3TfSJUddlmZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl mZddlmZddlmZddlmZmZmZmZmZddlmZdd lmZmZmZmZdd lm Z m!Z!m"Z"m#Z#m$Z$m%Z% dd l&m'Z(d Z)dZ+dZ,dZ-dZ.dZ/dZ0dZ1dZ2dZ3ejhdZ5dZ6dZ7dZ8dZ9dZ:dZ;dZ<ejhe7d ze8zejzZ>e?e@eAd!d"ZBe Gd#d$ZCeCejd%ejdddd &eCejd%ejdddd &eCejd%ejdd'dd &d(ZHd)eId*<e.e/e0d+ZJ dWd,ZKdXd-ZLe7d.ze8d.zf dYd/ZMdZd0ZNd[d1ZO d\d2ZPd]d3ZQd]d4ZRd^d5ZSd]d6ZTd_d7ZUGd8d9ZVGd:d;ZWGd<d=ZXGd>d?ZYGd@dAZZe,eWe-eXe+eZe.eYdBeje/eYdCeje0eYdDejiZ^d`dEZ_ejejejejejfZe da dbdFZf dcdGZgejejejejejfZlejejejejfZmGdHdIejZoGdJdKZpdddLZq dU dedMZr dedNZsdfdOZt da dgdPZudhdQZvejejejejfZwdRZxGdSdTZyy#e*$rd Z) dU dVdZ(Y*wxYw)i) annotationsN) encodebytes) dataclass)utilsUnsupportedAlgorithm)hashes)dsaeced25519paddingrsa)AEADDecryptionContextCipher algorithmsmodes)EncodingKeySerializationEncryption NoEncryption PrivateFormat PublicFormat_KeySerializationEncryption)kdfTFctd)NzNeed bcrypt moduler)passwordsaltdesired_key_bytesroundsignore_few_roundss R/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/serialization/ssh.py _bcrypt_kdfr!1s##788s ssh-ed25519sssh-rsasssh-dsssecdsa-sha2-nistp256secdsa-sha2-nistp384secdsa-sha2-nistp521s-cert-v01@openssh.coms rsa-sha2-256s rsa-sha2-512s\A(\S+)[ \t]+(\S+)sopenssh-key-v1s#-----BEGIN OPENSSH PRIVATE KEY-----s!-----END OPENSSH PRIVATE KEY-----sbcryptsnone aes256-ctrs(.*?)cTeZdZUded<ded<ded<ded<ded<d ed <d ed <y ) _SSHCipherztyping.Type[algorithms.AES]algintkey_lenzTtyping.Union[typing.Type[modes.CTR], typing.Type[modes.CBC], typing.Type[modes.GCM]]mode block_leniv_lentyping.Optional[int]tag_lenboolis_aeadN)__name__ __module__ __qualname____annotations__r"r r(r(Xs. $$ L  N K !! Mr"r( )r)r+r,r-r.r0r2 )r#s aes256-cbcsaes256-gcm@openssh.comztyping.Dict[bytes, _SSHCipher] _SSH_CIPHERS) secp256r1 secp384r1 secp521r1ct|tjrt|j }|St|tj r t|}|St|t jt jfrt}|St|tjtjfrt}|St|tjtj frt"}|St%d)NUnsupported key type) isinstancer EllipticCurvePrivateKey_ecdsa_key_type public_keyEllipticCurvePublicKeyr RSAPrivateKey RSAPublicKey_SSH_RSAr DSAPrivateKey DSAPublicKey_SSH_DSAr Ed25519PrivateKeyEd25519PublicKey _SSH_ED25519 ValueError)keykey_types r _get_ssh_key_typerQs#r112"3>>#34 O C22 3"3' O C#++S-=-=> ? O C#++S-=-=> ? O  g'')A)A B   O/00r"c|j}|jtvrtd|jt|jS)z3Return SSH key_type and curve_name for private key.z'Unsupported curve for ssh private key: )curvename_ECDSA_KEY_TYPErN)rCrSs r rBrBsE   E zz(5ejj^ D   5:: &&r" c<dj|t||gS)Nr")join_base64_encode)dataprefixsuffixs r _ssh_pem_encoder]s 88V^D16: ;;r"c@|rt||zdk7r tdy)zRequire data to be full blocksrzCorrupt data: missing paddingN)lenrN)rZr-s r _check_block_sizer`s& 3t9y(A-899.r"c|r tdy)z!All data should have been parsed.zCorrupt data: unparsed