o ct@sddlZddlZddlZddlZddlZddlmZddlmZmZddl m Z m Z ddl m Z ddlmZddlmZddlmZmZmZmZdd lmZmZmZdd lmZmZdd lmZm Z m!Z!dd l"m#Z#m$Z$dd l%m&Z&ddl'm(Z(ddl)m*Z*m+Z+ddl,m-Z-m.Z.ddl/m0Z0m1Z1ddl2m3Z3m4Z4ddl5mZ6ddl7m8Z8ddl9m:Z:m;Z;ddlm?Z?m@Z@mAZAmBZBmCZCmDZDmEZEmFZFddlGmHZHmIZImJZJmKZKddlLmMZMmNZNmOZOddlPmQZQmRZRddlSmTZTmUZUmVZVmWZWmXZXmYZYmZZZm[Z[m\Z\m]Z]m^Z^m_Z_ddl`maZambZbmcZcmdZdmeZemfZfmgZgmhZhmiZiddljmkZkddllmmZmddlnmoZompZpmqZqmrZrmsZsetd d!d"gZuGd#d$d$ZvGd%d&d&ZwGd'd(d(Zxd)ewd*eTfd+d,ZyewZzdS)-N)contextmanager)utilsx509)UnsupportedAlgorithm_Reasons)aead)_CipherContext _CMACContext)_dh_params_dup _DHParameters _DHPrivateKey _DHPublicKey)_DSAParameters_DSAPrivateKey _DSAPublicKey)_EllipticCurvePrivateKey_EllipticCurvePublicKey)_ED448_KEY_SIZE_Ed448PrivateKey_Ed448PublicKey)_Ed25519PrivateKey_Ed25519PublicKey _HashContext _HMACContext)_POLY1305_KEY_SIZE_Poly1305Context)_RSAPrivateKey _RSAPublicKey)_X448PrivateKey_X448PublicKey)_X25519PrivateKey_X25519PublicKey)r)binding)hashes serialization)AsymmetricPadding)dhdsaeced448ed25519rsax448x25519)MGF1OAEPPSSPKCS1v15)#CERTIFICATE_ISSUER_PUBLIC_KEY_TYPESPRIVATE_KEY_TYPESPUBLIC_KEY_TYPES)BlockCipherAlgorithmCipherAlgorithm) AESAES128AES256ARC4SM4CamelliaChaCha20 TripleDES_BlowfishInternal_CAST5Internal _IDEAInternal _SEEDInternal) CBCCFBCFB8CTRECBGCMOFBXTSMode)scrypt)ssh)_ALLOWED_PKCS12_TYPES_PKCS12_CAS_TYPESPBESPKCS12CertificatePKCS12KeyAndCertificates _MemoryBIObiochar_ptrc@s eZdZdS)_RC2N)__name__ __module__ __qualname__r]r]Y/opt/certbot/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/backend.pyrYsrYc@s eZdZdZdZhdZefZej ej ej ej ej ejejejejejejejf ZejejejejfZdZdZdd>ZdZde>Z ddZ!d e"fd d Z# d9d e$de%j&e%j'e(j)d d fddZ*d e$fddZ+d:ddZ,d:ddZ-e.j/ddZ0d:ddZ1d e"fddZ2d e"fddZ3d e4fdd Z5d!e6d"ej7d e8fd#d$Z9d"ej7fd%d&Z:d"ej7fd'd(Z;d"ej7d e$fd)d*Zd"ej7d e$fd/d0Z?d"ej7d ej@fd1d2ZAd3eBd4eCd e$fd5d6ZDd7d8ZEd:d9d:ZFd3eBd4eCd eGfd;d<ZHd3eBd4eCd eGfd=d>ZId"ej7d e$fd?d@ZJd"ej7dAe4dBe6dCe4dDe6d e6f dEdFZKd e%j'e(j)fdGdHZLd e%j'e(jMfdIdJZNd e4fdKdLZOd9dMe4fdNdOZPdPe4dQe4d eQjRfdRdSZSdPe4dQe4d e$fdTdUZTdVeQjUdWe$d eQjRfdXdYZVdVeQjWd eQjXfdZd[ZYd\d]ZZd^d_Z[d`e6fdadbZ\dcddZ]d e6fdedfZ^dWe$d e_fdgdhZ`d eafdidjZbd"ej7d e$fdkdlZcdmedd e$fdndoZedQe4d efjgfdpdqZhdrefjgd efjifdsdtZjdQe4d efjifdudvZkdwdxZldVefjmd efjifdydzZndVefjod efjpfd{d|ZqdVefjrd efjgfd}d~ZsddZtd e$fddZud"ej7d e$fddZvd e$fddZwd"exd eyfddZzd`e6de%j&e6dWe$d e_fddZ{d`e6d eafddZ|d`e6d e}j~fddZd`e6de%j&e6dWe$d e_fddZddZd`e6d eafddZd`e6d e}j~fddZdejd e%jfddZde%jd ejfddZdejd e%jfddZdejd e%jfddZdejded e$fddZdejd e$fddZddZddZd e%jfddZdejd e$fddZdejdejd e$fddZdejd ejfddZdVejd ejfddZdVejd ejfddZdejde6d ejfddZde4dejd ejfddZdejfdd„Zde4fddńZd"ejdejd e$fddDŽZddɄZdejd e4fdd˄Ze/dd̈́ZddτZde4de4fddӄZdejdejdejd e6fdd؄ZddڄZdd܄Zdejdejd e6fddބZd e$fddZde4dQe4d e}j~fddZddZdre}j~d e}jfddZde4dQe4d e}jfddZdVe}jd e}jfddZdVe}jd e}jfddZdVe}jd e}j~fddZ d9de4de4de%j&e4d e$fddZd e$fddZd`e6d ejfddZd`e6d ejfddZddZd ejfddZd e$fddZd`e6d ejfddZd`e6d ejfddZd ejfddZd e$fddZd e$fd d Zd`e6d ejfd d Zd`e6d ejfd dZd ejfddZd e$fddZd`e6d ejfddZd`e6d ejfddZd ejfddZdDe6dBe6dAe4de4de4de4d e6fddZd e$fddZe.j/dAe4d e%jefdd ZdAe4d d fd!d"Ze.j/d#d$Zd`e6de%j&e6d e%je%j&e_e%j&eje%j'ejffd%d&Zd`e6de%j&e6d efd'd(Zd)e%j&e6d!e%j&ede%j&ejd*e%j&e%j'edejd e6f d+d,Zd e$fd-d.Zd!e6d efd/d0Zd e$fd1d2Zd`e6d e%j'ejfd3d4Zd`e6d e%j'ejfd5d6Zd7d8Zd S(;Backendz) OpenSSL API binding interfaces. openssl> aes-128-ccm aes-128-gcm aes-192-ccm aes-192-gcm aes-256-ccm aes-256-gcmicCst|_|jj|_|jj|_||_i|_ | |jr)|jj r)t dtn||jjg|_|jjrA|j|jjdSdS)Nz)formatopenssl_version_textrprj_legacy_provider_loadedr}r]r]r^__repr__s zBackend.__repr__NokerrorscCstj|j||dS)N)r)r%_openssl_assertrn)r~rrr]r]r^openssl_assertszBackend.openssl_assertcCs>|jjr |j|jj}n|j}|dkr|jt|SNr)rnCryptography_HAS_300_FIPS&EVP_default_properties_is_fips_enabledrlNULL FIPS_modeERR_clear_errorbool)r~moder]r]r^ros  zBackend._is_fips_enabledcCs$|j|s J||_dSN)rj _enable_fipsrorpr}r]r]r^rs  zBackend._enable_fipscCsn|jjr3|j}||jjkr5|j||j|jj}||dk|j|}||dkdSdSdSNrh) rnrsENGINE_get_default_RANDrlrENGINE_unregister_RANDRAND_set_rand_methodr ENGINE_finishr~eresr]r]r^activate_builtin_randoms    zBackend.activate_builtin_randomc cs|j|jj}|||jjk|j|}||dkz |VW|j|}||dk|j|}||dkdS|j|}||dk|j|}||dkwr) rn ENGINE_by_idCryptography_osrandom_engine_idrrlr