ai_v/venv/Lib/site-packages/cryptography/x509/name.py

# This file is dual licensed under the terms of the Apache License, Version
# 2.0, and the BSD License. See the LICENSE file in the root of this repository
# for complete details.

from __future__ import annotations

import binascii
import re
import sys
import typing
import warnings

from cryptography import utils
from cryptography.hazmat.bindings._rust import x509 as rust_x509
from cryptography.x509.oid import NameOID, ObjectIdentifier


class _ASN1Type(utils.Enum):
    BitString = 3
    OctetString = 4
    UTF8String = 12
    NumericString = 18
    PrintableString = 19
    T61String = 20
    IA5String = 22
    UTCTime = 23
    GeneralizedTime = 24
    VisibleString = 26
    UniversalString = 28
    BMPString = 30


_ASN1_TYPE_TO_ENUM = {i.value: i for i in _ASN1Type}
_NAMEOID_DEFAULT_TYPE: dict[ObjectIdentifier, _ASN1Type] = {
    NameOID.COUNTRY_NAME: _ASN1Type.PrintableString,
    NameOID.JURISDICTION_COUNTRY_NAME: _ASN1Type.PrintableString,
    NameOID.SERIAL_NUMBER: _ASN1Type.PrintableString,
    NameOID.DN_QUALIFIER: _ASN1Type.PrintableString,
    NameOID.EMAIL_ADDRESS: _ASN1Type.IA5String,
    NameOID.DOMAIN_COMPONENT: _ASN1Type.IA5String,
}

# Type alias
_OidNameMap = typing.Mapping[ObjectIdentifier, str]
_NameOidMap = typing.Mapping[str, ObjectIdentifier]

#: Short attribute names from RFC 4514:
#: https://tools.ietf.org/html/rfc4514#page-7
_NAMEOID_TO_NAME: _OidNameMap = {
    NameOID.COMMON_NAME: "CN",
    NameOID.LOCALITY_NAME: "L",
    NameOID.STATE_OR_PROVINCE_NAME: "ST",
    NameOID.ORGANIZATION_NAME: "O",
    NameOID.ORGANIZATIONAL_UNIT_NAME: "OU",
    NameOID.COUNTRY_NAME: "C",
    NameOID.STREET_ADDRESS: "STREET",
    NameOID.DOMAIN_COMPONENT: "DC",
    NameOID.USER_ID: "UID",
}
_NAME_TO_NAMEOID = {v: k for k, v in _NAMEOID_TO_NAME.items()}

_NAMEOID_LENGTH_LIMIT = {
    NameOID.COUNTRY_NAME: (2, 2),
    NameOID.JURISDICTION_COUNTRY_NAME: (2, 2),
    NameOID.COMMON_NAME: (1, 64),
}


def _escape_dn_value(val: str | bytes) -> str:
    """Escape special characters in RFC4514 Distinguished Name value."""

    if not val:
        return ""

    # RFC 4514 Section 2.4 defines the value as being the # (U+0023) character
    # followed by the hexadecimal encoding of the octets.
    if isinstance(val, bytes):
        return "#" + binascii.hexlify(val).decode("utf8")

    # See https://tools.ietf.org/html/rfc4514#section-2.4
    val = val.replace("\\", "\\\\")
    val = val.replace('"', '\\"')
    val = val.replace("+", "\\+")
    val = val.replace(",", "\\,")
    val = val.replace(";", "\\;")
    val = val.replace("<", "\\<")
    val = val.replace(">", "\\>")
    val = val.replace("\0", "\\00")

    if val[0] in ("#", " "):
        val = "\\" + val
    if val[-1] == " ":
        val = val[:-1] + "\\ "

    return val


def _unescape_dn_value(val: str) -> str:
    if not val:
        return ""

    # See https://tools.ietf.org/html/rfc4514#section-3

    # special = escaped / SPACE / SHARP / EQUALS
    # escaped = DQUOTE / PLUS / COMMA / SEMI / LANGLE / RANGLE
    def sub(m):
        val = m.group(1)
        # Regular escape
        if len(val) == 1:
            return val
        # Hex-value scape
        return chr(int(val, 16))

    return _RFC4514NameParser._PAIR_RE.sub(sub, val)


