wh)7UddlmZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z m Z ddlm Z ddlmZmZmZejdkrddlmZn&ejd krejd ZdidZnddlmZddlmZmZddlmZmZmZmZmZddlm Z ddlm!Z"ddlm#Z$ddlm%Z&ddlm'Z(ddlm)Z*ddlm+Z,gdZ-eej.ej/ej0ej1ej2fZ3eej4ej5ej6ej7ej8fZ9ee3e9fZ:ee;ede;ffZde?d<e(j@ZAde?d<d ZBe(jCZDde?d!<e(jEZFde?d"<e(jGZHde?d#<e(jIZJde?d$<Gd%d&eKZLe e$eLZMe*eLZNdjdkd*ZOdld-ZPdmd1ZQdnd2ZRdod4ZSGd5d6ZTGd7d8ZUGd9d:ZVed;dpd=ZWed>dqd@ZXejYGdAdBZZedCGdDdEZ[edFGdGdHZ\GdIdJZ]GdKdLZ^GdMdNZ_GdOdPeKZ`GdQdRZadrdTZbdsdVZcdtdXZd dudvd]ZeGd^d_ZfdwdaZg djdxdbZhdyddZieiZjejeiekdFeldefdzdgZmemZnejemekdFeldhfdS){) annotationsN) b16encode)IterableSequence)partial)AnyCallableUnion) ) deprecated)r TmsgstrkwargsobjectreturnCallable[[_T], _T]c dS)Nc|SN)fs A/var/www/test/venv/lib/python3.11/site-packages/OpenSSL/crypto.pyzdeprecated..sr)rrs rr r s {r)utilsx509)dsaeced448ed25519rsa)StrOrBytesPath) byte_string)exception_from_error_queue)ffi)lib) make_assert) path_bytes) FILETYPE_ASN1 FILETYPE_PEM FILETYPE_TEXTTYPE_DSATYPE_RSAX509ErrorPKey X509ExtensionX509NameX509Req X509StoreX509StoreContextX509StoreContextErrorX509StoreFlagsdump_certificatedump_certificate_requestdump_privatekeydump_publickeyget_elliptic_curveget_elliptic_curvesload_certificateload_certificate_requestload_privatekeyload_publickey.intr-r,ir0r/TYPE_DHTYPE_ECceZdZdZdS)r2z7 An error occurred in an `OpenSSL.crypto` API. N)__name__ __module__ __qualname____doc__rrrr2r2tsrr2buffer bytes | NonercL|2tjtj}tj}n=t jd|}tj|t|}|fdd}t|tj kt j ||}|S) z Allocate a new OpenSSL memory BIO. Arrange for the garbage collector to clean it up automatically. :param buffer: None or some bytes to use to put into the BIO so that they can be read out. Nchar[]biorrefrc*tj|Sr)_libBIO_free)rQrRs rfreez_new_mem_buf..frees=%% %r)rQrrRrrr) rTBIO_new BIO_s_memrU_ffinewBIO_new_mem_buflen_openssl_assertNULLgc)rMrQrVdatas r _new_mem_bufra~s~l4>++,,}x&))"4V55'+ & & & & &C49$%%% '#t  C JrrQbytesctjd}tj||}tj|d|ddS)zO Copy the contents of an OpenSSL BIO object into a Python byte string. zchar**rN)rYrZrTBIO_get_mem_datarM)rQ result_buffer buffer_lengths r_bio_to_stringrgsEHX&&M)#}==M ;}Q' 7 7 ::rboundarywhenNonect|tstdt|tjkt j||}|dkrtddS)a The the time value of an ASN1 time object. @param boundary: An ASN1_TIME pointer (or an object safely castable to that type) which will have its value set. @param when: A string representation of the desired time value. @raise TypeError: If C{when} is not a L{bytes} string. @raise ValueError: If C{when} does not represent a time in the required format. @raise RuntimeError: If the time value cannot be set for some other (unspecified) reason. zwhen must be a byte stringrzInvalid stringN) isinstancerb TypeErrorr]rYr^rTASN1_TIME_set_string ValueError)rhri set_results r_set_asn1_timerqsm dE " "64555H )****8T::JQ)***rctj}t|tjktj|tj}t|||S)a Behaves like _set_asn1_time but returns a new ASN1_TIME object. @param when: A string representation of the desired time value. @raise TypeError: If C{when} is not a L{bytes} string. @raise ValueError: If C{when} does not represent a time in the required format. @raise RuntimeError: If the time value cannot be set for some other (unspecified) reason. )rT ASN1_TIME_newr]rYr^r_ASN1_TIME_freerq)rirets r_new_asn1_timervsP    CC49$%%% '#t* + +C3 Jr timestampcFtjd|}tj|dkrdStj|tjkr&tjtj|Stjd}tj ||t|dtj ktjd|d}tj|}tj|}tj |d|S)a] Retrieve the time value of an ASN1 time object. @param timestamp: An ASN1_GENERALIZEDTIME* (or an object safely castable to that type) from which the time value will be retrieved. @return: The time value from C{timestamp} as a L{bytes} string in a certain format. Or C{None} if the object contains no time value. ASN1_STRING*rNzASN1_GENERALIZEDTIME**) rYcastrTASN1_STRING_lengthASN1_STRING_typeV_ASN1_GENERALIZEDTIMEstringASN1_STRING_get0_datarZASN1_TIME_to_generalizedtimer]r^ASN1_GENERALIZEDTIME_free)rwstring_timestampgeneralized_timestamp string_data string_results r_get_asn1_timersy;; /00A55t .//43NNN{456FGGHHH $)A B B ))5JKKK-a0DI=>>>9^5J15MNN01ABB  K00  &'r,typingrzrr=)rrrders rto_cryptography_keyzPKey.to_cryptography_keys          O 55C;t%8%8%=%=>> >!-66C;t%9%9#%M%M%MNN Nr crypto_keyc t|tjtjtjtjtjtj tj tj tjtjf st!dddlm}m}m}m}t|tjtjtj tj tjfr3t-t.||j|jS||j|j|}t;t.|S)z Construct based on a ``cryptography`` *crypto_key*. :param crypto_key: A ``cryptography`` key. :type crypto_key: One of ``cryptography``'s `key interfaces`_. :rtype: PKey .. versionadded:: 16.1.0 zUnsupported key typer)Encoding NoEncryption PrivateFormat PublicFormat)rlr DSAPrivateKey DSAPublicKeyr!EllipticCurvePrivateKeyEllipticCurvePublicKeyr#Ed25519PrivateKeyEd25519PublicKeyr"Ed448PrivateKeyEd448PublicKeyr$ RSAPrivateKey RSAPublicKeyrmrrrrrrDr, public_bytesDERSubjectPublicKeyInfo private_bytesPKCS8rC)clsrrrrrrs rfrom_cryptography_keyzPKey.from_cryptography_keysP ! *))(%$!     4233 3               )($    7"''L,"C ** m1<<>>C#=#66 6rtyperEbitsc t|tstdt|tstd|tkr|dkrt dt j}tj|t j }t j |t j t j }t j |||tj}t|dkt j|j|}t|dkn|t$krt j}t|tjktj|t j}t j||tjdtjtjtj}t|dktt j|dktt j|j|dknt1dd|_dS) a3 Generate a key pair of the given type, with the given number of bits. This generates a key "into" the this object. :param type: The key type. :type type: :py:data:`TYPE_RSA` or :py:data:`TYPE_DSA` :param bits: The number of bits. :type bits: :py:data:`int` ``>= 0`` :raises TypeError: If :py:data:`type` or :py:data:`bits` isn't of the appropriate type. :raises ValueError: If the number of bits isn't an integer of the appropriate size. :return: ``None`` ztype must be an integerzbits must be an integerrzInvalid number of bitszNo such key typeTN)rlrErmr0rorTBN_newrYr_BN_free BN_set_wordRSA_F4RSA_newRSA_generate_key_exr^r]EVP_PKEY_assign_RSArr/DSA_newDSA_freeDSA_generate_parameters_exDSA_generate_keyEVP_PKEY_set1_DSAr2r)rrrexponentr$resultr ress r generate_keyzPKey.generate_keyUs $$$ 7566 6$$$ 7566 6 8  qyy !9:::{}}Hwx66H  Xt{ 3 3 3,..C-c449MMF FaK ( ( (-dj#>>F FaK ( ( ( ( X  ,..C C49, - - -'#t}--C1T49aDItyC C1H % % % D1#66!; < < < D24:sCCqH I I I I*++ + rboolc||jrtdtj|tjkrtdtj|j}tj |tj }tj |}|dkrdStdS)ax Check the consistency of an RSA private key. This is the Python equivalent of OpenSSL's ``RSA_check_key``. :return: ``True`` if key is consistent. :raise OpenSSL.crypto.Error: if the key is inconsistent. :raise TypeError: if the key is of a type which cannot be checked. Only RSA keys can currently be checked. zpublic key onlyz'Only RSA keys can currently be checked.rTN) rrmrT EVP_PKEY_typer EVP_PKEY_RSAEVP_PKEY_get1_RSArrYr_RSA_free RSA_check_key_raise_current_error)rr$rs rcheckz PKey.checks   /-.. .  