.PhUddlmZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl mZddlmZddlmZddlmZmZmZmZmZddlmZdd lmZmZmZmZdd lm Z m!Z!m"Z"m#Z#m$Z$m%Z% dd l&m'Z(d Z)n#e*$r d Z) dddZ(YnwxYwdZ+dZ,dZ-dZ.dZ/dZ0dZ1dZ2d Z3d!Z4d"Z5ej6d#Z7d$Z8d%Z9d&Z:d'Z;d(Zej6e9d+ze:zej?Z@eAeBeCd,d-ZDe Gd.d/ZEeEejFd0ejGd*d*dd 1eEejFd0ejHd*d*dd 1eEejFd0ejId*d2d*d 1d3ZJd4eKd5<e.e/e0d6ZLdd9ZMdd<ZNe9d=ze:d=zfddBZOddEZPddFZQddJZRddMZSddNZTddPZUddQZVddSZWGdTdUZXGdVdWZYGdXdYZZGdZd[Z[Gd\d]Z\dd^Z]Gd_d`Z^GdadbZ_e,eYe-eZe+e\e.e[dcej`e/e[ddejae0e[deejbe2e^e3e_iZcddgZdejeejfejgejhejifZj dd dhddmZkddqZlejeejmejnejoejpfZqejeejmejnejpfZrGdrdsejsZtGdtduZuddyZv ddd{Zwdd|ZxddZyddZz dddZ{ddZ|ejeejfejgejifZ}dZ~GddZdS)) annotationsN) encodebytes) dataclass)utilsUnsupportedAlgorithm)hashes)dsaeced25519paddingrsa)AEADDecryptionContextCipher algorithmsmodes)EncodingKeySerializationEncryption NoEncryption PrivateFormat PublicFormat_KeySerializationEncryption)kdfTFpasswordbytessaltdesired_key_bytesintroundsignore_few_roundsboolreturnc td)NzNeed bcrypt moduler)rrrrr s p/var/www/html/test/jupyter/venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/serialization/ssh.py _bcrypt_kdfr%1s##7888s ssh-ed25519sssh-rsasssh-dsssecdsa-sha2-nistp256secdsa-sha2-nistp384secdsa-sha2-nistp521s-cert-v01@openssh.comssk-ssh-ed25519@openssh.coms"sk-ecdsa-sha2-nistp256@openssh.coms rsa-sha2-256s rsa-sha2-512s\A(\S+)[ \t]+(\S+)sopenssh-key-v1s#-----BEGIN OPENSSH PRIVATE KEY-----s!-----END OPENSSH PRIVATE KEY-----sbcryptsnone aes256-ctrs(.*?)cVeZdZUded<ded<ded<ded<ded<d ed <d ed <d S) _SSHCipherztype[algorithms.AES]algrkey_lenz3type[modes.CTR] | type[modes.CBC] | type[modes.GCM]mode block_leniv_len int | Nonetag_lenr!is_aeadN)__name__ __module__ __qualname____annotations__r&r$r,r,\sXLLL====NNNKKKMMMMMr&r, )r-r.r/r0r1r3r4 )r's aes256-cbcsaes256-gcm@openssh.comzdict[bytes, _SSHCipher] _SSH_CIPHERS) secp256r1 secp384r1 secp521r1key&SSHPrivateKeyTypes | SSHPublicKeyTypesct|tjr"t|}nt|tjrt|}nt|t jt jfrt}nkt|tj tj frt}n=t|tjtjfrt"}nt%d|S)NUnsupported key type) isinstancer EllipticCurvePrivateKey_ecdsa_key_type public_keyEllipticCurvePublicKeyr RSAPrivateKey RSAPublicKey_SSH_RSAr DSAPrivateKey DSAPublicKey_SSH_DSAr Ed25519PrivateKeyEd25519PublicKey _SSH_ED25519 ValueError)r@key_types r$_get_ssh_key_typerTs#r122 1"3>>#3#344 C2 3 3 1"3'' C#+S-=> ? ? 1 C#+S-=> ? ?1  g')A B  1 /000 Or&rGec.EllipticCurvePublicKeyc~|j}|jtvrtd|jt|jS)z3Return SSH key_type and curve_name for private key.z'Unsupported curve for ssh private key: )curvename_ECDSA_KEY_TYPErR)rGrWs r$rFrFsE  E z(( Dej D D    5: &&r& data utils.BufferprefixsuffixcLd|t||gS)Nr&)join_base64_encode)r[r]r^s r$_ssh_pem_encoderbs% 88V^D116: ; ;;r&r0NonecT|rt||zdkrtddS)zRequire data to be full blocksrzCorrupt data: missing paddingN)lenrR)r[r0s r$_check_block_sizerfs6 :3t99y(A--8999.