File: //lib/python3.9/site-packages/certbot/__pycache__/crypto_util.cpython-39.opt-1.pyc
a
����}|�g�]������������������� ���@���s`���d�Z�d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l�m�Z���d�d�l�m�Z���d�d�l�m Z ��d�d�l�m
Z
��d�d�l�m�Z���d�d�l�m�Z���d�d l
m�Z���d�d
l�m�Z���d�d�l�m�Z���d�d�l�m�Z���d�d
l�m�Z���d�d�l�m�Z���d�d�l�m�Z���d�d�l�m�Z���d�d�l�m�Z���d�d�l�m�Z���d�d�l�m�Z���d�d�l�m Z ��d�d�l!m"Z"��d�d�l#m$Z$��d�d�l#m%Z%��d�d�l#m&Z&��d�d�l'Z'd�d�l(m)Z)��d�d�l(m*Z*��d�d�l+m,Z-��d�d�l.m/Z/��d�d�l.m0Z0��d�d�l.m1Z1��d�d�l2m3Z3��e���r�d�d l4m5Z5��d�d!l6m7Z7��d�d"l8m9Z9��d�d#l:m;Z;��e��<e=��Z>doe?e�e@��e@e@e@eAe1jBd(��d)d*��ZCdpe1jBe�e�e@��e e@��f���e�e@��eAeAe1jDd,��d-d.��ZEeFeAd/��d0d1��ZGeFeFeAd2��d3d4��ZHe@eFe
e-jIe1jDe�e@��f���d5��d6d7��ZJdqe?e@e�e@��eFd9��d:d;��ZKe�e@eFf���eAd<��d=d>��ZLe0jMd�d?��d@dA��ZNe0jMd�d?��dBdC��ZOe�e�dDdEe�e"dFdGf���eFeFe�jPd�dH��dIdJ��ZQe@e@d�dK��dLdM��ZRe0jMd�d?��dNdO��ZSeFe
e)jTe?f���dP��dQdR��ZUe-jIjVf�eFe�e-jIe?f���e�e@��dS��dTdU��ZWe-jIjVf�eFe�e-jIe?f���e�e@��dS��dVdW��ZXe-jIjVf�eFe�e-jIe?f���e�e@��dX��dYdZ��ZYe-jIjVf�e�e�e)jT��e�e'jZ��f���e�e-jIe?f���eFd[��d\d]��Z[e@e�j�d^��d_d`��Z\e@e�j�d^��dadb��Z]e@e@dc��ddde��Z^e��_dfe�j`��Zae@e
e@e@f���dg��dhdi��Zbe@e?d^��djdk��Zcdre�e@��e@eAe@dl��dmdn��Zdd�S�)sz�Certbot client crypto utility functions.
.. todo:: Make the transition to use PSS rather than PKCS1_v1_5 when the server
is capable of handling the signatures.
�����N)���List)���Optional)���Set)���Tuple)��
TYPE_CHECKING)���Union)���x509)���InvalidSignature)���UnsupportedAlgorithm)���default_backend)���hashes)��
serialization)���ec)���rsa)���DSAPublicKey)���ECDSA)���EllipticCurvePublicKey)���PKCS1v15)���RSAPublicKey)���Encoding)���NoEncryption)��
PrivateFormat)���crypto)���SSL)���crypto_util)���errors)��
interfaces)���util)���os)���Ed448PublicKey)���Ed25519PublicKey)��
X448PublicKey)���X25519PublicKeyr����� secp256r1��key-certbot.pemT)���key_size��key_dir��key_type��elliptic_curve��keyname��strict_permissions��returnc������������
���
���C���s����z�t�|�|�p�d�|�d���}�W�nF��t�y\��}���z.t�j�d�d�d�����t���d�t�|�������|���W�Y�d�}�~�n
d�}�~�0�0�d�}�|�r�t���|�d�|�����t���t j
��|�|���d d
��\�} }�| ����| ��|�����W�d���������n�1�s�0�������Y���|�d�k�r�t���d�|�|�����n�t���d
|�|�����t��
|�|���S�)�a$���Initializes and saves a privkey.
Inits key and saves it in PEM format on the filesystem.
