o gàeeŸã@s¶ddlZddlZddlZddlZddlZddlmZddlmZmZddl m Z m Z ddl m Z mZmZmZmZddlmZmZmZmZmZmZmZmZmZmZmZmZmZddl m!Z!ddl"m#Z#dd l$m%Z%dd l&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/dd l0m1Z1m2Z2m3Z3m4Z4dd l5m6Z6m7Z7m8Z8dd l9m:Z:m;Z;ddlZ>ddl?m@Z@mAZAmBZBddlCmDZDmEZEmFZFmGZGmHZHmIZImJZJmKZKmLZLddlMmNZNddlOmPZPddlQmRZRmSZSddlTmUZUmVZVddlWmXZXmYZYddlZm[Z[m\Z\ddl]m^Z^m_Z_ddl`maZambZbmcZcmdZdddlemfZfddlgmhZhmiZiddljmkZkmlZlmmZmmnZnmoZompZpddlqmrZrmsZsmtZtmuZuddlvmwZwmxZxmyZymzZzm{Z{m|Z|m}Z}m~Z~mZddl€mZm‚Z‚mƒZƒm„Z„m…Z…m†Z†m‡Z‡mˆZˆddl‰mŠZŠdd l‹mŒZŒmZdd!lŽmZe d"d#d$g¡Z‘Gd%d&„d&e’ƒZ“e ”e¡e ”e¡e ”e¡e ”e¡e ”e¡e ”e¡e ”e¡e ”e¡e ”e¡e ”e¡e ”e¡e ”e¡e •ef –¡j—j˜e¡Gd'd(„d(e’ƒƒƒƒƒƒƒƒƒƒƒƒƒƒZ™Gd)d*„d*e’ƒZšd+d,„Z›e™ƒZœdS)-éN)Úcontextmanager)ÚutilsÚx509)ÚUnsupportedAlgorithmÚ_Reasons)ÚINTEGERÚNULLÚSEQUENCEÚ encode_derÚencode_der_integer) Ú CMACBackendÚ CipherBackendÚDERSerializationBackendÚ DHBackendÚ DSABackendÚEllipticCurveBackendÚ HMACBackendÚ HashBackendÚPBKDF2HMACBackendÚPEMSerializationBackendÚ RSABackendÚ ScryptBackendÚ X509Backend)Úaead)Ú_CipherContext©Ú _CMACContext) Ú_CRL_ENTRY_REASON_ENUM_TO_CODEÚ_CRL_EXTENSION_HANDLERSÚ_EXTENSION_HANDLERS_BASEÚ_EXTENSION_HANDLERS_SCTÚ"_OCSP_BASICRESP_EXTENSION_HANDLERSÚ_OCSP_REQ_EXTENSION_HANDLERSÚ'_OCSP_SINGLERESP_EXTENSION_HANDLERS_SCTÚ_REVOKED_EXTENSION_HANDLERSÚ_X509ExtensionParser)Ú _DHParametersÚ _DHPrivateKeyÚ _DHPublicKeyÚ_dh_params_dup)Ú_DSAParametersÚ_DSAPrivateKeyÚ _DSAPublicKey)Ú_EllipticCurvePrivateKeyÚ_EllipticCurvePublicKey)Ú_Ed25519PrivateKeyÚ_Ed25519PublicKey)Ú_ED448_KEY_SIZEÚ_Ed448PrivateKeyÚ_Ed448PublicKey) Ú$_CRL_ENTRY_EXTENSION_ENCODE_HANDLERSÚ_CRL_EXTENSION_ENCODE_HANDLERSÚ_EXTENSION_ENCODE_HANDLERSÚ)_OCSP_BASICRESP_EXTENSION_ENCODE_HANDLERSÚ'_OCSP_REQUEST_EXTENSION_ENCODE_HANDLERSÚ_encode_asn1_int_gcÚ_encode_asn1_str_gcÚ_encode_name_gcÚ _txt2obj_gc©Ú _HashContext©Ú _HMACContext)Ú _OCSPRequestÚ _OCSPResponse)Ú_POLY1305_KEY_SIZEÚ_Poly1305Context)Ú_RSAPrivateKeyÚ _RSAPublicKey)Ú_X25519PrivateKeyÚ_X25519PublicKey)Ú_X448PrivateKeyÚ_X448PublicKey)Ú _CertificateÚ_CertificateRevocationListÚ_CertificateSigningRequestÚ_RevokedCertificate)Úbinding)ÚhashesÚ serialization)ÚdhÚdsaÚecÚed25519Úed448Úrsa)ÚMGF1ÚOAEPÚPKCS1v15ÚPSS) ÚAESÚARC4ÚBlowfishÚCAST5ÚCamelliaÚChaCha20ÚIDEAÚSEEDÚ TripleDES)ÚCBCÚCFBÚCFB8ÚCTRÚECBÚGCMÚOFBÚXTS)Úscrypt)Úpkcs7Ússh)ÚocspÚ _MemoryBIOÚbioÚchar_ptrc@s eZdZdS)Ú_RC2N)Ú__name__Ú __module__Ú __qualname__©rxrxúN/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.pyrt srtc @sjeZdZdZdZhd£ZeefZe j e j e j e j e je je je je je je je je jf ZdZdZdd>ZdZde>Zdd„Zd(d d „Zd d „Zdd„Z e!j"dd„ƒZ#dd„Z$dd„Z%dd„Z&dd„Z'dd„Z(dd„Z)dd„Z*d d!„Z+d"d#„Z,d$d%„Z-d&d'„Z.d(d)„Z/d*d+„Z0d,d-„Z1d.d/„Z2d0d1„Z3d2d3„Z4d4d5„Z5d6d7„Z6d8d9„Z7d:d;„Z8dd?„Z:d@dA„Z;dBdC„ZdHdI„Z?dJdK„Z@dLdM„ZAdNdO„ZBdPdQ„ZCdRdS„ZDdTdU„ZEdVdW„ZFdXdY„ZGdZd[„ZHd\d]„ZId^d_„ZJd`da„ZKdbdc„ZLddde„ZMdfdg„ZNdhdi„ZOdjdk„ZPdldm„ZQdndo„ZRdpdq„ZSdrds„ZTdtdu„ZUdvdw„ZVdxdy„ZWdzd{„ZXd|d}„ZYd~d„ZZd€d„Z[d‚dƒ„Z\d„d…„Z]d†d‡„Z^dˆd‰„Z_dŠd‹„Z`dŒd„ZadŽd„Zbdd‘„Zcd’d“„Zdd”d•„Zed–d—„Zfd˜d™„Zgdšd›„Zhdœd„ZidždŸ„Zjd d¡„Zkd¢d£„Zld¤d¥„Zmd¦d§„Znd¨d©„Zodªd«„Zpd¬d­„Zqd®d¯„Zrd°d±„Zsd²d³„Ztd´dµ„Zud¶d·„Zvd¸d¹„Zwdºd»„Zxd¼d½„Zyd¾d¿„ZzdÀdÁ„Z{dÂdÄZ|dÄdÅ„Z}dÆdÇ„Z~e"dÈdÉ„ƒZdÊdË„Z€dÌdÍ„ZdÎdÏ„Z‚dÐdÑ„ZƒdÒdÓ„Z„dÔdÕ„Z…dÖdׄZ†dØdÙ„Z‡dÚdÛ„ZˆdÜdÝ„Z‰dÞdß„ZŠdàdá„Z‹dâdã„ZŒdädå„Zd(dædç„ZŽdèdé„Zdêdë„Zdìdí„Z‘dîdï„Z’dðdñ„Z“dòdó„Z”dôdõ„Z•död÷„Z–dødù„Z—dúdû„Z˜düdý„Z™dþdÿ„Zšdd„Z›dd„Zœdd„Zdd„Zždd „ZŸd d „Z d d „Z¡dd„Z¢dd„Z£e!j"dd„ƒZ¤dd„Z¥e!j"dd„ƒZ¦dd„Z§dd„Z¨dd„Z©dd„Zªd d!„Z«d"d#„Z¬d$d%„Z­d&d'„Z®d S()ÚBackendz) OpenSSL API binding interfaces. Úopenssl>ó aes-128-ccmó aes-128-gcmó aes-192-ccmó aes-192-gcmó aes-256-ccmó aes-256-gcméiécCs–t ¡|_|jj|_|jj|_| ¡|_i|_ |  ¡|  ¡|  ¡|jr1|jj r1t dt¡n| ¡|jjg|_|jjrI|j |jj¡dSdS)Nzõsz*Backend._is_fips_enabled..r)Úgetattrr‰ÚERR_clear_errorÚbool)r›Ú fips_modeÚmoderxrxryrŠôs  zBackend._is_fips_enabledcCsn|jjr3|j ¡}||jjkr5|j |¡|j |jj¡}| |dk¡|j |¡}| |dk¡dSdSdS©Nrƒ) r‰rÚENGINE_get_default_RANDr‡rÚENGINE_unregister_RANDÚRAND_set_rand_methodr Ú ENGINE_finish©r›ÚeÚresrxrxryÚactivate_builtin_randomüs    özBackend.activate_builtin_randomc cs¶|j |jj¡}| ||jjk¡|j |¡}| |dk¡z |VW|j |¡}| |dk¡|j |¡}| |dk¡dS|j |¡}| |dk¡|j |¡}| |dk¡wrª) r‰Ú ENGINE_by_idÚCryptography_osrandom_engine_idr r‡rÚ ENGINE_initÚ ENGINE_freer®r¯rxrxryÚ_get_osurandom_engine s€    ü zBackend._get_osurandom_enginecCsx|jjr:| ¡| ¡}|j |¡}| |dk¡Wdƒn1s$wY|j |jj¡}| |dk¡dSdSrª) r‰rr²r·ÚENGINE_set_default_RANDr r­r‡rr¯rxrxryr”s  ý÷z Backend.activate_osrandom_enginec Cst|j dd¡}| ¡}|j |dt|ƒ||jjd¡}| |dk¡Wdƒn1s,wY|j |¡  d¡S)Núchar[]é@sget_implementationrÚascii) r‡Únewr·r‰ÚENGINE_ctrl_cmdÚlenrr ÚstringÚdecode)r›Úbufr°r±rxrxryÚosrandom_engine_implementation)s ÿüz&Backend.osrandom_engine_implementationcCs|j |j |jj¡¡ d¡S)zÀ Friendly string name of the loaded OpenSSL library. This is not necessarily the same version as it was compiled against. Example: OpenSSL 1.1.1d 10 Sep 2019 r»)r‡r¿r‰ÚOpenSSL_versionÚOPENSSL_VERSIONrÀršrxrxryÚopenssl_version_text2s ÿþzBackend.openssl_version_textcCs |j ¡S©N)r‰ÚOpenSSL_version_numršrxrxryÚopenssl_version_number=ó zBackend.openssl_version_numbercCs t|||ƒSrÆr?)r›ÚkeyÚ algorithmrxrxryÚcreate_hmac_ctx@ó zBackend.create_hmac_ctxcCsL|jdks |jdkrd |j|jd¡ d¡}n|j d¡}|j |¡}|S)NÚblake2bÚblake2sz{}{}ér»)ÚnameÚformatÚ digest_sizeÚencoder‰ÚEVP_get_digestbyname)r›rËÚalgÚevp_mdrxrxryÚ_evp_md_from_algorithmCs ÿþ  zBackend._evp_md_from_algorithmcCs | |¡}| ||jjk¡|SrÆ)rØr r‡r©r›rËr×rxrxryÚ_evp_md_non_null_from_algorithmNs z'Backend._evp_md_non_null_from_algorithmcCs,|jr t||jƒs dS| |¡}||jjkS©NF)r‹Ú isinstanceÚ _fips_hashesrØr‡rrÙrxrxryÚhash_supportedSs  zBackend.hash_supportedcCó | |¡SrÆ©rÞ©r›rËrxrxryÚhmac_supportedZrÉzBackend.hmac_supportedcCó t||ƒSrÆr=rárxrxryÚcreate_hash_ctx]rÉzBackend.create_hash_ctxcCs^|jr t||jƒs dSz |jt|ƒt|ƒf}Wn ty"YdSw||||ƒ}|jj|kSrÛ)r‹rÜÚ _fips_ciphersrŒÚtypeÚKeyErrorr‡r)r›Úcipherr©ÚadapterÚ evp_cipherrxrxryÚcipher_supported`s ÿ  zBackend.cipher_supportedcCs0||f|jvrtd ||¡ƒ‚||j||f<dS)Nz"Duplicate registration for: {} {}.)rŒÚ ValueErrorrÒ)r›Ú cipher_clsÚmode_clsrérxrxryÚregister_cipher_adapterjsÿÿzBackend.register_cipher_adaptercCsVtttttttfD] }| t|t dƒ¡q tttttfD] }| t |t dƒ¡qttttfD] }| t |t dƒ¡q.