U çe¨]Ï{ã@sžddlmZmZmZddlZddlZddlZddlZddlmZddl Z ddl m Z ddl m Z mZddlmZmZddlmZmZmZmZmZddlmZmZmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%dd l&m'Z'dd l(m)Z)dd l*m+Z+dd l,m-Z-dd l.m/Z/m0Z0m1Z1m2Z2ddl3m4Z4m5Z5m6Z6ddl7m8Z8m9Z9ddl:m;Z;mZ>m?Z?m@Z@ddlAmBZBmCZCmDZDmEZEmFZFmGZGmHZHmIZImJZJddlKmLZLddlMmNZNddlOmPZPmQZQddlRmSZSmTZTddlUmVZVmWZWddlXmYZYmZZZddl[m\Z\m]Z]ddl^m_Z_m`Z`maZambZbddlcmdZdddlemfZfmgZgddlhmiZimjZjmkZkmlZlmmZmddlnmoZompZpmqZqmrZrddlsmtZtmuZumvZvmwZwmxZxmyZymzZzm{Z{m|Z|dd l}m~Z~mZm€Z€mZm‚Z‚mƒZƒm„Z„m…Z…dd!l†m‡Z‡dd"lˆm‰Z‰dd#lŠm‹Z‹e Œd$d%d&g¡Ze  Že¡e  Že¡e  Že¡e  Že¡e  Že¡e  Že¡e  Že ¡e  Že¡e  Že!¡e  Že#¡e  Že"¡e  Že%¡e  ed ¡j‘j’e$¡Gd'd(„d(e“ƒƒƒƒƒƒƒƒƒƒƒƒƒƒZ”Gd)d*„d*e“ƒZ•d+d,„Z–e”ƒZ—dS)-é)Úabsolute_importÚdivisionÚprint_functionN)Úcontextmanager©Úrange)ÚutilsÚx509)ÚUnsupportedAlgorithmÚ_Reasons)ÚINTEGERÚNULLÚSEQUENCEÚ encode_derÚencode_der_integer) Ú CMACBackendÚ CipherBackendÚDERSerializationBackendÚ DHBackendÚ DSABackendÚEllipticCurveBackendÚ HMACBackendÚ HashBackendÚPBKDF2HMACBackendÚPEMSerializationBackendÚ RSABackendÚ ScryptBackendÚ X509Backend)Úaead)Ú_CipherContext©Ú _CMACContext)Ú_CRL_ENTRY_REASON_ENUM_TO_CODE)Ú _DHParametersÚ _DHPrivateKeyÚ _DHPublicKeyÚ_dh_params_dup)Ú_DSAParametersÚ_DSAPrivateKeyÚ _DSAPublicKey)Ú_EllipticCurvePrivateKeyÚ_EllipticCurvePublicKey)Ú_Ed25519PrivateKeyÚ_Ed25519PublicKey)Ú_ED448_KEY_SIZEÚ_Ed448PrivateKeyÚ_Ed448PublicKey) Ú$_CRL_ENTRY_EXTENSION_ENCODE_HANDLERSÚ_CRL_EXTENSION_ENCODE_HANDLERSÚ_EXTENSION_ENCODE_HANDLERSÚ)_OCSP_BASICRESP_EXTENSION_ENCODE_HANDLERSÚ'_OCSP_REQUEST_EXTENSION_ENCODE_HANDLERSÚ_encode_asn1_int_gcÚ_encode_asn1_str_gcÚ_encode_name_gcÚ _txt2obj_gc©Ú _HashContext©Ú _HMACContext)Ú _OCSPRequestÚ _OCSPResponse)Ú_POLY1305_KEY_SIZEÚ_Poly1305Context)Ú_RSAPrivateKeyÚ _RSAPublicKey)Ú_X25519PrivateKeyÚ_X25519PublicKey)Ú_X448PrivateKeyÚ_X448PublicKey)Ú _CertificateÚ_CertificateRevocationListÚ_CertificateSigningRequestÚ_RevokedCertificate)Úbinding)ÚhashesÚ serialization)ÚdsaÚecÚed25519Úed448Úrsa)ÚMGF1ÚOAEPÚPKCS1v15ÚPSS) ÚAESÚARC4ÚBlowfishÚCAST5ÚCamelliaÚChaCha20ÚIDEAÚSEEDÚ TripleDES)ÚCBCÚCFBÚCFB8ÚCTRÚECBÚGCMÚOFBÚXTS)Úscrypt)Ússh)ÚocspÚ _MemoryBIOÚbioZchar_ptrc@sveZdZdZdZdd„Zdd„Zdd„Zej d d „ƒZ d d „Z d d„Z dd„Z dd„Zdd„Zdd„Zdd„Zdd„Zdd„Zdd„Zdd „Zd!d"„Zd#d$„Zd%d&„Zd'd(„Zd)d*„Zd+d,„Zd-d.„Zd/d0„Zdd2d3„Zd4d5„Zd6d7„Z d8d9„Z!d:d;„Z"dd?„Z$d@dA„Z%dBdC„Z&dDdE„Z'dFdG„Z(dHdI„Z)dJdK„Z*dLdM„Z+dNdO„Z,dPdQ„Z-dRdS„Z.dTdU„Z/dVdW„Z0dXdY„Z1dZd[„Z2d\d]„Z3d^d_„Z4d`da„Z5dbdc„Z6ddde„Z7dfdg„Z8dhdi„Z9djdk„Z:dldm„Z;dndo„Zdtdu„Z?dvdw„Z@dxdy„ZAdzd{„ZBd|d}„ZCd~d„ZDd€d„ZEd‚dƒ„ZFd„d…„ZGd†d‡„ZHdˆd‰„ZIdŠd‹„ZJdŒd„ZKdŽd„ZLdd‘„ZMd’d“„ZNd”d•„ZOd–d—„ZPd˜d™„ZQdšd›„ZRdœd„ZSdždŸ„ZTd d¡„ZUd¢d£„ZVd¤d¥„ZWd¦d§„ZXd¨d©„ZYdªd«„ZZd¬d­„Z[d®d¯„Z\d°d±„Z]d²d³„Z^d´dµ„Z_d¶d·„Z`e d¸d¹„ƒZadºd»„Zbd¼d½„Zcd¾d¿„ZddÀdÁ„ZedÂdÄZfdÄdÅ„ZgdÆdÇ„ZhdÈdÉ„ZidÊdË„ZjdÌdÍ„ZkdÎdÏ„ZldÐdÑ„ZmdÒdÓ„ZndÔdÕ„ZoddÖdׄZpdØdÙ„ZqdÚdÛ„ZrdÜdÝ„ZsdÞdß„Ztdàdá„Zudâdã„Zvdädå„Zwdædç„Zxdèdé„Zydêdë„Zzdìdí„Z{dîdï„Z|dðdñ„Z}dòdó„Z~dôdõ„Zdöd÷„Z€dødù„Zdúdû„Z‚düdý„Zƒdþdÿ„Z„dd„Z…ej dd„ƒZ†dd„Z‡ej dd„ƒZˆdd „Z‰d d „ZŠd d „Z‹d1S(ÚBackendz) OpenSSL API binding interfaces. ZopensslcCs\t ¡|_|jj|_|jj|_i|_| ¡|  ¡|jj g|_ |jj rX|j   |jj¡dS©N)rLÚBindingZ_bindingZffiÚ_ffiÚlibÚ_libÚ_cipher_registryÚ_register_default_ciphersÚactivate_osrandom_engineZ EVP_PKEY_DHÚ _dh_typesÚCryptography_HAS_EVP_PKEY_DHXÚappendZ EVP_PKEY_DHX©Úself©r|úN/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.pyÚ__init__vs    zBackend.__init__cCst |j|¡Sro)rLZ_openssl_assertrs)r{Úokr|r|r}Úopenssl_assert‚szBackend.openssl_assertcCsf|jjrb|j ¡}||jjkrb|j |¡|j |jj¡}| |dk¡|j |¡}| |dk¡dS©Né) rsÚCryptography_HAS_ENGINEZENGINE_get_default_RANDrqr ZENGINE_unregister_RANDÚRAND_set_rand_methodr€Ú ENGINE_finish©r{ÚeÚresr|r|r}Úactivate_builtin_random…s    zBackend.activate_builtin_randomc cs‚|j |jj¡}| ||jjk¡|j |¡}| |dk¡z |VW5|j |¡}| |dk¡|j |¡}| |dk¡XdSr) rsZ ENGINE_by_idZCryptography_osrandom_engine_idr€rqr Z ENGINE_initZ ENGINE_freer…r†r|r|r}Ú_get_osurandom_engine’s    zBackend._get_osurandom_enginec Cs`|jjr\| ¡| ¡ }|j |¡}| |dk¡W5QRX|j |jj¡}| |dk¡dSr) rsrƒr‰rŠZENGINE_set_default_RANDr€r„rqr r†r|r|r}rv¦s  z Backend.activate_osrandom_enginec Cs`|j dd¡}| ¡2}|j |dt|ƒ||jjd¡}| |dk¡W5QRX|j |¡  d¡S)Núchar[]é@sget_implementationrÚascii) rqÚnewrŠrsZENGINE_ctrl_cmdÚlenr r€ÚstringÚdecode)r{Úbufr‡rˆr|r|r}Úosrandom_engine_implementation²s  þz&Backend.osrandom_engine_implementationcCs|j |j |jj¡¡ d¡S)z¿ Friendly string name of the loaded OpenSSL library. This is not necessarily the same version as it was compiled against. Example: OpenSSL 1.0.1e 11 Feb 2013 