1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090 |
- # This file is dual licensed under the terms of the Apache License, Version
- # 2.0, and the BSD License. See the LICENSE file in the root of this repository
- # for complete details.
- import abc
- import datetime
- import os
- import typing
- from cryptography import utils
- from cryptography.hazmat.bindings._rust import x509 as rust_x509
- from cryptography.hazmat.primitives import hashes, serialization
- from cryptography.hazmat.primitives.asymmetric import (
- dsa,
- ec,
- ed25519,
- ed448,
- rsa,
- x25519,
- x448,
- )
- from cryptography.hazmat.primitives.asymmetric.types import (
- CERTIFICATE_ISSUER_PUBLIC_KEY_TYPES,
- CERTIFICATE_PRIVATE_KEY_TYPES,
- CERTIFICATE_PUBLIC_KEY_TYPES,
- )
- from cryptography.x509.extensions import (
- Extension,
- ExtensionType,
- Extensions,
- _make_sequence_methods,
- )
- from cryptography.x509.name import Name, _ASN1Type
- from cryptography.x509.oid import ObjectIdentifier
- _EARLIEST_UTC_TIME = datetime.datetime(1950, 1, 1)
- class AttributeNotFound(Exception):
- def __init__(self, msg: str, oid: ObjectIdentifier) -> None:
- super(AttributeNotFound, self).__init__(msg)
- self.oid = oid
- def _reject_duplicate_extension(
- extension: Extension[ExtensionType],
- extensions: typing.List[Extension[ExtensionType]],
- ) -> None:
- # This is quadratic in the number of extensions
- for e in extensions:
- if e.oid == extension.oid:
- raise ValueError("This extension has already been set.")
- def _reject_duplicate_attribute(
- oid: ObjectIdentifier,
- attributes: typing.List[
- typing.Tuple[ObjectIdentifier, bytes, typing.Optional[int]]
- ],
- ) -> None:
- # This is quadratic in the number of attributes
- for attr_oid, _, _ in attributes:
- if attr_oid == oid:
- raise ValueError("This attribute has already been set.")
- def _convert_to_naive_utc_time(time: datetime.datetime) -> datetime.datetime:
- """Normalizes a datetime to a naive datetime in UTC.
- time -- datetime to normalize. Assumed to be in UTC if not timezone
- aware.
- """
- if time.tzinfo is not None:
- offset = time.utcoffset()
- offset = offset if offset else datetime.timedelta()
- return time.replace(tzinfo=None) - offset
- else:
- return time
- class Attribute:
- def __init__(
- self,
- oid: ObjectIdentifier,
- value: bytes,
- _type: int = _ASN1Type.UTF8String.value,
- ) -> None:
- self._oid = oid
- self._value = value
- self._type = _type
- @property
- def oid(self) -> ObjectIdentifier:
- return self._oid
- @property
- def value(self) -> bytes:
- return self._value
- def __repr__(self) -> str:
- return "<Attribute(oid={}, value={!r})>".format(self.oid, self.value)
- def __eq__(self, other: object) -> bool:
- if not isinstance(other, Attribute):
- return NotImplemented
- return (
- self.oid == other.oid
- and self.value == other.value
- and self._type == other._type
- )
- def __hash__(self) -> int:
- return hash((self.oid, self.value, self._type))
- class Attributes:
- def __init__(
- self,
- attributes: typing.Iterable[Attribute],
- ) -> None:
- self._attributes = list(attributes)
- __len__, __iter__, __getitem__ = _make_sequence_methods("_attributes")
- def __repr__(self) -> str:
- return "<Attributes({})>".format(self._attributes)
- def get_attribute_for_oid(self, oid: ObjectIdentifier) -> Attribute:
- for attr in self:
- if attr.oid == oid:
- return attr
- raise AttributeNotFound("No {} attribute was found".format(oid), oid)
- class Version(utils.Enum):
- v1 = 0
- v3 = 2
- class InvalidVersion(Exception):
- def __init__(self, msg: str, parsed_version: int) -> None:
- super(InvalidVersion, self).__init__(msg)
- self.parsed_version = parsed_version
- class Certificate(metaclass=abc.ABCMeta):
- @abc.abstractmethod
- def fingerprint(self, algorithm: hashes.HashAlgorithm) -> bytes:
- """
- Returns bytes using digest passed.
