a á `ÓRã@s$dZddlZddlZddlZddlZddlmZddlmZm Z ddl m Z ddl m Z ddlmZmZddlmZdd lmZdd lmZmZmZdd lmZdd lmZddlZddlZddlZdd l m!Z"ddl#m$Z$ddl%m&Z&ddl%m'Z'ddl%m(Z(ddl)m*Z*e +e,¡Z-dOdd„Z.dd„Z/dd„Z0dd„Z1dd„Z2dPd!d"„Z3d#d$„Z4d%d&„Z5d'd(„Z6d)d*„Z7d+d,„Z8d-d.„Z9d/d0„Z:ej;fd1d2„Zd7d8„Z?d9d:„Z@ej;fd;d<„ZAej;fd=d>„ZBd?d@„ZCdAdB„ZDdCdD„ZEdEdF„ZFe GdGejH¡ZIdHdI„ZJdJdK„ZKdQdMdN„ZLdS)Rz¦Certbot client crypto utility functions. .. todo:: Make the transition to use PSS rather than PKCS1_v1_5 when the server is capable of handling the signatures. éN)Úx509)ÚInvalidSignatureÚUnsupportedAlgorithm)Údefault_backend)Úec)ÚECDSAÚEllipticCurvePublicKey)ÚPKCS1v15)Ú RSAPublicKey)ÚEncodingÚ NoEncryptionÚ PrivateFormat)Úcrypto)ÚSSL)Ú crypto_util)ÚIO)Úerrors)Ú interfaces)Úutil)ÚosÚrsaÚ secp256r1úkey-certbot.pemc Csèzt||p d|d}Wn6tyL}ztjddd|‚WYd}~n d}~00tj tj¡}t   |d|j ¡t   t j ||¡dd ¡\}} || |¡Wdƒn1s¬0Y|d krÎt d || ¡nt d || ¡t  | |¡S) aiInitializes and saves a privkey. Inits key and saves it in PEM format on the filesystem. .. note:: keyname is the attempted filename, it may be different if a file already exists at the path. :param int key_size: key size in bits if key size is rsa. :param str key_dir: Key save directory. :param str key_type: Key Type [rsa, ecdsa] :param str elliptic_curve: Name of the elliptic curve if key type is ecdsa. :param str keyname: Filename of key :returns: Key :rtype: :class:`certbot.util.Key` :raises ValueError: If unable to generate the key given key_size. r)ÚbitsÚelliptic_curveÚkey_typeÚT©Úexc_infoNiÀi€Úwbrz Generating RSA key (%d bits): %sz"Generating ECDSA key (%d bits): %s)Úmake_keyÚ ValueErrorÚloggerÚerrorÚzopeÚ componentÚ getUtilityrÚIConfigrÚmake_or_verify_dirÚstrict_permissionsÚ unique_filerÚpathÚjoinÚwriteÚdebugZKey) Zkey_sizeZkey_dirrrZkeynameZkey_pemÚerrÚconfigZkey_fÚkey_path©r2ú5/usr/lib/python3/dist-packages/certbot/crypto_util.pyÚ init_save_key's$ ÿ ÿ(r4cCs–tj tj¡}tj|j||jd}t   |d|j ¡t   t j |d¡dd¡\}}|| |¡Wdƒn1sr0Yt d|¡t  ||d¡S) a2Initialize a CSR with the given private key. :param privkey: Key to include in the CSR :type privkey: :class:`certbot.util.Key` :param set names: `str` names to include in the CSR :param str path: Certificate save directory. :returns: CSR :rtype: :class:`certbot.util.CSR` )Ú must_stapleiízcsr-certbot.pemi¤rNzCreating CSR: %sÚpem)r$r%r&rr'Úacme_crypto_utilZmake_csrr6r5rr(r)r*rr+r,r-r"r.ÚCSR)ÚprivkeyÚnamesr+r0Zcsr_pemZcsr_fZ csr_filenamer2r2r3Ú init_save_csrTs ÿÿ( r;cCsHzt tj|¡}| | ¡¡WStjyBtjdddYdS0dS)zŸValidate CSR. Check if `csr` is a valid CSR for the given domains. :param str csr: CSR in PEM. :returns: Validity of CSR. :rtype: bool rTrFN)rÚload_certificate_requestÚ FILETYPE_PEMÚverifyZ get_pubkeyÚErrorr"r.)ÚcsrÚreqr2r2r3Ú valid_csrws ÿrBcCsRt tj|¡}t tj|¡}z | |¡WStjyLtjdddYdS0dS)zùDoes private key correspond to the subject public key in the CSR? :param str csr: CSR in PEM. :param str privkey: Private key file contents (PEM) :returns: Correspondence of private key to CSR subject public key. :rtype: bool rTrFN)rr<r=Úload_privatekeyr>r?r"r.)r@r9rAZpkeyr2r2r3Úcsr_matches_pubkey‹s ÿ rDc Cstj}tj}z|tj|ƒ}WnHtjydz|||ƒ}Wn$tjy^t d |¡¡‚Yn0Yn0t|ƒ}t ||¡}|t j ||dd|fS)a/Import a CSR file, which can be either PEM or DER. :param str csrfile: CSR filename :param str data: contents