hg8UddlmZddlZddlZddlZddlZddlZddlmZddl m Z m Z ddlm Z ddl mZddlmZmZmZddlmZmZdd lmZmZmZmZmZdd lmZdd lmZdd lm Z!dd lm"Z#ddlm$Z%ddlm&Z'gdZ(eej)ej*ej+ej,ej-fZ.eej/ej0ej1ej2ej3fZ4ee.e4fZ5ee6e7efZ8ee7ede7ffZ9e#j:Z;dedeZ\e\Z]ejVe\eWd?eXd>5Gd@dAZ^e^Z_ejVe^eWdBeXdA5GdCdDZ`GdEdFZaGdGdHZbGdIdJeHZcGdKdLZddjdNZedkdPZfdldRZg dmdndWZhGdXdYZidod[Zj dbdpd\Zkdqd^ZlelZmejVeleWdBeXd_5drd`ZnenZoejVeneWdBeXda5dS)s) annotationsN) b16encode)IterableSequence)partial)PathLike)AnyCallableUnion)utilsx509)dsaeced448ed25519rsa) byte_string)exception_from_error_queue)ffi)lib) make_assert) path_bytes) FILETYPE_ASN1 FILETYPE_PEM FILETYPE_TEXTTYPE_DSATYPE_RSAX509ErrorPKey X509ExtensionX509NameX509Req X509StoreX509StoreContextX509StoreContextErrorX509StoreFlagsdump_certificatedump_certificate_requestdump_privatekeydump_publickeyget_elliptic_curveget_elliptic_curvesload_certificateload_certificate_requestload_privatekeyload_publickey.intrrirrTYPE_DHTYPE_ECceZdZdZdS)rz7 An error occurred in an `OpenSSL.crypto` API. N)__name__ __module__ __qualname____doc__G/var/www/fb-scrape/myenv/lib/python3.11/site-packages/OpenSSL/crypto.pyrrjsr;rbuffer bytes | Nonereturnr cL|2tjtj}tj}n=t jd|}tj|t|}|fdd}t|tj kt j ||}|S) z Allocate a new OpenSSL memory BIO. Arrange for the garbage collector to clean it up automatically. :param buffer: None or some bytes to use to put into the BIO so that they can be read out. Nchar[]bior refr?c*tj|SN)_libBIO_free)rBrCs r<freez_new_mem_buf..frees=%% %r;)rBr rCr r?r ) rFBIO_new BIO_s_memrG_ffinewBIO_new_mem_buflen_openssl_assertNULLgc)r=rBrHdatas r< _new_mem_bufrSts~l4>++,,}x&))"4V55'+ & & & & &C49$%%% '#t  C Jr;rBbytesctjd}tj||}tj|d|ddS)zO Copy the contents of an OpenSSL BIO object into a Python byte string. zchar**rN)rKrLrFBIO_get_mem_datar=)rB result_buffer buffer_lengths r<_bio_to_stringrYsEHX&&M)#}==M ;}Q' 7 7 ::r;boundarywhenNonect|tstdt|tjkt j||}|dkrtddS)a The the time value of an ASN1 time object. @param boundary: An ASN1_TIME pointer (or an object safely castable to that type) which will have its value set. @param when: A string representation of the desired time value. @raise TypeError: If C{when} is not a L{bytes} string. @raise ValueError: If C{when} does not represent a time in the required format. @raise RuntimeError: If the time value cannot be set for some other (unspecified) reason. zwhen must be a byte stringrzInvalid stringN) isinstancerT TypeErrorrOrKrPrFASN1_TIME_set_string ValueError)rZr[ set_results r<_set_asn1_timercsm dE " "64555H )****8T::JQ)***r;ctj}t|tjktj|tj}t|||S)a Behaves like _set_asn1_time but returns a new ASN1_TIME object. @param when: A string representation of the desired time value. @raise TypeError: If C{when} is not a L{bytes} string. @raise ValueError: If C{when} does not represent a time in the required format. @raise RuntimeError: If the time value cannot be set for some other (unspecified) reason. )rF ASN1_TIME_newrOrKrPrQASN1_TIME_freerc)r[rets r<_new_asn1_timerhsP    CC49$%%% '#t* + +C3 Jr; timestampcFtjd|}tj|dkrdStj|tjkr&tjtj|Stjd}tj ||t|dtj ktjd|d}tj|}tj|}tj |d|S)a] Retrieve the time value of an ASN1 time object. @param timestamp: An ASN1_GENERALIZEDTIME* (or an object safely castable to that type) from which the time value will be retrieved. @return: The time value from C{timestamp} as a L{bytes} string in a certain format. Or C{None} if the object contains no time value. ASN1_STRING*rNzASN1_GENERALIZEDTIME**) rKcastrFASN1_STRING_lengthASN1_STRING_typeV_ASN1_GENERALIZEDTIMEstringASN1_STRING_get0_datarLASN1_TIME_to_generalizedtimerOrPASN1_GENERALIZEDTIME_free)ristring_timestampgeneralized_timestamp string_data string_results r<_get_asn1_timerxsy;; /00A55t .//43NNN{456FGGHHH $)A B B ))5JKKK-a0DI=>>>9^5J15MNN01ABB  K00  &'>C#=#66 6r;typer2bitsc t|tstdt|tstd|tkr|dkrt dt j}tj|t j }t j |t j t j }t j |||tj}t|dkt j|j|}t|dkn|t$krt j}t|tjktj|t j}t j||tjdtjtjtj}t|dktt j|dktt j|j|dknt1dd|_dS) a3 Generate a key pair of the given type, with the given number of bits. This generates a key "into" the this object. :param type: The key type. :type type: :py:data:`TYPE_RSA` or :py:data:`TYPE_DSA` :param bits: The number of bits. :type bits: :py:data:`int` ``>= 0`` :raises TypeError: If :py:data:`type` or :py:data:`bits` isn't of the appropriate type. :raises ValueError: If the number of bits isn't an integer of the appropriate size. :return: ``None`` ztype must be an integerzbits must be an integerrzInvalid number of bitszNo such key typeTN)r^r2r_rrarFBN_newrKrQBN_free BN_set_wordRSA_F4RSA_newRSA_generate_key_exrPrOEVP_PKEY_assign_RSArrDSA_newDSA_freeDSA_generate_parameters_exDSA_generate_keyEVP_PKEY_set1_DSArr)r~rrexponentrresultrress r< generate_keyzPKey.generate_keyKs $$$ 7566 6$$$ 7566 6 8  qyy !9:::{}}Hwx66H  Xt{ 3 3 3,..C-c449MMF FaK ( ( (-dj#>>F FaK ( ( ( ( X  ,..C C49, - - -'#t}--C1T49aDItyC C1H % % % D1#66!; < < < D24:sCCqH I I I I*++ + r;boolc||jrtdtj|tjkrtdtj|j}tj |tj }tj |}|dkrdStdS)ax Check the consistency of an RSA private key. This is the Python equivalent of OpenSSL's ``RSA_check_key``. :return: ``True`` if key is consistent. :raise OpenSSL.crypto.Error: if the key is inconsistent. :raise TypeError: if the key is of a type which cannot be checked. Only RSA keys can currently be checked. zpublic key onlyz'Only RSA keys can currently be checked.rTN) rr_rF EVP_PKEY_typer EVP_PKEY_RSAEVP_PKEY_get1_RSArrKrQRSA_free RSA_check_key_raise_current_error)r~rrs r<checkz PKey.checks   /-.. .  diikk * *d.? ? ?EFF F$TZ00gc4=))#C(( Q;;4r;c4tj|jS)zT Returns the type of the key :return: The type of the key. )rF EVP_PKEY_idrr}s r<rz PKey.types  +++r;c4tj|jS)zh Returns the number of bits of the key :return: The number of bits of the key. )rF EVP_PKEY_bitsrr}s r<rz PKey.bitss !