-r&c(|rtddS)z!All data should have been parsed.zCorrupt data: unparsed dataN)rRr[s r$ _check_emptyris# 8677788r& ciphername bytes | None)Cipher[modes.CBC | modes.CTR | modes.GCM]c|stdt|}t|||j|jz|d}t ||d|j|||jdS)z$Generate key + iv and return cipher.z9Key is password-protected, but password was not provided.TN) TypeErrorr<r%r.r1rr-r/)rjrrrciphseeds r$ _init_cipherrqs   G     #D $ t{2FD  D  n n%&& $t|~~&''  r& memoryviewtuple[int, memoryview]ct|dkrtdt|ddd|ddfS)Uint32 Invalid dataNbig byteorderrerRr from_bytesrhs r$_get_u32r}J 4yy1}}((( >>$rr(e> 4 4d122h >>r&ct|dkrtdt|ddd|ddfS)Uint64rwNrxryr{rhs r$_get_u64rr~r&tuple[memoryview, memoryview]ct|\}}|t|krtd|d|||dfS)zBytes with u32 length prefixrwN)r}rerR)r[ns r$ _get_sshstrrsItnnGAt3t99}}((( 8T!""X r&ct|\}}|r|ddkrtdt|d|fS)z Big integer.rrwrx)rrRrr|)r[vals r$ _get_mpintrsND!!IC )s1v}}((( >>#u % %t ++r&rc|dkrtd|sdS|dzdz}tj||S)z!Storage format for signed bigint.rznegative mpint not allowedr&r)rR bit_lengthr int_to_bytes)rnbytess r$ _to_mpintrsS Qww5666 snn"q (F  c6 * **r&cjeZdZUdZded<ddd Zdd ZddZddZddZ ddZ d dZ d!d"dZ d#dZ dS)$ _FragListz,Build recursive structure without data copy.zlist[utils.Buffer]flistNinitlist[utils.Buffer] | Noner"rccPg|_|r|j|dSdSN)rextend)selfrs r$__init__z_FragList.__init__s7  $ J  d # # # # # $ $r&rr\c:|j|dS)zAdd plain bytesN)rappendrrs r$put_rawz_FragList.put_raws #r&rcd|j|dddS)zBig-endian uint32rvrxlengthrzNrrto_bytesrs r$put_u32z_FragList.put_u32 . #,,a5,AABBBBBr&cd|j|dddS)zBig-endian uint64rrxrNrrs r$put_u64z_FragList.put_u64rr&bytes | _FragListcRt|tttfr>|t ||j|dS|||j |jdS)zBytes prefixed with u32 lengthN) rDrrr bytearrayrrerrsizerrs r$ put_sshstrz_FragList.put_sshstrs cE:y9 : : ) LLS " " " J  c " " " " " LL $ $ $ J  ci ( ( ( ( (r&cJ|t|dS)z*Big-endian bigint prefixed with u32 lengthN)rrrs r$ put_mpintz_FragList.put_mpints   #'''''r&cPttt|jS)zCurrent number of bytes)summaprerrs r$rz_FragList.size s3sDJ''(((r&rdstbufrrposcT|jD]}t|}|||z}}||||< |S)zWrite into bytearray)rre)rrrfragflenstarts r$renderz_FragList.render$sAJ % %Dt99DcDj3E $F59   r&rctt|}|||S)zReturn as bytes)rrrrrtobytes)rbufs r$rz_FragList.tobytes,s?499;;//00 C{{}}r&r)rrr"rc)rr\r"rc)rrr"rc)rrr"rcr"r)r)rrrrrr"rr"r)r5r6r7__doc__r8rrrrrrrrrr9r&r$rrs66$$$$$ CCCCCCCC))))(((())))r&rc:eZdZdZddZddZdd ZddZddZdS) _SSHFormatRSAzhFormat for RSA keys. Public: mpint e, n Private: mpint n, e, d, iqmp, p, q r[rrr""tuple[tuple[int, int], memoryview]cVt|\}}t|\}}||f|fS)zRSA public fieldsr)rr[ers r$ get_publicz_SSHFormatRSA.get_public<s4T""4T""41vt|r&#tuple[rsa.RSAPublicKey, memoryview]c||\\}}}tj||}|}||fS)zMake RSA public key from data.)rrRSAPublicNumbersrG)rr[rrpublic_numbersrGs r$ load_publicz_SSHFormatRSA.load_publicDsKt,, A-a33#..00 4r&unsafe_skip_rsa_key_validationr!