.. note:: keyname is the attempted filename, it may be different if a file
already exists at the path.
:param int key_size: key size in bits if key size is rsa.
:param str key_dir: Optional key save directory.
:param str key_type: Key Type [rsa, ecdsa]
:param str elliptic_curve: Name of the elliptic curve if key type is ecdsa.
:param str keyname: Filename of key
:param bool strict_permissions: If true and key_dir exists, an exception is raised if
the directory doesn't have 0700 permissions or isn't owned by the current user.
:returns: Key
:rtype: :class:`certbot.util.Key`
:raises ValueError: If unable to generate the key given key_size.
r#���)���bitsr(���r'�����T����exc_infoz&Encountered error while making key: %sNi����i������wbr����z Generating RSA key (%d bits): %sz"Generating ECDSA key (%d bits): %s)���make_key�
ValueError��logger��debug��error��strr������make_or_verify_dir��unique_filer������path��join��write��Key)
r%���r&���r'���r(���r)���r*���Z�key_pem��err��key_pathZ�key_f��r?����7/usr/lib/python3.9/site-packages/certbot/crypto_util.py��generate_key9���s(���������
�
�����������������������(�������rA���F)���privkey��namesr9�����must_stapler*���r+���c��������������������C���s����t�j�|�j�|�|�d���}�d�}�|�r~t���|�d�|�����t���t�j���|�d���d�d���\�}�}�|�����|�� |�����W�d���������n�1�sh0�������Y���t
��d�|�����t���|�|�d���S�) aC���Initialize a CSR with the given private key.
:param privkey: Key to include in the CSR
:type privkey: :class:`certbot.util.Key`
:param set names: `str` names to include in the CSR
:param str path: Optional certificate save directory.
:param bool must_staple: If true, include the TLS Feature extension "OCSP Must-Staple"
:param bool strict_permissions: If true and path exists, an exception is raised if
the directory doesn't have 0755 permissions or isn't owned by the current user.
:returns: CSR
:rtype: :class:`certbot.util.CSR`
)�rD���Ni����z�csr-certbot.pemi����r0���z�Creating CSR: %s��pem)
��acme_crypto_utilZ�make_csrrE���r����r7���r8���r����r9���r:���r;���r3���r4�����CSR)�rB���rC���r9���rD���r*���Z�csr_pemZ�csr_filenameZ�csr_fr?���r?���r@�����generate_csrj���s��������������������������(���rH���)���csrr+���c���������������� ���C���s>���z�t���|���}�|�j�W�S���t�t�f�y8������t�j�d�d�d�����Y�d�S�0�d�S�)�z�Validate CSR.
Check if `csr` is a valid CSR with a correct self-signed signature.
:param bytes csr: CSR in PEM.
:returns: Validity of CSR.
:rtype: bool
r-���Tr.���FN)�r������load_pem_x509_csr��is_signature_validr2���� TypeErrorr3���r4���)�rI�����reqr?���r?���r@���� valid_csr����s��������
�������rN���)�rI���rB���r+���c��������������������C���sN���t���|���}�t�j�|�d�d���}�|�j�oL|�������t�j�j�t�j j
��|�������t�j�j�t�j j
��k�S�)�z�Does private key correspond to the subject public key in the CSR?
:param bytes csr: CSR in PEM.
:param bytes privkey: Private key file contents (PEM)
:returns: Correspondence of private key to CSR subject public key.
:rtype: bool
N����password)�r����rJ���r
�����load_pem_private_keyrK����
public_key��public_bytesr����Z�DERZ�PublicFormatZ�SubjectPublicKeyInfo)�rI���rB���rM���Z�pkeyr?���r?���r@�����csr_matches_pubkey����s�����
���������������rT���)���csrfile��datar+���c��������������������C���s����z�t���|���}�W�nD��t�yR������z�t���|���}�W�n"��t�yL������t���d���|�������Y�n�0�Y�n�0�t���|�j |�j
��}�|���t�j
j���}�t�j�j�t�j�|�|�d�d���|�f�S�)�a9���Import a CSR file, which can be either PEM or DER.
