@OOfQ vddlZddlZddlZddlZddlZddlZddlmZddlm Z ddl m Z ddl m Z ddl mZddl mZddl mZddlZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddl m!Z!ejDdZ#ejDdZ$dZ%Gdde!jLZ'dejPde)e*e+e+ffdZ,de+de+de-de*ej\ej^ffdZ0d eejbe)e+zdejdfd!Z3 d0d"ejhd#ej^d$e+dzd eejbde+dzde'f d%Z5e d&'Gd(d)Z6e+Z7e*ee+ejdfZ8ee7e8fZ9ed*e:Z;Gd+d,Z)altnamesstrvaluecn)rxr's r__repr__z Cert.__repr__>s?*.--8QCL88477+[ B??9sAc6|jjSr)r__hash__rs rr.z Cert.__hash__Bszz""$$r!c$|j|Sr)from_pem)clsstates r from_statezCert.from_stateEs||E""r!c"|jSr)to_pemr/s r get_statezCert.get_stateIs{{}r!c8tj||_yr)r load_pem_x509_certificater)rr3s r set_statezCert.set_stateLs33E: r!datareturnc<tj|}||Sr)r r9)r2r;rs rr1z Cert.from_pemOs--d34yr!ch|jjtjjSr)r public_bytesr EncodingPEMr/s rr6z Cert.to_pemTs#zz&&}'='='A'ABBr!r c6t|jSr)rto_cryptography)rr s rfrom_pyopensslzCert.from_pyopensslWs(D((*++r!chtjjj|jSr)OpenSSLcryptoX509from_cryptographyrr/s r to_pyopensslzCert.to_pyopenssl[s!~~""44TZZ@@r!c\|jjtjSr)rr#r SHA256r/s rr#zCert.fingerprint^szz%%fmmo66r!c@t|jjSr)_name_to_keyvalrissuerr/s rrOz Cert.issuerastzz0011r!c |jjS#t$rA|jjj t j jcYSwxYwN)tzinfo)rnot_valid_before_utcAttributeErrornot_valid_beforereplacedatetimetimezoneutcr/s r notbeforezCert.notbeforeesS U::22 2 U::..66h>O>O>S>S6T T UAA"!A"c |jjS#t$rA|jjj t j jcYSwxYwrQ)rnot_valid_after_utcrTnot_valid_afterrVrWrXrYr/s rnotafterz Cert.notafternsS T::11 1 T::--55X=N=N=R=R5S S Tr[c$tjdkrDtjjtjj |j kDStjjtj|j kDS)N) )sys version_inforWnowrXrYr_UTCr/s r has_expiredzCert.has_expiredus`   g %$$(():):)>)>?$--O O  $$X\\2T]]BBr!c@t|jjSr)rNrsubjectr/s rriz Cert.subjectzstzz1122r!c.|jjSr)r serial_numberr/s rserialz Cert.serial~szz'''r!c|jj}t|tjrd|j fSt|t jrd|j fSt|tjr&d|jjd|j fS|jjjddjddt|dd fS) NRSADSAzEC () PublicKey_key_size)r public_keyrr RSAPublicKeyrtr DSAPublicKeyrEllipticCurvePublicKeycurvename __class____name__rVgetattr)rrvs rkeyinfoz Cert.keyinfosZZ**, j#"2"2 3*--- - j#"2"2 3*--- - j"";"; <***//02J4G4GG G  ) ) 1 1+r B J J3PR S J B /  r!Nc|jjjtjj }|rt t|djSyNr) rriget_attributes_for_oidr r COMMON_NAMErr(r)rattrss rr*zCert.cnsA ""99$,,:R:RS U1X^^, ,r!c|jjjtjj }|rt t|djSyr) rrirr rORGANIZATION_NAMErr(r)rs r organizationzCert.organizationsF ""99 LL * *  U1X^^, ,r!c |jjjtjj }tj |S#tj$rtj gcYSwxYw)z> Get all SubjectAlternativeName DNS altnames. )r extensionsget_extension_for_classr SubjectAlternativeNamer) GeneralNamesExtensionNotFound)rsanss rr'z Cert.altnamessm  +::((@@++e  $$T* *%% )$$R( ( )s=A(A?>A?)