r)rqrrsZOpenSSL_versionZOPENSSL_VERSIONr‘rzr|r|r}Úopenssl_version_text»s ÿþzBackend.openssl_version_textcCs |j ¡Sro)rsZOpenSSL_version_numrzr|r|r}Úopenssl_version_numberÆszBackend.openssl_version_numbercCs t|||ƒSror<)r{ÚkeyÚ algorithmr|r|r}Úcreate_hmac_ctxÉszBackend.create_hmac_ctxcCsL|jdks|jdkr0d |j|jd¡ d¡}n |j d¡}|j |¡}|S)NZblake2bZblake2sz{}{}ér)ÚnameÚformatZ digest_sizeÚencodersZEVP_get_digestbyname)r{r—ZalgÚevp_mdr|r|r}Ú_evp_md_from_algorithmÌsÿþ  zBackend._evp_md_from_algorithmcCs | |¡}| ||jjk¡|Sro)ržr€rqr ©r{r—rr|r|r}Ú_evp_md_non_null_from_algorithm×s z'Backend._evp_md_non_null_from_algorithmcCs| |¡}||jjkSro)ržrqr rŸr|r|r}Úhash_supportedÜs zBackend.hash_supportedcCs | |¡Sro©r¡©r{r—r|r|r}Úhmac_supportedàszBackend.hmac_supportedcCs t||ƒSror:r£r|r|r}Úcreate_hash_ctxãszBackend.create_hash_ctxcCsJz|jt|ƒt|ƒf}Wntk r0YdSX||||ƒ}|jj|kS©NF)rtÚtypeÚKeyErrorrqr )r{ÚcipherÚmodeÚadapterÚ evp_cipherr|r|r}Úcipher_supportedæs  zBackend.cipher_supportedcCs0||f|jkrtd ||¡ƒ‚||j||f<dS)Nz"Duplicate registration for: {} {}.)rtÚ ValueErrorr›)r{Ú cipher_clsÚmode_clsr«r|r|r}Úregister_cipher_adapterîs ÿzBackend.register_cipher_adaptercCs@tttttttfD]}| t|t dƒ¡qtttttfD]}| t |t dƒ¡q8ttttfD]}| t |t dƒ¡q\| t tt dƒ¡ttttfD]}| t |t dƒ¡q’ttttfD]}| t |t dƒ¡q¶t ttgttttg¡D]\}}| ||t dƒ¡qæ| ttdƒt dƒ¡| ttdƒt dƒ¡| ttt¡dS) Nz+{cipher.name}-{cipher.key_size}-{mode.name}zdes-ede3-{mode.name}zdes-ede3zbf-{mode.name}zseed-{mode.name}z{cipher.name}-{mode.name}Zrc4Zchacha20)rardrergrbrcrfr±rXÚGetCipherByNamer\r`rZr_Ú itertoolsÚproductr[r^rYr§r]rhÚ_get_xts_cipher)r{r°r¯r|r|r}ruõsnýýýýýý þ ýýýz!Backend._register_default_cipherscCst|||tjƒSro)rZ_ENCRYPT©r{r©rªr|r|r}Úcreate_symmetric_encryption_ctx.sz'Backend.create_symmetric_encryption_ctxcCst|||tjƒSro)rZ_DECRYPTr¶r|r|r}Úcreate_symmetric_decryption_ctx1sz'Backend.create_symmetric_decryption_ctxcCs | |¡Sro)r¤r£r|r|r}Úpbkdf2_hmac_supported4szBackend.pbkdf2_hmac_supportedc Csh|j d|¡}| |¡}|j |¡}|j |t|ƒ|t|ƒ||||¡} | | dk¡|j |¡dd…S)Núunsigned char[]r‚) rqrŽr Ú from_bufferrsZPKCS5_PBKDF2_HMACrr€Úbuffer) r{r—ÚlengthÚsaltZ iterationsÚ key_materialr’rÚkey_material_ptrrˆr|r|r}Úderive_pbkdf2_hmac7s  ø zBackend.derive_pbkdf2_hmaccCs t |j¡Sro)rLÚ_consume_errorsrsrzr|r|r}rÂIszBackend._consume_errorscCsÂ||jjkst‚tjs~|j |¡}|j d|¡}|j ||¡}|  |dk¡t   |j  |¡d|…d¡}|j  |¡rz| }|S|j |¡}|  ||jjk¡|j |¡}|j |¡t |dƒSdS)NrºrÚbigé)rqr ÚAssertionErrorÚsixÚPY2rsZ BN_num_bytesrŽZ BN_bn2binr€ÚintÚ from_bytesr¼ZBN_is_negativeZ BN_bn2hexrÚ OPENSSL_free)r{ÚbnZ bn_num_bytesZbin_ptrZbin_lenÚvalZ hex_cdataZhex_strr|r|r}Ú _bn_to_intLs     zBackend._bn_to_intNcCsâ|dks||jjkst‚|dkr(|jj}tjst| t| ¡ddƒd¡}|j  |t |ƒ|¡}|  ||jjk¡|St |ƒ  d¡dd… d¡}|j d¡}||d <|j ||¡}|  |d k¡|  |d |jjk¡|d SdS) a  Converts a python integer to a BIGNUM. The returned BIGNUM will not be garbage collected (to support adding them to structs that take ownership of the object). Be sure to register it for GC if it will be discarded after use. Ng @r‚rÃÚLérú BIGNUM **r)rqr rÅrÆrÇÚto_bytesrÈÚ bit_lengthrsZ BN_bin2bnrr€ÚhexÚrstriprœrŽZ BN_hex2bn)r{ÚnumrËÚbinaryZbn_ptrZhex_numrˆr|r|r}Ú _int_to_bnbs zBackend._int_to_bncCst ||¡|j ¡}| ||jjk¡|j ||jj¡}|  |¡}|j ||jj ¡}|j  ||||jj¡}| |dk¡|  |¡}t |||ƒSr)rSZ_verify_rsa_parametersrsÚRSA_newr€rqr ÚgcÚRSA_freer×ÚBN_freeZRSA_generate_key_exÚ_rsa_cdata_to_evp_pkeyrB)r{Úpublic_exponentÚkey_sizeÚ rsa_cdatarËrˆÚevp_pkeyr|r|r}Úgenerate_rsa_private_keys   ÿ z Backend.generate_rsa_private_keycCs|dko|d@dko|dkS)Nér‚rér|)r{rÝrÞr|r|r}Ú!generate_rsa_parameters_supported“sÿz)Backend.generate_rsa_parameters_supportedc CsRt |j|j|j|j|j|j|jj |jj ¡|j   ¡}|  ||jjk¡|j ||j j¡}| |j¡}| |j¡}| |j¡}| |j¡}| |j¡}| |j¡}| |jj ¡} | |jj ¡} |j  |||¡} |  | dk¡|j  || | |¡} |  | dk¡|j  ||||¡} |  | dk¡|j  ||jj¡} |  | dk¡| |¡} t||| ƒSr)rSZ_check_private_key_componentsÚpÚqÚdÚdmp1Údmq1ÚiqmpÚpublic_numbersr‡ÚnrsrØr€rqr rÙrÚr×ZRSA_set0_factorsÚ RSA_set0_keyZRSA_set0_crt_paramsZRSA_blinding_onrÜrB) r{Únumbersrßrårærçrèrérêr‡rìrˆràr|r|r}Úload_rsa_private_numbers—s>ø        z Backend.load_rsa_private_numberscCst |j|j¡|j ¡}| ||jjk¡|j  ||jj ¡}|  |j¡}|  |j¡}|j  ||||jj¡}| |dk¡|  |¡}t|||ƒSr)rSZ_check_public_key_componentsr‡rìrsrØr€rqr rÙrÚr×rírÜrC)r{rîrßr‡rìrˆràr|r|r}Úload_rsa_public_numbers¹s    zBackend.load_rsa_public_numberscCs2|j ¡}| ||jjk¡|j ||jj¡}|Sro)rsZ EVP_PKEY_newr€rqr rÙÚ EVP_PKEY_free©r{ràr|r|r}Ú_create_evp_pkey_gcÆs zBackend._create_evp_pkey_gccCs(| ¡}|j ||¡}| |dk¡|Sr)rórsZEVP_PKEY_set1_RSAr€)r{rßràrˆr|r|r}rÜÌszBackend._rsa_cdata_to_evp_pkeycCsH|j |¡}|j |t|ƒ¡}| ||jjk¡t|j ||jj ¡|ƒS)z® Return a _MemoryBIO namedtuple of (BIO, char*). The char* is the storage for the BIO and it must stay