$tuple[rsa.RSAPrivateKey, memoryview]c t|\}}t|\}}t|\}}t|\}}t|\}}t|\} }||f|krtdtj||} tj|| } tj||} tj|| || | || } | |}||fS)zMake RSA private key from data.z Corrupt data: rsa field mismatchr)rrRr rsa_crt_dmp1 rsa_crt_dmq1rRSAPrivateNumbers private_key)rr[ pubfieldsrrrdiqmppqdmp1dmq1rprivate_numbersrs r$ load_privatez_SSHFormatRSA.load_privateMs T""4T""4T""4%% dT""4T""4 q6Y  ?@@ @1%%1%%-a33/ q!T4~  &11+I2  D  r&rGrsa.RSAPublicKeyf_pubrrcc|}||j||jdS)zWrite RSA public keyN)rrrr)rrGrpubns r$ encode_publicz_SSHFormatRSA.encode_publicesC((**  r&rrsa.RSAPrivateKeyf_privct|}|j}||j||j||j||j||j||jdS)zWrite RSA private keyN) rrrrrrrrr)rrrrrs r$encode_privatez_SSHFormatRSA.encode_privatems&5577(7)***)****+++-...*+++*+++++r&N)r[rrr"r)r[rrr"r)r[rrrr!r"r)rGrrrr"rc)rrrrr"rc r5r6r7rrrrrrr9r&r$rr3s    !!!!0     , , , , , ,r&rcBeZdZdZddZddZdd ZddZddZd dZ dS)! _SSHFormatDSAzhFormat for DSA keys. Public: mpint p, q, g, y Private: mpint p, q, g, y, x r[rrr"tuple[tuple, memoryview]ct|\}}t|\}}t|\}}t|\}}||||f|fS)zDSA public fieldsr)rr[rrgys r$rz_SSHFormatDSA.get_publicsYT""4T""4T""4T""41a|T!!r&#tuple[dsa.DSAPublicKey, memoryview]c||\\}}}}}tj|||}tj||}|||}||fS)zMake DSA public key from data.)rr DSAParameterNumbersDSAPublicNumbers _validaterG) rr[rrrrparameter_numbersrrGs r$rz_SSHFormatDSA.load_publicsx"__T22 Aq!d3Aq!<<-a1BCC ~&&&#..00 4r&rr!$tuple[dsa.DSAPrivateKey, memoryview]cl||\\}}}}}t|\}}||||f|krtdtj|||} tj|| } || tj|| } | } | |fS)zMake DSA private key from data.z Corrupt data: dsa field mismatch) rrrRr rrrDSAPrivateNumbersr) rr[rrrrrrxrrrrs r$rz_SSHFormatDSA.load_privates"__T22 Aq!dT""4 q!Q<9 $ $?@@ @3Aq!<<-a1BCC ~&&&/>BB%1133 D  r&rGdsa.DSAPublicKeyrrrcc6|}|j}||||j||j||j||jdS)zWrite DSA public keyN)rrrrrrrr)rrGrrrs r$rz_SSHFormatDSA.encode_publics$2244*< ~&&& )+,,, )+,,, )+,,, ()))))r&rdsa.DSAPrivateKeyrc|||||jdS)zWrite DSA private keyN)rrGrrr)rrrs r$rz_SSHFormatDSA.encode_privatesO ;1133V<<<4466899999r&rdsa.DSAPublicNumberscl|j}|jdkrtddS)Niz#SSH supports only 1024 bit DSA keys)rrrrR)rrrs r$rz_SSHFormatDSA._validates<*<   ) ) + +t 3 3BCC C 4 3r&N)r[rrr"r)r[rrr"r)r[rrrr!r"r)rGrrrr"rc)rrrrr"rc)rrr"rc) r5r6r7rrrrrrrr9r&r$rr}s""""     !!!! * * * *::::DDDDDDr&rcBeZdZdZddZdd Zdd Zd dZd!dZd"dZ dS)#_SSHFormatECDSAzFormat for ECDSA keys. Public: str curve bytes point Private: str curve bytes point mpint secret ssh_curve_namerrWec.EllipticCurvec"||_||_dSr)rrW)rrrWs r$rz_SSHFormatECDSA.