3 y_@sddlmZmZmZddlZddlZddlZddlZddlmZddl Z ddl m Z ddl m Z mZddlmZmZddlmZmZmZmZmZddlmZmZmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%dd l&m'Z'dd l(m)Z)dd l*m+Z+dd l,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4m5Z5dd l6m7Z7m8Z8m9Z9m:Z:ddl;mZ>ddl?m@Z@mAZAddlBmCZCmDZDddlEmFZFmGZGmHZHddlImJZJmKZKmLZLmMZMmNZNmOZOmPZPmQZQmRZRddlSmTZTddlUmVZVddlWmXZXmYZYddlZm[Z[m\Z\ddl]m^Z^m_Z_ddl`maZambZbddlcmdZdmeZeddlfmgZgmhZhmiZimjZjddlkmlZlddlmmnZnmoZoddlpmqZqmrZrmsZsmtZtmuZuddlvmwZwmxZxmyZymzZzddl{m|Z|m}Z}m~Z~mZmZmZmZmZmZdd lmZmZmZmZmZmZmZmZdd!lmZdd"lmZmZdd#lmZejd$d%d&gZGd'd(d(eZe jee jee jee jee jee jee je e jee je!e je#e je"e je%e jeljjje$Gd)d*d*eZGd+d,d,eZd-d.ZeZdS)/)absolute_importdivisionprint_functionN)contextmanager)range)utilsx509)UnsupportedAlgorithm_Reasons)INTEGERNULLSEQUENCE encode_derencode_der_integer) CMACBackend CipherBackendDERSerializationBackend DHBackend DSABackendEllipticCurveBackend HMACBackend HashBackendPBKDF2HMACBackendPEMSerializationBackend RSABackend ScryptBackend X509Backend)aead)_CipherContext) _CMACContext) _CRL_ENTRY_REASON_ENUM_TO_CODE_CRL_EXTENSION_HANDLERS_EXTENSION_HANDLERS_BASE_EXTENSION_HANDLERS_SCT"_OCSP_BASICRESP_EXTENSION_HANDLERS_OCSP_REQ_EXTENSION_HANDLERS'_OCSP_SINGLERESP_EXTENSION_HANDLERS_SCT_REVOKED_EXTENSION_HANDLERS_X509ExtensionParser) _DHParameters _DHPrivateKey _DHPublicKey_dh_params_dup)_DSAParameters_DSAPrivateKey _DSAPublicKey)_EllipticCurvePrivateKey_EllipticCurvePublicKey)_Ed25519PrivateKey_Ed25519PublicKey)_ED448_KEY_SIZE_Ed448PrivateKey_Ed448PublicKey) $_CRL_ENTRY_EXTENSION_ENCODE_HANDLERS_CRL_EXTENSION_ENCODE_HANDLERS_EXTENSION_ENCODE_HANDLERS)_OCSP_BASICRESP_EXTENSION_ENCODE_HANDLERS'_OCSP_REQUEST_EXTENSION_ENCODE_HANDLERS_encode_asn1_int_gc_encode_asn1_str_gc_encode_name_gc _txt2obj_gc) _HashContext) _HMACContext) _OCSPRequest _OCSPResponse)_POLY1305_KEY_SIZE_Poly1305Context)_RSAPrivateKey _RSAPublicKey)_X25519PrivateKey_X25519PublicKey)_X448PrivateKey_X448PublicKey) _Certificate_CertificateRevocationList_CertificateSigningRequest_RevokedCertificate)binding)hashes serialization)dsaeced25519ed448rsa)MGF1OAEPPKCS1v15PSS) AESARC4BlowfishCAST5CamelliaChaCha20IDEASEED TripleDES)CBCCFBCFB8CTRECBGCMOFBXTS)scrypt)pkcs7ssh)ocsp _MemoryBIObioZchar_ptrc@s eZdZdS)_RC2N)__name__ __module__ __qualname__rwrw/usr/lib64/python3.6/backend.pyrssrsc @s|eZdZdZdZddddddhZeefZe j e j e j e j e je je je je je je je je jf Zd Zd Zd d >Zd Zd e>Zd d Zd-ddZddZddZ e!j"ddZ#ddZ$ddZ%ddZ&ddZ'dd Z(d!d"Z)d#d$Z*d%d&Z+d'd(Z,d)d*Z-d+d,Z.d-d.Z/d/d0Z0d1d2Z1d3d4Z2d5d6Z3d7d8Z4d9d:Z5d;d<Z6d=d>Z7d?d@Z8dAdBZ9d.dCdDZ:dEdFZ;dGdHZdMdNZ?dOdPZ@dQdRZAdSdTZBdUdVZCdWdXZDdYdZZEd[d\ZFd]d^ZGd_d`ZHdadbZIdcddZJdedfZKdgdhZLdidjZMdkdlZNdmdnZOdodpZPdqdrZQdsdtZRdudvZSdwdxZTdydzZUd{d|ZVd}d~ZWddZXddZYddZZddZ[ddZ\ddZ]ddZ^ddZ_ddZ`ddZaddZbddZcddZdddZeddZfddZgddZhddZiddZjddZkddZlddZmddZnddZoddZpddZqddZrddZsddZtddZuddZvddZwddZxdd„ZyddĄZzddƄZ{ddȄZ|ddʄZ}dd̄Z~e"dd΄ZddЄZdd҄ZddԄZddքZdd؄ZddڄZdd܄ZddބZddZddZddZddZddZddZd/ddZddZddZddZddZddZddZddZddZddZddZddZddZddZddZd d Zd d Zd dZddZddZddZddZe!j"ddZddZe!j"ddZddZdd Zd!d"Zd#d$Zd%d&Zd'd(Zd)d*Zd+d,ZdS(0Backendz) OpenSSL API binding interfaces. Zopenssls aes-128-ccms aes-192-ccms aes-256-ccms aes-128-gcms aes-192-gcms aes-256-gcmiicCstj|_|jj|_|jj|_|j|_i|_ |j |j |j |jrb|jj rbtjdtn|j|jjg|_|jjr|jj|jjdS)Nzsz*Backend._is_fips_enabled..r)getattrr~ZERR_clear_errorbool)rZ fips_modemoderwrwrxrs  zBackend._is_fips_enabledcCsf|jjrb|jj}||jjkrb|jj||jj|jj}|j|dk|jj|}|j|dkdS)Nrz) r~rZENGINE_get_default_RANDr|r ZENGINE_unregister_RANDRAND_set_rand_methodr ENGINE_finish)reresrwrwrxactivate_builtin_randoms    zBackend.activate_builtin_randomc cs|jj|jj}|j||jjk|jj|}|j|dkz |VWd|jj|}|j|dk|jj|}|j|dkXdS)Nrz) r~Z ENGINE_by_idZCryptography_osrandom_engine_idrr|r Z ENGINE_initZ ENGINE_freer)rrrrwrwrx_get_osurandom_engine s    zBackend._get_osurandom_enginec Cs`|jjr\|j|j }|jj|}|j|dkWdQRX|jj|jj}|j|dkdS)Nrz) r~rrrZENGINE_set_default_RANDrrr|r )rrrrwrwrxrs  z Backend.activate_osrandom_enginecCs`|jjdd}|j2}|jj|dt|||jjd}|j|dkWdQRX|jj|j dS)Nzchar[]@sget_implementationrascii) r|newrr~ZENGINE_ctrl_cmdlenr rstringdecode)rbufrrrwrwrxosrandom_engine_implementation+s  z&Backend.osrandom_engine_implementationcCs|jj|jj|jjjdS)z Friendly string name of the loaded OpenSSL library. This is not necessarily the same version as it was compiled against. Example: OpenSSL 1.1.1d 10 Sep 2019 r)r|rr~ZOpenSSL_versionZOPENSSL_VERSIONr)rrwrwrxopenssl_version_text4szBackend.openssl_version_textcCs |jjS)N)r~ZOpenSSL_version_num)rrwrwrxopenssl_version_number?szBackend.openssl_version_numbercCs t|||S)N)rA)rkey algorithmrwrwrxcreate_hmac_ctxBszBackend.create_hmac_ctxcCsL|jdks|jdkr0dj|j|jdjd}n |jjd}|jj|}|S)NZblake2bZblake2sz{}{}r)nameformatZ digest_sizeencoder~ZEVP_get_digestbyname)rrZalgevp_mdrwrwrx_evp_md_from_algorithmEs  zBackend._evp_md_from_algorithmcCs |j|}|j||jjk|S)N)rrr|r )rrrrwrwrx_evp_md_non_null_from_algorithmPs z'Backend._evp_md_non_null_from_algorithmcCs.