alive until the BIO is finished with. ) rqr»rsZBIO_new_mem_bufrr€r rlrÙÚBIO_free)r{ÚdataÚdata_ptrrmr|r|r}Ú _bytes_to_bioÒs ÿzBackend._bytes_to_biocCsP|j ¡}| ||jjk¡|j |¡}| ||jjk¡|j ||jj¡}|S)z. Creates an empty memory BIO. )rsZ BIO_s_memr€rqr ZBIO_newrÙrô)r{Z bio_methodrmr|r|r}Ú_create_mem_bio_gcás   zBackend._create_mem_bio_gccCs\|j d¡}|j ||¡}| |dk¡| |d|jjk¡|j |d|¡dd…}|S)zE Reads a memory BIO. This only works on memory BIOs. zchar **rN)rqrŽrsZBIO_get_mem_datar€r r¼)r{rmr’Zbuf_lenÚbio_datar|r|r}Ú _read_mem_bioìs  zBackend._read_mem_biocCs°|j |¡}||jjkrT|j |¡}| ||jjk¡|j ||jj¡}t |||ƒS||jj krœ|j  |¡}| ||jjk¡|j ||jj ¡}t |||ƒS||jjkrä|j |¡}| ||jjk¡|j ||jj¡}t|||ƒS||jkr,|j |¡}| ||jjk¡|j ||jj¡}t|||ƒS|t|jddƒkrJt||ƒS|t|jddƒkrht||ƒS|t|jddƒkr†t||ƒS|t|jddƒkr¤t||ƒStdƒ‚dS)zd Return the appropriate type of PrivateKey given an evp_pkey cdata pointer. ÚEVP_PKEY_ED25519NÚ EVP_PKEY_X448ÚEVP_PKEY_X25519ÚEVP_PKEY_ED448úUnsupported key type.)rsÚ EVP_PKEY_idÚ EVP_PKEY_RSAÚEVP_PKEY_get1_RSAr€rqr rÙrÚrBÚ EVP_PKEY_DSAÚEVP_PKEY_get1_DSAÚDSA_freer(Ú EVP_PKEY_ECÚEVP_PKEY_get1_EC_KEYÚ EC_KEY_freer*rwÚEVP_PKEY_get1_DHÚDH_freer$Úgetattrr,rFrDr/r ©r{ràÚkey_typerßÚ dsa_cdataÚec_cdataÚdh_cdatar|r|r}Ú_evp_pkey_to_private_key÷s<                 z Backend._evp_pkey_to_private_keycCs°|j |¡}||jjkrT|j |¡}| ||jjk¡|j ||jj¡}t |||ƒS||jj krœ|j  |¡}| ||jjk¡|j ||jj ¡}t |||ƒS||jjkrä|j |¡}| ||jjk¡|j ||jj¡}t|||ƒS||jkr,|j |¡}| ||jjk¡|j ||jj¡}t|||ƒS|t|jddƒkrJt||ƒS|t|jddƒkrht||ƒS|t|jddƒkr†t||ƒS|t|jddƒkr¤t||ƒStdƒ‚dS)zc Return the appropriate type of PublicKey given an evp_pkey cdata pointer. rûNrürýrþrÿ)rsrrrr€rqr rÙrÚrCrrrr)rrrr+rwr r r%r r-rGrEr0r r r|r|r}Ú_evp_pkey_to_public_key"s<                 zBackend._evp_pkey_to_public_keycCs6|jjr&t|tjtjtjtjtjfƒSt|tjƒSdSro) rsZCryptography_HAS_RSA_OAEP_MDÚ isinstancerMZSHA1ZSHA224ZSHA256ZSHA384ZSHA512r£r|r|r}Ú_oaep_hash_supportedMsûÿ zBackend._oaep_hash_supportedcCsŽt|tƒrdSt|tƒr2t|jtƒr2| |jj¡St|tƒr†t|jtƒr†| |jj¡o„| |j¡o„|j dkp„t |j ƒdkp„|j j dkSdSdS)NTrr‚F) rrVrWZ_mgfrTr¡Ú _algorithmrUrZ_labelrrsZCryptography_HAS_RSA_OAEP_LABEL)r{Zpaddingr|r|r}Úrsa_padding_supported[s  ÿ û zBackend.rsa_padding_supportedc Cs~|dkrtdƒ‚|j ¡}| ||jjk¡|j ||jj¡}|j |||jjd|jj|jj|jj¡}| |dk¡t ||ƒS)N)iii z+Key size must be 1024 or 2048 or 3072 bits.rr‚) r®rsÚDSA_newr€rqr rÙrZDSA_generate_parameters_exr')r{rÞÚctxrˆr|r|r}Úgenerate_dsa_parametersls  þzBackend.generate_dsa_parameterscCsT|j |j¡}| ||jjk¡|j ||jj¡}|j |¡|  |¡}t |||ƒSro) rsZ DSAparams_dupZ _dsa_cdatar€rqr rÙrZDSA_generate_keyÚ_dsa_cdata_to_evp_pkeyr()r{Ú parametersrràr|r|r}Úgenerate_dsa_private_key}s   z Backend.generate_dsa_private_keycCs| |¡}| |¡Sro)rr)r{rÞrr|r|r}Ú'generate_dsa_private_key_and_parameters†s z/Backend.generate_dsa_private_key_and_parameterscCsB|j ||||¡}| |dk¡|j |||¡}| |dk¡dSr)rsÚ DSA_set0_pqgr€Z DSA_set0_key)r{rråræÚgÚpub_keyÚpriv_keyrˆr|r|r}Ú_dsa_cdata_set_valuesŠszBackend._dsa_cdata_set_valuesc Cs¨t |¡|jj}|j ¡}| ||jjk¡|j  ||jj ¡}|  |j ¡}|  |j ¡}|  |j¡}|  |jj¡}|  |j¡}| ||||||¡| |¡} t||| ƒSro)rOZ_check_dsa_private_numbersrëÚparameter_numbersrsrr€rqr rÙrr×rårærÚyÚxr"rr() r{rîr#rrårærr r!ràr|r|r}Úload_dsa_private_numberss       z Backend.load_dsa_private_numbersc Cs¢t |j¡|j ¡}| ||jjk¡|j ||jj ¡}|  |jj ¡}|  |jj ¡}|  |jj ¡}|  |j¡}|jj}| ||||||¡| |¡}t|||ƒSro)rOÚ_check_dsa_parametersr#rsrr€rqr rÙrr×rårærr$r"rr)) r{rîrrårærr r!ràr|r|r}Úload_dsa_public_numbers£s    zBackend.load_dsa_public_numberscCs†t |¡|j ¡}| ||jjk¡|j ||jj¡}|  |j ¡}|  |j ¡}|  |j ¡}|j  ||||¡}| |dk¡t||ƒSr)rOr'rsrr€rqr rÙrr×rårærrr')r{rîrrårærrˆr|r|r}Úload_dsa_parameter_numbers´s     z"Backend.load_dsa_parameter_numberscCs(| ¡}|j ||¡}| |dk¡|Sr)rórsZEVP_PKEY_set1_DSAr€)r{rràrˆr|r|r}rÂszBackend._dsa_cdata_to_evp_pkeycCs | |¡Sror¢r£r|r|r}Údsa_hash_supportedÈszBackend.dsa_hash_supportedcCsdS)NTr|)r{rårærr|r|r}Údsa_parameters_supportedËsz Backend.dsa_parameters_supportedcCs| |td|jƒ¡S)Nó)r­raZ block_sizer£r|r|r}Úcmac_algorithm_supportedÎs ÿz Backend.cmac_algorithm_supportedcCs t||ƒSror r£r|r|r}Úcreate_cmac_ctxÓszBackend.create_cmac_ctxc sÐt|tjƒstdƒ‚t|tjtjfƒr8|dk rntdƒ‚n6t|t j ƒsNtdƒ‚n t|t j ƒrnt|t j ƒsntdƒ‚ˆ ||¡}ˆj ¡}ˆ |ˆjjk¡ˆj |ˆjj¡}ˆj |tjjj¡}ˆ |dk¡ˆj |tˆ|jƒ¡}ˆ |dk¡| ¡}ˆj ||j¡}ˆ |dk¡ˆj  ¡}ˆ |ˆjjk¡ˆj |‡fdd„¡}ˆj!|j"t#|ˆjj$dd ˆj %||¡}ˆ |dk¡ˆj &||j|¡}|d krƈ '¡} ˆ | d  (ˆjj)ˆjj*¡¡td ƒ‚t+ˆ|ƒS) NúBuilder type mismatch.