ӝghUddlmZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl mZddlmZddlmZddlmZmZmZmZmZddlmZdd lmZmZmZmZdd lm Z m!Z!m"Z"m#Z#m$Z$m%Z% dd l&m'Z(d Z)dZ+dZ,dZ-dZ.dZ/dZ0dZ1dZ2dZ3dZ4dZ5ejldZ7dZ8dZ9dZ:dZ;dZejle9d"ze:zej~Z@eAeBeCd#d$ZDe Gd%d&ZEeEejd'ejd!d!dd (eEejd'ejd!d!dd (eEejd'ejd!d)d!d (d*ZJd+eKd,<e.e/e0d-ZLd`d.ZMdad/ZNe9d0ze:d0zf dbd1ZOdcd2ZPddd3ZQ ded4ZRdfd5ZSdfd6ZTdgd7ZUdfd8ZVdhd9ZWGd:d;ZXGd<d=ZYGd>d?ZZGd@dAZ[GdBdCZ\didDZ]GdEdFZ^GdGdHZ_e,eYe-eZe+e\e.e[dIeje/e[dJeje0e[dKeje2e^e3e_iZcdjdLZdejejejejejfZj dkd dM dldNZk dmdOZlejejejejejfZqejejejejfZrGdPdQejZtGdRdSZudndTZv d^ dodUZw dpdVZxdqdWZy drdXZz dk dsdYZ{dtdZZ|ejejejejfZ}d[Z~Gd\d]Zy#e*$rd Z) d^ d_dZ(Y_wxYw)u) annotationsN) encodebytes) dataclass)utilsUnsupportedAlgorithm)hashes)dsaeced25519paddingrsa)AEADDecryptionContextCipher algorithmsmodes)EncodingKeySerializationEncryption NoEncryption PrivateFormat PublicFormat_KeySerializationEncryption)kdfTFctd)NzNeed bcrypt moduler)passwordsaltdesired_key_bytesroundsignore_few_roundss t/var/www/enzed_healthcare/enzed_env/lib/python3.12/site-packages/cryptography/hazmat/primitives/serialization/ssh.py _bcrypt_kdfr!1s##788s ssh-ed25519sssh-rsasssh-dsssecdsa-sha2-nistp256secdsa-sha2-nistp384secdsa-sha2-nistp521s-cert-v01@openssh.comssk-ssh-ed25519@openssh.coms"sk-ecdsa-sha2-nistp256@openssh.coms rsa-sha2-256s rsa-sha2-512s\A(\S+)[ \t]+(\S+)sopenssh-key-v1s#-----BEGIN OPENSSH PRIVATE KEY-----s!-----END OPENSSH PRIVATE KEY-----sbcryptsnone aes256-ctrs(.*?)cTeZdZUded<ded<ded<ded<ded<d ed <d ed <y ) _SSHCipherztype[algorithms.AES]algintkey_lenz3type[modes.CTR] | type[modes.CBC] | type[modes.GCM]mode block_leniv_len int | Nonetag_lenboolis_aeadN)__name__ __module__ __qualname____annotations__r"r r(r(\s(  L ==N K  Mr"r( )r)r+r,r-r.r0r2 )r#s aes256-cbcsaes256-gcm@openssh.comzdict[bytes, _SSHCipher] _SSH_CIPHERS) secp256r1 secp384r1 secp521r1ct|tjrt|j }|St|tj r t|}|St|t jt jfrt}|St|tjtjfrt}|St|tjtj frt"}|St%d)NUnsupported key type) isinstancer EllipticCurvePrivateKey_ecdsa_key_type public_keyEllipticCurvePublicKeyr RSAPrivateKey RSAPublicKey_SSH_RSAr DSAPrivateKey DSAPublicKey_SSH_DSAr Ed25519PrivateKeyEd25519PublicKey _SSH_ED25519 ValueError)keykey_types r _get_ssh_key_typerQs#r112"3>>#34 O C22 3"3' O C#++S-=-=> ? O C#++S-=-=> ? O  g'')A)A B   O/00r"c|j}|jtvrtd|jt|jS)z3Return SSH key_type and curve_name for private key.z'Unsupported curve for ssh private key: )curvename_ECDSA_KEY_TYPErN)rCrSs r rBrBsE   E zz(5ejj^ D   5:: &&r" c<dj|t||gS)Nr")join_base64_encode)dataprefixsuffixs r _ssh_pem_encoder]s 88V^D16: ;;r"c@|rt||zdk7r tdy)zRequire data to be full blocksrzCorrupt data: missing paddingN)lenrN)rZr-s r _check_block_sizer`s& 3t9y(A-899.r"c|r tdy)z!All data should have been parsed.zCorrupt data: unparsed dataN)rNrZs r _check_emptyrcs 677 r"c|s tdt|}t|||j|jz|d}t |j |d|j|j||jdS)z$Generate