ENGINE_init ENGINE_freerrr]r]r^_get_osurandom_engines     zBackend._get_osurandom_enginecCsx|jjr:||}|j|}||dkWdn1s$wY|j|jj}||dkdSdSr) rnrsrrENGINE_set_default_RANDrrrlrrr]r]r^rw s  z Backend.activate_osrandom_enginec Cst|jdd}|}|j|dt|||jjd}||dkWdn1s,wY|j| dS)Nchar[]@sget_implementationrascii) rlnewrrnENGINE_ctrl_cmdlenrrstringdecode)r~bufrrr]r]r^osrandom_engine_implementations z&Backend.osrandom_engine_implementationcCs|j|j|jjdS)z Friendly string name of the loaded OpenSSL library. This is not necessarily the same version as it was compiled against. Example: OpenSSL 1.1.1d 10 Sep 2019 r)rlrrnOpenSSL_versionOPENSSL_VERSIONrr}r]r]r^r!s zBackend.openssl_version_textcCs |jSr)rnOpenSSL_version_numr}r]r]r^openssl_version_number, zBackend.openssl_version_numberkey algorithmcCs t|||Srr)r~rrr]r]r^create_hmac_ctx/ zBackend.create_hmac_ctxcCsL|jdks |jdkrd|j|jdd}n|jd}|j|}|S)Nblake2bblake2sz{}{}r)namer digest_sizeencodernEVP_get_digestbyname)r~ralgevp_mdr]r]r^_evp_md_from_algorithm4s   zBackend._evp_md_from_algorithmcCs ||}|||jjk|Sr)rrrlrr~rrr]r]r^_evp_md_non_null_from_algorithm?s z'Backend._evp_md_non_null_from_algorithmcCs,|jr t||js dS||}||jjkSNF)rp isinstance _fips_hashesrrlrrr]r]r^hash_supportedDs  zBackend.hash_supportedcC |jr t|tjr dS||Srrprr&SHA1rr~rr]r]r^signature_hash_supportedKs z Backend.signature_hash_supportedcC|jrdS|jjdkSNFrh)rprnCryptography_HAS_SCRYPTr}r]r]r^scrypt_supportedTs zBackend.scrypt_supportedcCr)NTrrr]r]r^hmac_supportedZs zBackend.hmac_supportedcC t||Srrrr]r]r^create_hash_ctxas zBackend.create_hash_ctxcipherrcCs^|jr t||js dSz |jt|t|f}Wn ty"YdSw||||}|jj|kSr)rpr _fips_ciphersrqtypeKeyErrorrlr)r~rradapter evp_cipherr]r]r^cipher_supportedfs    zBackend.cipher_supportedcCs0||f|jvrtd||||j||f<dS)Nz"Duplicate registration for: {} {}.)rq ValueErrorr)r~ cipher_clsmode_clsrr]r]r^register_cipher_adaptertszBackend.register_cipher_adaptercCstttfD]}ttttttt fD] }| ||t dqqtttttfD] }| t |t dq$ttttfD] }| t |t dq6| t tt d| ttdt d| ttttttttfD] }| t|t dqd|jjsx|jjsttttfD] }| t|t dq~ttttfD] }| t|t dqtttgttttgD] \}}| ||t dq| ttdt d | ttdt d dSdS) Nz+{cipher.name}-{cipher.key_size}-{mode.name}zdes-ede3-{mode.name}zdes-ede3chacha20zsm4-{mode.name}zbf-{mode.name}zseed-{mode.name}z{cipher.name}-{mode.name}rc4rc2)r:r;r<rFrIrJrLrGrHrKrGetCipherByNamer?rAr@rrM_get_xts_cipherr>rjrrn#CRYPTOGRAPHY_OPENSSL_300_OR_GREATERrBrE itertoolsproductrCrDr=rY)r~rrr]r]r^rr}s~     z!Backend._register_default_cipherscCt|||tjSr)r_ENCRYPTr~rrr]r]r^create_symmetric_encryption_ctxz'Backend.create_symmetric_encryption_ctxcCrr)r_DECRYPTrr]r]r^create_symmetric_decryption_ctxrz'Backend.create_symmetric_decryption_ctxcCs ||Sr)rrr]r]r^pbkdf2_hmac_supportedrzBackend.pbkdf2_hmac_supportedlengthsalt iterations key_materialc Csh|jd|}||}|j|}|j|t||t|||||} || dk|j|ddS)Nunsigned char[]rh) rlrr from_bufferrnPKCS5_PBKDF2_HMACrrbuffer) r~rrrrrrrkey_material_ptrrr]r]r^derive_pbkdf2_hmacs   zBackend.derive_pbkdf2_hmaccC t|jSr)r%_consume_errorsrnr}r]r]r^r zBackend._consume_errorscCrr)r%_consume_errors_with_textrnr}r]r]r^rrz!Backend._consume_errors_with_textcCsz||jjksJ||j| |j|}|jd|}|j||}||dkt |j |d|d}|S)Nrrbig) rlrrrnBN_is_negative BN_num_bytesr BN_bn2binint from_bytesr)r~bn bn_num_bytesbin_ptrbin_lenvalr]r]r^ _bn_to_ints zBackend._bn_to_intnumcCsn|dus ||jjks J|dur|jj}|t|ddd}|j|t||}|||jjk|S)a  Converts a python integer to a BIGNUM. The returned BIGNUM will not be garbage collected (to support adding them to structs that take ownership of the object). Be sure to register it for GC if it will be discarded after use. Ng @rhr) rlrto_bytesr bit_lengthrn BN_bin2bnrr)r~rrbinarybn_ptrr]r]r^ _int_to_bnszBackend._int_to_bnpublic_exponentkey_sizecCst|||j}|||jjk|j||jj}| |}|j||jj }|j ||||jj}||dk| |}t |||ddS)NrhTunsafe_skip_rsa_key_validation)r._verify_rsa_parametersrnRSA_newrrlrgcRSA_freer BN_freeRSA_generate_key_ex_rsa_cdata_to_evp_pkeyr)r~r r rsa_cdatarrevp_pkeyr]r]r^generate_rsa_private_key s     z Backend.generate_rsa_private_keycCs|dko |d@dko |dkS)Nrhrir])r~r rr]r]r^!generate_rsa_parameters_supported"s  z)Backend.generate_rsa_parameters_supportednumbersrc Cs6t|j|j|j|j|j|j|jj |jj |j }| ||jjk|j||j j}||j}||j}||j}||j}||j}||j} ||jj } ||jj } |j |||} | | dk|j || | |} | | dk|j |||| } | | dk||} t||| |dS)Nrhr)r._check_private_key_componentspqddmp1dmq1iqmppublic_numbersrnrnrrrlrrrr