h)7UddlmZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z m Z ddlm Z ddlmZmZmZej"dk\rddlmZn,ej"d krej&d ZdOd ZnddlmZdd lmZmZdd lmZmZmZmZmZddlm Z ddlm!Z"ddlm#Z$ddlm%Z&ddlm'Z(ddlm)Z*ddlm+Z,gdZ-eej\ej^ej`ejbejdfZ3eejhejjejlejnejpfZ9ee3e9fZ:ee;ede;ffZde?d<e(jZAde?d<dZBe(jZDde?d<e(jZFde?d<e(jZHde?d<e(jZJde?d<Gdd eKZLe e$eLZMe*eLZNdPdQd!ZOdRd"ZPdSd#ZQdTd$ZRdUd%ZSGd&d'ZTGd(d)ZUGd*d+ZVed,dVd-ZWed.dWd/ZXejGd0d1ZZed2Gd3d4Z[ed5Gd6d7Z\Gd8d9Z]Gd:d;Z^Gd<d=Z_Gd>d?eKZ`Gd@dAZadXdBZbdYdCZcdZdDZd d[ d\dEZeGdFdGZfd]dHZg dP d^dIZhd_dJZieiZjej$eiekd5eldKLd`dMZmemZnej$emekd5eldNLy)a) annotationsN) b16encode)IterableSequence)partial)AnyCallableUnion) ) deprecated)r Tc dS)Nc|SN)fs J/var/www/Befach/backend/env/lib/python3.12/site-packages/OpenSSL/crypto.pyzdeprecated..sr)msgkwargss rr r sr)utilsx509)dsaeced448ed25519rsa)StrOrBytesPath) byte_string)exception_from_error_queue)ffi)lib) make_assert) path_bytes) FILETYPE_ASN1 FILETYPE_PEM FILETYPE_TEXTTYPE_DSATYPE_RSAX509ErrorPKey X509ExtensionX509NameX509Req X509StoreX509StoreContextX509StoreContextErrorX509StoreFlagsdump_certificatedump_certificate_requestdump_privatekeydump_publickeyget_elliptic_curveget_elliptic_curvesload_certificateload_certificate_requestload_privatekeyload_publickey.intr)r(ir,r+TYPE_DHTYPE_ECceZdZdZy)r.z7 An error occurred in an `OpenSSL.crypto` API. N)__name__ __module__ __qualname____doc__rrrr.r.tsrr.cT|8tjtj}tj}n;t j d|}tj |t|}|fdd}t|tjk7t j||}|S)z Allocate a new OpenSSL memory BIO. Arrange for the garbage collector to clean it up automatically. :param buffer: None or some bytes to use to put into the BIO so that they can be read out. char[]c,tj|Sr)_libBIO_free)biorefs rfreez_new_mem_buf..frees==% %r)rNrrOrreturnr) rLBIO_new BIO_s_memrM_ffinewBIO_new_mem_buflen_openssl_assertNULLgc)bufferrNrPdatas r _new_mem_bufr]~s~ll4>>+,}}xx&)""4V5'+ &C499$% ''#t C Jrctjd}tj||}tj|d|ddS)zO Copy the contents of an OpenSSL BIO object into a Python byte string. zchar**rN)rTrUrLBIO_get_mem_datar[)rN result_buffer buffer_lengths r_bio_to_stringrbs?HHX&M))#}=M ;;}Q' 7 ::rct|ts tdt|tj k7t j||}|dk(r tdy)a The the time value of an ASN1 time object. @param boundary: An ASN1_TIME pointer (or an object safely castable to that type) which will have its value set. @param when: A string representation of the desired time value. @raise TypeError: If C{when} is not a L{bytes} string. @raise ValueError: If C{when} does not represent a time in the required format. @raise RuntimeError: If the time value cannot be set for some other (unspecified) reason. zwhen must be a byte stringrzInvalid stringN) isinstancebytes TypeErrorrXrTrYrLASN1_TIME_set_string ValueError)boundarywhen set_results r_set_asn1_timerlsW dE "455H )***8T:JQ)**rctj}t|tjk7tj |tj }t|||S)a Behaves like _set_asn1_time but returns a new ASN1_TIME object. @param when: A string representation of the desired time value. @raise TypeError: If C{when} is not a L{bytes} string. @raise ValueError: If C{when} does not represent a time in the required format. @raise RuntimeError: If the time value cannot be set for some other (unspecified) reason. )rL ASN1_TIME_newrXrTrYrZASN1_TIME_freerl)rjrets r_new_asn1_timerqsH    CC499$% ''#t** +C3 JrcJtjd|}tj|dk(rytj|tj k(r(tj tj|Stjd}tj||t|dtjk7tjd|d}tj|}tj |}tj|d|S)a] Retrieve the time value of an ASN1 time object. @param timestamp: An ASN1_GENERALIZEDTIME* (or an object safely castable to that type) from which the time value will be retrieved. @return: The time value from C{timestamp} as a L{bytes} string in a certain format. Or C{None} if the object contains no time value. ASN1_STRING*rNzASN1_GENERALIZEDTIME**) rTcastrLASN1_STRING_lengthASN1_STRING_typeV_ASN1_GENERALIZEDTIMEstringASN1_STRING_get0_datarUASN1_TIME_to_generalizedtimerXrYASN1_GENERALIZEDTIME_free) timestampstring_timestampgeneralized_timestamp string_data string_results r_get_asn1_timersyy; /0A5 ./43N3NN{{4556FGHH $)A B )))5JK-a0DII=>99^5J15MN001AB  K0  &&' >!-6C;;t%9#%MN Nrc t|tjtjtj tj tjtjtjtjtjtjf s t!dddlm}m}m}m}t|tjtj tjtjtjfr4t-t.|j1|j2|j4S|j7|j2|j8|}t;t.|S)z Construct based on a ``cryptography`` *crypto_key*. :param crypto_key: A ``cryptography`` key. :type crypto_key: One of ``cryptography``'s `key interfaces`_. :rtype: PKey .. versionadded:: 16.1.0 zUnsupported key typer)Encoding NoEncryption PrivateFormat PublicFormat)rdr DSAPrivateKey DSAPublicKeyrEllipticCurvePrivateKeyEllipticCurvePublicKeyrEd25519PrivateKeyEd25519PublicKeyrEd448PrivateKeyEd448PublicKeyr RSAPrivateKey RSAPublicKeyrfrrrrrr@r( public_bytesDERSubjectPublicKeyInfo private_bytesPKCS8r?)cls crypto_keyrrrrrs rfrom_cryptography_keyzPKey.from_cryptography_keys( !!  **))))((%%$$!!    23 3      ))(($$    "''LL,"C"C ** m11<>C#=#6 6rc t|ts tdt|ts td|tk(r|dkr t dt j }tj|t j}t j|t jt j}t j|||tj}t|dk(t j |j"|}t|dk(d|_y|t$k(r t j&}t|tjk7tj|t j(}t j*||tjdtjtjtj}t|dk(tt j,|dk(tt j.|j"|dk(d|_yt1d) a3 Generate a key pair of the given type, with the given number of bits. This generates a key "into" the this object. :param type: The key type. :type type: :py:data:`TYPE_RSA` or :py:data:`TYPE_DSA` :param bits: The number of bits. :type bits: :py:data:`int` ``>= 0`` :raises TypeError: If :py:data:`type` or :py:data:`bits` isn't of the appropriate type. :raises ValueError: If the number of bits isn't an integer of the appropriate size. :return: ``None`` ztype must be an integerzbits must be an integerrzInvalid number of bitszNo such key typeTN)rdrArfr,rhrLBN_newrTrZBN_free BN_set_wordRSA_F4RSA_newRSA_generate_key_exrYrXEVP_PKEY_assign_RSArr+DSA_newDSA_freeDSA_generate_parameters_exDSA_generate_keyEVP_PKEY_set1_DSAr.r)rtypebitsexponentr resultrress r generate_keyzPKey.generate_keyUs $$56 6$$56 6 8 qy !9::{{}Hwwx6H   Xt{{ 3,,.C--c4499MF FaK (--djj#>F FaK ("!X ,,.C C499, -''#t}}-C11T499aDIItyyC C1H % D11#6!; < D224::sCqH I!