dataN)rNrZs r _check_emptyrcs 677 r"c|s tdt|}t|||j|jz|d}t |j |d|j|j||jdS)z$Generate key + iv and return cipher.zKey is password-protected.TN)rNr:r!r+r.rr)r,) ciphernamerrrciphseeds r _init_cipherrhs| 566  #D $ t{{2FD D  n %& $t||~&' r"crt|dkr tdtj|ddd|ddfS)Uint32 Invalid dataNbig byteorderr_rNr* from_bytesrbs r _get_u32rr< 4y1}(( >>$r(e> 4d12h >>r"crt|dkr tdtj|ddd|ddfS)Uint64rlNrmrnrprbs r _get_u64rwrsr"cdt|\}}|t|kDr td|d|||dfS)zBytes with u32 length prefixrlN)rrr_rN)rZns r _get_sshstrrzs<tnGAt3t9}(( 8T!"X r"cxt|\}}|r|ddkDr tdtj|d|fS)z Big integer.rrlrm)rzrNr*rq)rZvals r _get_mpintr~s>D!IC s1v}(( >>#u %t ++r"c|dkr td|sy|jdzdz}tj||S)z!Storage format for signed bigint.rznegative mpint not allowedr"rv)rN bit_lengthr int_to_bytes)r}nbytess r _to_mpintrsD Qw566 nn"q (F   c6 **r"cpeZdZUdZded< d ddZddZddZddZdd Z dd Z dd Z ddd Z dd Z y) _FragListz,Build recursive structure without data copy.typing.List[bytes]flistNcNg|_|r|jj|yyN)rextend)selfinits r __init__z_FragList.__init__s%  JJ  d # r"c:|jj|y)zAdd plain bytesN)rappendrr}s r put_rawz_FragList.put_raw s #r"c\|jj|jddy)zBig-endian uint32rkrmlengthroNrrto_bytesrs r put_u32z_FragList.put_u32 ! #,,a5,ABr"c\|jj|jddy)zBig-endian uint64rvrmrNrrs r put_u64z_FragList.put_u64rr"c.t|tttfr6|j t ||j j|y|j |j|j j|j y)zBytes prefixed with u32 lengthN) r@bytes memoryview bytearrayrr_rrsizerrs r put_sshstrz_FragList.put_sshstrs] cE:y9 : LLS " JJ  c " LL $ JJ  cii (r"c8|jt|y)z*Big-endian bigint prefixed with u32 lengthN)rrrs r put_mpintz_FragList.put_mpints  #'r"cHttt|jS)zCurrent number of bytes)summapr_rrs r rz_FragList.size"s3sDJJ'((r"cV|jD]}t|}|||z}}|||||S)zWrite into bytearray)rr_)rdstbufposfragflenstarts r renderz_FragList.render&s>JJ %Dt9DcDj3E $F5  % r"ctt|j}|j||j S)zReturn as bytes)rrrrtobytes)rbufs r rz_FragList.tobytes.s/499;/0 C{{}r"r)rz#typing.Optional[typing.List[bytes]]returnNone)r}rrr)r}r*rr)r}ztyping.Union[bytes, _FragList]rrrr*)r)rrrr*rr*rr)r3r4r5__doc__r6rrrrrrrrrr7r"r rrsO6 ;?$7$ $CC)()r"rc`eZdZdZddZ d dZ d dZ d dZ d dZy) _SSHFormatRSAzhFormat for RSA keys. Public: mpint e, n Private: mpint n, e, d, iqmp, p, q cFt|\}}t|\}}||f|fS)zRSA public fieldsr~)rrZerys r get_publicz_SSHFormatRSA.get_public>s,T"4T"41vt|r"c|j|\\}}}tj||}|j}||fS)zMake RSA public key from data.)rrRSAPublicNumbersrC)rrZrrypublic_numbersrCs r load_publicz_SSHFormatRSA.load_publicDsEt, A--a3#..0 4r"c t|\}}t|\}}t|\}}t|\}}t|\}}t|\}}||f|k7r tdtj||} tj||} tj ||} tj |||| | || } | j} | |fS)zMake RSA private key from data.z Corrupt data: rsa field mismatch)r~rNr rsa_crt_dmp1 rsa_crt_dmq1rRSAPrivateNumbers private_key)rrZ pubfieldsryrdiqmppqdmp1dmq1rprivate_numbersrs r load_privatez_SSHFormatRSA.load_privateMsT"4T"4T"4% dT"4T"4 q6Y ?