B \Úæ`Ô'ã@sddlmZmZmZddlZddlZddlZddlZddlZddlm Z ddl Z ddl m Z m Z ddlmZmZddlmZmZmZmZmZmZmZmZmZmZmZmZmZddlm Z ddl!m"Z"dd l#m$Z$dd l%m&Z&dd l'm(Z(m)Z)m*Z*m+Z+dd l,m-Z-m.Z.m/Z/dd l0m1Z1m2Z2ddl3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:ddl;mZ>ddl?m@Z@mAZAddlBmCZCmDZDddlEmFZFmGZGmHZHmIZIddlJmKZKddlLmMZMmNZNddlOmPZPmQZQmRZRddlSmTZTmUZUmVZVmWZWddlXmYZYmZZZm[Z[m\Z\m]Z]m^Z^m_Z_m`Z`maZaddlbmcZcmdZdmeZemfZfmgZgmhZhmiZimjZjddlkmlZle mdddg¡Zne  oe¡e  oe¡e  oe¡e  oe¡e  oe¡e  oe¡e  oe¡e  oe¡e  oe¡e  oe¡e  oe¡e  oe¡e  peK q¡jrjse¡Gdd„detƒƒƒƒƒƒƒƒƒƒƒƒƒƒZuGd d!„d!etƒZvd"d#„ZweuƒZxdS)$é)Úabsolute_importÚdivisionÚprint_functionN)Úcontextmanager)ÚutilsÚx509)ÚUnsupportedAlgorithmÚ_Reasons) Ú CMACBackendÚ CipherBackendÚDERSerializationBackendÚ DHBackendÚ DSABackendÚEllipticCurveBackendÚ HMACBackendÚ HashBackendÚPBKDF2HMACBackendÚPEMSerializationBackendÚ RSABackendÚ ScryptBackendÚ X509Backend)Úaead)Ú_CipherContext)Ú _CMACContext)Ú _Integers)Ú _DHParametersÚ _DHPrivateKeyÚ _DHPublicKeyÚ_dh_params_dup)Ú_DSAParametersÚ_DSAPrivateKeyÚ _DSAPublicKey)Ú_EllipticCurvePrivateKeyÚ_EllipticCurvePublicKey)Ú$_CRL_ENTRY_EXTENSION_ENCODE_HANDLERSÚ_CRL_EXTENSION_ENCODE_HANDLERSÚ_EXTENSION_ENCODE_HANDLERSÚ_encode_asn1_int_gcÚ_encode_asn1_str_gcÚ_encode_name_gcÚ _txt2obj_gc)Ú _HashContext)Ú _HMACContext)Ú_RSAPrivateKeyÚ _RSAPublicKey)Ú_X25519PrivateKeyÚ_X25519PublicKey)Ú _CertificateÚ_CertificateRevocationListÚ_CertificateSigningRequestÚ_RevokedCertificate)Úbinding)ÚhashesÚ serialization)ÚdsaÚecÚrsa)ÚMGF1ÚOAEPÚPKCS1v15ÚPSS) ÚAESÚARC4ÚBlowfishÚCAST5ÚCamelliaÚChaCha20ÚIDEAÚSEEDÚ TripleDES)ÚCBCÚCFBÚCFB8ÚCTRÚECBÚGCMÚOFBÚXTS)ÚscryptÚ _MemoryBIOÚbioZchar_ptrc@sbeZdZdZdZdd„Zdd„Zdd„Zej d d „ƒZ d d „Z d d„Z dd„Z dd„Zdd„Zdd„Zdd„Zdd„Zdd„Zdd„Zdd „Zd!d"„Zd#d$„Zd%d&„Zd'd(„Zd)d*„Zd+d,„Zd-d.„ZdÔd0d1„Zd2d3„Zd4d5„Zd6d7„Z d8d9„Z!d:d;„Z"dd?„Z$d@dA„Z%dBdC„Z&dDdE„Z'dFdG„Z(dHdI„Z)dJdK„Z*dLdM„Z+dNdO„Z,dPdQ„Z-dRdS„Z.dTdU„Z/dVdW„Z0dXdY„Z1dZd[„Z2d\d]„Z3d^d_„Z4d`da„Z5dbdc„Z6ddde„Z7dfdg„Z8dhdi„Z9djdk„Z:dldm„Z;dndo„Zdtdu„Z?dvdw„Z@dxdy„ZAdzd{„ZBd|d}„ZCd~d„ZDd€d„ZEd‚dƒ„ZFd„d…„ZGd†d‡„ZHdˆd‰„ZIdŠd‹„ZJdŒd„ZKdŽd„ZLdd‘„ZMd’d“„ZNd”d•„ZOd–d—„ZPd˜d™„ZQdšd›„ZRdœd„ZSdždŸ„ZTd d¡„ZUd¢d£„ZVe d¤d¥„ƒZWd¦d§„ZXd¨d©„ZYdªd«„ZZd¬d­„Z[d®d¯„Z\d°d±„Z]d²d³„Z^d´dµ„Z_d¶d·„Z`d¸d¹„Zadºd»„Zbd¼d½„Zcd¾d¿„ZddÀdÁ„ZedÕdÂdÄZfdÄdÅ„ZgdÆdÇ„ZhdÈdÉ„ZidÊdË„ZjdÌdÍ„ZkdÎdÏ„ZldÐdÑ„ZmdÒdÓ„Znd/S)ÖÚBackendz) OpenSSL API binding interfaces. ZopensslcCs\t ¡|_|jj|_|jj|_i|_| ¡|  ¡|jj g|_ |jj rX|j   |jj¡dS)N)r5ÚBindingÚ_bindingZffiÚ_ffiÚlibÚ_libÚ_cipher_registryÚ_register_default_ciphersÚactivate_osrandom_engineZ EVP_PKEY_DHÚ _dh_typesÚCryptography_HAS_EVP_PKEY_DHXÚappendZ EVP_PKEY_DHX)Úself©r`ú_/opt/alt/python37/lib64/python3.7/site-packages/cryptography/hazmat/backends/openssl/backend.pyÚ__init__\s    zBackend.__init__cCst |j|¡S)N)r5Z_openssl_assertrX)r_Úokr`r`raÚopenssl_asserthszBackend.openssl_assertcCsJ|j ¡}||jjkrF|j |¡|j ¡|j |¡}| |dk¡dS)Né)rXZENGINE_get_default_RANDrVÚNULLZENGINE_unregister_RANDÚ RAND_cleanupÚ ENGINE_finishrd)r_ÚeÚresr`r`raÚactivate_builtin_randomks      zBackend.activate_builtin_randomc cs‚|j |jj¡}| ||jjk¡|j |¡}| |dk¡z |VWd|j |¡}| |dk¡|j  |¡}| |dk¡XdS)Nre) rXZ ENGINE_by_idrUZ_osrandom_engine_idrdrVrfZ ENGINE_initZ ENGINE_freerh)r_rirjr`r`raÚ_get_osurandom_enginevs    zBackend._get_osurandom_enginec CsD| ¡| ¡ }|j |¡}| |dk¡WdQRX|j ¡dS)Nre)rkrlrXZENGINE_set_default_RANDrdrg)r_rirjr`r`rar[Šs   z Backend.activate_osrandom_enginec Cs`|j dd¡}| ¡2}|j |dt|ƒ||jjd¡}| |dk¡WdQRX|j |¡  d¡S)Nzchar[]é@sget_implementationrÚascii) rVÚnewrlrXZENGINE_ctrl_cmdÚlenrfrdÚstringÚdecode)r_Úbufrirjr`r`raÚosrandom_engine_implementation”s   z&Backend.osrandom_engine_implementationcCs|j |j |jj¡¡ d¡S)z¿ Friendly string name of the loaded OpenSSL library. This is not necessarily the same version as it was compiled against. Example: OpenSSL 1.0.1e 11 Feb 2013 rn)rVrqrXZOpenSSL_versionZOPENSSL_VERSIONrr)r_r`r`raÚopenssl_version_textszBackend.openssl_version_textcCs |j ¡S)N)rXZOpenSSL_version_num)r_r`r`raÚopenssl_version_number¨szBackend.openssl_version_numbercCs