RSA_set0_factors RSA_set0_keyRSA_set0_crt_paramsrr)r~rrrrr r!r"r#r$rr&rrr]r]r^load_rsa_private_numbers+sD        z Backend.load_rsa_private_numberscCst|j|j|j}|||jjk|j ||jj }| |j}| |j}|j ||||jj}||dk| |}t|||Sr)r._check_public_key_componentsrr&rnrrrlrrrr r(rr )r~rrrr&rrr]r]r^load_rsa_public_numbersTs     zBackend.load_rsa_public_numberscCs2|j}|||jjk|j||jj}|Sr)rn EVP_PKEY_newrrlrr EVP_PKEY_freer~rr]r]r^_create_evp_pkey_gccs zBackend._create_evp_pkey_gccC(|}|j||}||dk|Sr)r0rnEVP_PKEY_set1_RSAr)r~rrrr]r]r^rizBackend._rsa_cdata_to_evp_pkeydatacCsH|j|}|j|t|}|||jjkt|j||jj |S)z Return a _MemoryBIO namedtuple of (BIO, char*). The char* is the storage for the BIO and it must stay alive until the BIO is finished with. ) rlrrnBIO_new_mem_bufrrrrVrBIO_free)r~r4data_ptrrWr]r]r^ _bytes_to_bioos zBackend._bytes_to_biocCsP|j}|||jjk|j|}|||jjk|j||jj}|S)z. Creates an empty memory BIO. )rn BIO_s_memrrlrBIO_newrr6)r~ bio_methodrWr]r]r^_create_mem_bio_gc|s  zBackend._create_mem_bio_gccCs\|jd}|j||}||dk||d|jjk|j|d|dd}|S)zE Reads a memory BIO. This only works on memory BIOs. zchar **rN)rlrrnBIO_get_mem_datarrr)r~rWrbuf_lenbio_datar]r]r^ _read_mem_bios zBackend._read_mem_bioc Cs2|j|}||jjkr,|j|}|||jjk|j||jj}t ||||dS||jj krs|jj ss|jj ss|jj ss|j|}|||jjk|j||jj}|}|j||}||dk|j||d|dS||jjkr|j|}|||jjk|j||jj}t|||S||jjkr|j|}|||jjk|j||jj}t|||S||jvr|j|} || |jjk|j| |jj} t|| |S|t|jddkrt||S|t|jddkrt ||S||jj!krt"||S|t|jddkrt#||St$d) zd Return the appropriate type of PrivateKey given an evp_pkey cdata pointer. rrhN)passwordrEVP_PKEY_ED25519 EVP_PKEY_X448EVP_PKEY_ED448Unsupported key type.)%rn EVP_PKEY_id EVP_PKEY_RSAEVP_PKEY_get1_RSArrlrrrrEVP_PKEY_RSA_PSSCRYPTOGRAPHY_IS_LIBRESSLCRYPTOGRAPHY_IS_BORINGSSL#CRYPTOGRAPHY_OPENSSL_LESS_THAN_111Er<i2d_RSAPrivateKey_bioload_der_private_keyr@ EVP_PKEY_DSAEVP_PKEY_get1_DSADSA_freer EVP_PKEY_ECEVP_PKEY_get1_EC_KEY EC_KEY_freerryEVP_PKEY_get1_DHDH_freer getattrrr!EVP_PKEY_X25519r#rr) r~rrkey_typerrWr dsa_cdataec_cdatadh_cdatar]r]r^_evp_pkey_to_private_keysl                  z Backend._evp_pkey_to_private_keyc Cs4|j|}||jjkr*|j|}|||jjk|j||jj}t |||S||jj krn|jj sn|jj sn|jj sn|j|}|||jjk|j||jj}|}|j||}||dk|||S||jjkr|j|}|||jjk|j||jj}t|||S||jjkr|j|}||jjkr|}td||j||jj}t|||S||jvr|j|} || |jjk|j| |jj} t|| |S|t |jddkrt!||S|t |jddkrt"||S||jj#krt$||S|t |jddkrt%||St&d)zc Return the appropriate type of PublicKey given an evp_pkey cdata pointer. rhzUnable to load EC keyrBNrCrDrE)'rnrFrGrHrrlrrrr rIrJrKrLr<i2d_RSAPublicKey_bioload_der_public_keyr@rOrPrQrrRrSrrrTrryrUrVrrWrr"rXr$rr) r~rrYrrWrrZr[rr\r]r]r^_evp_pkey_to_public_keys^                     zBackend._evp_pkey_to_public_keycCst|tjtjtjtjtjfSr)rr&rSHA224SHA256SHA384SHA512rr]r]r^_oaep_hash_supportedszBackend._oaep_hash_supportedpaddingcCst|trdSt|tr&t|jtr&|jrt|jjtjrdS| |jjSt|t r>t|jtr>| |jjo=| |jSdS)NTF) rr4r3_mgfr1rp _algorithmr&rrr2re)r~rfr]r]r^rsa_padding_supporteds   zBackend.rsa_padding_supportedc Cs~|dvrtd|j}|||jjk|j||jj}|j|||jjd|jj|jj|jj}||dkt ||S)N)irgi iz0Key size must be 1024, 2048, 3072, or 4096 bits.rrh) rrnDSA_newrrlrrrQDSA_generate_parameters_exr)r~rctxrr]r]r^generate_dsa_parameters0s$  zBackend.generate_dsa_parameters parameterscCsT|j|j}|||jjk|j||jj}|j|| |}t |||Sr) rn DSAparams_dup _dsa_cdatarrlrrrQDSA_generate_key_dsa_cdata_to_evp_pkeyr)r~rnrlrr]r]r^generate_dsa_private_keyHs   z Backend.generate_dsa_private_keycC||}||Sr)rmrs)r~rrnr]r]r^'generate_dsa_private_key_and_parametersUs  z/Backend.generate_dsa_private_key_and_parameterscCsB|j||||}||dk|j|||}||dkdSr)rn DSA_set0_pqgr DSA_set0_key)r~rZrr gpub_keypriv_keyrr]r]r^_dsa_cdata_set_values[szBackend._dsa_cdata_set_valuesc Cst||jj}|j}|||jjk|j ||jj }| |j }| |j }| |j}| |jj}| |j}|||||||||} t||| Sr)r*_check_dsa_private_numbersr%parameter_numbersrnrjrrlrrrQr rr rxyxr{rrr) r~rr}rZrr rxryrzrr]r]r^load_dsa_private_numbersas        z Backend.load_dsa_private_numbersc Cst|j|j}|||jjk|j||jj }| |jj }| |jj }| |jj }| |j}|jj}|||||||||}t|||Sr)r*_check_dsa_parametersr}rnrjrrlrrrQr rr rxr~r{rrr) r~rrZrr rxryrzrr]r]r^load_dsa_public_numbersvs     zBackend.load_dsa_public_numberscCst||j}|||jjk|j||jj}| |j }| |j }| |j }|j ||||}||dkt||Sr)r*rrnrjrrlrrrQr rr rxrvr)r~rrZrr rxrr]r]r^load_dsa_parameter_numberss      z"Backend.load_dsa_parameter_numberscCr1r)r0rnEVP_PKEY_set1_DSAr)r~rZrrr]r]r^rrr3zBackend._dsa_cdata_to_evp_pkeycCs|j