HOME

Mini Shell 1.0
DIR:/snap/certbot/4557/lib/python3.12/site-packages/OpenSSL/__pycache__/
Current File : //snap/certbot/4557/lib/python3.12/site-packages/OpenSSL/__pycache__/crypto.cpython-312.pyc
�


N�g)7���UddlmZddlZddlZddlZddlZddlZddlZddlm	Z	ddl
mZmZddlm
Z
ddlmZmZmZej"dk\rddlmZn,ej"d	krej&d
�ZdOd�ZnddlmZddlmZmZdd
lmZmZmZmZmZddlm Z ddlm!Z"ddlm#Z$ddlm%Z&ddlm'Z(ddlm)Z*ddlm+Z,gd�Z-eej\ej^ej`ejbejdfZ3eejhejjejlejnejpfZ9ee3e9fZ:ee;ede;ffZ<e(jzZ>de?d<e(j�ZAde?d<dZBe(j�ZDde?d<e(j�ZFde?d<e(j�ZHde?d<e(j�ZJde?d<Gd�d eK�ZLe
e$eL�ZMe*eL�ZNdPdQd!�ZOdRd"�ZPdSd#�ZQdTd$�ZRdUd%�ZSGd&�d'�ZTGd(�d)�ZUGd*�d+�ZVed,�dVd-��ZWed.�dWd/��ZXej�Gd0�d1��ZZed2�Gd3�d4��Z[ed5�Gd6�d7��Z\Gd8�d9�Z]Gd:�d;�Z^Gd<�d=�Z_Gd>�d?eK�Z`Gd@�dA�ZadXdB�ZbdYdC�ZcdZdD�Zd		d[									d\dE�ZeGdF�dG�Zfd]dH�Zg	dP							d^dI�Zhd_dJ�ZieiZjej$eiekd5eldK�L�d`dM�ZmemZnej$emekd5eldN�L�y)a�)�annotationsN)�	b16encode)�Iterable�Sequence)�partial)�Any�Callable�Union)��
)�
deprecated)r��Tc��d�S)Nc��|S�N�)�fs �~/build/snapcraft-certbot-2c33630aaf29c47357e5a1683f659d3d/parts/certbot/install/lib/python3.12/site-packages/OpenSSL/crypto.py�<lambda>zdeprecated.<locals>.<lambda>s����r)�msg�kwargss  rr
r
s���r)�utils�x509)�dsa�ec�ed448�ed25519�rsa)�StrOrBytesPath)�byte_string)�exception_from_error_queue)�ffi)�lib)�make_assert)�
path_bytes)�
FILETYPE_ASN1�FILETYPE_PEM�
FILETYPE_TEXT�TYPE_DSA�TYPE_RSA�X509�Error�PKey�
X509Extension�X509Name�X509Req�	X509Store�X509StoreContext�X509StoreContextError�X509StoreFlags�dump_certificate�dump_certificate_request�dump_privatekey�dump_publickey�get_elliptic_curve�get_elliptic_curves�load_certificate�load_certificate_request�load_privatekey�load_publickey.�intr)r(i��r,r+�TYPE_DH�TYPE_ECc��eZdZdZy)r.z7
    An error occurred in an `OpenSSL.crypto` API.
    N)�__name__�
__module__�__qualname__�__doc__rrrr.r.ts��rr.c�T�|�8tjtj��}tj}n;t	j
d|�}tj|t|��}|fdd�}t|tjk7�t	j||�}|S)z�
    Allocate a new OpenSSL memory BIO.

    Arrange for the garbage collector to clean it up automatically.

    :param buffer: None or some bytes to use to put into the BIO so that they
        can be read out.
    �char[]c�,�tj|�Sr)�_lib�BIO_free)�bio�refs  r�freez_new_mem_buf.<locals>.free�s���=�=��%�%r)rNrrOr�returnr)rL�BIO_new�	BIO_s_memrM�_ffi�new�BIO_new_mem_buf�len�_openssl_assert�NULL�gc)�bufferrNrP�datas    r�_new_mem_bufr]~s���~��l�l�4�>�>�+�,���}�}���x�x��&�)���"�"�4��V��5��'+�	&��C�4�9�9�$�%�
�'�'�#�t�
�C��Jrc��tjd�}tj||�}tj|d|�ddS)zO
    Copy the contents of an OpenSSL BIO object into a Python byte string.
    zchar**rN)rTrUrL�BIO_get_mem_datar[)rN�
result_buffer�
buffer_lengths   r�_bio_to_stringrb�s?���H�H�X�&�M��)�)�#�}�=�M��;�;�}�Q�'��7��:�:rc��t|t�std��t|tj
k7�t
j||�}|dk(rtd��y)a�
    The the time value of an ASN1 time object.

    @param boundary: An ASN1_TIME pointer (or an object safely
        castable to that type) which will have its value set.
    @param when: A string representation of the desired time value.

    @raise TypeError: If C{when} is not a L{bytes} string.
    @raise ValueError: If C{when} does not represent a time in the required
        format.
    @raise RuntimeError: If the time value cannot be set for some other
        (unspecified) reason.
    zwhen must be a byte stringrzInvalid stringN)	�
isinstance�bytes�	TypeErrorrXrTrYrL�ASN1_TIME_set_string�
ValueError)�boundary�when�
set_results   r�_set_asn1_timerl�sW���d�E�"��4�5�5��H��	�	�)�*��*�*�8�T�:�J��Q���)�*�*�rc���tj�}t|tjk7�tj
|tj�}t||�|S)a�
    Behaves like _set_asn1_time but returns a new ASN1_TIME object.

    @param when: A string representation of the desired time value.

    @raise TypeError: If C{when} is not a L{bytes} string.
    @raise ValueError: If C{when} does not represent a time in the required
        format.
    @raise RuntimeError: If the time value cannot be set for some other
        (unspecified) reason.
    )rL�
ASN1_TIME_newrXrTrYrZ�ASN1_TIME_freerl)rj�rets  r�_new_asn1_timerq�sH���
�
�
�C��C�4�9�9�$�%�
�'�'�#�t�*�*�
+�C��3����Jrc�J�tjd|�}tj|�dk(rytj|�tj
k(r(tjtj|��Stjd�}tj||�t|dtjk7�tjd|d�}tj|�}tj|�}tj|d�|S)a]
    Retrieve the time value of an ASN1 time object.

    @param timestamp: An ASN1_GENERALIZEDTIME* (or an object safely castable to
        that type) from which the time value will be retrieved.

    @return: The time value from C{timestamp} as a L{bytes} string in a certain
        format.  Or C{None} if the object contains no time value.
    �ASN1_STRING*rNzASN1_GENERALIZEDTIME**)
rT�castrL�ASN1_STRING_length�ASN1_STRING_type�V_ASN1_GENERALIZEDTIME�string�ASN1_STRING_get0_datarU�ASN1_TIME_to_generalizedtimerXrY�ASN1_GENERALIZEDTIME_free)�	timestamp�string_timestamp�generalized_timestamp�string_data�
string_results     r�_get_asn1_timer��s����y�y���;�����/�0�A�5�����.�/�4�3N�3N�N��{�{�4�5�5�6F�G�H�H� $���)A� B���)�)�)�5J�K��-�a�0�D�I�I�=�>��9�9�^�5J�1�5M�N���0�0�1A�B�����K�0�
��&�&�'<�Q�'?�@��rc�$�eZdZdd�Zdd�Zdd�Zy)�_X509NameInvalidatorc��g|_yr)�_names��selfs r�__init__z_X509NameInvalidator.__init__�s	��&(��rc�:�|jj|�yr)r��append�r��names  r�addz_X509NameInvalidator.add�s�������4� rc�*�|jD]}|`�yr)r��_namer�s  r�clearz_X509NameInvalidator.clear�s���K�K�	�D��
�	rN�rQ�None�r�r1rQr�)rErFrGr�r�r�rrrr�r��s��)�!�rr�c�Z�eZdZdZdZdZdd�Zd
d�Zedd��Z	dd�Z
dd�Zdd	�Zdd
�Z
y)r/zD
    A class representing an DSA or RSA public key or key pair.
    FTc��tj�}tj|tj�|_d|_y)NF)rL�EVP_PKEY_newrTrZ�
EVP_PKEY_free�_pkey�_initialized�r��pkeys  rr�z
PKey.__init__�s0��� � �"���W�W�T�4�#5�#5�6��
�!��rc���ddlm}m}|jr0t	t
|�}t
jt||��Stt
|�}t
jt||d���S)a
        Export as a ``cryptography`` key.

        :rtype: One of ``cryptography``'s `key interfaces`_.

        .. _key interfaces: https://cryptography.io/en/latest/hazmat/            primitives/asymmetric/rsa/#key-interfaces

        .. versionadded:: 16.1.0
        r)�load_der_private_key�load_der_public_keyN)�password)
�,cryptography.hazmat.primitives.serializationr�r��_only_publicr:r(�typingrt�_Keyr9)r�r�r��ders    r�to_cryptography_keyzPKey.to_cryptography_keysZ��	
�
��� ���5�C��;�;�t�%8��%=�>�>�!�-��6�C��;�;�t�%9�#��%M�N�Nrc
��t|tjtjtj
tjtjtjtjtjtjtjf
�st!d��ddlm}m}m}m}t|tjtjtjtjtjf�r4t-t.|j1|j2|j4��S|j7|j2|j8|��}t;t.|�S)z�
        Construct based on a ``cryptography`` *crypto_key*.

        :param crypto_key: A ``cryptography`` key.
        :type crypto_key: One of ``cryptography``'s `key interfaces`_.

        :rtype: PKey

        .. versionadded:: 16.1.0
        zUnsupported key typer)�Encoding�NoEncryption�
PrivateFormat�PublicFormat)rdr�
DSAPrivateKey�DSAPublicKeyr�EllipticCurvePrivateKey�EllipticCurvePublicKeyr�Ed25519PrivateKey�Ed25519PublicKeyr�Ed448PrivateKey�Ed448PublicKeyr �
RSAPrivateKey�RSAPublicKeyrfr�r�r�r�r�r@r(�public_bytes�DER�SubjectPublicKeyInfo�
private_bytes�PKCS8r?)�cls�
crypto_keyr�r�r�r�r�s       r�from_cryptography_keyzPKey.from_cryptography_keys(�����!�!�� � ��*�*��)�)��)�)��(�(��%�%��$�$��!�!�� � �
�
��2�3�3�	
�	
���� � ��)�)��(�(��$�$�� � �
�	
�"���'�'��L�L�,�"C�"C���
��*�*����m�1�1�<�>��C�#�=�#�6�6rc	��t|t�std��t|t�std��|tk(r�|dkrt	d��tj�}tj|t
j�}tj|t
j�tj�}tj|||tj�}t|dk(�tj |j"|�}t|dk(�d|_y|t$k(�r
tj&�}t|tjk7�tj|t
j(�}tj*||tjdtjtjtj�}t|dk(�ttj,|�dk(�ttj.|j"|�dk(�d|_yt1d��)	a3
        Generate a key pair of the given type, with the given number of bits.