key + iv and return cipher.z9Key is password-protected, but password was not provided.TN) TypeErrorr:r!r+r.rr)r,) ciphernamerrrciphseeds r _init_cipherris  G    #D $ t{{2FD D  n %& $t||~&' r"crt|dkr tdtj|ddd|ddfS)Uint32 Invalid dataNbig byteorderr_rNr* from_bytesrbs r _get_u32rs< 4y1}(( >>$r(e> 4d12h >>r"crt|dkr tdtj|ddd|ddfS)Uint64rmNrnrorqrbs r _get_u64rxrtr"cdt|\}}|t|kDr td|d|||dfS)zBytes with u32 length prefixrmN)rsr_rN)rZns r _get_sshstrr{s<tnGAt3t9}(( 8T!"X r"cxt|\}}|r|ddkDr tdtj|d|fS)z Big integer.rrmrn)r{rNr*rr)rZvals r _get_mpintrs>D!IC s1v}(( >>#u %t ++r"c|dkr td|sy|jdzdz}tj||S)z!Storage format for signed bigint.rznegative mpint not allowedr"rw)rN bit_lengthr int_to_bytes)r~nbytess r _to_mpintrsD Qw566 nn"q (F   c6 **r"cheZdZUdZded<dddZddZddZddZdd Z dd Z dd Z ddd Z dd Z y) _FragListz,Build recursive structure without data copy.zlist[utils.Buffer]flistNcNg|_|r|jj|yyN)rextend)selfinits r __init__z_FragList.__init__s#  JJ  d # r"c:|jj|y)zAdd plain bytesN)rappendrr~s r put_rawz_FragList.put_raws #r"c\|jj|jddy)zBig-endian uint32rlrnlengthrpNrrto_bytesrs r put_u32z_FragList.put_u32 ! #,,a5,ABr"c\|jj|jddy)zBig-endian uint64rwrnrNrrs r put_u64z_FragList.put_u64rr"c.t|tttfr6|j t ||j j|y|j |j|j j|j y)zBytes prefixed with u32 lengthN) r@bytes memoryview bytearrayrr_rrsizerrs r put_sshstrz_FragList.put_sshstrs] cE:y9 : LLS " JJ  c " LL $ JJ  cii (r"c8|jt|y)z*Big-endian bigint prefixed with u32 lengthN)rrrs r put_mpintz_FragList.put_mpints  #'r"cHttt|jS)zCurrent number of bytes)summapr_rrs r rz_FragList.size s3sDJJ'((r"cV|jD]}t|}|||z}}|||||S)zWrite into bytearray)rr_)rdstbufposfragflenstarts r renderz_FragList.render$s>JJ %Dt9DcDj3E $F5  % r"ctt|j}|j||j S)zReturn as bytes)rrrrtobytes)rbufs r rz_FragList.tobytes,s/499;/0 C{{}r"r)rzlist[utils.Buffer] | NonereturnNone)r~ utils.Bufferrr)r~r*rr)r~zbytes | _FragListrrrr*)r)rrrr*rr*rr)r3r4r5__doc__r6rrrrrrrrrr7r"r rrs:6 $ CC)()r"rcleZdZdZ ddZ d dZ d dZ d dZ d dZy) _SSHFormatRSAzhFormat for RSA keys. Public: mpint e, n Private: mpint n, e, d, iqmp, p, q cFt|\}}t|\}}||f|fS)zRSA public fieldsr)rrZerzs r get_publicz_SSHFormatRSA.get_public<s.T"4T"41vt|r"c|j|\\}}}tj||}|j}||fS)zMake RSA public key from data.)rrRSAPublicNumbersrC)rrZrrzpublic_numbersrCs r load_publicz_SSHFormatRSA.load_publicDsEt, A--a3#..0 4r"c t|\}}t|\}}t|\}}t|\}}t|\}}t|\} }||f|k7r tdtj||} tj|| } tj ||} tj || || | || } | j|}||fS)zMake RSA private key from data.z Corrupt data: rsa field mismatchunsafe_skip_rsa_key_validation)rrNr rsa_crt_dmp1 rsa_crt_dmq1rRSAPrivateNumbers private_key)rrZ pubfieldsrrzrdiqmppqdmp1dmq1rprivate_numbersrs r load_privatez_SSHFormatRSA.load_privateMsT"4T"4T"4% dT"4T"4 q6Y ?@ @1%1%--a3// q!T4~ &11+I2 D  r"c|j}|j|j|j|jy)zWrite RSA public keyN)rrrrz)rrCf_pubpubns r encode_publicz_SSHFormatRSA.encode_publices2((*  r"c|j}|j}|j|j|j|j|j|j |j|j |j|j|j|jy)zWrite RSA private keyN) rrrrzrrrrr)rrf_privrrs r encode_privatez_SSHFormatRSA.encode_privatems&557(77))*))***+--.