class NameAttribute:
    def __init__(
        self,
        oid: ObjectIdentifier,
        value: str | bytes,
        _type: _ASN1Type | None = None,
        *,
        _validate: bool = True,
    ) -> None:
        if not isinstance(oid, ObjectIdentifier):
            raise TypeError(
                "oid argument must be an ObjectIdentifier instance."
            )
        if _type == _ASN1Type.BitString:
            if oid != NameOID.X500_UNIQUE_IDENTIFIER:
                raise TypeError(
                    "oid must be X500_UNIQUE_IDENTIFIER for BitString type."
                )
            if not isinstance(value, bytes):
                raise TypeError("value must be bytes for BitString")
        else:
            if not isinstance(value, str):
                raise TypeError("value argument must be a str")

        length_limits = _NAMEOID_LENGTH_LIMIT.get(oid)
        if length_limits is not None:
            min_length, max_length = length_limits
            assert isinstance(value, str)
            c_len = len(value.encode("utf8"))
            if c_len < min_length or c_len > max_length:
                msg = (
                    f"Attribute's length must be >= {min_length} and "
                    f"<= {max_length}, but it was {c_len}"
                )
                if _validate is True:
                    raise ValueError(msg)
                else:
                    warnings.warn(msg, stacklevel=2)

        # The appropriate ASN1 string type varies by OID and is defined across
        # multiple RFCs including 2459, 3280, and 5280. In general UTF8String
        # is preferred (2459), but 3280 and 5280 specify several OIDs with
        # alternate types. This means when we see the sentinel value we need
        # to look up whether the OID has a non-UTF8 type. If it does, set it
        # to that. Otherwise, UTF8!
        if _type is None:
            _type = _NAMEOID_DEFAULT_TYPE.get(oid, _ASN1Type.UTF8String)

        if not isinstance(_type, _ASN1Type):
            raise TypeError("_type must be from the _ASN1Type enum")

        self._oid = oid
        self._value = value
        self._type = _type

    @property
    def oid(self) -> ObjectIdentifier:
        return self._oid

    @property
    def value(self) -> str | bytes:
        return self._value

    @property
    def rfc4514_attribute_name(self) -> str:
        """
        The short attribute name (for example "CN") if available,
        otherwise the OID dotted string.
        """
        return _NAMEOID_TO_NAME.get(self.oid, self.oid.dotted_string)

    def rfc4514_string(
        self, attr_name_overrides: _OidNameMap | None = None
    ) -> str:
        """
        Format as RFC4514 Distinguished Name string.

        Use short attribute name if available, otherwise fall back to OID
        dotted string.
        """
        attr_name = (
            attr_name_overrides.get(self.oid) if attr_name_overrides else None
        )
        if attr_name is None:
            attr_name = self.rfc4514_attribute_name

        return f"{attr_name}={_escape_dn_value(self.value)}"

    def __eq__(self, other: object) -> bool:
        if not isinstance(other, NameAttribute):
            return NotImplemented

        return self.oid == other.oid and self.value == other.value

    def __hash__(self) -> int:
        return hash((self.oid, self.value))

    def __repr__(self) -> str:
        return f"<NameAttribute(oid={self.oid}, value={self.value!r})>"


class RelativeDistinguishedName:
    def __init__(self, attributes: typing.Iterable[NameAttribute]):
        attributes = list(attributes)
        if not attributes:
            raise ValueError("a relative distinguished name cannot be empty")
        if not all(isinstance(x, NameAttribute) for x in attributes):
            raise TypeError("attributes must be an iterable of NameAttribute")

        # Keep list and frozenset to preserve attribute order where it matters
        self._attributes = attributes
        self._attribute_set = frozenset(attributes)

        if len(self._attribute_set) != len(attributes):
            raise ValueError("duplicate attributes are not allowed")

    def get_attributes_for_oid(
        self, oid: ObjectIdentifier
    ) -> list[NameAttribute]:
        return [i for i in self if i.oid == oid]

    def rfc4514_string(
        self, attr_name_overrides: _OidNameMap | None = None
    ) -> str:
        """
        Format as RFC4514 Distinguished Name string.

        Within each RDN, attributes are joined by '+', although that is rarely
        used in certificates.
        """
        return "+".join(
            attr.rfc4514_string(attr_name_overrides)
            for attr in self._attributes
        )

    def __eq__(self, other: object) -> bool:
        if not isinstance(other, RelativeDistinguishedName):
            return NotImplemented

        return self._attribute_set == other._attribute_set

    def __hash__(self) -> int:
        return hash(self._attribute_set)

    def __iter__(self) -> typing.Iterator[NameAttribute]:
        return iter(self._attributes)

    def __len__(self) -> int:
        return len(self._attributes)

    def __repr__(self) -> str:
        return f"<RelativeDistinguishedName({self.rfc4514_string()})>"


class Name:
    @typing.overload
    def __init__(self, attributes: typing.Iterable[NameAttribute]) -> None: ...

