Bwg,ddlmZmZmZmZddlmZddlZddlZddl Z ddl m Z m Z mZmZmZmZmZmZmZddlmZmZmZmZmZmZmZmZmZddlm Z ddl!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)d d l*m+Z+m,Z,m-Z-m.Z.d d l/m0Z0m1Z1m2Z2d d l3m4Z4dd l5m6Z6m7Z7m8Z8ddl9m:Z:m;Z;mZ>m?Z?m@Z@mAZAgdZBGddeZCGddeZDGddeZ d0dZEdZFdZGdZHd1dZIdZJdZKd1dZLd1dZMd ZNd!ZOd"ZPd#ZQd$ZRd%ZSd&ZTd'ZUd(ZVd)ZWd*ZXd+ZYd,ZZd-Z[d.Z\d/Z]y)2)unicode_literalsdivisionabsolute_importprint_function) b32encodeN) CertificateECDomainParametersIntegerKeyExchangeAlgorithmNullPrivateKeyInfoPublicKeyAlgorithm PublicKeyInfo RSAPublicKey) _CertificateBase _fingerprint _parse_pkcs12_PrivateKeyBase_PublicKeyBase_unwrap_private_key_infoparse_certificate parse_private parse_public)pretty_message)newunwrapbytes_from_bufferbuffer_from_bytesderefnullis_null pointer_set)Security SecurityConsthandle_sec_errorosx_version_info)CoreFoundation CFHelpershandle_cf_error) rand_bytes)AsymmetricKeyErrorIncompleteAsymmetricKeyErrorSignatureError)add_pss_paddingverify_pss_padding"remove_pkcs1v15_encryption_padding) type_namestr_clsbyte_cls int_types)r dsa_sign dsa_verify ecdsa_sign ecdsa_verify generate_pairload_certificate load_pkcs12load_private_keyload_public_key parse_pkcs12 PrivateKey PublicKeyrsa_oaep_decryptrsa_oaep_encryptrsa_pkcs1v15_decryptrsa_pkcs1v15_encryptrsa_pkcs1v15_signrsa_pkcs1v15_verify rsa_pss_signrsa_pss_verifycHeZdZdZdZdZdZdZedZ edZ dZ y)rAzM Container for the OS crypto library representation of a private key Nc6||_||_t|_y)z :param sec_key_ref: A Security framework SecKeyRef value from loading/importing the key :param asn1: An asn1crypto.keys.PrivateKeyInfo object N sec_key_refasn1r)_libselfrNrOs O/var/www/horilla/myenv/lib/python3.12/site-packages/oscrypto/_mac/asymmetric.py__init__zPrivateKey.__init__M' " c |jd} ttd}tj|j ddt |}t|t|}tj|}t|}|jdk(rOttdtdt!|dj"d|dj"dd d }n|jd k(rv|d d }ttd |j%dt't)|dj*|dj"j*|dj*d }nN|jdk(r?ttdt-d|j.d|dj"dd }|rtj0| t3|_|jS#|rtj0|wwxYw)z\ :return: A PublicKey object corresponding to this private key. N CFDataRef *rrsa) algorithm parameters private_keymoduluspublic_exponent)r]r^)rZ public_keydsaprivate_key_algorithmr[gpecnamed)namevaluer_) _public_keyrr)r% SecItemExportrNr!r'rr*cf_data_to_bytesrrZrrr rparsedcopyr pownativer curve CFRelease _load_key)rRcf_data_privatecf_data_private_pointerresultprivate_key_byteskey public_asn1paramss rSr_zPrivateKey.public_key[s    #"O3 >+.nm*L'!//0@0@!QPgh ("()@"A$-$>$>$O!#$56==E)"/%7).*.&9&'3'*='9'@'@'K/2=/A/H/HIZ/[4' 1 #K]]e+ !89,GF"/%7).*0++-9&'.c"3K.. .55<<"3K../' 1 #K]]d*"/%7)-*<%,&*jj+9&'*-&8&?&? &M 1 #K#",,_=(5D  #",,_=#s F"G''Hcp|jt|jt|_|jS)aY Creates a fingerprint that can be compared with a public key to see if the two form a pair. This fingerprint is not compatible with fingerprints generated by any other software. :return: A byte string that is a sha256 hash of selected components (based on the key type) )rrOr>rRs rS fingerprintzPrivateKey.fingerprints0    $ ,TYY8H ID    rVc|jr4|jj|jd|_d|_yyNrNrPrprzs rS__del__zPrivateKey.__del__7    II   0 0 1DI#D  rV) __name__ __module__ __qualname____doc__rNrhrPrTpropertyr_r{rrVrSrArAAsMKK D #? ? B!!"$rVrAc$eZdZdZdZdZdZdZy)rBzL Container for the OS crypto library representation of a public key Nc6||_||_t|_y)z :param sec_key_ref: A Security framework SecKeyRef value from loading/importing the key :param asn1: An asn1crypto.keys.PublicKeyInfo object NrMrQs rSrTzPublicKey.__init__rUrVc|jr4|jj|jd|_d|_yyr}r~rzs rSrzPublicKey.