%PDF- %PDF-
Mini Shell

Mini Shell

Direktori : /lib/python2.7/site-packages/salt/modules/
Upload File :
Create Path :
Current File : //lib/python2.7/site-packages/salt/modules/x509.pyc

�
���^c@@sOdZddlmZmZmZddlZddlZddlZddlZddl	Z	ddl
Z
ddlZddlZddl
Z
ddlZddlZddlZddlZddlZddlZddlZddlZddlmZddlmZddlmZddlmZyddl Z e!Z"Wne#k
r]e$Z"nXyddl%Z%e!Z&Wne#k
r�e$Z&nXdZ'ej(e)�Z*ed	d
fddfd
dfddfddfddfddfddfddfddfddfdd fd!d"fd#d$fd%d&fd'd(fd)d*fg�Z+id+d,6d-d.6d/d06d1d26Z,d3�Z-d4e
j.fd5��YZ/e0d6�Z1de0d7d8�Z2d9�Z3d:�Z4d;�Z5d<�Z6d=�Z7d>�Z8d?�Z9d@�Z:dA�Z;dB�Z<e0dC�Z=dD�Z>dE�Z?dF�Z@dG�ZAdH�ZBe0dI�ZCdJ�ZDdK�ZEdL�ZFdM�ZGdN�ZHe0e$dO�ZIe0dP�ZJe!e0dQ�ZKe0e$dRe0dSe!dT�ZLe0e$e0e0e0e0e$dUdVdW�	ZMdX�ZNdY�ZOe0e$e!e0dZ�ZPe0e$d[�ZQe0d\�ZRe0e0d]�ZSd^�ZTd_�ZUd`�ZVdS(auK
Manage X509 certificates

.. versionadded:: 2015.8.0

:depends: M2Crypto

i(tabsolute_importtunicode_literalstprint_functionN(tsix(tOrderedDict(trange(tSTATE_INTERNAL_KEYWORDSux509ubasicConstraintsuX509v3 Basic ConstraintsukeyUsageuX509v3 Key UsageuextendedKeyUsageuX509v3 Extended Key UsageusubjectKeyIdentifieruX509v3 Subject Key IdentifieruauthorityKeyIdentifieruX509v3 Authority Key IdentifieruissuserAltNameuX509v3 Issuer Alternative NameuauthorityInfoAccessuX509v3 Authority Info AccessusubjectAltNameuX509v3 Subject Alternative NameucrlDistributionPointsuX509v3 CRL Distribution PointsuissuingDistributionPointu!X509v3 Issuing Distribution PointucertificatePoliciesuX509v3 Certificate PoliciesupolicyConstraintsuX509v3 Policy ConstraintsuinhibitAnyPolicyuX509v3 Inhibit Any PolicyunameConstraintsuX509v3 Name ConstraintsunoCheckuX509v3 OCSP No Checku	nsCommentuNetscape Commentu
nsCertTypeuNetscape Certificate Typeimu
days_validiuversioni@userial_bitsusha256u	algorithmcC@str
tStdfSdS(u8
    only load this module if m2crypto is available
    u0Could not load x509 module, m2crypto unavailableN(tHAS_M2t__virtualname__tFalse(((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt__virtual__Sst_CtxcB@sheZdZdejfdejfdejfdejfdejfdejfdejfgZRS(u�
    This is part of an ugly hack to fix an ancient bug in M2Crypto
    https://bugzilla.osafoundation.org/show_bug.cgi?id=7530#c13
    uflagsuissuer_certusubject_certusubject_requcrludb_methudb(t__name__t
__module__t__doc__tctypestc_inttc_void_pt_fields_(((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyR]scC@sgtjt|��}d|_d|_d|_d|_|dkrQd|_nt|j	�|_dS(u�
    This is part of an ugly hack to fix an ancient bug in M2Crypto
    https://bugzilla.osafoundation.org/show_bug.cgi?id=7530#c13
    iN(
Rtfrom_addresstinttflagstNonetsubject_certtsubject_reqtcrltissuer_certtx509(tm2_ctxtissuertctx((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt_fix_ctxns				ic	C@sl|dkr6|jd�dk	r6tjjd��ntjjj|�}tjjj|�}y\tjj	�}t
||�|dkr�td��ntjj
d|||�}d}WnZtk
rtjj�}tjj|�}t
||�tjj
||||�}nX|dkrFtjjdj||���ntjj||�}|j|�|S(u�
    Create new X509_Extension, This is required because M2Crypto
    doesn't support getting the publickeyidentifier from the issuer
    to create the authoritykeyidentifier extension.
    usubjectKeyIdentifieru0123456789abcdefABCDEF:uuvalue must be precomputed hashu4Not enough memory when creating a new X509 extensionu<Cannot create X509_Extension with name '{0}' and value '{1}'N(tstriptsaltt
exceptionstSaltInvocationErrortutilststringutilstto_strtM2Cryptotm2tx509v3_set_nconfRRtMemoryErrortx509v3_ext_conftAttributeErrortx509v3_lhashtx509v3_set_conf_lhashtX509t	X509ErrortformattX509_Extensiontset_critical(	tnametvaluetcriticalRt_pyfreeRtx509_ext_ptrtlhashtx509_ext((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt_new_extensions6	


