o eS@sUddlmZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl mZddlmZddlmZddlmZmZmZmZmZddlmZdd lmZmZmZmZdd lm Z m!Z!m"Z"m#Z#m$Z$m%Z%z dd l&m'Z(d Z)Wne*yd Z) ddddZ(YnwdZ+dZ,dZ-dZ.dZ/dZ0dZ1d Z2d!Z3e4d"Z5d#Z6d$Z7d%Z8d&Z9d'Z:d(Z;d)Ze?e@eAd+d,ZBe Gd-d.d.ZCeCejDd/ejEd)d)dd d0eCejDd/ejFd)d)dd d0eCejDd/ejGd)d1d)d d0d2ZHd3eId4<e.e/e0d5ZJdd8d9ZKdde8d>fddBdCZMddFdGZNddHdIZOddMdNZPddQdRZQddSdTZRddVdWZSddXdYZTdd[d\ZUGd]d^d^ZVGd_d`d`ZWGdadbdbZXGdcddddZYGdedfdfZZe,eWe-eXe+eZe.eYdge[e/eYdhe\e0eYdie]iZ^ddkdlZ_ej`ejaejbejcejdfZe dddpdqZfddudvZgej`ejhejiejjejkfZlej`ejhejiejkfZmGdwdxdxejnZoGdydzdzZpdd~dZq ddddZrdddZsdddZt ddddZudddZvej`ejaejbejdfZwdZxGdddZydS)) annotationsN) encodebytes) dataclass)utilsUnsupportedAlgorithm)hashes)dsaeced25519paddingrsa)AEADDecryptionContextCipher algorithmsmodes)EncodingKeySerializationEncryption NoEncryption PrivateFormat PublicFormat_KeySerializationEncryption)kdfTFpasswordbytessaltdesired_key_bytesintroundsignore_few_roundsboolreturncCstd)NzNeed bcrypt moduler)rrrrrr"c/var/www/html/venv/lib/python3.10/site-packages/cryptography/hazmat/primitives/serialization/ssh.py _bcrypt_kdf1sr$s ssh-ed25519sssh-rsasssh-dsssecdsa-sha2-nistp256secdsa-sha2-nistp384secdsa-sha2-nistp521s-cert-v01@openssh.coms rsa-sha2-256s rsa-sha2-512s\A(\S+)[ \t]+(\S+)sopenssh-key-v1s#-----BEGIN OPENSSH PRIVATE KEY-----s!-----END OPENSSH PRIVATE KEY-----sbcryptsnone aes256-ctrs(.*?)c@sFeZdZUded<ded<ded<ded<ded<d ed <d ed <d S) _SSHCipherztyping.Type[algorithms.AES]algrkey_lenzTtyping.Union[typing.Type[modes.CTR], typing.Type[modes.CBC], typing.Type[modes.GCM]]mode block_leniv_lentyping.Optional[int]tag_lenr is_aeadN)__name__ __module__ __qualname____annotations__r"r"r"r#r)Xs  r) )r*r+r,r-r.r0r1 )r%s aes256-cbcsaes256-gcm@openssh.comztyping.Dict[bytes, _SSHCipher] _SSH_CIPHERS) secp256r1 secp384r1 secp521r1key3typing.Union[SSHPrivateKeyTypes, SSHPublicKeyTypes]cCst|tjrt|}|St|tjrt|}|St|tjtjfr't }|St|t j t j fr4t }|St|tjtjfrAt}|Std)NUnsupported key type) isinstancer EllipticCurvePrivateKey_ecdsa_key_type public_keyEllipticCurvePublicKeyr RSAPrivateKey RSAPublicKey_SSH_RSAr DSAPrivateKey DSAPublicKey_SSH_DSAr Ed25519PrivateKeyEd25519PublicKey _SSH_ED25519 ValueError)r<key_typer"r"r#_get_ssh_key_types$      rOrBec.EllipticCurvePublicKeycCs*|j}|jtvrtd|jt|jS)z3Return SSH key_type and curve_name for private key.z'Unsupported curve for ssh private key: )curvename_ECDSA_KEY_TYPErM)rBrQr"r"r#rAs    rA dataprefixsuffixcCsd|t||gS)N)join_base64_encode)rUrVrWr"r"r#_ssh_pem_encodesr[r-NonecCs |r t||dkrtddS)zRequire data to be full blocksrzCorrupt data: missing paddingN)lenrM)rUr-r"r"r#_check_block_sizesr^cCs|rtddS)z!All data should have been