o cE@sdZddlZddlZddlZddlZddlZddlZddlZddlm Z ddlm Z ddlm Z ddlm Z ddlm Z ddlmZdd lmZdd lmZdd lmZddlZdd lmZdd lmZddlmZeeZejZGdddZGdddZddeddfde de de!de!de!dee"e!fde ee dej#fddZ$  d?d!e d"e eee"e e"fd#e%d$e e eej&ej'fde f d%d&Z(d'eej#ej)fde e"fd(d)Z*d*eej#ej)fde e"fd+d,Z+d*eej#ej)fde e"fd-d.Z,d*eej#ej)fde e"fd/d0Z-   2  d@d3ej.d"e e e"d4e e!d5e!d6e%d7e e ej/d8e e eej&ej'fdej#fd9d:Z0ej1fd;ee ej2e ej#fdZ3dS)AzCrypto utilities.N)Any)Callable)List)Mapping)Optional)Sequence)Set)Tuple)Union)crypto)SSL)errorsc@sReZdZdeeeejejfffddZ de j de eejejffddZ dS) _DefaultCertSelectioncertscC ||_dSN)r)selfrr=/opt/certbot/lib/python3.10/site-packages/acme/crypto_util.py__init__& z_DefaultCertSelection.__init__ connectionreturncCs|}|r |j|dSdSr)get_servernamerget)rr server_namerrr__call__)sz_DefaultCertSelection.__call__N)__name__ __module__ __qualname__rbytesr r PKeyX509rr Connectionrrrrrrr%s"(rc@seZdZdZdeddfdejdeeee e j e j ffde deeejeegefdeeejgee e j e j ffddf d d Zd edefd d ZdejddfddZGdddZde eeffddZdS) SSLSocketaSSL wrapper for sockets. :ivar socket sock: Original wrapped socket. :ivar dict certs: Mapping from domain names (`bytes`) to `OpenSSL.crypto.X509`. :ivar method: See `OpenSSL.SSL.Context` for allowed values. :ivar alpn_selection: Hook to select negotiated ALPN protocol for connection. :ivar cert_selection: Hook to select certificate for connection. If given, `certs` parameter would be ignored, and therefore must be empty. Nsockrmethodalpn_selectioncert_selectionrcCsX||_||_||_|s|std|r|rtd|}|dur't|r$|ni}||_dS)Nz*Neither cert_selection or certs specified.z(Both cert_selection and certs specified.)r%r'r& ValueErrorrr()rr%rr&r'r(actual_cert_selectionrrrr=s zSSLSocket.__init__namecC t|j|Sr)getattrr%rr+rrr __getattr__T zSSLSocket.__getattr__rcCs||}|durtd|dS|\}}t|j}|tj|tj | || ||j dur>| |j ||dS)aSNI certificate callback. This method will set a new OpenSSL context object for this connection when an incoming connection provides an SNI name (in order to serve the appropriate certificate, if any). :param connection: The TLS connection object on which the SNI extension was received. :type connection: :class:`OpenSSL.Connection` Nz=Certificate selection for server name %s failed, dropping SSL)r(loggerdebugrr Contextr& set_options OP_NO_SSLv2 OP_NO_SSLv3use_privatekeyuse_certificater'set_alpn_select_callback set_context)rrpairkeycert new_contextrrr_pick_certificate_cbWs        zSSLSocket._pick_certificate_cbc@sHeZdZdZdejddfddZdedefdd Z d ede fd d Z dS) zSSLSocket.FakeConnectionzFake OpenSSL.SSL.Connection.rrNcCrr)_wrapped)rrrrrrwrz!SSLSocket.FakeConnection.__init__r+cCr,r)r-r@r.rrrr/zr0z$SSLSocket.FakeConnection.