*+ +rc|jr tdtj|j tj k7r tdtj |j}tj|tj}tj|}|dk(ryty)ax Check the consistency of an RSA private key. This is the Python equivalent of OpenSSL's ``RSA_check_key``. :return: ``True`` if key is consistent. :raise OpenSSL.crypto.Error: if the key is inconsistent. :raise TypeError: if the key is of a type which cannot be checked. Only RSA keys can currently be checked. zpublic key onlyz'Only RSA keys can currently be checked.rTN) rrfrL EVP_PKEY_typer EVP_PKEY_RSAEVP_PKEY_get1_RSArrTrZRSA_free RSA_check_key_raise_current_error)rr rs rcheckz PKey.checks   -. .   diik *d.?.? ?EF F$$TZZ0ggc4==)##C( Q;rc@tj|jS)zT Returns the type of the key :return: The type of the key. )rL EVP_PKEY_idrrs rrz PKey.types  ++rc@tj|jS)zh Returns the number of bits of the key :return: The number of bits of the key. )rL EVP_PKEY_bitsrrs rrz PKey.bitss !!$**--rNr)rQr)rrrQr/)rrArrArQrrQboolrQrA)rErFrGrHrrrr classmethodrrrrrrrrr/r/sHLL" O.7777r6!p4,.rr/cveZdZdZdZd fd Zed dZed dZed dZ d dZ ddZ dd Z xZ S)_EllipticCurveaZ A representation of a supported elliptic curve. @cvar _curves: :py:obj:`None` until an attempt is made to load the curves. Thereafter, a :py:type:`set` containing :py:type:`_EllipticCurve` instances each of which represents one curve supported by the system. @type _curves: :py:type:`NoneType` or :py:type:`set` NcNt|trt| |StS)z Implement cooperation with the right-hand side argument of ``!=``. Python 3 seems to have dropped this cooperation in this very narrow circumstance. )rdrsuper__ne__NotImplemented)rother __class__s rrz_EllipticCurve.__ne__s$ e^ ,7>%( (rcjtjd}tjd|}j||t fd|DS)z Get the curves supported by OpenSSL. :param lib: The OpenSSL library binding object. :return: A :py:type:`set` of ``cls`` instances giving the names of the elliptic curves the underlying library supports. rzEC_builtin_curve[]c3VK|] }j|j"ywr)from_nidnid).0crr%s r z7_EllipticCurve._load_elliptic_curves..s D3<<QUU+Ds&))EC_get_builtin_curvesrTrYrUset)rr% num_curvesbuiltin_curvess`` r_load_elliptic_curvesz$_EllipticCurve._load_elliptic_curvessO..tyy!< "6 C !!.*=D^DDDrc^|j|j||_|jS)a Get, cache, and return the curves supported by OpenSSL. :param lib: The OpenSSL library binding object. :return: A :py:type:`set` of ``cls`` instances giving the names of the elliptic curves the underlying library supports. )_curvesr)rr%s r_get_elliptic_curvesz#_EllipticCurve._get_elliptic_curvess* ;; 33C8CK{{rc x|||tj|j|jdS)a Instantiate a new :py:class:`_EllipticCurve` associated with the given OpenSSL NID. :param lib: The OpenSSL library binding object. :param nid: The OpenSSL NID the resulting curve object will represent. This must be a curve NID (and not, for example, a hash NID) or subsequent operations will fail in unpredictable ways. :type nid: :py:class:`int` :return: The curve object. ascii)rTrx OBJ_nid2sndecode)rr%rs rrz_EllipticCurve.from_nids03T[[)<=DDWMNNrc.||_||_||_y)a :param _lib: The :py:mod:`cryptography` binding instance used to interface with OpenSSL. :param _nid: The OpenSSL NID identifying the curve this object represents. :type _nid: :py:class:`int` :param name: The OpenSSL short name identifying the curve this object represents. :type name: :py:class:`unicode` N)rL_nidr)rr%rrs rrz_EllipticCurve.__init__s   rc"d|jdS)Nzrrs r__repr__z_EllipticCurve.__repr__s Q''rc|jj|j}tj|tj S)z Create a new OpenSSL EC_KEY structure initialized to use this curve. The structure is automatically garbage collected when the Python object is garbage collected. )rLEC_KEY_new_by_curve_namerrTrZ EC_KEY_free)rkeys r _to_EC_KEYz_EllipticCurve._to_EC_KEYs3ii00;wwsD,,--rrrrQr)r%rrQset[_EllipticCurve])r%rrrArQr)r%rrrArstrrQrrQr rQr)rErFrGrHrrrrrrrrr __classcell__rs@rrrscG EE"  OO "(.rrzSget_elliptic_curves is deprecated. You should use the APIs in cryptography instead.c4tjtS)a Return a set of objects representing the elliptic curves supported in the OpenSSL build in use. The curve objects have a :py:class:`unicode` ``name`` attribute by which they identify themselves. The curve objects are useful as values for the argument accepted by :py:meth:`Context.set_tmp_ecdh` to specify which elliptical curve should be used for ECDHE key exchange. )rrrLrrrr<r<s  . .t 44rzRget_elliptic_curve is deprecated. You should use the APIs in cryptography instead.c^tD]}|j|k(s|cStd|)aT Return a single curve object selected by name. See :py:func:`get_elliptic_curves` for information about curve objects. :param name: The OpenSSL short name identifying the curve object to retrieve. :type name: :py:class:`unicode` If the named curve is not supported then :py:class:`ValueError` is raised. zunknown curve name)r<rrh)rcurves rr;r;2s2 %& :: L' )4 00rcdeZdZdZd dZd fd Zd dZddZddZddZ ddZ dd Z dd Z xZ S)r1a An X.509 Distinguished Name. :ivar countryName: The country of the entity. :ivar C: Alias for :py:attr:`countryName`. :ivar stateOrProvinceName: The state or province of the entity. :ivar ST: Alias for :py:attr:`stateOrProvinceName`. :ivar localityName: The locality of the entity. :ivar L: Alias for :py:attr:`localityName`. :ivar organizationName: The organization name of the entity. :ivar O: Alias for :py:attr:`organizationName`. :ivar organizationalUnitName: The organizational unit of the entity. :ivar OU: Alias for :py:attr:`organizationalUnitName` :ivar commonName: The common name of the entity. :ivar CN: Alias for :py:attr:`commonName`. :ivar emailAddress: The e-mail address of the entity. ctj|j}tj|tj |_y)z Create a new X509Name, copying the given X509Name instance. :param name: The name to copy. :type name: :py:class:`X509Name` N)rL X509_NAME_duprrTrZX509_NAME_freers rrzX509Name.__init__bs0!!$**-''$(;(;< rc |jdrt | ||St|tur#t dt|j ddtjt|}|tjk(r ttdttj|j D]}tj"|j |}tj$|}tj&|}||k(sStj(|j |}tj*|nt-|tr|j/d}tj0|j |tj2|ddd}|s tyy#t$r YtdwxYw) N_z$attribute name must be string, not 'z.200'No such attributeutf-8r) startswithr __setattr__rr rfrErL OBJ_txt2nid _byte_string NID_undefrr.AttributeErrorrangeX509_NAME_entry_countrX509_NAME_get_entryX509_NAME_ENTRY_get_object OBJ_obj2nidX509_NAME_delete_entryX509_NAME_ENTRY_freerdencodeX509_NAME_add_entry_by_NID MBSTRING_UTF8) rrvaluerientent_objent_nid add_resultrs rrzX509Name.