__init__s, r&r[rrr"0tuple[tuple[memoryview, memoryview], memoryview]ct|\}}t|\}}||jkrtd|ddkrtd||f|fS)zECDSA public fieldszCurve name mismatchrrvzNeed uncompressed point)rrrRNotImplementedError)rr[rWpoints r$rz_SSHFormatECDSA.get_publicsn"$'' t!$'' t D' ' '233 3 8q==%&?@@ @u~t##r&,tuple[ec.EllipticCurvePublicKey, memoryview]c||\\}}}tj|j|}||fSz Make ECDSA public key from data.)rr rHfrom_encoded_pointrWr)rr[_rrGs r$rz_SSHFormatECDSA.load_publicsR ??400 ED.AA J   4r&rr!-tuple[ec.EllipticCurvePrivateKey, memoryview]c||\\}}}t|\}}||f|krtdtj||j}||fS)z!Make ECDSA private key from data.z"Corrupt data: ecdsa field mismatch)rrrRr derive_private_keyrW)rr[rr curve_namersecretrs r$rz_SSHFormatECDSA.load_privatesn%)OOD$9$9!UT!$''   ) + +ABB B+FDJ?? D  r&rGrUrrrcc|tjtj}||j||dS)zWrite ECDSA public keyN) public_bytesrX962rUncompressedPointrr)rrGrrs r$rz_SSHFormatECDSA.encode_publicsV'' M<9   ,--- r&rec.EllipticCurvePrivateKeyrc|}|}|||||jdS)zWrite ECDSA private keyN)rGrrr private_value)rrrrGrs r$rz_SSHFormatECDSA.encode_privatesY!++-- %5577 :v...677777r&N)rrrWr)r[rrr"rr[rrr"r)r[rrrr!r"r )rGrUrrr"rc)rrrrr"rc) r5r6r7rrrrrrrr9r&r$rrs   $ $ $ $     ! ! ! !    888888r&rc:eZdZdZddZddZdd ZddZddZdS)_SSHFormatEd25519z~Format for Ed25519 keys. Public: bytes point Private: bytes point bytes secret_and_point r[rrr"$tuple[tuple[memoryview], memoryview]c0t|\}}|f|fS)zEd25519 public fields)r)rr[rs r$rz_SSHFormatEd25519.get_publics!"$'' tx~r&+tuple[ed25519.Ed25519PublicKey, memoryview]c||\\}}tj|}||fSz"Make Ed25519 public key from data.)rr rPfrom_public_bytesr)rr[rrGs r$rz_SSHFormatEd25519.load_publicsK..$-?? MMOO  4r&rr!,tuple[ed25519.Ed25519PrivateKey, memoryview]c||\\}}t|\}}|dd}|dd}||ks|f|krtdtj|}||fS)z#Make Ed25519 private key from data.Nr:z$Corrupt data: ed25519 field mismatch)rrrRr rOfrom_private_bytes) rr[rrrkeypairrpoint2rs r$rz_SSHFormatEd25519.load_private%s..$#D)) " F??uh)33CDD D/BB6JJ D  r&rGed25519.Ed25519PublicKeyrrrcc|tjtj}||dS)zWrite Ed25519 public keyN)rrRawrr)rrGrraw_public_keys r$rz_SSHFormatEd25519.encode_public3s?$00 L,*   (((((r&red25519.Ed25519PrivateKeyrch|}|tjtjt }|tjtj}t||g}| ||| |dS)zWrite Ed25519 private keyN) rG private_bytesrr&rrrrrrr)rrrrGraw_private_keyr' f_keypairs r$rz _SSHFormatEd25519.encode_private<s!++-- %33 L-+\^^  $00 L,*  ?@@  :v...)$$$$$r&N)r[rrr"rr[rrr"r)r[rrrr!r"r)rGr$rrr"rc)rr(rrr"rcrr9r&r$rr s     ! ! ! !))))