o ei@s ddlmZddlZddlZddlZddlZddlmZddlmZm Z ddl m Z m Z ddl mZddlmZddlmZdd lmZmZdd lmZmZdd lmZdd lmZdd lmZm Z ddl!m"Z"ddl#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+ddl,m-Z-m.Z.m/Z/m0Z0ddl1m2Z2m3Z3ddl4m5Z5m6Z6ddl7m8Z8m9Z9m:Z:m;Z;mZ>m?Z?m@Z@mAZAmBZBmCZCddlDmEZEmFZFmGZGmHZHmIZImJZJmKZKmLZLmMZMddlNmOZOddlPmQZQmRZRmSZSmTZTmUZUeVdddgZWGdddZXGdddZYGdddZZd%d#d$Z[eYZ\dS)&) annotationsN)contextmanager)utilsx509)UnsupportedAlgorithm_Reasons)aead)_CipherContext _CMACContext)_EllipticCurvePrivateKey_EllipticCurvePublicKey)_RSAPrivateKey _RSAPublicKey)openssl)binding)hashes serialization)AsymmetricPadding)dhdsaeced448ed25519rsax448x25519)MGF1OAEPPSSPKCS1v15)PrivateKeyTypesPublicKeyTypes)BlockCipherAlgorithmCipherAlgorithm) AESAES128AES256ARC4SM4CamelliaChaCha20 TripleDES_BlowfishInternal_CAST5Internal _IDEAInternal _SEEDInternal) CBCCFBCFB8CTRECBGCMOFBXTSMode)ssh)PBESPKCS12CertificatePKCS12KeyAndCertificatesPKCS12PrivateKeyTypes_PKCS12CATypes _MemoryBIObiochar_ptrc@s eZdZdS)_RC2N)__name__ __module__ __qualname__rGrG_/var/www/html/venv/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/backend.pyrC\srCc @s$eZdZdZdZhdZefZej ej ej ej ej ejejejejejejejf ZejejejejfZdZdZdd>ZdZde>Z dId d Z!dJd d Z" dKdLddZ#dIddZ$dJddZ%dMddZ&dNddZ'dNd d!Z(dOd"d#Z)dOd$d%Z*dPd&d'Z+dOd(d)Z,dQd.d/Z-dId0d1Z.dId2d3Z/dRd5d6Z0dRd7d8Z1dOd9d:Z2dSdd?Z4dTdAdBZ5dUdFdGZ6dVdHdIZ7dWdMdNZ8dXdQdRZ9dSdTZ:dUdVZ;dYdZd[Zd[dadbZ?d\dddeZ@dOdfdgZAd]djdkZBd]dldmZCd^dodpZDd_dsdtZEd`dudvZFdadxdyZGdbd|d}ZHdcddZIdPddZJdOddZKdPddZLddddZMdeddZNdfddZOdgddZPdeddZQddZRdfddZSdgddZTdhddZUdiddZVdjddZWdkddZXdlddZYdmddZZdnddZ[doddZ\dpddZ]dqddZ^drddZ_dsddĄZ`dtddƄZaduddɄZbdvdd̄Zcdd΄ZddwddЄZeefdd҄ZgdxddքZhdyddބZidZddZjdZddZkdzddZldPddZmd{ddZnd|ddZod}ddZpd~ddZqdddZrdddZs dKdddZtdPddZudddZvdddZwddd ZxdPd d Zydd dZzdddZ{dddZ|dPddZ}dPddZ~dddZdddZdddZdPd d!Zdd#d$Zdd&d'Zdd(d)ZdPd*d+Zdd-d.Zejfd/d0Zdd2d3Zdd5d6Zdd<d=ZdPd>d?ZdPd@dAZddCdDZddEdFZddGdHZdS(Backendz) OpenSSL API binding interfaces. r> aes-128-ccm aes-128-gcm aes-192-ccm aes-192-gcm aes-256-ccm aes-256-gcmireturnNonecCsbt|_|jj|_|jj|_t|_ i|_ | |jj g|_ |jjr/|j |jjdSdSN)rBinding_bindingffi_ffilib_lib rust_opensslis_fips_enabled _fips_enabled_cipher_registry_register_default_ciphers EVP_PKEY_DH _dh_typesCryptography_HAS_EVP_PKEY_DHXappend EVP_PKEY_DHXselfrGrGrH__init__s     zBackend.__init__strcCsd||j|jjS)Nz3)formatopenssl_version_textr]rV_legacy_provider_loadedrerGrGrH__repr__s zBackend.__repr__Nokboolerrors7typing.Optional[typing.List[rust_openssl.OpenSSLError]]cCstj|j||dS)N)ro)r_openssl_assertrZ)rfrmrorGrGrHopenssl_assertszBackend.openssl_assertcCs$|jts Jt|_dSrT)rV _enable_fipsr[r\r]rerGrGrHrss  zBackend._enable_fipscCs|j|j|jjdS)z Friendly string name of the loaded OpenSSL library. This is not necessarily the same version as it was compiled against. Example: OpenSSL 1.1.1d 10 Sep 2019 ascii)rXstringrZOpenSSL_versionOPENSSL_VERSIONdecodererGrGrHrjs zBackend.openssl_version_textintcCs |jSrT)rZOpenSSL_version_numrerGrGrHopenssl_version_number zBackend.openssl_version_number algorithmhashes.HashAlgorithmcCsL|jdks |jdkrd|j|jdd}n|jd}|j|}|S)Nblake2bblake2sz{}{}rt)nameri digest_sizeencoderZEVP_get_digestbyname)rfr}algevp_mdrGrGrH_evp_md_from_algorithms   zBackend._evp_md_from_algorithmcCs ||}|||jjk|SrT)rrrrXNULLrfr}rrGrGrH_evp_md_non_null_from_algorithms z'Backend._evp_md_non_null_from_algorithmcCs,|jr t||js dS||}||jjkSNF)r] isinstance _fips_hashesrrXrrrGrGrHhash_supporteds  zBackend.hash_supportedcC |jr t|tjr dS||Srr]rrSHA1rrfr}rGrGrHsignature_hash_supporteds z Backend.signature_hash_supportedcC|jrdS|jjdkSNFrQ)r]rZCryptography_HAS_SCRYPTrerGrGrHscrypt_supporteds zBackend.scrypt_supportedcCr)NTrrrGrGrHhmac_supporteds zBackend.hmac_supportedcipherr$moder9cCs^|jr t||js dSz |jt|t|f}Wn ty"YdSw||||}|jj|kSr)r]r _fips_ciphersr^typeKeyErrorrXr)rfrradapter evp_cipherrGrGrHcipher_supporteds    zBackend.cipher_supportedcCs0||f|jvrtd||||j||f<dS)Nz"Duplicate registration for: {} {}.)r^ ValueErrorri)rf cipher_clsmode_clsrrGrGrHregister_cipher_adapterszBackend.register_cipher_adaptercCstttfD]}ttttttt fD] }| ||t dqqtttttfD] }| t |t dq$ttttfD] }| t |t dq6| t tt d| ttdt d| ttttttttfD] }| t|t dqd|jjsx|jjsttttfD] }| t|t dq~ttttfD] }| t|t dqtttgttttgD] \}}| ||t dq| ttdt d | ttdt d dSdS) Nz+{cipher.name}-{cipher.key_size}-{mode.name}zdes-ede3-{mode.name}zdes-ede3chacha20zsm4-{mode.name}zbf-{mode.name}zseed-{mode.name}z{cipher.name}-{mode.name}rc4rc2)r%r&r'r1r4r5r7r2r3r6rGetCipherByNamer*r,r+rr8_get_xts_cipherr)rVrkrZ#CRYPTOGRAPHY_OPENSSL_300_OR_GREATERr-r0 itertoolsproductr.r/r(rC)rfrrrGrGrHr_s~     z!Backend._register_default_ciphersr cCt|||tjSrT)r _ENCRYPTrfrrrGrGrHcreate_symmetric_encryption_ctxLz'Backend.create_symmetric_encryption_ctxcCrrT)r _DECRYPTrrGrGrHcreate_symmetric_decryption_ctxQrz'Backend.create_symmetric_decryption_ctxcCs ||SrT)rrrGrGrHpbkdf2_hmac_supportedVr|zBackend.pbkdf2_hmac_supported&typing.List[rust_openssl.OpenSSLError]cCstSrT)r[capture_error_stackrerGrGrH_consume_errorsYszBackend._consume_errorscCsz||jjksJ||j| |j|}|jd|}|j||}||dkt |j |d|d}|S)Nzunsigned char[]rbig) rXrrrrZBN_is_negative BN_num_bytesnew BN_bn2binry from_bytesbuffer)rfbn bn_num_bytesbin_ptrbin_lenvalrGrGrH _bn_to_int\s zBackend._bn_to_intnumcCsJ|t|ddd}|j|t||jj}|||jjk|S)a  Converts a python integer to a BIGNUM. The returned BIGNUM will not be garbage collected (to support adding them to structs that take ownership of the object). Be sure to register it for GC if it will be discarded after use. g @rQr) to_bytesry bit_lengthrZ BN_bin2bnlenrXrrr)rfrbinarybn_ptrrGrGrH _int_to_bnhszBackend._int_to_bnpublic_exponentkey_sizersa.RSAPrivateKeycCst|||j}|||jjk|j||jj}| |}|j||jj }|j ||||jj}||dk| |}t |||ddS)NrQTunsafe_skip_rsa_key_validation)r_verify_rsa_parametersrZRSA_newrrrXrgcRSA_freerBN_freeRSA_generate_key_ex_rsa_cdata_to_evp_pkeyr)rfrr rsa_cdatarresevp_pkeyrGrGrHgenerate_rsa_private_keyts     z Backend.generate_rsa_private_keycCs|dko |d@dko |dkS)NrQrirG)rfrrrGrGrH!generate_rsa_parameters_supporteds  z)Backend.generate_rsa_parameters_supportednumbersrsa.RSAPrivateNumbersrc Cs6t|j|j|j|j|j|j|jj |jj |j }| ||jjk|j||j j}||j}||j}||j}||j}||j}||j} ||jj } ||jj } |j |||} | | dk|j || | |} | | dk|j |||| } | | dk||} t||| |dS)NrQr)r_check_private_key_componentspqddmp1dmq1iqmppublic_numbersenrZrrrrXrrrrRSA_set0_factors RSA_set0_keyRSA_set0_crt_paramsrr)rfrrrrrrrrrrrrrrGrGrHload_rsa_private_numberssD        z Backend.load_rsa_private_numbersrsa.RSAPublicNumbersrsa.RSAPublicKeycCst|j|j|j}|||jjk|j ||jj }| |j}| |j}|j ||||jj}||dk| |}t|||SNrQ)r_check_public_key_componentsrrrZrrrrXrrrrrrr)rfrrrrrrrGrGrHload_rsa_public_numberss     zBackend.load_rsa_public_numberscCs2|j}|||jjk|j||jj}|SrT)rZ EVP_PKEY_newrrrXrr EVP_PKEY_free)rfrrGrGrH_create_evp_pkey_gcs zBackend._create_evp_pkey_gccC(|}|j||}||dk|Sr)rrZEVP_PKEY_set1_RSArr)rfrrrrGrGrHrzBackend._rsa_cdata_to_evp_pkeydatabytesr@cCsH|j|}|j|t|}|||jjkt|j||jj |S)z Return a _MemoryBIO namedtuple of (BIO, char*). The