**+**+r"N)rZrrz"tuple[tuple[int, int], memoryview])rZrrz#tuple[rsa.RSAPublicKey, memoryview])rZrrr1rz$tuple[rsa.RSAPrivateKey, memoryview])rCzrsa.RSAPublicKeyrrrr)rzrsa.RSAPrivateKeyrrrr r3r4r5rrrrrrr7r"r rr3s +  , !!KO! -!0 * 3<   ,, ,6? ,  ,r"rcleZdZdZd dZ d dZ d dZ d dZ d dZddZ y) _SSHFormatDSAzhFormat for DSA keys. Public: mpint p, q, g, y Private: mpint p, q, g, y, x ct|\}}t|\}}t|\}}t|\}}||||f|fS)zDSA public fieldsr)rrZrrgys r rz_SSHFormatDSA.get_publicsMT"4T"4T"4T"41a|T!!r"c|j|\\}}}}}tj|||}tj||}|j ||j }||fS)zMake DSA public key from data.)rr DSAParameterNumbersDSAPublicNumbers _validaterC) rrZrrrrparameter_numbersrrCs r rz_SSHFormatDSA.load_publicsl"__T2 Aq!d33Aq!<--a1BC ~&#..0 4r"cH|j|\\}}}}}t|\}}||||f|k7r tdtj|||} tj || } |j | tj|| } | j} | |fS)zMake DSA private key from data.z Corrupt data: dsa field mismatch) rrrNr rrrDSAPrivateNumbersr) rrZrrrrrrxrrrrs r rz_SSHFormatDSA.load_privates"__T2 Aq!dT"4 q!Q<9 $?@ @33Aq!<--a1BC ~&//>B%113 D  r"c6|j}|j}|j||j|j|j|j |j|j |j|jy)zWrite DSA public keyN)rrrrrrrr)rrCrrrs r rz_SSHFormatDSA.encode_publicsu$224*<< ~& )++, )++, )++, (()r"c|j|j||j|jjy)zWrite DSA private keyN)rrCrrr)rrrs r rz_SSHFormatDSA.encode_privates: ;113V<446889r"cl|j}|jjdk7r tdy)Niz#SSH supports only 1024 bit DSA keys)rrrrN)rrrs r rz_SSHFormatDSA._validates6*<<    ) ) +t 3BC C 4r"N)rZrrztuple[tuple, memoryview])rZrrz#tuple[dsa.DSAPublicKey, memoryview])rZrrr1rz$tuple[dsa.DSAPrivateKey, memoryview])rCzdsa.DSAPublicKeyrrrr)rzdsa.DSAPrivateKeyrrrr)rzdsa.DSAPublicNumbersrr) r3r4r5rrrrrrrr7r"r rr}s~"    ,  !!KO! -! ** *3< *  *:,:6?: :Dr"rcteZdZdZd dZ d dZ d dZ d dZ d dZ ddZ y)_SSHFormatECDSAzFormat for ECDSA keys. Public: str curve bytes point Private: str curve bytes point mpint secret c ||_||_yr)ssh_curve_namerS)rrrSs r rz_SSHFormatECDSA.__init__s, r"ct|\}}t|\}}||jk7r td|ddk7r td||f|fS)zECDSA public fieldszCurve name mismatchrrlzNeed uncompressed point)r{rrNNotImplementedError)rrZrSpoints r rz_SSHFormatECDSA.get_publics`"$' t!$' t D'' '23 3 8q=%&?@ @u~t##r"c|j|\\}}}tjj|j|j }||fSz Make ECDSA public key from data.)rr rDfrom_encoded_pointrSr)rrZ_rrCs r rz_SSHFormatECDSA.load_publicsM ??40 ED..AA JJ  4r"c|j|\\}}}t|\}}||f|k7r tdtj||j }||fS)z!Make ECDSA private key from data.z"Corrupt data: ecdsa field mismatch)rrrNr derive_private_keyrS)rrZrr curve_namersecretrs r rz_SSHFormatECDSA.load_privatesd%)OOD$9!UT!$'   ) +AB B++FDJJ? D  r"c|jtjtj}|j |j |j |y)zWrite ECDSA public keyN) public_bytesrX962rUncompressedPointrr)rrCrrs r rz_SSHFormatECDSA.encode_publicsG'' MM<99  ,,- r"c|j}|j}|j|||j|jy)zWrite ECDSA private keyN)rCrrr private_value)rrrrCrs r rz_SSHFormatECDSA.encode_privatesD!