- """
- @abc.abstractproperty
- def serial_number(self) -> int:
- """
- Returns certificate serial number
- """
- @abc.abstractproperty
- def version(self) -> Version:
- """
- Returns the certificate version
- """
- @abc.abstractmethod
- def public_key(self) -> CERTIFICATE_PUBLIC_KEY_TYPES:
- """
- Returns the public key
- """
- @abc.abstractproperty
- def not_valid_before(self) -> datetime.datetime:
- """
- Not before time (represented as UTC datetime)
- """
- @abc.abstractproperty
- def not_valid_after(self) -> datetime.datetime:
- """
- Not after time (represented as UTC datetime)
- """
- @abc.abstractproperty
- def issuer(self) -> Name:
- """
- Returns the issuer name object.
- """
- @abc.abstractproperty
- def subject(self) -> Name:
- """
- Returns the subject name object.
- """
- @abc.abstractproperty
- def signature_hash_algorithm(
- self,
- ) -> typing.Optional[hashes.HashAlgorithm]:
- """
- Returns a HashAlgorithm corresponding to the type of the digest signed
- in the certificate.
- """
- @abc.abstractproperty
- def signature_algorithm_oid(self) -> ObjectIdentifier:
- """
- Returns the ObjectIdentifier of the signature algorithm.
- """
- @abc.abstractproperty
- def extensions(self) -> Extensions:
- """
- Returns an Extensions object.
- """
- @abc.abstractproperty
- def signature(self) -> bytes:
- """
- Returns the signature bytes.
- """
- @abc.abstractproperty
- def tbs_certificate_bytes(self) -> bytes:
- """
- Returns the tbsCertificate payload bytes as defined in RFC 5280.
- """
- @abc.abstractmethod
- def __eq__(self, other: object) -> bool:
- """
- Checks equality.
- """
- @abc.abstractmethod
- def __hash__(self) -> int:
- """
- Computes a hash.
- """
- @abc.abstractmethod
- def public_bytes(self, encoding: serialization.Encoding) -> bytes:
- """
- Serializes the certificate to PEM or DER format.
- """
- # Runtime isinstance checks need this since the rust class is not a subclass.
- Certificate.register(rust_x509.Certificate)
- class RevokedCertificate(metaclass=abc.ABCMeta):
- @abc.abstractproperty
- def serial_number(self) -> int:
- """
- Returns the serial number of the revoked certificate.
- """
- @abc.abstractproperty
- def revocation_date(self) -> datetime.datetime:
- """
- Returns the date of when this certificate was revoked.
- """
- @abc.abstractproperty
- def extensions(self) -> Extensions:
- """
- Returns an Extensions object containing a list of Revoked extensions.
- """
- # Runtime isinstance checks need this since the rust class is not a subclass.
- RevokedCertificate.register(rust_x509.RevokedCertificate)
- class _RawRevokedCertificate(RevokedCertificate):
- def __init__(
- self,
- serial_number: int,
- revocation_date: datetime.datetime,
- extensions: Extensions,
- ):
- self._serial_number = serial_number
- self._revocation_date = revocation_date
- self._extensions = extensions
- @property
- def serial_number(self) -> int:
- return self._serial_number
- @property
- def revocation_date(self) -> datetime.datetime:
- return self._revocation_date
- @property
- def extensions(self) -> Extensions:
- return self._extensions
- class CertificateRevocationList(metaclass=abc.ABCMeta):
- @abc.abstractmethod
- def public_bytes(self, encoding: serialization.Encoding) -> bytes:
- """
- Serializes the CRL to PEM or DER format.
- """
- @abc.abstractmethod
- def fingerprint(self, algorithm: hashes.HashAlgorithm) -> bytes:
- """
- Returns bytes using digest passed.
- """
- @abc.abstractmethod
- def get_revoked_certificate_by_serial_number(
- self, serial_number: int
- ) -> typing.Optional[RevokedCertificate]:
- """
- Returns an instance of RevokedCertificate or None if the serial_number
- is not in the CRL.
- """
- @abc.abstractproperty
- def signature_hash_algorithm(
- self,
- ) -> typing.Optional[hashes.HashAlgorithm]:
- """
- Returns a HashAlgorithm corresponding to the type of the digest signed
- in the certificate.
- """
- @abc.abstractproperty
- def signature_algorithm_oid(self) -> ObjectIdentifier:
- """
- Returns the ObjectIdentifier of the signature algorithm.
