o c7@sddlZddlZddlZddlZddlZddlmZddlmZmZddl m Z m Z ddl m Z ddlmZddlmZddlmZmZmZmZdd lmZmZmZdd lmZmZdd lmZm Z dd l!m"Z"m#Z#m$Z$dd l%m&Z&ddl'm(Z(ddl)m*Z*m+Z+ddl,m-Z-m.Z.ddl/m0Z0m1Z1ddl2m3Z3m4Z4ddl5mZ6ddl7m8Z8ddl9m:Z:m;Z;ddlm?Z?m@Z@mAZAmBZBmCZCmDZDmEZEmFZFddlGmHZHmIZImJZJmKZKddlLmMZMmNZNmOZOddlPmQZQmRZRddlSmTZTmUZUmVZVmWZWmXZXmYZYmZZZm[Z[m\Z\m]Z]m^Z^m_Z_ddl`maZambZbmcZcmdZdmeZemfZfmgZgmhZhmiZiddljmkZkddllmmZmmnZnddlompZpmqZqmrZrmsZsmtZteud d!d"gZvGd#d$d$ZwGd%d&d&ZxGd'd(d(Zyd)exd*eTfd+d,ZzexZ{dS)-N)contextmanager)utilsx509)UnsupportedAlgorithm_Reasons)aead)_CipherContext _CMACContext) _DHParameters _DHPrivateKey _DHPublicKey_dh_params_dup)_DSAParameters_DSAPrivateKey _DSAPublicKey)_EllipticCurvePrivateKey_EllipticCurvePublicKey)_Ed25519PrivateKey_Ed25519PublicKey)_ED448_KEY_SIZE_Ed448PrivateKey_Ed448PublicKey _HashContext _HMACContext)_POLY1305_KEY_SIZE_Poly1305Context)_RSAPrivateKey _RSAPublicKey)_X25519PrivateKey_X25519PublicKey)_X448PrivateKey_X448PublicKey)r)binding)hashes serialization)AsymmetricPadding)dhdsaeced25519ed448rsax25519x448)MGF1OAEPPKCS1v15PSS)#CERTIFICATE_ISSUER_PUBLIC_KEY_TYPESPRIVATE_KEY_TYPESPUBLIC_KEY_TYPES)BlockCipherAlgorithmCipherAlgorithm) AESAES128AES256ARC4CamelliaChaCha20SM4 TripleDES_BlowfishInternal_CAST5Internal _IDEAInternal _SEEDInternal) CBCCFBCFB8CTRECBGCMModeOFBXTS)scrypt)pkcs7ssh)PBESPKCS12CertificatePKCS12KeyAndCertificates_ALLOWED_PKCS12_TYPES_PKCS12_CAS_TYPES _MemoryBIObioZchar_ptrc@s eZdZdS)_RC2N)__name__ __module__ __qualname__r]r]Pusr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/backend.pyrYsrYc@s@ eZdZdZdZhdZefZej ej ej ej ej ejejejejejejejf ZejejejejfZdZdZdd>ZdZde>Z ddZ!d e"fd d Z# dEd e$de%j&e%j'e(j)d d fddZ*d e$fddZ+dFddZ,dFddZ-e.j/ddZ0dFddZ1d e"fddZ2d e"fddZ3d e4fdd Z5d!e6d"ej7d e8fd#d$Z9d"ej7fd%d&Z:d"ej7fd'd(Z;d"ej7d e$fd)d*Zd"ej7d e$fd/d0Z?d"ej7d ej@fd1d2ZAd3eBd4eCd e$fd5d6ZDd7d8ZEdFd9d:ZFd3eBd4eCd eGfd;d<ZHd3eBd4eCd eGfd=d>ZId"ej7d e$fd?d@ZJd"ej7dAe4dBe6dCe4dDe6d e6f dEdFZKd e%j'e(j)fdGdHZLd e%j'e(jMfdIdJZNd e4fdKdLZOdEdMe4fdNdOZPdPe4dQe4d eQjRfdRdSZSdPe4dQe4d e$fdTdUZTdVeQjUd eQjRfdWdXZVdVeQjWd eQjXfdYdZZYd[d\ZZd]d^Z[d_e6fd`daZ\dbdcZ]d e6fdddeZ^d e_fdfdgZ`d eafdhdiZbd"ej7d e$fdjdkZcdledd e$fdmdnZedQe4d efjgfdodpZhdqefjgd efjifdrdsZjdQe4d efjifdtduZkdvdwZldVefjmd efjifdxdyZndVefjod efjpfdzd{ZqdVefjrd efjgfd|d}Zsd~dZtd e$fddZud"ej7d e$fddZvd e$fddZwd"exd eyfddZzd_e6de%j&e6d e_fddZ{d_e6d eafddZ|d_e6d e}j~fddZd_e6de%j&e6d e_fddZddZd_e6d eafddZd_e6d e}j~fddZdejd e%jfddZde%jd ejfddZdejd e%jfddZde%jd ejfddZdejd e%jfddZde%jd ejfddZdejded e$fddZdejd e$fddZddZddZd e%jfddZdejd e$fddZdejdejd e$fddZdejd ejfddZdVejd ejfddZdVejd ejfddZdejde6d ejfdd„Zde4dejd ejfddńZdejfddDŽZde4fddʄZd"ejdejd e$fdd̄Zdd΄Zdejd e4fddЄZe/dd҄ZddԄZde4de4fdd؄Zdejdejdejd e6fdd݄Zdd߄ZddZdejdejd e6fddZd e$fddZde4dQe4d e}j~fddZddZdqe}j~d e}jfddZde4dQe4d e}jfddZdVe}jd e}jfddZdVe}jd e}jfddZdVe}jd e}j~fddZ dEde4de4de%j&e4d e$fddZd e$fddZd_e6d ejfddZd_e6d ejfddZȐddZd ejfddZd e$fddZd_e6d ejfddZd_e6d ejfdd Zd ejfd d Zd e$fd d Zd e$fddZd_e6d ejfddZd_e6d ejfddZd ejfddZd e$fddZd_e6d ejfddZd_e6d ejfddZd ejfddZdDe6dBe6dAe4de4de4de4d e6fd d!Zd e$fd"d#Ze.j/dAe4d e%jefd$d%ZdAe4d d fd&d'Ze.j/d(d)Zd_e6de%j&e6d e%je%j&e_e%j&eje%j'ejffd*d+Zd_e6de%j&e6d efd,d-Zd.e%j&e6d!e%j&ede%j&ejd/e%j&e%j'edejd e6f d0d1Zd e$fd2d3Zd!e6d efd4d5Zd e$fd6d7Zd_e6d e%j'ejfd8d9Zd_e6d e%j'ejfd:d;Zd<d=Zd>e%j'ejdejfd?d@ZdAejdejdBe%j'ejd e6fdCdDZd S(GBackendz) OpenSSL API binding interfaces. openssl>s aes-256-ccms aes-192-gcms aes-128-ccms aes-128-gcms aes-192-ccms aes-256-gcmicCst|_|jj|_|jj|_d|_||_ i|_ | |j r,|jj r,t dtn||jjg|_|jjrD|j|jjdSdS)NFz)formatopenssl_version_textrkrvr]r]r^__repr__s zBackend.__repr__NokerrorscCstj|j||dS)N)r~)r%Z_openssl_assertrh)rwr}r~r]r]r^openssl_assertszBackend.openssl_assertcCsH|jjr |j|jj}n t|jddd}|dkr |jt|S)NZ FIPS_modecSsdSNrr]r]r]r]r^sz*Backend._is_fips_enabled..r)rhZCryptography_HAS_300_FIPSZ&EVP_default_properties_is_fips_enabledrfNULLgetattrZERR_clear_errorbool)rwmoder]r]r^rjs zBackend._is_fips_enabledcCs$|j|s J||_dSN)rd _enable_fipsrjrkrvr]r]r^rs  zBackend._enable_fipscCsn|jjr3|j}||jjkr5|j||j|jj}||dk|j|}||dkdSdSdSNrb) rhrnZENGINE_get_default_RANDrfrZENGINE_unregister_RANDRAND_set_rand_methodr ENGINE_finishrweresr]r]r^activate_builtin_randoms    zBackend.activate_builtin_randomc cs|j|jj}|||jjk|j|}||dkz |VW|j|}||dk|j|}||dkdS|j|}||dk|j|}||dkwr) rhZ ENGINE_by_idZCryptography_osrandom_engine_idrrfrZ ENGINE_initZ ENGINE_freerrr]r]r^_get_osurandom_engines     zBackend._get_osurandom_enginecCsx|jjr:||}|j|}||dkWdn1s$wY|j|jj}||dkdSdSr) rhrnrrZENGINE_set_default_RANDrrrfrrr]r]r^rrs  