t|||ƒS)N)r,)r_ÚkeyÚ algorithmr`r`raÚcreate_hmac_ctx«szBackend.create_hmac_ctxcCs@|jdks|jdkr0d |j|jd¡ d¡}n |j d¡}|S)NZblake2bZblake2sz{0}{1}érn)ÚnameÚformatZ digest_sizeÚencode)r_rxZalgr`r`raÚ_build_openssl_digest_name®s  z"Backend._build_openssl_digest_namecCs"| |¡}|j |¡}||jjkS)N)r~rXÚEVP_get_digestbynamerVrf)r_rxr{Zdigestr`r`raÚhash_supported¸s  zBackend.hash_supportedcCs | |¡S)N)r€)r_rxr`r`raÚhmac_supported½szBackend.hmac_supportedcCs t||ƒS)N)r+)r_rxr`r`raÚcreate_hash_ctxÀszBackend.create_hash_ctxcCsHy|jt|ƒt|ƒf}Wntk r.dSX||||ƒ}|jj|kS)NF)rYÚtypeÚKeyErrorrVrf)r_ÚcipherÚmodeÚadapterÚ evp_cipherr`r`raÚcipher_supportedÃs  zBackend.cipher_supportedcCs0||f|jkrtd ||¡ƒ‚||j||f<dS)Nz$Duplicate registration for: {0} {1}.)rYÚ ValueErrorr|)r_Ú cipher_clsÚmode_clsr‡r`r`raÚregister_cipher_adapterËs zBackend.register_cipher_adaptercCsXx,tttttttgD]}| t|t dƒ¡qWx(tttttgD]}| t |t dƒ¡q>Wx&ttttgD]}| t |t dƒ¡qfW| t tt dƒ¡x&ttttgD]}| t |t dƒ¡q Wx&ttttgD]}| t |t dƒ¡qÈWx6t ttgttttg¡D]\}}| ||t dƒ¡qüW| ttdƒt dƒ¡| ttdƒt dƒ¡| ttt¡dS) Nz+{cipher.name}-{cipher.key_size}-{mode.name}zdes-ede3-{mode.name}zdes-ede3zbf-{mode.name}zseed-{mode.name}z{cipher.name}-{mode.name}Zrc4Zchacha20)rHrKrLrNrIrJrMrr?ÚGetCipherByNamerCrGrArFÚ itertoolsÚproductrBrEr@rƒrDrOÚ_get_xts_cipher)r_rŒr‹r`r`rarZÒsZ   z!Backend._register_default_cipherscCst|||tjƒS)N)rZ_ENCRYPT)r_r…r†r`r`raÚcreate_symmetric_encryption_ctx sz'Backend.create_symmetric_encryption_ctxcCst|||tjƒS)N)rZ_DECRYPT)r_r…r†r`r`raÚcreate_symmetric_decryption_ctxsz'Backend.create_symmetric_decryption_ctxcCs | |¡S)N)r)r_rxr`r`raÚpbkdf2_hmac_supportedszBackend.pbkdf2_hmac_supportedc Csx|j d|¡}|j |j d¡¡}| ||jjk¡|j |t |ƒ|t |ƒ||||¡}| |dk¡|j  |¡dd…S)Nzunsigned char[]rnre) rVrorXrr{r}rdrfZPKCS5_PBKDF2_HMACrpÚbuffer) r_rxÚlengthÚsaltZ iterationsÚ key_materialrsÚevp_mdrjr`r`raÚderive_pbkdf2_hmacszBackend.derive_pbkdf2_hmaccCs t |j¡S)N)r5Ú_consume_errorsrX)r_r`r`rar›'szBackend._consume_errorscCsœtjsX|j |¡}|j d|¡}|j ||¡}| |dk¡t  |j  |¡d|…d¡S|j  |¡}| ||jj k¡|j  |¡}|j |¡t|dƒSdS)Nzunsigned char[]rÚbigé)ÚsixÚPY2rXZ BN_num_bytesrVroZ BN_bn2binrdÚintÚ from_bytesr•Z BN_bn2hexrfrqÚ OPENSSL_free)r_ÚbnZ bn_num_bytesZbin_ptrZbin_lenZ hex_cdataZhex_strr`r`raÚ _bn_to_int*s    zBackend._bn_to_intNcCsÊ|dkr|jj}tjs\| t| ¡ddƒd¡}|j |t |ƒ|¡}|  ||jjk¡|St |ƒ  d¡dd…  d¡}|j d¡}||d <|j ||¡}|  |d k¡|  |d |jjk¡|d SdS) a  Converts a python integer to a BIGNUM. The returned BIGNUM will not be garbage collected (to support adding them to structs that take ownership of the object). Be sure to register it for GC if it will be discarded after use. Ng @rerœÚLérnz BIGNUM **r)rVrfržrŸÚto_bytesr Ú bit_lengthrXZ BN_bin2bnrprdÚhexÚrstripr}roZ BN_hex2bn)r_Znumr£ZbinaryZbn_ptrZhex_numrjr`r`raÚ _int_to_bn=s  zBackend._int_to_bncCst ||¡|j ¡}| ||jjk¡|j ||jj¡}|  |¡}|j ||jj ¡}|j  ||||jj¡}| |dk¡|  |¡}t |||ƒS)Nre)r:Z_verify_rsa_parametersrXÚRSA_newrdrVrfÚgcÚRSA_freer«ÚBN_freeZRSA_generate_key_exÚ_rsa_cdata_to_evp_pkeyr-)r_Úpublic_exponentÚkey_sizeÚ rsa_cdatar£rjÚevp_pkeyr`r`raÚgenerate_rsa_private_key\s    z Backend.generate_rsa_private_keycCs|dko|d@dko|dkS)Nérerir`)r_r±r²r`r`raÚ!generate_rsa_parameters_supportednsz)Backend.generate_rsa_parameters_supportedc CsRt |j|j|j|j|j|j|jj |jj ¡|j   ¡}|  ||jjk¡|j ||j j¡}| |j¡}| |j¡}| |j¡}| |j¡}| |j¡}| |j¡}| |jj ¡} | |jj ¡} |j  |||¡} |  | dk¡|j  || | |¡} |  | dk¡|j  ||||¡} |  | dk¡|j  ||jj¡} |  | dk¡| |¡} t||| ƒS)Nre)r:Z_check_private_key_componentsÚpÚqÚdÚdmp1Údmq1ÚiqmpÚpublic_numbersriÚnrXr¬rdrVrfr­r®r«ZRSA_set0_factorsÚ RSA_set0_keyZRSA_set0_crt_paramsZRSA_blinding_onr°r-) r_Únumbersr³r¸r¹rºr»r¼r½rir¿rjr´r`r`raÚload_rsa_private_numbersrs<         z Backend.load_rsa_private_numberscCst |j|j¡|j ¡}| ||jjk¡|j  ||jj ¡}|  |j¡}|  |j¡}|j  ||||jj¡}| |dk¡|  |¡}t|||ƒS)Nre)r:Z_check_public_key_componentsrir¿rXr¬rdrVrfr­r®r«rÀr°r.)r_rÁr³rir¿rjr´r`r`raÚload_rsa_public_numbers”s    zBackend.load_rsa_public_numberscCs2|j ¡}| ||jjk¡|j ||jj¡}|S)N)rXZ EVP_PKEY_newrdrVrfr­Ú EVP_PKEY_free)r_r´r`r`raÚ_create_evp_pkey_gc¡s