char* is the storage for the BIO and it must stay alive until the BIO is finished with. ) rX from_bufferrZBIO_new_mem_bufrrrrr@rBIO_free)rfrdata_ptrrArGrGrH _bytes_to_bios zBackend._bytes_to_biocCsP|j}|||jjk|j|}|||jjk|j||jj}|S)z. Creates an empty memory BIO. )rZ BIO_s_memrrrXrBIO_newrr)rf bio_methodrArGrGrH_create_mem_bio_gcs  zBackend._create_mem_bio_gccCs\|jd}|j||}||dk||d|jjk|j|d|dd}|S)zE Reads a memory BIO. This only works on memory BIOs. zchar **rN)rXrrZBIO_get_mem_datarrrr)rfrAbufbuf_lenbio_datarGrGrH _read_mem_bios zBackend._read_mem_bior!cCs,|j|}||jjkr,|j|}|||jjk|j||jj}t ||||dS||jj krs|jj ss|jj ss|jj ss|j|}|||jjk|j||jj}|}|j||}||dk|j||d|dS||jjkrtjt|jd|S||jjkr|j|}|||jjk|j||jj}t|||S||jvrtjt|jd|S|t|jddkrtjt|jd|S|t|jddkrtj t|jd|S||jj!krtj"t|jd|S|t|jddkrtj#t|jd|St$d ) zd Return the appropriate type of PrivateKey given an evp_pkey cdata pointer. rrQN)passwordr uintptr_tEVP_PKEY_ED25519 EVP_PKEY_X448EVP_PKEY_ED448Unsupported key type.)%rZ EVP_PKEY_id EVP_PKEY_RSAEVP_PKEY_get1_RSArrrXrrrrEVP_PKEY_RSA_PSSCRYPTOGRAPHY_IS_LIBRESSLCRYPTOGRAPHY_IS_BORINGSSL#CRYPTOGRAPHY_OPENSSL_LESS_THAN_111Eri2d_RSAPrivateKey_bioload_der_private_keyr  EVP_PKEY_DSAr[rprivate_key_from_ptrrycast EVP_PKEY_ECEVP_PKEY_get1_EC_KEY EC_KEY_freer rargetattrrrEVP_PKEY_X25519rrr)rfrrkey_typerrArec_cdatarGrGrH_evp_pkey_to_private_keysv           z Backend._evp_pkey_to_private_keyr"cCs.|j|}||jjkr*|j|}|||jjk|j||jj}t |||S||jj krn|jj sn|jj sn|jj sn|j|}|||jjk|j||jj}|}|j||}||dk|||S||jjkrtjt|jd|S||jjkr|j|}||jjkr|}td||j||jj}t|||S||jvrtjt|jd|S|t |jddkrtj!t|jd|S|t |jddkrtj"t|jd|S||jj#krtj$t|jd|S|t |jddkrtj%t|jd|St&d) zc Return the appropriate type of PublicKey given an evp_pkey cdata pointer. rQr zUnable to load EC keyr Nrrr)'rZrrrrrrXrrrrrrrrri2d_RSAPublicKey_bioload_der_public_keyr rr[rpublic_key_from_ptrryrrrrrrr rarr rrr!rrr)rfrr"rrArr#rorGrGrH_evp_pkey_to_public_keyGsh              zBackend._evp_pkey_to_public_keycCs4|jr t|tjr dSt|tjtjtjtjtjfSr)r]rrrSHA224SHA256SHA384SHA512rrGrGrH_oaep_hash_supportedszBackend._oaep_hash_supportedpaddingrcCst|trdSt|tr&t|jtr&|jrt|jjtjrdS| |jjSt|t r>t|jtr>| |jjo=| |jSdS)NTF) rr r_mgfrr] _algorithmrrrrr-rfr.rGrGrHrsa_padding_supporteds   zBackend.rsa_padding_supportedcCs|jr t|tr dS||Sr)r]rr r2r1rGrGrHrsa_encryption_supporteds z Backend.rsa_encryption_supporteddsa.DSAParameterscCs|dvrtdtj|S)N)irPi iz0Key size must be 1024, 2048, 3072, or 4096 bits.)rr[rgenerate_parameters)rfrrGrGrHgenerate_dsa_parameterss  zBackend.generate_dsa_parameters parametersdsa.DSAPrivateKeycC|SrTgenerate_private_keyrfr7rGrGrHgenerate_dsa_private_keyz Backend.generate_dsa_private_keycC||}||SrT)r6r=)rfrr7rGrGrH'generate_dsa_private_key_and_parameterss  z/Backend.generate_dsa_private_key_and_parametersdsa.DSAPrivateNumberscCt|tj|SrT)r_check_dsa_private_numbersr[from_private_numbersrfrrGrGrHload_dsa_private_numbers  z Backend.load_dsa_private_numbersdsa.DSAPublicNumbersdsa.DSAPublicKeycCst|jtj|SrT)r_check_dsa_parametersparameter_numbersr[from_public_numbersrErGrGrHload_dsa_public_numberss  zBackend.load_dsa_public_numbersdsa.DSAParameterNumberscCrBrT)rrJr[from_parameter_numbersrErGrGrHload_dsa_parameter_numbersrGz"Backend.load_dsa_parameter_numberscCs|jj o|j SrT)rZrr]rerGrGrH dsa_supportedszBackend.dsa_supportedcCs|sdS||Sr)rQrrrGrGrHdsa_hash_supporteds zBackend.dsa_hash_supportedcCs||td|jS)N)rr1 block_sizerrGrGrHcmac_algorithm_supportedsz Backend.cmac_algorithm_supportedr#r cCs t||SrTr rrGrGrHcreate_cmac_ctxr|zBackend.create_cmac_ctxr