0eaddlZddlZddlZddlmZmZmZddlmZddl m Z m Z ddl m Z ddlmZddlZddlmZddlmZmZddlZddlZdd lmZddlZ dd lmZdd lmZddl m!Z!ddl"m#Z#ddl$m%Z%dZ&dZ'gdZ(dZ)dZ*dZ+dZ,d#dZ-dZ.dZ/dZ0dZ1dZ2dZ3dZ4d$d Z5Gd!d"eeZ6y#e$rd Zej:d YrwxYw)%N) gp_pol_ext gp_applierGPOSTATE)Ldb) SCOPE_SUBTREE SCOPE_BASE)system_session)get_dc_hostnamewhich)PopenPIPE)log)load_der_pkcs7_certificatescgSN)xs B/usr/lib/python3/dist-packages/samba/gp/gp_cert_auto_enroll_ext.pyrr$sr zNpython cryptography missing pkcs7 support. Certificate chain parsing will fail)Encoding)load_der_x509_certificate)default_backend) get_strings9 -----BEGIN CERTIFICATE----- %s -----END CERTIFICATE-----zc(https|HTTPS)://(?P[a-zA-Z0-9.-]+)/ADPolicyProvider_CEP_(?P[a-zA-Z]+)/service.svc/CEP)z/etc/pki/trust/anchorsz /etc/pki/ca-trust/source/anchorsz /usr/local/share/ca-certificatesc>dtjd|dddzddtjd|dddzddtjd|dddzddtjd |dd dzdd tjd |d d z S)z)Convert an octet string to an objectGUID.z%02xzH z%02x%02xz>HLN)structunpack)datas roctet_string_to_objectGUIDr$7s% dD1I(Fq(II% dD1I(Fq(II% dD1I(Fq(II% dD2J(G(JJ)FMM%bc,KK  MMrci}|D]6}|d|jvrg||d<||dj|8|jD]}|jd|Dcgc]}|d }}t |}|D]c}|j |}t |tjt||z dz }||k(rHd} t|||dz| |||dzet|jScc}w)aGroup and Sort End Point Information. [MS-CAESO] 4.4.5.3.2.3 In this step autoenrollment processes the end point information by grouping it by CEP ID and sorting in the order with which it will use the end point to access the CEP information. PolicyIDc |dS)NCostres rz6group_and_sort_end_point_information..Ts 1V9r)keyr(c(|ddk(ry|ddk(ryy)N AuthFlagsrr-rr)s r sort_authz7group_and_sort_end_point_information..sort_authcs#[>S({^s*r) keysappendvaluessortsetindexlenoperatorindexOfreversedsortedlist) end_point_informationend_point_groupsr*end_point_group cost_listcostscostijr1s r$group_and_sort_end_point_informationrF@s9 "2 Z= 0 5 5 7 7.0 Qz] +:'..q12 ,224; !45)881QvY8 8I ;D%AIx//0CTJJ1LAAv  &,OAac,B09&;OAac "' ;;:  '') **/9s( Dci}d}|D]m}|jj|s|jj|d}||jvri||<|j|||j <o|j D]}tjt|d}|rRd|jdjddz}||d<|jd|d <|jd |d <t|djd k7sd |di}tjd |icSt|j }|S)zObtain End Point Information. [MS-CAESO] 4.4.5.3.2.2 In this step autoenrollment initializes the CertificateEnrollmentPolicyEndPoints table. z7Software\Policies\Microsoft\Cryptography\PolicyServers\URLz%s-CAserver.rnamehostnameauthzldap:endpointzFailed to parse the endpoint)keyname startswithreplacer2r# valuenamer4rematch endpoint_regrouplowerrerrorrF)entriesr>sectionr*rLcamedatas robtain_end_point_informationr_psOLG :yy##G, yy  "- ,113 3*, !