b[VddlZddlZddlZddlmZddlmZddlmZm Z ddl m Z ddlm Z ddl Z ddlmZddlmZmZddlZddlZdd lmZddlZ dd lmZn#e$rd Zejd YnwxYwdd lmZddlmZddl m!Z!dZ"dZ#dZ$dZ%dZ&dZ'dZ(dgfdZ)dZ*dZ+dZ,dZ-d!dZ.Gdd eZ/dS)"N) gp_pol_ext)Ldb) SCOPE_SUBTREE SCOPE_BASE)system_session)get_dc_hostname)which)PopenPIPE)log)load_der_pkcs7_certificatescgS)N)xs B/usr/lib/python3/dist-packages/samba/gp/gp_cert_auto_enroll_ext.pyr r $sr zNpython cryptography missing pkcs7 support. Certificate chain parsing will fail)Encoding)load_der_x509_certificate)default_backends9 -----BEGIN CERTIFICATE----- %s -----END CERTIFICATE-----z/etc/pki/trust/anchorszc(https|HTTPS)://(?P[a-zA-Z0-9.-]+)/ADPolicyProvider_CEP_(?P[a-zA-Z]+)/service.svc/CEPc~dtjd|dddzddtjd|dddzddtjd|dddzddtjd |dd dzdd tjd |d d z S)z)Convert an octet string to an objectGUID.z%02xzH z%02x%02xz>HLN)structunpack)datas roctet_string_to_objectGUIDr4s% dD1I(F(Fq(IIII% dD1I(F(Fq(IIII% dD1I(F(Fq(IIII% dD2J(G(G(JJJJ)FM%bcc,K,KKK  MMrcni}|D]J}|d|vr g||d<||d|K|D]}|dd|D}t |}|D]z}||}t |tjt||z dz }||krSd} t|||dz| |||dz<{t|S)aGroup and Sort End Point Information. [MS-CAESO] 4.4.5.3.2.3 In this step autoenrollment processes the end point information by grouping it by CEP ID and sorting in the order with which it will use the end point to access the CEP information. PolicyIDc|dS)NCostres rz6group_and_sort_end_point_information..Qs 1V9r)keycg|] }|d S)r#r.0r%s r z8group_and_sort_end_point_information..Ts8881QvY888rc>|ddkrdS|ddkrdSdS)N AuthFlagsrr,rr$s r sort_authz7group_and_sort_end_point_information..sort_auth`s/[>S((1{^s**11r) keysappendvaluessortsetindexlenoperatorindexOfreversedsortedlist) end_point_informationend_point_groupsr%end_point_group cost_listcostscostijr0s r$group_and_sort_end_point_informationrE=s} "22 Z= 0 5 5 7 7 7 7.0 Qz] +:'..q1111,2244;; !4!455598888 I ; ;D%%AIx/0C0CTJJJ1LAAvv    &,OAacE,B09&;&;&;OAacE " "' ;*  '')) * **rci}d}|D]h}|j|s|j|d}||vri||<|j|||j<i|D]}tjt|d}|rbd| dddz}||d<| d|d <| d |d <|d d kr#d |di}tj d |icSt|}|S)zObtain End Point Information. [MS-CAESO] 4.4.5.3.2.2 In this step autoenrollment initializes the CertificateEnrollmentPolicyEndPoints table. z7Software\Policies\Microsoft\Cryptography\PolicyServers\URLz%s-CAserver.rnamehostnameauthzldap:endpointzFailed to parse the endpoint)keyname startswithreplacer1r valuenamer3rematch endpoint_regrouplowerr errorrE)entriesr=sectionr%rKcamedatas robtain_end_point_informationr^msLG ::y##G,,  y  "-- ,1133 3 3*, !$ '346d#AK00#**,,   H["U) , ,  QWWX..66sC@@@DBvJWWX..BzNBvJJ Y__  ' ) ) "U)-E I4e < < <III* --B-I-I-K-KLL  rc4g}|}d|z}gd}d}||t||}t|dkr|S|D]A}|dd|dd|ddd}||B|S) z0Initialize CAs. [MS-CAESO] 4.4.5.3.1.2 zMCN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,%s) cACertificatecn dNSHostNamez"(objectClass=pKIEnrollmentService)rrarbr`)rKrLr`)get_default_basednsearchrr7r2) ldbresultbasedndnattrsexprresesrs rfetch_certification_authoritiesrms F  # # % %F Y[a aB 2 2 2E /D **Re 4 4C 3xx1}} D! .q1"$_"5a"8  d MrmsPKI-Minimal-Key-Sizec|}d|z}d|z}||t||}t|dkrd|dvrt |dSddgiS)NzOCN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%sz(cn=%s)r,rnr2048)rcrdrr7dict)rerKrirgrhrjrks rfetch_template_attrsrrsz  # # % %F Z]c cB t D **Re 4 4C 3xx1}}1SV;;CF||(6(33rc~tj|}ttjdd|dtjzS)Ns(.