parsed.zCorrupt data: unparsed dataN)rMrUr"r"r# _check_emptysr` ciphernametyping.Optional[bytes]5Cipher[typing.Union[modes.CBC, modes.CTR, modes.GCM]]cCsV|stdt|}t|||j|j|d}t||d|j|||jdS)z$Generate key + iv and return cipher.zKey is password-protected.TN)rMr8r$r+r.rr*r,)rarrrciphseedr"r"r# _init_ciphersrf memoryviewtyping.Tuple[int, memoryview]cC6t|dkr tdtj|dddd|ddfS)Uint32 Invalid dataNbig byteorderr]rMr from_bytesr_r"r"r#_get_u32 "rrcCri)Uint64rlNrmrnrpr_r"r"r#_get_u64rsrv$typing.Tuple[memoryview, memoryview]cCs8t|\}}|t|krtd|d|||dfS)zBytes with u32 length prefixrlN)rrr]rM)rUnr"r"r# _get_sshstrs  rycCs4t|\}}|r|ddkrtdt|d|fS)z Big integer.rrlrm)ryrMrrq)rUvalr"r"r# _get_mpints r|r{cCs4|dkrtd|s dS|dd}t||S)z!Storage format for signed bigint.rznegative mpint not allowedrXru)rM bit_lengthr int_to_bytes)r{nbytesr"r"r# _to_mpints  rc@szeZdZUdZded< d#d$d d Zd%d dZd&ddZd&ddZd'ddZ d&ddZ d(ddZ d)d*dd Z d+d!d"Z dS), _FragListz,Build recursive structure without data copy.typing.List[bytes]flistNinit#typing.Optional[typing.List[bytes]]r!r\cCsg|_|r |j|dSdSN)rextend)selfrr"r"r#__init__sz_FragList.__init__r{rcCs|j|dS)zAdd plain bytesN)rappendrr{r"r"r#put_raw z_FragList.put_rawrcC|j|jddddS)zBig-endian uint32rkrmlengthroNrrto_bytesrr"r"r#put_u32 z_FragList.put_u32cCr)zBig-endian uint64rurmrNrrr"r"r#put_u64rz_FragList.put_u64typing.Union[bytes, _FragList]cCsNt|tttfr|t||j|dS|||j |jdS)zBytes prefixed with u32 lengthN) r?rrg bytearrayrr]rrsizerrr"r"r# put_sshstrs z_FragList.put_sshstrcCs|t|dS)z*Big-endian bigint prefixed with u32 lengthN)rrrr"r"r# put_mpintsz_FragList.put_mpintcCsttt|jS)zCurrent number of bytes)summapr]rrr"r"r#r"rz_FragList.sizerdstbufrgposcCs2|jD]}t|}|||}}||||<q|S)zWrite into bytearray)rr])rrrfragflenstartr"r"r#render&s z_FragList.rendercCs"tt|}|||S)zReturn as bytes)rgrrrtobytes)rbufr"r"r#r.s z_FragList.tobytesr)rrr!r\)r{rr!r\)r{rr!r\)r{rr!r\r!r)r)rrgrrr!rr!r)r2r3r4__doc__r5rrrrrrrrrr"r"r"r#rs       rc@sBeZdZdZdddZddd Zdd d ZdddZdddZdS) _SSHFormatRSAzhFormat for RSA keys. Public: mpint e, n Private: mpint n, e, d, iqmp, p, q rUrgcCs$t|\}}t|\}}||f|fS)zRSA public fieldsr|)rrUerxr"r"r# get_public>s   z_SSHFormatRSA.get_publicr!*typing.Tuple[rsa.RSAPublicKey, memoryview]cCs.||\\}}}t||}|}||fS)zMake RSA public key from data.)rr RSAPublicNumbersrB)rrUrrxpublic_numbersrBr"r"r# load_publicDs z_SSHFormatRSA.load_public+typing.Tuple[rsa.RSAPrivateKey, memoryview]c Cst|\}}t|\}}t|\}}t|\}}t|\}}t|\}}||f|kr.tdt||} t||} t||} t|||| | || } | } | |fS)zMake RSA private key from data.z Corrupt data: rsa field mismatch)r|rMr rsa_crt_dmp1 rsa_crt_dmq1rRSAPrivateNumbers private_key)rrU pubfieldsrxrdiqmppqdmp1dmq1rprivate_numbersrr"r"r# load_privateMs          