3
�گa�g��������������� ���@���s&���d�Z�d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l�m�Z���d�d�l�m�Z���d�d�l�m�Z���d�d�l�m Z ��d�d�l�m
Z
��d�d�l�m�Z���d�d l�m�Z���d�d�l
Z
d�d
l�m�Z���d�d�l�m�Z���d�d�l�m�Z���d�d
l�m�Z���d�d�l�m�Z���d�d�l�m�Z���d�d�l�m�Z���d�d�l�m�Z���d�d�l�m�Z���d�d�l�m�Z���d�d�l m!Z!��d�d�l"m#Z#��d�d�l"m$Z$��d�d�l"m%Z%��d�d�l&Z&d�d�l'm(Z(��d�d�l'm)Z)��d�d�l*Z*d�d�l+Z,d�d�l-m.Z/��d�d�l0m1Z1��d�d�l0m2Z2��d�d�l0m3Z3��d�d�l4m5Z5��e���r�d�d�l6m7Z7��d�d l8m9Z9��e�j:e;��Z<d~e=e>e>e>e>e?e3j@d%��d&d'��ZAde=e>e>e>e>e3j@d(��d)d*��ZBd�e3j@e�e�e>��e e>��f���e>e?e?e3jCd,��d-d.��ZDe3j@e e>��e>e3jCd/��d0d1��ZEeFe?d2��d3d4��ZGeFeFe?d5��d6d7��ZHe>eFe
e=e3jCe�e>��f���d8��d9d:��ZId�e=e>e�e>��eFd<��d=d>��ZJe>e?d?��d@dA��ZKe2jLd�dB��dCdD��ZMe2jLd�dB��dEdF��ZNe�e�dGdHe�e!f���eFeFe�jOd�dI��dJdK��ZPe>e>d�dL��dMdN��ZQe2jLd�dB��dOdP��ZReFe
e(jSe=f���dQ��dRdS��ZTe(jUf�eFe�e=eFg�e�e(jSe(jVf���f���e=e�e(jSe(jVf���dT��dUdV��ZWe(jUf�eFe�e=eFg�e�e(jSe(jVf���f���e=e�e>��dT��dWdX��ZXe(jUf�eFe=e�e>��dY��dZd[��ZYeFe�e=eFg�e�e(jSe(jVf���f���e=e�e>��d\��d]d^��ZZe�e(jSe(jVf���e�e>��d_��d`da��Z[e(jUf�eFe=e�e>��dY��dbdc��Z\e(jUf�eFe=e�e>��dd��dedf��Z]e(jUf�e�e�e(jS��e�e&j^��f���e=eFdg��dhdi��Z_e>e�j�dj��dkdl��Z`e>e�j�dj��dmdn��Zae>e�e(jSg�e�eF��f���e�j�do��dpdq��Zbe>e>dr��dsdt��Zce�jddue�je��Zfe>e
e>e>f���dv��dwdx��Zge>e=dj��dydz��Zhd�e�e>��e>e?e>d{��d|d}��Zid�S�)�z�Certbot client crypto utility functions.
.. todo:: Make the transition to use PSS rather than PKCS1_v1_5 when the server
is capable of handling the signatures.
�����N)���Callable)���List)���Optional)���Set)���Tuple)��
TYPE_CHECKING)���Union)���x509)���InvalidSignature)���UnsupportedAlgorithm)���default_backend)���hashes)���ec)���DSAPublicKey)���ECDSA)���EllipticCurvePublicKey)���PKCS1v15)���RSAPublicKey)���Encoding)���NoEncryption)��
PrivateFormat)���crypto)���SSL)���crypto_util)���errors)��
interfaces)���util)���os)���Ed448PublicKey)���Ed25519PublicKey��rsa� secp256r1��key-certbot.pemT)���key_size��key_dir��key_type��elliptic_curve��keyname��strict_permissions��returnc��������
�������C���s����y�t�|�|�p�d�|�d���}�W�nD��t�k
rZ��}���z(t�j�d�d�d�����t�j�d�t�|�������|���W�Y�d�d�}�~�X�n�X�t�j�|�d�|�����t�j�t j
j�|�|���d d
��\�}�} |�����|�j�|�����W�d�Q�R�X�|�d�k�r�t�j�d�|�| ����n�t�j�d
|�| ����t�j
| |���S�)�a����Initializes and saves a privkey.
