U ;gM$@sddlmZddlmZmZmZmZmZddlmZm Z m Z ddl m Z ddl mZddlmZddlmZmZmZmZmZmZddlmZdd lmZdd lmZmZmZGd d d Z d S))datetime)DictIterableListOptionalSet)crlocspx509) Authority)OCSPFetchError)Fetchers)KnownPOE POEManagerPOETypeValidationObjectValidationObjectTypedigest_for_poe)NonRevokedStatusAssertion)CertificateRegistry) CRLContainer OCSPContainersort_freshest_firstc@s@eZdZdZd(eeeeeeee e e dddZ e eddd Ze edd d Ze edd d Ze eejdddZe eejdddZe eejdddZedddZddZe ejdddZeedddZe eedddZ!e"e#d d!d"Z$e"e#d d#d$Z%eje&ed%d&d'Z'dS))RevinfoManagera .. versionadded:: 0.20.0 Class to manage and potentially fetch revocation information. :param certificate_registry: The associated certificate registry. :param poe_manager: The proof-of-existence (POE) data manager. :param crls: CRL data. :param ocsps: OCSP response data. :param fetchers: Fetchers for collecting revocation information. If ``None``, no fetching will be performed. N)certificate_registry poe_managercrlsocsps assertionsfetcherscCsr||_||_i|_i|_g|_|r,t||_g|_|rXt||_}|D]}||qH||_dd|D|_ dS)NcSsi|] }|j|qSr)Z cert_sha256).0Z assertionrrI/tmp/pip-unpacked-wheel-hgp_x7fx/pyhanko_certvalidator/revinfo/manager.py Gsz+RevinfoManager.__init__..) _certificate_registry _poe_manager_revocation_certs_crl_issuer_map_crlsr_ocsps_extract_ocsp_certs _fetchers _assertions)selfrrrrrr ocsp_responserrr"__init__-s   zRevinfoManager.__init__)returncCs|jS)z< The proof-of-existence (POE) data manager. )r%r-rrr"rKszRevinfoManager.poe_managercCs|jS)z6 The associated certificate registry. )r$r1rrr"rRsz#RevinfoManager.certificate_registrycCs |jdk S)zA Boolean indicating whether fetching is allowed. N)r+r1rrr"fetching_allowedYszRevinfoManager.fetching_allowedcCs.dd|jD}|js|St|jj|S)zK A list of all cached :class:`crl.CertificateList` objects cSsg|] }|jqSr)crl_datar!Zcontrrr" fsz'RevinfoManager.crls..)r(r+list crl_fetcherZ fetched_crls)r-Zraw_crlsrrr"r`szRevinfoManager.crlscCs.dd|jD}|js|St|jj|S)zI A list of all cached :class:`ocsp.OCSPResponse` objects cSsg|] }|jqSr)ocsp_response_datar4rrr"r5qsz(RevinfoManager.ocsps..)r)r+r6 ocsp_fetcherZfetched_responses)r-Z raw_ocspsrrr"rkszRevinfoManager.ocspscCst|jS)z A list of newly-fetched :class:`x509.Certificate` objects that were obtained from OCSP responses and CRLs )r6r&valuesr1rrr"new_revocation_certswsz#RevinfoManager.new_revocation_certs)r.c Cs|j}||}|j}|j}|}|dk r~|dr~|dD]B}||r:|||j<|ttj t | |t t j|ddq:dS)z Extracts any certificates included with an OCSP response and adds them to the certificate registry :param ocsp_response: An asn1crypto.ocsp.OCSPResponse object to look for certs inside of Ncerts)Z object_typevalue)Zpoe_typedigestZpoe_timeZvalidation_object)r%r$r&Zextract_basic_ocsp_responseregisterZ issuer_serialZregister_known_poerrZ VALIDATIONrdumprr CERTIFICATE)r-r.Zpoe_manZ ocsp_poe_timeregistryZ revo_certsbasicZ other_certrrr"r*s(     z"RevinfoManager._extract_ocsp_certscCs||j|j<dS)aU Records the certificate that issued a certificate list. Used to reduce processing code when dealing with self-issued certificates and multiple CRLs. :param certificate_list: An ans1crypto.crl.CertificateList object :param cert: An ans1crypto.x509.Certificate object N)r' signature)r-certificate_listcertrrr"record_crl_issuers z RevinfoManager.record_crl_issuercCs|j|jS)a3 Checks to see if the certificate that signed a certificate list has been found :param certificate_list: An ans1crypto.crl.CertificateList object :return: None if not found, or an asn1crypto.x509.Certificate object of the issuer )r'getrD)r-rErrr"check_crl_issuers zRevinfoManager.check_crl_issuercsb|js |jS|j}z|j|}Wn&tk rH|j|IdH}YnXdd|D}||jS)z .. versionadded:: 0.20.0 :param cert: An asn1crypto.x509.Certificate object :return: A list of :class:`CRLContainer` objects NcSsg|] }t|qSr)r)r!r3rrr"r5sz6RevinfoManager.async_retrieve_crls..)r+r(r7Zfetched_crls_for_certKeyErrorfetch)r-rFr rZcontsrrr"async_retrieve_crlss z"RevinfoManager.async_retrieve_crls) authorityr0c s|js |jS|j}dd|j|D}|s|j||IdH}t|}|D]0}z||WqNtk r|t dYqNXqN||jS)a  .. versionadded:: 0.20.0 :param cert: An asn1crypto.x509.Certificate object :param authority: The issuing authority for the certificate :return: A list of :class:`OCSPContainer` objects cSsg|] }t|qSr)r)r!resprrr"r5sz7RevinfoManager.async_retrieve_ocsps..Nz9Failed to extract certificates from fetched OCSP response) r+r)r9Zfetched_responses_for_certrKrZ load_multir* ValueErrorr )r-rFrMr rr8rNrrr"async_retrieve_ocspss(    z#RevinfoManager.async_retrieve_ocspshashes_to_evictcs(tdfdd }tt||j|_dS)z Internal API to eliminate local OCSP records from consideration. :param hashes_to_evict: A collection of OCSP response hashes; see :func:`.digest_for_poe`.  containercst|j}|kSN)rr8r@rTr>rQrr"p sz%RevinfoManager.evict_ocsps..pN)rr6filterr)r-rRrWrrQr" evict_ocspsszRevinfoManager.evict_ocspscs(tdfdd }tt||j|_dS)z Internal API to eliminate local CRLs from consideration. :param hashes_to_evict: A collection of CRL hashes; see :func:`.digest_for_poe`. rScst|j}|kSrU)rr3r@rVrQrr"rWsz$RevinfoManager.evict_crls..pN)rr6rXr(rYrrQr" evict_crlsszRevinfoManager.evict_crls)rFatr0cCs0z||j|jjkWStk r*YdSXdS)NF)r,sha256r\rJ)r-rFr\rrr"check_asserted_unrevokedsz'RevinfoManager.check_asserted_unrevoked)rN)(__name__ __module__ __qualname____doc__rrrrrrrr r/propertyrrboolr2rrZCertificateListrr OCSPResponserr Certificater;r*rGrIrLr rPrbytesrZr[rr^rrrr"rsH   " ,rN)!rtypingrrrrrZ asn1cryptorr r Zpyhanko_certvalidator.authorityr Zpyhanko_certvalidator.errorsr Zpyhanko_certvalidator.fetchersr Zpyhanko_certvalidator.ltv.poerrrrrrZ!pyhanko_certvalidator.policy_declrZpyhanko_certvalidator.registryrZ&pyhanko_certvalidator.revinfo.archivalrrrrrrrr"s