++- %557 :v.667r"N)rrrSec.EllipticCurve)rZrrz0tuple[tuple[memoryview, memoryview], memoryview]rZrrz,tuple[ec.EllipticCurvePublicKey, memoryview])rZrrr1rz-tuple[ec.EllipticCurvePrivateKey, memoryview])rCec.EllipticCurvePublicKeyrrrr)rzec.EllipticCurvePrivateKeyrrrr) r3r4r5rrrrrrrr7r"r rrs  $ $ 9 $  5  ! !KO ! 6 ! 3 G% %r"rct|\}}|jjdstd|d||fS)z! U2F application strings sssh:z4U2F application string does not start with b'ssh:' ())r{r startswithrN)rZ applications r load_applicationrMsU$D)K    + +G 4 }A     r"c(eZdZdZ ddZddZy)_SSHFormatSKEd25519z The format of a sk-ssh-ed25519@openssh.com public key is: string "sk-ssh-ed25519@openssh.com" string public key string application (user-specified, but typically "ssh:") chttj|\}}t|\}}||fSr)_lookup_kformatrMrrrrZrCrs r rz_SSHFormatSKEd25519.load_publiccs7+<8DDTJ D"4(44r"ctd)Nz,sk-ssh-ed25519 private keys cannot be loadedrrrZs r rz_SSHFormatSKEd25519.get_publicks# :  r"NrrZrrztyping.NoReturnr3r4r5rrrr7r"r rrZs!  4  r"rc(eZdZdZ ddZddZy)_SSHFormatSKECDSAz The format of a sk-ecdsa-sha2-nistp256@openssh.com public key is: string "sk-ecdsa-sha2-nistp256@openssh.com" string curve name ec_point Q string application (user-specified, but typically "ssh:") chttj|\}}t|\}}||fSr)r_ECDSA_NISTP256rrrs r rz_SSHFormatSKECDSA.load_public}s7+?;GGM D"4(44r"ctd)Nz4sk-ecdsa-sha2-nistp256 private keys cannot be loadedrrs r rz_SSHFormatSKECDSA.get_publics# B  r"Nrrr r7r"r r"r"ss!  5  r"r"snistp256snistp384snistp521ct|tst|j}|tvr t|St d|)z"Return valid format or throw errorzUnsupported key type: )r@rrr _KEY_FORMATSr)rPs r rrsE h &h'//1<H%% !7|D EEr"rctjd||tjd|tj |}|s t d|j d}|jd}tjt|||}|jts t dt|ttd}t|\}}t|\}}t|\} }t|\} }| dk7r t dt|\} }t| \} } t!| } | j#| \}} t%| |t&k7s |t&k7r|j)}|t*vrt-d||t.k7rt-d|t*|j0}t*|j2}t|\}}t*|j4r$t7|}t||k7rt d t%|t9||t| \}}t|\}}t%|t;|||j)|}|j=}t|j?|}t*|j4r-tA|tBsJt%|jEnNt%|jGn4|r tId t|\}}t%|d }t9||t|\}}t|\}}||k7r t d t|\}}|| k7r t d | jK|||\}}t|\}}|tLdt|k7r t dtA|tNjPr&tSjTdtjVd|S)z.Load private key from OpenSSH custom encoding.rZNrzNot OpenSSH private key formatr%zOnly one key supportedzUnsupported cipher: zUnsupported KDF: z+Corrupt data: invalid tag length for cipherz4Password was given but private key is not encrypted.rwzCorrupt data: broken checksumzCorrupt data: key type mismatchrzCorrupt data: invalid paddingDSSH DSA keys are deprecated and will be removed in a future release. stacklevel),r_check_byteslike _check_bytes_PEM_RCsearchrNrendbinascii a2b_base64rr _SK_MAGICr_r{rsrrrc_NONErr:r_BCRYPTr-r0r2rr`ri decryptorupdater@rfinalize_with_tagfinalizerer_PADDINGr rHwarningswarnDeprecatedIn40)rZrbackendrmp1p2rfkdfname kdfoptionsnkeyspubdata pub_key_typekformatrciphername_bytesblklenr0edatatagrkbufrrgdecck1ck2rPrrs r load_ssh_private_keyrQs 64( :x0tA 9:: B qB   z$/26 7D ??9 %9:: d C N, -D#4(J%MGT"4(J4.KE4 z122 %MGT'0L'l+G ++G4IwUg.%--/ < /&&'7&:;  g &):7+'FG G./99/088!