a

�N(i���@s�
dd
lm
Z

ddlZddlZddlZddlZddlZddlZddlZddl	Z	ddl
Z
ddlZddlZddl
mZ
ddlmZ
ddlZddlmZ
ddlmZ
ddlmZ
ddlmZ
dd	lmZ
dd
lmZ
e�e�
Z dZ!dZ"d
Z#e"e#dZ$e�%dd�Z&e&dddd�Z'e&ddde(ej)ej*ej+ej,ej-ej.h�
�Z/e&ddde(ej)h
�
�Z0e&ddde(ej)h
�
�Z1dd�Z2e!f
dd�
Z3d)dd�
Z4dd�Z5dd�Z6dd�Z7e	�8d�
Z9e	�8d �
Z:Gd!d"�d"e;�Z<Gd#d$�d$e;�Z=Gd%d&�d&e;�Z>Gd'd(�d(�Z?dS)*�)
�absolute_importN)
�find_library)
�NamedTemporaryFile)
�paths)
�tasks)
�DN)
�	Principal)
�ipautil)
�x509z	%s IPA CA)�cert8.db�key3.db�	secmod.db)�cert9.db�key4.db�
pkcs11.txt)
�pwdfile.txt�
TrustFlagszhas_key trusted ca usagesFTcCstt
d
�
�
S)NZnssdbm3)�boolr�rr�4/usr/lib/python3.9/site-packages/ipapython/certdb.py�nss_supports_dbmMs
rcCs|
|S�
Nr)�realm�formatrrr�get_ca_nicknameQs
rcCs`|�d
|
�}|�d|�}|dkr(|d}|dks8|dkr@t
d�
�
t�|||��d�
�
}||fS)z�
    Given a cert blob (str) which may or may not contian leading and
    trailing text, pull out just the certificate part. This will return
    the FIRST cert in a stream of data.

    :returns: a tuple (IPACertificate, last position in cert)
    z-----BEGIN CERTIFICATE-----z-----END CERTIFICATE-----r
�zUnable to find certificatezutf-8)�find�RuntimeErrorr
�load_pem_x509_certificate�encode)�cert�start�
s�
errr�find_cert_from_txtUs




r$c
Cs�d
|v}
d|vr4d|vs(d|vs(d|vr0td�
�
dSd|vsDd|vrZd|vrTtd�
�
d	}nd|vrhd
}nt
|
ddt��S|�d�
}t�}ttjtjtj	f�
D]*\}}d||vs�d||vr�|�
|�

q�d|d
vr�|�
tj�

t
|
d	|t|�
�S)z<
    Convert certutil trust flags to TrustFlags object.
    �
u�
p�
C�
P�
Tz&cannot be both trusted and not trusted)FNNzcannot be both CA and not CATFN�
,r
)�
ValueErrorr�	frozenset�split�set�	enumerater
�EKU_SERVER_AUTH�EKU_EMAIL_PROTECTION�EKU_CODE_SIGNING�add�EKU_CLIENT_AUTH)�trust_flags�has_key�ca�
ext_key_usage�
i�kprrr�parse_trust_flagsis.













�


r;c
Cs�|\}
}}}|d
ur"|
rdSdSnD|dus2|dur@|
r:dSdSn&|durf|rZ|
rTdSdSn|
rbd	Sd
Sgd�
}tt
jt
jt
jf�
D](\}}||vr�|||r�dnd
7<q�|r�t
j|vr�|dd7<|
r�td�
D]}||d7<q�d�|�
}|S)z<
    Convert TrustFlags object to certutil trust flags.
    Fzpu,pu,puzp,p,pNzu,u,uz,,z	CTu,Cu,CuzCT,C,CzPu,Pu,PuzP,P,P)�r<r<r'r(r
r)�r%r*)r/r
r0r1r2r4�range�join)r5r6Ztrustedr7r8r9r:rrr�unparse_trust_flags�s>












�







r@c
Cs�
t��
�h}t��
�>}|�
|�tjj�
�

|��
t�|
|j�
|��
z"t	j
tjd
d|j|jgdd�
Wn0t	j
y�
}
zt|j�
�
WYd}~n
d}~00z.|j�tjj�
}t|j�
�tj�tj�
�

Wn"tjjtfy�


td�
�
Yn0ttd|g|��
}t�|j�
}|D]&}	t|	tj��
r|	j|k�
r
�
qB�
qtd|�
�
Wd�
n1�
sX0


Y
Wd�
n1�
sx0


Y
dS)	z�
    Verifies the validity of a kdc_cert, ensuring it is trusted by
    the ca_certs chain, has a PKINIT_KDC extended key usage support,
    and verify it applies to the given realm.
    Zverifyz-CAfileT�
�capture_outputNzinvalid for a KDCZkrbtgtzinvalid for realm %s) r�write�public_bytesr
�Encoding�PEM�flushZwrite_certificate_list�namer	�runr�OPENSSL�CalledProcessErrorr+�output�
extensions�get_extension_for_class�cryptographyZExtendedKeyUsage�list�value�indexZObjectIdentifier�EKU_PKINIT_KDC�ExtensionNotFound�strrZprocess_othernamesZsan_general_names�
isinstanceZKRB5PrincipalName)
Zkdc_certZca_certsrZkdc_fileZca_filer#ZekuZ	principalZgnsZgnrrr�verify_kdc_cert_validity�s>






��

 

�

�
�





rWz+^(?P<nick>.+?)\s+(?P<flags>\w*,\w*,\w*)\s*$zN^<\s*(?P<slot>\d+)>\s+(?P<algo>\w+)\s+(?P<keyid>[0-9a-z]+)\s+(?P<nick>.*?)\s*$c
@seZ
dZd
ZdS)�"Pkcs12ImportIncorrectPasswordErrorzB Raised when import_pkcs12 fails because of a wrong password.
    N��__name__�
__module__�__qualname__�__doc__rrrrrX�s
rXc
@seZ
dZd
ZdS)�Pkcs12ImportOpenErrorz> Raised when import_pkcs12 fails trying to open the file.
    NrYrrrrr^�s
r^c
@seZ
dZd
ZdS)�Pkcs12ImportUnknownErrorzB Raised when import_pkcs12 fails because of an unknown error.
    NrYrrrrr_�s
r_c@s:
eZ
dZd
ZdJdd�
Zdd�Zdd	�Zd
d�Zdd
�Zdd�Z	dd�Z
dKdd�
ZdLdd�
Zdd�Z
dMdd�
ZdNdd�
Zdd�Zd d!�Zd"d#�Zd$d%�Zd&d'�ZdOd(d)�
ZdPd*d+�
Zdddefd,d-�
Zd.d/�Zd0d1�Zd2d3�Zd4d5�Zd6d7�Zd8d9�Zd:d;�Zd<d=�Z d>d?�Z!d@dA�Z"dBdC�Z#dDdE�Z$dQdFdG�
Z%dHdI�Z&dS)R�NSSDatabaseaI
A general-purpose wrapper around a NSS cert database

    For permanent NSS databases, pass the cert DB directory to __init__

    For temporary databases, do not pass nssdir, and call close() when done
    to remove the DB. Alternatively, a NSSDatabase can be used as a
    context manager that calls close() automatically.
    N�autocCs�|
du
r$|
|_d
|_
|dkr$|��}|dkrBt�sBtd|
�d��
�
|
durZt��|_d|_
|durvtj�	|jd�|_
n||_
d|_d|_|_
|_||_d|_d|_|�|�

dS)	NFra�dbmzDNSS is built without support of the legacy database(DBM) directory '�
'Trr)�secdir�
_is_temporary�_detect_dbtyperr+�tempfileZmkdtemp�os�pathr?�pwd_file�dbtype�certdb�keydb�secmod�token�	filenames�backup_filenames�_set_filenames)�selfZnssdirrkrorjrrr�__init__
s.