- """
- @abc.abstractproperty
- def issuer(self) -> Name:
- """
- Returns the X509Name with the issuer of this CRL.
- """
- @abc.abstractproperty
- def next_update(self) -> typing.Optional[datetime.datetime]:
- """
- Returns the date of next update for this CRL.
- """
- @abc.abstractproperty
- def last_update(self) -> datetime.datetime:
- """
- Returns the date of last update for this CRL.
- """
- @abc.abstractproperty
- def extensions(self) -> Extensions:
- """
- Returns an Extensions object containing a list of CRL extensions.
- """
- @abc.abstractproperty
- def signature(self) -> bytes:
- """
- Returns the signature bytes.
- """
- @abc.abstractproperty
- def tbs_certlist_bytes(self) -> bytes:
- """
- Returns the tbsCertList payload bytes as defined in RFC 5280.
- """
- @abc.abstractmethod
- def __eq__(self, other: object) -> bool:
- """
- Checks equality.
- """
- @abc.abstractmethod
- def __len__(self) -> int:
- """
- Number of revoked certificates in the CRL.
- """
- @typing.overload
- def __getitem__(self, idx: int) -> RevokedCertificate:
- ...
- @typing.overload
- def __getitem__(self, idx: slice) -> typing.List[RevokedCertificate]:
- ...
- @abc.abstractmethod
- def __getitem__(
- self, idx: typing.Union[int, slice]
- ) -> typing.Union[RevokedCertificate, typing.List[RevokedCertificate]]:
- """
- Returns a revoked certificate (or slice of revoked certificates).
- """
- @abc.abstractmethod
- def __iter__(self) -> typing.Iterator[RevokedCertificate]:
- """
- Iterator over the revoked certificates
- """
- @abc.abstractmethod
- def is_signature_valid(
- self, public_key: CERTIFICATE_ISSUER_PUBLIC_KEY_TYPES
- ) -> bool:
- """
- Verifies signature of revocation list against given public key.
- """
- CertificateRevocationList.register(rust_x509.CertificateRevocationList)
- class CertificateSigningRequest(metaclass=abc.ABCMeta):
- @abc.abstractmethod
- def __eq__(self, other: object) -> bool:
- """
- Checks equality.
- """
- @abc.abstractmethod
- def __hash__(self) -> int:
- """
- Computes a hash.
- """
- @abc.abstractmethod
- def public_key(self) -> CERTIFICATE_PUBLIC_KEY_TYPES:
- """
- Returns the public key
- """
- @abc.abstractproperty
- def subject(self) -> Name:
- """
- Returns the subject name object.
- """
- @abc.abstractproperty
- def signature_hash_algorithm(
- self,
- ) -> typing.Optional[hashes.HashAlgorithm]:
- """
- Returns a HashAlgorithm corresponding to the type of the digest signed
- in the certificate.
- """
- @abc.abstractproperty
- def signature_algorithm_oid(self) -> ObjectIdentifier:
- """
- Returns the ObjectIdentifier of the signature algorithm.
- """
- @abc.abstractproperty
- def extensions(self) -> Extensions:
- """
- Returns the extensions in the signing request.
- """
- @abc.abstractproperty
- def attributes(self) -> Attributes:
- """
- Returns an Attributes object.
- """
- @abc.abstractmethod
- def public_bytes(self, encoding: serialization.Encoding) -> bytes:
- """
- Encodes the request to PEM or DER format.
- """
- @abc.abstractproperty
- def signature(self) -> bytes:
- """
- Returns the signature bytes.
- """
- @abc.abstractproperty
- def tbs_certrequest_bytes(self) -> bytes:
- """
- Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC
- 2986.
- """
- @abc.abstractproperty
- def is_signature_valid(self) -> bool:
- """
- Verifies signature of signing request.
- """
- @abc.abstractmethod
- def get_attribute_for_oid(self, oid: ObjectIdentifier) -> bytes:
- """
- Get the attribute value for a given OID.
- """
- # Runtime isinstance checks need this since the rust class is not a subclass.
- CertificateSigningRequest.register(rust_x509.CertificateSigningRequest)
- # Backend argument preserved for API compatibility, but ignored.
- def load_pem_x509_certificate(
- data: bytes, backend: typing.Any = None
- ) -> Certificate:
- return rust_x509.load_pem_x509_certificate(data)
- # Backend argument preserved for API compatibility, but ignored.