$' t ( ) 1 1+C3x7" !NOO  %( , d~ T,h Onn3::e,- ( ) 1 1c#89 99 ..s3 4  ( F "$' tT%(%JC%JC cz899"%(OHe<:;; -- 'E.K 5!HAu 3u:&&899+s001       r"ctjd|t|tjr&t j dtjdt|}t|}t}|rt}t|j}t}t} t|t r|j" |j"} t%j&d} |j)| |j+| t-||| | } n t.x}}d}d} d} t%j&d} d }t}|j)||j1|j3|t| | g}|j)||j5|||j)||j7t8d||j;|zz t}|j7t<|j)||j)||j)||j+| |j)||j)||j;}|j;}t?tA||z}|jC|||z }| &| jEjG|||||dtI|d|S) z3Serialize private key with OpenSSH custom encoding.rISSH DSA key support is deprecated and will be removed in a future releaserlr+Nr$rwr%r")%rr.r@r rHr<r=r>rQrr_DEFAULT_CIPHERr:r-r6_DEFAULT_ROUNDSr _kdf_roundsosurandomrrrir5rrCrrr;rr4rrr encryptor update_intor])rrencryption_algorithmrPrH f_kdfoptionsrfrJrCrrrgrEcheckvalcomment f_public_key f_secretsf_mainslenmlenrofss r _serialize_ssh_private_keyres  z8,+s001  *    !-Hh'G;L$ j)33  +-H I$00<)55Fzz"~%V$J$?$$ W Ezz!}HG;LH% +002LA8X./I " ; 2 ! hE9>>+;f+D!EFG[F NN9 j! g l# NN5 l# i  >> D ;;=D Ytf}- .C MM# +C  $$ST]CI> 3u: &&r"ceZdZdZdZy)SSHCertificateTyper%r*N)r3r4r5USERHOSTr7r"r rgrgws D Dr"rgceZdZ ddZeddZddZeddZeddZeddZ eddZ eddZ edd Z edd Z edd Zdd Zdd ZddZy)SSHCertificatec6||_||_||_ t||_||_||_||_||_ | |_ | |_ | |_ | |_ | |_||_||_||_||_y#t $r t dwxYw)NzInvalid certificate type)_nonce _public_key_serialrg_typerN_key_id_valid_principals _valid_after _valid_before_critical_options _extensions _sig_type_sig_key_inner_sig_type _signature_cert_key_type _cert_body_tbs_cert_body)rrmrnro_cctyperqrrrsrtrurvrwrxryrzr}r{r|s r rzSSHCertificate.__init__}s( &  9+G4DJ !2(*!2&"  .$,$, 978 8 9s BBc,t|jSr)rrmrs r noncezSSHCertificate.noncesT[[!!r"cJtjt|jSr)typingcastSSHCertPublicKeyTypesrnrs r rCzSSHCertificate.public_keys{{0$2B2BCCr"c|jSr)rors r serialzSSHCertificate.serials ||r"c|jSr)rprs r typezSSHCertificate.types zzr"c,t|jSr)rrqrs r key_idzSSHCertificate.key_idsT\\""r"c|jSr)rrrs r valid_principalszSSHCertificate.valid_principals%%%r"c|jSr)rtrs r valid_beforezSSHCertificate.valid_befores!!!r"c|jSr)rsrs r valid_afterzSSHCertificate.valid_afters   r"c|jSr)rurs r critical_optionszSSHCertificate.critical_optionsrr"c|jSr)rvrs r extensionszSSHCertificate.extensionssr"ct|j}|j|j\}}t ||Sr)rrwrrxrc)r sigformat signature_key sigkey_rests r rzSSHCertificate.signature_keys7#DNN3 %.%:%:4==%I" {[!r"ct|jdztjt|jdzS)N F)newline)rr{r2 b2a_base64r|rs r rzSSHCertificate.public_bytess< $%% & !!%"8%H I r"c|j}t|tjr9|j t |j t |jyt|tjrt|j \}}t|\}}t|tj||}t|j}|j |t |jtj |yt|t"j$sJ|j&t(k(rt+j,}nQ|j&t.k(rt+j0}n)|j&t2k(sJt+j4}|j t |j t |jt7j8|yr)rr@r rLverifyrrzr}r rDrrc asym_utilsencode_dss_signature_get_ec_hash_algrSECDSArrFryrGr SHA1_SSH_RSA_SHA256SHA256_SSH_RSA_SHA512SHA512r PKCS1v15)rrrrZs computed_sighash_algs r verify_cert_signaturez$SSHCertificate.verify_cert_signaturesl**, mW%=%= >  doo&d.A.A(B  r'@'@ A 1GAt &GAt  %::1a@L' (;(; >>##x/!;;=%%8!==?++>>>!==?  