PNG  IHDR;IDATxܻn0K )(pA 7LeG{ §㻢|ذaÆ 6lذaÆ 6lذaÆ 6lom$^yذag5bÆ 6lذaÆ 6lذa{ 6lذaÆ `}HFkm,mӪôô! x|'ܢ˟;E:9&ᶒ}{v]n&6 h_tڠ͵-ҫZ;Z$.Pkž)!o>}leQfJTu іچ\X=8Rن4`Vwl>nG^is"ms$ui?wbs[m6K4O.4%/bC%t Mז -lG6mrz2s%9s@-k9=)kB5\+͂Zsٲ Rn~GRC wIcIn7jJhۛNCS|j08yiHKֶۛkɈ+;SzL/F*\Ԕ#"5m2[S=gnaPeғL lذaÆ 6l^ḵaÆ 6lذaÆ 6lذa; _ذaÆ 6lذaÆ 6lذaÆ RIENDB`  $^c @@s(ddlmZddlZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl m Z ddl Z ddl ZddlmZddlmZddlmZddlmZddlmZdd lmZejeZd ZdZdZ ee dZ!ej"ddZ#e#e$dddZ&e#e$e'e'e(ej)ej*ej+ej,ej-ej.hZ/e#e$e'e'e(ej)hZ0e#e$e'e$e(ej)hZ1edZ2ddZ3dZ4dZ5dZ6de7fdYZ8dS(i(tabsolute_importN(tNamedTemporaryFile(t constants(tpaths(tDN(t Principal(tipautil(tx509s %s IPA CAscert8.dbskey3.dbs secmod.dbscert9.dbskey4.dbs pkcs11.txts pwdfile.txtt TrustFlagsshas_key trusted ca usagescC@s||S(N((trealmtformat((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pytget_ca_nicknameKscC@s|jd|}|jd|}|dkr=|d}n|dksU|dkrdtdntj|||!jd}||fS(s Given a cert blob (str) which may or may not contian leading and trailing text, pull out just the certificate part. This will return the FIRST cert in a stream of data. :returns: a tuple (IPACertificate, last position in cert) s-----BEGIN CERTIFICATE-----s-----END CERTIFICATE-----iisUnable to find certificatesutf-8(tfindt RuntimeErrorRtload_pem_x509_certificatetencode(tcerttstarttste((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pytfind_cert_from_txtOs  cC@srd|k}d|krXd|ks<d|ks<d|krKtdntd d fSd|kspd|krd|krtdnt}n+d|krt}nt|d d tS|jd}t}x\tt j t j t j fD]<\}}d||ks"d||kr|j |qqWd|d krY|j t jnt|t|t|S( s< Convert certutil trust flags to TrustFlags object. tutptCtPtTs&cannot be both trusted and not trustedscannot be both CA and not CAt,iN(t ValueErrortFalsetNonetTrueRt frozensettsplittsett enumerateRtEKU_SERVER_AUTHtEKU_EMAIL_PROTECTIONtEKU_CODE_SIGNINGtaddtEKU_CLIENT_AUTH(t trust_flagsthas_keytcat ext_key_usagetitkp((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pytparse_trust_flagscs,  $        cC@s`|\}}}}|tkr/|r(dSdSn]|dksG|dkrX|rQdSdSn4|dkr|r{|rtdSdSq|rdSdSnd d d g}xWttjtjtjfD]7\}}||kr||c|rd nd 7(Rmtargststdintkwargstnew_args((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pyt run_certutils  cK@sDtjddj|j|jg}|j|tj|||S(Ns-ds{}:{}(RtPK12UTILR RgR`RxRR>(RmRyRzR{R|((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pyt run_pk12utils cC@s0|dk r)|}|d@}|d@}nd}d}d}d}d} |dk rhtj|j}n|dk rtj|j} n|rx9|jD]+} tj j |j | } t j | qWntj j|j stj|j |ntj j|jshtjtj|jtjtjB|ddt$} | jt j| jWdQXn|jd d |jgtj|j || tj|j |x|jD]t} tj j |j | } tj j| rtj| || | |jkr|} n|} tj| | qqWdS( sCreate cert DB :param user: User owner the secdir :param group: Group owner of the secdir :param mode: Mode of the secdir :param backup: Backup the sedir files iiiiitwtclosefdNs-Ns-f(Rtpwdtgetpwnamtpw_uidtgrptgetgrnamtgr_gidRkRcRdR1R`Rt backup_filetexiststmakedirsRftiotopentO_CREATtO_WRONLYRR7tipa_generate_passwordR;R}tchowntchmod(Rmtusertgrouptmodetbackuptdirmodetfilemodet