of the CSR file :returns: (`crypto.FILETYPE_PEM`, util.CSR object representing the CSR, list of domains requested in the CSR) :rtype: tuple zFailed to parse CSR file: {0}r6)ÚfileÚdataZform) rr=r<Ú FILETYPE_ASN1r?rÚformatÚ"_get_names_from_loaded_cert_or_reqZdump_certificate_requestrr8)ZcsrfilerFÚPEMÚloadr@ZdomainsZdata_pemr2r2r3Úimport_csr_fileŸs  rLéc Cs&|dkr8|dkr t d |¡¡‚t ¡}| tj|¡nà|dkrzD| ¡}|dvrttj t t| ¡dƒƒt ƒd}nt d |¡¡‚WnZt y¨t d |¡¡‚Yn:t yà}z"t |t t|ƒ¡¡‚WYd}~n d}~00|jtjtjtƒd }t tj|¡}nt d  |¡¡‚t tj|¡S) aDGenerate PEM encoded RSA|EC key. :param int bits: Number of bits if key_type=rsa. At least 1024 for RSA. :param str ec_curve: The elliptic curve to use. :returns: new RSA or ECDSA key in PEM form with specified number of bits or of type ec_curve when key_type ecdsa is used. :rtype: str rrMzUnsupported RSA key length: {}Zecdsa)Z SECP256R1Z SECP384R1Z SECP521R1N)ZcurveZbackendzUnsupported elliptic curve: {})ÚencodingrHZencryption_algorithmz0Invalid key_type specified: {}. Use [rsa|ecdsa])rr?rHrZPKeyZ generate_keyZTYPE_RSAÚupperrZgenerate_private_keyÚgetattrrÚ TypeErrorrÚsixZ raise_fromÚstrZ private_bytesr rJr ZTraditionalOpenSSLr rCr=Zdump_privatekey)rrrÚkeyÚnameZ_keyÚeZ_key_pemr2r2r3r ¼s4  þ ,ýr c Cs4zt tj|¡ ¡WSttjfy.YdS0dS)z’Is valid RSA private key? :param str privkey: Private key file contents in PEM :returns: Validity of private key. :rtype: bool FN)rrCr=ZcheckrQr?)r9r2r2r3Ú valid_privkeyæs ÿ rWcCs"t|ƒt|ƒt|j|jƒdS)a©For checking that your certs were not corrupted on disk. Several things are checked: 1. Signature verification for the cert. 2. That fullchain matches cert and chain when concatenated. 3. Check that the private key matches the certificate. :param renewable_cert: cert to verify :type renewable_cert: certbot.interfaces.RenewableCert :raises errors.Error: If verification fails. N)Úverify_renewable_cert_sigÚverify_fullchainÚverify_cert_matches_priv_keyÚ cert_pathr1)Úrenewable_certr2r2r3Úverify_renewable_certös r]c CszÄt|jdƒ"}t | ¡tƒ¡}Wdƒn1s60Yt|jdƒ"}t | ¡tƒ¡}Wdƒn1st0Y| ¡}t  ¡$t ||j |j |j ƒWdƒn1s¸0YWnNtttfy}z.d |j|¡}t |¡t |¡‚WYd}~n d}~00dS)zØVerifies the signature of a RenewableCert object. :param renewable_cert: cert to verify :type renewable_cert: certbot.interfaces.RenewableCert :raises errors.Error: If signature verification fails. ÚrbNzbverifying the signature of the certificate located at {0} has failed. Details: {1})ÚopenÚ chain_pathrÚload_pem_x509_certificateÚreadrr[Ú public_keyÚwarningsÚcatch_warningsÚverify_signed_payloadÚ signatureZtbs_certificate_bytesÚsignature_hash_algorithmÚIOErrorr!rrHr"Ú exceptionrr?)r\Ú chain_fileÚchainÚ cert_fileÚcertZpkrVÚ error_strr2r2r3rXs 00  ÿ&ÿ rXcCsœt ¡€t d¡t|tƒrB| |tƒ|¡}| |¡| ¡n8t|t ƒrp| |t |ƒ¡}| |¡| ¡n t   d¡‚Wdƒn1sŽ0YdS)aåCheck the signature of a payload. :param RSAPublicKey/EllipticCurvePublicKey public_key: the public_key to check signature :param bytes signature: the signature bytes :param bytes payload: the payload bytes :param cryptography.hazmat.primitives.hashes.HashAlgorithm signature_hash_algorithm: algorithm used to hash the payload :raises InvalidSignature: If signature verification fails. :raises errors.Error: If public key type is not supported ÚignorezUnsupported public key typeN) rdreÚ simplefilterÚ isinstancer