U EZh6@sUddlZddlZddlZddlZddlZddlZddlmZddl m Z ddl m Z ddl mZddlmZmZmZmZmZddlm ZddlmZmZmZddlmZmZmZmZmZm Z zdd l!m"Z#d Z$Wn4e%k rd Z$dre&e&e'e'e(e&d d dZ#YnXdZ)dZ*dZ+dZ,dZ-dZ.dZ/dZ0dZ1e2dZ3dZ4dZ5dZ6dZ7dZ8dZ9dZ:e2e5d e6ej;Ze?d!d"Z@ejAd#ejBdfejAd#ejCdfd$ZDejEe&ejFejGejAe'ejHejGejBejGejCfe'ffeId%<e,e-e.d&ZJejHd'e&d(d)d*ZKejLe&d+d,d-ZMe5d.e6d.fe&e&e&e&d/d0d1ZNe&e'dd2d3d4ZOe&dd5d6d7ZPe&ejQe&e&e'eejHejCejBfd8d9d:ZRe=ejFe'e=fd5d;d<ZSe=ejFe'e=fd5d=d>ZTe=ejFe=e=fd5d?d@ZUe=ejFe'e=fd5dAdBZVe'e&dCdDdEZWGdFdGdGZXGdHdIdIZYGdJdKdKZZGdLdMdMZ[GdNdOdOZ\e*eYe+eZe)e\e,e[dPe]e-e[dQe^e.e[dRe_iZ`e&dSdTdUZaejHejbejcejdejefZfdse&ejQe&ejgefdVdWdXZhefe&ee&dYdZd[ZiejHejLejjejkejlfZmejHejLejjejlfZnGd\d]d]ejoZpGd^d_d_Zqejrejsd`dadbZtdte&ejHeqemfd5dcddZue&ejHeqemfd5dedfZve=ejEe&e&fdgdhdiZwdue&ejgemdjdkdlZxeme&d+dmdnZyejHejbejcejefZzdoZ{GdpdqdqZ|dS)vN) encodebytes)utilsUnsupportedAlgorithm)hashes)dsaeced25519paddingrsa)Cipher algorithmsmodes)EncodingKeySerializationEncryption NoEncryption PrivateFormat PublicFormat_KeySerializationEncryption)kdfTF)passwordsaltdesired_key_bytesroundsignore_few_roundsreturncCs tddS)NzNeed bcrypt moduler)rrrrrrw/home/aprabhat/apps/x.techxrdev.in/venv/lib/python3.8/site-packages/cryptography/hazmat/primitives/serialization/ssh.py _bcrypt_kdf*srs ssh-ed25519sssh-rsasssh-dsssecdsa-sha2-nistp256secdsa-sha2-nistp384secdsa-sha2-nistp521s-cert-v01@openssh.coms rsa-sha2-256s rsa-sha2-512s\A(\S+)[ \t]+(\S+)sopenssh-key-v1s#-----BEGIN OPENSSH PRIVATE KEY-----s!-----END OPENSSH PRIVATE KEY-----sbcryptsnone aes256-ctrs(.*?) )rs aes256-cbc _SSH_CIPHERS)Z secp256r1Z secp384r1Z secp521r1)SSHPrivateKeyTypesSSHPublicKeyTypes)keyrcCst|tjrt|}nft|tjr0t|}nPt|tjtjfrHt }n8t|t j t j fr`t }n t|tjtjfrxt}ntd|S)NUnsupported key type) isinstancerEllipticCurvePrivateKey_ecdsa_key_type public_keyEllipticCurvePublicKeyr RSAPrivateKey RSAPublicKey_SSH_RSAr DSAPrivateKey DSAPublicKey_SSH_DSAr Ed25519PrivateKeyEd25519PublicKey _SSH_ED25519 ValueError)r'key_typerrr_get_ssh_key_typefs    r9r,rcCs*|j}|jtkr td|jt|jS)z3Return SSH key_type and curve_name for private key.z'Unsupported curve for ssh private key: )curvename_ECDSA_KEY_TYPEr7)r,r;rrrr+{s   r+ )dataprefixsuffixrcCsd|t||gS)N)join_base64_encode)r?r@rArrr_ssh_pem_encodesrE)r? block_lenrcCs |rt||dkrtddS)zRequire data to be full blocksrzCorrupt data: missing paddingN)lenr7)r?rFrrr_check_block_sizesrHr?rcCs|r tddS)z!All data should have been parsed.zCorrupt data: unparsed dataN)r7r?rrr _check_emptysrK) ciphernamerrrrc CsR|s