pwdfilemodetuidtgidtfilenameRdtftnew_mode((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pyt create_db#sH       c C@s|jdks3tjjtjj|jdrNtdj|jntj ddj|jdd|j d|j g}t j |dddf}x|D]\}}tjj|j|}tjj|j|}tj |}tj|t j|jtj||j|jqW|jd|j|rxC|D]8\}}tjj|j|}tj||dqLWndS(sConvert DBM database format to SQL database format **WARNING** **WARNING** **WARNING** **WARNING** **WARNING** The caller must ensure that no other process or service is accessing the NSSDB during migration. The DBM format does not support multiple processes. If more than one process opens a DBM NSSDB for writing, the database will become **irreparably corrupted**. **WARNING** **WARNING** **WARNING** **WARNING** **WARNING** R\scert9.dbs$NSS DB {} has been migrated already.s-dssql:{}s-Ns-fs-@scert8.dbskey3.dbskey4.dbs secmod.dbs pkcs11.txts .migratedN(scert8.dbscert9.db(skey3.dbskey4.db(s secmod.dbs pkcs11.txt(RgRcRdReR1R`RR RRwRfRR>tstatRtS_IMODEtst_modeRtst_uidtst_gidRlt list_certstrename(Rmt rename_oldRyt migrationtoldnametnewnametoldstatt_((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pyt convert_dbZs. $    cC@sx|jD]}tjj|j|}|d}|d}yNtjj|rdtj||ntjj|rtj||nWq tk r}tj d|q Xq WdS(Ns.origs.ipasaves%s( RkRcRdR1R`RRtOSErrortloggertdebug(RmRRdt backup_patht save_pathR((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pytrestores  cC@s|jdgdt}|jj}g}x`|D]X}tjd|}|r4|jd}t|jd}|j||fq4q4Wt |S(s{Return nicknames and cert flags for all certs in the database :return: List of (name, trust_flags) tuples s-LR5s^(.+?)\s+(\w*,\w*,\w*)\s*$ii( R}RRAt splitlinestretmatchRR.tappendttuple(RmtresulttcertstcertlistRRtnicknameR(((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pyRs c C@s|jdgdtdt}|jdkr1dSg}xu|jjD]d}tjd|}|dk rG|j \}}}}|j t ||||j fqGqGWt |S(Ns-Kt raiseonerrR5is)^<\s*(\d+)>\s+(\w+)\s+([0-9a-z]+)\s+(.*)$((R}RRt returncodeRARRRRtgroupsRtinttstripR( RmRtkeylisttlinetmotslottalgotkeyidtnick((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pyt list_keyss ,cC@sFg}x9|jD]+\}}|jr|j||fqqW|S(sReturn nicknames and cert flags for server certs in the database Server certs have an "u" character in the trust flags. :return: List of (name, trust_flags) tuples (RR)R(Rmt server_certsR=tflags((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pytfind_server_certss  cC@s}g}|jddd|gdt}|jj}x@|D]8}tjd|}|r=|j|jdq=q=W|S(sReturn names of certs in a given cert's trust chain :param nickname: Name of the cert :return: List of certificate names s-Os--simple-self-signeds-nR5s\s*"(.*)" \[.