    @typing.overload
    def __init__(
        self, attributes: typing.Iterable[RelativeDistinguishedName]
    ) -> None: ...

    def __init__(
        self,
        attributes: typing.Iterable[NameAttribute | RelativeDistinguishedName],
    ) -> None:
        attributes = list(attributes)
        if all(isinstance(x, NameAttribute) for x in attributes):
            self._attributes = [
                RelativeDistinguishedName([typing.cast(NameAttribute, x)])
                for x in attributes
            ]
        elif all(isinstance(x, RelativeDistinguishedName) for x in attributes):
            self._attributes = typing.cast(
                typing.List[RelativeDistinguishedName], attributes
            )
        else:
            raise TypeError(
                "attributes must be a list of NameAttribute"
                " or a list RelativeDistinguishedName"
            )

    @classmethod
    def from_rfc4514_string(
        cls,
        data: str,
        attr_name_overrides: _NameOidMap | None = None,
    ) -> Name:
        return _RFC4514NameParser(data, attr_name_overrides or {}).parse()

    def rfc4514_string(
        self, attr_name_overrides: _OidNameMap | None = None
    ) -> str:
        """
        Format as RFC4514 Distinguished Name string.
        For example 'CN=foobar.com,O=Foo Corp,C=US'

        An X.509 name is a two-level structure: a list of sets of attributes.
        Each list element is separated by ',' and within each list element, set
        elements are separated by '+'. The latter is almost never used in
        real world certificates. According to RFC4514 section 2.1 the
        RDNSequence must be reversed when converting to string representation.
        """
        return ",".join(
            attr.rfc4514_string(attr_name_overrides)
            for attr in reversed(self._attributes)
        )

    def get_attributes_for_oid(
        self, oid: ObjectIdentifier
    ) -> list[NameAttribute]:
        return [i for i in self if i.oid == oid]

    @property
    def rdns(self) -> list[RelativeDistinguishedName]:
        return self._attributes

    def public_bytes(self, backend: typing.Any = None) -> bytes:
        return rust_x509.encode_name_bytes(self)

    def __eq__(self, other: object) -> bool:
        if not isinstance(other, Name):
            return NotImplemented

        return self._attributes == other._attributes

    def __hash__(self) -> int:
        # TODO: this is relatively expensive, if this looks like a bottleneck
        # for you, consider optimizing!
        return hash(tuple(self._attributes))

    def __iter__(self) -> typing.Iterator[NameAttribute]:
        for rdn in self._attributes:
            yield from rdn

    def __len__(self) -> int:
        return sum(len(rdn) for rdn in self._attributes)

    def __repr__(self) -> str:
        rdns = ",".join(attr.rfc4514_string() for attr in self._attributes)
        return f"<Name({rdns})>"


class _RFC4514NameParser:
    _OID_RE = re.compile(r"(0|([1-9]\d*))(\.(0|([1-9]\d*)))+")
    _DESCR_RE = re.compile(r"[a-zA-Z][a-zA-Z\d-]*")

    _PAIR = r"\\([\\ #=\"\+,;<>]|[\da-zA-Z]{2})"
    _PAIR_RE = re.compile(_PAIR)
    _LUTF1 = r"[\x01-\x1f\x21\x24-\x2A\x2D-\x3A\x3D\x3F-\x5B\x5D-\x7F]"
    _SUTF1 = r"[\x01-\x21\x23-\x2A\x2D-\x3A\x3D\x3F-\x5B\x5D-\x7F]"
    _TUTF1 = r"[\x01-\x1F\x21\x23-\x2A\x2D-\x3A\x3D\x3F-\x5B\x5D-\x7F]"
    _UTFMB = rf"[\x80-{chr(sys.maxunicode)}]"
    _LEADCHAR = rf"{_LUTF1}|{_UTFMB}"
    _STRINGCHAR = rf"{_SUTF1}|{_UTFMB}"
    _TRAILCHAR = rf"{_TUTF1}|{_UTFMB}"
    _STRING_RE = re.compile(
        rf"""
        (
            ({_LEADCHAR}|{_PAIR})
            (
                ({_STRINGCHAR}|{_PAIR})*
                ({_TRAILCHAR}|{_PAIR})
            )?
        )?
        """,
        re.VERBOSE,
    )
    _HEXSTRING_RE = re.compile(r"#([\da-zA-Z]{2})+")

