JFIF$        dd7 

Viewing File: /usr/lib/python3.9/site-packages/acme/__pycache__/crypto_util.cpython-39.pyc

a

}|�gD�@s�dZddlZddlZddlZddlZddlZddlZddlZddlZddlm	Z	ddlm
Z
ddlmZddlmZddlm
Z
ddlmZdd	lmZdd
lmZddlmZddlmZdd
lmZmZddlmZmZmZmZmZddlZddlm Z ddlm!Z!ddl"m#Z#e�$e%�Z&e!j'Z(Gdd�dej)�Z*Gdd�d�Z+Gdd�d�Z,dde(ddfe-e-e.e.e.ee/e.fe
ee-e j0d�dd�Z1d3e-e
eee/ee/fe2e
eeej3ej4fe-d�d d!�Z5ej6ej7ee/d"�d#d$�Z8ee j0e j9fee/d%�d&d'�Z:ee j0e j9fee/d(�d)d*�Z;d4e j<e
ee/e
e.e.e2e
ee j=e
eeej3ej4fe j0d-�d.d/�Z>e*j?feeej@ee j0fee*e.fe-d0�d1d2�ZAdS)5zCrypto utilities.�N)�Any)�Callable)�List)�Mapping)�Optional)�Sequence)�Set)�Tuple)�Union)�x509)�hashes�
serialization)�dsa�rsa�ec�ed25519�ed448)�crypto)�SSL)�errorsc@s,eZdZdZejZejZe	j
d�dd�ZdS)�Formatz�File format to be used when parsing or serializing X.509 structures.

    Backwards compatible with the `FILETYPE_ASN1` and `FILETYPE_PEM` constants
    from pyOpenSSL.
    ��returncCs|tjkrtjjStjjSdS)zJConverts the Format to the corresponding cryptography `Encoding`.
        N)r�DERr
�Encoding�PEM)�self�r�4/usr/lib/python3.9/site-packages/acme/crypto_util.py�to_cryptography_encoding2s
zFormat.to_cryptography_encodingN)�__name__�
__module__�__qualname__�__doc__rZ
FILETYPE_ASN1rZFILETYPE_PEMrr
rrrrrrr)src@sPeZdZeeeejejffd�dd�Z	e
jeeejejfd�dd�Z
dS)�_DefaultCertSelection��certscCs
||_dS�Nr%)rr&rrr�__init__<sz_DefaultCertSelection.__init__��
connectionrcCs|��}|r|j�|d�SdSr')�get_servernamer&�get)rr*Zserver_namerrr�__call__?sz_DefaultCertSelection.__call__N)r r!r"r�bytesr	r�PKey�X509r(r�
Connectionrr-rrrrr$;s"r$c@s�eZdZdZdeddfejeeee	e
je
jffe
eeejeegefeeejgee	e
je
jffdd�dd�Zeed�dd�Zejdd	�d
d�ZGdd
�d
�Ze	eefd�dd�ZdS)�	SSLSocketa�SSL wrapper for sockets.

    :ivar socket sock: Original wrapped socket.
    :ivar dict certs: Mapping from domain names (`bytes`) to
        `OpenSSL.crypto.X509`.
    :ivar method: See `OpenSSL.SSL.Context` for allowed values.
    :ivar alpn_selection: Hook to select negotiated ALPN protocol for
        connection.
    :ivar cert_selection: Hook to select certificate for connection. If given,
        `certs` parameter would be ignored, and therefore must be empty.

    N)�sockr&�method�alpn_selection�cert_selectionrcCsT||_||_||_|s"|s"td��|r2|r2td��|durJt|rD|ni�}||_dS)Nz*Neither cert_selection or certs specified.z(Both cert_selection and certs specified.)r3r5r4�
ValueErrorr$r6)rr3r&r4r5r6rrrr(SszSSLSocket.__init__��namercCst|j|�Sr')�getattrr3�rr9rrr�__getattr__fszSSLSocket.__getattr__r)cCs�|�|�}|dur&t�d|���dS|\}}t�|j�}|�tj�|�tj	�|�
|�|�|�|jdur||�
|j�|�|�dS)a�SNI certificate callback.

        This method will set a new OpenSSL context object for this
        connection when an incoming connection provides an SNI name
        (in order to serve the appropriate certificate, if any).

