HEX
Server: LiteSpeed
System: Linux s1049.use1.mysecurecloudhost.com 4.18.0-477.27.2.lve.el8.x86_64 #1 SMP Wed Oct 11 12:32:56 UTC 2023 x86_64
User: xedaptot (3356)
PHP: 8.3.31
Disabled: NONE
Upload Files
File: //lib/python3.6/site-packages/ipalib/__pycache__/x509.cpython-36.pyc
3

�d[e�r�@s�ddlmZddlZddlZddlZddlZddlZddlZddlZddl	Z	ddl
mZddl
mZddlmZddlmZmZmZmZddlZddlZddlmZmZmZmZddlmZmZdd	l m!Z!m"Z"ddl#Z#dd
l$m%Z%ddl&m'Z'e#j(r�e)Z*dZ+dZ,e	j-d
e	j.�Z/e	j-de	j.�Z0dZ1dZ2dZ3dZ4dZ5dZ6dZ7dZ8dZ9dZ:Gdd�dej;�Z<dd�Z=dd�Z>dd �Z?d!d"�Z@d#d$�ZAd%d&�ZBdad'd(�ZCe+fd)d*�ZDd+d,�ZEd-d.�ZFd/d0�ZGdbd1d2�ZHdcd3d4�ZIGd5d6�d6ejJ�ZKGd7d8�d8ejJ�ZLd9d:�ZMGd;d<�d<ejNjO�ZPGd=d>�d>ejNjO�ZQe:ePe9eQiZRd?d@�ZSdAdB�ZTdCdD�ZUdEdF�ZVdGdH�ZWdIdJ�ZXdKdL�ZYdMdN�ZZdOdP�Z[GdQdR�dRej\�Z]dSdT�Z^GdUdV�dVej_�Z`GdWdX�dX�ZaGdYdZ�dZea�ZbGd[d\�d\eb�ZcGd]d^�d^eb�ZdGd_d`�d`ejJ�ZedS)d�)�print_functionN)�x509)�default_backend)�
serialization)�Encoding�PublicFormat�
PrivateFormat�load_pem_private_key)�univ�char�	namedtype�tag)�decoder�encoder)�rfc2315�rfc2459)�errors)�DNSName�s;(-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----)s�-----BEGIN(?: ENCRYPTED)?(?: (?:RSA|DSA|DH|EC))? PRIVATE KEY-----.*?-----END(?: ENCRYPTED)?(?: (?:RSA|DSA|DH|EC))? PRIVATE KEY-----z1.3.6.1.5.5.7.3.1z1.3.6.1.5.5.7.3.2z1.3.6.1.5.5.7.3.3z1.3.6.1.5.5.7.3.4z1.3.6.1.5.2.3.4z1.3.6.1.5.2.3.5z2.5.29.37.0z1.3.6.1.4.1.3319.6.10.16z1.3.6.1.4.1.311.20.2.3z
1.3.6.1.5.2.2c@s�eZdZdZdOdd�Zdd�Zdd�Zd	d
�Zdd�Zd
d�Z	dd�Z
dd�Zdd�Zdd�Z
dd�Zdd�Zedd��Zedd��Zedd ��Zed!d"��Zed#d$��Zed%d&��Zed'd(��Zeejd)�r�ed*d+��Zed,d-��Zed.d/��Zed0d1��Zed2d3��Zed4d5��Z ed6d7��Z!ed8d9��Z"d:d;�Z#ed<d=��Z$ed>d?��Z%ed@dA��Z&edBdC��Z'dDdE�Z(edFdG��Z)dHdI�Z*edJdK��Z+eejdL��r�dMdN�Z,dS)P�IPACertificatezf
    A proxy class wrapping a python-cryptography certificate representation for
    IPA purposes
    NcCs`||_|dkrt�n|�|_|jd�|_|jd�|_|jd�|_|jjdkr\t	d|jj��dS)z�
        :param cert: A python-cryptography Certificate object
        :param backend: A python-cryptography Backend object
        N�subject�issuerZserialNumberZv3zX.509 %s is not supported)
�_certr�backend�_IPACertificate__get_der_field�_subject�_issuer�_serial_number�version�name�
ValueError)�self�certr�r#�/usr/lib/python3.6/x509.py�__init___szIPACertificate.__init__cCs |jtj�|j|j|jd�}|S)N)rrrr)�public_bytesr�DER�
subject_bytes�issuer_bytesr)r!�stater#r#r$�__getstate__rs


zIPACertificate.__getstate__cCs8|d|_|d|_|d|_tj|dt�d�|_dS)Nrrrr)r)rr�crypto_x509�load_der_x509_certificaterr)r!r*r#r#r$�__setstate__{s



zIPACertificate.__setstate__cCsJt|tjtf�r(|jtj�|jtj�kSt|t�rB|jtj�|kSdSdS)z�
        Checks equality.