        This generates a key "into" the this object.

        :param type: The key type.
        :type type: :py:data:`TYPE_RSA` or :py:data:`TYPE_DSA`
        :param bits: The number of bits.
        :type bits: :py:data:`int` ``>= 0``
        :raises TypeError: If :py:data:`type` or :py:data:`bits` isn't
            of the appropriate type.
        :raises ValueError: If the number of bits isn't an integer of
            the appropriate size.
        :return: ``None``
        ztype must be an integerzbits must be an integerrzInvalid number of bits�zNo such key typeTN)rdrArfr,rhrL�BN_newrTrZ�BN_free�BN_set_word�RSA_F4�RSA_new�RSA_generate_key_exrYrX�EVP_PKEY_assign_RSAr�r+�DSA_new�DSA_free�DSA_generate_parameters_ex�DSA_generate_key�EVP_PKEY_set1_DSAr.r�)r��type�bits�exponentr �resultr�ress        r�generate_keyzPKey.generate_keyUs��� �$��$��5�6�6��$��$��5�6�6��8���q�y� �!9�:�:��{�{�}�H��w�w�x����6�H����X�t�{�{�3��,�,�.�C��-�-�c�4��4�9�9�M�F��F�a�K�(��-�-�d�j�j�#�>�F��F�a�K�(�"!����X�
��,�,�.�C��C�4�9�9�,�-��'�'�#�t�}�}�-�C��1�1��T�4�9�9�a����D�I�I�t�y�y��C�
�C�1�H�%��D�1�1�#�6�!�;�<��D�2�2�4�:�:�s�C�q�H�I�!����*�+�+rc��|jrtd��tj|j	��tj
k7rtd��tj|j�}tj|tj�}tj|�}|dk(ryt�y)ax
        Check the consistency of an RSA private key.

        This is the Python equivalent of OpenSSL's ``RSA_check_key``.

        :return: ``True`` if key is consistent.

        :raise OpenSSL.crypto.Error: if the key is inconsistent.

        :raise TypeError: if the key is of a type which cannot be checked.
            Only RSA keys can currently be checked.
        zpublic key onlyz'Only RSA keys can currently be checked.r�TN)
r�rfrL�
EVP_PKEY_typer��EVP_PKEY_RSA�EVP_PKEY_get1_RSAr�rTrZ�RSA_free�
RSA_check_key�_raise_current_error)r�r r�s   r�checkz
PKey.check�s�������-�.�.����d�i�i�k�*�d�.?�.?�?��E�F�F��$�$�T�Z�Z�0���g�g�c�4�=�=�)���#�#�C�(���Q�;���rc�@�tj|j�S)zT
        Returns the type of the key

        :return: The type of the key.
        )rL�EVP_PKEY_idr�r�s rr�z	PKey.type�s������
�
�+�+rc�@�tj|j�S)zh
        Returns the number of bits of the key

        :return: The number of bits of the key.
        )rL�
EVP_PKEY_bitsr�r�s rr�z	PKey.bits�s���!�!�$�*�*�-�-rNr�)rQr�)r�r�rQr/)r�rAr�rArQr��rQ�bool�rQrA)rErFrGrHr�r�r�r��classmethodr�r�r�r�r�rrrr/r/�sH����L��L�"�
O�.�77��77�r6!�p�4,�.rr/c�v��eZdZdZdZd
�fd�Zedd��Zedd��Zedd��Z	d
d�Z
dd�Zdd	�Z�xZ
S)�_EllipticCurveaZ
    A representation of a supported elliptic curve.

    @cvar _curves: :py:obj:`None` until an attempt is made to load the curves.
        Thereafter, a :py:type:`set` containing :py:type:`_EllipticCurve`
        instances each of which represents one curve supported by the system.
    @type _curves: :py:type:`NoneType` or :py:type:`set`
    Nc�N��t|t�rt�|�
|�StS)z�
        Implement cooperation with the right-hand side argument of ``!=``.

        Python 3 seems to have dropped this cooperation in this very narrow
        circumstance.
        )rdr��super�__ne__�NotImplemented)r��other�	__class__s  �rr�z_EllipticCurve.__ne__�s$����e�^�,��7�>�%�(�(��rc�����jtjd�}tjd|�}�j||�t	��fd�|D��S)z�
        Get the curves supported by OpenSSL.

        :param lib: The OpenSSL library binding object.

        :return: A :py:type:`set` of ``cls`` instances giving the names of the
            elliptic curves the underlying library supports.
        rzEC_builtin_curve[]c3�V�K�|] }�j�|j����"y�wr)�from_nid�nid)�.0�cr�r%s  ��r�	<genexpr>z7_EllipticCurve._load_elliptic_curves.<locals>.<genexpr>�s �����D��3�<�<��Q�U�U�+�D�s�&))�EC_get_builtin_curvesrTrYrU�set)r�r%�
num_curves�builtin_curvess``  r�_load_elliptic_curvesz$_EllipticCurve._load_elliptic_curves�sO����.�.�t�y�y�!�<�
����"6�
�C��	�!�!�.�*�=��D�^�D�D�Drc�^�|j�|j|�|_|jS)a
        Get, cache, and return the curves supported by OpenSSL.

        :param lib: The OpenSSL library binding object.

        :return: A :py:type:`set` of ``cls`` instances giving the names of the
            elliptic curves the underlying library supports.
        )�_curvesr�)r�r%s  r�_get_elliptic_curvesz#_EllipticCurve._get_elliptic_curves�s*���;�;���3�3�C�8�C�K��{�{�rc	�x�|||tj|j|��jd��S)a�
        Instantiate a new :py:class:`_EllipticCurve` associated with the given
        OpenSSL NID.

        :param lib: The OpenSSL library binding object.

        :param nid: The OpenSSL NID the resulting curve object will represent.
            This must be a curve NID (and not, for example, a hash NID) or
            subsequent operations will fail in unpredictable ways.
        :type nid: :py:class:`int`

        :return: The curve object.
        �ascii)rTrx�
OBJ_nid2sn�decode)r�r%r�s   rr�z_EllipticCurve.from_nid�s0���3��T�[�[�����)<�=�D�D�W�M�N�Nrc�.�||_||_||_y)a�
        :param _lib: The :py:mod:`cryptography` binding instance used to
            interface with OpenSSL.

        :param _nid: The OpenSSL NID identifying the curve this object
            represents.
        :type _nid: :py:class:`int`

        :param name: The OpenSSL short name identifying the curve this object
            represents.
        :type name: :py:class:`unicode`
        N)rL�_nidr�)r�r%r�r�s    rr�z_EllipticCurve.__init__s����	���	���	rc�"�d|j�d�S)Nz<Curve �>�r�r�s r�__repr__z_EllipticCurve.__repr__s������
�Q�'�'rc��|jj|j�}tj|tj
�S)z�
        Create a new OpenSSL EC_KEY structure initialized to use this curve.

        The structure is automatically garbage collected when the Python object
        is garbage collected.
        )rL�EC_KEY_new_by_curve_namer�rTrZ�EC_KEY_free)r��keys  r�
_to_EC_KEYz_EllipticCurve._to_EC_KEYs3���i�i�0�0����;���w�w�s�D�,�,�-�-r�r�rrQr�)r%rrQ�set[_EllipticCurve])r%rr�rArQr�)r%rr�rAr��strrQr��rQr	�rQr)rErFrGrHr�r�r�r�r�r�r�rr�
__classcell__�r�s@rr�r��sc�����G�	��E��E�"�����O��O� �"(�.rr�zSget_elliptic_curves is deprecated. You should use the APIs in cryptography instead.c�4�tjt�S)a�
    Return a set of objects representing the elliptic curves supported in the
    OpenSSL build in use.

    The curve objects have a :py:class:`unicode` ``name`` attribute by which
    they identify themselves.

    The curve objects are useful as values for the argument accepted by
    :py:meth:`Context.set_tmp_ecdh` to specify which elliptical curve should be
    used for ECDHE key exchange.
    )r�r�rLrrrr<r<s�� �.�.�t�4�4rzRget_elliptic_curve is deprecated. You should use the APIs in cryptography instead.c�^�t�D]}|j|k(s�|cStd|��)aT
    Return a single curve object selected by name.

    See :py:func:`get_elliptic_curves` for information about curve objects.

    :param name: The OpenSSL short name identifying the curve object to
        retrieve.
    :type name: :py:class:`unicode`

    If the named curve is not supported then :py:class:`ValueError` is raised.
    zunknown curve name)r<r�rh)r��curves  rr;r;2s7�� %�&����:�:����L���)�4�
0�0rc�d��eZdZdZdd�Zd�fd�Zd
d�Zdd�Zdd�Zdd�Z	dd�Z
dd	�Zdd
�Z�xZ
S)r1a
    An X.509 Distinguished Name.

    :ivar countryName: The country of the entity.
    :ivar C: Alias for  :py:attr:`countryName`.

    :ivar stateOrProvinceName: The state or province of the entity.
    :ivar ST: Alias for :py:attr:`stateOrProvinceName`.

    :ivar localityName: The locality of the entity.
    :ivar L: Alias for :py:attr:`localityName`.

    :ivar organizationName: The organization name of the entity.
    :ivar O: Alias for :py:attr:`organizationName`.

    :ivar organizationalUnitName: The organizational unit of the entity.
    :ivar OU: Alias for :py:attr:`organizationalUnitName`

    :ivar commonName: The common name of the entity.
    :ivar CN: Alias for :py:attr:`commonName`.

    :ivar emailAddress: The e-mail address of the entity.
    c��tj|j�}tj|tj
�|_y)z�
        Create a new X509Name, copying the given X509Name instance.

