3
5lc^A���������������
���@���s\��d�Z�ddlZddlZddlZddlZddlZddlZddlZddlm Z �ddlm
Z
�ddlm
Z
�ddlm
Z
�ddlm
Z
�ddlmZ�dd lmZ�dd
lmZ�ddlZdd
lmZ�dd
lmZ�dd
lmZ�eje�ZejZ
G�dd��d�Z
G�dd��d�Z
dde
d0dfe e e e e ee!e f�e
e
e!��ej"d�dd�Z#d1e e
eee!�e
e!�f��e$e
e
eej%ej&f���e d�dd�Z'eej"ej(f�e
e!�d
�d
d
�Z)eej"ej(f�e
e!�d �d d!�Z*eej"ej(f�e
e!�d �d"d#�Z+eej"ej(f�e
e!�d �d$d%�Z,d5ej-e
e
e!��e
e �e e$e
e
ej.��e
e
eej%ej&f���ej"d*�d+d,�Z/ej0fe
ej"�e e d-�d.d/�Z1dS�)6zCrypto utilities.�����N)�Any)�Callable)�List)�Mapping)�Optional)�Set)�Tuple)�Union)�crypto)�SSL)�errorsc���������������@���sP���e�Zd�Zeeeejejf�f�d�dd�Z e
j
e
eejejf��d�dd�Z
dS�)�_DefaultCertSelection)�certsc�������������C���s
���||�_�d�S�)N)r���)�selfr�����r����!/usr/lib/python3.6/crypto_util.py�__init__%���s����z
_DefaultCertSelection.__init__)�
connection�returnc�������������C���s���|j���}|�jj|d��S�)N)�get_servernamer����get)r���r���Z
server_namer���r���r����__call__(���s����z
_DefaultCertSelection.__call__N)�__name__�
__module__�
__qualname__r����bytesr���r
����PKey�X509r���r
����
Connectionr���r���r���r���r���r���r
���$���s���"r
���c������������
���@���s����e�Zd�ZdZdeddfejeeee e
j
e
j
f�f��e
eeejee�gef��eeejge e
j
e
j
f�f��dd�dd�Zeed�dd�Zejdd �d
d
�ZG�d
d
��d
�Ze eef�d�dd�ZdS�)� SSLSocketa���SSL wrapper for sockets.
:ivar socket sock: Original wrapped socket.
:ivar dict certs: Mapping from domain names (`bytes`) to
`OpenSSL.crypto.X509`.
:ivar method: See `OpenSSL.SSL.Context` for allowed values.
:ivar alpn_selection: Hook to select negotiated ALPN protocol for
connection.
:ivar cert_selection: Hook to select certificate for connection. If given,
`certs` parameter would be ignored, and therefore must be empty.
N)�sockr����method�alpn_selection�cert_selectionr���c�������������C���s\���||�_�||�_||�_|
�r&|
�r&td��|r6|r6td��|}|d�krRt|rL|ni��}||�_d�S�)Nz*Neither cert_selection or certs specified.z(Both cert_selection and certs specified.)r ���r"���r!����
ValueErrorr
���r#���)r���r ���r���r!���r"���r#���Zactual_cert_selectionr���r���r���r���:���s����
zSSLSocket.__init__)�namer���c�������������C���s
���t�|�j|�S�)N)�getattrr ���)r���r%���r���r���r����
__getattr__P���s����zSSLSocket.__getattr__)r���r���c�������������C���s����|�j�|�}|dkr&tjd|j����dS�|\}}tj|�j�}|jtj��|jtj ��|j
|��|j
|��|�j
dk r||j
|�j
��|j|��dS�)a���SNI certificate callback.
This method will set a new OpenSSL context object for this
connection when an incoming connection provides an SNI name
(in order to serve the appropriate certificate, if any).
:param connection: The TLS connection object on which the SNI
extension was received.