Inits key and saves it in PEM format on the filesystem.
.. note:: keyname is the attempted filename, it may be different if a file
already exists at the path.
:param int key_size: key size in bits if key size is rsa.
:param str key_dir: Key save directory.
:param str key_type: Key Type [rsa, ecdsa]
:param str elliptic_curve: Name of the elliptic curve if key type is ecdsa.
:param str keyname: Filename of key
:param bool strict_permissions: If true and key_dir exists, an exception is raised if
the directory doesn't have 0700 permissions or isn't owned by the current user.
:returns: Key
:rtype: :class:`certbot.util.Key`
:raises ValueError: If unable to generate the key given key_size.
r!���)���bitsr&���r%�����T)���exc_infoz&Encountered error while making key: %sNi����i������wbr ���z Generating RSA key (%d bits): %sz"Generating ECDSA key (%d bits): %s)���make_key�
ValueError��logger��debug��error��strr������make_or_verify_dir��unique_filer������path��join��write��Key)
r#���r$���r%���r&���r'���r(���Z�key_pem��errZ�key_f��key_path��r<����!/usr/lib/python3.6/crypto_util.py��generate_key8���s �����������������������������������r>���)�r#���r$���r%���r&���r'���r)���c����������������C���s0���t�j�d�t�����t�j�j�t�j���}�t�|�|�|�|�|�|�j d���S�)�a����Initializes and saves a privkey.
Inits key and saves it in PEM format on the filesystem.
.. note:: keyname is the attempted filename, it may be different if a file
already exists at the path.
.. deprecated:: 1.16.0
Use :func:`generate_key` instead.
:param int key_size: key size in bits if key size is rsa.
:param str key_dir: Key save directory.
:param str key_type: Key Type [rsa, ecdsa]
:param str elliptic_curve: Name of the elliptic curve if key type is ecdsa.
:param str keyname: Filename of key
:returns: Key
:rtype: :class:`certbot.util.Key`
:raises ValueError: If unable to generate the key given key_size.
zecertbot.crypto_util.init_save_key is deprecated, please use certbot.crypto_util.generate_key instead.)�r%���r&���r'���r(���)
��warnings��warn��DeprecationWarning��zope� component�
getUtilityr������IConfigr>���r(���)�r#���r$���r%���r&���r'�����configr<���r<���r=����
init_save_keyh���s
�����������
�rG���F)���privkey��namesr6�����must_stapler(���r)���c����������������C���sp���t�j�|�j�|�|�d���}�t�j�|�d�|�����t�j�t�j�j�|�d���d�d���\�}�}�|�����|�j |�����W�d�Q�R�X�t
j�d�|�����t�j�|�|�d���S�) a:���Initialize a CSR with the given private key.
:param privkey: Key to include in the CSR
:type privkey: :class:`certbot.util.Key`
:param set names: `str` names to include in the CSR
:param str path: Certificate save directory.
:param bool must_staple: If true, include the TLS Feature extension "OCSP Must Staple"
:param bool strict_permissions: If true and path exists, an exception is raised if
the directory doesn't have 0755 permissions or isn't owned by the current user.
:returns: CSR
:rtype: :class:`certbot.util.CSR`
)�rJ���i����z�csr-certbot.pemi����r-���Nz�Creating CSR: %s��pem)
��acme_crypto_utilZ�make_csrrK���r����r4���r5���r����r6���r7���r8���r0���r1�����CSR)�rH���rI���r6���rJ���r(���Z�csr_pemZ�csr_fZ�csr_filenamer<���r<���r=�����generate_csr����s����������������������rN���)�rH���rI���r6���r)���c����������������C���s0���t�j�d�t�����t�j�j�t�j���}�t�|�|�|�|�j |�j
d���S�)�aw���Initialize a CSR with the given private key.
