a bx@sddlZddlZddlZddlZddlZddlmZddlmZmZddl m Z m Z ddl m Z ddlmZddlmZddlmZmZmZmZdd lmZmZmZdd lmZmZdd lmZm Z dd l!m"Z"m#Z#m$Z$dd l%m&Z&ddl'm(Z(ddl)m*Z*m+Z+ddl,m-Z-m.Z.ddl/m0Z0m1Z1ddl2m3Z3m4Z4ddl5mZ6ddl7m8Z8ddl9m:Z:m;Z;ddlm?Z?m@Z@mAZAmBZBmCZCmDZDmEZEmFZFddlGmHZHmIZImJZJmKZKddlLmMZMmNZNmOZOddlPmQZQmRZRddlSmTZTmUZUmVZVmWZWmXZXmYZYmZZZm[Z[m\Z\m]Z]ddl^m_Z_m`Z`maZambZbmcZcmdZdmeZemfZfmgZgddlhmiZiddljmkZkmlZlddlmmnZnmoZompZpmqZqerd d!d"gZsGd#d$d$ZtGd%d&d&ZuGd'd(d(ZveueTd)d*d+ZweuZxdS),N)contextmanager)utilsx509)UnsupportedAlgorithm_Reasons)aead)_CipherContext _CMACContext) _DHParameters _DHPrivateKey _DHPublicKey_dh_params_dup)_DSAParameters_DSAPrivateKey _DSAPublicKey)_EllipticCurvePrivateKey_EllipticCurvePublicKey)_Ed25519PrivateKey_Ed25519PublicKey)_ED448_KEY_SIZE_Ed448PrivateKey_Ed448PublicKey _HashContext _HMACContext)_POLY1305_KEY_SIZE_Poly1305Context)_RSAPrivateKey _RSAPublicKey)_X25519PrivateKey_X25519PublicKey)_X448PrivateKey_X448PublicKey)r)binding)hashes serialization)AsymmetricPadding)dhdsaeced25519ed448rsax25519x448)MGF1OAEPPKCS1v15PSS)#CERTIFICATE_ISSUER_PUBLIC_KEY_TYPESPRIVATE_KEY_TYPESPUBLIC_KEY_TYPES)BlockCipherAlgorithmCipherAlgorithm) AESARC4CamelliaChaCha20SM4 TripleDES_BlowfishInternal_CAST5Internal _IDEAInternal _SEEDInternal) CBCCFBCFB8CTRECBGCMModeOFBXTS)scrypt)pkcs7ssh)PKCS12CertificatePKCS12KeyAndCertificates_ALLOWED_PKCS12_TYPES_PKCS12_CAS_TYPES _MemoryBIObioZchar_ptrc@s eZdZdS)_RC2N)__name__ __module__ __qualname__rZrZS/tmp/pip-target-98j97qn4/lib/python/cryptography/hazmat/backends/openssl/backend.pyrVsrVc @sT eZdZdZdZhdZefZej ej ej ej ej ejejejejejejejf ZejejejejfZdZdZdd>ZdZde>Z ddZ!e"d d d Z#d?e$e%j&e%j'e(j)d d ddZ*e$d ddZ+d d ddZ,d d ddZ-e.j/ddZ0d d ddZ1e"d ddZ2e"d ddZ3e4d ddZ5e6ej7e8d d!d"Z9ej7d#d$d%Z:ej7d#d&d'Z;ej7e$d(d)d*Zej7e$d(d/d0Z?ej7ej@d(d1d2ZAeBeCe$d3d4d5ZDd6d7ZEd d d8d9ZFeBeCeGd3d:d;ZHeBeCeGd3dd?ZJej7e4e6e4e6e6d@dAdBZKe%j'e(j)d dCdDZLe%j'e(jMd dEdFZNe4d dGdHZOd@e4dIdJdKZPe4e4eQjRdLdMdNZSe4e4e$dLdOdPZTeQjUeQjRdQdRdSZVeQjWeQjXdQdTdUZYdVdWZZdXdYZ[e6dZd[d\Z\d]d^Z]e6d d_d`Z^e_d dadbZ`ead dcddZbej7e$d(dedfZcede$dgdhdiZee4efjgdjdkdlZhefjgefjidmdndoZje4efjidjdpdqZkdrdsZlefjmefjidQdtduZnefjoefjpdQdvdwZqefjrefjgdQdxdyZsdzd{Zte$d d|d}Zuej7e$d(d~dZve$d ddZwexeyd(ddZze6e%j&e6e_dddZ{e6eadddZ|e6e}j~dddZe6e%j&e6e_dddZddZe6eadddZe6e}j~dddZeje%jdddZe%jejdddZeje%jdddZe%jejdddZeje%jdddZe%jejdddZejee$dddZeje$dddZddZddZe%jd ddZeje$dddZejeje$dddZejejdddZejejdQddZejejdQddZeje6ejdddZe4ejejddd„ZejdÜddńZe4dƜddȄZejeje$dɜdd˄Zdd̈́Zeje4dddτZe/ddфZddӄZe4e4dԜddքZejejeje6dלddلZddۄZdd݄Zejeje6dޜddZe$d ddZe4e4e}j~dddZddZe}j~e}jdmddZe4e4e}jdddZe}je}jdQddZe}je}jdQddZe}je}j~dQddZdAe4e4e%j&e4e$dddZe$d ddZe6ejdddZe6ejdddZddZejd ddZe$d ddZe6ejdddZe6ejdddZejd ddZe$d ddZe$d d d Ze6ejdd d Ze6ejdd dZejd ddZe$d ddZe6ejdddZe6ejdddZejd ddZe6e6e4e4e4e4e6dddZe$d ddZe.j/e4e%jeddd Ze4d dd!d"Ze.j/d#d$Ze6e%j&e6e%je%j&e_e%j&eje%j'ejfdd%d&Ze6e%j&e6edd'd(Ze%j&e6e%j&ee%j&eje%j&e%j'eeje6d)d*d+Ze$d d,d-Ze6ed.d/d0Ze$d d1d2Ze6e%j'ejdd3d4Ze6e%j'ejdd5d6Zd7d8Ze%j'ejejd9d:d;Zejeje%j'eje6d<d=d>Zd S(BBackendz) OpenSSL API binding interfaces. Zopenssl>s aes-192-gcms aes-128-ccms aes-256-gcms aes-256-ccms aes-192-ccms aes-128-gcmicCst|_|jj|_|jj|_d|_||_ i|_ | |j rX|jj rXt dtn||jjg|_|jjr|j|jjdS)NFz)formatopenssl_version_textrfrqrZrZr[__repr__s zBackend.__repr__N)okerrorsrtcCstj|j||dS)N)ry)r%Z_openssl_assertrc)rrrxryrZrZr[openssl_assertszBackend.openssl_assertcCsH|jjr|j|jj}nt|jddd}|dkr@|jt|S)NZ FIPS_modecSsdSNrrZrZrZrZr[z*Backend._is_fips_enabled..r)rcZCryptography_HAS_300_FIPSZ&EVP_default_properties_is_fips_enabledraNULLgetattrZERR_clear_errorbool)rrmoderZrZr[res zBackend._is_fips_enabledcCs$|j|sJ||_dSN)r_ _enable_fipsrerfrqrZrZr[rs  zBackend._enable_fipscCsf|jjrb|j}||jjkrb|j||j|jj}||dk|j|}||dkdSNr^) rcriZENGINE_get_default_RANDrar~ZENGINE_unregister_RANDRAND_set_rand_methodrz ENGINE_finishrreresrZrZr[activate_builtin_randoms    zBackend.activate_builtin_randomc cs|j|jj}|||jjk|j|}||dkz>|VW|j|}||dk|j|}||dkn6|j|}||dk|j|}||dk0dSr) rcZ ENGINE_by_idZCryptography_osrandom_engine_idrzrar~Z ENGINE_initZ ENGINE_freerrrZrZr[_get_osurandom_engines     zBackend._get_osurandom_enginecCst|jjrp||*}|j|}||dkWdn1sH0Y|j|jj}||dkdSr) rcrirrZENGINE_set_default_RANDrzrrar~rrZrZr[rm s  ,z Backend.activate_osrandom_enginec Cst|jdd}|<}|j|dt|||jjd}||dkWdn1sX0Y|j| dS)Nchar[]@sget_implementationrascii) ranewrrcZENGINE_ctrl_cmdlenr~rzstringdecode)rrbufrrrZrZr[osrandom_engine_implementations ,z&Backend.osrandom_engine_implementationcCs|j|j|jjdS)z Friendly string name of the loaded OpenSSL library. This is not necessarily the same version as it was compiled against. Example: OpenSSL 1.1.1d 10 Sep 2019 r)rarrcZOpenSSL_versionOPENSSL_VERSIONrrqrZrZr[rv s zBackend.openssl_version_textcCs |jSr)rcZOpenSSL_version_numrqrZrZr[openssl_version_number+szBackend.openssl_version_number)key algorithmrtcCs t|||Srr)rrrrrZrZr[create_hmac_ctx.szBackend.create_hmac_ctx)rcCsL|jdks|jdkr0d|j|jdd}n |jd}|j|}|S)Nblake2bblake2sz{}{}r)nameru digest_sizeencodercZEVP_get_digestbyname)rrralgevp_mdrZrZr[_evp_md_from_algorithm3s   zBackend._evp_md_from_algorithmcCs ||}|||jjk|Sr)rrzrar~rrrrrZrZr[_evp_md_non_null_from_algorithm>s z'Backend._evp_md_non_null_from_algorithm)rrtcCs,|jrt||jsdS||}||jjkSNF)rf isinstance _fips_hashesrrar~rrZrZr[hash_supportedCs zBackend.hash_supportedcCs |jrt|tjrdS||Srrfrr&SHA1rrrrrZrZr[signature_hash_supportedJsz Backend.signature_hash_supportedcCs|jr dS|jjdkSdSNFr^)rfrcZCryptography_HAS_SCRYPTrqrZrZr[scrypt_supportedSszBackend.scrypt_supportedcCs |jrt|tjrdS||S)NTrrrZrZr[hmac_supportedYszBackend.hmac_supportedcCs t||SrrrrZrZr[create_hash_ctx`szBackend.create_hash_ctx)cipherrrtcCs^|jrt||jsdSz|jt|t|f}WntyDYdS0||||}|jj|kSr)rfr _fips_ciphersrgtypeKeyErrorrar~)rrrradapter evp_cipherrZrZr[cipher_supportedes   zBackend.cipher_supportedcCs0||f|jvrtd||||j||f<dS)Nz"Duplicate registration for: {} {}.)rg ValueErrorru)rr cipher_clsmode_clsrrZrZr[register_cipher_adaptersszBackend.register_cipher_adaptercCs~tttttttfD]}|t|t dqtttttfD]}|t |t dq8ttttfD]}|t |t dq\|t tt dttttfD]}|t |t dqttttfD]}|t |t dqtttgttttgD]\}}|||t dq|ttdt d|ttdt d|ttdt d |ttttttttfD]}|t|t d q`dS) Nz+{cipher.name}-{cipher.key_size}-{mode.name}zdes-ede3-{mode.name}zdes-ede3zbf-{mode.name}zseed-{mode.name}z{cipher.name}-{mode.name}Zrc4Zrc2Zchacha20zsm4-{mode.name})rDrGrHrKrErFrIrr:GetCipherByNamer<r?r@rC itertoolsproductrArBr;rrVr=rL_get_xts_cipherr>)rrrrrZrZr[rh|s\      z!Backend._register_default_cipherscCst|||tjSr)rZ_ENCRYPTrrrrrZrZr[create_symmetric_encryption_ctxsz'Backend.create_symmetric_encryption_ctxcCst|||tjSr)rZ_DECRYPTrrZrZr[create_symmetric_decryption_ctxsz'Backend.create_symmetric_decryption_ctxcCs ||Sr)rrrZrZr[pbkdf2_hmac_supportedszBackend.pbkdf2_hmac_supported)rlengthsalt iterations key_materialrtc Csh|jd|}||}|j|}|j|t||t|||||} || dk|j|ddS)Nunsigned char[]r^) rarr from_bufferrcZPKCS5_PBKDF2_HMACrrzbuffer) rrrrrrrrrkey_material_ptrrrZrZr[derive_pbkdf2_hmacs   zBackend.derive_pbkdf2_hmaccCs t|jSr)r%_consume_errorsrcrqrZrZr[rszBackend._consume_errorscCs t|jSr)r%_consume_errors_with_textrcrqrZrZr[rsz!Backend._consume_errors_with_textcCsz||jjksJ||j| |j|}|jd|}|j||}||dkt |j |d|d}|S)Nrrbig) rar~rzrcZBN_is_negativeZ BN_num_bytesrZ BN_bn2binint from_bytesr)rrbnZ bn_num_bytesZbin_ptrZbin_lenvalrZrZr[ _bn_to_ints zBackend._bn_to_int)numcCsn|dus||jjksJ|dur(|jj}|t|ddd}|j|t||}|||jjk|S)a  Converts a python integer to a BIGNUM. The returned BIGNUM will not be garbage collected (to support adding them to structs that take ownership of the object). Be sure to register it for GC if it will be discarded after use. Ng @r^r) rar~to_bytesr bit_lengthrcZ BN_bin2bnrrz)rrrrbinaryZbn_ptrrZrZr[ _int_to_bnszBackend._int_to_bn)public_exponentkey_sizertcCst|||j}|||jjk|j||jj}| |}|j||jj }|j ||||jj}||dk| |}t ||||jSr)r.Z_verify_rsa_parametersrcRSA_newrzrar~gcRSA_freerBN_freeZRSA_generate_key_ex_rsa_cdata_to_evp_pkeyrrd)rrrr rsa_cdatarrevp_pkeyrZrZr[generate_rsa_private_keys      z Backend.generate_rsa_private_keycCs|dko|d@dko|dkS)Nr^rirZ)rrrrrZrZr[!generate_rsa_parameters_supported s  z)Backend.generate_rsa_parameters_supported)numbersrtc Cs6t|j|j|j|j|j|j|jj |jj |j }| ||jjk|j||j j}||j}||j}||j}||j}||j}||j}||jj } ||jj } |j |||} | | dk|j || | |} | | dk|j ||||} | | dk||} t||| |jSr)r.Z_check_private_key_componentspqddmp1dmq1iqmppublic_numbersrnrcrrzrar~rrrZRSA_set0_factors RSA_set0_keyZRSA_set0_crt_paramsrrrd) rrrrrrrrrrrrrrrZrZr[load_rsa_private_numberss>         z Backend.load_rsa_private_numberscCst|j|j|j}|||jjk|j ||jj }| |j}| |j}|j ||||jj}||dk| |}t|||Sr)r.Z_check_public_key_componentsrrrcrrzrar~rrrrrr )rrrrrrrrrZrZr[load_rsa_public_numbers:s    zBackend.load_rsa_public_numberscCs2|j}|||jjk|j||jj}|Sr)rcZ EVP_PKEY_newrzrar~r EVP_PKEY_freerrrrZrZr[_create_evp_pkey_gcIs zBackend._create_evp_pkey_gccCs(|}|j||}||dk|Sr)rrcZEVP_PKEY_set1_RSArz)rrrrrrZrZr[rOszBackend._rsa_cdata_to_evp_pkey)datacCsH|j|}|j|t|}|||jjkt|j||jj |S)z Return a _MemoryBIO namedtuple of (BIO, char*). The char* is the storage for the BIO and it must stay alive until the BIO is finished with. ) rarrcZBIO_new_mem_bufrrzr~rTrBIO_free)rrrdata_ptrrUrZrZr[ _bytes_to_bioUs zBackend._bytes_to_biocCsP|j}|||jjk|j|}|||jjk|j||jj}|S)z. Creates an empty memory BIO. )rcZ BIO_s_memrzrar~ZBIO_newrr)rrZ bio_methodrUrZrZr[_create_mem_bio_gcbs   zBackend._create_mem_bio_gccCs\|jd}|j||}||dk||d|jjk|j|d|dd}|S)zE Reads a memory BIO. This only works on memory BIOs. zchar **rN)rarrcZBIO_get_mem_datarzr~r)rrrUrbuf_lenbio_datarZrZr[ _read_mem_bioms  zBackend._read_mem_bioc CsD|j|}||jjkrX|j|}|||jjk|j||jj}t ||||j S||jj kr|jj s|jj s|jjs|j|}|||jjk|j||jj}|}|j||}||dk|j||ddS||jjkr.|j|}|||jjk|j||jj}t|||S||jjkrx|j|}|||jjk|j||jj}t|||S||jvr|j|}|||jjk|j||jj}t|||S|t|jddkrt ||S|t|jddkrt!||S|t|jddkrt"||S|t|jddkr8t#||St$ddS) zd Return the appropriate type of PrivateKey given an evp_pkey cdata pointer. r^N)passwordEVP_PKEY_ED25519 EVP_PKEY_X448EVP_PKEY_X25519EVP_PKEY_ED448Unsupported key type.)%rc EVP_PKEY_id EVP_PKEY_RSAEVP_PKEY_get1_RSArzrar~rrrrdZEVP_PKEY_RSA_PSSCRYPTOGRAPHY_IS_LIBRESSLCRYPTOGRAPHY_IS_BORINGSSLZ#CRYPTOGRAPHY_OPENSSL_LESS_THAN_111Eri2d_RSAPrivateKey_bioload_der_private_keyr EVP_PKEY_DSAEVP_PKEY_get1_DSADSA_freer EVP_PKEY_ECEVP_PKEY_get1_EC_KEY EC_KEY_freerrnEVP_PKEY_get1_DHDH_freer rrr#r!rr) rrrkey_typerrUr dsa_cdataec_cdatadh_cdatarZrZr[_evp_pkey_to_private_keyxsb                  z Backend._evp_pkey_to_private_keycCs|j|}||jjkrT|j|}|||jjk|j||jj}t |||S||jj kr|j |}|||jjk|j||jj }t |||S||jjkr|j|}|||jjk|j||jj}t|||S||jvr,|j|}|||jjk|j||jj}t|||S|t|jddkrJt||S|t|jddkrht||S|t|jddkrt||S|t|jddkrt||StddS)zc Return the appropriate type of PublicKey given an evp_pkey cdata pointer. rNrrrr)rcrrrrzrar~rrr r r r rr rrrrnrrr rrr$r"rr)rrrrrrrrrZrZr[_evp_pkey_to_public_keys<                 zBackend._evp_pkey_to_public_keycCst|tjtjtjtjtjfSr)rr&rSHA224SHA256SHA384SHA512rrZrZr[_oaep_hash_supportedszBackend._oaep_hash_supported)paddingrtcCst|trdSt|trNt|jtrN|jr>t|jjtjr>dS| |jjSn4t|t r~t|jtr~| |jjo|| |jSdSdS)NTF) rr3r4Z_mgfr1rf _algorithmr&rrr2r)rrrrZrZr[rsa_padding_supporteds   zBackend.rsa_padding_supported)rrtc Cs~|dvrtd|j}|||jjk|j||jj}|j|||jjd|jj|jj|jj}||dkt ||S)N)ir]i iz0Key size must be 1024, 2048, 3072, or 4096 bits.rr^) rrcDSA_newrzrar~rr ZDSA_generate_parameters_exr)rrrctxrrZrZr[generate_dsa_parameterss$  zBackend.generate_dsa_parameters) parametersrtcCsT|j|j}|||jjk|j||jj}|j|| |}t |||Sr) rcZ DSAparams_dupZ _dsa_cdatarzrar~rr ZDSA_generate_key_dsa_cdata_to_evp_pkeyr)rrr#r!rrZrZr[generate_dsa_private_keys  z Backend.generate_dsa_private_keycCs||}||Sr)r"r%)rrrr#rZrZr['generate_dsa_private_key_and_parameters's z/Backend.generate_dsa_private_key_and_parameterscCsB|j||||}||dk|j|||}||dkdSr)rc DSA_set0_pqgrzZ DSA_set0_key)rrrrrgpub_keypriv_keyrrZrZr[_dsa_cdata_set_values-szBackend._dsa_cdata_set_valuesc Cst||jj}|j}|||jjk|j ||jj }| |j }| |j }| |j}| |jj}| |j}|||||||||} t||| Sr)r*Z_check_dsa_private_numbersrparameter_numbersrcr rzrar~rr rrrr(yxr+r$r) rrrr,rrrr(r)r*rrZrZr[load_dsa_private_numbers3s       z Backend.load_dsa_private_numbersc Cst|j|j}|||jjk|j||jj }| |jj }| |jj }| |jj }| |j}|jj}|||||||||}t|||Sr)r*_check_dsa_parametersr,rcr rzrar~rr rrrr(r-r+r$r) rrrrrrr(r)r*rrZrZr[load_dsa_public_numbersHs    zBackend.load_dsa_public_numberscCst||j}|||jjk|j||jj}| |j }| |j }| |j }|j ||||}||dkt||Sr)r*r0rcr rzrar~rr rrrr(r'r)rrrrrrr(rrZrZr[load_dsa_parameter_numbers[s     z"Backend.load_dsa_parameter_numberscCs(|}|j||}||dk|Sr)rrcZEVP_PKEY_set1_DSArz)rrrrrrZrZr[r$kszBackend._dsa_cdata_to_evp_pkeycCs|j Sr)rfrqrZrZr[ dsa_supportedqszBackend.dsa_supportedcCs|s dS||Sr)r3rrrZrZr[dsa_hash_supportedtszBackend.dsa_hash_supportedcCs||td|jS)N)rrD block_sizerrZrZr[cmac_algorithm_supportedysz Backend.cmac_algorithm_supportedcCs t||Srr rrZrZr[create_cmac_ctx~szBackend.create_cmac_ctx)rrrtcCs||jj|j||Sr) _load_keyrcZPEM_read_bio_PrivateKeyr)rrrrrZrZr[load_pem_private_keys zBackend.load_pem_private_key)rrtcCs||}|jd}|j|j|jj|j|jjd|}||jjkrd|j ||jj }| |S| |j |j}||dk|j|j|jj|j|jjd|}||jjkr|j ||jj}||}t|||S|dS)NCRYPTOGRAPHY_PASSWORD_DATA *Cryptography_pem_password_cbr^)rrarrcZPEM_read_bio_PUBKEYrUr~ addressof _original_librrrr BIO_resetrzZPEM_read_bio_RSAPublicKeyrrr _handle_key_loading_error)rrrmem_biouserdatarrrrZrZr[load_pem_public_keys:       zBackend.load_pem_public_keycCs^||}|j|j|jj|jj|jj}||jjkrR|j||jj}t||S| dSr) rrcZPEM_read_bio_DHparamsrUrar~rrr