o ^@s^dZddlZddlZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddlZ ddlZ ddlZ ddlZ ddl mZddl mZmZmZmZddlmZmZmZmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&e j'(rddl)m*Z*nddl+m*Z*zddl,m-Z-e.e-doe-/Z0Wn e1yd Z0Ynwd Z2d Z3dddddgd Z4gd Z5dZ6dZ7dZ8dZ9dZ:dZ;dZGddde?de4@ZAGddde?dgdZBGdddeCZDd^ddZEddZFd d!ZGd"d#ZHd$d%ZId&d'ZJd(d)ZKd*d+ZLd,d-ZMe"d.d.d d/ZNe d0d1ZOe$d2d3d4ZPe d5d6ZQe#d7d8ZRe$d9d9d:ZSe"d;d.d d/ZTe"dd?ZWe"d@dAd d/ZXe$dBdBdCZYe d9d9ZZe dDdEZ[e dFdGZ\e$dHdHdCZ]e dIdJdKdLdMZ^e!dNdOZ_GdPdQdQeZ`GdRdSdSe`ZaGdTdUdUe`ZbGdVdWdWeZcGdXdYdYeZddZd[Zed\d]ZfeaZgdS)_a Parsing for Tor hidden service descriptors as described in Tor's `version 2 `_ and `version 3 `_ rend-spec. Unlike other descriptor types these describe a hidden service rather than a relay. They're created by the service, and can only be fetched via relays with the HSDir flag. These are only available through the Controller's :func:`~stem.control.Controller.get_hidden_service_descriptor` method. **Module Overview:** :: BaseHiddenServiceDescriptor - Common parent for hidden service descriptors |- HiddenServiceDescriptorV2 - Version 2 hidden service descriptor +- HiddenServiceDescriptorV3 - Version 3 hidden service descriptor |- address_from_identity_key - convert an identity key to address |- identity_key_from_address - convert an address to identity key +- decrypt - decrypt and parse encrypted layers OuterLayer - First encrypted layer of a hidden service v3 descriptor InnerLayer - Second encrypted layer of a hidden service v3 descriptor .. versionadded:: 1.4.0 N)CertType) ExtensionTypeEd25519ExtensionEd25519CertificateEd25519CertificateV1) PGP_BLOCK_END Descriptor_descriptor_content_descriptor_components_read_until_keywords_bytes_for_block_value_values_parse_simple_line_parse_if_present_parse_int_line_parse_timestamp_line_parse_key_block _random_date_random_crypto_blob) lru_cache)backendx25519_supportedF)rendezvous-service-descriptorversion permanent-keysecret-id-partpublication-timeprotocol-versions signature hs-descriptordescriptor-lifetimedescriptor-signing-key-certrevision-countersuperencryptedr) identifieraddressport onion_key service_keyZintro_authentication)introduction-point ip-address onion-port onion-key service-keys.onion checksum c@eZdZdZdS)DecryptionFailurezM Failure to decrypt the hidden service descriptor's introduction-points. N__name__ __module__ __qualname____doc__r;r;@/usr/lib/python3/dist-packages/stem/descriptor/hidden_service.pyr5r5c@r4)IntroductionPointsa Introduction point for a v2 hidden service. :var str identifier: hash of this introduction point's identity key :var str address: address of this introduction point :var int port: port where this introduction point is listening :var str onion_key: public key for communicating with this introduction point :var str service_key: public key for communicating with this hidden service :var list intro_authentication: tuples of the form (auth_type, auth_data) for establishing a connection Nr6r;r;r;r<r>r=r>c@seZdZdZeddZedddZedddZd d Zd d Z d dZ ddZ ddZ edddZ eddZddZddZddZdS) IntroductionPointV3a Introduction point for a v3 hidden service. .. versionadded:: 1.8.0 :var list link_specifiers: :class:`~stem.client.datatype.LinkSpecifier` where this service is reachable :var unicode onion_key_raw: base64 ntor introduction point public key :var stem.descriptor.certificate.Ed25519Certificate auth_key_cert: cross-certifier of the signing key with the auth key :var unicode enc_key_raw: base64 introduction request encryption key :var stem.descriptor.certificate.Ed25519Certificate enc_key_cert: cross-certifier of the signing key by the encryption key :var str legacy_key_raw: base64 legacy introduction point RSA public key :var str legacy_key_cert: base64 cross-certifier of the signing key by the legacy key c Cst|d}ttd|}td|}|dr|ddnd}|dd\}}}t|}|d kr7td |td |}|drG|ddnd} |d d\}}} t| } |d kratd |d|vrm|dddnd} d|vr{|dddnd} t|||| | | | S)a Parses an introduction point from its descriptor content. :param str content: descriptor content to parse :returns: :class:`~stem.descriptor.hidden_service.IntroductionPointV3` for the descriptor content :raises: **ValueError** if descriptor content is malformed Fr+r.zntor Nzauth-keyrz ED25519 CERTz!z.IntroductionPointV3.encode..zintroduction-point %szonion-key ntor %sz auth-key TZpemzenc-key ntor %sz enc-key-cert z legacy-key zlegacy-key-cert  )rVr^r_SizeCHARrtlenrFjoinappendrZrkrlrmrn onion_key_rawrI to_base64 enc_key_rawrKlegacy_key_rawrM)selflinesZ link_countrFr;r;r<encodes zIntroductionPointV3.encodecCtj|jddS)a- Provides our ntor introduction point public key. :returns: ntor :class:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey` :raises: * **ImportError** if required the cryptography module is unavailable * **EnvironmentError** if OpenSSL x25519 unsupported Tx25519)r?_key_asrrr;r;r<r)3 zIntroductionPointV3.onion_keycCstj|jjddS)a/ Provides our authentication certificate's public key. :returns: :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey` :raises: * **ImportError** if required the cryptography module is unavailable * **EnvironmentError** if OpenSSL x25519 unsupported TrO)r?rrIkeyrr;r;r<rT@s zIntroductionPointV3.auth_keycCr)a Provides our encryption key. :returns: encryption :class:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey` :raises: * **ImportError** if required the cryptography module is unavailable * **EnvironmentError** if OpenSSL x25519 unsupported Tr)r?rrrr;r;r<rJMrzIntroductionPointV3.enc_keycCr)a1 Provides our legacy introduction point public key. :returns: legacy :class:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey` :raises: * **ImportError** if required the cryptography module is unavailable * **EnvironmentError** if OpenSSL x25519 unsupported Tr)r?rrrr;r;r<rLZrzIntroductionPointV3.legacy_keyFcCs|dus|s |s |Stjstd|r)tstdddlm}|t |S|rAtjjdds6tdddl m }||SdS) Nzcryptography module unavailablezOpenSSL x25519 unsupportedr)X25519PublicKeyTrOz cryptography ed25519 unsupported)Ed25519PublicKey) rVrWrXrYX25519_AVAILABLEEnvironmentErrorrgrZfrom_public_bytesrm b64decoderfr)valuerrPrrr;r;r<rgs    zIntroductionPointV3._key_asc Cszt|}Wnty}ztd||fd}~wwg}tjjjj |\}}t |D]}tjjj |\}}| |q-|rGtd||S)Nz3Unable to base64 decode introduction point (%s): %sz*Introduction point had excessive data (%s)) rmr ExceptionrCrVr^r_r{r|poprangeZ LinkSpecifierr)rDexcrFcountiZlink_specifierr;r;r<rAs   z*IntroductionPointV3._parse_link_specifierscCst|ds t||_|jS)N_hash)hasattrhashrrrr;r;r<__hash__s zIntroductionPointV3.__hash__cCt|tr t|t|kSdSNF) isinstancer?rrotherr;r;r<__eq__zIntroductionPointV3.__eq__cC ||k SNr;rr;r;r<__ne__ zIntroductionPointV3.