3Tf<ddlmZddlZddlZddlZddlZddlmZddlmZm Z ddl m Z m Z ddl mZddlmZddlmZdd lmZmZdd lmZmZdd lmZdd lmZdd lmZm Z ddl!m"Z"ddl#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+ddl,m-Z-m.Z.m/Z/m0Z0ddl1m2Z2m3Z3ddl4m5Z5m6Z6ddl7m8Z8m9Z9m:Z:m;Z;mZ>m?Z?m@Z@mAZAmBZBmCZCddlDmEZEmFZFmGZGmHZHmIZImJZJmKZKmLZLmMZMddlNmOZOddlPmQZQmRZRmSZSmTZTmUZUejdddgZWGddZXGddZYGddZZd!d Z[eYZ\y)") annotationsN)contextmanager)utilsx509)UnsupportedAlgorithm_Reasons)aead)_CipherContext _CMACContext)_EllipticCurvePrivateKey_EllipticCurvePublicKey)_RSAPrivateKey _RSAPublicKey)openssl)binding)hashes serialization)AsymmetricPadding)dhdsaeced448ed25519rsax448x25519)MGF1OAEPPSSPKCS1v15)PrivateKeyTypesPublicKeyTypes)BlockCipherAlgorithmCipherAlgorithm) AESAES128AES256ARC4SM4CamelliaChaCha20 TripleDES_BlowfishInternal_CAST5Internal _IDEAInternal _SEEDInternal) CBCCFBCFB8CTRECBGCMOFBXTSMode)ssh)PBESPKCS12CertificatePKCS12KeyAndCertificatesPKCS12PrivateKeyTypes_PKCS12CATypes _MemoryBIObiochar_ptrc eZdZy)_RC2N)__name__ __module__ __qualname__N/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.pyrErE\srJrEc eZdZdZdZhdZefZejejejejejejejej ej"ej$ej&ej(f Zej.ej0ej2ej4fZdZdZddzZdZdezZ dwdZ!dxdZ" dy dzd Z#dwd Z$dxd Z%d{d Z&d|dZ'd|dZ(d}dZ) d}dZ*d~dZ+d}dZ,ddZ-dwdZ.dwdZ/ ddZ0 ddZ1d}dZ2ddZ3d{dZ4ddZ5 ddZ6 ddZ7 ddZ8 dd Z9d!Z:d"Z;dd#Z dd&Z?dd'Z@d}d(ZAdd)ZBdd*ZCdd+ZD dd,ZE dd-ZF dd.ZG dd/ZH dd0ZId~d1ZJd}d2ZKd~d3ZLdd4ZM dd5ZNdd6ZOdd7ZP dd8ZQd9ZRdd:ZSdd;ZTdd<ZUdd=ZVdd>ZW dd?ZXdd@ZYddAZZ ddBZ[ ddCZ\ ddDZ] ddEZ^ ddFZ_ ddGZ`ddHZaddIZb ddJZcdKZdddLZeefdMZg ddNZh ddOZi ddPZjddQZk ddRZld~dSZm ddTZn ddUZo ddVZp ddWZq ddXZr ddYZs dy ddZZtd~d[Zudd\Zv dd]Zwdd^Zxd~d_Zydd`ZzddaZ{ddbZ|d~dcZ}d~ddZ~ ddeZ ddfZddgZd~dhZddiZddjZddkZd~dlZddmZejdnZ ddoZ ddpZ ddqZd~drZd~dsZ ddtZ dduZddvZy )Backendz) OpenSSL API binding interfaces. r> aes-128-ccm aes-128-gcm aes-192-ccm aes-192-gcm aes-256-ccm aes-256-gcmictj|_|jj|_|jj |_tj|_ i|_ |j|j jg|_ |j jr0|jj|j j yyN)rBinding_bindingffi_ffilib_lib rust_opensslis_fips_enabled _fips_enabled_cipher_registry_register_default_ciphers EVP_PKEY_DH _dh_typesCryptography_HAS_EVP_PKEY_DHXappend EVP_PKEY_DHXselfs rK__init__zBackend.__init__s) MM%% MM%% )99;   &&())//0 99 2 2 NN ! !$))"8"8 9 3rJcdj|j|j|jjS)Nz3)formatopenssl_version_textr`rY_legacy_provider_loadedrhs rK__repr__zBackend.__repr__s7DKK  % % '    MM 1 1  rJNcFtj|j||S)N)errors)r_openssl_assertr])riokrqs rKopenssl_assertzBackend.openssl_asserts &&tyy"VDDrJc|jjtjsJtj|_yrW)rY _enable_fipsr^r_r`rhs rKrvzBackend._enable_fipss7 ""$++---)99;rJc|jj|jj|jjj dS)z Friendly string name of the loaded OpenSSL library. This is not necessarily the same version as it was compiled against. Example: OpenSSL 1.1.1d 10 Sep 2019 ascii)r[stringr]OpenSSL_versionOPENSSL_VERSIONdecoderhs rKrmzBackend.openssl_version_texts@yy II % %dii&?&? @ &/ rJc6|jjSrW)r]OpenSSL_version_numrhs rKopenssl_version_numberzBackend.openssl_version_numbersyy,,..rJc |jdk(s|jdk(r9dj|j|jdzjd}n|jjd}|jj |}|S)Nblake2bblake2sz{}{}rx)namerl digest_sizeencoder]EVP_get_digestbyname)ri algorithmalgevp_mds rK_evp_md_from_algorithmzBackend._evp_md_from_algorithmsv >>Y &)..I*E-- 5 5 9fWo ..''0C//4 rJcx|j|}|j||jjk7|SrW)rrtr[NULLrirrs rK_evp_md_non_null_from_algorithmz'Backend._evp_md_non_null_from_algorithms2,,Y7 Fdiinn45 rJc|jrt||jsy|j|}||jj k7SNF)r` isinstance _fips_hashesrr[rrs rKhash_supportedzBackend.hash_supporteds@   jDj(23rJc tttfD]H}ttt t tttfD]}|j||td Jttt t tfD]"}|jt|td$tttt fD]"}|jt|td$|jtt td|jttdtd|jtt t"t tt ttfD]"}|jt$|td$|j&j(s|j*j,s!ttt t fD]"}|jt.|td$ttt t fD]"}|jt0|td$t3j4t6t8gtt tt gD]!