tdt|\}}}}t|||||d}t||d||||dS)z$Generate key + iv and return cipher.zKey is password-protected.TN)r7r$rr ) rLrrralgoZkey_lenmodeZiv_lenseedrrr _init_ciphers rPcCs6t|dkrtdtj|dddd|ddfS)ZUint32 Invalid dataNbig byteorderrGr7int from_bytesrJrrr_get_u32s rYcCs6t|dkrtdtj|dddd|ddfS)ZUint64rRNrSrTrVrJrrr_get_u64s r[cCs8t|\}}|t|kr td|d|||dfS)zBytes with u32 length prefixrRN)rYrGr7)r?nrrr _get_sshstrs  r]cCs4t|\}}|r$|ddkr$tdt|d|fS)z Big integer.rrRrS)r]r7rWrX)r?valrrr _get_mpints r`r_rcCs4|dkrtd|sdS|dd}t||S)z!Storage format for signed bigint.rznegative mpint not allowedrBrZ)r7 bit_lengthrZ int_to_bytes)r_nbytesrrr _to_mpints rdc@seZdZUdZejeed<dejejeddddZ edddd Z e ddd d Z e ddd d Z ejedfddddZe ddddZe dddZdee e dddZedddZdS) _FragListz,Build recursive structure without data copy.flistN)initrcCsg|_|r|j|dSN)rfextend)selfrgrrr__init__sz_FragList.__init__racCs|j|dS)zAdd plain bytesN)rfappendrjr_rrrput_rawsz_FragList.put_rawcCs|j|jddddS)zBig-endian uint32rQrSlengthrUNrfrlto_bytesrmrrrput_u32sz_FragList.put_u32cCs|j|jddddS)zBig-endian uint64rZrSroNrqrmrrrput_u64sz_FragList.put_u64cCsLt|tttfr,|t||j|n|||j |jdS)zBytes prefixed with u32 lengthN) r)bytes memoryview bytearrayrsrGrfrlsizerirmrrr put_sshstrs z_FragList.put_sshstrcCs|t|dS)z*Big-endian bigint prefixed with u32 lengthN)ryrdrmrrr put_mpintsz_FragList.put_mpintrcCsttt|jS)zCurrent number of bytes)summaprGrfrjrrrrxsz_FragList.sizer)dstbufposrcCs2|jD]&}t|}|||}}||||<q|S)zWrite into bytearray)rfrG)rjrrfragZflenstartrrrrenders  z_FragList.rendercCs"tt|}|||S)zReturn as bytes)rvrwrxrtobytes)rjbufrrrrs z_FragList.tobytes)N)r)__name__ __module__ __qualname____doc__typingListru__annotations__OptionalrkrnrWrsrtUnionryrzrxrvrrrrrrres   rec@s~eZdZdZedddZeejej efdddZ eejej efddd Z ej e d d d d Zej e d dddZd S) _SSHFormatRSAzhFormat for RSA keys. Public: mpint e, n Private: mpint n, e, d, iqmp, p, q rJcCs$t|\}}t|\}}||f|fS)zRSA public fieldsr`)rjr?er\rrr get_publics  z_SSHFormatRSA.get_publicrIcCs.||\\}}}t||}|}||fS)zMake RSA public key from data.)rr RSAPublicNumbersr,)rjr?rr\public_numbersr,rrr load_publics z_SSHFormatRSA.load_publicc Cst|\}}t|\}}t|\}}t|\}}t|\}}t|\}}||f|kr\tdt||} t||} t||} t|||| | || } | } | |fS)zMake RSA private key from data.z Corrupt data: rsa field mismatch)r`r7r Z rsa_crt_dmp1Z rsa_crt_dmq1rZRSAPrivateNumbers private_key)rjr? pubfieldsr\rdiqmppqZdmp1Zdmq1rprivate_numbersrrrr load_private s,          z_SSHFormatRSA.load_privateNr,f_pubrcCs$|}||j||jdS)zWrite RSA public keyN)rrzrr\)rjr,rZpubnrrr encode_public6s