        :param other: either cryptography.Certificate or IPACertificate or
                      bytes representing a DER-formatted certificate
        FN)�
isinstancer,�Certificaterr&rr'�bytes)r!�otherr#r#r$�__eq__�s

zIPACertificate.__eq__cCs|j|�S)z#
        Checks not equal.
        )r3)r!r2r#r#r$�__ne__�szIPACertificate.__ne__cCs
t|j�S)zJ
        Computes a hash of the wrapped cryptography.Certificate.
        )�hashr)r!r#r#r$�__hash__�szIPACertificate.__hash__cCs\tj�}tj|�|d<tj|�|d<tjjd�r@tj	tj
|��}tj|�|d<tj	|�}|S)N�extnID�criticalz0.3�	extnValue)rZ	Extensionr
�ObjectIdentifierZBoolean�pyasn1�__version__�
startswithr�encode�OctetStringZAny)r!�oidr8�value�extr#r#r$Z__encode_extension�s
z!IPACertificate.__encode_extensioncCs&|j}tj|tj��d}||}|S)zO
        :returns: a field of the certificate in pyasn1 representation
        r)�tbs_certificate_bytesr�decoderZTBSCertificate)r!�fieldZ
cert_bytesr"r#r#r$Z__get_pyasn1_field�sz!IPACertificate.__get_pyasn1_fieldcCstj|j|��S)z�
        :field: the name of the field of the certificate
        :returns: bytes representing the value of a certificate field
        )rr>�!_IPACertificate__get_pyasn1_field)r!rEr#r#r$Z__get_der_field�szIPACertificate.__get_der_fieldcCs|jj|�S)zB
        Serializes the certificate to PEM or DER format.
        )rr&)r!�encodingr#r#r$r&�szIPACertificate.public_bytescCs|jj|jjkS)zT
        :returns: True if this certificate is self-signed, False otherwise
        )rrr)r!r#r#r$�is_self_signed�szIPACertificate.is_self_signedcCs|jj|�S)zL
        Counts fingerprint of the wrapped cryptography.Certificate
        )r�fingerprint)r!�	algorithmr#r#r$rI�szIPACertificate.fingerprintcCs|jjS)N)r�
serial_number)r!r#r#r$rK�szIPACertificate.serial_numbercCs|jS)N)r)r!r#r#r$�serial_number_bytes�sz"IPACertificate.serial_number_bytescCs|jjS)N)rr)r!r#r#r$r�szIPACertificate.versioncCs|jjS)N)rr)r!r#r#r$r�szIPACertificate.subjectcCs|jS)N)r)r!r#r#r$r(�szIPACertificate.subject_bytescCs|jjS)zt
        Returns a HashAlgorithm corresponding to the type of the digest signed
        in the certificate.
        )r�signature_hash_algorithm)r!r#r#r$rM�sz'IPACertificate.signature_hash_algorithmcCs|jjS)zJ
        Returns the ObjectIdentifier of the signature algorithm.
        )r�signature_algorithm_oid)r!r#r#r$rN�sz&IPACertificate.signature_algorithm_oid�signature_algorithm_parameterscCs|jjS)N)rrO)r!r#r#r$rO�sz-IPACertificate.signature_algorithm_parameterscCs|jjS)z.
        Returns the signature bytes.
        )r�	signature)r!r#r#r$rP�szIPACertificate.signaturecCs|jjS)N)rr)r!r#r#r$r�szIPACertificate.issuercCs|jS)N)r)r!r#r#r$r)szIPACertificate.issuer_bytescCs|jjS)N)r�not_valid_before)r!r#r#r$rQszIPACertificate.not_valid_beforecCs|jjS)N)r�not_valid_after)r!r#r#r$rRszIPACertificate.not_valid_aftercCs|jjS)N)rrC)r!r#r#r$rCsz$IPACertificate.tbs_certificate_bytescCs|jjS)N)r�
extensions)r!r#r#r$rSszIPACertificate.extensionscCs
|jj�S)N)r�
public_key)r!r#r#r$rTszIPACertificate.public_keycCs|jj�jtjtjd�S)N)rG�format)rrTr&rr'rZSubjectPublicKeyInfo)r!r#r#r$�public_key_info_bytess
z$IPACertificate.public_key_info_bytescCsDy|jjjtjjj�j}Wntjk
r0dSXt	dd�|D��S)Ncss|]}|jVqdS)N)�
dotted_string)�.0r@r#r#r$�	<genexpr>)sz4IPACertificate.extended_key_usage.<locals>.<genexpr>)
rrSZget_extension_for_oidr,r@ZExtensionOIDZEXTENDED_KEY_USAGErAZExtensionNotFound�set)r!Z
ext_key_usager#r#r$�extended_key_usage!sz!IPACertificate.extended_key_usagecCs^|j}|dkrdStj�}x&tt|��D]\}}tj|�||<q(Wtj|�}|j	dt
|k|�S)Nz	2.5.29.37)r[rZExtKeyUsageSyntax�	enumerate�sortedr
r:rr>�!_IPACertificate__encode_extension�EKU_ANY)r!ZekuZekurfc�ir@r#r#r$�extended_key_usage_bytes+s
z'IPACertificate.extended_key_usage_bytescCsd|j�}dd�dd�tttdd�td�}g}x2|D]*}|j�}||kr2|j|||j���q2W|S)a�
        Return SAN general names from a python-cryptography
        certificate object.  If the SAN extension is not present,
        return an empty sequence.