*i(R}RRARRRRR(RmRtroot_nicknamesRtchaintctm((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pytget_trust_chains  cC@sd|d|d|jg}d}|dk rYtj|d}|jd|jgnzy|j|Wnjtjk r}|jdkrt d|q|jdkrt d |qt d |nXWd|dk r|j nXdS( Ns-os-ns-ks s-wis&incorrect password for pkcs#12 file %si sFailed to open %ss'unknown error exporting pkcs#12 file %s( RfRRtwrite_tmp_fileRxR=RR@RR Rr(RmRtpkcs12_filenamet pkcs12_passwdRytpkcs12_password_fileR((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pyt export_pkcs12s(   cC@sd|d|jdg}d}|dk rVtj|d}|jd|jgnzy|j|Wnjtjk r}|jdkrt d|q|jdkrt d |qt d |nXWd|dk r|j nXdS( Ns-is-ks-vs s-wis&incorrect password for pkcs#12 file %si sFailed to open %ss$unknown error import pkcs#12 file %s( RfRRRRxR=RR@RR Rr(RmRRRyRR((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pyt import_pkcs12s(     cC@sd}d}g}x7|D]/}y(t|d} | j} WdQXWn,tk ru} td|| jfnXttjd| tj } | r%t } xc| D][}|j }|j d}t | |j d j}|d)kr^ytj|}Wn;tk rD} |dkr[tjd ||| qq[q^X|j|t} qn|d*krytj|}WnTtjk r} |dkrtjd ||| qtjd ||| qqX|j|t} qn|d+kr|sqn|r$td||fntjdddddddd|jg }|d kra|sm|dkrtj|}|dd|jg7}nytj|d|dt}Wn/tjk r} tjd||| qqX|j }|}t} qqqW| rqntd|nytj!| }Wntk rKnX|j|q|r8y|j"||Wntk rq8X|rtd||fn|}|j#}|rxn|D]\}}||krPqqWtd ||fqt |dkrtd!t ||fqqntd|qW|ru| rutd"d#j$|nx6|D].}t%t&|j'}|j(||t)q|W|rt*j+}t*j+}x*|D]"}|j,|j-tj.j/qW|j,||j0tj1}tj|}tjd$d%d&|jd'|jdd|jdd|jg }ytj|Wn&tjk r} td(|nX|j"|j|WdQXWdQXndS(,s Import certificates and a single private key from multiple files The files may be in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. :param files: Names of files to import :param import_keys: Whether to import private keys :param key_password: Password to decrypt private keys :param key_nickname: Nickname of the private key to import from PKCS#12 files trbNsFailed to open %s: %ss*-----BEGIN (.+?)-----(.*?)-----END \1-----it CERTIFICATEsX509 CERTIFICATEsX.509 CERTIFICATEs)Skipping certificate in %s at line %s: %stPKCS7sPKCS #7 SIGNED DATAs$Skipping PKCS#7 in %s at line %s: %ss PRIVATE KEYsENCRYPTED PRIVATE KEYsRSA PRIVATE KEYsDSA PRIVATE KEYsEC PRIVATE KEYs*Can't load private key from both %s and %stpkcs8s-topk8s-v2taes256s-v2prfthmacWithSHA256s-passoutsfile:s-passinRzR5s)Skipping private key in %s at line %s: %ssFailed to load %ss'Server certificate "%s" not found in %ss6%s server certificates found in %s, expecting only ones"No server certificates found in %ss, tpkcs12s-exports-ins-outs5No matching certificate found for private key from %s(RsX509 CERTIFICATEsX.509 CERTIFICATE(RsPKCS #7 SIGNED DATAR(s PRIVATE KEYsENCRYPTED PRIVATE KEYsRSA PRIVATE KEYsDSA PRIVATE KEYsEC PRIVATE KEY(2RRtreadtIOErrorR tstrerrorRFRtfinditertDOTALLRRtlenRRRRRRtwarningRRtpkcs7_to_certsRR@RxRR?RfRR=R>t raw_outputtload_der_x509_certificateRRR1RLRtsubjecttadd_certtEMPTY_TRUST_FLAGSR^RR7R8R9R:R;R(Rmtfilest import_keyst key_passwordt key_nicknametkey_filet extracted_keytextracted_certsRRtdataRtmatchestloadedRtbodytlabelRRRRyt key_pwdfileRRRt _trust_flagstin_filetout_filet out_passwordt out_pwdfile((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pyt import_files s                                    cC@sz|d dkr#tjd|nSt|}y |jdd|d|gWn$tjk rutd|nXdS(NitBuiltins7No