HEX

File: //opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/__pycache__/x509.cpython-310.pyc
o

�N�g�'�@sNddlZddlZddlZddlZddlZddlZddlmZmZm	Z	ddl
mZddlm
Z
mZddlZddlmZddlmZddlmZmZddlmZmZmZmZmZdd	lmZmZdd
l m!Z!ddl"Z#ddl$m%m&Z&ddl'Z#ddl(Z#ddl)m*Z*m+Z+ddl,m-Z-zddl.Z.d
Z/Wne0y�dZ/Ynwe1dd�ej2�3d�D��Z4e�5e6�Z7e&�8dddddddddd�	�Z9e&�8e-dej:j;fdej:j<fdej:j=fdej:j>fd ej:j?fd!ej:j@fd"ej:jAfd#ej:jBfd$ej:jCfd%ej:jDfd&ej:jEfd'ej:jFfg��ZGe&�8id(d)�d*d+�d,d-�d.d/�d0d1�d2d3�d4d5�d6d7�d8d9�d:d;�d<d=�d>d?�d@dA�dBdC�dDdE�dFdG�dHdI�dJdKdLdMdN���ZHe&�8id(ejIjJ�d*ejIjK�d,ejIjL�d.ejIjM�d0ejIjN�d2ejIjO�d4ejIjP�d6ejIjQ�d8ejIjR�d:ejIjS�d<ejIjT�d>ejIjU�d@ejIjV�dBejIjW�dDejIjX�dFejIjY�dHd�dejIjZejIj[ejIj\dN���Z]e&�8ej^j_ej^j`ej^jadO��Zbe&�8e�cdP�e�cdQ�e�cdR�e�cdS�e�cdT�e�cdU�e�cdV�e�cdW�e�cdX�e�cdY�e�cdZ�e�cd[�e�cd\�d]�
�Zde&�8ejejfejejge!jhd^��Zid_Zjd`ZkdaZlGdbdc�dce�ZmddZndeZodfZpdgdh�Zq												i�ddjdk�Zr�ddldm�Zs				n	�ddodp�Zt�ddrds�Zu�ddudv�Zvdwdx�Zwdydz�Zxd{d|�Zy�dd}d~�Zzdd��Z{d�d��Z|d�d��Z}d�d��Z~d�d��Z�dd�d��Z��dd�d��Z��dd�d��Z��dd�d��Z��dd�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z��dd�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�dZ�d�dĄZ�d�dƄZ�d�dȄZ�d�dʄZ�d�d̄Z�d�d΄Z�d�dЄZ�e&�8id(e��d*e��d,e��d.e��d0e��d2e��d�e��d4e��d6e��d8e��d�e��d:e��d<e��d>e��d@e��dBe��dDe��e�e�e�e�e�e�e�dӜ��Z��dd�dՄZ�d�dׄZ�d�dلZ�d�dۄZ�d�d݄Z��dd�d߄Z�d�d�Z�d�d�Z�d�d�Z�d�d�Z�d�d�Z�d�d�Z�d�d�Z�d�d�Z�d�d�Z�d�d�Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z��d�d�Z��d�d�Z��d�d�Z��d�d�Z��d�d	�Z��d
�d�Z��d�d
�Z�e&�8iej�e��ej�e��ej�e��ej�e��ej�e��ej�e��ej�e��ej�e��ej�e��ej�e��ej�e��ej�e��ej�e��ej�e��ej�e��ej�e��ej�e��ej�e�ej�e�ej�e�ej�e�ej�e�i��Z�dS(�N)�datetime�	timedelta�timezone)�Enum)�urlparse�
urlunparse)�x509)�InvalidSignature)�hashes�
serialization)�ec�ed448�ed25519�padding�rsa)�pkcs7�pkcs12)�SubjectInformationAccessOID)�CommandExecutionError�SaltInvocationError)�OrderedDictTFccs�|]}t|�VqdS�N)�int��.0�x�r�C/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/x509.py�	<genexpr>!��r�.)�
commonName)ZlocalityName)ZstateOrProvinceName)ZorganizationName)ZorganizationUnitName)Z	givenName)Zsurname)ZEmailZemailAddress)ZserialNumber)	�CN�L�ST�O�OU�GN�SN�MAIL�SERIALNUMBER�Cr$r#ZSTREETr%r&r"r)r(r'ZUIDr*�basicConstraints)zX509v3 Basic Constraints�keyUsage)zX509v3 Key Usage�extendedKeyUsage)zX509v3 Extended Key Usage�subjectKeyIdentifier)zX509v3 Subject Key Identifier�authorityKeyIdentifier)zX509v3 Authority Key Identifier�
issuerAltName)zX509v3 Issuer Alternative NameZissuserAltName�authorityInfoAccess)zAuthority Information Access�subjectAltName)zX509v3 Subject Alternative Name�crlDistributionPoints)zX509v3 CRL Distribution Points�issuingDistributionPoint)z!X509v3 Issuing Distribution Point�certificatePolicies)zX509v3 Certificate Policies�policyConstraints)zX509v3 Policy Constraints�inhibitAnyPolicy)zX509v3 Inhibit Any Policy�nameConstraints)zX509v3 Name Constraints�noCheck)z
OCSP No Check�
tlsfeature)zTLS Feature�	nsComment)zNetscape Comment)zNetscape Certificate Type)zX509v3 CRLNumber)zX509v3 Delta CRL Indicator)zx509v3 Freshest CRL)�
nsCertType�	cRLNumber�deltaCRLIndicator�freshestCRL)�certificateIssuer�	CRLReason�invalidityDatez1.3.6.1.5.5.7.3.1z1.3.6.1.5.5.7.3.2z1.3.6.1.5.5.7.3.3z1.3.6.1.5.5.7.3.4z1.3.6.1.5.5.7.3.8z1.3.6.1.5.5.7.3.9z1.3.6.1.4.1.311.20.2.2z1.3.6.1.5.2.3.5z1.3.6.1.5.5.7.3.17z1.3.6.1.4.1.311.2.1.21z1.3.6.1.4.1.311.2.1.22z1.3.6.1.4.1.311.10.3.1z1.3.6.1.4.1.311.10.3.4)
Z
serverAuthZ
clientAuthZcodeSigningZemailProtectionZtimeStampingZOCSPSigningZmsSmartcardLoginZ	pkInitKDCZipsecIKEZ	msCodeIndZ	msCodeComZ	msCTLSignZmsEFS)�OCSPZ	caIssuersZcaRepository)r,r-r.r/r0r1r2r3r4r6r7r8r9r:r;r<r=)r0r2r>r?r@r1r5)r2r0r1r4c@seZdZdZdZdZdZdS)�KEY_TYPE����N)�__name__�
__module__�__qualname__�RSA�EC�ED25519�ED448rrrrrE�s
rEs
-----BEGINs-----ENDz%Y-%m-%d %H:%M:%Sc	Cs�t��D]"\}}|D]}||vr%tjj�dd|�d|���|�|�||<q
qt��D]"\}}|D]}||vrLtjj�dd|�d|���|�|�||<q1q+|S)z�
    Ensures the deprecated long form of Name Attribute and
    extension definitions is still recognized, but warned about.
    �	Potassium�Found �4 in keyword args. Please migrate to the short name: )�NAME_ATTRS_ALT_NAMES�items�salt�utils�versions�
warn_until�pop�EXTENSIONS_ALT_NAMES)�kwargs�name�
long_names�	long_name�extnamerrr�ensure_cert_kwargs_compat�s*������ra�c
	Ks*d}d}|s
t||d�}nd}t|	�}	d}|rt|�}|r"t|�}nd}|��}|}|r-n|r:t||d�}|��}n|rAt|�}n|rH|��}ntd��|s[|s[t|��|�s[td��tj	|	|d�}t
|pf|
�}|�|��|sr|j
n|�}|
r�t�|
t�jtjd�ntjtjd	�}
|r�t�|t�jtjd�ntjtjd	�t|d
�}|�|
��|�}g}tD]+}|tvr�q�||
vr�|
|}|dur�q�t|||||d�\}}|j||d�}|�|�q�|�rt��D]-\}}t||v|tv|tvf�r�q�z|j �!|�}|�|j"|j#�}Wq�tj$�yYq�w||||fS)
z�
    Parse the input into a CertificateBuilder, which can be used
    to sign the certificate or be inspected for changes.