\}}|j||td#|jt:tdtd |jt<tdtd yy) Nz+{cipher.name}-{cipher.key_size}-{mode.name}zdes-ede3-{mode.name}zdes-ede3chacha20zsm4-{mode.name}zbf-{mode.name}zseed-{mode.name}z{cipher.name}-{mode.name}rc4rc2)r&r'r(r2r5r6r8r3r4r7rGetCipherByNamer+r-r,rr9_get_xts_cipherr*rYrnr]#CRYPTOGRAPHY_OPENSSL_300_OR_GREATERr.r1 itertoolsproductr/r0r)rE)rirrs rKrbz!Backend._register_default_cipherssj/ J #sCdC@ ,,#E  c3S1 H  ( ( MN   c4- H  ( (8_5K%L   $$ sOJ7  $$ d4j/*"=  $$S#?c3S1 H  ( (X/@A   MM 1 199@@ #sC0 ,,%#$45  !#sC0 ,,!#$67  )2(9(9/c3$) $ H,,#$?@    ( (d4j/%"8   ( (d4j/%"8 7ArJc:t|||tjSrW)r _ENCRYPTrirrs rKcreate_symmetric_encryption_ctxz'Backend.create_symmetric_encryption_ctxLdFD.2I2IJJrJc:t|||tjSrW)r _DECRYPTrs rKcreate_symmetric_decryption_ctxz'Backend.create_symmetric_decryption_ctxQrrJc$|j|SrW)rrs rKpbkdf2_hmac_supportedzBackend.pbkdf2_hmac_supportedVs""9--rJc*tjSrW)r^capture_error_stackrhs rK_consume_errorszBackend._consume_errorsYs//11rJc||jjk7sJ|j|jj | |jj |}|jj d|}|jj||}|j|dk\tj|jj|d|d}|S)Nzunsigned char[]rbig) r[rrtr]BN_is_negative BN_num_bytesnew BN_bn2binint from_bytesbuffer)ribn bn_num_bytesbin_ptrbin_lenvals rK _bn_to_intzBackend._bn_to_int\sTYY^^###  8 8 <<=yy--b1 ))-- 1<@))%%b'2 GqL)nnTYY--g6x@%H rJc(|jt|jdz dzd}|jj |t ||j j}|j||j jk7|S)a  Converts a python integer to a BIGNUM. The returned BIGNUM will not be garbage collected (to support adding them to structs that take ownership of the object). Be sure to register it for GC if it will be discarded after use. g @rUr) to_bytesr bit_lengthr] BN_bin2bnlenr[rrt)rinumbinarybn_ptrs rK _int_to_bnzBackend._int_to_bnhsnc#.."2S"81"<=uE$$VS[$))..I Fdiinn45 rJc`tj|||jj}|j ||j j k7|j j||jj}|j|}|j j||jj}|jj||||j j }|j |dk(|j|}t|||dS)NrUTunsafe_skip_rsa_key_validation)r_verify_rsa_parametersr]RSA_newrtr[rgcRSA_freerBN_freeRSA_generate_key_ex_rsa_cdata_to_evp_pkeyr)ripublic_exponentkey_size rsa_cdatarresevp_pkeys rKgenerate_rsa_private_keyz Backend.generate_rsa_private_keyts ""?H=II%%'  I78IILLDII,>,>? ___ - YY\\"dii// 0ii++ xTYY^^  C1H%..y9 )Xd  rJc.|dk\xr|dzdk7xr|dk\S)NrUrirI)rirrs rK!generate_rsa_parameters_supportedz)Backend.generate_rsa_parameters_supporteds/ q  !#q( C rJc (tj|j|j|j|j |j |j|jj|jj|jj}|j||jjk7|jj!||jj"}|j%|j}|j%|j}|j%|j}|j%|j }|j%|j }|j%|j} |j%|jj} |j%|jj} |jj'|||} |j| dk(|jj)|| | |} |j| dk(|jj+|||| } |j| dk(|j-|} t/||| |S)NrUr)r_check_private_key_componentspqddmp1dmq1iqmppublic_numbersenr]rrtr[rrrrRSA_set0_factors RSA_set0_keyRSA_set0_crt_paramsrr)rinumbersrrrrrrrrrrrrs rKload_rsa_private_numbersz Backend.load_rsa_private_numberss )) II II II LL LL LL  " " $ $  " " $ $ II%%'  I78IILLDII,>,>? OOGII & OOGII & OOGII &w||,w||,w||, OOG2244 5 OOG2244 5ii((Aq9 C1H%ii$$Y1a8 C1H%ii++ItT4H C1H%..y9   +I   rJcntj|j|j|jj }|j ||jjk7|jj||jj}|j|j}|j|j}|jj||||jj}|j |dk(|j|}t|||SNrU)r_check_public_key_componentsrrr]rrtr[rrrrrrr)rirrrrrrs rKload_rsa_public_numberszBackend.load_rsa_public_numberss ((GII>II%%'  I78IILLDII,>,>? OOGII & OOGII &ii$$Y1diinnE C1H%..y9T9h77rJc|jj}|j||jjk7|jj ||jj }|SrW)r] EVP_PKEY_newrtr[rr EVP_PKEY_free)rirs rK_create_evp_pkey_gczBackend._create_evp_pkey_gcsR99))+ H 6799<<$))*A*ABrJc|j}|jj||}|j|dk(|Sr)rr]EVP_PKEY_set1_RSArt)rirrrs rKrzBackend._rsa_cdata_to_evp_pkeys=++-ii))(I> C1H%rJcF|jj|}|jj|t |}|j ||jj k7t|jj||jj|S)z Return a _MemoryBIO namedtuple of (BIO, char*). The char* is the storage for the BIO and it must stay alive until the BIO is finished with. ) r[ from_bufferr]BIO_new_mem_bufrrtrrArBIO_free)ridatadata_ptrrBs rK _bytes_to_biozBackend._bytes_to_bioss99((.ii''#d)< C499>>12$)),,sDII,>,>?JJrJcp|jj}|j||jjk7|jj |}|j||jjk7|jj ||jj}|S)z. Creates an empty memory BIO. )r] BIO_s_memrtr[rBIO_newrr )ri bio_methodrBs rK_create_mem_bio_gczBackend._create_mem_bio_gcsYY((*  J$))..89ii + C499>>12iill3 2 23 rJc6|jjd}|jj||}|j |dkD|j |d|jj k7|jj |d|dd}|S)zE Reads a memory BIO. This only works on memory BIOs. zchar **rN)r[rr]BIO_get_mem_datartrr)rirBbufbuf_lenbio_datas rK _read_mem_biozBackend._read_mem_biosiimmI&)),,S#6 GaK( CFdiinn4599##CFG4Q7rJcP |jj|}||jjk(r|jj|}|j ||j j k7|j j||jj}t||||S||jjk(r|jjs|jjs|jjs|jj|}|j ||j j k7|j j||jj}|j}|jj||}|j |dk(|j!|j#|d|S||jj$k(rBt&j(j+t-|j j/d|S||jj0k(r|jj3|}|j ||j j k7|j j||jj4}t7|||S||j8vrBt&j:j+t-|j j/d|S|t=|jddk(rBt&j>j+t-|j j/d|S|t=|jddk(rBt&j@j+t-|j j/d|S||jjBk(rBt&jDj+t-|j j/d|S|t=|jddk(rBt&jFj+t-|j j/d|StId ) zd Return the appropriate type of PrivateKey given an evp_pkey cdata pointer. rrUN)passwordr uintptr_tEVP_PKEY_ED25519 EVP_PKEY_X448EVP_PKEY_ED448Unsupported key type.)%r] EVP_PKEY_id EVP_PKEY_RSAEVP_PKEY_get1_RSArtr[rrrrEVP_PKEY_RSA_PSSCRYPTOGRAPHY_IS_LIBRESSLCRYPTOGRAPHY_IS_BORINGSSL#CRYPTOGRAPHY_OPENSSL_LESS_THAN_111Eri2d_RSAPrivateKey_bioload_der_private_keyr EVP_PKEY_DSAr^rprivate_key_from_ptrrcast EVP_PKEY_ECEVP_PKEY_get1_EC_KEY EC_KEY_freer rdrgetattrrrEVP_PKEY_X25519rrr)rirrkey_typerrBrec_cdatas rK_evp_pkey_to_private_keyz Backend._evp_pkey_to_private_keys99((2 tyy-- - 33H=I    TYY^^ ; < Y 0B0BCI!/M    22 2II66II77IIAA  33H=I    TYY^^ ; < Y 0B0BCI))+C))11#yAC   q ),,""3'/M-  // /##88DIINN;9: .. .yy55h?H   DIINN : ;yy||Hdii.C.CDH+D(HE E  '??77DIINN;9: ,>E E''<<DIINN;9: OTB B$$99DIINN;9: 22 2&&;;DIINN;9: ,? ?rJc^ |jj|}||jjk(r|jj|}|j ||j j k7|j j||jj}t|||S||jjk(r|jjs|jjs|jjs|jj|}|j ||j j k7|j j||jj}|j}|jj||}|j |dk(|j!|j#|S||jj$k(rBt&j(j+t-|j j/d|S||jj0k(r|jj3|}||j j k(r|j5}t7d||j j||jj8}t;|||S||j<vrBt&j>j+t-|j j/d|S|tA|jddk(rBt&jBj+t-|j j/d|S|tA|jddk(rBt&jDj+t-|j j/d|S||jjFk(rBt&jHj+t-|j j/d|S|tA|jddk(rBt&jJj+t-|j j/d|StMd) zc Return the appropriate type of PublicKey given an evp_pkey cdata pointer. rUrzUnable to load EC keyrNrr r!)'r]r"r#r$rtr[rrrrr%r&r'r(ri2d_RSAPublicKey_bioload_der_public_keyrr+r^rpublic_key_from_ptrrr-r.r/rrr0rrdrr1rrr2rrr)rirr3rrBrr4rqs rK_evp_pkey_to_public_keyzBackend._evp_pkey_to_public_keyGs 99((2 tyy-- - 33H=I    TYY^^ ; < Y 0B0BCI y(; ;  22 2II66II77IIAA 33H=I    TYY^^ ; < Y 0B0BCI))+C))00i@C   q )++D,>,>s,CD D // /##77DIINN;9: .. .yy55h?H499>>)--/ !8&AAyy||Hdii.C.CDH*48D D  '??66DIINN;9: ,>E E'';;DIINN;9: OTB B$$88DIINN;9: 22 2&&::DIINN;9: ,? ?rJc|jrt|tjryt|tjtjtj tj tjfSr)r`rrrSHA224SHA256SHA384SHA512rs rK_oaep_hash_supportedzBackend._oaep_hash_supportedsS   *Y "D         rJct|tryt|trzt|jtr`|j r/t|jj tjry|j|jj St|tr\t|jtrB|j|jj xr|j|j Sy)NTF) rr!r _mgfrr` _algorithmrrrrr@ripaddings rKrsa_padding_supportedzBackend.rsa_padding_supporteds gx (  %*W\\4*H!!j '''**7<<+B+BCC  &:gllD+I,, ''@++G,>,>? @rJc^|jrt|try|j|Sr)r`rr!rFrDs rKrsa_encryption_supportedz Backend.rsa_encryption_supporteds(   *Wh"?--g6 6rJc^|dvr tdtjj|S)N)irTi iz0Key size must be 1024, 2048, 3072, or 4096 bits.)rr^rgenerate_parameters)rirs rKgenerate_dsa_parameterszBackend.generate_dsa_parameterss4 3 3B 33H==rJc"|jSrWgenerate_private_keyri parameterss rKgenerate_dsa_private_keyz Backend.generate_dsa_private_key..00rJcF|j|}|j|SrW)rKrQ)rirrPs rK'generate_dsa_private_key_and_parametersz/Backend.generate_dsa_private_key_and_parameterss%11(; ,,Z88rJcjtj|tjj|SrW)r_check_dsa_private_numbersr^from_private_numbersrirs rKload_dsa_private_numbersz Backend.load_dsa_private_numberss) &&w/44W==rJc~tj|jtjj |SrW)r_check_dsa_parametersparameter_numbersr^from_public_numbersrXs rKload_dsa_public_numberszBackend.load_dsa_public_numberss/ !!'";";<33G<> 11.  