$*---r;Nr)r?r)rrr?r )rr2rr2r?r\r?rr?r2)r6r7r8r9rrrr classmethodrrrrrr:r;r<r r sLL"""" 3333.777777[77r6!6!6!6!p4,,,,......r;r ceZdZdZdZdfd Zedd Zedd ZeddZ ddZ ddZ ddZ xZ S)_EllipticCurveaZ A representation of a supported elliptic curve. @cvar _curves: :py:obj:`None` until an attempt is made to load the curves. Thereafter, a :py:type:`set` containing :py:type:`_EllipticCurve` instances each of which represents one curve supported by the system. @type _curves: :py:type:`NoneType` or :py:type:`set` Notherr r?rc~t|tr!t|StS)z Implement cooperation with the right-hand side argument of ``!=``. Python 3 seems to have dropped this cooperation in this very narrow circumstance. )r^rsuper__ne__NotImplemented)r~r __class__s r<rz_EllipticCurve.__ne__s3 e^ , , )77>>%(( (r;rset[_EllipticCurve]ctjd}tjd|}||t fd|DS)z Get the curves supported by OpenSSL. :param lib: The OpenSSL library binding object. :return: A :py:type:`set` of ``cls`` instances giving the names of the elliptic curves the underlying library supports. rzEC_builtin_curve[]c3NK|]}|jV dSrE)from_nidnid).0crrs r< z7_EllipticCurve._load_elliptic_curves..s3DD3<<QU++DDDDDDr;)EC_get_builtin_curvesrKrPrLset)rr num_curvesbuiltin_curvess`` r<_load_elliptic_curvesz$_EllipticCurve._load_elliptic_curvessm..ty!<< "6 CC !!.*===DDDDD^DDDDDDr;cR|j|||_|jS)a Get, cache, and return the curves supported by OpenSSL. :param lib: The OpenSSL library binding object. :return: A :py:type:`set` of ``cls`` instances giving the names of the elliptic curves the underlying library supports. )_curvesr)rrs r<_get_elliptic_curvesz#_EllipticCurve._get_elliptic_curvess) ; 33C88CK{r;rr2c |||tj||dS)a Instantiate a new :py:class:`_EllipticCurve` associated with the given OpenSSL NID. :param lib: The OpenSSL library binding object. :param nid: The OpenSSL NID the resulting curve object will represent. This must be a curve NID (and not, for example, a hash NID) or subsequent operations will fail in unpredictable ways. :type nid: :py:class:`int` :return: The curve object. ascii)rKrp OBJ_nid2sndecode)rrrs r<rz_EllipticCurve.from_nids<s3T[)<)<==DDWMMNNNr;rstrr\c0||_||_||_dS)a :param _lib: The :py:mod:`cryptography` binding instance used to interface with OpenSSL. :param _nid: The OpenSSL NID identifying the curve this object represents. :type _nid: :py:class:`int` :param name: The OpenSSL short name identifying the curve this object represents. :type name: :py:class:`unicode` N)rF_nidr)r~rrrs r<rz_EllipticCurve.__init__s   r;cd|jdS)Nzrr}s r<__repr__z_EllipticCurve.__repr__s'''''r;c~|j|j}tj|tjS)z Create a new OpenSSL EC_KEY structure initialized to use this curve. The structure is automatically garbage collected when the Python object is garbage collected. )rFEC_KEY_new_by_curve_namerrKrQ EC_KEY_free)r~keys r< _to_EC_KEYz_EllipticCurve._to_EC_KEY s0i00;;wsD,---r;rr r?r)rr r?r)rr rr2r?r)rr rr2rrr?r\r?rr?r )r6r7r8r9rrrrrrrrr __classcell__rs@r<rrsG      EEE[E"   [ OOO[O "((((........r;rrc@ttS)a Return a set of objects representing the elliptic curves supported in the OpenSSL build in use. The curve objects have a :py:class:`unicode` ``name`` attribute by which they identify themselves. The curve objects are useful as values for the argument accepted by :py:meth:`Context.set_tmp_ecdh` to specify which elliptical curve should be used for ECDHE key exchange. )rrrFr:r;r<r-r-s  . .t 4 44r;zSget_elliptic_curves is deprecated. You should use the APIs in cryptography instead.r-rrrcbtD]}|j|kr|cStd|)aT Return a single curve object selected by name. See :py:func:`get_elliptic_curves` for information about curve objects. :param name: The OpenSSL short name identifying the curve object to retrieve. :type name: :py:class:`unicode` If the named curve is not supported then :py:class:`ValueError` is raised. zunknown curve name)_get_elliptic_curves_internalrra)rcurves r<r,r,2sE/00 :  LLL  )4 0 00r;zRget_elliptic_curve is deprecated. You should use the APIs in cryptography instead.r,cdeZdZdZddZdfd Zdd ZddZddZddZ ddZ ddZ ddZ xZ S)r"a An X.509 Distinguished Name. :ivar countryName: The country of the entity. :ivar C: Alias for :py:attr:`countryName`. :ivar stateOrProvinceName: The state or province of the entity. :ivar ST: Alias for :py:attr:`stateOrProvinceName`. :ivar localityName: The locality of the entity. :ivar L: Alias for :py:attr:`localityName`. :ivar organizationName: The organization name of the entity. :ivar O: Alias for :py:attr:`organizationName`. :ivar organizationalUnitName: The organizational unit of the entity. :ivar OU: Alias for :py:attr:`organizationalUnitName` :ivar commonName: The common name of the entity. :ivar CN: Alias for :py:attr:`commonName`. :ivar emailAddress: The e-mail address of the entity. rr?r\ctj|j}tj|tj|_dS)z Create a new X509Name, copying the given X509Name instance. :param name: The name to copy. :type name: :py:class:`X509Name` N)rF X509_NAME_duprrKrQX509_NAME_freers r<rzX509Name.__init__js0!$*--'$(;<< r;rvaluer c |dr"t||St|tur&t dt|jddtjt|}|tj kr/ tn#t$rYnwxYwtdttj|jD]z}tj|j|}tj|}tj|}||kr0tj|j|}tj|n{t-|tr|d}tj|j|tj|ddd}|stdSdS) N_z$attribute name must be string, not 'z.200'No such attributeutf-8r) startswithr __setattr__rrr_r6rF OBJ_txt2nid _byte_string NID_undefrrAttributeErrorrangeX509_NAME_entry_countrX509_NAME_get_entryX509_NAME_ENTRY_get_object OBJ_obj2nidX509_NAME_delete_entryX509_NAME_ENTRY_freer^encodeX509_NAME_add_entry_by_NID MBSTRING_UTF8) r~rr rientent_objent_nid add_resultrs r<rzX509Name.__setattr__ts ??3   477&&tU33 3 ::S 1KK(0111  |D1122 $.  $&&&&     !455 5t1$*==>>  A*4:q99C5c::G&w//Gg~~1$*a@@)#... eS ! ! *LL))E4 JT/B   # " " " " " # #s'B66 CC str | Nonectjt|}|tjkr/ t n#t $rYnwxYwt dtj|j|d}|dkrdStj |j|}tj |}tj d}tj ||}t|dk tj|d|ddd}tj|dn#tj|dwxYw|S)a  Find attribute. An X509Name object has the following attributes: countryName (alias C), stateOrProvince (alias ST), locality (alias L), organization (alias O), organizationalUnit (alias OU), commonName (alias CN) and more... rrNunsigned char**rr)rFrrrrrrX509_NAME_get_index_by_NIDrrX509_NAME_ENTRY_get_datarKrLASN1_STRING_to_UTF8rOr=r OPENSSL_free) r~rr entry_indexentryrRrW data_lengthrs r< __getattr__zX509Name.__getattr__s^|D1122 $.  $&&&&     !455 55dj#rJJ "  4([AA,U33!233 .}dCC  q())) 0[q!1;??BIIF  mA. / / / /D mA. / / / / sA AA/6EErrct|tstStj|j|jdkSNrr^r"rrF X509_NAME_cmprr~rs r<__eq__zX509Name.