__getattr__ unused_argsc Gs2z|jWStjy}zt|d}~wwr)r@shutdownr Errorsocketerror)rrArErrrrB}s   z!SSLSocket.FakeConnection.shutdown) rrr__doc__r r#rstrrr/boolrBrrrrFakeConnectionrs rIc Cs|j\}}t|j}|tj|tj||j |j dur*| |j | t ||}|td|z |W||fStjyX}zt|d}~ww)NzPerforming handshake with %s)r%acceptr r3r&r4r5r6set_tlsext_servername_callbackr?r'r9rIr#set_accept_stater1r2 do_handshakerCrDrE)rr%addrcontextssl_sockrErrrrJs"         zSSLSocket.accept)rrrrF_DEFAULT_SSL_METHODrDrrr r r r!r"intrr r#rrrGrr/r?rIrJrrrrr$0s2    r$ii,)rr+hostporttimeoutr&source_addressalpn_protocolsrc Cs4t|}||d|i}z%td||t|r"d|d|dnd||f} tj| fi|} Wntj yE} zt | d} ~ wwt | =} t|| } | | ||durd| |z | | Wntj y} zt | d} ~ wwWdn1swY| }|sJ|S)a Probe SNI server for SSL certificate. :param bytes name: Byte string to send as the server name in the client hello message. :param bytes host: Host to connect to. :param int port: Port to connect to. :param int timeout: Timeout in seconds. :param method: See `OpenSSL.SSL.Context` for allowed values. :param tuple source_address: Enables multi-path probing (selection of source interface). See `socket.creation_connection` for more info. Available only in Python 2.7+. :param alpn_protocols: Protocols to request using ALPN. :type alpn_protocols: `Sequence` of `bytes` :raises acme.errors.Error: In case of any problems. :returns: SSL certificate presented by the server. :rtype: OpenSSL.crypto.X509 rWz!Attempting to connect to %s:%d%s.z from {0}:{1}rrSN)r r3 set_timeoutr1r2anyformatrDcreate_connectionrEr rC contextlibclosingr#set_connect_stateset_tlsext_host_nameset_alpn_protosrMrBget_peer_certificate)r+rTrUrVr&rWrXrO socket_kwargs socket_tupler%rEclient client_sslr=rrr probe_snisJ          rhFprivate_key_pemdomains must_stapleipaddrsc Csttj|}t}g}|durg}|durg}t|t|dkr'td|D] }|d|q)|D] }|d|jq5d| d} tj dd | d g} |r^| tj d d d d | | | || d||d ttj|S)aGenerate a CSR containing domains or IPs as subjectAltNames. :param buffer private_key_pem: Private key, in PEM PKCS#8 format. :param list domains: List of DNS names to include in subjectAltNames of CSR. :param bool must_staple: Whether to include the TLS Feature extension (aka OCSP Must Staple: https://tools.ietf.org/html/rfc7633). :param list ipaddrs: List of IPaddress(type ipaddress.IPv4Address or ipaddress.IPv6Address) names to include in subbjectAltNames of CSR. params ordered this way for backward competablity when called by positional argument. :returns: buffer PEM-encoded Certificate Signing Request. NrzAAt least one of domains or ipaddrs parameter need to be not emptyDNS:IP:, asciisubjectAltNameFcriticalvalues1.3.6.1.5.5.7.1.24sDER:30:03:02:01:05sha256)r load_privatekey FILETYPE_PEMX509Reqlenr)appendexplodedjoinencode X509Extensionadd_extensions set_pubkey set_versionsigndump_certificate_request) rirjrkrl private_keycsrsanlistaddressips san_string extensionsrrrmake_csrsF    rloaded_cert_or_reqcs6|jt|}dur|Sgfdd|DS)Ncsg|]}|kr|qSrr).0d common_namerr sz4_pyopenssl_cert_or_req_all_names..) get_subjectCN_pyopenssl_cert_or_req_san)rsansrrr _pyopenssl_cert_or_req_all_namess r cert_or_reqcs(ddt|}fdd|DS)aGet Subject Alternative Names from certificate or CSR using pyOpenSSL. .. todo:: Implement directly in PyOpenSSL! .. note:: Although this is `acme` internal API, it is used by `letsencrypt`. :param