o >h)7@sUddlmZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z m Z ddlm Z ddlmZmZmZejdkrIddlmZnejd krYed ZdwddZnddlmZddlmZmZddlmZmZmZmZmZddlm Z ddlm!Z"ddlm#Z$ddlm%Z&ddlm'Z(ddlm)Z*ddlm+Z,gdZ-eej.ej/ej0ej1ej2fZ3eej4ej5ej6ej7ej8fZ9ee3e9fZ:ee;ede;ffZde?d<e(j@ZAde?d <d!ZBe(jCZDde?d"<e(jEZFde?d#<e(jGZHde?d$<e(jIZJde?d%<Gd&d'd'eKZLe e$eLZMe*eLZNdxdyd+d,ZOdzd/d0ZPd{d4d5ZQd|d6d7ZRd}d9d:ZSGd;d<d<ZTGd=d>d>ZUGd?d@d@ZVedAd~dCdDZWedEddGdHZXejYGdIdJdJZZedKGdLdMdMZ[edNGdOdPdPZ\GdQdRdRZ]GdSdTdTZ^GdUdVdVZ_GdWdXdXeKZ`GdYdZdZZadd\d]Zbdd_d`ZcddbdcZd  dddhdiZeGdjdkdkZfddmdnZg dxddodpZhddrdsZieiZjejeiekdNeldsdtddudvZmemZnejemekdNeldvdtdS)) annotationsN) b16encode)IterableSequence)partial)AnyCallableUnion) ) deprecated)r TmsgstrkwargsobjectreturnCallable[[_T], _T]cKsddS)NcSs|SN)frrn/var/www/vedio/testing/chatpythonscript.ninositsolution.com/env/lib/python3.10/site-packages/OpenSSL/crypto.pyszdeprecated..r)rrrrrr sr )utilsx509)dsaeced448ed25519rsa)StrOrBytesPath) byte_string)exception_from_error_queue)ffi)lib) make_assert) path_bytes) FILETYPE_ASN1 FILETYPE_PEM FILETYPE_TEXTTYPE_DSATYPE_RSAX509ErrorPKey X509ExtensionX509NameX509Req X509StoreX509StoreContextX509StoreContextErrorX509StoreFlagsdump_certificatedump_certificate_requestdump_privatekeydump_publickeyget_elliptic_curveget_elliptic_curvesload_certificateload_certificate_requestload_privatekeyload_publickey.intr)r(ir,r+TYPE_DHTYPE_ECc@seZdZdZdS)r.z7 An error occurred in an `OpenSSL.crypto` API. N)__name__ __module__ __qualname____doc__rrrrr.tsr.buffer bytes | NonercCsf|durtt}tj}ntd|}t|t|}|fd dd}t|tj kt ||}|S) z Allocate a new OpenSSL memory BIO. Arrange for the garbage collector to clean it up automatically. :param buffer: None or some bytes to use to put into the BIO so that they can be read out. Nchar[]biorrefrcSs t|Sr)_libBIO_free)rKrLrrrfree z_new_mem_buf..free)rKrrLrrr) rMBIO_new BIO_s_memrN_ffinewBIO_new_mem_buflen_openssl_assertNULLgc)rHrKrOdatarrr _new_mem_buf~s   r[rKbytescCs.td}t||}t|d|ddS)zO Copy the contents of an OpenSSL BIO object into a Python byte string. zchar**rN)rSrTrMBIO_get_mem_datarH)rK result_buffer buffer_lengthrrr_bio_to_strings  r`boundarywhenNonecCs@t|ts tdt|tjkt||}|dkrtddS)a The the time value of an ASN1 time object. @param boundary: An ASN1_TIME pointer (or an object safely castable to that type) which will have its value set. @param when: A string representation of the desired time value. @raise TypeError: If C{when} is not a L{bytes} string. @raise ValueError: If C{when} does not represent a time in the required format. @raise RuntimeError: If the time value cannot be set for some other (unspecified) reason. zwhen must be a byte stringrzInvalid stringN) isinstancer\ TypeErrorrWrSrXrMASN1_TIME_set_string ValueError)rarb set_resultrrr_set_asn1_times  ricCs2t}t|tjkt|tj}t|||S)a Behaves like _set_asn1_time but returns a new ASN1_TIME object. @param when: A string representation of the desired time value. @raise TypeError: If C{when} is not a L{bytes} string. @raise ValueError: If C{when} does not represent a time in the required format. @raise RuntimeError: If the time value cannot be set for some other (unspecified) reason. )rM ASN1_TIME_newrWrSrXrYASN1_TIME_freeri)rbretrrr_new_asn1_times   rm timestampcCstd|}t|dkrdSt|tjkrtt|Std}t ||t |dtj ktd|d}t|}t|}t |d|S)a] Retrieve the time value of an ASN1 time object. @param timestamp: An ASN1_GENERALIZEDTIME* (or an object safely castable to that type) from which the time value will be retrieved. @return: The time value from C{timestamp} as a L{bytes} string in a certain format. Or C{None} if the object contains no time value. ASN1_STRING*rNzASN1_GENERALIZEDTIME**) rScastrMASN1_STRING_lengthASN1_STRING_typeV_ASN1_GENERALIZEDTIMEstringASN1_STRING_get0_datarTASN1_TIME_to_generalizedtimerWrXASN1_GENERALIZEDTIME_free)rnstring_timestampgeneralized_timestamp string_data string_resultrrr_get_asn1_times     r|c@s*eZdZd ddZd ddZd d d Zd S)_X509NameInvalidatorrrccCs g|_dSr)_namesselfrrr__init__rPz_X509NameInvalidator.__init__namer1cCs|j|dSr)r~appendrrrrraddsz_X509NameInvalidator.addcCs|jD]}|`qdSr)r~_namerrrrclears z_X509NameInvalidator.clearNrrcrr1rrc)rDrErFrrrrrrrr}s  r}c@sbeZdZdZdZdZdddZdd d Zedd d Z dddZ dddZ d ddZ d ddZ dS)!r/zD A class representing an DSA or RSA public key or key pair. FTrrccCs"t}t|tj|_d|_dS)NF)rM EVP_PKEY_newrSrY EVP_PKEY_free_pkey _initializedrpkeyrrrrs z PKey.__init___KeycCsNddlm}m}|jrtt|}tt||St t|}tt||ddS)a Export as a ``cryptography`` key. :rtype: One of ``cryptography``'s `key interfaces`_. .. _key interfaces: https://cryptography.io/en/latest/hazmat/ primitives/asymmetric/rsa/#key-interfaces .. versionadded:: 16.1.0 r)load_der_private_keyload_der_public_keyN)password) ,cryptography.hazmat.primitives.serializationrr _only_publicr:r(typingrprr9)rrrderrrrto_cryptography_keys    zPKey.to_cryptography_key crypto_keyc Cst|tjtjtjtjtjtj t j t j t jt jf stdddlm}m}m}m}t|tjtjtj t j t jfrCtt||j|jS||j|j|}tt|S)z Construct based on a ``cryptography`` *crypto_key*. :param crypto_key: A ``cryptography`` key. :type crypto_key: One of ``cryptography``'s `key interfaces`_. :rtype: PKey .. versionadded:: 16.1.0 zUnsupported key typer)Encoding NoEncryption PrivateFormat PublicFormat)rdr DSAPrivateKey DSAPublicKeyrEllipticCurvePrivateKeyEllipticCurvePublicKeyrEd25519PrivateKeyEd25519PublicKeyrEd448PrivateKeyEd448PublicKeyr RSAPrivateKey RSAPublicKeyrerrrrrr@r( public_bytesDERSubjectPublicKeyInfo private_bytesPKCS8r?)clsrrrrrrrrrfrom_cryptography_keysF    zPKey.from_cryptography_keytyperAbitsc Cs4t|ts tdt|tstd|tkrQ|dkrtdt}t|tj }t |tj t }t |||tj}t|dkt|j|}t|dknD|tkrt}t|tjkt|tj}t||tjdtjtjtj}t|dktt|dktt|j|dkntdd|_dS) a3 