typing.Optional[bytes]cCs||jj|||SrT) _load_keyrZPEM_read_bio_PrivateKey)rfrr rrGrGrHload_pem_private_keys zBackend.load_pem_private_keycCs||}|jd}|j|j|jj|j|jjd|}||jjkr2|j ||jj }| |S| |j |j}||dk|j|j|jj|j|jjd|}||jjkrq|j ||jj}||}t|||S|dS)NCRYPTOGRAPHY_PASSWORD_DATA *Cryptography_pem_password_cbrQ)rrXrrZPEM_read_bio_PUBKEYrAr addressof _original_librrr(r BIO_resetrrPEM_read_bio_RSAPublicKeyrrr_handle_key_loading_error)rfrmem_biouserdatarrrrGrGrHload_pem_public_keys:        zBackend.load_pem_public_keydh.DHParameterscC tj|SrT)r[rfrom_pem_parametersrfrrGrGrHload_pem_parameters zBackend.load_pem_parameterscCs:||}|||}|r|||S||jj|||SrT)r"_evp_pkey_from_der_traditional_keyr$rXrZd2i_PKCS8PrivateKey_bio)rfrr rr keyrGrGrHrs zBackend.load_der_private_keycCsR|j|j|jj}||jjkr#|j||jj}|dur!td|S|dS)N4Password was given but private key is not encrypted.) rZd2i_PrivateKey_biorArXrrr TypeErrorr)rfr r rnrGrGrHrl9s z*Backend._evp_pkey_from_der_traditional_keycCs||}|j|j|jj}||jjkr#|j||jj}||S| |j |j}| |dk|j |j|jj}||jjkrY|j||jj }||}t|||S|dSr)rrZd2i_PUBKEY_biorArXrrrr(rr`rrd2i_RSAPublicKey_biorrrrb)rfrrcrrrrGrGrHr&Gs        zBackend.load_der_public_keycCrgrT)r[rfrom_der_parametersrirGrGrHload_der_parameters^rkzBackend.load_der_parameterscertx509.Certificate typing.AnycCsT|tjj}||}|j|j|jj }| ||jj k|j ||jj }|SrT) public_bytesrEncodingDERrrZ d2i_X509_biorArXrrrr X509_free)rfrvrrcrrGrGrH _cert2osslas  zBackend._cert2osslx509_ptrcCs4|}|j||}||dkt||Sr)rrZ i2d_X509_biorrrload_der_x509_certificater )rfrrArrGrGrH _ossl2certiszBackend._ossl2certrnr>cCs\|tjjtjjt}||}|j |j |j j }| ||j j k|j ||jjSrT) private_bytesrrzr{ PrivateFormatPKCS8 NoEncryptionrrZrprArXrrrrr)rfrnrrcrrGrGrH _key2osslos zBackend._key2osslc Cs||}|jd}|dur#td||j|}||_t||_||j |jj |j |j j d|}||jj kra|jdkr]||jdkrLtd|jdksSJtd|jd ||j||j j}|durw|jdkrwtd |dur|jd ks|dusJ|||S) Nr[r r\rz3Password was not given but private key is encryptedzAPasswords longer than {} bytes are not supported by this backend.rQro)rrXrr_check_byteslikerr rlengthrArr^rZr_errorrrqrrimaxsizerbrrcalledr$) rfopenssl_read_funcrr rrcrd password_ptrrrGrGrHrX~sL         zBackend._load_keytyping.NoReturncs}|s td|djjjjs2|djjjjs2jjr6|djj jj r6tdt fdd|DrEtdtd|)Nz|Could not deserialize key data. The data may be in an incorrect format or it may be encrypted with an unsupported algorithm.rz Bad decrypt. Incorrect password?c3s$|] }|jjjjVqdSrT)_lib_reason_matchrZ ERR_LIB_EVP'EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM).0rrerGrH s z4Backend._handle_key_loading_error..z!Unsupported public key algorithm.zCould not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).) rrrrZrEVP_R_BAD_DECRYPTERR_LIB_PKCS12!PKCS12_R_PKCS12_CIPHERFINAL_ERRORCryptography_HAS_PROVIDERS ERR_LIB_PROVPROV_R_BAD_DECRYPTany)rfrorGrerHrbs<    z!Backend._handle_key_loading_errorcurveec.EllipticCurvecCspz||}Wn ty|jj}Ynw|j|}||jjkr'|dS|||jjk|j |dS)NFT) _elliptic_curve_to_nidrrZ NID_undefEC_GROUP_new_by_curve_namerXrrrr EC_GROUP_free)rfr curve_nidgrouprGrGrHelliptic_curve_supporteds     z Backend.elliptic_curve_supportedsignature_algorithm"ec.EllipticCurveSignatureAlgorithmcCst|tjsdS||Sr)rrECDSAr)rfrrrGrGrH,elliptic_curve_signature_algorithm_supporteds  z4Backend.elliptic_curve_signature_algorithm_supportedec.EllipticCurvePrivateKeycCsZ||r"||}|j|}||dk||}t|||Std|jdt j )z@ Generate a new private key on the named curve. rQz Backend object does not support .) r_ec_key_new_by_curverZEC_KEY_generate_keyrr_ec_cdata_to_evp_pkeyr