:type connection: :class:`OpenSSL.Connection`
Nz=Certificate selection for server name %s failed, dropping SSL)r#����logger�debugr���r
����Contextr!����
set_options�
OP_NO_SSLv2�
OP_NO_SSLv3Zuse_privatekeyZuse_certificater"����set_alpn_select_callbackZ
set_context)r���r���Zpair�key�certZ
new_contextr���r���r����_pick_certificate_cbS���s
����
z
SSLSocket._pick_certificate_cbc���������������@���sB���e�Zd�ZdZejdd�dd�Zeed�dd�Z ee
d �d
d
�Z
dS�)
zSSLSocket.FakeConnectionz
Fake OpenSSL.SSL.Connection.N)r���r���c�������������C���s
���||�_�d�S�)N)�_wrapped)r���r���r���r���r���r���s���s����z!SSLSocket.FakeConnection.__init__)r%���r���c�������������C���s
���t�|�j|�S�)N)r&���r2���)r���r%���r���r���r���r'���v���s����z$SSLSocket.FakeConnection.__getattr__)�
unused_argsr���c�������������G���s
���|�j�j��S�)N)r2����shutdown)r���r3���r���r���r���r4���y���s����z!SSLSocket.FakeConnection.shutdown)
r���r���r����__doc__r
���r
���r����strr���r'����boolr4���r���r���r���r����FakeConnectionn���s���r8���)r���c�������������C���s����|�j�j��\}}tj|�j�}|jtj��|jtj��|j|�j ��|�j
d�k rT|j
|�j
��|�j
tj
||��}|j���tjd|��y
|j���W�n.�tjk
r��}�ztj|��W�Y�d�d�}~X�nX�||fS�)Nz
Performing handshake with %s)r ����acceptr
���r*���r!���r+���r,���r-���Z
set_tlsext_servername_callbackr1���r"���r.���r8���r
���Zset_accept_stater(���r)����
do_handshake�Error�socket�error)r���r ���Zaddr�contextZssl_sockr=���r���r���r���r9���}���s
����
zSSLSocket.accept)r���r���r���r5����_DEFAULT_SSL_METHODr<���r���r���r���r���r
���r
���r
����intr���r
���r
���r���r���r6���r���r'���r1���r8���r9���r���r���r���r���r ���-���s���
Zr ���i���i,����)r%����host�port�timeoutr!����source_address�alpn_protocolsr���c����������%���C���s&��t�j|�}|j|��d|i}yFtjd||t|�rDdj|d�|d��nd��||f} tj| f|�}
W�n.�tj k
r��}
�zt
j
|
��W�Y�dd}
~
X�nX�t
j
|
��|}
t�j||
�}
|
j���|
j|���|dk r�|
j|��y|
j���|
j���W�n0�t�j
k
�r�}
�zt
j
|
��W�Y�dd}
~
X�nX�W�dQ�R�X�|
j��S�)a��Probe SNI server for SSL certificate.
:param bytes name: Byte string to send as the server name in the
client hello message.
:param bytes host: Host to connect to.
:param int port: Port to connect to.
:param int timeout: Timeout in seconds.
:param method: See `OpenSSL.SSL.Context` for allowed values.
:param tuple source_address: Enables multi-path probing (selection
of source interface). See `socket.creation_connection` for more
info. Available only in Python 2.7+.
:param alpn_protocols: Protocols to request using ALPN.
:type alpn_protocols: `list` of `str`
:raises acme.errors.Error: In case of any problems.
:returns: SSL certificate presented by the server.