rJcH|jj|j|jj}||jjk7r?|jj ||jj }| td|S|jy)N4Password was given but private key is not encrypted.) r]d2i_PrivateKey_biorBr[rrr TypeErrorr)rirrrs rKrz*Backend._evp_pkey_from_der_traditional_key9s~ii**8<<H $)).. )),,sDII$;$;>B DDIINN23yy||D$))"5"56 rJc|j}|jj||}|j|dk(t j |j |Sr)rr] i2d_X509_biortrload_der_x509_certificater)rix509_ptrrBrs rK _ossl2certzBackend._ossl2certisT%%'ii$$S(3 C1H%--d.@.@.EFFrJc|jtjjtjj tj }|j|}|jj|j|jj}|j||jjk7|jj||jjSrW) private_bytesrrr PrivateFormatPKCS8 NoEncryptionrr]rrBr[rrtrr)rirr ryrs rK _key2osslzBackend._key2osslos   " " & &  ' ' - -  & & (  $$T*99// KK IINN  H 67yy||Hdii&=&=>>rJc|j|}|jjd}|Htjd||jj |}||_t||_||j|jj|jj|jjd|}||jjk(r|jdk7rb|j|jdk(r t!d|jdk(sJt#dj%|j&d z |j)|jj+||jj,}||j.dk(r t!d ||j.d k(s|J|j1||S) Nrqrrrrz3Password was not given but private key is encryptedzAPasswords longer than {} bytes are not supported by this backend.rUr)rr[rr_check_bytesliker rrlengthrBrrtr]ruerrorrrrrlmaxsizerxrrcalledr5) riopenssl_read_funcr rrryrz password_ptrrs rKrmzBackend._load_key~s$$T*99==!?@    " ":x 89900:L ,H !(mHO$ KK IINN II   '')G     tyy~~ %~~"$$&>>R'#M$>>R///$++16(2B2BQ2F+G ..099<<$))*A*AB  HOOq$8F   X__%9   ,, 4  rJcDj}|s td|djjjjj s|djjj jjsSjjrH|djjjjjr tdtfd|Dr tdtd|)Nz|Could not deserialize key data. The data may be in an incorrect format or it may be encrypted with an unsupported algorithm.rz Bad decrypt. Incorrect password?c3K|]>}|jjjjj@ywrW)_lib_reason_matchr] ERR_LIB_EVP'EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM).0rris rK z4Backend._handle_key_loading_error..s@   # # %% AA  sAAz!Unsupported public key algorithm.zCould not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).) rrrr]rEVP_R_BAD_DECRYPTERR_LIB_PKCS12!PKCS12_R_PKCS12_CIPHERFINAL_ERRORCryptography_HAS_PROVIDERS ERR_LIB_PROVPROV_R_BAD_DECRYPTany)rirqs` rKrxz!Backend._handle_key_loading_errors%%'  1I ' ' %%tyy'B'B ay** (( ;;  441I//II**II00 ?@ @     @A A4  rJc |j|}|jj |}||j j k(r|jy|j||jjk7|jj|y#t$r|jj}YwxYw)NFT) _elliptic_curve_to_nidrr] NID_undefEC_GROUP_new_by_curve_namer[rrrt EC_GROUP_free)ricurve curve_nidgroups rKelliptic_curve_supportedz Backend.elliptic_curve_supporteds ,33E:I 44Y? DIINN "  "    TYY-@-@ @ A II # #E *$ , ++I ,sBB>=B>cZt|tjsy|j|Sr)rrECDSAr)risignature_algorithmrs rK,elliptic_curve_signature_algorithm_supportedz4Backend.elliptic_curve_signature_algorithm_supporteds' -rxx8,,U33rJc0|j|r^|j|}|jj|}|j |dk(|j |}t |||Std|jdtj)z@ Generate a new private key on the named curve. rUz Backend object does not support .) r_ec_key_new_by_curver]EC_KEY_generate_keyrt_ec_cdata_to_evp_pkeyr rrrUNSUPPORTED_ELLIPTIC_CURVE)rirr4rrs rK#generate_elliptic_curve_private_keyz+Backend.generate_elliptic_curve_private_keys  ( ( /007H))//9C   q )11(;H+D(HE E&25::,a@33 rJc <|j}|j|j}|jj |j |j |jj}|jj||}|dk7r|jtd|j5}|j||j|j||jj!|}|j#||jj$k7t&jj)|}|j#||jj$k7|jj+|} |j#| |jj$k7|jj | |jj,} |jj/|| ||jj$|jj$|}|j#|dk(|jj1||| |dk7r td ddd|j3|} t5||| S#1swY'xYw)NrUInvalid EC key.r)rrrr[rr private_valuer] BN_clear_freeEC_KEY_set_private_keyrr _tmp_bn_ctx)_ec_key_set_public_key_affine_coordinatesxyEC_KEY_get0_grouprtrbackendEC_KEY_get0_public_key EC_POINT_new EC_POINT_free EC_POINT_mul EC_POINT_cmprr ) rirpublicr4rrbn_ctxr set_pointcomputed_pointrs rK#load_elliptic_curve_private_numbersz+Backend.load_elliptic_curve_private_numberss#'',,V\\: OOG11 2DII4K4K ii..xG !8  "./ /     46  : :&((FHHf  II//9E    7 8 ;;HEI    TYY^^ ; <!YY33E:N   $)).. @ A!YY\\ 7 7N))((   C   q ) &&9nf !!233 5 4B--h7'hAAG 4 4s =F.JJc|j|j}|j5}|j||j|j |ddd|j |}t|||S#1swY'xYwrW)rrrrrrrr)rirr4rrs rK"load_elliptic_curve_public_numbersz*Backend.load_elliptic_curve_public_numbersEs{,,W]];     6  : :'))WYY  --h7&tXx@@   s )A;;Bc |j|}|jj|}|j||jj k7|jj |}|j||jj k7|jj||jj}|j5}|jj|||t||}|dk7r|jtd ddd|jj||}|j|dk(|j|}t!