U EZhg@sddlZddlZddlZddlZddlZddlmZddlmZmZddl m Z m Z ddl m Z ddlmZddlmZddlmZmZmZmZdd lmZmZmZdd lmZmZdd lmZm Z m!Z!dd l"m#Z#m$Z$dd l%m&Z&ddl'm(Z(ddl)m*Z*m+Z+ddl,m-Z-m.Z.ddl/m0Z0m1Z1ddl2m3Z4ddl5m6Z6ddl7m8Z8m9Z9ddl:m;Z;ddlZ>m?Z?m@Z@mAZAmBZBmCZCmDZDddlEmFZFmGZGmHZHmIZIddlJmKZKmLZLddlMmNZNmOZOddlPmQZQmRZRmSZSmTZTmUZUmVZVmWZWmXZXmYZYmZZZm[Z[m\Z\ddl]m^Z^m_Z_m`Z`maZambZbmcZcmdZdmeZemfZfddlgmhZhddlimjZjddlkmlZlmmZmmnZnmoZompZpeqdd d!gZrGd"d#d#ZsGd$d%d%ZtGd&d'd'ZueteQd(d)d*ZvetZwdS)+N)contextmanager)utilsx509)UnsupportedAlgorithm_Reasons)aead)_CipherContext _CMACContext)_dh_params_dup _DHParameters _DHPrivateKey _DHPublicKey)_DSAParameters_DSAPrivateKey _DSAPublicKey)_EllipticCurvePrivateKey_EllipticCurvePublicKey)_ED448_KEY_SIZE_Ed448PrivateKey_Ed448PublicKey)_Ed25519PrivateKey_Ed25519PublicKey _HashContext _HMACContext)_POLY1305_KEY_SIZE_Poly1305Context)_RSAPrivateKey _RSAPublicKey)_X448PrivateKey_X448PublicKey)openssl)binding)hashes serialization)AsymmetricPadding)dhdsaeced448ed25519rsax448x25519)MGF1OAEPPSSPKCS1v15)PrivateKeyTypesPublicKeyTypes)BlockCipherAlgorithmCipherAlgorithm) AESAES128AES256ARC4SM4CamelliaChaCha20 TripleDES_BlowfishInternal_CAST5Internal _IDEAInternal _SEEDInternal) CBCCFBCFB8CTRECBGCMOFBXTSMode)scrypt)ssh)PBESPKCS12CertificatePKCS12KeyAndCertificatesPKCS12PrivateKeyTypes_PKCS12CATypes _MemoryBIObioZchar_ptrc@s eZdZdS)_RC2N)__name__ __module__ __qualname__rZrZs/home/aprabhat/apps/x.techxrdev.in/venv/lib/python3.8/site-packages/cryptography/hazmat/backends/openssl/backend.pyrV{srVc @s eZdZdZdZddddddhZefZej ej ej ej ej ejejejejejejejf ZejejejejfZd Zd Zd d >Zd Zd e>Z d d ddZ!e"d ddZ#d+e$e%j&e%j'e(j)d dddZ*e$d ddZ+d d ddZ,d d ddZ-e.j/ddZ0d d ddZ1e"d dd Z2e"d d!d"Z3e4d d#d$Z5e6ej7e8d%d&d'Z9ej7d(d)d*Z:ej7d(d+d,Z;ej7e$d-d.d/Zej7e$d-d4d5Z?ej7ej@d-d6d7ZAeBeCe$d8d9d:ZDd d d;d<ZEd d d=d>ZFeBeCeGd8d?d@ZHeBeCeGd8dAdBZIej7e$d-dCdDZJej7e4e6e4e6e6dEdFdGZKe%j'e(j)d dHdIZLe4d dJdKZMd,e4dLdMdNZNe4e4eOjPdOdPdQZQe4e4e$dOdRdSZReOjSe$eOjPdTdUdVZTeOjUeOjVdWdXdYZWdZd[ZXd\d]ZYe6eZd^d_d`Z[dadbZ\e6d dcddZ]e$e^dedfdgZ_e`d dhdiZaej7e$d-djdkZbece$dldmdnZdece$dldodpZee4efjgdqdrdsZhefjgefjidtdudvZje4efjidqdwdxZkd d dydzZlefjmefjidWd{d|ZnefjoefjpdWd}d~ZqefjrefjgdWddZsddZte$d ddZuej7e$d-ddZve$d ddZwexeyd-ddZze6e%j&e6e$e^dddZ{e6e`d^ddZ|e6e}j~d^ddZe6e%j&e6e$e^dddZddZe6e`d^ddZe6e}j~d^ddZeje%jdddZe%jejdddZd d ddZe^d ddZe%jd ddZeje$dddZejeje$dddZejejdddZejejdWddZejejdWddZeje6ejdddZe4ejejdddZejdddZe4dddZejeje$dddZdd„Zeje4dddĄZe/ddƄZe4e4d dǜddɄZejejeje6dʜdd̄Ze6d dd΄Ze6d ddЄZejeje6dќddӄZe$d ddՄZe4e4e}j~d֜dd؄ZddڄZe}j~e}jdtdd܄Ze4e4e}jd֜ddބZe}je}jdWddZe}je}jdWddZe}je}j~dWddZd-e4e4e%j&e4e$dddZe$d ddZe6ejd^ddZe6ejd^ddZddZejd ddZe$d ddZe6ejd^ddZe6ejd^ddZejd ddZe$d ddZe$d ddZe6ejd^ddZe6ejd^ddZejd ddZe$d ddZe6ejd^ddZe6ejd^dd Zejd d d Ze6e6e4e4e4e4e6d d dZe$d ddZe4d dddZe.j/ddZe6e%j&e6e%je%j&e^e%j&eje%j'ejfdddZe6e%j&e6eݐdddZe%j&e6e%j&ee%j&eje%j&e%j'eeje6dddZe$d ddZe6ed d!d"Ze$d d#d$Ze6e%j'ejd^d%d&Ze6e%j'ejd^d'd(Ze%j'ejd d)d*Zd S(.Backendz) OpenSSL API binding interfaces. r#s aes-128-ccms aes-192-ccms aes-256-ccms aes-128-gcms aes-192-gcms aes-256-gcmiN)returncCst|_|jj|_|jj|_||_i|_ | |jrR|jj rRt dtn||jjg|_|jjr~|j|jjdS)Nz)formatopenssl_version_textrfr`_legacy_provider_loadedrqrZrZr[__repr__s zBackend.