g8UddlmZddlZddlZddlZddlZddlZddlmZddl m Z m Z ddlm Z ddl mZddlmZmZmZddlmZmZdd lmZmZmZmZmZdd lmZdd lmZdd lm Z!dd lm"Z#ddlm$Z%ddlm&Z'gdZ(eejRejTejVejXejZfZ.eej^ej`ejbejdejffZ4ee.e4fZ5ee6e7efZ8ee7ede7ffZ9e#jtZ;deded?ZddTd@ZedUdAZfdVdBZg dW dXdCZhGdDdEZidYdFZj dL dZdGZkd[dHZlelZmejeleWd5eXdI*d\dJZnenZoejeneWd5eXdK*y)]) annotationsN) b16encode)IterableSequence)partial)PathLike)AnyCallableUnion)utilsx509)dsaeced448ed25519rsa) byte_string)exception_from_error_queue)ffi)lib) make_assert) path_bytes) FILETYPE_ASN1 FILETYPE_PEM FILETYPE_TEXTTYPE_DSATYPE_RSAX509ErrorPKey X509ExtensionX509NameX509Req X509StoreX509StoreContextX509StoreContextErrorX509StoreFlagsdump_certificatedump_certificate_requestdump_privatekeydump_publickeyget_elliptic_curveget_elliptic_curvesload_certificateload_certificate_requestload_privatekeyload_publickey.intrrirrTYPE_DHTYPE_ECceZdZdZy)rz7 An error occurred in an `OpenSSL.crypto` API. N)__name__ __module__ __qualname____doc__C/var/www/openai/venv/lib/python3.12/site-packages/OpenSSL/crypto.pyrrjsr;rcT|8tjtj}tj}n;t j d|}tj |t|}|fdd}t|tjk7t j||}|S)z Allocate a new OpenSSL memory BIO. Arrange for the garbage collector to clean it up automatically. :param buffer: None or some bytes to use to put into the BIO so that they can be read out. char[]c,tj|SN)_libBIO_free)biorefs r<freez_new_mem_buf..frees==% %r;)rCr rDr returnr ) rABIO_new BIO_s_memrB_ffinewBIO_new_mem_buflen_openssl_assertNULLgc)bufferrCrEdatas r< _new_mem_bufrRts~ll4>>+,}}xx&)""4V5'+ &C499$% ''#t C Jr;ctjd}tj||}tj|d|ddS)zO Copy the contents of an OpenSSL BIO object into a Python byte string. zchar**rN)rIrJrABIO_get_mem_datarP)rC result_buffer buffer_lengths r<_bio_to_stringrWs?HHX&M))#}=M ;;}Q' 7 ::r;ct|ts tdt|tj k7t j||}|dk(r tdy)a The the time value of an ASN1 time object. @param boundary: An ASN1_TIME pointer (or an object safely castable to that type) which will have its value set. @param when: A string representation of the desired time value. @raise TypeError: If C{when} is not a L{bytes} string. @raise ValueError: If C{when} does not represent a time in the required format. @raise RuntimeError: If the time value cannot be set for some other (unspecified) reason. zwhen must be a byte stringrzInvalid stringN) isinstancebytes TypeErrorrMrIrNrAASN1_TIME_set_string ValueError)boundarywhen set_results r<_set_asn1_timerasW dE "455H )***8T:JQ)**r;ctj}t|tjk7tj |tj }t|||S)a Behaves like _set_asn1_time but returns a new ASN1_TIME object. @param when: A string representation of the desired time value. @raise TypeError: If C{when} is not a L{bytes} string. @raise ValueError: If C{when} does not represent a time in the required format. @raise RuntimeError: If the time value cannot be set for some other (unspecified) reason. )rA ASN1_TIME_newrMrIrNrOASN1_TIME_freera)r_rets r<_new_asn1_timerfsH    CC499$% ''#t** +C3 Jr;cJtjd|}tj|dk(rytj|tj k(r(tj tj|Stjd}tj||t|dtjk7tjd|d}tj|}tj |}tj|d|S)a] Retrieve the time value of an ASN1 time object. @param timestamp: An ASN1_GENERALIZEDTIME* (or an object safely castable to that type) from which the time value will be retrieved. @return: The time value from C{timestamp} as a L{bytes} string in a certain format. Or C{None} if the object contains no time value. ASN1_STRING*rNzASN1_GENERALIZEDTIME**) rIcastrAASN1_STRING_lengthASN1_STRING_typeV_ASN1_GENERALIZEDTIMEstringASN1_STRING_get0_datarJASN1_TIME_to_generalizedtimerMrNASN1_GENERALIZEDTIME_free) timestampstring_timestampgeneralized_timestamp string_data string_results r<_get_asn1_timervsyy; /0A5 ./43N3NN{{4556FGHH $)A B )))5JK-a0DII=>99^5J15MN001AB  K0  &&'C#=#6 6r;c t|ts tdt|ts td|tk(r|dkr t dt j }tj|t j}t j|t jt j}t j|||tj}t|dk(t j |j"|}t|dk(d|_y|t$k(r t j&}t|tjk7tj|t j(}t j*||tjdtjtjtj}t|dk(tt j,|dk(tt j.|j"|dk(d|_yt1d) a3 Generate a key pair of the given type, with the given number of bits. This generates a key "into" the this object. :param type: The key type. :type type: :py:data:`TYPE_RSA` or :py:data:`TYPE_DSA` :param bits: The number of bits. :type bits: :py:data:`int` ``>= 0`` :raises TypeError: If :py:data:`type` or :py:data:`bits` isn't of the appropriate type. :raises ValueError: If the number of bits isn't an integer of the appropriate size. :return: ``None`` ztype must be an integerzbits must be an integerrzInvalid number of bitszNo such key typeTN)rYr2r[rr]rABN_newrIrOBN_free BN_set_wordRSA_F4RSA_newRSA_generate_key_exrNrMEVP_PKEY_assign_RSArrDSA_newDSA_freeDSA_generate_parameters_exDSA_generate_keyEVP_PKEY_set1_DSArr)r|typebitsexponentrresultrress r< generate_keyzPKey.generate_keyKs $$56 6$$56 6 8 qy !9::{{}Hwwx6H   Xt{{ 3,,.C--c4499MF FaK (--djj#>F FaK ("!X ,,.C C499, -''#t}}-C11T499aDIItyyC C1H % D11#6!; < D224::sCqH I!*+ +r;c|jr tdtj|j tj k7r tdtj |j}tj|tj}tj|}|dk(ryty)ax Check the consistency of an RSA private key. This is the Python equivalent of OpenSSL's ``RSA_check_key``. :return: ``True`` if key is consistent. :raise OpenSSL.crypto.Error: if the key is inconsistent. :raise TypeError: if the key is of a type which cannot be checked. Only RSA keys can currently be checked. zpublic key onlyz'Only RSA keys can currently be checked.rTN) rr[rA EVP_PKEY_typer EVP_PKEY_RSAEVP_PKEY_get1_RSArrIrORSA_free RSA_check_key_raise_current_error)r|rrs r<checkz PKey.checks   -. .   diik *d.?.? ?EF F$$TZZ0ggc4==)##C( Q;r;c@tj|jS)zT Returns the type of the key :return: The type of the key. )rA EVP_PKEY_idrr{s r<rz PKey.types  ++r;c@tj|jS)zh Returns the number of bits of the key :return: The number of bits of the key. )rA EVP_PKEY_bitsrr{s r<rz PKey.bitss !!$**--r;Nr)rF_Key)rrrFr )rr2rr2rFrrFboolrFr2)r6r7r8r9rrr}r classmethodrrrrrr:r;r<r r sGLL" 3.7777r6!p4,.r;r cveZdZdZdZd fd Zed dZed dZed dZ d dZ ddZ dd Z xZ S)_EllipticCurveaZ A representation of a supported elliptic curve. @cvar _curves: :py:obj:`None` until an attempt is made to load the curves. Thereafter, a :py:type:`set` containing :py:type:`_EllipticCurve` instances each of which represents one curve supported by the system. @type _curves: :py:type:`NoneType` or :py:type:`set` NcNt|trt| |StS)z Implement cooperation with the right-hand side argument of ``!