$ '3466d#AKK0 :$**,  HH["U) , QWWX.66sC@@DBvJWWX.BzNBvJ Y__ ' ) "U)-E II4e <I  --B-I-I-KL  rc Lg}|j}d|z}gd}d}|j|t||}t|dk(r|S|D]Y}t |ddt |ddt t j |ddd}|j|[|S) z0Initialize CAs. [MS-CAESO] 4.4.5.3.1.2 zMCN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,%s) cACertificatecn dNSHostNamez"(objectClass=pKIEnrollmentService)rrbrcra)rLrMra)get_default_basednsearchrr8rbase64 b64encoder3) ldbresultbasedndnattrsexprresesr#s rfetch_certification_authoritiesrps F  # # %F Y[a aB 2E /D **Re 4C 3x1} #BtHQK0'=(9!(<=",V-=-=b>QRS>T-U"V  d  Mrc|dg}|j}d|z}d|z}|j|t||}t|dk(rd|dvrt |dSddgiS)NmsPKI-Minimal-Key-SizezOCN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%sz(cn=%s)r-r2048)rdrerr8dict)rhrLrlrjrkrmrns rfetch_template_attrsrusx })*  # # %F Z]c cB t D **Re 4C 3x1}1SV;CF|(6(33rczttjdd|jdtjzS)Ns(.{64})s\1 r) cert_wraprTsubencodeDOTALL)certs rformat_root_certr|s( rvvj(DKKM1biiP PPrc~tjjdddg}tddj |S)NPATHz/usr/lib/certmongerz/usr/libexec/certmongerz cepces-submit:)path)osenvirongetr join)certmonger_dirss rfind_cepces_submitrs5zz~~f-/D02O sxx'@ AArct}|rtjj|st j dgStj }d|d<t|d|zdg|tt}|j\}}|jdk7r(d|ji}t j d ||jjS) NzFailed to find cepces-submitzGET-SUPPORTED-TEMPLATESCERTMONGER_OPERATIONz --server=%sz--auth=Kerberos)envstdoutstderrrErrorz0Failed to fetch the list of supported templates.)rrrexistsrrYrr r communicate returncodedecodestripsplit)rJ cepces_submitrpouterrr#s rget_supported_templatesrs&(M } = 01 **C";C }mf46GHd4 1A}}HC||q& DdK 99;   rcRtjj|d|dz}g} tj|ddd}|!|jd k(s|jd d k(rtjd tjd d|vrtjdtj|d} t|}|j!t"j$}t'|d5} | j)|ddd|j+||S|jd dk(rn t|j}|j!t"j$}t'|d5} | j)|ddd|j+||S|jd dk(rt-|j} t/dt1| D]x} | | j!t"j$}|j3dd\} } d| | | fz}t'|d5} | j)|ddd|j+|z|Stjd|S#tj j $rtjdd}YiwxYw#t$rt|t}YwxYw#1swYxYw#t$r"t|jt}YwxYw#1swYxYw#1swYxYw)z$Fetch Certificate Chain from the CA.%s.crtrL GetCACert CAIdentifier) operationmessage)urlparamsz$Failed to establish a new connectionNrz Content-Typez text/htmlz+Failed to fetch the root certificate chain.zPThe Network Device Enrollment Service is either not installed or not configured.raz'Installing the server certificate only.wbzapplication/x-x509-ca-certzapplication/x-x509-ca-ra-certrrKr-z%s.%d.%sz+getca: Wrong (or missing) MIME content type)rrrrequestsr exceptionsConnectionErrorrwarncontentheadersrf b64decoder TypeErrorr public_bytesrPEMopenwriter3rranger8rsplit)r\r trust_dir root_cert root_certsrder_certificater{ cert_datawcertsrDfilename extensiondests rgetcars Y2f:(=>IJ LLS{5C*E F  yAII$ .(A[(P >? 