    def __init__(self, data: str, attr_name_overrides: _NameOidMap) -> None:
        self._data = data
        self._idx = 0

        self._attr_name_overrides = attr_name_overrides

    def _has_data(self) -> bool:
        return self._idx < len(self._data)

    def _peek(self) -> str | None:
        if self._has_data():
            return self._data[self._idx]
        return None

    def _read_char(self, ch: str) -> None:
        if self._peek() != ch:
            raise ValueError
        self._idx += 1

    def _read_re(self, pat) -> str:
        match = pat.match(self._data, pos=self._idx)
        if match is None:
            raise ValueError
        val = match.group()
        self._idx += len(val)
        return val

    def parse(self) -> Name:
        """
        Parses the `data` string and converts it to a Name.

        According to RFC4514 section 2.1 the RDNSequence must be
        reversed when converting to string representation. So, when
        we parse it, we need to reverse again to get the RDNs on the
        correct order.
        """

        if not self._has_data():
            return Name([])

        rdns = [self._parse_rdn()]

        while self._has_data():
            self._read_char(",")
            rdns.append(self._parse_rdn())

        return Name(reversed(rdns))

    def _parse_rdn(self) -> RelativeDistinguishedName:
        nas = [self._parse_na()]
        while self._peek() == "+":
            self._read_char("+")
            nas.append(self._parse_na())

        return RelativeDistinguishedName(nas)

    def _parse_na(self) -> NameAttribute:
        try:
            oid_value = self._read_re(self._OID_RE)
        except ValueError:
            name = self._read_re(self._DESCR_RE)
            oid = self._attr_name_overrides.get(
                name, _NAME_TO_NAMEOID.get(name)
            )
            if oid is None:
                raise ValueError
        else:
            oid = ObjectIdentifier(oid_value)

        self._read_char("=")
        if self._peek() == "#":
            value = self._read_re(self._HEXSTRING_RE)
            value = binascii.unhexlify(value[1:]).decode()
        else:
            raw_value = self._read_re(self._STRING_RE)
            value = _unescape_dn_value(raw_value)

        return NameAttribute(oid, value)
feat(api): 实现图像生成及后台同步功能 - 新增图像生成接口，支持试用、积分和自定义API Key模式 - 实现生成图片结果异步上传至MinIO存储，带重试机制 - 优化积分预扣除和异常退还逻辑，保障用户积分准确 - 添加获取生成历史记录接口，支持时间范围和分页 - 提供本地字典配置接口，支持模型、比例、提示模板和尺寸 - 实现图片批量上传接口，支持S3兼容对象存储 feat(admin): 增加管理员角色管理与权限分配接口 - 实现角色列表查询、角色创建、更新及删除功能 - 增加权限列表查询接口 - 实现用户角色分配接口，便于统一管理用户权限 - 增加系统字典增删查改接口，支持分类过滤和排序 - 权限控制全面覆盖管理接口，保证安全访问 feat(auth): 完善用户登录注册及权限相关接口与页面 - 实现手机号验证码发送及校验功能，保障注册安全 - 支持手机号注册、登录及退出接口，集成日志记录 - 增加修改密码功能，验证原密码后更新 - 提供动态导航菜单接口，基于权限展示不同菜单 - 实现管理界面路由及日志、角色、字典管理页面访问权限控制 - 添加系统日志查询接口，支持关键词和等级筛选 feat(app): 初始化Flask应用并配置蓝图与数据库 - 创建应用程序工厂，加载配置，初始化数据库和Redis客户端 - 注册认证、API及管理员蓝图，整合路由 - 根路由渲染主页模板 - 应用上下文中自动创建数据库表，保证运行环境准备完毕 feat(database): 提供数据库创建与迁移支持脚本 - 新增数据库创建脚本，支持自动检测是否已存在 - 添加数据库表初始化脚本，支持创建和删除所有表 - 实现RBAC权限初始化，包含基础权限和角色创建 - 新增字段手动修复脚本，添加用户API Key和积分字段 - 强制迁移脚本支持清理连接和修复表结构，初始化默认数据及角色分配 feat(config): 新增系统配置参数 - 配置数据库、Redis、Session和MinIO相关参数 - 添加AI接口地址及试用Key配置 - 集成阿里云短信服务配置及开发模式相关参数 feat(extensions): 初始化数据库、Redis和MinIO客户端 - 创建全局SQLAlchemy数据库实例和Redis客户端 - 配置基于boto3的MinIO兼容S3客户端 chore(logs): 添加示例系统日志文件 - 记录用户请求、验证码发送成功与失败的日志信息 2026-01-12 00:53:31 +08:00			`# This file is dual licensed under the terms of the Apache License, Version`
			`# 2.0, and the BSD License. See the LICENSE file in the root of this repository`
			`# for complete details.`