:rtype: OpenSSL.crypto.X509
rE���z!Attempting to connect to %s:%d%s.z
from {0}:{1}r�������rA���N)r
���r*���Z
set_timeoutr(���r)����any�formatr<���Zcreate_connectionr=���r
���r;����
contextlib�closingr
���Zset_connect_stateZset_tlsext_host_nameZset_alpn_protosr:���r4���Zget_peer_certificate)r%���rB���rC���rD���r!���rE���rF���r>���Z
socket_kwargsZ
socket_tupler ���r=���ZclientZ
client_sslr���r���r���� probe_sni����s.����
"
&rL���F)�private_key_pem�domains�
must_staple�ipaddrsr���c�������
������C���s����t�jt�j|��}t�j��}g�}|dkr&g�}|dkr2g�}t|�t|��dkrNtd��x|D�]}|jd|���qTW�x
|D�]}|jd|j���qpW�dj|�j d�} t�j
dd | d
�g}
|r�|
jt�j
d
d d
d
���|j
|
��|j
|��|j
d��|j|d
��t�jt�j|�S�)a���Generate a CSR containing domains or IPs as subjectAltNames.
:param buffer private_key_pem: Private key, in PEM PKCS#8 format.
:param list domains: List of DNS names to include in subjectAltNames of CSR.
:param bool must_staple: Whether to include the TLS Feature extension (aka
OCSP Must Staple: https://tools.ietf.org/html/rfc7633).
:param list ipaddrs: List of IPaddress(type ipaddress.IPv4Address or ipaddress.IPv6Address)
names to include in subbjectAltNames of CSR.
params ordered this way for backward competablity when called by positional argument.
:returns: buffer PEM-encoded Certificate Signing Request.
Nr���zAAt least one of domains or ipaddrs parameter need to be not emptyzDNS:zIP:z, �asciis���subjectAltNameF)�critical�values���1.3.6.1.5.5.7.1.24s���DER:30:03:02:01:05�sha256)r
���Zload_privatekey�
FILETYPE_PEM�X509Req�lenr$����append�exploded�join�encode�
X509Extension�add_extensions�
set_pubkey�
set_version�sign�dump_certificate_request)
rM���rN���rO���rP���Z
private_keyZcsr�sanlist�address�ips�
san_string�
extensionsr���r���r����make_csr����s<����
rg���)�loaded_cert_or_reqr���c����������������s6���|�j���j��t|��}��d�kr
|S���g��fdd�|D���S�)Nc����������������s���g�|�]}|��kr|�qS�r���r���)�.0�d)�
common_namer���r����
<listcomp>
��s����z4_pyopenssl_cert_or_req_all_names.<locals>.<listcomp>)�
get_subject�CN�_pyopenssl_cert_or_req_san)rh���Zsansr���)rk���r���� _pyopenssl_cert_or_req_all_names��s
����
rp���)�
cert_or_reqr���c����������������s(���d��d����t�|��}���fdd�|D��S�)a���Get Subject Alternative Names from certificate or CSR using pyOpenSSL.
.. todo:: Implement directly in PyOpenSSL!
.. note:: Although this is `acme` internal API, it is used by
`letsencrypt`.
:param cert_or_req: Certificate or CSR.
:type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`.
:returns: A list of Subject Alternative Names that is DNS.
:rtype: `list` of `unicode`
�:ZDNSc����������������s$���g�|�]
}|j���r|j���d���qS�)rG���)�
startswith�split)ri����part)�part_separator�prefixr���r���rl���$��s���z._pyopenssl_cert_or_req_san.<locals>.<listcomp>)� _pyopenssl_extract_san_list_raw)rq����
sans_partsr���)rv���rw���r���ro���
��s
����
ro���c����������������s&���d}d|���t�|��}��fdd�|D��S�)ai��Get Subject Alternative Names IPs from certificate or CSR using pyOpenSSL.
:param cert_or_req: Certificate or CSR.
:type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`.
:returns: A list of Subject Alternative Names that are IP Addresses.
:rtype: `list` of `unicode`. note that this returns as string, not IPaddress object
rr���z
IP Addressc����������������s&���g�|�]
}|j����r|t���d����qS�)N)rs���rW���)ri���ru���)rw���r���r���rl���9��s����z1_pyopenssl_cert_or_req_san_ip.<locals>.<listcomp>)rx���)rq���rv���ry���r���)rw���r����
_pyopenssl_cert_or_req_san_ip(��s����
rz���c�������������C���sf���t�|�tj�r"tjtj|��jd�}ntjtj|��jd�}tjd|�}d}|dkrRg�n|j d�j
|�}|S�)a��Get raw SAN string from cert or csr, parse it as UTF-8 and return.