z_SSHFormatRSA.load_privaterBrsa.RSAPublicKeyf_pubrr\cCs$|}||j||jdS)zWrite RSA public keyN)rrrrx)rrBrpubnr"r"r# encode_publiccs z_SSHFormatRSA.encode_publicrrsa.RSAPrivateKeyf_privcCsZ|}|j}||j||j||j||j||j||jdS)zWrite RSA private keyN) rrrrxrrrrr)rrrrrr"r"r#encode_privateks     z_SSHFormatRSA.encode_privateN)rUrg)rUrgr!r)rUrgr!r)rBrrrr!r\)rrrrr!r\ r2r3r4rrrrrrr"r"r"r#r5s   rc@sLeZdZdZdddZd d d Zd!d d Zd"ddZd#ddZd$ddZ dS)% _SSHFormatDSAzhFormat for DSA keys. Public: mpint p, q, g, y Private: mpint p, q, g, y, x rUrgr!&typing.Tuple[typing.Tuple, memoryview]cCs@t|\}}t|\}}t|\}}t|\}}||||f|fS)zDSA public fieldsr)rrUrrgyr"r"r#rs    z_SSHFormatDSA.get_public*typing.Tuple[dsa.DSAPublicKey, memoryview]c CsJ||\\}}}}}t|||}t||}|||}||fS)zMake DSA public key from data.)rr DSAParameterNumbersDSAPublicNumbers _validaterB) rrUrrrrparameter_numbersrrBr"r"r#rs   z_SSHFormatDSA.load_public+typing.Tuple[dsa.DSAPrivateKey, memoryview]c Csz||\\}}}}}t|\}}||||f|krtdt|||}t||} || t|| } | } | |fS)zMake DSA private key from data.z Corrupt data: dsa field mismatch) rr|rMr rrrDSAPrivateNumbersr) rrUrrrrrxrrrrr"r"r#rs    z_SSHFormatDSA.load_privaterBdsa.DSAPublicKeyrrr\cCsL|}|j}||||j||j||j||jdS)zWrite DSA public keyN)rrrrrrrr)rrBrrrr"r"r#rs    z_SSHFormatDSA.encode_publicrdsa.DSAPrivateKeyrcCs$|||||jdS)zWrite DSA private keyN)rrBrrr)rrrr"r"r#rsz_SSHFormatDSA.encode_privaterdsa.DSAPublicNumberscCs |j}|jdkrtddS)Niz#SSH supports only 1024 bit DSA keys)rrr}rM)rrrr"r"r#rsz_SSHFormatDSA._validateNrUrgr!r)rUrgr!r)rUrgr!r)rBrrrr!r\)rrrrr!r\)rrr!r\) r2r3r4rrrrrrrr"r"r"r#r{s   rc@sLeZdZdZd!ddZd"d d Zd#ddZd$ddZd%ddZd&ddZ d S)'_SSHFormatECDSAzFormat for ECDSA keys. Public: str curve bytes point Private: str curve bytes point mpint secret ssh_curve_namerrQec.EllipticCurvecCs||_||_dSr)rrQ)rrrQr"r"r#rs z_SSHFormatECDSA.__init__rUrgr!rcCsJt|\}}t|\}}||jkrtd|ddkrtd||f|fS)zECDSA public fieldszCurve name mismatchrrkzNeed uncompressed point)ryrrMNotImplementedError)rrUrQpointr"r"r#rs     z_SSHFormatECDSA.get_public3typing.Tuple[ec.EllipticCurvePublicKey, memoryview]cCs.||\\}}}tj|j|}||fS)z Make ECDSA public key from data.)rr rCfrom_encoded_pointrQr)rrU curve_namerrBr"r"r#rs  z_SSHFormatECDSA.load_public4typing.Tuple[ec.EllipticCurvePrivateKey, memoryview]cCsH||\\}}}t|\}}||f|krtdt||j}||fS)z!Make ECDSA private key from data.z"Corrupt data: ecdsa field mismatch)rr|rMr derive_private_keyrQ)rrUrrrsecretrr"r"r#rs   z_SSHFormatECDSA.load_privaterBrPrrr\cCs*|tjtj}||j||dS)zWrite ECDSA public keyN) public_bytesrX962rUncompressedPointrr)rrBrrr"r"r#rs  z_SSHFormatECDSA.encode_publicrec.EllipticCurvePrivateKeyrcCs,|}|}|||||jdS)zWrite ECDSA private keyN)rBrrr private_value)rrrrBrr"r"r#rs