ú8algorithm must be None when signing via ed25519 or ed448ú.Algorithm must be a registered hash algorithm.z5MD5 is not a supported hash algorithm for EC/DSA CSRsr‚csˆj |ˆj ˆjjd¡¡S)NÚX509_EXTENSION_free)rsZsk_X509_EXTENSION_pop_freerqÚ addressofÚ _original_lib)r%rzr|r}Ús ÿÿz)Backend.create_x509_csr..F©Ú extensionsÚhandlersÚx509_objÚadd_funcrÙrúDigest too big for RSA key),rr Z CertificateSigningRequestBuilderÚ TypeErrorrQÚEd25519PrivateKeyrRÚEd448PrivateKeyr®rMÚ HashAlgorithmÚMD5rSÚ RSAPrivateKeyÚ_evp_md_x509_null_if_eddsarsZ X509_REQ_newr€rqr rÙÚ X509_REQ_freeZX509_REQ_set_versionZVersionZv1ÚvalueZX509_REQ_set_subject_namer8Ú _subject_nameÚ public_keyZX509_REQ_set_pubkeyÚ _evp_pkeyZsk_X509_EXTENSION_new_nullÚ_create_x509_extensionsÚ _extensionsr3Zsk_X509_EXTENSION_insertZX509_REQ_add_extensionsZ X509_REQ_signrÂÚ_lib_reason_matchÚ ERR_LIB_RSAÚ RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEYrJ) r{ÚbuilderÚ private_keyr—rÚx509_reqrˆrFZ sk_extensionÚerrorsr|rzr}Úcreate_x509_csrÖs‚  ÿÿ   ÿ þÿ   ÿÿ  þ ûÿ þÿzBackend.create_x509_csrc CsÞt|tjƒstdƒ‚t|tjtjfƒr8|dk rLtdƒ‚nt|t j ƒsLtdƒ‚t|t j ƒrlt|t j ƒsltdƒ‚| ||¡}|j ¡}|j |tjj¡}|j ||jj¡}| |dk¡|j |t||jƒ¡}| |dk¡|j ||jj¡}| |dk¡t||j ƒ}|j !||¡}| |dk¡| "|j #|¡|j$¡| "|j %|¡|j&¡|j'|j(t)||jj*dd|j +|t||j,ƒ¡}| |dk¡|j -||j|¡}|dkrÔ| .¡}| |d /|jj0|jj1¡¡td ƒ‚t2||ƒS) Nr/r0r1z8MD5 is only (reluctantly) supported for RSA certificatesr‚Tr6rr;)3rr ZCertificateBuilderr<rQr=rRr>r®rMr?r@rSrArBrsZX509_newrqrÙÚbackendÚ X509_freeZX509_set_versionZ_versionrDr€ZX509_set_subject_namer8rEZX509_set_pubkeyZ _public_keyrGr6Ú_serial_numberZX509_set_serialNumberÚ_set_asn1_timeZX509_getm_notBeforeZ_not_valid_beforeZX509_getm_notAfterZ_not_valid_afterrHrIr3Z X509_add_extZX509_set_issuer_nameÚ _issuer_nameZ X509_signrÂrJrKrLrH) r{rMrNr—rZ x509_certrˆÚ serial_numberrPr|r|r}Úcreate_x509_certificate+sŽ  ÿÿ  ÿ þÿ   ÿÿ  ÿ ÿû  ÿÿ þÿzBackend.create_x509_certificatecCs(t|tjtjfƒr|jjS| |¡SdSro)rrQr=rRr>rqr r )r{rNr—r|r|r}rB„s  ÿz"Backend._evp_md_x509_null_if_eddsacCsL|jdkr| d¡ d¡}n| d¡ d¡}|j ||¡}| |dk¡dS)Niz %Y%m%d%H%M%SZrz %y%m%d%H%M%SZr‚)ZyearÚstrftimerœrsZASN1_TIME_set_stringr€)r{Ú asn1_timeÚtimeZasn1_strrˆr|r|r}rUŒs  zBackend._set_asn1_timecCs>|j ¡}| ||jjk¡|j ||jj¡}| ||¡|Sro)rsZ ASN1_TIME_newr€rqr rÙZASN1_TIME_freerU)r{r[rZr|r|r}Ú_create_asn1_time”s   zBackend._create_asn1_timec CsÜt|tjƒstdƒ‚t|tjtjfƒr8|dk rLtdƒ‚nt|t j ƒsLtdƒ‚t|t j ƒrlt|t j ƒsltdƒ‚| ||¡}|j ¡}|j |tjj¡}|j |d¡}| |dk¡|j |t||jƒ¡}| |dk¡| |j¡}|j ||¡}| |dk¡| |j¡}|j ||¡}| |dk¡|j|j t!||jj"dd|j#D]B} |j $| j%¡} | | |jj&k¡|j '|| ¡}| |dk¡qD|j (||j)|¡}|dkrÒ| *¡} | | d +|jj,|jj-¡¡td ƒ‚t.||ƒS) Nr/r0r1z5MD5 is not a supported hash algorithm for EC/DSA CRLsr‚Tr6rr;)/rr Z CertificateRevocationListBuilderr<rQr=rRr>r®rMr?r@rSrArBrsZ X509_CRL_newrqrÙrRÚ X509_CRL_freeZX509_CRL_set_versionr€ZX509_CRL_set_issuer_namer8rVr\Z _last_updateZX509_CRL_set_lastUpdateÚ _next_updateZX509_CRL_set_nextUpdaterHrIr2ZX509_CRL_add_extZ_revoked_certificatesZCryptography_X509_REVOKED_dupZ _x509_revokedr ZX509_CRL_add0_revokedZ X509_CRL_signrGrÂrJrKrLrI) r{rMrNr—rÚx509_crlrˆZ last_updateÚ next_updateZ revoked_certZrevokedrPr|r|r}Úcreate_x509_crl›s~  ÿÿ  ÿ þÿ   ÿ  û ÿÿ þÿzBackend.create_x509_crlc Csdt|ƒD]V\}}| ||¡}| ||jjk¡|rD|j ||jj¡}||||ƒ} | | dk¡qdSr)Ú enumerateÚ_create_x509_extensionr€rqr rÙrsr2) r{r7r8r9r:rÙÚiÚ extensionZx509_extensionrˆr|r|r}rHìsÿÿ zBackend._create_x509_extensionscCs.t||jjƒ}|j |jj||jr&dnd|¡S)Nr‚r)r9ÚoidÚ dotted_stringrsZX509_EXTENSION_create_by_OBJrqr Úcritical)r{rerDÚobjr|r|r}Ú_create_raw_x509_extensionûs ÿz"Backend._create_raw_x509_extensioncCst|jtjƒr(t||jjƒ}| ||¡St|jtjƒrfttfdd„|jDƒžŽ}t||ƒ}| ||¡St|jtj ƒrŽt|tt ƒƒ}| ||¡Sz||j }Wn$t k rÀt d |j ¡ƒ‚YnX|||jƒ}|j |j j d¡¡}t ||jjk¡|j ||jr dnd|¡SdS)NcSsg|]}ttt|jƒƒ‘qSr|)rr rrD)Ú.0r%r|r|r}Ú sÿz2Backend._create_x509_extension..zExtension not supported: {}rr‚r)rrDr ZUnrecognizedExtensionr7rjZ TLSFeaturerrZ PrecertPoisonr rfr¨ÚNotImplementedErrorr›rsZ OBJ_txt2nidrgrœrRr€Ú NID_undefZX509V3_EXT_i2drh)r{r8rerDZasn1rœZ ext_structÚnidr|r|r}rcs@ ÿþþ    ÿ   ÿÿzBackend._create_x509_extensioncCs¸t|tjƒstdƒ‚|j ¡}| ||jjk¡|j  ||jj ¡}t ||j ƒ}|j  ||¡}| |dk¡| |j¡}|j ||¡}| |dk¡|j|jt||jjddt|d|ƒS)Nr/r‚Tr6)rr ZRevokedCertificateBuilderr<rsZX509_REVOKED_newr€rqr rÙZX509_REVOKED_freer6rTZX509_REVOKED_set_serialNumberr\Z_revocation_dateZX509_REVOKED_set_revocationDaterHrIr1ZX509_REVOKED_add_extrK)r{rMZ x509_revokedrWrˆZrev_dater|r|r}Úcreate_x509_revoked_certificate#s,   ÿ ûz'Backend.create_x509_revoked_certificatecCs| |jj|j||¡Sro)Ú _load_keyrsZPEM_read_bio_PrivateKeyr)r{rõÚpasswordr|r|r}Úload_pem_private_key<s üzBackend.load_pem_private_keycCsÖ| |¡}|j |j|jj|jj|jj¡}||jjkrR|j ||jj¡}| |¡S|  ¡|j  |j¡}|  |dk¡|j  |j|jj|jj|jj¡}||jjkrÊ|j ||jj ¡}| |¡}t|||ƒS| ¡dSr)r÷rsZPEM_read_bio_PUBKEYrmrqr rÙrñrrÂÚ BIO_resetr€ZPEM_read_bio_RSAPublicKeyrÚrÜrCÚ_handle_key_loading_error©r{rõÚmem_bioràrˆrßr|r|r}Úload_pem_public_keyDs0 