:param cert_or_req: Certificate or CSR.
:type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`.
:returns: raw san strings, parsed byte as utf-8
:rtype: `list` of `unicode`
zutf-8z5X509v3 Subject Alternative Name:(?: critical)?\s*(.*)z, NrG���)
�
isinstancer
���r
����dump_certificateZ
FILETYPE_TEXT�decodera����re�search�grouprt���)rq����textZraw_sanZparts_separatorry���r���r���r���rx���<��s����
rx������������<���T)r/���rN����
not_before�validity� force_sanrf���rd���r���c�������
������C���sV��t�j��}|jttjtjd��d���|jd��|dkr:g�}|dkrFg�}|dkrRg�}|j t�j
ddd���t
|�dkr�|d�|j
��_
|j|j
����g�}x|D�]} |j d| ���q�W�x
|D�]}
|j d |
j���q�W�d
j|�jd
�}
|s�t
|�d
ks�t
|�dk�r|j t�j
d
d|
d���|j|��|j|dk�r,dn|��|j|��|j|���|j|�d��|S�)ax��Generate new self-signed certificate.
:type domains: `list` of `unicode`
:param OpenSSL.crypto.PKey key:
:param bool force_san:
:param extensions: List of additional extensions to include in the cert.
:type extensions: `list` of `OpenSSL.crypto.X509Extension`
:type ips: `list` of (`ipaddress.IPv4Address` or `ipaddress.IPv6Address`)
If more than one domain is provided, all of the domains are put into
``subjectAltName`` X.509 extension and first domain is set as the
subject CN. If only one domain is provided no ``subjectAltName``
extension is used, unless `force_san` is ``True``.
��������Ns���basicConstraintsTs���CA:TRUE, pathlen:0r���zDNS:zIP:z, rQ���rG���s���subjectAltNameF)rR���rS���rT���)r
���r
���Zset_serial_numberr@����binasciiZhexlify�os�urandomr_���rX���r\���rW���rm���rn���Z
set_issuerrY���rZ���r[���r]���Zgmtime_adj_notBeforeZgmtime_adj_notAfterr^���r`���)
r/���rN���r����r����r����rf���rd���r0���rb���rc���Zipre���r���r���r����
gen_ss_cert[��s@����
r����)�chain�filetyper���c����������������s8���t�tjtjf�td��fdd�
��dj��fdd�|�D���S�)z�Dump certificate chain into a bundle.
:param list chain: List of `OpenSSL.crypto.X509` (or wrapped in
:class:`josepy.util.ComparableX509`).
:returns: certificate chain bundle
:rtype: bytes
)r0���r���c����������������s
���t�|�tj�r|�j}�tj��|��S�)N)r{����jose�ComparableX509�wrappedr
���r|���)r0���)r����r���r����
_dump_cert���s����
z(dump_pyopenssl_chain.<locals>._dump_cert�����c�������������3���s���|�]}��|�V��qd�S�)Nr���)ri���r0���)r����r���r���� <genexpr>���s����z'dump_pyopenssl_chain.<locals>.<genexpr>)r ���r����r����r
���r
���r���rZ���)r����r����r���)r����r����r����dump_pyopenssl_chain���s����
r����)rA���r���)NFN����i`'���: �)NNr����TNN)2r5���r����rJ���Z ipaddressZloggingr����r~���r<���Ztypingr���r���r���r���r���r���r���r ���Zjosepyr����ZOpenSSLr
���r
���Zacmer
���Z getLoggerr���r(���Z
SSLv23_METHODr?���r
���r ���r���r@���r6���r
���rL���r7���Z
IPv4AddressZ
IPv6Addressrg���rV���rp���ro���rz���rx���r
���r\���r����rU���r����r���r���r���r����<module>���sT���
h25��23
����<=