|jrt||j rdS|j|}||jjkS)NF)r isinstance _fips_hashesrr|r )rrrrwrwrxhash_supportedUs zBackend.hash_supportedcCs |j|S)N)r)rrrwrwrxhmac_supported\szBackend.hmac_supportedcCs t||S)N)r@)rrrwrwrxcreate_hash_ctx_szBackend.create_hash_ctxc Cs`|jrt||j rdSy|jt|t|f}Wntk rFdSX||||}|jj|kS)NF)rr _fips_ciphersrtypeKeyErrorr|r )rcipherradapter evp_cipherrwrwrxcipher_supportedbs zBackend.cipher_supportedcCs0||f|jkrtdj||||j||f<dS)Nz"Duplicate registration for: {} {}.)r ValueErrorr)r cipher_clsmode_clsrrwrwrxregister_cipher_adapterls  zBackend.register_cipher_adaptercCsnx,tttttttgD]}|jt|t dqWx(tttttgD]}|jt |t dq>Wx&ttttgD]}|jt |t dqfW|jt tt dx&ttttgD]}|jt |t dqWx&ttttgD]}|jt |t dqWx6tjttgttttgD]\}}|j||t dqW|jttdt d|jttdt d|jttdt d |jtttdS) Nz+{cipher.name}-{cipher.key_size}-{mode.name}zdes-ede3-{mode.name}zdes-ede3zbf-{mode.name}zseed-{mode.name}z{cipher.name}-{mode.name}Zrc4Zrc2Zchacha20)rerhrirkrfrgrjrr\GetCipherByNamer`rdr^rc itertoolsproductr_rbr]rrsrarl_get_xts_cipher)rrrrwrwrxrusBz!Backend._register_default_cipherscCstj}tj}|jjr,|jt|jtt||jj |jj |d|_ t||jj |jj |d|_t||jj|jjtd|_t||jj|jjtd|_t||jj|jjtd|_t||jj|jjtd|_t||jj|jj|d|_ dS)N)Z ext_countZget_exthandlers)!r"copyr'r~ZCryptography_HAS_SCTupdater#r&r(ZX509_get_ext_countZ X509_get_extZ_certificate_extension_parserZsk_X509_EXTENSION_numZsk_X509_EXTENSION_valueZ_csr_extension_parserZX509_REVOKED_get_ext_countZX509_REVOKED_get_extZ_revoked_cert_extension_parserZX509_CRL_get_ext_countZX509_CRL_get_extr!Z_crl_extension_parserZOCSP_REQUEST_get_ext_countZOCSP_REQUEST_get_extr%Z_ocsp_req_ext_parserZOCSP_BASICRESP_get_ext_countZOCSP_BASICRESP_get_extr$Z_ocsp_basicresp_ext_parserZOCSP_SINGLERESP_get_ext_countZOCSP_SINGLERESP_get_extZ_ocsp_singleresp_ext_parser)rZ ext_handlersZsingleresp_handlersrwrwrxrsP        z"Backend._register_x509_ext_parserscCs6tj|_tj|_tj|_tj|_t j|_ dS)N) r9r_extension_encode_handlersr8_crl_extension_encode_handlersr7$_crl_entry_extension_encode_handlersr;'_ocsp_request_extension_encode_handlersr:)_ocsp_basicresp_extension_encode_handlers)rrwrwrxrs     zBackend._register_x509_encoderscCst|||tjS)N)rZ_ENCRYPT)rrrrwrwrxcreate_symmetric_encryption_ctxsz'Backend.create_symmetric_encryption_ctxcCst|||tjS)N)rZ_DECRYPT)rrrrwrwrxcreate_symmetric_decryption_ctxsz'Backend.create_symmetric_decryption_ctxcCs |j|S)N)r)rrrwrwrxpbkdf2_hmac_supportedszBackend.pbkdf2_hmac_supportedc Csh|jjd|}|j|}|jj|}|jj|t||t|||||} |j| dk|jj|ddS)Nzunsigned char[]rz) r|rr from_bufferr~ZPKCS5_PBKDF2_HMACrrbuffer) rrlengthsaltZ iterations key_materialrrkey_material_ptrrrwrwrxderive_pbkdf2_hmacs  zBackend.derive_pbkdf2_hmaccCs tj|jS)N)rP_consume_errorsr~)rrwrwrxrszBackend._consume_errorscCs tj|jS)N)rP_consume_errors_with_textr~)rrwrwrxrsz!Backend._consume_errors_with_textcCs||jjksttjs~|jj|}|jjd|}|jj||}|j |dkt j |jj |d|d}|jj |rz| }|S|jj|}|j ||jjk|jj|}|jj|t |dSdS)Nzunsigned char[]rbig)r|r AssertionErrorsixPY2r~Z BN_num_bytesrZ BN_bn2binrint from_bytesrZBN_is_negativeZ BN_bn2hexr OPENSSL_free)rbnZ bn_num_bytesZbin_ptrZbin_lenvalZ hex_cdataZhex_strrwrwrx _bn_to_ints     zBackend._bn_to_intcCs|dks||jjkst|dkr(|jj}tjst|jt|jddd}|jj |t ||}|j ||jjk|St |j dddjd}|jjd}||d <|jj||}|j |d k|j |d |jjk|d SdS) a  Converts a python integer to a BIGNUM. The returned BIGNUM will not be garbage collected (to support adding them to structs that take ownership of the object). Be sure to register it for GC if it will be discarded after use. Ng @rzrLrz BIGNUM **r)r|r rrrto_bytesr bit_lengthr~Z BN_bin2bnrrhexrstriprrZ BN_hex2bn)rnumrZbinaryZbn_ptrZhex_numrrwrwrx _int_to_bns zBackend._int_to_bncCstj|||jj}|j||jjk|jj||jj}|j |}|jj||jj }|jj ||||jj}|j|dk|j |}t |||S)Nrz)rWZ_verify_rsa_parametersr~RSA_newrr|r gcRSA_freerBN_freeZRSA_generate_key_ex_rsa_cdata_to_evp_pkeyrF)rpublic_exponentkey_size rsa_cdatarrevp_pkeyrwrwrxgenerate_rsa_private_key=s    z Backend.generate_rsa_private_keycCs|dko|d@dko|dkS)Nrzrirw)rrrrwrwrx!generate_rsa_parameters_supportedOs z)Backend.generate_rsa_parameters_supportedc Cs2tj|j|j|j|j|j|j|jj |jj |j j }|j ||jjk|jj||j j}|j|j}|j|j}|j|j}|j|j}|j|j}|j|j}|j|jj } |j|jj } |j j|||} |j | dk|j j|| | |} |j | dk|j j||||} |j | dk|j|} t||| S)Nrz)rWZ_check_private_key_componentspqddmp1dmq1iqmppublic_numbersrnr~rrr|r rrrZRSA_set0_factors RSA_set0_keyZRSA_set0_crt_paramsrrF) rnumbersrrrrrrrrrrrrwrwrxload_rsa_private_numbersVs8         