__del__rrV)rrrrrNrPrTrrrVrSrBrBsK D #$rVrBcXeZdZdZdZdZdZdZedZ edZ edZ dZ y)r zM Container for the OS crypto library representation of a certificate Nc ||_||_y)z :param sec_certificate_ref: A Security framework SecCertificateRef value from loading/importing the certificate :param asn1: An asn1crypto.x509.Certificate object N)sec_certificate_refrO)rRrrOs rSrTzCertificate.__init__s$7  rVc.|jjS)zF :return: The SecKeyRef of the public key )r_rNrzs rSrNzCertificate.sec_key_refs***rVc|js|jr|jjdk(r@|jj }d|dddd<t |}|j}n |j}t td}tj||}t|t|}t||jdd|_|jS)zh :return: The PublicKey object for the public key this certificate contains rsassa_pssrYtbs_certificatesubject_public_key_inforZ SecKeyRef *) rhrrOsignature_algorl _load_x509rr%SecCertificateCopyPublicKeyr'rrB)rRrO temp_cert sec_cert_refsec_public_key_ref_pointerressec_public_key_refs rSr_zCertificate.public_keysD$<$<yy''<7yy~~'_d&'(AB;OP[\&t, (<< #77 ),X})E &66|E_`C S !!'(B!C ();TYYGX=YZs=tuD rVc^|jd|_|jjtddgvr|jdj}|jdj }|dk(rt }n9|dk(rt}n-|dk(rt}n!|dk(rt}nttd | ||j|jd j|jd j|d |_|jS|jS#t$rY|jSwxYw) zT :return: A boolean - if the certificate is self-signed Fyesmaybesignature_algorithmrsassa_pkcs1v15rr`ecdsaz Unable to verify the signature of the certificate since it uses the unsupported algorithm %s signature_valuerT) _self_signedrO self_signedsetr hash_algorHrJr8r:OSErrorrr_rndumpr/)rRrr verify_funcs rSrzCertificate.self_signeds4    $ %D yy$$UG,<(==!%+@!A!P!P II&;<FF !%66"5K#|3"0K#u,",K#w.".K!.' #  "34;; "3499;!  )-D%   t   '   s/AD D,+D,c|jr!|jjd|_|jr'tj|jd|_yyr})rhrrr)rprzs rSrzCertificate.__del__;sO       $ $ &#D   # #  $ $T%=%= >'+D $ $rV) rrrrrrhrrTrrNr_rrrrVrSr r s`KL ++  2)!)!V,rVr c  |tgdvrttdt||dk(r-|tgdvrttdt||dk(r,|tdgvrPttdt||d k(r-|tgd vrttd t|d }d }d }d }d }d }d } d } d } tj tj tjd |} |d k(r dddd |} n|} ttd}ttd}tjd}d}td|z}|dd }t|d djd}tj } t"j$j'| |j)d}ttd}tj*|||dt-|}t/|t1|} ttd}tj2|t-|}t/|t1|} tj4| | | dtj6tj8tj:ztj<tj8tj:z| || }t/|t1|}t1|}tt>d}tj@|ddt-|}t/|t1|}tjB|}tt>d}tj@|ddt-|}t/|t1|}tjB|}tjD|}t/|tjD|}t/||rt?jF||rt?jF||rt?jF||rt?jF||rt?jF||rt?jF|| r*tjH| t?jF| | rtKjL| | rt?jF|  tO|tQ|fS#|rt?jF||rt?jF||rt?jF||rt?jF||rt?jF||rt?jF|| r*tjH| t?jF| | rtKjL| | rt?jF| wwxYw)a Generates a public/private key pair :param algorithm: The key algorithm - "rsa", "dsa" or "ec" :param bit_size: An integer - used for "rsa" and "dsa". For "rsa" the value maye be 1024, 2048, 3072 or 4096. For "dsa" the value may be 1024. :param curve: A unicode string - used for "ec" keys. Valid values include "secp256r1", "secp384r1" and "secp521r1". :raises: ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library :return: A 2-element tuple of (PublicKey, PrivateKey). The contents of each key may be saved by calling .asn1.dump(). )rYr`rdzM algorithm must be one of "rsa", "dsa", "ec", not %s rY)ii zX bit_size must be one of 1024, 2048, 3072, 4096, not %s r`rz? bit_size must be 1024, not %s rd secp256r1 secp384r1 secp521r1zd curve must be one of "secp256r1", "secp384r1", "secp521r1", not %s N)r`rdrYi rTemporary oscrypto key utf-8SecKeychainRef *FSecAccessRef *rrX))r ValueErrorrreprr&CSSM_ALGID_DSACSSM_ALGID_ECDSACSSM_ALGID_RSArr%r*cf_string_from_unicoder,rdecodetempfilemkdtempospathjoinencodeSecKeychainCreater!r'rSecAccessCreateSecKeyCreatePairCSSM_KEYUSE_VERIFYCSSM_KEYATTR_EXTRACTABLECSSM_KEYATTR_PERMANENTCSSM_KEYUSE_SIGNr)rirjSecKeychainItemDeleterpSecKeychainDeleteshutilrmtreer?r>)rZbit_sizerocf_dictpublic_key_refprivate_key_refcf_data_publicrr cf_stringsec_access_refsec_keychain_reftemp_diralg_idkey_sizeprivate_key_pointerpublic_key_pointerpassphrase_len rand_data passphrase temp_filename temp_pathsec_keychain_ref_pointerrtsec_access_ref_pointercf_data_public_pointerpublic_key_bytesrsrus rSr;r;Es=2011  O    E 378 8^X   e  3v; &^X   d  CD D^U  GNONOINHi5 //00 //         H  H!(M: =9445MN rN23 rs^ !)CR.188A ##%GGLL=9@@I #&x1C#D ++     F $    !":;!$X/?!@)))TV=ST  67**     , ,  2 2]5Y5Y Y  * *  2 2]5Y5Y Y        23 !45!$^]!C''1dfF\]  67$55nE"%nm"D''AtvG^_  !89%66G//? //@    $ $W -   $ $^ 4   $ $_ 5   $ $^ 4   $ $_ 5   $ $Y /   & &'7 8  $ $%5 6  MM( #   $ $^ 4 , -/?@Q/R SS)   $ $W -   $ $^ 4   $ $_ 5   $ $^ 4   $ $_ 5   $ $Y /   & &'7 8  $ $%5 6  MM( #   $ $^ 4 sL SC'Wc  t|tsttdt ||dkr t d|dkDr t d|dzdk7r t dd }d }d }d }d }d }d }d } t td } t td } tjd }d } td | z} | d d } t| d d jd}tj}tj j#||j%d}t td}tj&|| | dt)|}t+|t-|}t td}tj.|t)|}t+|t-|}tj0|t2j4|ddt2j6t2j8zdt2j6t2j8z|| | }t+|t-| }t-| }t t:d}tj<|ddt)|}t+|t-|}tj>|}tj@|}t+|tj@|}t+|tCjD|d|rt;jF||rt;jF||rt;jF||rt;jF||rt;jF||r*tjH|t;jF||rtKjL||rt;jF|SS#|rt;jF||rt;jF||rt;jF||rt;jF||rt;jF||r*tjH|t;jF||rtKjL||rt;jF|wwxYw)a` Generates DH parameters for use with Diffie-Hellman key exchange. Returns a structure in the format of DHParameter defined in PKCS#3, which is also used by the OpenSSL dhparam tool. THIS CAN BE VERY TIME CONSUMING! :param bit_size: The integer bit size of the parameters to generate. Must be between 512 and 4096, and divisible by 64. Recommended secure value as of early 2016 is 2048, with an absolute minimum of 1024. :raises: ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library :return: An asn1crypto.algos.DHParameters object. Use oscrypto.asymmetric.dump_dh_parameters() to save to disk for usage with web servers. z= bit_size must be an integer, not %s z-bit_size must be greater than or equal to 512rz+bit_size must be less than or equal to 4096@rz!bit_size must be a multiple of 64NrrrrrrFrrXr[)' isinstancer6 TypeErrorrr3rrr%r*rr,rrrrrrrrrr!r'rrrr& CSSM_ALGID_DHrrr)rirjrr loadrprrr)rrrrrrrrrrrrrrrrrrrtrrsrus rSgenerate_dh_parametersrs0 h *  h     #~HII$FGG"}<==NONOINHQ5 =9!(M:445MN rN23 rs^ !)CR.188A ##%GGLL=9@@I #&x1C#D ++     F $    !":;!$X/?!@)))TV=ST  67**   ' '   2 2]5Y5Y Y  2 2]5Y5Y Y        23 !45"%nm"D''AtvG^_  !89%66G//? //@ #(():;LI   $ $^ 4   $ $_ 5   $ $^ 4   $ $_ 5   $ $Y /   & &'7 8  $ $%5 6  MM( #   $ $^ 4    $ $^ 4   $ $_ 5   $ $^ 4   $ $_ 5   $ $Y /   & &'7 8  $ $%5 6  MM( #   $ $^ 4 s3I6N88CRct|tr |}t|St|trt|}t|St|tr9t |d5}t|j }dddt|Sttdt|#1swYtSxYw)a Loads an x509 certificate into a Certificate object :param source: A byte string of file contents, a unicode string filename or an asn1crypto.x509.Certificate object :raises: ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library :return: A Certificate object rbNz source must be a byte string, unicode string or asn1crypto.x509.Certificate object, not %s ) rAsn1Certificater5rr4openreadrrr3r)source certificatefs rSr<r<s"&/* $ k ""! FH %'/  k "" FG $ &$  61+AFFH5K 6 k ""  f      6 k "" B++B>c|j}d} tj|}tjt j |}t|||rt j|SS#|rt j|wwxYw)z Loads an ASN.1 object of an x509 certificate into a Certificate object :param certificate: An asn1crypto.x509.Certificate object :return: A Certificate object N) rr*cf_data_from_bytesr%SecCertificateCreateWithDatar)kCFAllocatorDefaultr rp)rr cf_sourcerNs rSrrs~   FI0008 ;;N<^<^`ij ; 4   $ $Y / 9  $ $Y / s AA11B ct|tr |}t|S|Ot|tr|jd}t|tst t dt|t|tr&t|d5}|j}dddn.t|tst t dt|t||}t|S#1swY xYw)a Loads a private key into a PrivateKey object :param source: A byte string of file contents, a unicode string filename or an asn1crypto.keys.PrivateKeyInfo object :param password: A byte or unicode string to decrypt the private key file. Unicode