U-fF^dZddlZddlZddlZddlZddlZddlZddlZddlm Z ddlm Z ddlm Z ddlm Z ddlm Z ddlmZdd lmZdd lmZdd lmZddlZdd lmZdd lmZddlmZejeZejZGddZGddZddeddfde de de!de!de!dee"e!fde ee dej#fdZ$ d7d e d!e eee"e e"fd"e%d#e e eej&ej'fde f d$Z(d%eej#ej)fde e"fd&Z*d'eej#ej)fde e"fd(Z+d'eej#ej)fde e"fd)Z,d'eej#ej)fde e"fd*Z- d8d-ej.d!e e e"d.e e!d/e!d0e%d1e e ej/d2e e eej&ej'fdej#fd3Z0ej1fd4ee ej2e ej#fd5e!de fd6Z3dS)9zCrypto utilities.N)Any)Callable)List)Mapping)Optional)Sequence)Set)Tuple)Union)crypto)SSL)errorsceZdZdeeeejejfffdZ de j de eejejffdZ dS)_DefaultCertSelectioncertsc||_dSN)r)selfrs _/home/cdr/domains/dharristours.com/map/certbot/lib/python3.11/site-packages/acme/crypto_util.py__init__z_DefaultCertSelection.__init__&s  connectionreturnch|}|r|j|dSdSr)get_servernamerget)rr server_names r__call__z_DefaultCertSelection.__call__)s6 //11  5:>>+t44 4trN)__name__ __module__ __qualname__rbytesr r PKeyX509rr Connectionrrrrrr%sgeU6; 3K-L&LM3>huV[RXR]E]?^6_rrcteZdZdZdeddfdejdeeee e j e j ffde deeejeegefdeeejgee e j e j ffddf d Zd edefd Zd ejddfd ZGddZde eeffdZdS) SSLSocketaSSL wrapper for sockets. :ivar socket sock: Original wrapped socket. :ivar dict certs: Mapping from domain names (`bytes`) to `OpenSSL.crypto.X509`. :ivar method: See `OpenSSL.SSL.Context` for allowed values. :ivar alpn_selection: Hook to select negotiated ALPN protocol for connection. :ivar cert_selection: Hook to select certificate for connection. If given, `certs` parameter would be ignored, and therefore must be empty. Nsockrmethodalpn_selectioncert_selectionrc||_||_||_|s|std|r|rtd|}|t |r|ni}||_dS)Nz*Neither cert_selection or certs specified.z(Both cert_selection and certs specified.)r)r+r* ValueErrorrr,)rr)rr*r+r,actual_cert_selections rrzSSLSocket.__init__=s ,  Ke KIJJ J  Ie IGHH HTb  ! ($95:P%%b$Q$Q !3rnamec,t|j|Sr)getattrr)rr0s r __getattr__zSSLSocket.__getattr__Tsty$'''rrc ||}|/td|dS|\}}t j|j}|tj|tj | || ||j | |j ||dS)aSNI certificate callback. This method will set a new OpenSSL context object for this connection when an incoming connection provides an SNI name (in order to serve the appropriate certificate, if any). :param connection: The TLS connection object on which the SNI extension was received. :type connection: :class:`OpenSSL.Connection` Nz=Certificate selection for server name %s failed, dropping SSL)r,loggerdebugrr Contextr* set_options OP_NO_SSLv2 OP_NO_SSLv3use_privatekeyuse_certificater+set_alpn_select_callback set_context)rrpairkeycert new_contexts r_pick_certificate_cbzSSLSocket._pick_certificate_cbWs"":.. < LLX#2244 6 6 6 F Tk$+.. 000000""3'''##D)))   *  0 01D E E E{+++++rcLeZdZdZdejddfdZdedefdZ dede fd Z dS) SSLSocket.FakeConnectionzFake OpenSSL.SSL.Connection.rrNc||_dSr)_wrapped)rrs rrz!SSLSocket.FakeConnection.__init__ws &DMMMrr0c,t|j|Sr)r2rHr3s rr4z$SSLSocket.FakeConnection.__getattr__zs4=$// /r unused_argsc |jS#tj$r}t j|d}~wwxYwr)rHshutdownr Errorsocketerror)rrJrOs rrLz!SSLSocket.FakeConnection.shutdown}sN *}--///9 * * * l5)))  *sA>A) rr r!__doc__r r%rstrrr4boolrLr&rrFakeConnectionrFrs** 's~ '$ ' ' ' ' 0C 0C 0 0 0 0 * * * * * * * *rrSc|j\}} tj|j}|tj|tj||j |j | |j | tj ||}|td| |n+#tj$r}t'j|d}~wwxYw||fS#|xYw)NzPerforming handshake with %s)r)acceptr r8r*r9r:r;set_tlsext_servername_callbackrDr+r>rSr%set_accept_stater6r7 do_handshakerMrNrOclose)rr)addrcontextssl_sockrOs rrUzSSLSocket.acceptsNY%%'' d k$+..G    0 0 0    0 0 0  2 243L M M M".001DEEE**3>'4+H+HIIH  % % ' ' ' LL7 > > > *%%''''9 * * *l5))) * T> !  