        Because python-cryptography does not yet provide a way to
        handle unrecognised critical extensions (which may occur),
        we must parse the certificate and extract the General Names.
        For uniformity with other code, we manually construct values
        of python-crytography GeneralName subtypes.

        python-cryptography does not yet provide types for
        ediPartyName or x400Address, so we drop these name types.

        otherNames are NOT instantiated to more specific types where
        the type is known.  Use ``process_othernames`` to do that.

        When python-cryptography can handle certs with unrecognised
        critical extensions and implements ediPartyName and
        x400Address, this function (and helpers) will be redundant
        and should go away.

        cSstjt|��S)N)r,Z
RFC822Name�unicode)�xr#r#r$�<lambda>Ssz2IPACertificate.san_general_names.<locals>.<lambda>cSstjt|��S)N)r,rrb)rcr#r#r$rdTscSstjt|��S)N)r,ZUniformResourceIdentifierrb)rcr#r#r$rdYs)Z
rfc822Name�dNSNameZ
directoryNameZregisteredIDZ	iPAddressZuniformResourceIdentifierZ	otherName)�-_IPACertificate__pyasn1_get_san_general_names�%_pyasn1_to_cryptography_directoryname�$_pyasn1_to_cryptography_registeredid�!_pyasn1_to_cryptography_ipaddress�!_pyasn1_to_cryptography_othername�getName�append�getComponent)r!�gnsZGENERAL_NAME_CONSTRUCTORS�result�gnZgn_typer#r#r$�san_general_names7s
z IPACertificate.san_general_namescCs||jd�pg}tjd�}g}xZ|D]R}|d|kr"|d}tjjd�r\tj|tj�d�d}tj|t	j
�d�d}Pq"W|S)NrSz	2.5.29.17r7r9z0.3)�asn1Specr)rFr
r:r;r<r=rrDr?rZSubjectAltName)r!rSZOID_SANrnrBZderr#r#r$Z__pyasn1_get_san_general_namesgs