@ @1%1%--a3// q!T4~ &113 D  r"c|j}|j|j|j|jy)zWrite RSA public keyN)rrrry)rrCf_pubpubns r encode_publicz_SSHFormatRSA.encode_publiccs2((*  r"c|j}|j}|j|j|j|j|j|j |j|j |j|j|j|jy)zWrite RSA private keyN) rrrryrrrrr)rrf_privrrs r encode_privatez_SSHFormatRSA.encode_privateks&557(77))*))***+--.**+**+r"N)rZr)rZrrz*typing.Tuple[rsa.RSAPublicKey, memoryview])rZrrz+typing.Tuple[rsa.RSAPrivateKey, memoryview])rCzrsa.RSAPublicKeyrrrr)rzrsa.RSAPrivateKeyrrrr r3r4r5rrrrrrr7r"r rr5sp   3 !! 4!, * 3<   ,, ,6? ,  ,r"rcpeZdZdZ d dZ d dZ d dZ d dZ d dZddZ y) _SSHFormatDSAzhFormat for DSA keys. Public: mpint p, q, g, y Private: mpint p, q, g, y, x ct|\}}t|\}}t|\}}t|\}}||||f|fS)zDSA public fieldsr)rrZrrgys r rz_SSHFormatDSA.get_publicsOT"4T"4T"4T"41a|T!!r"c|j|\\}}}}}tj|||}tj||}|j ||j }||fS)zMake DSA public key from data.)rr DSAParameterNumbersDSAPublicNumbers _validaterC) rrZrrrrparameter_numbersrrCs r rz_SSHFormatDSA.load_publicsl"__T2 Aq!d33Aq!<--a1BC ~&#..0 4r"cH|j|\\}}}}}t|\}}||||f|k7r tdtj|||}tj ||} |j | tj|| } | j} | |fS)zMake DSA private key from data.z Corrupt data: dsa field mismatch) rr~rNr rrrDSAPrivateNumbersr) rrZrrrrrxrrrrs r rz_SSHFormatDSA.load_privates"__T2 Aq!dT"4 q!Q<9 $?@ @33Aq!<--a1BC ~&//>B%113 D  r"c6|j}|j}|j||j|j|j|j |j|j |j|jy)zWrite DSA public keyN)rrrrrrrr)rrCrrrs r rz_SSHFormatDSA.encode_publicsu$224*<< ~& )++, )++, )++, (()r"c|j|j||j|jjy)zWrite DSA private keyN)rrCrrr)rrrs r rz_SSHFormatDSA.encode_privates: ;113V<446889r"cl|j}|jjdk7r tdy)Niz#SSH supports only 1024 bit DSA keys)rrrrN)rrrs r rz_SSHFormatDSA._validates6*<<    ) ) +t 3BC C 4r"NrZrrz&typing.Tuple[typing.Tuple, memoryview])rZrrz*typing.Tuple[dsa.DSAPublicKey, memoryview])rZrrz+typing.Tuple[dsa.DSAPrivateKey, memoryview])rCzdsa.DSAPublicKeyrrrr)rzdsa.DSAPrivateKeyrrrr)rzdsa.DSAPublicNumbersrr) r3r4r5rrrrrrrr7r"r rr{s"" /"    3  !! 4! ** *3< *  *:,:6?: :Dr"rcpeZdZdZd dZ d dZ d dZ d dZ d dZ ddZ y)_SSHFormatECDSAzFormat for ECDSA keys. Public: str curve bytes point Private: str curve bytes point mpint secret c ||_||_yr)ssh_curve_namerS)rrrSs r rz_SSHFormatECDSA.__init__s, r"ct|\}}t|\}}||jk7r td|ddk7r td||f|fS)zECDSA public fieldszCurve name mismatchrrkzNeed uncompressed point)rzrrNNotImplementedError)rrZrSpoints r rz_SSHFormatECDSA.get_publics`"$' t!$' t D'' '23 3 8q=%&?@ @u~t##r"c|j|\\}}}tjj|j|j }||fS)z Make ECDSA public key from data.)rr rDfrom_encoded_pointrSr)rrZ curve_namerrCs r rz_SSHFormatECDSA.load_publicsN%)OOD$9!UT..AA JJ  4r"c|j|\\}}}t|\}}||f|k7r tdtj||j }||fS)z!Make ECDSA private key from data.z"Corrupt data: ecdsa field mismatch)rr~rNr derive_private_keyrS)rrZrrrsecretrs r rz_SSHFormatECDSA.load_privatesd%)OOD$9!UT!