__ne__)NNNNNFF)r7r8r9r: staticmethodrNrar`rr)rTrJrLrrArrrr;r;r;r<r?s( %  %      r?)rFrrIrrKrrMc@s2eZdZdZd ddZddZddZd d ZdS) AuthorizedClientz Client authorized to use a v3 hidden service. .. versionadded:: 1.8.0 :var str id: base64 encoded client id :var str iv: base64 encoded randomized initialization vector :var str cookie: base64 encoded authentication cookie NcCstjj|r|n ttdd|_ tjj|r|n ttdd|_ tjj|r2|n ttdd|_ dS)N=r2) rVrZrkrlrmrnosurandomrstripidivcookie)rrrrr;r;r<__init__s**.zAuthorizedClient.__init__cCstjj|dddddS)NrrrT)cache)rVrZZ _hash_attrrr;r;r<rszAuthorizedClient.__hash__cCrr)rrrrr;r;r<rrzAuthorizedClient.__eq__cCrrr;rr;r;r<rrzAuthorizedClient.__ne__)NNN)r7r8r9r:rrrrr;r;r;r<rs   rcks|durt} td|d}|tkr"tddd}|t||d7}|r@|ddr1|dd}|td||fi|VndSq) as Iterates over the hidden service descriptors in a file. :param file descriptor_file: file with descriptor content :param class desc_type: BaseHiddenServiceDescriptor subclass :param bool validate: checks the validity of the descriptor's content if **True**, skips these checks otherwise :param dict kwargs: additional arguments for the descriptor constructor :returns: iterator for :class:`~stem.descriptor.hidden_service.HiddenServiceDescriptorV2` instances in the file :raises: * **ValueError** if the contents is malformed and validate is **True** * **IOError** if the file can't be read NTr r0rs@typers)HiddenServiceDescriptorV2r rsplitrBbytesr~)Zdescriptor_fileZ desc_typevalidatekwargsZdescriptor_contentZblock_end_prefixr;r;r< _parse_files  rc Cs|dr|dr|dd}zt|}Wntdt|ttkr/tdt||dt}|tt }|t d}t|||||\} } || |kr]td|| |f| } | || } t j j| S)Nz-----BEGIN MESSAGE----- z -----END MESSAGE-----iz*Unable to decode encrypted block as base64z)Encrypted block malformed (only %i bytes)z'Malformed mac (expected %s, but was %s))rBendswithrmrrCr}SALT_LENMAC_LEN _layer_cipher decryptorupdatefinalizerVrZrkrl) Zencrypted_blockconstantrevision_counter subcredential blinded_key encryptedsalt ciphertextZ expected_macciphermac_forr plaintextr;r;r<_decrypt_layers"   rc Cshtd}t|||||\}}|}|||} t|| || } ddt j j | dS)Nr2s0-----BEGIN MESSAGE----- %s -----END MESSAGE----- @) rrr encryptorrrrmrnr~rVrZrkZ_split_by_length) rrrrrrrrrrZencodedr;r;r<_encrypt_layers rcsddlm}m}m}ddlm}t||t d|||} | t t t } | dt } | t t t } | t t d} ||| || |}t dt| | t dt|||fddfS)NrCipher algorithmsmodesdefault_backendz>Qcst|Sr)hashlibsha3_256digest)rZ mac_prefixr;r<sz_layer_cipher..)&cryptography.hazmat.primitives.ciphersrrrcryptography.hazmat.backendsrrZ shake_256structrtr S_KEY_LENS_IV_LENrAESCTRr})rrrrrrrrrZkdfkeysZ secret_keyZ secret_ivZmac_keyrr;rr<rs " (rcCsftd|}z dd|dD}Wn tytd|w|D] }|dkr-td|q!||_dS)NrcSsg|]}t|qSr;)int)rurEr;r;r<rwrxz1_parse_protocol_versions_line..,zEprotocol-versions line has non-numeric versoins: protocol-versions %srz/protocol-versions must be positive integers: %s)r rrCprotocol_versions)rientriesrZversionsvr;r;r<_parse_protocol_versions_lines     rcCsb|dd\}}}|r|dkrtd|||_g|_zt||_WdSty0td|w)Nintroduction-pointsrMESSAGEzI'introduction-points' should be followed by a MESSAGE block, but was a %sz6'introduction-points' isn't base64 encoded content: %s)rCintroduction_points_encodedintroduction_points_authr introduction_points_content TypeError)rirrGrHblock_contentsr;r;r<_parse_introduction_points_line's    rcCs^i}td|D]"}|}t|dkrtd|t|d|d|d||d<q||_dS)N auth-clientzCauth-client should have a client-id, iv, and cookie: auth-client %srr0r1)rrr}rCrclients)rirrrZ value_compr;r;r<_parse_v3_outer_clients6s  " rcCsLtd|g}}|dD]}|std||t|q ||_dS)Ncreate2-formatsrz:create2-formats should only contain