			`from __future__ import annotations`

			`import binascii`
			`import re`
			`import sys`
			`import typing`
			`import warnings`

			`from cryptography import utils`
			`from cryptography.hazmat.bindings._rust import x509 as rust_x509`
			`from cryptography.x509.oid import NameOID, ObjectIdentifier`


			`class _ASN1Type(utils.Enum):`
			`BitString = 3`
			`OctetString = 4`
			`UTF8String = 12`
			`NumericString = 18`
			`PrintableString = 19`
			`T61String = 20`
			`IA5String = 22`
			`UTCTime = 23`
			`GeneralizedTime = 24`
			`VisibleString = 26`
			`UniversalString = 28`
			`BMPString = 30`


			`_ASN1_TYPE_TO_ENUM = {i.value: i for i in _ASN1Type}`
			`_NAMEOID_DEFAULT_TYPE: dict[ObjectIdentifier, _ASN1Type] = {`
			`NameOID.COUNTRY_NAME: _ASN1Type.PrintableString,`
			`NameOID.JURISDICTION_COUNTRY_NAME: _ASN1Type.PrintableString,`
			`NameOID.SERIAL_NUMBER: _ASN1Type.PrintableString,`
			`NameOID.DN_QUALIFIER: _ASN1Type.PrintableString,`
			`NameOID.EMAIL_ADDRESS: _ASN1Type.IA5String,`
			`NameOID.DOMAIN_COMPONENT: _ASN1Type.IA5String,`
			`}`

			`# Type alias`
			`_OidNameMap = typing.Mapping[ObjectIdentifier, str]`
			`_NameOidMap = typing.Mapping[str, ObjectIdentifier]`

			`#: Short attribute names from RFC 4514:`
			`#: https://tools.ietf.org/html/rfc4514#page-7`
			`_NAMEOID_TO_NAME: _OidNameMap = {`
			`NameOID.COMMON_NAME: "CN",`
			`NameOID.LOCALITY_NAME: "L",`
			`NameOID.STATE_OR_PROVINCE_NAME: "ST",`
			`NameOID.ORGANIZATION_NAME: "O",`
			`NameOID.ORGANIZATIONAL_UNIT_NAME: "OU",`
			`NameOID.COUNTRY_NAME: "C",`
			`NameOID.STREET_ADDRESS: "STREET",`
			`NameOID.DOMAIN_COMPONENT: "DC",`
			`NameOID.USER_ID: "UID",`
			`}`
			`_NAME_TO_NAMEOID = {v: k for k, v in _NAMEOID_TO_NAME.items()}`

			`_NAMEOID_LENGTH_LIMIT = {`
			`NameOID.COUNTRY_NAME: (2, 2),`
			`NameOID.JURISDICTION_COUNTRY_NAME: (2, 2),`
			`NameOID.COMMON_NAME: (1, 64),`
			`}`


			`def _escape_dn_value(val: str \| bytes) -> str:`
			`"""Escape special characters in RFC4514 Distinguished Name value."""`

			`if not val:`
			`return ""`

			`# RFC 4514 Section 2.4 defines the value as being the # (U+0023) character`
			`# followed by the hexadecimal encoding of the octets.`
			`if isinstance(val, bytes):`
			`return "#" + binascii.hexlify(val).decode("utf8")`

			`# See https://tools.ietf.org/html/rfc4514#section-2.4`
			`val = val.replace("\\", "\\\\")`
			`val = val.replace('"', '\\"')`
			`val = val.replace("+", "\\+")`
			`val = val.replace(",", "\\,")`
			`val = val.replace(";", "\\;")`
			`val = val.replace("<", "\\<")`
			`val = val.replace(">", "\\>")`
			`val = val.replace("\0", "\\00")`

			`if val[0] in ("#", " "):`
			`val = "\\" + val`
			`if val[-1] == " ":`
			`val = val[:-1] + "\\ "`