        :param name: The name to copy.
        :type name: :py:class:`X509Name`
        N)rL�
X509_NAME_dupr�rTrZ�X509_NAME_freer�s  rr�zX509Name.__init__bs0���!�!�$�*�*�-���'�'�$��(;�(;�<��
rc	���|jd�rt�	|�	||�St|�tur#tdt|�jd�d���tjt|��}|tjk(r	t�td��ttj|j ��D]�}tj"|j |�}tj$|�}tj&|�}||k(s�Stj(|j |�}tj*|�nt-|t�r|j/d�}tj0|j |tj2|ddd�}|st�yy#t$r
Ytd��wxYw)	N�_z$attribute name must be string, not 'z.200�'�No such attribute�utf-8���r)�
startswithr��__setattr__r�r	rfrErL�OBJ_txt2nid�_byte_string�	NID_undefr�r.�AttributeError�range�X509_NAME_entry_countr��X509_NAME_get_entry�X509_NAME_ENTRY_get_object�OBJ_obj2nid�X509_NAME_delete_entry�X509_NAME_ENTRY_freerd�encode�X509_NAME_add_entry_by_NID�
MBSTRING_UTF8)
r�r��valuer��i�ent�ent_obj�ent_nid�
add_resultr�s
         �rrzX509Name.__setattr__ls�����?�?�3���7�&�t�U�3�3���:�S� �����K�(�(��.�a�1��
�
���|�D�1�2���$�.�.� �
�$�&�!�!4�5�5��t�1�1�$�*�*�=�>�	�A��*�*�4�:�:�q�9�C��5�5�c�:�G��&�&�w�/�G��g�~��1�1�$�*�*�a�@���)�)�#�.��	��e�S�!��L�L��)�E��4�4��J�J��T�/�/���B��
�
�� �"���)�
�� �!4�5�5�
�s�	
F3�3	G	�G	c��tjt|��}|tjk(r	t	�t
d��tj|j|d�}|dk(rytj|j|�}tj|�}tjd�}tj||�}t|dk\�	tj|d|�ddj!d�}tj"|d�|S#t
$r
Yt
d��wxYw#tj"|d�wxYw)a

        Find attribute. An X509Name object has the following attributes:
        countryName (alias C), stateOrProvince (alias ST), locality (alias L),
        organization (alias O), organizationalUnit (alias OU), commonName
        (alias CN) and more...
        rrN�unsigned char**rr)rLrrrr�r.r �X509_NAME_get_index_by_NIDr�r#�X509_NAME_ENTRY_get_datarTrU�ASN1_STRING_to_UTF8rXr[r��OPENSSL_free)	r�r�r��entry_index�entryr\r`�data_lengthr�s	         r�__getattr__zX509Name.__getattr__�s2�����|�D�1�2���$�.�.� �
�$�&�!�!4�5�5��5�5�d�j�j�#�r�J���"����(�(����[�A���,�,�U�3�����!2�3�
��.�.�}�d�C����q�(�)�	0��[�[��q�!1�;�?��B�I�I���F�

���m�A�.�/��
��-�
�� �!4�5�5�
��*
���m�A�.�/�s�
D#�+D<�#	D9�8D9�<Ec��t|t�stStj|j
|j
�dk(S�Nr�rdr1r�rL�
X509_NAME_cmpr��r�r�s  r�__eq__zX509Name.__eq__�s2���%��*�!�!��!�!�$�*�*�e�k�k�:�a�?�?rc��t|t�stStj|j
|j
�dkSr<r=r?s  r�__lt__zX509Name.__lt__�s2���%��*�!�!��!�!�$�*�*�e�k�k�:�Q�>�>rc� �tjdd�}tj|j|t|��}t
|tjk7�djtj|�jd��S)z6
        String representation of an X509Name
        rJiz<X509Name object '{}'>r)rTrUrL�X509_NAME_oneliner�rWrXrY�formatrxr�)r�r`�
format_results   rrzX509Name.__repr__�sq������3�/�
��.�.��J�J�
�s�=�'9�
�
�	�
����2�3�'�.�.��K�K�
�&�-�-�g�6�
�	
rc�@�tj|j�S)a&
        Return an integer representation of the first four bytes of the
        MD5 digest of the DER representation of the name.

        This is the Python equivalent of OpenSSL's ``X509_NAME_hash``.

        :return: The (integer) hash of this name.
        :rtype: :py:class:`int`
        )rL�X509_NAME_hashr�r�s r�hashz
X509Name.hash�s���"�"�4�:�:�.�.rc���tjd�}tj|j|�}t|dk\�tj|d|�dd}tj|d�|S)z�
        Return the DER encoding of this name.

        :return: The DER encoded form of this name.
        :rtype: :py:class:`bytes`
        r2rN)rTrUrL�
i2d_X509_NAMEr�rXr[r6)r�r`�
encode_resultr�s    rr�zX509Name.der�si�����!2�3�
��*�*�4�:�:�}�E�
��
��*�+����M�!�$4�m�D�Q�G�
����-��*�+��rc��g}ttj|j��D]�}tj|j|�}tj
|�}tj|�}tj|�}tj|�}tjtj|�tj|��dd}|jtj|�|f���|S)z�
        Returns the components of this name, as a sequence of 2-tuples.

        :return: The components of this name.
        :rtype: :py:class:`list` of ``name, value`` tuples.
        N)r!rLr"r�r#r$r4r%r�rTr[ryrur�rx)	r�r�r,r-�fname�fvalr�r�r+s	         r�get_componentszX509Name.get_components�s������t�1�1�$�*�*�=�>�	6�A��*�*�4�:�:�q�9�C��3�3�C�8�E��0�0��5�D��"�"�5�)�C��?�?�3�'�D��K�K��*�*�4�0�$�2I�2I�$�2O����E�
�M�M�4�;�;�t�,�e�4�5�	6� �
rr�)r�r	r+rrQr�)r�r	rQ�
str | Nonerr
r��rQre)rQzlist[tuple[bytes, bytes]])rErFrGrHr�rr:r@rBrrIr�rPrr
s@rr1r1Hs8����0=�%#�N&�P@�?�
�
/�
�rr1zZX509Extension support in pyOpenSSL is deprecated. You should use the APIs in cryptography.c���eZdZUdZ		d											dd�Zedd��ZejdejdejdiZded	<dd
�Z
dd�Zdd�Zdd
�Zdd�Zy)r0zu
    An X.509 v3 certificate extension.

    .. deprecated:: 23.3.0
       Use cryptography's X509 APIs instead.
    Nc��tjd�}tj|tjtjtjtjd�tj
|�|�,t
|t�std��|j|_
|�,t
|t�std��|j|_|rd|z}tjtj|||�}|tjk(r
t�tj|tj�|_y)a�
        Initializes an X509 extension.

        :param type_name: The name of the type of extension_ to create.
        :type type_name: :py:data:`bytes`

        :param bool critical: A flag indicating whether this is a critical
            extension.

        :param value: The OpenSSL textual representation of the extension's
            value.
        :type value: :py:data:`bytes`

        :param subject: Optional X509 certificate to use as subject.
        :type subject: :py:class:`X509`

        :param issuer: Optional X509 certificate to use as issuer.
        :type issuer: :py:class:`X509`

        .. _extension: https://www.openssl.org/docs/manmaster/man5/
            x509v3_config.html#STANDARD-EXTENSIONS
        zX509V3_CTX*rNzissuer must be an X509 instancez subject must be an X509 instances	critical,)rTrUrL�X509V3_set_ctxrY�X509V3_set_ctx_nodbrdr-rf�_x509�issuer_cert�subject_cert�X509V3_EXT_nconfr�rZ�X509_EXTENSION_free�
_extension)r��	type_name�criticalr+�subject�issuer�ctx�	extensions        rr�zX509Extension.__init__s���<�h�h�}�%��
	
���C����D�I�I�t�y�y�$�)�)�Q�O�	
� � ��%����f�d�+�� A�B�B�$�l�l�C�O����g�t�,�� B�C�C�&�}�}�C���!�5�(�E��)�)�$�)�)�S�)�U�K�	���	�	�!� �"��'�'�)�T�-E�-E�F��rc�f�tjtj|j��Sr)rLr%�X509_EXTENSION_get_objectr\r�s rr�zX509Extension._nid\s'������*�*�4�?�?�;�
�	
r�email�DNS�URIztyping.ClassVar[dict[int, str]]�	_prefixesc�$�tjdtj|j��}tj
|tj�}g}ttj|��D]�}tj||�}	|j|j}tj|jjj|jjj �ddj#d�}|j%|dz|z���dj/|�S#t&$rMt)�}tj*||�|j%t-|�j#d��Y��wxYw)NzGENERAL_NAMES*r�:z, )rTrtrL�X509V3_EXT_d2ir\rZ�GENERAL_NAMES_freer!�sk_GENERAL_NAME_num�sk_GENERAL_NAME_valuerhr�r[�d�ia5r\�lengthr�r��KeyErrorr]�GENERAL_NAME_printrb�join)r��names�partsr,r��labelr+rNs        r�_subjectAltNameStringz#X509Extension._subjectAltNameStringhs7���	�	��d�1�1�$�/�/�B�
������t�6�6�7�����t�/�/��6�7�	2�A��-�-�e�Q�7�D�

2����t�y�y�1�����D�F�F�J�J�O�O�T�V�V�Z�Z�5F�5F�G����&��/�����U�S�[�5�0�1�	2��y�y������
B�"�n���'�'��T�2����^�C�0�7�7��@�A�
B�s�D9�9AF�Fc��tj|jk(r|j�St	�}tj
||jdd�}t|dk7�t|�jd�S)zF
        :return: a nice text representation of the extension
        rr)
rL�NID_subject_alt_namer�rxr]�X509V3_EXT_printr\rXrbr�)r�rN�print_results   r�__str__zX509Extension.__str__~si���$�$��	�	�1��-�-�/�/��n���,�,�S�$�/�/�1�a�H�����)�*��c�"�)�)�'�2�2rc�@�tj|j�S)zk
        Returns the critical field of this X.509 extension.

        :return: The critical field.
        )rL�X509_EXTENSION_get_criticalr\r�s r�get_criticalzX509Extension.get_critical�s���/�/����@�@rc���tj|j�}tj|�}tj|�}|t
jk7rtj|�Sy)z�
        Returns the short type name of this X.509 extension.

        The result is a byte string such as :py:const:`b"basicConstraints"`.

        :return: The short type name.
        :rtype: :py:data:`bytes`

        .. versionadded:: 0.12
        sUNDEF)rLrdr\r%r�rTrYrx)r��objr��bufs    r�get_short_namezX509Extension.get_short_name�sV���,�,�T�_�_�=�����s�#���o�o�c�"���$�)�)���;�;�s�#�#�rc���tj|j�}tjd|�}tj
|�}tj|�}tj||�ddS)z�
        Returns the data of the X509 extension, encoded as ASN.1.