:param str csrfile: CSR filename
:param bytes data: contents of the CSR file
:returns: (`acme_crypto_util.Format.PEM`,
util.CSR object representing the CSR,
list of domains requested in the CSR)
:rtype: tuple
z�Failed to parse CSR file: {0}rE���)���filerV���Z�form)�r������load_der_x509_csrr2���rJ���r������Error��formatrF����%get_names_from_subject_and_extensions��subject�
extensionsrS���r
���r������PEM��Formatr����rG���)�rU���rV���rI���Z�domainsZ�data_pemr?���r?���r@�����import_csr_file����s������������������������������r`��������)�r,���r'���r(���r+���c����������������
���C���s����|�d�k�r0|�d�k�r t���d���|�������t�j�d�|�d���}�n�|�d�k�r�|�sFt���d�����zZ|�����}�|�d�v�r�t�t�|�������}�|�szt���d |���������t�j�|���t���d
��}�n�t���d���|�������W�nT��t y�������t���d���|�������Y�n4��t
y���}���z�|�t���t�|�������W�Y�d�}�~�n
d�}�~�0�0�n�t���d
��|�������|�j�t
j�t�j�t���d���S�)�a����Generate PEM encoded RSA|EC key.
:param int bits: Number of bits if key_type=rsa. At least 2048 for RSA.
:param str key_type: The type of key to generate, but be rsa or ecdsa
:param str elliptic_curve: The elliptic curve to use.
:returns: new RSA or ECDSA key in PEM form with specified number of bits
or of type ec_curve when key_type ecdsa is used.
:rtype: str
r����ra���z�Unsupported RSA key length: {}i����)�Z�public_exponentr%���Z�ecdsaz3When key_type == ecdsa, elliptic_curve must be set.)�Z SECP256R1Z SECP384R1Z SECP521R1z�Invalid curve type: )���curveZ�backendz�Unsupported elliptic curve: {}Nz0Invalid key_type specified: {}. Use [rsa|ecdsa])���encodingrZ���Z�encryption_algorithm)�r����rY���rZ���r����Z�generate_private_key��upper��getattrr����r����rL���r
���r6���Z
private_bytesr����r^���r����Z�TraditionalOpenSSLr����)�r,���r'���r(�����key��namerb�����er?���r?���r@���r1�������s8����
������������
�����������������������������(�����������r1���)�rB���r+���c��������������������C���sB���t�|�t���r�|�����}�z�t�j�|�d�d�����W�n���t�y8������Y�d�S�0�d�S�d�S�)�z�Is valid RSA private key?
:param privkey: Private key file contents in PEM
:returns: Validity of private key.
:rtype: bool
NrO���FT)��
isinstancer6�����encoder
���rQ���r2���)�rB���r?���r?���r@����
valid_privkey����s�����
�����������rk���)���renewable_certr+���c��������������������C���s"���t�|�����t�|�����t�|�j�|�j�����d�S�)�a����For checking that your certs were not corrupted on disk.
Several things are checked:
1. Signature verification for the cert.
2. That fullchain matches cert and chain when concatenated.
3. Check that the private key matches the certificate.
:param renewable_cert: cert to verify
:type renewable_cert: certbot.interfaces.RenewableCert
:raises errors.Error: If verification fails.
N)���verify_renewable_cert_sig��verify_fullchain��verify_cert_matches_priv_key� cert_pathr>���)�rl���r?���r?���r@�����verify_renewable_cert����s�����
����rq���c����������������
���C���s����z�t�|�j�d����"}�t���|�����t�����}�W�d���������n�1�s60�������Y���t�|�j�d����"}�t���|�����t�����}�W�d���������n�1�st0�������Y���|�����}�t�|�|�j |�j
|�j�����W�nL��t�t
t�f�y���}���z.d���|�j�|���}�t���|�����t���|�����W�Y�d�}�~�n
d�}�~�0�0�d�S�)�z�Verifies the signature of a RenewableCert object.
:param renewable_cert: cert to verify
:type renewable_cert: certbot.interfaces.RenewableCert
:raises errors.Error: If signature verification fails.
��rbNzbverifying the signature of the certificate located at {0} has failed. Details: {1})���open�
chain_pathr������load_pem_x509_certificate��readr����rp���rR�����verify_signed_payload� signatureZ�tbs_certificate_bytes��signature_hash_algorithm��OSErrorr2���r ���rZ���r3���� exceptionr����rY���)�rl����
chain_file��chain� cert_file��certZ�pkrh���� error_strr?���r?���r@���rm���+���s����������0���0�����������������
�rm���r ���r����r"���r!���)�rR���rx�����payloadry���r+���c��������������������C���sJ���t�|�t���r�|���|�|�t���|�����n(t�|�t���r<|���|�|�t�|�������n
t���d�����d�S�)�a����Check the signature of a payload.
:param RSAPublicKey/EllipticCurvePublicKey public_key: the public_key to check signature
:param bytes signature: the signature bytes
:param bytes payload: the payload bytes
:param hashes.HashAlgorithm signature_hash_algorithm: algorithm used to hash the payload
:raises InvalidSignature: If signature verification fails.
:raises errors.Error: If public key type is not supported
z�Unsupported public key type.N)�ri���r����Z�verifyr����r����r����r����rY���)�rR���rx���r����ry���r?���r?���r@���rw���C���s������
���
���
���
���rw���)�rp���r>���r+���c����������������
���C���s~���z,t���t�j���}�|���|�����|���|�����|�������W�nL��t�t�j�f�yx��}���z.d���|�|�|���}�t �
|�����t���|�����W�Y�d�}�~�n
d�}�~�0�0�d�S�)�z� Verifies that the private key and cert match.
:param str cert_path: path to a cert in PEM format
:param str key_path: path to a private key file
:raises errors.Error: If they don't match.
z�verifying the certificate located at {0} matches the private key located at {1} has failed. Details: {2}N)�r����Z�ContextZ
SSLv23_METHODZ�use_certificate_fileZ�use_privatekey_fileZ�check_privatekeyrz���rY���rZ���r3���r{���r����)�rp���r>�����contextrh���r����r?���r?���r@���ro���^���s����������
�
�������������
�ro���c������������ ���
���C���s4���z�t�|�j�����}�|�����}�W�d���������n�1�s*0�������Y���t�|�j�����}�|�����}�W�d���������n�1�s\0�������Y���t�|�j�����}�|�����}�W�d���������n�1�s�0�������Y���|�|���|�k�r�d�}�|���|�j���}�t���|�����W�nn��t ��y���}���z*d���|���}�t
��|�����t���|�����W�Y�d�}�~�n4d�}�~�0���t�j���y.��}���z�|���W�Y�d�}�~�n
d�}�~�0�0�d�S�)�z� Verifies that fullchain is indeed cert concatenated with chain.
:param renewable_cert: cert to verify
:type renewable_cert: certbot.interfaces.RenewableCert
:raises errors.Error: If cert and chain do not combine to fullchain.
Nz.fullchain does not match cert + chain for {0}!z8reading one of cert, chain, or fullchain has failed: {0})�rs���rt���rv���rp���Z�fullchain_pathrZ���Z�lineagenamer����rY���rz���r3���r{���) rl���r|���r}���r~���r���Z�fullchain_fileZ fullchainr����rh���r?���r?���r@���rn���t���s"���������&���&���&�����������
�
�����rn���)�rV���r+���c��������������������C���s����g�}�t�j�t�j�f�D�]L}�z�t���|�|���|�f�W�����S���t�j�yZ��}���z�|���|�����W�Y�d�}�~�q�d�}�~�0�0�q�t���d���d���d�d���|�D�����������d�S�)�z:Load PEM/DER certificate.
:raises errors.Error:
Nz�Unable to load: {0}��,c��������������������s���s����|�]�}�t�|���V���q�d�S�)�N)�r6���)���.0r5���r?���r?���r@���� <genexpr>����s������z-pyopenssl_load_certificate.<locals>.<genexpr>) r����Z�FILETYPE_PEMZ
FILETYPE_ASN1Z�load_certificaterY�����appendr����rZ���r:���)�rV���Z�openssl_errorsZ file_typer5���r?���r?���r@�����pyopenssl_load_certificate����s����������������"�����r����)�r�����typr+���c��������������������C���sf���t���|���}�|�t�j�j�k�r"t���|���}�n
t���|���}�z�|�j���t�j���}�W�n���t�j yV������g���Y�S�0�|�j
��t�j���S�)�z�Get a list of Subject Alternative Names from a certificate.