$'   ) +AB B++FDJJ? D  r"c|jtjtj}|j |j |j |y)zWrite ECDSA public keyN) public_bytesrX962rUncompressedPointrr)rrCrrs r rz_SSHFormatECDSA.encode_publicsG'' MM<99  ,,- r"c|j}|j}|j|||j|jy)zWrite ECDSA private keyN)rCrrr private_value)rrrrCrs r rz_SSHFormatECDSA.encode_privatesD!++- %557 :v.667r"N)rrrSec.EllipticCurver)rZrrz3typing.Tuple[ec.EllipticCurvePublicKey, memoryview])rZrrz4typing.Tuple[ec.EllipticCurvePrivateKey, memoryview])rCec.EllipticCurvePublicKeyrrrr)rzec.EllipticCurvePrivateKeyrrrr) r3r4r5rrrrrrrr7r"r rrs  $ $ / $  <  ! ! = ! 3 G% %r"rsnistp256snistp384snistp521ct|tst|j}|tvr t|St d|)z"Return valid format or throw errorzUnsupported key type: )r@rrr _KEY_FORMATSr)rPs r _lookup_kformatrWsE h &h'//1<H%% !7|D EEr"ctjd||tjd|tj |}|s t d|j d}|jd}tjt|||}|jts t dt|ttd}t|\}}t|\}}t|\}}t|\} }| dk7r t dt|\} }t| \} } t!| } | j#| \} } t%| ||ft&t&fk7r|j)}|t*vrt-d||t.k7rt-d|t*|j0}t*|j2}t|\}}t*|j4r$t7|}t||k7rt d t%|t9||t|\}}t|\}}t%|t;|||j)|}|j=}t|j?|}t*|j4r-tA|tBsJt%|jEnAt%|jGn't|\}}t%|d }t9||t|\}}t|\}}||k7r t d t|\}}|| k7r t d | jI|| \}}t|\}}|tJdt|k7r t d tA|tLjNr&tQjRdtjTd|S)z.Load private key from OpenSSH custom encoding.rZNrzNot OpenSSH private key formatr%zOnly one key supportedzUnsupported cipher: zUnsupported KDF: z+Corrupt data: invalid tag length for cipherrvzCorrupt data: broken checksumzCorrupt data: key type mismatchzCorrupt data: invalid paddingDSSH DSA keys are deprecated and will be removed in a future release. stacklevel)+r_check_byteslike _check_bytes_PEM_RCsearchrNrendbinascii a2b_base64r startswith _SK_MAGICr_rzrrrrrc_NONErr:r_BCRYPTr-r0r2rr`rh decryptorupdater@rfinalize_with_tagfinalizer_PADDINGr rHwarningswarnDeprecatedIn40)rZrbackendmp1p2rekdfname kdfoptionsnkeyspubdata pub_key_typekformatrciphername_bytesblklenr0edatatagrkbufrrfdecck1ck2rPrcomments r load_ssh_private_keyr:hs  64( :x0tA 9:: B qB   z$/26 7D ??9 %9:: d C N, -D#4(J%MGT"4(J4.KE4 z122 %MGT'0L'l+G ++G4IwG.%--/ < /&&'7&:;  g &):7+'FG G./99/088!$' t ( ) 1 1+C3x7" !NOO  %( , d~ T,h Onn3::e,- ( ) 1 1c#89 99 ..s3 4  ("$' tT%(%JC%JC cz899"%(OHe<:;; --eY?K 'NGU 3u:&&899+s001       r"ctjd|t|tjr&t j dtjdt|}t|}t}|rt}t|j}t}t} t|t r|j" |j"} t%j&d} |j)| |j+| t-||| | } n t.x}}d}d} d} t%j&d} d }t}|j)||j1|j3|t| | g}|j)||j5|||j)||j7t8d||j;|zz t}|j7t<|j)||j)||j)||j+| |j)||j)||j;}|j;}t?tA||z}|jC|||z }| &| jEjG|||||dtI|d|S) z3Serialize private key with OpenSSH custom encoding.rISSH DSA key support is deprecated and will be removed in a future releaserkrNr$rvr%r")%rrr@r rHr$r%r&rQrr_DEFAULT_CIPHERr:r-r_DEFAULT_ROUNDSr _kdf_roundsosurandomrrrhrrrCrrr#rrrrr encryptor update_intor])rrencryption_algorithmrPr0 f_kdfoptionsrer2r+rrrfr-checkvalr9 f_public_key f_secretsf_mainslenmlenrofss r _serialize_ssh_private_keyrMs  z8,+s001  *    !