Generate a key pair of the given type, with the given number of bits. This generates a key "into" the this object. :param type: The key type. :type type: :py:data:`TYPE_RSA` or :py:data:`TYPE_DSA` :param bits: The number of bits. :type bits: :py:data:`int` ``>= 0`` :raises TypeError: If :py:data:`type` or :py:data:`bits` isn't of the appropriate type. :raises ValueError: If the number of bits isn't an integer of the appropriate size. :return: ``None`` ztype must be an integerzbits must be an integerrzInvalid number of bitszNo such key typeTN)rdrArer,rgrMBN_newrSrYBN_free BN_set_wordRSA_F4RSA_newRSA_generate_key_exrXrWEVP_PKEY_assign_RSArr+DSA_newDSA_freeDSA_generate_parameters_exDSA_generate_keyEVP_PKEY_set1_DSAr.r)rrrexponentr resultrresrrr generate_keyUs6     zPKey.generate_keyboolcCsd|jrtdt|tjkrtdt|j}t |tj }t |}|dkr-dSt dS)ax Check the consistency of an RSA private key. This is the Python equivalent of OpenSSL's ``RSA_check_key``. :return: ``True`` if key is consistent. :raise OpenSSL.crypto.Error: if the key is inconsistent. :raise TypeError: if the key is of a type which cannot be checked. Only RSA keys can currently be checked. zpublic key onlyz'Only RSA keys can currently be checked.rTN) rrerM EVP_PKEY_typer EVP_PKEY_RSAEVP_PKEY_get1_RSArrSrYRSA_free RSA_check_key_raise_current_error)rr rrrrchecks    z PKey.checkcC t|jS)zT Returns the type of the key :return: The type of the key. )rM EVP_PKEY_idrrrrrr z PKey.typecCr)zh Returns the number of bits of the key :return: The number of bits of the key. )rM EVP_PKEY_bitsrrrrrrrz PKey.bitsNr)rr)rrrr/)rrArrArrcrrrrA)rDrErFrGrrrr classmethodrrrrrrrrrr/s    9 8 r/csneZdZdZdZdfdd Zedd d Zedd dZedddZ dddZ d ddZ d!ddZ Z S)"_EllipticCurveaZ A representation of a supported elliptic curve. @cvar _curves: :py:obj:`None` until an attempt is made to load the curves. Thereafter, a :py:type:`set` containing :py:type:`_EllipticCurve` instances each of which represents one curve supported by the system. @type _curves: :py:type:`NoneType` or :py:type:`set` Notherrrrcst|tr t|StS)z Implement cooperation with the right-hand side argument of ``!=``. Python 3 seems to have dropped this cooperation in this very narrow circumstance. )rdrsuper__ne__NotImplementedrr __class__rrrs  z_EllipticCurve.__ne__r%set[_EllipticCurve]cs>tjd}td|}||tfdd|DS)z Get the curves supported by OpenSSL. :param lib: The OpenSSL library binding object. :return: A :py:type:`set` of ``cls`` instances giving the names of the elliptic curves the underlying library supports. rzEC_builtin_curve[]c3s|] }|jVqdSr)from_nidnid).0crr%rr sz7_EllipticCurve._load_elliptic_curves..)EC_get_builtin_curvesrSrXrTset)rr% num_curvesbuiltin_curvesrrr_load_elliptic_curvess  z$_EllipticCurve._load_elliptic_curvescCs|jdur |||_|jS)a Get, cache, and return the curves supported by OpenSSL. :param lib: The OpenSSL library binding object. :return: A :py:type:`set` of ``cls`` instances giving the names of the elliptic curves the underlying library supports. N)_curvesrrrrr_get_elliptic_curvess z#_EllipticCurve._get_elliptic_curvesrrAcCs|||t||dS)a Instantiate a new :py:class:`_EllipticCurve` associated with the given OpenSSL NID. :param lib: The OpenSSL library binding object. :param nid: The OpenSSL NID the resulting curve object will represent. This must be a curve NID (and not, for example, a hash NID) or subsequent operations will fail in unpredictable ways. :type nid: :py:class:`int` :return: The curve object. ascii)rSrt OBJ_nid2sndecode)rr%rrrrrsz_EllipticCurve.from_nidrrrccCs||_||_||_dS)a :param _lib: The :py:mod:`cryptography` binding instance used to interface with OpenSSL. :param _nid: The OpenSSL NID identifying the curve this object represents. :type _nid: :py:class:`int` :param name: The OpenSSL short name identifying the curve this object represents. :type name: :py:class:`unicode` N)rM_nidr)rr%rrrrrrs  z_EllipticCurve.__init__cCsd|jdS)Nzrrrrr__repr__z_EllipticCurve.__repr__cCs|j|j}t|tjS)z Create a new OpenSSL EC_KEY structure initialized to use this curve. The structure is automatically garbage collected when the Python object is garbage collected. )rMEC_KEY_new_by_curve_namerrSrY EC_KEY_free)rkeyrrr _to_EC_KEYsz_EllipticCurve._to_EC_KEYrrrr)r%rrr)r%rrrArr)r%rrrArrrrcrrrr)rDrErFrGrrrrrrrrr __classcell__rrrrrs      rzSget_elliptic_curves is deprecated. You should use the APIs in cryptography instead.rcCs ttS)a Return a set of objects representing the elliptic curves supported in the OpenSSL build in use. The curve objects have a :py:class:`unicode` ``name`` attribute by which they identify themselves. The curve objects are useful as values for the argument accepted by :py:meth:`Context.set_tmp_ecdh` to specify which elliptical curve should be used for ECDHE key exchange. )rrrMrrrrr<s r<zRget_elliptic_curve is deprecated. You should use the APIs in cryptography instead.rcCs(tD] }|j|kr|Sqtd|)aT Return a single curve object selected by name. See :py:func:`get_elliptic_curves` for information about curve objects. :param name: The OpenSSL short name identifying the curve object to retrieve. :type name: :py:class:`unicode` If the named curve is not supported then :py:class:`ValueError` is raised. zunknown curve name)r<rrg)rcurverrrr;2s   r;csreZdZdZd ddZd!fd d Zd"d dZd#ddZd#ddZd$ddZ d%ddZ d&ddZ d'ddZ Z S)(r1a An X.509 Distinguished Name. :ivar countryName: The country of the entity. :ivar C: Alias for :py:attr:`countryName`. :ivar stateOrProvinceName: The state or province of the entity. :ivar ST: Alias for :py:attr:`stateOrProvinceName`. :ivar localityName: The locality of the entity. :ivar L: Alias for :py:attr:`localityName`. :ivar organizationName: The organization name of the entity. :ivar O: Alias for :py:attr:`organizationName`. :ivar organizationalUnitName: The organizational unit of the entity. :ivar OU: Alias for :py:attr:`organizationalUnitName` :ivar commonName: The common name of the entity. :ivar CN: Alias for :py:attr:`commonName`. :ivar emailAddress: The e-mail address of the entity. rrrccCs t|j}t|tj|_dS)z Create a new X509Name, copying the given X509Name instance. :param name: The name to copy. :type name: :py:class:`X509Name` N)rM X509_NAME_duprrSrYX509_NAME_freerrrrrbs zX509Name.