%%%%%%r&rct|\}}|dstd|d||fS)z! U2F application strings sssh:z4U2F application string does not start with b'ssh:' ())rr startswithrR)r[ applications r$load_applicationr2Msn$D))K    + +G 4 4          r&c"eZdZdZd dZd dZd S) _SSHFormatSKEd25519z The format of a sk-ssh-ed25519@openssh.com public key is: string "sk-ssh-ed25519@openssh.com" string public key string application (user-specified, but typically "ssh:") r[rrr"rctt|\}}t|\}}||fSr)_lookup_kformatrQrr2rr[rGr s r$rz_SSHFormatSKEd25519.load_publiccs@+<88DDTJJ D"4((44r&typing.NoReturnc td)Nz,sk-ssh-ed25519 private keys cannot be loadedrrr[s r$rz_SSHFormatSKEd25519.get_publicks# :   r&Nr-r[rrr"r8r5r6r7rrrr9r&r$r4r4ZsF          r&r4c"eZdZdZd dZd dZd S) _SSHFormatSKECDSAz The format of a sk-ecdsa-sha2-nistp256@openssh.com public key is: string "sk-ecdsa-sha2-nistp256@openssh.com" string curve name ec_point Q string application (user-specified, but typically "ssh:") r[rrr"rctt|\}}t|\}}||fSr)r6_ECDSA_NISTP256rr2r7s r$rz_SSHFormatSKECDSA.load_public}s@+?;;GGMM D"4((44r&r8c td)Nz4sk-ecdsa-sha2-nistp256 private keys cannot be loadedrr:s r$rz_SSHFormatSKECDSA.get_publics# B   r&Nrr;r<r9r&r$r>r>ssF          r&r>snistp256snistp384snistp521rSct|ts!t|}|tvr t|St d|)z"Return valid format or throw errorzUnsupported key type: )rDrrrr _KEY_FORMATSr)rSs r$r6r6sZ h & &2h''//11<H%% DDD E EEr&rbackend typing.AnyrSSHPrivateKeyTypesc tjd||tjd|t|}|st d|d}|d}tj t|||}| tst dt|ttd}t|\}}t|\}}t|\} }t|\} }| dkrt dt|\} }t| \} } t!| } | | \}} t%| |t&ks |t&kr|}|t*vrt-d||t.krt-d|t*|j}t*|j}t|\}}t*|jr2t7|}t||krt d nt%|t9||t| \}}t|\}}t%|t;||||}|}t||}t*|jr:tA|tBsJt%|"|nft%|#nD|rtId t|\}}t%|d }t9||t|\}}t|\}}||krt d t|\}}|| krt d | %|||\}}t|\}}|tLdt|krt dtA|tNj(r!tSj*dtj+d|S)z.Load private key from OpenSSH custom encoding.r[NrzNot OpenSSH private key formatr)zOnly one key supportedzUnsupported cipher: zUnsupported KDF: z+Corrupt data: invalid tag length for cipherz4Password was given but private key is not encrypted.rzCorrupt data: broken checksumzCorrupt data: key type mismatchrzCorrupt data: invalid paddingDSSH DSA keys are deprecated and will be removed in a future release. stacklevel),r_check_byteslike _check_bytes_PEM_RCsearchrRrendbinascii a2b_base64rrr0 _SK_MAGICrerr}r6rri_NONErr<r_BCRYPTr0r3r4rrfrq decryptorupdaterDrfinalize_with_tagfinalizernr_PADDINGr rLwarningswarnDeprecatedIn40)r[rrDrmp1p2rjkdfname kdfoptionsnkeyspubdata pub_key_typekformatrciphername_bytesblklenr3edatatagrkbufrrodecck1ck2rSrr s r$load_ssh_private_keyros 64((( :x000tA ;9::: B qB  z$//26 7 7D ??9 % %;9::: d  C NN,, -D#4((J%%MGT"4((J4..KE4 zz1222 %%MGT'00L'l++G ++G44IwUg..%--// < / /&;'7;;  g  &'F7'F'FGG G./9/08!$'' t ( ) 1 ++C3xx7"" !NOOO#    %((( ,, d~~ T,h OOnn3::e,,-- ( ) 1 )c#899 9 9 9 ..s33 4 4 4 4  ( ( ( (  F "$'' tT%(((%JC%JC czz8999"%((OHe<:;;; -- 'E.K 5!!HAu 3u::&&&8999+s011           r&rencryption_algorithmrctjd|t|tjr!t jdtjdt|}t|}t}|rt}t|j }t}t} t|t r|j|j} t%jd} || || t-||| | } n t.x}}d}d} d} t%jd} d }t}|||||t| | g}||||||||t8d|||zz t}|t<|||||||| |||||}|}t?tA||z}|!