    Also returns signing private key (if available), associated private key
    and associated signing certificate.
    NF��
passphraseTz�This certificate is not self-signed (signing_cert is set) and thus needs public_key, private_key or csr to derive public key to sign�?Signing private key does not match the certificate's public key)�
serial_number�
public_key��tzinfo��tz��days)�ca_crt�subject_pubkey�ca_pub��critical)%�load_privkey�_get_serial_number�load_csr�	load_certrg�load_pubkeyr�is_pair�cx509ZCertificateBuilder�_get_dn�subject_name�issuer_name�subjectr�strptime�TIME_FMT�replacer�utc�nowrZnot_valid_before�not_valid_after�EXTENSIONS_OID�	CERT_EXTS�_create_extension�
add_extension�appendrU�any�
CSR_FORBIDDEN�
extensionsZget_extension_for_oid�valuerr�ExtensionNotFound)�signing_private_keyZskip_load_signing_private_key�signing_private_key_passphrase�signing_certrg�private_key�private_key_passphrase�csrr}rfZ
not_before�	not_after�
days_validr\rpZself_signedZprivate_key_loaded�builderr{Zext_presentr`�val�extrr�oidrrr�	build_crt�s��
�


������
�����
��
����r�cKs�t||d�}|��}t��}t|p|�}|�|�}t��D]%\}}t|t	v|t
vf�r,q||vrBt||||d�\}	}
|j|	|
d�}q||fS)z�
    Parse the input into a CertificateSigningRequestBuilder, which can be used
    to sign the CSR or be inspected for changes.

    Also returns associated private key.
    rc)rorq)
rsrgryZ CertificateSigningRequestBuilderrzr{r�rUr�r�r�r�r�)r�r�r}r\rgr�r{r`r�r�rrrrr�	build_csrns,
��

���r��dc	Cs0|pi}|r
t|�}t||d�}|rt|��|�std��t��}|r)|�|j�}|�	t
jtj
d��}|�t
jtj
d�t|d��}|D]�}d}	}
}d|vr]t
�|dt�jtj
d�}
d|vre|d}	d	|vr�t|d	�}|j}	z|j}
Wnty�|jjtj
d�}
Ynw|	s�td
��t|	�}	|
r�|s�t
jtj
d�|
kr�qDd|vr�t
�|dt�jtj
d�}nt
jtj
d�}tj|	|d�}
|�d
i���D]\}}|tvr�t�d|�q�t||�\}}|
j||d�}
q�|� |
�!��}qD|��D] \}}|t"v�rt�d|�q�t|||d�\}}|j||d�}q�||fS)z�
    Parse the input into a CertificateRevocationListBuilder, which can be used
    to sign the CRL or be inspected for changes.

    Also returns signing private key.
    rcrerjrlNr�rhrf�certificatez!Need serial_number or certificate�revocation_date)rfr�r�z(Ignoring invalid CRL entry extension: %srqz"Ignoring invalid CRL extension: %s)rn)#rvrsrxrgrryZ CertificateRevocationListBuilderr|r}Zlast_updaterr�rr�Znext_updaterr~rr�rfZnot_valid_after_utc�AttributeErrorr�rtZRevokedCertificateBuilder�getrU�EXTENSIONS_CRL_ENTRY_OID�log�warningr�r�Zadd_revoked_certificate�build�CRL_EXTS)r�Zrevokedr�r�Zinclude_expiredr�r�r�Zrevrfr�r�Zrev_certZrevoked_certr`r�r�rrrrr�	build_crl�s�����
����
�r��cCs|dvrtd��tjd|d�S)z%
    Generate an RSA private key
    )r�iiz4RSA key size must be either 2048, 3072 or 4096 bits.i)Zpublic_exponentZkey_size)rr�generate_private_key�Zkeysizerrr�generate_rsa_privkey�s
�r��cCs*|dvrtd��t�ttd|�d����S)z0
    Generate an elliptic curve private key
    )r�i�i	z.EC key size must be either 256, 384, 521 bits.ZSECPZR1)rrr��getattrr�rrr�generate_ec_privkey�sr�cC�
tj��S)z)
    Generate an ed25519 private key
    )r�Ed25519PrivateKey�generaterrrr�generate_ed25519_privkey��
r�cCr�)z'
    Generate an ed448 private key
    )r
�Ed448PrivateKeyr�rrrr�generate_ed448_privkey�r�r�c
Cs6z	tt|����WSty}ztd�|�d}~ww)zB
    Returns an instance of a hashing algorithm, if available
    zPThe selected hashing algorithm does not exist in the cryptography python libraryN)r�r
�upperr�r)�digest�errrrr�get_hashing_algorithms����r�cCszd}t|tjtjf�r
d}t|tjtjf�rd}t|tjtj	f�r#d}t|t
jt
jf�r.d}|dus4|r6|St
t|���S)zq
    Checks which type of private/public key a class instance is.
    Returns None if it is not a valid key.
    Nrrrr
)�
isinstancer�
RSAPrivateKey�RSAPublicKeyr�EllipticCurvePrivateKey�EllipticCurvePublicKeyrr��Ed25519PublicKeyr
r��Ed448PublicKeyr�rEr�)�key�	as_string�key_typerrr�get_key_typesr�cCs&t|�}|durtd��t||���S)z>
    Checks whether a public key belongs to a private key
    N�Did not recognize key type)r�r�match_pubkeyrg)�pubkeyZprivkeyZprivkey_typerrrrx"srxcCsdt|�}t|�}|dus|durtd��||krdS|tjtjfvr*|��|��kSt|�t|�kS)z5
    Checks whether two public keys are the same
    Nr�F)r�rrErMrNZpublic_numbers�to_pem)Zpubkey_aZpubkey_bZ
pubkey_a_typeZ
pubkey_b_typerrrr�,sr�csp�s|St����t��D]"\}}|D]}||vr.tjj�dd|�d|���|�|�||<qq
t	��D]"\}}|D]}||vrUtjj�dd|�d|���|�|�||<q:q4d|vr�t
�fdd�tD��rl|�d�nEd�vsyt�dt
tf�szn7z|d��d���d�Wn&ttfy�z�d|d|d<��d�Wn	ty�YnwYnw|���|S)z�
    Merge a signing policy, taking care that the different methods
    of specifying RDN do not lead to unexpected results.