z-IPACertificate.__pyasn1_get_san_general_namescCs<|j�}g}x*|D]"}|j�dkr|jt|j���qW|S)Nre)rfrkrlrbrm)r!rnrorpr#r#r$�san_a_label_dns_namesxs
z$IPACertificate.san_a_label_dns_namesc
Cs�i}g|d<}xN|jjjD]@}g}x,|D]$}|jtjjjkr*|jd|jf�q*W|j|�qW|j	}|r�g|d<}x|D]}	|jd|	f�q|Wt
j|t|�j
��dS)NrZ
commonNameZsubjectAltNameZDNS)rrZrdnsr@r,ZNameOIDZCOMMON_NAMErlrArs�ssl�match_hostnamerZToASCII)
r!ZhostnameZ
match_certZ
match_subject�rdnZ	match_rdn�ava�valuesZ	match_sanrAr#r#r$ru�s

zIPACertificate.match_hostnamecCs|jjS)N)r�tbs_precertificate_bytes)r!r#r#r$ry�sz'IPACertificate.tbs_precertificate_bytes�verify_directly_issued_bycCs|jj|�S)N)rrz)r!rr#r#r$rz�sz(IPACertificate.verify_directly_issued_by)N)-�__name__�
__module__�__qualname__�__doc__r%r+r.r3r4r6r^rFrr&rHrI�propertyrKrLrrr(rMrN�hasattrr,r0rOrPrr)rQrRrCrSrTrVr[rarqrfrsruryrzr#r#r#r$rZsP
		
0rcCsttj|t�d��S)z�
    Load an X.509 certificate in PEM format.

    :returns: a ``IPACertificate`` object.
    :raises: ``ValueError`` if unable to load the certificate.
    )r)rr,�load_pem_x509_certificater)�datar#r#r$r��sr�cCsttj|t�d��S)z�
    Load an X.509 certificate in DER format.

    :returns: a ``IPACertificate`` object.
    :raises: ``ValueError`` if unable to load the certificate.
    )r)rr,r-r)r�r#r#r$r-�sr-cCs&yt|�Stk
r t|�SXdS)a
    Only use this function when you can't be sure what kind of format does
    your certificate have, e.g. input certificate files in installers

    :returns: a ``IPACertificate`` object.
    :raises: ``ValueError`` if unable to load the certificate.
    N)r�r r-)r�r#r#r$�load_unknown_x509_certificate�sr�c	Cs$t|dd��}t|j��SQRXdS)zh
    Load a certificate from a PEM file.

    Returns a python-cryptography ``Certificate`` object.
    �rb)�modeN)�openr��read)�filename�fr#r#r$�load_certificate_from_file�sr�cCstj|�}dd�|D�S)z�
    Load a certificate list from a sequence of concatenated PEMs.

    Return a list of python-cryptography ``Certificate`` objects.
    cSsg|]}t|d��qS)r)r�)rXr"r#r#r$�
<listcomp>�sz)load_certificate_list.<locals>.<listcomp>)�PEM_CERT_REGEX�findall)r��certsr#r#r$�load_certificate_list�s
r�c	Cs"t|d��}t|j��SQRXdS)zv
    Load a certificate list from a PEM file.

    Return a list of python-cryptography ``Certificate`` objects.

    r�N)r�r�r�)r�r�r#r#r$�load_certificate_list_from_file�sr�cCszt�}g}xjtjt|�D]Z}tjd|j��dk	rZ|dkr@td��|jt|j�||d��q|jt|j�d|d��qW|S)a
    Load a private key list from a sequence of concatenated PEMs.

    :param data: bytes containing the private keys
    :param password: bytes, the password to encrypted keys in the bundle

    :returns: List of python-cryptography ``PrivateKey`` objects
    s	ENCRYPTEDNz:Password is required for the encrypted keys in the bundle.)r)	r�re�finditer�PEM_PRIV_REGEX�search�group�RuntimeErrorrlr	)r�ZpasswordZcrypto_backendZ	priv_keys�matchr#r#r$�load_private_key_list�s	

r�cCs�|tkr4tjd|tj�}|s$td��tj|jd��}tj	|t
j��\}}|rTtd��|dt
jkrjtd��tj	t
|d�t
j��\}}|r�td��g}x,|d	D] }tj|�}t|�}|j|�q�W|S)
zn
    Extract certificates from a PKCS #7 object.