__eq__s6%** "! !!$*ek::a??r;ct|tstStj|j|jdkSr2r3r5s r<__lt__zX509Name.__lt__s6%** "! !!$*ek::Q>>r;c*tjdd}tj|j|t |}t |tjkdtj | dS)z6 String representation of an X509Name rAizr) rKrLrFX509_NAME_onelinerrNrOrPformatrpr)r~rW format_results r<rzX509Name.__repr__s3// . J s='9'9    2333'.. K & & - -g 6 6   r;r2c4tj|jS)a& Return an integer representation of the first four bytes of the MD5 digest of the DER representation of the name. This is the Python equivalent of OpenSSL's ``X509_NAME_hash``. :return: The (integer) hash of this name. :rtype: :py:class:`int` )rFX509_NAME_hashrr}s r<hashz X509Name.hashs"4:...r;rTctjd}tj|j|}t |dktj|d|dd}tj|d|S)z Return the DER encoding of this name. :return: The DER encoded form of this name. :rtype: :py:class:`bytes` r(rN)rKrLrF i2d_X509_NAMErrOr=r,)r~rW encode_resultrws r<rz X509Name.dersv!233 *4:}EE  *+++ M!$4mDDQQQG  -*+++r;list[tuple[bytes, bytes]]cg}ttj|jD]}tj|j|}tj|}tj|}tj|}tj|}tj tj |tj |dd}| tj||f|S)z Returns the components of this name, as a sequence of 2-tuples. :return: The components of this name. :rtype: :py:class:`list` of ``name, value`` tuples. N)rrFrrrrr*rrrKr=rqrmrrp) r~rr!r"fnamefvalrrr s r<get_componentszX509Name.get_componentsst1$*==>> 6 6A*4:q99C3C88E055D"5))C?3''DK*400$2I$2O2OaaE MM4;t,,e4 5 5 5 5 r;r)rrr r r?r\)rrr?r&rrrr?rT)r?rC)r6r7r8r9rrr0r6r8rr?rrGrrs@r<r"r"Ps0====%#%#%#%#%#%#N&&&&P@@@@ ????      / / / /    r;r"ceZdZUdZ ddd ZeddZejdej dej diZ de d<ddZ ddZddZd dZd dZdS)!r!zu An X.509 v3 certificate extension. .. deprecated:: 23.3.0 Use cryptography's X509 APIs instead. N type_namerTcriticalrr subject X509 | Noneissuerr?r\cttjd}tj|tjtjtjtjdtj||0t |tstd|j |_ |0t |tstd|j |_ |rd|z}tj tj|||}|tjkrttj|tj|_dS)a Initializes an X509 extension. :param type_name: The name of the type of extension_ to create. :type type_name: :py:data:`bytes` :param bool critical: A flag indicating whether this is a critical extension. :param value: The OpenSSL textual representation of the extension's value. :type value: :py:data:`bytes` :param subject: Optional X509 certificate to use as subject. :type subject: :py:class:`X509` :param issuer: Optional X509 certificate to use as issuer. :type issuer: :py:class:`X509` .. _extension: https://www.openssl.org/docs/manmaster/man5/ x509v3_config.html#STANDARD-EXTENSIONS z X509V3_CTX*rNzissuer must be an X509 instancez subject must be an X509 instances critical,)rKrLrFX509V3_set_ctxrPX509V3_set_ctx_nodbr^rr__x509 issuer_cert subject_certX509V3_EXT_nconfrrQX509_EXTENSION_free _extension)r~rJrKr rLrNctx extensions r<rzX509Extension.__init__s<h}%% CDIty$)QOOO  %%%  fd++ C ABBB$lCO  gt,, D BCCC&}C   )!5(E)$)S)UKK  ! ! " " "')T-EFFr;r cXtjtj|jSrE)rFrX509_EXTENSION_get_objectrWr}s r<rzX509Extension._nid`s'  *4? ; ;   r;emailDNSURIztyping.ClassVar[dict[int, str]] _prefixesrctjdtj|j}tj|tj}g}ttj|D]}tj ||} |j |j }tj |j jj|j jjddd}||dz|z#t&$r[t)}tj|||t-|dYwxYwd|S)NzGENERAL_NAMES*r:z, )rKrlrFX509V3_EXT_d2irWrQGENERAL_NAMES_freersk_GENERAL_NAME_numsk_GENERAL_NAME_valuer_rr=dia5rRlengthrrKeyErrorrSGENERAL_NAME_printrYjoin)r~namespartsr!rlabelr rBs r<_subjectAltNameStringz#X509Extension._subjectAltNameStringls` d1$/BB  t677t/6677 2 2A-eQ77D 2ty1  DFJOTVZ5FGGAA&// US[501111 B B B"nn'T222 ^C0077@@AAAAA ByysDA"E('E(ctj|jkr|St }tj||jdd}t|dkt| dS)zF :return: a nice text representation of the extension rr) rFNID_subject_alt_namerrorSX509V3_EXT_printrWrOrYr)r~rB print_results r<__str__zX509Extension.__str__sv  $ 1 1--// /nn,S$/1aHH  )***c""))'222r;c4tj|jS)zk Returns the critical field of this X.509 extension. :return: The critical field. )rFX509_EXTENSION_get_criticalrWr}s r< get_criticalzX509Extension.get_criticals /@@@r;ctj|j}tj|}tj|}|t jkrt j|SdS)z Returns the short type name of this X.509 extension. The result is a byte string such as :py:const:`b"basicConstraints"`. :return: The short type name. :rtype: :py:data:`bytes` .. versionadded:: 0.12 sUNDEF)rFr[rWrrrKrPrp)r~objrbufs r<get_short_namezX509Extension.get_short_namesY,T_==s##oc"" $)  ;s## #8r;ctj|j}tjd|}tj|}tj|}tj||ddS)z Returns the data of the X509 extension, encoded as ASN.1. :return: The ASN.1 encoded data of this X509 extension. :rtype: :py:data:`bytes` .. versionadded:: 0.12 rkN)rFX509_EXTENSION_get_datarWrKrlrqrmr=)r~ octet_resultrw char_result result_lengths r<get_datazX509Extension.get_datasb3DODD  .,?? 0?? / >> {; 66qqq99r;NN) rJrTrKrr rTrLrMrNrMr?r\rrrrH)r6r7r8r9rpropertyrrF GEN_EMAILGEN_DNSGEN_URIr___annotations__rortrwr{rr:r;r<r!r!s $" CGCGCGCGCGJ   X  e e2I     , 3 3 3 3AAAA, : : : : : :r;r!zZX509Extension support in pyOpenSSL is deprecated. You should use the APIs in cryptography.ceZdZdZddZddZed dZd!d Zd"d Z d#dZ d$dZ d%dZ d&dZ d'dZd(dZd)dZdS)*r#z An X.509 certificate signing requests. .. deprecated:: 24.2.0 Use `cryptography.x509.CertificateSigningRequest` instead. r?r\ctj}tj|tj|_|ddSr2)rF X509_REQ_newrKrQ X509_REQ_free_req set_version)r~reqs r<rzX509Req.__init__s@!!GC!344  r;x509.CertificateSigningRequestcNddlm}tt|}||S)z Export as a ``cryptography`` certificate signing request. :rtype: ``cryptography.x509.CertificateSigningRequest`` .. versionadded:: 17.1.0 r)load_der_x509_csr)cryptography.x509r"_dump_certificate_request_internalr)r~rrs r<to_cryptographyzX509Req.to_cryptographys6 8777770EE  %%%r; crypto_reqct|tjstdddlm}||j}tt|S)a Construct based on a ``cryptography`` *crypto_req*. :param crypto_req: A ``cryptography`` X.509 certificate signing request :type crypto_req: ``cryptography.x509.CertificateSigningRequest`` :rtype: X509Req .. versionadded:: 17.1.0 z%Must be a certificate signing requestrr) r^r CertificateSigningRequestr_rrrr"_load_certificate_request_internalr)rrrrs r<from_cryptographyzX509Req.from_cryptographys`*d&DEE ECDD DIIIIII%%hl331-EEEr;rr cjtj|j|j}t |dkdS)z Set the public key of the certificate signing request. :param pkey: The public key to use. :type pkey: :py:class:`PKey` :return: ``None`` rN)rFX509_REQ_set_pubkeyrrrOr~rrbs r< set_pubkeyzX509Req.set_pubkeys2-diDD  a(((((r;c$tt}tj|j|_t |jtjktj |jtj |_d|_ |S)z Get the public key of the certificate signing request. :return: The public key. :rtype: :py:class:`PKey` T) r __new__rFX509_REQ_get_pubkeyrrrOrKrPrQrrrs r< get_pubkeyzX509Req.get_pubkeyse||D!!