        :return: The ASN.1 encoded data of this X509 extension.
        :rtype: :py:data:`bytes`

        .. versionadded:: 0.12
        rsN)rL�X509_EXTENSION_get_datar\rTrtryrur[)r��octet_resultr��char_result�
result_lengths     r�get_datazX509Extension.get_data�s^���3�3�D�O�O�D���	�	�.�,�?�
��0�0��?���/�/�
�>�
��{�{�;�
�6�q�9�9r�NN)r]rer^r�r+rer_�X509 | Noner`r�rQr�rr
r�rR)rErFrGrHr��propertyr�rL�	GEN_EMAIL�GEN_DNS�GEN_URIrh�__annotations__rxr}r�r�r�rrrr0r0s���
� $�"�
CG��CG��CG��	CG�
�CG��
CG�
�CG�J�
��
�	
�������e����e�2�I�.�� �,3�A��,
:rr0zPCSR support in pyOpenSSL is deprecated. You should use the APIs in cryptography.c��eZdZdZdd�Zdd�Ze				dd��Zdd�Zdd�Z	dd�Z
dd�Zdd	�Zdd
�Z
dd�Zdd�Zdd
�Zy)r2z�
    An X.509 certificate signing requests.

    .. deprecated:: 24.2.0
       Use `cryptography.x509.CertificateSigningRequest` instead.
    c��tj�}tj|tj�|_|j
d�yr<)rL�X509_REQ_newrTrZ�
X509_REQ_free�_req�set_version)r��reqs  rr�zX509Req.__init__�s6�����!���G�G�C��!3�!3�4��	�����rc�>�ddlm}tt|�}||�S)z�
        Export as a ``cryptography`` certificate signing request.

        :rtype: ``cryptography.x509.CertificateSigningRequest``

        .. versionadded:: 17.1.0
        r)�load_der_x509_csr)�cryptography.x509r��"_dump_certificate_request_internalr()r�r�r�s   r�to_cryptographyzX509Req.to_cryptography�s��	8�0���E�� ��%�%rc��t|tj�std��ddlm}|j
|j�}tt|�S)a
        Construct based on a ``cryptography`` *crypto_req*.

        :param crypto_req: A ``cryptography`` X.509 certificate signing request
        :type crypto_req: ``cryptography.x509.CertificateSigningRequest``

        :rtype: X509Req

        .. versionadded:: 17.1.0
        z%Must be a certificate signing requestr�r�)
rdr�CertificateSigningRequestrfr�r�r�r��"_load_certificate_request_internalr()r��
crypto_reqr�r�s    r�from_cryptographyzX509Req.from_cryptography�sD���*�d�&D�&D�E��C�D�D�I��%�%�h�l�l�3��1�-��E�Erc�t�tj|j|j�}t	|dk(�y)z�
        Set the public key of the certificate signing request.

        :param pkey: The public key to use.
        :type pkey: :py:class:`PKey`

        :return: ``None``
        r�N)rL�X509_REQ_set_pubkeyr�r�rX�r�r�rks   r�
set_pubkeyzX509Req.set_pubkey�s*���-�-�d�i�i����D�
��
�a��(rc�@�tjt�}tj|j�|_t
|j
tjk7�tj|j
tj�|_d|_|S)z�
        Get the public key of the certificate signing request.

        :return: The public key.
        :rtype: :py:class:`PKey`
        T)r/�__new__rL�X509_REQ_get_pubkeyr�r�rXrTrYrZr�r�r�s  r�
get_pubkeyzX509Req.get_pubkey�sf���|�|�D�!���-�-�d�i�i�8��
���
�
�d�i�i�/�0��W�W�T�Z�Z��);�);�<��
� ����rc��t|t�std��|dk7rtd��t	j
|j|�}t|dk(�y)z�
        Set the version subfield (RFC 2986, section 4.1) of the certificate
        request.

        :param int version: The version number.
        :return: ``None``
        zversion must be an intrz9Invalid version. The only valid version for X509Req is 0.r�N)rdrArfrhrL�X509_REQ_set_versionr�rX)r��versionrks   rr�zX509Req.set_version	sU���'�3�'��4�5�5��a�<��K��
��.�.�t�y�y�'�B�
��
�a��(rc�@�tj|j�S)z�
        Get the version subfield (RFC 2459, section 4.1.2.1) of the certificate
        request.

        :return: The value of the version subfield.
        :rtype: :py:class:`int`
        )rL�X509_REQ_get_versionr�r�s r�get_versionzX509Req.get_versions���(�(����3�3rc���tjt�}tj|j�|_t
|j
tjk7�||_	|S)a�
        Return the subject of this certificate signing request.

        This creates a new :class:`X509Name` that wraps the underlying subject
        name field on the certificate signing request. Modifying it will modify
        the underlying signing request, and will have the effect of modifying
        any other :class:`X509Name` that refers to this subject.

        :return: The subject of this certificate signing request.
        :rtype: :class:`X509Name`
        )
r1r�rL�X509_REQ_get_subject_namer�r�rXrTrY�_ownerr�s  r�get_subjectzX509Req.get_subject$sM������)���3�3�D�I�I�>��
���
�
�d�i�i�/�0�����rc���tjdtd��tj�}t|tjk7�t
j|tj�}|D]=}t|t�std��tj||j��?tj|j |�}t|dk(�y)z�
        Add extensions to the certificate signing request.

        :param extensions: The X.509 extensions to add.
        :type extensions: iterable of :py:class:`X509Extension`
        :return: ``None``
        ��This API is deprecated and will be removed in a future version of pyOpenSSL. You should use pyca/cryptography's X.509 APIs instead.���
stacklevel�+One of the elements is not an X509Extensionr�N)�warnings�warn�DeprecationWarningrL�sk_X509_EXTENSION_new_nullrXrTrYrZ�sk_X509_EXTENSION_freerdr0rh�sk_X509_EXTENSION_pushr\�X509_REQ_add_extensionsr�)r��
extensions�stack�extr0s     r�add_extensionszX509Req.add_extensions:s���	�
�
�&�
��	
��/�/�1�������*�+�����t�:�:�;���	?�C��c�=�1� �!N�O�O�
�'�'��s�~�~�>�	?��1�1�$�)�)�U�C�
��
�a��(rc���tjdtd��g}tj|j
�}t
j|d��}ttj|��D]~}tjt�}tjtj||��}t
j|tj�|_|j!|���|S)z�
        Get X.509 extensions in the certificate signing request.

        :return: The X.509 extensions in this request.
        :rtype: :py:class:`list` of :py:class:`X509Extension` objects.

        .. versionadded:: 0.15
        r�r�r�c�r�tj|tjtjd��S)Nr[)rL�sk_X509_EXTENSION_pop_freerT�	addressof�
_original_lib)�xs rrz(X509Req.get_extensions.<locals>.<lambda>rs)��d�5�5�����t�1�1�3H�I��r)r�r�r�rL�X509_REQ_get_extensionsr�rTrZr!�sk_X509_EXTENSION_numr0r��X509_EXTENSION_dup�sk_X509_EXTENSION_valuer[r\r�)r��exts�native_exts_objr,r�rbs      r�get_extensionszX509Req.get_extensions[s���	�
�
�&�
��	
����6�6�t�y�y�A���'�'��
�
���t�1�1�/�B�C�	�A��'�'�
�6�C��/�/��,�,�_�a�@��I�"�W�W�Y��0H�0H�I�C�N��K�K���
	��rc�J�|jrtd��|jstd��tjt|��}|tjk(rtd��tj|j|j|�}t|dkD�y)aa
        Sign the certificate signing request with this key and digest type.

        :param pkey: The key pair to sign with.
        :type pkey: :py:class:`PKey`
        :param digest: The name of the message digest to use for the signature,
            e.g. :py:data:`"sha256"`.
        :type digest: :py:class:`str`
        :return: ``None``
        zKey has only public part�Key is uninitialized�No such digest methodrN)r�rhr�rL�EVP_get_digestbynamerrTrY�
X509_REQ_signr�r�rX)r�r��digest�
digest_obj�sign_results     r�signzX509Req.sign�s�������7�8�8�� � ��3�4�4��.�.�|�F�/C�D�
�����"��4�5�5��(�(����D�J�J�
�K����a��(rc��t|t�std��tj|j
|j�}|dkr
t�|S)a@
        Verifies the signature on this certificate signing request.

        :param PKey key: A public key.

        :return: ``True`` if the signature is correct.
        :rtype: bool

        :raises OpenSSL.crypto.Error: If the signature is invalid or there is a
            problem verifying the signature.
        �pkey must be a PKey instancer)rdr/rfrL�X509_REQ_verifyr�r�r�)r�r�r�s   r�verifyzX509Req.verify�sF���$��%��:�;�;��%�%�d�i�i����<���Q�;� �"��
rNr�)rQ�x509.CertificateSigningRequest)r�r�rQr2�r�r/rQr��rQr/�r�rArQr�r��rQr1�r�zIterable[X509Extension]rQr�)rQzlist[X509Extension]�r�r/r�r	rQr�)r�r/rQr�)rErFrGrHr�r�r�r�r�r�r�r�r�r�r�r�r�rrrr2r2�sh��
��&��F�7�F�	�F��F�*
)��)�"4��,)�B$�L)�0rr2c�0�eZdZdZd#d�Zed$d��Zd%d�Zed&d��Zd'd�Z	d(d�Z
d)d�Zd*d	�Zd+d
�Z
d,d�Zd-d�Zd(d
�Zd.d�Zd(d�Zd/d�Zd/d�Zd0d�Zd1d�Zd2d�Z						d3d�Zd4d�Zd2d�Zd4d�Zd5d�Zd6d�Zd7d�Zd8d�Zd7d�Z d9d�Z!d(d�Z"d:d �Z#d;d!�Z$y")<r-z
    An X.509 certificate.
    c���tj�}t|tjk7�tj
|tj�|_t�|_	t�|_
yr)rL�X509_newrXrTrYrZ�	X509_freerWr��_issuer_invalidator�_subject_invalidator)r�rs  rr�z
X509.__init__�sJ���}�}������	�	�)�*��W�W�T�4�>�>�2��
�#7�#9�� �$8�$:��!rc��|j|�}tj|tj�|_t
�|_t
�|_|Sr)	r�rTrZrLr�rWr�r�r�)r�r�certs   r�_from_raw_x509_ptrzX509._from_raw_x509_ptr�sA���{�{�3����W�W�T�4�>�>�2��
�#7�#9�� �$8�$:��!��rc�>�ddlm}tt|�}||�S)z�
        Export as a ``cryptography`` certificate.