=``. Python 3 seems to have dropped this cooperation in this very narrow circumstance. )rYrsuper__ne__NotImplemented)r|other __class__s r<rz_EllipticCurve.__ne__s$ e^ ,7>%( (r;cjtjd}tjd|}j||t fd|DS)z Get the curves supported by OpenSSL. :param lib: The OpenSSL library binding object. :return: A :py:type:`set` of ``cls`` instances giving the names of the elliptic curves the underlying library supports. rzEC_builtin_curve[]c3VK|] }j|j"ywr@)from_nidnid).0crrs r< z7_EllipticCurve._load_elliptic_curves..s!D^3<<QUU+^s&))EC_get_builtin_curvesrIrNrJset)rr num_curvesbuiltin_curvess`` r<_load_elliptic_curvesz$_EllipticCurve._load_elliptic_curvessO..tyy!< "6 C !!.*=D^DDDr;c^|j|j||_|jS)a Get, cache, and return the curves supported by OpenSSL. :param lib: The OpenSSL library binding object. :return: A :py:type:`set` of ``cls`` instances giving the names of the elliptic curves the underlying library supports. )_curvesr)rrs r<_get_elliptic_curvesz#_EllipticCurve._get_elliptic_curvess* ;; 33C8CK{{r;c x|||tj|j|jdS)a Instantiate a new :py:class:`_EllipticCurve` associated with the given OpenSSL NID. :param lib: The OpenSSL library binding object. :param nid: The OpenSSL NID the resulting curve object will represent. This must be a curve NID (and not, for example, a hash NID) or subsequent operations will fail in unpredictable ways. :type nid: :py:class:`int` :return: The curve object. ascii)rIrm OBJ_nid2sndecode)rrrs r<rz_EllipticCurve.from_nids03T[[)<=DDWMNNr;c.||_||_||_y)a :param _lib: The :py:mod:`cryptography` binding instance used to interface with OpenSSL. :param _nid: The OpenSSL NID identifying the curve this object represents. :type _nid: :py:class:`int` :param name: The OpenSSL short name identifying the curve this object represents. :type name: :py:class:`unicode` N)rA_nidr)r|rrrs r<r}z_EllipticCurve.__init__s   r;c"d|jdS)Nzrr{s r<__repr__z_EllipticCurve.__repr__s Q''r;c|jj|j}tj|tj S)z Create a new OpenSSL EC_KEY structure initialized to use this curve. The structure is automatically garbage collected when the Python object is garbage collected. )rAEC_KEY_new_by_curve_namerrIrO EC_KEY_free)r|keys r< _to_EC_KEYz_EllipticCurve._to_EC_KEY s3ii00;wwsD,,--r;rr rFr)rr rFset[_EllipticCurve])rr rr2rFr)rr rr2rstrrFrrFrrFr )r6r7r8r9rrrrrrr}rr __classcell__rs@r<rrscG EE"  OO "(.r;rc4tjtS)a Return a set of objects representing the elliptic curves supported in the OpenSSL build in use. The curve objects have a :py:class:`unicode` ``name`` attribute by which they identify themselves. The curve objects are useful as values for the argument accepted by :py:meth:`Context.set_tmp_ecdh` to specify which elliptical curve should be used for ECDHE key exchange. )rrrAr:r;r<r-r-s  . .t 44r;zSget_elliptic_curves is deprecated. You should use the APIs in cryptography instead.r-rc^tD]}|j|k(s|cStd|)aT Return a single curve object selected by name. See :py:func:`get_elliptic_curves` for information about curve objects. :param name: The OpenSSL short name identifying the curve object to retrieve. :type name: :py:class:`unicode` If the named curve is not supported then :py:class:`ValueError` is raised. zunknown curve name)_get_elliptic_curves_internalrr])rcurves r<r,r,2s2/0 :: L1 )4 00r;zRget_elliptic_curve is deprecated. You should use the APIs in cryptography instead.r,cdeZdZdZd dZd fd Zd dZddZddZddZ ddZ dd Z dd Z xZ S)r"a An X.509 Distinguished Name. :ivar countryName: The country of the entity. :ivar C: Alias for :py:attr:`countryName`. :ivar stateOrProvinceName: The state or province of the entity. :ivar ST: Alias for :py:attr:`stateOrProvinceName`. :ivar localityName: The locality of the entity. :ivar L: Alias for :py:attr:`localityName`. :ivar organizationName: The organization name of the entity. :ivar O: Alias for :py:attr:`organizationName`. :ivar organizationalUnitName: The organizational unit of the entity. :ivar OU: Alias for :py:attr:`organizationalUnitName` :ivar commonName: The common name of the entity. :ivar CN: Alias for :py:attr:`commonName`. :ivar emailAddress: The e-mail address of the entity. ctj|j}tj|tj |_y)z Create a new X509Name, copying the given X509Name instance. :param name: The name to copy. :type name: :py:class:`X509Name` N)rA X509_NAME_duprrIrOX509_NAME_freers r<r}zX509Name.__init__js0!!$**-''$(;(;< r;c |jdrt | ||St|tur#t dt|j ddtjt|}|tjk(r ttdttj|j D]}tj"|j |}tj$|}tj&|}||k(sStj(|j |}tj*|nt-|tr|j/d}tj0|j |tj2|ddd}|s tyy#t$r YtdwxYw) N_z$attribute name must be string, not 'z.200'No such attributeutf-8r) startswithr __setattr__rrr[r6rA OBJ_txt2nid _byte_string NID_undefrrAttributeErrorrangeX509_NAME_entry_countrX509_NAME_get_entryX509_NAME_ENTRY_get_object OBJ_obj2nidX509_NAME_delete_entryX509_NAME_ENTRY_freerYencodeX509_NAME_add_entry_by_NID MBSTRING_UTF8) r|rvaluerientent_objent_nid add_resultrs r<rzX509Name.__setattr__ts ??3 7&tU3 3 :S K((.a1  |D12 $..  $&!!45 5t11$**=>A**4::q9C55c:G&&w/Gg~11$**a@))#.? eS !LL)E44 JJT//B  ")  !45 5 s F33 G G ctjt|}|tjk(r t t dtj|j|d}|dk(rytj|j|}tj|}tjd}tj||}t|dk\ tj|d|ddj!d}tj"|d|S#t $r Yt dwxYw#tj"|dwxYw)a  Find attribute. An X509Name object has the following attributes: countryName (alias C), stateOrProvince (alias ST), locality (alias L), organization (alias O), organizationalUnit (alias OU), commonName (alias CN) and more... r rNunsigned char**rr )rArrrrrrX509_NAME_get_index_by_NIDrrX509_NAME_ENTRY_get_datarIrJASN1_STRING_to_UTF8rMrPr OPENSSL_free) r|rr entry_indexentryrQrU data_lengthrs r< __getattr__zX509Name.__getattr__s2|D12 $..  $&!!45 555djj#rJ " (([A,,U3!23 ..