rrrUNSUPPORTED_ELLIPTIC_CURVE)rfrr#rrrGrGrH#generate_elliptic_curve_private_keys      z+Backend.generate_elliptic_curve_private_keyec.EllipticCurvePrivateNumbersc CsZ|j}||j}|j||j|jj}|j ||}|dkr)| t d| m}| ||j|j||j|}|||jjktj|}|||jjk|j|} || |jjk|j| |jj} |j|| ||jj|jj|}||dk|j||| |dkrt dWdn1swY||} t||| S)NrQInvalid EC key.r)rrrrXrr private_valuerZ BN_clear_freeEC_KEY_set_private_keyrr _tmp_bn_ctx)_ec_key_set_public_key_affine_coordinatesxyEC_KEY_get0_grouprrrbackendEC_KEY_get0_public_key EC_POINT_new EC_POINT_free EC_POINT_mul EC_POINT_cmprr ) rfrpublicr#rrbn_ctxr set_pointcomputed_pointrrGrGrH#load_elliptic_curve_private_numberssR       ! z+Backend.load_elliptic_curve_private_numbersec.EllipticCurvePublicNumbersec.EllipticCurvePublicKeycCs^||j}|}|||j|j|Wdn1swY||}t|||SrT)rrrrrrrr )rfrr#rrrGrGrH"load_elliptic_curve_public_numbersEs     z*Backend.load_elliptic_curve_public_numbers point_bytesc Cs||}|j|}|||jjk|j|}|||jjk|j||jj}| }|j |||t ||}|dkrI| t dWdn1sSwY|j||}||dk||}t|||S)NrQz(Invalid public bytes for the given curve)rrZrrrrXrrrrrEC_POINT_oct2pointrrrEC_KEY_set_public_keyrr ) rfrrr#rpointrrrrGrGrH load_elliptic_curve_public_bytesQs&      z(Backend.load_elliptic_curve_public_bytesrc Csv||}|j|}|||jjk|j|}|||jjk|j||jj}| |}|j||jj }| @}|j ||||jj|jj|}||dk|j |} |j |} |j||| | |}|dkrw|tdWdn1swY|j||}||dk| |} |j| |jj } |j|| }||dk||} t||| S)NrQz'Unable to derive key from private_value)rrZrrrrXrrrrrrrr BN_CTX_getEC_POINT_get_affine_coordinatesrrrrrr ) rfrrr#rrvaluerrbn_xbn_yprivaterrGrGrH!derive_elliptic_curve_private_keygs>           z)Backend.derive_elliptic_curve_private_keycCr?rT)r_ec_key_new_by_curve_nid)rfrrrGrGrHrs  zBackend._ec_key_new_by_curvercCs0|j|}|||jjk|j||jjSrT)rZEC_KEY_new_by_curve_namerrrXrrr)rfrr#rGrGrHrs z Backend._ec_key_new_by_curve_nidec.ECDHcCs,|jr t||js dS||ot|tjSr)r]r_fips_ecdh_curvesrrECDH)rfr}rrGrGrH+elliptic_curve_exchange_algorithm_supporteds z3Backend.elliptic_curve_exchange_algorithm_supportedcCrr)rrZEVP_PKEY_set1_EC_KEYrr)rfr#rrrGrGrHrrzBackend._ec_cdata_to_evp_pkeycCsNddd}||j|j}|j|}||jjkr%t|jdtj|S)z/ Get the NID for a curve name. prime192v1 prime256v1) secp192r1 secp256r1z" is not a supported elliptic curve) getrrZ OBJ_sn2nidrrrrr)rfr curve_aliases curve_namerrGrGrHrs   zBackend._elliptic_curve_to_nidc csd|j}|||jjk|j||jj}|j|z |VW|j|dS|j|wrT) rZ BN_CTX_newrrrXrr BN_CTX_free BN_CTX_start BN_CTX_end)rfrrGrGrHrs  zBackend._tmp_bn_ctxrrcCs|dks|dkr td|j|||jj}|j|||jj}|j|}|||jjk|j |}|||jjk|j||jj }|j |||||}|dkra| td|j ||}||dkdS)zg Sets the public key point in the EC_KEY context to the affine x and y values. rz2Invalid EC key. Both x and y must be non-negative.rQrN)rrXrrrZrrrrrrrEC_POINT_set_affine_coordinatesrr)rfr#rrrrrrrGrGrHrs&    z1Backend._ec_key_set_public_key_affine_coordinatesencodingserialization.Encodingriserialization.PrivateFormatencryption_algorithm(serialization.KeySerializationEncryptionc Cst|tjs tdt|tjstdt|tjstdt|tjr'd}n4t|tjr;|j}t |dkr:t dn t|tj rW|j |urNtjj urWnt d|j}nt d|tjjur|tjjurl|jj}n|tjjurw|jj}nt d||||S|tjjur|jrt|tjst d |j|} |tjjur| |jjkr|jj}n | |jjksJ|jj}||||S|tjjur|rt d | |jjkr|jj}n | |jjksJ|jj}|||St d |tjj ur|tjjurt |||St d t d )N/encoding must be an item from the Encoding enumz2format must be an item from the PrivateFormat enumzBEncryption algorithm must be a KeySerializationEncryption instanceizBPasswords longer than 1023 bytes are not supported by this backendzUnsupported encryption typezUnsupported encoding for PKCS8zCEncrypted traditional OpenSSL