__repr__)okerrorsr_cCstj|j||dS)N)ry)r$Z_openssl_assertrd)rrrxryrZrZr[openssl_assertszBackend.openssl_assertcCs>|jjr|j|jj}n |j}|dkr6|jt|SNr)rdZCryptography_HAS_300_FIPSZ&EVP_default_properties_is_fips_enabledrbNULLZ FIPS_modeZERR_clear_errorbool)rrmoderZrZr[res  zBackend._is_fips_enabledcCs$|j|st||_dSN)r` _enable_fipsreAssertionErrorrfrqrZrZr[rs  zBackend._enable_fipscCsf|jjrb|j}||jjkrb|j||j|jj}||dk|j|}||dkdSNr^) rdriZENGINE_get_default_RANDrbr|ZENGINE_unregister_RANDRAND_set_rand_methodrz ENGINE_finishrreresrZrZr[activate_builtin_randoms    zBackend.activate_builtin_randomc cs|j|jj}|||jjk|j|}||dkz |VW5|j|}||dk|j|}||dkXdSr) rdZ ENGINE_by_idZCryptography_osrandom_engine_idrzrbr|Z ENGINE_initZ ENGINE_freerrrZrZr[_get_osurandom_engines    zBackend._get_osurandom_enginec Cs`|jjr\|| }|j|}||dkW5QRX|j|jj}||dkdSr) rdrirrZENGINE_set_default_RANDrzrrbr|rrZrZr[rm s  z Backend.activate_osrandom_enginec Cs`|jdd}|2}|j|dt|||jjd}||dkW5QRX|j| dS)Nchar[]@sget_implementationrascii) rbnewrrdZENGINE_ctrl_cmdlenr|rzstringdecode)rrbufrrrZrZr[osrandom_engine_implementations z&Backend.osrandom_engine_implementationcCs|j|j|jjdS)z Friendly string name of the loaded OpenSSL library. This is not necessarily the same version as it was compiled against. Example: OpenSSL 1.1.1d 10 Sep 2019 r)rbrrdZOpenSSL_versionOPENSSL_VERSIONrrqrZrZr[rus zBackend.openssl_version_textcCs |jSr)rdZOpenSSL_version_numrqrZrZr[openssl_version_number*szBackend.openssl_version_number)key algorithmr_cCs t|||Srr)rrrrrZrZr[create_hmac_ctx-szBackend.create_hmac_ctx)rcCsL|jdks|jdkr0d|j|jdd}n |jd}|j|}|S)Nblake2bblake2sz{}{}r)namert digest_sizeencoderdZEVP_get_digestbyname)rrralgevp_mdrZrZr[_evp_md_from_algorithm2s  zBackend._evp_md_from_algorithmcCs ||}|||jjk|Sr)rrzrbr|rrrrrZrZr[_evp_md_non_null_from_algorithm=s z'Backend._evp_md_non_null_from_algorithm)rr_cCs,|jrt||jsdS||}||jjkSNF)rf isinstance _fips_hashesrrbr|rrZrZr[hash_supportedBs zBackend.hash_supportedcCs |jrt|tjrdS||Srrfrr%SHA1rrrrrZrZr[signature_hash_supportedIsz Backend.signature_hash_supportedcCs|jr dS|jjdkSdSNFr^)rfrdZCryptography_HAS_SCRYPTrqrZrZr[scrypt_supportedRszBackend.scrypt_supportedcCs |jrt|tjrdS||S)NTrrrZrZr[hmac_supportedXszBackend.hmac_supportedcCs t||SrrrrZrZr[create_hash_ctx_szBackend.create_hash_ctx)cipherr~r_cCs`|jrt||jsdSz|jt|t|f}Wntk rFYdSX||||}|jj|kSr)rfr _fips_ciphersrgtypeKeyErrorrbr|)rrrr~adapter evp_cipherrZrZr[cipher_supportedds  zBackend.cipher_supportedcCs0||f|jkrtd||||j||f<dS)Nz"Duplicate registration for: {} {}.)rg ValueErrorrt)rr cipher_clsmode_clsrrZrZr[register_cipher_adapterrszBackend.register_cipher_adaptercCstttfD].}ttttttt fD]}| ||t dq q tttttfD]}| t |t dqHttttfD]}| t |t dql| t tt d| ttdt d| ttttttttfD]}| t|t dq|jjs|jjsttttfD]}| t|t dqttttfD]}| t|t dq"tttgttttgD]\}}| ||t dqT| ttdt d | ttdt d dS) Nz+{cipher.name}-{cipher.key_size}-{mode.name}zdes-ede3-{mode.name}zdes-ede3Zchacha20zsm4-{mode.name}zbf-{mode.name}zseed-{mode.name}z{cipher.name}-{mode.name}Zrc4Zrc2)r8r9r:rDrGrHrJrErFrIrGetCipherByNamer=r?r>rrK_get_xts_cipherr<r`rvrd#CRYPTOGRAPHY_OPENSSL_300_OR_GREATERr@rC itertoolsproductrArBr;rV)rrrrrZrZr[rh{s z!Backend._register_default_cipherscCst|||tjSr)rZ_ENCRYPTrrrr~rZrZr[create_symmetric_encryption_ctxsz'Backend.create_symmetric_encryption_ctxcCst|||tjSr)rZ_DECRYPTrrZrZr[create_symmetric_decryption_ctxsz'Backend.create_symmetric_decryption_ctxcCs ||Sr)rrrZrZr[pbkdf2_hmac_supportedszBackend.pbkdf2_hmac_supported)rlengthsalt iterations key_materialr_c Csh|jd|}||}|j|}|j|t||t|||||} || dk|j|ddS)Nunsigned char[]r^) rbrr from_bufferrdZPKCS5_PBKDF2_HMACrrzbuffer) rrrrrrrrrkey_material_ptrrrZrZr[derive_pbkdf2_hmacs   zBackend.derive_pbkdf2_hmaccCstSr) rust_opensslZcapture_error_stackrqrZrZr[_consume_errorsszBackend._consume_errorscCsz||jjkst||j| |j|}|jd|}|j||}||dkt |j |d|d}|S)Nrrbig) rbr|rrzrdZBN_is_negativeZ BN_num_bytesrZ BN_bn2binint from_bytesr)rrbnZ bn_num_bytesZbin_ptrZbin_lenvalrZrZr[ _bn_to_ints zBackend._bn_to_int)numcCsn|dks||jjkst|dkr(|jj}|t|ddd}|j|t||}| ||jjk|S)a  Converts a python integer to a BIGNUM. The returned BIGNUM will not be garbage collected (to support adding them to structs that take ownership of the object). Be sure to register it for GC if it will be discarded after use. Ng @r^r) rbr|rto_bytesr bit_lengthrdZ BN_bin2bnrrz)rrrrbinaryZbn_ptrrZrZr[ _int_to_bnszBackend._int_to_bn)public_exponentkey_sizer_cCst|||j}|||jjk|j||jj}| |}|j||jj }|j ||||jj}||dk| |}t |||ddS)Nr^Tunsafe_skip_rsa_key_validation)r-Z_verify_rsa_parametersrdRSA_newrzrbr|gcRSA_freerBN_freeZRSA_generate_key_ex_rsa_cdata_to_evp_pkeyr)rrrr rsa_cdatarrevp_pkeyrZrZr[generate_rsa_private_keys(    z Backend.generate_rsa_private_keycCs|dko|d@dko|dkS)Nr^rirZ)rrrrrZrZr[!generate_rsa_parameters_supporteds  z)Backend.generate_rsa_parameters_supported)numbersrr_c Cs6t|j|j|j|j|j|j|jj |jj |j }| ||jjk|j||j j}||j}||j}||j}||j}||j}||j} ||jj } ||jj } |j |||} | | dk|j || | |} | | dk|j |||| } | | dk||} t||| |dS)Nr^r)r-Z_check_private_key_componentspqddmp1dmq1iqmppublic_numbersrnrdrrzrbr|rrrZRSA_set0_factors RSA_set0_keyZRSA_set0_crt_paramsrr)rrrrrrrrrrrrrrrrZrZr[load_rsa_private_numbers$sD        z Backend.load_rsa_private_numbers)rr_cCst|j|j|j}|||jjk|j ||jj }| |j}| |j}|j ||||jj}||dk| |}t|||Sr)r-Z_check_public_key_componentsrrrdrrzrbr|rrrrrr )rrrrrrrrrZrZr[load_rsa_public_numbersMs    zBackend.load_rsa_public_numberscCs2|j}|||jjk|j||jj}|Sr)rdZ EVP_PKEY_newrzrbr|r EVP_PKEY_freerrrrZrZr[_create_evp_pkey_gc\s zBackend._create_evp_pkey_gccCs(|}|j||}||dk|Sr)rrdZEVP_PKEY_set1_RSArz)rrrrrrZrZr[rbszBackend._rsa_cdata_to_evp_pkey)datar_cCsH|j|}|j|t|}|||jjkt|j||jj |S)z Return a _MemoryBIO namedtuple of (BIO, char*). The char* is the storage for the BIO and it must stay alive until the BIO is finished with. ) rbrrdZBIO_new_mem_bufrrzr|rTrBIO_free)rrrdata_ptrrUrZrZr[ _bytes_to_biohs zBackend._bytes_to_biocCsP|j}|||jjk|j|}|||jjk|j||jj}|S)z. Creates an empty memory BIO. )rdZ BIO_s_memrzrbr|ZBIO_newrr)rrZ bio_methodrUrZrZr[_create_mem_bio_gcus   zBackend._create_mem_bio_gccCs\|jd}|j||}||dk||d|jjk|j|d|dd}|S)zE Reads a memory BIO. This only works on memory BIOs. zchar **rN)rbrrdZBIO_get_mem_datarzr|r)rrrUrZbuf_lenbio_datarZrZr[ _read_mem_bios  zBackend._read_mem_bio)rr_c CsP|j|}||jjkrX|j|}|||jjk|j||jj}t ||||dS||jj kr|jj s|jj s|jj s|j|}|||jjk|j||jj}|}|j||}||dk|j||d|dS||jjkr0|j|}|||jjk|j||jj}t|||S||jjkrz|j|}|||jjk|j||jj}t|||S||jkr|j|} || |jjk|j| |jj} t|| |S|t|jddkrt||S|t|jddkrt ||S||jj!kr&t"j#$t%|j&d|S|t|jddkrDt'||St(d dS) zd Return the appropriate type of PrivateKey given an evp_pkey cdata pointer. rr^N)passwordrEVP_PKEY_ED25519 EVP_PKEY_X448 uintptr_tEVP_PKEY_ED448Unsupported key type.))rd EVP_PKEY_id EVP_PKEY_RSAEVP_PKEY_get1_RSArzrbr|rrrEVP_PKEY_RSA_PSSCRYPTOGRAPHY_IS_LIBRESSLCRYPTOGRAPHY_IS_BORINGSSL#CRYPTOGRAPHY_OPENSSL_LESS_THAN_111Eri2d_RSAPrivateKey_bioload_der_private_keyr EVP_PKEY_DSAEVP_PKEY_get1_DSADSA_freer EVP_PKEY_ECEVP_PKEY_get1_EC_KEY EC_KEY_freerrnEVP_PKEY_get1_DHDH_freer getattrrr!EVP_PKEY_X25519rr/Zprivate_key_from_ptrrcastrr) rrrrkey_typerrUr dsa_cdataec_cdatadh_cdatarZrZr[_evp_pkey_to_private_keysp               z Backend._evp_pkey_to_private_keyc CsT|j|}||jjkrT|j|}|||jjk|j||jj}t |||S||jj kr|jj s|jj s|jj s|j|}|||jjk|j||jj}|}|j||}||dk|||S||jjkr&|j|}|||jjk|j||jj}t|||S||jjkr~|j|}||jjkr`|}td||j||jj}t|||S||jkr|j|} || |jjk|j| |jj} t|| |S|t |jddkrt!||S|t |jddkrt"||S||jj#kr*t$j%&t'|j(d|S|t |jddkrHt)||St*ddS) zc Return the appropriate type of PublicKey given an evp_pkey cdata pointer. r^zUnable to load EC keyrNrrrr)+rdrrrrzrbr|rrr rrrr ri2d_RSAPublicKey_bioload_der_public_keyrr r rrrrrrrrrnrrrrrr"rrr/Zpublic_key_from_ptrrrrr) rrrrrrUrrrryrrZrZr[_evp_pkey_to_public_keysb                 zBackend._evp_pkey_to_public_keycCs4|jrt|tjrdSt|tjtjtjtjtjfSr)rfrr%rSHA224SHA256SHA384SHA512rrZrZr[_oaep_hash_supportedszBackend._oaep_hash_supported)paddingr_cCst|trdSt|trNt|jtrN|jr>t|jjtjr>dS| |jjSn4t|t r~t|jtr~| |jjo|| |jSdSdS)NTF) rr3r2Z_mgfr0rf _algorithmr%rrr1r#rrr$rZrZr[rsa_padding_supporteds   