z_SSHFormatECDSA.encode_privateN)rrrQrr)rUrgr!r)rUrgr!r)rBrPrrr!r\)rrrrr!r\) r2r3r4rrrrrrrr"r"r"r#rs   rc@sBeZdZdZdddZdd d Zdd d ZdddZdddZdS) _SSHFormatEd25519z~Format for Ed25519 keys. Public: bytes point Private: bytes point bytes secret_and_point rUrgr!rcCst|\}}|f|fS)zEd25519 public fields)ry)rrUrr"r"r#rs  z_SSHFormatEd25519.get_public2typing.Tuple[ed25519.Ed25519PublicKey, memoryview]cCs(||\\}}tj|}||fS)z"Make Ed25519 public key from data.)rr rKfrom_public_bytesr)rrUrrBr"r"r#rs z_SSHFormatEd25519.load_public3typing.Tuple[ed25519.Ed25519PrivateKey, memoryview]cCsb||\\}}t|\}}|dd}|dd}||ks#|f|kr'tdtj|}||fS)z#Make Ed25519 private key from data.Nr6z$Corrupt data: ed25519 field mismatch)rryrMr rJfrom_private_bytes)rrUrrkeypairrpoint2rr"r"r#r%s    z_SSHFormatEd25519.load_privaterBed25519.Ed25519PublicKeyrrr\cCs|tjtj}||dS)zWrite Ed25519 public keyN)rrRawrr)rrBrraw_public_keyr"r"r#r3sz_SSHFormatEd25519.encode_publicred25519.Ed25519PrivateKeyrcCsR|}|tjtjt}|tjtj}t||g}| ||| |dS)zWrite Ed25519 private keyN) rB private_bytesrrrrrrrrr)rrrrBraw_private_keyr f_keypairr"r"r#r<s   z _SSHFormatEd25519.encode_privateNr)rUrgr!r)rUrgr!r)rBrrrr!r\)rrrrr!r\rr"r"r"r#r s   rsnistp256snistp384snistp521rNcCs4t|ts t|}|tvrt|Std|)z"Return valid format or throw errorzUnsupported key type: )r?rrgr _KEY_FORMATSr)rNr"r"r#_lookup_kformatWs  rbackend typing.AnySSHPrivateKeyTypescCstd||durtd|t|}|std|d}|d}t t |||}| t s9tdt |t t d}t|\}}t|\}}t|\}}t|\} }| dkrctdt|\} }t| \} } t| } | | \} } t| ||fttfkr|}|tvrtd||tkrtd|t|j}t|j}t|\}}t|jrt|}t ||krtd nt|t||t|\}}t|\}}t|t||||}|}t ||}t|jrt |t!sJt|"|nt|#nt|\}}t|d }t||t|\}}t|\}}||kr4td t|\}}|| krCtd | $|| \}}t|\}}|t%dt |kr`td t |t&j'rpt(j)dtj*dd|S)z.Load private key from OpenSSH custom encoding.rUNrzNot OpenSSH private key formatr'zOnly one key supportedzUnsupported cipher: zUnsupported KDF: z+Corrupt data: invalid tag length for cipherruzCorrupt data: broken checksumzCorrupt data: key type mismatchzCorrupt data: invalid paddingDSSH DSA keys are deprecated and will be removed in a future release. stacklevel)+r_check_byteslike _check_bytes_PEM_RCsearchrMrendbinascii a2b_base64rg startswith _SK_MAGICr]ryrrrrr`_NONErr8r_BCRYPTr-r0r1rr^rf decryptorupdater?rfinalize_with_tagfinalizer_PADDINGr rGwarningswarnDeprecatedIn40)rUrrmp1p2rakdfname kdfoptionsnkeyspubdata pub_key_typekformatrciphername_bytesblklenr0edatatagrkbufrrddecck1ck2rNrcommentr"r"r#load_ssh_private_keyhs                             r#rencryption_algorithmrcCstd|t|tjrtjdtjddt|}t |}t }|rQt }t |j }t}t} t|tr:|jdur:|j} td} || || t||| | } nt}}d}d} d} td} d }t }|||||t | | g}||||||||td|||t }|t|||||||| |||||}|}tt ||}|!