z Backend.activate_osrandom_enginec Cst|jdd}|}|j|dt|||jjd}||dkWdn1s,wY|j| dS)Nchar[]@sget_implementationrascii) rfnewrrhZENGINE_ctrl_cmdlenrrstringdecode)rwbufrrr]r]r^osrandom_engine_implementations z&Backend.osrandom_engine_implementationcCs|j|j|jjdS)z Friendly string name of the loaded OpenSSL library. This is not necessarily the same version as it was compiled against. Example: OpenSSL 1.1.1d 10 Sep 2019 r)rfrrhZOpenSSL_versionZOPENSSL_VERSIONrrvr]r]r^r{#s zBackend.openssl_version_textcCs |jSr)rhZOpenSSL_version_numrvr]r]r^openssl_version_number. zBackend.openssl_version_numberkey algorithmcCs t|||Srr)rwrrr]r]r^create_hmac_ctx1 zBackend.create_hmac_ctxcCsL|jdks |jdkrd|j|jdd}n|jd}|j|}|S)NZblake2bZblake2sz{}{}r)namerz digest_sizeencoderhZEVP_get_digestbyname)rwrZalgevp_mdr]r]r^_evp_md_from_algorithm6s   zBackend._evp_md_from_algorithmcCs ||}|||jjk|Sr)rrrfrrwrrr]r]r^_evp_md_non_null_from_algorithmAs z'Backend._evp_md_non_null_from_algorithmcCs,|jr t||js dS||}||jjkSNF)rk isinstance _fips_hashesrrfrrr]r]r^hash_supportedFs  zBackend.hash_supportedcC |jr t|tjr dS||Srrkrr&SHA1rrwrr]r]r^signature_hash_supportedMs z Backend.signature_hash_supportedcC|jrdS|jjdkSNFrb)rkrhZCryptography_HAS_SCRYPTrvr]r]r^scrypt_supportedVs zBackend.scrypt_supportedcCr)NTrrr]r]r^hmac_supported\s zBackend.hmac_supportedcC t||Srrrr]r]r^create_hash_ctxcs zBackend.create_hash_ctxcipherrcCs^|jr t||js dSz |jt|t|f}Wn ty"YdSw||||}|jj|kSr)rkr _fips_ciphersrltypeKeyErrorrfr)rwrradapter evp_cipherr]r]r^cipher_supportedhs    zBackend.cipher_supportedcCs0||f|jvrtd||||j||f<dS)Nz"Duplicate registration for: {} {}.)rl ValueErrorrz)rw cipher_clsmode_clsrr]r]r^register_cipher_adaptervszBackend.register_cipher_adaptercCstttfD]}ttttttt fD] }| ||t dqqtttttfD] }| t |t dq$ttttfD] }| t |t dq6| t tt dttttfD] }| t|t dqQttttfD] }| t|t dqctttgttttgD] \}}| ||t dq{| ttdt d| ttdt d| ttdt d | ttttttttfD] }| t|t d qdS) Nz+{cipher.name}-{cipher.key_size}-{mode.name}zdes-ede3-{mode.name}zdes-ede3zbf-{mode.name}zseed-{mode.name}z{cipher.name}-{mode.name}Zrc4Zrc2Zchacha20zsm4-{mode.name})r:r;r<rFrIrJrMrGrHrKrGetCipherByNamer>rArBrE itertoolsproductrCrDr=rrYr?rN_get_xts_cipherr@)rwrrr]r]r^rmsf       z!Backend._register_default_cipherscCt|||tjSr)rZ_ENCRYPTrwrrr]r]r^create_symmetric_encryption_ctxz'Backend.create_symmetric_encryption_ctxcCrr)rZ_DECRYPTrr]r]r^create_symmetric_decryption_ctxrz'Backend.create_symmetric_decryption_ctxcCs ||Sr)rrr]r]r^pbkdf2_hmac_supportedrzBackend.pbkdf2_hmac_supportedlengthsalt iterations key_materialc Csh|jd|}||}|j|}|j|t||t|||||} || dk|j|ddS)Nunsigned char[]rb) rfrr from_bufferrhZPKCS5_PBKDF2_HMACrrbuffer) rwrrrrrrrkey_material_ptrrr]r]r^derive_pbkdf2_hmacs   zBackend.derive_pbkdf2_hmaccC t|jSr)r%_consume_errorsrhrvr]r]r^r zBackend._consume_errorscCrr)r%_consume_errors_with_textrhrvr]r]r^rrz!Backend._consume_errors_with_textcCsz||jjksJ||j| |j|}|jd|}|j||}||dkt |j |d|d}|S)Nrrbig) rfrrrhZBN_is_negativeZ BN_num_bytesrZ BN_bn2binint from_bytesr)rwbnZ bn_num_bytesZbin_ptrZbin_lenvalr]r]r^ _bn_to_ints zBackend._bn_to_intnumcCsn|dus ||jjks J|dur|jj}|t|ddd}|j|t||}|||jjk|S)a  Converts a python integer to a BIGNUM. The returned BIGNUM will not be garbage collected (to support adding them to structs that take ownership of the object). Be sure to register it for GC if it will be discarded after use. Ng @rbr) rfrto_bytesr bit_lengthrhZ BN_bin2bnrr)rwrrbinaryZbn_ptrr]r]r^ _int_to_bnszBackend._int_to_bnpublic_exponentkey_sizecCst|||j}|||jjk|j||jj}| |}|j||jj }|j ||||jj}||dk| |}t ||||jSr)r.Z_verify_rsa_parametersrhRSA_newrrfrgcRSA_freerBN_freeZRSA_generate_key_ex_rsa_cdata_to_evp_pkeyrri)rwrr rsa_cdatarrevp_pkeyr]r]r^generate_rsa_private_keys      z Backend.generate_rsa_private_keycCs|dko |d@dko |dkS)Nrbrir])rwrrr]r]r^!generate_rsa_parameters_supporteds  z)Backend.generate_rsa_parameters_supportednumbersc Cs6t|j|j|j|j|j|j|jj |jj |j }| ||jjk|j||j j}||j}||j}||j}||j}||j}||j}||jj } ||jj } |j |||} | | dk|j || | |} | | dk|j ||||} | | dk||} t||| |jSr)r.Z_check_private_key_componentspqddmp1dmq1iqmppublic_numbersrnrhrrrfrrrrZRSA_set0_factors RSA_set0_keyZRSA_set0_crt_paramsrrri) rwrrrrrrrrrrrrr]r]r^load_rsa_private_numberss>         z Backend.load_rsa_private_numberscCst|j|j|j}|||jjk|j ||jj }| |j}| |j}|j ||||jj}||dk| |}t|||Sr)r.Z_check_public_key_componentsrrrhrrrfrrrrrrr )rwrrrrrrr]r]r^load_rsa_public_numbers@s     zBackend.load_rsa_public_numberscCs2|j}|||jjk|j||jj}|Sr)rhZ EVP_PKEY_newrrfrr EVP_PKEY_freerwrr]r]r^_create_evp_pkey_gcOs