Current Path : /snap/certbot/current/lib64/python3.12/site-packages/acme/__pycache__/
Current File : //snap/certbot/current/lib64/python3.12/site-packages/acme/__pycache__/crypto_util.cpython-312.pyc