cert_or_req: Certificate or CSR. :type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`. :returns: A list of Subject Alternative Names that is DNS. :rtype: `list` of `str` :DNScs$g|]}|r|dqS)rY) startswithsplitrpartpart_separatorprefixrrr4s z._pyopenssl_cert_or_req_san.._pyopenssl_extract_san_list_raw)r sans_partsrrrrs  rcs&d}d|t|}fdd|DS)aeGet Subject Alternative Names IPs from certificate or CSR using pyOpenSSL. :param cert_or_req: Certificate or CSR. :type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`. :returns: A list of Subject Alternative Names that are IP Addresses. :rtype: `list` of `str`. note that this returns as string, not IPaddress object rz IP Addresscs&g|]}|r|tdqSr)rryrrrrrIs&z1_pyopenssl_cert_or_req_san_ip..r)rrrrrr_pyopenssl_cert_or_req_san_ip8s rcCsjt|tjrttj|d}n ttj|d}td|}d}|dur+g}|S| d |}|S)aGet raw SAN string from cert or csr, parse it as UTF-8 and return. :param cert_or_req: Certificate or CSR. :type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`. :returns: raw san strings, parsed byte as utf-8 :rtype: `list` of `str` zutf-8z5X509v3 Subject Alternative Name:(?: critical)?\s*(.*)roNrY) isinstancer r"dump_certificate FILETYPE_TEXTdecoderresearchgroupr)rtextraw_sanparts_separatorrrrrrLs   r: Tr< not_beforevalidity force_sanrrc CsZ|s|sJdt}|tttdd|d|dur%g}|dur+g}|dur1g}| t dddt |dkrH|d| _ || g}|D] } | d | qS|D] } | d | jq_d |d } |st |d kst |dkr| tj dd| d||||durdn|||||||d|S)atGenerate new self-signed certificate. :type domains: `list` of `str` :param OpenSSL.crypto.PKey key: :param bool force_san: :param extensions: List of additional extensions to include in the cert. :type extensions: `list` of `OpenSSL.crypto.X509Extension` :type ips: `list` of (`ipaddress.IPv4Address` or `ipaddress.IPv6Address`) If more than one domain is provided, all of the domains are put into ``subjectAltName`` X.509 extension and first domain is set as the subject CN. If only one domain is provided no ``subjectAltName`` extension is used, unless `force_san` is ``True``. z7Must provide one or more hostnames or IPs for the cert.NsbasicConstraintsTsCA:TRUE, pathlen:0rrmrnrorprYrqFrrru)r r"set_serial_numberrRbinasciihexlifyosurandomrrzr~ryrr set_issuerr{r|r}rgmtime_adj_notBeforegmtime_adj_notAfterrr) r<rjrrrrrr=rriprrrr gen_ss_certksH      rchainfiletypecs:dttjtjfdtffdd dfdd|DS)zDump certificate chain into a bundle. :param list chain: List of `OpenSSL.crypto.X509` (or wrapped in :class:`josepy.util.ComparableX509`). :returns: certificate chain bundle :rtype: bytes r=rcs6t|tjrt|jtjrtd|j}t|S)NzUnexpected CSR provided.) rjoseComparableX509wrappedr rxr rCr)r=)rrr _dump_certs   z(dump_pyopenssl_chain.._dump_certc3s|]}|VqdSrr)rr=)rrr sz'dump_pyopenssl_chain..)r rrr r"r r|)rrr)rrrdump_pyopenssl_chains" r)NFN)NNrTNN)4rFrr^ ipaddressloggingrrrDtypingrrrrrrrr r josepyrOpenSSLr r acmer getLoggerrr1 SSLv23_METHODrQrr$r rRrGr"rhrH IPv4Address IPv6Addressrrxrrrrr!r~rrwrrrrrrs               r   9  7 " ""  C