zBackend._create_evp_pkey_gccC(|}|j||}||dk|Sr)rrhZEVP_PKEY_set1_RSAr)rwrrrr]r]r^rUzBackend._rsa_cdata_to_evp_pkeydatacCsH|j|}|j|t|}|||jjkt|j||jj |S)z Return a _MemoryBIO namedtuple of (BIO, char*). The char* is the storage for the BIO and it must stay alive until the BIO is finished with. ) rfrrhZBIO_new_mem_bufrrrrWrBIO_free)rwrdata_ptrrXr]r]r^ _bytes_to_bio[s zBackend._bytes_to_biocCsP|j}|||jjk|j|}|||jjk|j||jj}|S)z. Creates an empty memory BIO. )rhZ BIO_s_memrrfrZBIO_newrr)rwZ bio_methodrXr]r]r^_create_mem_bio_gchs  zBackend._create_mem_bio_gccCs\|jd}|j||}||dk||d|jjk|j|d|dd}|S)zE Reads a memory BIO. This only works on memory BIOs. zchar **rN)rfrrhZBIO_get_mem_datarrr)rwrXrZbuf_lenbio_datar]r]r^ _read_mem_bioss zBackend._read_mem_bioc Cs6|j|}||jjkr,|j|}|||jjk|j||jj}t ||||j S||jj krr|jj sr|jj sr|jjsr|j|}|||jjk|j||jj}|}|j||}||dk|j||ddS||jjkr|j|}|||jjk|j||jj}t|||S||jjkr|j|}|||jjk|j||jj}t|||S||jvr|j|}|||jjk|j||jj}t|||S|t|jddkrt ||S|t|jddkrt!||S|t|jddkrt"||S|t|jddkrt#||St$d) zd Return the appropriate type of PrivateKey given an evp_pkey cdata pointer. rbN)passwordEVP_PKEY_ED25519 EVP_PKEY_X448EVP_PKEY_X25519EVP_PKEY_ED448Unsupported key type.)%rh EVP_PKEY_id EVP_PKEY_RSAEVP_PKEY_get1_RSArrfrrrrriEVP_PKEY_RSA_PSSCRYPTOGRAPHY_IS_LIBRESSLCRYPTOGRAPHY_IS_BORINGSSL#CRYPTOGRAPHY_OPENSSL_LESS_THAN_111Eri2d_RSAPrivateKey_bioload_der_private_keyr EVP_PKEY_DSAEVP_PKEY_get1_DSADSA_freer EVP_PKEY_ECEVP_PKEY_get1_EC_KEY EC_KEY_freerrsEVP_PKEY_get1_DHDH_freer rrr#r!rr) rwrkey_typerrXr dsa_cdataec_cdatadh_cdatar]r]r^_evp_pkey_to_private_key~s`                    z Backend._evp_pkey_to_private_keyc Cs:|j|}||jjkr*|j|}|||jjk|j||jj}t |||S||jj krn|jj sn|jj sn|jj sn|j|}|||jjk|j||jj}|}|j||}||dk|||S||jjkr|j|}|||jjk|j||jj}t|||S||jjkr|j|}||jjkr|}td||j||jj}t|||S||jvr|j|} || |jjk|j| |jj} t|| |S|t |jddkrt!||S|t |jddkrt"||S|t |jddkr t#||S|t |jddkrt$||St%d) zc Return the appropriate type of PublicKey given an evp_pkey cdata pointer. rbzUnable to load EC keyrNr r r r )&rhr rrrrfrrrr rrrrri2d_RSAPublicKey_bioload_der_public_keyrrrrrrrrrrrrsrrr rrr$r"rr) rwrrrrXrrr r~r!r]r]r^_evp_pkey_to_public_keys\                     zBackend._evp_pkey_to_public_keycCst|tjtjtjtjtjfSr)rr&rSHA224SHA256SHA384SHA512rr]r]r^_oaep_hash_supportedszBackend._oaep_hash_supportedpaddingcCst|trdSt|tr&t|jtr&|jrt|jjtjrdS| |jjSt|t r>t|jtr>| |jjo=| |jSdS)NTF) rr3r4Z_mgfr1rkZ _algorithmr&rrr2r*)rwr+r]r]r^rsa_padding_supporteds   zBackend.rsa_padding_supportedc Cs~|dvrtd|j}|||jjk|j||jj}|j|||jjd|jj|jj|jj}||dkt ||S)N)irai iz0Key size must be 1024, 2048, 3072, or 4096 bits.rrb) rrhDSA_newrrfrrrZDSA_generate_parameters_exr)rwrctxrr]r]r^generate_dsa_parameterss$  zBackend.generate_dsa_parameters parameterscCsT|j|j}|||jjk|j||jj}|j|| |}t |||Sr) rhZ DSAparams_dupZ _dsa_cdatarrfrrrZDSA_generate_key_dsa_cdata_to_evp_pkeyr)rwr0r.rr]r]r^generate_dsa_private_key/s   z Backend.generate_dsa_private_keycC||}||Sr)r/r2)rwrr0r]r]r^'generate_dsa_private_key_and_parameters<s  z/Backend.generate_dsa_private_key_and_parameterscCsB|j||||}||dk|j|||}||dkdSr)rh DSA_set0_pqgrZ DSA_set0_key)rwrrrgpub_keypriv_keyrr]r]r^_dsa_cdata_set_valuesBszBackend._dsa_cdata_set_valuesc Cst||jj}|j}|||jjk|j ||jj }| |j }| |j }| |j}| |jj}| |j}|||||||||} t||| Sr)r*Z_check_dsa_private_numbersrparameter_numbersrhr-rrfrrrrrrr6yxr9r1r) rwrr:rrrr6r7r8rr]r]r^load_dsa_private_numbersHs        z Backend.load_dsa_private_numbersc Cst|j|j}|||jjk|j||jj }| |jj }| |jj }| |jj }| |j}|jj}|||||||||}t|||Sr)r*_check_dsa_parametersr:rhr-rrfrrrrrrr6r;r9r1r) rwrrrrr6r7r8rr]r]r^load_dsa_public_numbers]s     zBackend.load_dsa_public_numberscCst||j}|||jjk|j||jj}| |j }| |j }| |j }|j ||||}||dkt||Sr)r*r>rhr-rrfrrrrrrr6r5r)rwrrrrr6rr]r]r^load_dsa_parameter_numbersps      z"Backend.load_dsa_parameter_numberscCrr)rrhZEVP_PKEY_set1_DSAr)rwrrrr]r]r^r1rzBackend._dsa_cdata_to_evp_pkeycCs|j Sr)rkrvr]r]r^ dsa_supportedszBackend.dsa_supportedcCs|sdS||Sr)rArrr]r]r^dsa_hash_supporteds zBackend.dsa_hash_supportedcCs||td|jS)N)rrF block_sizerr]r]r^cmac_algorithm_supportedsz Backend.cmac_algorithm_supportedcCrrr rr]r]r^create_cmac_ctxrzBackend.create_cmac_ctxrcCs||jj|j||Sr) _load_keyrhZPEM_read_bio_PrivateKeyr")rwrrr]r]r^load_pem_private_keys zBackend.load_pem_private_keycCs||}|jd}|j|j|jj|j|jjd|}||jjkr2|j ||jj }| |S| |j |j}||dk|j|j|jj|j|jjd|}||jjkrq|j ||jj}||}t|||S|dS)NCRYPTOGRAPHY_PASSWORD_DATA *Cryptography_pem_password_cbrb)rrfrrhZPEM_read_bio_PUBKEYrXr addressof _original_librrr%r BIO_resetrZPEM_read_bio_RSAPublicKeyrrr _handle_key_loading_error)rwrmem_biouserdatarrrr]r]r^load_pem_public_keys:        zBackend.load_pem_public_keycCs^||}|j|j|jj|jj|jj}||jjkr)|j||jj}t||S| dSr) rrhZPEM_read_bio_DHparamsrXrfrrrr rN)rwrrOr!r]r]r^load_pem_parameterss    zBackend.load_pem_parameterscCs:||}|||}|r||S||jj|j||Sr)r"_evp_pkey_from_der_traditional_keyr"rGrhZd2i_PKCS8PrivateKey_bio)rwrrrrr]r]r^rs   zBackend.load_der_private_keycCsZ|j|j|jj}||jjkr'||j||jj}|dur%td|S|dS)N4Password was given but private key is not encrypted.) rhd2i_PrivateKey_biorXrfrrrr TypeError)rwrrrr]r]r^rSs z*Backend._evp_pkey_from_der_traditional_keycCs||}|j|j|jj}||jjkr#|j||jj}||S| |j |j}| |dk|j |j|jj}||jjkrY|j||jj }||}t|||S|dSr)rrhZd2i_PUBKEY_biorXrfrrrr%rrMrZd2i_RSAPublicKey_biorrr rN)rwrrOrrrr]r]r^r$s        zBackend.load_der_public_keycCs||}|j|j|jj}||jjkr#|j||jj}t||S|jj rW| |j |j}| |dk|j |j|jj}||jjkrW|j||jj}t||S|dSr)rrhZd2i_DHparams_biorXrfrrrr rtrrMrZCryptography_d2i_DHxparams_biorN)rwrrOr!rr]r]r^load_der_parameterss       zBackend.load_der_parameterscertcCT|tjj}||}|j|j|jj }| ||jj k|j ||jj }|Sr) public_bytesr'EncodingDERrrhZ d2i_X509_biorXrfrrr X509_free)rwrXrrOrr]r]r^ _cert2ossl)  zBackend._cert2osslrcC4|}|j||}||dkt||Sr)rrhZ i2d_X509_bior rust_x509Zload_der_x509_certificater)rwrrXrr]r]r^ _ossl2cert1szBackend._ossl2certcsrcCrYr) rZr'r[r\rrhZd2i_X509_REQ_biorXrfrrrZ X509_REQ_free)rwrcrrOx509_reqr]r]r^ _csr2ossl7r_zBackend._csr2osslrdcCr`r)rrhZi2d_X509_REQ_biorraZload_der_x509_csrr)rwrdrXrr]r]r^ _ossl2csr?zBackend._ossl2csrcrlcCrYr) rZr'r[r\rrhZd2i_X509_CRL_biorXrfrrrZ X509_CRL_free)rwrhrrOx509_crlr]r]r^ _crl2osslGr_zBackend._crl2osslricCr`r)rrhZi2d_X509_CRL_biorraZload_der_x509_crlr)rwrirXrr]r]r^ _ossl2crlOrgzBackend._ossl2crl public_keycCsJt|tttfs td||}|j||j}|dkr#| dSdS)NzGExpecting one of DSAPublicKey, RSAPublicKey, or EllipticCurvePublicKey.rbFT) rrr rrVrjrhZX509_CRL_verify _evp_pkeyr)rwrhrlrirr]r]r^_crl_is_signature_validWs  zBackend._crl_is_signature_validcCs`||}|j|}|||jjk|j||jj}|j||}|dkr.| dSdS)NrbFT) rerhZX509_REQ_get_pubkeyrrfrrrZX509_REQ_verifyr)rwrcrdZpkeyrr]r]r^_csr_is_signature_validqs  zBackend._csr_is_signature_validcCs"|j|j|jdkrtddS)NrbzKeys do not correspond)rhZ EVP_PKEY_cmprmr)rwkey1key2r]r]r^_check_keys_correspondszBackend._check_keys_correspondc Cs||}|jd}|dur#td||j|}||_t||_||j |jj |j |j j d|}||jj kra|jdkr]||jdkrLtd|jdksSJtd|jd |||j||j j}|dur{|jdkr{td |dur|jd ks|dusJ||S) NrIrrJrz3Password was not given but private key is encryptedzAPasswords longer than {} bytes are not supported by this backend.rbrT)rrfrr_check_byteslikerrrrrXrrKrhrLerrorrrVrrzmaxsizerNrrcalled) rwZopenssl_read_funcZ convert_funcrrrOrPZ password_ptrrr]r]r^rGsJ         zBackend._load_keycs}|s td|djjjjs2|djjjjs2jjr6|djj jj r6tdt fdd|DrEtdt |}td|)Nz|Could not deserialize key data. The data may be in an incorrect format or it may be encrypted with an unsupported algorithm.rz Bad decrypt. Incorrect password?c3s$|] }|jjjjVqdSr)_lib_reason_matchrh ERR_LIB_EVPZ'EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM).0rvrvr]r^ s z4Backend._handle_key_loading_error..z!Unsupported public key algorithm.zCould not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).)rrryrhrzZEVP_R_BAD_DECRYPTZERR_LIB_PKCS12Z!PKCS12_R_PKCS12_CIPHERFINAL_ERRORZCryptography_HAS_PROVIDERSZ ERR_LIB_PROVZPROV_R_BAD_DECRYPTanyr%Z_errors_with_text)rwr~Zerrors_with_textr]rvr^rNs>     z!Backend._handle_key_loading_errorcurvecCspz||}Wn ty|jj}Ynw|j|}||jjkr'|dS|||jjk|j |dS)NFT) _elliptic_curve_to_nidrrh NID_undefZEC_GROUP_new_by_curve_namerfrrrZ EC_GROUP_free)rwr~ curve_nidgroupr]r]r^elliptic_curve_supporteds     z Backend.elliptic_curve_supportedsignature_algorithmcCst|tjsdS||Sr)rr+ZECDSAr)rwrr~r]r]r^,elliptic_curve_signature_algorithm_supporteds  z4Backend.elliptic_curve_signature_algorithm_supportedcCsX||r"||}|j|}||dk||}t|||Std|j t j )z@ Generate a new private key on the named curve. rbz#Backend object does not support {}.) r_ec_key_new_by_curverhZEC_KEY_generate_keyr_ec_cdata_to_evp_pkeyrrrzrrUNSUPPORTED_ELLIPTIC_CURVE)rwr~r rrr]r]r^#generate_elliptic_curve_private_keys      z+Backend.generate_elliptic_curve_private_keycCsz|j}||j}|j||j|jj}|j ||}|dkr)| t d| ||j |j||}t|||S)NrbInvalid EC key.)rrr~rfrr private_valuerh BN_clear_freeEC_KEY_set_private_keyrr)_ec_key_set_public_key_affine_coordinatesr<r;rr)rwrpublicr rrrr]r]r^#load_elliptic_curve_private_numberss    z+Backend.load_elliptic_curve_private_numberscCs4||j}|||j|j||}t|||Sr)rr~rr<r;rr)rwrr rr]r]r^"load_elliptic_curve_public_numbers0s    z*Backend.load_elliptic_curve_public_numbers point_bytesc