r@)rrrrArrZrZr[load_pem_parameterss   zBackend.load_pem_parameterscCs>||}|||}|r$||S||jj|j||SdSr)r"_evp_pkey_from_der_traditional_keyrr9rcZd2i_PKCS8PrivateKey_bio)rrrrrrrZrZr[r s   zBackend.load_der_private_keycCs^|j|j|jj}||jjkrN||j||jj}|durJtd|S|dSdS)N4Password was given but private key is not encrypted.) rcd2i_PrivateKey_biorUrar~rrr TypeError)rrrrrrZrZr[rEs z*Backend._evp_pkey_from_der_traditional_keycCs||}|j|j|jj}||jjkrF|j||jj}||S| |j |j}| |dk|j |j|jj}||jjkr|j||jj }||}t|||S|dSr)rrcZd2i_PUBKEY_biorUrar~rrrrr?rzZd2i_RSAPublicKey_biorrr r@)rrrrArrrrZrZr[load_der_public_keys        zBackend.load_der_public_keycCs||}|j|j|jj}||jjkrF|j||jj}t||S|jj r| |j |j}| |dk|j |j|jj}||jjkr|j||jj}t||S|dSr)rrcZd2i_DHparams_biorUrar~rrr rorr?rzZCryptography_d2i_DHxparams_bior@)rrrrArrrZrZr[load_der_parameterss       zBackend.load_der_parameters)certrtcCsT|tjj}||}|j|j|jj }| ||jj k|j ||jj }|Sr) public_bytesr'EncodingDERrrcZ d2i_X509_biorUrar~rzr X509_free)rrrKrrArrZrZr[ _cert2ossls  zBackend._cert2ossl)rrtcCs4|}|j||}||dkt||Sr)rrcZ i2d_X509_biorz rust_x509Zload_der_x509_certificater)rrrrUrrZrZr[ _ossl2certszBackend._ossl2cert)csrrtcCsT|tjj}||}|j|j|jj }| ||jj k|j ||jj }|Sr) rLr'rMrNrrcZd2i_X509_REQ_biorUrar~rzrZ X509_REQ_free)rrrSrrAx509_reqrZrZr[ _csr2ossl"s  zBackend._csr2ossl)rTrtcCs4|}|j||}||dkt||Sr)rrcZi2d_X509_REQ_biorzrQZload_der_x509_csrr)rrrTrUrrZrZr[ _ossl2csr*szBackend._ossl2csr)crlrtcCsT|tjj}||}|j|j|jj }| ||jj k|j ||jj }|Sr) rLr'rMrNrrcZd2i_X509_CRL_biorUrar~rzrZ X509_CRL_free)rrrWrrAx509_crlrZrZr[ _crl2ossl2s  zBackend._crl2ossl)rXrtcCs4|}|j||}||dkt||Sr)rrcZi2d_X509_CRL_biorzrQZload_der_x509_crlr)rrrXrUrrZrZr[ _ossl2crl:szBackend._ossl2crl)rW public_keyrtcCsJt|tttfstd||}|j||j}|dkrF| dSdS)NzGExpecting one of DSAPublicKey, RSAPublicKey, or EllipticCurvePublicKey.r^FT) rrr rrHrYrcZX509_CRL_verify _evp_pkeyr)rrrWr[rXrrZrZr[_crl_is_signature_validBs  zBackend._crl_is_signature_validcCs`||}|j|}|||jjk|j||jj}|j||}|dkr\| dSdS)Nr^FT) rUrcZX509_REQ_get_pubkeyrzrar~rrZX509_REQ_verifyr)rrrSrTpkeyrrZrZr[_csr_is_signature_valid\s  zBackend._csr_is_signature_validcCs"|j|j|jdkrtddS)Nr^zKeys do not correspond)rcZ EVP_PKEY_cmpr\r)rrkey1key2rZrZr[_check_keys_correspondkszBackend._check_keys_correspondc Cs&||}|jd}|durFtd||j|}||_t||_||j |jj |j |j j d|}||jj kr|jdkr||jdkrtdq|jdksJtd|jd n|||j||j j}|dur|jdkrtd |dur|jd ks|dusJ||S) Nr;rr<rz3Password was not given but private key is encryptedzAPasswords longer than {} bytes are not supported by this backend.r^rF)rrarr_check_byteslikerrrrrUr~r=rcr>errorrrHrrumaxsizer@rrcalled) rrZopenssl_read_funcZ convert_funcrrrArBZ password_ptrrrZrZr[r9osT        zBackend._load_keycs}|stdn|djjjjsf|djjjjsfjjrp|djj jj rptdn4t fdd|Drtdnt |}td|dS)Nz|Could not deserialize key data. The data may be in an incorrect format or it may be encrypted with an unsupported algorithm.rz Bad decrypt. Incorrect password?c3s"|]}|jjjjVqdSr)_lib_reason_matchrc ERR_LIB_EVPZ'EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM).0rfrqrZr[ s z4Backend._handle_key_loading_error..z!Unsupported public key algorithm.zCould not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).)rrrircrjZEVP_R_BAD_DECRYPTZERR_LIB_PKCS12Z!PKCS12_R_PKCS12_CIPHERFINAL_ERRORZCryptography_HAS_PROVIDERSZ ERR_LIB_PROVZPROV_R_BAD_DECRYPTanyr%Z_errors_with_text)rrryZerrors_with_textrZrqr[r@s>       z!Backend._handle_key_loading_error)curvertcCstz||}Wnty(|jj}Yn0|j|}||jjkrN|dS|||jjk|j |dSdS)NFT) _elliptic_curve_to_nidrrc NID_undefZEC_GROUP_new_by_curve_namerar~rrzZ EC_GROUP_free)rrrn curve_nidgrouprZrZr[elliptic_curve_supporteds    z Backend.elliptic_curve_supported)signature_algorithmrnrtcCst|tjsdS||Sr)rr+ZECDSArs)rrrtrnrZrZr[,elliptic_curve_signature_algorithm_supporteds z4Backend.elliptic_curve_signature_algorithm_supportedcCs\||rD||}|j|}||dk||}t|||Std|j t j dS)z@ Generate a new private key on the named curve. r^z#Backend object does not support {}.N) rs_ec_key_new_by_curvercZEC_KEY_generate_keyrz_ec_cdata_to_evp_pkeyrrrurrUNSUPPORTED_ELLIPTIC_CURVE)rrrnrrrrZrZr[#generate_elliptic_curve_private_keys      z+Backend.generate_elliptic_curve_private_keycCsz|j}||j}|j||j|jj}|j ||}|dkrR| t d| ||j |j||}t|||S)Nr^Invalid EC key.)rrvrnrarr private_valuerc BN_clear_freeEC_KEY_set_private_keyrr)_ec_key_set_public_key_affine_coordinatesr.r-rwr)rrrpublicrr{rrrZrZr[#load_elliptic_curve_private_numberss   