strings will be encoded using UTF-8. Not used is the source is a PrivateKeyInfo object. :raises: ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type oscrypto.errors.AsymmetricKeyError - when the private key is incompatible with the OS crypto library OSError - when an error is returned by the OS crypto library :return: A PrivateKey object NrzP password must be a byte string, not %s rz source must be a byte string, unicode string or asn1crypto.keys.PrivateKeyInfo object, not %s ) rrr4rr5rrr3rrrrq)rpasswordprivate_objectrs rSr>r>s.&.): ^ $$5  (G,#??73h1h' ! fg &fd# "q " "FH-N&!  'vx8 ^ $$ " "s C**C3ct|tr |}t|St|trt|}t|St|tr9t |d5}t|j }dddt|Sttdt|#1swYtSxYw)a3 Loads a public key into a PublicKey object :param source: A byte string of file contents, a unicode string filename or an asn1crypto.keys.PublicKeyInfo object :raises: ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type oscrypto.errors.AsymmetricKeyError - when the public key is incompatible with the OS crypto library OSError - when an error is returned by the OS crypto library :return: A PublicKey object rNz source must be a byte string, unicode string or asn1crypto.keys.PublicKeyInfo object, not %s ) rrr5rr4rrrrr3rq)rr_rs rSr?r?s$&-( $ Z  ! FH %!&)  Z   FG $ &$  01%affh/J 0 Z    f      0 Z  rc |jdk(rB|j\}}|dk7r td|tgdvrtt d|jdk(r.|j dk(rtt d|j |jdk(r |j tt d t|trY|jd k(r)|j}d |d d <|j}n|j}tj}n)t|j}tj}d }d }d } t!j"|}t%t&d} t)| tj*t%t&d} t)| |t%t,d} t!j.t&j0g}t%t&d} t3| } d| _d| _t9| _t9| _t9| _t9| _ t9| _!|| _"t'jF|t9| | d| t9| }tI|t3| }t-jJ|}|dkDr+t-jL|d}t-jN||tjk(rRtQ||rt-jR||rt-jR||rt-jR|SS|tjk(rRtU||rt-jR||rt-jR||rt-jR|SS |rt-jR||rt-jR||rt-jR|y y #|rt-jR||rt-jR||rt-jR|wwxYw)aN Common code to load public and private keys into PublicKey and PrivateKey objects :param key_object: An asn1crypto.keys.PublicKeyInfo or asn1crypto.keys.PrivateKeyInfo object :raises: ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type oscrypto.errors.AsymmetricKeyError - when the key is incompatible with the OS crypto library OSError - when an error is returned by the OS crypto library :return: A PublicKey or PrivateKey object rdrez-OS X only supports EC keys using named curvesrz OS X only supports EC keys using the named curves secp256r1, secp384r1 and secp521r1 r`sha2z OS X only supports DSA keys based on SHA1 (2048 bits or less) - this key is based on SHA2 and is %s bits Nzz The DSA key does not contain the necessary p, q and g parameters and can not be used rrYrZz uint32_t *z CFArrayRef *z"SecItemImportExportKeyParameters *r)+rZror-rrrrr.rrrlrr&kSecItemTypePublicKeyrkSecItemTypePrivateKeyr*rrr%r#kSecFormatOpenSSLr)cf_array_from_listkSecAttrIsExtractablerversionflagsr!r alertTitle alertPrompt accessRefkeyUsage keyAttributes SecItemImportr'CFArrayGetCountCFArrayGetValueAtIndexCFRetainrBrprA) key_object curve_typedetailstemp_key_objectr item_typer keys_array attr_arrayformat_pointer type_pointer keys_pointerimport_export_params_pointerimport_export_paramsrlengthrNs rSrqrqs&t#(.. G  $%TU U #EF F$^&     &:+?+?6+I      "       &:+?+?+G*> ,   *m,   < /)oo/O8=OK ( 5$))+F__&F!77 **5::<!88 IJJ60008 X|4NM$C$CD8\2 L),>>: 11  * *3  (+85Y'Z$%&BC'($%&"*.&'*.&'+/6()-&(,%-7*$$  F   ( F    L) // ; A:(?? ANK  # #K 0  ;; ;[*5   $ $Z 0   $ $Z 0   $ $Y /   << <k:6   $ $Z 0   $ $Z 0   $ $Y /  =   $ $Z 0   $ $Z 0   $ $Y /    $ $Z 0   $ $Z 0   $ $Y / sF/O: O::AQc$t||tS)a Parses a PKCS#12 ANS.1 DER-encoded structure and extracts certs and keys :param data: A byte string of a DER-encoded PKCS#12 file :param password: A byte string of the password to any encrypted data :raises: ValueError - when any of the parameters are of the wrong type or value OSError - when an error is returned by one of the OS decryption functions :return: A three-element tuple of: 1. An asn1crypto.keys.PrivateKeyInfo object 2. An asn1crypto.x509.Certificate object 3. A list of zero or more asn1crypto.x509.Certificate objects that are "extra" certificates, possibly intermediates from the cert chain )rr>)datars rSr@r@s, x)9 ::rVc$|Ot|tr|jd}t|tst t dt |t|tr&t|d5}|j}dddn.t|tst t dt |t||\}}}d}d}|r t|}|r t|}|Dcgc] }t|} }||| fS#1swYTxYwcc}w)a Loads a .p12 or .pfx file into a PrivateKey object and one or more Certificates objects :param source: A byte string of file contents or a unicode string filename :param password: A byte or unicode string to decrypt the PKCS12 file. Unicode strings will be encoded using UTF-8. :raises: ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type oscrypto.errors.AsymmetricKeyError - when a contained key is incompatible with the OS crypto library OSError - when an error is returned by the OS crypto library :return: A three-element tuple containing (PrivateKey, Certificate, [Certificate, ...]) NrzH password must be a byte string, not %s rzR source must be a byte string or a unicode string, not %s ) rr4rr5rrr3rrr@rqr) rrrkey_info cert_infoextra_certs_inforvcertinfo extra_certss rSr=r=s, h (w/H(H-N(#  &'" &$  1VVXF   )  f     -9,J)Hi) C D!)$0@A:d#AKA { ##1  ,Bs.D(D D ct|ttfstt dt |t|t stt dt ||j}t|}ttd|}tj|jtj|t|||}t!|t#|t%|S)aF Encrypts a byte string using an RSA public key or certificate. Uses PKCS#1 v1.5 padding. :param certificate_or_public_key: A PublicKey or Certificate object :param data: A byte string, with a maximum length 11 bytes less than the key length (in bytes) :raises: ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library :return: A byte string of the encrypted data certificate_or_public_key must be an instance of the Certificate or PublicKey class, not %s < data must be a byte string, not %s size_t *)rr rBrrr3r5 byte_sizerrr% SecKeyEncryptrNr&kSecPaddingPKCS1lenr'rr )certificate_or_public_keyr! key_lengthbuffer output_lengthrts rSrFrFs* /+y1I J  / 0     dH %  dO    +44J z *F*j9M  # #!--&&  D  FV VU=%9 ::rVc&t|tsttdt |t|t sttdt ||j }t|}ttd|}tdkrtj}ntj}tj|j||t!|||}t#|t%|t'|}tdkr t)||}|S)a Decrypts a byte string using an RSA private key. Uses PKCS#1 v1.5 padding. :param private_key: A PrivateKey object :param ciphertext: A byte string of the encrypted data :raises: ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library :return: A byte string of the original plaintext zV private_key must an instance of the PrivateKey class, not %s r+r,)r)rrArrr3r5r-rrr%r(r&kSecPaddingNoner/ SecKeyDecryptrNr0r'rr r2)r\ ciphertextr2r3r4paddingrtoutputs rSrErE&s& k: .  k "     j( +  j !    &&J z *F*j9M'!//00  # # J FV vu]'; )r\r9s rSrCrC|s( KX-H-H IIrVct|ttfstt dt |t|t stt dt ||s tdd}d} tj|}ttd}tj|j|}t||r1tj |tj"||t|tj |tj$||t|tj&||}t|tj(||rtj*||rtj*|SS#|rtj*||rtj*|wwxYw)a> Encrypts plaintext using an RSA public key or certificate :param certificate_or_public_key: A Certificate or PublicKey object :param data: The plaintext - a byte string :param padding: The padding mode to use, specified as a kSecPadding*Key value :raises: ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library :return: A byte string of the ciphertext r*r+padding must be specifiedN CFErrorRef *)rr rBrrr3r5rr*rrr)r%SecEncryptTransformCreaterNr+SecTransformSetAttributekSecPaddingKeykSecTransformInputAttributeNameSecTransformExecuterjrp)r1r!r:cf_data