-Hh'G;L$ j)33  +-H I$00<)55Fzz"~%V$J$?$$ W Ezz!}HG;LH% +002LA8X./I " ; 2 ! hE9>>+;f+D!EFG[F NN9 j! g l# NN5 l# i  >> D ;;=D Ytf}- .C MM# +C  $$ST]CI> 3u: &&r"ceZdZdZdZy)SSHCertificateTyper%rN)r3r4r5USERHOSTr7r"r rOrO*s D Dr"rOceZdZ ddZeddZddZeddZeddZeddZ eddZ eddZ edd Z edd Z edd Zdd Zdd ZddZy)SSHCertificatec6||_||_||_ t||_||_||_||_||_ | |_ | |_ | |_ | |_ | |_||_||_||_||_y#t $r t dwxYw)NzInvalid certificate type)_nonce _public_key_serialrO_typerN_key_id_valid_principals _valid_after _valid_before_critical_options _extensions _sig_type_sig_key_inner_sig_type _signature_cert_key_type _cert_body_tbs_cert_body)rrUrVrW_cctyperYrZr[r\r]r^r_r`rarbrercrds r rzSSHCertificate.__init__0s( &  9+G4DJ !2(*!2&"  .$,$, 978 8 9s BBc,t|jSr)rrUrs r noncezSSHCertificate.nonceYsT[[!!r"cJtjt|jSr)typingcastSSHCertPublicKeyTypesrVrs r rCzSSHCertificate.public_key]s{{0$2B2BCCr"c|jSr)rWrs r serialzSSHCertificate.serialbs ||r"c|jSr)rXrs r typezSSHCertificate.typefs zzr"c,t|jSr)rrYrs r key_idzSSHCertificate.key_idjsT\\""r"c|jSr)rZrs r valid_principalszSSHCertificate.valid_principalsn%%%r"c|jSr)r\rs r valid_beforezSSHCertificate.valid_beforers!!!r"c|jSr)r[rs r valid_afterzSSHCertificate.valid_aftervs   r"c|jSr)r]rs r critical_optionszSSHCertificate.critical_optionszrur"c|jSr)r^rs r extensionszSSHCertificate.extensions~sr"ct|j}|j|j\}}t ||Sr)rr_rr`rc)r sigformat signature_key sigkey_rests r rzSSHCertificate.signature_keys7#DNN3 %.%:%:4==%I" {[!r"ct|jdztjt|jdzS)N F)newline)rrcr b2a_base64rdrs r rzSSHCertificate.public_bytess< $%% & !!%"8%H I r"c|j}t|tjr9|j t |j t |jyt|tjrt|j \}}t|\}}t|tj||}t|j}|j |t |jtj |yt|t"j$sJ|j&t(k(rt+j,}nQ|j&t.k(rt+j0}n)|j&t2k(sJt+j4}|j t |j t |jt7j8|yr)rr@r rLverifyrrbrer rDr~rc asym_utilsencode_dss_signature_get_ec_hash_algrSECDSArrFrarGr SHA1_SSH_RSA_SHA256SHA256_SSH_RSA_SHA512SHA512r PKCS1v15)rrrrZs computed_sighash_algs r verify_cert_signaturez$SSHCertificate.verify_cert_signaturesl**, mW%=%= >  doo&d.A.A(B  r'@'@ A 1GAt &GAt  %::1a@L' (;(; >>##x/!;;=%%8!==?++>>>!==?  doo&d))*  "  r"N)"rUrrVSSHPublicKeyTypesrWr*rfr*rYrrZrr[r*r\r*r]typing.Dict[bytes, bytes]r^rr_rr`rrarrbrrerrcrrdrr)rrlr)rrO)rr)rr)rr)r3r4r5rpropertyrhrCrnrprrrtrwryr{r}rrrr7r"r rSrS/sy'-'-''- '-  '-  '-.'-'-'-5'-/'-'-'-$'-'- #!'-"#'-$%'-R""D ##&&""!!&&    r"rSct|tjrtjSt|tj rtj St|tjsJtjSr) r@r SECP256R1r r SECP384R1SHA384 SECP521R1r)rSs r rrsV%&}} E2<< (}}%...}}r"ctjd|tj|}|s t d|j dx}}|j d}d}|j trd}|dtt }|tk(r |s tdt|} ttj|}|r|} t#|\} }| |k7r t d |rt#|\} }|j%|\} }|rt'|\} }t)|\}}t#|\}}t#|\}}g}|r+t#|\}}|j+t-||r+t'|\}}t'|\}}t#|\}}t/|}t#|\}}t/|}t#|\}}t#|\}}t#|\}}|tk(r |s td  dt| }t#|\}}t1|t#|\}} |t2k(r|t4t6t2fvs|t2k7r||k7r t d t#| \}!