|||}| dur| "#|||||dt$|d|S) z3Serialize private key with OpenSSH custom encoding.rISSH DSA key support is deprecated and will be removed in a future releaserkrNr&rur'rX)%rrr?r rGrrrrOrr_DEFAULT_CIPHERr8r-r_DEFAULT_ROUNDSr _kdf_roundsosurandomrrrfrrrBrrr rrrgrr encryptor update_intor[)rrr$rNr f_kdfoptionsrarrrrrdrcheckvalr" f_public_key f_secretsf_mainslenmlenrofsr"r"r#_serialize_ssh_private_keysj                      r5c@seZdZdZdZdS)SSHCertificateTyper'rN)r2r3r4USERHOSTr"r"r"r#r6*sr6c@seZdZd9ddZed:ddZd;ddZedd'd(Z edr?r@rArBrCrErFrGrHrIrJrKrLr"r"r#r0s*  zSSHCertificate.__init__r!cC t|jSr)rr:rr"r"r#nonceY zSSHCertificate.nonceSSHCertPublicKeyTypescCstt|jSr)typingcastrQr;rr"r"r#rB]szSSHCertificate.public_keycC|jSr)r=rr"r"r#serialbzSSHCertificate.serialr6cCrTr)rMrr"r"r#typefrVzSSHCertificate.typecCrNr)rr?rr"r"r#key_idjrPzSSHCertificate.key_idcCrTr)r@rr"r"r#valid_principalsnrVzSSHCertificate.valid_principalscCrTr)rBrr"r"r# valid_beforerrVzSSHCertificate.valid_beforecCrTr)rArr"r"r# valid_aftervrVzSSHCertificate.valid_aftercCrTr)rCrr"r"r#critical_optionszrVzSSHCertificate.critical_optionscCrTr)rErr"r"r# extensions~rVzSSHCertificate.extensionscCs&t|j}||j\}}t||Sr)rrFrrGr`)r sigformat signature_key sigkey_restr"r"r#r_s zSSHCertificate.signature_keycCs"t|jdtjt|jddS)N F)newline)rrKr b2a_base64rLrr"r"r#rs zSSHCertificate.public_bytesr\cCs|}t|tjr|t|jt|jdSt|tj rIt |j\}}t |\}}t |t ||}t|j}||t|jt|dSt|tjsQJ|jtkr[t}n|jtkret}n |jtkslJt}|t|jt|jt|dSr)r_r?r rKverifyrrIrJr rCr|r` asym_utilsencode_dss_signature_get_ec_hash_algrQECDSAr rErHrFrSHA1_SSH_RSA_SHA256SHA256_SSH_RSA_SHA512SHA512r PKCS1v15)rr_rrUs computed_sighash_algr"r"r#verify_cert_signatures6         z$SSHCertificate.verify_cert_signatureN)"r:rgr;r<r=rr>rr?rgr@rrArrBrrCrDrErDrFrgrGrgrHrgrIrgrJrgrKrrLrgr)r!rQr)r!r6)r!r)r!rD)r!r\)r2r3r4rpropertyrOrBrUrWrXrYrZr[r\r]r_rrsr"r"r"r#r9/s0 )            r9rQrhashes.HashAlgorithmcCs@t|tjr tSt|tjrtSt|tjsJtSr) r?r SECP256R1rrk SECP384R1SHA384 SECP521R1rm)rQr"r"r#rgs  rg/typing.Union[SSHCertificate, SSHPublicKeyTypes]c"Csptd|t|}|std|d}}|d}d}|tr/d}|dtt }|t kr9|s9t dt |}z t t |}Wntt jfyTtdw|rY|} t|\} }| |krgtd |rot|\} }||\} }|r2t|\} }t|\}}t|\}}t|\}}g}|rt|\}}|t||st|\}}t|\}}t|\}}t|}t|\}}t|}t|\}}t|\}}t|\}}|t kr|st d | dt| }t|\}}t|t|\}} |tkr|tttfvs|tkr||krtd t| \}!} t| t| | | |||||||||||!||| St|| S) NrUzInvalid line formatr'rFTz-DSA keys aren't supported in SSH certificateszInvalid formatzInvalid key formatz3DSA signatures aren't supported in SSH certificatesz!Signature key type does not match)rr_SSH_PUBKEY_RCmatchrMgroupendswith _CERT_SUFFIXr]rIrrrgrr TypeErrorErrorryrrvrrrr_parse_exts_optsr`rFrjrlr9)"rU_legacy_dsa_allowedrrN orig_key_typekey_body with_certrrest cert_bodyinner_key_typerOrBrUcctyperX principalsrY principalr[rZ crit_optionsr\extsr]_ sig_key_rawsig_typesig_key tbs_cert_body signature_rawinner_sig_typesig_rest signaturer"r"r#_load_ssh_public_identitys                        rcCst|Sr)rr_r"r"r#load_ssh_public_identitysr exts_optsrDcCsi}d}|r_t|\}}t|}||vrtd|dur$||kr$tdt|\}}t|dkrUzt|\}}WntyJtjdtjddYn wt|dkrUtdt|||<|}|s|S)NzDuplicate namezFields not lexically sortedrz{This certificate has an incorrect encoding for critical options or extensions. This will be an exception in cryptography 42rkrz!Unexpected extra data after value)ryrrMr]rrrDeprecatedIn41)rresult last_namerRbnamevalueextrar"r"r#rs4       rr<cCsFt|dd}t|tr|}n|}t|tjr!tjdtj dd|S)NT)rrrr) rr?r9rBr rHrrrr)rUr cert_or_keyrBr"r"r#load_ssh_public_key=s    rcCslt|tjrtjdtjddt|}t|}t }| || ||t |}d|d|gS)z&One-line public key format for OpenSSHr%rkrrXra)r?r rHrrrrrOrrrrrrcrstriprY)rBrNrrpubr"r"r#serialize_ssh_public_keyQs   rc @seZdZddddgdddggf d>ddZd?ddZd@ddZdAd!d"ZdBd%d&ZdCd(d)Zd*d+Z dDd.d/Z dEd1d2Z dFd5d6Z dFd7d8Z dGdzpublic_key already setr)r?r rCr rEr rKrr;rMrr=rMr?r@rrBrArCrE)rrBr"r"r#rBs, z SSHCertificateBuilder.public_keyrUrc Csvt|ts tdd|krdkstdtd|jdur$tdt|j||j|j|j |j |j |j |j |jd S)Nzserial must be an integerrz"serial must be between 0 and 2**64zserial already setr)r?rrrMr=rr;rMr?r@rrBrArCrE)rrUr"r"r#rUs(  zSSHCertificateBuilder.serialrWr6c CsRt|ts td|jdurtdt|j|j||j|j |j |j |j |j |jd S)Nz"type must be an SSHCertificateTypeztype already setr)r?r6rrMrMrr;r=r?r@rrBrArCrE)rrWr"r"r#rWs  zSSHCertificateBuilder.typerXrc CsRt|ts td|jdurtdt|j|j|j||j |j |j |j |j |jd S)Nzkey_id must be byteszkey_id already setr)r?rrr?rMrr;r=rMr@rrBrArCrE)rrXr"r"r#rXs  zSSHCertificateBuilder.key_idrYc Cs||jrtdtdd|Dr|std|jrtdt|tkr'tdt|j|j |j |j ||j|j |j |j|jd S)NzDPrincipals can't be set because the cert is valid for all principalscss|]}t|tVqdSr)r?r).0rr"r"r# sz9SSHCertificateBuilder.valid_principals..z5principals must be a list of bytes and can't be emptyzvalid_principals already setz:Reached or exceeded the maximum number of valid_principalsr)rrMallrr@r]_SSHKEY_CERT_MAX_PRINCIPALSrr;r=rMr?rBrArCrE)rrYr"r"r#rYs: z&SSHCertificateBuilder.valid_principalsc CsJ|jrtd|jrtdt|j|j|j|j|jd|j|j |j |j d S)Nz@valid_principals already set, can't set valid_for_all_principalsz$valid_for_all_principals already setTr) r@rMrrr;r=rMr?rBrArCrErr"r"r#valid_for_all_principalss$z.SSHCertificateBuilder.valid_for_all_principalsrZtyping.Union[int, float]c Csvt|ttfs tdt|}|dks|dkrtd|jdur$tdt|j|j|j |j |j |j ||j |j|jd S)Nz$valid_before must be an int or floatrrzvalid_before must [0, 2**64)zvalid_before already setr)r?rfloatrrMrBrr;r=rMr?r@rrArCrE)rrZr"r"r#rZs& z"SSHCertificateBuilder.valid_beforer[c