}dC  q() 0[[q!1;?BIIF   mA. / -  !45 5 *   mA. /s D#+D<# D98D9<Ect|tstStj|j |j dk(SNrrYr"rrA X509_NAME_cmprr|rs r<__eq__zX509Name.__eq__s2%*! !!!$**ekk:a??r;ct|tstStj|j |j dkSr0r1r3s r<__lt__zX509Name.__lt__s2%*! !!!$**ekk:Q>>r;c tjdd}tj|j|t |}t |tjk7djtj|jdS)z6 String representation of an X509Name r>izr ) rIrJrAX509_NAME_onelinerrLrMrNformatrmr)r|rU format_results r<rzX509Name.__repr__sq3/ .. JJ s='9   23'.. KK & - -g 6  r;c@tj|jS)a& Return an integer representation of the first four bytes of the MD5 digest of the DER representation of the name. This is the Python equivalent of OpenSSL's ``X509_NAME_hash``. :return: The (integer) hash of this name. :rtype: :py:class:`int` )rAX509_NAME_hashrr{s r<hashz X509Name.hashs""4::..r;ctjd}tj|j|}t |dk\tj |d|dd}tj|d|S)z Return the DER encoding of this name. :return: The DER encoded form of this name. :rtype: :py:class:`bytes` r&rN)rIrJrA i2d_X509_NAMErrMrPr*)r|rU encode_resultrus r<rz X509Name.dersi!23 **4::}E  *+ M!$4mDQG  -*+r;cg}ttj|jD]}tj|j|}tj |}tj |}tj|}tj|}tjtj|tj|dd}|jtj||f|S)z Returns the components of this name, as a sequence of 2-tuples. :return: The components of this name. :rtype: :py:class:`list` of ``name, value`` tuples. N)rrArrrrr(rrrIrPrnrjrrm) r|rr r!fnamefvalrrrs r<get_componentszX509Name.get_componentsst11$**=>A**4::q9C33C8E005D""5)C??3'DKK**40$2I2I$2OE MM4;;t,e4 5?  r;r)rrrr rFr)rrrF str | NonerrrrFrZ)rFzlist[tuple[bytes, bytes]])r6r7r8r9r}rr.r4r6rr=rrDrrs@r<r"r"Ps80=%#N&P@ ?   / r;r"ceZdZUdZ d ddZeddZejdejdejdiZ de d <dd Z dd Zdd Zdd ZddZy)r!zu An X.509 v3 certificate extension. .. deprecated:: 23.3.0 Use cryptography's X509 APIs instead. Nctjd}tj|tjtjtjtjdtj ||,t |ts td|j|_ |,t |ts td|j|_ |rd|z}tjtj|||}|tjk(r ttj|tj|_y)a Initializes an X509 extension. :param type_name: The name of the type of extension_ to create. :type type_name: :py:data:`bytes` :param bool critical: A flag indicating whether this is a critical extension. :param value: The OpenSSL textual representation of the extension's value. :type value: :py:data:`bytes` :param subject: Optional X509 certificate to use as subject. :type subject: :py:class:`X509` :param issuer: Optional X509 certificate to use as issuer. :type issuer: :py:class:`X509` .. _extension: https://www.openssl.org/docs/manmaster/man5/ x509v3_config.html#STANDARD-EXTENSIONS z X509V3_CTX*rNzissuer must be an X509 instancez subject must be an X509 instances critical,)rIrJrAX509V3_set_ctxrNX509V3_set_ctx_nodbrYrr[_x509 issuer_cert subject_certX509V3_EXT_nconfrrOX509_EXTENSION_free _extension)r| type_namecriticalrsubjectissuerctx extensions r<r}zX509Extension.__init__s<hh}% CDIItyy$))QO   %  fd+ ABB$llCO  gt, BCC&}}C  !5(E))$))S)UK  ! "'')T-E-EFr;cftjtj|jSr@)rArX509_EXTENSION_get_objectrPr{s r<rzX509Extension._nid`s'  * *4?? ;  r;emailDNSURIztyping.ClassVar[dict[int, str]] _prefixesc$tjdtj|j}tj |tj }g}ttj|D]}tj||} |j|j}tj|jjj|jjj ddj#d}|j%|dz|zdj/|S#t&$rMt)}tj*|||j%t-|j#dYwxYw)NzGENERAL_NAMES*r :z, )rIrirAX509V3_EXT_d2irPrOGENERAL_NAMES_freersk_GENERAL_NAME_numsk_GENERAL_NAME_valuer\rrPdia5rQlengthrrKeyErrorrRGENERAL_NAME_printrWjoin)r|namespartsr rlabelrrCs r<_subjectAltNameStringz#X509Extension._subjectAltNameStringls2 d11$//B t667t//67A--eQ7D 2tyy1  DFFJJOOTVVZZ5F5FG&/ US[5018yy B"n''T2 ^C077@A BsD99AFFctj|jk(r|jSt }tj ||j dd}t|dk7t|jdS)zF :return: a nice text representation of the extension rr ) rANID_subject_alt_namerrlrRX509V3_EXT_printrPrMrWr)r|rC print_results r<__str__zX509Extension.__str__si  $ $ 1--/ /n,,S$//1aH  )*c"))'22r;c@tj|jS)zk Returns the critical field of this X.509 extension. :return: The critical field. )rAX509_EXTENSION_get_criticalrPr{s r< get_criticalzX509Extension.get_criticals //@@r;ctj|j}tj|}tj|}|t j k7rt j|Sy)z Returns the short type name of this X.509 extension. The result is a byte string such as :py:const:`b"basicConstraints"`. :return: The short type name. :rtype: :py:data:`bytes` .. versionadded:: 0.12 sUNDEF)rArXrPrrrIrNrm)r|objrbufs r<get_short_namezX509Extension.get_short_namesV,,T__=s#ooc" $)) ;;s# #r;ctj|j}tjd|}tj |}tj |}tj||ddS)z Returns the data of the X509 extension, encoded as ASN.1. :return: The ASN.1 encoded data of this X509 extension. :rtype: :py:data:`bytes` .. versionadded:: 0.12 rhN)rAX509_EXTENSION_get_datarPrIrirnrjrP)r| octet_resultru char_result result_lengths r<get_datazX509Extension.get_datas^33DOOD  .,? 00? // > {{; 6q99r;NN) rQrZrRrrrZrS X509 | NonerTrrFrrrrrF)r6r7r8r9r}propertyrrA GEN_EMAILGEN_DNSGEN_URIr\__annotations__rlrqrtrxr~r:r;r<r!r!s $" CGCGCG CG  CG  CG CGJ   e e2I.  , 3A, :r;r!zZX509Extension support in pyOpenSSL is deprecated. You should use the APIs in cryptography.ceZdZdZddZddZe ddZddZddZ ddZ ddZ dd Z dd Z dd Zdd Zdd Zy)r#z An X.509 certificate signing requests. .. deprecated:: 24.2.0 Use `cryptography.x509.CertificateSigningRequest` instead. ctj}tj|tj|_|j dyr0)rA X509_REQ_newrIrO X509_REQ_free_req set_version)r|reqs r<r}zX509Req.__init__s6!GGC!3!34  r;c>ddlm}tt|}||S)z Export as a ``cryptography`` certificate signing request. :rtype: ``cryptography.x509.CertificateSigningRequest`` .. versionadded:: 17.1.0 r)load_der_x509_csr)cryptography.x509r"_dump_certificate_request_internalr)r|rrs r<to_cryptographyzX509Req.to_cryptographys 80E %%r;ct|tjs tdddlm}|j |j}tt|S)a Construct based on a ``cryptography`` *crypto_req*. :param crypto_req: A ``cryptography`` X.509 certificate signing request :type crypto_req: ``cryptography.x509.CertificateSigningRequest`` :rtype: X509Req .. versionadded:: 17.1.0 z%Must be a certificate signing requestrr) rYr CertificateSigningRequestr[rrrr"_load_certificate_request_internalr)r crypto_reqrrs r<from_cryptographyzX509Req.from_cryptographysD*d&D&DECD DI%%hll31-EEr;cttj|j|j}t |dk(y)z Set the public key of the certificate signing request. :param pkey: The public key to use. :type pkey: :py:class:`PKey` :return: ``None`` rN)rAX509_REQ_set_pubkeyrrrMr|rr`s r< set_pubkeyzX509Req.set_pubkeys*--diiD  a(r;c@tjt}tj|j|_t |j tjk7tj|j tj|_d|_ |S)z Get the public key of the certificate signing request. :return: The public key. :rtype: :py:class:`PKey` T) r __new__rAX509_REQ_get_pubkeyrrrMrIrNrOrrrs r< get_pubkeyzX509Req.get_pubkeysf||D!