1 2 b HH> ?$..r//BCO D0A))(,,7Ii& #! " #   i (yy $@@ K,QYY7D%%hll3 )T " a GGI  )$  > "&E E+AII6q#e*% $A8((6D"+"2"23": Hi1i 88DdD! Q     d #  $  >? W    . . 78  D01@1BD D # # K,QYY8IJD K    sYI6 J19K9K"9L0L64J.-J.1KKK"'L  L LL& cptD]%}tjj|s#|cStdS)zIReturn the global trust dir using known paths from various Linux distros.r)global_trust_dirsrrisdir)rs rfind_global_trust_dirrs4& 77== #  Q rc2tdxs tdS)z0Return the command to update the CA trust store.zupdate-ca-certificateszupdate-ca-trustr rrrupdate_ca_commandrs ) * Fe4E.FFrcLtfdjDS)z9Return True if any key present in both dicts has changed.c3@K|]}|vr ||k7ndyw)FNr).0knew_dataold_datas r zchanged..s1&/08m x{*F&s)anyr2)rrs``rchangedr s# &]]_& &&rcVtggdfi|}d|dz}t|||}|dj|t}|D]j} tj j |tj j| } t j| | |dj| lt} | t!| gj#t%d} t'} | ,tj j)| r t!| dd |d d | d |dd |gt*t*}|j-\}}tj.|j1|j2dk7r,|j1|d d}tj4d|t7|d}|D]@}t9||}|d d|j1}tj j |d|z}tj j |d|z}t!| dd |d d|j1d|d|d|d|ddgt*t*}|j-\}}tj.|j1|j2dk7r)|j1|d}tj4d||dj||g|dj|C| 0t!| gj#ntjdt;j<|S#t$rtjdY"t$rtjd|YCt$r|dj| YbwxYw) z#Install the root certificate chain.)files templatesz0http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?rMrz=Failed to symlink root certificate to the admin trust anchorszZFailed to symlink root certificate to the admin trust anchors. The directory was not foundgetcertzadd-ca-crLz-ez --server=z --auth=)rrr)rCAz#Failed to add Certificate AuthorityrKz%s.keyrrequestz-Tz-Iz-kz-fz-grr)r CertificatezFailed to request certificaterzOcertmonger and cepces must be installed for certificate auto enrollment to work)rtrextendrrrrbasenamesymlinkr3PermissionErrorrrFileNotFoundErrorFileExistsErrorrr waitr rrrrdebugrrrYrrujsondumps)r\rhr private_dirrNr#rrglobal_trust_dirsrcdstupdaterrrrrsupported_templatestemplaterlnicknamekeyfilecertfiles r cert_enrollrsC "2. 5" 5D D II;T B5bnE+ /H(h7E"$V*hoo.?@Hggll;80CDGww||Ix(/BCHw 4FX__.XtWdHU#;>!$IIaL ! ##D)4rcZtj|djj}|j ||}|t j |ni}|2t|dD cgc]} |dd| jc} ng} d| i|} t| |s!|jtjk(r|j||||.t| |s"|jtjk7ry||i|} |j||| ycc} w)NrLrMrKr)rfrgryrcache_get_attribute_valuerrrrcache_get_apply_staterENFORCErcache_add_attribute) rrr\ applier_funcargskwargsrold_valrtrrr#s rapplyzgp_cert_auto_enroll_ext.applyes$$RZ%6%6%89@@B 00yA*1*=4::g&2"BYY[\fYgAhiA6 AHHJ7i(*  )3r3 8X &$*D*D*F(JZJZ*Z LLy' 2  wx'B**,0@0@@ T,V,   y$7js2D(Nc D||jjd}||jjd}tjj |stj |dtjj |stj |d|D]J\}}t||vs|t|jD]\}}|j|||L|D]} | jsd} d} tjj| j| } |j| } | sS| jD]>}|j| k(s|jdk(s$|j dzr4|j d zd k(}|j d zd k(}|j d zd