zBackend._create_evp_pkey_gccCs(| ¡}|j ||¡}| |dk¡|S)Nre)rÅrXZEVP_PKEY_set1_RSArd)r_r³r´rjr`r`rar°§szBackend._rsa_cdata_to_evp_pkeycCsJ|j d|¡}|j |t|ƒ¡}| ||jjk¡t|j ||jj ¡|ƒS)z® Return a _MemoryBIO namedtuple of (BIO, char*). The char* is the storage for the BIO and it must stay alive until the BIO is finished with. zchar[]) rVrorXZBIO_new_mem_bufrprdrfrQr­ÚBIO_free)r_ÚdataZ data_char_prRr`r`raÚ _bytes_to_bio­s  zBackend._bytes_to_biocCsP|j ¡}| ||jjk¡|j |¡}| ||jjk¡|j ||jj¡}|S)z. Creates an empty memory BIO. )rXZ BIO_s_memrdrVrfZBIO_newr­rÆ)r_Z bio_methodrRr`r`raÚ_create_mem_bio_gc¼s   zBackend._create_mem_bio_gccCs\|j d¡}|j ||¡}| |dk¡| |d|jjk¡|j |d|¡dd…}|S)zE Reads a memory BIO. This only works on memory BIOs. zchar **rN)rVrorXZBIO_get_mem_datardrfr•)r_rRrsZbuf_lenÚbio_datar`r`raÚ _read_mem_bioÇs  zBackend._read_mem_biocCs8|j |¡}||jjkrT|j |¡}| ||jjk¡|j ||jj¡}t |||ƒS||jj krœ|j  |¡}| ||jjk¡|j ||jj ¡}t |||ƒS||jjkrä|j |¡}| ||jjk¡|j ||jj¡}t|||ƒS||jkr,|j |¡}| ||jjk¡|j ||jj¡}t|||ƒStdƒ‚dS)zd Return the appropriate type of PrivateKey given an evp_pkey cdata pointer. zUnsupported key type.N)rXÚ EVP_PKEY_idÚ EVP_PKEY_RSAÚEVP_PKEY_get1_RSArdrVrfr­r®r-Ú EVP_PKEY_DSAÚEVP_PKEY_get1_DSAÚDSA_freer Ú EVP_PKEY_ECÚEVP_PKEY_get1_EC_KEYÚ EC_KEY_freer"r\ÚEVP_PKEY_get1_DHÚDH_freerr)r_r´Úkey_typer³Ú dsa_cdataÚec_cdataÚdh_cdatar`r`raÚ_evp_pkey_to_private_keyÒs,             z Backend._evp_pkey_to_private_keycCs8|j |¡}||jjkrT|j |¡}| ||jjk¡|j ||jj¡}t |||ƒS||jj krœ|j  |¡}| ||jjk¡|j ||jj ¡}t |||ƒS||jjkrä|j |¡}| ||jjk¡|j ||jj¡}t|||ƒS||jkr,|j |¡}| ||jjk¡|j ||jj¡}t|||ƒStdƒ‚dS)zc Return the appropriate type of PublicKey given an evp_pkey cdata pointer. zUnsupported key type.N)rXrÌrÍrÎrdrVrfr­r®r.rÏrÐrÑr!rÒrÓrÔr#r\rÕrÖrr)r_r´r×r³rØrÙrÚr`r`raÚ_evp_pkey_to_public_keyñs,             zBackend._evp_pkey_to_public_keycCs6|jjr&t|tjtjtjtjtjfƒSt|tjƒSdS)N) rXZCryptography_HAS_RSA_OAEP_MDÚ isinstancer6ZSHA1ZSHA224ZSHA256ZSHA384ZSHA512)r_rxr`r`raÚ_oaep_hash_supporteds zBackend._oaep_hash_supportedcCsŽt|tƒrdSt|tƒr2t|jtƒr2| |jj¡St|tƒr†t|jtƒr†| |jj¡o„| |j¡o„|j dkp„t |j ƒdkp„|j j dkSdSdS)NTrreF) rÝr=r>Z_mgfr;r€Z _algorithmr<rÞZ_labelrprXZCryptography_HAS_RSA_OAEP_LABEL)r_Zpaddingr`r`raÚrsa_padding_supporteds   zBackend.rsa_padding_supportedc Cs~|dkrtdƒ‚|j ¡}| ||jjk¡|j ||jj¡}|j |||jjd|jj|jj|jj¡}| |dk¡t ||ƒS)N)iii z+Key size must be 1024 or 2048 or 3072 bits.rre) rŠrXÚDSA_newrdrVrfr­rÑZDSA_generate_parameters_exr)r_r²Úctxrjr`r`raÚgenerate_dsa_parameters/s  zBackend.generate_dsa_parameterscCsT|j |j¡}| ||jjk¡|j ||jj¡}|j |¡|  |¡}t |||ƒS)N) rXZ DSAparams_dupZ _dsa_cdatardrVrfr­rÑZDSA_generate_keyÚ_dsa_cdata_to_evp_pkeyr )r_Ú parametersrár´r`r`raÚgenerate_dsa_private_key@s   z Backend.generate_dsa_private_keycCs| |¡}| |¡S)N)rârå)r_r²rär`r`raÚ'generate_dsa_private_key_and_parametersIs z/Backend.generate_dsa_private_key_and_parameterscCsB|j ||||¡}| |dk¡|j |||¡}| |dk¡dS)Nre)rXÚ DSA_set0_pqgrdZ DSA_set0_key)r_rØr¸r¹ÚgÚpub_keyÚpriv_keyrjr`r`raÚ_dsa_cdata_set_valuesMszBackend._dsa_cdata_set_valuesc Cs¨t |¡|jj}|j ¡}| ||jjk¡|j  ||jj ¡}|  |j ¡}|  |j ¡}|  |j¡}|  |jj¡}|  |j¡}| ||||||¡| |¡} t||| ƒS)N)r8Z_check_dsa_private_numbersr¾Úparameter_numbersrXràrdrVrfr­rÑr«r¸r¹rèÚyÚxrërãr ) r_rÁrìrØr¸r¹rèrérêr´r`r`raÚload_dsa_private_numbersSs       z Backend.load_dsa_private_numbersc Cs¢t |j¡|j ¡}| ||jjk¡|j ||jj ¡}|  |jj ¡}|  |jj ¡}|  |jj ¡}|  |j¡}|jj}| ||||||¡| |¡}t|||ƒS)N)r8Ú_check_dsa_parametersrìrXràrdrVrfr­rÑr«r¸r¹rèrírërãr!) r_rÁrØr¸r¹rèrérêr´r`r`raÚload_dsa_public_numbersfs    zBackend.load_dsa_public_numberscCs†t |¡|j ¡}| ||jjk¡|j ||jj¡}|  |j ¡}|  |j ¡}|  |j ¡}|j  ||||¡}| |dk¡t||ƒS)Nre)r8rðrXràrdrVrfr­rÑr«r¸r¹rèrçr)r_rÁrØr¸r¹rèrjr`r`raÚload_dsa_parameter_numbersws     z"Backend.load_dsa_parameter_numberscCs(| ¡}|j ||¡}| |dk¡|S)Nre)rÅrXZEVP_PKEY_set1_DSArd)r_rØr´rjr`r`rarã…szBackend._dsa_cdata_to_evp_pkeycCs | |¡S)N)r€)r_rxr`r`raÚdsa_hash_supported‹szBackend.dsa_hash_supportedcCsdS)NTr`)r_r¸r¹rèr`r`raÚdsa_parameters_supportedŽsz Backend.dsa_parameters_supportedcCs| |td|jƒ¡S)Nó)r‰rHZ block_size)r_rxr`r`raÚcmac_algorithm_supported‘sz Backend.cmac_algorithm_supportedcCs t||ƒS)N)r)r_rxr`r`raÚcreate_cmac_ctx–szBackend.create_cmac_ctxc Cs¬t|tjƒstdƒ‚t|tjƒr4t|tjƒs4tdƒ‚|j  |j   d¡¡}|  ||j jk¡|j ¡}|  ||j jk¡|j  ||jj¡}|j |tjjj¡}|  |dk¡|j |t||jƒ¡}|  |dk¡| ¡}|j ||j¡}|  |dk¡|j ¡}|  ||j jk¡|j  ||jj¡}|j|j t!