B uf@sUddlmZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl mZddlmZddlmZddlmZmZmZmZmZddlmZdd lmZmZmZmZdd lm Z m!Z!m"Z"m#Z#m$Z$m%Z%ydd l&m'Z(d Z)Wn4e*k r"d Z)ddddddddddZ(YnXdZ+dZ,dZ-dZ.dZ/dZ0dZ1dZ2dZ3e4dZ5dZ6dZ7d Z8d!Z9d"Z:d#Z;d$Ze?e@eAd&d'ZBe Gd(d)d)ZCeCejDd*ejEd$d$dd d+eCejDd*ejFd$d$dd d+eCejDd*ejGd$d,d$d d+d-ZHd.eId/<e.e/e0d0ZJd1dd2d3d4ZKd5dd6d7d8ZLe7d9e8d9fddddd:d;d<ZMddd=d>d?d@ZNdd=dAdBdCZOddDdddEdFdGdHZPdIdJdAdKdLZQdIdJdAdMdNZRdIdOdAdPdQZSdIdJdAdRdSZTdddTdUdVZUGdWdXdXZVGdYdZdZZWGd[d\d\ZXGd]d^d^ZYGd_d`d`ZZe,eWe-eXe+eZe.eYdae[e/eYdbe\e0eYdce]iZ^ddddedfZ_ej`ejaejbejcejdfZedddDdgdhdidjdkZfdhddlddmdndoZgej`ejhejiejjejkfZlej`ejhejiejkfZmGdpdqdqejnZoGdrdsdsZpdtdudvdwdxZqdddydAdzd{ZrddydAd|d}ZsdId~dddZtdddgddddZuddd6ddZvej`ejaejbejdfZwdZxGdddZydS)) annotationsN) encodebytes) dataclass)utils)UnsupportedAlgorithm)hashes)dsaeced25519paddingrsa)AEADDecryptionContextCipher algorithmsmodes)EncodingKeySerializationEncryption NoEncryption PrivateFormat PublicFormat_KeySerializationEncryption)kdfTFbytesintbool)passwordsaltdesired_key_bytesroundsignore_few_roundsreturncCs tddS)NzNeed bcrypt module)r)rrrrrr!r/home/ankuromar296_gmail_com/myenv/lib/python3.7/site-packages/cryptography/hazmat/primitives/serialization/ssh.py _bcrypt_kdf1sr#s ssh-ed25519sssh-rsasssh-dsssecdsa-sha2-nistp256secdsa-sha2-nistp384secdsa-sha2-nistp521s-cert-v01@openssh.coms rsa-sha2-256s rsa-sha2-512s\A(\S+)[ \t]+(\S+)sopenssh-key-v1s#-----BEGIN OPENSSH PRIVATE KEY-----s!-----END OPENSSH PRIVATE KEY-----sbcryptsnones aes256-ctrs(.*?)c@sFeZdZUded<ded<ded<ded<ded<d ed <d ed <d S) _SSHCipherztype[algorithms.AES]algrkey_lenz3type[modes.CTR] | type[modes.CBC] | type[modes.GCM]mode block_leniv_lenz int | Nonetag_lenris_aeadN)__name__ __module__ __qualname____annotations__r!r!r!r"r'Xs r' )r(r)r*r+r,r-r. )s aes256-ctrs aes256-cbcsaes256-gcm@openssh.comzdict[bytes, _SSHCipher] _SSH_CIPHERS)Z secp256r1Z secp384r1Z secp521r1z&SSHPrivateKeyTypes | SSHPublicKeyTypes)keyr cCst|tjrt|}nft|tjr0t|}nPt|tjtjfrHt }n8t|t j t j fr`t }n t|tjtjfrxt}ntd|S)NzUnsupported key type) isinstancer EllipticCurvePrivateKey_ecdsa_key_type public_keyEllipticCurvePublicKeyr RSAPrivateKey RSAPublicKey_SSH_RSAr DSAPrivateKey DSAPublicKey_SSH_DSAr Ed25519PrivateKeyEd25519PublicKey _SSH_ED25519 ValueError)r6key_typer!r!r"_get_ssh_key_types   rGzec.EllipticCurvePublicKey)r:r cCs*|j}|jtkr td|jt|jS)z3Return SSH key_type and curve_name for private key.z'Unsupported curve for ssh private