diikk * *d.? ? ?EFF F$TZ00gc4=))#C(( Q;;4rc4tj|jS)zT Returns the type of the key :return: The type of the key. )rT EVP_PKEY_idrrs rrz PKey.types  +++rc4tj|jS)zh Returns the number of bits of the key :return: The number of bits of the key. )rT EVP_PKEY_bitsrrs rrz PKey.bitss !$*---rNr)rr)rrrr3)rrErrErrjrrrrE)rIrJrKrLrrrr classmethodrrrrrrrrr3r3sLL"""" OOOO.777777[77r6!6!6!6!p4,,,,......rr3ceZdZdZdZdfd Zedd Zedd ZeddZ ddZ ddZ ddZ xZ S)_EllipticCurveaZ A representation of a supported elliptic curve. @cvar _curves: :py:obj:`None` until an attempt is made to load the curves. Thereafter, a :py:type:`set` containing :py:type:`_EllipticCurve` instances each of which represents one curve supported by the system. @type _curves: :py:type:`NoneType` or :py:type:`set` Notherrrrc~t|tr!t|StS)z Implement cooperation with the right-hand side argument of ``!=``. Python 3 seems to have dropped this cooperation in this very narrow circumstance. )rlrsuper__ne__NotImplemented)rr __class__s rrz_EllipticCurve.__ne__s3 e^ , , )77>>%(( (rr)set[_EllipticCurve]ctjd}tjd|}||t fd|DS)z Get the curves supported by OpenSSL. :param lib: The OpenSSL library binding object. :return: A :py:type:`set` of ``cls`` instances giving the names of the elliptic curves the underlying library supports. rzEC_builtin_curve[]c3NK|]}|jV dSr)from_nidnid).0crr)s r z7_EllipticCurve._load_elliptic_curves..s3DD3<<QU++DDDDDDr)EC_get_builtin_curvesrYr^rZset)rr) num_curvesbuiltin_curvess`` r_load_elliptic_curvesz$_EllipticCurve._load_elliptic_curvessm..ty!<< "6 CC !!.*===DDDDD^DDDDDDrcR|j|||_|jS)a Get, cache, and return the curves supported by OpenSSL. :param lib: The OpenSSL library binding object. :return: A :py:type:`set` of ``cls`` instances giving the names of the elliptic curves the underlying library supports. )_curvesr)rr)s r_get_elliptic_curvesz#_EllipticCurve._get_elliptic_curvess) ; 33C88CK{rrrEc |||tj||dS)a Instantiate a new :py:class:`_EllipticCurve` associated with the given OpenSSL NID. :param lib: The OpenSSL library binding object. :param nid: The OpenSSL NID the resulting curve object will represent. This must be a curve NID (and not, for example, a hash NID) or subsequent operations will fail in unpredictable ways. :type nid: :py:class:`int` :return: The curve object. ascii)rYr~ OBJ_nid2sndecode)rr)rs rrz_EllipticCurve.from_nids<s3T[)<)<==DDWMMNNNrrrrjc0||_||_||_dS)a :param _lib: The :py:mod:`cryptography` binding instance used to interface with OpenSSL. :param _nid: The OpenSSL NID identifying the curve this object represents. :type _nid: :py:class:`int` :param name: The OpenSSL short name identifying the curve this object represents. :type name: :py:class:`unicode` N)rT_nidr)rr)rrs rrz_EllipticCurve.__init__s   rcd|jdS)Nzrrs r__repr__z_EllipticCurve.__repr__s'''''rc~|j|j}tj|tjS)z Create a new OpenSSL EC_KEY structure initialized to use this curve. The structure is automatically garbage collected when the Python object is garbage collected. )rTEC_KEY_new_by_curve_namerrYr_ EC_KEY_free)rkeys r _to_EC_KEYz_EllipticCurve._to_EC_KEYs0i00;;wsD,---rrrrr)r)rrr)r)rrrErr)r)rrrErrrrjrrrr)rIrJrKrLrrrrrrrrr  __classcell__rs@rrrsG      EEE[E"   [ OOO[O "((((........rrzSget_elliptic_curves is deprecated. You should use the APIs in cryptography instead.rc@ttS)a Return a set of objects representing the elliptic curves supported in the OpenSSL build in use. The curve objects have a :py:class:`unicode` ``name`` attribute by which they identify themselves. The curve objects are useful as values for the argument accepted by :py:meth:`Context.set_tmp_ecdh` to specify which elliptical curve should be used for ECDHE key exchange. )rrrTrrrr@r@s  . .t 4 44rzRget_elliptic_curve is deprecated. You should use the APIs in cryptography instead.rcbtD]}|j|kr|cStd|)aT Return a single curve object selected by name. See :py:func:`get_elliptic_curves` for information about curve objects. :param name: The OpenSSL short name identifying the curve object to retrieve. :type name: :py:class:`unicode` If the named curve is not supported then :py:class:`ValueError` is raised. zunknown curve name)r@rro)rcurves rr?r?2sE %&& :  LLL  )4 0 00rcdeZdZdZddZdfd Zdd ZddZddZddZ ddZ ddZ ddZ xZ S)r5a An X.509 Distinguished Name. :ivar countryName: The country of the entity. :ivar C: Alias for :py:attr:`countryName`. :ivar stateOrProvinceName: The state or province of the entity. :ivar ST: Alias for :py:attr:`stateOrProvinceName`. :ivar localityName: The locality of the entity. :ivar L: Alias for :py:attr:`localityName`. :ivar organizationName: The organization name of the entity. :ivar O: Alias for :py:attr:`organizationName`. :ivar organizationalUnitName: The organizational unit of the entity. :ivar OU: Alias for :py:attr:`organizationalUnitName` :ivar commonName: The common name of the entity. :ivar CN: Alias for :py:attr:`commonName`. :ivar emailAddress: The e-mail address of the entity. rrrjctj|j}tj|tj|_dS)z Create a new X509Name, copying the given X509Name instance. :param name: The name to copy. :type name: :py:class:`X509Name` N)rT X509_NAME_duprrYr_X509_NAME_freers rrzX509Name.__init__bs0!$*--'$(;<< rrvaluerc |dr"t||St|tur&t dt|jddtjt|}|tj kr/ tn#t$rYnwxYwtdttj|jD]z}tj|j|}tj|}tj|}||kr0tj|j|}tj|n{t-|tr|d}tj|j|tj|ddd}|stdSdS) N_z$attribute name must be string, not 'z.200'No such attributeutf-8r) startswithr __setattr__rrrmrIrT OBJ_txt2nid _byte_string NID_undefrr2AttributeErrorrangeX509_NAME_entry_countrX509_NAME_get_entryX509_NAME_ENTRY_get_object OBJ_obj2nidX509_NAME_delete_entryX509_NAME_ENTRY_freerlencodeX509_NAME_add_entry_by_NID MBSTRING_UTF8) rrrrientent_objent_nid add_resultrs rr zX509Name.