||jj"dd|j #||¡}|  |dk¡|j $||j|¡}|dkr¢| %¡} |  | d &|jj'|jj(¡¡tdƒ‚t)||ƒS) Nz.Algorithm must be a registered hash algorithm.z5MD5 is not a supported hash algorithm for EC/DSA CSRsrnreF)Ú extensionsÚhandlersÚx509_objÚadd_funcr­rzDigest too big for RSA key)*rÝr6Ú HashAlgorithmÚ TypeErrorÚMD5r:Ú RSAPrivateKeyrŠrXrr{r}rdrVrfZ X509_REQ_newr­Ú X509_REQ_freeZX509_REQ_set_versionrZVersionZv1ÚvalueZX509_REQ_set_subject_namer)Ú _subject_nameÚ public_keyZX509_REQ_set_pubkeyÚ _evp_pkeyZsk_X509_EXTENSION_new_nullZsk_X509_EXTENSION_freeÚ_create_x509_extensionsÚ _extensionsr&Zsk_X509_EXTENSION_insertZX509_REQ_add_extensionsZ X509_REQ_signr›Ú_lib_reason_matchÚ ERR_LIB_RSAÚ RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEYr3) r_ÚbuilderÚ private_keyrxr™Úx509_reqrjrZ sk_extensionÚerrorsr`r`raÚcreate_x509_csr™sV          zBackend.create_x509_csrc Cst|tjƒstdƒ‚t|tjƒs(tdƒ‚t|tjƒrHt|tjƒsHt dƒ‚|j   |j   d¡¡}| ||jjk¡|j  ¡}|j |tj j¡}|j  ||jj¡}| |dk¡|j  |t||jƒ¡}| |dk¡|j  ||jj¡}| |dk¡t||jƒ}|j   ||¡}| |dk¡|j  !|j  "|¡t# $|j% &¡¡¡}||jjkrN| '¡|j  !|j  (|¡t# $|j) &¡¡¡}||jjkr†| '¡|j*|j+t,||j j-dd|j  .|t||j/ƒ¡}| |dk¡|j  0||j|¡}|dkr| 1¡}| |d 2|j j3|j j4¡¡t d ƒ‚t5||ƒS) NzBuilder type mismatch.z.Algorithm must be a registered hash algorithm.z=MD5 is not a supported hash algorithm for EC/DSA certificatesrnreT)rørùrúrûr­rzDigest too big for RSA key)6rÝrZCertificateBuilderrýr6rürþr:rÿrŠrXrr{r}rdrVrfZX509_newr­ÚbackendÚ X509_freeZX509_set_versionZ_versionrZX509_set_subject_namer)rZX509_set_pubkeyZ _public_keyrr'Ú_serial_numberZX509_set_serialNumberÚ ASN1_TIME_setZX509_get_notBeforeÚcalendarÚtimegmZ_not_valid_beforeÚ timetupleÚ_raise_time_set_errorZX509_get_notAfterZ_not_valid_afterrrr&Z X509_add_extZX509_set_issuer_nameÚ _issuer_nameZ X509_signr›rrr r1) r_r r rxr™Z x509_certrjÚ serial_numberr r`r`raÚcreate_x509_certificateäsj            zBackend.create_x509_certificatecCs2| ¡}| |d |jj|jj¡¡tdƒ‚dS)NrzVInvalid time. This error can occur if you set a time too far in the future on Windows.)r›rdrrXZ ERR_LIB_ASN1ZASN1_R_ERROR_GETTING_TIMErŠ)r_r r`r`rar@s zBackend._raise_time_set_errorc CsBt|tjƒstdƒ‚t|tjƒs(tdƒ‚t|tjƒrHt|tjƒsHt dƒ‚|j   |j   d¡¡}| ||jjk¡|j  ¡}|j |tj j¡}|j  |d¡}| |dk¡|j  |t||jƒ¡}| |dk¡|j  |jjt |j ¡¡¡}| ||jjk¡|j ||j j¡}|j  ||¡}| |dk¡|j  |jjt |j  ¡¡¡}| ||jjk¡|j ||j j¡}|j  !||¡}| |dk¡|j"|j#t$||j j%ddxL|j&D]B} |j  '| j(¡} | | |jjk¡|j  )|| ¡}| |dk¡q¨W|j  *||j+|¡}|dkr8| ,¡} | | d -|j j.|j j/¡¡t d ƒ‚t0||ƒS) NzBuilder type mismatch.z.Algorithm must be a registered hash algorithm.z5MD5 is not a supported hash algorithm for EC/DSA CRLsrnreT)rørùrúrûr­rzDigest too big for RSA key)1rÝrZ CertificateRevocationListBuilderrýr6rürþr:rÿrŠrXrr{r}rdrVrfZ X509_CRL_newr­rÚ X509_CRL_freeZX509_CRL_set_versionZX509_CRL_set_issuer_namer)rrrrZ _last_updaterÚASN1_TIME_freeZX509_CRL_set_lastUpdateZ _next_updateZX509_CRL_set_nextUpdaterrr%ZX509_CRL_add_extZ_revoked_certificatesZCryptography_X509_REVOKED_dupZ _x509_revokedZX509_CRL_add0_revokedZ X509_CRL_signrr›rrr r2) r_r r rxr™Úx509_crlrjZ last_updateZ next_updateZ revoked_certZrevokedr r`r`raÚcreate_x509_crlMsh         zBackend.create_x509_crlc Cshxbt|ƒD]V\}}| ||¡}| ||jjk¡|rF|j ||jj¡}||||ƒ} | | dk¡q WdS)Nre)Ú enumerateÚ_create_x509_extensionrdrVrfr­rXZX509_EXTENSION_free) r_rørùrúrûr­ÚiÚ extensionZx509_extensionrjr`r`rar£s  zBackend._create_x509_extensionscCs.t||jjƒ}|j |jj||jr&dnd|¡S)Nrer)r*ÚoidÚ dotted_stringrXZX509_EXTENSION_create_by_OBJrVrfÚcritical)r_r!rÚobjr`r`raÚ_create_raw_x509_extension²sz"Backend._create_raw_x509_extensioncCsút|jtjƒr2t||jjt|jjƒƒ}| ||¡St|jtjƒrttdd„|jDƒƒ  ¡}t||t|ƒƒ}| ||¡Sy||j }Wn$t k r¦t d  |j ¡ƒ‚YnX|||jƒ}|j |j j d¡¡}t ||jjk¡|j ||jrîdnd|¡SdS)NcSsg|] }|j‘qSr`)r)Ú.0rîr`r`raú ¿sz2Backend._create_x509_extension..zExtension not supported: {0}rnrer)rÝrrZUnrecognizedExtensionr(rpr&Z TLSFeaturerÚdumpr"r„ÚNotImplementedErrorr|rXZ OBJ_txt2nidr#r}rrdÚ NID_undefZX509V3_EXT_i2dr$)r_rùr!rZasn1r}Z ext_structÚnidr`r`rar¸s&   zBackend._create_x509_extensioncCsît|tjƒstdƒ‚|j ¡}| ||jjk¡|j  ||jj ¡}t ||j ƒ}|j  ||¡}| |dk¡|j |jjt |j ¡¡¡}| ||jjk¡|j  ||jj¡}|j ||¡}| |dk¡|j|jt||jjddt|d|ƒS)NzBuilder type mismatch.reT)rørùrúrûr­)rÝrZRevokedCertificateBuilderrýrXZX509_REVOKED_newrdrVrfr­ZX509_REVOKED_freer'rZX509_REVOKED_set_serialNumberrrrZ_revocation_daterrZX509_REVOKED_set_revocationDaterrr$ZX509_REVOKED_add_extr4)r_r Z x509_revokedrrjZrev_dater`r`raÚcreate_x509_revoked_certificateÓs.   z'Backend.create_x509_revoked_certificatecCs| |jj|j||¡S)N)Ú _load_keyrXZPEM_read_bio_PrivateKeyrÛ)r_rÇÚpasswordr`r`raÚload_pem_private_keyñs zBackend.load_pem_private_keycCsÖ| |¡}|j |j|jj|jj|jj¡}||jjkrR|j ||jj¡}| |¡S|  ¡|j  |j¡}|  |dk¡|j  |j|jj|jj|jj¡}||jjkrÊ|j ||jj ¡}| |¡}t|||ƒS| ¡dS)Nre)rÈrXZPEM_read_bio_PUBKEYrRrVrfr­rÄrÜr›Ú BIO_resetrdZPEM_read_bio_RSAPublicKeyr®r°r.Ú_handle_key_loading_error)r_rÇÚmem_bior´rjr³r`r`raÚload_pem_public_keyùs       zBackend.load_pem_public_keycCs^| |¡}|j |j|jj|jj|jj¡}||jjkrR|j ||jj¡}t||ƒS|  ¡dS)N) rÈrXZPEM_read_bio_DHparamsrRrVrfr­rÖrr2)r_rÇr3rÚr`r`raÚload_pem_parameterss   zBackend.load_pem_parameterscCs>| |¡}| ||¡}|r$| |¡S| |jj|j||¡SdS)N)rÈÚ"_evp_pkey_from_der_traditional_keyrÛr.rXZd2i_PKCS8PrivateKey_bio)r_rÇr/rÊrwr`r`raÚload_der_private_keys   zBackend.load_der_private_keycCsV|j |j|jj¡}||jjkrF|j ||jj¡}|dk rBtdƒ‚|S| ¡dSdS)Nz4Password was given but private key is not encrypted.) rXÚd2i_PrivateKey_biorRrVrfr­rÄrýr›)r_rÊr/rwr`r`rar60s z*Backend._evp_pkey_from_der_traditional_keycCs¾| |¡}|j |j|jj¡}||jjkrF|j ||jj¡}| |¡S|  ¡|j  |j¡}|  |dk¡|j  |j|jj¡}||jjkr²|j ||jj ¡}| |¡}t|||ƒS| ¡dS)Nre)rÈrXZd2i_PUBKEY_biorRrVrfr­rÄrÜr›r1rdZd2i_RSAPublicKey_bior®r°r.r2)r_rÇr3r´rjr³r`r`raÚload_der_public_key>s      zBackend.load_der_public_keycCsº| |¡}|j |j|jj¡}||jjkrF|j ||jj¡}t||ƒS|jj r®|  ¡|j  |j¡}|  |dk¡|j  |j|jj¡}||jjkr®|j ||jj¡}t||ƒS| ¡dS)Nre)rÈrXZd2i_DHparams_biorRrVrfr­rÖrr]r›r1rdZCryptography_d2i_DHxparams_bior2)r_rÇr3rÚrjr`r`raÚload_der_parametersUs      zBackend.load_der_parameterscCsb| |¡}|j |j|jj|jj|jj¡}||jjkrF| ¡tdƒ‚|j ||jj ¡}t ||ƒS)NzUnable to load certificate) rÈrXZPEM_read_bio_X509rRrVrfr›rŠr­rr1)r_rÇr3rr`r`raÚload_pem_x509_certificateks  z!Backend.load_pem_x509_certificatecCsV| |¡}|j |j|jj¡}||jjkr:| ¡tdƒ‚|j ||jj ¡}t ||ƒS)NzUnable to load certificate) rÈrXZ d2i_X509_biorRrVrfr›rŠr­rr1)r_rÇr3rr`r`raÚload_der_x509_certificatews  z!Backend.load_der_x509_certificatecCsb| |¡}|j |j|jj|jj|jj¡}||jjkrF| ¡tdƒ‚|j ||jj ¡}t ||ƒS)NzUnable to load CRL) rÈrXZPEM_read_bio_X509_CRLrRrVrfr›rŠr­rr2)r_rÇr3rr`r`raÚload_pem_x509_crls  zBackend.load_pem_x509_crlcCsV| |¡}|j |j|jj¡}||jjkr:| ¡tdƒ‚|j ||jj ¡}t ||ƒS)NzUnable to load CRL) rÈrXZd2i_X509_CRL_biorRrVrfr›rŠr­rr2)r_rÇr3rr`r`raÚload_der_x509_crls  zBackend.load_der_x509_crlcCsb| |¡}|j |j|jj|jj|jj¡}||jjkrF| ¡tdƒ‚|j ||jj ¡}t ||ƒS)NzUnable to load request) rÈrXZPEM_read_bio_X509_REQrRrVrfr›rŠr­rr3)r_rÇr3r r`r`raÚload_pem_x509_csr—s  zBackend.load_pem_x509_csrcCsV| |¡}|j |j|jj¡}||jjkr:| ¡tdƒ‚|j ||jj ¡}t ||ƒS)NzUnable to load request) rÈrXZd2i_X509_REQ_biorRrVrfr›rŠr­rr3)r_rÇr3r r`r`raÚload_der_x509_csr£s  zBackend.load_der_x509_csrc Cs| |¡}|dk r$t|tƒs$tdƒ‚|j d¡}|dk rV|j d|¡}||_t|ƒ|_||j |jj |j  |j j d¡|ƒ}||jj krÒ|jdkrÊ| ¡} | | ¡|jdkr´tdƒ‚qÒtd |jd ¡ƒ‚n| ¡|j ||j j¡}|dk rþ|jdkrþtd ƒ‚||ƒS) NzPassword must be byteszCRYPTOGRAPHY_PASSWORD_DATA *zchar []ZCryptography_pem_password_cbréÿÿÿÿz3Password was not given but private key is encryptedzBPasswords longer than {0} bytes are not supported by this backend.rez4Password was given but private key is not encrypted.)rÈrÝÚbytesrýrVror/rpr–rRrfZ addressofrXZ _original_libÚerrorr›rdrŠr|Úmaxsizer2r­rÄZcalled) r_Zopenssl_read_funcZ convert_funcrÇr/r3ZuserdataZ password_bufr´r r`r`rar.