key: )curvename_ECDSA_KEY_TYPErE)r:rHr!r!r"r9s  r9 )dataprefixsuffixr cCsd|t||gS)N)join_base64_encode)rLrMrNr!r!r"_ssh_pem_encodesrRNone)rLr+r cCs |rt||dkrtddS)zRequire data to be full blocksrzCorrupt data: missing paddingN)lenrE)rLr+r!r!r"_check_block_sizesrU)rLr cCs|r tddS)z!All data should have been parsed.zCorrupt data: unparsed dataN)rE)rLr!r!r" _check_emptysrVz bytes | Nonez)Cipher[modes.CBC | modes.CTR | modes.GCM]) ciphernamerrrr cCsV|s tdt|}t|||j|j|d}t||d|j|||jdS)z$Generate key + iv and return cipher.zKey is password-protected.TN)rEr5r#r)r,rr(r*)rWrrrciphseedr!r!r" _init_ciphersrZ memoryviewztuple[int, memoryview]cCs6t|dkrtdtj|dddd|ddfS)ZUint32z Invalid dataNbig) byteorder)rTrEr from_bytes)rLr!r!r"_get_u32s r`cCs6t|dkrtdtj|dddd|ddfS)ZUint64z Invalid dataNr])r^)rTrErr_)rLr!r!r"_get_u64s rbztuple[memoryview, memoryview]cCs8t|\}}|t|kr td|d|||dfS)zBytes with u32 length prefixz Invalid dataN)r`rTrE)rLnr!r!r" _get_sshstrs  rdcCs4t|\}}|r$|ddkr$tdt|d|fS)z Big integer.rz Invalid datar])rdrErr_)rLvalr!r!r" _get_mpints rg)rfr cCs4|dkrtd|sdS|dd}t||S)z!Storage format for signed bigint.rznegative mpint not allowedrOra)rE bit_lengthrZ int_to_bytes)rfnbytesr!r!r" _to_mpints rjc@seZdZUdZded<d"ddddd Zd dd d d Zddd ddZddd ddZddd ddZ ddd ddZ ddddZ d#ddddddZ d dd d!Z dS)$ _FragListz,Build recursive structure without data copy.z list[bytes]flistNzlist[bytes] | NonerS)initr cCsg|_|r|j|dS)N)rlextend)selfrmr!r!r"__init__sz_FragList.__init__r)rfr cCs|j|dS)zAdd plain bytesN)rlappend)rorfr!r!r"put_rawsz_FragList.put_rawrcCs|j|jddddS)zBig-endian uint32r\r])lengthr^N)rlrqto_bytes)rorfr!r!r"put_u32sz_FragList.put_u32cCs|j|jddddS)zBig-endian uint64rar])rsr^N)rlrqrt)rorfr!r!r"put_u64 sz_FragList.put_u64zbytes | _FragListcCsLt|tttfr,|t||j|n|||j |jdS)zBytes prefixed with u32 lengthN) r7rr[ bytearrayrurTrlrqsizern)rorfr!r!r" put_sshstr s z_FragList.put_sshstrcCs|t|dS)z*Big-endian bigint prefixed with u32 lengthN)ryrj)rorfr!r!r" put_mpintsz_FragList.put_mpint)r cCsttt|jS)zCurrent number of bytes)summaprTrl)ror!r!r"rxsz_FragList.sizerr[)dstbufposr cCs6x0|jD]&}t|}|||}}||||<qW|S)zWrite into bytearray)rlrT)ror}r~fragZflenstartr!r!r"renders  z_FragList.rendercCs"tt|}|||S)zReturn as bytes)r[rwrxrtobytes)robufr!r!r"r&s z_FragList.tobytes)N)r)r/r0r1__doc__r2rprrrurvryrzrxrrr!r!r!r"rks  rkc@sbeZdZdZddddZddddd Zdd dd d Zd dddddZddddddZdS) _SSHFormatRSAzhFormat for RSA keys. Public: mpint e, n Private: mpint n, e, d, iqmp, p, q r[)rLcCs$t|\}}t|\}}||f|fS)zRSA public fields)rg)rorLercr!r!r" get_public6s  z_SSHFormatRSA.get_publicz#tuple[rsa.RSAPublicKey, memoryview])rLr cCs.