__setattr__ls ??3   477&&tU33 3 ::S 1KK(0111  |D1122 $.  $&&&&     !455 5t1$*==>>  A*4:q99C5c::G&w//Gg~~1$*a@@)#... eS ! ! *LL))E4 JT/B   # " " " " " # #s'B66 CC str | Nonectjt|}|tjkr/ t n#t $rYnwxYwt dtj|j|d}|dkrdStj |j|}tj |}tj d}tj ||}t|dk tj|d|ddd}tj|dn#tj|dwxYw|S)a  Find attribute. An X509Name object has the following attributes: countryName (alias C), stateOrProvince (alias ST), locality (alias L), organization (alias O), organizationalUnit (alias OU), commonName (alias CN) and more... rrNunsigned char**rr)rTr!r"r#rr2r$X509_NAME_get_index_by_NIDrr'X509_NAME_ENTRY_get_datarYrZASN1_STRING_to_UTF8r]rMr OPENSSL_free) rrr entry_indexentryr`re data_lengthrs r __getattr__zX509Name.__getattr__s^|D1122 $.  $&&&&     !455 55dj#rJJ "  4([AA,U33!233 .}dCC  q())) 0[q!1;??BIIF  mA. / / / /D mA. / / / / sA AA/6EErrct|tstStj|j|jdkSNrrlr5rrT X509_NAME_cmprrrs r__eq__zX509Name.__eq__s6%** "! !!$*ek::a??rct|tstStj|j|jdkSr@rArCs r__lt__zX509Name.__lt__s6%** "! !!$*ek::Q>>rc*tjdd}tj|j|t |}t |tjkdtj | dS)z6 String representation of an X509Name rPizr) rYrZrTX509_NAME_onelinerr\r]r^formatr~r)rre format_results rrzX509Name.__repr__s3// . J s='9'9    2333'.. K & & - -g 6 6   rrEc4tj|jS)a& Return an integer representation of the first four bytes of the MD5 digest of the DER representation of the name. This is the Python equivalent of OpenSSL's ``X509_NAME_hash``. :return: The (integer) hash of this name. :rtype: :py:class:`int` )rTX509_NAME_hashrrs rhashz X509Name.hashs"4:...rrbctjd}tj|j|}t |dktj|d|dd}tj|d|S)z Return the DER encoding of this name. :return: The DER encoded form of this name. :rtype: :py:class:`bytes` r6rN)rYrZrT i2d_X509_NAMErr]rMr:)rre encode_resultrs rrz X509Name.dersv!233 *4:}EE  *+++ M!$4mDDQQQG  -*+++rlist[tuple[bytes, bytes]]cg}ttj|jD]}tj|j|}tj|}tj|}tj|}tj|}tj tj |tj |dd}| tj||f|S)z Returns the components of this name, as a sequence of 2-tuples. :return: The components of this name. :rtype: :py:class:`list` of ``name, value`` tuples. N)r%rTr&rr'r(r8r)rrYrMrr{rr~) rrr/r0fnamefvalrrrs rget_componentszX509Name.get_componentsst1$*==>> 6 6A*4:q99C3C88E055D"5))C?3''DK*400$2I$2O2OaaE MM4;t,,e4 5 5 5 5 rr)rrrrrrj)rrrr4r r rrrb)rrQ)rIrJrKrLrr r>rDrFrrMrrUrrs@rr5r5Hs0====%#%#%#%#%#%#N&&&&P@@@@ ????      / / / /    rr5zZX509Extension support in pyOpenSSL is deprecated. You should use the APIs in cryptography.ceZdZUdZ ddd ZeddZejdej dej diZ de d<ddZ ddZddZd dZd dZdS)!r4zu An X.509 v3 certificate extension. .. deprecated:: 23.3.0 Use cryptography's X509 APIs instead. N type_namerbcriticalrrsubject X509 | Noneissuerrrjcttjd}tj|tjtjtjtjdtj||0t |tstd|j |_ |0t |tstd|j |_ |rd|z}tj tj|||}|tjkrttj|tj|_dS)a Initializes an X509 extension. :param type_name: The name of the type of extension_ to create. :type type_name: :py:data:`bytes` :param bool critical: A flag indicating whether this is a critical extension. :param value: The OpenSSL textual representation of the extension's value. :type value: :py:data:`bytes` :param subject: Optional X509 certificate to use as subject. :type subject: :py:class:`X509` :param issuer: Optional X509 certificate to use as issuer. :type issuer: :py:class:`X509` .. _extension: https://www.openssl.org/docs/manmaster/man5/ x509v3_config.html#STANDARD-EXTENSIONS z X509V3_CTX*rNzissuer must be an X509 instancez subject must be an X509 instances critical,)rYrZrTX509V3_set_ctxr^X509V3_set_ctx_nodbrlr1rm_x509 issuer_cert subject_certX509V3_EXT_nconfrr_X509_EXTENSION_free _extension)rrXrYrrZr\ctx extensions rrzX509Extension.__init__s<h}%% CDIty$)QOOO  %%%  fd++ C ABBB$lCO  gt,, D BCCC&}C   )!5(E)$)S)UKK  ! ! " " "')T-EFFrrcXtjtj|jSr)rTr)X509_EXTENSION_get_objectrers rrzX509Extension._nid\s'  *4? ; ;   remailDNSURIztyping.ClassVar[dict[int, str]] _prefixesrctjdtj|j}tj|tj}g}ttj|D]}tj ||} |j |j }tj |j jj|j jjddd}||dz|z#t&$r[t)}tj|||t-|dYwxYwd|S)NzGENERAL_NAMES*r:z, )rYrzrTX509V3_EXT_d2irer_GENERAL_NAMES_freer%sk_GENERAL_NAME_numsk_GENERAL_NAME_valuermrrMdia5r`lengthrrKeyErrorraGENERAL_NAME_printrgjoin)rnamespartsr/rlabelrrQs r_subjectAltNameStringz#X509Extension._subjectAltNameStringhs` d1$/BB  t677t/6677 2 2A-eQ77D 2ty1  DFJOTVZ5FGGAA&// US[501111 B B B"nn'T222 ^C0077@@AAAAA ByysDA"E('E(ctj|jkr|St }tj||jdd}t|dkt| dS)zF :return: a nice text representation of the extension rr) rTNID_subject_alt_namerr}raX509V3_EXT_printrer]rgr)rrQ print_results r__str__zX509Extension.__str__~sv  $ 1 1--// /nn,S$/1aHH  )***c""))'222rc4tj|jS)zk Returns the critical field of this X.509 extension. :return: The critical field. )rTX509_EXTENSION_get_criticalrers r get_criticalzX509Extension.get_criticals /@@@rctj|j}tj|}tj|}|t jkrt j|SdS)z Returns the short type name of this X.509 extension. The result is a byte string such as :py:const:`b"basicConstraints"`. :return: The short type name. :rtype: :py:data:`bytes` .. versionadded:: 0.12 sUNDEF)rTrirer)rrYr^r~)robjrbufs rget_short_namezX509Extension.get_short_namesY,T_==s##oc"" $)  ;s## #8rctj|j}tjd|}tj|}tj|}tj||ddS)z Returns the data of the X509 extension, encoded as ASN.1. :return: The ASN.1 encoded data of this X509 extension. :rtype: :py:data:`bytes` .. versionadded:: 0.12 ryN)rTX509_EXTENSION_get_datarerYrzrr{rM)r octet_resultr char_result result_lengths rget_datazX509Extension.get_datasb3DODD  .,?? 0?? / >> {; 66qqq99rNN) rXrbrYrrrbrZr[r\r[rrjrr rrV)rIrJrKrLrpropertyrrT GEN_EMAILGEN_DNSGEN_URIrm__annotations__r}rrrrrrrr4r4 s  $" CGCGCGCGCGJ   X  e e2I     , 3 3 3 3AAAA, : : : : : :rr4zPCSR support in pyOpenSSL is deprecated. You should use the APIs in cryptography.ceZdZdZddZddZed dZd!d Zd"d Z d#dZ d$dZ d%dZ d&dZ d'dZd(dZd)dZdS)*r6z An X.509 certificate signing requests. .. deprecated:: 24.2.0 Use `cryptography.x509.CertificateSigningRequest` instead. rrjctj}tj|tj|_|ddSr@)rT X509_REQ_newrYr_ X509_REQ_free_req set_version)rreqs rrzX509Req.