-di88  di/000WTZ);<<   r;versionr2ct|tstd|dkrtdt j|j|}t|dkdS)z Set the version subfield (RFC 2986, section 4.1) of the certificate request. :param int version: The version number. :return: ``None`` zversion must be an intrz9Invalid version. The only valid version for X509Req is 0.rN)r^r2r_rarFX509_REQ_set_versionrrO)r~rrbs r<rzX509Req.set_versionsq'3'' 6455 5 a<<K .ty'BB  a(((((r;c4tj|jS)z Get the version subfield (RFC 2459, section 4.1.2.1) of the certificate request. :return: The value of the version subfield. :rtype: :py:class:`int` )rFX509_REQ_get_versionrr}s r< get_versionzX509Req.get_version's(333r;r"ctt}tj|j|_t |jtjk||_ |S)a Return the subject of this certificate signing request. This creates a new :class:`X509Name` that wraps the underlying subject name field on the certificate signing request. Modifying it will modify the underlying signing request, and will have the effect of modifying any other :class:`X509Name` that refers to this subject. :return: The subject of this certificate signing request. :rtype: :class:`X509Name` ) r"rrFX509_REQ_get_subject_namerrrOrKrP_ownerrs r< get_subjectzX509Req.get_subject1sP))3DI>>  di/000  r; extensions Iterable[_X509ExtensionInternal]ctjdtdtj}t |t jkt j|tj }|D]@}t|tstdtj ||jAtj|j|}t |dkdS)z Add extensions to the certificate signing request. :param extensions: The X.509 extensions to add. :type extensions: iterable of :py:class:`X509Extension` :return: ``None`` This API is deprecated and will be removed in a future version of pyOpenSSL. You should use pyca/cryptography's X.509 APIs instead. stacklevel+One of the elements is not an X509ExtensionrN)warningswarnDeprecationWarningrFsk_X509_EXTENSION_new_nullrOrKrPrQsk_X509_EXTENSION_freer^_X509ExtensionInternalrask_X509_EXTENSION_pushrWX509_REQ_add_extensionsr)r~rstackextr%s r<add_extensionszX509Req.add_extensionsGs  &     /11*+++t:;; ? ?Cc#9:: P !NOOO  's~ > > > >1$)UCC  a(((((r;list[_X509ExtensionInternal]ctjdtdg}tj|j}t j|d}ttj |D]}t t}tj tj ||}t j|tj|_|||S)z Get X.509 extensions in the certificate signing request. :return: The X.509 extensions in this request. :rtype: :py:class:`list` of :py:class:`X509Extension` objects. .. versionadded:: 0.15 rrrcftj|tjtjdS)NrV)rFsk_X509_EXTENSION_pop_freerK addressof _original_lib)xs r<z(X509Req.get_extensions..s)d5t13HIIr;)rrrrFX509_REQ_get_extensionsrrKrQrsk_X509_EXTENSION_numrrX509_EXTENSION_dupsk_X509_EXTENSION_valuerVrWr)r~extsnative_exts_objr!rrYs r<get_extensionszX509Req.get_extensionsjs  &     6tyAA'     t1/BBCC  A(001GHHC/,_a@@I"WY0HIICN KK     r;digestrcD|jrtd|jstdtjt |}|t jkrtdtj|j |j |}t|dkdS)aa Sign the certificate signing request with this key and digest type. :param pkey: The key pair to sign with. :type pkey: :py:class:`PKey` :param digest: The name of the message digest to use for the signature, e.g. :py:data:`"sha256"`. :type digest: :py:class:`str` :return: ``None`` zKey has only public partKey is uninitializedNo such digest methodrN) rrarrFEVP_get_digestbynamerrKrP X509_REQ_signrrrO)r~rr digest_obj sign_results r<signz X509Req.signs   9788 8  5344 4.|F/C/CDD  " "455 5(DJ KK  a(((((r;rct|tstdtj|j|j}|dkrt|S)a@ Verifies the signature on this certificate signing request. :param PKey key: A public key. :return: ``True`` if the signature is correct. :rtype: bool :raises OpenSSL.crypto.Error: If the signature is invalid or there is a problem verifying the signature. pkey must be a PKey instancer)r^r r_rFX509_REQ_verifyrrr)r~rrs r<verifyzX509Req.verifysU$%% <:;; ;%di<< Q;; " " " r;Nr)r?r)rrr?r#rr r?r\r?r rr2r?r\rr?r"rrr?r\)r?rrr rrr?r\)rr r?r)r6r7r8r9rrrrrrrrrrrrrr:r;r<r#r#s  & & & &FFF[F* ) ) ) )    ))))"4444,!)!)!)!)F$$$$L))))0r;r#zPCSR support in pyOpenSSL is deprecated. You should use the APIs in cryptography.c2eZdZdZd@dZedAdZdBd ZedCd ZdDdZ dEdZ dFdZ dGdZ dHdZ dIdZdJdZdIdZdKdZdEdZdLd ZdLd!ZdMd#ZdNd&ZdOd'ZdPd*ZdQd+ZdOd,ZdQd-ZdRd/ZdSd1ZdTd2ZdUd4ZdTd5Z dVd7Z!dEd8Z"dWd;Z#dXd>Z$d?S)Yrz An X.509 certificate. r?r\ctj}t|tjktj|tj|_t|_ t|_ dSrE) rFX509_newrOrKrPrQ X509_freerRrz_issuer_invalidator_subject_invalidator)r~r s r<rz X509.__init__sY} )***WT4>22 #7#9#9 $8$:$:!!!r;r r c||}tj|tj|_t |_t |_|SrE) rrKrQrFrrRrzrr)rr certs r<_from_raw_x509_ptrzX509._from_raw_x509_ptrsI{{3WT4>22 #7#9#9 $8$:$:! r;x509.CertificatecNddlm}tt|}||S)z Export as a ``cryptography`` certificate. :rtype: ``cryptography.x509.Certificate`` .. versionadded:: 17.1.0 r)load_der_x509_certificate)rrr(r)r~rrs r<rzX509.to_cryptographys7 @?????}d33((---r; crypto_certct|tjstdddlm}||j}tt|S)z Construct based on a ``cryptography`` *crypto_cert*. :param crypto_key: A ``cryptography`` X.509 certificate. :type crypto_key: ``cryptography.x509.Certificate`` :rtype: X509 .. versionadded:: 17.1.0 zMust be a certificaterr) r^r Certificater_rrrrr.r)rrrrs r<rzX509.from_cryptographys_+t'788 5344 4IIIIII&&x|44 s333r;rr2ct|tstdtt j|j|dkdS)a  Set the version number of the certificate. Note that the version value is zero-based, eg. a value of 0 is V1. :param version: The version number of the certificate. :type version: :py:class:`int` :return: ``None`` zversion must be an integerrN)r^r2r_rOrFX509_set_versionrR)r~rs r<rzX509.set_versionsM'3'' :899 9-dj'BBaGHHHHHr;c4tj|jS)z Return the version number of the certificate. :return: The version number of the certificate. :rtype: :py:class:`int` )rFX509_get_versionrRr}s r<rzX509.get_versions$TZ000r;r c&tt}tj|j|_|jt jkrtt j |jtj |_d|_ |S)z{ Get the public key of the certificate. :return: The public key. :rtype: :py:class:`PKey` T) r rrFX509_get_pubkeyrRrrKrPrrQrrrs r<rzX509.get_pubkeysi||D!!)