||\\}}}t||}|}||fS)zMake RSA public key from data.)rr RSAPublicNumbersr:)rorLrrcpublic_numbersr:r!r!r" load_public<s z_SSHFormatRSA.load_publicz$tuple[rsa.RSAPrivateKey, memoryview]c Cst|\}}t|\}}t|\}}t|\}}t|\}}t|\}}||f|kr\tdt||} t||} t||} t|||| | || } | } | |fS)zMake RSA private key from data.z Corrupt data: rsa field mismatch)rgrEr Z rsa_crt_dmp1Z rsa_crt_dmq1rZRSAPrivateNumbers private_key)rorL pubfieldsrcrdiqmppqZdmp1Zdmq1rprivate_numbersrr!r!r" load_privateEs          z_SSHFormatRSA.load_privatezrsa.RSAPublicKeyrkrS)r:f_pubr cCs$|}||j||jdS)zWrite RSA public keyN)rrzrrc)ror:rZpubnr!r!r" encode_public[s z_SSHFormatRSA.encode_publiczrsa.RSAPrivateKey)rf_privr cCsZ|}|j}||j||j||j||j||j||jdS)zWrite RSA private keyN) rrrzrcrrrrr)rorrrrr!r!r"encode_privatecs     z_SSHFormatRSA.encode_privateN) r/r0r1rrrrrrr!r!r!r"r-s  rc@steZdZdZdddddZddddd Zdd dd d Zd dddddZddddddZdddddZ dS) _SSHFormatDSAzhFormat for DSA keys. Public: mpint p, q, g, y Private: mpint p, q, g, y, x r[ztuple[tuple, memoryview])rLr cCs@t|\}}t|\}}t|\}}t|\}}||||f|fS)zDSA public fields)rg)rorLrrgyr!r!r"r|s     z_SSHFormatDSA.get_publicz#tuple[dsa.DSAPublicKey, memoryview]c CsJ||\\}}}}}t|||}t||}|||}||fS)zMake DSA public key from data.)rrDSAParameterNumbersDSAPublicNumbers _validater:) rorLrrrrparameter_numbersrr:r!r!r"rs   z_SSHFormatDSA.load_publicz$tuple[dsa.DSAPrivateKey, memoryview]c Csz||\\}}}}}t|\}}||||f|kr:tdt|||}t||} || t|| } | } | |fS)zMake DSA private key from data.z Corrupt data: dsa field mismatch) rrgrErrrrZDSAPrivateNumbersr) rorLrrrrrxrrrrr!r!r"rs    z_SSHFormatDSA.load_privatezdsa.DSAPublicKeyrkrS)r:rr cCsL|}|j}||||j||j||j||jdS)zWrite DSA public keyN)rrrrzrrrr)ror:rrrr!r!r"rs    z_SSHFormatDSA.encode_publiczdsa.DSAPrivateKey)rrr cCs$|||||jdS)zWrite DSA private keyN)rr:rzrr)rorrr!r!r"rsz_SSHFormatDSA.encode_privatezdsa.DSAPublicNumbers)rr cCs |j}|jdkrtddS)Niz#SSH supports only 1024 bit DSA keys)rrrhrE)rorrr!r!r"rsz_SSHFormatDSA._validateN) r/r0r1rrrrrrrr!r!r!r"rss  rc@steZdZdZdddddZddd d d Zdd d d dZddd ddZddddddZddddddZ dS)_SSHFormatECDSAzFormat for ECDSA keys. Public: str curve bytes point Private: str curve bytes point mpint secret rzec.EllipticCurve)ssh_curve_namerHcCs||_||_dS)N)rrH)rorrHr!r!r"rpsz_SSHFormatECDSA.