|||z }| 8| "#|||||dtI|d|S) z3Serialize private key with OpenSSH custom encoding.rISSH DSA key support is deprecated and will be removed in a future releaservrJNr(rr)r&)%rrMrDr rLr[r\r]rTr6r_DEFAULT_CIPHERr<r0rU_DEFAULT_ROUNDSr _kdf_roundsosurandomrrrqrTrrGrrrZrrSrrrr encryptor update_intorb)rrrprSrf f_kdfoptionsrjrhrarrrorccheckvalcomment f_public_key f_secretsf_mainslenmlenrofss r$_serialize_ssh_private_keyrs/  z8,,,+s011   *       !--Hh''G;;L$ j)3  +-H I I 6$0<)5Fz"~~%%%V$$$J$??$$ W Ez!}}HG;;LH%%% +0022LAAA8X.//I """ ; 222 !!! hE9>>+;+;f+D!EEFGGG[[F NN9 j!!! g l### NN5 l### i    >>  D ;;==D Ytf}-- . .C MM# +C  $$ST]CI>>> 3uu: & &&r&ceZdZdZdZdS)SSHCertificateTyper)rIN)r5r6r7USERHOSTr9r&r$rrws D DDDr&rceZdZd+dZed,dZd-dZed.dZed/dZed,d Z ed0d!Z ed.d"Z ed.d#Z ed1d$Z ed1d%Zd-d&Zd,d'Zd2d)Zd*S)3SSHCertificate_noncerr _public_keySSHPublicKeyTypes_serialr_cctype_key_id_valid_principals list[bytes] _valid_after _valid_before_critical_optionsdict[bytes, bytes] _extensions _sig_type_sig_key_inner_sig_type _signature_tbs_cert_body_cert_key_typer _cert_bodycL||_||_||_ t||_n#t $rt dwxYw||_||_||_||_ | |_ | |_ | |_ | |_ | |_||_||_||_||_dS)NzInvalid certificate type)rrrr_typerRrrrrrrrrrrrrr)rrrrrrrrrrrrrrrrrrs r$rzSSHCertificate.__init__}s( &  9+G44DJJ 9 9 9788 8 9 !2(*!2&"  .$,$,s ,Ar"c*t|jSr)rrrs r$noncezSSHCertificate.noncesT[!!!r&SSHCertPublicKeyTypesc@tjt|jSr)typingcastrrrs r$rGzSSHCertificate.public_keys{0$2BCCCr&c|jSr)rrs r$serialzSSHCertificate.serials |r&rc|jSr)rrs r$typezSSHCertificate.types zr&c*t|jSr)rrrs r$key_idzSSHCertificate.key_idsT\"""r&c|jSr)rrs r$valid_principalszSSHCertificate.valid_principals %%r&c|jSr)rrs r$ valid_beforezSSHCertificate.valid_befores !!r&c|jSr)rrs r$ valid_afterzSSHCertificate.valid_afters   r&c|jSr)rrs r$critical_optionszSSHCertificate.critical_optionsrr&c|jSr)rrs r$ extensionszSSHCertificate.extensionss r&ct|j}||j\}}t ||Sr)r6rrrri)r sigformat signature_key sigkey_rests r$rzSSHCertificate.signature_keys?#DN33 %.%:%:4=%I%I" {[!!!r&ct|jdztjt|jdzS)N F)newline)rrrQ b2a_base64rrs r$rzSSHCertificate.public_bytess@ $% & & !%"8"8%HHH I r&rcc|}t|tjr<|t |jt |jdSt|tj rt|j\}}t|\}}t|tj ||}t|j}||t |jtj|dSt|t"jsJ|jt(krt+j}nI|jt.krt+j}n%|jt2ksJt+j}|t |jt |jt7j|dSr)rrDr rPverifyrrrr rHrri asym_utilsencode_dss_signature_get_ec_hash_algrWECDSArrJrrKr SHA1_SSH_RSA_SHA256SHA256_SSH_RSA_SHA512SHA512r PKCS1v15)rrrr[s computed_sighash_algs r$verify_cert_signaturez$SSHCertificate.verify_cert_signatures**,, mW%= > >   do&&d.A(B(B      r'@ A A  11GAt &&GAt    %:1a@@L' (;<> > > >#x//!;==%88!=??