        :rtype: ``cryptography.x509.Certificate``

        .. versionadded:: 17.1.0
        r)�load_der_x509_certificate)r�r�r7r()r�r�r�s   rr�zX509.to_cryptography�s��	@��}�d�3��(��-�-rc��t|tj�std��ddlm}|j
|j�}tt|�S)z�
        Construct based on a ``cryptography`` *crypto_cert*.

        :param crypto_key: A ``cryptography`` X.509 certificate.
        :type crypto_key: ``cryptography.x509.Certificate``

        :rtype: X509

        .. versionadded:: 17.1.0
        zMust be a certificaterr�)
rdr�Certificaterfr�r�r�r�r=r()r��crypto_certr�r�s    rr�zX509.from_cryptography�sD���+�t�'7�'7�8��3�4�4�I��&�&�x�|�|�4���
�s�3�3rc��t|t�std��tt	j
|j|�dk(�y)a	
        Set the version number of the certificate. Note that the
        version value is zero-based, eg. a value of 0 is V1.

        :param version: The version number of the certificate.
        :type version: :py:class:`int`

        :return: ``None``
        zversion must be an integerr�N)rdrArfrXrL�X509_set_versionrW)r�r�s  rr�zX509.set_version�s8���'�3�'��8�9�9���-�-�d�j�j�'�B�a�G�Hrc�@�tj|j�S)z�
        Return the version number of the certificate.

        :return: The version number of the certificate.
        :rtype: :py:class:`int`
        )rL�X509_get_versionrWr�s rr�zX509.get_version�s���$�$�T�Z�Z�0�0rc�B�tjt�}tj|j�|_|j
tjk(r
t�t
j|j
tj�|_d|_|S)z{
        Get the public key of the certificate.

        :return: The public key.
        :rtype: :py:class:`PKey`
        T)r/r�rL�X509_get_pubkeyrWr�rTrYr�rZr�r�r�s  rr�zX509.get_pubkey�sg���|�|�D�!���)�)�$�*�*�5��
��:�:����"� �"��W�W�T�Z�Z��);�);�<��
� ����rc��t|t�std��tj|j
|j�}t|dk(�y)z�
        Set the public key of the certificate.

        :param pkey: The public key.
        :type pkey: :py:class:`PKey`

        :return: :py:data:`None`
        r�r�N)rdr/rfrL�X509_set_pubkeyrWr�rXr�s   rr�zX509.set_pubkeys@���$��%��:�;�;��)�)�$�*�*�d�j�j�A�
��
�a��(rc��t|t�std��|jrt	d��|j
st	d��t
jt|��}|tjk(rt	d��t
j|j|j|�}t|dkD�y)a
        Sign the certificate with this key and digest type.

        :param pkey: The key to sign with.
        :type pkey: :py:class:`PKey`

        :param digest: The name of the message digest to use.
        :type digest: :py:class:`str`

        :return: :py:data:`None`
        r�zKey only has public partr�r�rN)rdr/rfr�rhr�rLr�rrTrY�	X509_signrWr�rX)r�r�r��evp_mdr�s     rr�z	X509.signs����$��%��:�;�;�����7�8�8�� � ��3�4�4��*�*�<��+?�@���T�Y�Y���4�5�5��n�n�T�Z�Z����V�D����a��(rc��tj|j�}tjd�}tj
|tjtj|�tj|d�}|tjk(rtd��tjtj|��S)z�
        Return the signature algorithm used in the certificate.

        :return: The name of the algorithm.
        :rtype: :py:class:`bytes`

        :raises ValueError: If the signature algorithm is undefined.

        .. versionadded:: 0.13
        zASN1_OBJECT **rzUndefined signature algorithm)rL�X509_get0_tbs_sigalgrWrTrU�X509_ALGOR_get0rYr%rrhrx�
OBJ_nid2ln)r��sig_alg�algr�s    r�get_signature_algorithmzX509.get_signature_algorithm7s����+�+�D�J�J�7���h�h�'�(�����S�$�)�)�T�Y�Y��@����s�1�v�&���$�.�.� ��<�=�=��{�{�4�?�?�3�/�0�0rc��tjt|��}|tjk(rtd��tjdtj�}tjdd�}t|�|d<tj|j|||�}t|dk(�djtj||d�D�cgc]}t|�j���c}�Scc}w)a5
        Return the digest of the X509 object.

        :param digest_name: The name of the digest algorithm to use.
        :type digest_name: :py:class:`str`

        :return: The digest of the object, formatted as
            :py:const:`b":"`-delimited hex pairs.
        :rtype: :py:class:`bytes`
        r�zunsigned char[]zunsigned int[]r�r�:)rLr�rrTrYrhrU�EVP_MAX_MD_SIZErW�X509_digestrWrXrtr[r�upper)r��digest_namer�r`r��
digest_result�chs       rr�zX509.digestJs����*�*�<��+D�E���T�Y�Y���4�5�5����!2�D�4H�4H�I�
����!1�1�5�
��}�-�
�a���(�(��J�J��
�}�
�
�	�
��*�+��y�y��+�+�m�]�1�5E�F�
���"�
�#�#�%�
�
�	
��
s� Dc�@�tj|j�S)z�
        Return the hash of the X509 subject.

        :return: The hash of the subject.
        :rtype: :py:class:`int`
        )rL�X509_subject_name_hashrWr�s r�subject_name_hashzX509.subject_name_hashis���*�*�4�:�:�6�6rc�`�t|t�std��t|�dd}|j	d�}tjd�}tj||�}t|t
jk7�tj|dt
j�}tj|d�t|t
jk7�tj|tj�}tj|j |�}t|dk(�y)z�
        Set the serial number of the certificate.

        :param serial: The new serial number.
        :type serial: :py:class:`int`

        :return: :py:data`None`
        zserial must be an integerr�Nr�zBIGNUM**rr�)rdrArf�hexr(rTrUrL�	BN_hex2bnrXrY�BN_to_ASN1_INTEGERr�rZ�ASN1_INTEGER_free�X509_set_serialNumberrW)r��serial�
hex_serial�hex_serial_bytes�
bignum_serialr��asn1_serialrks        r�set_serial_numberzX509.set_serial_numberrs����&�#�&��7�8�8���[���_�
�%�,�,�W�5������,�
����
�/?�@����$�)�)�+�,��-�-�m�A�.>��	�	�J�����]�1�%�&���t�y�y�0�1��g�g�k�4�+A�+A�B���/�/��
�
�K�H�
��
�a��(rc��tj|j�}tj|tj
�}	tj|�}	t	j|�}t|d�}|tj|�tj|�S#tj|�wxYw#tj|�wxYw)zx
        Return the serial number of this certificate.

        :return: The serial number.
        :rtype: int
        �)rL�X509_get_serialNumberrW�ASN1_INTEGER_to_BNrTrY�	BN_bn2hexrxrAr6r�)r�rrr�hexstring_serialrs      r�get_serial_numberzX509.get_serial_number�s����0�0����<���/�/��T�Y�Y�G�
�		(����
�6�J�
.�#'�;�;�z�#:� ��-�r�2����!�!�*�-��L�L��'���!�!�*�-���L�L��'�s$�C�"B(�=C�(B?�?C�Cc��t|t�std��tj|j
�}tj||�y)z�
        Adjust the time stamp on which the certificate stops being valid.

        :param int amount: The number of seconds by which to adjust the
            timestamp.
        :return: ``None``
        �amount must be an integerN)rdrArfrL�X509_getm_notAfterrW�X509_gmtime_adj)r��amount�notAfters   r�gmtime_adj_notAfterzX509.gmtime_adj_notAfter�s>���&�#�&��7�8�8��*�*�4�:�:�6�����X�v�.rc��t|t�std��tj|j
�}tj||�y)z�
        Adjust the timestamp on which the certificate starts being valid.

        :param amount: The number of seconds by which to adjust the timestamp.
        :return: ``None``
        r'N)rdrArfrL�X509_getm_notBeforerWr))r�r*�	notBefores   r�gmtime_adj_notBeforezX509.gmtime_adj_notBefore�s>���&�#�&��7�8�8��,�,�T�Z�Z�8�	����Y��/rc�:�|j�}|�td��|jd�}tjj	|d�}tj
j}tjj|�jd��}||kS)z�
        Check whether the certificate has expired.

        :return: ``True`` if the certificate has expired, ``False`` otherwise.
        :rtype: bool
        NzUnable to determine notAfterrz
%Y%m%d%H%M%SZ)�tzinfo)	�get_notAfterrhr��datetime�strptime�timezone�utc�now�replace)r��
time_bytes�time_string�	not_after�UTC�utcnows      r�has_expiredzX509.has_expired�s����&�&�(�
����;�<�<� �'�'��0���%�%�.�.�{�O�L�	����#�#���"�"�&�&�s�+�3�3�4�3�@���6�!�!rc�8�t||j��Sr)r�rW)r��whichs  r�_get_boundary_timezX509._get_boundary_time�s���e�D�J�J�/�0�0rc�@�|jtj�S)a

        Get the timestamp at which the certificate starts being valid.

        The timestamp is formatted as an ASN.1 TIME::

            YYYYMMDDhhmmssZ

        :return: A timestamp string, or ``None`` if there is none.
        :rtype: bytes or NoneType
        )rBrLr.r�s r�
get_notBeforezX509.get_notBefore�s���&�&�t�'?�'?�@�@rc�:�t||j�|�Sr)rlrW)r�rArjs   r�_set_boundary_timezX509._set_boundary_time�s���e�D�J�J�/��6�6rc�B�|jtj|�S)z�
        Set the timestamp at which the certificate starts being valid.

        The timestamp is formatted as an ASN.1 TIME::

            YYYYMMDDhhmmssZ

        :param bytes when: A timestamp string.
        :return: ``None``
        )rFrLr.�r�rjs  r�
set_notBeforezX509.set_notBefore�s���&�&�t�'?�'?��F�Frc�@�|jtj�S)a	
        Get the timestamp at which the certificate stops being valid.

        The timestamp is formatted as an ASN.1 TIME::

            YYYYMMDDhhmmssZ

        :return: A timestamp string, or ``None`` if there is none.
        :rtype: bytes or NoneType
        )rBrLr(r�s rr3zX509.get_notAfter�s���&�&�t�'>�'>�?�?rc�B�|jtj|�S)z�
        Set the timestamp at which the certificate stops being valid.