integers, but was '%s')r risdigitrCrrformats)rirrrrEr;r;r<_parse_v3_inner_formatsFs   rcCszt|dr;g}|j}|r4|dd}|dkr$|d|||ddfn|df\}}|t||s ||_|`dSdS)N_unparsed_introduction_points introduction-point r0)rrfindrr?rNintroduction_points)rirrZ remainingdivrDr;r;r<_parse_v3_introduction_pointsRs  0rr)Zallow_negativer descriptor_idr permanent_keyRSA PUBLIC KEYrsecret_id_partr publishedr SIGNATUREr!r"lifetimer# signing_certr$rr%rdesc-auth-type auth_typedesc-auth-ephemeral-key ephemeral_keyrintro-auth-required intro_authcCs |dS)Nr)r)rr;r;r<rss r)funcsingle-onion-serviceis_single_servicec@r4)BaseHiddenServiceDescriptorz; Hidden service descriptor. .. versionadded:: 1.8.0 Nr6r;r;r;r<rwr=rc seZdZdZdZdefdefdefdefde fge fde fge fde fde fd Z eeeee e e e dZeddd Zedd d Zdfd d ZedddZeddZeddZeddZZS)ra Version 2 hidden service descriptor. :var str descriptor_id: **\*** identifier for this descriptor, this is a base32 hash of several fields :var int version: **\*** hidden service descriptor version :var str permanent_key: **\*** long term key of the hidden service :var str secret_id_part: **\*** hash of the time period, cookie, and replica values so our descriptor_id can be validated :var datetime published: **\*** time in UTC when this descriptor was made :var list protocol_versions: **\*** list of **int** versions that are supported when establishing a connection :var str introduction_points_encoded: raw introduction points blob :var list introduction_points_auth: **\*** tuples of the form (auth_method, auth_data) for our introduction_points_content (**deprecated**, always **[]**) :var bytes introduction_points_content: decoded introduction-points content without authentication data, if using cookie authentication this is encrypted :var str signature: signature of the descriptor content **\*** attribute is either required when we're parsed with validation or has a default value, others are left as **None** if undefined .. versionchanged:: 1.6.0 Moved from the deprecated `pycrypto `_ module to `cryptography `_ for validating signatures. .. versionchanged:: 1.6.0 Added the **skip_crypto_validation** constructor argument. zhidden-service-descriptorN) rrrr r rrrrr)rrrrrrrrr;Fc CsF|r td|jt||dddtdfddtfdd fd td ffS) NzSigning of %s not implemented)rZ y3olqqblqw2gbh6phimfuiroechjjafa)r2rr)rZ e24kgecavwsznj7gpbktqsiwgvngsf4er)rz2,3)rz. -----BEGIN MESSAGE----- -----END MESSAGE-----rr )NotImplementedErrorr7r rr)clsattrexcludesignr;r;r<rDs  z!HiddenServiceDescriptorV2.contentTcCs||||||| dS)N)rskip_crypto_validationrD)rrrrrr;r;r<createsz HiddenServiceDescriptorV2.createc stt|j|| dt||dd}|rtD]}||vr"td|||vr4t||dkr4td|qdt|dkrCtd d t|d krQtd | |||st j r| |j|j}|d d}t|}||krtd||fdSdSdS||_dS)NZ lazy_loadr)Znon_ascii_fields0Hidden service descriptor must have a '%s' entryr0BThe '%s' entry can only appear once in a hidden service descriptorrrzQHidden service descriptor must start with a 'rendezvous-service-descriptor' entryrr;Hidden service descriptor must end with a 'signature' entryzrendezvous-service-descriptor z signature zHDecrypted digest does not match local digest (calculated: %s, local: %s))superrrr REQUIRED_V2_FIELDSrCr}listr_parserVrWrXZ_digest_for_signaturerrZ_content_rangersha1Z hexdigestupper_entries) r raw_contentsrrrkeywordZ signed_digestZdigest_contentZcontent_digest __class__r;r<rs.     z"HiddenServiceDescriptorV2.