Cs||}|j|}|||jjk|j|}|||jjk|j||jj}| }|j |||t ||}|dkrI| t dWdn1sSwY|j||}||dk||}t|||S)Nrbz(Invalid public bytes for the given curve)rrhEC_KEY_get0_grouprrfr EC_POINT_newr EC_POINT_free _tmp_bn_ctxZEC_POINT_oct2pointrrrEC_KEY_set_public_keyrr) rwr~rr rpointbn_ctxrrr]r]r^ load_elliptic_curve_public_bytes;s&      z(Backend.load_elliptic_curve_public_bytesrc Csb||}||\}}|j|}|||jjk|j||jj}| |}|j||jj }| >}|j ||||jj|jj|} || dk|j |} |j |} |||| | |} | dkrm|tdWdn1swwY|j||} || dk| |} |j| |jj } |j|| } || dk||} t||| S)Nrbz'Unable to derive key from private_value)r _ec_key_determine_group_get_funcrhrrrfrrrrrrZ EC_POINT_mulZ BN_CTX_getrrrrrr)rwrr~r get_funcrrvaluerrZbn_xZbn_yZprivaterr]r]r^!derive_elliptic_curve_private_keyQs8         z)Backend.derive_elliptic_curve_private_keycCr3r)r_ec_key_new_by_curve_nid)rwr~rr]r]r^rxs  zBackend._ec_key_new_by_curvercCs0|j|}|||jjk|j||jjSr)rhZEC_KEY_new_by_curve_namerrfrrr)rwrr r]r]r^r|s z Backend._ec_key_new_by_curve_nidcCs,|jr t||js dS||ot|tjSr)rkr_fips_ecdh_curvesrr+ECDH)rwrr~r]r]r^+elliptic_curve_exchange_algorithm_supporteds z3Backend.elliptic_curve_exchange_algorithm_supportedcCrr)rrhZEVP_PKEY_set1_EC_KEYr)rwr rrr]r]r^rrzBackend._ec_cdata_to_evp_pkeycCsNddd}||j|j}|j|}||jjkr%td|jtj |S)z/ Get the NID for a curve name. Z prime192v1Z prime256v1)Z secp192r1Z secp256r1z${} is not a supported elliptic curve) getrrh OBJ_sn2nidrrrrzrr)rwr~Z curve_aliasesZ curve_namerr]r]r^rs   zBackend._elliptic_curve_to_nidc csd|j}|||jjk|j||jj}|j|z |VW|j|dS|j|wr) rhZ BN_CTX_newrrfrrZ BN_CTX_freeZ BN_CTX_startZ BN_CTX_end)rwrr]r]r^rs  zBackend._tmp_bn_ctxcCs|||jjk|jd}|||jjk|j|}|||jjk|j|}|||jjk|j|}|||jjk||krR|jj rR|jj }n|jj }|sZJ||fS)zu Given an EC_KEY determine the group and what function is required to get point coordinates. scharacteristic-two-field) rrfrrhrrrZEC_GROUP_method_ofZEC_METHOD_get_field_typeZCryptography_HAS_EC2MZ$EC_POINT_get_affine_coordinates_GF2mZ#EC_POINT_get_affine_coordinates_GFp)rwr.Z nid_two_fieldrmethodnidrr]r]r^rs     z(Backend._ec_key_determine_group_get_funcr<r;cCst|dks|dkr td|j|||jj}|j|||jj}|j|||}|dkr8|tddS)zg Sets the public key point in the EC_KEY context to the affine x and y values. rz2Invalid EC key. Both x and y must be non-negative.rbrN)rrfrrrhrZ(EC_KEY_set_public_key_affine_coordinatesr)rwr.r<r;rr]r]r^rsz1Backend._ec_key_set_public_key_affine_coordinatesencodingrzencryption_algorithmc CsNt|tjs tdt|tjstdt|tjstdt|tjr'd}n4t|tjr;|j}t |dkr:t dn t|tj rW|j |urNtjj urWnt d|j}nt d|tjjur|tjjurl|jj}n|tjjurw|jj}nt d||||S|tjjur |jrt|tjst d |j|} |tjjur| |jjkr|jj}n| |jjkr|jj}n| |jjkr|jj}nt d ||||S|tjjur|rt d | |jjkr|jj}n| |jjkr|jj}n| |jjkr|jj }nt d |!||St d |tjj ur#|tjjurt"#|||St d t d)N/encoding must be an item from the Encoding enumz2format must be an item from the PrivateFormat enumzBEncryption algorithm must be a KeySerializationEncryption instanceizBPasswords longer than 1023 bytes are not supported by this backendzUnsupported encryption typezUnsupported encoding for PKCS8zCEncrypted traditional OpenSSL format is not supported in FIPS mode.z+Unsupported key type for TraditionalOpenSSLzDEncryption is not supported for DER encoded traditional OpenSSL keysz+Unsupported encoding for TraditionalOpenSSLz=OpenSSH private key format can only be used with PEM encodingformat is invalid with this key)$rr'r[rV PrivateFormatKeySerializationEncryption NoEncryptionBestAvailableEncryptionrrr_KeySerializationEncryption_formatOpenSSHZPKCS8PEMrhZPEM_write_bio_PKCS8PrivateKeyr\Zi2d_PKCS8PrivateKey_bio_private_key_bytes_via_bioZTraditionalOpenSSLrkr rZPEM_write_bio_RSAPrivateKeyrZPEM_write_bio_DSAPrivateKeyrZPEM_write_bio_ECPrivateKeyrZi2d_ECPrivateKey_bioZi2d_DSAPrivateKey_bio_bio_func_outputrQZ_serialize_ssh_private_key) rwrrzrrrcdatar write_biorr]r]r^_private_key_bytess                        zBackend._private_key_bytesc Cs<|s|jj}n|jd}|||||t||jj|jjS)Ns aes-256-cbc)rfrrhEVP_get_cipherbynamerr)rwrrrrr]r]r^rWs  z"Backend._private_key_bytes_via_biocGs0|}||g|R}||dk||Sr)rrr)rwrargsrXrr]r]r^rhs zBackend._bio_func_outputcCst|tjs tdt|tjstd|tjjur:|tjjur%|jj}n|tjj ur0|jj }nt d| ||S|tjj urp|j|}||jjkrPt d|tjjur[|jj}n|tjj urf|jj}nt d| ||S|tjjur|tjjurt|St dt d)Nrz1format must be an item from the PublicFormat enumz8SubjectPublicKeyInfo works only with PEM or DER encodingz+PKCS1 format is supported only for RSA keysz)PKCS1 works only with PEM or DER encodingz1OpenSSH format must be used with OpenSSH encodingr)rr'r[rV PublicFormatZSubjectPublicKeyInforrhZPEM_write_bio_PUBKEYr\Zi2d_PUBKEY_biorrZPKCS1r