__init__s@!!GC!344  rx509.CertificateSigningRequestcNddlm}tt|}||S)z Export as a ``cryptography`` certificate signing request. :rtype: ``cryptography.x509.CertificateSigningRequest`` .. versionadded:: 17.1.0 r)load_der_x509_csr)cryptography.x509r"_dump_certificate_request_internalr,)rrrs rto_cryptographyzX509Req.to_cryptographys6 8777770EE  %%%r crypto_reqct|tjstdddlm}||j}tt|S)a Construct based on a ``cryptography`` *crypto_req*. :param crypto_req: A ``cryptography`` X.509 certificate signing request :type crypto_req: ``cryptography.x509.CertificateSigningRequest`` :rtype: X509Req .. versionadded:: 17.1.0 z%Must be a certificate signing requestrr) rlrCertificateSigningRequestrmrrrr"_load_certificate_request_internalr,)rrrrs rfrom_cryptographyzX509Req.from_cryptographys`*d&DEE ECDD DIIIIII%%hl331-EEErrr3cjtj|j|j}t |dkdS)z Set the public key of the certificate signing request. :param pkey: The public key to use. :type pkey: :py:class:`PKey` :return: ``None`` rN)rTX509_REQ_set_pubkeyrrr]rrrps r set_pubkeyzX509Req.set_pubkeys2-diDD  a(((((rc$tt}tj|j|_t |jtjktj |jtj |_d|_ |S)z Get the public key of the certificate signing request. :return: The public key. :rtype: :py:class:`PKey` T) r3__new__rTX509_REQ_get_pubkeyrrr]rYr^r_rrrs r get_pubkeyzX509Req.get_pubkeyse||D!!-di88  di/000WTZ);<<   rversionrEct|tstd|dkrtdt j|j|}t|dkdS)z Set the version subfield (RFC 2986, section 4.1) of the certificate request. :param int version: The version number. :return: ``None`` zversion must be an intrz9Invalid version. The only valid version for X509Req is 0.rN)rlrErmrorTX509_REQ_set_versionrr])rrrps rrzX509Req.set_version sq'3'' 6455 5 a<<K .ty'BB  a(((((rc4tj|jS)z Get the version subfield (RFC 2459, section 4.1.2.1) of the certificate request. :return: The value of the version subfield. :rtype: :py:class:`int` )rTX509_REQ_get_versionrrs r get_versionzX509Req.get_versions(333rr5ctt}tj|j|_t |jtjk||_ |S)a Return the subject of this certificate signing request. This creates a new :class:`X509Name` that wraps the underlying subject name field on the certificate signing request. Modifying it will modify the underlying signing request, and will have the effect of modifying any other :class:`X509Name` that refers to this subject. :return: The subject of this certificate signing request. :rtype: :class:`X509Name` ) r5rrTX509_REQ_get_subject_namerrr]rYr^_ownerrs r get_subjectzX509Req.get_subject$sP))3DI>>  di/000  r extensionsIterable[X509Extension]ctjdtdtj}t |t jkt j|tj }|D]@}t|tstdtj ||jAtj|j|}t |dkdS)z Add extensions to the certificate signing request. :param extensions: The X.509 extensions to add. :type extensions: iterable of :py:class:`X509Extension` :return: ``None`` This API is deprecated and will be removed in a future version of pyOpenSSL. You should use pyca/cryptography's X.509 APIs instead. stacklevel+One of the elements is not an X509ExtensionrN)warningswarnDeprecationWarningrTsk_X509_EXTENSION_new_nullr]rYr^r_sk_X509_EXTENSION_freerlr4rosk_X509_EXTENSION_pushreX509_REQ_add_extensionsr)rrstackextr3s radd_extensionszX509Req.add_extensions:s  &     /11*+++t:;; ? ?Cc=11 P !NOOO  's~ > > > >1$)UCC  a(((((rlist[X509Extension]ctjdtdg}tj|j}t j|d}ttj |D]}t t}tj tj ||}t j|tj|_|||S)z Get X.509 extensions in the certificate signing request. :return: The X.509 extensions in this request. :rtype: :py:class:`list` of :py:class:`X509Extension` objects. .. versionadded:: 0.15 rrrcftj|tjtjdS)Nrd)rTsk_X509_EXTENSION_pop_freerY addressof _original_lib)xs rrz(X509Req.get_extensions..rs)d5t13HIIr)rrrrTX509_REQ_get_extensionsrrYr_r%sk_X509_EXTENSION_numr4rX509_EXTENSION_dupsk_X509_EXTENSION_valuerdrer)rextsnative_exts_objr/rrgs rget_extensionszX509Req.get_extensions[s  &     6tyAA'     t1/BBCC  A'' 66C/,_a@@I"WY0HIICN KK     rdigestrcD|jrtd|jstdtjt |}|t jkrtdtj|j |j |}t|dkdS)aa Sign the certificate signing request with this key and digest type. :param pkey: The key pair to sign with. :type pkey: :py:class:`PKey` :param digest: The name of the message digest to use for the signature, e.g. :py:data:`"sha256"`. :type digest: :py:class:`str` :return: ``None`` zKey has only public partKey is uninitializedNo such digest methodrN) rrorrTEVP_get_digestbynamer"rYr^ X509_REQ_signrrr])rrr digest_obj sign_results rsignz X509Req.signs   9788 8  5344 4.|F/C/CDD  " "455 5(DJ KK  a(((((rrct|tstdtj|j|j}|dkrt|S)a@ Verifies the signature on this certificate signing request. :param PKey key: A public key. :return: ``True`` if the signature is correct. :rtype: bool :raises OpenSSL.crypto.Error: If the signature is invalid or there is a problem verifying the signature. pkey must be a PKey instancer)rlr3rmrTX509_REQ_verifyrrr)rrrs rverifyzX509Req.verifysU$%% <:;; ;%di<< Q;; " " " rNr)rr)rrrr6rr3rrjrr3rrErrjrrr5rrrrj)rrrr3rrrrj)rr3rr)rIrJrKrLrrrrrrrrrrrrrrrrr6r6s   & & & &FFF[F* ) ) ) )    ))))"4444,))))B$$$$L))))0rr6c2eZdZdZd@dZedAdZdBd ZedCd ZdDdZ dEdZ dFdZ dGdZ dHdZ dIdZdJdZdEdZdKdZdEdZdLd ZdLd!ZdMd#ZdNd&ZdOd'ZdPd*ZdQd+ZdOd,ZdQd-ZdRd/ZdSd1ZdTd2ZdUd4ZdTd5Z dVd7Z!dEd8Z"dWd;Z#dXd>Z$d?S)Yr1z An X.509 certificate. rrjctj}t|tjktj|tj|_t|_ t|_ dSr) rTX509_newr]rYr^r_ X509_freer`r_issuer_invalidator_subject_invalidator)rrs rrz X509.__init__sY} )***WT4>22 #7#9#9 $8$:$:!!!rrrc||}tj|tj|_t |_t |_|Sr) rrYr_rTrr`rrr)rrcerts r_from_raw_x509_ptrzX509._from_raw_x509_ptrsI{{3WT4>22 #7#9#9 $8$:$:! rx509.CertificatecNddlm}tt|}||S)z Export as a ``cryptography`` certificate. :rtype: ``cryptography.x509.Certificate`` .. versionadded:: 17.1.0 r)load_der_x509_certificate)rrr;r,)rrrs rrzX509.to_cryptographys7 @?????}d33((---r crypto_certct|tjstdddlm}||j}tt|S)z Construct based on a ``cryptography`` *crypto_cert*. :param crypto_key: A ``cryptography`` X.509 certificate. :type crypto_key: ``cryptography.x509.Certificate`` :rtype: X509 .. versionadded:: 17.1.0 zMust be a certificaterr) rlr CertificatermrrrrrAr,)rrrrs rrzX509.from_cryptographys_+t'788 5344 4IIIIII&&x|44 s333rrrEct|tstdtt j|j|dkdS)a  Set the version number of the certificate. Note that the version value is zero-based, eg. a value of 0 is V1. :param version: The version number of the certificate. :type version: :py:class:`int` :return: ``None`` zversion must be an integerrN)rlrErmr]rTX509_set_versionr`)rrs rrzX509.set_versionsM'3'' :899 9-dj'BBaGHHHHHrc4tj|jS)z Return the version number of the certificate. :return: The version number of the certificate. :rtype: :py:class:`int` )rTX509_get_versionr`rs rrzX509.get_versions$TZ000rr3c&tt}tj|j|_|jt jkrtt j |jtj |_d|_ |S)z{ Get the public key of the certificate. :return: The public key. :rtype: :py:class:`PKey` T) r3rrTX509_get_pubkeyr`rrYr^rr_rrrs rrzX509.get_pubkeysi||D!!)