| t tt dƒ¡ttttfD] }| t |t dƒ¡qIttttfD] }| t |t dƒ¡q[t ttgttttg¡D] \}}| ||t dƒ¡qs| ttdƒt dƒ¡| ttdƒt dƒ¡| ttdƒt d ƒ¡| ttt¡dS) Nz+{cipher.name}-{cipher.key_size}-{mode.name}zdes-ede3-{mode.name}zdes-ede3zbf-{mode.name}zseed-{mode.name}z{cipher.name}-{mode.name}Úrc4Úrc2Úchacha20)rerhrirkrfrgrjrïr\ÚGetCipherByNamer`rdr^rcÚ itertoolsÚproductr_rbr]rærtrarlÚ_get_xts_cipher)r›rîrírxrxryrssTýý ÿ ÿ ÿ ÿ  þýÿz!Backend._register_default_cipherscCsæt ¡}t ¡}|jjr| t¡| t¡t||jj |jj |d|_ t||jj |jj |d|_t||jj|jjtd|_t||jj|jjtd|_t||jj|jjtd|_t||jj|jjtd|_t||jj|jj|d|_ dS)N)Ú ext_countÚget_extÚhandlers)!rÚcopyr$r‰ÚCryptography_HAS_SCTÚupdater r#r%ÚX509_get_ext_countÚ X509_get_extÚ_certificate_extension_parserÚsk_X509_EXTENSION_numÚsk_X509_EXTENSION_valueÚ_csr_extension_parserÚX509_REVOKED_get_ext_countÚX509_REVOKED_get_extÚ_revoked_cert_extension_parserÚX509_CRL_get_ext_countÚX509_CRL_get_extrÚ_crl_extension_parserÚOCSP_REQUEST_get_ext_countÚOCSP_REQUEST_get_extr"Ú_ocsp_req_ext_parserÚOCSP_BASICRESP_get_ext_countÚOCSP_BASICRESP_get_extr!Ú_ocsp_basicresp_ext_parserÚOCSP_SINGLERESP_get_ext_countÚOCSP_SINGLERESP_get_extÚ_ocsp_singleresp_ext_parser)r›Ú ext_handlersÚsingleresp_handlersrxrxryrŽ s^  üüüüüü üz"Backend._register_x509_ext_parserscCs6t ¡|_t ¡|_t ¡|_t ¡|_t  ¡|_ dSrÆ) r6rúÚ_extension_encode_handlersr5Ú_crl_extension_encode_handlersr4Ú$_crl_entry_extension_encode_handlersr8Ú'_ocsp_request_extension_encode_handlersr7Ú)_ocsp_basicresp_extension_encode_handlersršrxrxryrÕs ÿÿÿÿzBackend._register_x509_encoderscCót|||tjƒSrÆ)rÚ_ENCRYPT©r›rèr©rxrxryÚcreate_symmetric_encryption_ctxäóz'Backend.create_symmetric_encryption_ctxcCrrÆ)rÚ_DECRYPTrrxrxryÚcreate_symmetric_decryption_ctxçrz'Backend.create_symmetric_decryption_ctxcCrßrÆ)rârárxrxryÚpbkdf2_hmac_supportedêrÉzBackend.pbkdf2_hmac_supportedc Csh|j d|¡}| |¡}|j |¡}|j |t|ƒ|t|ƒ||||¡} | | dk¡|j |¡dd…S)Núunsigned char[]rƒ) r‡r¼rÚÚ from_bufferr‰ÚPKCS5_PBKDF2_HMACr¾r Úbuffer) r›rËÚlengthÚsaltÚ iterationsÚ key_materialrÁr×Úkey_material_ptrr±rxrxryÚderive_pbkdf2_hmacís  ø zBackend.derive_pbkdf2_hmaccCó t |j¡SrÆ)rOÚ_consume_errorsr‰ršrxrxryr,rÍzBackend._consume_errorscCr+rÆ)rOÚ_consume_errors_with_textr‰ršrxrxryr-rÍz!Backend._consume_errors_with_textcCsx||jjksJ‚|j |¡}|j d|¡}|j ||¡}| |dk¡t |j  |¡d|…d¡}|j  |¡r:| }|S)Nr!rÚbig) r‡rr‰Ú BN_num_bytesr¼Ú BN_bn2binr ÚintÚ from_bytesr$ÚBN_is_negative)r›ÚbnÚ bn_num_bytesÚbin_ptrÚbin_lenÚvalrxrxryÚ _bn_to_ints  zBackend._bn_to_intcCsn|dus ||jjks J‚|dur|jj}| t| ¡ddƒd¡}|j |t|ƒ|¡}| ||jjk¡|S)a  Converts a python integer to a BIGNUM. The returned BIGNUM will not be garbage collected (to support adding them to structs that take ownership of the object). Be sure to register it for GC if it will be discarded after use. Ng @rƒr.) r‡rÚto_bytesr1Ú bit_lengthr‰Ú BN_bin2bnr¾r )r›Únumr4ÚbinaryÚbn_ptrrxrxryÚ _int_to_bnszBackend._int_to_bncCst ||¡|j ¡}| ||jjk¡|j ||jj¡}|  |¡}|j ||jj ¡}|j  ||||jj¡}| |dk¡|  |¡}t |||ƒSrª)rWÚ_verify_rsa_parametersr‰ÚRSA_newr r‡rÚgcÚRSA_freer@ÚBN_freeÚRSA_generate_key_exÚ_rsa_cdata_to_evp_pkeyrE)r›Úpublic_exponentÚkey_sizeÚ rsa_cdatar4r±Úevp_pkeyrxrxryÚgenerate_rsa_private_key$s    ÿ  z Backend.generate_rsa_private_keycCs|dko |d@dko |dkS)Nérƒrirx)r›rHrIrxrxryÚ!generate_rsa_parameters_supported6s  ÿýz)Backend.generate_rsa_parameters_supportedc Cs2t |j|j|j|j|j|j|jj |jj ¡|j   ¡}|  ||jjk¡|j ||j j¡}| |j¡}| |j¡}| |j¡}| |j¡}| |j¡}| |j¡}| |jj ¡} | |jj ¡} |j  |||¡} |  | dk¡|j  || | |¡} |  | dk¡|j  ||||¡} |  | dk¡| |¡} t||| ƒSrª)rWÚ_check_private_key_componentsÚpÚqÚdÚdmp1Údmq1ÚiqmpÚpublic_numbersr°Únr‰rBr r‡rrCrDr@ÚRSA_set0_factorsÚ RSA_set0_keyÚRSA_set0_crt_paramsrGrE) r›ÚnumbersrJrPrQrRrSrTrUr°rWr±rKrxrxryÚload_rsa_private_numbers=s:ø         z Backend.load_rsa_private_numberscCst |j|j¡|j ¡}| ||jjk¡|j  ||jj ¡}|  |j¡}|  |j¡}|j  ||||jj¡}| |dk¡|  |¡}t|||ƒSrª)rWÚ_check_public_key_componentsr°rWr‰rBr r‡rrCrDr@rYrGrF)r›r[rJr°rWr±rKrxrxryÚload_rsa_public_numbers]s     zBackend.load_rsa_public_numberscCs2|j ¡}| ||jjk¡|j ||jj¡}|SrÆ)r‰Ú EVP_PKEY_newr r‡rrCÚ EVP_PKEY_free©r›rKrxrxryÚ_create_evp_pkey_gcjs zBackend._create_evp_pkey_gccCó(| ¡}|j ||¡}| |dk¡|Srª)rbr‰ÚEVP_PKEY_set1_RSAr )r›rJrKr±rxrxryrGpózBackend._rsa_cdata_to_evp_pkeycCsH|j |¡}|j |t|ƒ¡}| ||jjk¡t|j ||jj ¡|ƒS)z® Return a _MemoryBIO namedtuple of (BIO, char*). The char* is the storage for the BIO and it must stay alive until the BIO is finished with. ) r‡r"r‰ÚBIO_new_mem_bufr¾r rrqrCÚBIO_free)r›ÚdataÚdata_ptrrrrxrxryÚ _bytes_to_biovs zBackend._bytes_to_biocCsP|j ¡}| ||jjk¡|j |¡}| ||jjk¡|j ||jj¡}|S)z. Creates an empty memory BIO. )r‰Ú BIO_s_memr r‡rÚBIO_newrCrg)r›Ú bio_methodrrrxrxryÚ_create_mem_bio_gcƒs  zBackend._create_mem_bio_gccCs\|j d¡}|j ||¡}| |dk¡| |d|jjk¡|j |d|¡dd…}|S)zE Reads a memory