PNG  IHDR;IDATxܻn0K )(pA 7LeG{ §㻢|ذaÆ 6lذaÆ 6lذaÆ 6lom$^yذag5bÆ 6lذaÆ 6lذa{ 6lذaÆ `}HFkm,mӪôô! x|'ܢ˟;E:9&ᶒ}{v]n&6 h_tڠ͵-ҫZ;Z$.Pkž)!o>}leQfJTu іچ\X=8Rن4`Vwl>nG^is"ms$ui?wbs[m6K4O.4%/bC%t Mז -lG6mrz2s%9s@-k9=)kB5\+͂Zsٲ Rn~GRC wIcIn7jJhۛNCS|j08yiHKֶۛkɈ+;SzL/F*\Ԕ#"5m2[S=gnaPeғL lذaÆ 6l^ḵaÆ 6lذaÆ 6lذa; _ذaÆ 6lذaÆ 6lذaÆ RIENDB`  #^c@s%ddlmZddlZddlZddlZddlZddlZddlZddlZddl m Z ddl m Z ddlmZddlmZmZddlmZmZmZmZddlmZmZdd lmZmZddlZdd lm Z dd l!m"Z"ej#r6e$Z%nd Z&d Z'ej(dej)Z*dZ+dZ,dZ-dZ.dZ/dZ0dZ1dZ2dZ3dZ4e j5e j6de7fdYZ8dZ9dZ:dZ;e<dZ=dZ>d Z?e&d!Z@d"ZAd#ZBd$ZCe<d%ZDd&ejEfd'YZFd(ejEfd)YZGd*ZHd+e jIjJfd,YZKd-e jIjJfd.YZLieKe46eLe36ZMd/ZNd0ZOd1ZPd2ZQd3ZRd4ZSd5ZTd6ZUd7ZVd8ejWfd9YZXd:ZYdS(;i(tprint_functionN(tx509(tutils(tdefault_backend(tEncodingt PublicFormat(tunivtchart namedtypettag(tdecodertencoder(trfc2315trfc2459(terrors(tDNSNameiis7-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----s1.3.6.1.5.5.7.3.1s1.3.6.1.5.5.7.3.2s1.3.6.1.5.5.7.3.3s1.3.6.1.5.5.7.3.4s1.3.6.1.5.2.3.4s1.3.6.1.5.2.3.5s 2.5.29.37.0s1.3.6.1.4.1.3319.6.10.16s1.3.6.1.4.1.311.20.2.3s 1.3.6.1.5.2.2tIPACertificatecBseZdZd#dZdZdZdZdZdZ dZ dZ d Z d Z d Zd Zed ZedZedZedZedZedZedZedZedZedZedZedZedZedZdZedZ edZ!edZ"edZ#d Z$ed!Z%d"Z&RS($sj A proxy class wrapping a python-cryptography certificate representation for FreeIPA purposes cCsd||_|dkrtn||_|jd|_|jd|_|jd|_dS(s :param cert: A python-cryptography Certificate object :param backend: A python-cryptography Backend object tsubjecttissuert serialNumberN(t_certtNoneRtbackendt_IPACertificate__get_der_fieldt_subjectt_issuert_serial_number(tselftcertR((s//usr/lib/python2.7/site-packages/ipalib/x509.pyt__init__Vs  !cCs;i|jtjd6|jd6|jd6|jd6}|S(NRRRR(t public_bytesRtDERt subject_bytest issuer_bytesR(Rtstate((s//usr/lib/python2.7/site-packages/ipalib/x509.pyt __getstate__es    cCsJ|d|_|d|_|d|_tj|ddt|_dS(NRRRRR(RRt crypto_x509tload_der_x509_certificateRR(RR"((s//usr/lib/python2.7/site-packages/ipalib/x509.pyt __setstate__ns    cCsgt|tjtfr:|jtj|jtjkSt|tr_|jtj|kStSdS(s Checks equality. :param other: either cryptography.Certificate or IPACertificate or bytes representing a DER-formatted certificate N( t isinstanceR$t CertificateRRRRtbytestFalse(Rtother((s//usr/lib/python2.7/site-packages/ipalib/x509.pyt__eq__us cCs|j| S(s# Checks not equal. (R,(RR+((s//usr/lib/python2.7/site-packages/ipalib/x509.pyt__ne__scCs t|jS(sJ Computes a hash of the wrapped cryptography.Certificate. (thashR(R((s//usr/lib/python2.7/site-packages/ipalib/x509.pyt__hash__scCsjtj}tj||ds( RRQtget_extension_for_oidR$R9t ExtensionOIDtEXTENDED_KEY_USAGER:tExtensionNotFoundRtset(Rt ext_key_usage((s//usr/lib/python2.7/site-packages/ipalib/x509.pytextended_key_usage s  cCs}|j}|dkrdStj}x-t|D]\}}tj|||}|j}||krY|j|||jqYqYW|S( s Return SAN general names from a python-cryptography certificate object. If the SAN extension is not present, return an empty sequence. Because python-cryptography does not yet provide a way to handle unrecognised critical extensions (which may occur), we must parse the certificate and extract the General