|||S#1swYWxYw)NrUz(Invalid public bytes for the given curve)rr]rrtr[rrrrrEC_POINT_oct2pointrrrEC_KEY_set_public_keyrr) rir point_bytesr4rpointrrrs rK load_elliptic_curve_public_bytesz(Backend.load_elliptic_curve_public_bytesQsJ,,U3 ++H5 ETYY^^34 &&u- ETYY^^34 UDII$;$;<     M6))..uk3{+;VCax$$& !KLL  Mii--h> C1H%--h7&tXx@@ M Ms A E88Fc ~|j|}|jj|}|j||jj k7|jj |}|j||jj k7|jj||jj}|j|}|jj||jj}|j5}|jj||||jj |jj |}|j|dk(|jj|} |jj|} |jj||| | |}|dk7r|jt!d ddd|jj#||}|j|dk(|j|} |jj| |jj} |jj%|| }|j|dk(|j'|} t)||| S#1swYxYw)NrUz'Unable to derive key from private_value)rr]rrtr[rrrrrrrr BN_CTX_getEC_POINT_get_affine_coordinatesrrrrrr ) rirrr4rrvaluerrbn_xbn_yprivaters rK!derive_elliptic_curve_private_keyz)Backend.derive_elliptic_curve_private_keygs2,,U3 ++H5 ETYY^^34 &&u- ETYY^^34 UDII$;$;< . UDII$;$;<     L6))((ueTYY^^TYY^^VC   q )99''/D99''/D));;udD&Cax$$& !JKK L ii--h> C1H%//-0)),,w (?(?@ii..xA C1H%--h7'hAA3 L Ls CJ33J<cF|j|}|j|SrW)r_ec_key_new_by_curve_nid)rirrs rKrzBackend._ec_key_new_by_curves#//6 ,,Y77rJc|jj|}|j||jjk7|jj ||jj SrW)r]EC_KEY_new_by_curve_namertr[rrr0)rirr4s rKrz Backend._ec_key_new_by_curve_nidsP9955i@ H 67yy||Hdii&;&;< II(():):)<=  ++ +&::,@A33 rJc#K|jj}|j||jjk7|jj ||jj }|jj| ||jj|y#|jj|wxYwwrW) r] BN_CTX_newrtr[rr BN_CTX_free BN_CTX_start BN_CTX_end)rirs rKrzBackend._tmp_bn_ctxs%%' Fdiinn45fdii&;&;< v& )L II  (DII  (sBCB1C1CCct|dks|dkr td|jj|j||jj }|jj|j||jj }|jj |}|j||jjk7|jj|}|j||jjk7|jj||jj}|jj|||||}|dk7r|jtd|jj||}|j|dk(y)zg Sets the public key point in the EC_KEY context to the affine x and y values. rz2Invalid EC key. Both x and y must be non-negative.rUrN)rr[rrr]rrrtrrrEC_POINT_set_affine_coordinatesrr)rir4rrrrrrs rKrz1Backend._ec_key_set_public_key_affine_coordinatessU q5AED  IILL+TYY->-> ? IILL+TYY->-> ? ++H5 ETYY^^34 &&u- ETYY^^34 UDII$;$;<ii77 5!Q  !8  "./ /ii--h> C1H%rJct|tjs tdt|tjs tdt|tj s tdt|tj rd}nt|tjr%|j}t|dkDrutdt|tjrE|j|cxurtjjurn td|j}n td|tjjur|tjjur|j j"}n>|tjj$ur|j j&}n td|j)|||S|tjj*ur|j,r%t|tj s td |j j/|} |tjjurt| |j j0k(r|j j2}n1| |j j4k(sJ|j j6}|j)|||S|tjj$ur|r td | |j j0k(r|j j8}n1| |j j4k(sJ|j j:}|j=||Std |tjjur>|tjjurt?j@|||Std td )N/encoding must be an item from the Encoding enumz2format must be an item from the PrivateFormat enumzBEncryption algorithm must be a KeySerializationEncryption instancerJizBPasswords longer than 1023 bytes are not supported by this backendzUnsupported encryption typezUnsupported encoding for PKCS8zCEncrypted traditional OpenSSL format is not supported in FIPS mode.zDEncryption is not supported for DER encoded traditional OpenSSL keysz+Unsupported encoding for TraditionalOpenSSLz=OpenSSH private key format can only be used with PEM encodingformat is invalid with this key)!rrrrrKeySerializationEncryptionrBestAvailableEncryptionrrr_KeySerializationEncryption_formatOpenSSHrPEMr]PEM_write_bio_PKCS8PrivateKeyri2d_PKCS8PrivateKey_bio_private_key_bytes_via_bioTraditionalOpenSSLr`r"r#PEM_write_bio_RSAPrivateKeyr.PEM_write_bio_ECPrivateKeyr)i2d_ECPrivateKey_bio_bio_func_outputr;_serialize_ssh_private_key) riencodingrlencryption_algorithmrrcdatar write_bior3s rK_private_key_byteszBackend._private_key_bytessp(M$:$:;MN N&-"="=>D  -"J"J   *M,F,F GH  -"G"G ,44H8}t# # $m&O&O %,,3**223 :; ;,44H:; ; ]0066 6=11555 IICC ]33777 II==  !ABB228X  ]00CC C!!