��







zNSSDatabase.__init__c

Cs@tj
�tj
�|jd
��
rdStj
�tj
�|jd��
r8dSdSdS)Nr�sqlrrbra)rhri�isfiler?rd�
rsrrrrf!
s




zNSSDatabase._detect_dbtypecCs�|
|_t
j�|jd
�t
j�|jd�t
j�|jd�f}t
j�|jd�t
j�|jd�t
j�|jd�f}|
dkr�|\|_|_|_||jf
|_	nR|
dkr�|\|_|_|_||jf
|_	n*|
d	kr�d|_|_|_d|_	nt
|
�
�
|jf
|||_dS)
Nrrr
rrrrbrura)rkrhrir?rdrlrmrnrjrpr+rq)rsrkZdbmfilesZsqlfilesrrrrr)
s2


�

�







���zNSSDatabase._set_filenamesc

Cs|jrt
�|j�

dSr)re�shutil�rmtreerdrwrrr�closeD
s

zNSSDatabase.closec


Cs|Srrrwrrr�	__enter__H
s
zNSSDatabase.__enter__cCs|��
dSr)
rz)rs�typerQ�tbrrr�__exit__K
s
zNSSDatabase.__exit__c

Cs|jdurt
d
�|j�
�
�
dS)NzNSSDB '{}' not initialized.)rprrrdrwrrr�	_check_dbN
s




�zNSSDatabase._check_dbcKsj|��
t
jd
d�|j|j�g}|�|
�

|jr@|�d|jg�

|�d|jg�

t	j
||fd|ji
|�
�
S)N�-d�{}:{}z-h�-f�cwd)rr�CERTUTILrrkrd�extendrorjr	rI�rs�args�stdin�kwargs�new_argsrrr�run_certutilT
s

�



zNSSDatabase.run_certutilcKs>|��
t
jd
d�|j|j�g}|�|
�

tj||fi|�
�
S)Nr�r�)	rrZPK12UTILrrkrdr�r	rIr�rrr�run_pk12utilb
s

�

zNSSDatabase.run_pk12utilc

Cs"|jd
urdSt
dd�|jD�
�
S)z0Check DB exists (all files are present)
        NFc
ss|]}
tj
�|
�
V
qdSr)rhrirv)�.0�filenamerrr�	<genexpr>p
�z%NSSDatabase.exists.<locals>.<genexpr>)rp�allrwrrr�existsk
s


zNSSDatabase.existsFcCs|d
u
r|}|d@}|d@}nd}d}d}d}d}	|
d
u
rFt�
|
�
j}|d
u
rZt�|�
j}	|rt|jD]}
t�|
�

qdt	j
�|j�
s�t	�
|j|�
t	j
�|j�
�
stjt	�|jt	jt	jB|�ddd	��4}|�t���

|��
t	�|���

Wd
�
n1s�0


Y
|jd
k�
r|j}nd�|j|j�}tjd|d
d|jd|jg}
tj|
d
|jd�
|�|���

|jd
u�
r�t d�|j�
�
�
t	�!|j||	�
t	�"|j|�
t#j$|jdd�
|jD]R}
t	j
�|
�
�
r�t	�!|
||	�
|
|jk�
r�|}n|}t	�"|
|�
t#j$|
dd�
�
q�d
S)z�Create cert DB

        :param user: User owner the secdir
        :param group: Group owner of the secdir
        :param mode: Mode of the secdir
        :param backup: Backup the sedir files
        Ni�
i�
i�
i�
����
wT)
�closefdrar�r��-Nr��-@�r�r�zFailed to create NSSDB at '{}'�
�force)%�pwd�getpwnam�pw_uid�grp�getgrnam�gr_gidrqr	Zbackup_filerhrir�rd�makedirsrj�io�open�O_CREAT�O_WRONLYrC�ipa_generate_passwordrG�fsync�filenorkrrr�rIrrrfrpr+�chown�chmodr�restore_context)rs�user�group�modeZbackupZdirmode�filemodeZpwdfilemode�uid�gidr��
fZdbdirr�Znew_moderrr�	create_dbr
sn

















��

,



�



�









zNSSDatabase.create_dbTcCs 
|jd
ks"t
j�t
j�|jd��
r2td�|j�
�
�
tj	dd�|j�
dd|j
d|j
g}tj|d	|jd
�
d}|D]f\}}t
j�|j|�}t
j�|j|�}t
�
|�
}t
�|t
�|j�
�
t
�||j|j�
tj|dd
�
qn|�d
�

|��
|
�
r|D](\}}t
j�|j|�}t
�||d�
q�d	S)a�
Convert DBM database format to SQL database format

        **WARNING** **WARNING** **WARNING** **WARNING** **WARNING**

        The caller must ensure that no other process or service is
        accessing the NSSDB during migration. The DBM format does not support
        multiple processes. If more than one process opens a DBM NSSDB for
        writing, the database will become **irreparably corrupted**.