format is not supported in FIPS mode.zDEncryption is not supported for DER encoded traditional OpenSSL keysz+Unsupported encoding for TraditionalOpenSSLz=OpenSSH private key format can only be used with PEM encodingformat is invalid with this key)!rrrzrqrKeySerializationEncryptionrBestAvailableEncryptionr rr_KeySerializationEncryption_formatOpenSSHrPEMrZPEM_write_bio_PKCS8PrivateKeyr{i2d_PKCS8PrivateKey_bio_private_key_bytes_via_bioTraditionalOpenSSLr]rrPEM_write_bio_RSAPrivateKeyrPEM_write_bio_ECPrivateKeyri2d_ECPrivateKey_bio_bio_func_outputr:_serialize_ssh_private_key) rfrrirrnrcdatar  write_bior"rGrGrH_private_key_bytess                  zBackend._private_key_bytesc Cs<|s|jj}n|jd}|||||t||jj|jjS)Ns aes-256-cbc)rXrrZEVP_get_cipherbynamerr)rfrrr rrGrGrHrYs  z"Backend._private_key_bytes_via_biocGs0|}||g|R}||dk||Sr)rrrr )rfrargsrArrGrGrHrls zBackend._bio_func_outputserialization.PublicFormatcCst|tjs tdt|tjstd|tjjur:|tjjur%|jj}n|tjj ur0|jj }nt d| ||S|tjj urp|j|}||jjkrPt d|tjjur[|jj}n|tjj urf|jj}nt d| ||S|tjjur|tjjurt|St dt d)Nrz1format must be an item from the PublicFormat enumz8SubjectPublicKeyInfo works only with PEM or DER encodingz+PKCS1 format is supported only for RSA keysz)PKCS1 works only with PEM or DER encodingz1OpenSSH format must be used with OpenSSH encodingr)rrrzrq PublicFormatSubjectPublicKeyInforrZPEM_write_bio_PUBKEYr{i2d_PUBKEY_biorrPKCS1rrPEM_write_bio_RSAPublicKeyr%rr:serialize_ssh_public_key)rfrrirnrrrr"rGrGrH_public_key_bytesrs@                   zBackend._public_key_bytescC |jj SrTrZrrerGrGrH dh_supportedr|zBackend.dh_supported generatorcCstj||SrT)r[rr5rfrrrGrGrHgenerate_dh_parametersszBackend.generate_dh_parametersdh.DHPrivateKeycCr9rTr:r<rGrGrHgenerate_dh_private_keyr>zBackend.generate_dh_private_keycCs||||SrT)rrrrGrGrH&generate_dh_private_key_and_parameterss z.Backend.generate_dh_private_key_and_parametersdh.DHPrivateNumberscCrgrT)r[rrDrErGrGrHload_dh_private_numbers zBackend.load_dh_private_numbersdh.DHPublicNumbersdh.DHPublicKeycCrgrT)r[rrLrErGrGrHload_dh_public_numbersrzBackend.load_dh_public_numbersdh.DHParameterNumberscCrgrT)r[rrOrErGrGrHload_dh_parameter_numbersrz!Backend.load_dh_parameter_numbersrgrtyping.Optional[int]cCs4ztjtj|||dWdStyYdSw)N)rr rFT)r[rrODHParameterNumbersr)rfrr rrGrGrHdh_parameters_supporteds zBackend.dh_parameters_supportedcCs |jjdkSr)rZrbrerGrGrHdh_x942_serialization_supportedrkz'Backend.dh_x942_serialization_supportedx25519.X25519PublicKeycCrgrT)r[rfrom_public_bytesrirGrGrHx25519_load_public_bytesrkz Backend.x25519_load_public_bytesx25519.X25519PrivateKeycCrgrT)r[rfrom_private_bytesrirGrGrHx25519_load_private_bytesrz!Backend.x25519_load_private_bytescC tjSrT)r[r generate_keyrerGrGrHx25519_generate_keyr|zBackend.x25519_generate_keycCs|jrdS|jj Sr)r]rZ#CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370rerGrGrHx25519_supporteds zBackend.x25519_supportedx448.X448PublicKeycCrgrT)r[rr&rirGrGrHx448_load_public_bytesrkzBackend.x448_load_public_bytesx448.X448PrivateKeycCrgrT)r[rr)rirGrGrHx448_load_private_bytesrkzBackend.x448_load_private_bytescCr+rT)r[rr,rerGrGrHx448_generate_keyr|zBackend.x448_generate_keycC|jrdS|jj o|jj Srr]rZrrrerGrGrHx448_supported  zBackend.x448_supportedcCs|jrdS|jjSr)r]rZ CRYPTOGRAPHY_HAS_WORKING_ED25519rerGrGrHed25519_supportedszBackend.ed25519_supporteded25519.Ed25519PublicKeycCrgrT)r[rr&rirGrGrHed25519_load_public_bytesrz!Backend.ed25519_load_public_bytesed25519.Ed25519PrivateKeycCrgrT)r[rr)rirGrGrHed25519_load_private_bytesrz"Backend.ed25519_load_private_bytescCr+rT)r[rr,rerGrGrHed25519_generate_key