			`return val`


			`def _unescape_dn_value(val: str) -> str:`
			`if not val:`
			`return ""`

			`# See https://tools.ietf.org/html/rfc4514#section-3`

			`# special = escaped / SPACE / SHARP / EQUALS`
			`# escaped = DQUOTE / PLUS / COMMA / SEMI / LANGLE / RANGLE`
			`def sub(m):`
			`val = m.group(1)`
			`# Regular escape`
			`if len(val) == 1:`
			`return val`
			`# Hex-value scape`
			`return chr(int(val, 16))`

			`return _RFC4514NameParser._PAIR_RE.sub(sub, val)`


			`class NameAttribute:`
			`def __init__(`
			`self,`
			`oid: ObjectIdentifier,`
			`value: str \| bytes,`
			`_type: _ASN1Type \| None = None,`
			`*,`
			`_validate: bool = True,`
			`) -> None:`
			`if not isinstance(oid, ObjectIdentifier):`
			`raise TypeError(`
			`"oid argument must be an ObjectIdentifier instance."`
			`)`
			`if _type == _ASN1Type.BitString:`
			`if oid != NameOID.X500_UNIQUE_IDENTIFIER:`
			`raise TypeError(`
			`"oid must be X500_UNIQUE_IDENTIFIER for BitString type."`
			`)`
			`if not isinstance(value, bytes):`
			`raise TypeError("value must be bytes for BitString")`
			`else:`
			`if not isinstance(value, str):`
			`raise TypeError("value argument must be a str")`

			`length_limits = _NAMEOID_LENGTH_LIMIT.get(oid)`
			`if length_limits is not None:`
			`min_length, max_length = length_limits`
			`assert isinstance(value, str)`
			`c_len = len(value.encode("utf8"))`
			`if c_len < min_length or c_len > max_length:`
			`msg = (`
			`f"Attribute's length must be >= {min_length} and "`
			`f"<= {max_length}, but it was {c_len}"`
			`)`
			`if _validate is True:`
			`raise ValueError(msg)`
			`else:`
			`warnings.warn(msg, stacklevel=2)`

			`# The appropriate ASN1 string type varies by OID and is defined across`
			`# multiple RFCs including 2459, 3280, and 5280. In general UTF8String`
			`# is preferred (2459), but 3280 and 5280 specify several OIDs with`
			`# alternate types. This means when we see the sentinel value we need`
			`# to look up whether the OID has a non-UTF8 type. If it does, set it`
			`# to that. Otherwise, UTF8!`
			`if _type is None:`
			`_type = _NAMEOID_DEFAULT_TYPE.get(oid, _ASN1Type.UTF8String)`

			`if not isinstance(_type, _ASN1Type):`
			`raise TypeError("_type must be from the _ASN1Type enum")`

			`self._oid = oid`
			`self._value = value`
			`self._type = _type`

			`@property`
			`def oid(self) -> ObjectIdentifier:`
			`return self._oid`

			`@property`
			`def value(self) -> str \| bytes:`
			`return self._value`

			`@property`
			`def rfc4514_attribute_name(self) -> str:`
			`"""`
			`The short attribute name (for example "CN") if available,`
			`otherwise the OID dotted string.`
			`"""`
			`return _NAMEOID_TO_NAME.get(self.oid, self.oid.dotted_string)`

			`def rfc4514_string(`
			`self, attr_name_overrides: _OidNameMap \| None = None`
			`) -> str:`
			`"""`
			`Format as RFC4514 Distinguished Name string.`

			`Use short attribute name if available, otherwise fall back to OID`
			`dotted string.`
			`"""`
			`attr_name = (`
			`attr_name_overrides.get(self.oid) if attr_name_overrides else None`
			`)`
			`if attr_name is None:`
			`attr_name = self.rfc4514_attribute_name`

			`return f"{attr_name}={_escape_dn_value(self.value)}"`

			`def __eq__(self, other: object) -> bool:`
			`if not isinstance(other, NameAttribute):`
			`return NotImplemented`

			`return self.oid == other.oid and self.value == other.value`

			`def __hash__(self) -> int:`
			`return hash((self.oid, self.value))`

			`def __repr__(self) -> str:`
			`return f"<NameAttribute(oid={self.oid}, value={self.value!r})>"`


			`class RelativeDistinguishedName:`
			`def __init__(self, attributes: typing.Iterable[NameAttribute]):`
			`attributes = list(attributes)`
			`if not attributes:`
			`raise ValueError("a relative distinguished name cannot be empty")`
			`if not all(isinstance(x, NameAttribute) for x in attributes):`
			`raise TypeError("attributes must be an iterable of NameAttribute")`