        **WARNING** **WARNING** **WARNING** **WARNING** **WARNING**
        rurz$NSS DB {} has been migrated already.r�zsql:{}r�r�r�Nr�))rr)rr)r
rTr�z	.migrated)rkrhrirvr?rdr+rrr�rjr	rI�statr��S_IMODE�st_moder��st_uid�st_gidrr�rr�
list_certs�rename)rsZ
rename_oldr�Z	migrationZoldnameZnewnameZoldstat�
_rrr�
convert_db�
s2

�

�

�











zNSSDatabase.convert_dbc
Cs�|jD]z}
|
d
}|
d}z4t
j�|
�
r4t
�|
|�
t
j�|�
rLt
�||
�
Wqty~
}
zt�d|�
WYd}~qd}~00qdS)Nz.origz.ipasavez%s)rqrhrir�r��OSError�logger�debug)rsr�Zbackup_pathZ	save_pathr#rrr�restore�
s










zNSSDatabase.restorec
	Cshd
g
}
|j|
dd�}|j
��}g}|D]8}t�|�
}|r&|�d�
}t|�d�
�
}|�||f�

q&t|�
S)z{Return nicknames and cert flags for all certs in the database

        :return: List of (name, trust_flags) tuples
        �-LTrA�nick�flags)	r�rL�
splitlines�CERT_RE�matchr�r;�append�tuple)	rsr��result�certs�certlistr r��nicknamer5rrrr��
s










zNSSDatabase.list_certsc
	Cs||jd
g
ddd�}
|
j
dkr dSg}|
j��D]D}t�|�
}|du
r.|�t|�d�
�
|�d�
|�d	�
|�d
�
f�

q.t	|�
S)Nz-KFT)Z
raiseonerrrB�rZslotZalgo�keyidr�)
r��
returncoderLr��KEY_REr�r��intr�r�)rsr�Zkeylist�line�morrr�	list_keyss 

�











�zNSSDatabase.list_keysc
Cs.g}
|��D]\}}|j
r|
�||f�

q|
S)
z�Return nicknames and cert flags for server certs in the database

        Server certs have an "u" character in the trust flags.

        :return: List of (name, trust_flags) tuples
        )r�r6r�)rs�server_certsrHr�rrr�find_server_certs#s



zNSSDatabase.find_server_certscCsTg}|jd
dd|
gdd�}|j
��}|D]&}t�d|�}|r(|�|��d�

q(|S)z�Return names of certs in a given cert's trust chain

        The list starts with root ca, then first intermediate CA, second
        intermediate, and so on.

        :param nickname: Name of the cert
        :return: List of certificate names
        z-Oz--simple-self-signed�-nTrAz\s*"(.*)" \[.*r
)r�rLr��rer�r��groups)rsr�Zroot_nicknamesr��chain�
c�
mrrr�get_trust_chain1s	



�



zNSSDatabase.get_trust_chainc
Cs�d
|d|
d|jg}d}|du
r<t
�|d�
}|�d|jg�

z�z|�|�

Wnbt
jy�
}
zH|jdkrvtd|�
�
n$|jdkr�td	|�
�
ntd
|�
�
WYd}~n
d}~00W|du
r�|�	�
n|du
r�|�	�
0dS)Nz-or��-k�

�-w��&incorrect password for pkcs#12 file %s�
�Failed to open %sz'unknown error exporting pkcs#12 file %s)
rjr	�write_tmp_filer�rHr�rKr�rrz)rsr��pkcs12_filename�
pkcs12_passwdr��pkcs12_password_filer#rrr�
export_pkcs12Gs0