Sr)rpr}r]r]r^ dsa_supportedszBackend.dsa_supportedcCs|sdS||Sr)rrrr]r]r^dsa_hash_supporteds zBackend.dsa_hash_supportedcCs||td|jS)N)rrF block_sizerr]r]r^cmac_algorithm_supportedsz Backend.cmac_algorithm_supportedcCrrr rr]r]r^create_cmac_ctxrzBackend.create_cmac_ctxrAcCs||jj|||Sr) _load_keyrnPEM_read_bio_PrivateKey)r~r4rArr]r]r^load_pem_private_keys zBackend.load_pem_private_keycCs||}|jd}|j|j|jj|j|jjd|}||jjkr2|j ||jj }| |S| |j |j}||dk|j|j|jj|j|jjd|}||jjkrq|j ||jj}||}t|||S|dS)NCRYPTOGRAPHY_PASSWORD_DATA *Cryptography_pem_password_cbrh)r8rlrrnPEM_read_bio_PUBKEYrWr addressof _original_librr.r`r BIO_resetrPEM_read_bio_RSAPublicKeyrrr _handle_key_loading_error)r~r4mem_biouserdatarrrr]r]r^load_pem_public_keys:        zBackend.load_pem_public_keycCs^||}|j|j|jj|jj|jj}||jjkr)|j||jj}t||S| dSr) r8rnPEM_read_bio_DHparamsrWrlrrrVr r)r~r4rr\r]r]r^load_pem_parameterss    zBackend.load_pem_parameterscCs:||}|||}|r|||S||jj|||Sr)r8"_evp_pkey_from_der_traditional_keyr]rrnd2i_PKCS8PrivateKey_bio)r~r4rArr?rr]r]r^rNs zBackend.load_der_private_keycCsR|j|j|jj}||jjkr#|j||jj}|dur!td|S|dS)N4Password was given but private key is not encrypted.) rnd2i_PrivateKey_biorWrlrrr. TypeErrorr)r~r?rArr]r]r^r s z*Backend._evp_pkey_from_der_traditional_keycCs||}|j|j|jj}||jjkr#|j||jj}||S| |j |j}| |dk|j |j|jj}||jjkrY|j||jj }||}t|||S|dSr)r8rnd2i_PUBKEY_biorWrlrrr.r`rrrd2i_RSAPublicKey_biorrr r)r~r4rrrrr]r]r^r_s        zBackend.load_der_public_keycCs||}|j|j|jj}||jjkr#|j||jj}t||S|jj rW| |j |j}| |dk|j |j|jj}||jjkrW|j||jj}t||S|dSr)r8rnd2i_DHparams_biorWrlrrrVr rzrrrd2i_DHxparams_bior)r~r4rr\rr]r]r^load_der_parameters1s      zBackend.load_der_parameterscertcCT|tjj}||}|j|j|jj }| ||jj k|j ||jj }|Sr) public_bytesr'EncodingDERr8rn d2i_X509_biorWrlrrr X509_free)r~rr4rrr]r]r^ _cert2osslC  zBackend._cert2osslrcCs4|}|j||}||dkt||Sr)r<rn i2d_X509_bior rust_x509load_der_x509_certificater@)r~rrWrr]r]r^ _ossl2certKszBackend._ossl2certcsrcCrr) rr'rrr8rnd2i_X509_REQ_biorWrlrrr X509_REQ_free)r~rr4rx509_reqr]r]r^ _csr2osslQrzBackend._csr2osslcrlcCrr) rr'rrr8rnd2i_X509_CRL_biorWrlrrr X509_CRL_free)r~rr4rx509_crlr]r]r^ _crl2osslYrzBackend._crl2ossl public_keycCsJt|tttfs td||}|j||j}|dkr#| dSdS)NzGExpecting one of DSAPublicKey, RSAPublicKey, or EllipticCurvePublicKey.rhFT) rrr rrrrnX509_CRL_verify _evp_pkeyr)r~rrrrr]r]r^_crl_is_signature_validas  zBackend._crl_is_signature_validcCs`||}|j|}|||jjk|j||jj}|j||}|dkr.| dSdS)NrhFT) rrnX509_REQ_get_pubkeyrrlrrr.X509_REQ_verifyr)r~rrpkeyrr]r]r^_csr_is_signature_valid{s  zBackend._csr_is_signature_validcCs"|j|j|jdkrtddS)NrhzKeys do not correspond)rn EVP_PKEY_cmprr)r~key1key2r]r]r^_check_keys_correspondszBackend._check_keys_correspondc Cs||}|jd}|dur#td||j|}||_t||_||j |jj |j |j j d|}||jj kra|jdkr]||jdkrLtd|jdksSJtd|jd ||j||j j}|durw|jdkrwtd |dur|jd ks|dusJ|||S) NrrArrz3Password was not given but private key is encryptedzAPasswords longer than {} bytes are not supported by this backend.rhr)r8rlrr_check_byteslikerrArrrWrrrnrerrorrrrrmaxsizerrr.calledr]) r~openssl_read_funcr4rArrr password_ptrrr]r]r^rsT        zBackend._load_keycs}|s td|djjjjs2|djjjjs2jjr6|djj jj r6tdt fdd|DrEtdt |}td|)Nz|Could not deserialize key data. The data may be in an incorrect format or it may be encrypted with an unsupported algorithm.rz Bad decrypt. Incorrect password?c3s$|] }|jjjjVqdSr)_lib_reason_matchrn ERR_LIB_EVP'EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM).0rr}r]r^ s z4Backend._handle_key_loading_error..z!Unsupported public key algorithm.zCould not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).)rrrrnrEVP_R_BAD_DECRYPTERR_LIB_PKCS12!PKCS12_R_PKCS12_CIPHERFINAL_ERRORCryptography_HAS_PROVIDERS ERR_LIB_PROVPROV_R_BAD_DECRYPTanyr%_errors_with_text)r~rerrors_with_textr]r}r^rs>     z!Backend._handle_key_loading_errorcurvecCspz||}Wn ty|jj}Ynw|j|}||jjkr'|dS|||jjk|j |dS)NFT) _elliptic_curve_to_nidrrn NID_undefEC_GROUP_new_by_curve_namerlrrr EC_GROUP_free)r~r curve_nidgroupr]r]r^elliptic_curve_supporteds     z Backend.elliptic_curve_supportedsignature_algorithmcCst|tjsdS||Sr)rr+ECDSAr)r~rrr]r]r^,elliptic_curve_signature_algorithm_supporteds  z4Backend.elliptic_curve_signature_algorithm_supportedcCsX||r"||}|j|}||dk||}t|||Std|j t j )z@ Generate a new private key on the named curve. rhz#Backend object does not support {}.) r_ec_key_new_by_curvernEC_KEY_generate_keyr_ec_cdata_to_evp_pkeyrrrrrUNSUPPORTED_ELLIPTIC_CURVE)r~rr[rrr]r]r^#generate_elliptic_curve_private_key s      z+Backend.generate_elliptic_curve_private_keycCsz|j}||j}|j||j|jj}|j ||}|dkr)| t d| ||j |j||}t|||S)NrhInvalid EC key.)r%rrrlrr  private_valuern BN_clear_freeEC_KEY_set_private_keyrr)_ec_key_set_public_key_affine_coordinatesrr~rr)r~rpublicr[rrrr]r]r^#load_elliptic_curve_private_numbers"s    z+Backend.load_elliptic_curve_private_numberscCs4||j}|||j|j||}t|||Sr)rrrrr~rr)r~rr[rr]r]r^"load_elliptic_curve_public_numbers9s    z*Backend.load_elliptic_curve_public_numbers point_bytesc Cs||}|j|}|||jjk|j|}|||jjk|j||jj}| }|j |||t ||}|dkrI| t dWdn1sSwY|j||}||dk||}t|||S)Nrhz(Invalid public bytes for the given curve)rrnEC_KEY_get0_grouprrlr EC_POINT_newr EC_POINT_free _tmp_bn_ctxEC_POINT_oct2pointrrrEC_KEY_set_public_keyrr) r~rrr[rpointbn_ctxrrr]r]r^ load_elliptic_curve_public_bytesDs&      z(Backend.load_elliptic_curve_public_bytesrc Csb||}||\}}|j|}|||jjk|j||jj}| |}|j||jj }| >}|j ||||jj|jj|} || dk|j |} |j |} |||| | |} | dkrm|tdWdn1swwY|j||} || dk| |} |j| |jj } |j|| } || dk||} t||| S)Nrhz'Unable to derive key from private_value)r _ec_key_determine_group_get_funcrnrrrlrrrr rr EC_POINT_mul BN_CTX_getrrrrrr)r~rrr[get_funcrrvaluerrbn_xbn_yprivaterr]r]r^!derive_elliptic_curve_private_keyZs8         z)Backend.derive_elliptic_curve_private_keycCrtr)r_ec_key_new_by_curve_nid)r~rrr]r]r^rs  zBackend._ec_key_new_by_curvercCs0|j|}|||jjk|j||jjSr)rnEC_KEY_new_by_curve_namerrlrrrT)r~rr[r]r]r^r s z Backend._ec_key_new_by_curve_nidcCs,|jr t||js dS||ot|tjSr)rpr_fips_ecdh_curvesrr+ECDH)r~rrr]r]r^+elliptic_curve_exchange_algorithm_supporteds z3Backend.elliptic_curve_exchange_algorithm_supportedcCr1r)r0rnEVP_PKEY_set1_EC_KEYr)r~r[rrr]r]r^rr3zBackend._ec_cdata_to_evp_pkeycCsNddd}||j|j}|j|}||jjkr%td|jtj |S)z/ Get the NID for a curve name. prime192v1 prime256v1) secp192r1 secp256r1z${} is not a supported elliptic curve) getrrn OBJ_sn2nidrrrrrr)r~r curve_aliases curve_namerr]r]r^rs   zBackend._elliptic_curve_to_nidc csd|j}|||jjk|j||jj}|j|z |VW|j|dS|j|wr) rn BN_CTX_newrrlrr BN_CTX_free BN_CTX_start BN_CTX_end)r~rr]r]r^rs  zBackend._tmp_bn_ctxcCs|||jjk|jd}|||jjk|j|}|||jjk|j|}|||jjk|j|}|||jjk||krR|jj rR|jj }n|jj }|sZJ||fS)zu Given an EC_KEY determine the group and what function is required to get point coordinates. scharacteristic-two-field) rrlrrnrrrEC_GROUP_method_ofEC_METHOD_get_field_typeCryptography_HAS_EC2M$EC_POINT_get_affine_coordinates_GF2m#EC_POINT_get_affine_coordinates_GFp)r~rl nid_two_fieldrmethodnidrr]r]r^rs     z(Backend._ec_key_determine_group_get_funcrr~cCst|dks|dkr td|j|||jj}|j|||jj}|j|||}|dkr8|tddS)zg Sets the public key point in the EC_KEY context to the affine x and y values. rz2Invalid EC key. Both x and y must be non-negative.rhrN)rrlrr rnr(EC_KEY_set_public_key_affine_coordinatesr)r~rlrr~rr]r]r^rsz1Backend._ec_key_set_public_key_affine_coordinatesencodingrencryption_algorithmc CsNt|tjs tdt|tjstdt|tjstdt|tjr'd}n4t|tjr;|j}t |dkr:t dn t|tj rW|j |urNtjj urWnt d|j}nt d|tjjur|tjjurl|jj}n|tjjurw|jj}nt d||||S|tjjur |jrt|tjst d |j|} |tjjur| |jjkr|jj}n| |jjkr|jj}n| |jjkr|jj}nt d ||||S|tjjur|rt d | |jjkr|jj}n| |jjkr|jj}n| |jjkr|jj }nt d |!||St d |tjj ur#|tjjurt"#|||St d t d)N/encoding must be an item from the Encoding enumz2format must be an item from the PrivateFormat enumzBEncryption algorithm must be a KeySerializationEncryption instanceizBPasswords longer than 1023 bytes are not supported by this backendzUnsupported encryption typezUnsupported encoding for PKCS8zCEncrypted traditional OpenSSL format is not supported in FIPS mode.z+Unsupported key type for TraditionalOpenSSLzDEncryption is not supported for DER encoded traditional OpenSSL keysz+Unsupported encoding for TraditionalOpenSSLz=OpenSSH private key format can only be used with PEM encodingformat is invalid with this key)$rr'rr PrivateFormatKeySerializationEncryption NoEncryptionBestAvailableEncryptionrArr_KeySerializationEncryption_formatOpenSSHPKCS8PEMrnPEM_write_bio_PKCS8PrivateKeyri2d_PKCS8PrivateKey_bio_private_key_bytes_via_bioTraditionalOpenSSLrprFrGPEM_write_bio_RSAPrivateKeyrOPEM_write_bio_DSAPrivateKeyrRPEM_write_bio_ECPrivateKeyrMi2d_ECPrivateKey_bioi2d_DSAPrivateKey_bio_bio_func_outputrP_serialize_ssh_private_key) r~r$rr%rrcdatarA write_biorYr]r]r^_private_key_bytess                         zBackend._private_key_bytesc Cs<|s|jj}n|jd}|||||t||jj|jjS)Ns aes-256-cbc)rlrrnEVP_get_cipherbynamer;r)r~r>rrArr]r]r^r4`s  z"Backend._private_key_bytes_via_biocGs0|}||g|R}||dk||Sr)r<rr@)r~r>argsrWrr]r]r^r;qs zBackend._bio_func_outputcCst|tjs tdt|tjstd|tjjur:|tjjur%|jj}n|tjj ur0|jj }nt d| ||S|tjj urp|j|}||jjkrPt d|tjjur[|jj}n|tjj urf|jj}nt d| ||S|tjjur|tjjurt|St dt d)Nr&z1format must be an item from the PublicFormat enumz8SubjectPublicKeyInfo works only with PEM or DER encodingz+PKCS1 format is supported only for RSA keysz)PKCS1 works only with PEM or DER encodingz1OpenSSH format must be used with OpenSSH encodingr()rr'rr PublicFormatSubjectPublicKeyInfor1rnPEM_write_bio_PUBKEYri2d_PUBKEY_biorr;PKCS1rFrGPEM_write_bio_RSAPublicKeyr^r/rPserialize_ssh_public_key)r~r$rrrr=r>rYr]r]r^_public_key_bytesws@                   zBackend._public_key_bytescC |jj SrrnrKr}r]r]r^ dh_supportedrzBackend.dh_supported generatorcCs|tjkr tdtj|dvrtd|j}|||jjk|j ||jj }|j ||||jj}|dkrD| }td|t ||S)Nz$DH key_size must be at least {} bits)zDH generator must be 2 or 5rhz Unable to generate DH parameters)r)_MIN_MODULUS_SIZErrrnDH_newrrlrrrVDH_generate_parameters_exrr )r~rMrdh_param_cdatarrr]r]r^generate_dh_parameterss$     zBackend.generate_dh_parameterscCr1r)r0rnEVP_PKEY_set1_DHr)r~r\rrr]r]r^_dh_cdata_to_evp_pkeyr3zBackend._dh_cdata_to_evp_pkeycCs<t|j|}|j|}||dk||}t|||Sr)r _dh_cdatarnDH_generate_keyrrVr )r~rn dh_key_cdatarrr]r]r^generate_dh_private_keys   zBackend.generate_dh_private_keycCs||||Sr)rZrT)r~rMrr]r]r^&generate_dh_private_key_and_parameterss z.Backend.generate_dh_private_key_and_parametersc Cs8|jj}|j}|||jjk|j||jj}| |j }| |j }|j dur3| |j }n|jj}| |jj }| |j}|j||||} || dk|j|||} || dk|jdd} |j|| } || dk| ddkr|j dkr| d|jjAdkstd||} t||| S)Nrhint[]rrNz.DH private numbers did not pass safety checks.)r%r}rnrQrrlrrrVr rrxr r~r DH_set0_pqg DH_set0_keyrDH_checkDH_NOT_SUITABLE_GENERATORrrVr ) r~rr}r\rrxr ryrzrcodesrr]r]r^load_dh_private_numberss4        zBackend.load_dh_private_numbersc Cs|j}|||jjk|j||jj}|j}||j }||j }|j dur2||j }n|jj}||j }|j ||||}||dk|j|||jj}||dk||} t||| Sr)rnrQrrlrrrVr}r rrxr r~r]r^rVr) r~rr\r}rrxr ryrrr]r]r^load_dh_public_numberss       zBackend.load_dh_public_numberscCs|j}|||jjk|j||jj}||j}||j }|j dur/||j }n|jj}|j ||||}||dkt ||Sr) rnrQrrlrrrVr rrxr r]r )r~rr\rrxr rr]r]r^load_dh_parameter_numbers3s     z!Backend.load_dh_parameter_numbersrrxr cCs|j}|||jjk|j||jj}||}||}|dur+||}n|jj}|j||||}||dk|j dd}|j ||}||dk|ddkS)Nrhr\r) rnrQrrlrrrVr r]rr_)r~rrxr r\rrar]r]r^dh_parameters_supportedGs     zBackend.dh_parameters_supportedcCs |jjdkSr)rnrzr}r]r]r^dh_x942_serialization_supported_rz'Backend.dh_x942_serialization_supportedcCsht|dkr td|}|j||jj}||dk|j||t|}||dkt||S)N z%An X25519 public key is 32 bytes longrh) rrr0rnEVP_PKEY_set_type NID_X25519rEVP_PKEY_set1_tls_encodedpointr$)r~r4rrr]r]r^x25519_load_public_bytesbs   z Backend.x25519_load_public_bytescCst|dkr tdd}|d#}||dd<||dd<||}|j|j|jj}Wdn1s7wY| ||jjk|j ||jj }| |j ||jj kt||S)Nrgz&An X25519 private key is 32 bytes longs0.0+en" 0r)rr_zeroed_bytearrayr8rnrrWrlrrrr.rFrXr#)r~r4 pkcs8_prefixbarWrr]r]r^x25519_load_private_bytesqs      z!Backend.x25519_load_private_bytescCs|j||jj}|||jjk|j||jj}|j|}||dk|jd}|j ||}||dk||d|jjk|j|d|jj }|S)Nrh EVP_PKEY **r) rnEVP_PKEY_CTX_new_idrlrrrEVP_PKEY_CTX_freeEVP_PKEY_keygen_initrEVP_PKEY_keygenr.)r~r" evp_pkey_ctxr evp_ppkeyrr]r]r^_evp_pkey_keygen_gcs  zBackend._evp_pkey_keygen_gccC||jj}t||Sr)ryrnrir#r/r]r]r^x25519_generate_key zBackend.x25519_generate_keycCs|jrdS|jj Sr)rprnrJr}r]r]r^x25519_supporteds zBackend.x25519_supportedcCs`t|dkr td|j|jj|jj|t|}|||jjk|j||jj }t ||S)N8z#An X448 public key is 56 bytes long) rrrnEVP_PKEY_new_raw_public_keyNID_X448rlrrrr.r"r~r4rr]r]r^x448_load_public_bytess  zBackend.x448_load_public_bytescCslt|dkr td|j|}|j|jj|jj|t|}|||jjk|j ||jj }t ||S)Nr~z$An X448 private key is 56 bytes long) rrrlrrnEVP_PKEY_new_raw_private_keyrrrrr.r!r~r4r7rr]r]r^x448_load_private_bytess   zBackend.x448_load_private_bytescCrzr)ryrnrr!r/r]r]r^x448_generate_keyr|zBackend.x448_generate_keycC|jrdS|jj o|jj Sr)rprnrJrKr}r]r]r^x448_supported  zBackend.x448_supportedcCs|jrdS|jjSr)rprn CRYPTOGRAPHY_HAS_WORKING_ED25519r}r]r]r^ed25519_supportedszBackend.ed25519_supportedcCsntd|t|tjkrtd|j|jj|j