*$m&@&@+!.yy,,X6H=11555tyy555 $ E EI#tyy'<'<<<< $ D DI66uh=11555$3tyy555 $ ? ?I#tyy'<'<<<< $ > >I,,Y>>JK K ]0088 8=1155555#7% :;;rJc |s|jj}n|jjd}|j ||||t ||jj|jjS)Ns aes-256-cbc)r[rr]EVP_get_cipherbynamerr)rir"rrrs rKrz"Backend._private_key_bytes_via_bioYsfJ77GJ$$     M IINN IINN  rJc~|j}||g|}|j|dk(|j|Sr)rrtr)rir"argsrBrs rKrzBackend._bio_func_outputlsB%%'#d# C1H%!!#&&rJcVt|tjs tdt|tjs td|tjj ur|tjj ur|jj}n>|tjjur|jj}n td|j||S|tjjur|jj|}||jjk7r td|tjj ur|jj }n>|tjjur|jj"}n td|j||S|tjj$ur<|tjj$urt'j(|Stdtd)Nrz1format must be an item from the PublicFormat enumz8SubjectPublicKeyInfo works only with PEM or DER encodingz+PKCS1 format is supported only for RSA keysz)PKCS1 works only with PEM or DER encodingz1OpenSSH format must be used with OpenSSH encodingr)rrrr PublicFormatSubjectPublicKeyInforr]PEM_write_bio_PUBKEYri2d_PUBKEY_biorrPKCS1r"r#PEM_write_bio_RSAPublicKeyr7rr;serialize_ssh_public_key)rirrlrrr!r"r3s rK_public_key_byteszBackend._public_key_bytesrs(M$:$:;MN N&-"<"<=C  ]//DD D=11555 II:: ]33777 II44  N((H= = ]//55 5yy,,X6H499111 !NOO=11555 II@@ ]33777 II::  !LMM((E: : ]//77 7=1199933C88C  :;;rJc0|jj SrWr]r'rhs rK dh_supportedzBackend.dh_supported996666rJcBtjj||SrW)r^rrJri generatorrs rKgenerate_dh_parameterszBackend.generate_dh_parameterss229hGGrJc"|jSrWrMrOs rKgenerate_dh_private_keyzBackend.generate_dh_private_keyrRrJcD|j|j||SrW)r:r8r6s rK&generate_dh_private_key_and_parametersz.Backend.generate_dh_private_key_and_parameterss'++  ' ' 8 <  rJc@tjj|SrW)r^rrWrXs rKload_dh_private_numberszBackend.load_dh_private_numberss33G<>rJc tjjtj|||y#t$rYywxYw)N)rgrTF)r^rr`DHParameterNumbersr)rirrDrs rKdh_parameters_supportedzBackend.dh_parameters_supportedsD  OO 2 2%%Q!4    s58 AAc4|jjdk(Sr)r]rerhs rKdh_x942_serialization_supportedz'Backend.dh_x942_serialization_supportedsyy66!;;rJc@tjj|SrW)r^rfrom_public_bytesr~s rKx25519_load_public_bytesz Backend.x25519_load_public_bytess""44T::rJc@tjj|SrW)r^rfrom_private_bytesr~s rKx25519_load_private_bytesz!Backend.x25519_load_private_bytess""55d;;rJc>tjjSrW)r^r generate_keyrhs rKx25519_generate_keyzBackend.x25519_generate_keys""//11rJcJ|jry|jj Sr)r`r]#CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370rhs rKx25519_supportedzBackend.x25519_supporteds!   99@@@@rJc@tjj|SrW)r^rrJr~s rKx448_load_public_byteszBackend.x448_load_public_bytess  22488rJc@tjj|SrW)r^rrMr~s rKx448_load_private_byteszBackend.x448_load_private_bytess  33D99rJc>tjjSrW)r^rrPrhs rKx448_generate_keyzBackend.x448_generate_keys  --//rJc||jry|jj xr|jj Srr`r]r&r'rhs rKx448_supportedzBackend.x448_supported8    22 2 8II777 rJcH|jry|jjSr)r`r] CRYPTOGRAPHY_HAS_WORKING_ED25519rhs rKed25519_supportedzBackend.ed25519_supporteds   yy999rJc@tjj|SrW)r^rrJr~s rKed25519_load_public_bytesz!Backend.ed25519_load_public_bytess##55d;;rJc@tjj|SrW)r^rrMr~s rKed25519_load_private_bytesz"Backend.ed25519_load_private_bytess##66t<tjjSrW)r^rrPrhs rKed25519_generate_keyzBackend.ed25519_generate_key s##0022rJc||jry|jj xr|jj Srr\rhs rKed448_supportedzBackend.ed448_supportedr^rJc@tjj|SrW)r^rrJr~s rKed448_load_public_byteszBackend.ed448_load_public_bytess!!33D99rJc@tjj|SrW)r^rrMr~s rKed448_load_private_bytesz Backend.ed448_load_private_bytess!!44T::rJc>tjjSrW)r^rrPrhs rKed448_generate_keyzBackend.ed448_generate_keys!!..00rJc.tj||SrW)r _aead_cipher_supported)rirs rKaead_cipher_supportedzBackend.aead_cipher_supporteds**488rJc.t|D]}d||< y)Nr)range)rir