rZPEM_write_bio_RSAPublicKeyr#rrQZserialize_ssh_public_key)rwrrzrrrrrr]r]r^_public_key_bytesns@                   zBackend._public_key_bytescC |jj Srrhrrvr]r]r^ dh_supportedrzBackend.dh_supported generatorcCs|tjkr tdtj|dvrtd|j}|||jjk|j ||jj }|j ||||jj}||dkt ||S)Nz$DH key_size must be at least {} bits)zDH generator must be 2 or 5rb) r)Z_MIN_MODULUS_SIZErrzrhDH_newrrfrrrZDH_generate_parameters_exr )rwrrZdh_param_cdatarr]r]r^generate_dh_parameterss    zBackend.generate_dh_parameterscCrr)rrhZEVP_PKEY_set1_DHr)rwr!rrr]r]r^_dh_cdata_to_evp_pkeyrzBackend._dh_cdata_to_evp_pkeycCs<t|j|}|j|}||dk||}t|||Sr)rZ _dh_cdatarhZDH_generate_keyrrr )rwr0Z dh_key_cdatarrr]r]r^generate_dh_private_keys   zBackend.generate_dh_private_keycCs||||Sr)rr)rwrrr]r]r^&generate_dh_private_key_and_parameterss z.Backend.generate_dh_private_key_and_parametersc Cs8|jj}|j}|||jjk|j||jj}| |j }| |j }|j dur3| |j }n|jj}| |jj }| |j}|j||||} || dk|j|||} || dk|jdd} |j|| } || dk| ddkr|j dkr| d|jjAdkstd||} t||| S)Nrbint[]rrz.DH private numbers did not pass safety checks.)rr:rhrrrfrrrrrr6rr;r< DH_set0_pqg DH_set0_keyrCryptography_DH_checkZDH_NOT_SUITABLE_GENERATORrrr ) rwrr:r!rr6rr7r8rcodesrr]r]r^load_dh_private_numberss0        zBackend.load_dh_private_numbersc Cs|j}|||jjk|j||jj}|j}||j }||j }|j dur2||j }n|jj}||j }|j ||||}||dk|j|||jj}||dk||} t||| Sr)rhrrrfrrrr:rrr6rr;rrrr ) rwrr!r:rr6rr7rrr]r]r^load_dh_public_numbers s       zBackend.load_dh_public_numberscCs|j}|||jjk|j||jj}||j}||j }|j dur/||j }n|jj}|j ||||}||dkt ||Sr) rhrrrfrrrrrr6rrr )rwrr!rr6rrr]r]r^load_dh_parameter_numbers(s     z!Backend.load_dh_parameter_numbersrr6rcCs|j}|||jjk|j||jj}||}||}|dur+||}n|jj}|j||||}||dk|j dd}|j ||}||dk|ddkS)Nrbrr) rhrrrfrrrrrrr)rwrr6rr!rrr]r]r^dh_parameters_supported<s     zBackend.dh_parameters_supportedcCs |jjdkSr)rhrtrvr]r]r^dh_x942_serialization_supportedTrz'Backend.dh_x942_serialization_supportedcCsht|dkr td|}|j||jj}||dk|j||t|}||dkt||S)N z%An X25519 public key is 32 bytes longrb) rrrrhZEVP_PKEY_set_type NID_X25519rZEVP_PKEY_set1_tls_encodedpointr")rwrrrr]r]r^x25519_load_public_bytesWs   z Backend.x25519_load_public_bytescCst|dkr tdd}|d#}||dd<||dd<||}|j|j|jj}Wdn1s7wY| ||jjk|j ||jj }| |j ||jj kt||S)Nrz&An X25519 private key is 32 bytes longs0.0+en" 0r)rr_zeroed_bytearrayrrhrUrXrfrrrrr r r!)rwrZ pkcs8_prefixbarXrr]r]r^x25519_load_private_bytesfs      z!Backend.x25519_load_private_bytescCs|j||jj}|||jjk|j||jj}|j|}||dk|jd}|j ||}||dk||d|jjk|j|d|jj }|S)Nrb EVP_PKEY **r) rhZEVP_PKEY_CTX_new_idrfrrrZEVP_PKEY_CTX_freeZEVP_PKEY_keygen_initrZEVP_PKEY_keygenr)rwrZ evp_pkey_ctxrZ evp_ppkeyrr]r]r^_evp_pkey_keygen_gcs  zBackend._evp_pkey_keygen_gccC||jj}t||Sr)rrhrr!rr]r]r^x25519_generate_key zBackend.x25519_generate_keycC|jrdS|jj Sr)rkrhrrvr]r]r^x25519_supported zBackend.x25519_supportedcCs`t|dkr td|j|jj|jj|t|}|||jjk|j||jj }t ||S)N8z#An X448 public key is 56 bytes long) rrrhEVP_PKEY_new_raw_public_keyNID_X448rfrrrrr$rwrrr]r]r^x448_load_public_bytess  zBackend.x448_load_public_bytescCslt|dkr td|j|}|j|jj|jj|t|}|||jjk|j ||jj }t ||S)Nrz$An X448 private key is 56 bytes long) rrrfrrhEVP_PKEY_new_raw_private_keyrrrrrr#rwrrrr]r]r^x448_load_private_bytess   zBackend.x448_load_private_bytescCrr)rrhrr#rr]r]r^x448_generate_keyrzBackend.x448_generate_keycC|jrdS|jj o|jj Sr)rkrhZ"CRYPTOGRAPHY_OPENSSL_LESS_THAN_111rrvr]r]r^x448_supported  zBackend.x448_supportedcCrr)rkrh#CRYPTOGRAPHY_OPENSSL_LESS_THAN_111Brvr]r]r^ed25519_supportedrzBackend.ed25519_supportedcCsntd|t|tjkrtd|j|jj|j j |t|}| ||j j k|j ||jj }t||S)Nrz&An Ed25519 public key is 32 bytes long)r _check_bytesrr,_ED25519_KEY_SIZErrhr NID_ED25519rfrrrrrrr]r]r^ed25519_load_public_bytess  z!Backend.ed25519_load_public_bytescCszt|tjkr tdtd||j|}|j |jj |jj |t|}| ||jj k|j ||jj}t||S)Nz'An Ed25519 private key is 32 bytes longr)rr,rrrrurfrrhrrrrrrrrr]r]r^ed25519_load_private_bytess   z"Backend.ed25519_load_private_bytescCrr)rrhrrrr]r]r^ed25519_generate_keyrzBackend.ed25519_generate_keycCrr)rkrhrrrvr]r]r^ed448_supportedrzBackend.ed448_supportedcCsltd|t|tkrtd|j|jj|jj |t|}| ||jj k|j ||jj }t ||S)Nrz$An Ed448 public key is 57 bytes long)rrrrrrhr NID_ED448rfrrrrrrr]r]r^ed448_load_public_bytess   zBackend.ed448_load_public_bytescCsxtd|t|tkrtd|j|}|j|jj |jj |t|}| ||jj k|j ||jj }t||S)Nrz%An Ed448 private key is 57 bytes long)rrurrrrfrrhrrrrrrrrr]r]r^ed448_load_private_bytess    z Backend.ed448_load_private_bytescCrr)rrhrrrr]r]r^ed448_generate_keyrzBackend.ed448_generate_keyrrc Cs|jd|}|j|}|j|t||t||||tj|| } | dkr9|} d||d} t d | | |j |ddS)NrrbizJNot enough memory to derive key. These parameters require {} MB of memory.) rfrrrhZEVP_PBE_scryptrrOZ _MEM_LIMITr MemoryErrorrzr) rwrrrrrrrrrr~Z min_memoryr]r]r^ derive_scrypts.  