Names. For uniformity with other code, we manually construct values of python-crytography GeneralName subtypes. python-cryptography does not yet provide types for ediPartyName or x400Address, so we drop these name types. otherNames are NOT instantiated to more specific types where the type is known. Use ``process_othernames`` to do that. When python-cryptography can handle certs with unrecognised critical extensions and implements ediPartyName and x400Address, this function (and helpers) will be redundant and should go away. cSstjt|S(N(R$t RFC822Nametunicode(tx((s//usr/lib/python2.7/site-packages/ipalib/x509.pyt<st rfc822NamecSstjt|S(N(R$RRh(Ri((s//usr/lib/python2.7/site-packages/ipalib/x509.pyRj=stdNSNamet directoryNamet registeredIDt iPAddresscSstjt|S(N(R$tUniformResourceIdentifierRh(Ri((s//usr/lib/python2.7/site-packages/ipalib/x509.pyRjBstuniformResourceIdentifiert otherName(t-_IPACertificate__pyasn1_get_san_general_namest%_pyasn1_to_cryptography_directorynamet$_pyasn1_to_cryptography_registeredidt!_pyasn1_to_cryptography_ipaddresst!_pyasn1_to_cryptography_othernametgetNametappendt getComponent(RtgnstGENERAL_NAME_CONSTRUCTORStresulttgntgn_type((s//usr/lib/python2.7/site-packages/ipalib/x509.pytsan_general_names s         cCs|jdpg}tjd}g}xd|D]\}|d|kr1tj|ddtjd}tj|dtjd}Pq1q1W|S(NRQs 2.5.29.17R0R2tasn1Speci(RCRR4R R>R8R tSubjectAltName(RRQtOID_SANR{R;tder((s//usr/lib/python2.7/site-packages/ipalib/x509.pyt__pyasn1_get_san_general_namesPs cCsU|j}g}x<|D]4}|jdkr|jt|jqqW|S(NRl(RsRxRyRhRz(RR{R}R~((s//usr/lib/python2.7/site-packages/ipalib/x509.pytsan_a_label_dns_names^s    c Csi}g|d<}xl|jjjD][}g}x?|D]7}|jtjjjkr7|jd|jfq7q7W|j|q$W|j }|rg|d<}x$|D]} |jd| fqWnt j |t |j dS(NRt commonNametsubjectAltNametDNS(RRtrdnsR9R$tNameOIDt COMMON_NAMERyR:Rtssltmatch_hostnameRtToASCII( Rthostnamet match_certt match_subjecttrdnt match_rdntavatvaluest match_sanR:((s//usr/lib/python2.7/site-packages/ipalib/x509.pyRis   N('t__name__t __module__t__doc__RRR#R&R,R-R/RaRCRRRFRGtpropertyRIRJRKRR RLRMRNRR!RORPR=RQRRRUR^RfRRsRR(((s//usr/lib/python2.7/site-packages/ipalib/x509.pyRPsF            0  cCsttj|dtS(s Load an X.509 certificate in PEM format. :returns: a ``IPACertificate`` object. :raises: ``ValueError`` if unable to load the certificate. R(RR$tload_pem_x509_certificateR(tdata((s//usr/lib/python2.7/site-packages/ipalib/x509.pyR}scCsttj|dtS(s Load an X.509 certificate in DER format. :returns: a ``IPACertificate`` object. :raises: ``ValueError`` if unable to load the certificate. R(RR$R%R(R((s//usr/lib/python2.7/site-packages/ipalib/x509.pyR%scCs-yt|SWntk r(t|SXdS(s Only use this function when you can't be sure what kind of format does your certificate have, e.g. input certificate files in installers :returns: a ``IPACertificate`` object. :raises: ``ValueError`` if unable to load the certificate. N(Rt ValueErrorR%(R((s//usr/lib/python2.7/site-packages/ipalib/x509.pytload_unknown_x509_certificates cCs/t|dd}t|jSWdQXdS(sh Load a certificate from a PEM file. Returns a python-cryptography ``Certificate`` object. tmodetrbN(topenRtread(tfilenametdbdirtf((s//usr/lib/python2.7/site-packages/ipalib/x509.pytload_certificate_from_filescCs,tj|}g|D]}t|^qS(s Load a certificate list from a sequence of concatenated PEMs. Return a list of python-cryptography ``Certificate`` objects. (t PEM_REGEXtfindallR(RtcertsR((s//usr/lib/python2.7/site-packages/ipalib/x509.pytload_certificate_listscCs,t|d}t|jSWdQXdS(sv Load a certificate list from a PEM file. Return a list of python-cryptography ``Certificate`` objects. RN(RRR(RR((s//usr/lib/python2.7/site-packages/ipalib/x509.pytload_certificate_list_from_filescCs-|tkrTtjd|tj}|s9tdntj|jd}ntj |t j \}}|rtdn|dt j krtdntj t |dt j\}}|rtdng}x:|d D].}tj|}t|}|j|qW|S( sn Extract certificates from a PKCS #7 object. :returns: a ``list`` of ``IPACertificate`` objects. s------BEGIN PKCS7-----(.*?)-----END PKCS7-----snot a valid PKCS#7 PEMisnot a valid PKCS#7 messaget contentTypes not a PKCS#7 signed data messagetcontents&not a valid PKCS#7 signed data messaget certificates(tPEMtretmatchtDOTALLRtbase64t b64decodetgroupR R>R t ContentInfot signedDataR)t SignedDataR R7R%Ry(RtdatatypeRt content_infottailt signed_dataR}t certificate((s//usr/lib/python2.7/site-packages/ipalib/x509.pytpkcs7_to_certss.   cCs@yt|Wn+tk r;}tjdt|nXdS(sO Perform cert validation by trying to load it via python-cryptography. terrorN(RRRtCertificateFormatErrortstr(Rte((s//usr/lib/python2.7/site-packages/ipalib/x509.pytvalidate_pem_x509_certificatescCs@yt|Wn+tk r;}tjdt|nXdS(sO Perform cert validation by trying to load it via python-cryptography. RN(R%RRRR(RR((s//usr/lib/python2.7/site-packages/ipalib/x509.pytvalidate_der_x509_certificatescCsmy5t|d }|j|jtjWdQXWn1ttfk rh}tjdt |nXdS(s Write the certificate to a file in PEM format. The cert value can be either DER or PEM-encoded, it will be normalized to DER regardless, then back out to PEM. twbNtreason( RtwriteRRRtIOErrortOSErrorRt FileErrorR(RRtfpR((s//usr/lib/python2.7/site-packages/ipalib/x509.pytwrite_certificates #cCsykt|dV}|dk r:tj|j|nx'|D]}|j|jtjqAWWdQXWn1t t fk r}t j dt |nXdS(s Write a list of certificates to a file in PEM format. :param certs: a list of IPACertificate objects to be written to a file :param filename: a path to the file the certificates should be written into RNR(RRtostfchmodtfilenoRRRRRRRRR(RRRRRR((s//usr/lib/python2.7/site-packages/ipalib/x509.pytwrite_certificate_list s  't_PrincipalNamec BseZejejdejjdej ej ej dejdej e jjdej ej ej dZRS(s name-typet explicitTagis name-stringi(RRRt NamedTypest NamedTypeRtIntegertsubtypeR tTagttagClassContextttagFormatSimplet SequenceOfRt GeneralStringt componentType(((s//usr/lib/python2.7/site-packages/ipalib/x509.pyRs !t_KRB5PrincipalNamec Bs}eZejejdejjdej ej ej dejde jdej ej ej dZ RS(trealmRit principalNamei(RRRRRRRRR RRRRR(((s//usr/lib/python2.7/site-packages/ipalib/x509.pyR(s cCstj|dtd}t|djddjdd}|dd }d jd |D}d ||f}|S( NRiRs\s\\t@s\@Rs name-stringu/css?