__init__c Cs|j}|sgS|rctjstdz tjj|}Wnty-}ztd|d}~wwt t |ddd}|t krEt ||}n|tkrPt ||}n td|t tf|dsbtd n |dsltd t |S) a Provided this service's introduction points. :returns: **list** of :class:`~stem.descriptor.hidden_service.IntroductionPoints` :raises: * **ValueError** if the our introduction-points is malformed * **DecryptionFailure** if unable to decrypt this field z?Decrypting introduction-points requires the cryptography modulez:authentication_cookie must be a base64 encoded string (%s)Nrr0r2zfUnrecognized authentication type '%s', currently we only support basic auth (%s) and stealth auth (%s)introduction-point zGUnable to decrypt the introduction-points, maybe this is the wrong key?zWintroduction-points content is encrypted, you need to provide its authentication_cookie)rrVrWrXr5rZrkZ _decode_b64rrbinasciihexlify BASIC_AUTHr_decrypt_basic_auth STEALTH_AUTH_decrypt_stealth_authrB_parse_introduction_points)rauthentication_cookierDrZauthentication_typer;r;r<rs0      z-HiddenServiceDescriptorV2.introduction_pointsc sddlm}m}m}ddlm}ztt|ddd}Wnt y2t dt|ddw|dd}|dd|fd d t d|dD}|d|d|d} |d|dd} t || dd } |D]J\} } | | kr|qs||||d t| |}|}|| |}||||| |}|}|| |}|d r|Sqs|S)Nrrrr0r1r2zaWhen using basic auth the content should start with a number of blocks but wasn't a hex digit: %scs0g|]}||d|d|dfqS)r9r;rurZclient_entriesr;r<rw#s0zAHiddenServiceDescriptorV2._decrypt_basic_auth..r:r0)rrrrrrrr1r2rCr5rrr)rrrr}rrrrB)rDr8rrrrZ client_blocksZclient_entries_lengthZ client_keysrrZ client_idZentry_idZencrypted_session_keyrrZ session_keyZ decryptedr;r<r<r4s4    " z-HiddenServiceDescriptorV2._decrypt_basic_authc Csnddlm}m}m}ddlm}|dd|dd}}||||||}|} | || S)Nrrrr0) rrrrrrrrrrr) rDr8rrrrrrrrr;r;r<r6As  z/HiddenServiceDescriptorV2._decrypt_stealth_authcCsg}t|} dtd|dd}|s |Stt}t|d}t|D]\}}|d\}}} |t vrEt |dkrEt d|t |f|dkrN||d <q&|d krdt j j|s_t d |||d <q&|d kr|t j j|sut d|t||d<q&|dkr| |d<q&|dkr| |d<q&|dkrg} |D]!\} } } d| vrt d| | ddd\} }| | |fqq&|tdi|q)zU Provides the parsed list of IntroductionPoints for the unencrypted content. Trsr+)Z ignore_firstFrr0zO'%s' can only appear once in an introduction-point block, but appeared %i timesr&r,z'%s' is an invalid IPv4 addressr'r-rRr(r.r)r/r*zintro-authenticationrzHWe expected 'intro-authentication [auth_type] [auth_data]', but had '%s'Nr1r;)ioBytesIOr~r dictINTRODUCTION_POINTS_ATTRr r'items SINGLE_INTRODUCTION_POINT_FIELDSr}rCrVrZr[r]r\rrrr>)rDrZ content_iorrr-valuesrrHrZ auth_entriesZ auth_valuerGrZ auth_datar;r;r<r7MsJ '        z4HiddenServiceDescriptorV2._parse_introduction_points)Nr;F)Nr;TFrr)r7r8r9r:TYPE_ANNOTATION_NAME)_parse_rendezvous_service_descriptor_line_parse_v2_version_line_parse_permanent_key_line_parse_secret_id_part_line_parse_publication_time_linerr_parse_v2_signature_line ATTRIBUTESPARSER_FOR_LINE classmethodrDr rrrrr4r6r7 __classcell__r;r;r.r<rsH   ( +  rcseZdZdZdZdefdefdefdefde fde fdZ eeeee e dZ e ddd Ze dd d Zdfd d ZddZedddZeddZeddZZS)HiddenServiceDescriptorV3a Version 3 hidden service descriptor. :var int version: **\*** hidden service descriptor version :var int lifetime: **\*** minutes after publication this descriptor is valid :var stem.descriptor.certificate.Ed25519Certificate signing_cert: **\*** cross-certifier for the short-term descriptor signing key :var int revision_counter: **\*** descriptor revision number :var str superencrypted: **\*** encrypted HS-DESC-ENC payload :var str signature: **\*** signature of this descriptor **\*** attribute is either required when we're parsed with validation or has a default value, others are left as **None** if undefined .. versionadded:: 1.8.0 zhidden-service-descriptor-3N)rr r rr%rr r;Fc Cstjjdds tdtjstd| r$t| dkr$tdt| ddlm} |r.