        The timestamp is formatted as an ASN.1 TIME::

            YYYYMMDDhhmmssZ

        :param bytes when: A timestamp string.
        :return: ``None``
        )rFrLr(rHs  r�set_notAfterzX509.set_notAfter�s���&�&�t�'>�'>��E�Erc��tjt�}||j�|_t	|jt
jk7�||_|Sr)r1r�rWr�rXrTrYr�)r�rAr�s   r�	_get_namezX509._get_name
sE������)���4�:�:�&��
���
�
�d�i�i�/�0�����rc��t|t�std��||j|j�}t|dk(�y)Nzname must be an X509Namer�)rdr1rfrWr�rX)r�rAr�rks    r�	_set_namezX509._set_names8���$��)��6�7�7��4�:�:�t�z�z�2�
��
�a��(rc�z�|jtj�}|jj	|�|S)a�
        Return the issuer of this certificate.

        This creates a new :class:`X509Name` that wraps the underlying issuer
        name field on the certificate. Modifying it will modify the underlying
        certificate, and will have the effect of modifying any other
        :class:`X509Name` that refers to this issuer.

        :return: The issuer of this certificate.
        :rtype: :class:`X509Name`
        )rNrL�X509_get_issuer_namer�r�r�s  r�
get_issuerzX509.get_issuers1���~�~�d�7�7�8��� � �$�$�T�*��rc�x�|jtj|�|jj	�y)z�
        Set the issuer of this certificate.

        :param issuer: The issuer.
        :type issuer: :py:class:`X509Name`

        :return: ``None``
        N)rPrL�X509_set_issuer_namer�r�)r�r`s  r�
set_issuerzX509.set_issuer+s*��	
���t�0�0�&�9�� � �&�&�(rc�z�|jtj�}|jj	|�|S)a�
        Return the subject of this certificate.

        This creates a new :class:`X509Name` that wraps the underlying subject
        name field on the certificate. Modifying it will modify the underlying
        certificate, and will have the effect of modifying any other
        :class:`X509Name` that refers to this subject.

        :return: The subject of this certificate.
        :rtype: :class:`X509Name`
        )rNrL�X509_get_subject_namer�r�r�s  rr�zX509.get_subject7s1���~�~�d�8�8�9���!�!�%�%�d�+��rc�x�|jtj|�|jj	�y)z�
        Set the subject of this certificate.

        :param subject: The subject.
        :type subject: :py:class:`X509Name`

        :return: ``None``
        N)rPrL�X509_set_subject_namer�r�)r�r_s  r�set_subjectzX509.set_subjectGs*��	
���t�1�1�7�;��!�!�'�'�)rc�@�tj|j�S)z�
        Get the number of extensions on this certificate.

        :return: The number of extensions.
        :rtype: :py:class:`int`

        .. versionadded:: 0.12
        )rL�X509_get_ext_countrWr�s r�get_extension_countzX509.get_extension_countSs���&�&�t�z�z�2�2rc���tjdtd��|D]V}t|t�std��t
j|j|jd�}t|dk(��Xy)z�
        Add extensions to the certificate.

        :param extensions: The extensions to add.
        :type extensions: An iterable of :py:class:`X509Extension` objects.
        :return: ``None``
        r�r�r�r�rr�N)r�r�r�rdr0rhrL�X509_add_extrWr\rX)r�r�r�r0s    rr�zX509.add_extensions^sl��	�
�
�&�
��	
��	-�C��c�=�1� �!N�O�O��*�*�4�:�:�s�~�~�r�J�J��J�!�O�,�	-rc��tjdtd��tj	t�}tj|j|�|_|jtjk(rtd��tj|j�}tj|t
j�|_|S)a�
        Get a specific extension of the certificate by index.

        Extensions on a certificate are kept in order. The index
        parameter selects which extension will be returned.

        :param int index: The index of the extension to retrieve.
        :return: The extension at the specified index.
        :rtype: :py:class:`X509Extension`
        :raises IndexError: If the extension index was out of bounds.

        .. versionadded:: 0.12
        r�r�r�zextension index out of bounds)r�r�r�r0r�rL�X509_get_extrWr\rTrY�
IndexErrorr�rZr[)r��indexr�rbs    r�
get_extensionzX509.get_extensionws���	�
�
�&�
��	
��#�#�M�2���*�*�4�:�:�u�=����>�>�T�Y�Y�&��<�=�=��+�+�C�N�N�;�	�����D�,D�,D�E����
rNr�)rrrQr-)rQ�x509.Certificate)r�rfrQr-r�r�r�r�r�rR)r
r	rQre)rrArQr�)r*rArQr�r�)rArrQ�bytes | None)rQrg)rAzCallable[..., Any]rjrerQr�)rjrerQr�)rArrQr1)rArr�r1rQr�r�)r`r1rQr�)r_r1rQr�r�)rdrArQr0)%rErFrGrHr�r�r�r�r�r�r�r�r�r�rr�rrr%r,r0r?rBrDrFrIr3rLrNrPrSrVr�r[r^r�rerrrr-r-�s����;�����.��4��4�&
I�1�
�
)�)�81�&
�>7�)�8(�(/�0�"�"1�A�7�'�7�/4�7�	
�7�
G�@�F�	�)�� 
)�� 
*�	3�-�2rr-c�f�eZdZUdZej
Zded<ejZ	ded<ejZded<ejZ
ded<ejZded<ej Zded<ej$Zded	<ej(Zded
<ej,Zded<ej0Zded<y
)r6a
    Flags for X509 verification, used to change the behavior of
    :class:`X509Store`.

    See `OpenSSL Verification Flags`_ for details.

    .. _OpenSSL Verification Flags:
        https://www.openssl.org/docs/manmaster/man3/X509_VERIFY_PARAM_set_flags.html
    rA�	CRL_CHECK�
CRL_CHECK_ALL�IGNORE_CRITICAL�X509_STRICT�ALLOW_PROXY_CERTS�POLICY_CHECK�EXPLICIT_POLICY�INHIBIT_MAP�CHECK_SS_SIGNATURE�
PARTIAL_CHAINN)rErFrGrHrL�X509_V_FLAG_CRL_CHECKrir��X509_V_FLAG_CRL_CHECK_ALLrj�X509_V_FLAG_IGNORE_CRITICALrk�X509_V_FLAG_X509_STRICTrl�X509_V_FLAG_ALLOW_PROXY_CERTSrm�X509_V_FLAG_POLICY_CHECKrn�X509_V_FLAG_EXPLICIT_POLICYro�X509_V_FLAG_INHIBIT_MAPrp�X509_V_FLAG_CHECK_SS_SIGNATURErq�X509_V_FLAG_PARTIAL_CHAINrrrrrr6r6�s�����/�/�I�s�/��7�7�M�3�7��;�;�O�S�;��3�3�K��3�!�?�?��s�?��5�5�L�#�5��;�;�O�S�;��3�3�K��3�"�A�A���A��7�7�M�3�7rr6c�N�eZdZdZd	d�Zd
d�Zdd�Zdd�Zd
d�Z	d					dd�Z	y)r3a�
    An X.509 store.

    An X.509 store is used to describe a context in which to verify a
    certificate. A description of a context may include a set of certificates
    to trust, a set of certificate revocation lists, verification flags and
    more.

    An X.509 store, being only a description, cannot be used by itself to
    verify a certificate. To carry out the actual verification process, see
    :class:`X509StoreContext`.
    c�~�tj�}tj|tj�|_yr)rL�X509_STORE_newrTrZ�X509_STORE_free�_store�r��stores  rr�zX509Store.__init__�s(���#�#�%���g�g�e�T�%9�%9�:��rc��t|t�s
t��tj|j
|j�}t|dk(�y)a�
        Adds a trusted certificate to this store.

        Adding a certificate with this method adds this certificate as a
        *trusted* certificate.

        :param X509 cert: The certificate to add to this store.

        :raises TypeError: If the certificate is not an :class:`X509`.

        :raises OpenSSL.crypto.Error: If OpenSSL was unhappy with your
            certificate.

        :return: ``None`` if the certificate was added successfully.
        r�N)rdr-rfrL�X509_STORE_add_certr�rWrX)r�r�r�s   r�add_certzX509Store.add_cert�s<�� �$��%��+���&�&�t�{�{�D�J�J�?����q��!rc���t|tj�r�ddlm}t|j
|j��}tj|tj�}t|tjk7�tj|tj�}ntd��ttj |j"|�dk7�y)a�
        Add a certificate revocation list to this store.

        The certificate revocation lists added to a store will only be used if
        the associated flags are configured to check certificate revocation
        lists.

        .. versionadded:: 16.1.0

        :param crl: The certificate revocation list to add to this store.
        :type crl: ``cryptography.x509.CertificateRevocationList``
        :return: ``None`` if the certificate revocation list was added
            successfully.
        rr�z?CRL must be of type cryptography.x509.CertificateRevocationListN)rdr�CertificateRevocationListr�r�r]r�r�rL�d2i_X509_CRL_biorTrYrXrZ�
X509_CRL_freerf�X509_STORE_add_crlr�)r��crlr�rN�openssl_crls     r�add_crlzX509Store.add_crl�s����c�4�9�9�:�M��s�/�/����=�>�C��/�/��T�Y�Y�?�K��K�4�9�9�4�5��'�'�+�t�'9�'9�:�C��>��
�
	��/�/����S�A�Q�F�Grc�\�ttj|j|�dk7�y)a�
        Set verification flags to this store.

        Verification flags can be combined by oring them together.

        .. note::

          Setting a verification flag sometimes requires clients to add
          additional information to the store, otherwise a suitable error will
          be raised.

          For example, in setting flags to enable CRL checking a
          suitable CRL must be added to the store otherwise an error will be
          raised.

        .. versionadded:: 16.1.0

        :param int flags: The verification flags to set on this store.
            See :class:`X509StoreFlags` for available constants.
        :return: ``None`` if the verification flags were successfully set.
        rN)rXrL�X509_STORE_set_flagsr�)r��flagss  r�	set_flagszX509Store.set_flags�s"��,	��1�1�$�+�+�u�E��J�Krc�:�tj�}tj|tj�}tj
|t
j|j���ttj|j|�dk7�y)a�
        Set the time against which the certificates are verified.

        Normally the current time is used.

        .. note::

          For example, you can determine if a certificate was valid at a given
          time.