		
		
cC@s�tjjjd�s*tjjd��ndj|�}td|�}tj	dd|�}tj	dd|�}tjj
jtjjj
|��S(	u}
    Parses openssl command line output, this is a workaround for M2Crypto's
    inability to get them from CSR objects.
    uopensslu openssl binary not found in pathu openssl req -text -noout -in {0}ucmd.run_stdoutu: rsaEncryptionu:u[0-9a-f]{2}:u(R!R$tpathtwhichR"R#R1t__salt__tretsubtdatatdecodetyamlt	safe_load(tcsr_filenametcmdtoutput((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt_parse_openssl_req�s	cC@s�t�}tj�}|j|j��|j�t|j�}|j�|r�d|ddkr�|ddd}|s�|SxCt	j
t�D]/\}}|r�||kr�||||<q�q�Wn|S(u
    Returns a list of dicts containing the name, value and critical value of
    any extension contained in a csr object.
    uRequested ExtensionsuCertificate RequestuData(RttempfiletNamedTemporaryFiletwritetas_pemtflushRHR4tcloseRt	iteritemstEXT_NAME_MAPPINGS(tcsrtrettcsrtempfiletcsryamltcsrextst
short_namet	long_name((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt_get_csr_extensions�s	

	cC@sGtjjjd�s*tjjd��ndj|�}td|�}i}x�|jd�D]�}|j	�}|j
d�r�|jdd�|d<n|j
d	�r�|jd	d�|d
<n|j
d�r?|jdd�}i}xG|jd�D]6}d
|kr�|jd
�}|d||d<q�q�W||d<n|j
d�r�|jdd�|d<tjj
|dd�}|jd�|d<n|j
d�r�|jdd�|d<tjj
|dd�}|jd�|d<n|j
d�r_Pq_q_Wd|krg|d<|S|jd�d}|jd�d}g}	x�|jd�D]�}
|
j	�slqTn|
jd�dj	�}|ddj|
jd�d�}
tjjjtjjj|
��}xXtj|�D]G\}
}d|kr�tjj
|dd�}|jd�|d<q�q�W|	j|�qTW|	|d<|S(u}
    Parses openssl command line output, this is a workaround for M2Crypto's
    inability to get them from CSR objects.
    uopensslu openssl binary not found in pathu openssl crl -text -noout -in {0}ucmd.run_stdoutu
uVersion uuVersionuSignature Algorithm: uSignature AlgorithmuIssuer: u/u=iiuIssueru
Last Update: uLast Updateu%b %d %H:%M:%S %Y %Zu%Y-%m-%d %H:%M:%Su
Next Update: uNext UpdateuRevoked Certificates:uNo Revoked Certificates.uRevoked CertificatesuSignature Algorithm:uSerial Number: u:
uRevocation Date(R!R$R<R=R"R#R1R>tsplitR t
startswithtreplacetdatetimetstrptimetstrftimetjoinRARBRCRDRROtappend(tcrl_filenameRFRGRtlinetsubjectt	sub_entrytlast_updatetnext_updatetrevtrevokedtrev_sntrev_yamltrev_itemt
rev_valuestrev_date((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt_parse_openssl_crl�sl	
		
$$	
cC@sOtddd�}|r5|j|�}|r5|Sntddi�j|�S(Nu
pillar.getux509_signing_policiesu
config.get(R>Rtget(R4tpoliciestsigning_policy((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt_get_signing_policy&scC@sft|�ddkr#d|}ndjgtdt|�d�D]}|||d!^qB�j�S(u$
    Nicely formats hex strings
    iiu0u:(tlenR_Rtupper(thex_strti((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt_pretty_hex/s
cC@stdj|��S(uA
    Converts decimal values to nicely formatted hex strings
    u{0:X}(RwR1(tdecval((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt_dec2hex9scC@s,ytjj|�SWntk
r'nXtS(u�
    A wrapper around os.path.isfile that ignores ValueError exceptions which
    can be raised if the input to isfile is too long.
    (tosR<tisfilet
ValueErrorR	(R<((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt_isfile@s

cC@s]t|�rFtjjj|�� }tjjj|j��SWdQXntjjj|�SdS(ua
    Determines if input is a path to a file, or a string with the
    content to be parsed.
    N(R}R!R$tfilestfopenR%R&tread(tinput_tfp_((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt
_text_or_fileLs"cC@s�i}g}x�tj|j�D]z\}}||kr=qny3t||�}|ro|||<|j|�nWqtk
r�}tjd||�qXqW|S(uA
    Returns a dict containing all values in an X509 Subject
    u!Missing attribute '%s'. Error: %s(RROtnidtgetattrR`t	TypeErrortlogttrace(RcRRtnidstnid_nametnid_numtvalterr((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt_parse_subjectXs
cC@sGt|tjj�r|St|�}t|dd�}tjj|�S(u9
    Returns a certificate object based on PEM text.
    tpem_typeuCERTIFICATE(t
isinstanceR'R/R�t
get_pem_entrytload_cert_string(tcertttext((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt_get_certificate_objls
cC@s\t|�}t|dd�}tjj|dt|��}tjj�}|j|�|S(u9
    Returns a private key object based on PEM text.
    R�u(?:RSA )?PRIVATE KEYtcallback(	R�R�R'tRSAtload_key_stringt_passphrase_callbacktEVPtPKeyt
assign_rsa(tprivate_keyt
passphraset
rsaprivkeyt
evpprivkey((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt_get_private_key_objws	
c@s�fd�}|S(uR
    Returns a callback function used to supply a passphrase for private keys
    c@stjjj��S(N(R!R$R%tto_bytes(targs(R�(s5/usr/lib/python2.7/site-packages/salt/modules/x509.pytf�s((R�R�((R�s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyR��scC@s.t|�}t|dd�}tjj|�S(u1
    Returns a CSR object based on PEM text.
    R�uCERTIFICATE REQUEST(R�R�R'R/tload_request_string(RQR�((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt_get_request_obj�scC@s+tj|j�j��j�}t|�S(ux
    Returns the sha1 hash of the modulus of a public key in a cert
    Used for generating subject key identifiers
    (thashlibtsha1t
get_pubkeytget_modulust	hexdigestRw(R�tsha_hash((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt_get_pubkey_hash�s!cC@sdS(uz
    Replacement keygen callback function which silences the output
    sent to stdout by the default keygen function
    N((((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt_keygen_callback�scC@stjdj||�tj�S(u8
    Dynamically generate a regex to match pem_type
    u�\s*(?P<pem_header>-----BEGIN {0}-----)\s+(?:(?P<proc_type>Proc-Type: 4,ENCRYPTED)\s*)?(?:(?P<dek_info>DEK-Info: (?:DES-[3A-Z\-]+,[0-9A-F]{{16}}|[0-9A-Z\-]+,[0-9A-F]{{32}}))\s*)?(?P<pem_body>.+?)\s+(?P<pem_footer>-----END {1}-----)\s*(R?tcompileR1tDOTALL(R�((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt_make_regex�s	cC@s�t|�}|jdd�}d}t|j��dkrB|jd�rB|jd�rBg}|}x�t|�dkr/|jd�r�|j||jdd�d �||jdd�d}qi|d j	d�dkr�|j|d �|d}qi|j||jd� �||jd�}qiWdj
|�}ntd	�}d
j|�}|r�t|�}dj||�}nx!|j
|�D]}|r�Pq�q�W|s�tjj|��n|j�}|d}|d
}	|d}
|d}|d}dj
|j��}|d}
|	r7|
|	d7}
n|
rR|
|
dd7}
nx9tdt|�d�D]}|
|||d!d7}
qkW|
|d7}
tjjj|
dd�S(u'
    Returns a properly formatted PEM string from the input text fixing
    any whitespace or line-break issues