need to add trust for built-in root CAs, skipping %ss-Ms-ns-tsSetting trust on %s failed(RRR3R}RR@R (Rmt root_nicknameR(((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pyttrust_root_certs  cC@sqdd|dg}y|j|dt}Wn$tjk rQtd|nXt|jdd\}}|S(s :param nickname: nickname of the certificate in the NSS database :returns: string in Python2 bytes in Python3 s-Ls-ns-aR5sFailed to get %sRi(R}RRR@R RRA(RmRRyRRt_start((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pytget_certscC@s.y|j|Wntk r%tSXtSdS(N(RR RR(RmR((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pyt has_nicknames  cC@sW|j|}t|d#}|j|jtjjWdQXtj|ddS(s7Export the given cert to PEM file in the given locationtwbNi$( RRR7R8RR9R:RcR(RmRtlocationRtfd((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pytexport_pem_certs"c C@sy%t|}|j}WdQXWn,tk rS}td||jfnXt|\}}|j|||yt||Wntk rnXtd|dS(sgImport a cert form the given PEM file. The file must contain exactly one certificate. NsFailed to open %s: %ss%%s contains more than one certificate(RRRR RRRR( RmRRRRRRRtst((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pytimport_pem_certs cC@sJt|}dd|d|dg}|j|d|jtjjdS(Ns-As-ns-ts-aRz(R3R}R8RR9R:(RmRRRRy((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pyRs cC@s|jdd|gdS(Ns-Ds-n(R}(RmR((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pyt delete_certscC@s|j|}y&|jdd|ddgdtWn%tjk r\}t|jnXy|j|Wn!tk rtd|nXdS(sVerify a certificate is valid for a SSL server with given hostname Raises a ValueError if the certificate is invalid. s-Vs-ns-utVR5sinvalid for server %sN(RR}RRR@RRAtmatch_hostname(RmRthostnameRR((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pytverify_server_cert_validitys  cC@s|j|}|js'tdny|jjtjj}Wn#tjjk rhtdnX|j j stdny|jjtjj Wn#tjjk rtdnXy&|j dd|ddgd t Wn%tjk r}t|jnXdS( Nshas empty subjectsmissing basic constraintssnot a CA certificates(missing subject key identifier extensions-Vs-ns-utLR5(RRRRBRCRDRtBasicConstraintsRKRGR*tSubjectKeyIdentifierR}RRR@RA(RmRRtbcR((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pytverify_ca_cert_validity0s(     cC@sM|j|}g|D]}|j|^q}t|d|d |dS(Ni(RRRY(RmRR t nicknamesR((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pyRYMs"N(!t__name__t __module__t__doc__RRoRlRrRsRvR}RRRRRRRRRRRRRRRRRR RR RRRY(((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pyRZs:     7 2              (scert8.dbskey3.dbs secmod.db(scert9.dbskey4.dbs pkcs11.txt(s pwdfile.txt(9t __future__Rt collectionstloggingRcRRRRRR^RRptcryptography.x509RDtipaplatform.constantsRtipaplatform.pathsRt ipapython.dnRtipapython.kerberosRt ipapythonRtipalibRt getLoggerRRtCA_NICKNAME_FMTt NSS_DBM_FILESt NSS_SQL_FILESt NSS_FILESt namedtupleRRRRRRR#R'R%R$tEKU_PKINIT_CLIENT_AUTHRJtIPA_CA_TRUST_FLAGStEXTERNAL_CA_TRUST_FLAGStTRUSTED_PEER_TRUST_FLAGSR RR.R3RYtobjectRZ(((s4/usr/lib/python2.7/site-packages/ipapython/certdb.pytsV               , !