        .. versionadded:: 17.0.0

        :param datetime vfy_time: The verification time to set on this store.
        :return: ``None`` if the verification time was successfully set.
        rN)rL�X509_VERIFY_PARAM_newrTrZ�X509_VERIFY_PARAM_free�X509_VERIFY_PARAM_set_time�calendar�timegm�	timetuplerX�X509_STORE_set1_paramr�)r��vfy_time�params   r�set_timezX509Store.set_timesm�� �*�*�,������t�:�:�;���'�'��8�?�?�8�#5�#5�#7�8�	
�	��2�2�4�;�;��F�!�K�LrNc���|�tj}nt|�}|�tj}nt|�}tj|j
||�}|st
�yy)a�
        Let X509Store know where we can find trusted certificates for the
        certificate chain.  Note that the certificates have to be in PEM
        format.

        If *capath* is passed, it must be a directory prepared using the
        ``c_rehash`` tool included with OpenSSL.  Either, but not both, of
        *cafile* or *capath* may be ``None``.

        .. note::

          Both *cafile* and *capath* may be set simultaneously.

          Call this method multiple times to add more than one location.
          For example, CA certificates, and certificate revocation list bundles
          may be passed in *cafile* in subsequent calls to this method.

        .. versionadded:: 20.0

        :param cafile: In which file we can find the certificates (``bytes`` or
                       ``unicode``).
        :param capath: In which directory we can find the certificates
                       (``bytes`` or ``unicode``).

        :return: ``None`` if the locations were set successfully.

        :raises OpenSSL.crypto.Error: If both *cafile* and *capath* is ``None``
            or the locations could not be set for any reason.

        N)rTrY�_path_bytesrL�X509_STORE_load_locationsr�r�)r��cafile�capath�load_results    r�load_locationszX509Store.load_locations&s`��F�>��Y�Y�F� ��(�F��>��Y�Y�F� ��(�F��4�4��K�K���
��� �"�rr�)r�r-rQr�)r�zx509.CertificateRevocationListrQr�)r�rArQr�)r�zdatetime.datetimerQr�r)r��StrOrBytesPath | Noner�r�rQr�)
rErFrGrHr�r�r�r�r�r�rrrr3r3�sI���;�"�,H�<L�0M�6)-�1#�%�1#�&�1#�
�	1#rr3c�4��eZdZdZ								d�fd�Z�xZS)r5z�
    An exception raised when an error occurred while verifying a certificate
    using `OpenSSL.X509StoreContext.verify_certificate`.

    :ivar certificate: The certificate which caused verificate failure.
    :type certificate: :class:`X509`
    c�@��t�|�|�||_||_yr)r�r��errors�certificate)r��messager�r�r�s    �rr�zX509StoreContextError.__init__cs!���	����!����&��r)r�r	r�z	list[Any]r�r-rQr�)rErFrGrHr�rr
s@rr5r5Zs2����'��'�$-�'�<@�'�	
�'�'rr5c�v�eZdZdZ	d
							dd�Ze				dd��Zed
d��Zdd�Zdd�Z	dd�Z
dd	�Zy)r4a9
    An X.509 store context.

    An X.509 store context is used to carry out the actual verification process
    of a certificate in a described context. For describing such a context, see
    :class:`X509Store`.

    :param X509Store store: The certificates which will be trusted for the
        purposes of any verifications.
    :param X509 certificate: The certificate to be verified.
    :param chain: List of untrusted certificates that may be used for building
        the certificate chain. May be ``None``.
    :type chain: :class:`list` of :class:`X509`
    Nc�L�||_||_|j|�|_yr)r��_cert�_build_certificate_stack�_chain)r�r�r��chains    rr�zX509StoreContext.__init__{s$����� ��
��3�3�E�:��rc��dd�}|�t|�dk(rtjStj�}t|tjk7�tj||�}|D]�}t|t�std��ttj|j�dkD�tj||j�dks�mtj|j�t���|S)Nc���ttj|��D]-}tj||�}tj|��/tj
|�yr)r!rL�sk_X509_num�
sk_X509_valuer��sk_X509_free)�sr,r�s   r�cleanupz:X509StoreContext._build_certificate_stack.<locals>.cleanup�sQ���4�+�+�A�.�/�
"���&�&�q�!�,�����q�!�
"�
���a� rrz+One of the elements is not an X509 instance)r�rrQr�)rWrTrYrL�sk_X509_new_nullrXrZrdr-rf�X509_up_refrW�sk_X509_pushr�r�)�certificatesr�r�r�s    rr�z)X509StoreContext._build_certificate_stack�s���	!���3�|�#4��#9��9�9���%�%�'�������*�+�����w�'�� �	'�D��d�D�)�� M�N�N��D�,�,�T�Z�Z�8�1�<�=�� � ���
�
�3�q�8����t�z�z�*�$�&�	'��rc��tjtjtj|���jd�}tj|�tj|�|g}tj|�}tj|�}tj|�}t|||�S)z�
        Convert an OpenSSL native context error failure into a Python
        exception.

        When a call to native OpenSSL X509_verify_cert fails, additional
        information about the failure can be obtained from the store context.
        r)rTrxrL�X509_verify_cert_error_string�X509_STORE_CTX_get_errorr��X509_STORE_CTX_get_error_depth�X509_STORE_CTX_get_current_cert�X509_dupr-r�r5)�	store_ctxr�r�rWr��pycerts      r�_exception_from_contextz(X509StoreContext._exception_from_context�s����+�+��.�.��-�-�i�8�
�
��&��/�		�
�)�)�)�4��/�/�	�:��
���4�4�Y�?���
�
�e�$���(�(��/��$�W�f�f�=�=rc��tj�}t|tjk7�tj
|tj�}tj||jj|jj|j�}t|dk(�tj|�}|dkr|j|��|S)a3
        Verifies the certificate and runs an X509_STORE_CTX containing the
        results.

        :raises X509StoreContextError: If an error occurred when validating a
          certificate in the context. Sets ``certificate`` attribute to
          indicate which certificate caused the error.
        r�r)rL�X509_STORE_CTX_newrXrTrYrZ�X509_STORE_CTX_free�X509_STORE_CTX_initr�r�rWr��X509_verify_certr�)r�r�rps   r�_verify_certificatez$X509StoreContext._verify_certificate�s����+�+�-�	��	�T�Y�Y�.�/��G�G�I�t�'?�'?�@�	��&�&��t�{�{�)�)�4�:�:�+;�+;�T�[�[�
��	��q��!��#�#�I�.���!�8��.�.�y�9�9��rc��||_y)z�
        Set the context's X.509 store.

        .. versionadded:: 0.15

        :param X509Store store: The store description which will be used for
            the purposes of any *future* verifications.
        N)r�r�s  r�	set_storezX509StoreContext.set_store�s����rc�$�|j�y)a"
        Verify a certificate in a context.

        .. versionadded:: 0.15

        :raises X509StoreContextError: If an error occurred when validating a
          certificate in the context. Sets ``certificate`` attribute to
          indicate which certificate caused the error.
        N)r�r�s r�verify_certificatez#X509StoreContext.verify_certificate�s��	
� � �"rc��|j�}tj|�}t|tj
k7�g}t
tj|��D]Z}tj||�}t|tj
k7�tj|�}|j|��\tj|�|S)aR
        Verify a certificate in a context and return the complete validated
        chain.

        :raises X509StoreContextError: If an error occurred when validating a
          certificate in the context. Sets ``certificate`` attribute to
          indicate which certificate caused the error.

        .. versionadded:: 20.0
        )
r�rL�X509_STORE_CTX_get1_chainrXrTrYr!r�r�r-r�r�r�)r�r��
cert_stackr�r,r�r�s       r�get_verified_chainz#X509StoreContext.get_verified_chain�s����,�,�.�	��3�3�I�>�
��
�d�i�i�/�0����t�'�'�
�3�4�	"�A��%�%�j�!�4�D��D�D�I�I�-�.��,�,�T�2�F��M�M�&�!�		"�	
���*�%��
rr)r�r3r�r-r��Sequence[X509] | NonerQr�)r�r�rQr�)r�rrQr5r)r�r3rQr�r�)rQz
list[X509])rErFrGrHr��staticmethodr�r�r�r�r�r�rrrr4r4ks���
�&(,�	;��;��;�%�	;�

�;���+��	
����:�>��>�2�0	�
#�rr4c���t|t�r|jd�}t|�}|tk(rCtj|tjtjtj�}n9|tk(r%tj|tj�}ntd��|tjk(r
t�tj|�S)a
    Load a certificate (X509) from the string *buffer* encoded with the
    type *type*.

    :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1)

    :param bytes buffer: The buffer the certificate is stored in

    :return: The X509 object
    r��3type argument must be FILETYPE_PEM or FILETYPE_ASN1)rdr	r(r]r)rL�PEM_read_bio_X509rTrYr(�d2i_X509_biorhr�r-r�)r�r[rNrs    rr=r=	s����&�#�����w�'��
�v�
�C��|���%�%�c�4�9�9�d�i�i����K��	
��	�� � ��d�i�i�0���N�O�O��t�y�y�����"�"�4�(�(rc�^�t�}|tk(r!tj||j�}na|t
k(r!tj||j�}n7|tk(r#tj||jdd�}ntd��t|dk(�t|�S)a
    Dump the certificate *cert* into a buffer string encoded with the type
    *type*.

    :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1, or
        FILETYPE_TEXT)
    :param cert: The certificate to dump
    :return: The buffer with the dumped certificate in
    r�Ctype argument must be FILETYPE_PEM, FILETYPE_ASN1, or FILETYPE_TEXTr�)r]r)rL�PEM_write_bio_X509rWr(�i2d_X509_bior*�
X509_print_exrhrXrb)r�r�rN�result_codes    rr7r7&s����.�C��|���-�-�c�4�:�:�>��	
��	��'�'��T�Z�Z�8��	
��	��(�(��d�j�j�!�Q�?���
�
�	
�
�K�1�$�%��#��rc���t�}|tk(rtj}n%|tk(rtj
}nt
d��|||j�}|dk7r
t�t|�S)z�
    Dump a public key to a buffer.

    :param type: The file type (one of :data:`FILETYPE_PEM` or
        :data:`FILETYPE_ASN1`).
    :param PKey pkey: The public key to dump
    :return: The buffer with the dumped key in it.
    :rtype: bytes
    r�r�)
r]r)rL�PEM_write_bio_PUBKEYr(�i2d_PUBKEY_biorhr�r�rb)r�r�rN�	write_bior�s     rr:r:Bsf���.�C��|���-�-�	�	
��	��'�'�	��N�O�O��C����,�K��a�����#��rc	��t�}t|t�std��|�I|�td��t	j
t
|��}|tjk(rtd��tj}t||�}|tk(rXt	j||j|tjd|j|j�}|j!�n�|t"k(r!t	j$||j�}n�|t&k(r�t	j(|j�tj*k7rtd��tj,t	j.|j�tj0�}t	j2||d�}ntd��t5|dk7�t7|�S)a�
    Dump the private key *pkey* into a buffer string encoded with the type
    *type*.  Optionally (if *type* is :const:`FILETYPE_PEM`) encrypting it
    using *cipher* and *passphrase*.