__setattr__ls ??3 7&tU3 3 :S K((.a1  |D12 $..  $&!!45 5t11$**=>A**4::q9C55c:G&&w/Gg~11$**a@))#.? eS !LL)E44 JJT//B  ")  !45 5 s F33 G G ctjt|}|tjk(r t t dtj|j|d}|dk(rytj|j|}tj|}tjd}tj||}t|dk\ tj|d|ddj!d}tj"|d|S#t $r Yt dwxYw#tj"|dwxYw)a  Find attribute. An X509Name object has the following attributes: countryName (alias C), stateOrProvince (alias ST), locality (alias L), organization (alias O), organizationalUnit (alias OU), commonName (alias CN) and more... rrNunsigned char**rr)rLrrrrr.r X509_NAME_get_index_by_NIDrr#X509_NAME_ENTRY_get_datarTrUASN1_STRING_to_UTF8rXr[r OPENSSL_free) rrr entry_indexentryr\r` data_lengthrs r __getattr__zX509Name.__getattr__s2|D12 $..  $&!!45 555djj#rJ " (([A,,U3!23 ..}dC  q() 0[[q!1;?BIIF   mA. / -  !45 5 *   mA. /s D#+D<# D98D9<Ect|tstStj|j |j dk(SNrrdr1rrL X509_NAME_cmprrrs r__eq__zX509Name.__eq__s2%*! !!!$**ekk:a??rct|tstStj|j |j dkSr<r=r?s r__lt__zX509Name.__lt__s2%*! !!!$**ekk:Q>>rc tjdd}tj|j|t |}t |tjk7djtj|jdS)z6 String representation of an X509Name rJizr) rTrUrLX509_NAME_onelinerrWrXrYformatrxr)rr` format_results rrzX509Name.__repr__sq3/ .. JJ s='9   23'.. KK & - -g 6  rc@tj|jS)a& Return an integer representation of the first four bytes of the MD5 digest of the DER representation of the name. This is the Python equivalent of OpenSSL's ``X509_NAME_hash``. :return: The (integer) hash of this name. :rtype: :py:class:`int` )rLX509_NAME_hashrrs rhashz X509Name.hashs""4::..rctjd}tj|j|}t |dk\tj |d|dd}tj|d|S)z Return the DER encoding of this name. :return: The DER encoded form of this name. :rtype: :py:class:`bytes` r2rN)rTrUrL i2d_X509_NAMErrXr[r6)rr` encode_resultrs rrz X509Name.dersi!23 **4::}E  *+ M!$4mDQG  -*+rcg}ttj|jD]}tj|j|}tj |}tj |}tj|}tj|}tjtj|tj|dd}|jtj||f|S)z Returns the components of this name, as a sequence of 2-tuples. :return: The components of this name. :rtype: :py:class:`list` of ``name, value`` tuples. N)r!rLr"rr#r$r4r%rrTr[ryrurrx) rrr,r-fnamefvalrrr+s rget_componentszX509Name.get_componentsst11$**=>A**4::q9C33C8E005D""5)C??3'DKK**40$2I2I$2OE MM4;;t,e4 5?  rr)rr r+rrQr)rr rQ str | Nonerr rrQre)rQzlist[tuple[bytes, bytes]])rErFrGrHrrr:r@rBrrIrrPr r s@rr1r1Hs80=%#N&P@ ?   / rr1zZX509Extension support in pyOpenSSL is deprecated. You should use the APIs in cryptography.ceZdZUdZ d ddZeddZejdejdejdiZ de d <dd Z dd Zdd Zdd ZddZy)r0zu An X.509 v3 certificate extension. .. deprecated:: 23.3.0 Use cryptography's X509 APIs instead. Nctjd}tj|tjtjtjtjdtj ||,t |ts td|j|_ |,t |ts td|j|_ |rd|z}tjtj|||}|tjk(r ttj|tj|_y)a Initializes an X509 extension. :param type_name: The name of the type of extension_ to create. :type type_name: :py:data:`bytes` :param bool critical: A flag indicating whether this is a critical extension. :param value: The OpenSSL textual representation of the extension's value. :type value: :py:data:`bytes` :param subject: Optional X509 certificate to use as subject. :type subject: :py:class:`X509` :param issuer: Optional X509 certificate to use as issuer. :type issuer: :py:class:`X509` .. _extension: https://www.openssl.org/docs/manmaster/man5/ x509v3_config.html#STANDARD-EXTENSIONS z X509V3_CTX*rNzissuer must be an X509 instancez subject must be an X509 instances critical,)rTrUrLX509V3_set_ctxrYX509V3_set_ctx_nodbrdr-rf_x509 issuer_cert subject_certX509V3_EXT_nconfrrZX509_EXTENSION_free _extension)r type_namecriticalr+subjectissuerctx extensions rrzX509Extension.__init__s<hh}% CDIItyy$))QO   %  fd+ ABB$llCO  gt, BCC&}}C  !5(E))$))S)UK  ! "'')T-E-EFrcftjtj|jSr)rLr%X509_EXTENSION_get_objectr\rs rrzX509Extension._nid\s'  * *4?? ;  remailDNSURIztyping.ClassVar[dict[int, str]] _prefixesc$tjdtj|j}tj |tj }g}ttj|D]}tj||} |j|j}tj|jjj|jjj ddj#d}|j%|dz|zdj/|S#t&$rMt)}tj*|||j%t-|j#dYwxYw)NzGENERAL_NAMES*r:z, )rTrtrLX509V3_EXT_d2ir\rZGENERAL_NAMES_freer!sk_GENERAL_NAME_numsk_GENERAL_NAME_valuerhrr[dia5r\lengthrrKeyErrorr]GENERAL_NAME_printrbjoin)rnamespartsr,rlabelr+rNs r_subjectAltNameStringz#X509Extension._subjectAltNameStringhs2 d11$//B t667t//67A--eQ7D 2tyy1  DFFJJOOTVVZZ5F5FG&/ US[5018yy B"n''T2 ^C077@A BsD99AFFctj|jk(r|jSt }tj ||j dd}t|dk7t|jdS)zF :return: a nice text representation of the extension rr) rLNID_subject_alt_namerrxr]X509V3_EXT_printr\rXrbr)rrN print_results r__str__zX509Extension.__str__~si  $ $ 1--/ /n,,S$//1aH  )*c"))'22rc@tj|jS)zk Returns the critical field of this X.509 extension. :return: The critical field. )rLX509_EXTENSION_get_criticalr\rs r get_criticalzX509Extension.get_criticals //@@rctj|j}tj|}tj|}|t j k7rt j|Sy)z Returns the short type name of this X.509 extension. The result is a byte string such as :py:const:`b"basicConstraints"`. :return: The short type name. :rtype: :py:data:`bytes` .. versionadded:: 0.12 sUNDEF)rLrdr\r%rrTrYrx)robjrbufs rget_short_namezX509Extension.get_short_namesV,,T__=s#ooc" $)) ;;s# #rctj|j}tjd|}tj |}tj |}tj||ddS)z Returns the data of the X509 extension, encoded as ASN.1. :return: The ASN.1 encoded data of this X509 extension. :rtype: :py:data:`bytes` .. versionadded:: 0.12 rsN)rLX509_EXTENSION_get_datar\rTrtryrur[)r octet_resultr char_result result_lengths rget_datazX509Extension.get_datas^33DOOD  .,? 00? // > {{; 6q99rNN) r]rer^rr+rer_ X509 | Noner`rrQrr r rrR)rErFrGrHrpropertyrrL GEN_EMAILGEN_DNSGEN_URIrh__annotations__rxr}rrrrrrr0r0 s  $" CGCGCG CG  CG  CG CGJ   e e2I.  , 3A, :rr0zPCSR support in pyOpenSSL is deprecated. You should use the APIs in cryptography.ceZdZdZddZddZe ddZddZddZ ddZ ddZ dd Z dd Z dd Zdd Zdd Zy)r2z An X.509 certificate signing requests. .. deprecated:: 24.2.0 Use `cryptography.x509.CertificateSigningRequest` instead. ctj}tj|tj|_|j dyr<)rL X509_REQ_newrTrZ X509_REQ_free_req set_version)rreqs rrzX509Req.