    text:
        Text containing the X509 PEM entry to be returned or path to
        a file containing the text.

    pem_type:
        If specified, this function will only return a pem of a certain type,
        for example 'CERTIFICATE' or 'CERTIFICATE REQUEST'.

    CLI Example:

    .. code-block:: bash

        salt '*' x509.get_pem_entry "-----BEGIN CERTIFICATE REQUEST-----MIICyzCC Ar8CAQI...-----END CERTIFICATE REQUEST"
    u\nu
iu-----iii@u-u
[0-9A-Z ]+uPEM text not valid:
{0}u4PEM does not contain a single entry of type {0}:
{1}u
pem_headeru	proc_typeudek_infou
pem_footerupem_bodyutencodinguasciiN(R�R[RRst
splitlinesRZtendswithR`tindextcountR_R�R1tfinditerR!R"R#t	groupdictRYRR$R%R�(R�R�t_matcht	pem_fixedtpem_tempt_dregexterrmsgt_match_dictt
pem_headert	proc_typetdek_infot
pem_footertpem_bodyRRRv((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyR��sX!






cC@sdi}xWtj|�D]F}tjj|�rytd|�||<Wq\tk
rXq\XqqW|S(u�
    Returns a dict containing PEM entries in files matching a glob

    glob_path:
        A path to certificates to be read and returned.

    CLI Example:

    .. code-block:: bash

        salt '*' x509.get_pem_entries "/etc/pki/*.crt"
    R�(tglobRzR<R{R�R|(t	glob_pathRRR<((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pytget_pem_entriess

cC@s�t|�}i
|j�dd6|j�j�dd6t|j��d6t|jdd��d6t|jdd	��d
6t|jdd��d6t|j	��d
6t|j	�j
��d6t|j��d6t|j�j
��d6|j�j
�jd�d6|j�j
�jd�d6t|�d6}t�}xgtd|j��D]P}|j|�}|j�}|j�}|j�r�d|}n|||<qTW|r�||d<n|S(uv
    Returns a dict containing details of a certificate. Input can be a PEM
    string or file path.

    certificate:
        The certificate to be read. Can be a path to a certificate file, or
        a string containing the PEM formatted text of the certificate.

    CLI Example:

    .. code-block:: bash

        salt '*' x509.read_certificate /etc/pki/mycert.crt
    iuVersioniuKey Sizeu
Serial Numbertmdusha256uSHA-256 Finger Printumd5uMD5 Finger Printusha1uSHA1 Finger PrintuSubjectuSubject HashuIssueruIssuer Hashu%Y-%m-%d %H:%M:%Su
Not Beforeu	Not Afteru
Public Keyiu	critical uX509v3 Extensions(R�tget_versionR�tsizeRytget_serial_numberRwtget_fingerprintR�tget_subjecttas_hasht
get_issuertget_not_beforetget_datetimeR^t
get_not_aftertget_public_keyRRt
get_ext_countt
get_ext_attget_namet	get_valuetget_critical(tcertificateR�RRtextst	ext_indextextR4R�((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pytread_certificates4	

cC@sdi}xWtj|�D]F}tjj|�rytd|�||<Wq\tk
rXq\XqqW|S(u�
    Returns a dict containing details of a all certificates matching a glob

    glob_path:
        A path to certificates to be read and returned.

    CLI Example:

    .. code-block:: bash

        salt '*' x509.read_certificates "/etc/pki/*.crt"
    R�(R�RzR<R{R�R|(R�RRR<((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pytread_certificatesTs

cC@s�t|�}i|j�dd6t|j��d6t|j�j��d6tj|j�j	��j
�d6}t|�|d<|S(u
    Returns a dict containing details of a certificate request.

    :depends:   - OpenSSL command line tool

    csr:
        A path or PEM encoded string containing the CSR to read.

    CLI Example:

    .. code-block:: bash

        salt '*' x509.read_csr /etc/pki/mycert.csr
    iuVersionuSubjectuSubject HashuPublic Key HashuX509v3 Extensions(R�R�R�R�RyR�R�R�R�R�R�RX(RQRR((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pytread_csrms%cC@smt|�}t|dd�}tj�}|jtjjj|��|j	�t
|j�}|j�|S(uP
    Returns a dict containing details of a certificate revocation list.
    Input can be a PEM string or file path.

    :depends:   - OpenSSL command line tool

    csl:
        A path or PEM encoded string containing the CSL to read.