- def load_der_x509_certificate(
- data: bytes, backend: typing.Any = None
- ) -> Certificate:
- return rust_x509.load_der_x509_certificate(data)
- # Backend argument preserved for API compatibility, but ignored.
- def load_pem_x509_csr(
- data: bytes, backend: typing.Any = None
- ) -> CertificateSigningRequest:
- return rust_x509.load_pem_x509_csr(data)
- # Backend argument preserved for API compatibility, but ignored.
- def load_der_x509_csr(
- data: bytes, backend: typing.Any = None
- ) -> CertificateSigningRequest:
- return rust_x509.load_der_x509_csr(data)
- # Backend argument preserved for API compatibility, but ignored.
- def load_pem_x509_crl(
- data: bytes, backend: typing.Any = None
- ) -> CertificateRevocationList:
- return rust_x509.load_pem_x509_crl(data)
- # Backend argument preserved for API compatibility, but ignored.
- def load_der_x509_crl(
- data: bytes, backend: typing.Any = None
- ) -> CertificateRevocationList:
- return rust_x509.load_der_x509_crl(data)
- class CertificateSigningRequestBuilder:
- def __init__(
- self,
- subject_name: typing.Optional[Name] = None,
- extensions: typing.List[Extension[ExtensionType]] = [],
- attributes: typing.List[
- typing.Tuple[ObjectIdentifier, bytes, typing.Optional[int]]
- ] = [],
- ):
- """
- Creates an empty X.509 certificate request (v1).
- """
- self._subject_name = subject_name
- self._extensions = extensions
- self._attributes = attributes
- def subject_name(self, name: Name) -> "CertificateSigningRequestBuilder":
- """
- Sets the certificate requestor's distinguished name.
- """
- if not isinstance(name, Name):
- raise TypeError("Expecting x509.Name object.")
- if self._subject_name is not None:
- raise ValueError("The subject name may only be set once.")
- return CertificateSigningRequestBuilder(
- name, self._extensions, self._attributes
- )
- def add_extension(
- self, extval: ExtensionType, critical: bool
- ) -> "CertificateSigningRequestBuilder":
- """
- Adds an X.509 extension to the certificate request.
- """
- if not isinstance(extval, ExtensionType):
- raise TypeError("extension must be an ExtensionType")
- extension = Extension(extval.oid, critical, extval)
- _reject_duplicate_extension(extension, self._extensions)
- return CertificateSigningRequestBuilder(
- self._subject_name,
- self._extensions + [extension],
- self._attributes,
- )
- def add_attribute(
- self,
- oid: ObjectIdentifier,
- value: bytes,
- *,
- _tag: typing.Optional[_ASN1Type] = None,
- ) -> "CertificateSigningRequestBuilder":
- """
- Adds an X.509 attribute with an OID and associated value.
- """
- if not isinstance(oid, ObjectIdentifier):
- raise TypeError("oid must be an ObjectIdentifier")
- if not isinstance(value, bytes):
- raise TypeError("value must be bytes")
- if _tag is not None and not isinstance(_tag, _ASN1Type):
- raise TypeError("tag must be _ASN1Type")
- _reject_duplicate_attribute(oid, self._attributes)
- if _tag is not None:
- tag = _tag.value
- else:
- tag = None
- return CertificateSigningRequestBuilder(
- self._subject_name,
- self._extensions,
- self._attributes + [(oid, value, tag)],
- )
- def sign(
- self,
- private_key: CERTIFICATE_PRIVATE_KEY_TYPES,
- algorithm: typing.Optional[hashes.HashAlgorithm],
- backend: typing.Any = None,
- ) -> CertificateSigningRequest:
- """
- Signs the request using the requestor's private key.
- """
- if self._subject_name is None:
- raise ValueError("A CertificateSigningRequest must have a subject")
- return rust_x509.create_x509_csr(self, private_key, algorithm)
- class CertificateBuilder:
- _extensions: typing.List[Extension[ExtensionType]]
- def __init__(
- self,
- issuer_name: typing.Optional[Name] = None,
- subject_name: typing.Optional[Name] = None,
- public_key: typing.Optional[CERTIFICATE_PUBLIC_KEY_TYPES] = None,
- serial_number: typing.Optional[int] = None,
- not_valid_before: typing.Optional[datetime.datetime] = None,
- not_valid_after: typing.Optional[datetime.datetime] = None,
- extensions: typing.List[Extension[ExtensionType]] = [],
- ) -> None:
- self._version = Version.v3
- self._issuer_name = issuer_name
- self._subject_name = subject_name
- self._public_key = public_key
- self._serial_number = serial_number
- self._not_valid_before = not_valid_before
- self._not_valid_after = not_valid_after
- self._extensions = extensions
- def issuer_name(self, name: Name) -> "CertificateBuilder":
- """
- Sets the CA's distinguished name.