ÿ  ÿ   zBackend.load_pem_public_keycCs^| |¡}|j |j|jj|jj|jj¡}||jjkrR|j ||jj¡}t||ƒS|  ¡dSro) r÷rsZPEM_read_bio_DHparamsrmrqr rÙr r#ru)r{rõrwrr|r|r}Úload_pem_parameters]s ÿ  zBackend.load_pem_parameterscCs>| |¡}| ||¡}|r$| |¡S| |jj|j||¡SdSro)r÷Ú"_evp_pkey_from_der_traditional_keyrrqrsZd2i_PKCS8PrivateKey_bio)r{rõrrrùr–r|r|r}Úload_der_private_keyhs   üzBackend.load_der_private_keycCsV|j |j|jj¡}||jjkrF|j ||jj¡}|dk rBtdƒ‚|S| ¡dSdS)Nú4Password was given but private key is not encrypted.) rsÚd2i_PrivateKey_biormrqr rÙrñr<rÂ)r{rùrrr–r|r|r}rz{s ÿz*Backend._evp_pkey_from_der_traditional_keycCs¾| |¡}|j |j|jj¡}||jjkrF|j ||jj¡}| |¡S|  ¡|j  |j¡}|  |dk¡|j  |j|jj¡}||jjkr²|j ||jj ¡}| |¡}t|||ƒS| ¡dSr)r÷rsZd2i_PUBKEY_biormrqr rÙrñrrÂrtr€Zd2i_RSAPublicKey_biorÚrÜrCrurvr|r|r}Úload_der_public_key‰s"   ÿ   zBackend.load_der_public_keycCsº| |¡}|j |j|jj¡}||jjkrF|j ||jj¡}t||ƒS|jj r®|  ¡|j  |j¡}|  |dk¡|j  |j|jj¡}||jjkr®|j ||jj¡}t||ƒS| ¡dSr)r÷rsZd2i_DHparams_biormrqr rÙr r#rxrÂrtr€ZCryptography_d2i_DHxparams_bioru)r{rõrwrrˆr|r|r}Úload_der_parameters s( ÿ  ÿ  zBackend.load_der_parameterscCsb| |¡}|j |j|jj|jj|jj¡}||jjkrF| ¡tdƒ‚|j ||jj ¡}t ||ƒS)NzwUnable to load certificate. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.) r÷rsZPEM_read_bio_X509rmrqr rÂr®rÙrSrH©r{rõrwr r|r|r}Úload_pem_x509_certificate¶s ÿ ÿz!Backend.load_pem_x509_certificatecCsV| |¡}|j |j|jj¡}||jjkr:| ¡tdƒ‚|j ||jj ¡}t ||ƒS)NzUnable to load certificate) r÷rsZ d2i_X509_biormrqr rÂr®rÙrSrHr€r|r|r}Úload_der_x509_certificateÅs  z!Backend.load_der_x509_certificatecCsb| |¡}|j |j|jj|jj|jj¡}||jjkrF| ¡tdƒ‚|j ||jj ¡}t ||ƒS)NzoUnable to load CRL. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.) r÷rsZPEM_read_bio_X509_CRLrmrqr rÂr®rÙr]rI©r{rõrwr_r|r|r}Úload_pem_x509_crlÏs ÿ ÿzBackend.load_pem_x509_crlcCsV| |¡}|j |j|jj¡}||jjkr:| ¡tdƒ‚|j ||jj ¡}t ||ƒS)NzUnable to load CRL) r÷rsZd2i_X509_CRL_biormrqr rÂr®rÙr]rIrƒr|r|r}Úload_der_x509_crlÞs  zBackend.load_der_x509_crlcCsb| |¡}|j |j|jj|jj|jj¡}||jjkrF| ¡tdƒ‚|j ||jj ¡}t ||ƒS)NzsUnable to load request. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.) r÷rsZPEM_read_bio_X509_REQrmrqr rÂr®rÙrCrJ©r{rõrwrOr|r|r}Úload_pem_x509_csrès ÿ ÿzBackend.load_pem_x509_csrcCsV| |¡}|j |j|jj¡}||jjkr:| ¡tdƒ‚|j ||jj ¡}t ||ƒS)NzUnable to load request) r÷rsZd2i_X509_REQ_biormrqr rÂr®rÙrCrJr†r|r|r}Úload_der_x509_csr÷s  zBackend.load_der_x509_csrc Cs(| |¡}|j d¡}|dk rFt d|¡|j |¡}||_t|ƒ|_||j |jj |j  |j j d¡|ƒ}||jj krÐ|jdkrÈ| ¡} | | ¡|jdkr¤tdƒ‚qÐ|jdks²t‚td |jd ¡ƒ‚n| ¡|j ||j j¡}|dk rü|jdkrütd ƒ‚|dk r|jd ks |dks t‚||ƒS) NzCRYPTOGRAPHY_PASSWORD_DATA *rrZCryptography_pem_password_cbréÿÿÿÿz3Password was not given but private key is encryptedéþÿÿÿzAPasswords longer than {} bytes are not supported by this backend.r‚r|)r÷rqrŽrÚ_check_bytesliker»rrrr½rmr r3rsr4ÚerrorrÂr€r<rÅr®r›ÚmaxsizerurÙrñZcalled) r{Zopenssl_read_funcZ convert_funcrõrrrwZuserdataZ password_ptrràrPr|r|r}rqsV     ÿú    ÿÿÿÿÿÿþzBackend._load_keycsÞˆ ¡}|stdƒ‚nÄ|d ˆjjˆjj¡sF|d ˆjjˆjj¡rPtdƒ‚nŠ|d ˆjjˆjj¡s€|d ˆjj ˆjj ¡rŽt dt j ƒ‚nLt‡fdd„|Dƒƒr®tdƒ‚n,|djˆjjˆjj ˆjjfksÒt‚tdƒ‚dS)NzCould not deserialize key data.rz Bad decrypt. Incorrect password?z0PEM data is encrypted with an unsupported cipherc3s"|]}| ˆjjˆjj¡VqdSro)rJrsÚ ERR_LIB_EVPZ'EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM)rkrŒrzr|r}Ú Ns üþz4Backend._handle_key_loading_error..z!Unsupported public key algorithm.)rÂr®rJrsrŽZEVP_R_BAD_DECRYPTZERR_LIB_PKCS12Z!PKCS12_R_PKCS12_CIPHERFINAL_ERRORZEVP_R_UNKNOWN_PBE_ALGORITHMZ ERR_LIB_PEMZPEM_R_UNSUPPORTED_ENCRYPTIONr r ZUNSUPPORTED_CIPHERÚanyrrZ ERR_LIB_ASN1rÅ)r{rPr|rzr}ru2sL ÿÿþý ÿÿÿýþ û ý z!Backend._handle_key_loading_errorcCs z| |¡}Wntk r*|jj}YnX|j |¡}||jjkrz| ¡}| ||jjkpr|d  |jj |jj ¡¡dS| ||jjk¡|j  |¡dSdS)NrFT) Ú_elliptic_curve_to_nidr rsrnZEC_GROUP_new_by_curve_namerqr rÂr€rJZ ERR_LIB_ECZEC_R_UNKNOWN_GROUPZ EC_GROUP_free)r{ÚcurveÚ curve_nidÚgrouprPr|r|r}Úelliptic_curve_supported_s$   þþ z Backend.elliptic_curve_supportedcCst|tjƒsdS| |¡Sr¦)rrPZECDSAr•)r{Zsignature_algorithmr’r|r|r}Ú,elliptic_curve_signature_algorithm_supportedvs z4Backend.elliptic_curve_signature_algorithm_supportedcCs\| |¡rD| |¡}|j |¡}| |dk¡| |¡}t|||ƒStd |j ¡t j ƒ‚dS)z@ Generate a new private key on the named curve. r‚z#Backend object does not support {}.N) r•Ú_ec_key_new_by_curversZEC_KEY_generate_keyr€Ú_ec_cdata_to_evp_pkeyr*r r›ršr ÚUNSUPPORTED_ELLIPTIC_CURVE)r{r’rrˆràr|r|r}Ú#generate_elliptic_curve_private_keys      þz+Backend.generate_elliptic_curve_private_keycCsp|j}| |j¡}|j | |j¡|jj¡}|j  ||¡}|  |dk¡|  ||j |j ¡}| |¡}t|||ƒSr)rër—r’rqrÙr×Ú private_valuersÚ BN_clear_freeÚEC_KEY_set_private_keyr€Ú)_ec_key_set_public_key_affine_coordinatesr%r$r˜r*)r{rîZpublicrr›rˆràr|r|r}Ú#load_elliptic_curve_private_numbers“s  ÿÿ z+Backend.load_elliptic_curve_private_numberscCs4| |j¡}| ||j|j¡}| |¡}t|||ƒSro)r—r’ržr%r$r˜r+)r{rîrràr|r|r}Ú"load_elliptic_curve_public_numbers¥s ÿ z*Backend.load_elliptic_curve_public_numbersc CsÎ| |¡}|j |¡}| ||jjk¡|j |¡}| ||jjk¡|j ||jj¡}|  ¡6}|j  |||t |ƒ|¡}|dkr’|  ¡t dƒ‚W5QRX|j ||¡}| |dk¡| |¡}t|||ƒS)Nr‚z(Invalid public bytes for the given curve)r—rsÚEC_KEY_get0_groupr€rqr Ú EC_POINT_newrÙÚ EC_POINT_freeÚ _tmp_bn_ctxZEC_POINT_oct2pointrrÂr®ÚEC_KEY_set_public_keyr˜r+) r{r’Z point_bytesrr”ÚpointÚbn_ctxrˆràr|r|r}Ú load_elliptic_curve_public_bytes­s*    ÿ z(Backend.load_elliptic_curve_public_bytesc CsD| |¡}| |¡\}}|j |¡}| ||jjk¡|j ||jj¡}|  |¡}|j ||jj ¡}|  ¡h}|j  ||||jj|jj|¡} | | dk¡|j  |¡} |j  |¡} |||| | |ƒ} | | dk¡W5QRX|j ||¡} | | dk¡|  |¡} |j | |jj ¡} |j || ¡} | | dk¡| |¡} t||| ƒSr)r—Ú _ec_key_determine_group_get_funcrsr¢r€rqr rÙr£r×rœr¤Z EC_POINT_mulZ BN_CTX_getr¥rr˜r*)r{r›r’rÚget_funcr”r¦rDr§rˆZbn_xZbn_yZprivateràr|r|r}Ú!derive_elliptic_curve_private_keyÁs2    ÿ    z)Backend.derive_elliptic_curve_private_keycCs:| |¡}|j |¡}| ||jjk¡|j ||jj¡Sro)r‘rsZEC_KEY_new_by_curve_namer€rqr rÙr)r{r’r“rr|r|r}r—ãs  zBackend._ec_key_new_by_curvecCsV| |¡}|j |j|jj¡}||jjkr:| ¡tdƒ‚|j ||jj ¡}t ||ƒS)NzUnable to load OCSP request) r÷rsZd2i_OCSP_REQUEST_biormrqr rÂr®rÙÚOCSP_REQUEST_freer>)r{rõrwZrequestr|r|r}Úload_der_ocsp_requestés  zBackend.load_der_ocsp_requestcCsV| |¡}|j |j|jj¡}||jjkr:| ¡tdƒ‚|j ||jj ¡}t ||ƒS)NzUnable to load OCSP response) r÷rsZd2i_OCSP_RESPONSE_biormrqr rÂr®rÙÚOCSP_RESPONSE_freer?)r{rõrwZresponser|r|r}Úload_der_ocsp_responseós  zBackend.load_der_ocsp_responsec Cs®|j ¡}| ||jjk¡|j ||jj¡}|j\}}}| |¡}|j  ||j |j ¡}| ||jjk¡|j  ||¡}| ||jjk¡|j |j t||jjddt||ƒS)NTr6)rsZOCSP_REQUEST_newr€rqr rÙr¬Z_requestr ÚOCSP_cert_to_idÚ_x509ZOCSP_request_add0_idrHrIr5ZOCSP_REQUEST_add_extr>) r{rMZocsp_reqÚcertZissuerr—rÚcertidZonereqr|r|r}Úcreate_ocsp_requestýs*   ÿûzBackend.create_ocsp_requestc Cs|j ¡}| ||jjk¡|j ||jj¡}| |jj ¡}|j  ||jj j |jj j ¡}| ||jjk¡|j ||jj¡}|jjdkrŽd}n t|jj}|jjdkr°|jj}n| |jj¡}|jj} |jjdk rà| |jj¡} | |jj¡} |j |||jjj||| | ¡} | | |jjk¡| ||¡}|j\} } |jj}| tjjkrV||jjO}|jdk rŽ|jD]$}|j  ||j ¡} | | dk¡qh|j!|j"t#||jj$dd|j %|| j |j&||jj|¡} | dkrþ| '¡}| |d (|jj)|jj*¡¡t+dƒ‚|S)Nr‰r‚Tr6rz,responder_cert must be signed by private_key),rsZOCSP_BASICRESP_newr€rqr rÙZOCSP_BASICRESP_freer Z _responserr°Z_certr±Z_issuerZOCSP_CERTID_freeZ_revocation_reasonr"Z_revocation_timer\r^Z _this_updateZOCSP_basic_add1_statusZ _cert_statusrDrBZ _responder_idZ OCSP_NOCERTSrkZOCSPResponderEncodingZHASHZOCSP_RESPID_KEYZ_certsZOCSP_basic_add1_certrHrIr4ZOCSP_BASICRESP_add_extZOCSP_basic_signrGrÂrJZ ERR_LIB_X509ZX509_R_KEY_VALUES_MISMATCHr®)r{rMrNr—Úbasicrr³ÚreasonZrev_timer`Z this_updaterˆZresponder_certZresponder_encodingÚflagsr²rPr|r|r}Ú_create_ocsp_basic_responses’ ÿþ ÿ  ÿ ÿù      ûþ þÿz#Backend._create_ocsp_basic_responsecCsb|tjjkr| |||¡}n|jj}|j |j|¡}|  ||jjk¡|j  ||jj ¡}t ||ƒSro) rkZOCSPResponseStatusZ SUCCESSFULr¸rqr rsZOCSP_response_createrDr€rÙr®r?)r{Zresponse_statusrMrNr—rµZ ocsp_respr|r|r}Úcreate_ocsp_responsebs ÿÿzBackend.create_ocsp_responsecCs| |¡ot|tjƒSro)r•rrPZECDH)r{r—r’r|r|r}Ú+elliptic_curve_exchange_algorithm_supportedrs  þz3Backend.elliptic_curve_exchange_algorithm_supportedcCs(| ¡}|j ||¡}| |dk¡|Sr)rórsZEVP_PKEY_set1_EC_KEYr€)r{rràrˆr|r|r}r˜xszBackend._ec_cdata_to_evp_pkeycCsNdddœ}| |j|j¡}|j | ¡¡}||jjkrJtd |j¡tj ƒ‚|S)z/ Get the NID for a curve name. Z prime192v1Z prime256v1)Z secp192r1Z secp256r1z${} is not a supported elliptic curve) ÚgetršrsÚ OBJ_sn2nidrœrnr r›r r™)r{r’Z curve_aliasesÚ curve_namer“r|r|r}r‘~sþ  þzBackend._elliptic_curve_to_nidc csX|j ¡}| ||jjk¡|j ||jj¡}|j |¡z |VW5|j |¡XdSro) rsZ BN_CTX_newr€rqr rÙZ BN_CTX_freeZ BN_CTX_startZ BN_CTX_end)r{r§r|r|r}r¤’s   zBackend._tmp_bn_ctxcCs¼| ||jjk¡|j d¡}| ||jjk¡|j |¡}| ||jjk¡|j |¡}| ||jjk¡|j |¡}| ||jjk¡||kr¤|jj r¤|jj }n|jj }|s´t ‚||fS)zu Given an EC_KEY determine the group and what function is required to get point coordinates. scharacteristic-two-field) r€rqr rsr¼rnr¡ZEC_GROUP_method_ofZEC_METHOD_get_field_typeZCryptography_HAS_EC2MZ$EC_POINT_get_affine_coordinates_GF2mZ#EC_POINT_get_affine_coordinates_GFprÅ)r{rZ nid_two_fieldr”Úmethodrorªr|r|r}r©s     z(Backend._ec_key_determine_group_get_funccCst|dks|dkrtdƒ‚|j | |¡|jj¡}|j | |¡|jj¡}|j |||¡}|dkrp| ¡tdƒ‚|S)zg Sets the public key point in the EC_KEY context to the affine x and y values. rz2Invalid EC key. Both x and y must be non-negative.r‚zInvalid EC