zBackend.rsa_padding_supportedcCs"|jrt|trdS||SdSr)rfrr3r'r&rZrZr[rsa_encryption_supported0sz Backend.rsa_encryption_supported)rr_c Cs~|dkrtd|j}|||jjk|j||jj}|j|||jjd|jj|jj|jj}||dkt ||S)N)ir]i iz0Key size must be 1024, 2048, 3072, or 4096 bits.rr^) rrdDSA_newrzrbr|rrZDSA_generate_parameters_exr)rrrctxrrZrZr[generate_dsa_parameters6s$  zBackend.generate_dsa_parameters) parametersr_cCsT|j|j}|||jjk|j||jj}|j|| |}t |||Sr) rdZ DSAparams_dupZ _dsa_cdatarzrbr|rrZDSA_generate_key_dsa_cdata_to_evp_pkeyr)rrr,r*rrZrZr[generate_dsa_private_keyNs  z Backend.generate_dsa_private_keycCs||}||Sr)r+r.)rrrr,rZrZr['generate_dsa_private_key_and_parameters[s z/Backend.generate_dsa_private_key_and_parameterscCsB|j||||}||dk|j|||}||dkdSr)rd DSA_set0_pqgrzZ DSA_set0_key)rrrrrgpub_keypriv_keyrrZrZr[_dsa_cdata_set_valuesaszBackend._dsa_cdata_set_valuesc Cst||jj}|j}|||jjk|j ||jj }| |j }| |j }| |j}| |jj}| |j}|||||||||} t||| Sr)r)Z_check_dsa_private_numbersrparameter_numbersrdr)rzrbr|rrrrrr1yxr4r-r) rrrr5rrrr1r2r3rrZrZr[load_dsa_private_numbersis       z Backend.load_dsa_private_numbersc Cst|j|j}|||jjk|j||jj }| |jj }| |jj }| |jj }| |j}|jj}|||||||||}t|||Sr)r)_check_dsa_parametersr5rdr)rzrbr|rrrrrr1r6r4r-r) rrrrrrr1r2r3rrZrZr[load_dsa_public_numbers~s    zBackend.load_dsa_public_numberscCst||j}|||jjk|j||jj}| |j }| |j }| |j }|j ||||}||dkt||Sr)r)r9rdr)rzrbr|rrrrrr1r0r)rrrrrrr1rrZrZr[load_dsa_parameter_numberss     z"Backend.load_dsa_parameter_numberscCs(|}|j||}||dk|Sr)rrdZEVP_PKEY_set1_DSArz)rrrrrrZrZr[r-szBackend._dsa_cdata_to_evp_pkeycCs|j Sr)rfrqrZrZr[ dsa_supportedszBackend.dsa_supportedcCs|s dS||Sr)r<rrrZrZr[dsa_hash_supportedszBackend.dsa_hash_supportedcCs||td|jS)N)rrD block_sizerrZrZr[cmac_algorithm_supporteds z Backend.cmac_algorithm_supportedcCs t||Srr rrZrZr[create_cmac_ctxszBackend.create_cmac_ctx)rrrr_cCs||jj|||Sr) _load_keyrdZPEM_read_bio_PrivateKey)rrrrrrZrZr[load_pem_private_keys zBackend.load_pem_private_keycCs||}|jd}|j|j|jj|j|jjd|}||jjkrd|j ||jj }| |S| |j |j}||dk|j|j|jj|j|jjd|}||jjkr|j ||jj}||}t|||S|dS)NCRYPTOGRAPHY_PASSWORD_DATA *Cryptography_pem_password_cbr^)rrbrrdZPEM_read_bio_PUBKEYrUr| addressof _original_librrrr BIO_resetrzZPEM_read_bio_RSAPublicKeyrrr _handle_key_loading_error)rrrmem_biouserdatarrrrZrZr[load_pem_public_keys>       zBackend.load_pem_public_keycCs^||}|j|j|jj|jj|jj}||jjkrR|j||jj}t||S| dSr) rrdZPEM_read_bio_DHparamsrUrbr|rrr rI)rrrrJrrZrZr[load_pem_parameterss   zBackend.load_pem_parameterscCs>||}|||}|r&|||S||jj|||SdSr)r"_evp_pkey_from_der_traditional_keyrrBrdZd2i_PKCS8PrivateKey_bio)rrrrrrrrZrZr[r s  zBackend.load_der_private_keycCsV|j|j|jj}||jjkrF|j||jj}|dk rBtd|S|dSdS)N4Password was given but private key is not encrypted.) rdZd2i_PrivateKey_biorUrbr|rr TypeErrorr)rrrrrrZrZr[rNs z*Backend._evp_pkey_from_der_traditional_keycCs||}|j|j|jj}||jjkrF|j||jj}||S| |j |j}| |dk|j |j|jj}||jjkr|j||jj }||}t|||S|dSr)rrdZd2i_PUBKEY_biorUrbr|rrrrrHrzZd2i_RSAPublicKey_biorrr rI)rrrrJrrrrZrZr[r"s"      zBackend.load_der_public_keycCs||}|j|j|jj}||jjkrF|j||jj}t||S|jj r| |j |j}| |dk|j |j|jj}||jjkr|j||jj}t||S|dSr)rrdZd2i_DHparams_biorUrbr|rrr rorrHrzZd2i_DHxparams_biorI)rrrrJrrrZrZr[load_der_parameters9s     zBackend.load_der_parameters)certr_cCsT|tjj}||}|j|j|jj }| ||jj k|j ||jj }|Sr) Z public_bytesr&EncodingDERrrdZ d2i_X509_biorUrbr|rzr X509_free)rrrRrrJrrZrZr[ _cert2osslKs  zBackend._cert2ossl)x509_ptrr_cCs4|}|j||}||dkt||Sr)rrdZ i2d_X509_biorzrZload_der_x509_certificater)rrrWrUrrZrZr[ _ossl2certSszBackend._ossl2certcCs"|j|j|jdkrtddS)Nr^zKeys do not correspond)rdZ EVP_PKEY_cmp _evp_pkeyr)rrkey1key2rZrZr[_check_keys_correspondYszBackend._check_keys_correspondc Cs"||}|jd}|dk rFtd||j|}||_t||_||j |jj |j |j j d|}||jj kr|jdkr||jdkrtdq|jdksttd|jd n||j||j j}|dk r|jdkrtd |dk r|jd ks|dkst|||S) NrDrrErz3Password was not given but private