z_SSHFormatRSA.encode_publicrf_privrcCsZ|}|j}||j||j||j||j||j||jdS)zWrite RSA private keyN) rrrzr\rrrrr)rjrrrrrrrencode_private>s     z_SSHFormatRSA.encode_private)rrrrrvrrTupler r/rr.rrerrrrrrrs    rc@seZdZdZeejejefdddZeejej efdddZ eejej efdddZ ej e d d d d Zej e d d ddZejd dddZd S) _SSHFormatDSAzhFormat for DSA keys. Public: mpint p, q, g, y Private: mpint p, q, g, y, x rIcCs@t|\}}t|\}}t|\}}t|\}}||||f|fS)zDSA public fieldsr)rjr?rrgyrrrrWs     z_SSHFormatDSA.get_publicc CsJ||\\}}}}}t|||}t||}|||}||fS)zMake DSA public key from data.)rrDSAParameterNumbersDSAPublicNumbers _validater,) rjr?rrrrparameter_numbersrr,rrrras   z_SSHFormatDSA.load_publicc Csz||\\}}}}}t|\}}||||f|kr:tdt|||}t||} || t|| } | } | |fS)zMake DSA private key from data.z Corrupt data: dsa field mismatch) rr`r7rrrrZDSAPrivateNumbersr) rjr?rrrrrxrrrrrrrrls    z_SSHFormatDSA.load_privateNrcCsL|}|j}||||j||j||j||jdS)zWrite DSA public keyN)rrrrzrrrr)rjr,rrrrrrr|s    z_SSHFormatDSA.encode_publicrcCs$|||||jdS)zWrite DSA private keyN)rr,rzrr)rjrrrrrrsz_SSHFormatDSA.encode_private)rrcCs |j}|jdkrtddS)Niz#SSH supports only 1024 bit DSA keys)rrrbr7)rjrrrrrrsz_SSHFormatDSA._validate)rrrrrvrrrrr2rr1rrerrrrrrrrrNs&      rc@seZdZdZeejdddZee j e j efdddZ ee j ej efddd Z ee j ejefdd d Zej ed d ddZejed dddZd S)_SSHFormatECDSAzFormat for ECDSA keys. Public: str curve bytes point Private: str curve bytes point mpint secret ssh_curve_namer;cCs||_||_dSrhr)rjrr;rrrrksz_SSHFormatECDSA.__init__rIcCsJt|\}}t|\}}||jkr*td|ddkr>td||f|fS)zECDSA public fieldszCurve name mismatchrrQzNeed uncompressed point)r]rr7NotImplementedError)rjr?r;pointrrrrs    z_SSHFormatECDSA.get_publiccCs.||\\}}}tj|j|}||fS)z Make ECDSA public key from data.)rrr-Zfrom_encoded_pointr;r)rjr? curve_namerr,rrrrs z_SSHFormatECDSA.load_publiccCsH||\\}}}t|\}}||f|kr2tdt||j}||fS)z!Make ECDSA private key from data.z"Corrupt data: ecdsa field mismatch)rr`r7rZderive_private_keyr;)rjr?rrrsecretrrrrrs   z_SSHFormatECDSA.load_privateNrcCs*|tjtj}||j||dS)zWrite ECDSA public keyN) public_bytesrZX962rZUncompressedPointryr)rjr,rrrrrrs  z_SSHFormatECDSA.encode_publicrcCs,|}|}|||||jdS)zWrite ECDSA private keyN)r,rrrzZ private_value)rjrrr,rrrrrs z_SSHFormatECDSA.encode_private)rrrrrur EllipticCurverkrvrrrr-rr*rrerrrrrrrs&     rc@seZdZdZeejejefdddZeejej efdddZ eejej efdddZ ej e d d d d Zej e d d ddZd S)_SSHFormatEd25519z~Format for Ed25519 keys. Public: bytes point Private: bytes point bytes secret_and_point rIcCst|\}}|f|fS)zEd25519 public fields)r])rjr?rrrrrs