doo&d))*  "  r"N)"rmrrnSSHPublicKeyTypesror*r~r*rqrrr list[bytes]rsr*rtr*rudict[bytes, bytes]rvrrwrrxrryrrzrr}rr{rr|rr)rrr)rrg)rr)rr)rr)r3r4r5rpropertyrrCrrrrrrrrrrrr7r"r rkrk|sy'-'-''- '-  '-  '-''-'-'-.'-('-'-'-$'-'- #!'-"#'-$%'-R""D ##&&""!!&&    r"rkct|tjrtjSt|tj rtj St|tjsJtjSr) r@r SECP256R1r r SECP384R1SHA384 SECP521R1r)rSs r rrsV%&}} E2<< (}}%...}}r"ctjd|tj|}|s t d|j dx}}|j d}d}|j trd}|dtt }|tk(r |s tdt|} ttj|}|r|} t#|\} }| |k7r t d |rt#|\} }|j%|\} }|rt'|\} }t)|\}}t#|\}}t#|\}}g}|r+t#|\}}|j+t-||r+t'|\}}t'|\}}t#|\}}t/|}t#|\}}t/|}t#|\}}t#|\}}t#|\}}|tk(r |s td  dt| }t#|\}}t1|t#|\}} |t2k(r|t4t6t2fvs|t2k7r||k7r t d t#| \}!} t1| t9 | | |||||||||||!||| St1|| S#ttj f$r t dwxYw) NrZzInvalid line formatr%r*FTz-DSA keys aren't supported in SSH certificateszInvalid formatzInvalid key formatz3DSA signatures aren't supported in SSH certificatesz!Signature key type does not match)rr-_SSH_PUBKEY_RCmatchrNgroupendswith _CERT_SUFFIXr_rJrrrr2r3reErrorr{rrxrsrr_parse_exts_optsrcrGrrrk)"rZ_legacy_dsa_allowedr@rP orig_key_typekey_body with_certrHrest cert_bodyinner_key_typerrCrcctyper principalsr principalrr crit_optionsrextsrr sig_key_rawsig_typesig_key tbs_cert_body signature_rawinner_sig_typesig_rest signatures" r _load_ssh_public_identityrs 64(T"A .// wwqz)H}wwqzHI& 0s<0018$7" ;  h'G+(--h78 &t,ND&-..!$' t**40J~ ~ "4( &t, D$/ $; !Iz  # #E)$4 5%TN T%d^ d(. d+L9 & d%d+ d#4'- T' 4' x (;&E ",SYJ/ )$/ tT#.}#=   #_h?@("~'A@A A)(3 8X                 #  ( TK x~~ &+)**+s +J33%Kct|Sr)rrbs r load_ssh_public_identityrfs %T **r"c2i}d}|rt|\}}t|}||vr td|||kr tdt|\}}t|dkDr't|\}}t|dkDr tdt|||<|}|r|S)NzDuplicate namezFields not lexically sortedrz!Unexpected extra data after value)r{rrNr_) exts_optsresult last_namerTbnamevalueextras r rrls!#FI %i0iT{ F?-. .  UY%6:; ;&y1y u:>&u-LE55zA~ !DEEe u    Mr"c~t|tjtjfs t dt |}t |}t}|j||j|||j}tj|}|j||jS)Nz+hash_algorithm must be either MD5 or SHA256)r@r MD5rrerQrrrrrHashr8r:)rOhash_algorithmrPrHrssh_binary_datahash_objs r ssh_key_fingerprintrs nvzz6==&A BEFF %Hh'G KE X #u%mmoO{{>*H OOO$    r"ct|d}t|tr|j}n|}t|tj r&t jdtjd|S)NT)rr)r*r+) rr@rkrCr rIr<r=rr>)rZr? cert_or_keyrCs r load_ssh_public_keyrsb,DdKK+~. ++-  *c../      r"ct|tjr&tjdt j dt|}t|}t}|j||j||tj|jj}dj!|d|gS)z&One-line public key format for OpenSSHrSrlr+r"r)r@r rIr<r=rr>rQrrrrr2rrstriprX)rCrPrHrpubs r serialize_ssh_public_keyrs*c../  *    !,Hh'G KE X *e,   emmo . 4 4 6C 88XtS) **r"c eZdZddddgdddggf ddZ ddZddZddZddZ ddZd Z dd Z dd Z dd Z dd Z ddZy)SSHCertificateBuilderNFc ||_||_||_||_||_||_||_||_| |_| |_ yr rnrorprqrr_valid_for_all_principalsrtrsrurv) rrnrorprqrrrrtrsrurvs r rzSSHCertificateBuilder.