        :param connection: The TLS connection object on which the SNI
            extension was received.
        :type connection: :class:`OpenSSL.Connection`

        Nz=Certificate selection for server name %s failed, dropping SSL)r6�logger�debugr+r�Contextr4�set_options�OP_NO_SSLv2�OP_NO_SSLv3Zuse_privatekeyZuse_certificater5�set_alpn_select_callbackZset_context)rr*Zpair�key�certZnew_contextrrr�_pick_certificate_cbis
�


zSSLSocket._pick_certificate_cbc@sBeZdZdZejdd�dd�Zeed�dd�Z	ee
d	�d
d�ZdS)zSSLSocket.FakeConnectionzFake OpenSSL.SSL.Connection.Nr)cCs
||_dSr')�_wrapped)rr*rrrr(�sz!SSLSocket.FakeConnection.__init__r8cCst|j|�Sr')r:rGr;rrrr<�sz$SSLSocket.FakeConnection.__getattr__)�unused_argsrc
Gs@z|j��WStjy:}zt|��WYd}~n
d}~00dSr')rG�shutdownr�Error�OSError)rrH�errorrrrrI�sz!SSLSocket.FakeConnection.shutdown)r r!r"r#rr1r(�strrr<�boolrIrrrr�FakeConnection�srOrc
Cs�|j��\}}z�t�|j�}|�tj�|�tj�|�|j	�|j
durV|�|j
�|�t�
||��}|��t�d|�z|��Wn.tjy�}zt|��WYd}~n
d}~00||fWS|���Yn0dS)NzPerforming handshake with %s)r3�acceptrr?r4r@rArBZset_tlsext_servername_callbackrFr5rCrOr1Zset_accept_stater=r>�do_handshakerJrK�close)rr3�addr�contextZssl_sockrLrrrrP�s&

zSSLSocket.accept)r r!r"r#�_DEFAULT_SSL_METHOD�socketrrr.r	rr/r0�intrrr1rr(rMrr<rFrOrPrrrrr2Fs(
�
���r2i�i,)�r)r9�host�port�timeoutr4�source_address�alpn_protocolsrcCsPt�|�}|�|�d|i}zJt�d||t|�rDd�|d|d�nd�||f}	tj|	fi|��}
Wn.t	y�}zt
�|��WYd}~n
d}~00t�
|
���}t�||�}
|
��|
�|�|dur�|
�|�z|
��|
��Wn2tj�y}zt
�|��WYd}~n
d}~00Wd�n1�s00Y|
��}|�sLJ�|S)a	Probe SNI server for SSL certificate.

    :param bytes name: Byte string to send as the server name in the
        client hello message.
    :param bytes host: Host to connect to.
    :param int port: Port to connect to.
    :param int timeout: Timeout in seconds.
    :param method: See `OpenSSL.SSL.Context` for allowed values.
    :param tuple source_address: Enables multi-path probing (selection
        of source interface). See `socket.creation_connection` for more
        info. Available only in Python 2.7+.
    :param alpn_protocols: Protocols to request using ALPN.
    :type alpn_protocols: `Sequence` of `bytes`

    :raises acme.errors.Error: In case of any problems.

    :returns: SSL certificate presented by the server.
    :rtype: OpenSSL.crypto.X509

    r\z!Attempting to connect to %s:%d%s.z
 from {0}:{1}r�rXN)rr?Zset_timeoutr=r>�any�formatrVZcreate_connectionrKrrJ�
contextlib�closingr1Zset_connect_stateZset_tlsext_host_nameZset_alpn_protosrQrIZget_peer_certificate)r9rYrZr[r4r\r]rTZ
socket_kwargsZsocket_tupler3rLZclientZ
client_sslrErrr�	probe_sni�s>

��� 

@
rcF)�private_key_pem�domains�must_staple�ipaddrsrcCs�tj|dd�}t|tjtjtjt	j
tjf�s>t
dt|�����|durJg}|durVg}t|�t|�dkrrt
d��t���t�g��jt�dd�|D�dd�|D��d	d
�}|r�|jt�tjjg�d	d
�}|�|t���}|�tjj�S)a�Generate a CSR containing domains or IPs as subjectAltNames.

    Parameters are ordered this way for backwards compatibility when called using positional
    arguments.

    :param buffer private_key_pem: Private key, in PEM PKCS#8 format.
    :param list domains: List of DNS names to include in subjectAltNames of CSR.
    :param bool must_staple: Whether to include the TLS Feature extension (aka
        OCSP Must Staple: https://tools.ietf.org/html/rfc7633).
    :param list ipaddrs: List of IPaddress(type ipaddress.IPv4Address or ipaddress.IPv6Address)
        names to include in subbjectAltNames of CSR.

    :returns: buffer PEM-encoded Certificate Signing Request.