.. deprecated:: 1.16.0
Use :func:`generate_csr` instead.
:param privkey: Key to include in the CSR
:type privkey: :class:`certbot.util.Key`
:param set names: `str` names to include in the CSR
:param str path: Certificate save directory.
:returns: CSR
:rtype: :class:`certbot.util.CSR`
zecertbot.crypto_util.init_save_csr is deprecated, please use certbot.crypto_util.generate_csr instead.)�rJ���r(���)�r?���r@���rA���rB���rC���rD���r����rE���rN���rJ���r(���)�rH���rI���r6���rF���r<���r<���r=����
init_save_csr����s
�������������rO���)���csrr)���c����������������C���sF���y�t�j�t�j�|���}�|�j�|�j�����S���t�j�k
r@������t�j�d�d�d�����d�S�X�d�S�)�z�Validate CSR.
Check if `csr` is a valid CSR for the given domains.
:param bytes csr: CSR in PEM.
:returns: Validity of CSR.
:rtype: bool
r+���T)�r,���FN)�r������load_certificate_request��FILETYPE_PEM��verifyZ
get_pubkey��Errorr0���r1���)�rP�����reqr<���r<���r=���� valid_csr����s����������
�������rV���)�rP���rH���r)���c����������������C���sP���t�j�t�j�|���}�t�j�t�j�|���}�y
|�j�|���S���t�j�k
rJ������t�j�d�d�d�����d�S�X�d�S�)�z�Does private key correspond to the subject public key in the CSR?
:param bytes csr: CSR in PEM.
:param bytes privkey: Private key file contents (PEM)
:returns: Correspondence of private key to CSR subject public key.
:rtype: bool
r+���T)�r,���FN)�r����rQ���rR�����load_privatekeyrS���rT���r0���r1���)�rP���rH���rU���Z�pkeyr<���r<���r=�����csr_matches_pubkey����s�����
��
�����
�����rX���)���csrfile��datar)���c����������������C���s����t�j�}�t�j�}�y�|�t�j�|���}�W�nL��t�j�k
rh������y�|�|�|���}�W�n&��t�j�k
rb������t�j�d�j�|�������Y�n�X�Y�n�X�t�|���}�t�j�|�|���}�|�t j
|�|�d�d���|�f�S�)�a1���Import a CSR file, which can be either PEM or DER.
:param str csrfile: CSR filename
:param bytes data: contents of the CSR file
:returns: (`crypto.FILETYPE_PEM`,
util.CSR object representing the CSR,
list of domains requested in the CSR)
:rtype: tuple
z�Failed to parse CSR file: {0}rK���)���filerZ���Z�form)�r����rR���rQ����
FILETYPE_ASN1rT���r������format�"_get_names_from_loaded_cert_or_reqZ�dump_certificate_requestr����rM���)�rY���rZ�����PEM��loadrP���Z�domainsZ�data_pemr<���r<���r=�����import_csr_file����s����������������������������ra��������)�r*���r%���r&���r)���c����������������C���s.���|�d�k�r8|�d�k�r t�j�d�j�|�������t�j���}�|�j�t�j�|�����n�|�d�k���r�|�sPt�j�d�����yD|�j���}�|�d�k�r�t�j t
t�|�j���d ����t���d
��}�n�t�j�d�j�|�������W�nT��t�k
r�������t�j�d�j�|�������Y�n2��t
k
r���}���z�|�t�j�t�|�������W�Y�d d }�~�X�n�X�|�j�t�j�t�j�t���d���}�t�j�t�j�|���}�n�t�j�d
j�|�������t�j�t�j�|���S�)�a����Generate PEM encoded RSA|EC key.
:param int bits: Number of bits if key_type=rsa. At least 1024 for RSA.
:param str key_type: The type of key to generate, but be rsa or ecdsa
:param str elliptic_curve: The elliptic curve to use.
:returns: new RSA or ECDSA key in PEM form with specified number of bits
or of type ec_curve when key_type ecdsa is used.