key is encryptedzAPasswords longer than {} bytes are not supported by this backend.r^rO)rrbrr_check_byteslikerrrrrUr|rFrdrGerrorrrPrrrtmaxsizerIrrZcalledr) rrZopenssl_read_funcrrrrJrKZ password_ptrrrZrZr[rB]sZ        zBackend._load_keycs}|stdn|djjjjsf|djjjjsfjjrp|djj jj rptdn*t fdd|Drtdn td|dS)Nz|Could not deserialize key data. The data may be in an incorrect format or it may be encrypted with an unsupported algorithm.rz Bad decrypt. Incorrect password?c3s"|]}|jjjjVqdSr)_lib_reason_matchrd ERR_LIB_EVPZ'EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM).0r`rqrZr[ s z4Backend._handle_key_loading_error..z!Unsupported public key algorithm.zCould not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).) rrrbrdrcZEVP_R_BAD_DECRYPTZERR_LIB_PKCS12Z!PKCS12_R_PKCS12_CIPHERFINAL_ERRORZCryptography_HAS_PROVIDERSZ ERR_LIB_PROVZPROV_R_BAD_DECRYPTany)rrryrZrqr[rIs>     z!Backend._handle_key_loading_error)curver_cCsvz||}Wntk r*|jj}YnX|j|}||jjkrP|dS|||jjk|j |dSdS)NFT) _elliptic_curve_to_nidrrd NID_undefZEC_GROUP_new_by_curve_namerbr|rrzZ EC_GROUP_free)rrrg curve_nidgrouprZrZr[elliptic_curve_supporteds   z Backend.elliptic_curve_supported)signature_algorithmrgr_cCst|tjsdS||Sr)rr*ZECDSArl)rrrmrgrZrZr[,elliptic_curve_signature_algorithm_supporteds z4Backend.elliptic_curve_signature_algorithm_supportedcCs^||rD||}|j|}||dk||}t|||Std|jdt j dS)z@ Generate a new private key on the named curve. r^z Backend object does not support .N) rl_ec_key_new_by_curverdZEC_KEY_generate_keyrz_ec_cdata_to_evp_pkeyrrrrUNSUPPORTED_ELLIPTIC_CURVE)rrrgrrrrZrZr[#generate_elliptic_curve_private_keys      z+Backend.generate_elliptic_curve_private_keyc CsH|j}||j}|j||j|jj}|j ||}|dkrR| t d| }| ||j|j||j|}|||jjktj|}|||jjk|j|} || |jjk|j| |jj} |j|| ||jj|jj|}||dk|j||| |dkr(t dW5QRX||} t||| S)Nr^Invalid EC key.r)rrprgrbrr private_valuerd BN_clear_freeEC_KEY_set_private_keyrr _tmp_bn_ctx)_ec_key_set_public_key_affine_coordinatesr7r6EC_KEY_get0_grouprzr|backendZEC_KEY_get0_public_key EC_POINT_new EC_POINT_free EC_POINT_mulZ EC_POINT_cmprqr) rrrpublicrrurbn_ctxrkZ set_pointZcomputed_pointrrZrZr[#load_elliptic_curve_private_numberss`       z+Backend.load_elliptic_curve_private_numbersc CsJ||j}|}|||j|j|W5QRX||}t|||Sr)rprgrxryr7r6rqr)rrrrrrrZrZr["load_elliptic_curve_public_numbers$s   z*Backend.load_elliptic_curve_public_numbers)rg point_bytesr_c Cs||}|j|}|||jjk|j|}|||jjk|j||jj}| 6}|j |||t ||}|dkr| t dW5QRX|j||}||dk||}t|||S)Nr^z(Invalid public bytes for the given curve)rprdrzrzrbr|r|rr}rxZEC_POINT_oct2pointrrrEC_KEY_set_public_keyrqr) rrrgrrrkpointrrrrZrZr[ load_elliptic_curve_public_bytes0s*     z(Backend.load_elliptic_curve_public_bytes)rurgr_c Csb||}|j|}|||jjk|j|}|||jjk|j||jj}| |}|j||jj }| v}|j ||||jj|jj|}||dk|j |} |j |} |j||| | |}|dkr|tdW5QRX|j||}||dk| |} |j| |jj } |j|| }||dk||} t||| S)Nr^z'Unable to derive key from private_value)rprdrzrzrbr|r|rr}rrvrxr~Z BN_CTX_getZEC_POINT_get_affine_coordinatesrrrrwrqr) rrrurgrrkrvaluerrZbn_xZbn_yprivaterrZrZr[!derive_elliptic_curve_private_keyFsL         z)Backend.derive_elliptic_curve_private_key)rgcCs||}||Sr)rh_ec_key_new_by_curve_nid)rrrgrjrZrZr[rpps zBackend._ec_key_new_by_curve)rjcCs0|j|}|||jjk|j||jjSr)rdZEC_KEY_new_by_curve_namerzrbr|rr)rrrjrrZrZr[rts z Backend._ec_key_new_by_curve_nid)rrgr_cCs,|jrt||jsdS||o*t|tjSr)rfr_fips_ecdh_curvesrlr*ECDH)rrrrgrZrZr[+elliptic_curve_exchange_algorithm_supportedys z3Backend.elliptic_curve_exchange_algorithm_supportedcCs(|}|j||}||dk|Sr)rrdZEVP_PKEY_set1_EC_KEYrz)rrrrrrZrZr[rqszBackend._ec_cdata_to_evp_pkeycCsNddd}||j|j}|j|}||jjkrJt|jdtj|S)z/ Get the NID for a curve name. Z prime192v1Z prime256v1)Z secp192r1Z secp256r1z" is not a supported elliptic curve) getrrdZ OBJ_sn2nidrrirrrr)rrrgZ curve_aliasesZ curve_namerjrZrZr[rhs   