    CLI Example:

    .. code-block:: bash

        salt '*' x509.read_crl /etc/pki/mycrl.crl
    R�uX509 CRL(
R�R�RIRJRKR!R$R%R&RMRnR4RN(RR�tcrltempfilet	crlparsed((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pytread_crl�s

c	C@s�t|tjj�r0|j�j�}d}nt|�}t|�}|jd�r�|sa|Stjj	�}|j
|�tjj|�}ntjj	�}|jd�r�tjj
|�}|j�j�}n|jd�r
tjj|�}|j�j�}n|jd�s+|jd�rLtjj|dt|��}n|rrtjj�}|j|�|S|j|�|j�S(u7
    Returns a string containing the public key in PEM format.

    key:
        A path or PEM encoded string containing a CSR, Certificate or
        Private Key from which a public key can be retrieved.

    CLI Example:

    .. code-block:: bash

        salt '*' x509.get_public_key /etc/pki/mycert.cer
    ts-----BEGIN PUBLIC KEY-----s-----BEGIN CERTIFICATE-----s#-----BEGIN CERTIFICATE REQUEST-----s-----BEGIN PRIVATE KEY-----s-----BEGIN RSA PRIVATE KEY-----R�(R�R'R/R�tget_rsaR�R�RZtBIOtMemoryBufferRKR�tload_pub_key_bioR�R�R�R�R�R�R�tsave_pub_key_biotread_all(	tkeyR�tasObjtrsaR�tbioR�RQt	evppubkey((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyR��s8	
	

cC@st||�j�dS(u�
    Returns the bit length of a private key in PEM format.

    private_key:
        A path or PEM encoded string containing a private key.

    CLI Example:

    .. code-block:: bash

        salt '*' x509.get_private_key_size /etc/pki/mycert.key
    i(R�R�(R�R�((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pytget_private_key_size�s
c	C@s�tjjjd���t|d|�}d}d}|r|dkrtjj|�r|rt|�}yt|d�}Wn<tj	j
k
r�}tjd|�tj
|d|�nXyt|d�}Wqtj	j
k
r}tjd	|�tj
|d|�qXntjjj|d
���}|rd|dkrd|rd|jtjjj|��n|jtjjj|��|r�|dkr�|r�|jtjjj|��nWdQXWdQXdj|�S(
u�
    Writes out a PEM string fixing any formatting or whitespace
    issues before writing.

    text:
        PEM string input to be written out.

    path:
        Path of the file to write the pem out to.

    overwrite:
        If True(default), write_pem will overwrite the entire pem file.
        Set False to preserve existing private keys and dh params that may
        exist in the pem file.

    pem_type:
        The PEM type to be saved, for example ``CERTIFICATE`` or
        ``PUBLIC KEY``. Adding this will allow the function to take
        input that may contain multiple pem types.

    CLI Example:

    .. code-block:: bash

        salt '*' x509.write_pem "-----BEGIN CERTIFICATE-----MIIGMzCCBBugA..." path=/etc/pki/mycert.crt
    i?R�uuCERTIFICATEu
DH PARAMETERSu$Error when getting DH PARAMETERS: %stexc_infou(?:RSA )?PRIVATE KEYu"Error when getting PRIVATE KEY: %suwNuPEM written to {0}(R!R$R~t	set_umaskR�RzR<R{R�R"R#R�tdebugR�RRKR%R&R1(	R�R<t	overwriteR�t	_dhparamst_private_keyt
_filecontentsR�t_fp((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt	write_pem�s.++iuaes_128_cbcc		C@s|r#|r#tjjd��n|rD|rDtjjd��n|rYtjj}nt}tjj|tjj	|�}tj
j�}|d	kr�d	}n|j
|d|dt|��|r�td|j�d|dd�Stjjj|j��Sd	S(
u�
    Creates a private key in PEM format.

    path:
        The path to write the file to, either ``path`` or ``text``
        are required.

    text:
        If ``True``, return the PEM text without writing to a file.
        Default ``False``.

    bits:
        Length of the private key in bits. Default 2048

    passphrase:
        Passphrase for encryting the private key

    cipher:
        Cipher for encrypting the private key. Has no effect if passhprase is None.

    verbose:
        Provide visual feedback on stdout. Default True

        .. versionadded:: 2016.11.0

    CLI Example:

    .. code-block:: bash

        salt '*' x509.create_private_key path=/etc/pki/mykey.key
    u&Either path or text must be specified.u0Either path or text must be specified, not both.tcipherR�R�R<R�u(?:RSA )?PRIVATE KEYN(R!R"R#R'R�tkeygen_callbackR�tgen_keyR(tRSA_F4R�R�Rtsave_key_bioR�R�R�R$R%R&(	R<R�tbitsR�R�tverboset_callback_funcR�R�((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pytcreate_private_key s.%			
iduc	C@s6tstjjd��ntjj�}	|dkr?g}nx�|D]�}
d|
kr�t|
d�}|d|
d<|d|
d<n|
dj	dd�}tj
jj|�}d|
kr�|r�t
j
j|
dd	�}
t
j
j�|
kr�qFq�nd
|
kr't
j
j�jd	�|
d
<nt
j
j|
d
d	�}|jd�}tj
jj|�}tjj�}|jtj
jj|��|jtj
jj|��d|
kr�tj
jj|
d�}|j|�n|	j|�qFWt|�}tjjtjjt|d
d��}t|d|�jdd�}tjjtjjt|��}i|d6|d6tjjd6|d6}|r�tj
jj|�|d<n
tjd�y|	j |�}WnCt!t"fk
rtjd�|j#dd�|	j |�}nX|r|St$d|d|d
d�S(u

    Create a CRL

    :depends:   - PyOpenSSL Python module

    path:
        Path to write the crl to.

    text:
        If ``True``, return the PEM text without writing to a file.
        Default ``False``.

    signing_private_key:
        A path or string of the private key in PEM format that will be used
        to sign this crl. This is required.

    signing_private_key_passphrase:
        Passphrase to decrypt the private key.

    signing_cert:
        A certificate matching the private key that will be used to sign
        this crl. This is required.

    revoked:
        A list of dicts containing all the certificates to revoke. Each dict
        represents one certificate. A dict must contain either the key
        ``serial_number`` with the value of the serial number to revoke, or
        ``certificate`` with either the PEM encoded text of the certificate,
        or a path to the certificate to revoke.