$*55 : " " " " "WTZ);<<   rrct|tstdtj|j|j}t|dkdS)z Set the public key of the certificate. :param pkey: The public key. :type pkey: :py:class:`PKey` :return: :py:data:`None` rrN)rlr3rmrTX509_set_pubkeyr`rr]rs rrzX509.set_pubkey sS$%% <:;; ;)$*djAA  a(((((rrrct|tstd|jrt d|jst dt jt|}|tj krt dt j |j |j |}t|dkdS)a Sign the certificate with this key and digest type. :param pkey: The key to sign with. :type pkey: :py:class:`PKey` :param digest: The name of the message digest to use. :type digest: :py:class:`str` :return: :py:data:`None` rzKey only has public partrrrN)rlr3rmrrorrTrr"rYr^ X509_signr`rr])rrrevp_mdrs rrz X509.signs$%% <:;; ;   9788 8  5344 4*<+?+?@@ TY  455 5nTZVDD  a(((((rrbcptj|j}tjd}tj|tjtj|tj|d}|tjkrtdtj tj |S)z Return the signature algorithm used in the certificate. :return: The name of the algorithm. :rtype: :py:class:`bytes` :raises ValueError: If the signature algorithm is undefined. .. versionadded:: 0.13 zASN1_OBJECT **rzUndefined signature algorithm) rTX509_get0_tbs_sigalgr`rYrZX509_ALGOR_get0r^r)r#ror~ OBJ_nid2ln)rsig_algalgrs rget_signature_algorithmzX509.get_signature_algorithm7s+DJ77h'(( S$)TY@@@s1v&& $. <== ={4?3//000r digest_namectjt|}|tjkrt dtjdtj}tjdd}t||d<tj |j |||}t|dkd dtj ||dDS)a5 Return the digest of the X509 object. :param digest_name: The name of the digest algorithm to use. :type digest_name: :py:class:`str` :return: The digest of the object, formatted as :py:const:`b":"`-delimited hex pairs. :rtype: :py:class:`bytes` rzunsigned char[]zunsigned int[]rr:cPg|]#}t|$Sr)rupper)rchs r zX509.digest..cs:   " ##%%   r)rTrr"rYr^rorZEVP_MAX_MD_SIZEr\ X509_digestr`r]ryrM)rrrrer digest_results rrz X509.digestJs*< +D+DEE TY  455 5!2D4HII !1155 }-- a( J }    *+++yy  +m]15EFF      rc4tj|jS)z Return the hash of the X509 subject. :return: The hash of the subject. :rtype: :py:class:`int` )rTX509_subject_name_hashr`rs rsubject_name_hashzX509.subject_name_hashis*4:666rserialct|tstdt|dd}|d}t jd}tj||}t|t j ktj |dt j }tj |dt|t j kt j |tj}tj|j|}t|dkdS)z Set the serial number of the certificate. :param serial: The new serial number. :type serial: :py:class:`int` :return: :py:data`None` zserial must be an integerrNrzBIGNUM**rr)rlrErmhexr,rYrZrT BN_hex2bnr]r^BN_to_ASN1_INTEGERrr_ASN1_INTEGER_freeX509_set_serialNumberr`)rr hex_serialhex_serial_bytes bignum_serialr asn1_serialrps rset_serial_numberzX509.set_serial_numberrs&#&& 9788 8[[_ %,,W55,,  /?@@$)+,,,-mA.> JJ  ]1%&&& ty0111gk4+ABB / KHH  a(((((rctj|j}tj|tj} tj|} t j|}t|d}|tj |tj |S#tj |wxYw#tj |wxYw)zx Return the serial number of this certificate. :return: The serial number. :rtype: int ) rTX509_get_serialNumberr`ASN1_INTEGER_to_BNrYr^ BN_bn2hexr~rEr:r)rr&r%r#hexstring_serialrs rget_serial_numberzX509.get_serial_numbers0<< / TYGG  ( 66J .#';z#:#: -r22!*--- L ' ' ' '!*---- L ' ' ' 's#B6%B4B6B33B66C amountct|tstdtj|j}tj||dS)z Adjust the time stamp on which the certificate stops being valid. :param int amount: The number of seconds by which to adjust the timestamp. :return: ``None`` amount must be an integerN)rlrErmrTX509_getm_notAfterr`X509_gmtime_adj)rr/notAfters rgmtime_adj_notAfterzX509.gmtime_adj_notAftersP&#&& 9788 8*4:66 Xv.....rct|tstdtj|j}tj||dS)z Adjust the timestamp on which the certificate starts being valid. :param amount: The number of seconds by which to adjust the timestamp. :return: ``None`` r1N)rlrErmrTX509_getm_notBeforer`r3)rr/ notBefores rgmtime_adj_notBeforezX509.gmtime_adj_notBeforesP&#&& 9788 8,TZ88  Y/////rrcJ|}|td|d}tj|d}tjj}tj|d}||kS)z Check whether the certificate has expired. :return: ``True`` if the certificate has expired, ``False`` otherwise. :rtype: bool NzUnable to determine notAfterrz %Y%m%d%H%M%SZ)tzinfo) get_notAfterrordatetimestrptimetimezoneutcnowreplace)r time_bytes time_string not_afterUTCutcnows r has_expiredzX509.has_expireds&&((  ;<< < ''00 %..{OLL #"&&s++3343@@6!!rwhichrNc<t||jSr)rr`)rrIs r_get_boundary_timezX509._get_boundary_timeseeDJ//000rc@|tjS)a  Get the timestamp at which the certificate starts being valid. The timestamp is formatted as an ASN.1 TIME:: YYYYMMDDhhmmssZ :return: A timestamp string, or ``None`` if there is none. :rtype: bytes or NoneType )rKrTr7rs r get_notBeforezX509.get_notBefores&&t'?@@@rCallable[..., Any]ric>t||j|Sr)rqr`)rrIris r_set_boundary_timezX509._set_boundary_times eeDJ//666rcB|tj|S)z Set the timestamp at which the certificate starts being valid. The timestamp is formatted as an ASN.1 TIME:: YYYYMMDDhhmmssZ :param bytes when: A timestamp string. :return: ``None`` )rPrTr7rris r set_notBeforezX509.set_notBefores&&t'?FFFrc@|tjS)a  Get the timestamp at which the certificate stops being valid. The timestamp is formatted as an ASN.1 TIME:: YYYYMMDDhhmmssZ :return: A timestamp string, or ``None`` if there is none. :rtype: bytes or NoneType )rKrTr2rs rr<zX509.get_notAfters&&t'>???rcB|tj|S)z Set the timestamp at which the certificate stops being valid. The timestamp is formatted as an ASN.1 TIME:: YYYYMMDDhhmmssZ :param bytes when: A timestamp string. :return: ``None`` )rPrTr2rRs r set_notAfterzX509.set_notAfters&&t'>EEErr5ctt}||j|_t |jt jk||_|Sr)r5rr`rr]rYr^r)rrIrs r _get_namezX509._get_name sM))U4:&&  di/000  rrct|tstd||j|j}t |dkdS)Nzname must be an X509Namer)rlr5rmr`rr])rrIrrps r _set_namezX509._set_namesP$)) 8677 7U4:tz22  a(((((rcx|tj}|j||S)a Return the issuer of this certificate. This creates a new :class:`X509Name` that wraps the underlying issuer name field on the certificate. Modifying it will modify the underlying certificate, and will have the effect of modifying any other :class:`X509Name` that refers to this issuer. :return: The issuer of this certificate. :rtype: :class:`X509Name` )rXrTX509_get_issuer_namerrrs r get_issuerzX509.get_issuers4~~d788  $$T*** rr\cx|tj||jdS)z Set the issuer of this certificate. :param issuer: The issuer. :type issuer: :py:class:`X509Name` :return: ``None`` N)rZrTX509_set_issuer_namerr)rr\s r set_issuerzX509.set_issuer+s6 t0&999  &&(((((rcx|tj}|j||S)a Return the subject of this certificate. This creates a new :class:`X509Name` that wraps the underlying subject name field on the certificate. Modifying it will modify the underlying certificate, and will have the effect of modifying any other :class:`X509Name` that refers to this subject. :return: The subject of this certificate. :rtype: :class:`X509Name` )rXrTX509_get_subject_namerrrs rrzX509.get_subject7s4~~d899 !