sec_transform error_pointerr9s rSr=r=s, /+y1I J  / 0     dH %  dO     455GM$4..t4NN;  :: % 1 1    &   - -''   M *))   4 4     &11-O  &))*5   $ $W -   $ $] 3    $ $W -   $ $] 3 s 5C)F1F?ctt|tsttdt |t|t sttdt ||s t dd}d} tj|}ttd}tj|j|}t|tj|tj ||t|tj|tj"||t|tj$||}t|tj&||rtj(||rtj(|SS#|rtj(||rtj(|wwxYw)a Decrypts RSA ciphertext using a private key :param private_key: A PrivateKey object :param ciphertext: The ciphertext - a byte string :param padding: The padding mode to use, specified as a kSecPadding*Key value :raises: ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library :return: A byte string of the plaintext Y private_key must be an instance of the PrivateKey class, not %s zB ciphertext must be a byte string, not %s rBNrC)rrArrr3r5rr*rrr)r%SecDecryptTransformCreaterNr+rErFrGrHrjrp)r\r9r:rIrJrK plaintexts rSr@r@s, k: .  k "     j( +  j !     455GM#4..z:NN;  ::  # #    &))   # #     &))   4 4     &00 N  &)))4   $ $W -   $ $] 3    $ $W -   $ $] 3 s /C'F1F7cR|jdk7r tdt||||S)a Verifies an RSASSA-PKCS-v1.5 signature. When the hash_algorithm is "raw", the operation is identical to RSA public key decryption. That is: the data is not hashed and no ASN.1 structure with an algorithm identifier of the hash algorithm is placed in the encrypted byte string. :param certificate_or_public_key: A Certificate or PublicKey instance to verify the signature with :param signature: A byte string of the signature to verify :param data: A byte string of the data the signature is for :param hash_algorithm: A unicode string of "md5", "sha1", "sha224", "sha256", "sha384", "sha512" or "raw" :raises: oscrypto.errors.SignatureError - when the signature is determined to be invalid ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library rY*The key specified is not an RSA public keyrZr_verifyr1 signaturer!hash_algorithms rSrHrH9s08!**e3EFF ,i~ NNrVct|ttfstt dt |t|t stt dt ||j}|dk7r|dk7r tddddd d d j|d }|j}t|}ttd |}tj|jt j"|t%|||} t'| t)|t+|} t-|||j.|| s t1dy)a Verifies an RSASSA-PSS signature. For the PSS padding the mask gen algorithm will be mgf1 using the same hash algorithm as the signature. The salt length with be the length of the hash algorithm, and the trailer field with be the standard 0xBC byte. :param certificate_or_public_key: A Certificate or PublicKey instance to verify the signature with :param signature: A byte string of the signature to verify :param data: A byte string of the data the signature is for :param hash_algorithm: A unicode string of "md5", "sha1", "sha224", "sha256", "sha384" or "sha512" :raises: oscrypto.errors.SignatureError - when the signature is determined to be invalid ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library r*r+rYrrQ 0rsha1sha224sha256sha384sha512rr,Signature is invalidN)rr rBrrr3r5rZrgetr-rrr%r.rNr&r7r0r'rr r1rr/) r1rUr!rVcp_algo hash_lengthr2r3r4rtrOs rSrJrJ[sT4 /+y1I J  / 0     dH %  dO    (11G%G|3EFF   c.! +44J z *F*j9M  # #!--%% I FV!&% *>?I nk;T;];]_cen o344 prVcR|jdk7r tdt||||S)a Verifies a DSA signature :param certificate_or_public_key: A Certificate or PublicKey instance to verify the signature with :param signature: A byte string of the signature to verify :param data: A byte string of the data the signature is for :param hash_algorithm: A unicode string of "md5", "sha1", "sha224", "sha256", "sha384" or "sha512" :raises: oscrypto.errors.SignatureError - when the signature is determined to be invalid ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library r`z)The key specified is not a DSA public keyrRrTs rSr8r8s0.!