_c@sdZddlZddlZddlZddlZddlmZddlmZm Z ddl m Z ddl m Z ddlmZmZddlmZdd lmZdd lmZmZmZdd lmZdd lmZddlZddlZddlZdd l m!Z"ddl#m$Z$ddl%m&Z&ddl%m'Z'ddl%m(Z(ddl)m*Z*ej+e,Z-ddddZ.dZ/dZ0dZ1dZ2ddddZ4dZ5dZ6dZ7d Z8d!Z9d"Z:d#Z;ej<d$Z=ej<d%Z>ej<d&Z?d'Z@d(ZAej<d)ZBej<d*ZCd+ZDd,ZEd-ZFd.ZGejHd/ejIZJd0ZKd1ZLeMd2ZNdS(3sCertbot client crypto utility functions. .. todo:: Make the transition to use PSS rather than PKCS1_v1_5 when the server is capable of handling the signatures. iN(tx509(tInvalidSignaturetUnsupportedAlgorithm(tdefault_backend(tec(tECDSAtEllipticCurvePublicKey(tPKCS1v15(t RSAPublicKey(tEncodingt NoEncryptiont PrivateFormat(tcrypto(tSSL(t crypto_util(tIO(terrors(t interfaces(tutil(tostrsat secp256r1skey-certbot.pemc Csy%td|d|pdd|}Wn,tk rS}tjddt|nXtjjtj }t j |d|j t j tjj||dd \}} ||j|Wd QX|d krtjd || ntjd || t j| |S(siInitializes and saves a privkey. Inits key and saves it in PEM format on the filesystem. .. note:: keyname is the attempted filename, it may be different if a file already exists at the path. :param int key_size: key size in bits if key size is rsa. :param str key_dir: Key save directory. :param str key_type: Key Type [rsa, ecdsa] :param str elliptic_curve: Name of the elliptic curve if key type is ecdsa. :param str keyname: Filename of key :returns: Key :rtype: :class:`certbot.util.Key` :raises ValueError: If unable to generate the key given key_size. tbitstelliptic_curveRtkey_typettexc_infoiitwbNRs Generating RSA key (%d bits): %ss"Generating ECDSA key (%d bits): %s(tmake_keyt ValueErrortloggerterrortTruetzopet componentt getUtilityRtIConfigRtmake_or_verify_dirtstrict_permissionst unique_fileRtpathtjointwritetdebugtKey( tkey_sizetkey_dirRRtkeynametkey_pemterrtconfigtkey_ftkey_path((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pyt init_save_key's  $ cCstjjtj}tj|j|d|j}t j |d|j t j t jj|ddd\}}||j|WdQXtjd|t j||dS( s2Initialize a CSR with the given private key. :param privkey: Key to include in the CSR :type privkey: :class:`certbot.util.Key` :param set names: `str` names to include in the CSR :param str path: Certificate save directory. :returns: CSR :rtype: :class:`certbot.util.CSR` t must_stapleiscsr-certbot.pemiRNsCreating CSR: %stpem(R!R"R#RR$tacme_crypto_utiltmake_csrR7R6RR%R&R'RR(R)R*RR+tCSR(tprivkeytnamesR(R2tcsr_pemtcsr_ft csr_filename((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pyt init_save_csrTs$cCs[y,tjtj|}|j|jSWn(tjk rVtjddtt SXdS(sValidate CSR. Check if `csr` is a valid CSR for the given domains. :param str csr: CSR in PEM. :returns: Validity of CSR. :rtype: bool RRN( R tload_certificate_requestt FILETYPE_PEMtverifyt get_pubkeytErrorRR+R tFalse(tcsrtreq((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pyt valid_csrws cCsjtjtj|}tjtj|}y|j|SWn(tjk retjddtt SXdS(sDoes private key correspond to the subject public key in the CSR? :param str csr: CSR in PEM. :param str privkey: Private key file contents (PEM) :returns: Correspondence of private key to CSR subject public key. :rtype: bool RRN( R RARBtload_privatekeyRCRERR+R RF(RGR;RHtpkey((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pytcsr_matches_pubkeys cCstj}tj}y|tj|}WnVtjk ry|||}Wqtjk r|tjdj|qXnXt|}tj||}|t j d|d|dd|fS(s/Import a CSR file, which can be either PEM or DER. :param str csrfile: CSR filename :param str data: contents of the CSR file :returns: (`crypto.FILETYPE_PEM`, util.CSR object representing the CSR, list of domains requested in the CSR) :rtype: tuple sFailed