Úverifierr Úupdater>rrrr?)rcrgZpayloadrhrsr2r2r3rf s   ÿ   ÿ  rfc Cs~z,t tj¡}| |¡| |¡| ¡WnLttjfyx}z.d |||¡}t   |¡t  |¡‚WYd}~n d}~00dS)zÏ Verifies that the private key and cert match. :param str cert_path: path to a cert in PEM format :param str key_path: path to a private key file :raises errors.Error: If they don't match. zˆverifying the certificate located at {0} matches the private key located at {1} has failed. Details: {2}N) rZContextZ SSLv23_METHODZuse_certificate_fileZuse_privatekey_fileZcheck_privatekeyrir?rHr"rjr)r[r1ÚcontextrVror2r2r3rZ?s    ý rZc Cs4zÀt|jƒ}| ¡}Wdƒn1s*0Yt|jƒ}| ¡}Wdƒn1s\0Yt|jƒ}| ¡}Wdƒn1sŽ0Y|||kr¾d}| |j¡}t |¡‚Wnnt y}z*d |¡}t   |¡t |¡‚WYd}~n4d}~0tjy.}z|‚WYd}~n d}~00dS)zõ Verifies that fullchain is indeed cert concatenated with chain. :param renewable_cert: cert to verify :type renewable_cert: certbot.interfaces.RenewableCert :raises errors.Error: If cert and chain do not combine to fullchain. Nz.fullchain does not match cert + chain for {0}!z8reading one of cert, chain, or fullchain has failed: {0}) r_r`rbr[Zfullchain_pathrHZ lineagenamerr?rir"rj) r\rkrlrmrnZfullchain_fileZ fullchainrorVr2r2r3rYUs" & & &    rYc Cs‚g}tjtjfD]L}zt ||¡|fWStjyZ}z| |¡WYd}~qd}~00qt d d dd„|Dƒ¡¡¡‚dS)z:Load PEM/DER certificate. :raises errors.Error: NzUnable to load: {0}ú,css|]}t|ƒVqdS©N)rS)Ú.0r#r2r2r3Ú ~sz-pyopenssl_load_certificate..) rr=rGÚload_certificater?ÚappendrrHr,)rFZopenssl_errorsZ file_typer#r2r2r3Úpyopenssl_load_certificateps"ÿr|cCs6z |||ƒWStjy0tjddd‚Yn0dS)NrTr)rr?r"r#©Zcert_or_req_strÚ load_funcÚtypr2r2r3Ú_load_cert_or_req‚s  r€cCst t|||ƒ¡Srw)r7Z_pyopenssl_cert_or_req_sanr€r}r2r2r3Ú_get_sans_from_cert_or_req‹sÿrcCst|tj|ƒS)zóGet a list of Subject Alternative Names from a certificate. :param str cert: Certificate (encoded). :param typ: `crypto.FILETYPE_PEM` or `crypto.FILETYPE_ASN1` :returns: A list of Subject Alternative Names. :rtype: list )rrrz)rnrr2r2r3Úget_sans_from_cert’s ÿr‚cCst|||ƒ}t|ƒSrw)r€rI)Z cert_or_reqr~rÚloaded_cert_or_reqr2r2r3Ú_get_names_from_cert_or_req s r„cCs t |¡Srw)r7Z _pyopenssl_cert_or_req_all_names)rƒr2r2r3rI¥srIcCst|tj|ƒS)zìGet a list of domains from a cert, including the CN if it is set. :param str cert: Certificate (encoded). :param typ: `crypto.FILETYPE_PEM` or `crypto.FILETYPE_ASN1` :returns: A list of domain names. :rtype: list )r„rrz)r@rr2r2r3Úget_names_from_certªs ÿr…cCs t ||¡S)z–Dump certificate chain into a bundle. :param list chain: List of `crypto.X509` (or wrapped in :class:`josepy.util.ComparableX509`). )r7Údump_pyopenssl_chain)rlZfiletyper2r2r3r†¸s r†cCst|tjjƒS)zÕWhen does the cert at cert_path start being valid? :param str cert_path: path to a cert in PEM format :returns: the notBefore value from the cert at cert_path :rtype: :class:`datetime.datetime` )Ú_notAfterBeforerÚX509Z get_notBefore©r[r2r2r3Ú notBeforeÄs rŠcCst|tjjƒS)zÓWhen does the cert at cert_path stop being valid? :param str cert_path: path to a cert in PEM format :returns: the notAfter value from the cert at cert_path :rtype: :class:`datetime.datetime` )r‡rrˆZ get_notAfterr‰r2r2r3ÚnotAfterÐs r‹c Cs¸t|dƒ"}t tj| ¡¡}Wdƒn1s20Y||ƒ}|dd…d|dd…d|dd…d|dd …d |d d …d |d d…g }d  |¡}tjrª| d ¡}n|}t   |¡S)aPInternal helper function for finding notbefore/notafter. :param str cert_path: path