__init__s6!GGC!3!34  rc>ddlm}tt|}||S)z Export as a ``cryptography`` certificate signing request. :rtype: ``cryptography.x509.CertificateSigningRequest`` .. versionadded:: 17.1.0 r)load_der_x509_csr)cryptography.x509r"_dump_certificate_request_internalr()rrrs rto_cryptographyzX509Req.to_cryptographys 80E %%rct|tjs tdddlm}|j |j}tt|S)a Construct based on a ``cryptography`` *crypto_req*. :param crypto_req: A ``cryptography`` X.509 certificate signing request :type crypto_req: ``cryptography.x509.CertificateSigningRequest`` :rtype: X509Req .. versionadded:: 17.1.0 z%Must be a certificate signing requestrr) rdrCertificateSigningRequestrfrrrr"_load_certificate_request_internalr()r crypto_reqrrs rfrom_cryptographyzX509Req.from_cryptographysD*d&D&DECD DI%%hll31-EErcttj|j|j}t |dk(y)z Set the public key of the certificate signing request. :param pkey: The public key to use. :type pkey: :py:class:`PKey` :return: ``None`` rN)rLX509_REQ_set_pubkeyrrrXrrrks r set_pubkeyzX509Req.set_pubkeys*--diiD  a(rc@tjt}tj|j|_t |j tjk7tj|j tj|_d|_ |S)z Get the public key of the certificate signing request. :return: The public key. :rtype: :py:class:`PKey` T) r/__new__rLX509_REQ_get_pubkeyrrrXrTrYrZrrrs r get_pubkeyzX509Req.get_pubkeysf||D!--dii8  dii/0WWTZZ););<   rct|ts td|dk7r tdt j |j |}t|dk(y)z Set the version subfield (RFC 2986, section 4.1) of the certificate request. :param int version: The version number. :return: ``None`` zversion must be an intrz9Invalid version. The only valid version for X509Req is 0.rN)rdrArfrhrLX509_REQ_set_versionrrX)rversionrks rrzX509Req.set_version sU'3'45 5 a<K ..tyy'B  a(rc@tj|jS)z Get the version subfield (RFC 2459, section 4.1.2.1) of the certificate request. :return: The value of the version subfield. :rtype: :py:class:`int` )rLX509_REQ_get_versionrrs r get_versionzX509Req.get_versions((33rctjt}tj|j|_t |j tjk7||_ |S)a Return the subject of this certificate signing request. This creates a new :class:`X509Name` that wraps the underlying subject name field on the certificate signing request. Modifying it will modify the underlying signing request, and will have the effect of modifying any other :class:`X509Name` that refers to this subject. :return: The subject of this certificate signing request. :rtype: :class:`X509Name` ) r1rrLX509_REQ_get_subject_namerrrXrTrY_ownerrs r get_subjectzX509Req.get_subject$sM)33DII>  dii/0  rctjdtdtj}t |t jk7t j|tj}|D]=}t|ts tdtj||j?tj|j |}t |dk(y)z Add extensions to the certificate signing request. :param extensions: The X.509 extensions to add. :type extensions: iterable of :py:class:`X509Extension` :return: ``None`` This API is deprecated and will be removed in a future version of pyOpenSSL. You should use pyca/cryptography's X.509 APIs instead. stacklevel+One of the elements is not an X509ExtensionrN)warningswarnDeprecationWarningrLsk_X509_EXTENSION_new_nullrXrTrYrZsk_X509_EXTENSION_freerdr0rhsk_X509_EXTENSION_pushr\X509_REQ_add_extensionsr)r extensionsstackextr0s radd_extensionszX509Req.add_extensions:s  &  //1*+t::;Cc=1 !NOO  ' 's~~ > 11$))UC  a(rctjdtdg}tj|j }t j|d}ttj|D]~}tjt}tjtj||}t j|tj|_|j!||S)z Get X.509 extensions in the certificate signing request. :return: The X.509 extensions in this request. :rtype: :py:class:`list` of :py:class:`X509Extension` objects. .. versionadded:: 0.15 rrrcrtj|tjtjdS)Nr[)rLsk_X509_EXTENSION_pop_freerT addressof _original_lib)xs rrz(X509Req.get_extensions..rs'd55t113HIr)rrrrLX509_REQ_get_extensionsrrTrZr!sk_X509_EXTENSION_numr0rX509_EXTENSION_dupsk_X509_EXTENSION_valuer[r\r)rextsnative_exts_objr,rrbs rget_extensionszX509Req.get_extensions[s  &  66tyyA''   t11/BCA'' 6C//,,_a@I"WWY0H0HICN KK  D rcJ|jr td|js tdtjt |}|t jk(r tdtj|j|j|}t|dkDy)aa Sign the certificate signing request with this key and digest type. :param pkey: The key pair to sign with. :type pkey: :py:class:`PKey` :param digest: The name of the message digest to use for the signature, e.g. :py:data:`"sha256"`. :type digest: :py:class:`str` :return: ``None`` zKey has only public partKey is uninitializedNo such digest methodrN) rrhrrLEVP_get_digestbynamerrTrY X509_REQ_signrrrX)rrdigest digest_obj sign_results rsignz X509Req.signs   78 8  34 4..|F/CD  "45 5((DJJ K  a(rct|ts tdtj|j |j }|dkr t|S)a@ Verifies the signature on this certificate signing request. :param PKey key: A public key. :return: ``True`` if the signature is correct. :rtype: bool :raises OpenSSL.crypto.Error: If the signature is invalid or there is a problem verifying the signature. pkey must be a PKey instancer)rdr/rfrLX509_REQ_verifyrrr)rrrs rverifyzX509Req.verifysF$%:; ;%%dii< Q; " rNr)rQx509.CertificateSigningRequest)rrrQr2rr/rQrrQr/rrArQrrrQr1rzIterable[X509Extension]rQr)rQzlist[X509Extension]rr/rr rQr)rr/rQr)rErFrGrHrrrrrrrrrrrrrrrrr2r2sh  &F7F FF* ) )"4,)B$L)0rr2c0eZdZdZd#dZed$dZd%dZed&dZd'dZ d(dZ d)dZ d*d Z d+d Z d,d Zd-d Zd(d Zd.dZd(dZd/dZd/dZd0dZd1dZd2dZ d3dZd4dZd2dZd4dZd5dZd6dZd7dZd8dZd7dZ d9dZ!d(dZ"d:d Z#d;d!Z$y")>2 #7#9 $8$:!rc|j|}tj|tj|_t |_t |_|Sr) rrTrZrLrrWrrr)rrcerts r_from_raw_x509_ptrzX509._from_raw_x509_ptrsA{{3WWT4>>2 #7#9 $8$:! rc>ddlm}tt|}||S)z Export as a ``cryptography`` certificate. :rtype: ``cryptography.x509.Certificate`` .. versionadded:: 17.1.0 r)load_der_x509_certificate)rrr7r()rrrs rrzX509.to_cryptographys @}d3(--rct|tjs tdddlm}|j |j}tt|S)z Construct based on a ``cryptography`` *crypto_cert*. :param crypto_key: A ``cryptography`` X.509 certificate. :type crypto_key: ``cryptography.x509.Certificate`` :rtype: X509 .. versionadded:: 17.1.0 zMust be a certificaterr) rdr Certificaterfrrrrr=r()r crypto_certrrs rrzX509.from_cryptographysD+t'7'7834 4I&&x||4 s33rct|ts tdtt j |j |dk(y)a  Set the version number of the certificate. Note that the version value is zero-based, eg. a value of 0 is V1. :param version: The version number of the certificate. :type version: :py:class:`int` :return: ``None`` zversion must be an integerrN)rdrArfrXrLX509_set_versionrW)rrs rrzX509.set_versions8'3'89 9--djj'BaGHrc@tj|jS)z Return the version number of the certificate. :return: The version number of the certificate. :rtype: :py:class:`int` )rLX509_get_versionrWrs rrzX509.get_versions$$TZZ00rcBtjt}tj|j|_|j t jk(r tt j|j tj|_d|_ |S)z{ Get the public key of the certificate. :return: The public key. :rtype: :py:class:`PKey` T) r/rrLX509_get_pubkeyrWrrTrYrrZrrrs rrzX509.get_pubkeysg||D!))