zBackend.derive_scryptcCsHt|}|jr||jvrdS|dr|jjdkS|j||jj kS)NFs-sivrb) rZ_aead_cipher_namerk _fips_aeadendswithrh#CRYPTOGRAPHY_OPENSSL_300_OR_GREATERrrfr)rwr cipher_namer]r]r^aead_cipher_supported6s   zBackend.aead_cipher_supportedc cs2t|}z |VW|||dS|||w)z This method creates a bytearray, which we copy data into (hopefully also from a mutable buffer that can be dynamically erased!), and then zero when we're done. N) bytearray _zero_data)rwrrr]r]r^rDs zBackend._zeroed_bytearraycCst|D]}d||<qdSr)range)rwrrir]r]r^rQs  zBackend._zero_datac cs~|dur |jjVdSt|}|jd|d}|j|||z|VW||jd||dS||jd||w)a This method takes bytes, which can be a bytestring or a mutable buffer like a bytearray, and yields a null-terminated version of that data. This is required because PKCS12_parse doesn't take a length with its password char * and ffi.from_buffer doesn't provide null termination. So, to support zeroing the data via bytearray we need to build this ridiculous construct that copies the memory, but zeroes it after use. Nrrbz uint8_t *)rfrrrmemmovercast)rwrZdata_lenrr]r]r^_zeroed_null_terminated_bufXs 2z#Backend._zeroed_null_terminated_bufcCs2|||}|j|jr|jjnddd|jDfS)NcSsg|]}|jqSr]) certificater{rXr]r]r^ zszABackend.load_key_and_certificates_from_pkcs12..) load_pkcs12rrXr Zadditional_certs)rwrrpkcs12r]r]r^%load_key_and_certificates_from_pkcs12os z-Backend.load_key_and_certificates_from_pkcs12cCs~|dur td|||}|j|j|jj}||jjkr'|t d|j ||jj }|j d}|j d}|j d}| |}|j|||||} Wdn1s\wY|jjri|| dkru|t dd} d} g} |d|jjkr|j |d|jj} || } |d|jjkr|j |d|jj}||}d}|j||jj}||jjkr|j|}t||} |d|jjkr9|j |d|jj}|j|d}|jjs|jjrt|}ntt|}|D]@}|j||}|||jjk|j ||jj}||}d}|j||jj}||jjkr0|j|}| t||qt | | | S)Nrz!Could not deserialize PKCS12 datarzX509 **zCryptography_STACK_OF_X509 **rzInvalid password or PKCS12 data)!rrurrhZd2i_PKCS12_biorXrfrrrr PKCS12_freerr Z PKCS12_parseZ#CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340rr"r]rbZX509_alias_get0rrS sk_X509_free sk_X509_numrrrreversed sk_X509_valuerrurT)rwrrrXp12Z evp_pkey_ptrZx509_ptrZ sk_x509_ptr password_bufrrXrZadditional_certificatesrrZcert_objrZ maybe_namesk_x509rindicesrZ addl_certZ addl_namer]r]r^r}sr                  zBackend.load_pkcs12rcascCsd}|dur td|t|tjrd}d}d} d} |jj} nt|tjrF|jj r2|jj }|jj }n|jj }|jj }d} d} |jj} |j }nst|tj r|jtjjurd}d}d} d} |j }|j} | tjuro|jj }|jj }n| tjur|jj s|td|jj }|jj }n| dusJ|jdur|jjstd||j} || |jjkn|jj} |jdur|j} ntd|dust|dkr|jj} nb|j} |j| |jj} g}|D]O}t|t r|j!}|"|j#}|$|}|j%||d}||dkWdn 1s wYn|"|}|&||j'| |}t(|dkq|$|`}|$|0}|r>|"|n|jj}|durK|j)}n|jj}|j*||||| ||| | d }Wdn 1siwY|jjr| |jjkr|j+||d|jjd| | Wdn 1swY|||jjk|j||jj,}|-}|j.||}||dk|/|S) Nrrsri Nrbz2PBESv2 is not supported by this version of OpenSSLzBSetting MAC algorithm is not supported by this version of OpenSSL.zUnsupported key encryption type)0rrrr'rrfrrrhrZNID_aes_256_cbcZ&NID_pbe_WithSHA1And3_Key_TripleDES_CBCrrrrZPKCS12Z_key_cert_algorithmrRZPBESv1SHA1And3KeyTripleDESCBCZPBESv2SHA256AndAES256CBCrZ _hmac_hashZCryptography_HAS_PKCS12_SET_MACrrZ _kdf_roundsrrsk_X509_new_nullrrrSZ friendly_namer^r r ZX509_alias_set1ru sk_X509_pushbackendrmZ PKCS12_createZPKCS12_set_macrrZi2d_PKCS12_bior)rwrrrXrrrZnid_certZnid_keyZ pkcs12_iterZmac_iterZmac_algZ keycertalgrZossl_cascaZca_aliasZossl_caZ ca_name_bufrrZname_buf ossl_certrrrXr]r]r^(serialize_key_and_certificates_to_pkcs12s                    # z0Backend.serialize_key_and_certificates_to_pkcs12cCrr)rkrhZCryptography_HAS_POLY1305rvr]r]r^poly1305_supportedg s zBackend.poly1305_supportedcCs*td|t|tkrtdt||S)NrzA poly1305 key is 32 bytes long)rrurrrr)rwrr]r]r^create_poly1305_ctxl s   zBackend.create_poly1305_ctxcCrrrrvr]r]r^pkcs7_supporteds rzBackend.pkcs7_supportedcCsntd|||}|j|j|jj|jj|jj}||jjkr)|t d|j ||jj }| |SNrzUnable to parse PKCS7 data) rrrrhZPEM_read_bio_PKCS7rXrfrrrr PKCS7_free_load_pkcs7_certificatesrwrrXp7r]r]r^load_pem_pkcs7_certificatesv s    z#Backend.load_pem_pkcs7_certificatescCsbtd|||}|j|j|jj}||jjkr#|t d|j ||jj }| |Sr$) rrrrhZ d2i_PKCS7_biorXrfrrrrr%r&r'r]r]r^load_der_pkcs7_certificates s    z#Backend.load_der_pkcs7_certificatesc Cs|j|j}|||jjk||jjkrtd|tj |j j j }|j |}g}t|D]2}|j||}|||jjk|j|}||dk|j||jj}||} || q0|S)NzNOnly basic signed structures are currently supported. NID for this data was {}rb)rhZ OBJ_obj2nidrrrZNID_pkcs7_signedrrzrZUNSUPPORTED_SERIALIZATIONrsignrXrrrrfrZ X509_up_refrr]rbru) rwr(rrrcertsrrrrXr]r]r^r& s(       z Backend._load_pkcs7_certificatesr,c Cs"t|}|rtdd|Dstd|tjjtjjfvr!td|j}|j ||jj }g}|D]}| |}| ||j||}||dkq3|j|j j|j j||j j|jj}|} |tjjurv|j| ||j jd}n|tjjus~J|j| |}||dk|| S)Ncss|] }t|tjVqdSr)rr Certificater r]r]r^r| s  z7Backend.pkcs7_serialize_certificates..z.certs must be a list of certs with length >= 1z/encoding must DER or PEM from the Encoding enumrbr)listallrVr'r[rr\rhrrfrrr^rurr PKCS7_signr PKCS7_PARTIALrPEM_write_bio_PKCS7_stream i2d_PKCS7_bior) rwr,rZcerts_sk ossl_certsrXrrr(bio_outr]r]r^pkcs7_serialize_certificates sD       z$Backend.pkcs7_serialize_certificatesbuilderoptionscCs|jdusJ||j}|jj}d}t|jdkr|jj}n.