­s<        zBackend._load_keycsºˆ ¡}|stdƒ‚n |d ˆjjˆjj¡sF|d ˆjjˆjj¡rPtdƒ‚nf|d ˆjjˆjj¡s€|d ˆjj ˆjj ¡rŽt dt j ƒ‚n(t‡fdd„|Dƒƒr®tdƒ‚ntdƒ‚dS)NzCould not deserialize key data.rz Bad decrypt. Incorrect password?z0PEM data is encrypted with an unsupported cipherc3s"|]}| ˆjjˆjj¡VqdS)N)rrXÚ ERR_LIB_EVPZ'EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM)r'rC)r_r`raú ýsz4Backend._handle_key_loading_error..z!Unsupported public key algorithm.)r›rŠrrXrEZEVP_R_BAD_DECRYPTZERR_LIB_PKCS12Z!PKCS12_R_PKCS12_CIPHERFINAL_ERRORZEVP_R_UNKNOWN_PBE_ALGORITHMZ ERR_LIB_PEMZPEM_R_UNSUPPORTED_ENCRYPTIONrr ZUNSUPPORTED_CIPHERÚany)r_r r`)r_rar2às*       z!Backend._handle_key_loading_errorcCs y| |¡}Wntk r*|jj}YnX|j |¡}||jjkrz| ¡}| ||jjkpr|d  |jj |jj ¡¡dS| ||jjk¡|j  |¡dSdS)NrFT) Ú_elliptic_curve_to_nidrrXr+ZEC_GROUP_new_by_curve_namerVrfr›rdrZ ERR_LIB_ECZEC_R_UNKNOWN_GROUPZ EC_GROUP_free)r_ÚcurveÚ curve_nidÚgroupr r`r`raÚelliptic_curve_supported s      z Backend.elliptic_curve_supportedcCst|tjƒsdS| |¡S)NF)rÝr9ZECDSArL)r_Zsignature_algorithmrIr`r`raÚ,elliptic_curve_signature_algorithm_supported$s z4Backend.elliptic_curve_signature_algorithm_supportedcCsŒ| |¡rt| |¡}|j |¡}| ||jjk¡|j ||jj¡}|j  |¡}| |dk¡|  |¡}t |||ƒSt d  |j¡tjƒ‚dS)z@ Generate a new private key on the named curve. rez$Backend object does not support {0}.N)rLrHrXÚEC_KEY_new_by_curve_namerdrVrfr­rÔZEC_KEY_generate_keyÚ_ec_cdata_to_evp_pkeyr"rr|r{r ÚUNSUPPORTED_ELLIPTIC_CURVE)r_rIrJrÙrjr´r`r`raÚ#generate_elliptic_curve_private_key-s       z+Backend.generate_elliptic_curve_private_keycCs |j}| |j¡}|j |¡}| ||jjk¡|j ||jj ¡}|j |  |j ¡|jj ¡}|j  ||¡}| |dk¡| ||j|j¡}| |¡}t|||ƒS)Nre)r¾rHrIrXrNrdrVrfr­rÔr«Ú private_valueÚ BN_clear_freeÚEC_KEY_set_private_keyÚ)_ec_key_set_public_key_affine_coordinatesrîrírOr")r_rÁZpublicrJrÙrRrjr´r`r`raÚ#load_elliptic_curve_private_numbersEs   z+Backend.load_elliptic_curve_private_numberscCsd| |j¡}|j |¡}| ||jjk¡|j ||jj¡}|  ||j |j ¡}|  |¡}t |||ƒS)N)rHrIrXrNrdrVrfr­rÔrUrîrírOr#)r_rÁrJrÙr´r`r`raÚ"load_elliptic_curve_public_numbers[s   z*Backend.load_elliptic_curve_public_numbersc Cst| |¡}|j |¡}| ||jjk¡|j ||jj¡}| |¡\}}|j  |¡}| ||jjk¡|j ||jj ¡}|  |¡}|j ||jj ¡}|  ¡h} |j ||||jj|jj| ¡} | | dk¡|j | ¡} |j | ¡} |||| | | ƒ} | | dk¡WdQRX|j ||¡} | | dk¡|  |¡} |j | |jj ¡} |j || ¡} | | dk¡| |¡}t|||ƒS)Nre)rHrXrNrdrVrfr­rÔÚ _ec_key_determine_group_get_funcZ EC_POINT_newZ EC_POINT_freer«rSÚ _tmp_bn_ctxZ EC_POINT_mulZ BN_CTX_getZEC_KEY_set_public_keyrTrOr")r_rRrIrJrÙÚget_funcrKZpointrÚbn_ctxrjZbn_xZbn_yZprivater´r`r`raÚ!derive_elliptic_curve_private_keyhs4          z)Backend.derive_elliptic_curve_private_keycCs| |¡ot|tjƒS)N)rLrÝr9ZECDH)r_rxrIr`r`raÚ+elliptic_curve_exchange_algorithm_supportedŽs z3Backend.elliptic_curve_exchange_algorithm_supportedcCs(| ¡}|j ||¡}| |dk¡|S)Nre)rÅrXZEVP_PKEY_set1_EC_KEYrd)r_rÙr´rjr`r`rarO”szBackend._ec_cdata_to_evp_pkeycCsNdddœ}| |j|j¡}|j | ¡¡}||jjkrJtd |j¡tj ƒ‚|S)z/ Get the NID for a curve name. Z prime192v1Z prime256v1)Z secp192r1Z secp256r1z%{0} is not a supported elliptic curve) Úgetr{rXÚ OBJ_sn2nidr}r+rr|r rP)r_rIZ curve_aliasesÚ curve_namerJr`r`rarHšs  zBackend._elliptic_curve_to_nidc csX|j ¡}| ||jjk¡|j ||jj¡}|j |¡z |VWd|j |¡XdS)N) rXZ BN_CTX_newrdrVrfr­Z BN_CTX_freeZ BN_CTX_startZ BN_CTX_end)r_r[r`r`rarY®s   zBackend._tmp_bn_ctxcCs´| ||jjk¡|j d¡}| ||jjk¡|j |¡}| ||jjk¡|j |¡}| ||jjk¡|j |¡}| ||jjk¡||kr¤|jj r¤|jj }n|jj }||fS)zu Given an EC_KEY determine the group and what function is required to get point coordinates. scharacteristic-two-field) rdrVrfrXr_r+ZEC_KEY_get0_groupZEC_GROUP_method_ofZEC_METHOD_get_field_typeZCryptography_HAS_EC2MZ$EC_POINT_get_affine_coordinates_GF2mZ#EC_POINT_get_affine_coordinates_GFp)r_ráZ nid_two_fieldrKÚmethodr,rZr`r`rarX¹s     z(Backend._ec_key_determine_group_get_funccCst|dks|dkrtdƒ‚|j | |¡|jj¡}|j | |¡|jj¡}|j |||¡}|dkrp| ¡tdƒ‚|S)zg Sets the public key point in the EC_KEY context to the affine x and y values. rz2Invalid EC key. Both x and y must be non-negative.rezInvalid EC