:rtype: str
r ���i����z�Unsupported RSA key length: {}Z�ecdsaz3When key_type == ecdsa, elliptic_curve must be set.� SECP256R1� SECP384R1� SECP521R1N)�Z�curveZ�backendz�Unsupported elliptic curve: {})���encodingr]���Z�encryption_algorithmz0Invalid key_type specified: {}. Use [rsa|ecdsa])�rc���rd���re���)�r����rT���r]���r����Z�PKeyr>���Z�TYPE_RSA��upperr����Z�generate_private_key��getattrr����� TypeErrorr����r3���Z
private_bytesr����r_���r����Z�TraditionalOpenSSLr����rW���rR���Z�dump_privatekey)�r*���r%���r&�����key��nameZ�_key��eZ�_key_pemr<���r<���r=���r.���
���s4���������������
���
���������������������"�������
�����r.���)�rH���r)���c����������������C���s2���y�t�j�t�j�|���j���S���t�t�j�f�k
r,������d�S�X�d�S�)�z�Is valid RSA private key?
:param str privkey: Private key file contents in PEM
:returns: Validity of private key.
:rtype: bool
FN)�r����rW���rR���Z�checkri���rT���)�rH���r<���r<���r=����
valid_privkey>���s
���� ��������rm���)���renewable_certr)���c����������������C���s"���t�|�����t�|�����t�|�j�|�j�����d�S�)�a����For checking that your certs were not corrupted on disk.
Several things are checked:
1. Signature verification for the cert.
2. That fullchain matches cert and chain when concatenated.
3. Check that the private key matches the certificate.
:param renewable_cert: cert to verify
:type renewable_cert: certbot.interfaces.RenewableCert
:raises errors.Error: If verification fails.
N)���verify_renewable_cert_sig��verify_fullchain��verify_cert_matches_priv_key� cert_pathr;���)�rn���r<���r<���r=�����verify_renewable_certN���s�����
����rs���c����������������C���s����ytt�|�j�d�����}�t�j�|�j���t�����}�W�d�Q�R�X�t�|�j�d�����}�t�j�|�j���t�����}�W�d�Q�R�X�|�j���}�t�|�|�j |�j
|�j�����W�nJ��t�t
t�f�k
r���}���z(d�j�|�j�|���}�t�j�|�����t�j�|�����W�Y�d�d�}�~�X�n�X�d�S�)�z�Verifies the signature of a RenewableCert object.
:param renewable_cert: cert to verify
:type renewable_cert: certbot.interfaces.RenewableCert
:raises errors.Error: If signature verification fails.
��rbNzbverifying the signature of the certificate located at {0} has failed. Details: {1})���open�
chain_pathr �����load_pem_x509_certificate��readr����rr����
public_key��verify_signed_payload� signatureZ�tbs_certificate_bytes��signature_hash_algorithm��IOErrorr/���r
���r]���r0���� exceptionr����rT���)�rn����
chain_file��chain� cert_file��certZ�pkrl���� error_strr<���r<���r=���ro���`���s��������������������������
�ro���r����r����)�ry���r{�����payloadr|���r)���c����������������C���sJ���t�|�t���r�|�j�|�|�t���|�����n(t�|�t���r<|�j�|�|�t�|�������n
t�j�d�����d�S�)�a����Check the signature of a payload.
:param RSAPublicKey/EllipticCurvePublicKey public_key: the public_key to check signature
:param bytes signature: the signature bytes
:param bytes payload: the payload bytes
:param hashes.HashAlgorithm signature_hash_algorithm: algorithm used to hash the payload
:raises InvalidSignature: If signature verification fails.
:raises errors.Error: If public key type is not supported
z�Unsupported public key type.N)��
isinstancer����rS���r����r����r����r����rT���)�ry���r{���r����r|���r<���r<���r=���rz���w���s������
�����
�����rz���)�rr���r;���r)���c����������������C���s|���y,t�j�t�j���}�|�j�|�����|�j�|�����|�j�����W�nJ��t�t�j�f�k
rv��}���z(d�j�|�|�|���}�t j
|�����t�j�|�����W�Y�d�d�}�~�X�n�X�d�S�)�z� Verifies that the private key and cert match.