|nt j |d }|r8|n| }|r@|n| }| rH| nt t } | rUt|| nd } t|| } |rhd |vrh|d nd }|svtj ||| | | d }|sttjd | g}ttj||d}| rt||| | nd|_t||dddd|jddfdt| fdd|| | | ffdd}|r|dtj j!"|7}|Sd |vrtj#j$j%|}|dt&'|(|)d7}|S)a' Hidden service v3 descriptors consist of three parts: * InnerLayer, which most notably contain introduction points where the service can be reached. * OuterLayer, which encrypts the InnerLayer among other paremters. * HiddenServiceDescriptorV3, which contains the OuterLayer and plaintext parameters. Construction through this method can supply any or none of these, with omitted parameters populated with randomized defaults. Ed25519 key blinding adds an additional ~20 ms, and as such is disabled by default. To blind with a random nonce simply call... :: HiddenServiceDescriptorV3.create(blinding_nonce = os.urandom(32)) :param dict attr: keyword/value mappings to be included in plaintext descriptor :param list exclude: mandatory keywords to exclude from the descriptor, this results in an invalid descriptor :param bool sign: includes cryptographic signatures and digests if True :param stem.descriptor.hidden_service.InnerLayer inner_layer: inner encrypted layer :param stem.descriptor.hidden_service.OuterLayer outer_layer: outer encrypted layer :param cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey identity_key: service identity key :param cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey signing_key: service signing key :param stem.descriptor.Ed25519CertificateV1 signing_cert: certificate signing this descriptor :param int revision_counter: descriptor revision number :param bytes blinding_nonce: 32 byte blinding factor to derive the blinding key :returns: **str** with the content of a descriptor :raises: * **ValueError** if parameters are malformed * **ImportError** if cryptography is unavailable TrOzDHidden service descriptor creation requires cryptography version 2.6zoHidden service descriptor creation requires python 3.6+ or the pysha3 module (https://pypi.org/project/pysha3/)r3z+Blinding nonce must be 32 bytes, but was %irrb)rs aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaarN)r inner_layerrrr)Z cert_typerrrs@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb)r!3)r"Z180r#rzryr$r%rr;s signature %sr)*rVrWrXrY_is_sha3_availabler}rCrfrc InnerLayerr rprtime_blinded_pubkeyrQ_subcredentialr OuterLayerrrrqrrZHS_V3_DESC_SIGNING _blinded_signrtrr rstr_encryptrZrk _to_bytesrirjZSIG_PREFIX_HS_V3rmrnrr)rrrrrR outer_layer identity_keyrUr rblinding_noncercrrZ custom_sigrrZ desc_contentZ sig_contentr;r;r<rDsX/    z!HiddenServiceDescriptorV3.contentTc Cs$|||||||||| | | |dSN)rr) rrrrrrRr^r_rUr rr`r;r;r<r  s$z HiddenServiceDescriptorV3.createcstt|j|| dd|_t||}|rntD]}||vr#td|||vr5t||dkr5td|qdt| dkrDtddt| d krRtd | |||j rjt j jd d rl|j |dSdSdS||_dS) Nr!r"r0r#r!rzAHidden service descriptor must start with a 'hs-descriptor' entryrrr$TrO)r%rQr _inner_layerr REQUIRED_V3_FIELDSrCr}r'rr(r rVrWrXrr+)rr,rrr-r.r;r<rs&     z"HiddenServiceDescriptorV3.__init__cCstjjdds tdtjstd|jdurH|jr!