__init__rvaluerc s|dr t||St|turtdt|jddtt |}|tj kr?zt Wt dt y>Yt dwtt|jD]%}t|j|}t|}t|}||krlt|j|}t|nqGt|trw|d}t|j|tj|ddd}|st dSdS) N_z$attribute name must be string, not 'z.200'No such attributeutf-8r) startswithr __setattr__rrrerDrM OBJ_txt2nid _byte_string NID_undefrr.AttributeErrorrangeX509_NAME_entry_countrX509_NAME_get_entryX509_NAME_ENTRY_get_object OBJ_obj2nidX509_NAME_delete_entryX509_NAME_ENTRY_freerdencodeX509_NAME_add_entry_by_NID MBSTRING_UTF8) rrrrientent_objent_nid add_resultrrrrlsD           zX509Name.__setattr__ str | Nonec Cstt|}|tjkr!ztWtdty Ytdwt|j|d}|dkr/dSt |j|}t |}t d}t ||}t|dkzt |d|ddd}Wt|d|St|dw)a  Find attribute. An X509Name object has the following attributes: countryName (alias C), stateOrProvince (alias ST), locality (alias L), organization (alias O), organizationalUnit (alias OU), commonName (alias CN) and more... rrNunsigned char**rr)rMrrrrr.rX509_NAME_get_index_by_NIDrrX509_NAME_ENTRY_get_datarSrTASN1_STRING_to_UTF8rWrHr OPENSSL_free) rrr entry_indexentryrZr^ data_lengthrrrr __getattr__s0      zX509Name.__getattr__rrcCs"t|tstSt|j|jdkSNrrdr1rrM X509_NAME_cmprrrrr__eq__ zX509Name.__eq__cCs"t|tstSt|j|jdkSrr rrrr__lt__r#zX509Name.__lt__cCsDtdd}t|j|t|}t|tjkdt | dS)z6 String representation of an X509Name rJizr) rSrTrMX509_NAME_onelinerrVrWrXformatrtr)rr^ format_resultrrrrs  zX509Name.__repr__rAcCr)a& Return an integer representation of the first four bytes of the MD5 digest of the DER representation of the name. This is the Python equivalent of OpenSSL's ``X509_NAME_hash``. :return: The (integer) hash of this name. :rtype: :py:class:`int` )rMX509_NAME_hashrrrrrhash z X509Name.hashr\cCsNtd}t|j|}t|dkt|d|dd}t|d|S)z Return the DER encoding of this name. :return: The DER encoded form of this name. :rtype: :py:class:`bytes` rrN)rSrTrM i2d_X509_NAMErrWrHr)rr^ encode_resultr{rrrrs  z X509Name.derlist[tuple[bytes, bytes]]c Csg}tt|jD]7}t|j|}t|}t|}t|}t|}t t |t |dd}| t ||fq |S)z Returns the components of this name, as a sequence of 2-tuples. :return: The components of this name. :rtype: :py:class:`list` of ``name, value`` tuples. N)rrMrrrr rr rrSrHrurqrrt) rrrrfnamefvalrrrrrrget_componentss    zX509Name.get_componentsr)rrrrrrc)rrrrrrrrr\)rr-)rDrErFrGrrrr"r$rr)rr0rrrrrr1Hs  ' (    r1zZX509Extension support in pyOpenSSL is deprecated. You should use the APIs in cryptography.c@seZdZUdZ  d"d#d dZed$ddZejdej dej diZ de d<d%ddZ d%ddZd&ddZd'ddZd'd d!ZdS)(r0zu An X.509 v3 certificate extension. .. deprecated:: 23.3.0 Use cryptography's X509 APIs instead. N type_namer\criticalrrsubject X509 | NoneissuerrrccCstd}t|tjtjtjtjdt||dur)t|ts%td|j |_ |dur:t|ts6td|j |_ |r@d|}t tj|||}|tjkrQt t|tj|_dS)a Initializes an X509 extension. :param type_name: The name of the type of extension_ to create. :type type_name: :py:data:`bytes` :param bool critical: A flag indicating whether this is a critical extension. :param value: The OpenSSL textual representation of the extension's value. :type value: :py:data:`bytes` :param subject: Optional X509 certificate to use as subject. :type subject: :py:class:`X509` :param issuer: Optional X509 certificate to use as issuer. :type issuer: :py:class:`X509` .. _extension: https://www.openssl.org/docs/manmaster/man5/ x509v3_config.html#STANDARD-EXTENSIONS z X509V3_CTX*rNzissuer must be an X509 instancez subject must be an X509 instances critical,)rSrTrMX509V3_set_ctxrXX509V3_set_ctx_nodbrdr-re_x509 issuer_cert subject_certX509V3_EXT_nconfrrYX509_EXTENSION_free _extension)rr2r3rr4r6ctx extensionrrrrs"     zX509Extension.__init__rcCstt|jSr)rMr X509_EXTENSION_get_objectr>rrrrr\s zX509Extension._nidemailDNSURIztyping.ClassVar[dict[int, str]] _prefixesrc Cstdt|j}t|tj}g}tt|D]I}t ||}z|j |j }Wnt yFt }t|||t|dYqwt|jjj|jjjddd}||d|qd|S)NzGENERAL_NAMES*r:z, )rSrprMX509V3_EXT_d2ir>rYGENERAL_NAMES_freersk_GENERAL_NAME_numsk_GENERAL_NAME_valuerErKeyErrorr[GENERAL_NAME_printrr`rrHdia5rZlengthjoin)rnamespartsrrlabelrKrrrr_subjectAltNameStringhs*     z#X509Extension._subjectAltNameStringcCsFtj|jkr |St}t||jdd}t|dkt| dS)zF :return: a nice text representation of the extension rr) rMNID_subject_alt_namerrTr[X509V3_EXT_printr>rWr`r)rrK print_resultrrr__str__~s  zX509Extension.__str__cCr)zk Returns the critical field of this X.509 extension. :return: The critical field. )rMX509_EXTENSION_get_criticalr>rrrr get_criticalrzX509Extension.get_criticalcCs8t|j}t|}t|}|tjkrt|SdS)z Returns the short type name of this X.509 extension. The result is a byte string such as :py:const:`b"basicConstraints"`. :return: The short type name. :rtype: :py:data:`bytes` .. versionadded:: 0.12 sUNDEF)rMrAr>r rrSrXrt)robjrbufrrrget_short_names    zX509Extension.get_short_namecCs@t|j}td|}t|}t|}t||ddS)z Returns the data of the X509 extension, encoded as ASN.1. :return: The ASN.1 encoded data of this X509 extension. :rtype: :py:data:`bytes` .. versionadded:: 0.12 roN)rMX509_EXTENSION_get_datar>rSrprurqrH)r octet_resultr{ char_result result_lengthrrrget_datas   zX509Extension.get_dataNN) r2r\r3rrr\r4r5r6r5rrcrrrr1)rDrErFrGrpropertyrrM GEN_EMAILGEN_DNSGEN_URIrE__annotations__rTrXrZr]rbrrrrr0 s   E    r0zPCSR support in pyOpenSSL is deprecated. You should use the APIs in cryptography.c@seZdZdZd*ddZd+ddZed,d d Zd-ddZd.ddZ d/ddZ d0ddZ d1ddZ d2ddZ d3d d!Zd4d$d%Zd5d'd(Zd)S)6r2z An X.509 certificate signing requests. .. deprecated:: 24.2.0 Use `cryptography.x509.CertificateSigningRequest` instead. rrccCs&t}t|tj|_|ddSr)rM X509_REQ_newrSrY X509_REQ_free_req set_version)rreqrrrrszX509Req.