to parse CSR file: {0}tfiletdatatformR7( R RBRAt FILETYPE_ASN1RERtformatt"_get_names_from_loaded_cert_or_reqtdump_certificate_requestRR:(tcsrfileRNtPEMtloadRGtdomainstdata_pem((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pytimport_csr_files    icCs|dkrU|dkr3tjdj|ntj}|jtj|n)|dkrfyg|j}|dkrtj dt t|jdd t }ntjd j|Wn\t k rtjd j|n4tk r&}tj|tjt|nX|jd tjd tjd t}tjtj|}ntjdj|tjtj|S(sDGenerate PEM encoded RSA|EC key. :param int bits: Number of bits if key_type=rsa. At least 1024 for RSA. :param str ec_curve: The elliptic curve to use. :returns: new RSA or ECDSA key in PEM form with specified number of bits or of type ec_curve when key_type ecdsa is used. :rtype: str RisUnsupported RSA key length: {}tecdsat SECP256R1t SECP384R1t SECP512R1tcurvetbackendsUnsupported elliptic curve: {}tencodingRQtencryption_algorithms0Invalid key_type specified: {}. Use [rsa|ecdsa](R[R\R]N(RRERQR tPKeyt generate_keytTYPE_RSAtupperRtgenerate_private_keytgetattrtNoneRt TypeErrorRtsixt raise_fromtstrt private_bytesR RUR tTraditionalOpenSSLR RJRBtdump_privatekey(RRRtkeytnamet_keytet_key_pem((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pyRs0        %    cCs?ytjtj|jSWnttjfk r:tSXdS(sIs valid RSA private key? :param str privkey: Private key file contents in PEM :returns: Validity of private key. :rtype: bool N(R RJRBtcheckRiRERF(R;((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pyt valid_privkeys cCs+t|t|t|j|jdS(sFor checking that your certs were not corrupted on disk. Several things are checked: 1. Signature verification for the cert. 2. That fullchain matches cert and chain when concatenated. 3. Check that the private key matches the certificate. :param renewable_cert: cert to verify :type renewable_cert: certbot.interfaces.RenewableCert :raises errors.Error: If verification fails. N(tverify_renewable_cert_sigtverify_fullchaintverify_cert_matches_priv_keyt cert_pathR4(trenewable_cert((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pytverify_renewable_certs  c Csyt|jd"}tj|jt}WdQXt|jd"}tj|jt}WdQX|j}tj !t ||j |j |j WdQXWnMtttfk r}dj|j|}tj|tj|nXdS(sVerifies the signature of a RenewableCert object. :param renewable_cert: cert to verify :type renewable_cert: certbot.interfaces.RenewableCert :raises errors.Error: If signature verification fails. trbNsbverifying the signature of the certificate located at {0} has failed. Details: {1}(topent chain_pathRtload_pem_x509_certificatetreadRRzt public_keytwarningstcatch_warningstverify_signed_payloadt signaturettbs_certificate_bytestsignature_hash_algorithmtIOErrorRRRQRt exceptionRRE(R{t chain_filetchaint cert_filetcerttpkRst error_str((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pyRws!!   cCstjtjdt|tr[|j|t|}|j||jnPt|t r|j|t |}|j||jnt j dWdQXdS(sCheck the signature of a payload. :param RSAPublicKey/EllipticCurvePublicKey public_key: the public_key to check signature :param bytes signature: the signature bytes :param bytes payload: the payload bytes :param cryptography.hazmat.primitives.hashes.HashAlgorithm signature_hash_algorithm: algorithm used to hash the payload :raises InvalidSignature: If signature verification fails. :raises errors.Error: If public key type is not supported tignoresUnsupported public key typeN( RRt simplefiltert isinstanceRtverifierRtupdateRCRRRRE(RRtpayloadRR((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pyR s      cCsy:tjtj}|j||j||jWnMttjfk r}dj|||}t j |t j|nXdS(s Verifies that the private