    This is found in utils since the state module needs
    access as well to check for expected changes.
    rQrRrSr}c3s�|]}|�vVqdSrrr��policyrrr_rz'merge_signing_policy.<locals>.<genexpr>)�copy�deepcopyrTrUrVrWrXrYrZr[r��NAME_ATTRS_OIDr��dict�list�updater��
ValueError�	TypeError)r�r\r]r^r_r`rr�r�merge_signing_policy<sT
���	������
r�c	C�^z|jtjjtjjd�WSttfyYnwz|�tjj�WSttfy.Ytd��w)z�
    Returns the PEM-encoded serialization of a public key, certificate,
    certificate signing request or certificate revocation list.
    This does not work for private keys.
    ��formatz$Could not serialize parameter to PEM)	�public_bytesr�EncodingZPEM�PublicFormat�SubjectPublicKeyInfor�r�r�Zpub_or_certrrrr�t����r�c	Cr�)z�
    Returns the DER-encoded serialization of a public key, certificate,
    certificate signing request or certificate revocation list.
    This does not work for private keys.
    r�z$Could not serialize parameter to DER)	r�rr�ZDERr�r�r�r�rr�rrr�to_der�r�r�c
Cs�t|d�r$t|tjtjtjtj	f�r|r|ddfS|St
d|jj����t
|�}|dur0|��nd}t|vr�ztj||d�}|rF|ddfWS|WStyd}zdt|�vr[t
d�|�td�|�d}~wty�}zd	t|�vrvt
d
�|�dt|�vr�t
d�|�td�|�d}~wwztj||d�}|r�|d
dfWS|WSty�}zdt|�vr�t
d�|�WYd}~n!d}~wty�}zd	t|�vr�t
d
�|�WYd}~nd}~wwztj||d�}|js�td��|r�|jd|fWS|jWSt�y}zdt|�v�rt
d�|�WYd}~t
d��d}~wt�y5}zd	t|�v�r(t
d
�|�WYd}~t
d��d}~wt�yAYt
d��w)z�
    Return a private key instance from
    * a class instance
    * a file path on the local system
    * a string (PEM)
    * bytes (hex, base64, raw)

    Valid encodings are PEM, DER and PKCS12.
    Z
private_bytesNz.Passed object is not a known private key, but )�password�pemzBad decryptz&Bad decrypt - is the password correct?z&Could not load PEM-encoded private keyzprivate key is encryptedz4Private key is encrypted. Please provide a password.z but private key is not encryptedzPrivate key is unencrypted�derz3PKCS12-encoded blob does not contain a private key.rz>Could not deserialize binary data, neither as DER nor PKCS#12.)�hasattrr�rr�rr�rr�r
r�r�	__class__rJ�load_file_or_bytes�encode�	PEM_BEGINrZload_pem_private_keyr��strrr�Zload_der_private_keyr�load_pkcs12r�r�)�pkrd�get_encodingr��loadedrrrrs�s�

��	
��������
����
��������

�
�����
������rsc
Cs�t|d�rt|tjtjtjtj	f�r|St
d|jj����t
|�}t|vr=zt�|�WSty<}ztd�|�d}~wwzt�|�WStyT}ztd�|�d}~ww)z�
    Return a public key instance from
    * a class instance
    * a file path on the local system
    * a string (PEM)
    * bytes (hex, base64, raw)

    Valid encodings are PEM and DER.
    r�z'Passed object is not a public key, but z&Could not load PEM-encoded public key.Nz&Could not load DER-encoded public key.)r�r�rr�rr�rr�r
r�rr�rJr�r�rZload_pem_public_keyr�rZload_der_public_key)r�r�r�rrrrw�s>

��	�����
��rwc	
Cs�t|tj�r|r|gfS|r|ddfS|St|�}t|vr�t|�}d|dvrtz9t�|�d��}|s4|rNg}|D]}z
|�t�|��Wq8t	yMYq8w|rU||fWS|r^|d|dfWS|WSt	t
fys}ztd�|�d}~wwz#t�
|d�}|r�|�d�|fWS|r�|�d�d|dfWS|�d�WSt	y�}ztd�|�d}~wwzt�|�}|r�|dddfWS|r�|gfWS|WSt	y�Ynwz8|dur�t|t�s�|��}t�||�}|s�|r�d	d
�|jD�}|r�|jj|fWS|r�|jjd||fWS|jjWStt	f�yYnwz"t�|�}|�r!|�d�|fWS|�r.|�d�d|dfWS|dWSt	�y?Ytd
��w)z�
    Return a certificate instance from
    * a class instance
    * a file path on the local system
    * a string (PEM)
    * bytes (hex, base64, raw)

    Valid encodings are PEM, DER, PKCS7 (as PEM and DER) and PKCS12.
    Ns-----BEGIN PKCS7rr�z'Could not load PEM-encoded certificate.Z	pkcs7_pemz&Could not load PEM-encoded PKCS#7 blobr�cS�g|]}|j�qSr)r�rrrr�
<listcomp>d�zload_cert.<locals>.<listcomp>rZ	pkcs7_derzFCould not deserialize binary data, neither as DER nor PKCS#7, PKCS#12.)r�ry�Certificater�r��
split_pemsZload_pem_x509_certificaterZr�r��
IndexErrorrrZload_pem_pkcs7_certificatesZload_der_x509_certificate�bytesr�rr�Zadditional_certs�certr�r�Zload_der_pkcs7_certificatesr)	r�rdZ
load_chainr��pemsr��chainr�r�rrrrv s�

�
��������

�
�

��rvc
C�t|tj�r|r
|ddfS|St|�}t|vr8zt�|�}|r$|dfWS|WSty7}ztd�|�d}~wwzt�|�}|rE|dfWS|WStyX}ztd�|�d}~ww)z�
    Return a CRL instance from
    * a class instance
    * a file path on the local system
    * a string (PEM)
    * bytes (hex, base64, raw)

    Valid encodings are PEM and DER.
    Nr�z7Could not load PEM-encoded certificate revocation list.r�z7Could not load DER-encoded certificate revocation list.)	r�ryZCertificateRevocationListr�r�Zload_pem_x509_crlr�rZload_der_x509_crl)Zcrlr�r�r�rrr�load_crl}�@



����

����r�c
Cr�)z�
    Return a CSR instance from
    * a class instance
    * a file path on the local system
    * a string (PEM)
    * bytes (hex, base64, raw)

    Valid encodings are PEM and DER.
    Nr�z7Could not load PEM-encoded certificate signing request.r�z7Could not load DER-encoded certificate signing request.)	r�ryZCertificateSigningRequestr�r�Zload_pem_x509_csrr�rZload_der_x509_csr)r�r�r�r�rrrru�r�ruc	Cst|�}|tjkrBz.|jjdkr(|�|j|jt�	t�
|j�tj	j�|j�WdS|�|j|jt�
�|j�WdStyAYdSw|tjkrbz|�|j|jt�|j��WdStyaYdSw|tjtjfvr�z|�|j|j�WdStyYdSwtd��)z�
    Verifies that the signature on a certificate was made
    by a public key.

    This functionality is currently not exposed by cryptography
    since it does not imply the certificate chain is valid.
    z1.2.840.113549.1.1.10TFzAInvalid public key type, can only process rsa, ec, ed25519, ed448)r�rErMZsignature_algorithm_oid�
dotted_stringZverifyZ	signatureZtbs_certificate_bytesrZPSSZMGF1Zsignature_hash_algorithmZAUTOZPKCS1v15r	rNrZECDSArOrPr)r�r�r�rrr�verify_signature�sX
�����

����r�c	Cs(ztj�|�WSttfyYdSw)z�
    A wrapper around os.path.isfile that ignores ValueError exceptions which
    can be raised if the input to isfile is too long.
    F)�os�path�isfiler�r�)r�rrrr��s�r�cCsntjj�|�}g}g}|�d�D]$}|��sq|�t�r |g}q|�|�|�t	�r4|�d�
|��g}q|S)zH
    Returns a list of PEM strings from a possibly concatenated one
    T�)rVrWZstringutils�to_bytes�
splitlines�strip�
startswithr�r��PEM_END�join)r��splitsZcur�linerrrr�s


�r�cCs�t|�r tjj�|d��}|��}Wd�n1swYt|t�ra|�d�r4t	�
|dd��}n-t��|vr?|�
�}n"zt�|�}Wnty`zt	�
|�}Wn	ty]YnwYnwt|t�sjtd��|S)z�
    Tries to load a reference and return its bytes.
    Can be a file path on the local system, a string and bytes (hex/base64-encoded, raw)
    �rbNzb64:rIzpCould not load provided source. You need to pass an existing file, (PEM|hex|base64)-encoded string or raw bytes.)r�rVrW�filesZfopen�readr�r�r�base64�	b64decoder��decoder�r��fromhexr�r)Zfob�frrrr�s0
�


���
�r�cCs*|tvrtd|����t|||||d�S)NzUnknown extension )rornrp)�EXTENSION_BUILDERSr)r]r�rornrprrrr�8s
�r�c
Ksz|�dd�}Wntyd}Ynwt|t�rNzt|���\}}|ddk|d<d|vr6t|d�|d<WnttfyM}zt	d|���|�d}~wwzt
�|d|�d��|fWStyp}zt	d|���|�d}~wttfy�}zt	|�|�d}~ww)NrrF�ca�true�pathlenz+Invalid configuration for basicContraints: z-Undefined required key for basicConstraints: )
r�r�r�r��_deserialize_openssl_confstring�lowerr�KeyErrorr�rry�BasicConstraintsr��r�r\rrr�rrr�_create_basic_constraints@sF�
���������
��rc
Ks~d|v}d|vd|vd|vd|vd|vd|vd|vd	|vd
|vd�	}ztjdi|��|fWSty>}zt|�|�d}~ww)
Nrr�digitalSignature�nonRepudiation�keyEncipherment�dataEncipherment�keyAgreement�keyCertSign�cRLSign�encipherOnly�decipherOnly)	�digital_signature�content_commitment�key_encipherment�data_encipherment�
key_agreement�
key_cert_sign�crl_sign�
encipher_only�
decipher_onlyr)ry�KeyUsager�r�r�r\rr�argsr�rrr�_create_key_usage\s"�
��r,cKsxd|v}t|t�rt|�\}}t|�}t|t�s|g}g}|D]}|dkr&q|�t�|�p2tt|���qt�	|�|fS�Nrr)
r�r�rr�r��EXTENDED_KEY_USAGE_OIDr��_get_oidry�ExtendedKeyUsage)r�r\rr�usages�usagerrr�_create_extended_key_usageos

r3c
Ks�d|vrtd��|dkr-|std��z	tj�|�dfWSty,}ztd�|�d}~wwt|t�rOzt�	|�
dd��}WntyN}ztd	�|�d}~wwt|t�sXtd
��t�|�dfS)Nrrz3subjectKeyIdentifier must be marked as non-critical�hashz@Cannot calculate digest for subjectKeyIdentifier: missing pubkeyFz5subjectKeyIdentifier: subject_pubkey was not a pubkey�:�zValue must be precomputed hashz&Value must be a (hex-)digest or pubkey)r�RuntimeErrorry�SubjectKeyIdentifierZfrom_public_keyr�r�r�r�rr�r�)r�ror\r�rrr�_create_subject_key_identifier~s:�
�����

��
r9c
Ks�d|vrtd��|s|std��t|t�rt|�\}}dddd�}d|vr}|rRz
|j�tj�j	j
|d<WntjyItj�
|���j|d<Yn	tyQYnw|dsm|rmztj�
|�j|d<Wn	tylYnw|ddkr}|ddur}td��|�d	�dks�d	|vr�|ddur�zt�|j�g|d
<|j|d<Wn'ttfy�}zd|d
<|d<|d	dkr�td�|�WYd}~nd}~ww|s�td
��tjdi|��dfS)Nrrz5authorityKeyIdentifier must be marked as non-criticalzDNeed CA certificate or CA pubkey to calculate authorityKeyIdentifier)�key_identifier�authority_cert_issuer�authority_cert_serial_number�keyidr:�alwayszICould not retrieve authorityKeyIdentifier keyid, but it was set to always�issuerr;r<z\Could not add authority_cert_issuer and authority_cert_serial_number, but was set to always.z'authorityKeyIdentifier cannot be empty.Fr)rr7r�r�rr��get_extension_for_classryr8r�r�r��AuthorityKeyIdentifierZfrom_issuer_public_keyrgr:�	Exceptionrr��
DirectoryNamer?rfr�r�)r�rnrpr\�_r+r�rrr� _create_authority_key_identifier�s���
��
��
���
��������	rEcK�t||�\}}t�|�|fSr)�_parse_issuer_general_namery�IssuerAlternativeName�r�rnr\�parsedrrrrr�_create_issuer_alt_name��rKcKrFr)rGry�CertificateIssuerrIrrr�_create_certificate_issuer�rLrNc	
CsVd|v}t|t�rAg}|D].}t|t�r-d|vr-|jddd�\}}|�|��|��f�q
t|t�r;|�t|����q
t	|�}nt|t�rRt
|dd�\}}t	|�}g}tdd�|D��r�|sctd	��z|�t
�|j�tj�jj��t	d
d�|D��}Wn"tjy�}zt|�|�d}~wty�}ztd�|�d}~ww|�t|��||fS)Nrrr5rF��maxsplitT��multiplecss�|]}|dkVqdS))r?r�Nrrrrrr�rz-_parse_issuer_general_name.<locals>.<genexpr>z,Need CA certificate to copy to issuerAltNamecss �|]}|ddkr|VqdS)rr?Nrrrrrrs�zpIt seems your version of cryptography does not have an internal API that the issuer:copy functionality relies on)r�r�r��splitr�r�r��extendrU�tuplerr�r7r�r�r�r@ry�SubjectAlternativeName�_general_namesr�rr��_parse_general_names)	r�rnrr�list_r�k�vrJr�rrrrG�sR

�

���
�����rGcKs�t|t�rdd�|�d�D�}nt|t�rdd�|��D�}nt|t�r+dd�|D�}g}|D]3\}}z
t�|�p>tt|��}Wnt	yT}zt	d|���|�d}~wwt
|�}|�t�
||��q/t�|�dfS)Ncss*�|]}|��dkr|���d�VqdS)rr�;N�r�rSrrrrrs�(z0_create_authority_info_access.<locals>.<genexpr>�,css$�|]
\}}|dkr||fVqdS�rrNr�rrZr[rrrrs�"css2�|]}|��D]
\}}|dkr||fVqqdSr_)rU)rrrZr[rrrrs�0zUnknown access OID: F)r�r�rSr�rUr��
ACCESS_OIDr�r/r�_get_gnr�ryZAccessDescription�AuthorityInformationAccess)r�r\rJr��general_namer�rrr�_create_authority_info_accesss"


��recKs�d|v}t|t�rAg}|D].}t|t�r-d|vr-|jddd�\}}|�|��|��f�q
t|t�r;|�t|����q
t	|�}n
t|t�rNt
|dd�\}}t|�}t�
|�|fS)Nrrr5rFrOTrQ)r�r�r�rSr�r�r�rTrUrUrrXryrV)r�r\rrrYrrZr[rJrrr�_create_subject_alt_name"s

�

rfcKst|�\}}t�|�|fSr)�_parse_distribution_pointsry�CRLDistributionPoints)r�r\rJrrrrr�_create_crl_distribution_points5�ricKst|�\}}t�|�dfS�NF)rgry�FreshestCRL)r�r\rJrDrrr�_create_freshest_crl:rjrmc
Cs�d|v}t|t�rt|dd�\}}n7t|t�rIg}|D])}t|t�r;d|vr;|jddd�\}}|�|��|��f�q|dkrD|�|�qt|�}g}|D]�}d}}	}
}t|t�r�|�	d�}|�	d�}	|�	d	�}
|�	d
�}|r�t|t�sz|g}dd�|D�}|	r�t
|	�}	|
r�t|
t�s�|
g}
td
d�|
D��}
|r�ztdd�|D��}Wnt
y�}zt|�|�d}~wwn|f}|r�t|�}z|�tj||	||
d��WqMt
tfy�}zt|�|�d}~ww||fS)NrrTrQr5rFrO�fullname�relativename�	crlissuer�reasonscs��|]
}|jddd�VqdS�r5rFrON�rSrrrrrW��z-_parse_distribution_points.<locals>.<genexpr>csrrrsrtrrrrr]s�
�cs��|]}t�|�VqdSr�ry�ReasonFlagsrrrrrb��)�	full_name�
relative_namerq�
crl_issuer)r�r�rr�rSr�r�rUr�r��_get_rdnrX�	frozensetr�rryZDistributionPointr�)
r�rrrYrrZr[rJ�dpointrnrorprqr�rrrrg?st


�






�
�����
��rgc
Ks&t|t�s	td��|�dd�}|�dd�}|�dd�}|�dd�}|�dd�}|�d�}|�d	�}|�d
�}	|rKt|t�s@|g}dd�|D�}t|�}|rQt|�}|	rpztd
d�|	D��}	Wntyo}
zt|
�|
�d}
~
wwzt	j
|||||	||d�|fWSttfy�}
zt|
�|
�d}
~
ww)Nz-issuingDistributionPoint must be a dictionaryrrF�onlyuser�onlyCA�onlyAA�indirectCRLrnro�onlysomereasonscsrrrsrtrrrrr�ruz5_create_issuing_distribution_point.<locals>.<genexpr>csrvrrwrrrrr�ry)rzr{�only_contains_user_certs�only_contains_ca_certs�only_some_reasons�indirect_crl�only_contains_attribute_certs)r�r�rr�r�rXr}r~r�ry�IssuingDistributionPointr�)r�r\rrr�ZonlycaZonlyaaZindirectcrlrnror�r�rrr�"_create_issuing_distribution_pointwsP