--dii8  dii/0WWTZZ););<   r;ct|ts td|dk7r tdt j |j |}t|dk(y)z Set the version subfield (RFC 2986, section 4.1) of the certificate request. :param int version: The version number. :return: ``None`` zversion must be an intrz9Invalid version. The only valid version for X509Req is 0.rN)rYr2r[r]rAX509_REQ_set_versionrrM)r|versionr`s r<rzX509Req.set_versionsU'3'45 5 a<K ..tyy'B  a(r;c@tj|jS)z Get the version subfield (RFC 2459, section 4.1.2.1) of the certificate request. :return: The value of the version subfield. :rtype: :py:class:`int` )rAX509_REQ_get_versionrr{s r< get_versionzX509Req.get_version's((33r;ctjt}tj|j|_t |j tjk7||_ |S)a Return the subject of this certificate signing request. This creates a new :class:`X509Name` that wraps the underlying subject name field on the certificate signing request. Modifying it will modify the underlying signing request, and will have the effect of modifying any other :class:`X509Name` that refers to this subject. :return: The subject of this certificate signing request. :rtype: :class:`X509Name` ) r"rrAX509_REQ_get_subject_namerrrMrIrN_ownerrs r< get_subjectzX509Req.get_subject1sM)33DII>  dii/0  r;ctjdtdtj}t |t jk7t j|tj}|D]=}t|ts tdtj||j?tj|j |}t |dk(y)z Add extensions to the certificate signing request. :param extensions: The X.509 extensions to add. :type extensions: iterable of :py:class:`X509Extension` :return: ``None`` This API is deprecated and will be removed in a future version of pyOpenSSL. You should use pyca/cryptography's X.509 APIs instead. stacklevel+One of the elements is not an X509ExtensionrN)warningswarnDeprecationWarningrAsk_X509_EXTENSION_new_nullrMrIrNrOsk_X509_EXTENSION_freerY_X509ExtensionInternalr]sk_X509_EXTENSION_pushrPX509_REQ_add_extensionsr)r| extensionsstackextr$s r<add_extensionszX509Req.add_extensionsGs  &  //1*+t::;Cc#9: !NOO  ' 's~~ > 11$))UC  a(r;ctjdtdg}tj|j }t j|d}ttj|D]~}tjt}tjtj||}t j|tj|_|j!||S)z Get X.509 extensions in the certificate signing request. :return: The X.509 extensions in this request. :rtype: :py:class:`list` of :py:class:`X509Extension` objects. .. versionadded:: 0.15 rrrcrtj|tjtjdS)NrO)rAsk_X509_EXTENSION_pop_freerI addressof _original_lib)xs r<z(X509Req.get_extensions..s'd55t113HIr;)rrrrAX509_REQ_get_extensionsrrIrOrsk_X509_EXTENSION_numrrX509_EXTENSION_dupsk_X509_EXTENSION_valuerOrPr)r|extsnative_exts_objr rrVs r<get_extensionszX509Req.get_extensionsjs  &  66tyyA''   t11/BCA(001GHC//,,_a@I"WWY0H0HICN KK  D r;cJ|jr td|js tdtjt |}|t jk(r tdtj|j|j|}t|dkDy)aa Sign the certificate signing request with this key and digest type. :param pkey: The key pair to sign with. :type pkey: :py:class:`PKey` :param digest: The name of the message digest to use for the signature, e.g. :py:data:`"sha256"`. :type digest: :py:class:`str` :return: ``None`` zKey has only public partKey is uninitializedNo such digest methodrN) rr]rrAEVP_get_digestbynamerrIrN X509_REQ_signrrrM)r|rdigest digest_obj sign_results r<signz X509Req.signs   78 8  34 4..|F/CD  "45 5((DJJ K  a(r;ct|ts tdtj|j |j }|dkr t|S)a@ Verifies the signature on this certificate signing request. :param PKey key: A public key. :return: ``True`` if the signature is correct. :rtype: bool :raises OpenSSL.crypto.Error: If the signature is invalid or there is a problem verifying the signature. pkey must be a PKey instancer)rYr r[rAX509_REQ_verifyrrr)r|rrs r<verifyzX509Req.verifysF$%:; ;%%dii< Q; " r;Nr)rFx509.CertificateSigningRequest)rrrFr#rr rFrrFr rr2rFrrrFr"rz Iterable[_X509ExtensionInternal]rFr)rFzlist[_X509ExtensionInternal]rr rrrFr)rr rFr)r6r7r8r9r}rrrrrrrrrrrrr:r;r<r#r#sx &F7F FF* ) )"4,!):!) !)F$L)0r;r#zPCSR support in pyOpenSSL is deprecated. You should use the APIs in cryptography.c8eZdZdZd#dZed$dZd%dZed&dZd'dZ d(dZ d)dZ d*d Z d+d Z d,d Zd-d Zd,d Zd.dZd(dZd/dZd/dZd0dZd1dZd2dZ d3dZd4dZd2dZd4dZd5dZd6dZd7dZd8dZd7dZ d9dZ!d(dZ" d:d Z#d;d!Z$y")>2 #7#9 $8$:!r;c|j|}tj|tj|_t |_t |_|Sr@) rrIrOrArrKrxrr)rr certs r<_from_raw_x509_ptrzX509._from_raw_x509_ptrsA{{3WWT4>>2 #7#9 $8$:! r;c>ddlm}tt|}||S)z Export as a ``cryptography`` certificate. :rtype: ``cryptography.x509.Certificate`` .. versionadded:: 17.1.0 r)load_der_x509_certificate)rrr(r)r|rrs r<rzX509.to_cryptographys @}d3(--r;ct|tjs tdddlm}|j |j}tt|S)z Construct based on a ``cryptography`` *crypto_cert*. :param crypto_key: A ``cryptography`` X.509 certificate. :type crypto_key: ``cryptography.x509.Certificate`` :rtype: X509 .. versionadded:: 17.1.0 zMust be a certificaterr) rYr Certificater[rrrrr.r)r crypto_certrrs r<rzX509.from_cryptographysD+t'7'7834 4I&&x||4 s33r;ct|ts tdtt j |j |dk(y)a  Set the version number of the certificate. Note that the version value is zero-based, eg. a value of 0 is V1. :param version: The version number of the certificate. :type version: :py:class:`int` :return: ``None`` zversion must be an integerrN)rYr2r[rMrAX509_set_versionrK)r|rs r<rzX509.set_versions8'3'89 9--djj'BaGHr;c@tj|jS)z Return the version number of the certificate. :return: The version number of the certificate. :rtype: :py:class:`int` )rAX509_get_versionrKr{s r<rzX509.get_versions$$TZZ00r;cBtjt}tj|j|_|j t jk(r tt j|j tj|_d|_ |S)z{ Get the public key of the certificate. :return: The public key. :rtype: :py:class:`PKey` T) r rrAX509_get_pubkeyrKrrIrNrrOrrrs r<rzX509.get_pubkeysg||D!))