BIO. This only works on memory BIOs. zchar **rN)r‡r¼r‰ÚBIO_get_mem_datar rr$)r›rrrÁÚbuf_lenÚbio_datarxrxryÚ _read_mem_bioŽs zBackend._read_mem_biocCó¢|j |¡}||jjkr*|j |¡}| ||jjk¡|j ||jj¡}t |||ƒS||jj krN|j  |¡}| ||jjk¡|j ||jj ¡}t |||ƒS||jjkrr|j |¡}| ||jjk¡|j ||jj¡}t|||ƒS||jvr•|j |¡}| ||jjk¡|j ||jj¡}t|||ƒS|t|jddƒkr£t||ƒS|t|jddƒkr±t||ƒS|t|jddƒkr¿t||ƒS|t|jddƒkrÍt||ƒStdƒ‚)zd Return the appropriate type of PrivateKey given an evp_pkey cdata pointer. ÚEVP_PKEY_ED25519NÚ EVP_PKEY_X448ÚEVP_PKEY_X25519ÚEVP_PKEY_ED448úUnsupported key type.)r‰Ú EVP_PKEY_idÚ EVP_PKEY_RSAÚEVP_PKEY_get1_RSAr r‡rrCrDrEÚ EVP_PKEY_DSAÚEVP_PKEY_get1_DSAÚDSA_freer+Ú EVP_PKEY_ECÚEVP_PKEY_get1_EC_KEYÚ EC_KEY_freer-r–ÚEVP_PKEY_get1_DHÚDH_freer'r¥r/rIrGr2r©r›rKÚkey_typerJÚ dsa_cdataÚec_cdataÚdh_cdatarxrxryÚ_evp_pkey_to_private_key™ó<                 z Backend._evp_pkey_to_private_keycCrs)zc Return the appropriate type of PublicKey given an evp_pkey cdata pointer. rtNrurvrwrx)r‰ryrzr{r r‡rrCrDrFr|r}r~r,rr€rr.r–r‚rƒr(r¥r0rJrHr3rr„rxrxryÚ_evp_pkey_to_public_keyÄrŠzBackend._evp_pkey_to_public_keycCs2|jjrt|tjtjtjtjtjfƒSt|tjƒSrÆ) r‰ÚCryptography_HAS_RSA_OAEP_MDrÜrPÚSHA1ÚSHA224ÚSHA256ÚSHA384ÚSHA512rárxrxryÚ_oaep_hash_supportedïsûþ zBackend._oaep_hash_supportedcCsŠt|tƒrdSt|tƒrt|jtƒr| |jj¡St|tƒrCt|jtƒrC| |jj¡oB| |j¡oB|j dupBt |j ƒdkpB|j j dkSdS)NTrrƒF) rÜrZr[Ú_mgfrXrÞÚ _algorithmrYr’Ú_labelr¾r‰ÚCryptography_HAS_RSA_OAEP_LABEL)r›ÚpaddingrxrxryÚrsa_padding_supportedþs  ÿ û zBackend.rsa_padding_supportedc Cs~|dvrtdƒ‚|j ¡}| ||jjk¡|j ||jj¡}|j |||jjd|jj|jj|jj¡}| |dk¡t ||ƒS)N)ir‚i iz0Key size must be 1024, 2048, 3072, or 4096 bits.rrƒ) rìr‰ÚDSA_newr r‡rrCr~ÚDSA_generate_parameters_exr*)r›rIÚctxr±rxrxryÚgenerate_dsa_parameterss$ÿ ù zBackend.generate_dsa_parameterscCsT|j |j¡}| ||jjk¡|j ||jj¡}|j |¡|  |¡}t |||ƒSrÆ) r‰Ú DSAparams_dupÚ _dsa_cdatar r‡rrCr~ÚDSA_generate_keyÚ_dsa_cdata_to_evp_pkeyr+)r›Ú parametersr›rKrxrxryÚgenerate_dsa_private_key's    z Backend.generate_dsa_private_keycCó| |¡}| |¡SrÆ)rœr¢)r›rIr¡rxrxryÚ'generate_dsa_private_key_and_parameters0ó  z/Backend.generate_dsa_private_key_and_parameterscCsB|j ||||¡}| |dk¡|j |||¡}| |dk¡dSrª)r‰Ú DSA_set0_pqgr Ú DSA_set0_key)r›r†rPrQÚgÚpub_keyÚpriv_keyr±rxrxryÚ_dsa_cdata_set_values4szBackend._dsa_cdata_set_valuesc Cs¨t |¡|jj}|j ¡}| ||jjk¡|j  ||jj ¡}|  |j ¡}|  |j ¡}|  |j¡}|  |jj¡}|  |j¡}| ||||||¡| |¡} t||| ƒSrÆ)rSÚ_check_dsa_private_numbersrVÚparameter_numbersr‰r™r r‡rrCr~r@rPrQr¨ÚyÚxr«r r+) r›r[r­r†rPrQr¨r©rªrKrxrxryÚload_dsa_private_numbers:s        z Backend.load_dsa_private_numbersc Cs¢t |j¡|j ¡}| ||jjk¡|j ||jj ¡}|  |jj ¡}|  |jj ¡}|  |jj ¡}|  |j¡}|jj}| ||||||¡| |¡}t|||ƒSrÆ)rSÚ_check_dsa_parametersr­r‰r™r r‡rrCr~r@rPrQr¨r®r«r r,) r›r[r†rPrQr¨r©rªrKrxrxryÚload_dsa_public_numbersMs     zBackend.load_dsa_public_numberscCs†t |¡|j ¡}| ||jjk¡|j ||jj¡}|  |j ¡}|  |j ¡}|  |j ¡}|j  ||||¡}| |dk¡t||ƒSrª)rSr±r‰r™r r‡rrCr~r@rPrQr¨r¦r*)r›r[r†rPrQr¨r±rxrxryÚload_dsa_parameter_numbers^s      z"Backend.load_dsa_parameter_numberscCrcrª)rbr‰ÚEVP_PKEY_set1_DSAr )r›r†rKr±rxrxryr lrezBackend._dsa_cdata_to_evp_pkeycCrßrÆràrárxrxryÚdsa_hash_supportedrrÉzBackend.dsa_hash_supportedcCr¢)NTrx)r›rPrQr¨rxrxryÚdsa_parameters_supportedusz Backend.dsa_parameters_supportedcCs| |td|jƒ¡S)Nó)rëreÚ block_sizerárxrxryÚcmac_algorithm_supportedxsÿz Backend.cmac_algorithm_supportedcCrãrÆrrárxrxryÚcreate_cmac_ctx}rÉzBackend.create_cmac_ctxcCs€t|tjtjfƒr|durtdƒ‚dSt|tjtj t j fƒs"t dƒ‚t|t jƒs,t dƒ‚t|t jƒrtdƒ‚dSdS)Nz8algorithm must be None when signing via ed25519 or ed448z;Key must be an rsa, dsa, ec, ed25519, or ed448 private key.z.Algorithm must be a registered hash algorithm.z2MD5 hash algorithm is only supported with RSA keys)rÜrUÚEd25519PrivateKeyrVÚEd448PrivateKeyrìrWÚ RSAPrivateKeyrSÚ DSAPrivateKeyrTÚEllipticCurvePrivateKeyÚ TypeErrorrPÚ HashAlgorithmÚMD5©r›Ú private_keyrËrxrxryÚ_x509_check_signature_params€s0 ÿÿÿþÿ ÿÿýz$Backend._x509_check_signature_paramsc s°t|tjƒs tdƒ‚ˆ ||¡ˆ ||¡}ˆj ¡}ˆ |ˆj j k¡ˆj   |ˆjj ¡}ˆj  |tjjj¡}ˆ |dk¡ˆj |tˆ|jƒ¡}ˆ |dk¡| ¡}ˆj ||j¡}ˆ |dk¡ˆj ¡}ˆ |ˆj j k¡ˆj   |‡fdd„¡}ˆj|jˆj|ˆjjddˆj ||¡}ˆ |dk¡|jD]!\} } tˆ| jƒ} ˆj  || tj!j"j#j| t$| ƒ¡}ˆ |dk¡q›ˆj %||j|¡}|dkrÓˆ &¡} t'd| ƒ‚t(ˆ|ƒS) NúBuilder type mismatch.rƒcsˆj |ˆj ˆjjd¡¡S)NÚX509_EXTENSION_free)r‰Úsk_X509_EXTENSION_pop_freer‡Ú addressofÚ _original_lib)r¯ršrxryr¤¹s ÿþz)Backend.create_x509_csr..F©Ú extensionsrùÚx509_objÚadd_funcrCrúSigning failed))rÜrÚ CertificateSigningRequestBuilderrÀrÅÚ_evp_md_x509_null_if_eddsar‰Ú X509_REQ_newr r‡rrCÚ X509_REQ_freeÚX509_REQ_set_versionÚVersionÚv1ÚvalueÚX509_REQ_set_subject_namer;Ú _subject_nameÚ public_keyÚX509_REQ_set_pubkeyÚ _evp_pkeyÚsk_X509_EXTENSION_new_nullÚ_create_x509_extensionsÚ _extensionsrÚsk_X509_EXTENSION_insertÚX509_REQ_add_extensionsÚ _attributesr<Ú dotted_stringÚX509_REQ_add1_attr_by_OBJrÑÚ _ASN1TypeÚ UTF8Stringr¾Ú X509_REQ_signr-rìrM) r›ÚbuilderrÄrËr×Úx509_reqr±rÚÚ sk_extensionÚattr_oidÚattr_valÚobjrrxršryÚcreate_x509_csr˜s\     ÿ  þ û  û  zBackend.create_x509_csrc Csvt|tjƒs tdƒ‚| ||¡| ||¡}|j ¡}|j  ||jj ¡}|j  ||j j ¡}| |dk¡|j |t||jƒ¡}| |dk¡|j ||jj¡}| |dk¡t||jƒ}|j ||¡}| |dk¡| |j |¡|j¡| |j |¡|j¡|j|j|j||jj dd|j !