%%d+++ rrZcx|tj||jdS)z Set the subject of this certificate. :param subject: The subject. :type subject: :py:class:`X509Name` :return: ``None`` N)rZrTX509_set_subject_namerr)rrZs r set_subjectzX509.set_subjectGs6 t17;;; !'')))))rc4tj|jS)z Get the number of extensions on this certificate. :return: The number of extensions. :rtype: :py:class:`int` .. versionadded:: 0.12 )rTX509_get_ext_countr`rs rget_extension_countzX509.get_extension_countSs&tz222rrrctjdtd|D]Y}t|tst dt j|j|j d}t|dkZdS)z Add extensions to the certificate. :param extensions: The extensions to add. :type extensions: An iterable of :py:class:`X509Extension` objects. :return: ``None`` rrrrrrN) rrrrlr4rorT X509_add_extr`rer])rrrr3s rrzX509.add_extensions^s  &      - -Cc=11 P !NOOO*4:s~rJJJ J!O , , , ,  - -rindexr4c|tjdtdtt}t j|j||_|jtj krtdt j |j}tj |t j|_|S)a Get a specific extension of the certificate by index. Extensions on a certificate are kept in order. The index parameter selects which extension will be returned. :param int index: The index of the extension to retrieve. :return: The extension at the specified index. :rtype: :py:class:`X509Extension` :raises IndexError: If the extension index was out of bounds. .. versionadded:: 0.12 rrrzextension index out of bounds)rrrr4rrT X509_get_extr`rerYr^ IndexErrorrr_rd)rrkrrgs r get_extensionzX509.get_extensionws  &     ##M22*4:u== >TY & &<== =+CN;; D,DEE rNr)rrrr1)rr)rrrr1rrrrrrV)rrrrb)rrErrj)r/rErrjr)rIrrrN)rrN)rIrNrirbrrj)rirbrrj)rIrrr5)rIrrr5rrjr)r\r5rrj)rZr5rrjr)rkrErr4)%rIrJrKrLrrrrrrrrrrrrrr'r.r5r9rHrKrMrPrSr<rVrXrZr]r`rrerhrrorrrr1r1s;;;;[ . . . .444[4& I I I I1111     ) ) ) )))))81111&    >7777))))8((((( / / / / 0 0 0 0"""""1111 A A A A7777 G G G G @ @ @ @ F F F F    ))))  ) ) ) ) * * * * 3 3 3 3----2rr1ceZdZUdZejZded<ejZ ded<ej Z ded<ej Z ded<ejZded<ejZded<ejZded <ejZded <ejZded <ejZded <d S)r:a  Flags for X509 verification, used to change the behavior of :class:`X509Store`. See `OpenSSL Verification Flags`_ for details. .. _OpenSSL Verification Flags: https://www.openssl.org/docs/manmaster/man3/X509_VERIFY_PARAM_set_flags.html rE CRL_CHECK CRL_CHECK_ALLIGNORE_CRITICAL X509_STRICTALLOW_PROXY_CERTS POLICY_CHECKEXPLICIT_POLICY INHIBIT_MAPCHECK_SS_SIGNATURE PARTIAL_CHAINN)rIrJrKrLrTX509_V_FLAG_CRL_CHECKrqrX509_V_FLAG_CRL_CHECK_ALLrrX509_V_FLAG_IGNORE_CRITICALrsX509_V_FLAG_X509_STRICTrtX509_V_FLAG_ALLOW_PROXY_CERTSruX509_V_FLAG_POLICY_CHECKrvX509_V_FLAG_EXPLICIT_POLICYrwX509_V_FLAG_INHIBIT_MAPrxX509_V_FLAG_CHECK_SS_SIGNATUREryX509_V_FLAG_PARTIAL_CHAINrzrrrr:r:s/I////7M7777;O;;;;3K3333!?????5L5555;O;;;;3K3333"AAAAA7M777777rr:cFeZdZdZddZddZdd Zdd ZddZ dddZ dS)r7a An X.509 store. An X.509 store is used to describe a context in which to verify a certificate. A description of a context may include a set of certificates to trust, a set of certificate revocation lists, verification flags and more. An X.509 store, being only a description, cannot be used by itself to verify a certificate. To carry out the actual verification process, see :class:`X509StoreContext`. rrjcttj}tj|tj|_dSr)rTX509_STORE_newrYr_X509_STORE_free_storerstores rrzX509Store.__init__s*#%%geT%9:: rrr1ct|tsttj|j|j}t|dkdS)a Adds a trusted certificate to this store. Adding a certificate with this method adds this certificate as a *trusted* certificate. :param X509 cert: The certificate to add to this store. :raises TypeError: If the certificate is not an :class:`X509`. :raises OpenSSL.crypto.Error: If OpenSSL was unhappy with your certificate. :return: ``None`` if the certificate was added successfully. rN)rlr1rmrTX509_STORE_add_certrr`r])rrrs radd_certzX509Store.add_certsN $%% ++ &t{DJ??q!!!!!rcrlx509.CertificateRevocationListct|tjrddlm}t ||j}tj |tj }t|tj ktj |tj}ntdttj|j|dkdS)a Add a certificate revocation list to this store. The certificate revocation lists added to a store will only be used if the associated flags are configured to check certificate revocation lists. .. versionadded:: 16.1.0 :param crl: The certificate revocation list to add to this store. :type crl: ``cryptography.x509.CertificateRevocationList`` :return: ``None`` if the certificate revocation list was added successfully. rrz?CRL must be of type cryptography.x509.CertificateRevocationListN)rlrCertificateRevocationListrrrarrrTd2i_X509_CRL_biorYr^r]r_ X509_CRL_freermX509_STORE_add_crlr)rrrrQ openssl_crls radd_crlzX509Store.add_crls c49 : :  M M M M M Ms// ==>>C/TY??K K494 5 5 5'+t'9::CC>  / SAAQFGGGGGrflagsrEc\ttj|j|dkdS)a Set verification flags to this store. Verification flags can be combined by oring them together. .. note:: Setting a verification flag sometimes requires clients to add additional information to the store, otherwise a suitable error will be raised. For example, in setting flags to enable CRL checking a suitable CRL must be added to the store otherwise an error will be raised. .. versionadded:: 16.1.0 :param int flags: The verification flags to set on this store. See :class:`X509StoreFlags` for available constants. :return: ``None`` if the verification flags were successfully set. rN)r]rTX509_STORE_set_flagsr)rrs r set_flagszX509Store.set_flagss,, 1$+uEEJKKKKKrvfy_timedatetime.datetimec2tj}tj|tj}tj|t j|ttj |j |dkdS)a Set the time against which the certificates are verified. Normally the current time is used. .. note:: For example, you can determine if a certificate was valid at a given time. .. versionadded:: 17.0.0 :param datetime vfy_time: The verification time to