HEX
Server: LiteSpeed
System: Linux s1049.use1.mysecurecloudhost.com 4.18.0-477.27.2.lve.el8.x86_64 #1 SMP Wed Oct 11 12:32:56 UTC 2023 x86_64
User: xedaptot (3356)
PHP: 8.3.31
Disabled: NONE
Upload Files
File: //proc/self/root/lib/python3.6/site-packages/ipalib/install/__pycache__/certstore.cpython-36.pyc
3

�d[e�8�@s�dZddlmZddlmZddlmZmZddlm	Z	m
Z
ddlmZdd�Z
d	d
�Zdd�Zd
d�Zd%dd�Zd&dd�Zd'dd�Zdd�Zd(dd�Zdd�Zdd�Zd)dd �Zd*d!d"�Zd#d$�ZdS)+z 
LDAP shared certificate store.
�)�PyAsn1Error)�DN)�get_ca_nickname�
TrustFlags)�errors�x509)�	IPA_CA_CNcCs�y$t|j�}t|j�}|j}|j}Wn2ttfk
rV}ztd|��WYdd}~XnXt|�jdd�}t|�jdd�}d||f}|||fS)Nz failed to decode certificate: %sz\;z\3bz%s;%s)	r�subject�issuer�
serial_numberZpublic_key_info_bytes�
ValueErrorr�str�replace)�certr	r
rZpublic_key_info�e�
issuer_serial�r�/usr/lib/python3.6/certstore.py�_parse_cert!s


rc
Cst|�\}}}|dk	r�y
|j}Wn.tk
rN}	ztd|	��WYdd}	~	XnX|dk	r�|tjtjtjtjtjtj	h8}||B}dddg|d<|g|d<|g|d<|g|d	<|g|d
<|g|d<|dk	r�|r�dnd
g|d<|dk	�rt
|�}|s�|jtj	�||d<dS)zB
    Initialize certificate store entry for a CA certificate.
    Nz failed to decode certificate: %sZipaCertificate�pkiCAZipaKeyPolicy�objectClass�cn�ipaCertSubject�ipaCertIssuerSerial�ipaPublicKeyzcACertificate;binary�trusted�
distrusted�ipaKeyTrust�ipaKeyExtUsage)rZextended_key_usagerr�EKU_SERVER_AUTH�EKU_CLIENT_AUTH�EKU_EMAIL_PROTECTION�EKU_CODE_SIGNINGZEKU_ANY�EKU_PLACEHOLDER�list�append)
�entryr�nicknamer�
ext_key_usager	r�
public_keyZcert_ekurrrr�
init_ca_entry1s0







r*cCs�tddd
|�}y(|j|dgd�}||jd<|j|�Wn^tjk
r�|j|�}ddg|d	<d|jd<||jd<|j|�Yntjk
r�YnXd
S)zF
    Update the CA certificate in cn=CAcert,cn=ipa,cn=etc,SUFFIX.
    r�CAcert�ipa�etczcACertificate;binary)�
attrs_listZnsContainerrrN)rr+)rr,)rr-)	r�	get_entry�single_value�update_entryr�NotFound�
make_entry�	add_entry�EmptyModlist)�ldap�base_dnr�dnr&rrr�update_compat_caSs



r9c	Cs�|r|rdSy$|jtddd
|�ddgd�\}}Wntjk
rJdSXx�|D]�}|j|krbqRxRt|d�D]B}|j�d	kr�|r�|dj|�qp|j�d
krp|rp|dj|�qpWy|j|�WqRtj	k
r�YqRXqRWdS)zG
    Remove ipaCA and compatCA flags from their previous carriers.
    Nr�certificatesr,r-z4(|(ipaConfigString=ipaCA)(ipaConfigString=compatCA))�ipaConfigString)r7�filterr.�ipaca�compatca)rr:)rr,)rr-)
�find_entriesrrr2r8r$�lower�remover1r5)	r6r7r8�
config_ipa�
config_compat�result�
_truncatedr&�configrrr�clean_old_configfs,

rGNFcCs�td	d
d|�}td|f|�}	|j|	�}
t|
||||�|rL|
jdg�jd�|rb|
jdg�jd�|rrt|||�|j|
�t|||	||�dS)zF
    Add new entry for a CA certificate to the certificate store.
    rr:r,r-r;�ipaCA�compatCAN)rr:)rr,)rr-)rr3r*�
setdefaultr%r9r4rG)r6r7rr'rr(rBrC�container_dnr8r&rrr�add_ca_cert�s