key and cert match. :param str cert_path: path to a cert in PEM format :param str key_path: path to a private key file :raises errors.Error: If they don't match. sverifying the certificate located at {0} matches the private key located at {1} has failed. Details: {2}N( R tContextt SSLv23_METHODtuse_certificate_filetuse_privatekey_filetcheck_privatekeyRRERQRRR(RzR4tcontextRsR((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pyRy?s     c Cs yt|j}|j}WdQXt|j}|j}WdQXt|j}|j}WdQX|||krd}|j|j}tj|nWnYt k r}dj|}t j |tj|ntjk r}|nXdS(s Verifies that fullchain is indeed cert concatenated with chain. :param renewable_cert: cert to verify :type renewable_cert: certbot.interfaces.RenewableCert :raises errors.Error: If cert and chain do not combine to fullchain. Ns.fullchain does not match cert + chain for {0}!s8reading one of cert, chain, or fullchain has failed: {0}( R~RRRztfullchain_pathRQt lineagenameRRERRR( R{RRRRtfullchain_filet fullchainRRs((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pyRxUs" cCsg}xZtjtjfD]F}ytj|||fSWqtjk r^}|j|qXqWtjdjdjd|DdS(s:Load PEM/DER certificate. :raises errors.Error: sUnable to load: {0}t,css|]}t|VqdS(N(Rl(t.0R((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pys sN( R RBRPtload_certificateREtappendRRQR)(RNtopenssl_errorst file_typeR((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pytpyopenssl_load_certificatepscCsBy|||SWn*tjk r=tjddtnXdS(NRR(R RERRR (tcert_or_req_strt load_functtyp((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pyt_load_cert_or_reqs cCstjt|||S(N(R8t_pyopenssl_cert_or_req_sanR(RRR((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pyt_get_sans_from_cert_or_reqs cCst|tj|S(sGet a list of Subject Alternative Names from a certificate. :param str cert: Certificate (encoded). :param typ: `crypto.FILETYPE_PEM` or `crypto.FILETYPE_ASN1` :returns: A list of Subject Alternative Names. :rtype: list (RR R(RR((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pytget_sans_from_certs cCst|||}t|S(N(RRR(t cert_or_reqRRtloaded_cert_or_req((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pyt_get_names_from_cert_or_reqscCs tj|S(N(R8t _pyopenssl_cert_or_req_all_names(R((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pyRRscCst|tj|S(sGet a list of domains from a cert, including the CN if it is set. :param str cert: Certificate (encoded). :param typ: `crypto.FILETYPE_PEM` or `crypto.FILETYPE_ASN1` :returns: A list of domain names. :rtype: list (RR R(RGR((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pytget_names_from_certs cCstj||S(sDump certificate chain into a bundle. :param list chain: List of `crypto.X509` (or wrapped in :class:`josepy.util.ComparableX509`). (R8tdump_pyopenssl_chain(Rtfiletype((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pyRs cCst|tjjS(sWhen does the cert at cert_path start being valid? :param str cert_path: path to a cert in PEM format :returns: the notBefore value from the cert at cert_path :rtype: :class:`datetime.datetime` (t_notAfterBeforeR tX509t get_notBefore(Rz((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pyt notBefores cCst|tjjS(sWhen does the cert at cert_path stop being valid? :param str cert_path: path to a cert in PEM format :returns: the notAfter value from the cert at cert_path :rtype: :class:`datetime.datetime` (RR Rt get_notAfter(Rz((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pytnotAfters c Cst|d"}tjtj|j}WdQX||}|dd!d|dd!d|dd!d|dd !d |d d !d |d g }d j|}tjr|jd }n|}t j |S(sPInternal helper function for finding notbefore/notafter. :param str cert_path: path to a cert in PEM format :param function method: one of ``crypto.X509.get_notBefore`` or ``crypto.X509.get_notAfter`` :returns: the notBefore or notAfter value from the cert at cert_path :rtype: :class:`datetime.datetime` R}Niit-iitTi t:i Rtascii( R~R RRBRR)RjtPY3tdecodet pyrfc3339tparse(RztmethodtfRt timestamptreformatted_timestampttimestamp_bytest timestamp_str((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pyRs !  cCsJtj}t|d#}|j|jjdWdQX|jS(sNCompute a sha256sum of a file. NB: In given file, platform specific newlines characters will be converted into their equivalent unicode counterparts before calculating the hash. :param str filename: path to the file whose hash will be computed :returns: sha256 digest of the file in hexadecimal :rtype: str trsUTF-8N(thashlibtsha256R~RRtencodet hexdigest(tfilenameRtfile_d((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pyt sha256sums "s@-----BEGIN CERTIFICATE----- ? .+? ? -----END CERTIFICATE----- ? cCstj|j}t|dkr=tjddng|D]0}tjtjtj tj|j ^qD}|ddj |dfS(sSplit fullchain_pem into cert_pem and chain_pem :param str fullchain_pem: concatenated cert + chain :returns: tuple of string cert_pem and chain_pem :rtype: tuple :raises errors.Error: If there are less than 2 certificates in the chain. is/failed to parse fullchain into cert and chain: s!less than 2 certificates in chainiRi( tCERT_PEM_REGEXtfindallRtlenRRER tdump_certificateRBRRR)(t fullchain_pemtcertsRtcerts_normalized((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pytcert_and_chain_from_fullchains  :cCs=t|d"}tjtj|j}WdQX|jS(sRetrieve the serial number of a certificate from certificate path :param str cert_path: path to a cert in PEM format :returns: serial number of the certificate :rtype: int R}N(R~R RRBRtget_serial_number(RzRR((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pytget_serial_from_cert1s !cCsx|D]}gtj|jD]}tj|t^q#}xC|D];}|jjtjj }|rK|dj |krK|SqKWqW|rt j d|n|dS(sChooses the first certificate chain from fullchains which contains an Issuer Subject Common Name matching issuer_cn. :param fullchains: The list of fullchains in PEM chain format. :type fullchains: `list` of `str` :param `str` issuer_cn: The exact Subject Common Name to match against any issuer in the certificate chain. :returns: The best-matching fullchain, PEM-encoded, or the first if none match. :rtype: `str` isCertbot has been configured to prefer certificate chains with issuer '%s', but no chain from the CA matched this issuer. Using the default certificate chain instead.( RRRRRRtissuertget_attributes_for_oidtNameOIDt COMMON_NAMEtvalueRtinfo(t fullchainst issuer_cntwarn_on_no_matchRRRtcert_issuer_cn((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pytfind_chain_with_issuer?s 4    (Ot__doc__RtloggingRtret cryptographyRtcryptography.exceptionsRRtcryptography.hazmat.backendsRt)cryptography.hazmat.primitives.asymmetricRt,cryptography.hazmat.primitives.asymmetric.ecRRt1cryptography.hazmat.primitives.asymmetric.paddingRt-cryptography.hazmat.primitives.asymmetric.rsaRt,cryptography.hazmat.primitives.serializationR R R tOpenSSLR R RRjtzope.componentR!tacmeRR8tacme.magic_typingRtcertbotRRRtcertbot.compatRt getLoggert__name__RR5R@RIRLRYRhRRvR|RwRRyRxRRBRRRRRRRRRRRRtcompiletDOTALLRRRRFR(((s7/usr/lib/python2.7/site-packages/certbot/crypto_util.pytsl       , #   *