z_SSHFormatEd25519.get_publiccCs(||\\}}tj|}||fS)z"Make Ed25519 public key from data.)rr r5Zfrom_public_bytesr)rjr?rr,rrrrs z_SSHFormatEd25519.load_publiccCsb||\\}}t|\}}|dd}|dd}||ksF|f|krNtdtj|}||fS)z#Make Ed25519 private key from data.Nr#z$Corrupt data: ed25519 field mismatch)rr]r7r r4Zfrom_private_bytes)rjr?rrZkeypairrZpoint2rrrrrs    z_SSHFormatEd25519.load_privateNrcCs|tjtj}||dS)zWrite Ed25519 public keyN)rrRawrry)rjr,rraw_public_keyrrrrs z_SSHFormatEd25519.encode_publicrcCsR|}|tjtjt}|tjtj}t||g}| ||| |dS)zWrite Ed25519 private keyN) r,Z private_bytesrrrrrrrerry)rjrrr,Zraw_private_keyrZ f_keypairrrrrs  z _SSHFormatEd25519.encode_private)rrrrrvrrrr r5rr4rrerrrrrrrs$     rsnistp256snistp384snistp521r8cCs8t|tst|}|tkr&t|Std|dS)z"Return valid format or throw errorzUnsupported key type: N)r)rurvr _KEY_FORMATSrrrrr_lookup_kformat*s   r)r?rbackendrcCsjtd||dk r td|t|}|s6td|d}|d}t t |||}| t srtdt |t t d}t|\}}t|\}}t|\}}t|\} }| dkrtdt|\} }t| \} } t| } | | \} } t| t|\}}t|||fttfkr|}|tkrBtd||tkrZtd|t|d }t||t|\}}t|\}}t|t||||}t ||}nd }t||t|\}}t|\}}||krtd t|\}}|| kr td | || \}}t|\}}|tdt |krFtd t|tj rft!j"dtj#dd|S)z.Load private key from OpenSSH custom encoding.r?NrzNot OpenSSH private key formatr!zOnly one key supportedzUnsupported cipher: zUnsupported KDF: rZzCorrupt data: broken checksumzCorrupt data: key type mismatchzCorrupt data: invalid paddingDSSH DSA keys are deprecated and will be removed in a future release. stacklevel)$r_check_byteslike _check_bytes_PEM_RCsearchr7rendbinascii a2b_base64rv startswith _SK_MAGICrGr]rYrrrK_NONErr$r_BCRYPTrHrPZ decryptorupdater_PADDINGr)rr1warningswarnDeprecatedIn40)r?rrmp1Zp2rLkdfnameZ kdfoptionsnkeysZpubdataZ pub_key_typekformatrZedataZciphername_bytesblklenrZkbufrciphZck1Zck2r8rcommentrrrload_ssh_private_key;sx                          r)rrencryption_algorithmrcCstd|t|tjr*tjdtjddt|}t |}t }|rt }t |d}t }t} t|trv|jdk rv|j} td} || || t||| | } nt}}d}d} d } td} d }t }|||||t | | g}||||||||td|||t }|t|||||||| |||||}|}tt||}| |||}| dk r| !"|||||dt#|d|S) z3Serialize private key with OpenSSH custom encoding.rISSH DSA key support is deprecated and will be removed in a future releaserQrrNr rZr!rB)$rrr)rr1rrrr9rre_DEFAULT_CIPHERr$r_DEFAULT_ROUNDSrZ _kdf_roundsosurandomryrsrPrrr,rrnrrxrrvrwrZ encryptorZ update_intorE)rrrr8rZ f_kdfoptionsrLrrrrrrZcheckvalrZ f_public_keyZ f_secretsZf_mainslenmlenrZofsrrr_serialize_ssh_private_keysl                      rc@seZdZdZdZdS)SSHCertificateTyper!rN)rrrUSERZHOSTrrrrrsrc@sHeZdZeeeeeejeeeej