r|zBackend.ed25519_generate_keycCr5rr6rerGrGrHed448_supportedr8zBackend.ed448_supporteded448.Ed448PublicKeycCrgrT)r[rr&rirGrGrHed448_load_public_bytesrkzBackend.ed448_load_public_bytesed448.Ed448PrivateKeycCrgrT)r[rr)rirGrGrHed448_load_private_bytesrkz Backend.ed448_load_private_bytescCr+rT)r[rr,rerGrGrHed448_generate_keyr|zBackend.ed448_generate_keycCs t||SrT)r_aead_cipher_supported)rfrrGrGrHaead_cipher_supportedrkzBackend.aead_cipher_supportedrcCst|D]}d||<qdS)Nr)range)rfrrirGrGrH _zero_data"s  zBackend._zero_datac cs~|dur |jjVdSt|}|jd|d}|j|||z|VW||jd||dS||jd||w)a This method takes bytes, which can be a bytestring or a mutable buffer like a bytearray, and yields a null-terminated version of that data. This is required because PKCS12_parse doesn't take a length with its password char * and ffi.from_buffer doesn't provide null termination. So, to support zeroing the data via bytearray we need to build this ridiculous construct that copies the memory, but zeroes it after use. Nzchar[]rQz uint8_t *)rXrrrmemmoverJr)rfrdata_lenrrGrGrH_zeroed_null_terminated_buf)s 2z#Backend._zeroed_null_terminated_bufptyping.Tuple[typing.Optional[PrivateKeyTypes], typing.Optional[x509.Certificate], typing.List[x509.Certificate]]cCs2|||}|j|jr|jjnddd|jDfS)NcSsg|]}|jqSrG) certificate)rrvrGrGrH KszABackend.load_key_and_certificates_from_pkcs12..) load_pkcs12rnrvrOadditional_certs)rfrr pkcs12rGrGrH%load_key_and_certificates_from_pkcs12@s z-Backend.load_key_and_certificates_from_pkcs12r=cCsr|dur td|||}|j|j|jj}||jjkr'|t d|j ||jj }|j d}|j d}|j d}| |}|j|||||} Wdn1s\wY| dkrm|t dd} d} g} |d|jjkr|j |d|jj} |j| dd } |d|jjkr|j |d|jj}||}d}|j||jj}||jjkr|j|}t||} |d|jjkr3|j |d|jj}|j|d}|jjs|jjrt|}ntt|}|D]@}|j||}|||jjk|j ||jj}||}d}|j||jj}||jjkr*|j|}| t||qt| | | S) Nr z!Could not deserialize PKCS12 dataz EVP_PKEY **zX509 **zCryptography_STACK_OF_X509 **rzInvalid password or PKCS12 dataFr) rrrrZd2i_PKCS12_biorArXrrrr PKCS12_freerrM PKCS12_parserr$r}rX509_alias_get0rur< sk_X509_free sk_X509_numrrrHreversed sk_X509_valuerrrcr=)rfrr rAp12 evp_pkey_ptrr sk_x509_ptr password_bufrrvrnadditional_certificatesrrcert_objr maybe_namesk_x509rindicesrI addl_cert addl_namerGrGrHrQNsr                 zBackend.load_pkcs12r&typing.Optional[PKCS12PrivateKeyTypes]!typing.Optional[x509.Certificate]cas,typing.Optional[typing.List[_PKCS12CATypes]]cCszd}|dur td|t|tjrd}d}d} d} |jj} nt|tjrF|jj r2|jj }|jj }n|jj }|jj }d} d} |jj} |j }nst|tj r|jtjjurd}d}d} d} |j }|j} | tjuro|jj }|jj }n| tjur|jj s|td|jj }|jj }n| dusJ|jdur|jjstd||j} || |jjkn|jj} |jdur|j} ntd|dust|dkr|jj} n]|j} |j| |jj} g}|D]J}t|t r |j!}|"|j#}|dur|j$||jjd}n |j$||t|}||dkn|"|}|%||j&| |}t'|dkq|(|a}|(|1}|r9|"|n|jj}|durG|)|n|jj}|j*||||| ||| | d }Wdn 1sewY|jjr| |jjkr|j+||d|jjd| | Wdn 1swY|||jjk|j||jj,}|-}|j.||}||dk|/|S) Nrrri NrQz2PBESv2 is not supported by this version of OpenSSLzBSetting MAC algorithm is not supported by this version of OpenSSL.zUnsupported key encryption type)0r _check_bytesrrrrXrrrZrNID_aes_256_cbc&NID_pbe_WithSHA1And3_Key_TripleDES_CBCr rrrPKCS12_key_cert_algorithmr;PBESv1SHA1And3KeyTripleDESCBCPBESv2SHA256AndAES256CBCr _hmac_hashCryptography_HAS_PKCS12_SET_MACrrr _kdf_roundsrrsk_X509_new_nullrrYr< friendly_namer~rOX509_alias_set1rc sk_X509_pushrrMr PKCS12_createPKCS12_set_macrVri2d_PKCS12_bior )rfrrnrvrjrr nid_certnid_key pkcs12_itermac_itermac_alg keycertalgrdossl_cascaca_aliasossl_carr`name_buf