			`# Keep list and frozenset to preserve attribute order where it matters`
			`self._attributes = attributes`
			`self._attribute_set = frozenset(attributes)`

			`if len(self._attribute_set) != len(attributes):`
			`raise ValueError("duplicate attributes are not allowed")`

			`def get_attributes_for_oid(`
			`self, oid: ObjectIdentifier`
			`) -> list[NameAttribute]:`
			`return [i for i in self if i.oid == oid]`

			`def rfc4514_string(`
			`self, attr_name_overrides: _OidNameMap \| None = None`
			`) -> str:`
			`"""`
			`Format as RFC4514 Distinguished Name string.`

			`Within each RDN, attributes are joined by '+', although that is rarely`
			`used in certificates.`
			`"""`
			`return "+".join(`
			`attr.rfc4514_string(attr_name_overrides)`
			`for attr in self._attributes`
			`)`

			`def __eq__(self, other: object) -> bool:`
			`if not isinstance(other, RelativeDistinguishedName):`
			`return NotImplemented`

			`return self._attribute_set == other._attribute_set`

			`def __hash__(self) -> int:`
			`return hash(self._attribute_set)`

			`def __iter__(self) -> typing.Iterator[NameAttribute]:`
			`return iter(self._attributes)`

			`def __len__(self) -> int:`
			`return len(self._attributes)`

			`def __repr__(self) -> str:`
			`return f"<RelativeDistinguishedName({self.rfc4514_string()})>"`


			`class Name:`
			`@typing.overload`
			`def __init__(self, attributes: typing.Iterable[NameAttribute]) -> None: ...`

			`@typing.overload`
			`def __init__(`
			`self, attributes: typing.Iterable[RelativeDistinguishedName]`
			`) -> None: ...`

			`def __init__(`
			`self,`
			`attributes: typing.Iterable[NameAttribute \| RelativeDistinguishedName],`
			`) -> None:`
			`attributes = list(attributes)`
			`if all(isinstance(x, NameAttribute) for x in attributes):`
			`self._attributes = [`
			`RelativeDistinguishedName([typing.cast(NameAttribute, x)])`
			`for x in attributes`
			`]`
			`elif all(isinstance(x, RelativeDistinguishedName) for x in attributes):`
			`self._attributes = typing.cast(`
			`typing.List[RelativeDistinguishedName], attributes`
			`)`
			`else:`
			`raise TypeError(`
			`"attributes must be a list of NameAttribute"`
			`" or a list RelativeDistinguishedName"`
			`)`

			`@classmethod`
			`def from_rfc4514_string(`
			`cls,`
			`data: str,`
			`attr_name_overrides: _NameOidMap \| None = None,`
			`) -> Name:`
			`return _RFC4514NameParser(data, attr_name_overrides or {}).parse()`

			`def rfc4514_string(`
			`self, attr_name_overrides: _OidNameMap \| None = None`
			`) -> str:`
			`"""`
			`Format as RFC4514 Distinguished Name string.`
			`For example 'CN=foobar.com,O=Foo Corp,C=US'`

			`An X.509 name is a two-level structure: a list of sets of attributes.`
			`Each list element is separated by ',' and within each list element, set`
			`elements are separated by '+'. The latter is almost never used in`
			`real world certificates. According to RFC4514 section 2.1 the`
			`RDNSequence must be reversed when converting to string representation.`
			`"""`
			`return ",".join(`
			`attr.rfc4514_string(attr_name_overrides)`
			`for attr in reversed(self._attributes)`
			`)`

			`def get_attributes_for_oid(`
			`self, oid: ObjectIdentifier`
			`) -> list[NameAttribute]:`
			`return [i for i in self if i.oid == oid]`

			`@property`
			`def rdns(self) -> list[RelativeDistinguishedName]:`
			`return self._attributes`

			`def public_bytes(self, backend: typing.Any = None) -> bytes:`
			`return rust_x509.encode_name_bytes(self)`

			`def __eq__(self, other: object) -> bool:`
			`if not isinstance(other, Name):`
			`return NotImplemented`

			`return self._attributes == other._attributes`

			`def __hash__(self) -> int:`
			`# TODO: this is relatively expensive, if this looks like a bottleneck`
			`# for you, consider optimizing!`
			`return hash(tuple(self._attributes))`

			`def __iter__(self) -> typing.Iterator[NameAttribute]:`
			`for rdn in self._attributes:`
			`yield from rdn`