- """
- if not isinstance(name, Name):
- raise TypeError("Expecting x509.Name object.")
- if self._issuer_name is not None:
- raise ValueError("The issuer name may only be set once.")
- return CertificateBuilder(
- name,
- self._subject_name,
- self._public_key,
- self._serial_number,
- self._not_valid_before,
- self._not_valid_after,
- self._extensions,
- )
- def subject_name(self, name: Name) -> "CertificateBuilder":
- """
- Sets the requestor's distinguished name.
- """
- if not isinstance(name, Name):
- raise TypeError("Expecting x509.Name object.")
- if self._subject_name is not None:
- raise ValueError("The subject name may only be set once.")
- return CertificateBuilder(
- self._issuer_name,
- name,
- self._public_key,
- self._serial_number,
- self._not_valid_before,
- self._not_valid_after,
- self._extensions,
- )
- def public_key(
- self,
- key: CERTIFICATE_PUBLIC_KEY_TYPES,
- ) -> "CertificateBuilder":
- """
- Sets the requestor's public key (as found in the signing request).
- """
- if not isinstance(
- key,
- (
- dsa.DSAPublicKey,
- rsa.RSAPublicKey,
- ec.EllipticCurvePublicKey,
- ed25519.Ed25519PublicKey,
- ed448.Ed448PublicKey,
- x25519.X25519PublicKey,
- x448.X448PublicKey,
- ),
- ):
- raise TypeError(
- "Expecting one of DSAPublicKey, RSAPublicKey,"
- " EllipticCurvePublicKey, Ed25519PublicKey,"
- " Ed448PublicKey, X25519PublicKey, or "
- "X448PublicKey."
- )
- if self._public_key is not None:
- raise ValueError("The public key may only be set once.")
- return CertificateBuilder(
- self._issuer_name,
- self._subject_name,
- key,
- self._serial_number,
- self._not_valid_before,
- self._not_valid_after,
- self._extensions,
- )
- def serial_number(self, number: int) -> "CertificateBuilder":
- """
- Sets the certificate serial number.
- """
- if not isinstance(number, int):
- raise TypeError("Serial number must be of integral type.")
- if self._serial_number is not None:
- raise ValueError("The serial number may only be set once.")
- if number <= 0:
- raise ValueError("The serial number should be positive.")
- # ASN.1 integers are always signed, so most significant bit must be
- # zero.
- if number.bit_length() >= 160: # As defined in RFC 5280
- raise ValueError(
- "The serial number should not be more than 159 " "bits."
- )
- return CertificateBuilder(
- self._issuer_name,
- self._subject_name,
- self._public_key,
- number,
- self._not_valid_before,
- self._not_valid_after,
- self._extensions,
- )
- def not_valid_before(
- self, time: datetime.datetime
- ) -> "CertificateBuilder":
- """
- Sets the certificate activation time.
- """
- if not isinstance(time, datetime.datetime):
- raise TypeError("Expecting datetime object.")
- if self._not_valid_before is not None:
- raise ValueError("The not valid before may only be set once.")
- time = _convert_to_naive_utc_time(time)
- if time < _EARLIEST_UTC_TIME:
- raise ValueError(
- "The not valid before date must be on or after"
- " 1950 January 1)."
- )
- if self._not_valid_after is not None and time > self._not_valid_after:
- raise ValueError(
- "The not valid before date must be before the not valid after "
- "date."
- )
- return CertificateBuilder(
- self._issuer_name,
- self._subject_name,
- self._public_key,
- self._serial_number,
- time,
- self._not_valid_after,
- self._extensions,
- )
- def not_valid_after(self, time: datetime.datetime) -> "CertificateBuilder":
- """
- Sets the certificate expiration time.
- """
- if not isinstance(time, datetime.datetime):
- raise TypeError("Expecting datetime object.")
- if self._not_valid_after is not None:
- raise ValueError("The not valid after may only be set once.")
