U ±*Pd†+ã@sødZddlZddlZddlZddlZddlZddlZddlZddl m Z ddl m Z ddl m Z ddlmZddlmZddlmZdd lmZe e¡Ze jZGd d „d eƒZd d edfdd„Zddd„Zdd„Zdd„Zddd„Ze jfdd„Z dS) zCrypto utilities.éN)Úcrypto)ÚSSL)Úerrors)ÚCallable)ÚOptional)ÚTuple)ÚUnionc@sDeZdZdZefdd„Zdd„Zdd„ZGdd „d eƒZ d d „Z d S) Ú SSLSocketzëSSL wrapper for sockets. :ivar socket sock: Original wrapped socket. :ivar dict certs: Mapping from domain names (`bytes`) to `OpenSSL.crypto.X509`. :ivar method: See `OpenSSL.SSL.Context` for allowed values. cCs||_||_||_dS©N)ÚsockÚcertsÚmethod)Úselfr r r ©rú2/usr/lib/python3/dist-packages/acme/crypto_util.pyÚ__init__(szSSLSocket.__init__cCs t|j|ƒSr )Úgetattrr ©rÚnamerrrÚ __getattr__-szSSLSocket.__getattr__cCs„| ¡}z|j|\}}Wn"tk r<t d|¡YdSXt |j¡}| tj ¡| tj ¡|  |¡|  |¡|  |¡dS)aSNI certificate callback. This method will set a new OpenSSL context object for this connection when an incoming connection provides an SNI name (in order to serve the appropriate certificate, if any). :param connection: The TLS connection object on which the SNI extension was received. :type connection: :class:`OpenSSL.Connection` z-Server name (%s) not recognized, dropping SSLN)Zget_servernamer ÚKeyErrorÚloggerÚdebugrÚContextr Ú set_optionsÚ OP_NO_SSLv2Ú OP_NO_SSLv3Zuse_privatekeyZuse_certificateZ set_context)rÚ connectionZ server_nameÚkeyÚcertZ new_contextrrrÚ_pick_certificate_cb0s ÿ     zSSLSocket._pick_certificate_cbc@s(eZdZdZdd„Zdd„Zdd„ZdS) zSSLSocket.FakeConnectionzFake OpenSSL.SSL.Connection.cCs ||_dSr )Ú_wrapped)rrrrrrOsz!SSLSocket.FakeConnection.__init__cCs t|j|ƒSr )rr!rrrrrRsz$SSLSocket.FakeConnection.__getattr__cGs |j ¡Sr )r!Úshutdown)rZ unused_argsrrrr"Usz!SSLSocket.FakeConnection.shutdownN)Ú__name__Ú __module__Ú __qualname__Ú__doc__rrr"rrrrÚFakeConnectionJsr'c Cs¨|j ¡\}}t |j¡}| tj¡| tj¡| |j ¡|  t  ||¡¡}|  ¡t  d|¡z | ¡Wn.tjk rž}zt |¡‚W5d}~XYnX||fS)NzPerforming handshake with %s)r Úacceptrrr rrrZset_tlsext_servername_callbackr r'Ú ConnectionZset_accept_staterrÚ do_handshakeÚErrorÚsocketÚerror)rr ZaddrÚcontextZssl_sockr-rrrr(Ys      zSSLSocket.acceptN) r#r$r%r&Ú_DEFAULT_SSL_METHODrrr Úobjectr'r(rrrrr s  r i»i,)Úrc Cst |¡}| |¡d|i}zBt d|||r@d |d|d¡nd¡||f}tj|f|Ž} Wn.tjk rŒ} zt   | ¡‚W5d} ~ XYnXt   | ¡h} t  || ¡} |  ¡|  |¡z|  ¡|  ¡Wn.tj k rú} zt   | ¡‚W5d} ~ XYnXW5QRX|  ¡S)aProbe SNI server for SSL certificate. :param bytes name: Byte string to send as the server name in the client hello message. :param bytes host: Host to connect to. :param int port: Port to connect to. :param int timeout: Timeout in seconds. :param method: See `OpenSSL.SSL.Context` for allowed values. :param tuple source_address: Enables multi-path probing (selection of source interface). See `socket.creation_connection` for more info. Available only in Python 2.7+. :raises acme.errors.Error: In case of any problems. :returns: SSL certificate presented by the server. :rtype: OpenSSL.crypto.X509 Úsource_addressz!Attempting to connect to %s:%d%s.z from {0}:{1}rér1N)rrZ set_timeoutrrÚformatr,Zcreate_connectionr-rr+Ú contextlibÚclosingr)Zset_connect_stateZset_tlsext_host_namer*r"Zget_peer_certificate) rZhostZportZtimeoutr r2r.Z socket_kwargsZ socket_tupler r-ZclientZ client_sslrrrÚ probe_snios:  ýþû    &r7FcCst tj|¡}t ¡}tjddd dd„|Dƒ¡ d¡dg}|rX| tjddd d¡| |¡|  |¡|  d ¡|  |d ¡t  tj|¡S) a©Generate a CSR containing a list of domains as subjectAltNames. :param buffer private_key_pem: Private key, in PEM PKCS#8 format. :param list domains: List of DNS names to include in subjectAltNames of CSR. :param bool must_staple: Whether to include the TLS Feature extension (aka OCSP Must Staple: https://tools.ietf.org/html/rfc7633). :returns: buffer PEM-encoded Certificate Signing Request. ósubjectAltNameFú, css|]}d|VqdS)zDNS:Nr©Ú.0ÚdrrrÚ °szmake_csr..Úascii©ZcriticalÚvalues1.3.6.1.5.5.7.1.24sDER:30:03:02:01:05rÚsha256) rZload_privatekeyÚ FILETYPE_PEMZX509ReqÚ X509ExtensionÚjoinÚencodeÚappendÚadd_extensionsÚ set_pubkeyÚ set_versionÚsignÚdump_certificate_request)Zprivate_key_pemÚdomainsZ must_stapleZ private_keyZcsrÚ extensionsrrrÚmake_csr s2 ÿýÿý    ÿrNcs6| ¡j‰t|ƒ}ˆdkr|Sˆg‡fdd„|DƒS)Ncsg|]}|ˆkr|‘qSrrr:©Z common_namerrÚ Æsz4_pyopenssl_cert_or_req_all_names..)Ú get_subjectÚCNÚ_pyopenssl_cert_or_req_san)Zloaded_cert_or_reqZsansrrOrÚ _pyopenssl_cert_or_req_all_namesÀs  rTcsxd‰d}dˆ‰t|tjƒr$tj}ntj}|tj|ƒ d¡}t d|¡}|dkrTgn|  d¡  |¡}‡‡fdd „|DƒS) a¡Get Subject Alternative Names from certificate or CSR using pyOpenSSL. .. todo:: Implement directly in PyOpenSSL! .. note:: Although this is `acme` internal API, it is used by `letsencrypt`. :param cert_or_req: Certificate or CSR. :type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`. :returns: A list of Subject Alternative Names. :rtype: `list` of `unicode` ú:r9ZDNSzutf-8z5X509v3 Subject Alternative Name:(?: critical)?\s*(.*)Nr3cs$g|]}| ˆ¡r| ˆ¡d‘qS)r3)Ú startswithÚsplit)r;Úpart©Zpart_separatorÚprefixrrrPïs ÿz._pyopenssl_cert_or_req_san..) Ú isinstancerÚX509Údump_certificaterKZ FILETYPE_TEXTÚdecodeÚreÚsearchÚgrouprW)Z cert_or_reqZparts_separatorÚfuncÚtextÚmatchZ sans_partsrrYrrSÈs   ÿrSé€: Tc Csà|s tdƒ‚t ¡}| tt t d¡¡dƒ¡|  d¡t  ddd¡g}|d|  ¡_ |  |  ¡¡|svt|ƒdkrœ| tj d d d  d d „|Dƒ¡d¡| |¡| |dkr¶dn|¡| |¡| |¡| |d¡|S)ažGenerate new self-signed certificate. :type domains: `list` of `unicode` :param OpenSSL.crypto.PKey key: :param bool force_san: If more than one domain is provided, all of the domains are put into ``subjectAltName`` X.509 extension and first domain is set as the subject CN. If only one domain is provided no ``subjectAltName`` extension is used, unless `force_san` is ``True``. z0Must provide one or more hostnames for the cert.éésbasicConstraintsTsCA:TRUE, pathlen:0rr3r8Fs, css|]}d| ¡VqdS)sDNS:N)rEr:rrrr=szgen_ss_cert..r?NrA)ÚAssertionErrorrr\Zset_serial_numberÚintÚbinasciiZhexlifyÚosÚurandomrIrCrQrRZ set_issuerÚlenrFrDrGZgmtime_adj_notBeforeZgmtime_adj_notAfterrHrJ)rrLZ not_beforeZvalidityZ force_sanrrMrrrÚ gen_ss_certós0  ÿÿý    rncs$‡fdd„‰d ‡fdd„|Dƒ¡S)zØDump certificate chain into a bundle. :param list chain: List of `OpenSSL.crypto.X509` (or wrapped in :class:`josepy.util.ComparableX509`). :returns: certificate chain bundle :rtype: bytes cst|tjƒr|j}t ˆ|¡Sr )r[ÚjoseZComparableX509Úwrappedrr])r)ÚfiletyperrÚ _dump_cert,s z(dump_pyopenssl_chain.._dump_certóc3s|]}ˆ|ƒVqdSr r)r;r)rrrrr=4sz'dump_pyopenssl_chain..)rD)Úchainrqr)rrrqrÚdump_pyopenssl_chains ru)F)NreT)!r&rjr5Zloggingrkr_r,ZjosepyroZOpenSSLrrZacmerZacme.magic_typingrrrrZ getLoggerr#rZ SSLv23_METHODr/r0r r7rNrTrSrnrBrurrrrÚs:        Pÿ 1 +ÿ ,