} t1| t9 | | |||||||||||!||| St1|| S#ttj f$r t dwxYw) NrZzInvalid line formatr%rFTz-DSA keys aren't supported in SSH certificateszInvalid formatzInvalid key formatz3DSA signatures aren't supported in SSH certificatesz!Signature key type does not match)rr_SSH_PUBKEY_RCmatchrNgroupendswith _CERT_SUFFIXr_rJrrrrr TypeErrorErrorrzrrwrrrr_parse_exts_optsrcrGrrrS)"rZ_legacy_dsa_allowedr(rP orig_key_typekey_body with_certr0rest cert_bodyinner_key_typerhrCrncctyperr principalsrt principalryrw crit_optionsr{extsr}_ sig_key_rawsig_typesig_key tbs_cert_body signature_rawinner_sig_typesig_rest signatures" r _load_ssh_public_identityrs 64(T"A .// wwqz)H}wwqzHI& 0s<0018$7" ;  h'G+(--h78 &t,ND&-..!$' t**40J~ ~ "4( &t, D$/ $; !Iz  # #E)$4 5%TN T%d^ d(. d+L9 & d%d+ d#4'- T' 4' x (;&E ",SYJ/ )$/ tT#.}#=   #_h?@("~'A@A A)(3 8X                 #  ( TK x~~ &+)**+s +J33%Kct|Sr)rrbs r load_ssh_public_identityrs %T **r"ci}d}|rt|\}}t|}||vr td|||kr tdt|\}}t|dkDr( t|\}}t|dkDr tdt|||<|}|r|S#t$r)t j dt jdYFwxYw)NzDuplicate namezFields not lexically sortedrz!Unexpected extra data after valuez{This certificate has an incorrect encoding for critical options or extensions. This will be an exception in cryptography 42rkr)rzrrNr_r$r%rDeprecatedIn41) exts_optsresult last_namerTbnamevalueextras r rrs(*FI %i0iT{ F?-. .  UY%6:; ;&y1y u:> J*51 uu:>$%HIIe u  / 0 M  &((  sB/C  C ct|d}t|tr|j}n|}t|tj r&t jdtjd|S)NT)rrrr) rr@rSrCr rIr$r%rr&)rZr' cert_or_keyrCs r load_ssh_public_keyr=sb,DdKK+~. ++-  *c../      r"ct|tjr&tjdt j dt|}t|}t}|j||j||tj|jj}dj!|d|gS)z&One-line public key format for OpenSSHr<rkrr"r)r@r rIr$r%rr&rQrrrrrrrstriprX)rCrPr0rpubs r serialize_ssh_public_keyrQs*c../  *    !,Hh'G KE X *e,   emmo . 4 4 6C 88XtS) **r"c eZdZddddgdddggf ddZ ddZddZddZddZ ddZd Z dd Z dd Z dd Z dd Z ddZy)SSHCertificateBuilderNFc ||_||_||_||_||_||_||_||_| |_| |_ yr rVrWrXrYrZ_valid_for_all_principalsr\r[r]r^) rrVrWrXrYrZrr\r[r]r^s r rzSSHCertificateBuilder.__init__rsQ'   !2)B&*(!2&r"c t|tjtjt j fs td|j tdt||j|j|j|j|j|j |j"|j$|j& S)Nr?zpublic_key already setr)r@r rDrrFr rLrrVrNrrWrXrYrZrr\r[r]r^)rrCs r rCz SSHCertificateBuilder.public_keys ))  ((  23 3    '56 6$"LL**LL"44&*&D&D,,**"44((  r"c t|ts tdd|cxkrdkstdtd|j tdt |j ||j|j|j|j|j|j|j|j S)Nzserial must be an integerrz"serial must be between 0 and 2**64zserial already setr)r@r*rrNrWrrVrXrYrZrr\r[r]r^)rrns r rnzSSHCertificateBuilder.serials&#&78 8F"U"AB B#AB B << #12 2$((**LL"44&*&D&D,,**"44((  r"c Dt|ts td|j t dt |j |j||j|j|j|j|j|j|j S)Nz"type must be an SSHCertificateTypeztype already setr)r@rOrrXrNrrVrWrYrZrr\r[r]r^)rrps r rpzSSHCertificateBuilder.types$ 23@A A :: !