*r} __module__ __qualname____doc__r r__annotations__r r%r,r. classmethodr4r7r:bytesr1r6rFrGrHrDrJr#propertylisttupler(rOrWrZr_boolrgriintrlrr*rrr'r!rrr2s0   T--9@%##;EfCC,7>>#6#6,6,,Agnn11A7U72U38_-22U8,,UUT(++TT CTC 3eCHo.33(((  sCx    C$J cDj +$++ + +r!rr{r<cg}|D]Q}|jjdd}tt|j}|j ||fS|S)N=r)rfc4514_string partitionrr(r)append)r{partsattrkvs rrNrNs[ E    ! + +C 0 3 djj ! aV Lr!rr*rtc xtjj}tjd|}t j t j tj|t j tj|g}t j}|jt j}|j|}|j|tjdz }|j!|t"z}|j%|}|j'|j'}|j)t j*ddd}|j)t j,t.j0gd}|j)t j2ddddddddd d}|j)tj4j7|j'd}|j9|t;j< }||fS) Ni)public_exponentrtrT)ca path_lengthcriticalF) digital_signaturecontent_commitmentkey_enciphermentdata_encipherment key_agreement key_cert_signcrl_sign encipher_only decipher_only private_key algorithm)rWrergenerate_private_keyr Name NameAttributerrrCertificateBuilderrkrandom_serial_number subject_namerU timedeltar^ CA_EXPIRY issuer_namerv add_extensionBasicConstraintsExtendedKeyUsager SERVER_AUTHKeyUsageSubjectKeyIdentifierfrom_public_keysignr rL)rr*rtrerr{builderrs r create_cars      !C**K 99   w22B 7   w88, G  D %%'G##D$=$=$?@G""4(G&&sX-?-?Q-G'GHG%%cIo6G!!$'G  !7!7!9:G## 484$G## 2>>?@5$G## #$"# $ G## !!11+2H2H2JK$G <tj|Stj|S#t$rF|jdj!}|jtj"|YwxYw)z SANs used to be a list of strings in mitmproxy 10.1 and below, but now they're a list of GeneralNames. This function converts the old format to the new one. rz0Passing SANs as a list of strings is deprecated.r) stacklevelidna)rr rrlenr(warningswarnDeprecationWarningr ipaddress ip_addressr IPAddress ValueErrorencodedecodeDNSName)rssr+ips r_fix_legacy_sansrs $))* 43t9q=ZQ5M >  &(d3i& .A .))!,  $..,- .  $$  && +HHV$++- $,,q/* +sC,,A D;:D;privkeycacert commonnamectj}|j|j}|j tj t jgd}|j|j}tjj}|j|tjdz }|j|tz}g}|duxrt|dk}|r7|J|j!tj"t$j&||7|J|j!tj"t$j(||j+tj,|}|j/tj0}|j tj2t5|| }|j tj6j9|jd}|j;|t=j>} tA| S)aB Generates a dummy certificate. privkey: CA private key cacert: CA certificate commonname: Common name for the generated certificate. sans: A list of Subject Alternate Names. organization: Organization name for the generated certificate. Returns cert if operation succeeded, None if not. FrrrN@r)!r rrrirrrrrvrWrerUrr^ CERT_EXPIRYrrrrrrrrrkrrrAuthorityKeyIdentifierfrom_issuer_public_keyrr rLr) rrrrrrreriis_valid_commonnamers r dummy_certr s$%%'G!!&..1G## 2>>?@5$G  !2!2!45G      !C&&sX-?-?Q-G'GHG%%cK&78GG$D0IS_r5I%%%t))'*=*=zJK'''t))'*C*C\RS""499W#56G##D$=$=$?