__init__r[ztuple[tuple, memoryview])rLr cCsJt|\}}t|\}}||jkr*td|ddkr>td||f|fS)zECDSA public fieldszCurve name mismatchrr\zNeed uncompressed point)rdrrENotImplementedError)rorLrHpointr!r!r"rs    z_SSHFormatECDSA.get_publicz,tuple[ec.EllipticCurvePublicKey, memoryview]cCs.||\\}}}tj|j|}||fS)z Make ECDSA public key from data.)rr r;Zfrom_encoded_pointrHr)rorL_rr:r!r!r"rsz_SSHFormatECDSA.load_publicz-tuple[ec.EllipticCurvePrivateKey, memoryview]cCsH||\\}}}t|\}}||f|kr2tdt||j}||fS)z!Make ECDSA private key from data.z"Corrupt data: ecdsa field mismatch)rrgrEr Zderive_private_keyrH)rorLrZ curve_namersecretrr!r!r"rs   z_SSHFormatECDSA.load_privatezec.EllipticCurvePublicKeyrkrS)r:rr cCs*|tjtj}||j||dS)zWrite ECDSA public keyN) public_bytesrZX962rZUncompressedPointryr)ror:rrr!r!r"rs  z_SSHFormatECDSA.encode_publiczec.EllipticCurvePrivateKey)rrr cCs,|}|}|||||jdS)zWrite ECDSA private keyN)r:rrrzZ private_value)rorrr:rr!r!r"rs z_SSHFormatECDSA.encode_privateN) r/r0r1rrprrrrrr!r!r!r"rs     rc@sdeZdZdZdddddZddddd Zdd dd d Zd dddddZddddddZdS)_SSHFormatEd25519z~Format for Ed25519 keys. Public: bytes point Private: bytes point bytes secret_and_point r[ztuple[tuple, memoryview])rLr cCst|\}}|f|fS)zEd25519 public fields)rd)rorLrr!r!r"rs z_SSHFormatEd25519.get_publicz+tuple[ed25519.Ed25519PublicKey, memoryview]cCs(||\\}}tj|}||fS)z"Make Ed25519 public key from data.)rr rCZfrom_public_bytesr)rorLrr:r!r!r"r s z_SSHFormatEd25519.load_publicz,tuple[ed25519.Ed25519PrivateKey, memoryview]cCsb||\\}}t|\}}|dd}|dd}||ksF|f|krNtdtj|}||fS)z#Make Ed25519 private key from data.Nr3z$Corrupt data: ed25519 field mismatch)rrdrEr rBZfrom_private_bytes)rorLrrZkeypairrZpoint2rr!r!r"rs    z_SSHFormatEd25519.load_privatezed25519.Ed25519PublicKeyrkrS)r:rr cCs|tjtj}||dS)zWrite Ed25519 public keyN)rrRawrry)ror:rraw_public_keyr!r!r"r%s z_SSHFormatEd25519.encode_publiczed25519.Ed25519PrivateKey)rrr cCsR|}|tjtjt}|tjtj}t||g}| ||| |dS)zWrite Ed25519 private keyN) r:Z private_bytesrrrrrrrkrry)rorrr:Zraw_private_keyrZ f_keypairr!r!r"r.s   z _SSHFormatEd25519.encode_privateN) r/r0r1rrrrrrr!r!r!r"rs   rsnistp256snistp384snistp521)rFcCs8t|tst|}|tkr&t|Std|dS)z"Return valid format or throw errorzUnsupported key type: N)r7rr[r _KEY_FORMATSr)rFr!r!r"_lookup_kformatIs   rz typing.AnySSHPrivateKeyTypes)rLrbackendr cCstd||dk r td|t|}|s6td|d}|d}t t |||}| t srtdt |t t d}t|\}}t|\}}t|\}}t|\} }| dkrtdt|\} }t| \} } t| } | | \} } t| ||fttfkr&|}|tkr.td||tkrFtd|t|j}t|j}t|\}}t|jrt|}t ||krtd nt|t||t|\}}t|\}}t|t||||}|}t ||}t|jrt |t!st"t|#|n t|$n"t|\}}t|d }t||t|\}}t|\}}||krrtd