JJLLL s0C)E DE E,EEE E#)rr r!rP_DEFAULT_SSL_METHODrNrrr"r r r#r$intrr r%rrrQrr4rDrSrUr&rrr(r(0s  UY2\`UY 44V]4 fk6;6N0O)O!PQ44"*(CNDK3PRW3W*X!Y4"*(CN3C3;E&+BH+CN=O4P4P+Q"R 44444.((((((,s~,$,,,,6********,nc12rr(ii,)rr0hostporttimeoutr*source_addressalpn_protocolsrc `tj|}||d|i} td||t |r"d|d|dnd||f} tj| fi|} n+#tj $r} tj | d} ~ wwxYwtj | 5} tj|| } | | ||| | | | n+#tj $r} tj | d} ~ wwxYw dddn #1swxYwY| }|sJ|S)a Probe SNI server for SSL certificate. :param bytes name: Byte string to send as the server name in the client hello message. :param bytes host: Host to connect to. :param int port: Port to connect to. :param int timeout: Timeout in seconds. :param method: See `OpenSSL.SSL.Context` for allowed values. :param tuple source_address: Enables multi-path probing (selection of source interface). See `socket.creation_connection` for more info. Available only in Python 2.7+. :param alpn_protocols: Protocols to request using ALPN. :type alpn_protocols: `Sequence` of `bytes` :raises acme.errors.Error: In case of any problems. :returns: SSL certificate presented by the server. :rtype: OpenSSL.crypto.X509 rcz!Attempting to connect to %s:%d%s.z from {0}:{1}rr_N)r r8 set_timeoutr6r7anyformatrNcreate_connectionrOrrM contextlibclosingr%set_connect_stateset_tlsext_host_nameset_alpn_protosrXrLget_peer_certificate)r0r`rarbr*rcrdr[ socket_kwargs socket_tupler)rOclient client_sslrBs r probe_snirus .k&!!G    %~6M " /t^$$ -O " "q!q!   +-    ,0, ' FF FF <"""l5!!!"  D ! ! &V^GV44 $$&&&''---  %  & &~ 6 6 6 &  # # % % %    ! ! ! !y & & &,u%% % & " & & & & & & & & & & & & & & &  * * , ,D KKK KsOA$BB<#B77B<AF *(EF E;"E66E;;F  FFFprivate_key_pemdomains must_stapleipaddrsctjtj|}tj}g}|g}|g}t |t |zdkrt d|D]}|d|z|D]}|d|jz d| d} tj dd | g} |r*| tj d d d | | | || d||d tjtj|S)aGenerate a CSR containing domains or IPs as subjectAltNames. :param buffer private_key_pem: Private key, in PEM PKCS#8 format. :param list domains: List of DNS names to include in subjectAltNames of CSR. :param bool must_staple: Whether to include the TLS Feature extension (aka OCSP Must Staple: https://tools.ietf.org/html/rfc7633). :param list ipaddrs: List of IPaddress(type ipaddress.IPv4Address or ipaddress.IPv6Address) names to include in subbjectAltNames of CSR. params ordered this way for backward competablity when called by positional argument. :returns: buffer PEM-encoded Certificate Signing Request. NrzAAt least one of domains or ipaddrs parameter need to be not emptyDNS:IP:, asciisubjectAltNameFcriticalvalues1.3.6.1.5.5.7.1.24sDER:30:03:02:01:05sha256)r load_privatekey FILETYPE_PEMX509Reqlenr.appendexplodedjoinencode X509Extensionadd_extensions set_pubkey set_versionsigndump_certificate_request) rvrwrxry private_keycsrsanlistaddressips san_string extensionss rmake_csrrs(_..K .  CG 7||CLL A%%\]]]))v'((((--us|+,,,,7##**733J     J*&. !'))) * * *z"""NN;OOAHH[(###  *S " ""rloaded_cert_or_reqc|jt|}|Sgfd|DzS)Nc g|] }|k| Sr&r&).0d common_names r z4_pyopenssl_cert_or_req_all_names.. s#@@@!qK/?/?A/?/?