**e3DEE ,i~ NNrVcR|jdk7r tdt||||S)a Verifies an ECDSA signature :param certificate_or_public_key: A Certificate or PublicKey instance to verify the signature with :param signature: A byte string of the signature to verify :param data: A byte string of the data the signature is for :param hash_algorithm: A unicode string of "md5", "sha1", "sha224", "sha256", "sha384" or "sha512" :raises: oscrypto.errors.SignatureError - when the signature is determined to be invalid ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library rdz)The key specified is not an EC public keyrRrTs rSr:r:s0.!**d2DEE ,i~ NNrVc  t|ttfstt dt |t|t stt dt |t|t stt dt |tgd}|jdk(r|tdgz}||vr5d}|jdk(r|dz }tt d |t||jdk(r|dk(rt||jd z kDr)tt d |jt|tj|jt j"|t||t|}|t j$k(s|t j&k(r t)d t+|y d }d }d } d } t-t.d} t1j2|}tj4|j|| } t7| tj8tj:tj<tj<tj<tj<d|} tj>| tj@| | t7| |tgdvrPddddd|} t1jB| } tj>| tjD| | t7| |jdk(r?tj>| tjFtjH| t7| t1j2|}tj>| tjJ|| t7| tjL| | }tO| s!tQ| }tO|s t)d tSt/jT|}|s t)d  | rt/jV| |rt/jV||rt/jV|| rt/jV| y y #| rt/jV| |rt/jV||rt/jV|| rt/jV| wwxYw)a Verifies an RSA, DSA or ECDSA signature :param certificate_or_public_key: A Certificate or PublicKey instance to verify the signature with :param signature: A byte string of the signature to verify :param data: A byte string of the data the signature is for :param hash_algorithm: A unicode string of "md5", "sha1", "sha224", "sha256", "sha384" or "sha512" :raises: oscrypto.errors.SignatureError - when the signature is determined to be invalid ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library r*zA signature must be a byte string, not %s r+md5r]r^r_r`rarYraw5"md5", "sha1", "sha224", "sha256", "sha384", "sha512", "raw"B hash_algorithm must be one of %s, not %s z data must be 11 bytes shorter than the key size when hash_algorithm is "raw" - key size is %s bytes, but data is %s bytes long rbNrCr^r_r`rarrr),rr rBrrr3r5rrZrrr0r-r%SecKeyRawVerifyrNr&r/errSecVerifyFailed errSSLCryptor/r'rr)r*rSecVerifyTransformCreater+ kSecDigestMD5kSecDigestSHA1kSecDigestSHA2rEkSecDigestTypeAttributecf_number_from_integerkSecDigestLengthAttributerFkSecPaddingPKCS1KeyrGrHr"rboolCFBooleanGetValuerp)r1rUr!rVvalid_hash_algorithmsvalid_hash_algorithms_errorrt cf_signaturerIcf_hash_lengthrJrK hash_constantrererrors rSrSrSs. /+y1I J  / 0     i *  i     dH %  dO     WX **e3eW-22&]# $ . .% 7 '9 4 '  (     !**e3%8O t90::R? ?^ *33D  )) % 1 1  * *  I   N   ]55 5=C]C]9] !78 8 LGNMR5NN;  33I>  99 % 1 1    &))++--------     ))   , ,     & S!IJ J   K'==kJN  - -22   M * $ . .% 7  - -'',,   M *..t4))   4 4     &**=-H}%=)E5>$%;<<>33C89 !78 8   $ $] 3   $ $\ 2   $ $W -   $ $^ 4    $ $] 3   $ $\ 2   $ $W -   $ $^ 4 sIQ88AScP|jdk7r tdt|||S)a^ Generates an RSASSA-PKCS-v1.5 signature. When the hash_algorithm is "raw", the operation is identical to RSA private key encryption. That is: the data is not hashed and no ASN.1 structure with an algorithm identifier of the hash algorithm is placed in the encrypted byte string. :param private_key: The PrivateKey to generate the signature with :param data: A byte string of the data the signature is for :param hash_algorithm: A unicode string of "md5", "sha1", "sha224", "sha256", "sha384", "sha512" or "raw" :raises: ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library :return: A byte string of the signature rY+The key specified is not an RSA private keyrZr_signr\r!rVs rSrGrGs-8%FGG dN 33rVcbt|tsttdt |t|t sttdt ||j }|dk7r|dk7r tddddd d d j|d }t|||j|}|j}t|}ttd |}tj|j t"j$|t'|||} t)| t+|t-|S)a6 