key.)rŠrVr­r«rXr¯Z(EC_KEY_set_public_key_affine_coordinatesr›)r_rárîrírjr`r`rarUÕsz1Backend._ec_key_set_public_key_affine_coordinatescCs‚t|tjƒstdƒ‚t|tjƒs(tdƒ‚t|tjƒrFd}d}|jj}n@t|tjƒr~|j   d¡}|j }t |ƒ}|dkr†t dƒ‚nt dƒ‚|j  |¡} |tjjkrò|tjjkr¸|j j} |} n8| |j jkrÎ|j j} n| |j jkrä|j j} n|j j} |} nT|tjjkr>|tjjkr0t|tjƒs$t d ƒ‚| | |¡S|j j} |} ntd ƒ‚| ¡} | | | ||||jj|jjƒ} | | d k¡| | ¡S) Nz2format must be an item from the PrivateFormat enumzBEncryption algorithm must be a KeySerializationEncryption instanceórs aes-256-cbciÿzBPasswords longer than 1023 bytes are not supported by this backendzUnsupported encryption typezDEncryption is not supported for DER encoded traditional OpenSSL keysz/encoding must be an item from the Encoding enumre)rÝr7Z PrivateFormatrýZKeySerializationEncryptionZ NoEncryptionrVrfZBestAvailableEncryptionrXÚEVP_get_cipherbynamer/rprŠrÌÚEncodingÚPEMZPKCS8ZPEM_write_bio_PKCS8PrivateKeyrÍZPEM_write_bio_RSAPrivateKeyrÏZPEM_write_bio_DSAPrivateKeyZPEM_write_bio_ECPrivateKeyÚDERZTraditionalOpenSSLÚ"_private_key_bytes_traditional_derZi2d_PKCS8PrivateKey_biorÉrdrË)r_Úencodingr|Zencryption_algorithmr´Úcdatar/Zpasslenrˆr×Ú write_biorwrRrjr`r`raÚ_private_key_bytesésj             zBackend._private_key_bytescCsp||jjkr|jj}n0||jjkr,|jj}n| ||jjk¡|jj}| ¡}|||ƒ}| |dk¡|  |¡S)Nre) rXrÍZi2d_RSAPrivateKey_biorÒZi2d_ECPrivateKey_biordrÏZi2d_DSAPrivateKey_biorÉrË)r_r×rirjrRrjr`r`rarg:s     z*Backend._private_key_bytes_traditional_derc Csèt|tjƒstdƒ‚|tjjks,|tjjkrV|tjjk sD|tjjk rLtdƒ‚| |¡S|tjjkr†|tjj krx|j j }n|j j }|}n8|tjj kr¶|tjj kr¨|j j}n|j j}|}ntdƒ‚| ¡}|||ƒ}| |dk¡| |¡S)Nz/encoding must be an item from the Encoding enumz1OpenSSH format must be used with OpenSSH encodingz1format must be an item from the PublicFormat enumre)rÝr7rdrýZ PublicFormatÚOpenSSHrŠÚ_openssh_public_key_bytesZSubjectPublicKeyInforerXZPEM_write_bio_PUBKEYZi2d_PUBKEY_bioZPKCS1ZPEM_write_bio_RSAPublicKeyZi2d_RSAPublicKey_biorÉrdrË) r_rhr|rwr´rirjrRrjr`r`raÚ_public_key_bytesHs2             zBackend._public_key_bytescCs$t|tjƒr@| ¡}dt t d¡t |j ¡t |j ¡¡St|t j ƒrž| ¡}|j }dt t d¡t |j¡t |j¡t |j¡t |j¡¡S| ¡}y$tjdtjdtjdit|jƒ}Wntk rætdƒ‚YnXd |d t t d |¡t |¡t | ¡¡¡SdS) Nsssh-rsa sssh-rsasssh-dss sssh-dsssnistp256snistp384snistp521zZOnly SECP256R1, SECP384R1, and SECP521R1 curves are supported by the SSH public key formats ecdsa-sha2-ó )rÝr:Z RSAPublicKeyr¾Úbase64Z b64encoder7Z_ssh_write_stringZ_ssh_write_mpintrir¿r8Z DSAPublicKeyrìr¸r¹rèrír9Z SECP256R1Z SECP384R1Z SECP521R1rƒrIr„rŠZ encode_point)r_rwr¾rìr`r`r`rarmts.  , z!Backend._openssh_public_key_bytescCsÌ|tjjkrtdƒ‚|j d¡}|j ||jj||jj¡|tjj krj|d|jjkr`|jj }q¢|jj }n8|tjj krš|d|jjkr|jj }q¢|jj}ntdƒ‚| ¡}|||ƒ}| |dk¡| |¡S)Nz!OpenSSH encoding is not supportedz BIGNUM **rz/encoding must be an item from the Encoding enumre)r7rdrlrýrVrorXZ DH_get0_pqgrfreZPEM_write_bio_DHxparamsZPEM_write_bio_DHparamsrfZCryptography_i2d_DHxparams_bioZi2d_DHparams_biorÉrdrË)r_rhr|rir¹rjrRrjr`r`raÚ_parameter_bytesšs*          zBackend._parameter_bytescCs||dkrtdƒ‚|dkr tdƒ‚|j ¡}| ||jjk¡|j ||jj¡}|j ||||jj¡}| |dk¡t ||ƒS)Niz%DH key_size must be at least 512 bits)r¦ézDH generator must be 2 or 5re) rŠrXÚDH_newrdrVrfr­rÖZDH_generate_parameters_exr)r_Ú generatorr²Zdh_param_cdatarjr`r`raÚgenerate_dh_parameters¸s  zBackend.generate_dh_parameterscCs(| ¡}|j ||¡}| |dk¡|S)Nre)rÅrXZEVP_PKEY_set1_DHrd)r_rÚr´rjr`r`raÚ_dh_cdata_to_evp_pkeyÍszBackend._dh_cdata_to_evp_pkeycCs<t|j|ƒ}|j |¡}| |dk¡| |¡}t|||ƒS)Nre)rZ _dh_cdatarXZDH_generate_keyrdrvr)r_räZ dh_key_cdatarjr´r`r`raÚgenerate_dh_private_keyÓs    zBackend.generate_dh_private_keycCs| | ||¡¡S)N)rwru)r_rtr²r`r`raÚ&generate_dh_private_key_and_parametersÝsz.Backend.generate_dh_private_key_and_parametersc Cs>|jj}|j ¡}| ||jjk¡|j ||jj¡}|  |j ¡}|  |j ¡}|j dk rf|  |j ¡}n|jj}|  |jj ¡}|  |j¡}|j ||||¡} | | dk¡|j |||¡} | | dk¡|j dd¡} |j || ¡} | | dk¡| ddkr(|j dkr | d|jjAdks(tdƒ‚| |¡} t||| ƒS)Nrezint[]rr¦z.DH private numbers did not pass safety checks.)r¾rìrXrsrdrVrfr­rÖr«r¸rèr¹rírîÚ DH_set0_pqgÚ DH_set0_keyroÚCryptography_DH_checkZDH_NOT_SUITABLE_GENERATORrŠrvr) r_rÁrìrÚr¸rèr¹rérêrjÚcodesr´r`r`raÚload_dh_private_numbersás2        