key.)r®rqrÙr×rsrÛZ(EC_KEY_set_public_key_affine_coordinatesrÂ)r{rr%r$rˆr|r|r}rž¹sÿz1Backend._ec_key_set_public_key_affine_coordinatescCsút|tjƒstdƒ‚|tjjkr(tdƒ‚|tjjkr|jj}|j ¡}| ||jjk¡|j ||jj¡}|  |j ¡}|  |j ¡}|j dk rf|  |j ¡}n|jj}|  |jj ¡}|  |j¡}|j ||||¡} | | dk¡|j |||¡} | | dk¡|j dd¡} |j || ¡} | | dk¡| ddkr(|j dkr | d|jjAdks(tdƒ‚| |¡} t||| ƒS)Nr‚úint[]rrÏz.DH private numbers did not pass safety checks.)rër#rsr×r€rqr rÙr r×rårrær$r%Ú DH_set0_pqgÚ DH_set0_keyrŽÚCryptography_DH_checkZDH_NOT_SUITABLE_GENERATORr®rÚr$) r{rîr#rrårrær r!rˆÚcodesràr|r|r}Úload_dh_private_numbersós8      ÿþÿ zBackend.load_dh_private_numbersc CsÐ|j ¡}| ||jjk¡|j ||jj¡}|j}| |j ¡}| |j ¡}|j dk rd| |j ¡}n|jj}| |j ¡}|j  ||||¡}| |dk¡|j |||jj¡}| |dk¡| |¡} t||| ƒSr)rsr×r€rqr rÙr r#r×rårrær$rÞrßrÚr%) r{rîrr#rårrær rˆràr|r|r}Úload_dh_public_numbers#s       zBackend.load_dh_public_numberscCs|j ¡}| ||jjk¡|j ||jj¡}| |j¡}| |j ¡}|j dk r^| |j ¡}n|jj}|j  ||||¡}| |dk¡t ||ƒSr) rsr×r€rqr rÙr r×rårrærÞr#)r{rîrrårrærˆr|r|r}Úload_dh_parameter_numbers>s    z!Backend.load_dh_parameter_numberscCs´|j ¡}| ||jjk¡|j ||jj¡}| |¡}| |¡}|dk rV| |¡}n|jj}|j ||||¡}| |dk¡|j  dd¡}|j  ||¡}| |dk¡|ddkS)Nr‚rÝr) rsr×r€rqr rÙr r×rÞrŽrà)r{rårrærrˆrár|r|r}Údh_parameters_supportedPs    zBackend.dh_parameters_supportedcCs |jjdkSr)rsrxrzr|r|r}Údh_x942_serialization_supportedfsz'Backend.dh_x942_serialization_supportedcsxtˆ|ƒ}ˆj d¡}ˆj ||¡}ˆ |dˆjjk¡ˆj |‡fdd„¡}ˆ |dk¡ˆj |d|¡dd…S)Nzunsigned char **rcsˆj |d¡S©Nr)rsrÊ)Zpointerrzr|r}r5orÁz)Backend.x509_name_bytes..) r8rqrŽrsZ i2d_X509_NAMEr€r rÙr¼)r{ršZ x509_nameZpprˆr|rzr}Úx509_name_bytesis   ÿzBackend.x509_name_bytescCsht|ƒdkrtdƒ‚| ¡}|j ||jj¡}t |dk¡|j ||t|ƒ¡}t |dk¡t ||ƒS)Né z%An X25519 public key is 32 bytes longr‚) rr®rórsZEVP_PKEY_set_typeÚ NID_X25519rRr€ZEVP_PKEY_set1_tls_encodedpointrE)r{rõràrˆr|r|r}Úx25519_load_public_bytests ÿz Backend.x25519_load_public_bytesc Cs¬t|ƒdkrtdƒ‚d}| d¡<}||dd…<||dd…<| |¡}tj |j|jj ¡}W5QRX|  ||jj k¡|j  ||jj ¡}|  |j  |¡|jjk¡t||ƒS)Nréz&An X25519 private key is 32 bytes longs0.0+en" é0rrÄ)rr®Ú_zeroed_bytearrayr÷rRrsr}rmrqr r€rÙrñrrýrD)r{rõZ pkcs8_prefixÚbarmràr|r|r}Úx25519_load_private_bytesƒs     ÿz!Backend.x25519_load_private_bytescCs¨|j ||jj¡}| ||jjk¡|j ||jj¡}|j |¡}| |dk¡|j d¡}|j  ||¡}| |dk¡| |d|jjk¡|j |d|jj ¡}|S)Nr‚ú EVP_PKEY **r) rsZEVP_PKEY_CTX_new_idrqr r€rÙZEVP_PKEY_CTX_freeZEVP_PKEY_keygen_initrŽZEVP_PKEY_keygenrñ)r{roZ evp_pkey_ctxrˆZ evp_ppkeyràr|r|r}Ú_evp_pkey_keygen_gc¥s  zBackend._evp_pkey_keygen_gccCs| |jj¡}t||ƒSro)rñrsrêrDròr|r|r}Úx25519_generate_key²szBackend.x25519_generate_keycCs|jjSro)rsZ#CRYPTOGRAPHY_OPENSSL_110_OR_GREATERrzr|r|r}Úx25519_supported¶szBackend.x25519_supportedcCs`t|ƒdkrtdƒ‚|j |jj|jj|t|ƒ¡}| ||jjk¡|j ||jj ¡}t ||ƒS)Né8z#An X448 public key is 56 bytes long) rr®rsÚEVP_PKEY_new_raw_public_keyÚNID_X448rqr r€rÙrñrG©r{rõràr|r|r}Úx448_load_public_bytes¹s ÿzBackend.x448_load_public_bytescCslt|ƒdkrtdƒ‚|j |¡}|j |jj|jj|t|ƒ¡}| ||jjk¡|j  ||jj ¡}t ||ƒS)Nrôz$An X448 private key is 56 bytes long) rr®rqr»rsÚEVP_PKEY_new_raw_private_keyrör r€rÙrñrF©r{rõröràr|r|r}Úx448_load_private_bytesÄs  ÿzBackend.x448_load_private_bytescCs| |jj¡}t||ƒSro)rñrsrörFròr|r|r}Úx448_generate_keyÐszBackend.x448_generate_keycCs |jj Sro)rsÚ"CRYPTOGRAPHY_OPENSSL_LESS_THAN_111rzr|r|r}Úx448_supportedÔszBackend.x448_supportedcCs |jj Sro©rsZ#CRYPTOGRAPHY_OPENSSL_LESS_THAN_111Brzr|r|r}Úed25519_supported×szBackend.ed25519_supportedcCsnt d|¡t|ƒtjkr"tdƒ‚|j |jj|j j |t|ƒ¡}|  ||j j k¡|j   ||jj ¡}t||ƒS)Nrõz&An Ed25519 public key is 32 bytes long)rÚ _check_bytesrrQÚ_ED25519_KEY_SIZEr®rsrõÚ NID_ED25519rqr r€rÙrñr-r÷r|r|r}Úed25519_load_public_bytesÚs ÿz!Backend.ed25519_load_public_bytescCszt|ƒtjkrtdƒ‚t d|¡|j |¡}|j  |jj |jj |t|ƒ¡}|  ||jj k¡|j  ||jj¡}t||ƒS)Nz'An Ed25519 private key is 32 bytes longrõ)rrQrr®rr‹rqr»rsrùrr r€rÙrñr,rúr|r|r}Úed25519_load_private_bytesès  ÿz"Backend.ed25519_load_private_bytescCs| |jj¡}t||ƒSro)rñrsrr,ròr|r|r}Úed25519_generate_keyöszBackend.ed25519_generate_keycCs |jj Srorÿrzr|r|r}Úed448_supportedúszBackend.ed448_supportedcCslt d|¡t|ƒtkr tdƒ‚|j |jj|jj |t|ƒ¡}|  ||jj k¡|j  ||jj ¡}t ||ƒS)Nrõz$An Ed448 public key is 57 bytes long)rrrr.r®rsrõÚ NID_ED448rqr r€rÙrñr0r÷r|r|r}Úed448_load_public_bytesýs  ÿzBackend.ed448_load_public_bytescCsxt d|¡t|ƒtkr tdƒ‚|j |¡}|j |jj |jj |t|ƒ¡}|  ||jj k¡|j  ||jj ¡}t||ƒS)Nrõz%An Ed448 private key is 57 bytes long)rr‹rr.r®rqr»rsrùrr r€rÙrñr/rúr|r|r}Úed448_load_private_bytes s   ÿz Backend.ed448_load_private_bytescCs| |jj¡}t||ƒSro)rñrsrr/ròr|r|r}Úed448_generate_key szBackend.ed448_generate_keyc CsÂ|j d|¡}|j |¡}|j |t|ƒ|t|ƒ|||tj||¡ } | dkr®| ¡} |jj s|  | d  |jj |jj ¡pŒ| d  |jj |jj¡¡d||d} td | ¡ƒ‚|j |¡dd…S)Nrºr‚ré€izJNot enough memory to derive key. These parameters require {} MB of memory.)rqrŽr»rsZEVP_PBE_scryptrriZ _MEM_LIMITrÂrýr€rJrŽZERR_R_MALLOC_FAILUREZEVP_R_MEMORY_LIMIT_EXCEEDEDÚ MemoryErrorr›r¼) r{r¿r¾r½rìÚrrår’rÀrˆrPZ min_memoryr|r|r}Ú derive_scrypt sD þþþû ÿÿzBackend.derive_scryptcCst |¡}|j |¡|jjkSro)rZ_aead_cipher_namersrÅrqr )r{r©Ú cipher_namer|r|r}Úaead_cipher_supported; s ÿzBackend.aead_cipher_supportedc cs&t|ƒ}z |VW5| ||¡XdS)zÁ This method creates a bytearray, which we copy data into (hopefully also from a mutable buffer that can be dynamically erased!), and then zero when we're done. N)Ú bytearrayÚ _zero_data)r{r½rîr|r|r}ríA s zBackend._zeroed_bytearraycCst|ƒD] }d||<qdSrçr)r{rõr½rdr|r|r}rN s zBackend._zero_datac csf|dkr|jjVnNt|ƒ}|j d|d¡}|j |||¡z |VW5| |j d|¡|¡XdS)aâ This method takes bytes, which can be a bytestring or a mutable buffer like a bytearray, and yields a null-terminated version of that data. This is required because PKCS12_parse doesn't take a length with its password char * and ffi.from_buffer doesn't provide null termination. So, to support zeroing the data via bytearray we need to build this ridiculous construct that copies the memory, but zeroes it after use. Nr‹r‚z uint8_t *)rqr rrŽZmemmoverÚcast)r{rõZdata_lenr’r|r|r}Ú_zeroed_null_terminated_bufU s   z#Backend._zeroed_null_terminated_bufc CsÊ|dk rt d|¡| |¡}|j |j|jj¡}||jjkrN| ¡t dƒ‚|j  ||jj ¡}|j  d¡}|j  d¡}|j  d¡}|  |¡}|j |||||¡} W5QRX| dkrÆ| ¡t dƒ‚d} d} g} |d|jjkr|j  |d|jj¡} | | ¡} |d|jjkr6|j  |d|jj¡}t||ƒ} |d|jjkrÀ|j  |d|jj¡}|j |d¡}t|ƒD]H}|j ||¡}|j  ||jj¡}| ||jjk¡|  t||ƒ¡qv| | | fS)Nrrz!Could not deserialize PKCS12 datarðzX509 **zCryptography_STACK_OF_X509 **rzInvalid password or PKCS12 data)rr‹r÷rsZd2i_PKCS12_biormrqr rÂr®rÙZ PKCS12_freerŽrZ PKCS12_parserñrrSrHZ sk_X509_freeZ sk_X509_numrZ sk_X509_valuer€ry)r{rõrrrmZp12Z evp_pkey_ptrZx509_ptrZ sk_x509_ptrZ password_bufrˆr²r–Zadditional_certificatesràr Zsk_x509rÕrdr|r|r}Ú%load_key_and_certificates_from_pkcs12l sP       ÿ   z-Backend.load_key_and_certificates_from_pkcs12cCs |jjdkSr)rsZCryptography_HAS_POLY1305rzr|r|r}Úpoly1305_supportedš szBackend.poly1305_supportedcCs*t d|¡t|ƒtkr tdƒ‚t||ƒS)Nr–zA poly1305 key is 32 bytes long)rr‹rr@r®rA)r{r–r|r|r}Úcreate_poly1305_ctx s  zBackend.create_poly1305_ctx)N)N)ŒÚ__name__Ú __module__Ú __qualname__Ú__doc__ršr~r€r‰Ú contextlibrrŠrvr“r”r•r˜ržr r¡r¤r¥r­r±rur·r¸r¹rÁrÂrÍr×rárärïrðrórÜr÷rørúrrrrrrrr"r&r(r)rr*r+r-r.rQrXrBrUr\rarHrjrcrprsrxryr{rzr~rrr‚r„r…r‡rˆrqrur•r–ršrŸr r¨r«r—r­r¯r´r¸r¹rºr˜r‘r¤r©ržrÌrÈrÒrÑrÕrÙrÚrÛrÜrârãrärårærèrërïrñròrórørûrürþrrrrrr r r rrrírrrrrr|r|r|r}rnas       9 "   ++ UYQ"    1- "  P _=5 0  "       . rnc@seZdZdd„Zdd„ZdS)r²cCs ||_dSro)Ú_fmt)r{Zfmtr|r|r}r~¦ szGetCipherByName.__init__cCs&|jj||d ¡}|j | d¡¡S)N)r©rªr)rr›ÚlowerrsrÅrœ)r{rRr©rªrr|r|r}Ú__call__© szGetCipherByName.__call__N)rrrr~r r|r|r|r}r²¥ sr²cCs"d |jd¡}|j | d¡¡S)Nz aes-{}-xtsrÏr)r›rÞrsrÅrœ)rRr©rªrr|r|r}rµ® srµ)˜Z __future__rrrrÔÚ collectionsrr³rrÆZ six.movesrZ cryptographyrr Zcryptography.exceptionsr r Zcryptography.hazmat._derr r rrrZ'cryptography.hazmat.backends.interfacesrrrrrrrrrrrrrZ$cryptography.hazmat.backends.opensslrZ,cryptography.hazmat.backends.openssl.ciphersrZ)cryptography.hazmat.backends.openssl.cmacr!Z0cryptography.hazmat.backends.openssl.decode_asn1r"Z'cryptography.hazmat.backends.openssl.dhr#r$r%r&Z(cryptography.hazmat.backends.openssl.dsar'r(r)Z'cryptography.hazmat.backends.openssl.ecr*r+Z,cryptography.hazmat.backends.openssl.ed25519r,r-Z*cryptography.hazmat.backends.openssl.ed448r.r/r0Z0cryptography.hazmat.backends.openssl.encode_asn1r1r2r3r4r5r6r7r8r9Z+cryptography.hazmat.backends.openssl.hashesr;Z)cryptography.hazmat.backends.openssl.hmacr=Z)cryptography.hazmat.backends.openssl.ocspr>r?Z-cryptography.hazmat.backends.openssl.poly1305r@rAZ(cryptography.hazmat.backends.openssl.rsarBrCZ+cryptography.hazmat.backends.openssl.x25519rDrEZ)cryptography.hazmat.backends.openssl.x448rFrGZ)cryptography.hazmat.backends.openssl.x509rHrIrJrKZ$cryptography.hazmat.bindings.opensslrLZcryptography.hazmat.primitivesrMrNZ)cryptography.hazmat.primitives.asymmetricrOrPrQrRrSZ1cryptography.hazmat.primitives.asymmetric.paddingrTrUrVrWZ1cryptography.hazmat.primitives.ciphers.algorithmsrXrYrZr[r\r]r^r_r`Z,cryptography.hazmat.primitives.ciphers.modesrarbrcrdrerfrgrhZ"cryptography.hazmat.primitives.kdfriZ,cryptography.hazmat.primitives.serializationrjZcryptography.x509rkÚ namedtuplerlZregister_interfaceZregister_interface_ifrprrZCryptography_HAS_SCRYPTÚobjectrnr²rµrRr|r|r|r}Úsš  <    ,   ,(    ÿ*G