z Backend.load_rsa_private_numberscCstj|j|j|jj}|j||jjk|jj ||jj }|j |j}|j |j}|jj ||||jj}|j|dk|j |}t|||S)Nrz)rWZ_check_public_key_componentsrrr~rrr|r rrrrrrG)rrrrrrrrwrwrxload_rsa_public_numbersvs    zBackend.load_rsa_public_numberscCs2|jj}|j||jjk|jj||jj}|S)N)r~Z EVP_PKEY_newrr|r r EVP_PKEY_free)rrrwrwrx_create_evp_pkey_gcs zBackend._create_evp_pkey_gccCs(|j}|jj||}|j|dk|S)Nrz)rr~ZEVP_PKEY_set1_RSAr)rrrrrwrwrxrszBackend._rsa_cdata_to_evp_pkeycCsH|jj|}|jj|t|}|j||jjkt|jj||jj |S)z Return a _MemoryBIO namedtuple of (BIO, char*). The char* is the storage for the BIO and it must stay alive until the BIO is finished with. ) r|rr~ZBIO_new_mem_bufrrr rqrBIO_free)rdatadata_ptrrrrwrwrx _bytes_to_bios zBackend._bytes_to_biocCsP|jj}|j||jjk|jj|}|j||jjk|jj||jj}|S)z. Creates an empty memory BIO. )r~Z BIO_s_memrr|r ZBIO_newrr)rZ bio_methodrrrwrwrx_create_mem_bio_gcs   zBackend._create_mem_bio_gccCs\|jjd}|jj||}|j|dk|j|d|jjk|jj|d|dd}|S)zE Reads a memory BIO. This only works on memory BIOs. zchar **rN)r|rr~ZBIO_get_mem_datarr r)rrrrZbuf_lenbio_datarwrwrx _read_mem_bios  zBackend._read_mem_biocCs|jj|}||jjkrT|jj|}|j||jjk|jj||jj}t |||S||jj kr|jj |}|j||jjk|jj||jj }t |||S||jjkr|jj|}|j||jjk|jj||jj}t|||S||jkr,|jj|}|j||jjk|jj||jj}t|||S|t|jddkrJt||S|t|jddkrht||S|t|jddkrt||S|t|jddkrt||StddS)zd Return the appropriate type of PrivateKey given an evp_pkey cdata pointer. EVP_PKEY_ED25519N EVP_PKEY_X448EVP_PKEY_X25519EVP_PKEY_ED448zUnsupported key type.)r~ EVP_PKEY_id EVP_PKEY_RSAEVP_PKEY_get1_RSArr|r rrrF EVP_PKEY_DSAEVP_PKEY_get1_DSADSA_freer. EVP_PKEY_ECEVP_PKEY_get1_EC_KEY EC_KEY_freer0rEVP_PKEY_get1_DHDH_freer*rr2rJrHr5r )rrkey_typer dsa_cdataec_cdatadh_cdatarwrwrx_evp_pkey_to_private_keys<                 z Backend._evp_pkey_to_private_keycCs|jj|}||jjkrT|jj|}|j||jjk|jj||jj}t |||S||jj kr|jj |}|j||jjk|jj||jj }t |||S||jjkr|jj|}|j||jjk|jj||jj}t|||S||jkr,|jj|}|j||jjk|jj||jj}t|||S|t|jddkrJt||S|t|jddkrht||S|t|jddkrt||S|t|jddkrt||StddS)zc Return the appropriate type of PublicKey given an evp_pkey cdata pointer. r Nr rrzUnsupported key type.)r~rrrrr|r rrrGrrrr/rrrr1rrrr+rr3rKrIr6r )rrrrrrrrwrwrx_evp_pkey_to_public_keys<                 zBackend._evp_pkey_to_public_keycCs6|jjr&t|tjtjtjtjtjfSt|tjSdS)N) r~ZCryptography_HAS_RSA_OAEP_MDrrQSHA1SHA224SHA256SHA384SHA512)rrrwrwrx_oaep_hash_supporteds zBackend._oaep_hash_supportedcCst|trdSt|tr2t|jtr2|j|jjSt|trt|jtr|j|jjo|j|jo|j dkpt |j dkp|j j dkSdSdS)NTrrzF) rrZr[Z_mgfrXr _algorithmrYr&Z_labelrr~ZCryptography_HAS_RSA_OAEP_LABEL)rZpaddingrwrwrxrsa_padding_supporteds   zBackend.rsa_padding_supportedcCs~|dkrtd|jj}|j||jjk|jj||jj}|jj|||jjd|jj|jj|jj}|j|dkt ||S) N z0Key size must be 1024, 2048, 3072, or 4096 bits.rrz)r)r*r+r,) rr~DSA_newrr|r rrZDSA_generate_parameters_exr-)rrctxrrwrwrxgenerate_dsa_parameters(s   zBackend.generate_dsa_parameterscCsT|jj|j}|j||jjk|jj||jj}|jj||j |}t |||S)N) r~Z DSAparams_dupZ _dsa_cdatarr|r rrZDSA_generate_key_dsa_cdata_to_evp_pkeyr.)r parametersr.rrwrwrxgenerate_dsa_private_key@s   z Backend.generate_dsa_private_keycCs|j|}|j|S)N)r/r2)rrr1rwrwrx'generate_dsa_private_key_and_parametersIs z/Backend.generate_dsa_private_key_and_parameterscCsB|jj||||}|j|dk|jj|||}|j|dkdS)Nrz)r~ DSA_set0_pqgrZ DSA_set0_key)rrrrgpub_keypriv_keyrrwrwrx_dsa_cdata_set_valuesMszBackend._dsa_cdata_set_valuesc Cstj||jj}|jj}|j||jjk|jj ||jj }|j |j }|j |j }|j |j}|j |jj}|j |j}|j|||||||j|} t||| S)N)rSZ_check_dsa_private_numbersrparameter_numbersr~r-rr|r rrrrrr5yxr8r0r.) rrr9rrrr5r6r7rrwrwrxload_dsa_private_numbersSs       z Backend.load_dsa_private_numbersc Cstj|j|jj}|j||jjk|jj||jj }|j |jj }|j |jj }|j |jj }|j |j}|jj}|j|||||||j|}t|||S)N)rS_check_dsa_parametersr9r~r-rr|r rrrrrr5r:r8r0r/) rrrrrr5r6r7rrwrwrxload_dsa_public_numbersfs    zBackend.load_dsa_public_numberscCstj||jj}|j||jjk|jj||jj}|j |j }|j |j }|j |j }|jj ||||}|j|dkt||S)Nrz)rSr=r~r-rr|r rrrrrr5r4r-)rrrrrr5rrwrwrxload_dsa_parameter_numbersws     z"Backend.load_dsa_parameter_numberscCs(|j}|jj||}|j|dk|S)Nrz)rr~ZEVP_PKEY_set1_DSAr)rrrrrwrwrxr0szBackend._dsa_cdata_to_evp_pkeycCs |j|S)N)r)rrrwrwrxdsa_hash_supportedszBackend.dsa_hash_supportedcCsdS)NTrw)rrrr5rwrwrxdsa_parameters_supportedsz Backend.dsa_parameters_supportedcCs|j|td|jS)N)rreZ block_size)rrrwrwrxcmac_algorithm_supportedsz Backend.cmac_algorithm_supportedcCs t||S)N)r)rrrwrwrxcreate_cmac_ctxszBackend.create_cmac_ctxcCst|tjtjfr$|dk r|tdnXt|tjtj t j fsDt dn8t|t jsZt dn"t|t jr|t|tj r|tddS)Nz8algorithm must be None when signing via ed25519 or ed448z;Key must be an rsa, dsa, ec, ed25519, or ed448 private key.z.Algorithm must be a registered hash algorithm.z2MD5 hash