z+Backend.load_elliptic_curve_private_numberscCs4||j}|||j|j||}t|||Sr)rvrnr~r.r-rwr)rrrrrrZrZr["load_elliptic_curve_public_numberss    z*Backend.load_elliptic_curve_public_numbers)rn point_bytesrtc Cs||}|j|}|||jjk|j|}|||jjk|j||jj}| @}|j |||t ||}|dkr| t dWdn1s0Y|j||}||dk||}t|||S)Nr^z(Invalid public bytes for the given curve)rvrcEC_KEY_get0_grouprzrar~ EC_POINT_newr EC_POINT_free _tmp_bn_ctxZEC_POINT_oct2pointrrrEC_KEY_set_public_keyrwr) rrrnrrrrpointbn_ctxrrrZrZr[ load_elliptic_curve_public_bytes&s"    & z(Backend.load_elliptic_curve_public_bytes)r{rnrtc Csb||}||\}}|j|}|||jjk|j||jj}| |}|j||jj }| |}|j ||||jj|jj|} || dk|j |} |j |} |||| | |} | dkr|tdWdn1s0Y|j||} || dk| |} |j| |jj } |j|| } || dk||} t||| S)Nr^z'Unable to derive key from private_value)rv _ec_key_determine_group_get_funcrcrrzrar~rrrr|rZ EC_POINT_mulZ BN_CTX_getrrrr}rwr)rrr{rnrget_funcrrrvaluerrZbn_xZbn_yprivaterrZrZr[!derive_elliptic_curve_private_key<s4      &  z)Backend.derive_elliptic_curve_private_key)rncCs||}||Sr)ro_ec_key_new_by_curve_nid)rrrnrqrZrZr[rvcs zBackend._ec_key_new_by_curve)rqcCs0|j|}|||jjk|j||jjSr)rcZEC_KEY_new_by_curve_namerzrar~rr)rrrqrrZrZr[rgs z Backend._ec_key_new_by_curve_nid)rrnrtcCs,|jrt||jsdS||o*t|tjSr)rfr_fips_ecdh_curvesrsr+ECDH)rrrrnrZrZr[+elliptic_curve_exchange_algorithm_supportedls z3Backend.elliptic_curve_exchange_algorithm_supportedcCs(|}|j||}||dk|Sr)rrcZEVP_PKEY_set1_EC_KEYrz)rrrrrrZrZr[rwxszBackend._ec_cdata_to_evp_pkeycCsNddd}||j|j}|j|}||jjkrJtd|jtj |S)z/ Get the NID for a curve name. Z prime192v1Z prime256v1)Z secp192r1Z secp256r1z${} is not a supported elliptic curve) getrrc OBJ_sn2nidrrprrurrx)rrrnZ curve_aliasesZ curve_namerqrZrZr[ro~s   zBackend._elliptic_curve_to_nidc csd|j}|||jjk|j||jj}|j|z|VW|j|n|j|0dSr) rcZ BN_CTX_newrzrar~rZ BN_CTX_freeZ BN_CTX_startZ BN_CTX_end)rrrrZrZr[rs  zBackend._tmp_bn_ctxcCs|||jjk|jd}|||jjk|j|}|||jjk|j|}|||jjk|j|}|||jjk||kr|jj r|jj }n|jj }|sJ||fS)zu Given an EC_KEY determine the group and what function is required to get point coordinates. scharacteristic-two-field) rzrar~rcrrprZEC_GROUP_method_ofZEC_METHOD_get_field_typeZCryptography_HAS_EC2MZ$EC_POINT_get_affine_coordinates_GF2mZ#EC_POINT_get_affine_coordinates_GFp)rrr!Z nid_two_fieldrrmethodnidrrZrZr[rs     z(Backend._ec_key_determine_group_get_func)r.r-cCst|dks|dkrtd|j|||jj}|j|||jj}|j|||}|dkrp|tddS)zg Sets the public key point in the EC_KEY context to the affine x and y values. rz2Invalid EC key. Both x and y must be non-negative.r^rzN)rrarrrcrZ(EC_KEY_set_public_key_affine_coordinatesr)rrr!r.r-rrZrZr[r~sz1Backend._ec_key_set_public_key_affine_coordinates)encodingruencryption_algorithmrtc Cs(t|tjstdt|tjs(tdt|tjs|j j}n | |j jkrV|j j}nt d ||||S|tjjur|rt d | |j jkr|j j}n8| |j jkr|j j}n | |j jkr|j j}nt d |||St d |tjjur|tjj urt !||St d t ddS)N/encoding must be an item from the Encoding enumz2format must be an item from the PrivateFormat enumzBEncryption algorithm must be a KeySerializationEncryption instancer}izBPasswords longer than 1023 bytes are not supported by this backendzUnsupported encryption typezUnsupported encoding for PKCS8zCEncrypted traditional OpenSSL format is not supported in FIPS mode.z+Unsupported key type for TraditionalOpenSSLzDEncryption is not supported for DER encoded traditional OpenSSL keysz+Unsupported encoding for TraditionalOpenSSLz=OpenSSH private key format can only be used with PEM encodingformat is invalid with this key)"rr'rMrH PrivateFormatKeySerializationEncryption NoEncryptionBestAvailableEncryptionrrrZPKCS8PEMrcZPEM_write_bio_PKCS8PrivateKeyrNZi2d_PKCS8PrivateKey_bio_private_key_bytes_via_bioZTraditionalOpenSSLrfrrZPEM_write_bio_RSAPrivateKeyr ZPEM_write_bio_DSAPrivateKeyr ZPEM_write_bio_ECPrivateKeyrZi2d_ECPrivateKey_bioZi2d_DSAPrivateKey_bio_bio_func_outputOpenSSHrOZserialize_ssh_private_key) rrrrurrrcdatar write_biorrZrZr[_private_key_bytess                  zBackend._private_key_bytesc Cs<|s|jj}n |jd}|||||t||jj|jjS)Ns aes-256-cbc)rar~rcEVP_get_cipherbynamerr)rrrrrrrZrZr[r7s  z"Backend._private_key_bytes_via_biocGs0|}||g|R}||dk||Sr)rrzr)rrrargsrUrrZrZr[rHszBackend._bio_func_output)rrurtcCst|tjstdt|tjs(td|tjjurt|tjjurJ|jj}n|tjj ur`|jj }nt d| ||S|tjj ur|j|}||jjkrt d|tjjur|jj}n|tjj ur|jj}nt d| ||S|tjjur|tjjurt|St dt ddS)Nrz1format must be an item from the PublicFormat enumz8SubjectPublicKeyInfo works only with PEM or DER encodingz+PKCS1 format is supported only for RSA keysz)PKCS1 works only with PEM or DER encodingz1OpenSSH format