eefej eefeeeeeeedddZ e edddZ e dddZe edd d Ze edd d Ze edd dZe ejedddZe edddZe edddZe ej eefdddZe ej eefdddZe dddZedddZddddZdS) SSHCertificate)_nonce _public_key_serial_cctype_key_id_valid_principals _valid_after _valid_before_critical_options _extensions _sig_type_sig_key_inner_sig_type _signature_tbs_cert_body_cert_key_type _cert_bodycCs||_||_||_zt||_Wntk r<tdYnX||_||_||_||_ | |_ | |_ | |_ | |_ | |_||_||_||_||_dS)NzInvalid certificate type)rrrr_typer7rrrrrrrrrrrrr)rjrrrrrrrrrrrrrrrrrrrrrks(zSSHCertificate.__init__r{cCs t|jSrh)rurr~rrrnonceszSSHCertificate.noncecCstt|jSrh)rcastSSHCertPublicKeyTypesrr~rrrr,szSSHCertificate.public_keycCs|jSrh)rr~rrrserial#szSSHCertificate.serialcCs|jSrh)rr~rrrtype'szSSHCertificate.typecCs t|jSrh)rurr~rrrkey_id+szSSHCertificate.key_idcCs|jSrh)rr~rrrvalid_principals/szSSHCertificate.valid_principalscCs|jSrh)rr~rrr valid_before3szSSHCertificate.valid_beforecCs|jSrh)rr~rrr valid_after7szSSHCertificate.valid_aftercCs|jSrh)rr~rrrcritical_options;szSSHCertificate.critical_optionscCs|jSrh)rr~rrr extensions?szSSHCertificate.extensionscCs&t|j}||j\}}t||Srh)rrrrrK)rjZ sigformat signature_keyZ sigkey_restrrrrCs zSSHCertificate.signature_keycCs"t|jdtjt|jddS)N F)newline)rurr b2a_base64rr~rrrrIs zSSHCertificate.public_bytesNcCs|}t|tjr.|t|jt|jnt|tj rt |j\}}t |\}}t |t ||}t|j}||t|jt|nnt|tjst|jtkrt}n*|jtkrt}n|jtkstt}|t|jt|jt|dSrh)rr)r r5verifyrurrrr-r`rK asym_utilsZencode_dss_signature_get_ec_hash_algr;ECDSAr r/AssertionErrorrr0rSHA1_SSH_RSA_SHA256SHA256_SSH_RSA_SHA512SHA512r PKCS1v15)rjrrr?sZ computed_sighash_algrrrverify_cert_signaturePs<         z$SSHCertificate.verify_cert_signature)rrrrvr&rWrrruDictrkpropertyrrr,rrrrrrrrrrrrrrrrrsP   )r)r;rcCsDt|tjrtSt|tjr(tSt|tjs8tt SdSrh) r)r SECP256R1rr SECP384R1SHA384 SECP521R1r r)r;rrrr qs   r c"Cstd|t|}|s"td|d}}|d}d}|tr^d}|dtt }|t krr|srt dt |}zt t |}Wn"tt jfk rtdYnX|r|} t|\} }| |krtd |rt|\} }||\} }|rpt|\} }t|\}}t|\}}t|\}}g}|rPt|\}}|t|q,t|\}}t|\}}t|\}}t|}t|\}}t|}t|\}}t|\}}t|\}}|t kr|st d | dt| }t|\}}t|t|\}} |tkr|tttfks,|tkr4||kr4td t| \}!} t| t| | | |||||||||||!||| St|| SdS) Nr?zInvalid line formatr!rFTz-DSA keys aren't supported in SSH certificateszInvalid formatzInvalid key formatz3DSA signatures aren't supported in SSH certificatesz!Signature key type does not match)rr_SSH_PUBKEY_RCmatchr7groupendswith _CERT_SUFFIXrGr3rrrvrr TypeErrorErrorr]rr[rYrlru_parse_exts_optsrKr0rrr)"r?