zBackend._elliptic_curve_to_nidc csX|j}|||jjk|j||jj}|j|z |VW5|j|XdSr) rdZ BN_CTX_newrzrbr|rZ BN_CTX_freeZ BN_CTX_startZ BN_CTX_end)rrrrZrZr[rxs   zBackend._tmp_bn_ctx)r7r6r_cCs|dks|dkrtd|j|||jj}|j|||jj}|j|}|||jjk|j |}|||jjk|j||jj }|j |||||}|dkr| td|j ||}||dkdS)zg Sets the public key point in the EC_KEY context to the affine x and y values. rz2Invalid EC key. Both x and y must be non-negative.r^rtN)rrbrrrdrrzrzr|r|r}ZEC_POINT_set_affine_coordinatesrr)rrrr7r6rrkrrrZrZr[rys.   z1Backend._ec_key_set_public_key_affine_coordinates)encodingrtencryption_algorithmr_c Cs`t|tjstdt|tjs(tdt|tjs|jj}|j}|||jjk|j||jj}| |j }| |j }|j dk rf| |j }n|jj}| |jj }| |j}|j||||} || dk|j|||} || dk|jdd} |j|| } || dk| ddkr(|j dkr | d|jjAdks(td||} t||| S)Nr^int[]rrz.DH private numbers did not pass safety checks.)rr5rdrrzrbr|rrrrr1rr6r7 DH_set0_pqg DH_set0_keyrDH_checkZDH_NOT_SUITABLE_GENERATORrrr ) rrrr5rrr1rr2r3rcodesrrZrZr[load_dh_private_numberss4       zBackend.load_dh_private_numbersc Cs|j}|||jjk|j||jj}|j}||j }||j }|j dk rd||j }n|jj}||j }|j ||||}||dk|j|||jj}||dk||} t||| Sr)rdrrzrbr|rrr5rrr1rr6rrrr) rrrrr5rr1rr2rrrZrZr[load_dh_public_numberss       zBackend.load_dh_public_numberscCs|j}|||jjk|j||jj}||j}||j }|j dk r^||j }n|jj}|j ||||}||dkt ||Sr) rdrrzrbr|rrrrr1rrr )rrrrrr1rrrZrZr[load_dh_parameter_numberss    z!Backend.load_dh_parameter_numbers)rr1rr_cCs|j}|||jjk|j||jj}||}||}|dk rV||}n|jj}|j||||}||dk|j dd}|j ||}||dk|ddkS)Nr^rr) rdrrzrbr|rrrrrr)rrrr1rrrrrZrZr[dh_parameters_supported+s    zBackend.dh_parameters_supportedcCs |jjdkSr)rdrorqrZrZr[dh_x942_serialization_supportedCsz'Backend.dh_x942_serialization_supportedcCs tj|Sr)rr/Zfrom_public_bytesrrrrZrZr[x25519_load_public_bytesFsz Backend.x25519_load_public_bytescCs tj|Sr)rr/Zfrom_private_bytesrrZrZr[x25519_load_private_bytesIsz!Backend.x25519_load_private_bytescCs|j||jj}|||jjk|j||jj}|j|}||dk|jd}|j ||}||dk||d|jjk|j|d|jj }|S)Nr^ EVP_PKEY **r) rdZEVP_PKEY_CTX_new_idrbr|rzrZEVP_PKEY_CTX_freeZEVP_PKEY_keygen_initrZEVP_PKEY_keygenr)rrnidZ evp_pkey_ctxrZ evp_ppkeyrrZrZr[_evp_pkey_keygen_gcNs  zBackend._evp_pkey_keygen_gccCs tjSr)rr/Z generate_keyrqrZrZr[x25519_generate_key[szBackend.x25519_generate_keycCs|jr dS|jj Sr)rfrdZ#CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370rqrZrZr[x25519_supported^szBackend.x25519_supportedcCs`t|dkrtd|j|jj|jj|t|}|||jjk|j||jj }t ||S)N8z#An X448 public key is 56 bytes long) rrrdEVP_PKEY_new_raw_public_keyNID_X448rbr|rzrrr"rrrrrZrZr[x448_load_public_bytescs zBackend.x448_load_public_bytescCslt|dkrtd|j|}|j|jj|jj|t|}|||jjk|j ||jj }t ||S)Nrz$An X448 private key is 56 bytes long) rrrbrrdEVP_PKEY_new_raw_private_keyrr|rzrrr!rrrrrrZrZr[x448_load_private_bytesns  zBackend.x448_load_private_bytescCs||jj}t||Sr)rrdrr!rrZrZr[x448_generate_keyzszBackend.x448_generate_keycCs|jr dS|jj o|jj Sr)rfrdrrrqrZrZr[x448_supported~s  zBackend.x448_supportedcCs|jr dS|jjSr)rfrdZ CRYPTOGRAPHY_HAS_WORKING_ED25519rqrZrZr[ed25519_supportedszBackend.ed25519_supportedcCsntd|t|tjkr"td|j|jj|j j |t|}| ||j j k|j ||jj }t||S)Nrz&An Ed25519 public key is 32 bytes long)r _check_bytesrr,_ED25519_KEY_SIZErrdr NID_ED25519rbr|rzrrrrrZrZr[ed25519_load_public_bytess z!Backend.ed25519_load_public_bytescCszt|tjkrtdtd||j|}|j |jj |jj |t|}| ||jj k|j ||jj}t||S)Nz'An Ed25519 private key is 32 bytes longr)rr,rrrr_rbrrdrrr|rzrrrrrZrZr[ed25519_load_private_bytess  z"Backend.ed25519_load_private_bytescCs||jj}t||Sr)rrdrrrrZrZr[ed25519_generate_keyszBackend.ed25519_generate_keycCs|jr dS|jj o|jj Sr)rfrdZ#CRYPTOGRAPHY_OPENSSL_LESS_THAN_111BrrqrZrZr[ed448_supporteds  zBackend.ed448_supportedcCsltd|t|tkr td|j|jj|jj |t|}| ||jj k|j ||jj }t ||S)Nrz$An Ed448 public key is 57 bytes long)rrrrrrdr NID_ED448rbr|rzrrrrrZrZr[ed448_load_public_bytess  zBackend.ed448_load_public_bytescCsxtd|t|tkr