        The dict can optionally contain the ``revocation_date`` key. If this
        key is omitted the revocation date will be set to now. If should be a
        string in the format "%Y-%m-%d %H:%M:%S".

        The dict can also optionally contain the ``not_after`` key. This is
        redundant if the ``certificate`` key is included. If the
        ``Certificate`` key is not included, this can be used for the logic
        behind the ``include_expired`` parameter. If should be a string in
        the format "%Y-%m-%d %H:%M:%S".

        The dict can also optionally contain the ``reason`` key. This is the
        reason code for the revocation. Available choices are ``unspecified``,
        ``keyCompromise``, ``CACompromise``, ``affiliationChanged``,
        ``superseded``, ``cessationOfOperation`` and ``certificateHold``.

    include_expired:
        Include expired certificates in the CRL. Default is ``False``.

    days_valid:
        The number of days that the CRL should be valid. This sets the Next
        Update field in the CRL.

    digest:
        The digest to use for signing the CRL.
        This has no effect on versions of pyOpenSSL less than 0.14

    .. note

        At this time the pyOpenSSL library does not allow choosing a signing
        algorithm for CRLs See https://github.com/pyca/pyopenssl/issues/159

    CLI Example:

    .. code-block:: bash

        salt '*' x509.create_crl path=/etc/pki/mykey.key signing_private_key=/etc/pki/ca.key signing_cert=/etc/pki/ca.crt revoked="{'compromized-web-key': {'certificate': '/etc/pki/certs/www1.crt', 'revocation_date': '2015-03-01 00:00:00'}}"
    u2Could not load OpenSSL module, OpenSSL unavailableucertificateu
Serial Numberu
serial_numberu	Not Afteru	not_afteru:uu%Y-%m-%d %H:%M:%Surevocation_dateu
%Y%m%d%H%M%SZureasonR�uCERTIFICATER�R�ucertukeyutypeudaysudigestu9No digest specified. The default md5 digest will be used.utError signing crl with specified digest. Are you using pyopenssl 0.15 or newer? The default md5 digest will be used.R�R<uX509 CRLN(%tHAS_OPENSSLR!R"R#tOpenSSLtcryptotCRLRR�R[R$R%R�R\R]tnowR^tRevokedt
set_serialtset_rev_dateR&t
set_reasontadd_revokedR�tload_certificatetFILETYPE_PEMR�R�RLtload_privatekeyR�twarningtexportR�R|tpopR�(R<R�tsigning_private_keytsigning_private_key_passphrasetsigning_certRhtinclude_expiredt
days_validtdigestRRktrev_certt
serial_numbert	not_afterRmRgtreasonR�R�t
export_kwargstcrltext((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt
create_crlfsvM		
								


cK@sXd|krdSt|t�s1tj|�}ni}d|kr�t|d�}|sjdj|d�St|t�r�i}x|D]}|j|�q�W|}q�nd|krd|kr�dSd}d|dkr�d	}nt||d|d�sd
j|d|d�Snyt	dd
dt|�SWntk
rS}t
j|�SXd
S(u�
    Request a certificate to be remotely signed according to a signing policy.

    argdic:
        A dict containing all the arguments to be passed into the
        create_certificate function. This will become kwargs when passed
        to create_certificate.

    kwargs:
        kwargs delivered from publish.publish

    CLI Example:

    .. code-block:: bash

        salt '*' x509.sign_remote_certificate argdic="{'public_key': '/etc/pki/www.key', 'signing_policy': 'www'}" __pub_id='www1'
    usigning_policyu signing_policy must be specifiedu"Signing policy {0} does not exist.uminionsu__pub_idu3minion sending this request could not be identifiedu
match.globu@umatch.compoundu+{0} not permitted to use signing policy {1}R<R�N(R�tdicttasttliteral_evalRrR1tlisttupdateR>tcreate_certificateRtTruet	ExceptionRt	text_type(targdictkwargsRqtdict_titemtmatchertexcept_((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pytsign_remote_certificates:
	cC@s�t|�}|sdj|�St|t�r[i}x|D]}|j|�q;W|}ny|d=Wntk
rynXyt|dd�|d<Wntk
r�nX|S(u�
    Returns the details of a names signing policy, including the text of
    the public key that will be used to sign it. Does not return the
    private key.

    CLI Example:

    .. code-block:: bash

        salt '*' x509.get_signing_policy www
    u"Signing policy {0} does not exist.usigning_private_keyusigning_certuCERTIFICATE(RrR1R�R!R"tKeyErrorR�(tsigning_policy_nameRqR)R*((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pytget_signing_policy9s$

	