|t||j"ƒ¡}| |dk¡|j #||j|¡}|dkr¶| $¡}t%d|ƒ‚t&||ƒS©NrÆrƒTrËrrÏ)'rÜrÚCertificateBuilderrÀrÅrÑr‰ÚX509_newr‡rCÚ X509_freeÚX509_set_versionÚ_versionr×r ÚX509_set_subject_namer;rÙÚX509_set_pubkeyÚ _public_keyrÜr9Ú_serial_numberÚX509_set_serialNumberÚ_set_asn1_timeÚX509_getm_notBeforeÚ_not_valid_beforeÚX509_getm_notAfterÚ_not_valid_afterrÞrßrÚ X509_add_extÚX509_set_issuer_nameÚ _issuer_nameÚ X509_signr-rìrK) r›rèrÄrËr×Ú x509_certr±Ú serial_numberrrxrxryÚcreate_x509_certificateàsR     ÿÿ ÿÿû ÿ  zBackend.create_x509_certificatecCs$t|tjtjfƒr |jjS| |¡SrÆ)rÜrUr»rVr¼r‡rrÚrÃrxrxryrÑ"s  ÿ z"Backend._evp_md_x509_null_if_eddsacCsL|jdkr| d¡ d¡}n| d¡ d¡}|j ||¡}| |dk¡dS)Niz %Y%m%d%H%M%SZr»z %y%m%d%H%M%SZrƒ)ÚyearÚstrftimerÔr‰ÚASN1_TIME_set_stringr )r›Ú asn1_timeÚtimeÚasn1_strr±rxrxryrú+s zBackend._set_asn1_timecCs>|j ¡}| ||jjk¡|j ||jj¡}| ||¡|SrÆ)r‰Ú ASN1_TIME_newr r‡rrCÚASN1_TIME_freerú)r›r r rxrxryÚ_create_asn1_time3s  zBackend._create_asn1_timec Csrt|tjƒs tdƒ‚| ||¡| ||¡}|j ¡}|j  ||jj ¡}|j  |d¡}|  |dk¡|j  |t||jƒ¡}|  |dk¡| |j¡}|j ||¡}|  |dk¡| |j¡}|j ||¡}|  |dk¡|j|j|j||jjdd|jD] } |j | j¡} |  | |jjk¡|j || ¡}|  |dk¡q}|j ||j|¡}|dkr´|  ¡} t!d| ƒ‚t"||ƒSrï)#rÜrÚ CertificateRevocationListBuilderrÀrÅrÑr‰Ú X509_CRL_newr‡rCÚ X509_CRL_freeÚX509_CRL_set_versionr ÚX509_CRL_set_issuer_namer;rrÚ _last_updateÚX509_CRL_set1_lastUpdateÚ _next_updateÚX509_CRL_set1_nextUpdaterÞrßrÚX509_CRL_add_extÚ_revoked_certificatesÚX509_REVOKED_dupÚ _x509_revokedrÚX509_CRL_add0_revokedÚ X509_CRL_signrÜr-rìrL) r›rèrÄrËr×Úx509_crlr±Ú last_updateÚ next_updateÚ revoked_certÚrevokedrrxrxryÚcreate_x509_crl:sF     ÿ  û   zBackend.create_x509_crlc Csdt|ƒD]+\}}| ||¡}| ||jjk¡|r"|j ||jj¡}||||ƒ} | | dk¡qdSrª)Ú enumerateÚ_create_x509_extensionr r‡rrCr‰rÇ) r›rÌrùrÍrÎrCÚiÚ extensionÚx509_extensionr±rxrxryrÞrs ÿ ÷zBackend._create_x509_extensionscCs2t||jjƒ}|j |jj||jrd|¡Sd|¡S)Nrƒr)r<Úoidrãr‰ÚX509_EXTENSION_create_by_OBJr‡rÚcritical)r›r'r×rírxrxryÚ_create_raw_x509_extension€s ÿÿz"Backend._create_raw_x509_extensioncCst|jtjƒrt||jjƒ}| ||¡St|jtjƒr4ttgdd„|jDƒ¢RŽ}t||ƒ}| ||¡St|jtj ƒrHt|tt ƒƒ}| ||¡Sz||j }Wnt y^t d |j ¡ƒ‚w|||jƒ}|j |j j d¡¡}| ||jjk¡|j ||jr„d|¡Sd|¡S)NcSsg|] }ttt|jƒƒ‘qSrx)r rr r×)Ú.0r¯rxrxryÚ sÿÿz2Backend._create_x509_extension..zExtension not supported: {}r»rƒr)rÜr×rÚUnrecognizedExtensionr:r,Ú TLSFeaturer r Ú PrecertPoisonrr)rçÚNotImplementedErrorrÒr‰Ú OBJ_txt2nidrãrÔr Ú NID_undefÚX509V3_EXT_i2dr+)r›rùr'r×Úasn1rÔÚ ext_structÚnidrxrxryr%†sB ÿþþ     ÿÿ  ÿ ÿÿzBackend._create_x509_extensioncCsºt|tjƒs tdƒ‚|j ¡}| ||jjk¡|j  ||jj ¡}t ||j ƒ}|j  ||¡}| |dk¡| |j¡}|j ||¡}| |dk¡|j|j|j||jjddt|d|ƒS)NrÆrƒTrË)rÜrÚRevokedCertificateBuilderrÀr‰ÚX509_REVOKED_newr r‡rrCÚX509_REVOKED_freer9røÚX509_REVOKED_set_serialNumberrÚ_revocation_dateÚX509_REVOKED_set_revocationDaterÞrßrÚX509_REVOKED_add_extrN)r›rèÚ x509_revokedrr±Úrev_daterxrxryÚcreate_x509_revoked_certificate¨s*   ÿ û z'Backend.create_x509_revoked_certificatecCs| |jj|j||¡SrÆ)Ú _load_keyr‰ÚPEM_read_bio_PrivateKeyr‰)r›rhÚpasswordrxrxryÚload_pem_private_keyÁs üzBackend.load_pem_private_keycCsÖ| |¡}|j |j|jj|jj|jj¡}||jjkr)|j ||jj¡}| |¡S|  ¡|j  |j¡}|  |dk¡|j  |j|jj|jj|jj¡}||jjkre|j ||jj ¡}| |¡}t|||ƒS| ¡dSrª)rjr‰ÚPEM_read_bio_PUBKEYrrr‡rrCr`r‹r,Ú BIO_resetr ÚPEM_read_bio_RSAPublicKeyrDrGrFÚ_handle_key_loading_error©r›rhÚmem_biorKr±rJrxrxryÚload_pem_public_keyÉs$ ÿ  ÿ    zBackend.load_pem_public_keycCs^| |¡}|j |j|jj|jj|jj¡}||jjkr)|j ||jj¡}t||ƒS|  ¡dSrÆ) rjr‰ÚPEM_read_bio_DHparamsrrr‡rrCrƒr&rJ)r›rhrLrˆrxrxryÚload_pem_parametersâs ÿ   zBackend.load_pem_parameterscCs:| |¡}| ||¡}|r| |¡S| |jj|j||¡SrÆ)rjÚ"_evp_pkey_from_der_traditional_keyr‰rCr‰Úd2i_PKCS8PrivateKey_bio)r›rhrErqrÊrxrxryÚload_der_private_keyîs   üzBackend.load_der_private_keycCsZ|j |j|jj¡}||jjkr'| ¡|j ||jj¡}|dur%tdƒ‚|S| ¡dS)Nú4Password was given but private key is not encrypted.) r‰Úd2i_PrivateKey_biorrr‡rr,rCr`rÀ)r›rqrErÊrxrxryrPs ÿz*Backend._evp_pkey_from_der_traditional_keycCs¾| |¡}|j |j|jj¡}||jjkr#|j ||jj¡}| |¡S|  ¡|j  |j¡}|  |dk¡|j  |j|jj¡}||jjkrY|j ||jj ¡}| |¡}t|||ƒS| ¡dSrª)rjr‰Úd2i_PUBKEY_biorrr‡rrCr`r‹r,rHr Úd2i_RSAPublicKey_biorDrGrFrJrKrxrxryÚload_der_public_keys    ÿ    zBackend.load_der_public_keycCsº| |¡}|j |j|jj¡}||jjkr#|j ||jj¡}t||ƒS|jj rW|  ¡|j  |j¡}|  |dk¡|j  |j|jj¡}||jjkrW|j ||jj¡}t||ƒS| ¡dSrª)rjr‰Úd2i_DHparams_biorrr‡rrCrƒr&r—r,rHr ÚCryptography_d2i_DHxparams_biorJ)r›rhrLrˆr±rxrxryÚload_der_parameters+s    ÿ   zBackend.load_der_parameterscCób| |¡}|j |j|jj|jj|jj¡}||jjkr#| ¡tdƒ‚|j ||jj ¡}t ||ƒS)Nz{Unable to load certificate. See https://cryptography.io/en/latest/faq.html#why-can-t-i-import-my-pem-file for more details.) rjr‰ÚPEM_read_bio_X509rrr‡rr,rìrCròrK©r›rhrLrrxrxryÚload_pem_x509_certificate?ó ÿ ÿ z!Backend.load_pem_x509_certificatecCóV| |¡}|j |j|jj¡}||jjkr| ¡tdƒ‚|j ||jj ¡}t ||ƒS)NzUnable to load certificate) rjr‰Ú d2i_X509_biorrr‡rr,rìrCròrKr]rxrxryÚload_der_x509_certificateOó   z!Backend.load_der_x509_certificatecCr[)NzsUnable to load CRL. See https://cryptography.io/en/latest/faq.html#why-can-t-i-import-my-pem-file for more details.) rjr‰ÚPEM_read_bio_X509_CRLrrr‡rr,rìrCrrL©r›rhrLrrxrxryÚload_pem_x509_crlYr_zBackend.load_pem_x509_crlcCr`)NzUnable to load CRL) rjr‰Úd2i_X509_CRL_biorrr‡rr,rìrCrrLrerxrxryÚload_der_x509_crlirczBackend.load_der_x509_crlcCr[)NzwUnable to load request. See https://cryptography.io/en/latest/faq.html#why-can-t-i-import-my-pem-file for more details.) rjr‰ÚPEM_read_bio_X509_REQrrr‡rr,rìrCrÓrM©r›rhrLrérxrxryÚload_pem_x509_csrsr_zBackend.load_pem_x509_csrcCr`)NzUnable to load request) rjr‰Úd2i_X509_REQ_biorrr‡rr,rìrCrÓrMrjrxrxryÚload_der_x509_csrƒrczBackend.load_der_x509_csrc Cs| |¡}|j d¡}|dur#t d|¡|j |¡}||_t|ƒ|_||j |jj |j  |j j d¡|ƒ}||jj kra|jdkr]| ¡|jdkrLtdƒ‚|jdksSJ‚td |jd ¡ƒ‚| ¡| ¡|j ||j j¡}|dur{|jdkr{td ƒ‚|dur„|jd ksŠ|dusŠJ‚||ƒS) NzCRYPTOGRAPHY_PASSWORD_DATA *rEÚCryptography_pem_password_cbréÿÿÿÿz3Password