td|j|}|j|jj |jj |t|}| ||jj k|j ||jj }t||S)Nrz%An Ed448 private key is 57 bytes long)rr_rrrrbrrdrrr|rzrrrrrZrZr[ed448_load_private_bytess   z Backend.ed448_load_private_bytescCs||jj}t||Sr)rrdrrrrZrZr[ed448_generate_keyszBackend.ed448_generate_key)rrrrrrr_c Cs|jd|}|j|}|j|t||t||||tj|| } | dkrr|} d||d} t d | | |j |ddS)Nrr^izJNot enough memory to derive key. These parameters require {} MB of memory.) rbrrrdZEVP_PBE_scryptrrMZ _MEM_LIMITr MemoryErrorrtr) rrrrrrrrrrrryZ min_memoryrZrZr[ derive_scrypts0   zBackend.derive_scryptcCsLt|}|jr||jkrdS|dr4|jjdkS|j||jj kSdS)NFs-sivr^) rZ_aead_cipher_namerf _fips_aeadendswithrdrrrbr|)rrr cipher_namerZrZr[aead_cipher_supporteds   zBackend.aead_cipher_supported)rr_cCst|D] }d||<qdSr{)range)rrrrirZrZr[ _zero_datas zBackend._zero_datac csf|dkr|jjVnNt|}|jd|d}|j|||z |VW5||jd||XdS)a This method takes bytes, which can be a bytestring or a mutable buffer like a bytearray, and yields a null-terminated version of that data. This is required because PKCS12_parse doesn't take a length with its password char * and ffi.from_buffer doesn't provide null termination. So, to support zeroing the data via bytearray we need to build this ridiculous construct that copies the memory, but zeroes it after use. Nrr^z uint8_t *)rbr|rrZmemmoverr)rrrZdata_lenrrZrZr[_zeroed_null_terminated_bufs   z#Backend._zeroed_null_terminated_buf)rrr_cCs2|||}|j|jr|jjnddd|jDfS)NcSsg|] }|jqSrZ) certificate)rdrRrZrZr[ 0szABackend.load_key_and_certificates_from_pkcs12..) load_pkcs12rrRrZadditional_certs)rrrrZpkcs12rZrZr[%load_key_and_certificates_from_pkcs12%s  z-Backend.load_key_and_certificates_from_pkcs12c Csj|dk rtd|||}|j|j|jj}||jjkrN|t d|j ||jj }|j d}|j d}|j d}| |}|j|||||} W5QRX| dkr|t dd} d} g} |d|jjkr|j |d|jj} |j| dd } |d|jjkrt|j |d|jj}||}d}|j||jj}||jjkrj|j|}t||} |d|jjkr^|j |d|jj}|j|d}|jjs|jjrt|}n tt|}|D]}|j||}|||jjk|j ||jj}||}d}|j||jj}||jjkrJ|j|}| t||qt| | | S) Nrz!Could not deserialize PKCS12 datarzX509 **zCryptography_STACK_OF_X509 **rzInvalid password or PKCS12 dataFr) rr_rrdZd2i_PKCS12_biorUrbr|rrr PKCS12_freerrZ PKCS12_parserrrUrXZX509_alias_get0rrP sk_X509_free sk_X509_numrrrreversed sk_X509_valuerzrprQ)rrrrrUp12Z evp_pkey_ptrrWZ sk_x509_ptr password_bufrrRrZadditional_certificatesrrZcert_objrZ maybe_namesk_x509rindicesrZ addl_certZ addl_namerZrZr[r3sz              zBackend.load_pkcs12)rrrRcasrr_cCsfd}|dk rtd|t|tjr@d}d}d} d} |jj} nDt|tjr|jj rf|jj }|jj }n|jj }|jj }d} d} |jj} |j }nt|tj r||jtjjkr|d}d}d} d} |j }|j} | tjkr|jj }|jj }n>| tjkr|jj std|jj }|jj }n| dks"t|jdk r`|jjs@td||j} || |jjkn|jj} |jdk r|j} ntd|dkst|dkr|jj} n|j} |j| |jj } g}|D]}t|t!r0|j"}|#|j$}|dkr |j%||jjd}n|j%||t|}||dkn |#|}|&||j'| |}t(|dkq|)|}|)|V}|r|#|n|jj}|dk r|j*}n|jj}|j+||||| ||| | d }W5QRX|jjr | |jjkr |j,||d|jjd| | W5QRX|||jjk|j||jj-}|.}|j/||}||dk|0|S) Nrr]ri Nr^z2PBESv2 is not supported by this version of OpenSSLzBSetting MAC algorithm is not supported by this version of OpenSSL.zUnsupported key encryption type)1rrrr&rrbr|rrdrZNID_aes_256_cbcZ&NID_pbe_WithSHA1And3_Key_TripleDES_CBCrrrrZPKCS12Z_key_cert_algorithmrOZPBESv1SHA1And3KeyTripleDESCBCZPBESv2SHA256AndAES256CBCrrZ _hmac_hashZCryptography_HAS_PKCS12_SET_MACrrzZ _kdf_roundsrrZsk_X509_new_nullrrrPZ friendly_namerVrZX509_alias_set1rpZ sk_X509_pushr{rrYZ PKCS12_createZPKCS12_set_macrrZi2d_PKCS12_bior)rrrrrRrrrZnid_certZnid_keyZ pkcs12_iterZmac_iterZmac_algZ keycertalgrZossl_cascaZca_aliasZossl_carrZname_bufZ ossl_certrrrUrZrZr[(serialize_key_and_certificates_to_pkcs12~s                         z0Backend.serialize_key_and_certificates_to_pkcs12cCs|jr dS|jjdkSr)rfrdZCryptography_HAS_POLY1305rqrZrZr[poly1305_supported szBackend.poly1305_supported)rr_cCs*td|t|tkr tdt||S)NrzA poly1305 key is 32 bytes long)rr_rrrr)rrrrZrZr[create_poly1305_ctx" s  