$**5 :: " "WWTZZ););<   rct|ts tdtj|j |j }t|dk(y)z Set the public key of the certificate. :param pkey: The public key. :type pkey: :py:class:`PKey` :return: :py:data:`None` rrN)rdr/rfrLX509_set_pubkeyrWrrXrs rrzX509.set_pubkey s@$%:; ;))$**djjA  a(rct|ts td|jr t d|j s t dt jt|}|tjk(r t dt j|j|j|}t|dkDy)a Sign the certificate with this key and digest type. :param pkey: The key to sign with. :type pkey: :py:class:`PKey` :param digest: The name of the message digest to use. :type digest: :py:class:`str` :return: :py:data:`None` rzKey only has public partrrrN)rdr/rfrrhrrLrrrTrY X509_signrWrrX)rrrevp_mdrs rrz X509.signs$%:; ;   78 8  34 4**<+?@ TYY 45 5nnTZZVD  a(rctj|j}tjd}tj |tj tj |tj|d}|tjk(r tdtjtj|S)z Return the signature algorithm used in the certificate. :return: The name of the algorithm. :rtype: :py:class:`bytes` :raises ValueError: If the signature algorithm is undefined. .. versionadded:: 0.13 zASN1_OBJECT **rzUndefined signature algorithm) rLX509_get0_tbs_sigalgrWrTrUX509_ALGOR_get0rYr%rrhrx OBJ_nid2ln)rsig_algalgrs rget_signature_algorithmzX509.get_signature_algorithm7s++DJJ7hh'( S$))TYY@s1v& $.. <= ={{4??3/00rctjt|}|tjk(r t dtj dtj}tj dd}t||d<tj|j|||}t|dk(djtj||dDcgc]}t|jc}Scc}w)a5 Return the digest of the X509 object. :param digest_name: The name of the digest algorithm to use. :type digest_name: :py:class:`str` :return: The digest of the object, formatted as :py:const:`b":"`-delimited hex pairs. :rtype: :py:class:`bytes` rzunsigned char[]zunsigned int[]rr:)rLrrrTrYrhrUEVP_MAX_MD_SIZErW X509_digestrWrXrtr[rupper)r digest_namerr`r digest_resultchs rrz X509.digestJs**< +DE TYY 45 5!2D4H4HI !115 }- a(( JJ }   *+yy++m]15EF " ##%    s Dc@tj|jS)z Return the hash of the X509 subject. :return: The hash of the subject. :rtype: :py:class:`int` )rLX509_subject_name_hashrWrs rsubject_name_hashzX509.subject_name_hashis**4::66rc`t|ts tdt|dd}|j d}t j d}tj||}t|t jk7tj|dt j}tj|dt|t jk7t j|tj}tj|j |}t|dk(y)z Set the serial number of the certificate. :param serial: The new serial number. :type serial: :py:class:`int` :return: :py:data`None` zserial must be an integerrNrzBIGNUM**rr)rdrArfhexr(rTrUrL BN_hex2bnrXrYBN_to_ASN1_INTEGERrrZASN1_INTEGER_freeX509_set_serialNumberrW)rserial hex_serialhex_serial_bytes bignum_serialr asn1_serialrks rset_serial_numberzX509.set_serial_numberrs&#&78 8[_ %,,W5,  /?@$))+,--mA.> J  ]1%& tyy01ggk4+A+AB // KH  a(rctj|j}tj|tj } tj |} t j|}t|d}|tj|tj|S#tj|wxYw#tj|wxYw)zx Return the serial number of this certificate. :return: The serial number. :rtype: int ) rLX509_get_serialNumberrWASN1_INTEGER_to_BNrTrY BN_bn2hexrxrAr6r)rrrrhexstring_serialrs rget_serial_numberzX509.get_serial_numbers00< // TYYG  ( 6J .#';;z#: -r2!!*- LL '!!*- LL 's$C"B(=C(B??CCct|ts tdtj|j }tj ||y)z Adjust the time stamp on which the certificate stops being valid. :param int amount: The number of seconds by which to adjust the timestamp. :return: ``None`` amount must be an integerN)rdrArfrLX509_getm_notAfterrWX509_gmtime_adj)ramountnotAfters rgmtime_adj_notAfterzX509.gmtime_adj_notAfters>&#&78 8**4::6 Xv.rct|ts tdtj|j }tj ||y)z Adjust the timestamp on which the certificate starts being valid. :param amount: The number of seconds by which to adjust the timestamp. :return: ``None`` r'N)rdrArfrLX509_getm_notBeforerWr))rr* notBefores rgmtime_adj_notBeforezX509.gmtime_adj_notBefores>&#&78 8,,TZZ8  Y/rc:|j}| td|jd}tjj |d}tj j }tjj|jd}||kS)z Check whether the certificate has expired. :return: ``True`` if the certificate has expired, ``False`` otherwise. :rtype: bool NzUnable to determine notAfterrz %Y%m%d%H%M%SZ)tzinfo) get_notAfterrhrdatetimestrptimetimezoneutcnowreplace)r time_bytes time_string not_afterUTCutcnows r has_expiredzX509.has_expireds&&(  ;< < ''0 %%..{OL ##""&&s+3343@6!!rc8t||jSr)rrW)rwhichs r_get_boundary_timezX509._get_boundary_timeseDJJ/00rc@|jtjS)a  Get the timestamp at which the certificate starts being valid. The timestamp is formatted as an ASN.1 TIME:: YYYYMMDDhhmmssZ :return: A timestamp string, or ``None`` if there is none. :rtype: bytes or NoneType )rBrLr.rs r get_notBeforezX509.get_notBefores&&t'?'?@@rc:t||j|Sr)rlrW)rrArjs r_set_boundary_timezX509._set_boundary_timeseDJJ/66rcB|jtj|S)z Set the timestamp at which the certificate starts being valid. The timestamp is formatted as an ASN.1 TIME:: YYYYMMDDhhmmssZ :param bytes when: A timestamp string. :return: ``None`` )rFrLr.rrjs r set_notBeforezX509.set_notBefores&&t'?'?FFrc@|jtjS)a  Get the timestamp at which the certificate stops being valid. The timestamp is formatted as an ASN.1 TIME:: YYYYMMDDhhmmssZ :return: A timestamp string, or ``None`` if there is none. :rtype: bytes or NoneType )rBrLr(rs rr3zX509.get_notAfters&&t'>'>??rcB|jtj|S)z Set the timestamp at which the certificate stops being valid. The timestamp is formatted as an ASN.1 TIME:: YYYYMMDDhhmmssZ :param bytes when: A timestamp string. :return: ``None`` )rFrLr(rHs r set_notAfterzX509.set_notAfters&&t'>'>EErctjt}||j|_t |jt j k7||_|Sr)r1rrWrrXrTrYr)rrArs r _get_namezX509._get_name sE)4::&  dii/0  rct|ts td||j|j}t |dk(y)Nzname must be an X509Namer)rdr1rfrWrrX)rrArrks r _set_namezX509._set_names8$)67 74::tzz2  a(rcz|jtj}|jj ||S)a Return the issuer of this certificate. This creates a new :class:`X509Name` that wraps the underlying issuer name field on the certificate. Modifying it will modify the underlying certificate, and will have the effect of modifying any other :class:`X509Name` that refers to this issuer. :return: The issuer of this certificate. :rtype: :class:`X509Name` )rNrLX509_get_issuer_namerrrs r get_issuerzX509.get_issuers1~~d778   $$T* rcx|jtj||jj y)z Set the issuer of this certificate. :param issuer: The issuer. :type issuer: :py:class:`X509Name` :return: ``None`` N)rPrLX509_set_issuer_namerr)rr`s r set_issuerzX509.set_issuer+s* t00&9   &&(rcz|jtj}|jj ||S)a Return the subject of this certificate. This creates a new :class:`X509Name` that wraps the underlying subject name field on the certificate. Modifying it will modify the underlying certificate, and will have the effect of modifying any other :class:`X509Name` that refers to this subject. :return: The subject of this certificate. :rtype: :class:`X509Name` )rNrLX509_get_subject_namerrrs rrzX509.get_subject7s1~~d889 !!