�

�>b0n��L�dd
lZdd
l
Z
dd
lZdd
lZddlmZ
ddlmZmZ
ddl	m
Z

ddlmZm
Z

ddlmZmZmZmZmZ
ddlmZmZmZ
ddlmZ
dd	lmZ
e
jd
dd�ZGd�d
e�Zdedej>efd�Z dedej>ejBee"ffd�Z#de
jde
jfd�Z$Gd�dejJ�Z&Gd�de�Z'Gd�dejP��Z)Gd�dejP��Z*Gd �d!ejP��Z+Gd"�d#ejP��Z,d4d$e"de)fd%�Z-d4d$e"de)fd&�Z.d4d$e"de,fd'�Z/d4d$e"de,fd(�Z0d4d$e"de+fd)�Z1d4d$e"de+fd*�Z2Gd+�d,e3�Z4Gd-�d.e3�Z5Gd/�d0e3�Z6Gd1�d2e3�Z7de8fd3�Z9y
)5�N)
�utils)�_PRIVATE_KEY_TYPES�_PUBLIC_KEY_TYPES)
�_get_backend)�hashes�
serialization)�dsa�ec�ed25519�ed448�rsa)�	Extension�
ExtensionType�
Extensions)
�Name)
�ObjectIdentifieri��
c���eZ
dZ�f
d
�Z�x
ZS)�AttributeNotFoundc�:�
�tt|�|
�

||_y�
N)�superr�__init__�oid)�self�msgr�	__class__s   ��8/usr/lib/python3/dist-packages/cryptography/x509/base.pyrzAttributeNotFound.__init__s���
���/��4������__name__�
__module__�__qualname__r�
__classcell__�
rs
@rrrs
����rr�	extension�
extensionsc�Z�|
D]&}|j|jk(s
�td
�
�
y)Nz$This extension has already been set.)r�
ValueError)r&r'�
es   r�_reject_duplicate_extensionr+$s*���
��5�5�I�M�M�!��C�D�D�rr�
attributesc�8�|
D]\}}||k(s
�t
d
�
�
y)Nz$This attribute has already been set.)
r))rr,�attr_oid�
_s    r�_reject_duplicate_attributer0-s%��
"���!��s�?��C�D�D�"r�time�returnc
��|j�=|j�}
|
r|
ntj�}
|j	d
��
|
z
S|S)z�Normalizes a datetime to a naive datetime in UTC.

    time -- datetime to normalize. Assumed to be in UTC if not timezone
            aware.
    N)
�tzinfo)r4�	utcoffset�datetime�	timedelta�replace)r1�offsets  r�_convert_to_naive_utc_timer:7sG���{�{�����!��!��x�'9�'9�';���|�|�4�|�(�6�1�1��rc
��eZ
dZd
ZdZy)�Versionr�N)r!r"r#�v1�v3�rrr<r<Es��	
�B�	
�Brr<c���eZ
dZ�f
d
�Z�x
ZS)�InvalidVersionc�:�
�tt|�|
�

||_yr)rrBr�parsed_version)rrrDrs   �rrzInvalidVersion.__init__Ks���
�n�d�,�S�1�,��rr r%s
@rrBrBJs
���-�-rrBc�d�eZ
dZejd
ejdefd��Zejde
fd��Zejdefd��Z
ejdefd��Zejdej fd��Zejdej fd��Zejdefd	��Zejdefd
��Zejdej.ejfd��Zejdefd��Zejdefd
��Zejdefd��Zejdefd��Zejdede fd��Z!ejdede fd��Z"ejde
fd��Z#ejde$jJdefd��Z&y)�Certificate�	algorithmr2c��y
�z4
        Returns bytes using digest passed.
        Nr@�rrGs  r�fingerprintzCertificate.fingerprintQ��rc
��y
)z3
        Returns certificate serial number
        Nr@�
rs
 r�
serial_numberzCertificate.serial_numberWrLrc
��y
)z1
        Returns the certificate version
        Nr@rNs
 r�versionzCertificate.version]rLrc
��y
�z(
        Returns the public key
        Nr@rNs
 r�
public_keyzCertificate.public_keycrLrc
��y
)z?
        Not before time (represented as UTC datetime)
        Nr@rNs
 r�not_valid_beforezCertificate.not_valid_beforeirLrc
��y
)z>
        Not after time (represented as UTC datetime)
        Nr@rNs
 r�not_valid_afterzCertificate.not_valid_afterorLrc
��y
)z1
        Returns the issuer name object.
        Nr@rNs
 r�issuerzCertificate.issuerurLrc
��y
�z2
        Returns the subject name object.
        Nr@rNs
 r�subjectzCertificate.subject{rLrc
��y
�zt
        Returns a HashAlgorithm corresponding to the type of the digest signed
        in the certificate.
        Nr@rNs
 r�signature_hash_algorithmz$Certificate.signature_hash_algorithm�rLrc
��y
�zJ
        Returns the ObjectIdentifier of the signature algorithm.
        Nr@rNs
 r�signature_algorithm_oidz#Certificate.signature_algorithm_oid�rLrc
��y
)z/
        Returns an Extensions object.
        Nr@rNs
 rr'zCertificate.extensions�rLrc
��y
�z.
        Returns the signature bytes.
        Nr@rNs
 r�	signaturezCertificate.signature�rLrc
��y
)zR
        Returns the tbsCertificate payload bytes as defined in RFC 5280.
        Nr@rNs
 r�tbs_certificate_bytesz!Certificate.tbs_certificate_bytes�rLr�otherc��y
�z"
        Checks equality.
        Nr@�rrjs  r�__eq__zCertificate.__eq__�rLrc��y
�z#
        Checks not equal.
        Nr@rms  r�__ne__zCertificate.__ne__�rLrc
��y
�z"
        Computes a hash.
        Nr@rNs
 r�__hash__zCertificate.__hash__�rLr�encodingc��y
)zB
        Serializes the certificate to PEM or DER format.
        Nr@�rrus  r�public_byteszCertificate.public_bytes�rLrN)'r!r"r#�abc�abstractmethodr�
HashAlgorithm�bytesrK�abstractproperty�intrOr<rQrrTr6rVrXrrZr]�typing�Optionalr`rrcrr'rgri�object�boolrnrqrtr�Encodingrxr@rrrFrFPsw������V�%9�%9��e����
	����s����
	��������
	����-����
	����(�"3�"3����
	�����!2�!2����
	��������
	��������
	����	����-�-�	.����	����)9����
	����J����
	����5����
	����u����
	����F��t����
	����F��t����
	����#����
	����]�%;�%;�����rrF)
�	metaclassc��eZ
dZejd
efd��Zejd
ejfd��Zejd
e	fd��Z
y)�RevokedCertificater2c
��y
)zG
        Returns the serial number of the revoked certificate.
        Nr@rNs
 rrOz RevokedCertificate.serial_number�rLrc
��y
)zH
        Returns the date of when this certificate was revoked.
        Nr@rNs
 r�revocation_datez"RevokedCertificate.revocation_date�rLrc
��y
)zW
        Returns an Extensions object containing a list of Revoked extensions.
        Nr@rNs
 rr'zRevokedCertificate.extensions�rLrN)r!r"r#ryr}r~rOr6r�rr'r@rrr�r��si������s����
	�����!2�!2����
	����J���rr�c�`�eZ
dZejd
ejdefd��Zejde	jdefd��Zejdede
jefd��Zej"de	jfd��Zej"defd	��Zej"defd
��Zej"dej.fd��Zej"dej.fd��Zej"defd
��Zej"defd��Zej"defd��Zejdedefd��Z ejdedefd��Z!ejdefd��Z"ejd��Z#ejd��Z$ejde%defd��Z&y)�CertificateRevocationListrur2c��y
)z:
        Serializes the CRL to PEM or DER format.
        Nr@rws  rrxz&CertificateRevocationList.public_bytes�rLrrGc��y
rIr@rJs  rrKz%CertificateRevocationList.fingerprint�rLrrOc��y
)zs
        Returns an instance of RevokedCertificate or None if the serial_number
        is not in the CRL.
        Nr@)rrOs  r�(get_revoked_certificate_by_serial_numberzBCertificateRevocationList.get_revoked_certificate_by_serial_number�rLrc
��y
r_r@rNs
 rr`z2CertificateRevocationList.signature_hash_algorithm�rLrc
��y
rbr@rNs
 rrcz1CertificateRevocationList.signature_algorithm_oid�rLrc
��y
)zC
        Returns the X509Name with the issuer of this CRL.
        Nr@rNs
 rrZz CertificateRevocationList.issuer�rLrc
��y
)z?
        Returns the date of next update for this CRL.
        Nr@rNs
 r�next_updatez%CertificateRevocationList.next_update�rLrc
��y
)z?
        Returns the date of last update for this CRL.
        Nr@rNs
 r�last_updatez%CertificateRevocationList.last_update�rLrc
��y
)zS
        Returns an Extensions object containing a list of CRL extensions.
        Nr@rNs
 rr'z$CertificateRevocationList.extensions
rLrc
��y
rfr@rNs
 rrgz#CertificateRevocationList.signature