/0 0$((LLLL"44&*&D&D,,**"44((  r"c Dt|ts td|j t dt |j |j|j||j|j|j|j|j|j S)Nzkey_id must be byteszkey_id already setr)r@rrrYrNrrVrWrXrZrr\r[r]r^)rrrs r rrzSSHCertificateBuilder.key_ids&%(23 3 << #12 2$((LL**"44&*&D&D,,**"44((  r"c |jr tdtd|Dr|s td|jr tdt |t kDr tdt|j|j|j|j||j|j|j|j|j S)NzDPrincipals can't be set because the cert is valid for all principalsc3<K|]}t|tywr)r@r).0rs r z9SSHCertificateBuilder.valid_principals..sCQJq%(Csz5principals must be a list of bytes and can't be emptyzvalid_principals already setz:Reached or exceeded the maximum number of valid_principalsr)rrNallrrZr__SSHKEY_CERT_MAX_PRINCIPALSrrVrWrXrYr\r[r]r^)rrts r rtz&SSHCertificateBuilder.valid_principalss  ) )%  C2BCC#G   ! !;< <  #> >L %((LL**LL.&*&D&D,,**"44((  r"c <|jr td|jr tdt|j|j |j |j|jd|j|j|j|j S)Nz@valid_principals already set, can't set valid_for_all_principalsz$valid_for_all_principals already setTr) rZrNrrrVrWrXrYr\r[r]r^rs r valid_for_all_principalsz.SSHCertificateBuilder.valid_for_all_principalss  ! !+   ) )CD D$((LL**LL"44&*,,**"44((  r"c t|ttfs tdt|}|dks|dk\r t d|j t dt |j|j|j|j|j|j||j|j|j S)Nz$valid_before must be an int or floatrrzvalid_before must [0, 2**64)zvalid_before already setr)r@r*floatrrNr\rrVrWrXrYrZrr[r]r^)rrws r rwz"SSHCertificateBuilder.valid_befores,e 5BC C<( ! |u4;< <    )78 8$((LL**LL"44&*&D&D&**"44((  r"c t|ttfs tdt|}|dks|dk\r t d|j t dt |j|j|j|j|j|j|j||j|j S)Nz#valid_after must be an int or floatrrzvalid_after must [0, 2**64)zvalid_after already setr)r@r*rrrNr[rrVrWrXrYrZrr\r]r^)rrys r ryz!SSHCertificateBuilder.valid_after3s+U|4AB B+& ?kU2:; ;    (67 7$((LL**LL"44&*&D&D,,$"44((  r"c t|trt|ts td||jDcgc]\}}| c}}vr t dt |j |j|j|j|j|j|j|j|j|fgz|j Scc}}w)Nname and value must be byteszDuplicate critical option namer)r@rrr]rNrrVrWrXrYrZrr\r[r^rrTrrs r add_critical_optionz)SSHCertificateBuilder.add_critical_optionKs$&j.F:; ; (>(>?WT1D? ?=> >$((LL**LL"44&*&D&D,,**"44u F((  @ Cct|trt|ts td||jDcgc]\}}| c}}vr t dt |j |j|j|j|j|j|j|j|j|j|fgz Scc}}w)NrzDuplicate extension namer)r@rrr^rNrrVrWrXrYrZrr\r[r]rs r add_extensionz#SSHCertificateBuilder.add_extensionas$&j.F:; ; (8(89WT1D9 978 8$((LL**LL"44&*&D&D,,**"44((T5M?:  :rc "t|tjtjt j fs td|j td|jdn |j}|j td|jdn |j}|js|js td|j td|j td|j |jkDr td |j"j%d |j&j%d t)|j}|t*z}t-j.d }t1|}t3}|j5||j5||j7|j||j9||j;|jj<|j5|t3} |jD]} | j5| |j5| j?|j9|j |j9|jt3} |j"D]p\} } | j5| tA| dkDr;t3}|j5| | j5|j?`| j5| r|j5| j?t3}|j&D]p\} } |j5| tA| dkDr;t3}|j5| |j5|j?`|j5| r|j5|j?|j5dt)|}t1|}t3}|j5||j7|jC||j5|j?t|t j rl|jE|j?}t3}|j5||j5||j5|j?nt|tjrtG|jH}|jE|j?tjJ|}tMjN|\}}t3}|j5|t3}|jQ||jQ||j5|j?