|jnd}|s)tdt |}t ||}t |j|j||}t ||j|||_|jS)a  Decrypt this descriptor. Hidden serice descriptors contain two encryption layers (:class:`~stem.descriptor.hidden_service.OuterLayer` and :class:`~stem.descriptor.hidden_service.InnerLayer`). :param str onion_address: hidden service address this descriptor is from :returns: :class:`~stem.descriptor.hidden_service.InnerLayer` with our decrypted content :raises: * **ImportError** if required cryptography or sha3 module is unavailable * **ValueError** if unable to decrypt or validation fails TrOzFHidden service descriptor decryption requires cryptography version 2.6zqHidden service descriptor decryption requires python 3.6+ or the pysha3 module (https://pypi.org/project/pysha3/)NzNo signing key is present)rVrWrXrYrTrbr rUrCrQidentity_key_from_addressrXrY_decryptr%rrU)r onion_addressrZidentity_public_keyrr^r;r;r<decrypt(s    z!HiddenServiceDescriptorV3.decryptcCstjs tdtj|}tjjjj d}t t ||dd}t|||}tjj|r=|dS|S)a Converts a hidden service identity key into its address. This accepts all key formats (private, public, or public bytes). :param Ed25519PublicKey,Ed25519PrivateKey,bytes key: hidden service identity key :param bool suffix: includes the '.onion' suffix if true, excluded otherwise :returns: **unicode** hidden service address :raises: **ImportError** if sha3 unsupported nHidden service address conversion requires python 3.6+ or the pysha3 module (https://pypi.org/project/pysha3/)rNr1s.onion)rVrWrTrYrZror^r_r{r|rtrrCHECKSUM_CONSTANTrrmZ b32encoderkrllower)rsuffixrchecksumrfr;r;r<address_from_identity_keyKs  $z3HiddenServiceDescriptorV3.address_from_identity_keycCstjs td|dr|dd}tjjj|dds#td|t | }|dd}|dd }|d d }t t||dd }||krktjjt|}tjjt|}td ||f|S) aB Converts a hidden service address into its public identity key. :param str onion_address: hidden service address :returns: **bytes** for the hidden service's public identity key :raises: * **ImportError** if sha3 unsupported * **ValueError** if address malformed or checksum is invalid rhz.onionNir)rz2'%s.onion' isn't a valid hidden service v3 addressr3"#r1z%Bad checksum (expected %s but was %s))rVrWrTrYrrZZ tor_toolsZis_valid_hidden_service_addressrCrmZ b32decoder*rrrirrkrlr1r2)rfZdecoded_addressZpubkeyZexpected_checksumrrlZ checksum_strZexpected_checksum_strr;r;r<rdds       z3HiddenServiceDescriptorV3.identity_key_from_addresscCs0tdtj|}td||fS)Ns credential%sssubcredential%s%s)rrrVrZror)r_rZ credentialr;r;r<rXsz(HiddenServiceDescriptorV3._subcredential) Nr;FNNNNNNN) Nr;TFNNNNNNNF)T)r7r8r9r:rF_parse_v3_version_line_parse_lifetime_line_parse_signing_cert_parse_revision_counter_line_parse_superencrypted_line_parse_v3_signature_linerMrNrOrDr rrgrrmrdrXrPr;r;r.r<rQs:  _ #  )rQcs~eZdZdZdefdefiefdefdZeeeedZ e ddZ ddZ e dd d Ze dddZdfdd ZZS)rYa Initial encryped layer of a hidden service v3 descriptor (`spec `_). .. versionadded:: 1.8.0 :var str auth_type: **\*** encryption scheme used for descriptor authorization :var str ephemeral_key: **\*** base64 encoded x25519 public key :var dict clients: **\*** mapping of authorized client ids to their :class:`~stem.descriptor.hidden_service.AuthorizedClient` :var str encrypted: **\*** encrypted descriptor inner layer **\*** attribute is either required when we're parsed with validation or has a default value, others are left as **None** if undefined N)rrrr)rrrrcCst|d|||}t|S)Nhsdir-superencrypted-data)rrY)rrrrrr;r;r<reszOuterLayer._decryptcCs,|dt|d}t|d|||S)Nr=i'rw) get_bytesr}r)rrrrrDr;r;r<r\szOuterLayer._encryptr;TFc Cstjjdds tdtjstd|rd|vrtdddlm} dd lm } |r.