:param str cert_path: path to a cert in PEM format
:param str key_path: path to a private key file
:raises errors.Error: If they don't match.
z�verifying the certificate located at {0} matches the private key located at {1} has failed. Details: {2}N)�r����Z�ContextZ
SSLv23_METHODZ�use_certificate_fileZ�use_privatekey_fileZ�check_privatekeyr}���rT���r]���r0���r~���r����)�rr���r;�����contextrl���r����r<���r<���r=���rq�������s����������
�
���������
�rq���c�������� �������C���s����y�t�|�j�����}�|�j���}�W�d�Q�R�X�t�|�j�����}�|�j���}�W�d�Q�R�X�t�|�j�����}�|�j���}�W�d�Q�R�X�|�|���|�k�r�d�}�|�j�|�j���}�t�j�|�����W�nf��t k
r���}���z$d�j�|���}�t
j�|�����t�j�|�����W�Y�d�d�}�~�X�n(��t�j�k
r���}���z
|���W�Y�d�d�}�~�X�n�X�d�S�)�z� Verifies that fullchain is indeed cert concatenated with chain.
:param renewable_cert: cert to verify
:type renewable_cert: certbot.interfaces.RenewableCert
:raises errors.Error: If cert and chain do not combine to fullchain.
Nz.fullchain does not match cert + chain for {0}!z8reading one of cert, chain, or fullchain has failed: {0})�ru���rv���rx���rr���Z�fullchain_pathr]���Z�lineagenamer����rT���r}���r0���r~���) rn���r���r����r����r����Z�fullchain_fileZ fullchainr����rl���r<���r<���r=���rp�������s"�����������������������������
�
�����rp���)�rZ���r)���c����������������C���s~���g�}�xTt�j�t�j�f�D�]D}�y�t�j�|�|���|�f�S���t�j�k
rT��}���z�|�j�|�����W�Y�d�d�}�~�X�q�X�q�W�t�j�d�j�d�j�d�d���|�D�����������d�S�)�z:Load PEM/DER certificate.
:raises errors.Error:
Nz�Unable to load: {0}��,c����������������s���s����|�]�}�t�|���V���q�d�S�)�N)�r3���)���.0r2���r<���r<���r=���� <genexpr>����s������z-pyopenssl_load_certificate.<locals>.<genexpr>) r����rR���r\�����load_certificaterT�����appendr����r]���r7���)�rZ���Z�openssl_errorsZ file_typer2���r<���r<���r=�����pyopenssl_load_certificate����s���������������� ���r����)���cert_or_req_str� load_func��typr)���c����������������C���sT���y
|�|�|���S���t�j�k
rN��}���z&t�j�d�d�d�����t�j�d�t�|���������W�Y�d�d�}�~�X�n�X�d�S�)�Nr+���T)�r,���z6Encountered error while loading certificate or csr: %s)�r����rT���r0���r1���r2���r3���)�r����r����r����r:���r<���r<���r=�����_load_cert_or_req����s��������
�������r����c����������������C���s����t�j�t�|�|�|�����S�)�N)�rL���Z�_pyopenssl_cert_or_req_sanr����)�r����r����r����r<���r<���r=�����_get_sans_from_cert_or_req����s��������r����)�r����r����r)���c����������������C���s����t�|�t�j�|���S�)�z�Get a list of Subject Alternative Names from a certificate.
:param str cert: Certificate (encoded).
:param typ: `crypto.FILETYPE_PEM` or `crypto.FILETYPE_ASN1`
:returns: A list of Subject Alternative Names.
:rtype: list
)�r����r����r����)�r����r����r<���r<���r=�����get_sans_from_cert����s�����
��r����)���cert_or_reqr����r����r)���c����������������C���s����t�|�|�|���}�t�|���S�)�N)�r����r^���)�r����r����r������loaded_cert_or_reqr<���r<���r=�����_get_names_from_cert_or_req����s��������r����)�r����r)���c����������������C���s
���t�j�|���S�)�N)�rL���Z _pyopenssl_cert_or_req_all_names)�r����r<���r<���r=���r^�������s������r^���c����������������C���s����t�|�t�j�|���S�)�z�Get a list of domains from a cert, including the CN if it is set.