|j5|j?nt|tjsJt3}|j5tR|jE|j?tUjVtYjZ}|j5||j5|j?t]j^|j?ja}tcjdtftidjk|d|gS)NzUnsupported private key typezpublic_key must be setrztype must be setr"zAvalid_principals must be set if valid_for_all_principals is Falsezvalid_before must be setzvalid_after must be setz-valid_after must be earlier than valid_beforec |dSNrr7rs r z,SSHCertificateBuilder.sign..s !A$r")rOc |dSrr7rs r rz,SSHCertificateBuilder.sign..s AaDr"r8r)6r@r rArrEr rKrrVrNrWrXrYrZrr\r[r]sortr^rQrr@rArrrrrrrrr_rCsignrrSrrdecode_dss_signaturerrr rr rrrrrjrkrSrrX)rrrnrrrP cert_prefixrhr0f fprincipalsrfcritrTrfoptvalfextfextvalca_typecaformatcafrfsigrrrfsigblob cert_datas r rzSSHCertificateBuilder.signwsh **!!))  :; ;    #56 6ll*  :: /0 0 ,$,, %%d.L.L     %78 8    $67 7   t11 1LM M ###7 .1$T%5%56-  2!(+ K [! Ud..2 & $**""# Vk '' &A  " "1 % & [((*+ $##$ $$$% 11 (KD%   T "5zA~#+""5)  !23  ' ( U]]_%{++ 'KD% OOD !5zA~#+""5) 12& ' T\\^$ S#K0"7+k w{557= S[[]# k7#<#< =#((5I;D OOG $ OOI & LL (  R%?%? @' (9(9:H#((bhhx6HII229=DAq;D OOG $ {H   q !   q ! OOH,,. / LL (k3+<+<= == ;D OOO ,#(( W--/I OOI & LL ('' 4::< {{  $SXX{D).L%M N  r")rVz&typing.Optional[SSHCertPublicKeyTypes]rWr/rXz#typing.Optional[SSHCertificateType]rYtyping.Optional[bytes]rZrrr1r\r/r[r/r]'typing.List[typing.Tuple[bytes, bytes]]r^r)rCrlrr)rnr*rr)rprOrr)rrrrr)rtrrr)rwtyping.Union[int, float]rr)ryrrr)rTrrrrr)rSSHCertPrivateKeyTypesrrS)r3r4r5rrCrnrprrrtrrwryrrrr7r"r rrqs4?C(,59*.02*/.2-1EG?A';'&'3 ' ( ' . '$(','+'C'='0 /  8 * & &" 2" " H , 4  0 3  0  "'  ,  "'  ,G r"r)F) rrrrrr*rr*rr1rr)rOz3typing.Union[SSHPrivateKeyTypes, SSHPublicKeyTypes]rr)rCrrr)rZrr[rr\rrr)rZrr-r*rr)rZrrr) rerrrrrrr*rz5Cipher[typing.Union[modes.CBC, modes.CTR, modes.GCM]])rZrrztyping.Tuple[int, memoryview])rZrrz$typing.Tuple[memoryview, memoryview])r}r*rr)rPrr)rZrrrr' typing.AnyrSSHPrivateKeyTypes)rrrrrDrrr)rSrrzhashes.HashAlgorithm)rZrrz/typing.Union[SSHCertificate, SSHPublicKeyTypes])rrrr)rZrr'rrr)rCrrr)z __future__rrenumr@rerjr$base64rrY dataclassesr cryptographyrcryptography.exceptionsrcryptography.hazmat.primitivesr )cryptography.hazmat.primitives.asymmetricr r r r rr&cryptography.hazmat.primitives.ciphersrrrr,cryptography.hazmat.primitives.serializationrrrrrrbcryptrr!_bcrypt_supported ImportErrorrMrGrJ_ECDSA_NISTP256_ECDSA_NISTP384_ECDSA_NISTP521rrrcompilerr _SK_START_SK_ENDrrr=r>DOTALLrrrranger#r(AESCTRCBCGCMr:r6rUrQrBr]r`rcrhrrrwrzr~rrrrrrrrrr rUnionrArErHrKrr:rMrDrFrIrLrrlEnumrOrSrrrrrrrrrr7r"r r$s# # 0!81J 9)  (((' "!23  2 .  "**Y)G3RYY ? ia 01 2       NN YY NN YY * NN YY '0 ,@!   < *'%eO< < < < <: 8 $    ; (??,+55pC,C,LEDEDPD8D8N@%@%H mo mo#%_[,",,.A_[,",,.A_[,",,.A  F\\ d d$dd dNJ'#J'J'5J' J'ZLL     ~~B\ \5\~+ +4+ >(, $(+(  "M M G" 9#( 9999 9  9  9 9s/NN"!N"