$**5 :: " "WWTZZ););<   r;ct|ts tdtj|j |j }t|dk(y)z Set the public key of the certificate. :param pkey: The public key. :type pkey: :py:class:`PKey` :return: :py:data:`None` rrN)rYr r[rAX509_set_pubkeyrKrrMrs r<rzX509.set_pubkey)s@$%:; ;))$**djjA  a(r;ct|ts td|jr t d|j s t dt jt|}|tjk(r t dt j|j|j|}t|dkDy)a Sign the certificate with this key and digest type. :param pkey: The key to sign with. :type pkey: :py:class:`PKey` :param digest: The name of the message digest to use. :type digest: :py:class:`str` :return: :py:data:`None` rzKey only has public partrrrN)rYr r[rr]rrArrrIrN X509_signrKrrM)r|rrevp_mdrs r<rz X509.sign8s$%:; ;   78 8  34 4**<+?@ TYY 45 5nnTZZVD  a(r;ctj|j}tjd}tj |tj tj |tj|d}|tjk(r tdtjtj|S)z Return the signature algorithm used in the certificate. :return: The name of the algorithm. :rtype: :py:class:`bytes` :raises ValueError: If the signature algorithm is undefined. .. versionadded:: 0.13 zASN1_OBJECT **rzUndefined signature algorithm) rAX509_get0_tbs_sigalgrKrIrJX509_ALGOR_get0rNrrr]rm OBJ_nid2ln)r|sig_algalgrs r<get_signature_algorithmzX509.get_signature_algorithmTs++DJJ7hh'( S$))TYY@s1v& $.. <= ={{4??3/00r;ctjt|}|tjk(r t dtj dtj}tj dd}t||d<tj|j|||}t|dk(djtj||dDcgc]}t|jc}Scc}w)a5 Return the digest of the X509 object. :param digest_name: The name of the digest algorithm to use. :type digest_name: :py:class:`str` :return: The digest of the object, formatted as :py:const:`b":"`-delimited hex pairs. :rtype: :py:class:`bytes` rzunsigned char[]zunsigned int[]rr:)rArrrIrNr]rJEVP_MAX_MD_SIZErL X509_digestrKrMrhrPrupper)r| digest_namerrUr} digest_resultchs r<rz X509.digestgs**< +DE TYY 45 5!2D4H4HI !115 }- a(( JJ }   *+yy++m]15EF FB" ##%F    s Dc@tj|jS)z Return the hash of the X509 subject. :return: The hash of the subject. :rtype: :py:class:`bytes` )rAX509_subject_name_hashrKr{s r<subject_name_hashzX509.subject_name_hashs**4::66r;c`t|ts tdt|dd}|j d}t j d}tj||}t|t jk7tj|dt j}tj|dt|t jk7t j|tj}tj|j |}t|dk(y)z Set the serial number of the certificate. :param serial: The new serial number. :type serial: :py:class:`int` :return: :py:data`None` zserial must be an integerrNrzBIGNUM**rr)rYr2r[hexrrIrJrA BN_hex2bnrMrNBN_to_ASN1_INTEGERrrOASN1_INTEGER_freeX509_set_serialNumberrK)r|serial hex_serialhex_serial_bytes bignum_serialr asn1_serialr`s r<set_serial_numberzX509.set_serial_numbers&#&78 8[_ %,,W5,  /?@$))+,--mA.> J  ]1%& tyy01ggk4+A+AB // KH  a(r;ctj|j}tj|tj } tj |} t j|}t|d}|tj|tj|S#tj|wxYw#tj|wxYw)zx Return the serial number of this certificate. :return: The serial number. :rtype: int ) rAX509_get_serialNumberrKASN1_INTEGER_to_BNrIrN BN_bn2hexrmr2r*r)r|rrrhexstring_serialrs r<get_serial_numberzX509.get_serial_numbers00< // TYYG  ( 6J .#';;z#: -r2!!*- LL '!!*- LL 's$C"B(=C(B??CCct|ts tdtj|j }tj ||y)z Adjust the time stamp on which the certificate stops being valid. :param int amount: The number of seconds by which to adjust the timestamp. :return: ``None`` amount must be an integerN)rYr2r[rAX509_getm_notAfterrKX509_gmtime_adj)r|amountnotAfters r<gmtime_adj_notAfterzX509.gmtime_adj_notAfters>&#&78 8**4::6 Xv.r;ct|ts tdtj|j }tj ||y)z Adjust the timestamp on which the certificate starts being valid. :param amount: The number of seconds by which to adjust the timestamp. :return: ``None`` rN)rYr2r[rAX509_getm_notBeforerKr)r|r  notBefores r<gmtime_adj_notBeforezX509.gmtime_adj_notBefores>&#&78 8,,TZZ8  Y/r;c:|j}| td|jd}tjj |d}tj j }tjj|jd}||kS)z Check whether the certificate has expired. :return: ``True`` if the certificate has expired, ``False`` otherwise. :rtype: bool NzUnable to determine notAfterr z %Y%m%d%H%M%SZ)tzinfo) get_notAfterr]rdatetimestrptimetimezoneutcnowreplace)r| time_bytes time_string not_afterUTCutcnows r< has_expiredzX509.has_expireds&&(  ;< < ''0 %%..{OL ##""&&s+3343@6!!r;c8t||jSr@)rvrK)r|whichs r<_get_boundary_timezX509._get_boundary_timeseDJJ/00r;c@|jtjS)a  Get the timestamp at which the certificate starts being valid. The timestamp is formatted as an ASN.1 TIME:: YYYYMMDDhhmmssZ :return: A timestamp string, or ``None`` if there is none. :rtype: bytes or NoneType )r8rAr$r{s r< get_notBeforezX509.get_notBefores&&t'?'?@@r;c:t||j|Sr@)rarK)r|r7r_s r<_set_boundary_timezX509._set_boundary_timeseDJJ/66r;cB|jtj|S)z Set the timestamp at which the certificate starts being valid. The timestamp is formatted as an ASN.1 TIME:: YYYYMMDDhhmmssZ :param bytes when: A timestamp string. :return: ``None`` )r<rAr$r|r_s r< set_notBeforezX509.set_notBefores&&t'?'?FFr;c@|jtjS)a  Get the timestamp at which the certificate stops being valid. The timestamp is formatted as an ASN.1 TIME:: YYYYMMDDhhmmssZ :return: A timestamp string, or ``None`` if there is none. :rtype: bytes or NoneType )r8rArr{s r<r)zX509.get_notAfter s&&t'>'>??r;cB|jtj|S)z Set the timestamp at which the certificate stops being valid. The timestamp is formatted as an ASN.1 TIME:: YYYYMMDDhhmmssZ :param bytes when: A timestamp string. :return: ``None`` )r<rArr>s r< set_notAfterzX509.set_notAfters&&t'>'>EEr;ctjt}||j|_t |jt j k7||_|Sr@)r"rrKrrMrIrNr)r|r7rs r< _get_namezX509._get_name'sE)4::&  dii/0  r;ct|ts td||j|j}t |dk(y)Nzname must be an X509Namer)rYr"r[rKrrM)r|r7rr`s r< _set_namezX509._set_name2s8$)67 74::tzz2  a(r;cz|jtj}|jj ||S)a Return the issuer of this certificate. This creates a new :class:`X509Name` that wraps the underlying issuer name field on the certificate. Modifying it will modify the underlying certificate, and will have the effect of modifying any other :class:`X509Name` that refers to this issuer. :return: The issuer of this certificate. :rtype: :class:`X509Name` )rDrAX509_get_issuer_namerrrs r< get_issuerzX509.get_issuer8s1~~d778   $$T* r;cx|jtj||jj y)z Set the issuer of this certificate. :param issuer: The issuer. :type issuer: :py:class:`X509Name` :return: ``None`` N)rFrAX509_set_issuer_namerr)r|rTs r< set_issuerzX509.set_issuerHs* t00&9   &&(r;cz|jtj}|jj ||S)a Return the subject of this certificate. This creates a new :class:`X509Name` that wraps the underlying subject name field on the certificate. Modifying it will modify the underlying certificate, and will have the effect of modifying any other :class:`X509Name` that refers to this subject. :return: The subject of this certificate. :rtype: :class:`X509Name` )rDrAX509_get_subject_namerrrs r<rzX509.get_subjectTs1~~d889 !!