algorithm is only supported with RSA keys)rrUEd25519PrivateKeyrVEd448PrivateKeyrrWZ RSAPrivateKeyrSZ DSAPrivateKeyrTZEllipticCurvePrivateKey TypeErrorrQZ HashAlgorithmZMD5)r private_keyrrwrwrx_x509_check_signature_paramss    z$Backend._x509_check_signature_paramsc st|tjstdj||j||}jj}j|j j kj j |jj }jj |tjjj}j|dkjj|t|j}j|dk|j}jj||j}j|dkjj}j|j j kj j |fdd}j|jj|jjddjj||}j|dkxN|jD]D\} } t| j} jj || tj!j"j#j| t$| }j|dkq8Wjj%||j|}|dkrj&} t'd| t(|S) NzBuilder type mismatch.rzcsjj|jjjjdS)NX509_EXTENSION_free)r~Zsk_X509_EXTENSION_pop_freer| addressof _original_lib)r;)rrwrxrsz)Backend.create_x509_csr..F) extensionsrx509_objadd_funcrrzSigning failed))rrZ CertificateSigningRequestBuilderrGrI_evp_md_x509_null_if_eddsar~Z X509_REQ_newrr|r r X509_REQ_freeZX509_REQ_set_versionZVersionZv1valueZX509_REQ_set_subject_namer> _subject_name public_keyZX509_REQ_set_pubkey _evp_pkeyZsk_X509_EXTENSION_new_null_create_x509_extensions _extensionsrZsk_X509_EXTENSION_insertZX509_REQ_add_extensions _attributesr? dotted_stringZX509_REQ_add1_attr_by_OBJrZ _ASN1TypeZ UTF8StringrZ X509_REQ_signrrrN) rbuilderrHrrx509_reqrrTZ sk_extensionZattr_oidZattr_valobjrrw)rrxcreate_x509_csrsT           zBackend.create_x509_csrc Csxt|tjstd|j|||j||}|jj}|jj ||jj }|jj ||j j }|j|dk|jj|t||j}|j|dk|jj||jj}|j|dkt||j}|jj||}|j|dk|j|jj||j|j|jj||j|j|j|j||jj dd|jj!|t||j"}|j|dk|jj#||j|}|dkrn|j$}t%d|t&||S)NzBuilder type mismatch.rzT)rMrrNrOrrzSigning failed)'rrZCertificateBuilderrGrIrPr~ZX509_newr|r X509_freeZX509_set_versionZ_versionrRrZX509_set_subject_namer>rSZX509_set_pubkeyZ _public_keyrUr<_serial_numberZX509_set_serialNumber_set_asn1_timeZX509_getm_notBeforeZ_not_valid_beforeZX509_getm_notAfterZ_not_valid_afterrVrWrZ X509_add_extZX509_set_issuer_name _issuer_nameZ X509_signrrrL) rrZrHrrZ x509_certr serial_numberrrwrwrxcreate_x509_certificatesF        zBackend.create_x509_certificatecCs(t|tjtjfr|jjS|j|SdS)N)rrUrErVrFr|r r)rrHrrwrwrxrP;sz"Backend._evp_md_x509_null_if_eddsacCsL|jdkr|jdjd}n|jdjd}|jj||}|j|dkdS)Niz %Y%m%d%H%M%SZrz %y%m%d%H%M%SZrz)ZyearZstrftimerr~ZASN1_TIME_set_stringr)r asn1_timetimeZasn1_strrrwrwrxr`Ds  zBackend._set_asn1_timecCs>|jj}|j||jjk|jj||jj}|j|||S)N)r~Z ASN1_TIME_newrr|r rZASN1_TIME_freer`)rrerdrwrwrx_create_asn1_timeLs   zBackend._create_asn1_timec Csxt|tjstd|j|||j||}|jj}|jj ||jj }|jj |d}|j |dk|jj |t||j}|j |dk|j|j}|jj||}|j |dk|j|j}|jj||}|j |dk|j|j|j||jjddxJ|jD]@} |jj| j} |j | |jjk|jj|| }|j |dkqW|jj||j|}|dkrn|j } t!d| t"||S)NzBuilder type mismatch.rzT)rMrrNrOrrzSigning failed)#rrZ CertificateRevocationListBuilderrGrIrPr~Z X509_CRL_newr|r X509_CRL_freeZX509_CRL_set_versionrZX509_CRL_set_issuer_namer>rarfZ _last_updateZX509_CRL_set_lastUpdate _next_updateZX509_CRL_set_nextUpdaterVrWrZX509_CRL_add_extZ_revoked_certificatesZX509_REVOKED_dupZ _x509_revokedr ZX509_CRL_add0_revokedZ X509_CRL_signrUrrrM) rrZrHrrx509_crlrZ last_update next_updateZ revoked_certZrevokedrrwrwrxcreate_x509_crlSsB         zBackend.create_x509_crlc Cshxbt|D]V\}}|j||}|j||jjk|rF|jj||jj}||||} |j| dkq WdS)Nrz) enumerate_create_x509_extensionrr|r rr~rJ) rrMrrNrOri extensionZx509_extensionrrwrwrxrVs   zBackend._create_x509_extensionscCs.t||jj}|jj|jj||jr&dnd|S)Nrzr)r?oidrYr~ZX509_EXTENSION_create_by_OBJr|r critical)rrorRr\rwrwrx_create_raw_x509_extensionsz"Backend._create_raw_x509_extensionc Cst|jtjr(t||jj}|j||St|jtjrfttfdd|jD}t||}|j||St|jtj rt|tt }|j||Sy||j }Wn$t k rt dj|j YnX|||j}|jj|j jjd}|j||jjk|jj||jr dnd|SdS)NcSsg|]}ttt|jqSrw)rr rrR).0r;rwrwrx sz2Backend._create_x509_extension..zExtension not supported: {}rrzr)rrRrZUnrecognizedExtensionr=rrZ TLSFeaturerr Z PrecertPoisonr rprNotImplementedErrorrr~Z OBJ_txt2nidrYrr NID_undefZX509V3_EXT_i2drq)rrrorRZasn1rZ ext_structnidrwrwrxrms0     zBackend._create_x509_extensioncCst|tjstd|jj}|j||jjk|jj ||jj }t ||j }|jj ||}|j|dk|j|j}|jj||}|j|dk|j|j|j||jjddt|d|S)NzBuilder type mismatch.rzT)rMrrNrOr)rrZRevokedCertificateBuilderrGr~ZX509_REVOKED_newrr|r rZX509_REVOKED_freer<r_ZX509_REVOKED_set_serialNumberrfZ_revocation_dateZX509_REVOKED_set_revocationDaterVrWrZX509_REVOKED_add_extrO)rrZZ x509_revokedrbrZrev_daterwrwrxcreate_x509_revoked_certificates&    z'Backend.create_x509_revoked_certificatecCs|j|jj|j||S)N) _load_keyr~ZPEM_read_bio_PrivateKeyr)rrpasswordrwrwrxload_pem_private_keys zBackend.load_pem_private_keycCs|j|}|jj|j|jj|jj|jj}||jjkrR|jj||jj}|j|S|j |jj |j}|j |dk|jj |j|jj|jj|jj}||jjkr|jj||jj }|j|}t|||S|jdS)Nrz)rr~ZPEM_read_bio_PUBKEYrrr|r rrr r BIO_resetrZPEM_read_bio_RSAPublicKeyrrrG_handle_key_loading_error)rrmem_biorrrrwrwrxload_pem_public_keys       zBackend.load_pem_public_keycCs^|j|}|jj|j|jj|jj|jj}||jjkrR|jj||jj}t||S|j