:param str cert: Certificate (encoded).
:param Format typ: Which format the `cert` bytes are in.
:returns: A list of Subject Alternative Names.
:rtype: list
)
rF���r_���r^���r����ru�����load_der_x509_certificater]���Z�get_extension_for_classZ�SubjectAlternativeNameZ�ExtensionNotFound��valueZ�get_values_for_typeZ�DNSName)�r���r����� x509_certZ�san_extr?���r?���r@�����get_sans_from_cert����s������
�����
�����������
�r����c��������������������C���s<���t���|���}�|�t�j�j�k�r"t���|���}�n
t���|���}�t���|�j�|�j���S�)�z�Get a list of domains from a cert, including the CN if it is set.
:param str cert: Certificate (encoded).
:param Format typ: Which format the `cert` bytes are in.
:returns: A list of domain names.
:rtype: list
) rF���r_���r^���r����ru���r����r[���r\���r]���)�r���r����r����r?���r?���r@�����get_names_from_cert����s������
�����
�����r����)�rI���r����r+���c��������������������C���s<���t���|���}�|�t�j�j�k�r"t���|���}�n
t���|���}�t���|�j�|�j���S�)�z�Get a list of domains from a CSR, including the CN if it is set.
:param str csr: CSR (encoded).
:param acme_crypto_util.Format typ: Which format the `csr` bytes are in.
:returns: A list of domain names.
:rtype: list
) rF���r_���r^���r����rJ���rX���r[���r\���r]���)�rI���r����Z�x509_reqr?���r?���r@�����get_names_from_req����s������
�����
�����r����)�r}�����filetyper+���c��������������������C���s����t���|�|���S�)�z�Dump certificate chain into a bundle.
:param list chain: List of `crypto.X509` (or wrapped in
:class:`josepy.util.ComparableX509`).
)�rF�����dump_pyopenssl_chain)�r}���r����r?���r?���r@���r��������s������r����)�rp���r+���c��������������������C���s����t�|�d�����}�t���|�������}�W�d���������n�1�s.0�������Y���t������0��t�j�d�d�d�����|�j�j�t j
j�d���W���d���������S�1�sv0�������Y���d�S�)�z�When does the cert at cert_path start being valid?
:param str cert_path: path to a cert in PEM format
:returns: the notBefore value from the cert at cert_path
:rtype: :class:`datetime.datetime`
rr���N��ignore�'Properties that return.*datetime object����message��Z�tzinfo)�rs���r����ru���rv�����warnings��catch_warnings��filterwarningsZ�not_valid_before��replace��datetime��timezone��utc��rp�����fr���r?���r?���r@���� notBefore����s
���� ��,�
���r����c��������������������C���s����t�|�d�����}�t���|�������}�W�d���������n�1�s.0�������Y���t������0��t�j�d�d�d�����|�j�j�t j
j�d���W���d���������S�1�sv0�������Y���d�S�)�z�When does the cert at cert_path stop being valid?
:param str cert_path: path to a cert in PEM format
:returns: the notAfter value from the cert at cert_path
:rtype: :class:`datetime.datetime`
rr���Nr����r����r����r����)�rs���r����ru���rv���r����r����r����Z�not_valid_afterr����r����r����r����r����r?���r?���r@�����notAfter
���s
���� ��,�
���r����)���filenamer+���c��������������������C���sN���t�����}�t�|�d����$}�|���|�������d�������W�d���������n�1�s<0�������Y���|�����S�)�aN���Compute a sha256sum of a file.
NB: In given file, platform specific newlines characters will be converted
into their equivalent unicode counterparts before calculating the hash.
:param str filename: path to the file whose hash will be computed
:returns: sha256 digest of the file in hexadecimal
:rtype: str
��rz�UTF-8N)���hashlib��sha256rs�����updaterv���rj���Z hexdigest)�r����r����Z�file_dr?���r?���r@���� sha256sum ���s����������2�r����s@���-----BEGIN CERTIFICATE-----
?
.+?
?
-----END CERTIFICATE-----
?