    :returns: a ``list`` of ``IPACertificate`` objects.
    s------BEGIN PKCS7-----(.*?)-----END PKCS7-----znot a valid PKCS#7 PEMrznot a valid PKCS#7 messageZcontentTypez not a PKCS#7 signed data messageZcontentz&not a valid PKCS#7 signed data messageZcertificates)�PEMr�r��DOTALLr �base64Z	b64decoder�rrDrZContentInfoZ
signedDatar1Z
SignedDatarr>r-rl)r�Zdatatyper�Zcontent_info�tailZsigned_dataroZcertificater#r#r$�pkcs7_to_certss.
r�cCsDyt|�Wn2tk
r>}ztjt|�d��WYdd}~XnXdS)zO
    Perform cert validation by trying to load it via python-cryptography.
    )�errorN)r�r r�CertificateFormatError�str)r"�er#r#r$�validate_pem_x509_certificate,sr�cCsDyt|�Wn2tk
r>}ztjt|�d��WYdd}~XnXdS)zO
    Perform cert validation by trying to load it via python-cryptography.
    )r�N)r-r rr�r�)r"r�r#r#r$�validate_der_x509_certificate6sr�cCshy,t|d��}|j|jtj��WdQRXWn6ttfk
rb}ztjt	|�d��WYdd}~XnXdS)zm
    Write the certificate to a file in PEM format.

    :param cert: cryptograpy ``Certificate`` object
    �wbN)�reason)
r��writer&rr��IOError�OSErrorr�	FileErrorr�)r"r��fpr�r#r#r$�write_certificate@s
 r�cCs�yRt|d��>}|dk	r&tj|j�|�x|D]}|j|jtj��q,WWdQRXWn6tt	fk
r�}zt
jt|�d��WYdd}~XnXdS)z�
    Write a list of certificates to a file in PEM format.

    :param certs: a list of IPACertificate objects to be written to a file
    :param filename: a path to the file the certificates should be written into
    r�N)r�)
r��os�fchmod�filenor�r&rr�r�r�rr�r�)r�r�r�r�r"r�r#r#r$�write_certificate_listNs
$r�cCs�|dk	rtj|�}ntj�}yDt|d��0}tj|j�d�|j|jt	j
tj|d��WdQRXWn6t
tfk
r�}ztjt|�d��WYdd}~XnXdS)a
    Write a private key to a file in PEM format. Will force 0x600 permissions
    on file.

    :param priv_key: cryptography ``PrivateKey`` object
    :param passwd: ``bytes`` representing the password to store the
                    private key with
    Nr�i�)Zencryption_algorithm)r�)rZBestAvailableEncryptionZNoEncryptionr�r�r�r�r�Z
private_bytesrr�rZPKCS8r�r�rr�r�)Zpriv_keyr�ZpasswdZenc_algr�r�r#r#r$�write_pem_private_key`s	r�c	@sbeZdZejejdej�je	j
e	je	jd�d��ejdej
ej��je	j
e	je	jd�d���ZdS)�_PrincipalNamez	name-typer)�explicitTagzname-stringrN)r{r|r}r�
NamedTypes�	NamedTyper
�Integer�subtyper
�Tag�tagClassContext�tagFormatSimpleZ
SequenceOfr�
GeneralString�
componentTyper#r#r#r$r�xs
r�c	@sZeZdZejejdej�je	j
e	je	jd�d��ejde
�je	j
e	je	jd�d���ZdS)�_KRB5PrincipalName�realmr)r��
principalNamerN)r{r|r}rr�r�rr�r�r
r�r�r�r�r�r#r#r#r$r��s
r�cCs`tj|t�d�d}t|d�jdd�jdd�}|dd	}d
jdd�|D��}d
||f}|S)N)rrrr��\z\\�@z\@r�zname-string�/css.|]&}t|�jdd�jdd�jdd�VqdS)r�z\\r�z\/r�z\@N)rb�replace)rX�nr#r#r$rY�sz,_decode_krb5principalname.<locals>.<genexpr>z%s@%s)rrDr�rbr��join)r�Z	principalr�rr#r#r$�_decode_krb5principalname�s

r�cseZdZ�fdd�Z�ZS)�KRB5PrincipalNamecs tt|�j||�t|�|_dS)N)�superr�r%r�r)r!�type_idrA)�	__class__r#r$r%�szKRB5PrincipalName.__init__)r{r|r}r%�
__classcell__r#r#)r�r$r��sr�cseZdZ�fdd�Z�ZS)�UPNcs2tt|�j||�ttj|tj�d�d�|_dS)N)rrr)	r�r�r%rbrrDrZ
UTF8Stringr)r!r�rA)r�r#r$r%�szUPN.__init__)r{r|r}r%r�r#r#)r�r$r��sr�ccsLxF|D]>}t|tjj�r>tj|jjtjj�}||j|j�Vq|VqWdS)z�
    Process python-cryptography GeneralName values, yielding
    OtherName values of more specific type if type is known.