must be used with OpenSSH encodingr)rr'rMrH PublicFormatZSubjectPublicKeyInforrcZPEM_write_bio_PUBKEYrNZi2d_PUBKEY_biorrZPKCS1rrZPEM_write_bio_RSAPublicKeyZi2d_RSAPublicKey_biorrOZserialize_ssh_public_key)rrrrurrrrrrZrZr[_public_key_bytesNs@                 zBackend._public_key_bytescCs |jj SrrcrrqrZrZr[ dh_supportedszBackend.dh_supported) generatorrrtcCs|tjkrtdtj|dvr*td|j}|||jjk|j ||jj }|j ||||jj}||dkt ||S)Nz$DH key_size must be at least {} bits)zDH generator must be 2 or 5r^) r)Z_MIN_MODULUS_SIZErrurcDH_newrzrar~rrZDH_generate_parameters_exr )rrrrZdh_param_cdatarrZrZr[generate_dh_parameterss    zBackend.generate_dh_parameterscCs(|}|j||}||dk|Sr)rrcZEVP_PKEY_set1_DHrz)rrrrrrZrZr[_dh_cdata_to_evp_pkeyszBackend._dh_cdata_to_evp_pkeycCs<t|j|}|j|}||dk||}t|||Sr)rZ _dh_cdatarcZDH_generate_keyrzrr )rrr#Z dh_key_cdatarrrZrZr[generate_dh_private_keys  zBackend.generate_dh_private_keycCs||||Sr)rr)rrrrrZrZr[&generate_dh_private_key_and_parameterss z.Backend.generate_dh_private_key_and_parametersc Cs>|jj}|j}|||jjk|j||jj}| |j }| |j }|j durf| |j }n|jj}| |jj }| |j}|j||||} || dk|j|||} || dk|jdd} |j|| } || dk| ddkr(|j dkr | d|jjAdks(td||} t||| S)Nr^int[]rrz.DH private numbers did not pass safety checks.)rr,rcrrzrar~rrrrr(rr-r. DH_set0_pqg DH_set0_keyrCryptography_DH_checkZDH_NOT_SUITABLE_GENERATORrrr ) rrrr,rrr(rr)r*rcodesrrZrZr[load_dh_private_numberss4       zBackend.load_dh_private_numbersc Cs|j}|||jjk|j||jj}|j}||j }||j }|j durd||j }n|jj}||j }|j ||||}||dk|j|||jj}||dk||} t||| Sr)rcrrzrar~rrr,rrr(rr-rrrr ) rrrrr,rr(rr)rrrZrZr[load_dh_public_numberss       zBackend.load_dh_public_numberscCs|j}|||jjk|j||jj}||j}||j }|j dur^||j }n|jj}|j ||||}||dkt ||Sr) rcrrzrar~rrrrr(rrr )rrrrrr(rrrZrZr[load_dh_parameter_numberss    z!Backend.load_dh_parameter_numbers)rr(rrtcCs|j}|||jjk|j||jj}||}||}|durV||}n|jj}|j||||}||dk|j dd}|j ||}||dk|ddkS)Nr^rr) rcrrzrar~rrrrrr)rrrr(rrrrrZrZr[dh_parameters_supporteds    zBackend.dh_parameters_supportedcCs |jjdkSr)rcrorqrZrZr[dh_x942_serialization_supported4sz'Backend.dh_x942_serialization_supportedcCsht|dkrtd|}|j||jj}||dk|j||t|}||dkt||S)N z%An X25519 public key is 32 bytes longr^) rrrrcZEVP_PKEY_set_type NID_X25519rzZEVP_PKEY_set1_tls_encodedpointr")rrrrrrZrZr[x25519_load_public_bytes7s  z Backend.x25519_load_public_bytescCst|dkrtdd}|dF}||dd<||dd<||}|j|j|jj}Wdn1sn0Y| ||jjk|j ||jj }| |j ||jj kt||S)Nrz&An X25519 private key is 32 bytes longs0.0+en" 0r)rr_zeroed_bytearrayrrcrGrUrar~rzrrrrr!)rrrZ pkcs8_prefixbarUrrZrZr[x25519_load_private_bytesFs     2z!Backend.x25519_load_private_bytescCs|j||jj}|||jjk|j||jj}|j|}||dk|jd}|j ||}||dk||d|jjk|j|d|jj }|S)Nr^ EVP_PKEY **r) rcZEVP_PKEY_CTX_new_idrar~rzrZEVP_PKEY_CTX_freeZEVP_PKEY_keygen_initrZEVP_PKEY_keygenr)rrrZ evp_pkey_ctxrZ evp_ppkeyrrZrZr[_evp_pkey_keygen_gcjs  zBackend._evp_pkey_keygen_gccCs||jj}t||Sr)rrcrr!rrZrZr[x25519_generate_keywszBackend.x25519_generate_keycCs|jr dS|jj Sr)rfrcrrqrZrZr[x25519_supported{szBackend.x25519_supportedcCs`t|dkrtd|j|jj|jj|t|}|||jjk|j||jj }t ||S)N8z#An X448 public key is 56 bytes long) rrrcEVP_PKEY_new_raw_public_keyNID_X448rar~rzrrr$rrrrrZrZr[x448_load_public_bytess zBackend.x448_load_public_bytescCslt|dkrtd|j|}|j|jj|jj|t|}|||jjk|j ||jj }t ||S)Nrz$An X448 private key is 56 bytes long) rrrarrcEVP_PKEY_new_raw_private_keyrr~rzrrr#rrrrrrZrZr[x448_load_private_bytess  zBackend.x448_load_private_bytescCs||jj}t||Sr)rrcrr#rrZrZr[x448_generate_keyszBackend.x448_generate_keycCs|jr dS|jj o|jj Sr)rfrcZ"CRYPTOGRAPHY_OPENSSL_LESS_THAN_111rrqrZrZr[x448_supporteds  zBackend.x448_supportedcCs|jr dS|jj Sr)rfrc#CRYPTOGRAPHY_OPENSSL_LESS_THAN_111BrqrZrZr[ed25519_supportedszBackend.ed25519_supportedcCsntd|t|tjkr"td|j|jj|j j |t|}| ||j j k|j ||jj }t||S)Nrz&An Ed25519 public key is 32 bytes long)r _check_bytesrr,_ED25519_KEY_SIZErrcr NID_ED25519rar~rzrrrrrZrZr[ed25519_load_public_bytess z!Backend.ed25519_load_public_bytescCszt|tjkrtdtd||j|}|j |jj |jj |t|}| ||jj k|j ||jj}t||S)Nz'An Ed25519 private key is 32 bytes longr)rr,rrrrerarrcrrr~rzrrrrrZrZr[ed25519_load_private_bytess  z"Backend.ed25519_load_private_bytescCs||jj}t||Sr)rrcrrrrZrZr[ed25519_generate_keyszBackend.ed25519_generate_keycCs|jr dS|jj o|jj Sr)rfrcrrrqrZrZr[ed448_supporteds  zBackend.ed448_supportedcCsltd|t|tkr td|j|jj|jj |t|}| ||jj k|j ||jj }t ||S)Nrz$An Ed448 public key is 57 bytes long)rrrrrrcr NID_ED448rar~rzrrrrrZrZr[ed448_load_public_bytess  zBackend.ed448_load_public_bytescCsxtd|t|tkr td|j|}|j|jj |jj |t|}| ||jj k|j ||jj }t||S)Nrz%An Ed448 private key is 57 bytes long)rrerrrrarrcrrr~rzrrrrrZrZr[ed448_load_private_bytess   z Backend.ed448_load_private_bytescCs||jj}t||Sr)rrcrrrrZrZr[ed448_generate_keyszBackend.ed448_generate_key)rrrrrrrtc Cs|jd|}|j|}|j|t||t||||tj|| } | dkrr|} d||d} t d | | |j |ddS)Nrr^izJNot enough memory to derive key. These parameters require {} MB of memory.) rarrrcZEVP_PBE_scryptrrMZ _MEM_LIMITr MemoryErrorrur) rrrrrrrrrrrryZ min_memoryrZrZr[ derive_scrypts0   zBackend.derive_scryptcCsLt|}|jr||jvrdS|dr4|jjdkS|j||jj kSdS)NFs-sivr^) rZ_aead_cipher_namerf _fips_aeadendswithrc#CRYPTOGRAPHY_OPENSSL_300_OR_GREATERrrar~)rrr cipher_namerZrZr[aead_cipher_supporteds   zBackend.aead_cipher_supported)rrtc cs2t|}z|VW|||n|||0dS)z This method creates a bytearray, which we copy data into (hopefully also from a mutable buffer that can be dynamically erased!), and then zero when we're done. N) bytearray _zero_data)rrrrrZrZr[r$szBackend._zeroed_bytearraycCst|D] }d||<qdSr{)range)rrrrirZrZr[r1s zBackend._zero_datac cs||dur|jjVndt|}|jd|d}|j|||z |VW||jd||n||jd||0dS)a This method takes bytes, which can be a bytestring or a mutable buffer like a bytearray, and yields a null-terminated version of that data. This is required because PKCS12_parse doesn't take a length with its password char * and ffi.from_buffer doesn't provide null termination. So, to support zeroing the data via bytearray we need to build this ridiculous construct that copies the memory, but zeroes it after use. Nrr^z uint8_t *)rar~rrmemmovercast)rrrdata_lenrrZrZr[_zeroed_null_terminated_buf8s  z#Backend._zeroed_null_terminated_bufcCs2|||}|j|jr|jjnddd|jDfS)NcSsg|] }|jqSrZ) certificaterkrKrZrZr[ Zr}zABackend.load_key_and_certificates_from_pkcs12..) load_pkcs12rrKrZadditional_certs)rrrrZpkcs12rZrZr[%load_key_and_certificates_from_pkcs12Os  z-Backend.load_key_and_certificates_from_pkcs12cCs|durtd|||}|j|j|jj}||jjkrN|t d|j ||jj }|j d}|j d}|j d}| |$}|j|||||} Wdn1s0Y|jjr|| dkr|t dd} d} g} |d|jjkr(|j |d|jj} || } |d|jjkr|j |d|jj}||}d}|j||jj}||jjkr|j|}t||} |d|jjkr~|j |d|jj}|j|d}|jjs|jjrt|}n tt|}|D]}|j||}|||jjk|j ||jj}||}d}|j||jj}||jjkrj|j|}| t||qt | | | S)Nrz!Could not deserialize PKCS12 datarzX509 **zCryptography_STACK_OF_X509 **rzInvalid password or PKCS12 data)!rrerrcZd2i_PKCS12_biorUrar~rrr PKCS12_freerrZ PKCS12_parseZ#CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340rrrOrRZX509_alias_get0rrP sk_X509_free sk_X509_numrrrreversed sk_X509_valuerzrprQ)rrrrrUp12Z evp_pkey_ptrZx509_ptrZ sk_x509_ptr password_bufrrKrZadditional_certificatesrrZcert_objrZ maybe_namesk_x509rindicesrZ addl_certZ addl_namerZrZr[r]sp        "        zBackend.load_pkcs12)rrrKcasrrtcCsFd}|durtd|t|tjr6d}d}d} d} n4t|tjrb|jj}|jj}d} d} |j}nt d|dus~t |dkr|j j } n|j } |j | |jj} g} |D]} t| tr| j}|| j}||.}|j||d}||dkWdn1s0Yn || }| ||j| |}t|dkq||}||`}|rt||n|j j }|dur|j}n|j j }|j||||| ||| | d }Wdn1s0YWdn1s0Y|||j j k|j ||jj}|}|j||}||dk||S)Nrrcri Nr^zUnsupported key encryption type) rrrr'rrrcZ&NID_pbe_WithSHA1And3_Key_TripleDES_CBCrrrrar~sk_X509_new_nullrrrPZ friendly_namerPrrZX509_alias_set1rzrp sk_X509_pushbackendr\Z PKCS12_createrrZi2d_PKCS12_bior)rrrrrKrrrZnid_certZnid_keyZ pkcs12_iterZmac_iterrZossl_cascaZca_aliasZossl_caZ ca_name_bufrrZname_buf ossl_certrrrUrZrZr[(serialize_key_and_certificates_to_pkcs12s|      0     D z0Backend.serialize_key_and_certificates_to_pkcs12cCs|jr dS|jjdkSr)rfrcZCryptography_HAS_POLY1305rqrZrZr[poly1305_supported szBackend.poly1305_supported)rrtcCs*td|t|tkr tdt||S)NrzA poly1305 key is 32 bytes long)rrerrrr)rrrrZrZr[create_poly1305_ctx s  zBackend.create_poly1305_ctxcCs |jj SrrrqrZrZr[pkcs7_supported szBackend.pkcs7_supportedcCsntd|||}|j|j|jj|jj|jj}||jjkrR|t d|j ||jj }| |SNrzUnable to parse PKCS7 data) rrrrcZPEM_read_bio_PKCS7rUrar~rrr PKCS7_free_load_pkcs7_certificatesrrrrUp7rZrZr[load_pem_pkcs7_certificates s   z#Backend.load_pem_pkcs7_certificatescCsbtd|||}|j|j|jj}||jjkrF|t d|j ||jj }| |Sr ) rrrrcZ d2i_PKCS7_biorUrar~rrrr r rrZrZr[load_der_pkcs7_certificates s   z#Backend.load_der_pkcs7_certificatesc Cs|j|j}|||jjk||jjkr>td|tj |j j j }|j |}g}t|D]d}|j||}|||jjk|j|}||dk|j||jj}||} || q`|S)NzNOnly basic signed structures are currently supported. NID for this data was {}r^)rcZ OBJ_obj2nidrrzrpZNID_pkcs7_signedrrurZUNSUPPORTED_SERIALIZATIONrsignrKrrrrar~Z X509_up_refrrOrRrp) rrrrrrcertsrrrrKrZrZr[r - s*       z Backend._load_pkcs7_certificates)rrc