c K@s�|r?|r?d|ks*|dtkr?tjjd��n|r`|r`tjjd��nd|krydG|d<n|r�d|kr�tjjdj|���nd|kr�t|ddd	�jd
d�|d<nd|kr&tjj	j
t|dd
|d��jd
d�|d<nx1tt
�dddgD]}|j|dG�q@Wtdd|dddtjjj|dt�dd�}t|�s�tjjd��n||}|r�td|d|d|dd�S|Sni}d|krLt|d�}t|t�rLi}	x|D]}
|	j|
�q)W|	}qLn|j|�x6tjt�D]%\}}||kri|||<qiqiWtjj�}
|
j|dd�d |kr�ttj |d!��|d <nt!|d jd"d�d#�}tj"rtjj#j$�rLd$}||kr||t!||�|8}q|q|t%j&kr|t!|t%j&�t%j&8}qn|
j'|�tj(j)|
j*�}tj(j+|
j*�}tj(j,|d%�tj(j,|dI|d(�d|kr*d|kr*|d)|d<d*|kr*|d*|d<q*ni}d|kr�|d|d<t-|d�}|
j.|j/��t0|d�d+}n|
j1t|dd
|dd,t��|
j/�}xCtj|j2�D]/\}}||kr�t3||||�q�q�Wd-|krt4|d-�}n|
}|
j5|j/��x�tjt6�D]q\}}||kp~||kp~||kp~||ktkr�qEn|j7|�p�|j7|�p�|j7|�p�|j7|�}t}|j8d.�r�t}|d/}n|d0kr$d1|kr$|jd1t9|
��}ndG}|d2kr?|}n|d3kr`|jd4d5�}nt:d6|d7|d8|d9|�}|j;s�t<j=d:j||��qEn|
j>|�qEWd*|kr�dG|d*<nd|kr|dtkrt?|
�}t|d)d
|d*�|d;<|St@d<|d)d
|d*d=|�sqtjjd>j|d)|j7d-d����n|
jAtB|d)d
|d*�|d?�tC|
d@|�s�tjjdA��ndB|krIdC|kr|dCtkrtjD|dD�dE}nd}td|
jE�dtFjGjH|dB||d dF�dd�n|rttd|
jE�d|d|dd�Stjj	j
|
jE��SdGS(Ju% 
    Create an X509 certificate.

    path:
        Path to write the certificate to.

    text:
        If ``True``, return the PEM text without writing to a file.
        Default ``False``.

    overwrite:
        If True(default), create_certificate will overwrite the entire pem
        file. Set False to preserve existing private keys and dh params that
        may exist in the pem file.

    kwargs:
        Any of the properties below can be included as additional
        keyword arguments.

    ca_server:
        Request a remotely signed certificate from ca_server. For this to
        work, a ``signing_policy`` must be specified, and that same policy
        must be configured on the ca_server. See ``signing_policy`` for
        details. Also the salt master must permit peers to call the
        ``sign_remote_certificate`` function.

        Example:

        /etc/salt/master.d/peer.conf

        .. code-block:: yaml

            peer:
              .*:
                - x509.sign_remote_certificate

    subject properties:
        Any of the values below can be included to set subject properties
        Any other subject properties supported by OpenSSL should also work.

        C:
            2 letter Country code
        CN:
            Certificate common name, typically the FQDN.

        Email:
            Email address

        GN:
            Given Name

        L:
            Locality

        O:
            Organization

        OU:
            Organization Unit

        SN:
            SurName

        ST:
            State or Province

    signing_private_key:
        A path or string of the private key in PEM format that will be used
        to sign this certificate. If neither ``signing_cert``, ``public_key``,
        or ``csr`` are included, it will be assumed that this is a self-signed
        certificate, and the public key matching ``signing_private_key`` will
        be used to create the certificate.

    signing_private_key_passphrase:
        Passphrase used to decrypt the signing_private_key.

    signing_cert:
        A certificate matching the private key that will be used to sign this
        certificate. This is used to populate the issuer values in the
        resulting certificate. Do not include this value for
        self-signed certificates.

    public_key:
        The public key to be included in this certificate. This can be sourced
        from a public key, certificate, csr or private key. If a private key
        is used, the matching public key from the private key will be
        generated before any processing is done. This means you can request a
        certificate from a remote CA using a private key file as your
        public_key and only the public key will be sent across the network to
        the CA. If neither ``public_key`` or ``csr`` are specified, it will be
        assumed that this is a self-signed certificate, and the public key
        derived from ``signing_private_key`` will be used. Specify either
        ``public_key`` or ``csr``, not both. Because you can input a CSR as a
        public key or as a CSR, it is important to understand the difference.
        If you import a CSR as a public key, only the public key will be added
        to the certificate, subject or extension information in the CSR will
        be lost.

    public_key_passphrase:
        If the public key is supplied as a private key, this is the passphrase
        used to decrypt it.

    csr:
        A file or PEM string containing a certificate signing request. This
        will be used to supply the subject, extensions and public key of a
        certificate. Any subject or extensions specified explicitly will
        overwrite any in the CSR.

    basicConstraints:
        X509v3 Basic Constraints extension.

    extensions:
        The following arguments set X509v3 Extension values. If the value
        starts with ``critical``, the extension will be marked as critical.

        Some special extensions are ``subjectKeyIdentifier`` and
        ``authorityKeyIdentifier``.

        ``subjectKeyIdentifier`` can be an explicit value or it can be the
        special string ``hash``. ``hash`` will set the subjectKeyIdentifier
        equal to the SHA1 hash of the modulus of the public key in this
        certificate. Note that this is not the exact same hashing method used
        by OpenSSL when using the hash value.

        ``authorityKeyIdentifier`` Use values acceptable to the openssl CLI
        tools. This will automatically populate ``authorityKeyIdentifier``
        with the ``subjectKeyIdentifier`` of ``signing_cert``. If this is a
        self-signed cert these values will be the same.

        basicConstraints:
            X509v3 Basic Constraints

        keyUsage:
            X509v3 Key Usage

        extendedKeyUsage:
            X509v3 Extended Key Usage

        subjectKeyIdentifier:
            X509v3 Subject Key Identifier

        issuerAltName:
            X509v3 Issuer Alternative Name

        subjectAltName:
            X509v3 Subject Alternative Name

        crlDistributionPoints:
            X509v3 CRL distribution points

        issuingDistributionPoint:
            X509v3 Issuing Distribution Point

        certificatePolicies:
            X509v3 Certificate Policies

        policyConstraints:
            X509v3 Policy Constraints

        inhibitAnyPolicy:
            X509v3 Inhibit Any Policy

        nameConstraints:
            X509v3 Name Constraints

        noCheck:
            X509v3 OCSP No Check

        nsComment:
            Netscape Comment

        nsCertType:
            Netscape Certificate Type

    days_valid:
        The number of days this certificate should be valid. This sets the
        ``notAfter`` property of the certificate. Defaults to 365.