j |t|}| ||j j k|j ||jj }t||S)Nr4z&An Ed25519 public key is 32 bytes long)r _check_bytesrr-_ED25519_KEY_SIZErrnr NID_ED25519rlrrrr.rrr]r]r^ed25519_load_public_bytess  z!Backend.ed25519_load_public_bytescCszt|tjkr tdtd||j|}|j |jj |jj |t|}| ||jj k|j ||jj}t||S)Nz'An Ed25519 private key is 32 bytes longr4)rr-rrrrrlrrnrrrrrr.rrr]r]r^ed25519_load_private_bytess   z"Backend.ed25519_load_private_bytescCrzr)ryrnrrr/r]r]r^ed25519_generate_keyr|zBackend.ed25519_generate_keycCrr)rprn#CRYPTOGRAPHY_OPENSSL_LESS_THAN_111BrKr}r]r]r^ed448_supportedrzBackend.ed448_supportedcCsltd|t|tkrtd|j|jj|jj |t|}| ||jj k|j ||jj }t ||S)Nr4z$An Ed448 public key is 57 bytes long)rrrrrrnr NID_ED448rlrrrr.rrr]r]r^ed448_load_public_bytess   zBackend.ed448_load_public_bytescCsxtd|t|tkrtd|j|}|j|jj |jj |t|}| ||jj k|j ||jj }t||S)Nr4z%An Ed448 private key is 57 bytes long)rrrrrrlrrnrrrrrr.rrr]r]r^ed448_load_private_bytes s    z Backend.ed448_load_private_bytescCrzr)ryrnrrr/r]r]r^ed448_generate_keyr|zBackend.ed448_generate_keyr&rc Cs|jd|}|j|}|j|t||t||||tj|| } | dkr9|} d||d} t d | | |j |ddS)NrrhizJNot enough memory to derive key. These parameters require {} MB of memory.) rlrrrnEVP_PBE_scryptrrO _MEM_LIMITr MemoryErrorrr) r~rrrr&rrrrrr min_memoryr]r]r^ derive_scrypts.  zBackend.derive_scryptcCsHt|}|jr||jvrdS|dr|jjdkS|j||jj kS)NFs-sivrh) r_aead_cipher_namerp _fips_aeadendswithrnrr@rlr)r~r cipher_namer]r]r^aead_cipher_supportedAs   zBackend.aead_cipher_supportedc cs2t|}z |VW|||dS|||w)z This method creates a bytearray, which we copy data into (hopefully also from a mutable buffer that can be dynamically erased!), and then zero when we're done. N) bytearray _zero_data)r~rrpr]r]r^rnOs zBackend._zeroed_bytearraycCst|D]}d||<qdSr)range)r~r4rir]r]r^r\s  zBackend._zero_datac cs~|dur |jjVdSt|}|jd|d}|j|||z|VW||jd||dS||jd||w)a This method takes bytes, which can be a bytestring or a mutable buffer like a bytearray, and yields a null-terminated version of that data. This is required because PKCS12_parse doesn't take a length with its password char * and ffi.from_buffer doesn't provide null termination. So, to support zeroing the data via bytearray we need to build this ridiculous construct that copies the memory, but zeroes it after use. Nrrhz uint8_t *)rlrrrmemmovercast)r~r4data_lenrr]r]r^_zeroed_null_terminated_bufcs 2z#Backend._zeroed_null_terminated_bufcCs2|||}|j|jr|jjnddd|jDfS)NcSsg|]}|jqSr]) certificate)rrr]r]r^ szABackend.load_key_and_certificates_from_pkcs12..) load_pkcs12rrradditional_certs)r~r4rApkcs12r]r]r^%load_key_and_certificates_from_pkcs12zs z-Backend.load_key_and_certificates_from_pkcs12cCsr|dur td|||}|j|j|jj}||jjkr'|t d|j ||jj }|j d}|j d}|j d}| |}|j|||||} Wdn1s\wY| dkrm|t dd} d} g} |d|jjkr|j |d|jj} |j| dd } |d|jjkr|j |d|jj}||}d}|j||jj}||jjkr|j|}t||} |d|jjkr3|j |d|jj}|j|d}|jjs|jjrt|}ntt|}|D]@}|j||}|||jjk|j ||jj}||}d}|j||jj}||jjkr*|j|}| t||qt| | | S) NrAz!Could not deserialize PKCS12 datarrzX509 **zCryptography_STACK_OF_X509 **rzInvalid password or PKCS12 dataFr) rrr8rnd2i_PKCS12_biorWrlrrrr PKCS12_freerr PKCS12_parser.r]rrX509_alias_get0rrT sk_X509_free sk_X509_numrrKrreversed sk_X509_valuerr{rU)r~r4rArWp12 evp_pkey_ptrx509_ptr sk_x509_ptr password_bufrrradditional_certificatesrrcert_objr maybe_namesk_x509rindicesr addl_cert addl_namer]r]r^rsr                 zBackend.load_pkcs12rcascCsd}|dur td|t|tjrd}d}d} d} |jj} nt|tjrF|jj r2|jj }|jj }n|jj }|jj }d} d} |jj} |j }nst|tj r|jtjjurd}d}d} d} |j }|j} | tjuro|jj }|jj }n| tjur|jj s|td|jj }|jj }n| dusJ|jdur|jjstd||j} || |jjkn|jj} |jdur|j} ntd|dust|dkr|jj} nb|j} |j| |jj} g}|D]O}t|t r|j!}|"|j#}|$|}|j%||d}||dkWdn 1s wYn|"|}|&||j'| |}t(|dkq|$|`}|$|0}|r>|"|n|jj}|durK|j)}n|jj}|j*||||| ||| | d }Wdn 1siwY|jjr| |jjkr|j+||d|jjd| | Wdn 1swY|||jjk|j||jj,}|-}|j.