�









�


�

�
zNSSDatabase.export_pkcs12c
Cs�d
|
d|jdg}d}|du
r:t
�|d�
}|�d|jg�

z�z|�|�

Wnbt
jy�
}
zH|jdvrttd|
�
�
n$|jdkr�t	d	|
�
�
nt
d
|
�
�
WYd}~n
d}~00W|du
r�|��
n|du
r�|��
0dS)Nz-ir�z-vr�r�)r��r�r�r�z$unknown error import pkcs#12 file %s)rjr	r�r�rHr�rKr�rXr^r_rz)rsr�r�r�r�r#rrr�
import_pkcs12`s8

�









�


�

��

�
zNSSDatabase.import_pkcs12cCsrd
}d
}g}|
D�]�}	z6t|	d��}
|
�
�}Wd
�
n1s@0


Y
Wn6ty�
}
ztd|	|jf�
�
WYd
}~n
d
}~00tt�d|tj��
}
|
�r�d}|
D�]&}|�	�}|�	d�
}t
|d
|��d����
}|dv�
r`zt
�|�
}Wn\t�
yN
}
zB|dk�
r*t�d	|	||�
WYd
}~q�t�d
|	||�
WYd
}~nd
}~00|�|�

d}q�|dv�
r�zt
�|�
}Wn`tj�
y�
}
zD|dk�
r�t�d	|	||�
nt�d
|	||�
WYd
}~q�WYd
}~nd
}~00|�|�

d}q�|dvr�|�
s�q�|�rtd||	f�
�
tjdddddddd|jg	}|dk�r>|�sH|dk�rdt�|�
}|dd|jg7}ztj||dd�}WnDtj�y�
}
z(t�d|	||�
WYd
}~q�WYd
}~q�d
}~00|j}|	}d}q�q�|�r�qtd|	�
�
zt
�|�
}Wnt�y


Yn0|�|�

q|�r�z|� |	|�
WnLt!�y>


Yn�t�yv
}
z td|	t"|�
f�
�
WYd
}~n�d
}~00|�r�td||	f�
�
|	}|�#�}|�r�|D]\}}||k�r�
�q�q�td||	f�
�
qt
|�
dkrtd t
|�
|	f�
�
qtd!|	�
�
q|�r |�s td"d#�$|
�
�
�
|D]"}t"t%|j&�
�
}|�'|||�
�q$|�rnt(�)��
�}t(�)���}|D]}|�*|�+t
j,j-�
�

�qh|�*|�

|�.�
t�/�}t�|�
}tjd$d%d&|jd'|jdd|jdd|jd(d)d*d)g}zt�|�

Wn4tj�y
}
ztd+|�
�
WYd
}~n
d
}~00|� |j|�
Wd
�
n1�sD0


Y
Wd
�
n1�sd0


Y
d
S),a�

        Import certificates and a single private key from multiple files

        The files may be in PEM and DER certificate, PKCS#7 certificate chain,
        PKCS#8 and raw private key and PKCS#12 formats.

        :param files: Names of files to import
        :param import_keys: Whether to import private keys
        :param key_password: Password to decrypt private keys
        :param key_nickname: Nickname of the private key to import from PKCS#12
            files
        N�rb�Failed to open %s: %ss*-----BEGIN (.+?)-----(.*?)-----END \1-----F�
)�CERTIFICATEsX509 CERTIFICATEsX.509 CERTIFICATEr�z)Skipping certificate in %s at line %s: %sz/Failed to load certificate in %s at line %s: %sT)sPKCS7sPKCS #7 SIGNED DATAr�z$Skipping PKCS#7 in %s at line %s: %s)�PRIVATE KEY�ENCRYPTED PRIVATE KEYsRSA PRIVATE KEYsDSA PRIVATE KEYsEC PRIVATE KEYz*Can't load private key from both %s and %sZpkcs8z-topk8z-v2Zaes256z-v2prfZhmacWithSHA256z-passoutzfile:r�r�z-passin)r�rBz)Skipping private key in %s at line %s: %szFailed to load %szFailed to load %s: %sz'Server certificate "%s" not found in %sz6%s server certificates found in %s, expecting only onez&Failed to load %s: unrecognized formatz"No server certificates found in %sz, Zpkcs12z-exportz-inz-outz-certpbezaes-128-cbcz-keypbez5No matching certificate found for private key from %s)0r��read�IOErrorr�strerrorrPr��finditer�DOTALLr��lenr!r�r
rr+r�Zwarning�errorr�Zpkcs7_to_certsr	rKr�rrJrjr�rHrIZ
raw_outputZload_der_x509_certificater�r_rUr�r?r�subject�add_certrgrrCrDrErFrGr�)rs�filesZimport_keysZkey_passwordZkey_nicknamer5Zkey_fileZ
extracted_keyZextracted_certsr�r��datar#�matchesZloadedr��bodyZlabelr�r r�r�Zkey_pwdfiler�r�r�Z_trust_flagsZin_fileZout_fileZout_passwordZout_pwdfilerrr�import_files{sX