    N)	r/r,�general_name�	OtherName�OTHERNAME_CLASS_MAP�getr�rWrA)rnrp�clsr#r#r$�process_othernames�s

r�cCsdg}xN|j�D]B}x<|D]4}tjt|d�ttj|d�d��}|j|�qWqWtjtj	|��S)N�typerAr)
rmr,Z
NameAttribute�_pyasn1_to_cryptography_oidrbrrDrlZ
DirectoryName�Name)ZdnZattrsrvrw�attrr#r#r$rg�s

rgcCstjt|��S)N)r,ZRegisteredIDr�)r@r#r#r$rh�srhcCstjtjt|���S)N)r,Z	IPAddress�	ipaddressZ
ip_addressr1)Zoctet_stringr#r#r$ri�sricCstjt|d�t|d��S)Nztype-idrA)r,r�r�r1)Zonr#r#r$rj�s
rjcCstjt|��S)N)r,r:r�)r@r#r#r$r��sr�cCs dd�tjjt|�g|�D�S)z�Yield chunks of the specified size from the given string.

    The input must be a multiple of the chunk size (otherwise
    trailing characters are dropped).

    Works on character strings only.

    css|]}dj|�VqdS)�N)r�)rX�spanr#r#r$rY�szchunk.<locals>.<genexpr>)�sixZmoves�zip�iter)�size�sr#r#r$�chunk�s	r�cCsdjtd|��S)z4Add colons between each nibble pair in a hex string.�:�)r�r�)r�r#r#r$�
add_colons�sr�cCsttj|�jd��S)z*Convert bytes to a hex string with colons.zutf-8)r��binasciiZhexlifyrD)Zbsr#r#r$�to_hex_with_colons�sr�c@s.eZdZejd�Zdd�Zdd�Zdd�ZdS)	�UTCrcCsdS)Nr�r#)r!�dtr#r#r$�tzname�sz
UTC.tznamecCs|jS)N)�ZERO)r!r�r#r#r$�	utcoffset�sz
UTC.utcoffsetcCs|jS)N)r�)r!r�r#r#r$�dst�szUTC.dstN)	r{r|r}�datetimeZ	timedeltar�r�r�r�r#r#r#r$r��s
r�cCs&|jdkr|jt�d�}t|jd��S)N)�tzinfoz%a %b %d %H:%M:%S %Y %Z)r�r�r�rbZstrftime)�tr#r#r$�format_datetimes
r�c@seZdZdZdZdS)�ExternalCATypeZgenericzms-csN)r{r|r}ZGENERIC�MS_CSr#r#r#r$r�	sr�csBeZdZdZddd�Ze�Zd�fdd�	Zdd�Zd	d
�Z	�Z
S)
�ExternalCAProfilea#
    An external CA profile configuration.  Currently the only
    subclasses are for Microsoft CAs, for providing data in the
    "Certificate Template" extension.

    Constructing this class will actually return an instance of a
    subclass.

    Subclasses MUST set ``valid_for``.

    NcCs
||_dS)N)�unparsed_input)r!r�r#r#r$r%szExternalCAProfile.__init__csr|tk	rtt|�j|�S|dkr(td��|jd�}ytj|d�}tjt|�Stj	j
k
rltjt|�SXdS)z�Construct the ExternalCAProfile value.

        Return an instance of a subclass determined by
        the format of the argument.

        Nzstring argument is requiredr�r)r�r��__new__r �splitr
r:�MSCSTemplateV2r;r��PyAsn1Error�MSCSTemplateV1)r�r��partsZ_oid)r�r#r$r�!s	
zExternalCAProfile.__new__cCs|jS)N)r�)r!r#r#r$r+@szExternalCAProfile.__getstate__cCs|j|�dS)N)r%)r!r*r#r#r$r.CszExternalCAProfile.__setstate__)N)N)r{r|r}r~r%rZ�	valid_forr�r+r.r�r#r#)r�r$r�s
r�c@s.eZdZdZeejjg�ZdZ	dZ
dd�ZdS)�MSCSTemplatez�
    An Microsoft AD-CS Template specifier.