to a cert in PEM format :param function method: one of ``crypto.X509.get_notBefore`` or ``crypto.X509.get_notAfter`` :returns: the notBefore or notAfter value from the cert at cert_path :rtype: :class:`datetime.datetime` r^Nréó-ééóTé ó:é óÚascii) r_rrzr=rbr,rRZPY3ÚdecodeÚ pyrfc3339Úparse)r[ÚmethodÚfrZ timestampZreformatted_timestampZtimestamp_bytesZ timestamp_strr2r2r3r‡Üs 0þ  r‡cCsNt ¡}t|dƒ$}| | ¡ d¡¡Wdƒn1s<0Y| ¡S)aNCompute a sha256sum of a file. NB: In given file, platform specific newlines characters will be converted into their equivalent unicode counterparts before calculating the hash. :param str filename: path to the file whose hash will be computed :returns: sha256 digest of the file in hexadecimal :rtype: str ÚrzUTF-8N)ÚhashlibÚsha256r_rtrbÚencodeZ hexdigest)ÚfilenamerZfile_dr2r2r3Ú sha256sumús  2r s@-----BEGIN CERTIFICATE----- ? .+? ? -----END CERTIFICATE----- ? cCsLt | ¡¡}t|ƒdkr$t d¡‚dd„|Dƒ}|dd |dd…¡fS) aSplit fullchain_pem into cert_pem and chain_pem :param str fullchain_pem: concatenated cert + chain :returns: tuple of string cert_pem and chain_pem :rtype: tuple :raises errors.Error: If there are less than 2 certificates in the chain. ézPfailed to parse fullchain into cert and chain: less than 2 certificates in chainc Ss(g|] }t tjt tj|¡¡ ¡‘qSr2)rZdump_certificater=rzr–)rxrnr2r2r3Ú *sÿ ÿz1cert_and_chain_from_fullchain..rréN)ÚCERT_PEM_REGEXÚfindallržÚlenrr?r,)Z fullchain_pemÚcertsZcerts_normalizedr2r2r3Úcert_and_chain_from_fullchains  ÿr¨cCsDt|dƒ"}t tj| ¡¡}Wdƒn1s20Y| ¡S)z¾Retrieve the serial number of a certificate from certificate path :param str cert_path: path to a cert in PEM format :returns: serial number of the certificate :rtype: int r^N)r_rrzr=rbZget_serial_number)r[ršrr2r2r3Úget_serial_from_cert1s 0r©FcCsl|D]N}t | ¡¡}t |dtƒ¡}|j tjj ¡}|r|dj |kr|Sq|rdt   d|¡|dS)a'Chooses the first certificate chain from fullchains whose topmost intermediate has an Issuer Common Name matching issuer_cn (in other words the first chain which chains to a root whose name matches issuer_cn). :param fullchains: The list of fullchains in PEM chain format. :type fullchains: `list` of `str` :param `str` issuer_cn: The exact Subject Common Name to match against any issuer in the certificate chain. :returns: The best-matching fullchain, PEM-encoded, or the first if none match. :rtype: `str` éÿÿÿÿrz¥Certbot has been configured to prefer certificate chains with issuer '%s', but no chain from the CA matched this issuer. Using the default certificate chain instead.) r¤r¥ržrrarZissuerZget_attributes_for_oidZNameOIDZ COMMON_NAMEÚvaluer"Úinfo)Z fullchainsZ issuer_cnZwarn_on_no_matchrlr§Ztop_certZ top_issuer_cnr2r2r3Úfind_chain_with_issuer?s  þr­)rrr)rMrN)F)MÚ__doc__rœZloggingrdÚreZ cryptographyrZcryptography.exceptionsrrZcryptography.hazmat.backendsrZ)cryptography.hazmat.primitives.asymmetricrZ,cryptography.hazmat.primitives.asymmetric.ecrrZ1cryptography.hazmat.primitives.asymmetric.paddingr Z-cryptography.hazmat.primitives.asymmetric.rsar Z,cryptography.hazmat.primitives.serializationr r r ZOpenSSLrrr—rRZzope.componentr$Zacmerr7Zacme.magic_typingrZcertbotrrrZcertbot.compatrZ getLoggerÚ__name__r"r4r;rBrDrLr rWr]rXrfrZrYr|r=r€rr‚r„rIr…r†rŠr‹r‡r ÚcompileÚDOTALLr¤r¨r©r­r2r2r2r3Úst              ÿ -# *ÿ ÿ    û