|]5}t|jddjddjddVqdS(s\s\\t/s\/Rs\@N(Rhtreplace(RWtn((s//usr/lib/python2.7/site-packages/ipalib/x509.pys 8su%s@%s(R R>RRhRtjoin(Rt principalRtname((s//usr/lib/python2.7/site-packages/ipalib/x509.pyt_decode_krb5principalname3s   tKRB5PrincipalNamecBseZdZRS(cCs,tt|j||t||_dS(N(tsuperRRRR(Rttype_idR:((s//usr/lib/python2.7/site-packages/ipalib/x509.pyR@s(RRR(((s//usr/lib/python2.7/site-packages/ipalib/x509.pyR?stUPNcBseZdZRS(cCsEtt|j||ttj|dtjd|_dS(NRi( RRRRhR R>Rt UTF8StringR(RRR:((s//usr/lib/python2.7/site-packages/ipalib/x509.pyRFs(RRR(((s//usr/lib/python2.7/site-packages/ipalib/x509.pyREsccsdx]|D]U}t|tjjrWtj|jjtjj}||j|jVq|VqWdS(s Process python-cryptography GeneralName values, yielding OtherName values of more specific type if type is known. N( R'R$t general_namet OtherNametOTHERNAME_CLASS_MAPtgetRRVR:(R{R~tcls((s//usr/lib/python2.7/site-packages/ipalib/x509.pytprocess_othernamesRs  cCsg}xe|jD]W}xN|D]F}tjt|dttj|dd}|j|q WqWtjtj |S(NttypeR:i( RzR$t NameAttributet_pyasn1_to_cryptography_oidRhR R>Ryt DirectoryNametName(tdntattrsRRtattr((s//usr/lib/python2.7/site-packages/ipalib/x509.pyRtbs   cCstjt|S(N(R$t RegisteredIDR(R9((s//usr/lib/python2.7/site-packages/ipalib/x509.pyRuqscCstjtjt|S(N(R$t IPAddresst ipaddresst ip_addressR)(t octet_string((s//usr/lib/python2.7/site-packages/ipalib/x509.pyRvuscCs$tjt|dt|dS(Nstype-idR:(R$RRR)(ton((s//usr/lib/python2.7/site-packages/ipalib/x509.pyRwzs cCstjt|S(N(R$R4R(R9((s//usr/lib/python2.7/site-packages/ipalib/x509.pyRscCs'dtjjt|g|DS(sYield chunks of the specified size from the given string. The input must be a multiple of the chunk size (otherwise trailing characters are dropped). Works on character strings only. css|]}dj|VqdS(uN(R(RWtspan((s//usr/lib/python2.7/site-packages/ipalib/x509.pys s(tsixtmovestziptiter(tsizets((s//usr/lib/python2.7/site-packages/ipalib/x509.pytchunks cCsdjtd|S(s4Add colons between each nibble pair in a hex string.u:i(RR (R((s//usr/lib/python2.7/site-packages/ipalib/x509.pyt add_colonsscCsttj|jdS(s*Convert bytes to a hex string with colons.sutf-8(R tbinasciithexlifyR>(tbs((s//usr/lib/python2.7/site-packages/ipalib/x509.pytto_hex_with_colonsstUTCcBs2eZejdZdZdZdZRS(icCsdS(NR((Rtdt((s//usr/lib/python2.7/site-packages/ipalib/x509.pyttznamescCs|jS(N(tZERO(RR((s//usr/lib/python2.7/site-packages/ipalib/x509.pyt utcoffsetscCs|jS(N(R(RR((s//usr/lib/python2.7/site-packages/ipalib/x509.pytdsts(RRtdatetimet timedeltaRRRR(((s//usr/lib/python2.7/site-packages/ipalib/x509.pyRs  cCs:|jdkr'|jdt}nt|jdS(Nttzinfos%a %b %d %H:%M:%S %Y %Z(RRRRRhtstrftime(tt((s//usr/lib/python2.7/site-packages/ipalib/x509.pytformat_datetimes(Zt __future__RR RRRRRRt cryptographyRR$Rt crypto_utilstcryptography.hazmat.backendsRt,cryptography.hazmat.primitives.serializationRRt pyasn1.typeRRRR tpyasn1.codec.derR R tpyasn1_modulesR R RtipalibRtipapython.dnsutilRtPY3RRhRRtcompileRRtEKU_SERVER_AUTHtEKU_CLIENT_AUTHtEKU_CODE_SIGNINGtEKU_EMAIL_PROTECTIONtEKU_PKINIT_CLIENT_AUTHtEKU_PKINIT_KDCRbtEKU_PLACEHOLDERtSAN_UPNtSAN_KRB5PRINCIPALNAMEtregister_interfaceR(tobjectRRR%RRRRRRRRRRtSequenceRRRRRRRRRRtRuRvRwRR R RRRR(((s//usr/lib/python2.7/site-packages/ipalib/x509.pyt s       "    -  &