%%d+ rcx|jtj||jj y)z Set the subject of this certificate. :param subject: The subject. :type subject: :py:class:`X509Name` :return: ``None`` N)rPrLX509_set_subject_namerr)rr_s r set_subjectzX509.set_subjectGs* t117; !!'')rc@tj|jS)z Get the number of extensions on this certificate. :return: The number of extensions. :rtype: :py:class:`int` .. versionadded:: 0.12 )rLX509_get_ext_countrWrs rget_extension_countzX509.get_extension_countSs&&tzz22rctjdtd|D]V}t|ts t dt j|j|jd}t|dk(Xy)z Add extensions to the certificate. :param extensions: The extensions to add. :type extensions: An iterable of :py:class:`X509Extension` objects. :return: ``None`` rrrrrrN) rrrrdr0rhrL X509_add_extrWr\rX)rrrr0s rrzX509.add_extensions^sg  &  Cc=1 !NOO**4::s~~rJJ J!O , rctjdtdtj t}t j |j||_|jtjk(r tdt j|j}tj|t j|_|S)a Get a specific extension of the certificate by index. Extensions on a certificate are kept in order. The index parameter selects which extension will be returned. :param int index: The index of the extension to retrieve. :return: The extension at the specified index. :rtype: :py:class:`X509Extension` :raises IndexError: If the extension index was out of bounds. .. versionadded:: 0.12 rrrzextension index out of bounds)rrrr0rrL X509_get_extrWr\rTrY IndexErrorrrZr[)rindexrrbs r get_extensionzX509.get_extensionws  &  ##M2**4::u= >>TYY &<= =++CNN; D,D,DE rNr)rrrQr-)rQx509.Certificate)rrfrQr-rrrrrrR)r r rQre)rrArQr)r*rArQrr)rArrQ bytes | None)rQrg)rAzCallable[..., Any]rjrerQr)rjrerQr)rArrQr1)rArrr1rQrr)r`r1rQr)r_r1rQrr)rdrArQr0)%rErFrGrHrrrrrrrrrrrrrrr%r,r0r?rBrDrFrIr3rLrNrPrSrVrr[r^rrerrrr-r-s; .44& I1  ))81& >7)8(( / 0""1 A7'7/47 7 G @ F )  ) * 3-2rr-cfeZdZUdZej Zded<ejZ ded<ejZ ded<ejZ ded<ejZded<ej Zded<ej$Zded <ej(Zded <ej,Zded <ej0Zded <y )r6a  Flags for X509 verification, used to change the behavior of :class:`X509Store`. See `OpenSSL Verification Flags`_ for details. .. _OpenSSL Verification Flags: https://www.openssl.org/docs/manmaster/man3/X509_VERIFY_PARAM_set_flags.html rA CRL_CHECK CRL_CHECK_ALLIGNORE_CRITICAL X509_STRICTALLOW_PROXY_CERTS POLICY_CHECKEXPLICIT_POLICY INHIBIT_MAPCHECK_SS_SIGNATURE PARTIAL_CHAINN)rErFrGrHrLX509_V_FLAG_CRL_CHECKrirX509_V_FLAG_CRL_CHECK_ALLrjX509_V_FLAG_IGNORE_CRITICALrkX509_V_FLAG_X509_STRICTrlX509_V_FLAG_ALLOW_PROXY_CERTSrmX509_V_FLAG_POLICY_CHECKrnX509_V_FLAG_EXPLICIT_POLICYroX509_V_FLAG_INHIBIT_MAPrpX509_V_FLAG_CHECK_SS_SIGNATURErqX509_V_FLAG_PARTIAL_CHAINrrrrrr6r6s//Is/77M37;;OS;33K3!??s?55L#5;;OS;33K3"AAA77M37rr6cNeZdZdZd dZd dZd dZd dZd dZ d ddZ y)r3a An X.509 store. An X.509 store is used to describe a context in which to verify a certificate. A description of a context may include a set of certificates to trust, a set of certificate revocation lists, verification flags and more. An X.509 store, being only a description, cannot be used by itself to verify a certificate. To carry out the actual verification process, see :class:`X509StoreContext`. c~tj}tj|tj|_yr)rLX509_STORE_newrTrZX509_STORE_free_storerstores rrzX509Store.__init__s(##%ggeT%9%9: rct|ts ttj|j |j }t|dk(y)a Adds a trusted certificate to this store. Adding a certificate with this method adds this certificate as a *trusted* certificate. :param X509 cert: The certificate to add to this store. :raises TypeError: If the certificate is not an :class:`X509`. :raises OpenSSL.crypto.Error: If OpenSSL was unhappy with your certificate. :return: ``None`` if the certificate was added successfully. rN)rdr-rfrLX509_STORE_add_certrrWrX)rrrs radd_certzX509Store.add_certs< $%+ &&t{{DJJ?q!rct|tjrddlm}t |j |j}tj|tj}t|tjk7tj|tj}n tdttj |j"|dk7y)a Add a certificate revocation list to this store. The certificate revocation lists added to a store will only be used if the associated flags are configured to check certificate revocation lists. .. versionadded:: 16.1.0 :param crl: The certificate revocation list to add to this store. :type crl: ``cryptography.x509.CertificateRevocationList`` :return: ``None`` if the certificate revocation list was added successfully. rrz?CRL must be of type cryptography.x509.CertificateRevocationListN)rdrCertificateRevocationListrrr]rrrLd2i_X509_CRL_biorTrYrXrZ X509_CRL_freerfX509_STORE_add_crlr)rcrlrrN openssl_crls radd_crlzX509Store.add_crls c499 : Ms// =>C//TYY?K K4994 5''+t'9'9:C>  // SAQFGrc\ttj|j|dk7y)a Set verification flags to this store. Verification flags can be combined by oring them together. .. note:: Setting a verification flag sometimes requires clients to add additional information to the store, otherwise a suitable error will be raised. For example, in setting flags to enable CRL checking a suitable CRL must be added to the store otherwise an error will be raised. .. versionadded:: 16.1.0 :param int flags: The verification flags to set on this store. See :class:`X509StoreFlags` for available constants. :return: ``None`` if the verification flags were successfully set. rN)rXrLX509_STORE_set_flagsr)rflagss r set_flagszX509Store.set_flagss", 11$++uEJKrc:tj}tj|tj}tj |t j|jttj|j|dk7y)a Set the time against which the certificates are verified. Normally the current time is used. .. note:: For example, you can determine if a certificate was valid at a given time. .. versionadded:: 17.0.0 :param datetime vfy_time: The verification time to set on this store. :return: ``None`` if the verification time was successfully