$*55 : " " " " "WTZ);<<   r;rct|tstdtj|j|j}t|dkdS)z Set the public key of the certificate. :param pkey: The public key. :type pkey: :py:class:`PKey` :return: :py:data:`None` rrN)r^r r_rFX509_set_pubkeyrRrrOrs r<rzX509.set_pubkey)sS$%% <:;; ;)$*djAA  a(((((r;rrct|tstd|jrt d|jst dt jt|}|tj krt dt j |j |j |}t|dkdS)a Sign the certificate with this key and digest type. :param pkey: The key to sign with. :type pkey: :py:class:`PKey` :param digest: The name of the message digest to use. :type digest: :py:class:`str` :return: :py:data:`None` rzKey only has public partrrrN)r^r r_rrarrFrrrKrP X509_signrRrrO)r~rrevp_mdrs r<rz X509.sign8s$%% <:;; ;   9788 8  5344 4*<+?+?@@ TY  455 5nTZVDD  a(((((r;rTcptj|j}tjd}tj|tjtj|tj|d}|tjkrtdtj tj |S)z Return the signature algorithm used in the certificate. :return: The name of the algorithm. :rtype: :py:class:`bytes` :raises ValueError: If the signature algorithm is undefined. .. versionadded:: 0.13 zASN1_OBJECT **rzUndefined signature algorithm) rFX509_get0_tbs_sigalgrRrKrLX509_ALGOR_get0rPrrrarp OBJ_nid2ln)r~sig_algalgrs r<get_signature_algorithmzX509.get_signature_algorithmTs+DJ77h'(( S$)TY@@@s1v&& $. <== ={4?3//000r; digest_namectjt|}|tjkrt dtjdtj}tjdd}t||d<tj |j |||}t|dkd dtj ||dDS)a5 Return the digest of the X509 object. :param digest_name: The name of the digest algorithm to use. :type digest_name: :py:class:`str` :return: The digest of the object, formatted as :py:const:`b":"`-delimited hex pairs. :rtype: :py:class:`bytes` rzunsigned char[]zunsigned int[]rr:cPg|]#}t|$Sr:)rupper)rchs r< zX509.digest..s:   " ##%%   r;)rFrrrKrPrarLEVP_MAX_MD_SIZErN X509_digestrRrOrkr=)r~rrrWr digest_results r<rz X509.digestgs*< +D+DEE TY  455 5!2D4HII !1155 }-- a( J }    *+++yy  +m]15EFF      r;c4tj|jS)z Return the hash of the X509 subject. :return: The hash of the subject. :rtype: :py:class:`bytes` )rFX509_subject_name_hashrRr}s r<subject_name_hashzX509.subject_name_hashs*4:666r;serialct|tstdt|dd}|d}t jd}tj||}t|t j ktj |dt j }tj |dt|t j kt j |tj}tj|j|}t|dkdS)z Set the serial number of the certificate. :param serial: The new serial number. :type serial: :py:class:`int` :return: :py:data`None` zserial must be an integerrNrzBIGNUM**rr)r^r2r_hexrrKrLrF BN_hex2bnrOrPBN_to_ASN1_INTEGERrrQASN1_INTEGER_freeX509_set_serialNumberrR)r~r hex_serialhex_serial_bytes bignum_serialr asn1_serialrbs r<set_serial_numberzX509.set_serial_numbers&#&& 9788 8[[_ %,,W55,,  /?@@$)+,,,-mA.> JJ  ]1%&&& ty0111gk4+ABB / KHH  a(((((r;ctj|j}tj|tj} tj|} t j|}t|d}|tj |tj |S#tj |wxYw#tj |wxYw)zx Return the serial number of this certificate. :return: The serial number. :rtype: int ) rFX509_get_serialNumberrRASN1_INTEGER_to_BNrKrP BN_bn2hexrpr2r,r)r~rrrhexstring_serialrs r<get_serial_numberzX509.get_serial_numbers0<< / TYGG  ( 66J .#';z#:#: -r22!*--- L ' ' ' '!*---- L ' ' ' 's#B6%B4B6B33B66C amountct|tstdtj|j}tj||dS)z Adjust the time stamp on which the certificate stops being valid. :param int amount: The number of seconds by which to adjust the timestamp. :return: ``None`` amount must be an integerN)r^r2r_rFX509_getm_notAfterrRX509_gmtime_adj)r~r#notAfters r<gmtime_adj_notAfterzX509.gmtime_adj_notAftersP&#&& 9788 8*4:66 Xv.....r;ct|tstdtj|j}tj||dS)z Adjust the timestamp on which the certificate starts being valid. :param amount: The number of seconds by which to adjust the timestamp. :return: ``None`` r%N)r^r2r_rFX509_getm_notBeforerRr')r~r# notBefores r<gmtime_adj_notBeforezX509.gmtime_adj_notBeforesP&#&& 9788 8,TZ88  Y/////r;rcJ|}|td|d}tj|d}tjj}tj|d}||kS)z Check whether the certificate has expired. :return: ``True`` if the certificate has expired, ``False`` otherwise. :rtype: bool NzUnable to determine notAfterrz %Y%m%d%H%M%SZ)tzinfo) get_notAfterrardatetimestrptimetimezoneutcnowreplace)r~ time_bytes time_string not_afterUTCutcnows r< has_expiredzX509.has_expireds&&((  ;<< < ''00 %..{OLL #"&&s++3343@@6!!r;whichr>c<t||jSrE)rxrR)r~r=s r<_get_boundary_timezX509._get_boundary_timeseeDJ//000r;c@|tjS)a  Get the timestamp at which the certificate starts being valid. The timestamp is formatted as an ASN.1 TIME:: YYYYMMDDhhmmssZ :return: A timestamp string, or ``None`` if there is none. :rtype: bytes or NoneType )r?rFr+r}s r< get_notBeforezX509.get_notBefores&&t'?@@@r;Callable[..., Any]r[c>t||j|SrE)rcrR)r~r=r[s r<_set_boundary_timezX509._set_boundary_times eeDJ//666r;cB|tj|S)z Set the timestamp at which the certificate starts being valid. The timestamp is formatted as an ASN.1 TIME:: YYYYMMDDhhmmssZ :param bytes when: A timestamp string. :return: ``None`` )rDrFr+r~r[s r< set_notBeforezX509.set_notBefores&&t'?FFFr;c@|tjS)a  Get the timestamp at which the certificate stops being valid. The timestamp is formatted as an ASN.1 TIME:: YYYYMMDDhhmmssZ :return: A timestamp string, or ``None`` if there is none. :rtype: bytes or NoneType )r?rFr&r}s r<r0zX509.get_notAfter s&&t'>???r;cB|tj|S)z Set the timestamp at which the certificate stops being valid. The timestamp is formatted as an ASN.1 TIME:: YYYYMMDDhhmmssZ :param bytes when: A timestamp string. :return: ``None`` )rDrFr&rFs r< set_notAfterzX509.set_notAfters&&t'>EEEr;r"ctt}||j|_t |jt jk||_|SrE)r"rrRrrOrKrPr)r~r=rs r< _get_namezX509._get_name'sM))U4:&&  di/000  r;rct|tstd||j|j}t |dkdS)Nzname must be an X509Namer)r^r"r_rRrrO)r~r=rrbs r< _set_namezX509._set_name2sP$)) 8677 7U4:tz22  a(((((r;cx|tj}|j||S)a Return the issuer of this certificate. This creates a new :class:`X509Name` that wraps the underlying issuer name field on the certificate. Modifying it will modify the underlying certificate, and will have the effect of modifying any other :class:`X509Name` that refers to this issuer. :return: The issuer of this certificate. :rtype: :class:`X509Name` )rLrFX509_get_issuer_namerrrs r< get_issuerzX509.get_issuer8s4~~d788  $$T*** r;rNcx|tj||jdS)z Set the issuer of this certificate. :param issuer: The issuer. :type issuer: :py:class:`X509Name` :return: ``None`` N)rNrFX509_set_issuer_namerr)r~rNs r< set_issuerzX509.set_issuerHs6 t0&999  &&(((((r;cx|tj}|j||S)a Return the subject of this certificate. This creates a new :class:`X509Name` that wraps the underlying subject name field on the certificate. Modifying it will modify the underlying certificate, and will have the effect of modifying any other :class:`X509Name` that refers to this subject. :return: The subject of this certificate. :rtype: :class:`X509Name` )rLrFX509_get_subject_namerrrs r<rzX509.get_subjectTs4~~d899 !