			`def __len__(self) -> int:`
			`return sum(len(rdn) for rdn in self._attributes)`

			`def __repr__(self) -> str:`
			`rdns = ",".join(attr.rfc4514_string() for attr in self._attributes)`
			`return f"<Name({rdns})>"`


			`class _RFC4514NameParser:`
			`_OID_RE = re.compile(r"(0\|([1-9]\d))(\.(0\|([1-9]\d)))+")`
			`_DESCR_RE = re.compile(r"[a-zA-Z][a-zA-Z\d-]*")`

			`_PAIR = r"\\([\\ #=\"\+,;<>]\|[\da-zA-Z]{2})"`
			`_PAIR_RE = re.compile(_PAIR)`
			`_LUTF1 = r"[\x01-\x1f\x21\x24-\x2A\x2D-\x3A\x3D\x3F-\x5B\x5D-\x7F]"`
			`_SUTF1 = r"[\x01-\x21\x23-\x2A\x2D-\x3A\x3D\x3F-\x5B\x5D-\x7F]"`
			`_TUTF1 = r"[\x01-\x1F\x21\x23-\x2A\x2D-\x3A\x3D\x3F-\x5B\x5D-\x7F]"`
			`_UTFMB = rf"[\x80-{chr(sys.maxunicode)}]"`
			`_LEADCHAR = rf"{_LUTF1}\|{_UTFMB}"`
			`_STRINGCHAR = rf"{_SUTF1}\|{_UTFMB}"`
			`_TRAILCHAR = rf"{_TUTF1}\|{_UTFMB}"`
			`_STRING_RE = re.compile(`
			`rf"""`
			`(`
			`({_LEADCHAR}\|{_PAIR})`
			`(`
			`({_STRINGCHAR}\|{_PAIR})*`
			`({_TRAILCHAR}\|{_PAIR})`
			`)?`
			`)?`
			`""",`
			`re.VERBOSE,`
			`)`
			`_HEXSTRING_RE = re.compile(r"#([\da-zA-Z]{2})+")`

			`def __init__(self, data: str, attr_name_overrides: _NameOidMap) -> None:`
			`self._data = data`
			`self._idx = 0`

			`self._attr_name_overrides = attr_name_overrides`

			`def _has_data(self) -> bool:`
			`return self._idx < len(self._data)`

			`def _peek(self) -> str \| None:`
			`if self._has_data():`
			`return self._data[self._idx]`
			`return None`

			`def _read_char(self, ch: str) -> None:`
			`if self._peek() != ch:`
			`raise ValueError`
			`self._idx += 1`

			`def _read_re(self, pat) -> str:`
			`match = pat.match(self._data, pos=self._idx)`
			`if match is None:`
			`raise ValueError`
			`val = match.group()`
			`self._idx += len(val)`
			`return val`

			`def parse(self) -> Name:`
			`"""`
			Parses the `data` string and converts it to a Name.

			`According to RFC4514 section 2.1 the RDNSequence must be`
			`reversed when converting to string representation. So, when`
			`we parse it, we need to reverse again to get the RDNs on the`
			`correct order.`
			`"""`

			`if not self._has_data():`
			`return Name([])`

			`rdns = [self._parse_rdn()]`

			`while self._has_data():`
			`self._read_char(",")`
			`rdns.append(self._parse_rdn())`

			`return Name(reversed(rdns))`

			`def _parse_rdn(self) -> RelativeDistinguishedName:`
			`nas = [self._parse_na()]`
			`while self._peek() == "+":`
			`self._read_char("+")`
			`nas.append(self._parse_na())`

			`return RelativeDistinguishedName(nas)`

			`def _parse_na(self) -> NameAttribute:`
			`try:`
			`oid_value = self._read_re(self._OID_RE)`
			`except ValueError:`
			`name = self._read_re(self._DESCR_RE)`
			`oid = self._attr_name_overrides.get(`
			`name, _NAME_TO_NAMEOID.get(name)`
			`)`
			`if oid is None:`
			`raise ValueError`
			`else:`
			`oid = ObjectIdentifier(oid_value)`

			`self._read_char("=")`
			`if self._peek() == "#":`
			`value = self._read_re(self._HEXSTRING_RE)`
			`value = binascii.unhexlify(value[1:]).decode()`
			`else:`
			`raw_value = self._read_re(self._STRING_RE)`
			`value = _unescape_dn_value(raw_value)`

			`return NameAttribute(oid, value)`