set on this store. :return: ``None`` if the verification time was successfully set. rN) rTX509_VERIFY_PARAM_newrYr_X509_VERIFY_PARAM_freeX509_VERIFY_PARAM_set_timecalendartimegm timetupler]X509_STORE_set1_paramr)rrparams rset_timezX509Store.set_times *,,t:;; ' 8?8#5#5#7#788    24;FF!KLLLLLrNcafileStrOrBytesPath | Nonecapathc| tj}nt|}| tj}nt|}tj|j||}|st dSdS)a Let X509Store know where we can find trusted certificates for the certificate chain. Note that the certificates have to be in PEM format. If *capath* is passed, it must be a directory prepared using the ``c_rehash`` tool included with OpenSSL. Either, but not both, of *cafile* or *capath* may be ``None``. .. note:: Both *cafile* and *capath* may be set simultaneously. Call this method multiple times to add more than one location. For example, CA certificates, and certificate revocation list bundles may be passed in *cafile* in subsequent calls to this method. .. versionadded:: 20.0 :param cafile: In which file we can find the certificates (``bytes`` or ``unicode``). :param capath: In which directory we can find the certificates (``bytes`` or ``unicode``). :return: ``None`` if the locations were set successfully. :raises OpenSSL.crypto.Error: If both *cafile* and *capath* is ``None`` or the locations could not be set for any reason. N)rYr^ _path_bytesrTX509_STORE_load_locationsrr)rrr load_results rload_locationszX509Store.load_locations&s|F >YFF ((F >YFF ((F4 K   # " " " " " # #rr)rr1rrj)rrrrj)rrErrj)rrrrjr)rrrrrrj) rIrJrKrLrrrrrrrrrr7r7s  ;;;;"""",HHHH<LLLL0MMMM6)-1#1#1#1#1#1#1#rr7c$eZdZdZd fd ZxZS) r9z An exception raised when an error occurred while verifying a certificate using `OpenSSL.X509StoreContext.verify_certificate`. :ivar certificate: The certificate which caused verificate failure. :type certificate: :class:`X509` messagererrors list[Any] certificater1rrjcft|||_||_dSr)rrrr)rrrrrs rrzX509StoreContextError.__init__cs2 !!! &r)rrrrrr1rrj)rIrJrKrLrrrs@rr9r9ZsG''''''''''rr9cneZdZdZ ddd Zedd ZeddZddZddZ ddZ ddZ dS)r8a9 An X.509 store context. An X.509 store context is used to carry out the actual verification process of a certificate in a described context. For describing such a context, see :class:`X509Store`. :param X509Store store: The certificates which will be trusted for the purposes of any verifications. :param X509 certificate: The certificate to be verified. :param chain: List of untrusted certificates that may be used for building the certificate chain. May be ``None``. :type chain: :class:`list` of :class:`X509` Nrr7rr1chainSequence[X509] | NonerrjcV||_||_|||_dSr)r_cert_build_certificate_stack_chain)rrrrs rrzX509StoreContext.__init__{s+    33E:: r certificatesc dd}|t|dkr tjStj}t |tjktj||}|D]}t|tstdt tj |j dktj ||j dkr'tj |j t|S) Nsrrrjcttj|D]+}tj||}tj|,tj|dSr)r%rT sk_X509_num sk_X509_valuer sk_X509_free)rr/rs rcleanupz:X509StoreContext._build_certificate_stack..cleanupsb4+A..// " "&q!,,q!!!!  a rrz+One of the elements is not an X509 instance)rrrrj)r\rYr^rTsk_X509_new_nullr]r_rlr1rm X509_up_refr` sk_X509_pushrr)rrrrs rrz)X509StoreContext._build_certificate_stacks ! ! ! !  3|#4#4#9#99 %''*+++w''  ' 'DdD)) O MNNN D,TZ881< = = =  33q88tz***$&&& r store_ctxrr9ctjtjtj|d}tj|tj||g}tj|}tj|}t |}t|||S)z Convert an OpenSSL native context error failure into a Python exception. When a call to native OpenSSL X509_verify_cert fails, additional information about the failure can be obtained from the store context. r) rYr~rTX509_verify_cert_error_stringX509_STORE_CTX_get_errorrX509_STORE_CTX_get_error_depthX509_STORE_CTX_get_current_certX509_dupr1rr9)rrrr`rpycerts r_exception_from_contextz(X509StoreContext._exception_from_contexts+  .-i88     &//   )) 4 4  / : :  4Y?? e$$((//$Wff===rctj}t|tjktj|tj}tj||jj|j j |j }t|dktj |}|dkr| ||S)a3 Verifies the certificate and runs an X509_STORE_CTX containing the results. :raises X509StoreContextError: If an error occurred when validating a certificate in the context. Sets ``certificate`` attribute to indicate which certificate caused the error. rr)rTX509_STORE_CTX_newr]rYr^r_X509_STORE_CTX_freeX509_STORE_CTX_initrrr`rX509_verify_certr)rrrus r_verify_certificatez$X509StoreContext._verify_certificates+--  TY.///GIt'?@@ & t{)4:+;T[   q!!!#I.. !88..y99 9rc||_dS)z Set the context's X.509 store. .. versionadded:: 0.15 :param X509Store store: The store description which will be used for the purposes of any *future* verifications. N)rrs r set_storezX509StoreContext.set_stores rc.|dS)a" Verify a certificate in a context. .. versionadded:: 0.15 :raises X509StoreContextError: If an error occurred when validating a certificate in the context. Sets ``certificate`` attribute to indicate which certificate caused the error. N)rrs rverify_certificatez#X509StoreContext.verify_certificates   """""r list[X509]c|}tj|}t|tjkg}t tj|D]c}tj||}t|tjkt |}| |dtj ||S)aR Verify a certificate in a context and return the complete validated chain. :raises X509StoreContextError: If an error occurred when validating a certificate in the context. Sets ``certificate`` attribute to indicate which certificate caused the error. .. versionadded:: 20.0 ) rrTX509_STORE_CTX_get1_chainr]rYr^r%rrr1rrr)rr cert_stackrr/rrs rget_verified_chainz#X509StoreContext.get_verified_chains,,.. 3I>>  di/000t' 3344 " "A%j!44D DDI- . . .,,T22F MM& ! ! ! ! *%%% rr)rr7rr1rrrrj)rrrrj)rrrr9r)rr7rrjr)rr) rIrJrKrLr staticmethodrrrrrrrrrr8r8ks  &(, ;;;;;\:>>>\>20     # # # #rr8rct|tr|d}t|}|tkr6t j|tjtjtj}n:|tkr t j |tj}ntd|tjkrtt|S)a Load a certificate (X509) from the string *buffer* encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param bytes buffer: The buffer the certificate is stored in :return: The X509 object r3type argument must be FILETYPE_PEM or FILETYPE_ASN1)rlrr,rar-rTPEM_read_bio_X509rYr^r, d2i_X509_biororr1r)rrMrQrs rrArA s&#(w'' v  C |%c49diKK    di00NOOO ty  " "4 ( ((rrcht}|tkrtj||j}n]|t krtj||j}n7|tkrtj||jdd}ntdt|dkt|S)a Dump the certificate *cert* into a buffer string encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1, or FILETYPE_TEXT) :param cert: The certificate to dump :return: The buffer with the dumped certificate in rCtype argument must be FILETYPE_PEM, FILETYPE_ASN1, or FILETYPE_TEXTr) rar-rTPEM_write_bio_X509r`r, i2d_X509_bior. X509_print_exror]rg)rrrQ result_codes rr;r;&s ..C |-c4:>>   'TZ88   (dj!Q??     