%%d+++ r;rLcx|tj||jdS)z Set the subject of this certificate. :param subject: The subject. :type subject: :py:class:`X509Name` :return: ``None`` N)rNrFX509_set_subject_namerr)r~rLs r< set_subjectzX509.set_subjectds6 t17;;; !'')))))r;c4tj|jS)z Get the number of extensions on this certificate. :return: The number of extensions. :rtype: :py:class:`int` .. versionadded:: 0.12 )rFX509_get_ext_countrRr}s r<get_extension_countzX509.get_extension_countps&tz222r;rrctjdtd|D]Y}t|tst dt j|j|j d}t|dkZdS)z Add extensions to the certificate. :param extensions: The extensions to add. :type extensions: An iterable of :py:class:`X509Extension` objects. :return: ``None`` rrrrrrN) rrrr^rrarF X509_add_extrRrWrO)r~rrr%s r<rzX509.add_extensions{s  &      - -Cc#9:: P !NOOO*4:s~rJJJ J!O , , , ,  - -r;indexrc|tjdtdtt}t j|j||_|jtj krtdt j |j}tj |t j|_|S)a Get a specific extension of the certificate by index. Extensions on a certificate are kept in order. The index parameter selects which extension will be returned. :param int index: The index of the extension to retrieve. :return: The extension at the specified index. :rtype: :py:class:`X509Extension` :raises IndexError: If the extension index was out of bounds. .. versionadded:: 0.12 rrrzextension index out of bounds)rrrrrrF X509_get_extrRrWrKrP IndexErrorrrQrV)r~r_rrYs r< get_extensionzX509.get_extensions  &     %,,-CDD*4:u== >TY & &<== =+CN;; D,DEE r;Nr)r r r?r)r?r)rrr?rrrrrrrH)rrr?rT)rr2r?r\)r#r2r?r\r)r=r r?r>)r?r>)r=rBr[rTr?r\)r[rTr?r\)r=r r?r")r=r rr"r?r\r)rNr"r?r\)rLr"r?r\r)r_r2r?r)%r6r7r8r9rrrrrrrrrrrrrrr"r)r-r<r?rArDrGr0rJrLrNrQrTrrYr\rrcr:r;r<rrs;;;;[ . . . .444[4& I I I I1111     ) ) ) )))))81111&    >7777))))8((((( / / / / 0 0 0 0"""""1111 A A A A7777 G G G G @ @ @ @ F F F F    ))))  ) ) ) ) * * * * 3 3 3 3----6r;rceZdZUdZejZded<ejZ ded<ej Z ded<ej Z ded<ejZded<ejZded<ejZded <ejZded <ejZded <ejZded <d S)r'a  Flags for X509 verification, used to change the behavior of :class:`X509Store`. See `OpenSSL Verification Flags`_ for details. .. _OpenSSL Verification Flags: https://www.openssl.org/docs/manmaster/man3/X509_VERIFY_PARAM_set_flags.html r2 CRL_CHECK CRL_CHECK_ALLIGNORE_CRITICAL X509_STRICTALLOW_PROXY_CERTS POLICY_CHECKEXPLICIT_POLICY INHIBIT_MAPCHECK_SS_SIGNATURE PARTIAL_CHAINN)r6r7r8r9rFX509_V_FLAG_CRL_CHECKrerX509_V_FLAG_CRL_CHECK_ALLrfX509_V_FLAG_IGNORE_CRITICALrgX509_V_FLAG_X509_STRICTrhX509_V_FLAG_ALLOW_PROXY_CERTSriX509_V_FLAG_POLICY_CHECKrjX509_V_FLAG_EXPLICIT_POLICYrkX509_V_FLAG_INHIBIT_MAPrlX509_V_FLAG_CHECK_SS_SIGNATURErmX509_V_FLAG_PARTIAL_CHAINrnr:r;r<r'r's/I////7M7777;O;;;;3K3333!?????5L5555;O;;;;3K3333"AAAAA7M777777r;r'cFeZdZdZddZddZdd Zdd ZddZ dddZ dS)r$a An X.509 store. An X.509 store is used to describe a context in which to verify a certificate. A description of a context may include a set of certificates to trust, a set of certificate revocation lists, verification flags and more. An X.509 store, being only a description, cannot be used by itself to verify a certificate. To carry out the actual verification process, see :class:`X509StoreContext`. r?r\cttj}tj|tj|_dSrE)rFX509_STORE_newrKrQX509_STORE_free_storer~stores r<rzX509Store.__init__s*#%%geT%9:: r;rrct|tsttj|j|j}t|dkdS)a Adds a trusted certificate to this store. Adding a certificate with this method adds this certificate as a *trusted* certificate. :param X509 cert: The certificate to add to this store. :raises TypeError: If the certificate is not an :class:`X509`. :raises OpenSSL.crypto.Error: If OpenSSL was unhappy with your certificate. :return: ``None`` if the certificate was added successfully. rN)r^rr_rFX509_STORE_add_certr}rRrO)r~rrs r<add_certzX509Store.add_certsN $%% ++ &t{DJ??q!!!!!r;crlx509.CertificateRevocationListct|tjrddlm}t ||j}tj |tj }t|tj ktj |tj}ntdttj|j|dkdS)a Add a certificate revocation list to this store. The certificate revocation lists added to a store will only be used if the associated flags are configured to check certificate revocation lists. .. versionadded:: 16.1.0 :param crl: The certificate revocation list to add to this store. :type crl: ``cryptography.x509.CertificateRevocationList`` :return: ``None`` if the certificate revocation list was added successfully. rrz?CRL must be of type cryptography.x509.CertificateRevocationListN)r^r CertificateRevocationListrrrSrrrFd2i_X509_CRL_biorKrPrOrQ X509_CRL_freer_X509_STORE_add_crlr})r~rrrB openssl_crls r<add_crlzX509Store.add_crls c49 : :  M M M M M Ms// ==>>C/TY??K K494 5 5 5'+t'9::CC>  / SAAQFGGGGGr;flagsr2c\ttj|j|dkdS)a Set verification flags to this store. Verification flags can be combined by oring them together. .. note:: Setting a verification flag sometimes requires clients to add additional information to the store, otherwise a suitable error will be raised. For example, in setting flags to enable CRL checking a suitable CRL must be added to the store otherwise an error will be raised. .. versionadded:: 16.1.0 :param int flags: The verification flags to set on this store. See :class:`X509StoreFlags` for available constants. :return: ``None`` if the verification flags were successfully set. rN)rOrFX509_STORE_set_flagsr})r~rs r< set_flagszX509Store.set_flagss,, 1$+uEEJKKKKKr;vfy_timedatetime.datetimec2tj}tj|tj}tj|t j|ttj |j |dkdS)a Set the time against which the certificates are verified. Normally the current time is used. .. note:: For example, you can determine if a certificate was valid at a given time. .. versionadded:: 17.0.0 :param datetime vfy_time: The verification time to set on this store. :return: ``None`` if the verification time was successfully set. rN) rFX509_VERIFY_PARAM_newrKrQX509_VERIFY_PARAM_freeX509_VERIFY_PARAM_set_timecalendartimegm timetuplerOX509_STORE_set1_paramr})r~rparams r<set_timezX509Store.set_time-s *,,t:;; ' 8?8#5#5#7#788    24;FF!KLLLLLr;NcafileStrOrBytesPathcapathStrOrBytesPath | Nonec| tj}nt|}| tj}nt|}tj|j||}|st dSdS)a Let X509Store know where we can find trusted certificates for the certificate chain. Note that the certificates have to be in PEM format. If *capath* is passed, it must be a directory prepared using the ``c_rehash`` tool included with OpenSSL. Either, but not both, of *cafile* or *capath* may be ``None``. .. note:: Both *cafile* and *capath* may be set simultaneously. Call this method multiple times to add more than one location. For example, CA certificates, and certificate revocation list bundles may be passed in *cafile* in subsequent calls to this method. .. versionadded:: 20.0 :param cafile: In which file we can find the certificates (``bytes`` or ``unicode``). :param capath: In which directory we can find the certificates (``bytes`` or ``unicode``). :return: ``None`` if the locations were set successfully. :raises OpenSSL.crypto.Error: If both *cafile* and *capath* is ``None`` or the locations could not be set for any reason. N)rKrP _path_bytesrFX509_STORE_load_locationsr}r)r~rr load_results r<load_locationszX509Store.load_locationsEs|B >YFF ((F >YFF ((F4 K   # " " " " " # #r;r)rrr?r\)rrr?r\)rr2r?r\)rrr?r\rE)rrrrr?r\) r6r7r8r9rrrrrrr:r;r<r$r$s  ;;;;"""",HHHH<LLLL0MMMM2GK/#/#/#/#/#/#/#r;r$c$eZdZdZd fd ZxZS) r&z An exception raised when an error occurred while verifying a certificate using `OpenSSL.X509StoreContext.verify_certificate`. :ivar certificate: The certificate which caused verificate failure. :type certificate: :class:`X509` messagererrors list[Any] certificaterr?r\cft|||_||_dSrE)rrrr)r~rrrrs r<rzX509StoreContextError.__init__s2 !!! &r;)rrrrrrr?r\)r6r7r8r9rrrs@r<r&r&wsG''''''''''r;r&cneZdZdZ ddd Zedd ZeddZddZddZ ddZ ddZ dS)r%a9 An X.509 store context. An X.509 store context is used to carry out the actual verification process of a certificate in a described context. For describing such a context, see :class:`X509Store`. :param X509Store store: The certificates which will be trusted for the purposes of any verifications. :param X509 certificate: The certificate to be verified. :param chain: List of untrusted certificates that may be used for building the certificate chain. May be ``None``. :type chain: :class:`list` of :class:`X509` Nrr$rrchainSequence[X509] | Noner?r\cV||_||_|||_dSrE)r}_cert_build_certificate_stack_chain)r~rrrs r<rzX509StoreContext.__init__s+    33E:: r; certificatesc dd}|t|dkr tjStj}t |tjktj||}|D]}t|tstdt tj |j dktj ||j dkr'tj |j t|S) Nsr r?r\cttj|D]+}tj||}tj|,tj|dSrE)rrF sk_X509_num sk_X509_valuer sk_X509_free)rr!rs r<cleanupz:X509StoreContext._build_certificate_stack..cleanupsb4+A..// " "&q!,,q!!!!  a r;rz+One of the elements is not an X509 instance)rr r?r\)rNrKrPrFsk_X509_new_nullrOrQr^rr_ X509_up_refrR sk_X509_pushrr)rrrrs r<rz)X509StoreContext._build_certificate_stacks ! ! ! !  3|#4#4#9#99 %''*+++w''  ' 'DdD)) O MNNN D,TZ881< = = =  33q88tz***$&&& r; store_ctxr r&ctjtjtj|d}tj|tj||g}tj|}tj|}t |}t|||S)z Convert an OpenSSL native context error failure into a Python exception. When a call to native OpenSSL X509_verify_cert fails, additional information about the failure can be obtained from the store context. r) rKrprFX509_verify_cert_error_stringX509_STORE_CTX_get_errorrX509_STORE_CTX_get_error_depthX509_STORE_CTX_get_current_certX509_duprrr&)rrrrRrpycerts r<_exception_from_contextz(X509StoreContext._exception_from_contexts+  .-i88     &//   )) 4 4  / : :  4Y?? e$$((//$Wff===r;ctj}t|tjktj|tj}tj||jj|j j |j }t|dktj |}|dkr| ||S)a3 Verifies the certificate and runs an X509_STORE_CTX containing the results. :raises X509StoreContextError: If an error occurred when validating a certificate in the context. Sets ``certificate`` attribute to indicate which certificate caused the error. rr)rFX509_STORE_CTX_newrOrKrPrQX509_STORE_CTX_freeX509_STORE_CTX_initr}rrRrX509_verify_certr)r~rrgs r<_verify_certificatez$X509StoreContext._verify_certificates+--  TY.///GIt'?@@ & t{)4:+;T[   q!!!#I.. !88..y99 9r;c||_dS)z Set the context's X.509 store. .. versionadded:: 0.15 :param X509Store store: The store description which will be used for the purposes of any *future* verifications. N)r}r~s r< set_storezX509StoreContext.set_stores r;c.|dS)a" Verify a certificate in a context. .. versionadded:: 0.15 :raises X509StoreContextError: If an error occurred when validating a certificate in the context. Sets ``certificate`` attribute to indicate which certificate caused the error. N)rr}s r<verify_certificatez#X509StoreContext.verify_certificates   """""r; list[X509]c|}tj|}t|tjkg}t tj|D]c}tj||}t|tjkt |}| |dtj ||S)aR Verify a certificate in a context and return the complete validated chain. :raises X509StoreContextError: If an error occurred when validating a certificate in the context. Sets ``certificate`` attribute to indicate which certificate caused the error. .. versionadded:: 20.0 ) rrFX509_STORE_CTX_get1_chainrOrKrPrrrrrrr)r~r cert_stackrr!rrs r<get_verified_chainz#X509StoreContext.get_verified_chain s,,.. 3I>>  di/000t' 3344 " "A%j!44D DDI- . . .,,T22F MM& ! ! ! ! *%%% r;rE)rr$rrrrr?r\)rrr?r\)rr r?r&r)rr$r?r\r)r?r) r6r7r8r9r staticmethodrrrrrrr:r;r<r%r%s  &(, ;;;;;\:>>>\>20     # # # #r;r%rct|tr|d}t|}|tkr6t j|tjtjtj}n:|tkr t j |tj}ntd|tjkrtt|S)a Load a certificate (X509) from the string *buffer* encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param bytes buffer: The buffer the certificate is stored in :return: The X509 object r3type argument must be FILETYPE_PEM or FILETYPE_ASN1)r^rrrSrrFPEM_read_bio_X509rKrPr d2i_X509_biorarrr)rr=rBr s r<r.r.&s&#(w'' v  C |%c49diKK    di00NOOO ty  " "4 ( ((r;rcht}|tkrtj||j}n]|t krtj||j}n7|tkrtj||jdd}ntdt|dkt|S)a Dump the certificate *cert* into a buffer string encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1, or FILETYPE_TEXT) :param cert: The certificate to dump :return: The buffer with the dumped certificate in rCtype argument must be FILETYPE_PEM, FILETYPE_ASN1, or FILETYPE_TEXTr) rSrrFPEM_write_bio_X509rRr i2d_X509_bior X509_print_exrarOrY)rrrB result_codes r<r(r(Cs ..C |-c4:>>   'TZ88   (dj!Q??     K1$%%% #  r;rct}|tkr tj}n'|tkr tj}nt d|||j}|dkrtt|S)z Dump a public key to a buffer. :param type: The file type (one of :data:`FILETYPE_PEM` or :data:`FILETYPE_ASN1`). :param PKey pkey: The public key to dump :return: The buffer with the dumped key in it. :rtype: bytes rr) rSrrFPEM_write_bio_PUBKEYri2d_PUBKEY_biorarrrY)rrrB write_biors r<r+r+_s~ ..C |-   ' NOOO)C,,Ka #  r;cipherr& passphrasePassphraseCallableT | Nonec t}t|tstd|R|tdt jt |}|tjkrtdn tj}t||}|tkrHt j ||j |tjd|j|j}|n|t"krt j||j }n|t&krt j|j tjkrtdtjt j|j tj}t j||d}ntdt5|dkt7|S)a Dump the private key *pkey* into a buffer string encoded with the type *type*. Optionally (if *type* is :const:`FILETYPE_PEM`) encrypting it using *cipher* and *passphrase*. :param type: The file type (one of :const:`FILETYPE_PEM`, :const:`FILETYPE_ASN1`, or :const:`FILETYPE_TEXT`) :param PKey pkey: The PKey to dump :param cipher: (optional) if encrypted PEM format, the cipher to use :param passphrase: (optional) if encrypted PEM format, this can be either the passphrase to use, or a callback for providing the passphrase. :return: The buffer with the dumped key in :rtype: bytes zpkey must be a PKeyNzDif a value is given for cipher one must also be given for passphrasezInvalid cipher namerz-Only RSA keys are supported for FILETYPE_TEXTr)rSr^r r_rFEVP_get_cipherbynamerrKrPra_PassphraseHelperrPEM_write_bio_PrivateKeyrcallback callback_argsraise_if_problemri2d_PrivateKey_biorrrrQrr RSA_printrOrY) rrrrrB cipher_objhelperrrs r<r*r*xs* ..C dD ! !/-...   8 .|F/C/CDD  " "233 3 #Y tZ 0 0F |3  J  I O     !!!!   -c4:>>     DJ ' '4+< < <KLL Lgd,TZ88$-HHnS#q11     K1$%%% #  r;c`eZdZ ddd Zedd ZeddZefddZddZ dS)rFrr2rr more_argsrtruncater?r\cv|tkr|td||_||_||_g|_dS)Nz0only FILETYPE_PEM key format supports encryption)rra _passphrase _more_args _truncate _problems)r~rrrrs r<rz_PassphraseHelper.__init__sL <  J$:B &#!*,r;r c|j tjSt|jtst |jrtjd|jStd)Npem_password_cb2Last argument must be a byte string or a callable.) rrKrPr^rTcallabler_read_passphraser_r}s r<rz_PassphraseHelper.callbackse   #9  (% 0 0 HT=M4N4N =!2D4IJJ JD r;c|j tjSt|jtst |jr tjSt d)Nr)rrKrPr^rTrr_r}s r<rz_PassphraseHelper.callback_argssW   #9  (% 0 0 HT=M4N4N 9 D r; exceptionTypetype[Exception]c|jr6 t|n #|$rYnwxYw|jddSr2)r_exception_from_error_queuepop)r~rs r<rz"_PassphraseHelper.raise_if_problemsd > ( +M::::     .$$Q'' ' ( (s !!rzsizerwflaguserdatacF t|jr5|jr||||}n&||}n|jJ|j}t|tst dt ||kr!|jr |d|}nt dtt |D]}|||dz||<t |S#t$r%}|j |Yd}~dSd}~wwxYw)NzBytes expectedz+passphrase returned by callback is too longrr) rrrr^rTrarNrr Exceptionrr)r~rzrrrrr!es r<rz"_PassphraseHelper._read_passphrasesN ()) *?6!--dFHEEFF!--f55FF'333)fe,, 3 !12226{{T!!>#ETE]FF$E3v;;'' + +AE *Av;;     N ! !! $ $ $11111 sC.C11 D ;DD N)FF) rr2rrrrrrr?r\r)rrr?r\) rzr rr2rr rr r?r2) r6r7r8rrrrrrrr:r;r<rrs   ----- XXAF(((((r;r str | bytesc>t|tr|d}t|}|tkr6t j|tjtjtj}n:|tkr t j |tj}ntd|tjkrttt}tj|t j|_d|_|S)a< Load a public key from a buffer. :param type: The file type (one of :data:`FILETYPE_PEM`, :data:`FILETYPE_ASN1`). :param buffer: The buffer the key is stored in. :type buffer: A Python string object, either unicode or bytestring. :return: The PKey object. :rtype: :class:`PKey` rrT)r^rrrSrrFPEM_read_bio_PUBKEYrKrPrd2i_PUBKEY_biorarr rrQrrr)rr=rBevp_pkeyrs r<r1r1 s&#(w'' v  C |+ DIty     &sDI66NOOO49 <<  D4#566DJD Kr;cdt|tr|d}t|}t ||}|t kr@t j|tj |j |j }| n:|tkr t j|tj }ntd|tj krt!t"t"}tj|t j|_|S)a Load a private key (PKey) from the string *buffer* encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param buffer: The buffer the key is stored in :param passphrase: (optional) if encrypted PEM format, this can be either the passphrase to use, or a callback for providing the passphrase. :return: The PKey object rr)r^rrrSrrrFPEM_read_bio_PrivateKeyrKrPrrrrd2i_PrivateKey_biorarr rrQrr)rr=rrBrrrs r<r0r0- s"&#(w'' v  C tZ 0 0F |/ FOV-A   !!!!   *3 ::NOOO49 <<  D4#566DJ Kr;rcht}|tkrtj||j}n]|t krtj||j}n7|tkrtj||jdd}ntdt|dkt|S)av Dump the certificate request *req* into a buffer string encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param req: The certificate request to dump :return: The buffer with the dumped certificate request in .. deprecated:: 24.2.0 Use `cryptography.x509.CertificateSigningRequest` instead. rr) rSrrFPEM_write_bio_X509_REQrri2d_X509_REQ_biorX509_REQ_print_exrarOrY)rrrBrs r<r)r)V s ..C |1#sx@@   +C::   ,S#(AqAA     K1$%%% #  r;r)c.t|tr|d}t|}|tkr6t j|tjtjtj}n:|tkr t j |tj}ntdt|tjktt}tj|t j|_|S)a Load a certificate request (X509Req) from the string *buffer* encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param buffer: The buffer the certificate request is stored in :return: The X509Req object .. deprecated:: 24.2.0 Use `cryptography.x509.load_der_x509_csr` or `cryptography.x509.load_pem_x509_csr` instead. rr)r^rrrSrrFPEM_read_bio_X509_REQrKrPrd2i_X509_REQ_biorarO_X509ReqInternalrrQrr)rr=rBrx509reqs r<r/r/ s&#(w'' v  C |(diDINN   #C33NOOOC49$%%%&&'788G73 233GL Nr;r/rE)r=r>r?r )rBr r?rT)rZr r[rTr?r\)r[rTr?r )rir r?r>)r?r)rrr?r)rr2r=rTr?r)rr2rrr?rT)rr2rr r?rTr) rr2rr rr&rrr?rT)rr2r=r r?r )rr2r=r rrr?r )rr2rr#r?rT)rr2r=rTr?r#)p __future__rrr1 functoolstypingrbase64rcollections.abcrrrosrr r r cryptographyr r )cryptography.hazmat.primitives.asymmetricrrrrr OpenSSL._utilrrrrrrKrrFr _make_assertrr__all__rrrrr _PrivateKeyrrrrr _PublicKeyrrrTrPassphraseCallableTSSL_FILETYPE_PEMrrSSL_FILETYPE_ASN1rrrr EVP_PKEY_DSAr EVP_PKEY_DHr3 EVP_PKEY_ECr4r rrrOrSrYrcrhrxrzr rr-r deprecatedr6rr,total_orderingr"r!rr#rrr'r$r&r%r.r(r+r*rr1r0r)rr/rr:r;r<r1s:""""""" ........ %$$$$$$$   :         [* $%sE8+,E8CJ#778) ))))+ ++++ !!!!!!!!!!I w:EBB,u%%4;;;;++++2&:        ~.~.~.~.~.~.~.~.Bd.d.d.d.d.d.d.d.N 5 5 5 5!4       1111$        Dg:g:g:g:g:g:g:g:T'       qqqqqqqqh        iiiiiiiiX88888888.e#e#e#e#e#e#e#e#P'''''I'''"[[[[[[[[|)))):88-1 BBBBBJKKKKKKKK\J.2&&&&&R@&>"   #    @&>"   #      r;