ossl_cert ossl_pkeyr]rArGrGrH(serialize_key_and_certificates_to_pkcs12s                     " z0Backend.serialize_key_and_certificates_to_pkcs12cCrr)r]rZCryptography_HAS_POLY1305rerGrGrHpoly1305_supported7s zBackend.poly1305_supportedcCrrTrrerGrGrHpkcs7_supported<r|zBackend.pkcs7_supportedtyping.List[x509.Certificate]cCsntd|||}|j|j|jj|jj|jj}||jjkr)|t d|j ||jj }| |SNrzUnable to parse PKCS7 data) rrlrrZPEM_read_bio_PKCS7rArXrrrr PKCS7_free_load_pkcs7_certificatesrfrrAp7rGrGrHload_pem_pkcs7_certificates?s    z#Backend.load_pem_pkcs7_certificatescCsbtd|||}|j|j|jj}||jjkr#|t d|j ||jj }| |Sr) rrlrrZ d2i_PKCS7_biorArXrrrrrrrrGrGrHload_der_pkcs7_certificatesNs    z#Backend.load_der_pkcs7_certificatesc Cs|j|j}|||jjk||jjkrtd|tj g}|j j |j j kr+|S|j j j}|j|}t|D]}|j||}|||j j k||}||q:|S)NzNOnly basic signed structures are currently supported. NID for this data was {})rZ OBJ_obj2nidrrrrNID_pkcs7_signedrrirUNSUPPORTED_SERIALIZATIONrsignrXrrvrZrHr\rrc) rfrnidcertsrdrrIrrvrGrGrHr[s&      z Backend._load_pkcs7_certificates)rRrS)rRrhrT)rmrnrorprRrS)rRry)r}r~)r}r~rRrn)rRrn)rr$rr9rRrn)rr$rr9rRr )rRr)rry)rryrryrRr)rryrryrRrn)rrrrnrRr)rrrRr)rrrRr@)rRr)rrnrRr!)rRr")r.rrRrn)rryrRr4)r7r4rRr8)rryrRr8)rrArRr8)rrHrRrI)rrNrRr4)r}r#rRr )rrr rWrrnrRr!)rrrRr")rrrRrf)rvrwrRrx)rrxrRrw)rnr>rRrx)rRr!)rRr)rrrRrn)rrrrrRrn)rrrRr)rrrRr)rrrRr)rrrrrRr)rryrrrRr)rr)rry)r}rrrrRrn)rrrRry)rryrryrRrS)rrrirrrrRr)rrrirrRr)rryrryrRrf)r7rfrRr)rryrryrRr)rrrRr)rrrRr)rrrRrf)rryr ryrr!rRrn)rrrRr%)rrrRr()rRr()rrrRr0)rrrRr2)rRr2)rrrRr;)rrrRr=)rRr=)rrrRrA)rrrRrC)rRrC)rryrRrS)rrr rWrRrN)rrr rWrRr=) rrWrnrhrvrirjrkrrrRr)rrrRr)rRr)rDrErF__doc__r _fips_aeadr%rrr)r*r+r, SHA512_224 SHA512_256SHA3_224SHA3_256SHA3_384SHA3_512SHAKE128SHAKE256rr SECP224R1 SECP256R1 SECP384R1 SECP521R1r_fips_rsa_min_key_size_fips_rsa_min_public_exponent_fips_dsa_min_modulus_fips_dh_min_key_size_fips_dh_min_modulusrgrlrrrsrjr{rrrrrrrrr_rrrrrrrrrrrrrrr r$r(r-r2r3r6r=r@rFrMrPrQrRrUrVrZrerjrrlr&rur~rrrXrbrrrrrrrrrrrrrrrrrrrrrrrrrrr#r$r'r*r-r/r1r3r4r7r:r<r>r?r@rBrDrErGrJ contextlibrMrTrQrrrrrrrGrGrGrHrI`s              D      )  L ?              *        4 .   4  *     ! p   7       K rIc@s eZdZdddZdd d Zd S)rfmtrhcCs ||_dSrT)_fmt)rfrrGrGrHrgur|zGetCipherByName.__init__rrIrr$rr9cCsd|jj||d}|j|d}||jjkr,|jjr,|j |jj|d|jj}| |S)N)rrrt) rrilowerrZrrrXrCryptography_HAS_300_EVP_CIPHEREVP_CIPHER_fetchr)rfrrr cipher_namerrGrGrH__call__xs zGetCipherByName.__call__N)rrh)rrIrr$rr9)rDrErFrgrrGrGrGrHrts rrrr%cCs$d|jdd}|j|dS)Nzaes-z-xtsrt)rrZrr)rrrrrGrGrHrsr)rrIrr%)] __future__r collectionsrrtypingr cryptographyrrcryptography.exceptionsrr$cryptography.hazmat.backends.opensslr,cryptography.hazmat.backends.openssl.ciphersr )cryptography.hazmat.backends.openssl.cmacr 'cryptography.hazmat.backends.openssl.ecr r (cryptography.hazmat.backends.openssl.rsarr"cryptography.hazmat.bindings._rustrr[$cryptography.hazmat.bindings.opensslrcryptography.hazmat.primitivesrr*cryptography.hazmat.primitives._asymmetricr)cryptography.hazmat.primitives.asymmetricrrrrrrrr1cryptography.hazmat.primitives.asymmetric.paddingrrrr /cryptography.hazmat.primitives.asymmetric.typesr!r"&cryptography.hazmat.primitives.ciphersr#r$1cryptography.hazmat.primitives.ciphers.algorithmsr%r&r'r(r)r*r+r,r-r.r/r0,cryptography.hazmat.primitives.ciphers.modesr1r2r3r4r5r6r7r8r9,cryptography.hazmat.primitives.serializationr:3cryptography.hazmat.primitives.serialization.pkcs12r;r<r=r>r? namedtupler@rCrIrrrrGrGrGrHsZ        ( 8, "