|nt }|r6|nd }| r<| ntj | } |rH|nt| | }|shg}|r[d|vr[n td D]} |tq_t||d d ttj | fgdd|Ddd|||| ffS)NTrOz?Hidden service layer creation requires cryptography version 2.6zjHidden service layer creation requires python 3.6+ or the pysha3 module (https://pypi.org/project/pysha3/)rzOAuthorized clients cannot be specified through both attr and authorized_clientsrrbrdr0r2)rrrcSs$g|]}dd|j|j|jffqS)rz%s %s %s)rrr)rucr;r;r<rwsz&OuterLayer.content..rr)rVrWrXrYrTrCrfrcrgrerUr rZrorprQrXrrrr rmrnr\) rrrrrrRrauthorized_clientsrrrcrerr;r;r<rDs:       zOuterLayer.contentc Cs"||||||||||| |dSrar) rrrrrrRrrzrrr;r;r<r s"zOuterLayer.createcsRtjj|d}tt|j|| dt||}|r$| ||dS||_ dS)Nr=r!) rVrZrkr]rr%rYrr r(r+)rrDrrr.r;r<rs   zOuterLayer.__init__) Nr;TFNNNNNrp)r7r8r9r:_parse_v3_outer_auth_type_parse_v3_outer_ephemeral_keyr_parse_v3_outer_encryptedrMrNrrer\rOrDr rrPr;r;r.r<rYs(  " rYcs|eZdZdZgefgefdefgefdZeeedZ e ddZ ddZ e dd d Ze dddZdfdd ZZS)rUaM Second encryped layer of a hidden service v3 descriptor (`spec `_). .. versionadded:: 1.8.0 :var stem.descriptor.hidden_service.OuterLayer outer: enclosing encryption layer :var list formats: **\*** recognized CREATE2 cell formats :var list intro_auth: **\*** introduction-layer authentication types :var bool is_single_service: **\*** **True** if this is a `single onion service `_, **False** otherwise :var list introduction_points: :class:`~stem.descriptor.hidden_service.IntroductionPointV3` where this service is reachable **\*** attribute is either required when we're parsed with validation or has a default value, others are left as **None** if undefined F)rrrr)rrrcCs t|jd|||}t|d|dS)Nhsdir-encrypted-dataT)rr^)rrrU)r^rrrrr;r;r<reszInnerLayer._decryptcCst|d|||S)Nr~)rrx)rrrrr;r;r<r\szInnerLayer._encryptNr;cCs:|rddttj|}nd}t||dtjj|S)Nrzr))rr) r~mapr?rr rVrZrkr])rrrrrrkr;r;r<rD!s   zInnerLayer.contentTcCs|||||||dSrar)rrrrrrr;r;r<r ,szInnerLayer.createcstt|j|| d||_tjj|}|d}|dkr.||dd|_ |d|}nd|_ t ||}|rE| ||t ||dS||_ dS)Nr!rrr0)r%rUrZouterrVrZrkr]rrr r(rr+)rrDrr^rrr.r;r<r0s    zInnerLayer.__init__)Nr;FN)Nr;TFN)FN)r7r8r9r:r_parse_v3_inner_intro_auth_parse_v3_inner_single_servicerrMrNrrer\rOrDr rrPr;r;r.r<rUs&   rUcsbddlmdjdtfddtdjdD}tj|}  ||S)NrrOr1c3$|] }d||VqdSr1Nbitr;r`rPr;r< L"z"_blinded_pubkey..r) stem.utilrPbsumrZ decodepointrVrZro encodepoint scalarmult)r_r`multPr;rr<rWIs 2rWc sddlm}ddlm|j|jj|jj|d} |dj dt fddt dj dD}d fd d t j d j d D}||}dj dt fddt dj dD} |dd} | | j} |dd} d|dd} | | dd}d fdd t j d j d D|} j| }| ||||j}||S)Nr) serializationrO)encodingformatZencryption_algorithmr1c3s$|] }d||VqdSrrr;)rPhr;r<r^rz _blinded_sign..rrscg|] }||dqSr0r;r;)rr;r<rw_z!_blinded_sign..rr:c3rrrr;rr;r<rdrr3s'Derive temporary signing key hash inputcrrr;r;) blinded_eskr;r<rwnr)Zcryptography.hazmat.primitivesrrrPZ private_bytesZEncodingZRawZ PrivateFormatZ NoEncryptionHrrrr~Z encodeintZ decodeintrvZHintrBr)msgr_rr`rZidentity_key_bytesakZeskrsZs_primeZk_primerRSr;)rr`rPrr<rZQs,   2*2 4&rZr)hr:rmr1 collectionsrhrr?rrrVZstem.client.datatyperVZstem.descriptor.certificateZ stem.prereqrZstem.util.connectionZstem.util.str_toolsZstem.util.tor_toolsrrrrrZstem.descriptorrrr r r r r rrrrrrrrrWZ_is_lru_cache_available functoolsrZstem.util.lru_cacheZ,cryptography.hazmat.backends.openssl.backendrrrrrYr&rcrBrDr3r5rirrrrrr5 namedtuplerr>r?objectrrrrrrrrrrrHrGrIrJrKrLrqrrZ_from_descriptorrsrtrurvr{r|r}rrrrrQrYrUrWrZZHiddenServiceDescriptorr;r;r;r<s D        (               aQ&