dS)N) rr~ZPEM_read_bio_DHparamsrrr|r rrr)r})rrr~rrwrwrxload_pem_parameterss   zBackend.load_pem_parameterscCs>|j|}|j||}|r$|j|S|j|jj|j||SdS)N)r"_evp_pkey_from_der_traditional_keyrryr~Zd2i_PKCS8PrivateKey_bio)rrrzr rrwrwrxload_der_private_keys   zBackend.load_der_private_keycCsV|jj|j|jj}||jjkrF|jj||jj}|dk rBtd|S|jdSdS)Nz4Password was given but private key is not encrypted.) r~d2i_PrivateKey_biorrr|r rrrGr)rr rzrrwrwrxrs z*Backend._evp_pkey_from_der_traditional_keycCs|j|}|jj|j|jj}||jjkrF|jj||jj}|j|S|j |jj |j}|j |dk|jj |j|jj}||jjkr|jj||jj }|j|}t|||S|jdS)Nrz)rr~Zd2i_PUBKEY_biorrr|r rrr rr|rZd2i_RSAPublicKey_biorrrGr})rrr~rrrrwrwrxload_der_public_key(s      zBackend.load_der_public_keycCs|j|}|jj|j|jj}||jjkrF|jj||jj}t||S|jj r|j |jj |j}|j |dk|jj |j|jj}||jjkr|jj||jj}t||S|jdS)Nrz)rr~Zd2i_DHparams_biorrr|r rrr)rrr|rZCryptography_d2i_DHxparams_bior})rrr~rrrwrwrxload_der_parameters?s     zBackend.load_der_parameterscCsb|j|}|jj|j|jj|jj|jj}||jjkrF|jtd|jj||jj }t ||S)NzwUnable to load certificate. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.) rr~ZPEM_read_bio_X509rrr|r rrrr^rL)rrr~rrwrwrxload_pem_x509_certificateSs  z!Backend.load_pem_x509_certificatecCsV|j|}|jj|j|jj}||jjkr:|jtd|jj||jj }t ||S)NzUnable to load certificate) rr~Z d2i_X509_biorrr|r rrrr^rL)rrr~rrwrwrxload_der_x509_certificatebs  z!Backend.load_der_x509_certificatecCsb|j|}|jj|j|jj|jj|jj}||jjkrF|jtd|jj||jj }t ||S)NzoUnable to load CRL. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.) rr~ZPEM_read_bio_X509_CRLrrr|r rrrrgrM)rrr~rirwrwrxload_pem_x509_crlls  zBackend.load_pem_x509_crlcCsV|j|}|jj|j|jj}||jjkr:|jtd|jj||jj }t ||S)NzUnable to load CRL) rr~Zd2i_X509_CRL_biorrr|r rrrrgrM)rrr~rirwrwrxload_der_x509_crl{s  zBackend.load_der_x509_crlcCsb|j|}|jj|j|jj|jj|jj}||jjkrF|jtd|jj||jj }t ||S)NzsUnable to load request. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.) rr~ZPEM_read_bio_X509_REQrrr|r rrrrQrN)rrr~r[rwrwrxload_pem_x509_csrs  zBackend.load_pem_x509_csrcCsV|j|}|jj|j|jj}||jjkr:|jtd|jj||jj }t ||S)NzUnable to load request) rr~Zd2i_X509_REQ_biorrr|r rrrrQrN)rrr~r[rwrwrxload_der_x509_csrs  zBackend.load_der_x509_csrc Cs*|j|}|jjd}|dk rFtjd||jj|}||_t||_||j |jj |jj |j j d|}||jj kr|jdkr|j} |j| |jd krtdq|jd ksttdj|jdn|j|jj||j j}|dk o|jdkrtd |dk r|jdks"|dks"t||S) NzCRYPTOGRAPHY_PASSWORD_DATA *rzZCryptography_pem_password_cbrrzz3Password was not given but private key is encryptedrzAPasswords longer than {} bytes are not supported by this backend.z4Password was given but private key is not encrypted.)rr|rr_check_byteslikerrzrrrrr rKr~rLerrorrrrGrrrmaxsizer}rrZcalled) rZopenssl_read_funcZ convert_funcrrzr~ZuserdataZ password_ptrrrrwrwrxrys@          zBackend._load_keycsj}|stdn|djjjjjsF|djjjjjrPtdn|djjjjjs|djjj jj rt dt j nLtfdd|Drtdn,|djjjjj jjfksttddS)NzCould not deserialize key data.rz Bad decrypt. Incorrect password?z0PEM data is encrypted with an unsupported cipherc3s"|]}|jjjjjVqdS)N)_lib_reason_matchr~ ERR_LIB_EVPZ'EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM)rsr)rrwrx sz4Backend._handle_key_loading_error..z!Unsupported public key algorithm.)rrrr~rZEVP_R_BAD_DECRYPTZERR_LIB_PKCS12Z!PKCS12_R_PKCS12_CIPHERFINAL_ERRORZEVP_R_UNKNOWN_PBE_ALGORITHMZ ERR_LIB_PEMZPEM_R_UNSUPPORTED_ENCRYPTIONr r ZUNSUPPORTED_CIPHERanyr}Z ERR_LIB_ASN1r)rrrw)rrxr}s2       z!Backend._handle_key_loading_errorc Csvy|j|}Wntk r*|jj}YnX|jj|}||jjkrP|jdS|j||jjk|jj |dSdS)NFT) _elliptic_curve_to_nidr r~rvZEC_GROUP_new_by_curve_namer|r rrZ EC_GROUP_free)rcurve curve_nidgrouprwrwrxelliptic_curve_supporteds   z Backend.elliptic_curve_supportedcCst|tjsdS|j|S)NF)rrTZECDSAr)rZsignature_algorithmrrwrwrx,elliptic_curve_signature_algorithm_supporteds z4Backend.elliptic_curve_signature_algorithm_supportedcCs\|j|rD|j|}|jj|}|j|dk|j|}t|||Stdj|j t j dS)z@ Generate a new private key on the named curve. rzz#Backend object does not support {}.N) r_ec_key_new_by_curver~ZEC_KEY_generate_keyr_ec_cdata_to_evp_pkeyr0r rrr UNSUPPORTED_ELLIPTIC_CURVE)rrrrrrwrwrx#generate_elliptic_curve_private_keys      z+Backend.generate_elliptic_curve_private_keycCsp|j}|j|j}|jj|j|j|jj}|jj ||}|j |dk|j ||j |j }|j|}t|||S)Nrz)rrrr|rr private_valuer~ BN_clear_freeEC_KEY_set_private_keyr)_ec_key_set_public_key_affine_coordinatesr;r:rr0)rrZpublicrrrrrwrwrx#load_elliptic_curve_private_numbers%s  z+Backend.load_elliptic_curve_private_numberscCs4|j|j}|j||j|j}|j|}t|||S)N)rrrr;r:rr1)rrrrrwrwrx"load_elliptic_curve_public_numbers8s   z*Backend.load_elliptic_curve_public_numbersc Cs|j|}|jj|}|j||jjk|jj|}|j||jjk|jj||jj}|j 6}|jj |||t ||}|dkr|j t dWdQRX|jj||}|j|dk|j|}t|||S)Nrzz(Invalid public bytes for the given curve)rr~EC_KEY_get0_grouprr|r EC_POINT_newr EC_POINT_free _tmp_bn_ctxZEC_POINT_oct2pointrrrEC_KEY_set_public_keyrr1) rrZ point_bytesrrpointbn_ctxrrrwrwrx load_elliptic_curve_public_bytesAs      z(Backend.load_elliptic_curve_public_bytescCsD|j|}|j|\}}|jj|}|j||jjk|jj||jj}|j |}|jj||jj }|j h}|jj ||||jj|jj|} |j| dk|jj |} |jj |} |||| | |} |j| dkWdQRX|jj||} |j| dk|j |} |jj| |jj } |jj|| } |j| dk|j|} t||| S)Nrz)r _ec_key_determine_group_get_funcr~rrr|r rrrrrZ EC_POINT_mulZ BN_CTX_getrrrr0)rrrrget_funcrrrRrrZbn_xZbn_yZprivaterrwrwrx!derive_elliptic_curve_private_keyUs.        