M/eFndZddlZddlZddlZddlZddlZddlZddlZddlm Z ddlm Z ddlm Z ddlm Z ddlm Z ddlmZdd lmZdd lmZdd lmZddlZdd lmZdd lmZddlmZej2eZej8ZGddZGddZddeddfde de de!de!de!dee"e!fde ee dejFfdZ$ d4de d e eee"e e"fd!e%d"e e eejLejNfde f d#Z(d$eejFejRfde e"fd%Z*d&eejFejRfde e"fd'Z+d&eejFejRfde e"fd(Z,d&eejFejRfde e"fd)Z- d5d*ej\d e e e"d+e e!d,e!d-e%d.e e ej^d/e e eejLejNfdejFfd0Z0ejbfd1ee ejde ejFfd2e!de fd3Z3y)6zCrypto utilities.N)Any)Callable)List)Mapping)Optional)Sequence)Set)Tuple)Union)crypto)SSL)errorsceZdZdeeeejejfffdZ de jde eejejffdZ y)_DefaultCertSelectioncertsc||_yN)r)selfrs 2/usr/lib/python3/dist-packages/acme/crypto_util.py__init__z_DefaultCertSelection.__init__&s  connectionreturnc`|j}|r|jj|dSyr)get_servernamerget)rr server_names r__call__z_DefaultCertSelection.__call__)s+ //1 ::>>+t4 4rN)__name__ __module__ __qualname__rbytesr r PKeyX509rr Connectionrrrrrr%s[geU6;; 3K-L&LM3>>huV[[RXR]R]E]?^6_rrczeZdZdZdeddfdej deeee e je jffde deeej eegefdeeej gee e je jffddf d Zd edefd Zd ej ddfd ZGddZde eeffdZy) SSLSocketaSSL wrapper for sockets. :ivar socket sock: Original wrapped socket. :ivar dict certs: Mapping from domain names (`bytes`) to `OpenSSL.crypto.X509`. :ivar method: See `OpenSSL.SSL.Context` for allowed values. :ivar alpn_selection: Hook to select negotiated ALPN protocol for connection. :ivar cert_selection: Hook to select certificate for connection. If given, `certs` parameter would be ignored, and therefore must be empty. Nsockrmethodalpn_selectioncert_selectionrc||_||_||_|s |s td|r |r td|}|t |r|ni}||_y)Nz*Neither cert_selection or certs specified.z(Both cert_selection and certs specified.)r)r+r* ValueErrorrr,)rr)rr*r+r,actual_cert_selections rrzSSLSocket.__init__=sg , eIJ J eGH HTb  ! ($95%b$Q !3rnamec.t|j|Sr)getattrr)rr0s r __getattr__zSSLSocket.__getattr__Tstyy$''rrc|j|}|%tjd|jy|\}}t j |j }|jtj|jtj|j||j||j|j|j|j|y)aSNI certificate callback. This method will set a new OpenSSL context object for this connection when an incoming connection provides an SNI name (in order to serve the appropriate certificate, if any). :param connection: The TLS connection object on which the SNI extension was received. :type connection: :class:`OpenSSL.Connection` Nz=Certificate selection for server name %s failed, dropping SSL)r,loggerdebugrr Contextr* set_options OP_NO_SSLv2 OP_NO_SSLv3use_privatekeyuse_certificater+set_alpn_select_callback set_context)rrpairkeycert new_contexts r_pick_certificate_cbzSSLSocket._pick_certificate_cbWs"":. < LLX#224 6  Tkk$++. 00""3'##D)    *  0 01D1D E{+rcTeZdZdZdej ddfdZdedefdZ dede fd Z y) SSLSocket.FakeConnectionzFake OpenSSL.SSL.Connection.rrNc||_yr)_wrapped)rrs rrz!SSLSocket.FakeConnection.__init__ws &DMrr0c.t|j|Sr)r2rHr3s rr4z$SSLSocket.FakeConnection.__getattr__zs4==$/ /r unused_argsc |jjS#tj$r}t j |d}~wwxYwr)rHshutdownr Errorsocketerror)rrJrOs rrLz!SSLSocket.FakeConnection.shutdown}s? *}}--//99 * ll5))  *sA AA ) rr r!__doc__r r%rstrrr4boolrLr&rrFakeConnectionrFrsB* 's~~ '$ ' 0C 0C 0 * * *rrSc|jj\}} tj|j}|j tj |j tj|j|j|j|j|j|jtj||}|jtj!d| |j#||fS#tj$$r}t'j(|d}~wwxYw#|j+xYw)NzPerforming handshake with %s)r)acceptr r8r*r9r:r;set_tlsext_servername_callbackrDr+r>rSr%set_accept_stater6r7 do_handshakerMrNrOclose)rr)addrcontextssl_sockrOs rrUzSSLSocket.acceptsYY%%' d kk$++.G    0    0  2 243L3L M"".001D1DE**3>>'4+HIH  % % ' LL7 > *%%' T> ! 