k(}|r|j#| j$| j||}|Dcgc]3}t'j(|j+j-5}}|j/| j$| |j1| j$}|j/| j$t3|j5 Aycc}w)Nri)modei7Software\Policies\Microsoft\Cryptography\AutoEnrollmentMACHINE/Registry.polAEPolicyr-r0r)keep)remove)lp cache_path private_pathrrrmkdirstritemsr file_sys_pathrparserZrPrSr# _gp_cert_auto_enroll_ext__enrollrLrfrgryrcleancache_get_all_attribute_valuesr=r2)rdeleted_gpo_listchanged_gpo_listrrrsettings ca_cn_encr#gpor[pol_filerpol_confr*enrollmanageretrive_pendingca_namesnca_attrss rprocess_group_policyz,gp_cert_auto_enroll_ext.process_group_policyxs<  **73I  ''..w7Kww~~i( HHYU +ww~~k* HH[u -. 8ND(4yH$'/D ':'@'@'B8OItLLy$78 8 $ OC  T1ww||C$5$5x@::d+!))OAyyG+ z0I66F?$!"#!4!"#!4*+&&3,#*=!'+}}SXX5=5E5E5> (MH .6(7())/(8(8(D(K(K(M(7H(7 JJsxxhJ? !% C CCHH M% JJsxxX]]_8MJN-O O,(7s/8Jc |D]}|d}|ddzst|Dcgc] }|ddk( c}r|jdtddg}t|d k7rY|j|dddtdd g} t| d k7rd t | dd dj z} | d k7rg} |D]} | ddk(rBt |} | D]1}|j||t||||| j|d 3M| djjdr5|j|| t| |||| d| j| d d| di}tjd|| cSycc}w)zRead CEP Data. [MS-CAESO] 4.4.5.3.2.4 In this step autoenrollment initializes instances of the CertificateEnrollmentPolicy by accessing end points associated with CEP groups created in the previous step. rFlagsrILDAP:rHz(objectClass=*)rootDomainNamingContextr- objectGUIDz{%s}r&rLzhttps://rN)rNrOzUnrecognized endpointN)rrerr8r$upperrprrr3rXrQrrY)rrrhr>rrr@r*rnres2r'rr\cas_car^s r__read_cep_dataz'gp_cert_auto_enroll_ext.__read_cep_datas 58 O "AW:$ AAAeH'ABjjZ1B";!<>s8q=zz#a&)B"CA"F",.?#/.2t9> $.tAw|/DQ/GHNNPQ :.H% >e9'9#>C"5 4k3Y#.0 F 45 Y__&11*=JJtRb#y*F=OOBvJ/("U)5EII5u=! >"Oq8 BsF c dt|j|jz}t|t |j|j}g}t |}t |dkDr&|j|j||||||St|} | D]1} |j|| t| ||||j| d3|S)N ldap://%sr session_infor  credentialsrrL) r credsr rr r_r8r'_gp_cert_auto_enroll_ext__read_cep_datarprrr3) rrrZrrrrhrr>r*r\s r__enrollz gp_cert_auto_enroll_ext.__enrollsODJJ@@c(8WW$**6 r*slepcas2r\policyrbrrs rrsopzgp_cert_auto_enroll_ext.rsopsL)L   77<< 1 18C01A5-BPrRPrPPPtD5 W 4DEJJt,"&C!F B;2e9+?$!9Z!/-/F6N-/vr**b0 0O1D E L L N#6N2./?@zNvr*+CD4BzNC,2EEAQXXZEvr*;7F%" FF - QD(Fs-H H &H)NN) __name__ __module__ __qualname__rrrr!r3rr<rrrrrSs.. 58(:>.O`BH&,rrr)Kerberos)7rr9rsamba.gp.gpclassrrrsambarrhrr samba.authr r rfshutilr subprocessr rrTrsamba.gp.util.loggingrr!2cryptography.hazmat.primitives.serialization.pkcs7rModuleNotFoundErrorrY,cryptography.hazmat.primitives.serializationrcryptography.x509rcryptography.hazmat.backendsr samba.commonrrwrVrr$rFr_rprur|rrrrrrrrrrrrMs" ==)%, " % 5$ B78#  9 9M.+`!>. 4QB "3l G& @DXj*Xa 51 CII455sB22CC