*


�


��













�
�









�

�"






��



�
�



�

�



�"

















�


��







��


��
�

�



�

















�





��zNSSDatabase.import_filescCsd|
dd
�dkrt�
d|
�
nBt|�
}z|�dd|
d|g�

Wn tjy^


td|
�
�
Yn0dS)N�ZBuiltinz7No need to add trust for built-in root CAs, skipping %sz-Mr��-tzSetting trust on %s failed)r�r�r@r�r	rKr)rsZ
root_nicknamer5rrr�trust_root_certJs



�



�


�zNSSDatabase.trust_root_certcCsVd
d|
dg}z|j|dd�}Wn t
jy>


td|
�
�
Yn0t|jdd�\}}|S)	z�
        :param nickname: nickname of the certificate in the NSS database
        :returns: string in Python2
                  bytes in Python3
        r�r��-aTrA�Failed to get %sr
�
r!)r�r	rKrr$rL)rsr�r�r�r Z_startrrr�get_certXs





zNSSDatabase.get_certcCs�d
d|
dg}z|j|dd�}Wn t
jy>


td|
�
�
Yn0g}d}zt|j|d�\}}Wntyt


Yq�Yn0|�|�

qH|S)	z�
        :param nickname: nickname of the certificate in the NSS database
        :returns: list of bytes of all certificates for the nickname
        r�r�r
TrAr
r
r
)r�r	rKrr$rLr�)rsr�r�r�r��str rrr�
get_all_certsfs










zNSSDatabase.get_all_certscCs,z|�|
�

Wnt
y"


Yd
S0dSdS)NFT)r
r)rsr�rrr�has_nickname{s



zNSSDatabase.has_nicknamecCsX|�|
�
}t
|d
��$}|�|�tjj�
�

Wd�
n1s>0


Y
t�|d�
dS)z7Export the given cert to PEM file in the given location�wbNi$
)	r
r�rCrDr
rErFrhr�)rsr��locationr �fdrrr�export_pem_cert�s


2
zNSSDatabase.export_pem_certc	
Cs�z4t|�
�}|�
�}Wd
�
n1s(0


Y
Wn6tyj
}
ztd||jf�
�
WYd
}~n
d
}~00t|�
\}}|�||
|�
zt||�
Wnty�


Yn0td|�
�
d
S)zgImport a cert form the given PEM file.

        The file must contain exactly one certificate.
        Nr�z%%s contains more than one certificate)r�r�r�rr�r$r�r+)	rsr�r�r
r
r�r#r r
rrr�import_pem_cert�s 


*


�




�zNSSDatabase.import_pem_certcCs4t|�
}d
d|d|dg}|j
||
�tjj�
d�
dS)Nz-Ar�r

r
)
r�)r@r�rDr
rErF)rsr r�r�r�rrrr��s


zNSSDatabase.add_certcCs|�d
d|
g�

dS)Nz-Dr�)
r�)rsr�rrr�delete_cert�s
zNSSDatabase.delete_certcCs:|��}|D](\}}}}||
kr|�
d
d|g�


q6qdS)zpDelete the key with provided nick

        This commands removes the key but leaves the cert in the DB.
        �-Fr�N)r�r�)rsr��keysZ_slotZ_algor�r�rrr�delete_key_only�s


zNSSDatabase.delete_key_onlycCs\z|�d
d|
g�

Wnt
jy2


|�|
�

Yn0|��D]\}}||
kr<|�|
�

q<dS)z%Delete a cert and its key from the DBr
r�N)r�r	rKr
r�r
)rsr�ZcertnameZ_flagsrrr�delete_key_and_cert�s



zNSSDatabase.delete_key_and_certcCsvtjj
tjjd
�
}|
j|kr.td|
j�d��
�
|
j|krJtd|
j�d��
�
|
jtjdd�
|krrtd|
j�d	��
�
d
S)z(Common checks for cert validity
        )
Ztzznot valid before z UTC is in the future.zhas expired z UTCr�)
Zhourszexpires in less than one hour (z UTC)N)�datetimeZnow�timezoneZutcZnot_valid_before_utcr+Znot_valid_after_utcZ	timedelta)rsr Zutcnowrrr�_verify_cert_validity�s



