�

N�hj&����dZd
dl
Z
d
dlmZmZmZ
d
dlZd
dlZd
dlZd
dlmZ
d
dlm	Z	
d
dlm
Z

d
dlmZ
d
dl
mZmZ
d
d	lmZmZmZmZmZmZ
d
d
lmZ
d
dlmZ
ej6e�
ZGd�d
e
j<�Zej@ejBejDejFejHfZ%			d$de&de	e
e'e(e)e(fde*de	e)e
ejVejXfde&f
d�Z-dej\dej^de)e(fd�Z0de
ejbejdfde)e(fd�Z3defd�Z4					d%dejjde	e)e(de	ede	ede*de	e)ejlde	e)e
ejVejXfdejbfd �Z7ejpf
d!e)ejbd"eejpejrfde&fd#�Z:y)&zCrypto utilities.�N)�datetime�	timedelta�timezone)
�Literal)
�Optional)
�Union)
�x509)�hashes�
serialization)�dsa�rsa�ec�ed25519�ed448�types)
�Encoding)
�cryptoc�L�eZ
dZd
Zej
ZejZde	fd�Z
y)�Formatz�File format to be used when parsing or serializing X.509 structures.

    Backwards compatible with the `FILETYPE_ASN1` and `FILETYPE_PEM` constants
    from pyOpenSSL.
    �returnc
�h�|tjk(rtjStjS)
zJConverts the Format to the corresponding cryptography `Encoding`.
        )r�DERr�PEM)
�selfs
 ��/build/snapcraft-certbot-c9561b03ef7f16aa90eb6754ca5f17a1/parts/certbot/install/lib/python3.12/site-packages/acme/crypto_util.py�to_cryptography_encodingzFormat.to_cryptography_encodings$���6�:�:���<�<���<�<��N)�__name__�
__module__�__qualname__�__doc__r�
FILETYPE_ASN1r�FILETYPE_PEMrrr�rrrrs+���
�
�
�C�
�
�
�C� �(� rr�private_key_pem�domains�must_staple�ipaddrsrc�2�t
j|d
��}t|t�st	dt|�
���
�
|
�g}
|�g}t
|
�
t
|�
zdk(rt	d�
�
tj�jtjg�
�
jtj|
D�cgc]}tj|�
��c}|D�cgc]}tj|�
��c}z�
d��}|r?|jtjtj j"g
�
d��}|j%|t'j(��}|j+t,j.�
Sc
c}wc
c}w)a�Generate a CSR containing domains or IPs as subjectAltNames.

    Parameters are ordered this way for backwards compatibility when called using positional
    arguments.

    :param buffer private_key_pem: Private key, in PEM PKCS#8 format.
    :param list domains: List of DNS names to include in subjectAltNames of CSR.
    :param bool must_staple: Whether to include the TLS Feature extension (aka
        OCSP Must Staple: https://tools.ietf.org/html/rfc7633).
    :param list ipaddrs: List of IPaddress(type ipaddress.IPv4Address or ipaddress.IPv6Address)
        names to include in subbjectAltNames of CSR.

    :returns: buffer PEM-encoded Certificate Signing Request.

    N)
�passwordzInvalid private key type: rzAAt least one of domains or ipaddrs parameter need to be not emptyF�
�critical)r�load_pem_private_key�
isinstance�#CertificateIssuerPrivateKeyTypesTpl�
ValueError�type�lenr	� CertificateSigningRequestBuilder�subject_name�Name�
add_extension�SubjectAlternativeName�DNSName�	IPAddress�
TLSFeature�TLSFeatureType�status_request�signr
�SHA256�public_bytesrr)	r%r&r'r(�private_key�
d�
i�builder�csrs	         r�make_csrrE7s[
��* �4�4�_�t�T�K��k�#F�G��5�d�;�6G�5H�I�J�J���������
�7�|�c�'�l�"�a�'��O�
�	
�
	
�-�-�/�	��d�i�i��m�	$�	���'�'�*1�2�Q����a��2�.5�6��4�>�>�!�$�6�
7�
��
�

����'�'�
�O�O�T�0�0�?�?�@�A��	(�
���,�,�{�F�M�M�O�
4�C����H�L�L�)�)��3��6s�>F� F�subject�extsc��
�|j
tjj�
D�cgc]&}t	j
t|j���(}}	|
jtj�
}|jjtj�
}|s|S|d
g
|D�cgc]
}||d
k7s
�|��c}zSc
c}w#tj$r
g}Y�@wxYw
c
c}w)a�
Gets all DNS SAN names as well as the first Common Name from subject.