_legacy_dsa_allowedrr8Z orig_key_typeZkey_bodyZ with_certrrestZ cert_bodyZinner_key_typerr,rZcctyperZ principalsrZ principalrrZ crit_optionsrextsr_Z sig_key_rawZsig_typeZsig_keyZ tbs_cert_bodyZ signature_rawZinner_sig_typeZsig_rest signaturerrr_load_ssh_public_identity{s                      r*cCst|Srh)r*rJrrrload_ssh_public_identitysr+) exts_optsrcCsji}d}|rft|\}}t|}||kr0td|dk rH||krHtdt|\}}t|||<|}q|S)NzDuplicate namezFields not lexically sorted)r]rur7)r,result last_namer<Zbnamevaluerrrr$s   r$)r?rrcCsFt|dd}t|tr |}n|}t|tjrBtjdtj dd|S)NT)r%rrr) r*r)rr,rr2rrrr)r?rZ cert_or_keyr,rrrload_ssh_public_keys    r0cCslt|tjrtjdtjddt|}t|}t }| || ||t |}d|d|gS)z&One-line public key format for OpenSSHrrQrrBr)r)rr2rrrrr9rreryrrrrstriprC)r,r8rrZpubrrrserialize_ssh_public_keys   r2c@sReZdZddddgdddggf ejeejeejeejeej ee ejeejeej ej eefej ej eefd ddZ eddddZ edd d d Zedd d dZeddddZej eddddZddZejeefddddZejeefddddZeeddddZeeddd d!Zeed"d#d$ZdS)%SSHCertificateBuilderNF rrrrr_valid_for_all_principalsrrrrc Cs@||_||_||_||_||_||_||_||_| |_| |_ dSrhr5) rjrrrrrr6rrrrrrrrk%s zSSHCertificateBuilder.__init__r:c Cs^t|tjtjtjfstd|jdk r0t dt ||j |j |j |j|j|j|j|j|jd S)Nr(zpublic_key already setr5)r)rr-r r/r r5r"rr7r4rrrrr6rrrr)rjr,rrrr,=s, z SSHCertificateBuilder.public_key)rrc Cspt|tstdd|kr&dks0ntd|jdk rBtdt|j||j|j|j |j |j |j |j |jd S)Nzserial must be an integerrz"serial must be between 0 and 2**64zserial already setr5)r)rWr"r7rr4rrrrr6rrrr)rjrrrrrYs$  zSSHCertificateBuilder.serial)rrc CsRt|tstd|jdk r$tdt|j|j||j|j |j |j |j |j |jd S)Nz"type must be an SSHCertificateTypeztype already setr5)r)rr"rr7r4rrrrr6rrrr)rjrrrrrns   zSSHCertificateBuilder.type)rrc CsRt|tstd|jdk r$tdt|j|j|j||j |j |j |j |j |jd S)Nzkey_id must be byteszkey_id already setr5)r)rur"rr7r4rrrrr6rrrr)rjrrrrrs   zSSHCertificateBuilder.key_id)rrc Cs||jrtdtdd|Dr$|s,td|jr:tdt|tkrNtdt|j|j |j |j ||j|j |j |j|jd S)NzDPrincipals can't be set because the cert is valid for all principalscss|]}t|tVqdSrh)r)ru).0rrrr sz9SSHCertificateBuilder.valid_principals..z5principals must be a list of bytes and can't be emptyzvalid_principals already setz:Reached or exceeded the maximum number of valid_principalsr5)r6r7allr"rrG_SSHKEY_CERT_MAX_PRINCIPALSr4rrrrrrrr)rjrrrrrs: z&SSHCertificateBuilder.valid_principalsc CsJ|jrtd|jrtdt|j|j|j|j|jd|j|j |j |j d S)Nz@valid_principals already set, can't set valid_for_all_principalsz$valid_for_all_principals already setTr5) rr7r6r4rrrrrrrrr~rrrvalid_for_all_principalss$z.SSHCertificateBuilder.valid_for_all_principals)rrc Csvt|ttfstdt|}|dks.