was not given but private key is encryptedéþÿÿÿzAPasswords longer than {} bytes are not supported by this backend.rƒrS)rjr‡r¼rÚ_check_bytesliker"rEr¾r%rrrrÉr‰rÊÚerrorr,rÀrìrÒÚmaxsizerJrCr`Úcalled) r›Úopenssl_read_funcÚ convert_funcrhrErLÚuserdataÚ password_ptrrKrxrxryrCsJ     ÿú  ÿ þÿ zBackend._load_keycs’ˆ ¡}|s tdƒ‚|d ˆjjˆjj¡s2|d ˆjjˆjj¡s2ˆjjr6|d ˆjj ˆjj ¡r6tdƒ‚t ‡fdd„|DƒƒrEtdƒ‚tdƒ‚)Nz|Could not deserialize key data. The data may be in an incorrect format or it may be encrypted with an unsupported algorithm.rz Bad decrypt. Incorrect password?c3s$|] }| ˆjjˆjj¡VqdSrÆ)Ú_lib_reason_matchr‰Ú ERR_LIB_EVPÚ'EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM)r-rrršrxryÚ Þs€üþ ÿz4Backend._handle_key_loading_error..z!Unsupported public key algorithm.) r,rìryr‰rzÚEVP_R_BAD_DECRYPTÚERR_LIB_PKCS12Ú!PKCS12_R_PKCS12_CIPHERFINAL_ERRORÚCryptography_HAS_PROVIDERSÚ ERR_LIB_PROVÚPROV_R_BAD_DECRYPTÚany)r›rrxršryrJÂs:ÿ ÿÿþü ÷ þö ûÿz!Backend._handle_key_loading_errorcCspz| |¡}Wn ty|jj}Ynw|j |¡}||jjkr'| ¡dS| ||jjk¡|j  |¡dS)NFT) Ú_elliptic_curve_to_nidrr‰r4ÚEC_GROUP_new_by_curve_namer‡rr,r Ú EC_GROUP_free)r›ÚcurveÚ curve_nidÚgrouprxrxryÚelliptic_curve_supportedîs  ÿ   z Backend.elliptic_curve_supportedcCst|tjƒsdS| |¡SrÛ)rÜrTÚECDSArŠ)r›Úsignature_algorithmr‡rxrxryÚ,elliptic_curve_signature_algorithm_supportedþs  z4Backend.elliptic_curve_signature_algorithm_supportedcCsX| |¡r"| |¡}|j |¡}| |dk¡| |¡}t|||ƒStd |j ¡t j ƒ‚)z@ Generate a new private key on the named curve. rƒz#Backend object does not support {}.) rŠÚ_ec_key_new_by_curver‰ÚEC_KEY_generate_keyr Ú_ec_cdata_to_evp_pkeyr-rrÒrÑrÚUNSUPPORTED_ELLIPTIC_CURVE)r›r‡r‡r±rKrxrxryÚ#generate_elliptic_curve_private_keys      þz+Backend.generate_elliptic_curve_private_keycCsp|j}| |j¡}|j | |j¡|jj¡}|j  ||¡}|  |dk¡|  ||j |j ¡}| |¡}t|||ƒSrª)rVrŽr‡r‡rCr@Ú private_valuer‰Ú BN_clear_freeÚEC_KEY_set_private_keyr Ú)_ec_key_set_public_key_affine_coordinatesr¯r®rr-)r›r[Úpublicr‡r“r±rKrxrxryÚ#load_elliptic_curve_private_numberss ÿ ÿ  z+Backend.load_elliptic_curve_private_numberscCs4| |j¡}| ||j|j¡}| |¡}t|||ƒSrÆ)rŽr‡r–r¯r®rr.)r›r[r‡rKrxrxryÚ"load_elliptic_curve_public_numbers.s  ÿ  z*Backend.load_elliptic_curve_public_numbersc Csâ| |¡}|j |¡}| ||jjk¡|j |¡}| ||jjk¡|j ||jj¡}|  ¡ }|j  |||t |ƒ|¡}|dkrI|  ¡t dƒ‚Wdƒn1sSwY|j ||¡}| |dk¡| |¡}t|||ƒS)Nrƒz(Invalid public bytes for the given curve)rŽr‰ÚEC_KEY_get0_groupr r‡rÚ EC_POINT_newrCÚ EC_POINT_freeÚ _tmp_bn_ctxÚEC_POINT_oct2pointr¾r,rìÚEC_KEY_set_public_keyrr.) r›r‡Ú point_bytesr‡r‰ÚpointÚbn_ctxr±rKrxrxryÚ load_elliptic_curve_public_bytes7s&    ÿþü  z(Backend.load_elliptic_curve_public_bytesc CsX| |¡}| |¡\}}|j |¡}| ||jjk¡|j ||jj¡}|  |¡}|j ||jj ¡}|  ¡9}|j  ||||jj|jj|¡} | | dk¡|j  |¡} |j  |¡} |||| | |ƒ} | | dk¡Wdƒn1srwY|j ||¡} | | dk¡|  |¡} |j | |jj ¡} |j || ¡} | | dk¡| |¡} t||| ƒSrª)rŽÚ _ec_key_determine_group_get_funcr‰r›r r‡rrCrœr@r”rÚ EC_POINT_mulÚ BN_CTX_getrŸr•rr-)r›r“r‡r‡Úget_funcr‰r¡r×r¢r±Úbn_xÚbn_yÚprivaterKrxrxryÚ!derive_elliptic_curve_private_keyKs2    ÿ  ö    z)Backend.derive_elliptic_curve_private_keycCr£rÆ)r„Ú_ec_key_new_by_curve_nid)r›r‡rˆrxrxryrŽnr¥zBackend._ec_key_new_by_curvecCs0|j |¡}| ||jjk¡|j ||jj¡SrÆ)r‰ÚEC_KEY_new_by_curve_namer r‡rrCr)r›rˆr‡rxrxryr¬rs z Backend._ec_key_new_by_curve_nidcCr`)NzUnable to load OCSP request) rjr‰Úd2i_OCSP_REQUEST_biorrr‡rr,rìrCÚOCSP_REQUEST_freerA)r›rhrLÚrequestrxrxryÚload_der_ocsp_requestwrczBackend.load_der_ocsp_requestcCr`)NzUnable to load OCSP response) rjr‰Úd2i_OCSP_RESPONSE_biorrr‡rr,rìrCÚOCSP_RESPONSE_freerB)r›rhrLÚresponserxrxryÚload_der_ocsp_responserczBackend.load_der_ocsp_responsec Cs°|j ¡}| ||jjk¡|j ||jj¡}|j\}}}| |¡}|j  ||j |j ¡}| ||jjk¡|j  ||¡}| ||jjk¡|j |j |j||jjddt||ƒS)NTrË)r‰ÚOCSP_REQUEST_newr r‡rrCr¯Ú_requestrÚÚOCSP_cert_to_idÚ_x509ÚOCSP_request_add0_idrÞrßrÚOCSP_REQUEST_add_extrA) r›rèÚocsp_reqÚcertÚissuerrËr×ÚcertidÚonereqrxrxryÚcreate_ocsp_request‹s"   û zBackend.create_ocsp_requestc Csì| ||¡|j ¡}| ||jjk¡|j ||jj¡}| |j j ¡}|j  ||j j j |j jj ¡}| ||jjk¡|j ||jj¡}|j jdurMd}nt|j j}|j jdur^|jj}n| |j j¡}|jj} |j jdurv| |j j¡} | |j j¡} |j |||j jj||| | ¡} | | |jjk¡| ||¡}|j\} } |jj}| tjjur°||jjO}|j durÊ|j D]}|j !||j ¡} | | dk¡q¸|j"|j#|j$||jj%dd|j &|| j |j'||jj|¡} | dkrô| (¡}t)d|ƒ‚|S)NrorƒTrËzAError while signing. responder_cert must be signed by private_key)*rÅr‰ÚOCSP_BASICRESP_newr r‡rrCÚOCSP_BASICRESP_freerÚÚ _responser”r¸Ú_certr¹Ú_issuerÚOCSP_CERTID_freeÚ_revocation_reasonrÚ_revocation_timerrÚ _this_updateÚOCSP_basic_add1_statusÚ _cert_statusr×rÑÚ _responder_idÚ OCSP_NOCERTSrpÚOCSPResponderEncodingÚHASHÚOCSP_RESPID_KEYÚ_certsÚOCSP_basic_add1_certrÞrßrÚOCSP_BASICRESP_add_extÚOCSP_basic_signrÜr-rì)r›rèrÄrËÚbasicr×r¿ÚreasonÚrev_timer Ú this_updater±Úresponder_certÚresponder_encodingÚflagsr½rrxrxryÚ_create_ocsp_basic_responsežsŽ  ÿý ÿ  ÿ ÿù      ûúýz#Backend._create_ocsp_basic_responsecCsb|tjjur| |||¡}n|jj}|j |j|¡}|  ||jjk¡|j  ||jj ¡}t ||ƒSrÆ) rpÚOCSPResponseStatusÚ SUCCESSFULrÝr‡rr‰ÚOCSP_response_creater×r rCr³rB)r›Úresponse_statusrèrÄrËrÖÚ ocsp_resprxrxryÚcreate_ocsp_responseós ÿÿ zBackend.create_ocsp_responsecCs| |¡o t|tjƒSrÆ)rŠrÜrTÚECDH)r›rËr‡rxrxryÚ+elliptic_curve_exchange_algorithm_supporteds ÿz3Backend.elliptic_curve_exchange_algorithm_supportedcCrcrª)rbr‰ÚEVP_PKEY_set1_EC_KEYr )r›r‡rKr±rxrxryr rezBackend._ec_cdata_to_evp_pkeycCsNdddœ}| |j|j¡}|j | ¡¡}||jjkr%td |j¡tj ƒ‚|S)z/ Get the NID for a curve name. Ú prime192v1Ú prime256v1)Ú secp192r1Ú secp256r1z${} is not a supported elliptic