__init__x509.CertificateSigningRequestcCddlm}tt|}||S)z Export as a ``cryptography`` certificate signing request. :rtype: ``cryptography.x509.CertificateSigningRequest`` .. versionadded:: 17.1.0 r)load_der_x509_csr)cryptography.x509rp"_dump_certificate_request_internalr()rrprrrrto_cryptographys  zX509Req.to_cryptography crypto_reqcC6t|tjs tdddlm}||j}tt |S)a Construct based on a ``cryptography`` *crypto_req*. :param crypto_req: A ``cryptography`` X.509 certificate signing request :type crypto_req: ``cryptography.x509.CertificateSigningRequest`` :rtype: X509Req .. versionadded:: 17.1.0 z%Must be a certificate signing requestrr) rdrCertificateSigningRequestrerrrr"_load_certificate_request_internalr()rrtrrrrrfrom_cryptographys    zX509Req.from_cryptographyrr/cCs t|j|j}t|dkdS)z Set the public key of the certificate signing request. :param pkey: The public key to use. :type pkey: :py:class:`PKey` :return: ``None`` rN)rMX509_REQ_set_pubkeyrkrrWrrrhrrr set_pubkeys zX509Req.set_pubkeycCsDtt}t|j|_t|jtjkt |jtj |_d|_ |S)z Get the public key of the certificate signing request. :return: The public key. :rtype: :py:class:`PKey` T) r/__new__rMX509_REQ_get_pubkeyrkrrWrSrXrYrrrrrr get_pubkeys zX509Req.get_pubkeyversionrAcCs@t|ts td|dkrtdt|j|}t|dkdS)z Set the version subfield (RFC 2986, section 4.1) of the certificate request. :param int version: The version number. :return: ``None`` zversion must be an intrz9Invalid version. The only valid version for X509Req is 0.rN)rdrArergrMX509_REQ_set_versionrkrW)rrrhrrrrl s zX509Req.set_versioncCr)z Get the version subfield (RFC 2459, section 4.1.2.1) of the certificate request. :return: The value of the version subfield. :rtype: :py:class:`int` )rMX509_REQ_get_versionrkrrrr get_versions zX509Req.get_versionr1cCs2tt}t|j|_t|jtjk||_ |S)a Return the subject of this certificate signing request. This creates a new :class:`X509Name` that wraps the underlying subject name field on the certificate signing request. Modifying it will modify the underlying signing request, and will have the effect of modifying any other :class:`X509Name` that refers to this subject. :return: The subject of this certificate signing request. :rtype: :class:`X509Name` ) r1r}rMX509_REQ_get_subject_namerkrrWrSrX_ownerrrrr get_subject$s zX509Req.get_subject extensionsIterable[X509Extension]cCs|tjdtddt}t|tjkt|tj }|D]}t |t s't dt ||jqt|j|}t|dkdS)z Add extensions to the certificate signing request. :param extensions: The X.509 extensions to add. :type extensions: iterable of :py:class:`X509Extension` :return: ``None`` This API is deprecated and will be removed in a future version of pyOpenSSL. You should use pyca/cryptography's X.509 APIs instead. stacklevel+One of the elements is not an X509ExtensionrN)warningswarnDeprecationWarningrMsk_X509_EXTENSION_new_nullrWrSrXrYsk_X509_EXTENSION_freerdr0rgsk_X509_EXTENSION_pushr>X509_REQ_add_extensionsrk)rrstackextrrrradd_extensions:s  zX509Req.add_extensionslist[X509Extension]cCs~tjdtddg}t|j}t|dd}tt |D]}t t }t t ||}t|tj|_||q|S)z Get X.509 extensions in the certificate signing request. :return: The X.509 extensions in this request. :rtype: :py:class:`list` of :py:class:`X509Extension` objects. .. versionadded:: 0.15 rrrcSst|ttjdS)Nr=)rMsk_X509_EXTENSION_pop_freerS addressof _original_lib)xrrrrrs z(X509Req.get_extensions..)rrrrMX509_REQ_get_extensionsrkrSrYrsk_X509_EXTENSION_numr0r}X509_EXTENSION_dupsk_X509_EXTENSION_valuer=r>r)rextsnative_exts_objrrr@rrrget_extensions[s&     zX509Req.get_extensionsdigestrcCs^|jrtd|jstdtt|}|tjkrtdt|j |j |}t |dkdS)aa Sign the certificate signing request with this key and digest type. :param pkey: The key pair to sign with. :type pkey: :py:class:`PKey` :param digest: The name of the message digest to use for the signature, e.g. :py:data:`"sha256"`. :type digest: :py:class:`str` :return: ``None`` zKey has only public partKey is uninitializedNo such digest methodrN) rrgrrMEVP_get_digestbynamerrSrX X509_REQ_signrkrrW)rrr digest_obj sign_resultrrrsigns  z X509Req.signrcCs4t|ts tdt|j|j}|dkrt|S)a@ Verifies the signature on this certificate signing request. :param PKey key: A public key. :return: ``True`` if the signature is correct. :rtype: bool :raises OpenSSL.crypto.Error: If the signature is invalid or there is a problem verifying the signature. pkey must be a PKey instancer)rdr/rerMX509_REQ_verifyrkrr)rrrrrrverifys zX509Req.verifyNr)rrn)rtrnrr2rr/rrcrr/rrArrcrrr1rrrrc)rrrr/rrrrc)rr/rr)rDrErFrGrrsrryr|rrlrrrrrrrrrrr2s        ! &r2c@sXeZdZdZd`ddZedadd Zdbd d ZedcddZddddZ deddZ dfddZ dgddZ dhddZ did!d"Zdjd$d%Zded&d'Zdkd)d*Zded+d,Zdld.d/Zdld0d1Zdmd3d4Zdnd7d8Zdod9d:Zdpd=d>Zdqd?d@ZdodAdBZdqdCdDZdrdFdGZdsdIdJZdtdKdLZdudNdOZdtdPdQZ dvdSdTZ!dedUdVZ"dwdYdZZ#dxd]d^Z$d_S)yr-z An X.509 certificate. rrccCs:t}t|tjkt|tj|_t|_ t|_ dSr) rMX509_newrWrSrXrY X509_freer9r}_issuer_invalidator_subject_invalidator)rrrrrrs  z X509.__init__rrcCs.