File: //usr/lib/python3.9/site-packages/ipalib/install/__pycache__/certstore.cpython-39.pyc
a

�N(il=�@s�dZddlmZddlmZddlmZmZddlm	Z	m
Z
ddlmZdd�Z
d	d
�Zdd�Zd
d�Zd'dd�Zd(dd�Zdd�Zd)dd�Zdd�Zd*dd�Zdd�Zdd �Zd+d!d"�Zd,d#d$�Zd%d&�ZdS)-z 
LDAP shared certificate store.
�)�PyAsn1Error)�DN)�get_ca_nickname�
TrustFlags)�errors�x509)�	IPA_CA_CNc
Cs�z$t|j�}t|j�}|j}|j}Wn4ttfyX}ztd|��WYd}~n
d}~00t|��dd�}t|��dd�}d||f}|||fS)N� failed to decode certificate: %s�\;�\3bz%s;%s)	r�subject�issuer�
serial_numberZpublic_key_info_bytes�
ValueErrorr�str�replace)�certrr
rZpublic_key_info�e�
issuer_serial�r�</usr/lib/python3.9/site-packages/ipalib/install/certstore.py�_parse_cert!s


"rc

Cst|�\}}}|dur�z
|j}Wn0tyP}	ztd|	��WYd}	~	n
d}	~	00|dur�|tjtjtjtjtjtj	h8}||B}gd�|d<|g|d<|g|d<|g|d<|g|d<|g|d	<|dur�|r�d
ndg|d<|du�rt
|�}|s�|�tj	�||d
<dS)zB
    Initialize certificate store entry for a CA certificate.
    Nr	)ZipaCertificate�pkiCAZipaKeyPolicy�objectClass�cn�ipaCertSubject�ipaCertIssuerSerial�ipaPublicKey�cACertificate;binary�trusted�
distrusted�ipaKeyTrust�ipaKeyExtUsage)rZextended_key_usagerr�EKU_SERVER_AUTH�EKU_CLIENT_AUTH�EKU_EMAIL_PROTECTION�EKU_CODE_SIGNINGZEKU_ANY�EKU_PLACEHOLDER�list�append)
�entryr�nicknamer�
ext_key_usagerr�
public_keyZcert_ekurrrr�
init_ca_entry1s2
"
�





r.cCs�tddd|�}z(|j|dgd�}||jd<|�|�WnZtjy~|�|�}ddg|d<d	|jd
<||jd<|�|�Yntjy�Yn0dS)zF
    Update the CA certificate in cn=CAcert,cn=ipa,cn=etc,SUFFIX.
    �r�CAcert�rZipa�r�etcr)�
attrs_listZnsContainerrrr0rN)	r�	get_entry�single_value�update_entryr�NotFound�
make_entry�	add_entry�EmptyModlist)�ldap�base_dnr�dnr*rrr�update_compat_caSs



r?c		Cs�|s|sdSz$|jtddd|�ddgd�\}}WntjyFYdS0|D]�}|j|kr\qLt|d�D]B}|��dkr�|r�|d�|�qh|��d	krh|rh|d�|�qhz|�|�WqLtj	y�YqL0qLdS)
zG
    Remove ipaCA and compatCA flags from their previous carriers.
    N�rZcertificatesr1r2z4(|(ipaConfigString=ipaCA)(ipaConfigString=compatCA))�ipaConfigString�r=�filterr4�ipaca�compatca)
�find_entriesrrr8r>r(�lower�remover7r;)	r<r=r>�
config_ipa�
config_compat�result�
_truncatedr*�configrrr�clean_old_configfs0��
rNNFcCs�tddd|�}td|f|�}	|�|	�}
t|
||||�|rL|
�dg��d�|rb|
�dg��d�|rrt|||�|�|
�t|||	||�dS)	zF
    Add new entry for a CA certificate to the certificate store.
    r@r1r2rrA�ipaCA�compatCAN)rr9r.�
setdefaultr)r?r:rN)r<r=rr+rr,rIrJ�container_dnr>r*rrr�add_ca_cert�s�

rScCst|�\}}}	|�d|i�}
|jtddd|�|
gd�d�\}}|d}
|
j}|
dD]}||krTq�qT|
jd��|��kr�td	��|
d
�|�|
d�|�|
d�|	�|dur�|
j�	d
�}|r�dnd}|dur�|��|kr�td��||
jd
<|du�rL|du�rXt
|
�	dg��}|�tj
�||B}|�s>|�tj
�t|�|
d<n|
�dd�d}d}|
�	dg�D],}|��dk�r�d}n|��dk�rld}�ql|�r�|�s�|
�dg��d�|�r�|�s�|
�dg��d�|�s�|�r�t|||�|�|
�t|||||�dS)zN
    Update existing entry for a CA certificate in the certificate store.
    rr@r1r2�rrrrr!r"rArrBrrzsubject name mismatchrrNr!rr zinconsistent trustFr"rArDTrErOrP)r�make_filterrFrr>r6rGrr)�get�set�discardrr'�addr(�poprQr?r7rN)r<r=rrr,rIrJrrr-rCrKrLr*r>�old_certZ	old_trustZ	new_trustZold_ekuZnew_ekuZis_ipaZ	is_compatrMrrr�update_ca_cert�sb��




r\cCs�t|�\}}}|�d|i�}|jtddd|�|gd�d�\}}|d}	|	dD]}
|
|krNqhqNtd	��|	d
�|�|	d�|�t|	d
�dkr�|�|	j�n
|�	|	�dS)z;
    Remove a CA certificate in the certificate store.
    rr@r1r2rTrBrrzcertificate not foundrN)
rrUrFrrrH�lenZdelete_entryr>r7)r<r=rrrZ_public_keyrCrKrLr*r[rrr�delete_ca_cert�s&��
r^c
Cs^zt|||||||d�Wn>tjyFt||||||||d�YntjyXYn0dS)�m
    Add or update entry for a CA certificate in the certificate store.

    :param cert: IPACertificate
    )rIrJN)r\rr8rSr;)r<r=rr+rr,rIrJrrr�put_ca_certs�
�
r`c
Cs|g}|D]n}t|�\}}}t|�}|durT|t|�krTt|�}tjtjtjtjh}	nt|�}tjh}	|�	||d|	f�q|S)zO
    Make CA certificates and associated key policy from DER certificates.
    NT)
rrrrr#r$r%r&rr))
�certsZrealmZipa_ca_subjectrKrr�_issuer_serial�_public_key_infor+r,rrr�make_compat_ca_certss�rdcCsN|dur&t|t�s|g}dd�|D�}g}tdd|�}td|�}�z(ddg}|rh|�d	|i�}	|�|	�|j||�||j�gd
�d�\}
}|
D]�}|jd}
|j�	d
d��
�}|dkr�d}n|dkr�d}nd}|�	d�}|dur�tdd�|D��}|�t
j�|�	dg�D]Z}zt|�\}}}Wnt�y>g}Yq�Yn0|�d�d}|�||
|||f��q
q�Wn�tj�y2z|�|dg�Wn�tj�y,td|�}|�|dg�}|jd}zt|�\}}}Wnt�y�Yn@0|du�r
||v�r
tjdd��|�r|}nd}t|g||�}Yn0Yn0|�r>|Stjdd��dS)zS
    Get CA certificates and associated key policy from the certificate store.
    NcSsg|]}t|��dd��qS)r
r)rr)�.0Zsubjrrr�
<listcomp>4s�z get_ca_certs.<locals>.<listcomp>r1r2r@z(objectClass=ipaCertificate)z(objectClass=pkiCA)r)rrrrr!r"rrBrr!�unknownrTr Fr"css|]}t|�VqdS)N)r)re�prrr�	<genexpr>R�zget_ca_certs.<locals>.<genexpr>r�;��r/zno matching entry found)�reasonz
no such entry)�
isinstancer(rrUr)rFZcombine_filtersZ	MATCH_ALLr6rVrGrWrXrr'rr�splitrr8r5rd)r<r=�compat_realm�
compat_ipa_ca�filter_subjectraZ	config_dnrR�filtersrCrKrLr*r+rr,rZ_subjectrZ_pkinforr>rrbrcZ
ca_subjectrrr�get_ca_certs,sz
�

�


�

rucCs|dd�S)zG
    Convert certutil trust flags to certificate store key policy.
    rlNr)�trust_flagsrrr�trust_flags_to_key_policy|srwcCstd|||�S)zG
    Convert certificate store key policy to certutil trust flags.
    F)r)r�car,rrr�key_policy_to_trust_flags�sryc
	Cs8t|�\}}}	|durtd��t||||||	||�dS)r_Fzmust be CA certificateN)rwrr`)
r<r=rr+rvrIrJrrxr,rrr�put_ca_cert_nss�s�rzc
CsLg}t|||||d�}|D],\}}}	}
}t|	d|
�}|�||||f�q|S)zT
    Get CA certificates and associated trust flags from the certificate store.
    )rsT)ruryr))
r<r=rqrrrsZ	nss_certsrarr+rr,Z_serial_numberrvrrr�get_ca_certs_nss�s
�r{cCs`tdtf||�}z|�|�dd}Wn4tjyZ|��}|�d�d}td|�}Yn0|S)z2
    Look for the IPA CA certificate subject.
    rZipacasubjectdnrZipacertificatesubjectbase)ZCNzCertificate Authority)rrr5rr8Zget_ipa_configrV)r<Zcontainer_car=r>Zcacert_subject�attrsZsubject_baserrr�get_ca_subject�sr})NNFF)NNFF)NNFF)N)FF)N)�__doc__Zpyasn1.errorrZipapython.dnrZipapython.certdbrrZipalibrrZipalib.constantsrrr.r?rNrSr\r^r`rdrurwryrzr{r}rrrr�<module>s:"�
�
F �
�
P�
