ó Á£ô_c@s\dZddlZddlZddlZddlZddlZddlZddlZddl m Z ddl m Z ddl m Z ddlmZddlmZddlmZejeƒZe jZd efd „ƒYZd efd „ƒYZd deddd„Zed„Zd„Zd„Zdde dd„Z!e j"d„Z#dS(sCrypto utilities.iÿÿÿÿN(tcrypto(tSSL(terrors(tCallable(tTuple(tUniont_DefaultCertSelectioncBseZd„Zd„ZRS(cCs ||_dS(N(tcerts(tselfR((s4/usr/lib/python2.7/site-packages/acme/crypto_util.pyt__init__scCs|jƒ}|jj|dƒS(N(tget_servernameRtgettNone(Rt connectiont server_name((s4/usr/lib/python2.7/site-packages/acme/crypto_util.pyt__call__"s (t__name__t __module__R R(((s4/usr/lib/python2.7/site-packages/acme/crypto_util.pyRs t SSLSocketcBsTeZdZdeddd„Zd„Zd„Zdefd„ƒYZ d„Z RS(sÝSSL wrapper for sockets. :ivar socket sock: Original wrapped socket. :ivar dict certs: Mapping from domain names (`bytes`) to `OpenSSL.crypto.X509`. :ivar method: See `OpenSSL.SSL.Context` for allowed values. :ivar alpn_selection: Hook to select negotiated ALPN protocol for connection. :ivar cert_selection: Hook to select certificate for connection. If given, `certs` parameter would be ignored, and therefore must be empty. cCs{||_||_||_| r8| r8tdƒ‚n|rS|rStdƒ‚n|dkrnt|ƒ}n||_dS(Ns*Neither cert_selection or certs specified.s(Both cert_selection and certs specified.(tsocktalpn_selectiontmethodt ValueErrorR Rtcert_selection(RRRRRR((s4/usr/lib/python2.7/site-packages/acme/crypto_util.pyR 4s     cCst|j|ƒS(N(tgetattrR(Rtname((s4/usr/lib/python2.7/site-packages/acme/crypto_util.pyt __getattr__BscCsÀ|j|ƒ}|dkr5tjd|jƒƒdS|\}}tj|jƒ}|jtj ƒ|jtj ƒ|j |ƒ|j |ƒ|j dk r¯|j|j ƒn|j|ƒdS(sSNI certificate callback. This method will set a new OpenSSL context object for this connection when an incoming connection provides an SNI name (in order to serve the appropriate certificate, if any). :param connection: The TLS connection object on which the SNI extension was received. :type connection: :class:`OpenSSL.Connection` s=Certificate selection for server name %s failed, dropping SSLN(RR tloggertdebugR RtContextRt set_optionst OP_NO_SSLv2t OP_NO_SSLv3tuse_privatekeytuse_certificateRtset_alpn_select_callbackt set_context(RR tpairtkeytcertt new_context((s4/usr/lib/python2.7/site-packages/acme/crypto_util.pyt_pick_certificate_cbEs       tFakeConnectioncBs)eZdZd„Zd„Zd„ZRS(sFake OpenSSL.SSL.Connection.cCs ||_dS(N(t_wrapped(RR ((s4/usr/lib/python2.7/site-packages/acme/crypto_util.pyR escCst|j|ƒS(N(RR+(RR((s4/usr/lib/python2.7/site-packages/acme/crypto_util.pyRhscGs |jjƒS(N(R+tshutdown(Rt unused_args((s4/usr/lib/python2.7/site-packages/acme/crypto_util.pyR,ks(RRt__doc__R RR,(((s4/usr/lib/python2.7/site-packages/acme/crypto_util.pyR*`s  cCsî|jjƒ\}}tj|jƒ}|jtjƒ|jtjƒ|j|j ƒ|j dk ry|j |j ƒn|j tj||ƒƒ}|jƒtjd|ƒy|jƒWn%tjk rã}tj|ƒ‚nX||fS(NsPerforming handshake with %s(RtacceptRRRRRR tset_tlsext_servername_callbackR)RR R#R*t Connectiontset_accept_stateRRt do_handshaketErrortsocketterror(RRtaddrtcontexttssl_sockR6((s4/usr/lib/python2.7/site-packages/acme/crypto_util.pyR/os N( RRR.R t_DEFAULT_SSL_METHODR RR)tobjectR*R/(((s4/usr/lib/python2.7/site-packages/acme/crypto_util.pyR's   i»i,tic CsPtj|ƒ}|j|ƒi|d6}yXtjd|||r[dj|d|dƒndƒ||f} tj| |} Wn%tjk r¨} t j | ƒ‚nXt j | ƒŒ} tj || ƒ} | jƒ| j|ƒ|dk r| j|ƒny| jƒ| jƒWn%tj k r?} t j | ƒ‚nXWdQX| jƒS(sProbe SNI server for SSL certificate. :param bytes name: Byte string to send as the server name in the client hello message. :param bytes host: Host to connect to. :param int port: Port to connect to. :param int timeout: Timeout in seconds. :param method: See `OpenSSL.SSL.Context` for allowed values. :param tuple source_address: Enables multi-path probing (selection of source interface). See `socket.creation_connection` for more info. Available only in Python 2.7+. :param alpn_protocols: Protocols to request using ALPN. :type alpn_protocols: `list` of `bytes` :raises acme.errors.Error: In case of any problems. :returns: SSL certificate presented by the server. :rtype: OpenSSL.crypto.X509 tsource_addresss!Attempting to connect to %s:%d%s.s from {0}:{1}iiR<N(RRt set_timeoutRRtformatR5tcreate_connectionR6RR4t contextlibtclosingR1tset_connect_statetset_tlsext_host_nameR tset_alpn_protosR3R,tget_peer_certificate(RthosttportttimeoutRR=talpn_protocolsR8t socket_kwargst socket_tupleRR6tclientt client_ssl((s4/usr/lib/python2.7/site-packages/acme/crypto_util.pyt probe_sni‡s.   '     cCsÐtjtj|ƒ}tjƒ}tjddtddjd„|Dƒƒjdƒƒg}|r†|jtjddtddƒƒn|j |ƒ|j |ƒ|j d ƒ|j |d ƒtj tj|ƒS( s©Generate a CSR containing a list of domains as subjectAltNames. :param buffer private_key_pem: Private key, in PEM PKCS#8 format. :param list domains: List of DNS names to include in subjectAltNames of CSR. :param bool must_staple: Whether to include the TLS Feature extension (aka OCSP Must Staple: https://tools.ietf.org/html/rfc7633). :returns: buffer PEM-encoded Certificate Signing Request. tsubjectAltNametcriticaltvalues, css|]}d|VqdS(sDNS:N((t.0td((s4/usr/lib/python2.7/site-packages/acme/crypto_util.pys Îstasciis1.3.6.1.5.5.7.1.24sDER:30:03:02:01:05itsha256(Rtload_privatekeyt FILETYPE_PEMtX509Reqt X509ExtensiontFalsetjointencodetappendtadd_extensionst set_pubkeyt set_versiontsigntdump_certificate_request(tprivate_key_pemtdomainst must_staplet private_keytcsrt extensions((s4/usr/lib/python2.7/site-packages/acme/crypto_util.pytmake_csr¾s$  (     cCsU|jƒj}t|ƒ}|dkr+|S|gg|D]}||kr8|^q8S(N(t get_subjecttCNt_pyopenssl_cert_or_req_sanR (tloaded_cert_or_reqt common_nametsansRT((s4/usr/lib/python2.7/site-packages/acme/crypto_util.pyt _pyopenssl_cert_or_req_all_namesÞs   c CsÇd}d}d|}t|tjƒr4tj}n tj}|tj|ƒjdƒ}tjd|ƒ}|dkr|gn|j dƒj |ƒ}g|D](}|j |ƒr›|j |ƒd^q›S(s¡Get Subject Alternative Names from certificate or CSR using pyOpenSSL. .. todo:: Implement directly in PyOpenSSL! .. note:: Although this is `acme` internal API, it is used by `letsencrypt`. :param cert_or_req: Certificate or CSR. :type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`. :returns: A list of Subject Alternative Names. :rtype: `list` of `unicode` t:s, tDNSsutf-8s5X509v3 Subject Alternative Name:(?: critical)?\s*(.*)iN( t isinstanceRtX509tdump_certificateRct FILETYPE_TEXTtdecodetretsearchR tgrouptsplitt startswith( t cert_or_reqtpart_separatortparts_separatortprefixtfuncttexttmatcht sans_partstpart((s4/usr/lib/python2.7/site-packages/acme/crypto_util.pyRmçs   *iii<c CsBtjƒ}|jttjtjdƒƒdƒƒ|jdƒ|d krVg}n|j tj dt dƒƒ|d|j ƒ_|j|j ƒƒ|s°t|ƒdkrè|j tj ddtd d jd „|Dƒƒƒƒn|j|ƒ|j|d kr dn|ƒ|j|ƒ|j|ƒ|j|d ƒ|S(s*Generate new self-signed certificate. :type domains: `list` of `unicode` :param OpenSSL.crypto.PKey key: :param bool force_san: :param extensions: List of additional extensions to include in the cert. :type extensions: `list` of `OpenSSL.crypto.X509Extension` If more than one domain is provided, all of the domains are put into ``subjectAltName`` X.509 extension and first domain is set as the subject CN. If only one domain is provided no ``subjectAltName`` extension is used, unless `force_san` is ``True``. iitbasicConstraintssCA:TRUE, pathlen:0iiRPRQRRs, css|]}d|jƒVqdS(sDNS:N(R](RSRT((s4/usr/lib/python2.7/site-packages/acme/crypto_util.pys 7sRVN(RRutset_serial_numbertinttbinasciithexlifytosturandomRaR R^RZtTrueRkRlt set_issuertlenR[R\R_tgmtime_adj_notBeforetgmtime_adj_notAfterR`Rb(R&Ret not_beforetvalidityt force_sanRiR'((s4/usr/lib/python2.7/site-packages/acme/crypto_util.pyt gen_ss_certs* (        cs,‡fd†‰dj‡fd†|DƒƒS(sØDump certificate chain into a bundle. :param list chain: List of `OpenSSL.crypto.X509` (or wrapped in :class:`josepy.util.ComparableX509`). :returns: certificate chain bundle :rtype: bytes cs.t|tjƒr|j}ntjˆ|ƒS(N(RttjosetComparableX509twrappedRRv(R'(tfiletype(s4/usr/lib/python2.7/site-packages/acme/crypto_util.pyt _dump_certQs R<c3s|]}ˆ|ƒVqdS(N((RSR'(R›(s4/usr/lib/python2.7/site-packages/acme/crypto_util.pys Xs(R\(tchainRš((R›Ršs4/usr/lib/python2.7/site-packages/acme/crypto_util.pytdump_pyopenssl_chainDs (R<ii¨i`'i€: ($R.RŠRAtloggingRŒRyR5tjosepyR—tOpenSSLRRtacmeRtacme.magic_typingRRRt getLoggerRRt SSLv23_METHODR:R;RRR ROR[RjRqRmRŽR–RXR(((s4/usr/lib/python2.7/site-packages/acme/crypto_util.pyts4         ` 5 +1