||}t|tj|_t|_t|_|Sr) r}rSrYrMrr9r}rr)rrcertrrr_from_raw_x509_ptrs zX509._from_raw_x509_ptrx509.CertificatecCro)z Export as a ``cryptography`` certificate. :rtype: ``cryptography.x509.Certificate`` .. versionadded:: 17.1.0 r)load_der_x509_certificate)rqrr7r()rrrrrrrss  zX509.to_cryptography crypto_certcCru)z Construct based on a ``cryptography`` *crypto_cert*. :param crypto_key: A ``cryptography`` X.509 certificate. :type crypto_key: ``cryptography.x509.Certificate`` :rtype: X509 .. versionadded:: 17.1.0 zMust be a certificaterrv) rdr Certificatererrrrr=r()rrrrrrrrys    zX509.from_cryptographyrrAcCs,t|ts tdtt|j|dkdS)a  Set the version number of the certificate. Note that the version value is zero-based, eg. a value of 0 is V1. :param version: The version number of the certificate. :type version: :py:class:`int` :return: ``None`` zversion must be an integerrN)rdrArerWrMX509_set_versionr9)rrrrrrls zX509.set_versioncCr)z Return the version number of the certificate. :return: The version number of the certificate. :rtype: :py:class:`int` )rMX509_get_versionr9rrrrr zX509.get_versionr/cCsFtt}t|j|_|jtjkrtt |jtj |_d|_ |S)z{ Get the public key of the certificate. :return: The public key. :rtype: :py:class:`PKey` T) r/r}rMX509_get_pubkeyr9rrSrXrrYrrrrrrrs  zX509.get_pubkeyrcCs2t|ts tdt|j|j}t|dkdS)z Set the public key of the certificate. :param pkey: The public key. :type pkey: :py:class:`PKey` :return: :py:data:`None` rrN)rdr/rerMX509_set_pubkeyr9rrWr{rrrr| s zX509.set_pubkeyrrcCspt|ts td|jrtd|jstdtt|}|t j kr'tdt |j |j |}t|dkdS)a Sign the certificate with this key and digest type. :param pkey: The key to sign with. :type pkey: :py:class:`PKey` :param digest: The name of the message digest to use. :type digest: :py:class:`str` :return: :py:data:`None` rzKey only has public partrrrN)rdr/rerrgrrMrrrSrX X509_signr9rrW)rrrevp_mdrrrrrs  z X509.signr\cCsZt|j}td}t|tjtj|t|d}|tjkr%t dt t |S)z Return the signature algorithm used in the certificate. :return: The name of the algorithm. :rtype: :py:class:`bytes` :raises ValueError: If the signature algorithm is undefined. .. versionadded:: 0.13 zASN1_OBJECT **rzUndefined signature algorithm) rMX509_get0_tbs_sigalgr9rSrTX509_ALGOR_get0rXr rrgrt OBJ_nid2ln)rsig_algalgrrrrget_signature_algorithm7s  zX509.get_signature_algorithm digest_namecCstt|}|tjkrtdtdtj}tdd}t||d<t |j |||}t |dkd ddt ||dDS) a5 Return the digest of the X509 object. :param digest_name: The name of the digest algorithm to use. :type digest_name: :py:class:`str` :return: The digest of the object, formatted as :py:const:`b":"`-delimited hex pairs. :rtype: :py:class:`bytes` rzunsigned char[]zunsigned int[]rr:cSsg|]}t|qSr)rupper)rchrrr cs zX509.digest..)rMrrrSrXrgrTEVP_MAX_MD_SIZErV X509_digestr9rWrPrH)rrrr^ra digest_resultrrrrJs     z X509.digestcCr)z Return the hash of the X509 subject. :return: The hash of the subject. :rtype: :py:class:`int` )rMX509_subject_name_hashr9rrrrsubject_name_hashirzX509.subject_name_hashserialcCst|ts tdt|dd}|d}td}t||}t |tj kt |dtj }t |dt |tj kt |tj}t|j|}t |dkdS)z Set the serial number of the certificate. :param serial: The new serial number. :type serial: :py:class:`int` :return: :py:data`None` zserial must be an integerrNrzBIGNUM**rr)rdrArehexr rSrTrM BN_hex2bnrWrXBN_to_ASN1_INTEGERrrYASN1_INTEGER_freeX509_set_serialNumberr9)rr hex_serialhex_serial_bytes bignum_serialr asn1_serialrhrrrset_serial_numberrs    zX509.set_serial_numberc Cspt|j}t|tj}z$t|}zt|}t|d}|Wt |Wt |St |wt |w)zx Return the serial number of this certificate. :return: The serial number. :rtype: int ) rMX509_get_serialNumberr9ASN1_INTEGER_to_BNrSrX BN_bn2hexrtrArr)rrrrhexstring_serialrrrrget_serial_numbers       zX509.get_serial_numberamountcC.t|ts tdt|j}t||dS)z Adjust the time stamp on which the certificate stops being valid. :param int amount: The number of seconds by which to adjust the timestamp. :return: ``None`` amount must be an integerN)rdrArerMX509_getm_notAfterr9X509_gmtime_adj)rrnotAfterrrrgmtime_adj_notAfters  zX509.gmtime_adj_notAftercCr)z Adjust the timestamp on which the certificate starts being valid. :param amount: The number of seconds by which to adjust the timestamp. :return: ``None`` rN)rdrArerMX509_getm_notBeforer9r)rr notBeforerrrgmtime_adj_notBefores  zX509.gmtime_adj_notBeforercCsT|}|dur td|d}tj|d}tjj}tj|jdd}||kS)z Check whether the certificate has expired. :return: ``True`` if the certificate has expired, ``False`` otherwise. :rtype: bool NzUnable to determine notAfterrz %Y%m%d%H%M%SZ)tzinfo) get_notAfterrgrdatetimestrptimetimezoneutcnowreplace)r time_bytes time_string not_afterUTCutcnowrrr has_expireds zX509.has_expiredwhichrIcCst||jSr)r|r9)rrrrr_get_boundary_timerzX509._get_boundary_timecC |tjS)a  Get the timestamp at which the certificate starts being valid. The timestamp is formatted as an ASN.1 TIME:: YYYYMMDDhhmmssZ :return: A timestamp string, or ``None`` if there is none. :rtype: bytes or NoneType )rrMrrrrr get_notBefore zX509.get_notBeforeCallable[..., Any]rbcCst||j|Sr)rir9)rrrbrrr_set_boundary_timeszX509._set_boundary_timecC|tj|S)z Set the timestamp at which the certificate starts being valid. The timestamp is formatted as an ASN.1 TIME:: YYYYMMDDhhmmssZ :param bytes when: A timestamp string. :return: ``None`` )rrMrrrbrrr set_notBefore zX509.set_notBeforecCr)a  Get the timestamp at which the certificate stops being valid. The timestamp is formatted as an ASN.1 TIME:: YYYYMMDDhhmmssZ :return: A timestamp string, or ``None`` if there is none. :rtype: bytes or NoneType )rrMrrrrrrrzX509.get_notAftercCr)z Set the timestamp at which the certificate stops being valid. The timestamp is formatted as an ASN.1 TIME:: YYYYMMDDhhmmssZ :param bytes when: A timestamp string. :return: ``None`` )rrMrrrrr set_notAfterr zX509.set_notAfterr1cCs0tt}||j|_t|jtjk||_|Sr)r1r}r9rrWrSrXr)rrrrrr _get_name s  zX509._get_namercCs0t|ts td||j|j}t|dkdS)Nzname must be an X509Namer)rdr1rer9rrW)rrrrhrrr _set_names