one of the CA certs. )asynciorunasync_build_paths)rend_entity_certrrr build_pathsszPathBuilder.build_paths)rcs,g}||2z3dHW}||q6|S)a1 Builds a list of ValidationPath objects from a certificate in the operating system trust store to the end-entity certificate, returning all paths in a single list. :param end_entity_cert: A byte string of a DER or PEM-encoded X.509 certificate, or an instance of asn1crypto.x509.Certificate :return: A list of pyhanko_certvalidator.path.ValidationPath objects that represent the possible paths from the end-entity certificate to one of the CA certs. N)async_build_paths_lazyrG)rrpathsr?rrrrszPathBuilder.async_build_paths)rr/cCs(t|t|t|jgd}t||S)a Builds a list of ValidationPath objects from a certificate in the operating system trust store to the end-entity certificate, and emit them as an asynchronous generator. :param end_entity_cert: A byte string of a DER or PEM-encoded X.509 certificate, or an instance of asn1crypto.x509.Certificate :return: An asynchronous iterator that yields pyhanko_certvalidator.path.ValidationPath objects that represent the possible paths from the end-entity certificate to one of the CA certs, and raises PathBuildingError if no paths could be built )path certs_seen failed_paths) _PathWalkerrZsingr$LazyPathIterator)rrwalkerrrrrs z"PathBuilder.async_build_paths_lazyN)r&r'r(r)rProrDrr r;rrrrrrrrr~s r~c@sxeZdZdejeedddZeddZ ddZ d d Z e e ejfd d d Ze e ejfd ddZddZdS)_IssuerFetcherr~) path_builderr.rcCsL||_||_||_|jj||jj}t||_d|_d|_ d|_ d|_ dS)NrF) r.rrrrSr{rLlocal_iss_iterlocal_issuers_foundfetched_issuers_found _fetched_cas_fetching_done)rrr.rZ local_issuersrrrrDs z_IssuerFetcher.__init__cCs |j|jSr8)rrr9rrr issuers_foundsz_IssuerFetcher.issuers_foundcCs|Sr8rr9rrr __aiter__sz_IssuerFetcher.__aiter__cCs|Sr8rr9rrrr:sz_IssuerFetcher.__iter__rgcCsF|jD]6}t|tjr(|j}||jkr(q|jd7_|StdS)Nr )rrbr r;r$rr StopIterationrrlZcert_idrrr__next__s   z_IssuerFetcher.__next__csz t|WStk rYnX|jdkrH|jsH|jsH|jj|j|_|jdk r|j2z23dHW}|j }||j krvqX|j d7_ |S6d|_t dS)Nr T) nextrrrrrrr|r.r$rrStopAsyncIterationrrrr __anext__s.    z_IssuerFetcher.__anext__cs*|jdk r&|jIdHd|_d|_dS)NT)racloserr9rrrcancels z_IssuerFetcher.cancelN)r&r'r(r r;rr*rDpropertyrrr:rr rrrrrrrrs   rc@sLeZdZdeejeeeeejdddZddZ ddZ d d Z d S) rr~)rrrrcCsF||_||_||_|j}t|tjs(tt||||_ ||_ d|_ dSr8) rrrheadrbr r;AssertionErrorr_issuer_fetcherr _next_level)rrrrrr.rrrrD%sz_PathWalker.__init__csD|jdk r |jIdHd|_|jdk r@|jIdHd|_dSr8)rrrr9rrrr5s   z_PathWalker.cancelcCs|Sr8rr9rrrr=sz_PathWalker.__aiter__c s|jdkrtd}|dkr|jdkrz|jIdH}WnBtk r|}z$|jjsb|j|jd|_|W5d}~XYnXt|t rt |j}t ||dd|dSt |j |j||j|j|j|_z|jIdH}Wqtk rd|_YqXq|S)N)rrrrrrrGrrbr rArrrZconsrr$)r next_pathZ next_issuerr[r4rrrr@s4       z_PathWalker.__anext__N) r&r'r(rr r;r*rrDrrrrrrrr$s rc@sNeZdZUdZeeed<eej dddZ ddZ dd Z ed d d Z dS) rN_as_root)rr.cCs:|jj|r tt|gd|_||_d|_|jj |_ dS)Nr) rr{rRrr r_walker emitted_countrEhuman_friendly_name)rrr.rrrrDfs zLazyPathIterator.__init__cs|jdk r|jIdHdSr8)rrr9rrrrns zLazyPathIterator.cancelcCs|Sr8rr9rrrrrszLazyPathIterator.__aiter__rgcs|jdkrtn$|jdk r4|jd7_d|_|jSz$|jIdH}|jd7_|WStk rlYnX|jdkr|jjdj}t|tj st |j j }d|_t d|jd|dtdS)Nr rz7Unable to build a validation path for the certificate "z" - no issuer matching "z " was found)rrrrrrrrbr r;rrlrrr)rrZ path_headZmissing_issuer_namerrrrus*   zLazyPathIterator.__anext__)r&r'r(rrr__annotations__rr r;rDrrrrrrrrcs rc@sHeZdZdZeedddZedddZe j dd d Z d d Z d S)LayeredCertificateStorezi Trustless certificate store that looks up certificates in other stores in a specific order. )storescCs ||_dSr8)_stores)rrrrrrDsz LayeredCertificateStore.__init__rcsfdd}t|S)Nc3s jD]}|EdHqdSr8)rrstorerrrr_gens zELayeredCertificateStore.retrieve_many_by_key_identifier.._genrA)rrrrrrrsz7LayeredCertificateStore.retrieve_many_by_key_identifierrcsfdd}t|S)Nc3s jD]}|EdHqdSr8)rr"rr rrrrs z6LayeredCertificateStore.retrieve_by_name.._genr)rr rrrrr"sz(LayeredCertificateStore.retrieve_by_namecCs*|jD]}||}|dk r|SqdSr8)rr%)rr$rr?rrrr%s    z1LayeredCertificateStore.retrieve_by_issuer_serialN) r&r'r(r)rrrDr*rr r+r"r%rrrrrs r))abcr collectionsrtypingrrrrrrZ asn1cryptor Zoscryptor rcr r errorsrZfetchersrrrutilrrABCrr,r=r;rnrPrTror~rrrrrrrrs,       <!8 RiSL?.