99 *ll5)) *   JJL s0C*E DEE 1EE  EE!)rr r!rP_DEFAULT_SSL_METHODrNrrr"r r r#r$intrr r%rrrQrr4rDrSrUr&rrr(r(0s# UY2\`UY 4V]]4 fkk6;;6N0O)O!PQ44"*(CNNDK3PRW3W*X!Y4"*(CNN3C3;E&++BH++CN=O4P4P+Q"R 44.(((,s~~,$,6**,nc12rr(ii,)rr0hostporttimeoutr*source_addressalpn_protocolsrc tj|}|j|d|i} tj d||t |rdj |d|dnd||f} tj| fi|} tj| 5} tj|| } | j| j!||| j#| | j%| j' ddd j)}|sJ|S#tj$r} tj| d} ~ wwxYw#tj$r} tj| d} ~ wwxYw#1swYxYw)a Probe SNI server for SSL certificate. :param bytes name: Byte string to send as the server name in the client hello message. :param bytes host: Host to connect to. :param int port: Port to connect to. :param int timeout: Timeout in seconds. :param method: See `OpenSSL.SSL.Context` for allowed values. :param tuple source_address: Enables multi-path probing (selection of source interface). See `socket.creation_connection` for more info. Available only in Python 2.7+. :param alpn_protocols: Protocols to request using ALPN. :type alpn_protocols: `Sequence` of `bytes` :raises acme.errors.Error: In case of any problems. :returns: SSL certificate presented by the server. :rtype: OpenSSL.crypto.X509 rcz!Attempting to connect to %s:%d%s.z from {0}:{1}rr_N)r r8 set_timeoutr6r7anyformatrNcreate_connectionrOrrM contextlibclosingr%set_connect_stateset_tlsext_host_nameset_alpn_protosrXrLget_peer_certificate)r0r`rarbr*rcrdr[ socket_kwargs socket_tupler)rOclient client_sslrBs r probe_snirusx.kk&!G  %~6M " /t^$  " "q!q! +-  ,0, '' F F   D ! &V^^GV4 $$&''-  %  & &~ 6 &  # # %    ! &  * * ,D K4 K! <<"ll5!!"yy &,,u% % & & &sCAD!A F" E!E4E  EE>$E99E>>FF private_key_pemdomains must_stapleipaddrsctjtj|}tj}g}|g}|g}t |t |zdk(r t d|D]}|j d|z|D] }|j d|jz"dj|jd} tjdd| g} |r'| j tjd dd |j| |j||jd|j|d tjtj|S) aGenerate a CSR containing domains or IPs as subjectAltNames. :param buffer private_key_pem: Private key, in PEM PKCS#8 format. :param list domains: List of DNS names to include in subjectAltNames of CSR. :param bool must_staple: Whether to include the TLS Feature extension (aka OCSP Must Staple: https://tools.ietf.org/html/rfc7633). :param list ipaddrs: List of IPaddress(type ipaddress.IPv4Address or ipaddress.IPv6Address) names to include in subbjectAltNames of CSR. params ordered this way for backward competablity when called by positional argument. :returns: buffer PEM-encoded Certificate Signing Request. rzAAt least one of domains or ipaddrs parameter need to be not emptyDNS:IP:, asciisubjectAltNameFcriticalvalues1.3.6.1.5.5.7.1.24sDER:30:03:02:01:05sha256)r load_privatekey FILETYPE_PEMX509Reqlenr.appendexplodedjoinencode X509Extensionadd_extensions set_pubkey set_versionsigndump_certificate_request) rvrwrxry private_keycsrsanlistaddressips san_string extensionss rmake_csrrsa((_.K .. CG 7|CL A%\]])v'()-us||+,-7#**73J   J&.. !') *z"NN;OOAHH[(#  * *S ""rloaded_cert_or_reqc|jj}t|}||S|g|Dcgc] }||k7s | c}zScc}wr) get_subjectCN_pyopenssl_cert_or_req_san)r common_namesansds r _pyopenssl_cert_or_req_all_namesrsP%00255K %&8 9D =t@!qK/?A@ @@@s AA cert_or_reqcd}d|z}t|}|Dcgc]'}|j|r|j|d)c}Scc}w)aGet Subject Alternative Names from certificate or CSR using pyOpenSSL. .. todo:: Implement directly in PyOpenSSL! .. note:: Although this is `acme` internal API, it is used by `letsencrypt`. :param cert_or_req: Certificate or CSR. :type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`. :returns: A list of Subject Alternative Names that is DNS. :rtype: `list` of `str` :DNSrf)_pyopenssl_extract_san_list_raw startswithsplitrpart_separatorprefix sans_partsparts rrr#sX$N ^ #F0=J# ?doof&= JJ~ &q ) ?? ?s,Acd}d|z}t|}|Dcgc]"}|j|s|t|d$c}Scc}w)aeGet Subject Alternative Names IPs from certificate or CSR using pyOpenSSL. :param cert_or_req: Certificate or CSR. :type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`. :returns: A list of Subject Alternative Names that are IP Addresses. :rtype: `list` of `str`. note that this returns as string, not IPaddress object rz IP AddressN)rrrrs r_pyopenssl_cert_or_req_san_ipr>sGN N *F0=J+5 Q49PDV  QQ Qs AAct|tjr4tjtj|j d}n3tj tj|j d}tjd|}d}|g}|S|jdj|}|S)aGet raw SAN string from cert or csr, parse it as UTF-8 and return. :param cert_or_req: Certificate or CSR. :type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`. :returns: raw san strings, parsed byte as utf-8 :rtype: `list` of `str` zutf-8z5X509v3 Subject Alternative Name:(?: critical)?\s*(.*)r}rf) isinstancer r$dump_certificate FILETYPE_TEXTdecoderresearchgroupr)rtextraw_sanparts_separatorrs rrrRs+v{{+&&v';';[IPPQXY..v/C/C[QXXY`aiiPRVWGOJ -4MM!,<,B,B?,SJ rrA not_beforevalidity force_sanrrc |s |sJdtj}|jtt j t jdd|jd|g}|g}|g}|jtjdddt|dkDr|d|j_ |j|jg}|D]} |jd| z|D] } |jd | jz"d j!|j#d } |st|d kDst|dkDr'|jtjd d| |j%||j'|dn||j)||j+||j-|d|S)atGenerate new self-signed certificate. :type domains: `list` of `str` :param OpenSSL.crypto.PKey key: :param bool force_san: :param extensions: List of additional extensions to include in the cert. :type extensions: `list` of `OpenSSL.crypto.X509Extension` :type ips: `list` of (`ipaddress.IPv4Address` or `ipaddress.IPv6Address`) If more than one domain is provided, all of the domains are put into ``subjectAltName`` X.509 extension and first domain is set as the subject CN. If only one domain is provided no ``subjectAltName`` extension is used, unless `force_san` is ``True``. z7Must provide one or more hostnames or IPs for the cert.sbasicConstraintsTsCA:TRUE, pathlen:0rr{r|r}r~rfrFrr)r r$set_serial_numberr^binasciihexlifyosurandomrrrrrr set_issuerrrrrgmtime_adj_notBeforegmtime_adj_notAfterrr) rArwrrrrrrBrriprs r gen_ss_certrqs* cTTT> ;;=D3x// 2?DEQ  { '< >  7|a ' OOD$$&'G)v'(),ur{{*+,7#**73JCL1$C1 &..     #:#5a:FX&OOCIIc8 Krchainfiletypecdttjtjfdt ffd dj fd|DS)zDump certificate chain into a bundle. :param list chain: List of `OpenSSL.crypto.X509` (or wrapped in :class:`josepy.util.ComparableX509`). :returns: certificate chain bundle :rtype: bytes rBrct|tjrEt|jtj rt jd|j}t j|S)NzUnexpected CSR provided.) rjoseComparableX509wrappedr rrrMr)rBrs r _dump_certz(dump_pyopenssl_chain.._dump_certsQ dD// 0$,,7ll#=>><z'dump_pyopenssl_chain..s7Jt$7s)r rrr r$r"r)rrrs `@rdump_pyopenssl_chainrsA7t22FKK?@7U7 8877 77r)NFN)NNi: TNN)4rPrrk ipaddressloggingrrrNtypingrrrrrrr r r josepyrOpenSSLr r acmer getLoggerrr6 SSLv23_METHODr]rr(r"r^rQr$rurR IPv4Address IPv6Addressrrrrrrr#rrrrrr&rrrs    8 $''uup58/SZ:>6E66c6#66AFsCx6&x76CI;;6rVZ!&\`4"e4"huSXtCy=P7Q.R4"4"tE)*?*?AVAV*V$WXY4"4"nAv{{FNN?Z9[A*.s)A?E&++v~~2M,N?SWX[S\?6RuV[[&..5P/QRVZ[^V_R(v{{FNN7R1SX\]`Xa>BF,0FJCG[_ ?V[[?8DI+>?$SM???C?%T&*>*>%?@?d5)>)> @U@U)U#VWX ? [[ ?F*0)<)<8d4+>+>&?fkkAR&R S8#&8AF8r