/?r) get_subjectCN_pyopenssl_cert_or_req_san)rsansrs @r _pyopenssl_cert_or_req_all_namesrsT%00225K %&8 9 9D =@@@@t@@@ @@r cert_or_reqcPddzt|}fd|DS)aGet Subject Alternative Names from certificate or CSR using pyOpenSSL. .. todo:: Implement directly in PyOpenSSL! .. note:: Although this is `acme` internal API, it is used by `letsencrypt`. :param cert_or_req: Certificate or CSR. :type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`. :returns: A list of Subject Alternative Names that is DNS. :rtype: `list` of `str` :DNScpg|]2}||d3S)rf) startswithsplit)rpartpart_separatorprefixs rrz._pyopenssl_cert_or_req_san..:sJ ? ? ?doof&=&= ?DJJ~ & &q ) ? ? ?r_pyopenssl_extract_san_list_raw)r sans_partsrrs @@rrr#sR$N ^ #F0==J ? ? ? ? ?" ? ? ??rcLd}d|zt|}fd|DS)aeGet Subject Alternative Names IPs from certificate or CSR using pyOpenSSL. :param cert_or_req: Certificate or CSR. :type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`. :returns: A list of Subject Alternative Names that are IP Addresses. :rtype: `list` of `str`. note that this returns as string, not IPaddress object rz IP Addresschg|].}||td/Sr)rr)rrrs rrz1_pyopenssl_cert_or_req_san_ip..Os9 Q Q Q49P9P QDV  Q Q Qrr)rrrrs @r_pyopenssl_cert_or_req_san_ipr>s;N N *F0==J Q Q Q Q: Q Q QQrct|tjr3tjtj|d}n2tjtj|d}tjd|}d}|gn'| d |}|S)aGet raw SAN string from cert or csr, parse it as UTF-8 and return. :param cert_or_req: Certificate or CSR. :type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`. :returns: raw san strings, parsed byte as utf-8 :rtype: `list` of `str` zutf-8z5X509v3 Subject Alternative Name:(?: critical)?\s*(.*)r}Nrf) isinstancer r$dump_certificate FILETYPE_TEXTdecoderresearchgroupr)rtextraw_sanparts_separatorrs rrrRs+v{++b&v';[IIPPQXYY.v/C[QQXXY`aaiPRVWWGOGMM!,<,<,B,B?,S,SJ r: TrA not_beforevalidity force_sanrrc n|s |s Jdtj}|tt jt jdd|d|g}|g}|g}| tj dddt|dkr|d| _ || g}|D]} | d | z|D]} | d | jz d |d } |s&t|d kst|dkr*| tj dd| ||||dn|||||||d|S)atGenerate new self-signed certificate. :type domains: `list` of `str` :param OpenSSL.crypto.PKey key: :param bool force_san: :param extensions: List of additional extensions to include in the cert. :type extensions: `list` of `OpenSSL.crypto.X509Extension` :type ips: `list` of (`ipaddress.IPv4Address` or `ipaddress.IPv6Address`) If more than one domain is provided, all of the domains are put into ``subjectAltName`` X.509 extension and first domain is set as the subject CN. If only one domain is provided no ``subjectAltName`` extension is used, unless `force_san` is ``True``. z7Must provide one or more hostnames or IPs for the cert.NsbasicConstraintsTsCA:TRUE, pathlen:0rr{r|r}r~rfrFrr)r r$set_serial_numberr^binasciihexlifyosurandomrrrrrr set_issuerrrrrgmtime_adj_notBeforegmtime_adj_notAfterrr) rArwrrrrrrBrriprs r gen_ss_certrqsK* TcTTTTTT ;==D3x/ 2??DDEEEQ  { '< > >  7||a ' OOD$$&&'''G))v'((((,,ur{*++++7##**733J CLL1$$C1 &.         ###:#5aa:FFFX&&&OOCIIc8 Krchainfiletypecdttjtjfdt ffd dfd|DS)zDump certificate chain into a bundle. :param list chain: List of `OpenSSL.crypto.X509` (or wrapped in :class:`josepy.util.ComparableX509`). :returns: certificate chain bundle :rtype: bytes rBrct|tjr:t|jtjrt jd|j}t j|S)NzUnexpected CSR provided.) rjoseComparableX509wrappedr rrrMr)rBrs r _dump_certz(dump_pyopenssl_chain.._dump_certsY dD/ 0 0 $,77 ?l#=>>>z'dump_pyopenssl_chain..s-77JJt$$777777r)r rrr r$r"r)rrrs `@rdump_pyopenssl_chainrsh7t2FK?@7U777777 887777777 7 77r)NFN)NNrTNN)4rPrrk ipaddressloggingrrrNtypingrrrrrrr r r josepyrOpenSSLr r acmer getLoggerrr6 SSLv23_METHODr]rr(r"r^rQr$rurR IPv4Address IPv6Addressrrrrrrr#rrrrrr&rrrs   8 $ $'uuuuuuuup58/SZ:>66E66c6#66AFsCx6&x76CI;6666rVZ!&\`4"4"e4"huSXtCy=P7Q.R4"4"tE)*?AV*V$WXY4"4"4"4"4"nAv{FN?Z9[A*.s)AAAA?E&+v~2M,N?SWX[S\????6RuV[&.5P/QRVZ[^V_RRRR(v{FN7R1SX\]`Xa>BF,0FJCG[_ ??V[?8DI+>?$SM???C?%T&*>%?@?d5)> @U)U#VWX ? [ ????F*0)<88d4+>&?fkAR&R S8#&8AF888888r