__init__sQ'   !2)B&*(!2&r"c t|tjtjt j fs td|j tdt||j|j|j|j|j|j |j"|j$|j& S)Nr?zpublic_key already setr)r@r rDrrFr rLrernrNrrorprqrrrrtrsrurv)rrCs r rCz SSHCertificateBuilder.public_keys ))  ((  23 3    '56 6$"LL**LL"44&*&D&D,,**"44((  r"c t|ts tdd|cxkrdkstdtd|j tdt |j ||j|j|j|j|j|j|j|j S)Nzserial must be an integerrz"serial must be between 0 and 2**64zserial already setr)r@r*rerNrorrnrprqrrrrtrsrurv)rrs r rzSSHCertificateBuilder.serials&#&78 8F"U"AB B#AB B << #12 2$((**LL"44&*&D&D,,**"44((  r"c Dt|ts td|j t dt |j |j||j|j|j|j|j|j|j S)Nz"type must be an SSHCertificateTypeztype already setr)r@rgrerprNrrnrorqrrrrtrsrurv)rrs r rzSSHCertificateBuilder.types$ 23@A A :: !/0 0$((LLLL"44&*&D&D,,**"44((  r"c Dt|ts td|j t dt |j |j|j||j|j|j|j|j|j S)Nzkey_id must be byteszkey_id already setr)r@rrerqrNrrnrorprrrrtrsrurv)rrs r rzSSHCertificateBuilder.key_id's&%(23 3 << #12 2$((LL**"44&*&D&D,,**"44((  r"c |jr tdtd|Dr|s td|jr tdt |t kDr tdt|j|j|j|j||j|j|j|j|j S)NzDPrincipals can't be set because the cert is valid for all principalsc3<K|]}t|tywr)r@r).0rs r z9SSHCertificateBuilder.valid_principals..CsCQJq%(Csz5principals must be a list of bytes and can't be emptyzvalid_principals already setz:Reached or exceeded the maximum number of valid_principalsr)rrNallrerrr__SSHKEY_CERT_MAX_PRINCIPALSrrnrorprqrtrsrurv)rrs r rz&SSHCertificateBuilder.valid_principals:s  ) )%  C2BCC#G   ! !;< <  #> >L %((LL**LL.&*&D&D,,**"44((  r"c <|jr td|jr tdt|j|j |j |j|jd|j|j|j|j S)Nz@valid_principals already set, can't set valid_for_all_principalsz$valid_for_all_principals already setTr) rrrNrrrnrorprqrtrsrurvrs r valid_for_all_principalsz.SSHCertificateBuilder.valid_for_all_principals^s  ! !+   ) )CD D$((LL**LL"44&*,,**"44((  r"c t|ttfs tdt|}|dks|dk\r t d|j t dt |j|j|j|j|j|j||j|j|j S)Nz$valid_before must be an int or floatrrzvalid_before must [0, 2**64)zvalid_before already setr)r@r*floatrerNrtrrnrorprqrrrrsrurv)rrs r rz"SSHCertificateBuilder.valid_beforets,e 5BC C<( ! |u4;< <    )78 8$((LL**LL"44&*&D&D&**"44((  r"c t|ttfs tdt|}|dks|dk\r t d|j t dt |j|j|j|j|j|j|j||j|j S)Nz#valid_after must be an int or floatrrzvalid_after must [0, 2**64)zvalid_after already setr)r@r*rrerNrsrrnrorprqrrrrtrurv)rrs r rz!SSHCertificateBuilder.valid_afters+U|4AB B+& ?kU2:; ;    (67 7$((LL**LL"44&*&D&D,,$"44((  r"c t|trt|ts td||jDcgc]\}}| c}}vr t dt |j |j|j|j|j|j|j|jg|j|f|j Scc}}w)Nname and value must be byteszDuplicate critical option namer)r@rrerurNrrnrorprqrrrrtrsrvrrTrrs r add_critical_optionz)SSHCertificateBuilder.add_critical_options$&j.F:; ; (>(>?WT1D? ?=> >$((LL**LL"44&*&D&D,,**F 6 6Fu F((  @ Cct|trt|ts td||jDcgc]\}}| c}}vr t dt |j |j|j|j|j|j|j|j|jg|j|f Scc}}w)NrzDuplicate extension namer)r@rrervrNrrnrorprqrrrrtrsrurs r add_extensionz#SSHCertificateBuilder.add_extensions$&j.F:; ; (8(89WT1D9 978 8$((LL**LL"44&*&D&D,,**"44:$**:T5M:  :rc "t|tjtjt j fs td|j td|jdn |j}|j td|jdn |j}|js|js td|j td|j td|j |jkDr td |j"j%d |j&j%d t)|j}|t*z}t-j.d }t1|}t3}|j5||j5||j7|j||j9||j;|jj<|j5|t3} |jD]} | j5| |j5| j?|j9|j |j9|jt3} |j"D]p\} } | j5| tA| dkDr;t3}|j5| | j5|j?`| j5| r|j5| j?t3}|j&D]p\} } |j5| tA| dkDr;t3}|j5| |j5|j?