zX509._set_namecC|tj}|j||S)a Return the issuer of this certificate. This creates a new :class:`X509Name` that wraps the underlying issuer name field on the certificate. Modifying it will modify the underlying certificate, and will have the effect of modifying any other :class:`X509Name` that refers to this issuer. :return: The issuer of this certificate. :rtype: :class:`X509Name` )r rMX509_get_issuer_namerrrrrr get_issuer zX509.get_issuerr6cC|tj||jdS)z Set the issuer of this certificate. :param issuer: The issuer. :type issuer: :py:class:`X509Name` :return: ``None`` N)r rMX509_set_issuer_namerr)rr6rrr set_issuer+ zX509.set_issuercCr )a Return the subject of this certificate. This creates a new :class:`X509Name` that wraps the underlying subject name field on the certificate. Modifying it will modify the underlying certificate, and will have the effect of modifying any other :class:`X509Name` that refers to this subject. :return: The subject of this certificate. :rtype: :class:`X509Name` )r rMX509_get_subject_namerrrrrrr7rzX509.get_subjectr4cCr)z Set the subject of this certificate. :param subject: The subject. :type subject: :py:class:`X509Name` :return: ``None`` N)r rMX509_set_subject_namerr)rr4rrr set_subjectGrzX509.set_subjectcCr)z Get the number of extensions on this certificate. :return: The number of extensions. :rtype: :py:class:`int` .. versionadded:: 0.12 )rMX509_get_ext_countr9rrrrget_extension_countSs zX509.get_extension_countrrcCsNtjdtdd|D]}t|tstdt|j|j d}t |dkq dS)z Add extensions to the certificate. :param extensions: The extensions to add. :type extensions: An iterable of :py:class:`X509Extension` objects. :return: ``None`` rrrrrrN) rrrrdr0rgrM X509_add_extr9r>rW)rrrrrrrr^s zX509.add_extensionsindexr0cCs^tjdtddtt}t|j||_|jt j krt dt |j}t |tj|_|S)a Get a specific extension of the certificate by index. Extensions on a certificate are kept in order. The index parameter selects which extension will be returned. :param int index: The index of the extension to retrieve. :return: The extension at the specified index. :rtype: :py:class:`X509Extension` :raises IndexError: If the extension index was out of bounds. .. versionadded:: 0.12 rrrzextension index out of bounds)rrrr0r}rM X509_get_extr9r>rSrX IndexErrorrrYr=)rrrr@rrr get_extensionws   zX509.get_extensionNr)rrrr-)rr)rrrr-rrrrrr1)rrrr\)rrArrc)rrArrcr)rrrrI)rrI)rrrbr\rrc)rbr\rrc)rrrr1)rrrr1rrcr)r6r1rrc)r4r1rrcr)rrArr0)%rDrErFrGrrrrsryrlrrr|rrrrrrrrrrrrrrr r r rrrrrrrrrrrr-sH                     r-c@seZdZUdZejZded<ejZ ded<ej Z ded<ej Z ded<ejZded<ejZded<ejZded <ejZded <ejZded <ejZded <d S)r6a  Flags for X509 verification, used to change the behavior of :class:`X509Store`. See `OpenSSL Verification Flags`_ for details. .. _OpenSSL Verification Flags: https://www.openssl.org/docs/manmaster/man3/X509_VERIFY_PARAM_set_flags.html rA CRL_CHECK CRL_CHECK_ALLIGNORE_CRITICAL X509_STRICTALLOW_PROXY_CERTS POLICY_CHECKEXPLICIT_POLICY INHIBIT_MAPCHECK_SS_SIGNATURE PARTIAL_CHAINN)rDrErFrGrMX509_V_FLAG_CRL_CHECKrrhX509_V_FLAG_CRL_CHECK_ALLr X509_V_FLAG_IGNORE_CRITICALr!X509_V_FLAG_X509_STRICTr"X509_V_FLAG_ALLOW_PROXY_CERTSr#X509_V_FLAG_POLICY_CHECKr$X509_V_FLAG_EXPLICIT_POLICYr%X509_V_FLAG_INHIBIT_MAPr&X509_V_FLAG_CHECK_SS_SIGNATUREr'X509_V_FLAG_PARTIAL_CHAINr(rrrrr6s  r6c@sPeZdZdZdddZddd Zdd d ZdddZd ddZ d!d"ddZ dS)#r3a An X.509 store. An X.509 store is used to describe a context in which to verify a certificate. A description of a context may include a set of certificates to trust, a set of certificate revocation lists, verification flags and more. An X.509 store, being only a description, cannot be used by itself to verify a certificate. To carry out the actual verification process, see :class:`X509StoreContext`. rrccCst}t|tj|_dSr)rMX509_STORE_newrSrYX509_STORE_free_storerstorerrrrszX509Store.__init__rr-cCs0t|tstt|j|j}t|dkdS)a Adds a trusted certificate to this store. Adding a certificate with this method adds this certificate as a *trusted* certificate. :param X509 cert: The certificate to add to this store. :raises TypeError: If the certificate is not an :class:`X509`. :raises OpenSSL.crypto.Error: If OpenSSL was unhappy with your certificate. :return: ``None`` if the certificate was added successfully. rN)rdr-rerMX509_STORE_add_certr5r9rW)rrrrrradd_certs zX509Store.add_certcrlx509.CertificateRevocationListcCsvt|tjr*ddlm}t||j}t |t j }t |t j kt |tj}ntdt t|j|dkdS)a Add a certificate revocation list to this store. The certificate revocation lists added to a store will only be used if the associated flags are configured to check certificate revocation lists. .. versionadded:: 16.1.0 :param crl: The certificate revocation list to add to this store. :type crl: ``cryptography.x509.CertificateRevocationList`` :return: ``None`` if the certificate revocation list was added successfully. rrvz?CRL must be of type cryptography.x509.CertificateRevocationListN)rdrCertificateRevocationListrrr[rrrMd2i_X509_CRL_biorSrXrWrY X509_CRL_freereX509_STORE_add_crlr5)rr:rrK openssl_crlrrradd_crls  zX509Store.add_crlflagsrAcCstt|j|dkdS)a Set verification flags to this store. Verification flags can be combined by oring them together. .. note:: Setting a verification flag sometimes requires clients to add additional information to the store, otherwise a suitable error will be raised. For example, in setting flags to enable CRL checking a suitable CRL must be added to the store otherwise an error will be raised. .. versionadded:: 16.1.0 :param int flags: The verification flags to set on this store. See :class:`X509StoreFlags` for available constants. :return: ``None`` if the