�


�

�z!NSSDatabase._verify_cert_validityc
Cs�|�|
�
}|�
|�

z|jd
d|
dddgdd�
Wn0tjyb
}
zt|j�
�
WYd}~n
d}~00z|�|�

Wnty�


td	|�
�
Yn0dS)
z�Verify a certificate is valid for a SSL server with given hostname

        Raises a ValueError if the certificate is invalid.
        �-Vr��-u�
V�-eTrANzinvalid for server %s)r
r
r�r	rKr+rLZmatch_hostname)rsr��hostnamer r#rrr�verify_server_cert_validity�s"






��
	 


z'NSSDatabase.verify_server_cert_validitycs0�f
d
d�}��|
�
}|D]}|||
|�
qdS)Nc
s.
��|�

|j
std
�
�
z|j�tjj�
}WntjjyJ


td�
�
Yn0|j	j
s\td�
�
|du
r�|j	j}|du
r�||kr�td�||��
�
z|j�tjj
�
}Wntjjy�


td�
�
Yn0t|j	j�
dkr�td�
�
z�jdd	|
d
ddgd
d�
Wn2tj�
y(
}
zt|j�
�
WYd}~n
d}~00dS)Nzhas empty subjectzmissing basic constraintsznot a CA certificatez/basic contraint pathlen {}, must be at least {}z(missing subject key identifier extensionr
z(subject key identifier must not be emptyr
r�r
�
Lr
TrA)r
r�r+rMrNrOr
ZBasicConstraintsrTrQr7Zpath_lengthrZSubjectKeyIdentifierr�Zdigestr�r	rKrL)r r��
minpathlenZbc�plZskir#rwrr�verify_ca_cert�sL




�





��

�





��
	z;NSSDatabase.verify_ca_cert_validity.<locals>.verify_ca_cert)
r
)rsr�r
r 
r�r rrwr�verify_ca_cert_validity�s
1


z#NSSDatabase.verify_ca_cert_validitycs8��|
�
}�f
d
d�|D�
}t
|d|dd�|�
dS)Nc
sg|]}
��|
�
�qSr)
r
)r�r�rwrr�
<listcomp>-r�z8NSSDatabase.verify_kdc_cert_validity.<locals>.<listcomp>r�)r�rW)rsr�rZ	nicknamesr�rrwrrW+s


z$NSSDatabase.verify_kdc_cert_validity)NraNN)
N)
N)NNNF)
T)
N)
N)
N)'rZr[r\r]rtrfrrrzr{r~rr�r�r�r�r�r�r�r�r�r�r�r��EMPTY_TRUST_FLAGSr�r
r
r
r	
r

r
r�r
r
r
r
r
r!
rWrrrrr`�sL



	
M
2


�
P	


6r`)
r
)@Z
__future__r�collectionsr
Zloggingrhr�r�r�r�rxr�rgZctypes.utilrrZcryptography.x509rOZipaplatform.pathsrZipaplatform.tasksrZipapython.dnrZipapython.kerberosrZ	ipapythonr	Zipalibr
Z	getLoggerrZr�ZCA_NICKNAME_FMTZ
NSS_DBM_FILESZ
NSS_SQL_FILESZ	NSS_FILES�
namedtuplerr#
r,r0r4r2r1ZEKU_PKINIT_CLIENT_AUTHrSZIPA_CA_TRUST_FLAGSZEXTERNAL_CA_TRUST_FLAGSZTRUSTED_PEER_TRUST_FLAGSrrr$r;r@rW�compiler�r�rrXr^r_r`rrrr�<module>sv


























��
�
�
 ,&
�
