a O–c1ã@sþdZddlZddlZddlZddlZddlZddlZddlZddl m Z ddl m Z ddl m Z ddlmZddlmZddlmZe e¡Ze jZGd d „d eƒZGd d „d eƒZd deddfdd„Zddd„Zdd„Zdd„Zd dd„Ze jfdd„Z dS)!zCrypto utilities.éN)Úcrypto)ÚSSL)Úerrors)ÚCallable)ÚTuple)ÚUnionc@seZdZdd„Zdd„ZdS)Ú_DefaultCertSelectioncCs ||_dS©N)Úcerts)Úselfr ©r ú2/usr/lib/python3/dist-packages/acme/crypto_util.pyÚ__init__sz_DefaultCertSelection.__init__cCs| ¡}|j |d¡Sr )Úget_servernamer Úget)r Ú connectionZ server_namer r r Ú__call__"sz_DefaultCertSelection.__call__N)Ú__name__Ú __module__Ú __qualname__rrr r r r rsrc@sJeZdZdZdeddfdd„Zdd„Zdd„ZGd d „d eƒZ d d „Z dS) Ú SSLSocketaÝSSL wrapper for sockets. :ivar socket sock: Original wrapped socket. :ivar dict certs: Mapping from domain names (`bytes`) to `OpenSSL.crypto.X509`. :ivar method: See `OpenSSL.SSL.Context` for allowed values. :ivar alpn_selection: Hook to select negotiated ALPN protocol for connection. :ivar cert_selection: Hook to select certificate for connection. If given, `certs` parameter would be ignored, and therefore must be empty. NcCsL||_||_||_|s"|s"tdƒ‚|r2|r2tdƒ‚|durBt|ƒ}||_dS)Nz*Neither cert_selection or certs specified.z(Both cert_selection and certs specified.)ÚsockÚalpn_selectionÚmethodÚ ValueErrorrÚcert_selection)r rr rrrr r r r4szSSLSocket.__init__cCs t|j|ƒSr )Úgetattrr©r Únamer r r Ú __getattr__BszSSLSocket.__getattr__cCsŠ| |¡}|dur&t d| ¡¡dS|\}}t |j¡}| tj¡| tj ¡|  |¡|  |¡|j dur||  |j ¡| |¡dS)aSNI certificate callback. This method will set a new OpenSSL context object for this connection when an incoming connection provides an SNI name (in order to serve the appropriate certificate, if any). :param connection: The TLS connection object on which the SNI extension was received. :type connection: :class:`OpenSSL.Connection` Nz=Certificate selection for server name %s failed, dropping SSL)rÚloggerÚdebugrrÚContextrÚ set_optionsÚ OP_NO_SSLv2Ú OP_NO_SSLv3Zuse_privatekeyZuse_certificaterÚset_alpn_select_callbackZ set_context)r rZpairÚkeyÚcertZ new_contextr r r Ú_pick_certificate_cbEs ÿ       zSSLSocket._pick_certificate_cbc@s(eZdZdZdd„Zdd„Zdd„ZdS) zSSLSocket.FakeConnectionzFake OpenSSL.SSL.Connection.cCs ||_dSr )Ú_wrapped)r rr r r resz!SSLSocket.FakeConnection.__init__cCs t|j|ƒSr )rr*rr r r rhsz$SSLSocket.FakeConnection.__getattr__cGs |j ¡Sr )r*Úshutdown)r Z unused_argsr r r r+ksz!SSLSocket.FakeConnection.shutdownN)rrrÚ__doc__rrr+r r r r ÚFakeConnection`sr-c CsÀ|j ¡\}}t |j¡}| tj¡| tj¡| |j ¡|j durT|  |j ¡|  t  ||¡¡}| ¡t d|¡z | ¡Wn0tjy¶}zt |¡‚WYd}~n d}~00||fS)NzPerforming handshake with %s)rÚacceptrr"rr#r$r%Zset_tlsext_servername_callbackr)rr&r-Ú ConnectionZset_accept_stater r!Ú do_handshakeÚErrorÚsocketÚerror)r rZaddrÚcontextZssl_sockr3r r r r.os         zSSLSocket.accept) rrrr,Ú_DEFAULT_SSL_METHODrrr)Úobjectr-r.r r r r r's þ ri»i,)Úrc CsDt |¡}| |¡d|i}zJt d||t|ƒrDd |d|d¡nd¡||f} tj| fi|¤Ž} Wn0tj y–} zt   | ¡‚WYd} ~ n d} ~ 00t   | ¡ˆ} t || ¡} |  ¡|  |¡|durÔ|  |¡z|  ¡|  ¡Wn2tj y} zt   | ¡‚WYd} ~ n d} ~ 00Wdƒn1s20Y|  ¡S)aProbe SNI server for SSL certificate. :param bytes name: Byte string to send as the server name in the client hello message. :param bytes host: Host to connect to. :param int port: Port to connect to. :param int timeout: Timeout in seconds. :param method: See `OpenSSL.SSL.Context` for allowed values. :param tuple source_address: Enables multi-path probing (selection of source interface). See `socket.creation_connection` for more info. Available only in Python 2.7+. :param alpn_protocols: Protocols to request using ALPN. :type alpn_protocols: `list` of `bytes` :raises acme.errors.Error: In case of any problems. :returns: SSL certificate presented by the server. :rtype: OpenSSL.crypto.X509 Úsource_addressz!Attempting to connect to %s:%d%s.z from {0}:{1}rér7N)rr"Z set_timeoutr r!ÚanyÚformatr2Zcreate_connectionr3rr1Ú contextlibÚclosingr/Zset_connect_stateZset_tlsext_host_nameZset_alpn_protosr0r+Zget_peer_certificate)rZhostZportZtimeoutrr8Zalpn_protocolsr4Z socket_kwargsZ socket_tuplerr3ZclientZ client_sslr r r Ú probe_sni‡s:  ýþû      @r>FcCst tj|¡}t ¡}tjddd dd„|Dƒ¡ d¡dg}|rX| tjddd d¡| |¡|  |¡|  d ¡|  |d ¡t  tj|¡S) a©Generate a CSR containing a list of domains as subjectAltNames. :param buffer private_key_pem: Private key, in PEM PKCS#8 format. :param list domains: List of DNS names to include in subjectAltNames of CSR. :param bool must_staple: Whether to include the TLS Feature extension (aka OCSP Must Staple: https://tools.ietf.org/html/rfc7633). :returns: buffer PEM-encoded Certificate Signing Request. ósubjectAltNameFú, css|]}d|VqdS)zDNS:Nr ©Ú.0Údr r r Ú Îózmake_csr..Úascii©ZcriticalÚvalues1.3.6.1.5.5.7.1.24sDER:30:03:02:01:05rÚsha256) rZload_privatekeyÚ FILETYPE_PEMZX509ReqÚ X509ExtensionÚjoinÚencodeÚappendÚadd_extensionsÚ set_pubkeyÚ set_versionÚsignÚdump_certificate_request)Zprivate_key_pemÚdomainsZ must_stapleZ private_keyZcsrÚ extensionsr r r Úmake_csr¾s. ÿýÿý    ÿrVcs6| ¡j‰t|ƒ}ˆdur|Sˆg‡fdd„|DƒS)Ncsg|]}|ˆkr|‘qSr r rA©Z common_namer r Ú årEz4_pyopenssl_cert_or_req_all_names..)Ú get_subjectÚCNÚ_pyopenssl_cert_or_req_san)Zloaded_cert_or_reqZsansr rWr Ú _pyopenssl_cert_or_req_all_namesßs  r\csxd‰d}dˆ‰t|tjƒr$tj}ntj}|tj|ƒ d¡}t d|¡}|durTgn|  d¡  |¡}‡‡fdd „|DƒS) a¡Get Subject Alternative Names from certificate or CSR using pyOpenSSL. .. todo:: Implement directly in PyOpenSSL! .. note:: Although this is `acme` internal API, it is used by `letsencrypt`. :param cert_or_req: Certificate or CSR. :type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`. :returns: A list of Subject Alternative Names. :rtype: `list` of `unicode` ú:r@ZDNSzutf-8z5X509v3 Subject Alternative Name:(?: critical)?\s*(.*)Nr9cs$g|]}| ˆ¡r| ˆ¡d‘qS)r9)Ú startswithÚsplit)rBÚpart©Zpart_separatorÚprefixr r rXs ÿz._pyopenssl_cert_or_req_san..) Ú isinstancerÚX509Údump_certificaterSZ FILETYPE_TEXTÚdecodeÚreÚsearchÚgroupr_)Z cert_or_reqZparts_separatorÚfuncÚtextÚmatchZ sans_partsr rar r[ès   ÿr[é€: Tc Csð|s Jdƒ‚t ¡}| tt t d¡¡dƒ¡| d¡|durFg}|  t  ddd¡¡|d|  ¡_ |  |  ¡¡|s†t|ƒd kr¬|  tj d d d  d d„|Dƒ¡d¡| |¡| |durÆdn|¡| |¡| |¡| |d¡|S)a*Generate new self-signed certificate. :type domains: `list` of `unicode` :param OpenSSL.crypto.PKey key: :param bool force_san: :param extensions: List of additional extensions to include in the cert. :type extensions: `list` of `OpenSSL.crypto.X509Extension` If more than one domain is provided, all of the domains are put into ``subjectAltName`` X.509 extension and first domain is set as the subject CN. If only one domain is provided no ``subjectAltName`` extension is used, unless `force_san` is ``True``. z0Must provide one or more hostnames for the cert.ééNsbasicConstraintsTsCA:TRUE, pathlen:0rr9r?Fs, css|]}d| ¡VqdS)sDNS:N)rMrAr r r rD8rEzgen_ss_cert..rGrI)rrdZset_serial_numberÚintÚbinasciiZhexlifyÚosÚurandomrQrNrKrYrZZ set_issuerÚlenrLrOZgmtime_adj_notBeforeZgmtime_adj_notAfterrPrR)r'rTZ not_beforeZvalidityZ force_sanrUr(r r r Ú gen_ss_certs2  ÿÿý    rucs$‡fdd„‰d ‡fdd„|Dƒ¡S)zØDump certificate chain into a bundle. :param list chain: List of `OpenSSL.crypto.X509` (or wrapped in :class:`josepy.util.ComparableX509`). :returns: certificate chain bundle :rtype: bytes cst|tjƒr|j}t ˆ|¡Sr )rcÚjoseZComparableX509Úwrappedrre)r()Úfiletyper r Ú _dump_certRs z(dump_pyopenssl_chain.._dump_certrEc3s|]}ˆ|ƒVqdSr r )rBr()ryr r rDYrEz'dump_pyopenssl_chain..)rL)Úchainrxr )ryrxr Údump_pyopenssl_chainEs r{)F)NrmTN)!r,rqr<Zloggingrrrgr2ZjosepyrvZOpenSSLrrZacmerZacme.magic_typingrrrZ getLoggerrr Z SSLv23_METHODr5r6rrr>rVr\r[rurJr{r r r r Ús8        `þ 7 ! +ÿ 2