ris rK _zero_datazBackend._zero_data"s v ADG rJc#K||jjyt|}|jjd|dz}|jj ||| ||j |jj d||y#|j |jj d||wxYww)a This method takes bytes, which can be a bytestring or a mutable buffer like a bytearray, and yields a null-terminated version of that data. This is required because PKCS12_parse doesn't take a length with its password char * and ffi.from_buffer doesn't provide null termination. So, to support zeroing the data via bytearray we need to build this ridiculous construct that copies the memory, but zeroes it after use. Nzchar[]rUz uint8_t *)r[rrrmemmovervr-)rir data_lenrs rK_zeroed_null_terminated_bufz#Backend._zeroed_null_terminated_buf)s <)).. 4yH))--(Q,7C II  c4 2 L  {C @(K {C @(KsA#C&B*-C.CCc|j||}|j|jr|jjnd|jDcgc]}|jc}fScc}wrW) load_pkcs12rr certificateadditional_certs)rir rpkcs12rs rK%load_key_and_certificates_from_pkcs12z-Backend.load_key_and_certificates_from_pkcs12@s\!!$1 JJ'-{{FKK # #*0*A*A B$T   B   CsA&c |tjd||j|}|jj |j |j j}||j jk(r|jtd|j j||jj}|j jd}|j jd}|j jd}|j|5}|jj|||||} ddd dk(r|jtdd} d} g} |d|j jk7rF|j j|d|jj} |j!| d } |d|j jk7r|j j|d|jj"}|j%|}d}|jj'||j j}||j jk7r|j j)|}t+||} |d|j jk7r|j j|d|jj,}|jj/|d}|jj0s|jj2r t5|}nt7t5|}|D] }|jj9||}|j;||j jk7|j j||jj"}|j%|}d}|jj'||j j}||j jk7r|j j)|}| j=t+|| t?| | | S#1swY:xYw) Nrz!Could not deserialize PKCS12 dataz EVP_PKEY **zX509 **zCryptography_STACK_OF_X509 **rzInvalid password or PKCS12 dataFr) rrrr]d2i_PKCS12_biorBr[rrrr PKCS12_freerrz PKCS12_parserr5rrX509_alias_get0ryr= sk_X509_free sk_X509_numrr'rtreversed sk_X509_valuertrfr>)rir rrBp12 evp_pkey_ptrr sk_x509_ptr password_bufrrradditional_certificatesrrcert_objr maybe_namesk_x509rindicesru addl_cert addl_names rKr|zBackend.load_pkcs12Ns    " ":x 8  &ii&&sww ? $))..  "@A Aiill3 5 56yy}}]3 99==+iimm$CD  - -h 7 <))((\<;C  !8  ">? ?"$ ?diinn ,yy||LOTYY5L5LMH//0C A;$)).. (99<< TYY-@-@ADt,HD224HJTYY^^+yy'' 3$Xt4D q>TYY^^ +iill;q>4993I3IJG))'' A7C  ==9966*"5:. yy..w:##DDIINN$:;yy||D$))*=*=> OOD1  !YY66tTYY^^L / $ 0 0 } g}|D]}t|t@r|jB}|jE|jF}|2|jjI||j j d}n&|jjI||t9|}|j3|dk(n|jE|}|jK||jjM| |}tNj3|dk\|jQ|5}|jQ|5}|r|jE|n|j j }||jS|n|j j }|jjU||||| ||| | d }||j j k(r|jW}t7d | ddd|jj.rN| |j j k7r5|jjY|d|j j d| | ddd|j3|j j k7|j j=||jjZ}|j]}|jj_||}|j3|dkD|ja|S#1swYxYw#1swYxYw) Nrrri NrUz2PBESv2 is not supported by this version of OpenSSLzBSetting MAC algorithm is not supported by this version of OpenSSL.zUnsupported key encryption typez=Failed to create PKCS12 (does the key match the certificate?))1r _check_bytesrrrr[rrr]rNID_aes_256_cbc&NID_pbe_WithSHA1And3_Key_TripleDES_CBCrrrrPKCS12_key_cert_algorithmr<PBESv1SHA1And3KeyTripleDESCBCPBESv2SHA256AndAES256CBCr _hmac_hashCryptography_HAS_PKCS12_SET_MACrrt _kdf_roundsrrsk_X509_new_nullrrr= friendly_namerr}X509_alias_set1rf sk_X509_pushrrzr PKCS12_createrPKCS12_set_macrri2d_PKCS12_bior)rirrrcasr rnid_certnid_key pkcs12_itermac_itermac_alg keycertalgrossl_cascaca_aliasossl_carrname_buf ossl_cert ossl_pkeyrrqrBs rK(serialize_key_and_certificates_to_pkcs12z0Backend.serialize_key_and_certificates_to_pkcs12s=     vt , *M,F,F GHGKHiinnG  -"G"G yy<<9944))3399KK))JJKHiinnG+44H $m&O&O %,,**112 HGKH+44H-AAJT???99KK))JJt<<<yyDD.L 9944))33!)))$..:yy@@..>>(33##Gtyy~~$=>))..#//;2>> >? ? ;#c(a-iinnGii002Giill7DII,B,BCGH 1b"34!//H"oobnn=G'"ii77#TYY^^R#ii77#Xs8}''q1"oob1G(ii,,Wg>&&sax0# 1& - -h 7) <11$7 859DOOD1tyy~~ +.?DNN3' ii--  $))..(!113F$, )% : 99tyy~~- (( IINNC) V C499>>12iill3 5 56%%'ii&&sC0 C!G$!!