z)Backend.derive_elliptic_curve_private_keycCs|j|}|j|S)N)r_ec_key_new_by_curve_nid)rrrrwrwrxrxs zBackend._ec_key_new_by_curvecCsB|jj|}|j||jjk|jj|tjj|jj||jj S)N) r~ZEC_KEY_new_by_curve_namerr|r ZEC_KEY_set_asn1_flagbackendZOPENSSL_EC_NAMED_CURVErr)rrrrwrwrxr|s   z Backend._ec_key_new_by_curve_nidcCsV|j|}|jj|j|jj}||jjkr:|jtd|jj||jj }t ||S)NzUnable to load OCSP request) rr~Zd2i_OCSP_REQUEST_biorrr|r rrrOCSP_REQUEST_freerB)rrr~Zrequestrwrwrxload_der_ocsp_requests  zBackend.load_der_ocsp_requestcCsV|j|}|jj|j|jj}||jjkr:|jtd|jj||jj }t ||S)NzUnable to load OCSP response) rr~Zd2i_OCSP_RESPONSE_biorrr|r rrrOCSP_RESPONSE_freerC)rrr~Zresponserwrwrxload_der_ocsp_responses  zBackend.load_der_ocsp_responsec Cs|jj}|j||jjk|jj||jj}|j\}}}|j|}|jj ||j |j }|j||jjk|jj ||}|j||jjk|j |j |j||jjddt||S)NT)rMrrNrOr)r~ZOCSP_REQUEST_newrr|r rrZ_requestrOCSP_cert_to_id_x509ZOCSP_request_add0_idrVrWrZOCSP_REQUEST_add_extrB) rrZZocsp_reqcertZissuerrrcertidZonereqrwrwrxcreate_ocsp_requests    zBackend.create_ocsp_requestcCs|j|||jj}|j||jjk|jj||jj}|j|j j }|jj ||j j j |j jj }|j||jjk|jj||jj}|j jdkrd}n t|j j}|j jdkr|jj}n|j|j j}|jj} |j jdk r|j|j j} |j|j j} |jj|||j jj||| | } |j| |jjk|j||}|j\} } |jj}| tjjkrb||jjO}|j dk rx.|j D]$}|jj!||j } |j| dkqvW|j"|j#|j$||jj%dd|jj&|| j |j'||jj|} | dkr|j(}t)d||S)NrzT)rMrrNrOrzAError while signing. responder_cert must be signed by private_keyr)*rIr~ZOCSP_BASICRESP_newrr|r rZOCSP_BASICRESP_freerZ _responser'rZ_certrZ_issuerZOCSP_CERTID_freeZ_revocation_reasonr Z_revocation_timerfrhZ _this_updateZOCSP_basic_add1_statusZ _cert_statusrRrPZ _responder_idZ OCSP_NOCERTSrpZOCSPResponderEncodingZHASHZOCSP_RESPID_KEYZ_certsZOCSP_basic_add1_certrVrWrZOCSP_BASICRESP_add_extZOCSP_basic_signrUrr)rrZrHrbasicrrreasonZrev_timerjZ this_updaterZresponder_certZresponder_encodingflagsrrrwrwrx_create_ocsp_basic_responses|                 z#Backend._create_ocsp_basic_responsecCsb|tjjkr|j|||}n|jj}|jj|j|}|j ||jjk|jj ||jj }t ||S)N) rpZOCSPResponseStatusZ SUCCESSFULrr|r r~ZOCSP_response_createrRrrrrC)rZresponse_statusrZrHrrZ ocsp_resprwrwrxcreate_ocsp_responses   zBackend.create_ocsp_responsecCs|j|ot|tjS)N)rrrTZECDH)rrrrwrwrx+elliptic_curve_exchange_algorithm_supporteds z3Backend.elliptic_curve_exchange_algorithm_supportedcCs(|j}|jj||}|j|dk|S)Nrz)rr~ZEVP_PKEY_set1_EC_KEYr)rrrrrwrwrxrszBackend._ec_cdata_to_evp_pkeycCsNddd}|j|j|j}|jj|j}||jjkrJtdj|jtj |S)z/ Get the NID for a curve name. Z prime192v1Z prime256v1)Z secp192r1Z secp256r1z${} is not a supported elliptic curve) getrr~ OBJ_sn2nidrrvr rr r)rrZ curve_aliasesZ curve_namerrwrwrxr!s   zBackend._elliptic_curve_to_nidc csX|jj}|j||jjk|jj||jj}|jj|z |VWd|jj|XdS)N) r~Z BN_CTX_newrr|r rZ BN_CTX_freeZ BN_CTX_startZ BN_CTX_end)rrrwrwrxr2s   zBackend._tmp_bn_ctxcCs|j||jjk|jjd}|j||jjk|jj|}|j||jjk|jj|}|j||jjk|jj|}|j||jjk||kr|jj r|jj }n|jj }|st ||fS)zu Given an EC_KEY determine the group and what function is required to get point coordinates. scharacteristic-two-field) rr|r r~rrvrZEC_GROUP_method_ofZEC_METHOD_get_field_typeZCryptography_HAS_EC2MZ$EC_POINT_get_affine_coordinates_GF2mZ#EC_POINT_get_affine_coordinates_GFpr)rr.Z nid_two_fieldrmethodrwrrwrwrxr=s     z(Backend._ec_key_determine_group_get_funccCst|dks|dkrtd|jj|j||jj}|jj|j||jj}|jj|||}|dkrp|jtd|S)zg Sets the public key point in the EC_KEY context to the affine x and y values. rz2Invalid EC key. Both x and y must be non-negative.rzzInvalid EC key.)rr|rrr~rZ(EC_KEY_set_public_key_affine_coordinatesr)rr.r;r:rrwrwrxrYsz1Backend._ec_key_set_public_key_affine_coordinatesc Cs*t|tjstdt|tjs(tdt|tjs.) r>r|rr~Z i2d_X509_NAMErr rr)rrZ x509_nameZpprrw)rrxx509_name_bytess  zBackend.x509_name_bytescCsht|dkrtd|j}|jj||jj}|j|dk|jj||t|}|j|dkt||S)N z%An X25519 public key is 32 bytes longrz) rrrr~ZEVP_PKEY_set_type NID_X25519rZEVP_PKEY_set1_tls_encodedpointrI)rrrrrwrwrxx25519_load_public_bytess z Backend.x25519_load_public_bytesc Cst|dkrtdd}|jd<}||dd<||dd<|j|}|jj|j|jj}WdQRX|j ||jjk|jj ||jj }|j |jj ||jj kt||S)Nrz&An X25519 private key is 32 bytes longs0.0+en" 0rr)rr_zeroed_bytearrayrr~rrrr|r rrrrrrH)rrZ pkcs8_prefixbarrrrwrwrxx25519_load_private_bytess     z!Backend.x25519_load_private_bytescCs|jj||jj}|j||jjk|jj||jj}|jj|}|j|dk|jjd}|jj ||}|j|dk|j|d|jjk|jj|d|jj }|S)Nrzz EVP_PKEY **r) r~ZEVP_PKEY_CTX_new_idr|r rrZEVP_PKEY_CTX_freeZEVP_PKEY_keygen_initrZEVP_PKEY_keygenr)rrwZ evp_pkey_ctxrZ evp_ppkeyrrwrwrx_evp_pkey_keygen_gc s  zBackend._evp_pkey_keygen_gccCs|j|jj}t||S)N)rr~rrH)rrrwrwrxx25519_generate_key szBackend.x25519_generate_keycCs|jr dS|jjS)NF)rr~Z#CRYPTOGRAPHY_OPENSSL_110_OR_GREATER)rrwrwrxx25519_supported szBackend.x25519_supportedcCs`t|dkrtd|jj|jj|jj|t|}|j||jjk|jj||jj }t ||S)N8z#An X448 public key is 56 bytes long) rrr~EVP_PKEY_new_raw_public_keyNID_X448r|r rrrrK)rrrrwrwrxx448_load_public_bytes# s zBackend.x448_load_public_bytescCslt|dkrtd|jj|}|jj|jj|jj|t|}|j||jjk|jj ||jj }t ||S)Nrz$An X448 private key is 56 bytes long) rrr|rr~EVP_PKEY_new_raw_private_keyrr rrrrJ)rrrrrwrwrxx448_load_private_bytes. s  zBackend.x448_load_private_bytescCs|j|jj}t||S)N)rr~rrJ)rrrwrwrxx448_generate_key: szBackend.x448_generate_keycCs|jr dS|jj S)NF)rr~Z"CRYPTOGRAPHY_OPENSSL_LESS_THAN_111)rrwrwrxx448_supported> szBackend.x448_supportedcCs|jr dS|jj S)NF)rr~#CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B)rrwrwrxed25519_supportedC szBackend.ed25519_supportedcCsntjd|t|tjkr"td|jj|jj|j j |t|}|j ||j j k|j j ||jj }t||S)Nrz&An Ed25519 public key is 32 bytes long)r _check_bytesrrU_ED25519_KEY_SIZErr~r NID_ED25519r|r rrrr3)rrrrwrwrxed25519_load_public_bytesH s z!Backend.ed25519_load_public_bytescCszt|tjkrtdtjd||jj|}|jj |jj |jj |t|}|j ||jj k|jj ||jj}t||S)Nz'An Ed25519 private key is 32 bytes longr)rrUrrrrr|rr~rrr rrrr2)rrrrrwrwrxed25519_load_private_bytesV s  z"Backend.ed25519_load_private_bytescCs|j|jj}t||S)N)rr~rr2)rrrwrwrxed25519_generate_keyd szBackend.ed25519_generate_keycCs|jr dS|jj S)NF)rr~r)rrwrwrxed448_supportedh szBackend.ed448_supportedcCsltjd|t|tkr td|jj|jj|jj |t|}|j ||jj k|jj ||jj }t ||S)Nrz$An Ed448 public key is 57 bytes long)rrrr4rr~r NID_ED448r|r rrrr6)rrrrwrwrxed448_load_public_bytesm s  zBackend.ed448_load_public_bytescCsxtjd|t|tkr td|jj|}|jj|jj |jj |t|}|j ||jj k|jj ||jj }t||S)Nrz%An Ed448 private key is 57 bytes long)rrrr4rr|rr~rrr rrrr5)rrrrrwrwrxed448_load_private_bytesz s   z Backend.ed448_load_private_bytescCs|j|jj}t||S)N)rr~rr5)rrrwrwrxed448_generate_key szBackend.ed448_generate_keyc Cs|jjd|}|jj|}|jj|t||t||||tj|| } | dkrr|j} d||d} t dj | | |jj |ddS)Nzunsigned char[]rzirzJNot enough memory to derive key. These parameters require {} MB of memory.i) r|rrr~ZEVP_PBE_scryptrrmZ _MEM_LIMITr MemoryErrorrr) rrrrrrrrrrrZ min_memoryrwrwrx derive_scrypt s* zBackend.derive_scryptcCs2tj|}|jr||jkrdS|jj||jjkS)NF)rZ_aead_cipher_namer _fips_aeadr~rr|r )rr cipher_namerwrwrxaead_cipher_supported s zBackend.aead_cipher_supportedc cs&t|}z |VWd|j||XdS)z This method creates a bytearray, which we copy data into (hopefully also from a mutable buffer that can be dynamically erased!), and then zero when we're done. N) bytearray _zero_data)rrrrwrwrxr s zBackend._zeroed_bytearraycCsxt|D] }d||<q WdS)Nr)r)rrrrnrwrwrxr szBackend._zero_datac csf|dkr|jjVnNt|}|jjd|d}|jj|||z |VWd|j|jjd||XdS)a This method takes bytes, which can be a bytestring or a mutable buffer like a bytearray, and yields a null-terminated version of that data. This is required because PKCS12_parse doesn't take a length with its password char * and ffi.from_buffer doesn't provide null termination. So, to support zeroing the data via bytearray we need to build this ridiculous construct that copies the memory, but zeroes it after use. Nzchar[]rzz uint8_t *)r|r rrZmemmovercast)rrZdata_lenrrwrwrx_zeroed_null_terminated_buf s   z#Backend._zeroed_null_terminated_bufc Cs|dk rtjd||j|}|jj|j|jj}||jjkrN|jt d|jj ||jj }|jj d}|jj d}|jj d}|j |}|jj|||||} WdQRX| dkr|jt dd} d} g} |d|jjkr|jj |d|jj} |j| } |d|jjkr6|jj |d|jj}t||} |d|jjkr|jj |d|jj}|jj|d}xTt|D]H}|jj||}|j||jjk|jj ||jj}| jt||qxW| | | fS)Nrzz!Could not deserialize PKCS12 dataz EVP_PKEY **zX509 **zCryptography_STACK_OF_X509 **rzInvalid password or PKCS12 data)rrrr~Zd2i_PKCS12_biorrr|r rrr PKCS12_freerrZ PKCS12_parserrr^rL sk_X509_free sk_X509_numr sk_X509_valuerr)rrrzrrp12Z evp_pkey_ptrZx509_ptrZ sk_x509_ptr password_bufrrrZadditional_certificatesrrsk_x509rrnrwrwrx%load_key_and_certificates_from_pkcs12 sF         z-Backend.load_key_and_certificates_from_pkcs12cCsd}|dk rtjd|t|tjr6d}d}d} d} n4t|tjrb|jj}|jj}d} d} |j}nt d|dks~t |dkr|j j } nL|jj } |j j| |jj} x.t|D]"} |jj| | j} tj| dkqW|j|Z}|j|D}|jj|||r|jn|j j |r|jn|j j | ||| | d }WdQRXWdQRX|j||j j k|j j||jj}|j}|jj||} |j| dk|j|S)Nrrzri NzUnsupported key encryption typerr)rrrrRrrr~Z&NID_pbe_WithSHA1And3_Key_TripleDES_CBCrzrrr|r