    Subclasses MUST set ext_oid.

    Subclass constructors MUST set asn1obj.

    NcCstj|j�S)z"Return DER-encoded extension data.)rr>�asn1obj)r!r#r#r$�get_ext_dataVszMSCSTemplate.get_ext_data)r{r|r}r~rZr�r�rAr��ext_oidr�r�r#r#r#r$r�Hs
r�cs$eZdZdZdZ�fdd�Z�ZS)r�a
    A v1 template specifier, per
    https://msdn.microsoft.com/en-us/library/cc250011.aspx.

    ::

        CertificateTemplateName ::= SEQUENCE {
           Name            UTF8String
        }

    But note that a bare BMPString is used in practice.

    z1.3.6.1.4.1.311.20.2csFtt|�j|�|jd�}t|�dkr.td��tjt|d��|_	dS)Nr�rz<Cannot specify certificate template version when using name.r)
r�r�r%r��lenr rZ	BMPStringr�r�)r!r�r�)r�r#r$r%ks
zMSCSTemplateV1.__init__)r{r|r}r~r�r%r�r#r#)r�r$r�[s
r�cs0eZdZdZdZedd��Z�fdd�Z�ZS)r�a�
    A v2 template specifier, per
    https://msdn.microsoft.com/en-us/library/windows/desktop/aa378274(v=vs.85).aspx

    ::

        CertificateTemplate ::= SEQUENCE {
            templateID              EncodedObjectID,
            templateMajorVersion    TemplateVersion,
            templateMinorVersion    TemplateVersion OPTIONAL
        }

        TemplateVersion ::= INTEGER (0..4294967295)

    z1.3.6.1.4.1.311.21.7cCs"|dks|dkrtdj|���dS)Nrr�� z2Template {} version must be in range 0..4294967295l)r rU)Zdescr�r#r#r$�check_version_in_range�sz%MSCSTemplateV2.check_version_in_rangecs�tt|�j|�|jd�}t�}t|�dks8t|�dkr@td��yjtj|d�|d<t	|d�}|j
d|�||d	<t|�dkr�t	|d�}|j
d
|�t	|d�|d<Wn tjj
k
r�td��YnX||_dS)
Nr�r��z[Incorrect template specification; required format is: <oid>:<majorVersion>[:<minorVersion>]r�
templateIDr�major�templateMajorVersion�minor�templateMinorVersionz/Could not parse certificate template specifier.)r�r�r%r��CertificateTemplateV2r�r r
r:�intr�r;r�r�r�)r!r�r��objrr)r�r#r$r%�s$
zMSCSTemplateV2.__init__)	r{r|r}r~r��staticmethodr�r%r�r#r#)r�r$r�tsr�c@s>eZdZejejdej��ejdej��ej	dej���Z
dS)rrrrN)r{r|r}rr�r�r
r:r�ZOptionalNamedTyper�r#r#r#r$r�sr)N)N)N)fZ
__future__rr�r�r��enumr�rtr�r�Zcryptographyrr,Zcryptography.hazmat.backendsrZcryptography.hazmat.primitivesrZ,cryptography.hazmat.primitives.serializationrrrr	r;Zpyasn1.errorZpyasn1.typer
rrr
Zpyasn1.codec.derrrZpyasn1_modulesrrr�ZipalibrZipapython.dnsutilrZPY3r�rbr�r'�compiler�r�r�ZEKU_SERVER_AUTHZEKU_CLIENT_AUTHZEKU_CODE_SIGNINGZEKU_EMAIL_PROTECTIONZEKU_PKINIT_CLIENT_AUTHZEKU_PKINIT_KDCr_ZEKU_PLACEHOLDERZSAN_UPNZSAN_KRB5PRINCIPALNAMEr0rr�r-r�r�r�r�r�r�r�r�r�r�r��Sequencer�r�r�r�r�r�r�r�r�rgrhrirjr�r�r�r�r�r�r��Enumr�r�r�r�r�rr#r#r#r$�<module> s�L


&




:4