%%d+ r;cx|jtj||jj y)z Set the subject of this certificate. :param subject: The subject. :type subject: :py:class:`X509Name` :return: ``None`` N)rFrAX509_set_subject_namerr)r|rSs r< set_subjectzX509.set_subjectds* t117; !!'')r;c@tj|jS)z Get the number of extensions on this certificate. :return: The number of extensions. :rtype: :py:class:`int` .. versionadded:: 0.12 )rAX509_get_ext_countrKr{s r<get_extension_countzX509.get_extension_countps&&tzz22r;ctjdtd|D]V}t|ts t dt j|j|jd}t|dk(Xy)z Add extensions to the certificate. :param extensions: The extensions to add. :type extensions: An iterable of :py:class:`X509Extension` objects. :return: ``None`` rrrrrrN) rrrrYrr]rA X509_add_extrKrPrM)r|rrr$s r<rzX509.add_extensions{sh  &  Cc#9: !NOO**4::s~~rJJ J!O , r;ctjdtdtj t}t j |j||_|jtjk(r tdt j|j}tj|t j|_|S)a Get a specific extension of the certificate by index. Extensions on a certificate are kept in order. The index parameter selects which extension will be returned. :param int index: The index of the extension to retrieve. :return: The extension at the specified index. :rtype: :py:class:`X509Extension` :raises IndexError: If the extension index was out of bounds. .. versionadded:: 0.12 rrrzextension index out of bounds)rrrrrrA X509_get_extrKrPrIrN IndexErrorrrOrO)r|indexrrVs r< get_extensionzX509.get_extensions  &  %,,-CD**4::u= >>TYY &<= =++CNN; D,D,DE r;Nr)r r rFr)rFx509.Certificate)rr\rFrrrrrrrF)rrrFrZ)rr2rFr)r r2rFrr)r7r rF bytes | None)rFr])r7zCallable[..., Any]r_rZrFr)r_rZrFr)r7r rFr")r7r rr"rFrr)rTr"rFr)rSr"rFrr)rZr2rFr)%r6r7r8r9r}rrrrrrrrrrrrrrr"r&r5r8r:r<r?r)rBrDrFrIrLrrQrTrr[r:r;r<rrs; .44& I1  ))81& >7)8(( / 0""1 A7'7/47 7 G @ F )  ) * 3-:- -6r;rcfeZdZUdZej Zded<ejZ ded<ejZ ded<ejZ ded<ejZded<ej Zded<ej$Zded <ej(Zded <ej,Zded <ej0Zded <y )r'a  Flags for X509 verification, used to change the behavior of :class:`X509Store`. See `OpenSSL Verification Flags`_ for details. .. _OpenSSL Verification Flags: https://www.openssl.org/docs/manmaster/man3/X509_VERIFY_PARAM_set_flags.html r2 CRL_CHECK CRL_CHECK_ALLIGNORE_CRITICAL X509_STRICTALLOW_PROXY_CERTS POLICY_CHECKEXPLICIT_POLICY INHIBIT_MAPCHECK_SS_SIGNATURE PARTIAL_CHAINN)r6r7r8r9rAX509_V_FLAG_CRL_CHECKr_rX509_V_FLAG_CRL_CHECK_ALLr`X509_V_FLAG_IGNORE_CRITICALraX509_V_FLAG_X509_STRICTrbX509_V_FLAG_ALLOW_PROXY_CERTSrcX509_V_FLAG_POLICY_CHECKrdX509_V_FLAG_EXPLICIT_POLICYreX509_V_FLAG_INHIBIT_MAPrfX509_V_FLAG_CHECK_SS_SIGNATURErgX509_V_FLAG_PARTIAL_CHAINrhr:r;r<r'r's//Is/77M37;;OS;33K3!??s?55L#5;;OS;33K3"AAA77M37r;r'cNeZdZdZd dZd dZd dZd dZd dZ d ddZ y)r$a An X.509 store. An X.509 store is used to describe a context in which to verify a certificate. A description of a context may include a set of certificates to trust, a set of certificate revocation lists, verification flags and more. An X.509 store, being only a description, cannot be used by itself to verify a certificate. To carry out the actual verification process, see :class:`X509StoreContext`. c~tj}tj|tj|_yr@)rAX509_STORE_newrIrOX509_STORE_free_storer|stores r<r}zX509Store.__init__s(##%ggeT%9%9: r;ct|ts ttj|j |j }t|dk(y)a Adds a trusted certificate to this store. Adding a certificate with this method adds this certificate as a *trusted* certificate. :param X509 cert: The certificate to add to this store. :raises TypeError: If the certificate is not an :class:`X509`. :raises OpenSSL.crypto.Error: If OpenSSL was unhappy with your certificate. :return: ``None`` if the certificate was added successfully. rN)rYrr[rAX509_STORE_add_certrwrKrM)r|rrs r<add_certzX509Store.add_certs< $%+ &&t{{DJJ?q!r;ct|tjrddlm}t |j |j}tj|tj}t|tjk7tj|tj}n tdttj |j"|dk7y)a Add a certificate revocation list to this store. The certificate revocation lists added to a store will only be used if the associated flags are configured to check certificate revocation lists. .. versionadded:: 16.1.0 :param crl: The certificate revocation list to add to this store. :type crl: ``cryptography.x509.CertificateRevocationList`` :return: ``None`` if the certificate revocation list was added successfully. rrz?CRL must be of type cryptography.x509.CertificateRevocationListN)rYr CertificateRevocationListrrrRrrrAd2i_X509_CRL_biorIrNrMrO X509_CRL_freer[X509_STORE_add_crlrw)r|crlrrC openssl_crls r<add_crlzX509Store.add_crls c499 : Ms// =>C//TYY?K K4994 5''+t'9'9:C>  // SAQFGr;c\ttj|j|dk7y)a Set verification flags to this store. Verification flags can be combined by oring them together. .. note:: Setting a verification flag sometimes requires clients to add additional information to the store, otherwise a suitable error will be raised. For example, in setting flags to enable CRL checking a suitable CRL must be added to the store otherwise an error will be raised. .. versionadded:: 16.1.0 :param int flags: The verification flags to set on this store. See :class:`X509StoreFlags` for available constants. :return: ``None`` if the verification flags were successfully set. rN)rMrAX509_STORE_set_flagsrw)r|flagss r< set_flagszX509Store.set_flagss", 11$++uEJKr;c:tj}tj|tj}tj |t j|jttj|j|dk7y)a Set the time against which the certificates are verified. Normally the current time is used. .. note:: For example, you can determine if a certificate was valid at a given time. .. versionadded:: 17.0.0 :param datetime vfy_time: The verification time to set on this store. :return: ``None`` if the verification time was successfully set. rN) rAX509_VERIFY_PARAM_newrIrOX509_VERIFY_PARAM_freeX509_VERIFY_PARAM_set_timecalendartimegm timetuplerMX509_STORE_set1_paramrw)r|vfy_timeparams r<set_timezX509Store.set_time-sm **,t::; '' 8??8#5#5#78  224;;F!KLr;Nc|tj}n t|}|tj}n