���	�
��r�cKsPt|t�r5z|�d�}dd�|�d�D�}dd�|D�}t�|�|fWSty4}ztd�|�d}~ww|�dd�}g}|�	�D]_\}}|dkrJqAg}	|D]E}
t|
t�r[|	�
|
�qNd}|
�d	�}|
�d
�}
|
�d�}|
r�z	tj||
d�}Wnty�}zt|�|�d}~ww|	�
tj
||d
��qN|�
tjt|�|	d��qAt�|�|fS)Nrrcss(�|]}|��dkrt|���VqdSr_)r�r/rrrrr�s��z/_create_certificate_policies.<locals>.<genexpr>r^cSsg|]	}tj|dd��qS)N��policy_identifier�policy_qualifiers)ry�PolicyInformation)r�prrrr��s��z0_create_certificate_policies.<locals>.<listcomp>zLcertificatePolicies defined as string must be a comma-separated list of OID.F�organizationZ
noticeNumbers�text)r��notice_numbers)�notice_reference�
explicit_textr�)r�r�rrSry�CertificatePoliciesrrr�rUr�ZNoticeReferencer�Z
UserNoticer�r/)r�r\rrZpolicy_identifiersZpolicy_informationr�rJ�polid�
qualifiersZparsed_qualifiersZqual�noticer�r�r�rrr�_create_certificate_policies�sh

������





�
������r�c
Ks�d|v}t|t�rt|�\}}d|vrt|d�ndd|vr$t|d�ndd�}ztjdi|��|fWSttfyF}zt|�|�d}~ww)Nrr�requireExplicitPolicy�inhibitPolicyMapping)�require_explicit_policy�inhibit_policy_mappingr)	r�r�rrry�PolicyConstraintsr�r�rr*rrr�_create_policy_constraints�s
��

��r�c
Ks�t|t�s	d|vnd}t|t�rt|�\}}ttt|���}zt�t|t�r(|n|d�|fWStyC}zt	d|���|�d}~wt
tfyU}zt	|�|�d}~ww)NrrFr�z-Undefined required key for inhibitAnyPolicy: )r�rr�r�next�iterry�InhibitAnyPolicyrrr�r�rrrr�_create_inhibit_any_policy�s&
����
��r�cKs:d|v}t|t�rPi}|��D]=\}}|dvrqg}|D])}t|t�r<d|vr<|jddd�\}}	|�|��|	��f�q|dkrE|�|�qt|�||<q|}n t|t�rptdd�|�d�D��}
d	d
�|
D�dd
�|
D�d�}d|vrzt|d�ndd
|vr�t|d
�ndd�}t	|�
��s�td��tj
di|��|fS)Nrr)�	permitted�excludedr5rFrOcss�|]
}|���d�VqdS)r\Nr]rrrrrruz+_create_name_constraints.<locals>.<genexpr>r^cS�*g|]}|ddkr|djddd��qS)rr�rFr5rOrtrrrrr�
�$z,_create_name_constraints.<locals>.<listcomp>cSr�)rr�rFr5rOrtrrrrr�r�r�r�)�permitted_subtrees�excluded_subtreesz-nameConstraints needs at least one definitionr)r�r�rUr�rSr�r�rUrXr��valuesrry�NameConstraints)r�r\rrrJZscopeZconstraintsrYrrZr[rUr+rrr�_create_name_constraints�s>

�
���
�r�cKst��dt|�vfSr-)ry�OCSPNoCheckr��r�r\rrr�_create_no_check!sr�c
Ksjt|t�rdd�|�d�D�}d|v}z	dd�|D�}Wnty-}zt|�|�d}~wwt�|�|fS)NcSsg|]}|���qSr�r�rrrrr�'�z&_create_tlsfeature.<locals>.<listcomp>r^rrcSs g|]}|dkrttj|��qSrq)r�ryZTLSFeatureTyperrrrr�*s )r�r�rSr�rry�
TLSFeature)r�r\rr�typesr�rrr�_create_tlsfeature%s

��r�cK�td��)Nz'nsComment is currently not implemented.�rr�rrr�_create_ns_comment0�r�cKr�)Nz(nsCertType is currently not implemented.r�r�rrr�_create_ns_cert_type4r�r�c
Ks8z
t�t|��dfWSty}ztd�|�d}~ww)NFz?cRLNumber must be an integer and must be marked as non-critical)ry�	CRLNumberrr�r)r�r\r�rrr�_create_crl_number8s����r�cKsFdt|�v}t�dt|��}t|�dkrtd��t�t|d��|fS)Nrrz[\d]+rFzGdeltaCRLIndicator must contain a single integer pointing to a cRLNumberr)r��re�findall�lenrry�DeltaCRLIndicatorr)r�r\rrrrr�_create_delta_crl_indicatorAs�r�c
Ks|d}t|t�rt|�\}}n
d|vrd}dd�|D�}zt�t�tt|����|fWSty=}zt	t|��|�d}~ww)NFrrTcSsg|]}|dkr|�qSrqrrrrrr�Rsz&_create_crl_reason.<locals>.<listcomp>)
r�r�rryrBrxr�r�r�rrrrr�_create_crl_reasonKs
��r�c
Ksrt|t�s	td��|�d�}|r|jddd�d}zt�t�|t	��|fWSt
y8}ztt|��|�d}~ww)NzinvalidityDate must be a stringrr� rFrO)r�r�rrrSry�InvalidityDaterr~rr�rrrr�_create_invalidity_dateZs