t|\}}|| krtd | %|| \}}t|\}}|t&dt |krtd t |t'j(rt)j*dtj+dd|S)z.Load private key from OpenSSH custom encoding.rLNrzNot OpenSSH private key formatr%zOnly one key supportedzUnsupported cipher: zUnsupported KDF: z+Corrupt data: invalid tag length for cipherrazCorrupt data: broken checksumzCorrupt data: key type mismatchzCorrupt data: invalid paddingzDSSH DSA keys are deprecated and will be removed in a future release.) stacklevel),r_check_byteslike _check_bytes_PEM_RCsearchrErendbinascii a2b_base64r[ startswith _SK_MAGICrTrdr`rrrV_NONErr5r_BCRYPTr+r-r.rrUrZZ decryptorupdater7r AssertionErrorZfinalize_with_tagfinalizer_PADDINGrr?warningswarnDeprecatedIn40)rLrrmp1p2rWkdfnameZ kdfoptionsnkeysZpubdataZ pub_key_typekformatrZciphername_bytesblklenr-ZedatatagrZkbufrrXdecZck1Zck2rFrrr!r!r"load_ssh_private_keyZs                                rr)rrencryption_algorithmr cCstd|t|tjr*tjdtjddt|}t |}t }|rt }t |j }t}t} t|trt|jdk rt|j} td} || || t||| | } nt}}d}d} d} td} d }t }|||||t | | g}||||||||td|||t }|t|||||||| |||||}|}tt ||}|!|||}| dk r| "#|||||dt$|d|S) z3Serialize private key with OpenSSH custom encoding.rzISSH DSA key support is deprecated and will be removed in a future releaser\)rNr$rar%rO)%rrr7rr?rrrrGrrk_DEFAULT_CIPHERr5r+r_DEFAULT_ROUNDSrZ _kdf_roundsosurandomryrurZrrr:rrrrrxrr[rwrZ encryptorZ update_intorR)rrrrFrZ f_kdfoptionsrWrrrrrXrZcheckvalcommentZ f_public_keyZ f_secretsZf_mainslenmlenrZofsr!r!r"_serialize_ssh_private_keysf                        rc@seZdZdZdZdS)SSHCertificateTyper%rN)r/r0r1USERZHOSTr!r!r!r"rsrc@seZdZdddddddddddddddddddd Zedd d d Zd d ddZedd ddZedd ddZedd ddZ edd ddZ edd ddZ edd ddZ edd ddZ edd dd Zd d d!d"Zdd d#d$Zd%d d&d'Zd(S))SSHCertificater[SSHPublicKeyTypesrz list[bytes]zdict[bytes, bytes]r)_nonce _public_key_serial_cctype_key_id_valid_principals _valid_after _valid_before_critical_options _extensions _sig_type_sig_key_inner_sig_type _signature_tbs_cert_body_cert_key_type _cert_bodycCs||_||_||_yt||_Wntk r<tdYnX||_||_||_||_ | |_ | |_ | |_ | |_ | |_||_||_||_||_dS)NzInvalid certificate type)rrrr_typerErrrrrrrrrrrrr)rorrrrrrrrrrrrrrrrrr!r!r"rp#s(zSSHCertificate.