set. rN) rLX509_VERIFY_PARAM_newrTrZX509_VERIFY_PARAM_freeX509_VERIFY_PARAM_set_timecalendartimegm timetuplerXX509_STORE_set1_paramr)rvfy_timeparams rset_timezX509Store.set_timesm **,t::; '' 8??8#5#5#78  224;;F!KLrNc|tj}n t|}|tj}n t|}tj|j ||}|s t yy)a Let X509Store know where we can find trusted certificates for the certificate chain. Note that the certificates have to be in PEM format. If *capath* is passed, it must be a directory prepared using the ``c_rehash`` tool included with OpenSSL. Either, but not both, of *cafile* or *capath* may be ``None``. .. note:: Both *cafile* and *capath* may be set simultaneously. Call this method multiple times to add more than one location. For example, CA certificates, and certificate revocation list bundles may be passed in *cafile* in subsequent calls to this method. .. versionadded:: 20.0 :param cafile: In which file we can find the certificates (``bytes`` or ``unicode``). :param capath: In which directory we can find the certificates (``bytes`` or ``unicode``). :return: ``None`` if the locations were set successfully. :raises OpenSSL.crypto.Error: If both *cafile* and *capath* is ``None`` or the locations could not be set for any reason. N)rTrY _path_bytesrLX509_STORE_load_locationsrr)rcafilecapath load_results rload_locationszX509Store.load_locations&s`F >YYF (F >YYF (F44 KK  "rr)rr-rQr)rzx509.CertificateRevocationListrQr)rrArQr)rzdatetime.datetimerQrr)rStrOrBytesPath | NonerrrQr) rErFrGrHrrrrrrrrrr3r3sI ;",H<L0M6)-1#%1#&1#  1#rr3c4eZdZdZ dfd ZxZS)r5z An exception raised when an error occurred while verifying a certificate using `OpenSSL.X509StoreContext.verify_certificate`. :ivar certificate: The certificate which caused verificate failure. :type certificate: :class:`X509` c@t||||_||_yr)rrerrors certificate)rmessagerrrs rrzX509StoreContextError.__init__cs! ! &r)rr rz list[Any]rr-rQr)rErFrGrHrr r s@rr5r5Zs2''$-'<@' ''rr5cveZdZdZ d d dZe d dZed dZddZddZ ddZ dd Z y)r4a9 An X.509 store context. An X.509 store context is used to carry out the actual verification process of a certificate in a described context. For describing such a context, see :class:`X509Store`. :param X509Store store: The certificates which will be trusted for the purposes of any verifications. :param X509 certificate: The certificate to be verified. :param chain: List of untrusted certificates that may be used for building the certificate chain. May be ``None``. :type chain: :class:`list` of :class:`X509` NcL||_||_|j||_yr)r_cert_build_certificate_stack_chain)rrrchains rrzX509StoreContext.__init__{s$    33E: rcdd}|t|dk(rtjStj}t |tjk7tj ||}|D]}t|ts tdt tj|jdkDtj||jdksmtj|jt|S)Ncttj|D]-}tj||}tj|/tj |yr)r!rL sk_X509_num sk_X509_valuer sk_X509_free)sr,rs rcleanupz:X509StoreContext._build_certificate_stack..cleanupsL4++A./&&q!,q!0   a rrz+One of the elements is not an X509 instance)rrrQr)rWrTrYrLsk_X509_new_nullrXrZrdr-rf X509_up_refrW sk_X509_pushrr) certificatesrrrs rrz)X509StoreContext._build_certificate_stacks !  3|#4#999 %%'*+w' DdD) MNN D,,TZZ81< =   3q8tzz*$&! rctjtjtj|j d}tj|tj ||g}tj|}tj|}tj|}t|||S)z Convert an OpenSSL native context error failure into a Python exception. When a call to native OpenSSL X509_verify_cert fails, additional information about the failure can be obtained from the store context. r) rTrxrLX509_verify_cert_error_stringX509_STORE_CTX_get_errorrX509_STORE_CTX_get_error_depthX509_STORE_CTX_get_current_certX509_dupr-rr5) store_ctxrrrWrpycerts r_exception_from_contextz(X509StoreContext._exception_from_contexts++  . .--i8   &/   ) )) 4  / / :  44Y? e$((/$Wff==rctj}t|tjk7tj |tj }tj||jj|jj|j}t|dk(tj|}|dkr|j||S)a3 Verifies the certificate and runs an X509_STORE_CTX containing the results. :raises X509StoreContextError: If an error occurred when validating a certificate in the context. Sets ``certificate`` attribute to indicate which certificate caused the error. rr)rLX509_STORE_CTX_newrXrTrYrZX509_STORE_CTX_freeX509_STORE_CTX_initrrrWrX509_verify_certr)rrrps r_verify_certificatez$X509StoreContext._verify_certificates++-  TYY./GGIt'?'?@ && t{{))4::+;+;T[[  q!##I. !8..y9 9rc||_y)z Set the context's X.509 store. .. versionadded:: 0.15 :param X509Store store: The store description which will be used for the purposes of any *future* verifications. N)rrs r set_storezX509StoreContext.set_stores  rc$|jy)a" Verify a certificate in a context. .. versionadded:: 0.15 :raises X509StoreContextError: If an error occurred when validating a certificate in the context. Sets ``certificate`` attribute to indicate which certificate caused the error. N)rrs rverify_certificatez#X509StoreContext.verify_certificates   "rc|j}tj|}t|tj k7g}t tj|D]Z}tj||}t|tj k7tj|}|j|\tj||S)aR Verify a certificate in a context and return the complete validated chain. :raises X509StoreContextError: If an error occurred when validating a certificate in the context. Sets ``certificate`` attribute to indicate which certificate caused the error. .. versionadded:: 20.0 ) rrLX509_STORE_CTX_get1_chainrXrTrYr!rrr-rrr)rr cert_stackrr,rrs rget_verified_chainz#X509StoreContext.get_verified_chains,,. 33I>  dii/0t'' 34A%%j!4D DDII- .,,T2F MM& ! 5 *% rr)rr3rr-rSequence[X509] | NonerQr)rrrQr)rrrQr5r )rr3rQrr)rQz list[X509]) rErFrGrHr staticmethodrrrrrrrrrr4r4ks &(, ;;;% ;  ;+ :>>20  #rr4ct|tr|jd}t|}|tk(rCt j |tjtjtj}n9|tk(r%t j|tj}n td|tjk(r ttj|S)a Load a certificate (X509) from the string *buffer* encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param bytes buffer: The buffer the certificate is stored in :return: The X509 object r3type argument must be FILETYPE_PEM or FILETYPE_ASN1)rdr r(r]r)rLPEM_read_bio_X509rTrYr( d2i_X509_biorhrr-r)rr[rNrs rr=r= s&#w' v C |%%c499diiK    dii0NOO tyy  " "4 ((rc^t}|tk(r!tj||j}na|t k(r!tj ||j}n7|tk(r#tj||jdd}n tdt|dk(t|S)a Dump the certificate *cert* into a buffer string encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1, or FILETYPE_TEXT) :param cert: The certificate to dump :return: The buffer with the dumped certificate in rCtype argument must be FILETYPE_PEM, FILETYPE_ASN1, or FILETYPE_TEXTr) r]r)rLPEM_write_bio_X509rWr( i2d_X509_bior* X509_print_exrhrXrb)rrrN result_codes rr7r7&s .C |--c4::>  ''TZZ8  ((djj!Q?    