���r�rAr@)r;r<r=r>r?rBrCcCst|�d�}|r|dd��d���}dd�|�d�D�}|r,dd�dd�|D�D�|fSdd	�d
d�|D�D�|fS)Nrr�r^css�|]}|��VqdSrr�rrrrr�rz2_deserialize_openssl_confstring.<locals>.<genexpr>css$�|]
\}}|��|��fVqdSrr�r`rrrr�s
��
�cs�.�|]}d|vr|jddd�n|dfVqdS�r5rFrOZ__present__Nrtrrrrr�s
��
�cSsi|]\}}|��|���qSrr�r`rrr�
<dictcomp>�s��z3_deserialize_openssl_confstring.<locals>.<dictcomp>csr�r�rtrrrrr�s�
�)rr�rS)ZconfrRrrrUrrrr�s&
������rcCs�ddd�}tjjtjjtjjtjjtjjtjjd�}g}|D]�\}}|��}|dkr/t	|�}n�|dkr8t
|�}n�|dkrjzt�|�}Wn�t
yizt�|�}Wnt
yf}z	td|�d	��|�d}~wwYn_w|d
kr�|jddd
�}t|�dkr�|\}}	||	�}	d�||	f�}n=||ddd�}n4|dkr�t|�}
|
jr�||
j�}	t|
j|	|
j|
j|
j|
jf�}n|dkr�||ddd�}n|dkr�td��||vr�z|�|||��Wqt
tfy�}zt|�|�d}~wwtd|�d���|S)NFc	
Ss�z|�d�}Wntytdt|�j�d|�d���w|r*|s%td��|�d�}|�d�}|rL|s7td��|r=td��|d	d�}|�d�rLtd
��trlz	t�	|��
�}Wnhtjyk}ztt|��|�d}~ww|srtd��z|j	dd
�Wnt
y�}ztd�|�d}~ww|�d�D],}|s�td��t�d|�}|dur�tdtt|����d	d��d|���d|�d���q�|}|r�d|��S|r�d|��S|S)Nr zExpected string value, got z: `�`z,Leading dots are not allowed in this contextz*.z)Wildcards are not allowed in this contextz5Wildcards and leading dots cannot be present togetherrGzEmpty labelzEmpty domain�ascii)�encodingz^Cannot encode non-ASCII strings to internationalized domain name format, missing library: idnazEmpty Labelz[^A-Za-z\d\-\.]zCodepoint U+00z
 at position z of 'z
' not allowed)rr�r�typerJr�lstrip�HAS_IDNA�idnar�r
Z	IDNAErrorr��UnicodeEncodeErrorrSr��search�hex�ord�group�end)	r��allow_leading_dot�allow_wildcardZhas_dotZhas_wildcard�retr��elem�invalidrrr�idna_encode�st���

�
������.��

z)_parse_general_names.<locals>.idna_encode)�email�uri�dns�rid�ip�dirnamer�r�r�zProvided value z4 does not seem to be an IP address or network range.r��@rFrOrT)r�r�r�)r�r�Z	othernamez&otherName is currently not implementedzGeneralName type z is invalid)FF)ryrd�
RFC822Name�UniformResourceIdentifier�DNSName�RegisteredID�	IPAddressrCrrzr/�	ipaddress�
ip_addressr��
ip_networkr�rsplitr�rr�netlocr�schemer��params�query�fragmentrr�r�)r�r�Zvalid_typesrJ�typr[r�r�user�domain�urlrrrrX�sx
9�



������
��
��rXcCs4t|��d�rt|��d�rtd|����t�|�S)N)�0�1�2z0123456789.z
Invalid oid: )r�rr�rry�ObjectIdentifier)r�rrrr/s
r/c
Csvztj�|�j}t|�dkrtd��|dWSty*}ztd|���|�d}~wty:}ztd�|�d}~ww)NrFzPSpecified string is not a Relative Distinguished Name, but a Distinguished Name.rzFailed parsing rdn string: �BAt least cryptography v37 is required for parsing RFC4514 strings.)	ry�Name�from_rfc4514_string�rdnsr�rr�rr�)Zrdnr�r�rrrr}s$�
�����r}cCst|jddd�f�dS)Nr5rFrOr)rXrS��gnrrrrb)srbc
Csr|durt��St|t�r|Szt�|�dd��}Wnttt	fy&Ynwt|t�r2t�
|d�Std|����)Nr5r6�bigzCould not parse serial number )ryZrandom_serial_numberr�rr�rr�r�r�r��
from_bytesr)Zsnrrrrt-s
�
rtc
Cs�t|t�rBztj�|�}tddkrt�|jddd��WS|WSty1}ztd�|�d}~wt	yA}ztd�|�d}~wwt|t
�rQt�dd�|D��St|t�rug}t�
�D]\}}||vro|�t�|||��q\t�|�Std��)	Nr�%���z%Failed parsing rfc4514 dirName stringr�cS�g|]}t|��qSr)r}rrrrr�Kr�z_get_dn.<locals>.<listcomp>z6Need string, list or dict to parse distinguished names)r�r�ryr�r��CRYPTOGRAPHY_VERSIONr�r�rr�r�r�r�rUr�Z
NameAttributer)�dnrJr�r]r�rrrrz;s>
�������

�
rzcsRt�t�r	����t��ddkrd��d��fdd�tdt��d�D����S)z$
    Nicely formats hex strings
    rGrr�r5csg|]
}�||d��qS)rGr)r�i��hex_strrrr�^szpretty_hex.<locals>.<listcomp>)r�r�r�r�r�ranger�rrrr�
pretty_hexVs

(rcCst|d��S)zA
    Converts decimal values to nicely formatted hex strings
    �X)r)Zdecvalrrr�dec2hexasr
cCs�t|tj�rd|j��St|tj�rd|j����St|tj�r'd|jj��St|tj�r3d|j��St|tj	�r@d|jj
��St|tj�rLd|j��St|�S)zC
    Returns a valid OpenSSL string for a GeneralName instance
    zDNS:zdirName:zIP:zmail:zRID:zURI:)
r�ryr�r�rC�rfc4514_stringr��explodedr�r�r�r�r�r�rrr�	render_gnhsrcCsDd|ji}t|j�}|tvr|�t||��|St|j�|d<|S)zK
    Render an Extension instance to a dict for informational purposes
    rrr�)rrr�r��EXTENSION_RENDERERSr�r�)r�r�r�rrr�render_extension{s