:param str cert: Certificate (encoded).
:param typ: `crypto.FILETYPE_PEM` or `crypto.FILETYPE_ASN1`
:returns: A list of domain names.
:rtype: list
)�r����r����r����)�r����r����r<���r<���r=�����get_names_from_cert����s�����
��r����)�rP���r����r)���c����������������C���s����t�|�t�j�|���S�)�z�Get a list of domains from a CSR, including the CN if it is set.
:param str csr: CSR (encoded).
:param typ: `crypto.FILETYPE_PEM` or `crypto.FILETYPE_ASN1`
:returns: A list of domain names.
:rtype: list
)�r����r����rQ���)�rP���r����r<���r<���r=�����get_names_from_req����s����� r����)�r������filetyper)���c����������������C���s����t�j�|�|���S�)�z�Dump certificate chain into a bundle.
:param list chain: List of `crypto.X509` (or wrapped in
:class:`josepy.util.ComparableX509`).
)�rL�����dump_pyopenssl_chain)�r����r����r<���r<���r=���r��������s�����
r����)�rr���r)���c����������������C���s����t�|�t�j�j���S�)�z�When does the cert at cert_path start being valid?
:param str cert_path: path to a cert in PEM format
:returns: the notBefore value from the cert at cert_path
:rtype: :class:`datetime.datetime`
)���_notAfterBeforer������X509Z
get_notBefore)�rr���r<���r<���r=���� notBefore+���s����� r����c����������������C���s����t�|�t�j�j���S�)�z�When does the cert at cert_path stop being valid?
:param str cert_path: path to a cert in PEM format
:returns: the notAfter value from the cert at cert_path
:rtype: :class:`datetime.datetime`
)�r����r����r����Z�get_notAfter)�rr���r<���r<���r=�����notAfter7���s����� r����)�rr�����methodr)���c����������������C���s����t�|�d�����}�t�j�t�j�|�j�����}�W�d�Q�R�X�|�|���}�|�s>t�j�d�����|�d�d�����d�|�d�d�����d�|�d�d�����d |�d�d
����d�|�d
d�����d�|�d�d�����g�}�d
j�|���}�|�j�d���}�t j
|���S�)�aP���Internal helper function for finding notbefore/notafter.
:param str cert_path: path to a cert in PEM format
:param function method: one of ``crypto.X509.get_notBefore``
or ``crypto.X509.get_notAfter``
:returns: the notBefore or notAfter value from the cert at cert_path
:rtype: :class:`datetime.datetime`
rt���Nz>Error while invoking timestamp method, None has been returned.r��������������-���������������T�
��������:������������ascii)�ru���r����r����rR���rx���r����rT���r7�����decode� pyrfc3339��parse)�rr���r������fr ���Z timestampZ�reformatted_timestampZ�timestamp_bytesZ
timestamp_strr<���r<���r=���r����C���s�����
��������
�������
�
�r����)���filenamer)���c������������
���C���s:���t�j���}�t�|�d�����}�|�j�|�j���j�d�������W�d�Q�R�X�|�j���S�)�aN���Compute a sha256sum of a file.
NB: In given file, platform specific newlines characters will be converted
into their equivalent unicode counterparts before calculating the hash.
:param str filename: path to the file whose hash will be computed
:returns: sha256 digest of the file in hexadecimal
:rtype: str
��rz�UTF-8N)���hashlib��sha256ru�����updaterx�����encodeZ hexdigest)�r����r����Z�file_dr<���r<���r=���� sha256sum_���s������������r����s@���-----BEGIN CERTIFICATE-----
?
.+?
?
-----END CERTIFICATE-----
?
)��
fullchain_pemr)���c����������������C���sL���t�j�|�j�����}�t�|���d�k�r$t�j�d
����d�d���|�D���}�|�d���d�j�|�d�d ������f�S�)�a����Split fullchain_pem into cert_pem and chain_pem
:param str fullchain_pem: concatenated cert + chain
:returns: tuple of string cert_pem and chain_pem
:rtype: tuple
:raises errors.Error: If there are less than 2 certificates in the chain.