)��
fullchain_pemr+���c��������������������C���sp���t���|�������}�t�|���d�k�r$t���d�����g�}�|�D�](}�t���|���}�|���t j
��}�|���|���������q,|�d���d��
|�d�d�������f�S�)�a����Split fullchain_pem into cert_pem and chain_pem
:param str fullchain_pem: concatenated cert + chain
:returns: tuple of string cert_pem and chain_pem
:rtype: tuple
:raises errors.Error: If there are less than 2 certificates in the chain.
�����zPfailed to parse fullchain into cert and chain: less than 2 certificates in chainr����r-��������N)���CERT_PEM_REGEX��findallrj�����lenr����rY���r����ru���rS���r����r^���r������decoder:���)�r������certsZ�certs_normalizedZ�cert_pemr���r?���r?���r@�����cert_and_chain_from_fullchain;���s����������
�����
�����r����c��������������������C���s>���t�|�d�����}�t���|�������}�W�d���������n�1�s.0�������Y���|�j�S�)�z�Retrieve the serial number of a certificate from certificate path
:param str cert_path: path to a cert in PEM format
:returns: serial number of the certificate
:rtype: int
rr���N)�rs���r����ru���rv���Z
serial_numberr����r?���r?���r@�����get_serial_from_certZ���s��������,�r����)��
fullchains� issuer_cn��warn_on_no_matchr+���c��������������������C���sl���|�D�]N}�t���|�������}�t���|�d���t�����}�|�j���t�j�j ��}�|�r�|�d���j
|�k�r�|�����S�q�|�rdt���d�|�����|�d���S�)�a'���Chooses the first certificate chain from fullchains whose topmost
intermediate has an Issuer Common Name matching issuer_cn (in other words
the first chain which chains to a root whose name matches issuer_cn).
:param fullchains: The list of fullchains in PEM chain format.
:type fullchains: `list` of `str`
:param `str` issuer_cn: The exact Subject Common Name to match against any
issuer in the certificate chain.
:returns: The best-matching fullchain, PEM-encoded, or the first if none match.
:rtype: `str`
���r����z�Certbot has been configured to prefer certificate chains with issuer '%s', but no chain from the CA matched this issuer. Using the default certificate chain instead.)
r����r����rj���r����ru���r����Z�issuerZ�get_attributes_for_oidZ�NameOIDZ�COMMON_NAMEr����r3���Z�warning)�r����r����r����r}���r����Z�top_certZ
top_issuer_cnr?���r?���r@�����find_chain_with_issuerg���s����������������
���������r����)�r����r#���r$���T)�FT)�ra���r����N)�F)e��__doc__r����r����Z�logging��rer������typingr����r����r����r����r����r����Z�cryptographyr����Z�cryptography.exceptionsr ���r
���Z�cryptography.hazmat.backendsr����Z�cryptography.hazmat.primitivesr����r
���Z)cryptography.hazmat.primitives.asymmetricr����r����Z-cryptography.hazmat.primitives.asymmetric.dsar����Z,cryptography.hazmat.primitives.asymmetric.ecr����r����Z1cryptography.hazmat.primitives.asymmetric.paddingr����Z-cryptography.hazmat.primitives.asymmetric.rsar����Z,cryptography.hazmat.primitives.serializationr����r����r����Z�josepyZ�OpenSSLr����r����Z�acmer����rF���Z�certbotr����r����r����Z�certbot.compatr����Z/cryptography.hazmat.primitives.asymmetric.ed448r����Z1cryptography.hazmat.primitives.asymmetric.ed25519r ���Z.cryptography.hazmat.primitives.asymmetric.x448r!���Z0cryptography.hazmat.primitives.asymmetric.x25519r"���Z getLogger��__name__r3�����intr6�����boolr<���rA���rG���rH�����bytesrN���rT���r_���r`���r1���rk���Z
RenewableCertrq���rm���Z
HashAlgorithmrw���ro���rn���Z�X509r����r^���r����r����r����Z�ComparableX509r����r����r����r������compile��DOTALLr����r����r����r����r?���r?���r?���r@�����<module>����s��������������������������������������������������������������������������������������
��������������2�������%���������!���������.��������������������������������������������������������������������������������� ������
���