rLcCs0t|�\}}}	|jd|i�}
|jtddd|�|
dddddd	d
dgd�\}}|d
}
|
j}xj|
dD]}||krbPqbW|
jdj�|j�kr�td��|
jd|	kr�td��|
dj|�|
dj|�|dk	�r|
jj	d�}|r�dnd}|dk	�r|j�|k�rtd��||
jd<|dk	�rh|dk	�rtt
|
j	d	g��}|jtj
�||B}|�sZ|jtj
�t|�|
d	<n|
jd	d�d}d}x<|
j	d
g�D],}|j�dk�r�d}n|j�dk�r�d}�q�W|�r�|�r�|
jd
g�jd�|�r�|�r�|
jd
g�jd�|�s|�rt|||�|j|
�t|||||�dS)zN
    Update existing entry for a CA certificate in the certificate store.
    rrr:r,r-rrrrr;zcACertificate;binary)r7r<r.rzsubject name mismatchz subject public key info mismatchNrrzinconsistent trustFr=Tr>rHrI)rr:)rr,)rr-)r�make_filterr?rr8r0r@rr%�get�set�discardrr#�addr$�poprJr9r1rG)r6r7rrr(rBrCr	rr)r<rDrEr&r8Zold_certZ	old_trustZ	new_trustZold_ekuZnew_ekuZis_ipaZ	is_compatrFrrr�update_ca_cert�sd





rScCsbyt|||||||d�WnBtjk
rHt||||||||d�Yntjk
r\YnXdS)zm
    Add or update entry for a CA certificate in the certificate store.

    :param cert: IPACertificate
    )rBrCN)rSrr2rLr5)r6r7rr'rr(rBrCrrr�put_ca_cert�srTc
Cs�g}xv|D]n}t|�\}}}t|�}|dk	rV|t|�krVt|�}tjtjtjtjh}	nt|�}tjh}	|j	||d|	f�q
W|S)zO
    Make CA certificates and associated key policy from DER certificates.
    NT)
rrrrrr r!r"r
r%)
�certsZrealmZipa_ca_subjectrDrr	�_issuer_serial�_public_key_infor'r(rrr�make_compat_ca_certs�s

rXcCsP|dk	r&t|t�s|g}dd�|D�}g}tdd|�}td|�}�y$dd	g}|rh|jd
|i�}	|j|	�|j||j||j�dd
ddd
ddgd�\}
}x�|
D]�}|jd}
|jj	d
d�j
�}|dkr�d}n|dkr�d}nd}|j	d�}|dk	�rtdd�|D��}|jt
j�xR|j	dg�D]B}yt|�Wntk
�rFg}PYnX|j||
||f��qWq�WWn�tjk
�r4y|j|dg�Wn�tjk
�r.td |�}|j|dg�}|jd}yt|�\}}}Wntk
�r�Yn@X|dk	�r||k�rtjdd��|�r|}nd}t|g||�}YnXYnX|�r@|Stjdd��dS)!zS
    Get CA certificates and associated key policy from the certificate store.
    NcSsg|]}t|�jdd��qS)z\;z\3b)r
r)�.0Zsubjrrr�
<listcomp>sz get_ca_certs.<locals>.<listcomp>rr,r-r:z(objectClass=ipaCertificate)z(objectClass=pkiCA)rrrrrzcACertificate;binary)r7r<r.�unknownrTrFcss|]}t|�VqdS)N)r
)rY�prrr�	<genexpr>3szget_ca_certs.<locals>.<genexpr>�r+zno matching entry found)�reasonz
no such entry)rr,)rr-)rr:)rr+)�
isinstancer$rrMr%r?Zcombine_filtersZ	MATCH_ALLr0rNr@rOrPrr#rrrr2r/rX)r6r7�compat_realm�
compat_ipa_ca�filter_subjectrUZ	config_dnrK�filtersr<rDrEr&r'rr(rr8r	rVrWZ
ca_subjectrrr�get_ca_certs
st






 

recCs|dd�S)zG
    Convert certutil trust flags to certificate store key policy.
    �Nr)�trust_flagsrrr�trust_flags_to_key_policyZsrhcCstd|||�S)zG
    Convert certificate store key policy to certutil trust flags.
    F)r)r�car(rrr�key_policy_to_trust_flagsasrjc
	Cs8t|�\}}}	|dkrtd��t||||||	||�dS)zm
    Add or update entry for a CA certificate in the certificate store.

    :param cert: IPACertificate
    Fzmust be CA certificateN)rhrrT)
r6r7rr'rgrBrCrrir(rrr�put_ca_cert_nsshs
rkcCsLg}t|||||d�}x0|D](\}}}	}
t|	d|
�}|j|||f�qW|S)zT
    Get CA certificates and associated trust flags from the certificate store.
    )rcT)rerjr%)r6r7rarbrcZ	nss_certsrUrr'rr(rgrrr�get_ca_certs_nssws
rlcCsbtdtf||�}y|j|�dd}Wn6tjk
r\|j�}|jd�d}td|�}YnX|S)z2
    Look for the IPA CA certificate subject.
    rZipacasubjectdnrZipacertificatesubjectbase�CN�Certificate Authority)rmrn)rrr/rr2Zget_ipa_configrN)r6Zcontainer_car7r8Zcacert_subjectZattrsZsubject_baserrr�get_ca_subject�sro)NNFF)NNFF)NNFF)N)FF)N)�__doc__Zpyasn1.errorrZipapython.dnrZipapython.certdbrrZipalibrrZipalib.constantsrrr*r9rGrLrSrTrXrerhrjrkrlrorrrr�<module>s,"

F

L