{64})s\1 r)base64 b64encode cert_wraprSsubDOTALL)certs rformat_root_certrzs1  D ! !D rvj(D!RYGG GGrctjdddg}tdd|S)NPATHz/usr/lib/certmongerz/usr/libexec/certmongerz cepces-submit:)path)osenvirongetr join)certmonger_dirss rfind_cepces_submitrs?z~~f--/D02O sxx'@'@ A A AArct}tj|rtj}d|d<t |d|zdg|t t }|\}}|jdkr+d| i}tj d|| SgS) NzGET-SUPPORTED-TEMPLATESCERTMONGER_OPERATIONz --server=%sz--auth=Kerberos)envstdoutstderrrErrorz0Failed to fetch the list of supported templates.)rrr~existsrr r communicate returncodedecoder rXstripsplit)rI cepces_submitrpouterrrs rget_supported_templatesrs&((M w~~m$$ #j&? "# =-&"8:KLtD : : :==??S <1  cjjll,D IH$ O O Oyy{{  """ Ircjtj|d|dz}g} tj|ddd}n0#tjj$rtjdd}YnwxYw||j d ks|j d d krtjd tjd d|vrtjd t|d}n2#t$r%t|dt}YnwxYw|tj}t#|d5}||dddn #1swxYwY|||S|j d dkr t|j }n1#t$r$t|j t}YnwxYw|tj}t#|d5}||dddn #1swxYwY||n|j d dkrt)|j } t+dt-| D]} | | tj}d|| fz} t#| d5}||dddn #1swxYwY|| ntjd|S)z$Fetch Certificate Chain from the CA.%s.crtrK GetCACert CAIdentifier) operationmessage)urlparamsz$Failed to establish a new connectionNrz Content-Typez text/htmlz+Failed to fetch the root certificate chain.zPThe Network Device Enrollment Service is either not installed or not configured.r`z'Installing the server certificate only.wbzapplication/x-x509-ca-certzapplication/x-x509-ca-ra-certrz%s.%dz+getca: Wrong (or missing) MIME content type)rr~rrequestsr exceptionsConnectionErrorr warncontentheadersr TypeErrorr public_bytesrPEMopenwriter2r ranger7) r[r trust_dir root_cert root_certsrry cert_datawcertsrCdests rgetcars Y2f:(=>>IJ LS{5C*E*E F F F   . 7888  yAI$$ .(A[(P(P >??? 1 2 2 2 b H> ? ? ? D0O1DEE D D D0O1D1@1B1BDD D))(,77Ii&& #! """ # # # # # # # # # # # # # # #   i ( ( (y $@@@ K,QY77DD K K K,QY8I8IJJDDD K%%hl33 )T " " a GGI                  )$$$$ > "&E E E+AI66q#e**%% $ $A8((66Di^+DdD!! Q                   d # # # #  $ >??? skA*A43A4C,,,DD E//E36E3#F88+G&%G&H::H>H>K==L L Kerberosc>ggd}d|dz}t|||}|d||D]}tjt tj|} tj|| |d| v#t$rtj dYt$rtj dt Yt$r|d| YwxYwtd} | "t| gtd } t#} | tj| r`t| d d |d d | d|dd|gt&t&} | \}}tj|| jdkr2||d d}tjd|t3|d}|D]r}t5||}|d d|}tj|d|z}tj|d|z}t| dd |d d|d|d|d|d|ddgt&t&} | \}}tj|| jdkr,||d}tjd||d||g|d |t| "t| gntj d!t7j|S)"z#Install the root certificate chain.)files templatesz0http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?rLrz=Failed to symlink root certificate to the admin trust anchorszZFailed to symlink root certificate to the admin trust anchors. The directory was not foundzupdate-ca-certificatesNgetcertzadd-ca-crKz-ez --server=z --auth=)rrr)rCAz#Failed to add Certificate AuthorityrJz%s.keyrrequestz-Tz-Iz-kz-fz-grn)r CertificatezFailed to request certificaterzOcertmonger and cepces must be installed for certificate auto enrollment to work)rextendrr~rglobal_trust_dirbasenamesymlinkr2PermissionErrorr rFileNotFoundErrorFileExistsErrorr r waitrrr rdebugrrrXrrrjsondumps)r[rer private_dirrMrrrsrcdstupdaterrrrrsupported_templatestemplaterinicknamekeyfilecertfiles r cert_enrollrs,b ) )D >D I;T B B B5bnEE+ / /H(h77E"$V***hoo.?.?.?