t|}tj|j ||}|s t yy)a Let X509Store know where we can find trusted certificates for the certificate chain. Note that the certificates have to be in PEM format. If *capath* is passed, it must be a directory prepared using the ``c_rehash`` tool included with OpenSSL. Either, but not both, of *cafile* or *capath* may be ``None``. .. note:: Both *cafile* and *capath* may be set simultaneously. Call this method multiple times to add more than one location. For example, CA certificates, and certificate revocation list bundles may be passed in *cafile* in subsequent calls to this method. .. versionadded:: 20.0 :param cafile: In which file we can find the certificates (``bytes`` or ``unicode``). :param capath: In which directory we can find the certificates (``bytes`` or ``unicode``). :return: ``None`` if the locations were set successfully. :raises OpenSSL.crypto.Error: If both *cafile* and *capath* is ``None`` or the locations could not be set for any reason. N)rIrN _path_bytesrAX509_STORE_load_locationsrwr)r|cafilecapath load_results r<load_locationszX509Store.load_locationsEs`B >YYF (F >YYF (F44 KK  "r;r)rrrFr)rzx509.CertificateRevocationListrFr)rr2rFr)rzdatetime.datetimerFrr@)rStrOrBytesPathrzStrOrBytesPath | NonerFr) r6r7r8r9r}r|rrrrr:r;r<r$r$sG ;",H<L0M2GK/#$/#.C/# /#r;r$c4eZdZdZ dfd ZxZS)r&z An exception raised when an error occurred while verifying a certificate using `OpenSSL.X509StoreContext.verify_certificate`. :ivar certificate: The certificate which caused verificate failure. :type certificate: :class:`X509` c@t||||_||_yr@)rr}errors certificate)r|messagerrrs r<r}zX509StoreContextError.__init__s! ! &r;)rrrz list[Any]rrrFr)r6r7r8r9r}rrs@r<r&r&ws2''$-'<@' ''r;r&cveZdZdZ d d dZe d dZed dZddZddZ ddZ dd Z y)r%a9 An X.509 store context. An X.509 store context is used to carry out the actual verification process of a certificate in a described context. For describing such a context, see :class:`X509Store`. :param X509Store store: The certificates which will be trusted for the purposes of any verifications. :param X509 certificate: The certificate to be verified. :param chain: List of untrusted certificates that may be used for building the certificate chain. May be ``None``. :type chain: :class:`list` of :class:`X509` NcL||_||_|j||_yr@)rw_cert_build_certificate_stack_chain)r|ryrchains r<r}zX509StoreContext.__init__s$    33E: r;cdd}|t|dk(rtjStj}t |tjk7tj ||}|D]}t|ts tdt tj|jdkDtj||jdksmtj|jt|S)Ncttj|D]-}tj||}tj|/tj |yr@)rrA sk_X509_num sk_X509_valuer sk_X509_free)sr rs r<cleanupz:X509StoreContext._build_certificate_stack..cleanupsL4++A./&&q!,q!0   a r;rz+One of the elements is not an X509 instance)rr rFr)rLrIrNrAsk_X509_new_nullrMrOrYrr[ X509_up_refrK sk_X509_pushrr) certificatesrrrs r<rz)X509StoreContext._build_certificate_stacks !  3|#4#999 %%'*+w' DdD) MNN D,,TZZ81< =   3q8tzz*$&! r;ctjtjtj|j d}tj|tj ||g}tj|}tj|}tj|}t|||S)z Convert an OpenSSL native context error failure into a Python exception. When a call to native OpenSSL X509_verify_cert fails, additional information about the failure can be obtained from the store context. r ) rIrmrAX509_verify_cert_error_stringX509_STORE_CTX_get_errorrX509_STORE_CTX_get_error_depthX509_STORE_CTX_get_current_certX509_duprrr&) store_ctxrrrKrpycerts r<_exception_from_contextz(X509StoreContext._exception_from_contexts++  . .--i8   &/   ) )) 4  / / :  44Y? e$((/$Wff==r;ctj}t|tjk7tj |tj }tj||jj|jj|j}t|dk(tj|}|dkr|j||S)a3 Verifies the certificate and runs an X509_STORE_CTX containing the results. :raises X509StoreContextError: If an error occurred when validating a certificate in the context. Sets ``certificate`` attribute to indicate which certificate caused the error. rr)rAX509_STORE_CTX_newrMrIrNrOX509_STORE_CTX_freeX509_STORE_CTX_initrwrrKrX509_verify_certr)r|rres r<_verify_certificatez$X509StoreContext._verify_certificates++-  TYY./GGIt'?'?@ && t{{))4::+;+;T[[  q!##I. !8..y9 9r;c||_y)z Set the context's X.509 store. .. versionadded:: 0.15 :param X509Store store: The store description which will be used for the purposes of any *future* verifications. N)rwrxs r< set_storezX509StoreContext.set_stores  r;c$|jy)a" Verify a certificate in a context. .. versionadded:: 0.15 :raises X509StoreContextError: If an error occurred when validating a certificate in the context. Sets ``certificate`` attribute to indicate which certificate caused the error. N)rr{s r<verify_certificatez#X509StoreContext.verify_certificates   "r;c|j}tj|}t|tj k7g}t tj|D]Z}tj||}t|tj k7tj|}|j|\tj||S)aR Verify a certificate in a context and return the complete validated chain. :raises X509StoreContextError: If an error occurred when validating a certificate in the context. Sets ``certificate`` attribute to indicate which certificate caused the error. .. versionadded:: 20.0 ) rrAX509_STORE_CTX_get1_chainrMrIrNrrrrrrr)r|r cert_stackrr rrs r<get_verified_chainz#X509StoreContext.get_verified_chain s,,. 33I>  dii/0t'' 34A%%j!4D DDII- .,,T2F MM& ! 5 *% r;r@)ryr$rrrSequence[X509] | NonerFr)rrrFr)rr rFr&r)ryr$rFrr)rFz list[X509]) r6r7r8r9r} staticmethodrrrrrrr:r;r<r%r%s &(, ;;;% ;  ;+ :>>20  #r;r%ct|tr|jd}t|}|tk(rCt j |tjtjtj}n9|tk(r%t j|tj}n td|tjk(r ttj|S)a Load a certificate (X509) from the string *buffer* encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param bytes buffer: The buffer the certificate is stored in :return: The X509 object r3type argument must be FILETYPE_PEM or FILETYPE_ASN1)rYrrrRrrAPEM_read_bio_X509rIrNr d2i_X509_bior]rrr)rrPrCr s r<r.r.&s&#w' v C |%%c499diiK    dii0NOO tyy  " "4 ((r;c^t}|tk(r!tj||j}na|t k(r!tj ||j}n7|tk(r#tj||jdd}n tdt|dk(t|S)a Dump the certificate *cert* into a buffer string encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1, or FILETYPE_TEXT) :param cert: The certificate to dump :return: The buffer with the dumped certificate in rCtype argument must be FILETYPE_PEM, FILETYPE_ASN1, or FILETYPE_TEXTr) rRrrAPEM_write_bio_X509rKr i2d_X509_bior X509_print_exr]rMrW)rrrC result_codes r<r(r(Cs .C |--c4::>  ''TZZ8  ((djj!Q?    