- time = _convert_to_naive_utc_time(time)
- if time < _EARLIEST_UTC_TIME:
- raise ValueError(
- "The not valid after date must be on or after"
- " 1950 January 1."
- )
- if (
- self._not_valid_before is not None
- and time < self._not_valid_before
- ):
- raise ValueError(
- "The not valid after date must be after the not valid before "
- "date."
- )
- return CertificateBuilder(
- self._issuer_name,
- self._subject_name,
- self._public_key,
- self._serial_number,
- self._not_valid_before,
- time,
- self._extensions,
- )
- def add_extension(
- self, extval: ExtensionType, critical: bool
- ) -> "CertificateBuilder":
- """
- Adds an X.509 extension to the certificate.
- """
- if not isinstance(extval, ExtensionType):
- raise TypeError("extension must be an ExtensionType")
- extension = Extension(extval.oid, critical, extval)
- _reject_duplicate_extension(extension, self._extensions)
- return CertificateBuilder(
- self._issuer_name,
- self._subject_name,
- self._public_key,
- self._serial_number,
- self._not_valid_before,
- self._not_valid_after,
- self._extensions + [extension],
- )
- def sign(
- self,
- private_key: CERTIFICATE_PRIVATE_KEY_TYPES,
- algorithm: typing.Optional[hashes.HashAlgorithm],
- backend: typing.Any = None,
- ) -> Certificate:
- """
- Signs the certificate using the CA's private key.
- """
- if self._subject_name is None:
- raise ValueError("A certificate must have a subject name")
- if self._issuer_name is None:
- raise ValueError("A certificate must have an issuer name")
- if self._serial_number is None:
- raise ValueError("A certificate must have a serial number")
- if self._not_valid_before is None:
- raise ValueError("A certificate must have a not valid before time")
- if self._not_valid_after is None:
- raise ValueError("A certificate must have a not valid after time")
- if self._public_key is None:
- raise ValueError("A certificate must have a public key")
- return rust_x509.create_x509_certificate(self, private_key, algorithm)
- class CertificateRevocationListBuilder:
- _extensions: typing.List[Extension[ExtensionType]]
- _revoked_certificates: typing.List[RevokedCertificate]
- def __init__(
- self,
- issuer_name: typing.Optional[Name] = None,
- last_update: typing.Optional[datetime.datetime] = None,
- next_update: typing.Optional[datetime.datetime] = None,
- extensions: typing.List[Extension[ExtensionType]] = [],
- revoked_certificates: typing.List[RevokedCertificate] = [],
- ):
- self._issuer_name = issuer_name
- self._last_update = last_update
- self._next_update = next_update
- self._extensions = extensions
- self._revoked_certificates = revoked_certificates
- def issuer_name(
- self, issuer_name: Name
- ) -> "CertificateRevocationListBuilder":
- if not isinstance(issuer_name, Name):
- raise TypeError("Expecting x509.Name object.")
- if self._issuer_name is not None:
- raise ValueError("The issuer name may only be set once.")
- return CertificateRevocationListBuilder(
- issuer_name,
- self._last_update,
- self._next_update,
- self._extensions,
- self._revoked_certificates,
- )
- def last_update(
- self, last_update: datetime.datetime
- ) -> "CertificateRevocationListBuilder":
- if not isinstance(last_update, datetime.datetime):
- raise TypeError("Expecting datetime object.")
- if self._last_update is not None:
- raise ValueError("Last update may only be set once.")
- last_update = _convert_to_naive_utc_time(last_update)
- if last_update < _EARLIEST_UTC_TIME:
- raise ValueError(
- "The last update date must be on or after" " 1950 January 1."
- )
- if self._next_update is not None and last_update > self._next_update:
- raise ValueError(
- "The last update date must be before the next update date."
- )
- return CertificateRevocationListBuilder(
- self._issuer_name,
- last_update,
- self._next_update,
- self._extensions,
- self._revoked_certificates,
- )
- def next_update(
- self, next_update: datetime.datetime
- ) -> "CertificateRevocationListBuilder":
- if not isinstance(next_update, datetime.datetime):
- raise TypeError("Expecting datetime object.")
- if self._next_update is not None:
- raise ValueError("Last update may only be set once.")
- next_update = _convert_to_naive_utc_time(next_update)
- if next_update < _EARLIEST_UTC_TIME:
- raise ValueError(
- "The last update date must be on or after" " 1950 January 1."