rLrc
��y
)zO
        Returns the tbsCertList payload bytes as defined in RFC 5280.
        Nr@rNs
 r�tbs_certlist_bytesz,CertificateRevocationList.tbs_certlist_bytes
rLrrjc��y
rlr@rms  rrnz CertificateRevocationList.__eq__
rLrc��y
rpr@rms  rrqz CertificateRevocationList.__ne__
rLrc
��y
)z<
        Number of revoked certificates in the CRL.
        Nr@rNs
 r�__len__z!CertificateRevocationList.__len__"
rLrc��y
)zS
        Returns a revoked certificate (or slice of revoked certificates).
        Nr@)r�idxs  r�__getitem__z%CertificateRevocationList.__getitem__(
rLrc
��y
)z8
        Iterator over the revoked certificates
        Nr@rNs
 r�__iter__z"CertificateRevocationList.__iter__.
rLrrTc��y
)zQ
        Verifies signature of revocation list against given public key.
        Nr@)rrTs  r�is_signature_validz,CertificateRevocationList.is_signature_valid4
rLrN)'r!r"r#ryrzrr�r|rxrr{rKr~rr�r�r�r}r`rrcrrZr6r�r�rr'rgr�r�r�rnrqr�r�r�rr�r@rrr�r��sy������]�%;�%;������
	����V�%9�%9��e����
	���� ��	���+�	,����	����&�*>�*>����	����)9����
	��������
	����X�.�.����
	����X�.�.����
	����J����
	����5����
	����E����
	����F��t����
	����F��t����
	��������
	������
	������
	����->��4���rr�c�f�eZ
dZejd
edefd��Zejd
edefd��Zejde	fd��Z
ejdefd��Zejdefd��Zejdej"fd��Zejdefd	��Zejdefd
��Zejdej0defd��Zejdefd
��Zejdefd��Zejdefd��Zejdedefd��Zy)�CertificateSigningRequestrjr2c��y
rlr@rms  rrnz CertificateSigningRequest.__eq__<
rLrc��y
rpr@rms  rrqz CertificateSigningRequest.__ne__B
rLrc
��y
rsr@rNs
 rrtz"CertificateSigningRequest.__hash__H
rLrc
��y
rSr@rNs
 rrTz$CertificateSigningRequest.public_keyN
rLrc
��y
r\r@rNs
 rr]z!CertificateSigningRequest.subjectT
rLrc
��y
r_r@rNs
 rr`z2CertificateSigningRequest.signature_hash_algorithmZ
rLrc
��y
rbr@rNs
 rrcz1CertificateSigningRequest.signature_algorithm_oida
rLrc
��y
)z@
        Returns the extensions in the signing request.
        Nr@rNs
 rr'z$CertificateSigningRequest.extensionsg
rLrruc��y
)z;
        Encodes the request to PEM or DER format.
        Nr@rws  rrxz&CertificateSigningRequest.public_bytesm
rLrc
��y
rfr@rNs
 rrgz#CertificateSigningRequest.signatures
rLrc
��y
)zd
        Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC
        2986.
        Nr@rNs
 r�tbs_certrequest_bytesz/CertificateSigningRequest.tbs_certrequest_bytesy
rLrc
��y
)z8
        Verifies signature of signing request.
        Nr@rNs
 rr�z,CertificateSigningRequest.is_signature_valid�
rLrrc��y
)z:
        Get the attribute value for a given OID.
        Nr@)rrs  r�get_attribute_for_oidz/CertificateSigningRequest.get_attribute_for_oid�
rLrN)r!r"r#ryrzr�r�rnrqr~rtrrTr}rr]rr{r`rrcrr'rr�r|rxrgr�r�r�r@rrr�r�;
s�
������F��t����
	����F��t����
	����#����
	����-����
	��������
	����&�*>�*>����	����)9����
	����J����
	����]�%;�%;������
	����5����
	����u����	����D����
	����)9��e���rr��datac�:�t
|
�
}
|
j|�
Sr)r�load_pem_x509_certificate�r��backends  rr�r��
����7�#�G��,�,�T�2�2rc�:�t
|
�
}
|
j|�
Sr)r�load_der_x509_certificater�s  rr�r��
r�rc�:�t
|
�
}
|
j|�
Sr)r�load_pem_x509_csrr�s  rr�r��
����7�#�G��$�$�T�*�*rc�:�t
|
�
}
|
j|�
Sr)r�load_der_x509_csrr�s  rr�r��
r�rc�:�t
|
�
}
|
j|�
Sr)r�load_pem_x509_crlr�s  rr�r��
r�rc�:�t
|
�
}
|
j|�
Sr)r�load_der_x509_crlr�s  rr�r��
r�rc�r�eZ
dZd
ggfd�
Zdefd�Zdedefd�Zde	d	e
fd
�Z	ddede
jd
efd�Zy
)� CertificateSigningRequestBuilderNc�.�|
|_||_
||_y
)zB
        Creates an empty X.509 certificate request (v1).
        N)�
_subject_name�_extensions�_attributes)r�subject_namer'r,s    rrz)CertificateSigningRequestBuilder.__init__�
s��*���%���%��r�namec��t
|
t�std
�
�
|j�t	d�
�
t|
|j|j�S)zF
        Sets the certificate requestor's distinguished name.
        �Expecting x509.Name object.�&The subject name may only be set once.)�
isinstancer�	TypeErrorr�r)r�r�r��rr�s  rr�z-CertificateSigningRequestBuilder.subject_name�
sR���$��%��9�:�:����)��E�F�F�/��$�"�"�D�$4�$4�
�	
r�extval�criticalc���t
|
t�std
�
�
t|
j||
�}t||j�
t|j|j|g
z|j�S)zE
        Adds an X.509 extension to the certificate request.
        �"extension must be an ExtensionType)
r�rr�rrr+r�r�r�r��rr�r�r&s    r�
add_extensionz.CertificateSigningRequestBuilder.add_extension�
sk���&�-�0��@�A�A��f�j�j�(�F�;�	�#�I�t�/?�/?�@�/�������	�{�*����
�	
rr�valuec��t
|
t�std
�
�
t
|t�std�
�
t	|
|j
�
t
|j|j|j
|
|fg
z�S)zK
        Adds an X.509 attribute with an OID and associated value.
        zoid must be an ObjectIdentifierzvalue must be bytes)	r�rr�r|r0r�r�r�r�)rrr�s   r�
add_attributez.CertificateSigningRequestBuilder.add_attribute�
st���#�/�0��=�>�>��%��'��1�2�2�#�C��)9�)9�:�/�����������e��~�-�
�	
r�private_keyrGr2c�l�t
|�
}|j�td
�
�
|j||
|�S)zF
        Signs the request using the requestor's private key.
        z/A CertificateSigningRequest must have a subject)rr�r)�create_x509_csr�rr�rGr�s    r�signz%CertificateSigningRequestBuilder.sign�
s;���w�'�����%��N�O�O��&�&�t�[�)�D�Drr)r!r"r#rrr�rr�r�rr|r�rrr{r�r�r@rrr�r��
sq��$(�R�B�&�

��

�
�M�
�T�
� 
�!1�
�%�
�,�	E
�'�E
��'�'�E
�

#�E
rr�c���eZ
dZd
d
d
d
d
d
gfd�
Zdefd�Zdefd�Zdefd�Zde	fd	�Z
d
ejfd�Zd
ejfd�Z
d
edefd�Z	ddedej&defd�Zy
)�CertificateBuilderNc��tj|_|
|_||_||_||_||_||_||_	yr)
r<r?�_version�_issuer_namer��_public_key�_serial_number�_not_valid_before�_not_valid_afterr�)r�issuer_namer�rTrOrVrXr's        rrzCertificateBuilder.__init__�
sG�� �
�
��
�'���)���%���+���!1��� /���%��rr�c	�
�t
|
t�std
�
�
|j�t	d�
�
t|
|j|j|j|j|j|j�S)z3
        Sets the CA's distinguished name.
        r��%The issuer name may only be set once.)r�rr�r�r)r�r�r�r�r�r�r�r�s  rr�zCertificateBuilder.issuer_namesx���$��%��9�:�:����(��D�E�E�!������������"�"��!�!����
�	
rc	�
�t
|
t�std
�
�
|j�t	d�
�
t|j|
|j|j|j|j|j�S)z:
        Sets the requestor's distinguished name.
        r�r�)r�rr�r�r)r�r�r�r�r�r�r�r�s  rr�zCertificateBuilder.subject_namesx���$��%��9�:�:����)��E�F�F�!������������"�"��!�!����
�	
r�keyc	�
�t
|
tjtjt
jtjtjf�std
�
�
|j�td�
�
t|j|j |
|j"|j$|j&|j(�S)zT
        Sets the requestor's public key (as found in the signing request).
        zhExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey or Ed448PublicKey.z$The public key may only be set once.)r�r	�DSAPublicKeyr
�RSAPublicKeyr
�EllipticCurvePublicKeyr�Ed25519PublicKeyr�Ed448PublicKeyr�r�r)r�r�r�r�r�r�r�)rr�s  rrTzCertificateBuilder.public_key)s������ � �� � ��)�)��(�(��$�$�
�	
��#��
�
���'��C�D�D�!������������"�"��!�!����
�	
r�numberc	�\
�t
|
t�std
�
�
|j�t	d�
�
|
dkrt	d�
�
|
j�dk\rt	d�
�
t
|j|j|j|
|j|j|j�S)z5
        Sets the certificate serial number.
        �'Serial number must be of integral type.�'The serial number may only be set once.rz%The serial number should be positive.��3The serial number should not be more than 159 bits.)
r�r~r�r�r)�
bit_lengthr�r�r�r�r�r�r��rr�s  rrOz CertificateBuilder.serial_numberKs����&�#�&��E�F�F����*��F�G�G��Q�;��D�E�E�����#�%��H��
�"������������"�"��!�!����
�	
rr1c	�
�t
|
tj�std
�
�
|j�t	d�
�
t|
�
}
|
tkrt	d�
�
|j�|
|jkDrt	d�
�
t|j|j|j|j|
|j|j�S)z7
        Sets the certificate activation time.
        �Expecting datetime object.z*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)r�r6r�r�r)r:�_EARLIEST_UTC_TIMEr�r�r�r�r�r�r��rr1s  rrVz#CertificateBuilder.not_valid_beforefs����$�� 1� 1�2��8�9�9��!�!�-��I�J�J�)�$�/���$�$��
$��
�� � �,���8M�8M�1M��
��
�"���������������!�!����
�	
rc	�
�t
|
tj�std
�
�
|j�t	d�
�
t|
�
}
|
tkrt	d�
�
|j�|
|jkrt	d�
�
t|j|j|j|j|j|
|j�S)z7
        Sets the certificate expiration time.
        r
z)The not valid after may only be set once.z<The not valid after date must be on or after 1950 January 1.zAThe not valid after date must be after the not valid before date.)r�r6r�r�r)r:r
r�r�r�r�r�r�r�r
s  rrXz"CertificateBuilder.not_valid_after�s����$�� 1� 1�2��8�9�9�� � �,��H�I�I�)�$�/���$�$��
#��
�

�"�"�.��t�-�-�-��
��
�"��������������"�"�����
�	
rr�r�c
�H
�t
|
t�std
�
�
t|
j||
�}t||j�
t|j|j|j|j|j|j|j|g
z�S)z=
        Adds an X.509 extension to the certificate.
        r�)r�rr�rrr+r�r�r�r�r�r�r�r�r�s    rr�z CertificateBuilder.add_extension�s����&�-�0��@�A�A��f�j�j�(�F�;�	�#�I�t�/?�/?�@�!��������������"�"��!�!����	�{�*�
�	
rr�rGr2c�R
�t
|�
}|j�td
�
�
|j�td�
�
|j�td�
�
|j
�td�
�
|j�td�
�
|j�td�
�
|j||
|�S)zC
        Signs the certificate using the CA's private key.
        z&A certificate must have a subject namez&A certificate must have an issuer namez'A certificate must have a serial numberz/A certificate must have a not valid before timez.A certificate must have a not valid after timez$A certificate must have a public key)	rr�r)r�r�r�r�r��create_x509_certificater�s    rr�zCertificateBuilder.sign�s����w�'�����%��E�F�F����$��E�F�F����&��F�G�G��!�!�)��N�O�O�� � �(��M�N�N����#��C�D�D��.�.�t�[�)�L�Lrr)r!r"r#rrr�r�rrTr~rOr6rVrXrr�r�rrr{rFr�r@rrr�r��
s����������&�&
��
�$
��
�$ 
�
� 
�D

�C�
�6
�X�%6�%6�
�:
�H�$5�$5�
�@

�M�
�T�
�0�	M
�'�M
��'�'�M
�

�M
rr�c��eZ
dZd
d
d
ggfd�
Zdefd�Zdejfd�Zdejfd�Zd	e	d
e
fd�Zdefd
�Z
	ddedej defd�Zy
)� CertificateRevocationListBuilderNc�J�|
|_||_
||_||_||_yr)r��_last_update�_next_updater��_revoked_certificates)rr�r�r�r'�revoked_certificatess      rrz)CertificateRevocationListBuilder.__init__�s,��(���'���'���%���%9��"rr�c���t
|
t�std
�
�
|j�t	d�
�
t|
|j|j|j|j�S)Nr�r�)
r�rr�r�r)r

r
r

r�r
)rr�s  rr�z,CertificateRevocationListBuilder.issuer_name�sd���+�t�,��9�:�:����(��D�E�E�/������������&�&�
�	
rr�c�r
�t
|
tj�std
�
�
|j�t	d�
�
t|
�
}
|
tkrt	d�
�
|j�|
|jkDrt	d�
�
t|j|
|j|j|j�S)Nr
�!Last update may only be set once.�8The last update date must be on or after 1950 January 1.z9The last update date must be before the next update date.)r�r6r�r
r)r:r
r

r

r�r�r
)rr�s  rr�z,CertificateRevocationListBuilder.last_update�s����+�x�'8�'8�9��8�9�9����(��@�A�A�0��=���+�+��M��
����(�[�4�;L�;L�-L��K��
�0������������&�&�
�	
rr�c�r
�t
|
tj�std
�
�
|j�t	d�
�
t|
�
}
|
tkrt	d�
�
|j�|
|jkrt	d�
�
t|j|j|
|j|j�S)Nr
r
r
z8The next update date must be after the last update date.)r�r6r�r

r)r:r
r
r

r�r�r
)rr�s  rr�z,CertificateRevocationListBuilder.next_updates����+�x�'8�'8�9��8�9�9����(��@�A�A�0��=���+�+��M��
����(�[�4�;L�;L�-L��J��
�0������������&�&�
�	
rr�r�c�
�t
|
t�std
�
�
t|
j||
�}t||j�
t|j|j|j|j|g
z|j�S)zM
        Adds an X.509 extension to the certificate revocation list.
        r�)r�rr�rrr+r�r

r�r
r

r
r�s    rr�z.CertificateRevocationListBuilder.add_extensions}���&�-�0��@�A�A��f�j�j�(�F�;�	�#�I�t�/?�/?�@�/�������������	�{�*��&�&�
�	
r�revoked_certificatec���t
|
t�std
�
�
t|j|j
|j|j|j|
g
z�S)z8
        Adds a revoked certificate to the CRL.
        z)Must be an instance of RevokedCertificate)	r�r�r�r

r�r
r

r�r
)rr
s  r�add_revoked_certificatez8CertificateRevocationListBuilder.add_revoked_certificate/s_���-�/A�B��G�H�H�/��������������&�&�*=�)>�>�
�	
rr�rGr2c���t
|�
}|j�td
�
�
|j�td�
�
|j�td�
�
|j||
|�S)NzA CRL must have an issuer namez"A CRL must have a last update timez"A CRL must have a next update time)rr�r)r
r