||}||dk|/|S) Nrrri Nrhz2PBESv2 is not supported by this version of OpenSSLzBSetting MAC algorithm is not supported by this version of OpenSSL.zUnsupported key encryption type)0rrrr'r+rlrr,rnrNID_aes_256_cbc&NID_pbe_WithSHA1And3_Key_TripleDES_CBCrAr-r.r)PKCS12_key_cert_algorithmrSPBESv1SHA1And3KeyTripleDESCBCPBESv2SHA256AndAES256CBCr _hmac_hashCryptography_HAS_PKCS12_SET_MACrr _kdf_roundsrrsk_X509_new_nullrrrT friendly_namerrrX509_alias_set1r{ sk_X509_pushbackendr PKCS12_createPKCS12_set_macrr<i2d_PKCS12_bior@)r~rrrrr%rAnid_certnid_key pkcs12_itermac_itermac_alg keycertalgrossl_cascaca_aliasossl_ca ca_name_bufrrname_buf ossl_certrrrWr]r]r^(serialize_key_and_certificates_to_pkcs12s                      # z0Backend.serialize_key_and_certificates_to_pkcs12cCrr)rprnCryptography_HAS_POLY1305r}r]r]r^poly1305_supportedp s zBackend.poly1305_supportedcCs*td|t|tkrtdt||S)NrzA poly1305 key is 32 bytes long)rrrrrr)r~rr]r]r^create_poly1305_ctxu s   zBackend.create_poly1305_ctxcCrJrrKr}r]r]r^pkcs7_supported| rzBackend.pkcs7_supportedcCsntd|||}|j|j|jj|jj|jj}||jjkr)|t d|j ||jj }| |SNr4zUnable to parse PKCS7 data) rrr8rnPEM_read_bio_PKCS7rWrlrrrr PKCS7_free_load_pkcs7_certificatesr~r4rWp7r]r]r^load_pem_pkcs7_certificates s    z#Backend.load_pem_pkcs7_certificatescCsbtd|||}|j|j|jj}||jjkr#|t d|j ||jj }| |Sr) rrr8rn d2i_PKCS7_biorWrlrrrrrrrr]r]r^load_der_pkcs7_certificates s    z#Backend.load_der_pkcs7_certificatesc Cs|j|j}|||jjk||jjkrtd|tj |j j j }|j |}g}t|D]2}|j||}|||jjk|j|}||dk|j||jj}||} || q0|S)NzNOnly basic signed structures are currently supported. NID for this data was {}rh)rn OBJ_obj2nidrrrNID_pkcs7_signedrrrUNSUPPORTED_SERIALIZATIONr!signrrrrrlr X509_up_refrrrr{) r~rr"rrcertsrrrrr]r]r^r s(       z Backend._load_pkcs7_certificatesr)rN)rZr[r\__doc__rrr:rr&rarbrcrd SHA512_224 SHA512_256SHA3_224SHA3_256SHA3_384SHA3_512SHAKE128SHAKE256rr+ SECP224R1 SECP256R1 SECP384R1 SECP521R1r _fips_rsa_min_key_size_fips_rsa_min_public_exponent_fips_dsa_min_modulus_fips_dh_min_key_size_fips_dh_min_modulusrstrrrtypingOptionalListr% _OpenSSLErrorrrorr contextlibrrrwrrrrbytes HashAlgorithmrrrrrrrr HashContextrr9rNrrrrrrrrrr_OpenSSLErrorWithTextrrr r. RSAPrivateKeyrrRSAPrivateNumbersr*RSAPublicNumbers RSAPublicKeyr,r0rr8r<r@r6r]r7r`rer(rir* DSAParametersrm DSAPrivateKeyrsrur{DSAPrivateNumbersrDSAPublicNumbers DSAPublicKeyrDSAParameterNumbersrrrrrrr8r rrrr) DHParametersrrNrr_rr CertificateAnyrrCertificateSigningRequestrCertificateRevocationListrr5rrrrNoReturnr EllipticCurverEllipticCurveSignatureAlgorithmrEllipticCurvePrivateKeyrEllipticCurvePrivateNumbersrEllipticCurvePublicNumbersEllipticCurvePublicKeyrrrrr r r rrrrrr'rr)r*r?r4r;rBrIrLrTrV DHPrivateKeyrZr[DHPrivateNumbersrbDHPublicNumbers DHPublicKeyrcDHParameterNumbersrdrerfr0X25519PublicKeyrkX25519PrivateKeyrqryr{r}r/ X448PublicKeyrX448PrivateKeyrrrrr-Ed25519PublicKeyrEd25519PrivateKeyrrrr,Ed448PublicKeyrEd448PrivateKeyrrrrIteratorrrnrrTuplerrUrrQrRrrrrrrrrr]r]r]r^r_sb               D          )     F9         *    4/        '     z 7    0    $    #   K    r_c@s0eZdZdefddZdededefddZd S) rfmtcCs ||_dSr)_fmt)r~r:r]r]r^r rzGetCipherByName.__init__rrrcCsd|jj||d}|j|d}||jjkr,|jjr,|j |jj|d|jj}| |S)N)rrr) r;rlowerrnr@rrlrCryptography_HAS_300_EVP_CIPHEREVP_CIPHER_fetchr)r~rrrrrr]r]r^__call__ s zGetCipherByName.__call__N) rZr[r\r rr_r9rNr?r]r]r]r^r srrrcCs"d|jd}|j|dS)Nz aes-{}-xtsrNr)rrrnr@r)rrrrr]r]r^r sr){ collectionsrrr rtr cryptographyrrcryptography.exceptionsrr$cryptography.hazmat.backends.opensslr,cryptography.hazmat.backends.openssl.ciphersr)cryptography.hazmat.backends.openssl.cmacr 'cryptography.hazmat.backends.openssl.dhr r r r(cryptography.hazmat.backends.openssl.dsarrr'cryptography.hazmat.backends.openssl.ecrr*cryptography.hazmat.backends.openssl.ed448rrr,cryptography.hazmat.backends.openssl.ed25519rr+cryptography.hazmat.backends.openssl.hashesr)cryptography.hazmat.backends.openssl.hmacr-cryptography.hazmat.backends.openssl.poly1305rr(cryptography.hazmat.backends.openssl.rsarr )cryptography.hazmat.backends.openssl.x448r!r"+cryptography.hazmat.backends.openssl.x25519r#r$"cryptography.hazmat.bindings._rustr$cryptography.hazmat.bindings.opensslr%cryptography.hazmat.primitivesr&r'*cryptography.hazmat.primitives._asymmetricr()cryptography.hazmat.primitives.asymmetricr)r*r+r,r-r.r/r01cryptography.hazmat.primitives.asymmetric.paddingr1r2r3r4/cryptography.hazmat.primitives.asymmetric.typesr5r6r7&cryptography.hazmat.primitives.ciphersr8r91cryptography.hazmat.primitives.ciphers.algorithmsr:r;r<r=r>r?r@rArBrCrDrE,cryptography.hazmat.primitives.ciphers.modesrFrGrHrIrJrKrLrMrN"cryptography.hazmat.primitives.kdfrO,cryptography.hazmat.primitives.serializationrP3cryptography.hazmat.primitives.serialization.pkcs12rQrRrSrTrU namedtuplerVrYr_rrrr]r]r]r^sv         ( 8, B