    :param subject: Name of the x509 object, which may include Common Name
    :type subject: `cryptography.x509.Name`
    :param exts: Extensions of the x509 object, which may include SANs
    :type exts: `cryptography.x509.Extensions`

    :returns: List of DNS Subject Alternative Names and first Common Name
    :rtype: `list` of `str`
    r)
�get_attributes_for_oidr	�NameOID�COMMON_NAME�typing�cast�str�value�get_extension_for_classr7�get_values_for_typer8�ExtensionNotFound)rFrG�
c�cns�san_ext�	dns_namesrAs       r�%get_names_from_subject_and_extensionsrWos���"�/�/����0H�0H�I��
�	���C����!��C��D
��.�.�t�/J�/J�K���M�M�5�5�d�l�l�C�	�����A��x�i�?��1��A��;�1�?�?�?��!���!�!�
��	�
��@
s#�+C�C�/
C&�=C&�C#�"
C#�cert_or_reqc
���|j}
	|
jtj�
}|j
j
tj�
S#tj$r
gcYSwxYw
)
a�
Get Subject Alternative Names from certificate or CSR using cryptography.

    .. note:: Although this is `acme` internal API, it is used by
        `letsencrypt`.

    :param cert_or_req: Certificate or CSR.
    :type cert_or_req: `x509.Certificate` or `x509.CertificateSigningRequest`.

    :returns: A list of Subject Alternative Names that is DNS.
    :rtype: `list` of `str`

    Deprecated
    .. deprecated: 3.2.1
    )�
extensionsrPr	r7rRrOrQr8)rXrGrUs   r�_cryptography_cert_or_req_sanr[�sa��$�!�!�D���.�.�t�/J�/J�K���=�=�,�,�T�\�\�:�:���!�!�
��	�
�s�A�A.�-
A.c�J�t
jtj�
�
S)N)
�tz)r�nowr�utcr$rr�_nowr`�s���<�<�8�<�<�(�(rr@�
not_before�validity�	force_sanrZ�ipsc��|
s	|sJd
��
t
j�}|jt
j��
}|�-|D](}|j	|j
|j�}�*|
�g}
|�g}|j	t
jdd��d��}g}	t|
�
dkDr6|	jt
jtj|
d��

|jt
j|	�
�
}|jt
j|	�
�
}g}
|
D]&}|
jt
j|�
�

�(|D]&}|
jt
j |�
�

�(|st|
�
dkDst|�
dkDr&|j	t
j"|
�
d��}|�
t%�}|�t'd�	�
}|j)|�
}|j+||z�
}|j-�}
|j-|
�
}|j/|t1j2��S)
a9Generate new self-signed certificate.
    :param buffer private_key_pem: Private key, in PEM PKCS#8 format.
    :type domains: `list` of `str`
    :param int not_before: A datetime after which the cert is valid. If no
    timezone is specified, UTC is assumed
    :type not_before: `datetime.datetime`
    :param validity: Duration for which the cert will be valid. Defaults to 1
    week
    :type validity: `datetime.timedelta`
    :param buffer private_key_pem: One of
    `cryptography.hazmat.primitives.asymmetric.types.CertificateIssuerPrivateKeyTypes`
    :param bool force_san:
    :param extensions: List of additional extensions to include in the cert.
    :type extensions: `list` of `x509.Extension[x509.ExtensionType]`
    :type ips: `list` of (`ipaddress.IPv4Address` or `ipaddress.IPv6Address`)
    If more than one domain is provided, all of the domains are put into
    ``subjectAltName`` X.509 extension and first domain is set as the
    subject CN. If only one domain is provided no ``subjectAltName``
    extension is used, unless `force_san` is ``True``.
    z7Must provide one or more hostnames or IPs for the cert.Tr)�ca�path_lengthr+�
Fi�:	)
�seconds)r	�CertificateBuilder�
serial_number�random_serial_numberr6rOr,�BasicConstraintsr2�append�
NameAttribute�OID_COMMON_NAMEr4r5�issuer_namer8r9r7r`r�not_valid_before�not_valid_after�
public_keyr=r
r>)r@r&rarbrcrZrdrC�ext�
name_attrs�sanlist�address�iprts              r�make_self_signed_certrz�s��8�c�T�T�T�>��%�%�'�G��#�#�D�$=�$=�$?�@�G����
	E
�C��+�+�C�I�I�s�|�|�D�G�
	E
�����
�{����#�#�D�$9�$9�T�q�$Q�\`�#�a�G��J�
�7�|�a�����$�,�,�� � ��A�J�
�	�
�"�"�4�9�9�Z�#8�9�G��!�!�$�)�)�J�"7�8�G�&(�G��
.�����t�|�|�G�,�-�
.��
+�����t�~�~�b�)�*�
+��C��L�1�$��C��1���'�'��'�'��0��(�
��
���V�
����%5�6���&�&�z�2�G��%�%�j�8�&;�<�G��'�'�)�J�� � ��,�G��<�<��V�]�]�_�5�5r�chain�encodingc�r�
��d
tjdtf�
f
d��dj�f
d�|D��
S)z�Dump certificate chain into a bundle.

    :param list chain: List of `cryptography.x509.Certificate`.

    :returns: certificate chain bundle
    :rtype: bytes

    Deprecated
    .. deprecated: 3.2.1
    �certrc
�&�
�|j
�
�
S�
N)
r?)r~r|s �r�
_dump_certz+dump_cryptography_chain.<locals>._dump_cert

s���� � ��*�*rrc
3�.�
K
�|]}
�|
�
�
�

�y�w
r�r$)�.0r~r�s  �r�	<genexpr>z*dump_cryptography_chain.<locals>.<genexpr>
s�����7��J�t�$�7�s�
)r	�Certificate�bytes�join)r{r|r�s `@r�dump_cryptography_chainr��s3���"
+��)�)�
+�e�
+�
�8�8�7��7�7�7r)NFN)NNNTNN);r!�enumrrr�	ipaddress�loggingrLrrr�cryptographyr	�cryptography.hazmat.primitivesr
r�)cryptography.hazmat.primitives.asymmetricrr
rrrr�,cryptography.hazmat.primitives.serializationr�OpenSSLr�	getLoggerr�logger�IntEnumr�
DSAPrivateKey�
RSAPrivateKey�EllipticCurvePrivateKey�Ed25519PrivateKey�Ed448PrivateKeyr/r��setrN�list�bool�IPv4Address�IPv6AddressrEr5�
ExtensionsrWr��CertificateSigningRequestr[r`� CertificateIssuerPrivateKeyTypes�	Extensionrzrrr�r$rr�<module>r�
sw�


���2�2���
�����@�Y�Y�A��	��	�	�8�	$��
 �T�\�\�
 �6������������	���'�#�59��SW�	5
*��5
*�
�e�C��H�d�3�i�/�0�
1�5
*��5
*��d�5��!6�!6�	�8M�8M�!M�N�O�
P�	5
*�
�5
*�p

@
�
�Y�Y�
@
�"�o�o�
@
�	�#�Y�
@
�D

;��t�'�'��)G�)G�G�H�
;�	�#�Y�
;�8

)�h�

)�
:>�;?�RV�GK�NR�
H

6�u�'M�'M�H

6�#+�D��I�#6�H

6�&.�x�&8�H

6�%-�Y�$7�H

6�L
P
�H

6�'/�t�D�N�N�/C�&D�	H

6�
 (��U�9�3H�3H�3<�3H�3H�
4I
�
.J
�
)K
�
 L
�H

6� $�/�/�H

6�Z5=�L�L�
8��� � �!�
8��h�l�l�H�L�L�0�1�
8��
8r