K1$%%% #  rrct}|tkr tj}n'|tkr tj}nt d|||j}|dkrtt|S)z Dump a public key to a buffer. :param type: The file type (one of :data:`FILETYPE_PEM` or :data:`FILETYPE_ASN1`). :param PKey pkey: The public key to dump :return: The buffer with the dumped key in it. :rtype: bytes rr) rar-rTPEM_write_bio_PUBKEYr,i2d_PUBKEY_biororrrg)rrrQ write_biors rr>r>Bs~ ..C |-   ' NOOO)C,,Ka #  rcipherr4 passphrasePassphraseCallableT | Nonec t}t|tstd|R|tdt jt |}|tjkrtdn tj}t||}|tkrHt j ||j |tjd|j|j}|n|t"krt j||j }n|t&krt j|j tjkrtdtjt j|j tj}t j||d}ntdt5|dkt7|S)a Dump the private key *pkey* into a buffer string encoded with the type *type*. Optionally (if *type* is :const:`FILETYPE_PEM`) encrypting it using *cipher* and *passphrase*. :param type: The file type (one of :const:`FILETYPE_PEM`, :const:`FILETYPE_ASN1`, or :const:`FILETYPE_TEXT`) :param PKey pkey: The PKey to dump :param cipher: (optional) if encrypted PEM format, the cipher to use :param passphrase: (optional) if encrypted PEM format, this can be either the passphrase to use, or a callback for providing the passphrase. :return: The buffer with the dumped key in :rtype: bytes zpkey must be a PKeyNzDif a value is given for cipher one must also be given for passphrasezInvalid cipher namerz-Only RSA keys are supported for FILETYPE_TEXTr)rarlr3rmrTEVP_get_cipherbynamer"rYr^ro_PassphraseHelperr-PEM_write_bio_PrivateKeyrcallback callback_argsraise_if_problemr,i2d_PrivateKey_bior.rrr_rr RSA_printr]rg) rrrrrQ cipher_objhelperrr$s rr=r=[s* ..C dD ! !/-...   8 .|F/C/CDD  " "233 3 #Y tZ 0 0F |3  J  I O     !!!!   -c4:>>     DJ ' '4+< < <KLL Lgd,TZ88$-HHnS#q11     K1$%%% #  rc`eZdZ ddd Zedd ZeddZefddZddZ dS)rFrrErr more_argsrtruncaterrjcv|tkr|td||_||_||_g|_dS)Nz0only FILETYPE_PEM key format supports encryption)r-ro _passphrase _more_args _truncate _problems)rrrrrs rrz_PassphraseHelper.__init__sL <  J$:B &#!*,rrc|j tjSt|jtst |jrtjd|jStd)Npem_password_cb2Last argument must be a byte string or a callable.) rrYr^rlrbcallabler_read_passphrasermrs rrz_PassphraseHelper.callbackse   #9  (% 0 0 HT=M4N4N =!2D4IJJ JD rc|j tjSt|jtst |jr tjSt d)Nr)rrYr^rlrbrrmrs rrz_PassphraseHelper.callback_argssW   #9  (% 0 0 HT=M4N4N 9 D r exceptionTypetype[Exception]c|jr6 t|n #|$rYnwxYw|jddSr@)r_exception_from_error_queuepop)rr s rrz"_PassphraseHelper.raise_if_problemsd > ( +M::::     .$$Q'' ' ( (s !!rsizerwflaguserdatacF t|jr5|jr||||}n&||}n|jJ|j}t|tst dt ||kr!|jr |d|}nt dtt |D]}|||dz||<t |S#t$r%}|j |Yd}~dSd}~wwxYw)NzBytes expectedz+passphrase returned by callback is too longrr) rrrrlrbror\rr% Exceptionrr)rrrrrrr/es rr z"_PassphraseHelper._read_passphrasesN ()) *?6!--dFHEEFF!--f55FF'333)fe,, 3 !12226{{T!!>#ETE]FF$E3v;;'' + +AE *Av;;     N ! !! $ $ $11111 sC.C11 D ;DD N)FF) rrErrrrrrrrjr)r r rrj) rrrrErrrrrrE) rIrJrKrrrrr2rr rrrrrs   ----- XXAF(((((rr str | bytesc>t|tr|d}t|}|tkr6t j|tjtjtj}n:|tkr t j |tj}ntd|tjkrttt}tj|t j|_d|_|S)a< Load a public key from a buffer. :param type: The file type (one of :data:`FILETYPE_PEM`, :data:`FILETYPE_ASN1`). :param buffer: The buffer the key is stored in. :type buffer: A Python string object, either unicode or bytestring. :return: The PKey object. :rtype: :class:`PKey` rrT)rlrr,rar-rTPEM_read_bio_PUBKEYrYr^r,d2i_PUBKEY_biororr3rr_rrr)rrMrQevp_pkeyrs rrDrDs&#(w'' v  C |+ DIty     &sDI66NOOO49 <<  D4#566DJD Krcdt|tr|d}t|}t ||}|t kr@t j|tj |j |j }| n:|tkr t j|tj }ntd|tj krt!t"t"}tj|t j|_|S)a Load a private key (PKey) from the string *buffer* encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param buffer: The buffer the key is stored in :param passphrase: (optional) if encrypted PEM format, this can be either the passphrase to use, or a callback for providing the passphrase. :return: The PKey object rr)rlrr,rarr-rTPEM_read_bio_PrivateKeyrYr^rrrr,d2i_PrivateKey_biororr3rr_rr)rrMrrQrrrs rrCrC s"&#(w'' v  C tZ 0 0F |/ FOV-A   !!!!   *3 ::NOOO49 <<  D4#566DJ Krrcht}|tkrtj||j}n]|t krtj||j}n7|tkrtj||jdd}ntdt|dkt|S)av Dump the certificate request *req* into a buffer string encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param req: The certificate request to dump :return: The buffer with the dumped certificate request in .. deprecated:: 24.2.0 Use `cryptography.x509.CertificateSigningRequest` instead. rr) rar-rTPEM_write_bio_X509_REQrr,i2d_X509_REQ_bior.X509_REQ_print_exror]rg)rrrQrs rr<r<9 s ..C |1#sx@@   +C::   ,S#(AqAA     K1$%%% #  rr<rc.t|tr|d}t|}|tkr6t j|tjtjtj}n:|tkr t j |tj}ntdt|tjktt}tj|t j|_|S)a Load a certificate request (X509Req) from the string *buffer* encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param buffer: The buffer the certificate request is stored in :return: The X509Req object .. deprecated:: 24.2.0 Use `cryptography.x509.load_der_x509_csr` or `cryptography.x509.load_pem_x509_csr` instead. rr)rlrr,rar-rTPEM_read_bio_X509_REQrYr^r,d2i_X509_REQ_bioror]r6rr_rr)rrMrQrx509reqs rrBrBg s&#(w'' v  C |(diDINN   #C33NOOOC49$%%%oog&&G73 233GL NrrB)rrrrrrr)rMrNrr)rQrrrb)rhrrirbrrj)rirbrr)rwrrrN)rr)rrrr)rrErMrbrr1)rrErr1rrb)rrErr3rrbr) rrErr3rr4rrrrb)rrErMrrr3)rrErMrrrrr3)rrErr6rrb)rrErMrbrr6)o __future__rrr= functoolssysrrbase64rcollections.abcrrrrr r version_infor TypeVar_Ttyping_extensions cryptographyrr)cryptography.hazmat.primitives.asymmetricr r!r"r#r$ OpenSSL._utilr%r&r"r'rr(rYr)rTr* _make_assertr+r__all__rrrrr _PrivateKeyrrrrr _PublicKeyrrbPassphraseCallableTSSL_FILETYPE_PEMr-rSSL_FILETYPE_ASN1r,r.rr0 EVP_PKEY_DSAr/ EVP_PKEY_DHrF EVP_PKEY_ECrGrr2rr]rargrqrvrrr3rr@r?total_orderingr5r4r6r1r:r7r9r8rAr;r>r=rrDrCr<rrIrrBrrrrr=sM""""""" ........ w#######   B-,,,,,$$$$$$$$)(((((   :         [* $%E8CJ#778) ))))+ ++++ !!!!!!!!!!I w:EBB,u%%4;;;;++++2&:        ~.~.~.~.~.~.~.~.Bd.d.d.d.d.d.d.d.N  5 5 5  5 111 1$ D g:g:g:g:g:g:g: g:T ooooooo odggggggggT88888888.g#g#g#g#g#g#g#g#T'''''I'''"[[[[[[[[|)))):88-1 BBBBBJKKKKKKKK\J.2&&&&&R@&>"   #    @&>"   #      r