|dkr6td|jdk rHtdt|j|j|j |j |j |j ||j |j|jd S)Nz$valid_before must be an int or floatrr7zvalid_before must [0, 2**64)zvalid_before already setr5)r)rWfloatr"r7rr4rrrrrr6rrr)rjrrrrrs& z"SSHCertificateBuilder.valid_before)rrc Csvt|ttfstdt|}|dks.|dkr6td|jdk rHtdt|j|j|j |j |j |j |j ||j|jd S)Nz#valid_after must be an int or floatrr7zvalid_after must [0, 2**64)zvalid_after already setr5)r)rWr=r"r7rr4rrrrrr6rrr)rjrrrrrs& z!SSHCertificateBuilder.valid_after)r<r/rc Csrt|trt|tstd|dd|jDkr8tdt|j|j|j|j |j |j |j |j |j||fg|jd S)Nname and value must be bytescSsg|] \}}|qSrrr8r<r(rrr sz=SSHCertificateBuilder.add_critical_option..zDuplicate critical option namer5)r)rur"rr7r4rrrrrr6rrrrjr<r/rrradd_critical_options z)SSHCertificateBuilder.add_critical_optionc Csrt|trt|tstd|dd|jDkr8tdt|j|j|j|j |j |j |j |j |j|j||fgd S)Nr>cSsg|] \}}|qSrrr?rrrr@sz7SSHCertificateBuilder.add_extension..zDuplicate extension namer5)r)rur"rr7r4rrrrrr6rrrrArrr add_extensions z#SSHCertificateBuilder.add_extension)rrc Cst|tjtjtjfstd|jdkr0t d|j dkr>dn|j }|j dkrVt d|j dkrddn|j }|j s~|js~t d|jdkrt d|jdkrt d|j|jkrt d |jjd d d |jjd d d t|j}|t}td}t|}t}||||||j|||||j j||t} |j D]} | | qT|| ||j||jt} |jD]\} } | | | | q|| t}|jD]\} } || || q|||dt|}t|}t}|||| |||t|tjr|!|}t}||||||nt|tjrt"|j#}|!|t$|}t%&|\}}t}||t}|'||'|||||nTt|tjs$t(t}|t)|!|t*+t,-}||||t./|0}t12t3t4d5|d|gS)NzUnsupported private key typezpublic_key must be setrztype must be setrBzAvalid_principals must be set if valid_for_all_principals is Falsezvalid_before must be setzvalid_after must be setz-valid_after must be earlier than valid_beforecSs|dSNrrrrrrUrBz,SSHCertificateBuilder.sign..)r'cSs|dSrDrrErrrrFVrBr#r)6r)rr*r r.r r4r"rr7rrrrr6rrrsortrr9r!rrrreryrrtrsr/rr,signr r;r r Zdecode_dss_signaturerzr rr rrrrrr1rrrr+rC)rjrrrr8Z cert_prefixrrfZ fprincipalsrZfcritr<r/ZfextZca_typeZcaformatZcafr)ZfsigrrrZfsigblobZ cert_datarrrrH*s                           zSSHCertificateBuilder.sign)rrrrrrrWrrurboolrrkr,rrrrr<rr=rrrBrCSSHCertPrivateKeyTypesrrHrrrrr4$s^   $      r4)F)N)F)N)}renumrrerrbase64rrDZ cryptographyrZcryptography.exceptionsrZcryptography.hazmat.primitivesrZ)cryptography.hazmat.primitives.asymmetricrrr r r r Z&cryptography.hazmat.primitives.ciphersr r rZ,cryptography.hazmat.primitives.serializationrrrrrrZbcryptrrZ_bcrypt_supported ImportErrorrurWrJr6r0r3Z_ECDSA_NISTP256Z_ECDSA_NISTP384Z_ECDSA_NISTP521r!rrcompilerrZ _SK_STARTZ_SK_ENDrrrrDOTALLrrvrwrangerZAESZCTRZCBCr$rrTyperrr=r9r-r+rErHrKrrPrYr[r]r`rdrerrrrrrrrrr*r.r1r4r%Anyrrr/r2r5r&rEnumrrrZ HashAlgorithmr r*r+r$r0r2rKr;r4rrrrsR                8FHGD       V M  `