curve) ÚgetrÑr‰Ú OBJ_sn2nidrÔr4rrÒrr‘)r›r‡Ú curve_aliasesÚ curve_namerˆrxrxryr„s   þzBackend._elliptic_curve_to_nidc csd|j ¡}| ||jjk¡|j ||jj¡}|j |¡z |VW|j |¡dS|j |¡wrÆ) r‰Ú BN_CTX_newr r‡rrCÚ BN_CTX_freeÚ BN_CTX_startÚ BN_CTX_end)r›r¢rxrxryr s€  zBackend._tmp_bn_ctxcCs¼| ||jjk¡|j d¡}| ||jjk¡|j |¡}| ||jjk¡|j |¡}| ||jjk¡|j |¡}| ||jjk¡||krR|jj rR|jj }n|jj }|sZJ‚||fS)zu Given an EC_KEY determine the group and what function is required to get point coordinates. scharacteristic-two-field) r r‡rr‰rìr4ršÚEC_GROUP_method_ofÚEC_METHOD_get_field_typeÚCryptography_HAS_EC2MÚ$EC_POINT_get_affine_coordinates_GF2mÚ#EC_POINT_get_affine_coordinates_GFp)r›r›Ú nid_two_fieldr‰Úmethodr8r§rxrxryr¤+s     z(Backend._ec_key_determine_group_get_funccCst|dks|dkr tdƒ‚|j | |¡|jj¡}|j | |¡|jj¡}|j |||¡}|dkr8| ¡tdƒ‚|S)zg Sets the public key point in the EC_KEY context to the affine x and y values. rz2Invalid EC key. Both x and y must be non-negative.rƒzInvalid EC key.)rìr‡rCr@r‰rEÚ(EC_KEY_set_public_key_affine_coordinatesr,)r›r›r¯r®r±rxrxryr–Gsÿz1Backend._ec_key_set_public_key_affine_coordinatesc Cst|tjƒs tdƒ‚t|tjƒstdƒ‚t|tjƒstdƒ‚t|tjƒr'd}nt|tjƒr;|j}t |ƒdkr:t dƒ‚nt dƒ‚|tjj urf|tjj urP|j j}n|tjjur[|j j}nt dƒ‚| |||¡S|tjjurì|jryt|tjƒsyt d ƒ‚|j  |¡} |tjj ur±| |j jkr|j j}n| |j jkr›|j j}n| |j jkr¦|j j}nt d ƒ‚| |||¡S|tjjurè|r½t d ƒ‚| |j jkrÈ|j j}n| |j jkrÓ|j j}n| |j jkrÞ|j j}nt d ƒ‚| ||¡St d ƒ‚|tjjur|tjj urÿt  !||¡St d ƒ‚t dƒ‚)Nú/encoding must be an item from the Encoding enumz2format must be an item from the PrivateFormat enumzBEncryption algorithm must be a KeySerializationEncryption instanceóiÿzBPasswords longer than 1023 bytes are not supported by this backendzUnsupported encryption typezUnsupported encoding for PKCS8zCEncrypted traditional OpenSSL format is not supported in FIPS mode.z+Unsupported key type for TraditionalOpenSSLzDEncryption is not supported for DER encoded traditional OpenSSL keysz+Unsupported encoding for TraditionalOpenSSLz=OpenSSH private key format can only be used with PEM encodingúformat is invalid with this key)"rÜrQÚEncodingrÀÚ PrivateFormatÚKeySerializationEncryptionÚ NoEncryptionÚBestAvailableEncryptionrEr¾rìÚPKCS8ÚPEMr‰ÚPEM_write_bio_PKCS8PrivateKeyÚDERÚi2d_PKCS8PrivateKey_bioÚ_private_key_bytes_via_bioÚTraditionalOpenSSLr‹ryrzÚPEM_write_bio_RSAPrivateKeyr|ÚPEM_write_bio_DSAPrivateKeyrÚPEM_write_bio_ECPrivateKeyÚi2d_RSAPrivateKey_bioÚi2d_ECPrivateKey_bioÚi2d_DSAPrivateKey_bioÚ_bio_func_outputÚOpenSSHroÚserialize_ssh_private_key) r›ÚencodingrÒÚencryption_algorithmrÊrKÚcdatarEÚ write_bior…rxrxryÚ_private_key_bytes[sš  ÿÿÿ ÿ ÿÿ     ÿ ÿÿ        ÿÿ ÿ      ÿ   ÿzBackend._private_key_bytesc Cs<|s|jj}n|j d¡}| ||||t|ƒ|jj|jj¡S)Ns aes-256-cbc)r‡rr‰ÚEVP_get_cipherbynamerr¾)r›rrKrErêrxrxryrÄs  ùz"Backend._private_key_bytes_via_biocGs0| ¡}||g|¢RŽ}| |dk¡| |¡Srª)rnr rr)r›rÚargsrrr±rxrxryrÕs zBackend._bio_func_outputcCst|tjƒs tdƒ‚t|tjƒstdƒ‚|tjjur:|tjjur%|jj}n|tjj ur0|jj }nt dƒ‚|  ||¡S|tjj urp|j |¡}||jjkrPt dƒ‚|tjjur[|jj}n|tjj urf|jj}nt dƒ‚|  ||¡S|tjjur…|tjjurt |¡St dƒ‚t dƒ‚)Nrûz1format must be an item from the PublicFormat enumz8SubjectPublicKeyInfo works only with PEM or DER encodingz+PKCS1 format is supported only for RSA keysz)PKCS1 works only with PEM or DER encodingz1OpenSSH format must be used with OpenSSH encodingrý)rÜrQrþrÀÚ PublicFormatÚSubjectPublicKeyInforr‰ÚPEM_write_bio_PUBKEYrÚi2d_PUBKEY_biorìrÚPKCS1ryrzÚPEM_write_bio_RSAPublicKeyÚi2d_RSAPublicKey_biorroÚserialize_ssh_public_key)r›rrÒrÊrKrrr…rxrxryÚ_public_key_bytesÛs@  ÿ     ÿ            ÿzBackend._public_key_bytescCsÌ|tjjur tdƒ‚|j d¡}|j ||jj||jj¡|tjj ur5|d|jjkr0|jj }n!|jj }n|tjj urM|d|jjkrH|jj }n |jj}ntdƒ‚| ¡}|||ƒ}| |dk¡| |¡S)Nz!OpenSSH encoding is not supportedz BIGNUM **rrûrƒ)rQrþrrÀr‡r¼r‰Ú DH_get0_pqgrrÚPEM_write_bio_DHxparamsÚPEM_write_bio_DHparamsrÚCryptography_i2d_DHxparams_bioÚi2d_DHparams_biornr rr)r›rrÒrrQrrrr±rxrxryÚ_parameter_bytes s"          zBackend._parameter_bytescCs†|tjkr td tj¡ƒ‚|dvrtdƒ‚|j ¡}| ||jjk¡|j  ||jj ¡}|j  ||||jj¡}| |dk¡t ||ƒS)Nz$DH key_size must be at least {} bits)éézDH generator must be 2 or 5rƒ) rRÚ_MIN_MODULUS_SIZErìrÒr‰ÚDH_newr r‡rrCrƒÚDH_generate_parameters_exr&)r›Ú generatorrIÚdh_param_cdatar±rxrxryÚgenerate_dh_parameters$s ÿÿ  ÿ zBackend.generate_dh_parameterscCrcrª)rbr‰ÚEVP_PKEY_set1_DHr )r›rˆrKr±rxrxryÚ_dh_cdata_to_evp_pkey:rezBackend._dh_cdata_to_evp_pkeycCs<t|j|ƒ}|j |¡}| |dk¡| |¡}t|||ƒSrª)r)Ú _dh_cdatar‰ÚDH_generate_keyr r2r')r›r¡Ú dh_key_cdatar±rKrxrxryÚgenerate_dh_private_key@s    zBackend.generate_dh_private_keycCs| | ||¡¡SrÆ)r6r0)r›r.rIrxrxryÚ&generate_dh_private_key_and_parametersJs ÿz.Backend.generate_dh_private_key_and_parametersc Cs8|jj}|j ¡}| ||jjk¡|j ||jj¡}|  |j ¡}|  |j ¡}|j dur3|  |j ¡}n|jj}|  |jj ¡}|  |j¡}|j ||||¡} | | dk¡|j |||¡} | | dk¡|j dd¡} |j || ¡} | | dk¡| ddkr‘|j dkr| d|jjAdks‘tdƒ‚| |¡} t||| ƒS)Nrƒúint[]rr)z.DH private numbers did not pass safety checks.)rVr­r‰r,r r‡rrCrƒr@rPr¨rQr®r¯Ú DH_set0_pqgÚ DH_set0_keyr¼ÚCryptography_DH_checkÚDH_NOT_SUITABLE_GENERATORrìr2r') r›r[r­rˆrPr¨rQr©rªr±ÚcodesrKrxrxryÚload_dh_private_numbersOs0        zBackend.load_dh_private_numbersc CsÐ|j ¡}| ||jjk¡|j ||jj¡}|j}| |j ¡}| |j ¡}|j dur2| |j ¡}n|jj}| |j ¡}|j  ||||¡}| |dk¡|j |||jj¡}| |dk¡| |¡} t||| ƒSrª)r‰r,r r‡rrCrƒr­r@rPr¨rQr®r9r:r2r() r›r[rˆr­rPr¨rQr©r±rKrxrxryÚload_dh_public_numbers}s       zBackend.load_dh_public_numberscCs|j ¡}| ||jjk¡|j ||jj¡}| |j¡}| |j ¡}|j dur/| |j ¡}n|jj}|j  ||||¡}| |dk¡t ||ƒSrª) r‰r,r