K1$% # rct}|tk(rtj}n%|tk(rtj }n t d|||j}|dk7r tt|S)z Dump a public key to a buffer. :param type: The file type (one of :data:`FILETYPE_PEM` or :data:`FILETYPE_ASN1`). :param PKey pkey: The public key to dump :return: The buffer with the dumped key in it. :rtype: bytes rr) r]r)rLPEM_write_bio_PUBKEYr(i2d_PUBKEY_biorhrrrb)rrrN write_biors rr:r:Bsf .C |--  '' NOOC,Ka # rc t}t|ts td|I| tdt j t |}|tjk(rtdtj}t||}|tk(rXt j||j|tjd|j|j}|j!n|t"k(r!t j$||j}n|t&k(rt j(|jtj*k7r tdtj,t j.|jtj0}t j2||d}n tdt5|dk7t7|S)a Dump the private key *pkey* into a buffer string encoded with the type *type*. Optionally (if *type* is :const:`FILETYPE_PEM`) encrypting it using *cipher* and *passphrase*. :param type: The file type (one of :const:`FILETYPE_PEM`, :const:`FILETYPE_ASN1`, or :const:`FILETYPE_TEXT`) :param PKey pkey: The PKey to dump :param cipher: (optional) if encrypted PEM format, the cipher to use :param passphrase: (optional) if encrypted PEM format, this can be either the passphrase to use, or a callback for providing the passphrase. :return: The buffer with the dumped key in :rtype: bytes zpkey must be a PKeyzDif a value is given for cipher one must also be given for passphrasezInvalid cipher namerz-Only RSA keys are supported for FILETYPE_TEXTr)r]rdr/rfrLEVP_get_cipherbynamerrTrYrh_PassphraseHelperr)PEM_write_bio_PrivateKeyrcallback callback_argsraise_if_problemr(i2d_PrivateKey_bior*rrrZrr RSA_printrXrb) rrcipher passphraserN cipher_objhelperrr s rr9r9[s* .C dD !-..   8 ..|F/CD  "23 3YY tZ 0F |33  JJ  II OO    !  --c4::>     DJJ '4+<+< <KL Lggd,,TZZ8$--HnnS#q1    K1$% # rcxeZdZ d ddZed dZed dZefd dZ d dZ y) rch|tk7r | td||_||_||_g|_y)Nz0only FILETYPE_PEM key format supports encryption)r)rh _passphrase _more_args _truncate _problems)rrr more_argstruncates rrz_PassphraseHelper.__init__s@ < J$:B &#!*,rc|jtjSt|jtst |jr tj d|jStd)Npem_password_cb2Last argument must be a byte string or a callable.) rrTrYrdrecallabler_read_passphraserfrs rrz_PassphraseHelper.callbacks]    #99  ((% 0HT=M=M4N==!2D4I4IJ JD rc|jtjSt|jtst |jrtjSt d)Nr)rrTrYrdrerrfrs rrz_PassphraseHelper.callback_argssO    #99  ((% 0HT=M=M4N99 D rc|jr' t||jjdy#|$rY#wxYwr<)r_exception_from_error_queuepop)r exceptionTypes rrz"_PassphraseHelper.raise_if_problemsF >> +M:..$$Q' ' !  s 5==c t|jr2|jr|j|||}n,|j|}n|jJ|j}t|ts t dt ||kDr|jr|d|}n t dtt |D] }|||dz||<t |S#t$r%}|jj|Yd}~yd}~wwxYw)NzBytes expectedz+passphrase returned by callback is too longrr) rrrrdrerhrWrr! Exceptionrr)rrsizerwflaguserdatarr,es rrz"_PassphraseHelper._read_passphrases (()??!--dFHEF!--f5F''333))fe, !1226{T!>>#ET]F$E3v;'AE*A(v;   NN ! !! $ sCC D!DDN)FF) rrArPassphraseCallableT | NonerrrrrQrr )rztype[Exception]rQr) rrrrArrrrrQrA) rErFrGrrrrr.rrrrrrrs   --/- -  -  - AF(!+.:= rrc4t|tr|jd}t|}|tk(rCt j |tjtjtj}n9|tk(r%t j|tj}n td|tjk(r ttjt}tj|t j |_d|_|S)a< Load a public key from a buffer. :param type: The file type (one of :data:`FILETYPE_PEM`, :data:`FILETYPE_ASN1`). :param buffer: The buffer the key is stored in. :type buffer: A Python string object, either unicode or bytestring. :return: The PKey object. :rtype: :class:`PKey` rrT)rdr r(r]r)rLPEM_read_bio_PUBKEYrTrYr(d2i_PUBKEY_biorhrr/rrZrrr)rr[rNevp_pkeyrs rr@r@s&#w' v C |++ DIItyy   &&sDII6NOO499 << D4#5#56DJD KrcNt|tr|jd}t|}t ||}|t k(rKt j|tj|j|j}|jn9|tk(r%t j|tj}n td|tjk(r t!t"j%t"}tj&|t j(|_|S)a Load a private key (PKey) from the string *buffer* encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param buffer: The buffer the key is stored in :param passphrase: (optional) if encrypted PEM format, this can be either the passphrase to use, or a callback for providing the passphrase. :return: The PKey object rr)rdr r(r]rr)rLPEM_read_bio_PrivateKeyrTrYrrrr(d2i_PrivateKey_biorhrr/rrZrr)rr[rrNrr rs rr?r? s"&#w' v C tZ 0F |// FOOV-A-A  !  **3 :NOO499 << D4#5#56DJ Krc^t}|tk(r!tj||j}na|t k(r!tj ||j}n7|tk(r#tj||jdd}n tdt|dk7t|S)av Dump the certificate request *req* into a buffer string encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param req: The certificate request to dump :return: The buffer with the dumped certificate request in .. deprecated:: 24.2.0 Use `cryptography.x509.CertificateSigningRequest` instead. rr) r]r)rLPEM_write_bio_X509_REQrr(i2d_X509_REQ_bior*X509_REQ_print_exrhrXrb)rrrNrs rr8r89 s .C |11#sxx@  ++C:  ,,S#((AqA    K1$% # rr8rc$t|tr|jd}t|}|tk(rCt j |tjtjtj}n9|tk(r%t j|tj}n tdt|tjk7tjt}tj|t j |_|S)a Load a certificate request (X509Req) from the string *buffer* encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param buffer: The buffer the certificate request is stored in :return: The X509Req object .. deprecated:: 24.2.0 Use `cryptography.x509.load_der_x509_csr` or `cryptography.x509.load_pem_x509_csr` instead. rr)rdr r(r]r)rLPEM_read_bio_X509_REQrTrYr(d2i_X509_REQ_biorhrXr2rrZrr)rr[rNrx509reqs rr>r>g s&#w' v C |((diiDIIN  ##C3NOOC499$%oog&G773 2 23GL Nrr>)rr robjectrQzCallable[[_T], _T]r)r[rgrQr)rNrrQre)rirrjrerQr)rjrerQr)r|rrQrg)rQr)rr rQr)rrAr[rerQr-)rrArr-rQre)rrArr/rQrer) rrArr/rrQrrrQre)rrAr[ str | bytesrQr/)rrAr[rrrrQr/)rrArr2rQre)rrAr[rerQr2)o __future__rrr4 functoolssysrrbase64rcollections.abcrrrrr r version_infor TypeVar_Ttyping_extensions cryptographyrr)cryptography.hazmat.primitives.asymmetricrrrrr OpenSSL._utilr!r"rr#rr$rTr%rLr& _make_assertr'r__all__rrrrr _PrivateKeyrrrrr _PublicKeyrrePassphraseCallableTSSL_FILETYPE_PEMr)rSSL_FILETYPE_ASN1r(r*rr, EVP_PKEY_DSAr+ EVP_PKEY_DHrB EVP_PKEY_ECrCrr.rrXr]rbrlrqrrr/rr<r;total_orderingr1r0r2r-r6r3r5r4r=r7r:r9rr@r?r8rrErr>rrrrr1s" . w#  B-$) :         [* $%E8CJ#778)) c)++ s+ !!#!!!#!I :EBu%4;+2&:  ~.~.Bd.d.N  5  5 1 1$ D g:g: g:T oo odggT88.g#g#T'I'"[[|):88-1 B B B B+ B  BJKK\J.2& & &+& &R@&>"   # @&>"   # r