|j}|j ||jj }g}|jD]} | | } | | |j || } || dkq2tjj|vr_||jjO}||jjO}|j|jj|jj||jj|} || |jjk|j | |jj} d} tjj|vr| |jjO} n tjj|vr| |jjO} tjj|vr| |jjO} |jD]#\}}}| |} ||}|j| | |j|| }|||jjkq|D]}|tjjur||jj O}q|tjj!ur||jj"O}q|#}|t$j%j&ur|j'|| |j(|} nK|t$j%j)ur%|j*| |j(|} || dk|j+|| |j(|} n)|t$j%j,us.J|j*| |j(|} || dk|jj-rG|.|j/|| } || dk|0|S)Nrrb)1_datarrhr1rZ_additional_certsrfrrrrr^rurrrP PKCS7OptionsZDetachedSignatureZPKCS7_DETACHEDr0r%ZNoCapabilitiesZPKCS7_NOSMIMECAPZ NoAttributesZ PKCS7_NOATTRZNoCertsZ PKCS7_NOCERTSZ_signersrZPKCS7_sign_add_signerrmTextZ PKCS7_TEXTZBinaryZ PKCS7_BINARYrr'r[ZSMIMEZSMIME_write_PKCS7rXrZ PKCS7_finalr2r\rrr3r)rwr7rr8rXZ init_flagsZ final_flagsr,r4rXrrr(Z signer_flagsr Z private_keyZhash_algorithmZmdZ p7signerinfooptionr5r]r]r^ pkcs7_sign s                       zBackend.pkcs7_signr)ryN)rZr[r\__doc__rrr:rr&r&r'r(r)Z SHA512_224Z SHA512_256ZSHA3_224ZSHA3_256ZSHA3_384ZSHA3_512ZSHAKE128ZSHAKE256rr+Z SECP224R1Z SECP256R1Z SECP384R1Z SECP521R1rZ_fips_rsa_min_key_sizeZ_fips_rsa_min_public_exponentZ_fips_dsa_min_modulusZ_fips_dh_min_key_sizeZ_fips_dh_min_modulusrxstrr|rtypingOptionalListr%Z _OpenSSLErrorrrjrr contextlibrrrrrr{rrbytesZ HashAlgorithmrrrrrrrrZ HashContextrr9rLrrrmrrrrrrZ_OpenSSLErrorWithTextrrrr.Z RSAPrivateKeyrrZRSAPrivateNumbersrZRSAPublicNumbersZ RSAPublicKeyrrrrrrr6r"r7r%r*r(r,r*Z DSAParametersr/Z DSAPrivateKeyr2r4r9ZDSAPrivateNumbersr=ZDSAPublicNumbersZ DSAPublicKeyr?ZDSAParameterNumbersr@r1rArBrEr8r rFrHrQr)Z DHParametersrRrrSr$rWrr-Anyr^rbZCertificateSigningRequestrerfZCertificateRevocationListrjrkr5rnrorrrGNoReturnrNZ EllipticCurverZEllipticCurveSignatureAlgorithmrZEllipticCurvePrivateKeyrZEllipticCurvePrivateNumbersrZEllipticCurvePublicNumbersZEllipticCurvePublicKeyrrrrrrrrrrrrr'r[rrrrrrrrrrZ DHPrivateKeyrrZDHPrivateNumbersrZDHPublicNumbersZ DHPublicKeyrZDHParameterNumbersrrrr/ZX25519PublicKeyrZX25519PrivateKeyrrrrr0Z X448PublicKeyrZX448PrivateKeyrrrrr,ZEd25519PublicKeyrZEd25519PrivateKeyrrrr-ZEd448PublicKeyrZEd448PrivateKeyrrrrIteratorrrrr TuplerrTrrUrVr r!rr"r#r)r*r&r6rPZPKCS7SignatureBuilderr:r=r]r]r]r^r_s~              4          $    @:         *      5/        '     z 7    0    $    #   M     / r_c@s0eZdZdefddZdededefddZd S) rfmtcCs ||_dSr)_fmt)rwrIr]r]r^rx? rzGetCipherByName.__init__rrrcCsd|jj||d}|j|d}||jjkr,|jjr,|j |jj|d|jj}| |S)N)rrr) rJrzlowerrhrrrfrZCryptography_HAS_300_EVP_CIPHERZEVP_CIPHER_fetchr)rwrrrrrr]r]r^__call__B s zGetCipherByName.__call__N) rZr[r\r?rxr_r9rLrLr]r]r]r^r> srrrcCs"d|jd}|j|dS)Nz aes-{}-xtsrr)rzrrhrr)rrrrr]r]r^rW sr)| collectionsrCrr@ror cryptographyrrZcryptography.exceptionsrrZ$cryptography.hazmat.backends.opensslrZ,cryptography.hazmat.backends.openssl.ciphersrZ)cryptography.hazmat.backends.openssl.cmacr Z'cryptography.hazmat.backends.openssl.dhr r r rZ(cryptography.hazmat.backends.openssl.dsarrrZ'cryptography.hazmat.backends.openssl.ecrrZ,cryptography.hazmat.backends.openssl.ed25519rrZ*cryptography.hazmat.backends.openssl.ed448rrrZ+cryptography.hazmat.backends.openssl.hashesrZ)cryptography.hazmat.backends.openssl.hmacrZ-cryptography.hazmat.backends.openssl.poly1305rrZ(cryptography.hazmat.backends.openssl.rsarr Z+cryptography.hazmat.backends.openssl.x25519r!r"Z)cryptography.hazmat.backends.openssl.x448r#r$Z"cryptography.hazmat.bindings._rustraZ$cryptography.hazmat.bindings.opensslr%Zcryptography.hazmat.primitivesr&r'Z*cryptography.hazmat.primitives._asymmetricr(Z)cryptography.hazmat.primitives.asymmetricr)r*r+r,r-r.r/r0Z1cryptography.hazmat.primitives.asymmetric.paddingr1r2r3r4Z/cryptography.hazmat.primitives.asymmetric.typesr5r6r7Z&cryptography.hazmat.primitives.ciphersr8r9Z1cryptography.hazmat.primitives.ciphers.algorithmsr:r;r<r=r>r?r@rArBrCrDrEZ,cryptography.hazmat.primitives.ciphers.modesrFrGrHrIrJrKrLrMrNZ"cryptography.hazmat.primitives.kdfrOZ,cryptography.hazmat.primitives.serializationrPrQZ3cryptography.hazmat.primitives.serialization.pkcs12rRrSrTrUrV namedtuplerWrYr_rrrr]r]r]r^sx         ( 8,  J