    :param type: The file type (one of :const:`FILETYPE_PEM`,
        :const:`FILETYPE_ASN1`, or :const:`FILETYPE_TEXT`)
    :param PKey pkey: The PKey to dump
    :param cipher: (optional) if encrypted PEM format, the cipher to use
    :param passphrase: (optional) if encrypted PEM format, this can be either
        the passphrase to use, or a callback for providing the passphrase.

    :return: The buffer with the dumped key in
    :rtype: bytes
    zpkey must be a PKeyzDif a value is given for cipher one must also be given for passphrasezInvalid cipher namerz-Only RSA keys are supported for FILETYPE_TEXTr�)r]rdr/rfrL�EVP_get_cipherbynamerrTrYrh�_PassphraseHelperr)�PEM_write_bio_PrivateKeyr��callback�
callback_args�raise_if_problemr(�i2d_PrivateKey_bior*r�r�rZr�r��	RSA_printrXrb)	r�r��cipher�
passphraserN�
cipher_obj�helperr�r s	         rr9r9[s���*�.�C��d�D�!��-�.�.�
�����8��
��.�.�|�F�/C�D�
�����"��2�3�3��Y�Y�
�
�t�Z�
0�F��|���3�3���J�J���I�I�
��O�O�� � �
��	���!�	
��	��-�-�c�4�:�:�>��	
��	����D�J�J�'�4�+<�+<�<��K�L�L��g�g�d�,�,�T�Z�Z�8�$�-�-�H���n�n�S�#�q�1���
�
�	
�
�K�1�$�%��#��rc�x�eZdZ		d									dd�Zed	d��Zed	d��Zefd
d�Z										dd�Z	y)r�c�h�|tk7r
|�td��||_||_||_g|_y)Nz0only FILETYPE_PEM key format supports encryption)r)rh�_passphrase�
_more_args�	_truncate�	_problems)r�r�r��	more_args�truncates     rr�z_PassphraseHelper.__init__�s@���<��J�$:��B��
�&���#���!���*,��rc���|j�tjSt|jt�st|j�r tjd|j�Std��)N�pem_password_cb�2Last argument must be a byte string or a callable.)	r�rTrYrdre�callabler��_read_passphraserfr�s rr�z_PassphraseHelper.callback�s]�����#��9�9��
��(�(�%�
0�H�T�=M�=M�4N��=�=�!2�D�4I�4I�J�J��D��
rc���|j�tjSt|jt�st|j�rtjSt
d��)Nr�)r�rTrYrdrer�rfr�s rr�z_PassphraseHelper.callback_args�sO�����#��9�9��
��(�(�%�
0�H�T�=M�=M�4N��9�9���D��
rc��|jr'	t|�|jjd��y#|$rY�#wxYwr<)r��_exception_from_error_queue�pop)r��
exceptionTypes  rr�z"_PassphraseHelper.raise_if_problem�sF���>�>�
�+�M�:��.�.�$�$�Q�'�'���!�
��
�s�5�=�=c��	t|j�r2|jr|j|||�}n,|j|�}n|j�J�|j}t|t�std��t
|�|kDr|jr|d|}ntd��tt
|��D]
}|||dz||<�t
|�S#t$r%}|jj|�Yd}~yd}~wwxYw)NzBytes expectedz+passphrase returned by callback is too longr�r)r�r�r�rdrerhrWr�r!�	Exceptionr�r�)r�r��size�rwflag�userdatar�r,�es        rr�z"_PassphraseHelper._read_passphrase�s���	���(�(�)��?�?�!�-�-�d�F�H�E�F�!�-�-�f�5�F��'�'�3�3�3��)�)���f�e�,� �!1�2�2��6�{�T�!��>�>�#�E�T�]�F�$�E����3�v�;�'�
+����A��E�*��A��
+��v�;����	��N�N�!�!�!�$���	�s�CC�	D�!D�DN)FF)
r�rAr��PassphraseCallableT | Noner�r�r�r�rQr�r)rztype[Exception]rQr�)
r�rrrArrrrrQrA)
rErFrGr�r�r�r�r.r�r�rrrr�r��s���
 ��-��-�/�-��	-�
�-�
�
-� ��������AF�(����!��+.��:=��	�rr�c�4�t|t�r|jd�}t|�}|tk(rCtj|tjtjtj�}n9|tk(r%tj|tj�}ntd��|tjk(r
t�tjt�}tj|t
j �|_d|_|S)a<
    Load a public key from a buffer.

    :param type: The file type (one of :data:`FILETYPE_PEM`,
        :data:`FILETYPE_ASN1`).
    :param buffer: The buffer the key is stored in.
    :type buffer: A Python string object, either unicode or bytestring.
    :return: The PKey object.
    :rtype: :class:`PKey`
    r�r�T)rdr	r(r]r)rL�PEM_read_bio_PUBKEYrTrYr(�d2i_PUBKEY_biorhr�r/r�rZr�r�r�)r�r[rN�evp_pkeyr�s     rr@r@�s����&�#�����w�'��
�v�
�C��|���+�+�����D�I�I�t�y�y�
��
��	��&�&�s�D�I�I�6���N�O�O��4�9�9�����<�<���D�����4�#5�#5�6�D�J��D���Krc�N�t|t�r|jd�}t|�}t	||�}|t
k(rKt
j|tj|j|j�}|j�n9|tk(r%t
j|tj�}ntd��|tjk(r
t!�t"j%t"�}tj&|tj(�|_|S)a�
    Load a private key (PKey) from the string *buffer* encoded with the type
    *type*.

    :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1)
    :param buffer: The buffer the key is stored in
    :param passphrase: (optional) if encrypted PEM format, this can be
                       either the passphrase to use, or a callback for
                       providing the passphrase.

    :return: The PKey object
    r�r�)rdr	r(r]r�r)rL�PEM_read_bio_PrivateKeyrTrYr�r�r�r(�d2i_PrivateKey_biorhr�r/r�rZr�r�)r�r[r�rNr�rr�s       rr?r?	s���"�&�#�����w�'��
�v�
�C�
�t�Z�
0�F��|���/�/�����F�O�O�V�-A�-A�
��	���!�	
��	��*�*�3��	�	�:���N�O�O��4�9�9�����<�<���D�����4�#5�#5�6�D�J��Krc�^�t�}|tk(r!tj||j�}na|t
k(r!tj||j�}n7|tk(r#tj||jdd�}ntd��t|dk7�t|�S)av
    Dump the certificate request *req* into a buffer string encoded with the
    type *type*.

    :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1)
    :param req: The certificate request to dump
    :return: The buffer with the dumped certificate request in


    .. deprecated:: 24.2.0
       Use `cryptography.x509.CertificateSigningRequest` instead.
    rr�)r]r)rL�PEM_write_bio_X509_REQr�r(�i2d_X509_REQ_bior*�X509_REQ_print_exrhrXrb)r�r�rNr�s    rr8r89	s����.�C��|���1�1�#�s�x�x�@��	
��	��+�+�C����:��	
��	��,�,�S�#�(�(�A�q�A���
�
�	
�
�K�1�$�%��#��rr8rc�$�t|t�r|jd�}t|�}|tk(rCtj|tjtjtj�}n9|tk(r%tj|tj�}ntd��t|tjk7�tjt�}tj|t
j �|_|S)a�
    Load a certificate request (X509Req) from the string *buffer* encoded with
    the type *type*.

    :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1)
    :param buffer: The buffer the certificate request is stored in
    :return: The X509Req object

    .. deprecated:: 24.2.0
       Use `cryptography.x509.load_der_x509_csr` or
       `cryptography.x509.load_pem_x509_csr` instead.
    r�r�)rdr	r(r]r)rL�PEM_read_bio_X509_REQrTrYr(�d2i_X509_REQ_biorhrXr2r�rZr�r�)r�r[rNr��x509reqs     rr>r>g	s����&�#�����w�'��
�v�
�C��|���(�(��d�i�i����D�I�I�N��	
��	��#�#�C����3���N�O�O��C�4�9�9�$�%��o�o�g�&�G��7�7�3�� 2� 2�3�G�L��Nrr>)rr	r�objectrQzCallable[[_T], _T]r)r[rgrQr)rNrrQre)rirrjrerQr�)rjrerQr)r|rrQrg)rQr)r�r	rQr�)r�rAr[rerQr-)r�rAr�r-rQre)r�rAr�r/rQrer�)
r�rAr�r/r�rQr�rrQre)r�rAr[�str | bytesrQr/)r�rAr[rr�rrQr/)r�rAr�r2rQre)r�rAr[rerQr2)o�
__future__rr�r4�	functools�sysr�r��base64r�collections.abcrrrrr	r
�version_infor
�TypeVar�_T�typing_extensions�cryptographyrr�)cryptography.hazmat.primitives.asymmetricrrrrr �
OpenSSL._utilr!r"rr#r�r$rTr%rLr&�_make_assertr'r��__all__r�r�r�r�r��_PrivateKeyr�r�r�r�r��
_PublicKeyr�re�PassphraseCallableT�SSL_FILETYPE_PEMr)r��SSL_FILETYPE_ASN1r(r*r�r,�EVP_PKEY_DSAr+�EVP_PKEY_DHrB�EVP_PKEY_ECrCrr.r�rXr]rbrlrqr�r�r/r�r<r;�total_orderingr1r0r2r-r6r3r5r4r=r7r:r9r�r@r?r8r�rEr�r>r�rrr�<module>r1s���"����
�
���.�������w��#������	�����	�B��-�$���)���������:����������	������	�������������	������	��
�
�[�*�
$�%���E�8�C��J�#7�7�8���)�)��c�)��+�+�
�s�+��
��!�!��#�!��!�!��#�!��������������I���:�E�B���u�%���4;�+�2�&�:
�
�~.�~.�Bd.�d.�N���5�	�5����1�	�1�$�������D���g:�g:�	�g:�T���o�o�	�o�dg�g�T8�8�.g#�g#�T'�I�'�"[�[�|)�:�8�8�-1�	B�

�B�
�B�
�B�+�	B�
�B�JK�K�\�J.2�&�

�&��&�+�&�
�	&�R�@&>�"�������	��	#�	��@&>�"�������	��	#�	r