#&&a  ) ) s&?X(B,X>A,X(X% X((X1cN|jry|jjdk(Sr)r`r]Cryptography_HAS_POLY1305rhs rKpoly1305_supportedzBackend.poly1305_supported@s#   yy22a77rJc0|jj SrWr2rhs rKpkcs7_supportedzBackend.pkcs7_supportedEr4rJctjd||j|}|jj |j |j j|j j|j j}||j jk(r|jtd|j j||jj}|j|SNr zUnable to parse PKCS7 data) rrrr]PEM_read_bio_PKCS7rBr[rrrr PKCS7_free_load_pkcs7_certificatesrir rBp7s rKload_pem_pkcs7_certificatesz#Backend.load_pem_pkcs7_certificatesHs 64(  & YY ) ) GGTYY^^TYY^^TYY^^     "9: : YY\\"dii22 3,,R00rJctjd||j|}|jj |j |j j}||j jk(r|jtd|j j||jj}|j|Sr) rrrr] d2i_PKCS7_biorBr[rrrrrrrs rKload_der_pkcs7_certificatesz#Backend.load_der_pkcs7_certificatesWs 64(  & YY $ $SWWdiinn =    "9: : YY\\"dii22 3,,R00rJc|jj|j}|j||jjk7||jj k7r)t dj|tjg}|jj|jjk(r|S|jjj}|jj|}t!|D]h}|jj#||}|j||jjk7|j%|}|j'|j|S)NzNOnly basic signed structures are currently supported. NID for this data was {})r] OBJ_obj2nidrrtrNID_pkcs7_signedrrlrUNSUPPORTED_SERIALIZATIONrsignr[rrrrtrrrf) rirnidcertsrrrurrs rKrz Backend._load_pkcs7_certificatesdsii##BGG, C499#6#667 $)),, ,&((.s 22  )+ 4499  &L$$))..ii##G,s A99**7A6D     6 7??4(D LL     rJ)returnNone)rstrrW)rsboolrqz7typing.Optional[typing.List[rust_openssl.OpenSSLError]]rr)rr)rhashes.HashAlgorithm)rrrr)rr)rr%rr:rr)rr%rr:rr )rz&typing.List[rust_openssl.OpenSSLError])rr)rrrrrrsa.RSAPrivateKey)rrrrrr)rzrsa.RSAPrivateNumbersrrrr)rzrsa.RSAPublicNumbersrzrsa.RSAPublicKey)r bytesrrA)rr)rrrr")rr#)rErrr)rrrdsa.DSAParameters)rPrrdsa.DSAPrivateKey)rrrr)rzdsa.DSAPrivateNumbersrr)rzdsa.DSAPublicNumbersrzdsa.DSAPublicKey)rzdsa.DSAParameterNumbersrr)rr$rr )r rrtyping.Optional[bytes]rrrr")r rrr#)r rrdh.DHParameters)rx509.Certificater typing.Any)rrrr)rr?rr)rr")rztyping.NoReturn)rec.EllipticCurverr)rz"ec.EllipticCurveSignatureAlgorithmrrrr)rrrec.EllipticCurvePrivateKey)rzec.EllipticCurvePrivateNumbersrr)rzec.EllipticCurvePublicNumbersrec.EllipticCurvePublicKey)rrrrrr)rrrrrr)rr)rr)rzec.ECDHrrrr)rrrr)rrrrrr)rserialization.Encodingrlzserialization.PrivateFormatr (serialization.KeySerializationEncryptionrr)rrrlzserialization.PublicFormatrr)r7rrrrr)rPrrdh.DHPrivateKey)r7rrrrr)rzdh.DHPrivateNumbersrr)rzdh.DHPublicNumbersrzdh.DHPublicKey)rzdh.DHParameterNumbersrr)rrrDrrztyping.Optional[int]rr)r rrzx25519.X25519PublicKey)r rrx25519.X25519PrivateKey)rr)r rrzx448.X448PublicKey)r rrx448.X448PrivateKey)rr)r rrzed25519.Ed25519PublicKey)r rred25519.Ed25519PrivateKey)rr)r rrzed448.Ed448PublicKey)r rred448.Ed448PrivateKey)rr)rrrr)r rrrrzptyping.Tuple[typing.Optional[PrivateKeyTypes], typing.Optional[x509.Certificate], typing.List[x509.Certificate]])r rrrrr>) rrrz&typing.Optional[PKCS12PrivateKeyTypes]rz!typing.Optional[x509.Certificate]rz,typing.Optional[typing.List[_PKCS12CATypes]]r rrr)r rrtyping.List[x509.Certificate])rr)rFrGrH__doc__r _fips_aeadr&rrr<r=r>r? SHA512_224 SHA512_256SHA3_224SHA3_256SHA3_384SHA3_512SHAKE128SHAKE256rr SECP224R1 SECP256R1 SECP384R1 SECP521R1r_fips_rsa_min_key_size_fips_rsa_min_public_exponent_fips_dsa_min_modulus_fips_dh_min_key_size_fips_dh_min_modulusrjrortrvrmrrrrrrrrrrbrrrrrrrrrrrrrrrr5r:r@rFrHrKrQrTrYr^rarcrerirkror{rr*rr8rrrrrmrxrrrrrrrrrrrrrrrr#rrr0r3r8r:r<r>r@rBrFrHrKrNrQrTrVrXrZr]rarcrergrirkrmrorrrv contextlibrzrr|rrrrrrrIrJrKrMrM`s1 D JFM      L     "$)!I  55 : KOE EHE  E< /  (.-. .: . ,>BHK%K-1K K K%K-1K K .2   " .1  . " .1  ' &' )-'   ' R 8+ 8  8  K  J@8<J@ J@X=@~  &7 >1+1 1 99 9 >,> > =+= = @.@ @  8  -    )  )-    (1T9))-   4 1.9G ?2 2 h,\ 4? 4  4  4% #,2B52B #2Bh A4 A " AA%A49A "A,(B (B)9(B #(BT8=     )9     "))& &  &  &Bn<(n<,n<G n< n<`  &' 5<(5<+5< 5r?r@ namedtuplerArErMrrrrIrJrKrs # %$B5GBG8@H           =$[ # #L5*2E F   ZZz82J )rJ