    N)�passwordzInvalid private key type: rzAAt least one of domains or ipaddrs parameter need to be not emptycSsg|]}t�|��qSr)r�DNSName��.0�drrr�
<listcomp>$�zmake_csr.<locals>.<listcomp>cSsg|]}t�|��qSr)rZ	IPAddress)rk�irrrrm%rnF)�critical)r
Zload_pem_private_key�
isinstancerZ
DSAPrivateKeyrZ
RSAPrivateKeyrZEllipticCurvePrivateKeyrZEd25519PrivateKeyrZEd448PrivateKeyr7�type�lenrZ CertificateSigningRequestBuilderZsubject_name�Name�
add_extension�SubjectAlternativeNameZ
TLSFeatureZTLSFeatureTypeZstatus_request�signrZSHA256�public_bytesrr)rdrerfrgZprivate_keyZbuilderZcsrrrr�make_csr�sJ��
�������ry)�subject�extsrcsxdd�|�tjj�D��z|�tj�}Wntjy@g}Yn0|j�tj	�}�sX|S�dg�fdd�|D�SdS)a�Gets all DNS SAN names as well as the first Common Name from subject.

    :param subject: Name of the x509 object, which may include Common Name
    :type subject: `cryptography.x509.Name`
    :param exts: Extensions of the x509 object, which may include SANs
    :type exts: `cryptography.x509.Extensions`

    :returns: List of DNS Subject Alternative Names and first Common Name
    :rtype: `list` of `str`
    cSsg|]}t�t|j��qSr)�typing�castrM�value)rk�crrrrmEs�z9get_names_from_subject_and_extensions.<locals>.<listcomp>rcsg|]}|�dkr|�qS)rrrj�ZcnsrrrmUrnN)
Zget_attributes_for_oidrZNameOIDZCOMMON_NAME�get_extension_for_classrv�ExtensionNotFoundr~�get_values_for_typeri)rzr{�san_extZ	dns_namesrr�r�%get_names_from_subject_and_extensions6s�
r�)�loaded_cert_or_reqrcCs|��}t|j|j�Sr')�to_cryptographyr�rz�
extensions)r��cert_or_reqrrr� _pyopenssl_cert_or_req_all_namesXs�r�)r�rcCsB|��j}z|�tj�}Wntjy2gYS0|j�tj�S)ayGet Subject Alternative Names from certificate or CSR using pyOpenSSL.

    .. note:: Although this is `acme` internal API, it is used by
        `letsencrypt`.

    :param cert_or_req: Certificate or CSR.
    :type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`.

    :returns: A list of Subject Alternative Names that is DNS.
    :rtype: `list` of `str`

    )	r�r�r�rrvr�r~r�ri)r�r{r�rrr�_pyopenssl_cert_or_req_san`s

r��:	T)rDre�
not_before�validity�	force_sanr��ipsrcCsb|s|sJd��t��}|�tt�t�d��d��|�d�|durJg}|durVg}|durbg}|�	t�
ddd��t|�dkr�|d|��_
|�|���g}|D]}	|�	d	|	�q�|D]}
|�	d
|
j�q�d�|��d�}|�st|�d
k�st|�dk�r|�	tj
dd|d��|�|�|�|du�r8dn|�|�|�|�|�|�|d�|S)atGenerate new self-signed certificate.

    :type domains: `list` of `str`
    :param OpenSSL.crypto.PKey key:
    :param bool force_san:
    :param extensions: List of additional extensions to include in the cert.
    :type extensions: `list` of `OpenSSL.crypto.X509Extension`
    :type ips: `list` of (`ipaddress.IPv4Address` or `ipaddress.IPv6Address`)

    If more than one domain is provided, all of the domains are put into
    ``subjectAltName`` X.509 extension and first domain is set as the
    subject CN. If only one domain is provided no ``subjectAltName``
    extension is used, unless `force_san` is ``True``.

    z7Must provide one or more hostnames or IPs for the cert.��NsbasicConstraintsTsCA:TRUE, pathlen:0rzDNS:zIP:z, �asciir^ssubjectAltNameF)rpr~Zsha256)rr0Zset_serial_numberrW�binasciiZhexlify�os�urandomZset_version�append�
X509ExtensionrsZget_subjectZCNZ
set_issuer�exploded�join�encodeZadd_extensionsZgmtime_adj_notBeforeZgmtime_adj_notAfterZ
set_pubkeyrw)rDrer�r�r�r�r�rEZsanlist�address�ipZ
san_stringrrr�gen_ss_certvsH
��"�


r�)�chain�filetypercs@t���ttjtjftd��fdd��d��fdd�|D��S)z�Dump certificate chain into a bundle.

