e>e>fdv�dwdx�Zge>e=dj�dydz�Zhd�ee>e>e?e>d{�d|d}�ZidS)�z�Certbot client crypto utility functions.

.. todo:: Make the transition to use PSS rather than PKCS1_v1_5 when the server
    is capable of handling the signatures.

interfaces)�util)�os)�Ed448PublicKey)�Ed25519PublicKey�rsa�	secp256r1�key-certbot.pemT)�key_size�key_dir�key_type�elliptic_curve�keyname�strict_permissions�returnc
|	|�S)aInitializes and saves a privkey.

    Inits key and saves it in PEM format on the filesystem.

    .. note:: keyname is the attempted filename, it may be different if a file
        already exists at the path.

    :param int key_size: key size in bits if key size is rsa.
    :param str key_dir: Key save directory.
    :param str key_type: Key Type [rsa, ecdsa]
    :param str elliptic_curve: Name of the elliptic curve if key type is ecdsa.
    :param str keyname: Filename of key
    :param bool strict_permissions: If true and key_dir exists, an exception is raised if
        the directory doesn't have 0700 permissions or isn't owned by the current user.

    :returns: Key
    :rtype: :class:`certbot.util.Key`

    :raises ValueError: If unable to generate the key given key_size.

    Inits key and saves it in PEM format on the filesystem.

    .. note:: keyname is the attempted filename, it may be different if a file
        already exists at the path.

    .. deprecated:: 1.16.0
       Use :func:`generate_key` instead.

    :param int key_size: key size in bits if key size is rsa.
    :param str key_dir: Key save directory.
    :param str key_type: Key Type [rsa, ecdsa]
    :param str elliptic_curve: Name of the elliptic curve if key type is ecdsa.
    :param str keyname: Filename of key

    :returns: Key
    :rtype: :class:`certbot.util.Key`

    :raises ValueError: If unable to generate the key given key_size.

    zecertbot.crypto_util.init_save_key is deprecated, please use certbot.crypto_util.generate_key instead.)r%r&r'r()
    :param privkey: Key to include in the CSR
    :type privkey: :class:`certbot.util.Key`
    :param set names: `str` names to include in the CSR
    :param str path: Certificate save directory.
    :param bool must_staple: If true, include the TLS Feature extension "OCSP Must Staple"
    :param bool strict_permissions: If true and path exists, an exception is raised if
        the directory doesn't have 0755 permissions or isn't owned by the current user.

    :returns: CSR
    :rtype: :class:`certbot.util.CSR`

    )rJi�zcsr-certbot.pemi�r-NzCreating CSR: %s�pem)
    .. deprecated:: 1.16.0
       Use :func:`generate_csr` instead.

    :param privkey: Key to include in the CSR
    :type privkey: :class:`certbot.util.Key`

    :param set names: `str` names to include in the CSR

    :param str path: Certificate save directory.

    :returns: CSR
    :rtype: :class:`certbot.util.CSR`

    Check if `csr` is a valid CSR for the given domains.

    :param bytes csr: CSR in PEM.

    :returns: Validity of CSR.
    :rtype: bool

    r+T)r,FN)r�load_certificate_request�FILETYPE_PEM�verifyZ
get_pubkey�Errorr0r1)rP�reqr<r<r=�	valid_csr�s
rJtjddd�dSXdS)z�Does private key correspond to the subject public key in the CSR?

    :param bytes csr: CSR in PEM.
    :param bytes privkey: Private key file contents (PEM)

    :returns: Correspondence of private key to CSR subject public key.
    :rtype: bool


    :param str csrfile: CSR filename
    :param bytes data: contents of the CSR file

    :returns: (`crypto.FILETYPE_PEM`,
               util.CSR object representing the CSR,
               list of domains requested in the CSR)
    :rtype: tuple

    zFailed to parse CSR file: {0}rK)�filerZZform)rrRrQ�
    :param int bits: Number of bits if key_type=rsa. At least 1024 for RSA.
    :param str key_type: The type of key to generate, but be rsa or ecdsa
    :param str elliptic_curve: The elliptic curve to use.

    :returns: new RSA or ECDSA key in PEM form with specified number of bits
              or of type ec_curve when key_type ecdsa is used.
    :rtype: str
    r izUnsupported RSA key length: {}Zecdsaz3When key_type == ecdsa, elliptic_curve must be set.�	SECP256R1�	SECP384R1�	SECP521R1N)ZcurveZbackendzUnsupported elliptic curve: {})�encodingr]Zencryption_algorithmz0Invalid key_type specified: {}.  Use [rsa|ecdsa])rcrdre)rrTr]rZPKeyr>ZTYPE_RSA�upperrZgenerate_private_key�getattrr�	TypeErrorrr3Z

    :param str privkey: Private key file contents in PEM

    :returns: Validity of private key.
    :rtype: bool

	rm)�renewable_certr)cCs"t|�t|�t|j|j�dS)a�For checking that your certs were not corrupted on disk.

    Several things are checked:
        1. Signature verification for the cert.
        2. That fullchain matches cert and chain when concatenated.
        3. Check that the private key matches the certificate.