zBackend.load_dh_private_numbersc CsÐ|j ¡}| ||jjk¡|j ||jj¡}|j}| |j ¡}| |j ¡}|j dk rd| |j ¡}n|jj}| |j ¡}|j  ||||¡}| |dk¡|j |||jj¡}| |dk¡| |¡} t||| ƒS)Nre)rXrsrdrVrfr­rÖrìr«r¸rèr¹ríryrzrvr) r_rÁrÚrìr¸rèr¹rérjr´r`r`raÚload_dh_public_numberss       zBackend.load_dh_public_numberscCs|j ¡}| ||jjk¡|j ||jj¡}| |j¡}| |j ¡}|j dk r^| |j ¡}n|jj}|j  ||||¡}| |dk¡t ||ƒS)Nre) rXrsrdrVrfr­rÖr«r¸rèr¹ryr)r_rÁrÚr¸rèr¹rjr`r`raÚload_dh_parameter_numbers,s    z!Backend.load_dh_parameter_numberscCs´|j ¡}| ||jjk¡|j ||jj¡}| |¡}| |¡}|dk rV| |¡}n|jj}|j ||||¡}| |dk¡|j  dd¡}|j  ||¡}| |dk¡|ddkS)Nrezint[]r) rXrsrdrVrfr­rÖr«ryror{)r_r¸rèr¹rÚrjr|r`r`raÚdh_parameters_supported>s    zBackend.dh_parameters_supportedcCs |jjdkS)Nre)rXr])r_r`r`raÚdh_x942_serialization_supportedTsz'Backend.dh_x942_serialization_supportedcsxtˆ|ƒ}ˆj d¡}ˆj ||¡}ˆ |dˆjjk¡ˆj |‡fdd„¡}ˆ |dk¡ˆj |d|¡dd…S)Nzunsigned char **rcsˆj |d¡S)Nr)rXr¢)Zpointer)r_r`raÚ]rbz)Backend.x509_name_bytes..) r)rVrorXZ i2d_X509_NAMErdrfr­r•)r_r{Z x509_nameZpprjr`)r_raÚx509_name_bytesWs  zBackend.x509_name_bytescCsT| ¡}|j ||jj¡}t |dk¡|j ||t|ƒ¡}t |dk¡t||ƒS)Nre) rÅrXZEVP_PKEY_set_typeÚ NID_X25519rrdZEVP_PKEY_set1_tls_encodedpointrpr0)r_rÇr´rjr`r`raÚx25519_load_public_bytesbsz Backend.x25519_load_public_bytescCsnd}| ||¡}tj |j|jj¡}| ||jjk¡|j ||jj ¡}| |j  |¡|jj k¡t ||ƒS)Ns0.0+en" ) rÈrrXr8rRrVrfrdr­rÄrÌZEVP_PKEY_X25519r/)r_rÇZ pkcs8_prefixrRr´r`r`raÚx25519_load_private_byteslsz!Backend.x25519_load_private_bytescCs²|j |jj|jj¡}| ||jjk¡|j ||jj¡}|j |¡}| |dk¡|j  d¡}|j  ||¡}| |dk¡| |d|jjk¡|j |d|jj ¡}t ||ƒS)Nrez EVP_PKEY **r) rXZEVP_PKEY_CTX_new_idr„rVrfrdr­ZEVP_PKEY_CTX_freeZEVP_PKEY_keygen_initroZEVP_PKEY_keygenrÄr/)r_Z evp_pkey_ctxrjZ evp_ppkeyr´r`r`raÚx25519_generate_key„s   zBackend.x25519_generate_keycCs|jjS)N)rXZ#CRYPTOGRAPHY_OPENSSL_110_OR_GREATER)r_r`r`raÚx25519_supported•szBackend.x25519_supportedc CsX|j d|¡}|j |t|ƒ|t|ƒ|||tj||¡ }| |dk¡|j |¡dd…S)Nzunsigned char[]re) rVrorXZEVP_PBE_scryptrprPZ _MEM_LIMITrdr•) r_r˜r—r–r¿Úrr¸rsrjr`r`raÚ derive_scrypt˜s  zBackend.derive_scryptcCst |¡}|j |¡|jjkS)N)rZ_aead_cipher_namerXrcrVrf)r_r…Ú cipher_namer`r`raÚaead_cipher_supported¡s zBackend.aead_cipher_supported)N)N)oÚ__name__Ú __module__Ú __qualname__Ú__doc__r{rbrdrkÚ contextlibrrlr[rtrurvryr~r€rr‚r‰rrZr’r“r”ršr›r¤r«rµr·rÂrÃrÅr°rÈrÉrËrÛrÜrÞrßrârårærërïrñròrãrórôrör÷rrrrrr&rr-r0r4r5r7r6r9r:r;r<r=r>r?r@r.r2rLrMrQrVrWr\r]rOrHrYrXrUrkrgrnrmrqrurvrwrxr}r~rr€rrƒr…r†r‡rˆrŠrŒr`r`r`rarSGsÔ      9 "    K\ V       3-  & Q,& 0    rSc@seZdZdd„Zdd„ZdS)rŽcCs ||_dS)N)Ú_fmt)r_Zfmtr`r`rarb©szGetCipherByName.__init__cCs&|jj||d ¡}|j | d¡¡S)N)r…r†rn)r’r|ÚlowerrXrcr})r_rr…r†r‹r`r`raÚ__call__¬szGetCipherByName.__call__N)rrŽrrbr”r`r`r`rarŽ¨srŽcCs"d |jd¡}|j | d¡¡S)Nz aes-{0}-xtsr¦rn)r|r²rXrcr})rr…r†r‹r`r`rar‘±sr‘)yZ __future__rrrrprÚ collectionsr‘rrržZ cryptographyrrZcryptography.exceptionsrr Z'cryptography.hazmat.backends.interfacesr r r r rrrrrrrrrZ$cryptography.hazmat.backends.opensslrZ,cryptography.hazmat.backends.openssl.ciphersrZ)cryptography.hazmat.backends.openssl.cmacrZ0cryptography.hazmat.backends.openssl.decode_asn1rZ'cryptography.hazmat.backends.openssl.dhrrrrZ(cryptography.hazmat.backends.openssl.dsarr r!Z'cryptography.hazmat.backends.openssl.ecr"r#Z0cryptography.hazmat.backends.openssl.encode_asn1r$r%r&r'r(r)r*Z+cryptography.hazmat.backends.openssl.hashesr+Z)cryptography.hazmat.backends.openssl.hmacr,Z(cryptography.hazmat.backends.openssl.rsar-r.Z+cryptography.hazmat.backends.openssl.x25519r/r0Z)cryptography.hazmat.backends.openssl.x509r1r2r3r4Z$cryptography.hazmat.bindings.opensslr5Zcryptography.hazmat.primitivesr6r7Z)cryptography.hazmat.primitives.asymmetricr8r9r:Z1cryptography.hazmat.primitives.asymmetric.paddingr;r<r=r>Z1cryptography.hazmat.primitives.ciphers.algorithmsr?r@rArBrCrDrErFrGZ,cryptography.hazmat.primitives.ciphers.modesrHrIrJrKrLrMrNrOZ"cryptography.hazmat.primitives.kdfrPÚ namedtuplerQZregister_interfaceZregister_interface_ifrTrWZCryptography_HAS_SCRYPTÚobjectrSrŽr‘rr`r`r`raÚs~ <    $   ,(  `