- )
- if self._last_update is not None and next_update < self._last_update:
- raise ValueError(
- "The next update date must be after the last update date."
- )
- return CertificateRevocationListBuilder(
- self._issuer_name,
- self._last_update,
- next_update,
- self._extensions,
- self._revoked_certificates,
- )
- def add_extension(
- self, extval: ExtensionType, critical: bool
- ) -> "CertificateRevocationListBuilder":
- """
- Adds an X.509 extension to the certificate revocation list.
- """
- if not isinstance(extval, ExtensionType):
- raise TypeError("extension must be an ExtensionType")
- extension = Extension(extval.oid, critical, extval)
- _reject_duplicate_extension(extension, self._extensions)
- return CertificateRevocationListBuilder(
- self._issuer_name,
- self._last_update,
- self._next_update,
- self._extensions + [extension],
- self._revoked_certificates,
- )
- def add_revoked_certificate(
- self, revoked_certificate: RevokedCertificate
- ) -> "CertificateRevocationListBuilder":
- """
- Adds a revoked certificate to the CRL.
- """
- if not isinstance(revoked_certificate, RevokedCertificate):
- raise TypeError("Must be an instance of RevokedCertificate")
- return CertificateRevocationListBuilder(
- self._issuer_name,
- self._last_update,
- self._next_update,
- self._extensions,
- self._revoked_certificates + [revoked_certificate],
- )
- def sign(
- self,
- private_key: CERTIFICATE_PRIVATE_KEY_TYPES,
- algorithm: typing.Optional[hashes.HashAlgorithm],
- backend: typing.Any = None,
- ) -> CertificateRevocationList:
- if self._issuer_name is None:
- raise ValueError("A CRL must have an issuer name")
- if self._last_update is None:
- raise ValueError("A CRL must have a last update time")
- if self._next_update is None:
- raise ValueError("A CRL must have a next update time")
- return rust_x509.create_x509_crl(self, private_key, algorithm)
- class RevokedCertificateBuilder:
- def __init__(
- self,
- serial_number: typing.Optional[int] = None,
- revocation_date: typing.Optional[datetime.datetime] = None,
- extensions: typing.List[Extension[ExtensionType]] = [],
- ):
- self._serial_number = serial_number
- self._revocation_date = revocation_date
- self._extensions = extensions
- def serial_number(self, number: int) -> "RevokedCertificateBuilder":
- if not isinstance(number, int):
- raise TypeError("Serial number must be of integral type.")
- if self._serial_number is not None:
- raise ValueError("The serial number may only be set once.")
- if number <= 0:
- raise ValueError("The serial number should be positive")
- # ASN.1 integers are always signed, so most significant bit must be
- # zero.
- if number.bit_length() >= 160: # As defined in RFC 5280
- raise ValueError(
- "The serial number should not be more than 159 " "bits."
- )
- return RevokedCertificateBuilder(
- number, self._revocation_date, self._extensions
- )
- def revocation_date(
- self, time: datetime.datetime
- ) -> "RevokedCertificateBuilder":
- if not isinstance(time, datetime.datetime):
- raise TypeError("Expecting datetime object.")
- if self._revocation_date is not None:
- raise ValueError("The revocation date may only be set once.")
- time = _convert_to_naive_utc_time(time)
- if time < _EARLIEST_UTC_TIME:
- raise ValueError(
- "The revocation date must be on or after" " 1950 January 1."
- )
- return RevokedCertificateBuilder(
- self._serial_number, time, self._extensions
- )
- def add_extension(
- self, extval: ExtensionType, critical: bool
- ) -> "RevokedCertificateBuilder":
- if not isinstance(extval, ExtensionType):
- raise TypeError("extension must be an ExtensionType")
- extension = Extension(extval.oid, critical, extval)
- _reject_duplicate_extension(extension, self._extensions)
- return RevokedCertificateBuilder(
- self._serial_number,
- self._revocation_date,
- self._extensions + [extension],
- )
- def build(self, backend: typing.Any = None) -> RevokedCertificate:
- if self._serial_number is None:
- raise ValueError("A revoked certificate must have a serial number")
- if self._revocation_date is None:
- raise ValueError(
- "A revoked certificate must have a revocation date"
- )
- return _RawRevokedCertificate(
- self._serial_number,
- self._revocation_date,
- Extensions(self._extensions),
- )
- def random_serial_number() -> int:
- return int.from_bytes(os.urandom(20), "big") >> 1
|