@G## ##$4T$:;(($G ## ##::6;L;L;NO$G <&-JJ3J++r!c#Ktjd}tj|dz dtj|y#tj|wxYww)z Context to temporarily set umask to its original value bitor 0o77. Useful when writing private keys to disk so that only the owner will be able to read them. r?N)osumask)original_umasks r umask_secretzCertStore.umask_secretsF! $&' %  HH^ $BHH^ $s.A%A A% A""A%c |jdd|xs|}|xs|}t|||\}}tj5||dz j |j t jjt jjt j|jt jjz||dz j tj|j||dt jddd|jt jj}||dz j |||d z j |||d z j tj|jd|dt j||d z j t y#1swYxYw) NT)parentsexist_ok)rr*rtr)encodingformatencryption_algorithmz-ca.p12)r{r$rcasr0z -ca-cert.pemz -ca-cert.cerz -ca-cert.p12r)mkdirrrr*r private_bytesr r@rA PrivateFormatTraditionalOpenSSL NoEncryptionr?rserialize_key_and_certificatesrr)rrrtrr*r$rpem_certs rrzCertStore.create_stores 4$ /#/x ^8"xPR # # %  xj( ( 5 5!!*3377(66II)6)C)C)E" //-"8"8"<"<= > xj( ( 5 555!*)6)C)C)E   .??=#9#9#=#=> 8*L) )66x@ 8*L) )66x@ 8*L) )66  1 1__&%2%?%?%A    8*L) )66GO  s C%G44G=specc|j}tj|} t||}|j t||||g|y#t$r|j }Y7wxYw)N)password)rrr1r"rradd_certr)rr9rrr#rr$s r add_cert_filezCertStore.add_cert_fileshoo}}S! *&sZ@C nT3tf=tD *))C *s AA,+A,namesc|jjr#||j|jj<|jjD]$}||jt |j <&|D]}||j|<y)z Adds a cert to the certstore. We register the CN in the cert plus any SANs, and also the list of names provided as an argument. N)rr*rr'r(r))rrr>is rr<zCertStore.add_certsp ::==(-DJJuzz}} %$$ -A',DJJs177| $ - "A!DJJqM "r!dnc lt|trV|jd}|g}tdt |D](}|j ddj ||dz*|St|tjrtj|jSt|jgS)z Return all asterisk forms for a domain. For example, for www.example.com this will return [b"www.example.com", b"*.example.com", b"*.com"]. The single wildcard "*" is omitted. .r!z*.N) rr(splitrangerrjoinr rrasterisk_formsr))rArretr@s rrGzCertStore.asterisk_forms s b# HHSME$C1c%j) 7 4#((59"556 7J DLL )++BHH5 5M? "r!rrrc Ht|}g}|r |jj||D]"}|jj|$|jd|j||ft t fd|d}|rj |}|Sttjjj|||jjj}|j ||f<j||S)a commonname: Common name for the generated certificate. Must be a valid, plain-ASCII, IDNA-encoded domain name. sans: A list of Subject Alternate Names. organization: Organization name for the generated certificate. *c |jvSr)r)r$rs rz$CertStore.get_cert..4ssdjj'8r!N)rrrr)rextendrGrnextfilterrrrrrrrrr)rrrrpotential_keyssr{rs` rget_certzCertStore.get_certs %(*   ! !$"5"5j"A B :A  ! !$"5"5a"8 9 :c"z401F8.I4P JJt$E" #++OO))  2222 44 E.3DJJ D) * KK  r!r)NN)$r}rrrrdictTCertIdrrrrrrrrr r staticmethodrrr(rrrr contextlibcontextmanagerr*rr=r<r GeneralNamerGrrRrr!rrrUsLI ' ((~&&--!4K   &INItI 747H77. $( ASj A A A DL A  A AKO , ,*. ,rVrWrr'rcrcollections.abcr dataclassesrpathlibrtypingrrrr rF cryptographyr cryptography.hazmat.primitivesr r )cryptography.hazmat.primitives.asymmetricr rr,cryptography.hazmat.primitives.serializationrcryptography.x509rrmitmproxy.coretypesrrrrr Serializablerrrrr(rNrRSAPrivateKeyWithSerializationrrrXrrrrr TCustomCertIdTGeneratedCertIdrTrrrr"rr!rris $!18989?1%, H  H -  h  c* "z+< $ $z+z$))U38_(=11 11 3 - -t/?/? ?@ 1h'8D$4$45S A'dFWFW'F $ 9   9   9d 9 4## $ 9 * 9  9x $ #(9(99:  // 0 :u %rrj u  ARAR r!