`|j5| r|j5|j?|j5dt)|}t1|}t3}|j5||j7|jC||j5|j?t|t j rl|jE|j?}t3}|j5||j5||j5|j?nt|tjrtG|jH}|jE|j?tjJ|}tMjN|\}}t3}|j5|t3}|jQ||jQ||j5|j?|j5|j?nt|tjsJt3}|j5tR|jE|j?tUjVtYjZ}|j5||j5|j?t]j^|j?ja}tcjdtftidjk|d|gS)NzUnsupported private key typezpublic_key must be setrztype must be setr"zAvalid_principals must be set if valid_for_all_principals is Falsezvalid_before must be setzvalid_after must be setz-valid_after must be earlier than valid_beforec |dSNrr7rs r z,SSHCertificateBuilder.sign..s !A$r")rOc |dSr r7r s r r z,SSHCertificateBuilder.sign..s AaDr"r8r)6r@r rArrEr rKrernrNrorprqrrrrtrsrusortrvrQrrWrXrrrrrrrrr_rCsignrrSrrdecode_dss_signaturerrr rr rr2rrrrrkrrX)rrrrrP cert_prefixrrHf fprincipalsrfcritrTrfoptvalfextfextvalca_typecaformatcafrfsigrrrfsigblob cert_datas r rzSSHCertificateBuilder.signsh **!!))  :; ;    #56 6ll*  :: /0 0 ,$,, %%d.L.L     %78 8    $67 7   t11 1LM M ###7 .1$T%5%56-  2!(+ K [! Ud..2 & $**""# Vk '' &A  " "1 % & [((*+ $##$ $$$% 11 (KD%   T "5zA~#+""5)  !23  ' ( U]]_%{++ 'KD% OOD !5zA~#+""5) 12& ' T\\^$ S#K0"7+k w{557= S[[]# k7#<#< =#((5I;D OOG $ OOI & LL (  R%?%? @' (9(9:H#((bhhx6HII229=DAq;D OOG $ {H   q !   q ! OOH,,. / LL (k3+<+<= == ;D OOO ,#(( W--/I OOI & LL ('' 4::< {{  $SXX{D).L%M N  r")rnzSSHCertPublicKeyTypes | Noneror/rpzSSHCertificateType | Nonerq bytes | Nonerrrrr1rtr/rsr/rulist[tuple[bytes, bytes]]rvr )rCrrr)rr*rr)rrgrr)rrrr)rrrr)r int | floatrr)rr!rr)rTrrrrr)rSSHCertPrivateKeyTypesrrk)r3r4r5rrCrrrrrrrrrrr7r"r rrs59"+/ $)+*/$(#'7913'1'') '  ' ' '$('"'!'5'/'0 /  8 * & &" +" " H , , ,  "'  ,  "'  ,G r"r)F) rrrrrr*rr*rr1rr)rOz&SSHPrivateKeyTypes | SSHPublicKeyTypesrr)rCrrr)rZrr[rr\rrr)rZrr-r*rr)rZrrr) rfrrrrrrr*rz)Cipher[modes.CBC | modes.CTR | modes.GCM])rZrrztuple[int, memoryview])rZrrtuple[memoryview, memoryview])r~r*rr)rr#)rPrr) rZrrrr? typing.Anyrr1rSSHPrivateKeyTypes)rr%rrr[rrr)rSrrzhashes.HashAlgorithm)rZrr"SSHCertificate | SSHPublicKeyTypes)rZrrr&)rrrr)rOrrzhashes.MD5 | hashes.SHA256rr)rZrr?r$rr)rCrrr) __future__rr2enumrWrerr<base64rrY dataclassesr cryptographyrcryptography.exceptionsrcryptography.hazmat.primitivesr )cryptography.hazmat.primitives.asymmetricr r r r rr&cryptography.hazmat.primitives.ciphersrrrr,cryptography.hazmat.primitives.serializationrrrrrrbcryptrr!_bcrypt_supported ImportErrorrMrGrJr$_ECDSA_NISTP384_ECDSA_NISTP521r_SK_SSH_ED25519_SK_SSH_ECDSA_NISTP256rrcompilerr4 _SK_START_SK_ENDr6r5rTrUDOTALLr/rrranger;r(AESCTRCBCGCMr:r6rUrQrBr]r`rcrirsrxr{rrrrrrrrrr"rrrr'rUnionrArErHrKr%rQrerDrFrIrLrrEnumrgrkrrrrrrrr"rrr7r"r rDs # 0!81J 9)  (((' 0>"!23  2 .  "**Y)G3RYY ? ia 01 2   NN YY NN YY * NN YY ') %@!  &'%eO< < < < <: 8     / ,??,+33lG,G,TCDCDLD8D8N@%@%F   2  6 mo mo#%_[,",,.A_[,",,.A_[,",,.A(*-/  F\\ o ,1 o ooo %) o  odJ'#J'J'5J' J'ZLL     ~~B\ \(\~+ +'+ ( . ./3 !+(+(  "I I y$ 9#( 9999 9  9  9 9s/N;;OO