__init__)r cCs t|jS)N)rr)ror!r!r"nonceLszSSHCertificate.nonceSSHCertPublicKeyTypescCstt|jS)N)typingcastrr)ror!r!r"r:PszSSHCertificate.public_keycCs|jS)N)r)ror!r!r"serialUszSSHCertificate.serialrcCs|jS)N)r)ror!r!r"typeYszSSHCertificate.typecCs t|jS)N)rr)ror!r!r"key_id]szSSHCertificate.key_idcCs|jS)N)r)ror!r!r"valid_principalsaszSSHCertificate.valid_principalscCs|jS)N)r)ror!r!r" valid_beforeeszSSHCertificate.valid_beforecCs|jS)N)r)ror!r!r" valid_afteriszSSHCertificate.valid_aftercCs|jS)N)r)ror!r!r"critical_optionsmszSSHCertificate.critical_optionscCs|jS)N)r)ror!r!r" extensionsqszSSHCertificate.extensionscCs&t|j}||j\}}t||S)N)rrrrrV)roZ sigformat signature_keyZ sigkey_restr!r!r"rus zSSHCertificate.signature_keycCs"t|jdtjt|jddS)N F)newline)rrr b2a_base64r)ror!r!r"r{szSSHCertificate.public_bytesrScCs|}t|tjr.|t|jt|jnt|tj rt |j\}}t |\}}t |t ||}t|j}||t|jt|nnt|tjst|jtkrt}n*|jtkrt}n|jtkstt}|t|jt|jt|dS)N)rr7r rCverifyrrrr r;rgrV asym_utilsZencode_dss_signature_get_ec_hash_algrHECDSAr r=rrr>rSHA1_SSH_RSA_SHA256SHA256_SSH_RSA_SHA512SHA512r PKCS1v15)rorrrLsZ computed_sighash_algr!r!r"verify_cert_signatures0         z$SSHCertificate.verify_cert_signatureN)r/r0r1rppropertyrr:rrrrrrrrrrrr!r!r!r"r"s.)rzec.EllipticCurvezhashes.HashAlgorithm)rHr cCsDt|tjrtSt|tjr(tSt|tjs8tt SdS)N) r7r SECP256R1rr SECP384R1SHA384 SECP521R1rr)rHr!r!r"rs   rz"SSHCertificate | SSHPublicKeyTypesc"Cstd|t|}|s"td|d}}|d}d}|tr^d}|dtt }|t krr|srt dt |}yt t |}Wn"tt jfk rtdYnX|r|} t|\} }| |krtd |rt|\} }||\} }|rtt|\} }t|\}}t|\}}t|\}}g}x&|rRt|\}}|t|q.Wt|\}}t|\}}t|\}}t|}t|\}}t|}t|\}}t|\}}t|\}}|t kr|st d | dt| }t|\}}t|t|\}} |tkr|tttgks0|tkr8||kr8td t| \}!} t| t| | | |||||||||||!||| St|| SdS) NrLzInvalid line formatr%rFTz-DSA keys aren't supported in SSH certificateszInvalid formatzInvalid key formatz3DSA signatures aren't supported in SSH certificatesz!Signature key type does not match)rr_SSH_PUBKEY_RCmatchrEgroupendswith _CERT_SUFFIXrTrArrr[rr TypeErrorErrorrdrrbr`rqr_parse_exts_optsrVr>rrr)"rL_legacy_dsa_allowedrrFZ orig_key_typeZkey_bodyZ with_certrrestZ cert_bodyZinner_key_typerr:rZcctyperZ principalsrZ principalrrZ crit_optionsrextsrrZ sig_key_rawZsig_typeZsig_keyZ tbs_cert_bodyZ signature_rawZinner_sig_typeZsig_rest signaturer!r!r"_load_ssh_public_identitys                       rcCst|S)N)r)rLr!r!r"load_ssh_public_identity srzdict[bytes, bytes]) exts_optsr cCsi}d}x|rt|\}}t|}||kr2td|dk rJ||krJtdt|\}}t|dkrt|\}}t|dkrtdt|||<|}q W|S)NzDuplicate namezFields not lexically sortedrz!Unexpected extra data after value)rdrrErT)rresult last_namerIZbnamevalueextrar!r!r"rs"      rr)rLrr cCsFt|dd}t|tr |}n|}t|tjrBtjdtj dd|S)NT)rzDSSH DSA keys are deprecated and will be removed in a future release.r)r) rr7rr:rr@rrrr)rLrZ cert_or_keyr:r!r!r"load_ssh_public_key&s    r cCslt|tjrtjdtjddt|}t|}t }| || ||t |}d|d|gS)z&One-line public key format for OpenSSHzISSH DSA key support is deprecated and will be removed in a future releaser\)rrOr)r7rr@rrrrrGrrkryrrrrstriprP)r:rFrrZpubr!r!r"serialize_ssh_public_key:s   r"c @seZdZddddgdddggf ddddddddd d d d d Zd ddddZdddddZdddddZdddddZdddddZd d!Z d"dd#d$d%Z d"dd&d'd(Z dddd)d*d+Z dddd)d,d-Z d.d/d0d1d2ZdS)3SSHCertificateBuilderNFzSSHCertPublicKeyTypes | Nonez int | NonezSSHCertificateType | Nonez bytes | Nonez list[bytes]rzlist[tuple[bytes, bytes]]) rrrrr_valid_for_all_principalsrrrrc Cs@||_||_||_||_||_||_||_||_| |_| |_ dS)N) rrrrrr%rrrr) rorrrrrr%rrrrr!r!r"rp[s zSSHCertificateBuilder.__init__r)r:r c Cs^t|tjtjtjfstd|jdk r0t dt ||j |j |j |j|j|j|j|j|jd S)NzUnsupported key typezpublic_key already set) rrrrrr%rrrr)r7r r;r r=r rCrrrEr$rrrrr%rrrr)ror:r!r!r"r:ss&  z SSHCertificateBuilder.public_keyr)rr c Cspt|tstdd|kr&dks0ntd|jdk rBtdt|j||j|j|j |j |j |j |j |jd S)Nzserial must be an integerrlz"serial must be between 0 and 2**64zserial already set) rrrrrr%rrrr)r7rrrErr$rrrrr%rrrr)rorr!r!r"rs"  zSSHCertificateBuilder.serialr)rr c CsRt|tstd|jdk r$tdt|j|j||j|j |j |j |j |j |jd S)Nz"type must be an SSHCertificateTypeztype already set) rrrrrr%rrrr)r7rrrrEr$rrrrr%rrrr)rorr!r!r"rs  zSSHCertificateBuilder.typer)rr c CsRt|tstd|jdk r$tdt|j|j|j||j |j |j |j |j |jd S)Nzkey_id must be byteszkey_id already set) rrrrrr%rrrr)r7rrrrEr$rrrrr%rrrr)rorr!r!r"rs  zSSHCertificateBuilder.key_id)rr c Cs||jrtdtdd|Dr$|s,td|jr:tdt|tkrNtdt|j|j |j |j ||j|j |j |j|jd S)NzDPrincipals can't be set because the cert is valid for all principalscss|]}t|tVqdS)N)r7r).0rr!r!r" sz9SSHCertificateBuilder.valid_principals..z5principals must be a list of bytes and can't be emptyzvalid_principals already setz:Reached or exceeded the maximum number of valid_principals) rrrrrr%rrrr)r%rEallrrrT_SSHKEY_CERT_MAX_PRINCIPALSr$rrrrrrrr)rorr!r!r"rs. z&SSHCertificateBuilder.valid_principalsc CsJ|jrtd|jrtdt|j|j|j|j|jd|j|j |j |j d S)Nz@valid_principals already set, can't set valid_for_all_principalsz$valid_for_all_principals already setT) rrrrrr%rrrr) rrEr%r$rrrrrrrr)ror!r!r"valid_for_all_principalss z.SSHCertificateBuilder.valid_for_all_principalsz int | float)rr c Csvt|ttfstdt|}|dks.|dkr6td|jdk rHtdt|j|j|j |j |j |j ||j |j|jd S)Nz$valid_before must be an int or floatrlzvalid_before must [0, 2**64)zvalid_before already set) rrrrrr%rrrr)r7rfloatrrErr$rrrrrr%rrr)rorr!r!r"rs$ z"SSHCertificateBuilder.valid_before)rr c Csvt|ttfstdt|}|dks.