verification flags were successfully set. rN)rWrMX509_STORE_set_flagsr5)rrBrrr set_flagsszX509Store.set_flagsvfy_timedatetime.datetimecCsFt}t|tj}t|t|t t |j |dkdS)a Set the time against which the certificates are verified. Normally the current time is used. .. note:: For example, you can determine if a certificate was valid at a given time. .. versionadded:: 17.0.0 :param datetime vfy_time: The verification time to set on this store. :return: ``None`` if the verification time was successfully set. rN) rMX509_VERIFY_PARAM_newrSrYX509_VERIFY_PARAM_freeX509_VERIFY_PARAM_set_timecalendartimegm timetuplerWX509_STORE_set1_paramr5)rrEparamrrrset_times zX509Store.set_timeNcafileStrOrBytesPath | NonecapathcCsR|durtj}nt|}|durtj}nt|}t|j||}|s'tdSdS)a Let X509Store know where we can find trusted certificates for the certificate chain. Note that the certificates have to be in PEM format. If *capath* is passed, it must be a directory prepared using the ``c_rehash`` tool included with OpenSSL. Either, but not both, of *cafile* or *capath* may be ``None``. .. note:: Both *cafile* and *capath* may be set simultaneously. Call this method multiple times to add more than one location. For example, CA certificates, and certificate revocation list bundles may be passed in *cafile* in subsequent calls to this method. .. versionadded:: 20.0 :param cafile: In which file we can find the certificates (``bytes`` or ``unicode``). :param capath: In which directory we can find the certificates (``bytes`` or ``unicode``). :return: ``None`` if the locations were set successfully. :raises OpenSSL.crypto.Error: If both *cafile* and *capath* is ``None`` or the locations could not be set for any reason. N)rSrX _path_bytesrMX509_STORE_load_locationsr5r)rrPrR load_resultrrrload_locations&s# zX509Store.load_locationsr)rr-rrc)r:r;rrc)rBrArrc)rErFrrcr)rPrQrRrQrrc) rDrErFrGrr9rArDrOrVrrrrr3s    r3cs"eZdZdZd fd d ZZS) r5z An exception raised when an error occurred while verifying a certificate using `OpenSSL.X509StoreContext.verify_certificate`. :ivar certificate: The certificate which caused verificate failure. :type certificate: :class:`X509` messagererrors list[Any] certificater-rrccst|||_||_dSr)rrrXrZ)rrWrXrZrrrrcs  zX509StoreContextError.__init__)rWrrXrYrZr-rrc)rDrErFrGrrrrrrr5Zsr5c@sbeZdZdZ ddd d Zed ddZed!ddZd"ddZd#ddZ d$ddZ d%ddZ dS)&r4a9 An X.509 store context. An X.509 store context is used to carry out the actual verification process of a certificate in a described context. For describing such a context, see :class:`X509Store`. :param X509Store store: The certificates which will be trusted for the purposes of any verifications. :param X509 certificate: The certificate to be verified. :param chain: List of untrusted certificates that may be used for building the certificate chain. May be ``None``. :type chain: :class:`list` of :class:`X509` Nr7r3rZr-chainSequence[X509] | NonerrccCs||_||_|||_dSr)r5_cert_build_certificate_stack_chain)rr7rZr[rrrr{szX509StoreContext.__init__ certificatescCsd dd}|dust|dkrtjSt}t|tjkt||}|D]'}t|ts0t dtt |j dkt ||j dkrLt |j tq%|S) NsrrrccSs8tt|D] }t||}t|qt|dSr)rrM sk_X509_num sk_X509_valuer sk_X509_free)rarrrrrcleanups  z:X509StoreContext._build_certificate_stack..cleanuprz+One of the elements is not an X509 instance)rarrrc)rVrSrXrMsk_X509_new_nullrWrYrdr-re X509_up_refr9 sk_X509_pushrr)r`rerrrrrr^s    z)X509StoreContext._build_certificate_stack store_ctxrr5cCs\ttt|d}t|t||g}t|}t|}t |}t |||S)z Convert an OpenSSL native context error failure into a Python exception. When a call to native OpenSSL X509_verify_cert fails, additional information about the failure can be obtained from the store context. r) rSrtrMX509_verify_cert_error_stringX509_STORE_CTX_get_errorrX509_STORE_CTX_get_error_depthX509_STORE_CTX_get_current_certX509_dupr-rr5)rirWrXr9r]pycertrrr_exception_from_contexts     z(X509StoreContext._exception_from_contextcCsjt}t|tjkt|tj}t||jj|j j |j }t|dkt |}|dkr3| ||S)a3 Verifies the certificate and runs an X509_STORE_CTX containing the results. :raises X509StoreContextError: If an error occurred when validating a certificate in the context. Sets ``certificate`` attribute to indicate which certificate caused the error. rr)rMX509_STORE_CTX_newrWrSrXrYX509_STORE_CTX_freeX509_STORE_CTX_initr5r]r9r_X509_verify_certrp)rrirlrrr_verify_certificates    z$X509StoreContext._verify_certificatecCs ||_dS)z Set the context's X.509 store. .. versionadded:: 0.15 :param X509Store store: The store description which will be used for the purposes of any *future* verifications. N)r5r6rrr set_stores zX509StoreContext.set_storecCs |dS)a" Verify a certificate in a context. .. versionadded:: 0.15 :raises X509StoreContextError: If an error occurred when validating a certificate in the context. Sets ``certificate`` attribute to indicate which certificate caused the error. N)rurrrrverify_certificater*z#X509StoreContext.verify_certificate list[X509]cCst|}t|}t|tjkg}tt|D]}t||}t|tjkt |}| |qt ||S)aR Verify a certificate in a context and return the complete validated chain. :raises X509StoreContextError: If an error occurred when validating a certificate in the context. Sets ``certificate`` attribute to indicate which certificate caused the error. .. versionadded:: 20.0 ) rurMX509_STORE_CTX_get1_chainrWrSrXrrbrcr-rrrd)rri cert_stackrrrrorrrget_verified_chains     z#X509StoreContext.get_verified_chainr)r7r3rZr-r[r\rrc)r`r\rrc)rirrr5r)r7r3rrcr)rrx) rDrErFrGr staticmethodr^rprurvrwr{rrrrr4ks       r4rcCsvt|tr |d}t|}|tkrt|tjtjtj}n|t kr*t |tj}nt d|tjkr6t t |S)a Load a certificate (X509) from the string *buffer* encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param