K1$% # r;ct}|tk(rtj}n%|tk(rtj }n t d|||j}|dk7r tt|S)z Dump a public key to a buffer. :param type: The file type (one of :data:`FILETYPE_PEM` or :data:`FILETYPE_ASN1`). :param PKey pkey: The public key to dump :return: The buffer with the dumped key in it. :rtype: bytes rr) rRrrAPEM_write_bio_PUBKEYri2d_PUBKEY_bior]rrrW)rrrC write_biors r<r+r+_sf .C |--  '' NOOC,Ka # r;c t}t|ts td|I| tdt j t |}|tjk(rtdtj}t||}|tk(rXt j||j|tjd|j|j}|j!n|t"k(r!t j$||j}n|t&k(rt j(|jtj*k7r tdtj,t j.|jtj0}t j2||d}n tdt5|dk7t7|S)a Dump the private key *pkey* into a buffer string encoded with the type *type*. Optionally (if *type* is :const:`FILETYPE_PEM`) encrypting it using *cipher* and *passphrase*. :param type: The file type (one of :const:`FILETYPE_PEM`, :const:`FILETYPE_ASN1`, or :const:`FILETYPE_TEXT`) :param PKey pkey: The PKey to dump :param cipher: (optional) if encrypted PEM format, the cipher to use :param passphrase: (optional) if encrypted PEM format, this can be either the passphrase to use, or a callback for providing the passphrase. :return: The buffer with the dumped key in :rtype: bytes zpkey must be a PKeyzDif a value is given for cipher one must also be given for passphrasezInvalid cipher namerz-Only RSA keys are supported for FILETYPE_TEXTr)rRrYr r[rAEVP_get_cipherbynamerrIrNr]_PassphraseHelperrPEM_write_bio_PrivateKeyrcallback callback_argsraise_if_problemri2d_PrivateKey_biorrrrOrr RSA_printrMrW) rrcipher passphraserC cipher_objhelperrrs r<r*r*xs* .C dD !-..   8 ..|F/CD  "23 3YY tZ 0F |33  JJ  II OO    !  --c4::>     DJJ '4+<+< <KL Lggd,,TZZ8$--HnnS#q1    K1$% # r;cxeZdZ d ddZed dZed dZefd dZ d dZ y) rch|tk7r | td||_||_||_g|_y)Nz0only FILETYPE_PEM key format supports encryption)rr] _passphrase _more_args _truncate _problems)r|rr more_argstruncates r<r}z_PassphraseHelper.__init__s@ < J$:B &#!*,r;c|jtjSt|jtst |jr tj d|jStd)Npem_password_cb2Last argument must be a byte string or a callable.) rrIrNrYrZcallabler_read_passphraser[r{s r<rz_PassphraseHelper.callbacks]    #99  ((% 0HT=M=M4N==!2D4I4IJ JD r;c|jtjSt|jtst |jrtjSt d)Nr)rrIrNrYrZrr[r{s r<rz_PassphraseHelper.callback_argssO    #99  ((% 0HT=M=M4N99 D r;c|jr' t||jjdy#|$rY#wxYwr0)r_exception_from_error_queuepop)r| exceptionTypes r<rz"_PassphraseHelper.raise_if_problemsF >> +M:..$$Q' ' !  s 5==c t|jr2|jr|j|||}n,|j|}n|jJ|j}t|ts t dt ||kDr|jr|d|}n t dtt |D] }|||dz||<t |S#t$r%}|jj|Yd}~yd}~wwxYw)NzBytes expectedz+passphrase returned by callback is too longrr) rrrrYrZr]rLrr Exceptionrr)r|rwsizerwflaguserdatarr es r<rz"_PassphraseHelper._read_passphrases (()??!--dFHEF!--f5F''333))fe, !1226{T!>>#ET]F$E3v;'AE*A(v;   NN ! !! $ sCC D!DDN)FF) rr2rPassphraseCallableT | NonerrrrrFrr)rztype[Exception]rFr) rwr rr2rr rr rFr2) r6r7r8r}rrrrrrr:r;r<rrs   --/- -  -  - AF(!+.:= r;rc4t|tr|jd}t|}|tk(rCt j |tjtjtj}n9|tk(r%t j|tj}n td|tjk(r ttjt}tj|t j |_d|_|S)a< Load a public key from a buffer. :param type: The file type (one of :data:`FILETYPE_PEM`, :data:`FILETYPE_ASN1`). :param buffer: The buffer the key is stored in. :type buffer: A Python string object, either unicode or bytestring. :return: The PKey object. :rtype: :class:`PKey` rrT)rYrrrRrrAPEM_read_bio_PUBKEYrIrNrd2i_PUBKEY_bior]rr rrOrrr)rrPrCevp_pkeyrs r<r1r1 s&#w' v C |++ DIItyy   &&sDII6NOO499 << D4#5#56DJD Kr;cNt|tr|jd}t|}t ||}|t k(rKt j|tj|j|j}|jn9|tk(r%t j|tj}n td|tjk(r t!t"j%t"}tj&|t j(|_|S)a Load a private key (PKey) from the string *buffer* encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param buffer: The buffer the key is stored in :param passphrase: (optional) if encrypted PEM format, this can be either the passphrase to use, or a callback for providing the passphrase. :return: The PKey object rr)rYrrrRrrrAPEM_read_bio_PrivateKeyrIrNrrrrd2i_PrivateKey_bior]rr rrOrr)rrPrrCrrrs r<r0r0- s"&#w' v C tZ 0F |// FOOV-A-A  !  **3 :NOO499 << D4#5#56DJ Kr;c^t}|tk(r!tj||j}na|t k(r!tj ||j}n7|tk(r#tj||jdd}n tdt|dk7t|S)av Dump the certificate request *req* into a buffer string encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param req: The certificate request to dump :return: The buffer with the dumped certificate request in .. deprecated:: 24.2.0 Use `cryptography.x509.CertificateSigningRequest` instead. rr) rRrrAPEM_write_bio_X509_REQrri2d_X509_REQ_biorX509_REQ_print_exr]rMrW)rrrCrs r<r)r)V s .C |11#sxx@  ++C:  ,,S#((AqA    K1$% # r;r)c$t|tr|jd}t|}|tk(rCt j |tjtjtj}n9|tk(r%t j|tj}n tdt|tjk7tjt}tj|t j |_|S)a Load a certificate request (X509Req) from the string *buffer* encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param buffer: The buffer the certificate request is stored in :return: The X509Req object .. deprecated:: 24.2.0 Use `cryptography.x509.load_der_x509_csr` or `cryptography.x509.load_pem_x509_csr` instead. rr)rYrrrRrrAPEM_read_bio_X509_REQrIrNrd2i_X509_REQ_bior]rM_X509ReqInternalrrOrr)rrPrCrx509reqs r<r/r/ s&#w' v C |((diiDIIN  ##C3NOOC499$%&&'78G773 2 23GL Nr;r/r@)rPr]rFr )rCr rFrZ)r^r r_rZrFr)r_rZrFr )rqr rFr])rFr)rrrFr)rr2rPrZrFr)rr2rrrFrZ)rr2rr rFrZr) rr2rr rrErrrFrZ)rr2rP str | bytesrFr )rr2rPrrrrFr )rr2rr#rFrZ)rr2rPrZrFr#)p __future__rrr* functoolstypingrbase64rcollections.abcrrrosrr r r cryptographyr r )cryptography.hazmat.primitives.asymmetricrrrrr OpenSSL._utilrrrrrrIrrAr _make_assertrr__all__rrrrr _PrivateKeyrrrrr _PublicKeyrrrZrPassphraseCallableTSSL_FILETYPE_PEMrrSSL_FILETYPE_ASN1rrrr EVP_PKEY_DSAr EVP_PKEY_DHr3 EVP_PKEY_ECr4rrrrMrRrWrarfrvrxr rr-r deprecatedr6rr,total_orderingr"r!rr#r rr'r$r&r%r.r(r+r*rr1r0r)rr/rr:r;r<r%s" . % :         [* $%sE8+,E8CJ#778)) c)++ s+ !!#!!!#!I :EBu%4;+2&:  ~.~.Bd.d.N 5!4    1$     Dg:g:T'    qqh     iiX88.e#e#P'I'"[[|):88-1 B B B B+ B  BJKK\J.2& & &+& &R@&>"   # @&>"   # r;