Csvt|ttfs tdt|}|dks|dkrtd|jdur$tdt|j|j|j |j |j |j |j ||j|jd S)Nz#valid_after must be an int or floatrrzvalid_after must [0, 2**64)zvalid_after already setr)r?rrrrMrArr;r=rMr?r@rrBrCrE)rr[r"r"r#r[3s& z!SSHCertificateBuilder.valid_afterrRrc Csrt|tr t|tstd|dd|jDvrtdt|j|j|j|j |j |j |j |j |j||fg|jd S)Nname and value must be bytescSg|]\}}|qSr"r"rrRrr"r"r# Qz=SSHCertificateBuilder.add_critical_option..zDuplicate critical option namer)r?rrrCrMrr;r=rMr?r@rrBrArErrRrr"r"r#add_critical_optionKs z)SSHCertificateBuilder.add_critical_optionc Csrt|tr t|tstd|dd|jDvrtdt|j|j|j|j |j |j |j |j |j|j||fgd S)NrcSrr"r"rr"r"r#rgrz7SSHCertificateBuilder.add_extension..zDuplicate extension namer)r?rrrErMrr;r=rMr?r@rrBrArCrr"r"r# add_extensionas z#SSHCertificateBuilder.add_extensionrSSHCertPrivateKeyTypesr9c Cst|tjtjtjfstd|jdurt d|j durdn|j }|j dur+t d|j dur2dn|j }|j s?|js?t d|jdurHt d|jdurQt d|j|jkr[t d |jjd d d |jjd d d t|j}|t}td}t|}t}||||||j|||||j j||t} |j D]} | | q|| ||j||jt} |jD]$\} } | | t | dkrt}|| | |q| | q|| t}|jD]%\} } || t | dkrt}|| ||q|| q|||dt|}t|}t}||||!|||t|tjrq|"|}t}||||||nlt|tjrt#|j$}|"|t%|}t&'|\}}t}||t}|(||(|||||n*t|tjsJt}|t)|"|t*+t,-}||||t./|0}t12t3t4d5|d|gS)NzUnsupported private key typezpublic_key must be setrztype must be setrXzAvalid_principals must be set if valid_for_all_principals is Falsezvalid_before must be setzvalid_after must be setz-valid_after must be earlier than valid_beforecS|dSNrr"rr"r"r#z,SSHCertificateBuilder.sign..)r<cSrrr"rr"r"r#rrr6ra)6r?r r@r rDr rJrr;rMr=rMr?r@rrBrArCsortrErOrr)r*rrrrrrrrr]rBsignrgrQrhredecode_dss_signaturerrlr rnrrmrrcrrRrSr9rrY)rrrUrXrN cert_prefixrOrf fprincipalsrfcritrRrfoptvalfextfextvalca_typecaformatcafrfsigrrrorpfsigblob cert_datar"r"r#rws                                 zSSHCertificateBuilder.sign)r;rr=r/rMrr?rbr@rrr rBr/rAr/rCrrEr)rBrQr!r)rUrr!r)rWr6r!r)rXrr!r)rYrr!r)rZrr!r)r[rr!r)rRrrrr!r)rrr!r9)r2r3r4rrBrUrWrXrYrrZr[rrrr"r"r"r#rqs.     $    r)F) rrrrrrrrrr r!r)r<r=r!r)rBrPr!r)rUrrVrrWrr!r)rUrr-rr!r\)rUrr!r\) rarrrbrrrrr!rc)rUrgr!rh)rUrgr!rw)r{rr!r)rNrr)rUrrrbrrr!r)rrrrr$rr!r)rQrr!ru)rUrr!rz)rrgr!rD)rUrrrr!r<)rBr<r!r)z __future__rrenumr)rerRrbase64rrZ dataclassesr cryptographyrcryptography.exceptionsrcryptography.hazmat.primitivesr)cryptography.hazmat.primitives.asymmetricr r r r r re&cryptography.hazmat.primitives.ciphersrrrr,cryptography.hazmat.primitives.serializationrrrrrrbcryptrr$_bcrypt_supported ImportErrorrLrFrI_ECDSA_NISTP256_ECDSA_NISTP384_ECDSA_NISTP521rrjrlcompiler{r _SK_START_SK_ENDrrr&r'DOTALLrrgrranger r)AESCTRCBCGCMr8r5rSrOrAr[r^r`rfrrrvryr|rrrrrrrvrwryrrUnionr@rDrGrJrr#r5rCrErHrKr<rQEnumr6r9rgrrrrrrrrr"r"r"r#s"                          8FHGD   gM  _