Cs"t|}|rtdd|Ds&td|tjjtjjfvrBtd|j}|j ||jj }g}|D]4}| |}| ||j||}||dkqf|j|j j|j j||j j|jj}|} |tjjur|j| ||j jd}n|tjjusJ|j| |}||dk|| S)Ncss|]}t|tjVqdSr)rr CertificaterrZrZr[rlM sz7Backend.pkcs7_serialize_certificates..z.certs must be a list of certs with length >= 1z/encoding must DER or PEM from the Encoding enumr^r)listallrHr'rMrrNrcrrarrrPrprrz PKCS7_signr~ PKCS7_PARTIALrPEM_write_bio_PKCS7_stream i2d_PKCS7_bior) rrrrZcerts_sk ossl_certsrKrrrbio_outrZrZr[pkcs7_serialize_certificatesG sD      z$Backend.pkcs7_serialize_certificates)builderroptionsrtcCs|jdusJ||j}|jj}d}t|jdkr>|jj}n\|j}|j ||jj }g}|jD]4} | | } | | |j || } || dkqdtjj|vr||jjO}||jjO}|j|jj|jj||jj|} || |jjk|j | |jj} d} tjj|vr"| |jjO} ntjj|vr<| |jjO} tjj|vrV| |jjO} |jD]H\}}}| |} ||}|j| | |j|| }|||jjkq\|D]<}|tjjur||jj O}n|tjj!ur||jj"O}q|#}|t$j%j&ur|j'|| |j(|} n|t$j%j)urX|j*| |j(|} || dk|j+|| |j(|} nR|t$j%j,usjJ|j*| |j(|} || dk|jj-r|.|j/|| } || dk|0|S)Nrr^)1_datarrcrrZ_additional_certsrar~rrrrPrprrzrN PKCS7OptionsZDetachedSignatureZPKCS7_DETACHEDrr ZNoCapabilitiesZPKCS7_NOSMIMECAPZ NoAttributesZ PKCS7_NOATTRZNoCertsZ PKCS7_NOCERTSZ_signersrZPKCS7_sign_add_signerr\TextZ PKCS7_TEXTBinaryZ PKCS7_BINARYrr'rMZSMIMEZSMIME_write_PKCS7rUrZ PKCS7_finalrrNrrrr)rrrrrrUZ init_flagsZ final_flagsrrrKrrrZ signer_flagsrZ private_keyZhash_algorithmmdZ p7signerinfooptionrrZrZr[ pkcs7_signv s                zBackend.pkcs7_sign)N)N)N)rWrXrY__doc__rrr:rr&rrrrZ SHA512_224Z SHA512_256ZSHA3_224ZSHA3_256ZSHA3_384ZSHA3_512ZSHAKE128ZSHAKE256rr+Z SECP224R1Z SECP256R1Z SECP384R1Z SECP521R1rZ_fips_rsa_min_key_sizeZ_fips_rsa_min_public_exponentZ_fips_dsa_min_modulusZ_fips_dh_min_key_sizeZ_fips_dh_min_modulusrsstrrwrtypingOptionalListr%Z _OpenSSLErrorrzrerr contextlibrrrmrrvrrbytesZ HashAlgorithmrrrrrrrrZ HashContextrr9rJrrrhrrrrrrZ_OpenSSLErrorWithTextrrrr.Z RSAPrivateKeyrrZRSAPrivateNumbersrZRSAPublicNumbersZ RSAPublicKeyrrrrrrr6rr7rrr(rr*Z DSAParametersr"Z DSAPrivateKeyr%r&r+ZDSAPrivateNumbersr/ZDSAPublicNumbersZ DSAPublicKeyr1ZDSAParameterNumbersr2r$r3r4r7r8r r8r:rCr)Z DHParametersrDr rErIrJrrAnyrPrRZCertificateSigningRequestrUrVZCertificateRevocationListrYrZr5r]r_rbr9NoReturnr@Z EllipticCurversZEllipticCurveSignatureAlgorithmruZEllipticCurvePrivateKeyryZEllipticCurvePrivateNumbersrZEllipticCurvePublicNumbersZEllipticCurvePublicKeyrrrrvrrrrwrorrr~r'rMrrrrrrrrrrZ DHPrivateKeyrrZDHPrivateNumbersrZDHPublicNumbersZ DHPublicKeyrZDHParameterNumbersrrrr/ZX25519PublicKeyrZX25519PrivateKeyrrrrr0Z X448PublicKeyrZX448PrivateKeyrrrrr,ZEd25519PublicKeyrZEd25519PrivateKeyrrrr-ZEd448PublicKeyrZEd448PrivateKeyrrrrIteratorrrrrTuplerrQrrRrSrrrr r rrr rrNZPKCS7SignatureBuilderr!r&rZrZrZr[r\sN             2        %    @+        *        5/      '   o 7    1     $    #     O X    1 r\c@s,eZdZedddZeeedddZdS)r)fmtcCs ||_dSr)_fmt)rrr2rZrZr[rs szGetCipherByName.__init__)rrrcCs&|jj||d}|j|dS)N)rrr)r3rulowerrcrr)rrrrrrrZrZr[__call__ szGetCipherByName.__call__N) rWrXrYr(rsr\r9rJr5rZrZrZr[r sr)rrcCs"d|jd}|j|dS)Nz aes-{}-xtsrr)rurrcrr)rrrrrZrZr[r sr)y collectionsr,rr)rjrZ cryptographyrrZcryptography.exceptionsrrZ$cryptography.hazmat.backends.opensslrZ,cryptography.hazmat.backends.openssl.ciphersrZ)cryptography.hazmat.backends.openssl.cmacr Z'cryptography.hazmat.backends.openssl.dhr r r rZ(cryptography.hazmat.backends.openssl.dsarrrZ'cryptography.hazmat.backends.openssl.ecrrZ,cryptography.hazmat.backends.openssl.ed25519rrZ*cryptography.hazmat.backends.openssl.ed448rrrZ+cryptography.hazmat.backends.openssl.hashesrZ)cryptography.hazmat.backends.openssl.hmacrZ-cryptography.hazmat.backends.openssl.poly1305rrZ(cryptography.hazmat.backends.openssl.rsarr Z+cryptography.hazmat.backends.openssl.x25519r!r"Z)cryptography.hazmat.backends.openssl.x448r#r$Z"cryptography.hazmat.bindings._rustrQZ$cryptography.hazmat.bindings.opensslr%Zcryptography.hazmat.primitivesr&r'Z*cryptography.hazmat.primitives._asymmetricr(Z)cryptography.hazmat.primitives.asymmetricr)r*r+r,r-r.r/r0Z1cryptography.hazmat.primitives.asymmetric.paddingr1r2r3r4Z/cryptography.hazmat.primitives.asymmetric.typesr5r6r7Z&cryptography.hazmat.primitives.ciphersr8r9Z1cryptography.hazmat.primitives.ciphers.algorithmsr:r;r<r=r>r?r@rArBrCZ,cryptography.hazmat.primitives.ciphers.modesrDrErFrGrHrIrJrKrLZ"cryptography.hazmat.primitives.kdfrMZ,cryptography.hazmat.primitives.serializationrNrOZ3cryptography.hazmat.primitives.serialization.pkcs12rPrQrRrS namedtuplerTrVr\rrrrZrZrZr[st         ( 0 , g