@Hgll;80CDDGw||Ix(/BCCHw 4FX__..XtWdHU#;s  **733I  '..w77Kw~~i(( , HYU + + + +w~~k** . H[u - - - -.  ND( J   % % %4yyH$$'/D ':'@'@'B'B < >!,,)IaLLLJ%%c$ii;;;; J      # , ,C  ,S ##CH---1w||C$5x@@::d++!) , ,AyG++ z0I0I6F?%$!"#!4!"#!4*+&3,#*=!7 MM(*:I*5777 ))+++) , ,rc |D]C}|d}|ddzstd|Dr|dtddg}t|dkrb||dddtdd g}t|dkrd t |dd dz} | |d kr|D]V} | d d krzt |} | D]g} t| |||} |j t|tj | d | h| d drt| |||| d} |j t|tj | d | 7d| d i}t#jd|XEdS)zRead CEP Data. [MS-CAESO] 4.4.5.3.2.4 In this step autoenrollment initializes instances of the CertificateEnrollmentPolicy by accessing end points associated with CEP groups created in the previous step. rFlagsc&g|]}|ddkSrHLDAP:rr)s rr+z;gp_cert_auto_enroll_ext.__read_cep_data..s!AAAAAeH'AAArrGz(objectClass=*)rootDomainNamingContextr, objectGUIDz{%s}r!rHrrKzhttps://rM)rMrNzUnrecognized endpointN)anyrdrr7rupperrmrrstorerrtrurrWrPencoder rX)rrer=rrr?r%rkres2rr[cas_carr]s r__read_cep_dataz'gp_cert_auto_enroll_ext.__read_cep_dataqs 59 >9 >O "AW:$  AAAAABB jjZ1B";!<>>s88q==zz#a&)B"CA"F",.?#/.22t99>> $.tAw|/DQ/GHHNNPPQ :..& > >e9''9#>>C"//*3Y LL ((T)/)9#f+)F)F)M)M)O)O)-///// Y__&&11*==>&r3 '2FEEEDJ$$SYY(F):):)<)<==DDFF)"U)5EI5u====' >M9 >9 >rcdt|j|jz}t|t |j|j}t |}t |dkr|||||dSt|}|D]g}t||||} |j t|tj|d| hdS)N ldap://%sr session_infor credentialsrrK)rcredsrrrr^r7'_gp_cert_auto_enroll_ext__read_cep_datarmrrrrrtrur) rrYrrrrer=rr[rs r__enrollz gp_cert_auto_enroll_ext.__enrollsODJ@@@c(8(8W$*666!=W E E $ % % ) )  &;!*K 9 9 9 9 92#66C N N"2sI{CC   T!'!1"V*!=!=!D!D!F!FNNNN N Nrci}d}d}|jrtj|j|}||}|s|S|jD]}|j|kr|jdkr|jdzdk}|jdzs|s6i|d<dt|j |j z} t| t|j |j } t|j} t| } t!| d kr=d | D} t#d | Dr| | n| } | D]}d |vr |d d krd}|d}||vri||<i|||<d|vr6t'|d|||d<|d|||d<t+|d}d|D|||d<|S)Nrrrr,rzAuto Enrollment Policyr r rcg|] }|D]}| Srr)r*sleps rr+z0gp_cert_auto_enroll_ext.rsop..s%PPPrRPPrPPPPrc&g|]}|ddkSrr)r*r[s rr+z0gp_cert_auto_enroll_ext.rsop..s!DDD5 W 4DDDrrHrrKr`zCA CertificaterLzAuto Enrollment Serverc6g|]}|Sr)r)r*ts rr+z0gp_cert_auto_enroll_ext.rsop..s EEEAQXXZZEEEr Templates)rrr~rrrYrOrRrrrrrrr^rmr7rrrzrr)rroutputrrZr~rr%rrrer=rcas2r[policyrars rrsopzgp_cert_auto_enroll_ext.rsopsr)K  ' F7<< 18<>C011A55PP-BPPPDDtDDDEE'JJt,,,,"&C!FF B;;2e9+?+?$!9Z!//-/F6N-/vr**b00 0O1D E E L L N N#6N2./?@zNvr*+CD4BzNCC,FE1DEEEvr*;77 r)NN)__name__ __module__ __qualname__rrrrrrrrrr:sq---:>1,1,1,1,fC>C>C>JNNN ,,,,,rr)r)0rr8rsamba.gp.gpclassrsambarrerr samba.authrrrtshutilr subprocessr r rSrsamba.gp.util.loggingr r2cryptography.hazmat.primitives.serialization.pkcs7r ModuleNotFoundErrorrX,cryptography.hazmat.primitives.serializationrcryptography.x509rcryptography.hazmat.backendsrrvrrUrrEr^rmrrrzrrrrrrrrr-s" ''''''))))))))%%%%%%,,,,,, """""""" %%%%%% 5$$$$$$$555111 CI4555555BAAAAA777777888888  ,9 MMM.+.+.+`!!!>.,D*D4444HHHBBB   111h????BxxxxxjxxxxxsAA43A4