    :param list chain: List of `OpenSSL.crypto.X509` (or wrapped in
        :class:`josepy.util.ComparableX509`).

    :returns: certificate chain bundle
    :rtype: bytes

    )rErcs<t|tj�r*t|jtj�r$t�d��|j}|���	��
��S)NzUnexpected CSR provided.)rq�jose�ComparableX509�wrappedr�X509ReqrrJr�rxr)rE)r�rr�
_dump_cert�s

z(dump_pyopenssl_chain.<locals>._dump_certrnc3s|]}�|�VqdSr'r)rkrE)r�rr�	<genexpr>�rnz'dump_pyopenssl_chain.<locals>.<genexpr>)rr
r�r�rr0r.r�)r�r�r)r�r�r�dump_pyopenssl_chain�s 
r�)NFN)NNr�TNN)Br#r�ra�enum�	ipaddressZloggingr�rVr|rrrrrrrr	r
ZcryptographyrZcryptography.hazmat.primitivesrr
Z)cryptography.hazmat.primitives.asymmetricrrrrrZjosepyr�ZOpenSSLrrZacmerZ	getLoggerr r=Z
SSLv23_METHODrU�IntEnumrr$r2r.rWrMr0rcrN�IPv4Address�IPv6AddressryrtZ
Extensionsr�r�r�r�r/r�r�rr�r�rrrr�<module>s�
	t�
�;��D�"� ��C��
Back to Directory  nL+D550H?Mx ,D"v]qv;6*Zqn)ZP0!1 A "#a$2Qr D8 a Ri[f\mIykIw0cuFcRı?lO7к_f˓[C$殷WF<_W ԣsKcëIzyQy/_LKℂ;C",pFA:/]=H  ~,ls/9ć:[=/#f;)x{ٛEQ )~ =𘙲r*2~ a _V=' kumFD}KYYC)({ *g&f`툪ry`=^cJ.I](*`wq1dđ#̩͑0;H]u搂@:~וKL Nsh}OIR*8:2 !lDJVo(3=M(zȰ+i*NAr6KnSl)!JJӁ* %݉?|D}d5:eP0R;{$X'xF@.ÊB {,WJuQɲRI;9QE琯62fT.DUJ;*cP A\ILNj!J۱+O\͔]ޒS߼Jȧc%ANolՎprULZԛerE2=XDXgVQeӓk yP7U*omQIs,K`)6\G3t?pgjrmۛجwluGtfh9uyP0D;Uڽ"OXlif$)&|ML0Zrm1[HXPlPR0'G=i2N+0e2]]9VTPO׮7h(F*癈'=QVZDF,d߬~TX G[`le69CR(!S2!P <0x<!1AQ "Raq02Br#SCTb ?Ζ"]mH5WR7k.ۛ!}Q~+yԏz|@T20S~Kek *zFf^2X*(@8r?CIuI|֓>^ExLgNUY+{.RѪ τV׸YTD I62'8Y27'\TP.6d&˦@Vqi|8-OΕ]ʔ U=TL8=;6c| !qfF3aů&~$l}'NWUs$Uk^SV:U# 6w++s&r+nڐ{@29 gL u"TÙM=6(^"7r}=6YݾlCuhquympǦ GjhsǜNlɻ}o7#S6aw4!OSrD57%|?x>L |/nD6?/8w#[)L7+6〼T ATg!%5MmZ/c-{1_Je"|^$'O&ޱմTrb$w)R$& N1EtdU3Uȉ1pM"N*(DNyd96.(jQ)X 5cQɎMyW?Q*!R>6=7)Xj5`J]e8%t!+'!1Q5 !1 AQaqё#2"0BRb?Gt^## .llQT $v,,m㵜5ubV =sY+@d{N! dnO<.-B;_wJt6;QJd.Qc%p{ 1,sNDdFHI0ГoXшe黅XۢF:)[FGXƹ/w_cMeD,ʡcc.WDtA$j@:) -# u c1<@ۗ9F)KJ-hpP]_x[qBlbpʖw q"LFGdƶ*s+ډ_Zc"?%t[IP 6J]#=ɺVvvCGsGh1 >)6|ey?Lӣm,4GWUi`]uJVoVDG< SB6ϏQ@ TiUlyOU0kfV~~}SZ@*WUUi##; s/[=!7}"WN]'(L! ~y5g9T̅JkbM' +s:S +B)v@Mj e Cf jE 0Y\QnzG1д~Wo{T9?`Rmyhsy3!HAD]mc1~2LSu7xT;j$`}4->L#vzŏILS ֭T{rjGKC;bpU=-`BsK.SFw4Mq]ZdHS0)tLg