sk_X509_new_nullrrreversed sk_X509_pushrrrrZ PKCS12_createrUrr Zi2d_PKCS12_bior )rrrrZcasrrzZnid_certZnid_keyZ pkcs12_iterZmac_iterrZcarrZname_bufrrrrwrwrx(serialize_key_and_certificates_to_pkcs12 sT       z0Backend.serialize_key_and_certificates_to_pkcs12cCs|jr dS|jjdkS)NFrz)rr~ZCryptography_HAS_POLY1305)rrwrwrxpoly1305_supportedF szBackend.poly1305_supportedcCs*tjd|t|tkr tdt||S)NrzA poly1305 key is 32 bytes long)rrrrDrrE)rrrwrwrxcreate_poly1305_ctxK s  zBackend.create_poly1305_ctxcCsntjd||j|}|jj|j|jj|jj|jj}||jjkrR|jt d|jj ||jj }|j |S)NrzUnable to parse PKCS7 data) rrrr~ZPEM_read_bio_PKCS7rrr|r rrr PKCS7_free_load_pkcs7_certificates)rrrrp7rwrwrxload_pem_pkcs7_certificatesR s   z#Backend.load_pem_pkcs7_certificatescCsbtjd||j|}|jj|j|jj}||jjkrF|jt d|jj ||jj }|j |S)NrzUnable to parse PKCS7 data) rrrr~Z d2i_PKCS7_biorrr|r rrrrr )rrrrr!rwrwrxload_der_pkcs7_certificates_ s   z#Backend.load_der_pkcs7_certificatesc Cs|jj|j}|j||jjk||jjkr>tdj|tj |j j j }|jj |}g}xlt|D]`}|jj||}|j||jjk|jj|}|j|dk|jj||jj}|jt||qbW|S)NzNOnly basic signed structures are currently supported. NID for this data was {}rz)r~Z OBJ_obj2nidrrrvZNID_pkcs7_signedr rr ZUNSUPPORTED_SERIALIZATIONrZsignrrrrr|r Z X509_up_refrr^rrL) rr!rwrrcertsrnrrrwrwrxr j s$    z Backend._load_pkcs7_certificatescCs|j|j}|jj}d}t|jdkr0|jj}nJ|jj}|jj ||jj }x,|jD]"}|jj ||j } |j | dkqTWtjj|kr||jjO}||jjO}|jj|jj|jj||jj|} |j | |jjk|jj | |jj} d} tjj|kr| |jjO} ntjj|kr| |jjO} tjj|kr6| |jjO} xJ|jD]@\} } }|j|}|jj| | j | j|| }|j ||jjkq>WxD|D]<}|tjjkr||jjO}n|tjj kr||jj!O}qW|j"}|t#j$j%kr|jj&|| |j'|} n|t#j$j(kr8|jj)| |j'|} |j | dk|jj*|| |j'|} n@|t#j$j+ksJt,|jj)| |j'|} |j | dk|jj-|| } |j | dk|j.|S)Nrrz)/r_datar~Z PKCS7_PARTIALrZ_additional_certsr|r rrrrrrrnZ PKCS7OptionsZDetachedSignatureZPKCS7_DETACHEDZ PKCS7_signrZNoCapabilitiesZPKCS7_NOSMIMECAPZ NoAttributesZ PKCS7_NOATTRZNoCertsZ PKCS7_NOCERTSZ_signersrZPKCS7_sign_add_signerrUZTextZ PKCS7_TEXTZBinaryZ PKCS7_BINARYr rRrZSMIMEZSMIME_write_PKCS7rrrZ PKCS7_finalZPEM_write_bio_PKCS7_streamrrZ i2d_PKCS7_bior )rrZrZoptionsrrZ init_flagsZ final_flagsr$rrr!Z signer_flagsZ certificaterHZhash_algorithmZmdZ p7signerinfoZoptionZbio_outrwrwrx pkcs7_sign sj           zBackend.pkcs7_sign)N)N)N)rtrurv__doc__rr r\rdrrQr!r"r#r$r%Z SHA512_224Z SHA512_256ZSHA3_224ZSHA3_256ZSHA3_384ZSHA3_512ZSHAKE128ZSHAKE256rZ_fips_rsa_min_key_sizeZ_fips_rsa_min_public_exponentZ_fips_dsa_min_modulusZ_fips_dh_min_key_sizeZ_fips_dh_min_modulusrrrr contextlibrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr r rr r&r(r/r2r3r8r<r>r?r0r@rArCrDrIr]rcrPr`rfrkrVrrrmrxr{rrrrrrrrrrrrryr}rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr r rrrrrrrr"r#r r&rwrwrwrxrysV        -5      ++ HB 8"    1)  #   U i0 .  "               . @   ryc@seZdZddZddZdS)rcCs ||_dS)N)_fmt)rZfmtrwrwrxr szGetCipherByName.__init__cCs&|jj||dj}|jj|jdS)N)rrr)r)rlowerr~rr)rrrrr rwrwrx__call__ szGetCipherByName.__call__N)rtrurvrr+rwrwrwrxr srcCs"dj|jd}|jj|jdS)Nz aes-{}-xtsrr)rrr~rr)rrrr rwrwrxr sr)Z __future__rrr collectionsr(rrrrZ six.movesrZ cryptographyrrZcryptography.exceptionsr r Zcryptography.hazmat._derr r r rrZ'cryptography.hazmat.backends.interfacesrrrrrrrrrrrrrZ$cryptography.hazmat.backends.opensslrZ,cryptography.hazmat.backends.openssl.ciphersrZ)cryptography.hazmat.backends.openssl.cmacrZ0cryptography.hazmat.backends.openssl.decode_asn1r r!r"r#r$r%r&r'r(Z'cryptography.hazmat.backends.openssl.dhr)r*r+r,Z(cryptography.hazmat.backends.openssl.dsar-r.r/Z'cryptography.hazmat.backends.openssl.ecr0r1Z,cryptography.hazmat.backends.openssl.ed25519r2r3Z*cryptography.hazmat.backends.openssl.ed448r4r5r6Z0cryptography.hazmat.backends.openssl.encode_asn1r7r8r9r:r;r<r=r>r?Z+cryptography.hazmat.backends.openssl.hashesr@Z)cryptography.hazmat.backends.openssl.hmacrAZ)cryptography.hazmat.backends.openssl.ocsprBrCZ-cryptography.hazmat.backends.openssl.poly1305rDrEZ(cryptography.hazmat.backends.openssl.rsarFrGZ+cryptography.hazmat.backends.openssl.x25519rHrIZ)cryptography.hazmat.backends.openssl.x448rJrKZ)cryptography.hazmat.backends.openssl.x509rLrMrNrOZ$cryptography.hazmat.bindings.opensslrPZcryptography.hazmat.primitivesrQrRZ)cryptography.hazmat.primitives.asymmetricrSrTrUrVrWZ1cryptography.hazmat.primitives.asymmetric.paddingrXrYrZr[Z1cryptography.hazmat.primitives.ciphers.algorithmsr\r]r^r_r`rarbrcrdZ,cryptography.hazmat.primitives.ciphers.modesrerfrgrhrirjrkrlZ"cryptography.hazmat.primitives.kdfrmZ,cryptography.hazmat.primitives.serializationrnroZcryptography.x509rp namedtuplerqobjectrsZregister_interfaceZregister_interface_ifr{r}ZCryptography_HAS_SCRYPTryrrrrwrwrwrxs  <   , ,   , (   2