bytes buffer: The buffer the certificate is stored in :return: The X509 object r3type argument must be FILETYPE_PEM or FILETYPE_ASN1)rdrr r[r)rMPEM_read_bio_X509rSrXr( d2i_X509_biorgrr-r)rrHrKrrrrr= s   r=rcCsnt}|tkrt||j}n|tkrt||j}n|tkr)t||jdd}nt dt |dkt |S)a Dump the certificate *cert* into a buffer string encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1, or FILETYPE_TEXT) :param cert: The certificate to dump :return: The buffer with the dumped certificate in rCtype argument must be FILETYPE_PEM, FILETYPE_ASN1, or FILETYPE_TEXTr) r[r)rMPEM_write_bio_X509r9r( i2d_X509_bior* X509_print_exrgrWr`)rrrK result_coderrrr7&s  r7rcCsPt}|tkr tj}n |tkrtj}ntd|||j}|dkr$tt |S)z Dump a public key to a buffer. :param type: The file type (one of :data:`FILETYPE_PEM` or :data:`FILETYPE_ASN1`). :param PKey pkey: The public key to dump :return: The buffer with the dumped key in it. :rtype: bytes r}r) r[r)rMPEM_write_bio_PUBKEYr(i2d_PUBKEY_biorgrrr`)rrrK write_biorrrrr:Bs  r:cipherr passphrasePassphraseCallableT | Nonec Cst}t|ts td|dur)|durtdtt|}|tjkr(t dntj}t ||}|t krIt ||j |tjd|j|j}|n4|tkrUt||j }n(|tkryt|j tjkrftdtt|j tj}t||d}nt dt|dkt|S)a Dump the private key *pkey* into a buffer string encoded with the type *type*. Optionally (if *type* is :const:`FILETYPE_PEM`) encrypting it using *cipher* and *passphrase*. :param type: The file type (one of :const:`FILETYPE_PEM`, :const:`FILETYPE_ASN1`, or :const:`FILETYPE_TEXT`) :param PKey pkey: The PKey to dump :param cipher: (optional) if encrypted PEM format, the cipher to use :param passphrase: (optional) if encrypted PEM format, this can be either the passphrase to use, or a callback for providing the passphrase. :return: The buffer with the dumped key in :rtype: bytes zpkey must be a PKeyNzDif a value is given for cipher one must also be given for passphrasezInvalid cipher namerz-Only RSA keys are supported for FILETYPE_TEXTr)r[rdr/rerMEVP_get_cipherbynamerrSrXrg_PassphraseHelperr)PEM_write_bio_PrivateKeyrcallback callback_argsraise_if_problemr(i2d_PrivateKey_bior*rrrYrr RSA_printrWr`) rrrrrK cipher_objhelperrr rrrr9[sJ     r9c@sPeZdZ  ddd d ZedddZedddZefd ddZd!ddZ dS)"rFrrArr more_argsrtruncaterrccCs4|tkr |dur td||_||_||_g|_dS)Nz0only FILETYPE_PEM key format supports encryption)r)rg _passphrase _more_args _truncate _problems)rrrrrrrrrs z_PassphraseHelper.__init__rcCs<|jdurtjSt|jtst|jrtd|jStd)Npem_password_cb2Last argument must be a byte string or a callable.) rrSrXrdr\callabler_read_passphrasererrrrrs z_PassphraseHelper.callbackcCs4|jdurtjSt|jtst|jrtjStd)Nr)rrSrXrdr\rrerrrrrs z_PassphraseHelper.callback_args exceptionTypetype[Exception]cCs6|jrzt|Wn |yYnw|jddSr)r_exception_from_error_queuepop)rrrrrrs   z"_PassphraseHelper.raise_if_problemr\sizerwflaguserdatac CszUt|jr|jr||||}n||}n |jdusJ|j}t|ts*tdt||kr>|jr:|d|}ntdtt|D] }|||d||<qDt|WSt yn}z |j |WYd}~dSd}~ww)NzBytes expectedz+passphrase returned by callback is too longrr) rrrrdr\rgrVrr Exceptionrr)rr\rrrrrerrrrs.      z"_PassphraseHelper._read_passphraseN)FF) rrArrrrrrrrcr)rrrrc) r\rrrArrrrrrA) rDrErFrrdrrr.rrrrrrrs     r str | bytescCst|tr |d}t|}|tkrt|tjtjtj}n|t kr*t |tj}nt d|tjkr6t t t }t|tj|_d|_|S)a< Load a public key from a buffer. :param type: The file type (one of :data:`FILETYPE_PEM`, :data:`FILETYPE_ASN1`). :param buffer: The buffer the key is stored in. :type buffer: A Python string object, either unicode or bytestring. :return: The PKey object. :rtype: :class:`PKey` rr}T)rdrr r[r)rMPEM_read_bio_PUBKEYrSrXr(d2i_PUBKEY_biorgrr/r}rYrrr)rrHrKevp_pkeyrrrrr@s   r@cCst|tr |d}t|}t||}|tkr't|tj |j |j }| n|t kr3t|tj }ntd|tj kr?ttt}t|tj|_|S)a Load a private key (PKey) from the string *buffer* encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param buffer: The buffer the key is stored in :param passphrase: (optional) if encrypted PEM format, this can be either the passphrase to use, or a callback for providing the passphrase. :return: The PKey object rr})rdrr r[rr)rMPEM_read_bio_PrivateKeyrSrXrrrr(d2i_PrivateKey_biorgrr/r}rYrr)rrHrrKrrrrrrr? s"      r?rmcCsnt}|tkrt||j}n|tkrt||j}n|tkr)t||jdd}nt dt |dkt |S)av Dump the certificate request *req* into a buffer string encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param req: The certificate request to dump :return: The buffer with the dumped certificate request in .. deprecated:: 24.2.0 Use `cryptography.x509.CertificateSigningRequest` instead. rr) r[r)rMPEM_write_bio_X509_REQrkr(i2d_X509_REQ_bior*X509_REQ_print_exrgrWr`)rrmrKrrrrr89 s  r8rcCst|tr |d}t|}|tkrt|tjtjtj}n|t kr*t |tj}nt dt |tjkt t }t|tj|_|S)a Load a certificate request (X509Req) from the string *buffer* encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param buffer: The buffer the certificate request is stored in :return: The X509Req object .. deprecated:: 24.2.0 Use `cryptography.x509.load_der_x509_csr` or `cryptography.x509.load_pem_x509_csr` instead. rr})rdrr r[r)rMPEM_read_bio_X509_REQrSrXr(d2i_X509_REQ_biorgrWr2r}rYrjrk)rrHrKrmx509reqrrrr>g s  r>)rrrrrrr)rHrIrr)rKrrr\)rarrbr\rrc)rbr\rr)rnrrrI)rr)rrrr)rrArHr\rr-)rrArr-rr\)rrArr/rr\rc) rrArr/rrrrrr\)rrArHrrr/)rrArHrrrrr/)rrArmr2rr\)rrArHr\rr2)o __future__rrJr functoolssysrrbase64rcollections.abcrrrrrr version_infor TypeVar_Ttyping_extensions cryptographyrr)cryptography.hazmat.primitives.asymmetricrrrrr OpenSSL._utilr!r"rr#rr$rSr%rMr& _make_assertr'rS__all__rrrrr _PrivateKeyrrrrr _PublicKeyrr\PassphraseCallableTSSL_FILETYPE_PEMr)rhSSL_FILETYPE_ASN1r(r*rr, EVP_PKEY_DSAr+ EVP_PKEY_DHrB EVP_PKEY_ECrCrr.rrWr[r`rirmr|r}r/rr<r;total_orderingr1r0r2r-r6r3r5r4r=r7r:r9rr@r?r8rrrDrr>rxrrrrs                     Bg  C+sm+    E N% )