|dkr6td|jdk rHtdt|j|j|j |j |j |j |j ||j|jd S)Nz#valid_after must be an int or floatrlzvalid_after must [0, 2**64)zvalid_after already set) rrrrrr%rrrr)r7rr+rrErr$rrrrrr%rrr)rorr!r!r"rs$ z!SSHCertificateBuilder.valid_after)rIrr c Csrt|trt|tstd|dd|jDkr8tdt|j|j|j|j |j |j |j |j |j||ff|jd S)Nzname and value must be bytescSsg|] \}}|qSr!r!)r&rIrr!r!r" 6sz=SSHCertificateBuilder.add_critical_option..zDuplicate critical option name) rrrrrr%rrrr)r7rrrrEr$rrrrrr%rrr)rorIrr!r!r"add_critical_option0sz)SSHCertificateBuilder.add_critical_optionc Csrt|trt|tstd|dd|jDkr8tdt|j|j|j|j |j |j |j |j |j|j||ffd S)Nzname and value must be bytescSsg|] \}}|qSr!r!)r&rIrr!r!r"r,Lsz7SSHCertificateBuilder.add_extension..zDuplicate extension name) rrrrrr%rrrr)r7rrrrEr$rrrrrr%rrr)rorIrr!r!r" add_extensionFsz#SSHCertificateBuilder.add_extensionSSHCertPrivateKeyTypesr)rr c Cst|tjtjtjfstd|jdkr0t d|j dkr>dn|j }|j dkrVt d|j dkrddn|j }|j s~|js~t d|jdkrt d|jdkrt d|j|jkrt d |jjd d d |jjd d d t|j}|t}td}t|}t}||||||j|||||j j||t} x|j D]} | | qVW|| ||j||jt} xV|jD]L\} } | | t | dkrt}|| | |n | | qW|| t}xV|jD]L\} } || t | dkrJt}|| ||n || q W|||dt|}t|}t}||||!|||t|tjr|"|}t}||||||nt|tjrzt#|j$}|"|t%|}t&'|\}}t}||t}|(||(|||||nTt|tjst)t}|t*|"|t+,t-.}||||t/0|1}t23t4t5d6|d|gS)NzUnsupported private key typezpublic_key must be setrztype must be setrOzAvalid_principals must be set if valid_for_all_principals is Falsezvalid_before must be setzvalid_after must be setz-valid_after must be earlier than valid_beforecSs|dS)Nrr!)rr!r!r"rOz,SSHCertificateBuilder.sign..)r6cSs|dS)Nrr!)rr!r!r"r0rOr3r)7r7r r8r r<r rBrrrErrrrr%rrrsortrrGrrrrrkryrrvrurrrTr:signrrHrrZdecode_dss_signaturerzrrr rrrrrr!rrrrrP)rorrrrFZ cert_prefixrrfZ fprincipalsrZfcritrIrZfoptvalZfextZfextvalZca_typeZcaformatZcafrZfsigrrrZfsigblobZ cert_datar!r!r"r2\s                              zSSHCertificateBuilder.sign)r/r0r1rpr:rrrrr*rrr-r.r2r!r!r!r"r$Zs*$ $r$)F)N)F)N)z __future__rrenumrrerrbase64rrQ dataclassesrZ cryptographyrZcryptography.exceptionsrZcryptography.hazmat.primitivesrZ)cryptography.hazmat.primitives.asymmetricrr r r r rZ&cryptography.hazmat.primitives.ciphersr rrrZ,cryptography.hazmat.primitives.serializationrrrrrrZbcryptrr#Z_bcrypt_supported ImportErrorrDr>rAZ_ECDSA_NISTP256Z_ECDSA_NISTP384Z_ECDSA_NISTP521rrrcompiler rZ _SK_STARTZ_SK_ENDrrrrDOTALLrr[rwrangerr'ZAESZCTRZCBCZGCMr5r2rJrGr9rRrUrVrZr`rbrdrgrjrkrrrrr r r rrUnionr8r<r?rBrrrr;r=r@rCrrEnumrrrrrrr r"r/r)r$r!r!r!r"s              6FFEB  eM   ]