r‡rrCrƒr@rPr¨rQr9r&)r›r[rˆrPr¨rQr±rxrxryÚload_dh_parameter_numbers˜s     z!Backend.load_dh_parameter_numberscCs´|j ¡}| ||jjk¡|j ||jj¡}| |¡}| |¡}|dur+| |¡}n|jj}|j ||||¡}| |dk¡|j  dd¡}|j  ||¡}| |dk¡|ddkS)Nrƒr8r) r‰r,r r‡rrCrƒr@r9r¼r;)r›rPr¨rQrˆr±r=rxrxryÚdh_parameters_supportedªs     zBackend.dh_parameters_supportedcCs |jjdkSrª)r‰r—ršrxrxryÚdh_x942_serialization_supportedÀrÍz'Backend.dh_x942_serialization_supportedcsxtˆ|ƒ}ˆj d¡}ˆj ||¡}ˆ |dˆjjk¡ˆj |‡fdd„¡}ˆ |dk¡ˆj |d|¡dd…S)Nzunsigned char **rcsˆj |d¡Sr£)r‰Ú OPENSSL_free)Úpointerršrxryr¤Ész)Backend.x509_name_bytes..) r;r‡r¼r‰Ú i2d_X509_NAMEr rrCr$)r›rÑÚ x509_nameÚppr±rxršryÚx509_name_bytesÃs   ÿzBackend.x509_name_bytescCsht|ƒdkr tdƒ‚| ¡}|j ||jj¡}| |dk¡|j ||t|ƒ¡}| |dk¡t||ƒS)Né z%An X25519 public key is 32 bytes longrƒ) r¾rìrbr‰ÚEVP_PKEY_set_typeÚ NID_X25519r ÚEVP_PKEY_set1_tls_encodedpointrH)r›rhrKr±rxrxryÚx25519_load_public_bytesÎs  ÿ z Backend.x25519_load_public_bytescCsÀt|ƒdkr tdƒ‚d}| d¡#}||dd…<||dd…<| |¡}|j |j|jj¡}Wdƒn1s7wY|  ||jjk¡|j  ||jj ¡}|  |j  |¡|jj k¡t||ƒS)NrIz&An X25519 private key is 32 bytes longs0.0+en" é0ré)r¾rìÚ_zeroed_bytearrayrjr‰rTrrr‡rr rCr`ryrvrG)r›rhÚ pkcs8_prefixÚbarrrKrxrxryÚx25519_load_private_bytesÝs     üÿ z!Backend.x25519_load_private_bytescCs¨|j ||jj¡}| ||jjk¡|j ||jj¡}|j |¡}| |dk¡|j d¡}|j  ||¡}| |dk¡| |d|jjk¡|j |d|jj ¡}|S)Nrƒú EVP_PKEY **r) r‰ÚEVP_PKEY_CTX_new_idr‡rr rCÚEVP_PKEY_CTX_freeÚEVP_PKEY_keygen_initr¼ÚEVP_PKEY_keygenr`)r›r8Ú evp_pkey_ctxr±Ú evp_ppkeyrKrxrxryÚ_evp_pkey_keygen_gcÿs  zBackend._evp_pkey_keygen_gccCó| |jj¡}t||ƒSrÆ)r[r‰rKrGrarxrxryÚx25519_generate_key ó zBackend.x25519_generate_keycCó|jrdS|jj SrÛ)r‹r‰ÚCRYPTOGRAPHY_IS_LIBRESSLršrxrxryÚx25519_supported ó zBackend.x25519_supportedcCs`t|ƒdkr tdƒ‚|j |jj|jj|t|ƒ¡}| ||jjk¡|j ||jj ¡}t ||ƒS)Né8z#An X448 public key is 56 bytes long) r¾rìr‰ÚEVP_PKEY_new_raw_public_keyÚNID_X448r‡rr rCr`rJ©r›rhrKrxrxryÚx448_load_public_bytes s ÿ zBackend.x448_load_public_bytescCslt|ƒdkr tdƒ‚|j |¡}|j |jj|jj|t|ƒ¡}| ||jjk¡|j  ||jj ¡}t ||ƒS)Nrcz$An X448 private key is 56 bytes long) r¾rìr‡r"r‰ÚEVP_PKEY_new_raw_private_keyrerr rCr`rI©r›rhrirKrxrxryÚx448_load_private_bytes s  ÿ zBackend.x448_load_private_bytescCr\rÆ)r[r‰rerIrarxrxryÚx448_generate_key, r^zBackend.x448_generate_keycCr_rÛ)r‹r‰Ú"CRYPTOGRAPHY_OPENSSL_LESS_THAN_111ršrxrxryÚx448_supported0 rbzBackend.x448_supportedcCr_rÛ©r‹r‰Ú#CRYPTOGRAPHY_OPENSSL_LESS_THAN_111BršrxrxryÚed25519_supported5 rbzBackend.ed25519_supportedcCsnt d|¡t|ƒtjkrtdƒ‚|j |jj|j j |t|ƒ¡}|  ||j j k¡|j   ||jj ¡}t||ƒS)Nrhz&An Ed25519 public key is 32 bytes long)rÚ _check_bytesr¾rUÚ_ED25519_KEY_SIZErìr‰rdÚ NID_ED25519r‡rr rCr`r0rfrxrxryÚed25519_load_public_bytes: s ÿ z!Backend.ed25519_load_public_bytescCszt|ƒtjkr tdƒ‚t d|¡|j |¡}|j  |jj |jj |t|ƒ¡}|  ||jj k¡|j  ||jj¡}t||ƒS)Nz'An Ed25519 private key is 32 bytes longrh)r¾rUrrrìrrqr‡r"r‰rhrsrr rCr`r/rirxrxryÚed25519_load_private_bytesH s  ÿ z"Backend.ed25519_load_private_bytescCr\rÆ)r[r‰rsr/rarxrxryÚed25519_generate_keyV r^zBackend.ed25519_generate_keycCr_rÛrnršrxrxryÚed448_supportedZ rbzBackend.ed448_supportedcCslt d|¡t|ƒtkrtdƒ‚|j |jj|jj |t|ƒ¡}|  ||jj k¡|j  ||jj ¡}t ||ƒS)Nrhz$An Ed448 public key is 57 bytes long)rrqr¾r1rìr‰rdÚ NID_ED448r‡rr rCr`r3rfrxrxryÚed448_load_public_bytes_ s  ÿ zBackend.ed448_load_public_bytescCsxt d|¡t|ƒtkrtdƒ‚|j |¡}|j |jj |jj |t|ƒ¡}|  ||jj k¡|j  ||jj ¡}t||ƒS)Nrhz%An Ed448 private key is 57 bytes long)rrqr¾r1rìr‡r"r‰rhrxrr rCr`r2rirxrxryÚed448_load_private_bytesl s   ÿ z Backend.ed448_load_private_bytescCr\rÆ)r[r‰rxr2rarxrxryÚed448_generate_keyz r^zBackend.ed448_generate_keyc Cs†|j d|¡}|j |¡}|j |t|ƒ|t|ƒ|||tj||¡ } | dkr9| ¡} d||d} t d  | ¡| ƒ‚|j  |¡dd…S)Nr!rƒé€izJNot enough memory to derive key. These parameters require {} MB of memory.) r‡r¼r"r‰ÚEVP_PBE_scryptr¾rmÚ _MEM_LIMITr-Ú MemoryErrorrÒr$) r›r(r&r%rWÚrrPrÁr)r±rÚ min_memoryrxrxryÚ derive_scrypt~ s. ö ýzBackend.derive_scryptcCs2t |¡}|jr||jvrdS|j |¡|jjkSrÛ)rÚ_aead_cipher_namer‹Ú _fips_aeadr‰rr‡r)r›rèÚ cipher_namerxrxryÚaead_cipher_supported™ s zBackend.aead_cipher_supportedc cs2t|ƒ}z |VW| ||¡dS| ||¡w)zÁ This method creates a bytearray, which we copy data into (hopefully also from a mutable buffer that can be dynamically erased!), and then zero when we're done. N)Ú bytearrayÚ _zero_data)r›r%rRrxrxryrPŸ s €zBackend._zeroed_bytearraycCst|ƒD]}d||<qdSr£)Úrange)r›rhr%r&rxrxryrˆ¬ s  ÿzBackend._zero_datac cs~|dur |jjVdSt|ƒ}|j d|d¡}|j |||¡z|VW| |j d|¡|¡dS| |j d|¡|¡w)aâ This method takes bytes, which can be a bytestring or a mutable buffer like a bytearray, and yields a null-terminated version of that data. This is required because PKCS12_parse doesn't take a length with its password char * and ffi.from_buffer doesn't provide null termination. So, to support zeroing the data via bytearray we need to build this ridiculous construct that copies the memory, but zeroes it after use. Nr¹rƒz uint8_t *)r‡rr¾r¼ÚmemmoverˆÚcast)r›rhÚdata_lenrÁrxrxryÚ_zeroed_null_terminated_buf³ s€ 2z#Backend._zeroed_null_terminated_bufcCsð|dur t d|¡| |¡}|j |j|jj¡}||jjkr'| ¡t dƒ‚|j  ||jj ¡}|j  d¡}|j  d¡}|j  d¡}|  |¡}|j |||||¡} Wdƒn1s\wY| dkrm| ¡t dƒ‚d} d} g} |d|jjkr‹|j  |d|jj¡} | | ¡} |d|jjkr£|j  |d|jj¡}t||ƒ} |d|jjkró|j  |d|jj¡}|j |d¡}|jjrÇt|ƒ}ntt|ƒƒ}|D]#}|j ||¡}| ||jjk¡|j  ||jj¡}|  t||ƒ¡qÏ| | | fS)NrEz!Could not deserialize PKCS12 datarTzX509 **zCryptography_STACK_OF_X509 **rzInvalid password or PKCS12 data)rrqrjr‰Úd2i_PKCS12_biorrr‡rr,rìrCÚ PKCS12_freer¼rÚ PKCS12_parser`r‰ròrKÚ sk_X509_freeÚ sk_X509_numÚ#CRYPTOGRAPHY_OPENSSL_300_OR_GREATERr‰ÚreversedÚ sk_X509_valuer r˜)r›rhrErrÚp12Ú evp_pkey_ptrÚx509_ptrÚ sk_x509_ptrÚ password_bufr±r½rÊÚadditional_certificatesrKrÚsk_x509r=Úindicesr&rxrxryÚ%load_key_and_certificates_from_pkcs12Ê sP        ÿÿ     z-Backend.load_key_and_certificates_from_pkcs12cCs¬d}|dur t d|¡t|tjƒrd}d}d} d} nt|tjƒr1|jj}|jj}d} d} |j}nt dƒ‚|dus?t |ƒdkrD|j j } n"|j  ¡} |j  | |jj¡} |D]} |j | | j¡} t | dk¡qT| |¡:}| |¡%}|j |||r||jn|j j |r„|jn|j j | ||| | d¡ }Wdƒn1s™wYWdƒn1s¨wY| ||j j k¡|j  ||jj¡}| ¡}|j ||¡} | | dk¡| |¡S)NrÑrori NrƒzUnsupported key encryption type)rrqrÜrQrrr‰Ú&NID_pbe_WithSHA1And3_Key_TripleDES_CBCrErìr¾r‡rÚsk_X509_new_nullrCr‘Ú sk_X509_pushr¹Úbackendr rÚ PKCS12_createrÜrrnÚi2d_PKCS12_biorr)r›rÑrÊr½ÚcasrrEÚnid_certÚnid_keyÚ pkcs12_iterÚmac_iterrœÚcar±ršÚname_bufr–rrrxrxryÚ(serialize_key_and_certificates_to_pkcs12 s^  ÿ    öÿ€ÿ z0Backend.serialize_key_and_certificates_to_pkcs12cCs|jrdS|jjdkS)NFrƒ)r‹r‰ÚCryptography_HAS_POLY1305ršrxrxryÚpoly1305_supported? s zBackend.poly1305_supportedcCs*t d|¡t|ƒtkrtdƒ‚t||ƒS)NrÊzA poly1305 key is 32 bytes long)rrqr¾rCrìrD)r›rÊrxrxryÚcreate_poly1305_ctxD s   zBackend.create_poly1305_ctxcCsnt d|¡| |¡}|j |j|jj|jj|jj¡}||jjkr)| ¡t dƒ‚|j  ||jj ¡}|  |¡S©NrhzUnable to parse PKCS7 data) rrqrjr‰ÚPEM_read_bio_PKCS7rrr‡rr,rìrCÚ PKCS7_freeÚ_load_pkcs7_certificates©r›rhrrÚp7rxrxryÚload_pem_pkcs7_certificatesK s  ÿ  z#Backend.load_pem_pkcs7_certificatescCsbt d|¡| |¡}|j |j|jj¡}||jjkr#| ¡t dƒ‚|j  ||jj ¡}|  |¡Sr°) rrqrjr‰Ú d2i_PKCS7_biorrr‡rr,rìrCr²r³r´rxrxryÚload_der_pkcs7_certificatesX s    z#Backend.load_der_pkcs7_certificatesc CsÚ|j |j¡}| ||jjk¡||jjkrtd |¡tj ƒ‚g}|j j |j j kr+|S|j j j}|j |¡}t|ƒD]0}|j ||¡}| ||j j k¡|j |¡}| |dk¡|j  ||jj¡}| t||ƒ¡q:|S)NzNOnly basic signed structures are currently supported. NID for this data was {}rƒ)r‰Ú OBJ_obj2nidrær r4ÚNID_pkcs7_signedrrÒrÚUNSUPPORTED_SERIALIZATIONrRÚsignr‡rr½r’r‰r•Ú X509_up_refrCròr˜rK) r›rµr8Úcertsrœr=r&rr±rxrxryr³c s* ý    z Backend._load_pkcs7_certificatescCst| |j¡}|jj}d}t|jƒdkr|jj}n#|j ¡}|j  ||jj ¡}|jD]}|j  ||j ¡} |  | dk¡q)tjj|vrM||jjO}||jjO}|j |jj|jj||jj|¡} |  | |jjk¡|j  | |jj¡} d} tjj|vr~| |jjO} n tjj|vrŠ| |jjO} tjj|vr–| |jjO} |jD]\} } }| |¡}|j | | j | j|| ¡}|  ||jjk¡q™|D]}|tjjurÊ||jjO}q»|tjj urÖ||jj!O}q»| "¡}|t#j$j%urì|j &|| |j'|¡} nB|t#j$j(ur|j )| |j'|¡} |  | dk¡|j *|| |j'|¡} n |t#j$j+usJ‚|j )| |j'|¡} |  | dk¡|j ,|| ¡} |  | dk¡| -|¡S)Nrrƒ).rjÚ_datar‰Ú PKCS7_PARTIALr¾Ú_additional_certsr‡rr rCr‘r¡r¹r rnÚ PKCS7OptionsÚDetachedSignatureÚPKCS7_DETACHEDÚ PKCS7_signr²ÚNoCapabilitiesÚPKCS7_NOSMIMECAPÚ NoAttributesÚ PKCS7_NOATTRÚNoCertsÚ PKCS7_NOCERTSÚ_signersrÚÚPKCS7_sign_add_signerrÜÚTextÚ PKCS7_TEXTÚBinaryÚ PKCS7_BINARYrnrQrþÚSMIMEÚSMIME_write_PKCS7rrrÚ PKCS7_finalÚPEM_write_bio_PKCS7_streamrÚ i2d_PKCS7_biorr)r›rèrÚoptionsrrÚ init_flagsÚ final_flagsr¾r½r±rµÚ signer_flagsÚ certificaterÄÚhash_algorithmÚmdÚ p7signerinfoÚoptionÚbio_outrxrxryÚ pkcs7_sign st       û      ÿ   €  ÿ ÿ zBackend.pkcs7_signrÆ)¯rurvrwÚ__doc__rÑr„r\rdrårPrrŽrrr‘Ú SHA512_224Ú SHA512_256ÚSHA3_224ÚSHA3_256ÚSHA3_384ÚSHA3_512ÚSHAKE128ÚSHAKE256rÝÚ_fips_rsa_min_key_sizeÚ_fips_rsa_min_public_exponentÚ_fips_dsa_min_modulusÚ_fips_dh_min_key_sizeÚ_fips_dh_min_modulusrœr rŠr²Ú contextlibrr·r”rÂrÅrÈrÌrØrÚrÞrârärërïrrŽrrrr r*r,r-r9r@rLrNr\r^rbrGrjrnrrr‰r‹r’r˜rœr¢r¤r«r°r²r³r rµr¶r¹rºrÅrîrrÑrúrr#rÞr,r%rBrFrMrOrRrPrWrZr^rbrfrhrkrmrCrJrŠrr’r˜r™r£r«rŽr¬r±rµrÁrÝrãrårr„rr¤r–rrrr"r(r0r2r6r7r>r?r@rArBrHrMrSr[r]rargrjrkrmrprtrurvrwryrzr{r‚r†rPrˆrržr¬r®r¯r¶r¸r³rárxrxrxryrz¤sXó        -5      ++ HB 8"    5,  #  U  i0 .  "              7 >   rzc@seZdZdd„Zdd„ZdS)rócCs ||_dSrÆ)Ú_fmt)r›ÚfmtrxrxryrœÐ rÉzGetCipherByName.__init__cCs&|jj||d ¡}|j | d¡¡S)N)rèr©r»)rñrÒÚlowerr‰rrÔ)r›r¢rèr©r…rxrxryÚ__call__Ó szGetCipherByName.__call__N)rurvrwrœrôrxrxrxryróÏ s rócCs"d |jd¡}|j | d¡¡S)Nz aes-{}-xtsr)r»)rÒrIr‰rrÔ)r¢rèr©r…rxrxryröØ srö)Ú collectionsrðrôÚtypingr‘rÚ cryptographyrrÚcryptography.exceptionsrrÚcryptography.hazmat._derrrr r r Ú'cryptography.hazmat.backends.interfacesr r rrrrrrrrrrrÚ$cryptography.hazmat.backends.opensslrÚ,cryptography.hazmat.backends.openssl.ciphersrÚ)cryptography.hazmat.backends.openssl.cmacrÚ0cryptography.hazmat.backends.openssl.decode_asn1rrrr r!r"r#r$r%Ú'cryptography.hazmat.backends.openssl.dhr&r'r(r)Ú(cryptography.hazmat.backends.openssl.dsar*r+r,Ú'cryptography.hazmat.backends.openssl.ecr-r.Ú,cryptography.hazmat.backends.openssl.ed25519r/r0Ú*cryptography.hazmat.backends.openssl.ed448r1r2r3Ú0cryptography.hazmat.backends.openssl.encode_asn1r4r5r6r7r8r9r:r;r<Ú+cryptography.hazmat.backends.openssl.hashesr>Ú)cryptography.hazmat.backends.openssl.hmacr@Ú)cryptography.hazmat.backends.openssl.ocsprArBÚ-cryptography.hazmat.backends.openssl.poly1305rCrDÚ(cryptography.hazmat.backends.openssl.rsarErFÚ+cryptography.hazmat.backends.openssl.x25519rGrHÚ)cryptography.hazmat.backends.openssl.x448rIrJÚ)cryptography.hazmat.backends.openssl.x509rKrLrMrNÚ$cryptography.hazmat.bindings.opensslrOÚcryptography.hazmat.primitivesrPrQÚ)cryptography.hazmat.primitives.asymmetricrRrSrTrUrVrWÚ1cryptography.hazmat.primitives.asymmetric.paddingrXrYrZr[Ú1cryptography.hazmat.primitives.ciphers.algorithmsr\r]r^r_r`rarbrcrdÚ,cryptography.hazmat.primitives.ciphers.modesrerfrgrhrirjrkrlÚ"cryptography.hazmat.primitives.kdfrmÚ,cryptography.hazmat.primitives.serializationrnroÚcryptography.x509rpÚ namedtuplerqÚobjectrtÚregister_interfaceÚregister_interface_ifr„rˆÚCryptography_HAS_SCRYPTrzrórör¢rxrxrxryÚsœ <   , ,   ,(   ÿ*0