zBackend.create_poly1305_ctxcCs |jj SrrrqrZrZr[pkcs7_supported) szBackend.pkcs7_supportedcCsntd|||}|j|j|jj|jj|jj}||jjkrR|t d|j ||jj }| |SNrzUnable to parse PKCS7 data) rrrrdZPEM_read_bio_PKCS7rUrbr|rrr PKCS7_free_load_pkcs7_certificatesrrrrUp7rZrZr[load_pem_pkcs7_certificates, s   z#Backend.load_pem_pkcs7_certificatescCsbtd|||}|j|j|jj}||jjkrF|t d|j ||jj }| |Sr) rrrrdZ d2i_PKCS7_biorUrbr|rrrrrrrZrZr[load_der_pkcs7_certificates; s   z#Backend.load_der_pkcs7_certificatesc Cs|j|j}|||jjk||jjkr>td|tj |j j j }|j |}g}t|D]8}|j||}|||jjk||}||q`|S)NzNOnly basic signed structures are currently supported. NID for this data was {})rdZ OBJ_obj2nidrrzriZNID_pkcs7_signedrrtrZUNSUPPORTED_SERIALIZATIONrsignrRrrrrbr|rXrp) rrrrrrcertsrrrRrZrZr[rH s$      z Backend._load_pkcs7_certificates)N)N)N)rWrXrY__doc__rrr8rr%rr r!r"Z SHA512_224Z SHA512_256ZSHA3_224ZSHA3_256ZSHA3_384ZSHA3_512ZSHAKE128ZSHAKE256rr*Z SECP224R1Z SECP256R1Z SECP384R1Z SECP521R1rZ_fips_rsa_min_key_sizeZ_fips_rsa_min_public_exponentZ_fips_dsa_min_modulusZ_fips_dh_min_key_sizeZ_fips_dh_min_modulusrsstrrwr}typingOptionalListrZ OpenSSLErrorrzrerr contextlibrrrmrrurrbytesZ HashAlgorithmrrrrrrrrZ HashContextrr7rLrrrhrrrrrrrrr-Z RSAPrivateKeyrrZRSAPrivateNumbersrZRSAPublicNumbersZ RSAPublicKeyrrrrTrrrr4rr5rr#r'r'r(r)Z DSAParametersr+Z DSAPrivateKeyr.r/r4ZDSAPrivateNumbersr8ZDSAPublicNumbersZ DSAPublicKeyr:ZDSAParameterNumbersr;r-r<r=r@r6r rArCrLr(Z DHParametersrMr rNrrQrZ CertificateAnyrVrXr\rBNoReturnrIZ EllipticCurverlZEllipticCurveSignatureAlgorithmrnZEllipticCurvePrivateKeyrsZEllipticCurvePrivateNumbersrZEllipticCurvePublicNumbersZEllipticCurvePublicKeyrrrrprrrrqrhrxryr&rSrrrrrrrrrrZ DHPrivateKeyrrZDHPrivateNumbersrZDHPublicNumbersZ DHPublicKeyrZDHParameterNumbersrrrr/ZX25519PublicKeyrZX25519PrivateKeyrrrrr.Z X448PublicKeyrZX448PrivateKeyrrrrr,ZEd25519PublicKeyrZEd25519PrivateKeyrrrr+ZEd448PublicKeyrZEd448PrivateKeyrrrrrrTuplerrQrrRrSrrrrrrrrrZrZrZr[r\s\              E       *     H;       *  4.   5   *   # |  7    1         #  M     r\c@s,eZdZedddZeeedddZdS)r)fmtcCs ||_dSr)_fmt)rrr rZrZr[rs_ szGetCipherByName.__init__)r{rr~cCsd|jj||d}|j|d}||jjkrX|jjrX|j |jj|d|jj}| |S)N)rr~r) r rtlowerrdrrrbr|ZCryptography_HAS_300_EVP_CIPHERZEVP_CIPHER_fetchr)rrr{rr~rrrZrZr[__call__b s zGetCipherByName.__call__N) rWrXrYrrsr\r7rLr rZrZrZr[r^ sr)r{rcCs$d|jdd}|j|dS)Nzaes-rz-xtsr)rrdrr)r{rr~rrZrZr[rw sr)x collectionsrrrrjrZ cryptographyrrZcryptography.exceptionsrrZ$cryptography.hazmat.backends.opensslrZ,cryptography.hazmat.backends.openssl.ciphersrZ)cryptography.hazmat.backends.openssl.cmacr Z'cryptography.hazmat.backends.openssl.dhr r r rZ(cryptography.hazmat.backends.openssl.dsarrrZ'cryptography.hazmat.backends.openssl.ecrrZ*cryptography.hazmat.backends.openssl.ed448rrrZ,cryptography.hazmat.backends.openssl.ed25519rrZ+cryptography.hazmat.backends.openssl.hashesrZ)cryptography.hazmat.backends.openssl.hmacrZ-cryptography.hazmat.backends.openssl.poly1305rrZ(cryptography.hazmat.backends.openssl.rsarr Z)cryptography.hazmat.backends.openssl.x448r!r"Z"cryptography.hazmat.bindings._rustr#rZ$cryptography.hazmat.bindings.opensslr$Zcryptography.hazmat.primitivesr%r&Z*cryptography.hazmat.primitives._asymmetricr'Z)cryptography.hazmat.primitives.asymmetricr(r)r*r+r,r-r.r/Z1cryptography.hazmat.primitives.asymmetric.paddingr0r1r2r3Z/cryptography.hazmat.primitives.asymmetric.typesr4r5Z&cryptography.hazmat.primitives.ciphersr6r7Z1cryptography.hazmat.primitives.ciphers.algorithmsr8r9r:r;r<r=r>r?r@rArBrCZ,cryptography.hazmat.primitives.ciphers.modesrDrErFrGrHrIrJrKrLZ"cryptography.hazmat.primitives.kdfrMZ,cryptography.hazmat.primitives.serializationrNZ3cryptography.hazmat.primitives.serialization.pkcs12rOrPrQrRrS namedtuplerTrVr\rrr{rZrZrZr[sp         ( 8,  p