�����z/failed to parse fullchain into cert and chain: z!less than 2 certificates in chainc����������������S���s(���g�|�] }�t�j�t�j�t�j�t�j�|�����j�����q�S�r<���)�r����Z�dump_certificaterR���r����r����)�r����r����r<���r<���r=����
<listcomp>����s������z1cert_and_chain_from_fullchain.<locals>.<listcomp>r����r+��������NzPfailed to parse fullchain into cert and chain: less than 2 certificates in chain)���CERT_PEM_REGEX��findallr������lenr����rT���r7���)�r������certsZ�certs_normalizedr<���r<���r=�����cert_and_chain_from_fullchainz���s������������������r����c������������
���C���s0���t�|�d�����}�t�j�t�j�|�j�����}�W�d�Q�R�X�|�j���S�)�z�Retrieve the serial number of a certificate from certificate path
:param str cert_path: path to a cert in PEM format
:returns: serial number of the certificate
:rtype: int
rt���N)�ru���r����r����rR���rx���Z�get_serial_number)�rr���r����r ���r<���r<���r=�����get_serial_from_cert����s����� ����r����)��
fullchains� issuer_cn��warn_on_no_matchr)���c����������������C���sl���xR|�D�]J}�t�j�|�j�����}�t�j�|�d���t�����}�|�j�j�t�j�j ��}�|�r�|�d���j
|�k�r�|�S�q�W�|�rdt�j�d�|�����|�d���S�)�a'���Chooses the first certificate chain from fullchains whose topmost
intermediate has an Issuer Common Name matching issuer_cn (in other words
the first chain which chains to a root whose name matches issuer_cn).
:param fullchains: The list of fullchains in PEM chain format.
:type fullchains: `list` of `str`
:param `str` issuer_cn: The exact Subject Common Name to match against any
issuer in the certificate chain.
:returns: The best-matching fullchain, PEM-encoded, or the first if none match.
:rtype: `str`
r����r����z�Certbot has been configured to prefer certificate chains with issuer '%s', but no chain from the CA matched this issuer. Using the default certificate chain instead.���)
r����r����r����r ���rw���r����Z�issuerZ�get_attributes_for_oidZ�NameOIDZ�COMMON_NAME��valuer0���Z�warning)�r����r����r����r����r����Z�top_certZ
top_issuer_cnr<���r<���r=�����find_chain_with_issuer����s������
�����������������r����)�r ���r!���r"���T)�r ���r!���r"���)�FT)�rb���r ���N)�F)j��__doc__Z�datetimer����Z�logging��reZ�typingr����r����r����r����r����r����r����r?���Z�cryptographyr ���Z�cryptography.exceptionsr
���r����Z�cryptography.hazmat.backendsr����Z�cryptography.hazmat.primitivesr
���Z)cryptography.hazmat.primitives.asymmetricr����Z-cryptography.hazmat.primitives.asymmetric.dsar����Z,cryptography.hazmat.primitives.asymmetric.ecr����r����Z1cryptography.hazmat.primitives.asymmetric.paddingr����Z-cryptography.hazmat.primitives.asymmetric.rsar����Z,cryptography.hazmat.primitives.serializationr����r����r����Z�josepyZ�OpenSSLr����r����r����Z�zope.componentrB���Z�acmer����rL���Z�certbotr����r����r����Z�certbot.compatr����Z/cryptography.hazmat.primitives.asymmetric.ed448r����Z1cryptography.hazmat.primitives.asymmetric.ed25519r����Z getLogger��__name__r0�����intr3�����boolr9���r>���rG���rM���rN���rO�����bytesrV���rX���ra���r.���rm���Z
RenewableCertrs���ro���Z
HashAlgorithmrz���rq���rp���r����r����rR���Z�X509Reqr����r����r����r����r^���r����r����Z�ComparableX509r����r����r����r����r������compile��DOTALLr����r����r����r����r<���r<���r<���r=�����<module>����s������������������������������������������������������������������������������������
������.�����!.�������"����0��������������������>�6������������������
,�������"�������������