Generates an RSASSA-PSS signature. For the PSS padding the mask gen algorithm will be mgf1 using the same hash algorithm as the signature. The salt length with be the length of the hash algorithm, and the trailer field with be the standard 0xBC byte. :param private_key: The PrivateKey to generate the signature with :param data: A byte string of the data the signature is for :param hash_algorithm: A unicode string of "md5", "sha1", "sha224", "sha256", "sha384" or "sha512" :raises: ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library :return: A byte string of the signature rMr+rYrrrXrYrZr[rr\rr,)rrArrr3r5rZrrcr0rr-rrr%r8rNr&r7r0r'rr ) r\r!rVpk_algore encoded_datar2r3r4rts rSrIrIs;4 k: .  k "     dH %  dO    ##G%G|3FGG   c.! #>; @T@TVZ[L&&J z *F*j9M  # #%% L FV VU=%9 ::rVcP|jdk7r tdt|||S)aI Generates a DSA signature :param private_key: The PrivateKey to generate the signature with :param data: A byte string of the data the signature is for :param hash_algorithm: A unicode string of "md5", "sha1", "sha224", "sha256", "sha384" or "sha512" :raises: ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library :return: A byte string of the signature r`z*The key specified is not a DSA private keyrrs rSr7r7s-.%EFF dN 33rVcP|jdk7r tdt|||S)aL Generates an ECDSA signature :param private_key: The PrivateKey to generate the signature with :param data: A byte string of the data the signature is for :param hash_algorithm: A unicode string of "md5", "sha1", "sha224", "sha256", "sha384" or "sha512" :raises: ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library :return: A byte string of the signature rdz*The key specified is not an EC private keyrrs rSr9r9s-.$EFF dN 33rVc t|tsttdt |t|t sttdt |t gd}|jdk(r|t dgz}||vr5d}|jdk(r|dz }ttd|t||jdk(r|dk(rt||jd z kDr)ttd |jt||j}t|}ttd |}tj|j t"j$|t|||}t'|t)|t+|Sd } d } d } d } tt,d } tj.|j | } t1| tj2tj4tj6tj6tj6tj6d|}tj8| tj:|| t1| |t gdvrPddddd|}t=j>|} tj8| tj@| | t1| |jdk(r?tj8| tjBtjD| t1| t=jF|} tj8| tjH| | t1| tjJ| | } t1| t=jL| | rt-jN| | rt-jN| | rt-jN| | rt-jN| SS#| rt-jN| | rt-jN| | rt-jN| | rt-jN| wwxYw)aX Generates an RSA, DSA or ECDSA signature :param private_key: The PrivateKey to generate the signature with :param data: A byte string of the data the signature is for :param hash_algorithm: A unicode string of "md5", "sha1", "sha224", "sha256", "sha384" or "sha512" :raises: ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library :return: A byte string of the signature zO private_key must be an instance of PrivateKey, not %s r+rirYrkrlrmrnroz data must be 11 bytes shorter than the key size when hash_algorithm is "raw" - key size is %s bytes, but data is %s bytes long r,NrCrprqrrr)(rrArrr3r5rrZrrr0r-rrr% SecKeyRawSignrNr&r/r'rr r)SecSignTransformCreater+rvrwrxrEryr*rzr{rFr|rrGrHrjrp)r\r!rVrrr2r3r4rtrrIrrJrKrres rSrr6s. k: .  k "     dH %  dO     WX%eW-22&]#  E ) '9 4 '  (     %.E*A t9{,,r1 1^ %%D  !** ":.Hj*= ''  # #  * *  I       })=>>LGNMG5NN;  77 8O8OQ^_  &))++--------     ))   , ,     & S!IJ J   K'==kJN  - -22   M *  E )  - -'',,   M *..t4))   4 4     &33M=Q  &)),7   $ $] 3   $ $\ 2   $ $W -   $ $^ 4    $ $] 3   $ $\ 2   $ $W -   $ $^ 4 s%G4O77AQ)NNr})^ __future__rrrrbase64rrrr_asn1r rr r r r rrrr _asymmetricrrrrrrrrr_errorsr_ffirrrrr r!r"r# _securityr%r&r'r(_core_foundationr)r*r+utilr,errorsr-r.r/_pkcs1r0r1r2_typesr3r4r5r6__all__rArBr;rr<rr>r?rqr@r=rFrErDrCr=r@rHrJr8r:rSrGrIr7r9rrrVrSrs3RR       %gggRRHHUU\\<< 2r$r$j$$@l,"l,^qThC5L$#N005%p%!Py0x;2:$z3;l;|R0J.Q4hO4dODF5RO:O:q5h4DE;P4:4:^5rV