�rcC�|jj|jjd�S)N)rr)r�rZpath_length�r�rrr�_render_basic_constraints��rc
CsT|jj|jj|jjr|jjnd|jj|jjr|jjnd|jj|jj|jj|jj	d�	S)NF)	rrrrrrrrr)
r�r&r#r$r(r r'r%r"r!rrrr�_render_key_usage�s�rcCsZzdd�|jjp	gD�}Wd|iSty,t�dt|j��}dd�|D�}Yd|iSw)NcSs"g|]
}|jdkr|jn|j�qS)�Unknown OID)�_namer�rrrrr��s��z._render_extended_key_usage.<locals>.<listcomp>z1\<ObjectIdentifier\(oid=[\d\.]+, name=([\w]+)\)\>cSs(g|]}d|dkr|dn|d�qS)rrFrrrrrrr��s(r�)r�Z_usagesr�r�r�r�)r�r1rrr�_render_extended_key_usage�s
�
�
��rcCsdt|jj�iS�Nr�)rr�r�rrrr�_render_subject_key_identifier�srcCsN|jjr
t|jj�nddd�|jjpgD�pd|jjr#t|jj�d�Sdd�S)NcSrr�rrrrrr��r�z4_render_authority_key_identifier.<locals>.<listcomp>)r=r?Z	issuer_sn)r�r:rr;r<r
rrrr� _render_authority_key_identifier�s���rc
s|zdd�|jjjp
gD�}Wd|iSty=ddddddd	���fd
d�t�dd����d
�t|j��D�}Yd|iSw)NcSrrrrrrrr��r�z)_render_general_names.<locals>.<listcomp>r�r�r�r�r�ZdirName)r�r�r�r�r�rCcs"g|]
\}}�|�d|���qS)r5r)rr�r���prefixesrrr��s��z\<(�|z)\(value='([^']+)'\)\>r�)r�rWr�r�r�rr�)r��renderedrrr�_render_general_names�s&��
���r#cCsng}z#|jjD]}|�|jjdkr|jjn|jjt|jj�i�qWd|iSty6t	|j�}Yd|iSw)Nrr�)
r�Z
_descriptionsr�Z
access_methodrr�rZaccess_locationr�r�)r�r"�descriptionrrr�_render_authority_info_access�s �
�����r%c	Cs�g}z:|jjD]0}|�dd�|jpgD�dd�|jpgD�ttdd�|jp&gD���|jr2|j�	�ndd��qWd|iSt
yMt|j�}Yd|iSw)NcSrrrrrrrr��r�z/_render_distribution_points.<locals>.<listcomp>cSrrrrrrrr��r�cs��|]}|jVqdSr�r�rrrrr���z._render_distribution_points.<locals>.<genexpr>)rprnrqror�)r�Z_distribution_pointsr�r|rzr��sortedrqr{rr�r�)r�Zdpointsrrrr�_render_distribution_points�s$������r*cCsddd�|jjpgD�ttdd�|jjpgD���|jjr"|jj��nd|jj|jj|jj	|jj
d�S)NcSrrrrrrrr��r�z6_render_issuing_distribution_point.<locals>.<listcomp>csr&rr'rrrrr�r(z5_render_issuing_distribution_point.<locals>.<genexpr>)rnZonysomereasonsror�r�r�r�)r�rzr�r)r�r{rr�r�r�r�rrrr�"_render_issuing_distribution_point�s���r+cCs�g}zO|jjD]E}|jj}|dkr|jj}g}|jpgD](}t|t�r+|�d|i�qd}}|j	r:|j	j
}|j	j}|�|||jd��q|�||i�qWd|iSt
ybt|j�}Yd|iSw)NrZpractice_statement)Z
organizataionr�r�r�)r�Z	_policiesr�rr�r�r�r�r�r�r�r�r�r�)r�Zpoliciesr�r�r�r�r�r�rrr�_render_certificate_policies
s8
�����r,cCr)N)r�r�)r�r�r�rrrr�_render_policy_constraints*s�r-cC�d|jjiSr)r�Z
skip_certsrrrr�_render_inhibit_any_policy1�r/cCs.dd�|jjpgD�dd�|jjpgD�d�S)NcSrrrrrrrr�7r�z,_render_name_constraints.<locals>.<listcomp>cSrrrrrrrr�8r�)r�r�)r�r�r�rrrr�_render_name_constraints5s�r1cCsddiS)Nr�Trrrrr�_render_no_check<r�r2cCstzdd�|jjD�}Wd|iSty9g}dt|j�vr#|�d�dt|j�vr4|�d�Yd|iSYd|iSw)NcSr�r)r]rrrrr�Br�z&_render_tlsfeature.<locals>.<listcomp>Zstatus_requestZstatus_request_v2r�)r�Z	_featuresr�r�r�)r�Zfeaturesrrr�_render_tlsfeature@s�
��r3cCr.r)r�Z
crl_numberrrrr�_render_crl_numberLr0r4cCsd|jjjiSr)r��reasonrrrr�_render_crl_reasonPsr6cCsd|jj�t�iSr)r�Zinvalidity_date�strftimerrrrr�_render_invalidity_dateTrr8)FNNNNNNNNNNrb)NN)NNFr�N)r�)r�)Frk)NFF)NNNr)�rr�r��loggingZos.pathr�r�rrr�enumr�urllib.parserrZcryptographyrryZcryptography.exceptionsr	Zcryptography.hazmat.primitivesr
rZ)cryptography.hazmat.primitives.asymmetricrr
rrrZ,cryptography.hazmat.primitives.serializationrrZcryptography.x509.oidrZsalt.utils.filesrVZsalt.utils.immutabletypesrWZimmutabletypesZsalt.utils.stringutilsZsalt.utils.versionsZsalt.exceptionsrrZsalt.utils.odictrr�r��ImportErrorrU�__version__rSr�	getLoggerrJr�ZfreezerTZNameOIDZCOUNTRY_NAMEZSTATE_OR_PROVINCE_NAMEZ
LOCALITY_NAMEZSTREET_ADDRESSZORGANIZATION_NAMEZORGANIZATIONAL_UNIT_NAMEZCOMMON_NAMEZ
EMAIL_ADDRESSZSURNAMEZ
GIVEN_NAMEZUSER_IDZ
SERIAL_NUMBERr�r[ZExtensionOIDZBASIC_CONSTRAINTSZ	KEY_USAGEZEXTENDED_KEY_USAGEZSUBJECT_KEY_IDENTIFIERZAUTHORITY_KEY_IDENTIFIERZISSUER_ALTERNATIVE_NAMEZAUTHORITY_INFORMATION_ACCESSZSUBJECT_ALTERNATIVE_NAMEZCRL_DISTRIBUTION_POINTSZISSUING_DISTRIBUTION_POINTZCERTIFICATE_POLICIESZPOLICY_CONSTRAINTSZINHIBIT_ANY_POLICYZNAME_CONSTRAINTSZ
OCSP_NO_CHECKZTLS_FEATUREZ
CRL_NUMBERZDELTA_CRL_INDICATORZFRESHEST_CRLr�ZCRLEntryExtensionOIDZCERTIFICATE_ISSUERZ
CRL_REASONZINVALIDITY_DATEr�r�r.ZAuthorityInformationAccessOIDrDZ
CA_ISSUERSZ
CA_REPOSITORYrar�r�r�rEr�rrrar�r�r�r�r�r�r�r�r�rxr�r�r�r�rsrwrvr�rur�r�r�r�r�rr,r3r9rErKrNrGrerfrirmrgr�r�r�r�r�r�r�r�r�r�r�r�r�r
rrXr/r}rbrtrzrr
rrrrrrrr#r%r*r+r,r-r/r1r2r3r4r6r8rr)r0r8rArHrMrcrVrhrlr�r�r�r�r�r�r�r�r�rBr�rrrrr�<module>s��
��











����������	�
���
����������������	�
���
���������	����
�"�S	

8^&]$$5C(8(3'	
��������	�
���
�������r
��������	�
���
�������