    version:
        The version of the X509 certificate. Defaults to 3. This is
        automatically converted to the version value, so ``version=3``
        sets the certificate version field to 0x2.

    serial_number:
        The serial number to assign to this certificate. If omitted a random
        serial number of size ``serial_bits`` is generated.

    serial_bits:
        The number of bits to use when randomly generating a serial number.
        Defaults to 64.

    algorithm:
        The hashing algorithm to be used for signing this certificate.
        Defaults to sha256.

    copypath:
        An additional path to copy the resulting certificate to. Can be used
        to maintain a copy of all certificates issued for revocation purposes.

    prepend_cn:
        If set to True, the CN and a dash will be prepended to the copypath's filename.

        Example:
            /etc/pki/issued_certs/www.example.com-DE:CA:FB:AD:00:00:00:00.crt

    signing_policy:
        A signing policy that should be used to create this certificate.
        Signing policies should be defined in the minion configuration, or in
        a minion pillar. It should be a yaml formatted list of arguments
        which will override any arguments passed to this function. If the
        ``minions`` key is included in the signing policy, only minions
        matching that pattern (see match.glob and match.compound) will be
        permitted to remotely request certificates from that policy.

        Example:

        .. code-block:: yaml

            x509_signing_policies:
              www:
                - minions: 'www*'
                - signing_private_key: /etc/pki/ca.key
                - signing_cert: /etc/pki/ca.crt
                - C: US
                - ST: Utah
                - L: Salt Lake City
                - basicConstraints: "critical CA:false"
                - keyUsage: "critical cRLSign, keyCertSign"
                - subjectKeyIdentifier: hash
                - authorityKeyIdentifier: keyid,issuer:always
                - days_valid: 90
                - copypath: /etc/pki/issued_certs/

        The above signing policy can be invoked with ``signing_policy=www``

    CLI Example:

    .. code-block:: bash

        salt '*' x509.create_certificate path=/etc/pki/myca.crt signing_private_key='/etc/pki/myca.key' csr='/etc/pki/myca.csr'}
    utestrunu&Either path or text must be specified.u0Either path or text must be specified, not both.upublic_key_passphraseusigning_policyuTsigning_policy must be specifiedif requesting remote certificate from ca_server {0}.ucsrR�uCERTIFICATE REQUESTu
uu
public_keyR�u	listen_inupreqrequiredu__prerequired__upublish.publishttgttfunux509.sign_remote_certificatetargR&ttimeoutiueca_server did not respond salt master must permit peers to call the sign_remote_certificate function.R�R�R<uCERTIFICATEuversioniu
serial_numberuserial_bitsu:ii���ii<iu
days_validusigning_private_keyusigning_private_key_passphraseuX509v3 ExtensionsR�usigning_certu	critical i	usubjectKeyIdentifieruhashuauthorityKeyIdentifierusubjectAltNameu
IP AddressuIPR4R5R6Ru"Invalid X509v3 Extension. {0}: {1}uIssuer Public KeyR�t
public_keyu8signing_private_key: {0} does no match signing_cert: {1}u	algorithmtsigning_pub_keyu&failed to verify certificate signatureucopypathu
prepend_cnuCNu-u.crtNii�Q(IR	R!R"R#RR1R�R[R$R%R&R�R!t_STATE_INTERNAL_KEYWORDSRR>RAtdecode_dictR$tanyR�RrR�R"RROt
CERT_DEFAULTSR'R/tset_versionRytrandomtgetrandbitsRtPY3tplatformt
is_windowstsystmaxsizetset_serial_numberR(tx509_get_not_beforeRtx509_get_not_aftertx509_gmtime_adjR�tset_subjectR�R�t
set_pubkeyR�tsetattrR�t
set_issuerRPRoRZR�R;R:R�tinfotadd_extR�tverify_private_keytsignR�tverify_signatureR&RLRzR<R_( R<R�R�t	ca_serverR(tignoretcertstcert_txtRqR)R*tproptdefaultR�RtINT_MAXt
not_beforeRRURQRctentrytnumRtextnametextlongnametextvalR6RR�t
cert_propstprepend((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyR#]s2�		
	

#
		


	$

		

		

	"
cK@s�|r#|r#tjjd��n|rD|rDtjjd��ntjj�}|j�}x6tjt	�D]%\}}||kro|||<qoqoW|j
|dd�d|kr�d|kr�|d|d<tjd�nd|krtjjd��nd|kr!|d|d<nd	|kr:d|d	<nd
|krSd|d
<n|d
ry|d	ry|d
|d	<n|d	r�|d
r�|d	|d
<n|jt|dd|d
dt��xCtj|j�D]/\}}||kr�t||||�q�q�Wtjj�}	x9tjt�D](\}
}|
|krU||krUq+n||
pf||}t}
|jd
�r�t}
|d}n|
dkr�d|kr�|jdt|��}n|
dkr�|jdd�}n|
dkr�q+nd}td|
d|d|
d|�}|jsFtjdj|
|��q+n|	j|�q+W|j|	�|jt |dd|d	�|d�|r�t!d|j"�d|dd�S|j"�SdS( up
    Create a certificate signing request.

    path:
        Path to write the certificate to.

    text:
        If ``True``, return the PEM text without writing to a file.
        Default ``False``.

    algorithm:
        The hashing algorithm to be used for signing this request. Defaults to sha256.

    kwargs:
        The subject, extension and version arguments from
        :mod:`x509.create_certificate <salt.modules.x509.create_certificate>`
        can be used.