�create_x509_crlr�s    rr�z%CertificateRevocationListBuilder.sign>sk���w�'�����$��=�>�>����$��A�B�B����$��A�B�B��&�&�t�[�)�D�Drr)r!r"r#rrr�r6r�r�rr�r�r�r
rrr{r�r�r@rrr

r

�s��������
:�
�t�
�
�x�'8�'8�
�,
�x�'8�'8�
�,
�M�
�T�
�"

�;M�

�&�	E
�'�E
��'�'�E
�

#�E
rr

c�d�eZ
dZd
d
gfd�
Zdefd�Zdejfd�Zdede	fd	�Z
dd
efd�Zy
)
�RevokedCertificateBuilderNc�.�|
|_||_
||_yr)r��_revocation_dater�)rrOr�r's    rrz"RevokedCertificateBuilder.__init__Rs��,��� /���%��rr�c�
�t
|
t�std
�
�
|j�t	d�
�
|
dkrt	d�
�
|
j�dk\rt	d�
�
t
|
|j|j�S)Nr�r�rz$The serial number should be positiver�r�)	r�r~r�r�r)r�r
r
r�r
s  rrOz'RevokedCertificateBuilder.serial_numberYs����&�#�&��E�F�F����*��F�G�G��Q�;��C�D�D�����#�%��H��
�)��D�)�)�4�+;�+;�
�	
rr1c��t
|
tj�std
�
�
|j�t	d�
�
t|
�
}
|
tkrt	d�
�
t|j|
|j�S)Nr
z)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.)
r�r6r�r
r)r:r
r
r�r�r
s  rr�z)RevokedCertificateBuilder.revocation_dateks{���$�� 1� 1�2��8�9�9�� � �,��H�I�I�)�$�/���$�$��L��
�)�����t�'7�'7�
�	
rr�r�c���t
|
t�std
�
�
t|
j||
�}t||j�
t|j|j|j|g
z�S)Nr�)
r�rr�rrr+r�r
r�r
r�s    rr�z'RevokedCertificateBuilder.add_extensionysi���&�-�0��@�A�A��f�j�j�(�F�;�	�#�I�t�/?�/?�@�(�����!�!����	�{�*�
�	
rr2c��t
|
�
}
|j�td
�
�
|j�td�
�
|
j	|�
S)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)rr�r)r
�create_x509_revoked_certificate)rr�s  r�buildzRevokedCertificateBuilder.build�sS���w�'�����&��N�O�O�� � �(��C��
��6�6�t�<�<rr)
r!r"r#rr~rOr6r�rr�r�r�r$
r@rrr
r
QsL�� �$�2�&�
�C�
�$
�H�$5�$5�
�

�M�

�T�

�	=�%7�	=rr
c�Z�tjtjd
�
d�dz	S)N��bigr)r~�
from_bytes�os�urandomr@rr�random_serial_numberr+
�s ���>�>�"�*�*�R�.�%�0�A�5�5rr):ryr6r)
r�cryptographyr�cryptography.hazmat._typesrr�cryptography.hazmat.backendsr�cryptography.hazmat.primitivesrr�)cryptography.hazmat.primitives.asymmetricr	r
rrr
�cryptography.x509.extensionsrrr�cryptography.x509.namer�cryptography.x509.oidrr
�	Exceptionr�Listr+�Tupler|r0r:�Enumr<rB�ABCMetarFr�r�r�r�r�r�r�r�r�r�r�r�r

r
r~r+
r@rr�<module>r9

s�
�


�
��	�
��L�5�@�
�
�
N
�M�'�2�'�X�&�&�t�Q�
�2��
�	�
�
E
��
E
�&,�k�k�)�&<�
E
�
E
�	�
E
����F�L�L�)9�5�)@�A�B�
E
�
�X�%6�%6�
�8�;L�;L�
�
�e�j�j�
�

-�Y�
-�h

�C�K�K�h

�V
�3�;�;�
�(i

�#�+�+�i

�XO

�#�+�+�O

�d
3�E�
3�K�
3�

3�E�
3�K�
3�

+�E�
+�4M�
+�

+�E�
+�4M�
+�

+�E�
+�4M�
+�

+�E�
+�4M�
+�
C

E
�v�C

E
�Lb
M
��b
M
�Jx

E
�v�x

E
�v=
=��=
=�@

6�c�

6r