    :param renewable_cert: cert to verify
    :type renewable_cert: certbot.interfaces.RenewableCert

    :raises errors.Error: If verification fails.
    N)�verify_renewable_cert_sig�verify_fullchain�verify_cert_matches_priv_key�	cert_pathr;)rnr<r<r=�verify_renewable_certNs
    :param renewable_cert: cert to verify
    :type renewable_cert: certbot.interfaces.RenewableCert

    :raises errors.Error: If signature verification fails.
    �rbNzbverifying the signature of the certificate located at {0} has failed.                 Details: {1})�open�
    :param RSAPublicKey/EllipticCurvePublicKey public_key: the public_key to check signature
    :param bytes signature: the signature bytes
    :param bytes payload: the payload bytes
    :param hashes.HashAlgorithm signature_hash_algorithm: algorithm used to hash the payload

    :raises InvalidSignature: If signature verification fails.
    :raises errors.Error: If public key type is not supported
    :param str cert_path: path to a cert in PEM format
    :param str key_path: path to a private key file

    :raises errors.Error: If they don't match.
    z�verifying the certificate located at {0} matches the                 private key located at {1} has failed.                 Details: {2}N)rZContextZ

    :param renewable_cert: cert to verify
    :type renewable_cert: certbot.interfaces.RenewableCert

    :raises errors.Error: If cert and chain do not combine to fullchain.
    Nz.fullchain does not match cert + chain for {0}!z8reading one of cert, chain, or fullchain has failed: {0})rurvrxrrZfullchain_pathr]ZlineagenamerrTr}r0r~)	rnrr�r�r�Zfullchain_fileZ	fullchainr�rlr<r<r=rp�s"

rT}z|j|�WYdd}~XqXqWtjdjdjdd�|D�����dS)z:Load PEM/DER certificate.

    :raises errors.Error:

    :param str cert: Certificate (encoded).
    :param typ: `crypto.FILETYPE_PEM` or `crypto.FILETYPE_ASN1`

    :returns: A list of Subject Alternative Names.
    :rtype: list

r�)�cert_or_reqr�r�r)cCst|||�}t|�S)N)r�r^)r�r�r��loaded_cert_or_reqr<r<r=�_get_names_from_cert_or_req�sr�)r�r)cCs
tj|�S)N)rLZ _pyopenssl_cert_or_req_all_names)r�r<r<r=r^�sr^cCst|tj|�S)z�Get a list of domains from a cert, including the CN if it is set.

    :param str cert: Certificate (encoded).
    :param typ: `crypto.FILETYPE_PEM` or `crypto.FILETYPE_ASN1`

    :returns: A list of domain names.
    :rtype: list

r�)rPr�r)cCst|tj|�S)z�Get a list of domains from a CSR, including the CN if it is set.

    :param str csr: CSR (encoded).
    :param typ: `crypto.FILETYPE_PEM` or `crypto.FILETYPE_ASN1`
    :returns: A list of domain names.
    :rtype: list

    )r�rrQ)rPr�r<r<r=�get_names_from_reqs	r�)r��filetyper)cCstj||�S)z�Dump certificate chain into a bundle.

    :param list chain: List of `crypto.X509` (or wrapped in

r�)rrr)cCst|tjj�S)z�When does the cert at cert_path start being valid?

    :param str cert_path: path to a cert in PEM format

    :returns: the notBefore value from the cert at cert_path
    :rtype: :class:`datetime.datetime`

get_notBefore)rrr<r<r=�	notBefore+s	r�cCst|tjj�S)z�When does the cert at cert_path stop being valid?

    :param str cert_path: path to a cert in PEM format

    :returns: the notAfter value from the cert at cert_path
    :rtype: :class:`datetime.datetime`

    )r�rr�Zget_notAfter)rrr<r<r=�notAfter7s	r�)rr�methodr)cCs�t|d��}tjtj|j��}WdQRX||�}|s>tjd��|dd�d|dd�d|dd�d	|dd
    :param str cert_path: path to a cert in PEM format
    :param function method: one of ``crypto.X509.get_notBefore``
        or ``crypto.X509.get_notAfter``

    :returns: the notBefore or notAfter value from the cert at cert_path
    :rtype: :class:`datetime.datetime`

    NB: In given file, platform specific newlines characters will be converted
    into their equivalent unicode counterparts before calculating the hash.

    :param str filename: path to the file whose hash will be computed

    :returns: sha256 digest of the file in hexadecimal
    :rtype: str
    �rzUTF-8N)�hashlib�sha256ru�updaterx�encodeZ	hexdigest)r�r�Zfile_dr<r<r=�	sha256sum_sr�s@-----BEGIN CERTIFICATE-----
��dd�|D�}|ddj|dd	��fS)aSplit fullchain_pem into cert_pem and chain_pem

    :param str fullchain_pem: concatenated cert + chain

    :returns: tuple of string cert_pem and chain_pem
    :rtype: tuple

    :raises errors.Error: If there are less than 2 certificates in the chain.

    �z/failed to parse fullchain into cert and chain: z!less than 2 certificates in chaincSs(g|] }tjtjtjtj|��j��qSr<)rZdump_certificaterRr�r�)r�r�r<r<r=�
<listcomp>�sz1cert_and_chain_from_fullchain.<locals>.<listcomp>rr+�NzPfailed to parse fullchain into cert and chain: less than 2 certificates in chain)�CERT_PEM_REGEX�findallr��lenrrTr7)r��certsZcerts_normalizedr<r<r=�cert_and_chain_from_fullchainzsr�c
Cs0t|d��}tjtj|j��}WdQRX|j�S)z�Retrieve the serial number of a certificate from certificate path

    :param str cert_path: path to a cert in PEM format

    :returns: serial number of the certificate
    :rtype: int
    rtN)rurr�rRrxZget_serial_number)rrr�r	r<r<r=�get_serial_from_cert�s	r�)�
    intermediate has an Issuer Common Name matching issuer_cn (in other words
    the first chain which chains to a root whose name matches issuer_cn).

    :param fullchains: The list of fullchains in PEM chain format.
    :type fullchains: `list` of `str`
    :param `str` issuer_cn: The exact Subject Common Name to match against any
        issuer in the certificate chain.

    :returns: The best-matching fullchain, PEM-encoded, or the first if none match.
    :rtype: `str`