    CLI Example:

    .. code-block:: bash

        salt '*' x509.create_csr path=/etc/pki/myca.csr public_key='/etc/pki/myca.key' CN='My Cert'
    u&Either path or text must be specified.u0Either path or text must be specified, not both.uversioniuprivate_keyu
public_keyu�OpenSSL no longer allows working with non-signed CSRs. A private_key must be specified. Attempting to use public_key as private_keyuprivate_key is requireduprivate_key_passphraseupublic_key_passphraseR�R�u	critical i	usubjectKeyIdentifieruhashusubjectAltNameu
IP AddressuIPuauthorityKeyIdentifierR4R5R6Ru"Invalid X509v3 Extension. {0}: {1}u	algorithmR�R<R�uCERTIFICATE REQUESTN(#R!R"R#R'R/tRequestR�RROR:R;R�RRRHR�R$R�RItX509_Extension_StackRPR	RZR[R�R;R:RKR1tpushtadd_extensionsRNR�R�RL(R<R�R(RQRcRTRURXRYtextstackRZR[R\R6RR�((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt
create_csr2s�		





	
cC@stt||�t|�k�S(u 
    Verify that 'private_key' matches 'public_key'

    private_key:
        The private key to verify, can be a string or path to a private
        key in PEM format.

    public_key:
        The public key to verify, can be a string or path to a PEM formatted
        certificate, csr, or another private key.

    passphrase:
        Passphrase to decrypt the private key.

    CLI Example:

    .. code-block:: bash

        salt '*' x509.verify_private_key private_key=/etc/pki/myca.key \
                public_key=/etc/pki/myca.crt
    (tboolR�(R�R5R�((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyRM�scC@sIt|�}|r-t|d|dt�}nt|jd|�dk�S(u`
    Verify that ``certificate`` has been signed by ``signing_pub_key``

    certificate:
        The certificate to verify. Can be a path or string containing a
        PEM formatted certificate.

    signing_pub_key:
        The public key to verify, can be a string or path to a PEM formatted
        certificate, csr, or private key.

    signing_pub_key_passphrase:
        Passphrase to the signing_pub_key if it is an encrypted private key.

    CLI Example:

    .. code-block:: bash

        salt '*' x509.verify_signature /etc/pki/mycert.pem \
                signing_pub_key=/etc/pki/myca.crt
    R�R�tpkeyi(R�R�R$Retverify(R�R6tsigning_pub_key_passphraseR�((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyRO�s
	cC@stjjjd�s*tjjd��nt|�}t|dd�}tj	�}|j
tjjj|��|j
�t|�}t|dd�}tj	�}|j
tjjj|��|j
�dj|j|j�}td|�}|j�|j�d|krtStSd	S(
u�
    Validate a CRL against a certificate.
    Parses openssl command line output, this is a workaround for M2Crypto's
    inability to get them from CSR objects.

    crl:
        The CRL to verify

    cert:
        The certificate to verify the CRL against

    CLI Example:

    .. code-block:: bash

        salt '*' x509.verify_crl crl=/etc/pki/myca.crl cert=/etc/pki/myca.crt
    uopensslu openssl binary not found in pathR�uX509 CRLuCERTIFICATEu&openssl crl -noout -in {0} -CAfile {1}ucmd.run_stderru	verify OKN(R!R$R<R=R"R#R�R�RIRJRKR%R&RMR1R4R>RNR$R	(RR�RR�tcerttexttcerttempfileRFRG((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt
verify_crl�s*	



cC@s�i}tjj|�r�y�||d<t|�}tjj�}|j�j�}t|j	��d|d<|j
d�|j
d�kr�t|d<n
t|d<Wq�t
k
r�q�Xn|S(u�
    Returns a dict containing limited details of a
    certificate and whether the certificate has expired.

    .. versionadded:: 2016.11.0

    certificate:
        The certificate to be read. Can be a path to a certificate file,
        or a string containing the PEM formatted text of the certificate.

    CLI Example:

    .. code-block:: bash

        salt '*' x509.expired "/etc/pki/mycert.crt"
    upathuCNucnu%Y-%m-%d %H:%M:%Suexpired(RzR<R{R�R\tutcnowR�R�R�R�R^R$R	R|(R�RRR�t_nowt_expiration_date((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pytexpireds


cC@s�i}tjj|�r�y�||d<||d<t|�}tjj�tjd|�}|j�j�}t	|j
��d|d<|jd�|jd�kr�t|d<n
t
|d<Wq�tk
r�q�Xn|S(u�
    Returns a dict containing details of a certificate and whether
    the certificate will expire in the specified number of days.
    Input can be a PEM string or file path.

    .. versionadded:: 2016.11.0

    certificate:
        The certificate to be read. Can be a path to a certificate file,
        or a string containing the PEM formatted text of the certificate.

    CLI Example:

    .. code-block:: bash

        salt '*' x509.will_expire "/etc/pki/mycert.crt" days=30
    upathu
check_daystdaysuCNucnu%Y-%m-%d %H:%M:%Suwill_expire(RzR<R{R�R\Rlt	timedeltaR�R�R�R�R^R$R	R|(R�RpRRR�t_check_timeRn((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pytwill_expire;s"



(WRt
__future__RRRRztloggingR�R�R<RRIR?R\RRAtsalt.utils.filesR!tsalt.utils.pathtsalt.utils.stringutilstsalt.utils.datatsalt.utils.platformtsalt.exceptionstsalt.extRtsalt.utils.odictRtsalt.ext.six.movesRt
salt.stateRR7R'R$RtImportErrorR	RRRt	getLoggerRR�RPR:R
t	StructureRRRR;RHRXRnRrRwRyR}R�R�R�R�R�R�R�R�R�R�R�R�R�R�R�R�R�R�RRR-R0R#RdRMRORkRoRs(((s5/usr/lib/python2.7/site-packages/salt/modules/x509.pyt<module>	s�





																
	
,			J			
					
								P		6		!	24B		�	6	%��w	0	(

Zerion Mini Shell 1.0