+>>>>!=??  do&&d)** ""      r&N)"rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr)r"rr)r"r)r"r)r"r)r"rc)r5r6r7rpropertyrrGrrrrrrrrrrrr9r&r$rr|s'-'-'-'-R"""X"DDDD XX###X#&&&X&"""X"!!!X!&&&X&   X      r&rrWrhashes.HashAlgorithmct|tjrtjSt|tjrtjSt|tjsJtjSr) rDr SECP256R1r r SECP384R1SHA384 SECP521R1r)rWs r$rrsf%&&} E2< ( (}%.....}r&"SSHCertificate | SSHPublicKeyTypesc tjd|t|}|st d|dx}}|d}d}|trd}|dtt }|tkr|stdt|} ttj|}n)#ttjf$rt dwxYw|r|} t#|\} }| |krt d |rt#|\} }||\} }|rt'|\} }t)|\}}t#|\}}t#|\}}g}|r6t#|\}}|t-||6t'|\}}t'|\}}t#|\}}t/|}t#|\}}t/|}t#|\}}t#|\}}t#|\}}|tkr|std | dt| }t#|\}}t1|t#|\}} |t2kr|t4t6t2fvs|t2kr||krt d t#| \}!} t1| t9| | | |||||||||||!||| St1|| S) Nr[zInvalid line formatr)rIFTz-DSA keys aren't supported in SSH certificateszInvalid formatzInvalid key formatz3DSA signatures aren't supported in SSH certificatesz!Signature key type does not match)rrL_SSH_PUBKEY_RCmatchrRgroupendswith _CERT_SUFFIXrerNrr6rrrQrRrnErrorrrrr}rr_parse_exts_optsrirKrrr)"r[_legacy_dsa_allowedr^rS orig_key_typekey_body with_certrfrest cert_bodyinner_key_typerrGrcctyper principalsr principalrr crit_optionsrextsrr  sig_key_rawsig_typesig_key tbs_cert_body signature_rawinner_sig_typesig_rest signatures" r$_load_ssh_public_identityrs 64(((T""A 0./// wwqzz)H}wwqzzHI&&2 0s<000018$7" ;   h''G+(-h7788 x~ &+++)***+ &t,,ND&&-...(!$'' t**400J:~~ ~~ "4(( &t,, D 6$/ $;$; !Iz  # #E)$4$4 5 5 5 6%TNN T%d^^ d(.. d+L99 && d%d++ d##4'-- T' 44' x  (; &E ",SYYJ,/ )$// tT#.}#=#=   #_h?@@(""~'A'A@AA A)(33 8X                 #   ( Ts !C66&Dc t|Sr)rrhs r$load_ssh_public_identityrfs %T * **r& exts_optsrci}d}|rt|\}}t|}||vrtd|||krtdt|\}}t|dkr4t|\}}t|dkrtdt|||<|}||S)NzDuplicate namezFields not lexically sortedrz!Unexpected extra data after value)rrrRre)rresult last_namerXbnamevalueextras r$rrls!#FI  %i00iT{{ F??-.. .  UY%6%6:;; ;&y11y u::>>&u--LE55zzA~~ !DEEEe u     Mr&rhash_algorithmhashes.MD5 | hashes.SHA256ct|tjtjfst dt |}t |}t}||| ||| }tj |}| || S)Nz+hash_algorithm must be either MD5 or SHA256)rDr MD5rrnrTr6rrrrHashrWrY)r@rrSrfrssh_binary_datahash_objs r$ssh_key_fingerprintrs nvz6=&A B BGEFFF %%Hh''G KKE X #u%%%mmooO{>**H OOO$$$     r&ct|d}t|tr|}n|}t|tjr!t jdtj d|S)NT)rrHrIrJ) rrDrrGr rMr[r\rr])r[rD cert_or_keyrGs r$load_ssh_public_keyrs,DdKKKK+~..! ++--  *c.//          r&ct|tjr!tjdt jdt|}t|}t}| || ||tj |}d|d|gS)z&One-line public key format for OpenSSHrrrvrJr&r)rDr rMr[r\rr]rTr6rrrrQrrstripr`)rGrSrfrpubs r$serialize_ssh_public_keyr s*c.//   *       !,,Hh''G KKE X *e,,,  emmoo . . 4 4 6 6C 88XtS) * **r&c eZdZddddgdddggf d2dZd3dZd4dZd5dZd6d!Zd7d#Zd$Z d8d'Z d9d)Z d:d,Z d:d-Z d;d1ZdS)<SSHCertificateBuilderNFrSSHCertPublicKeyTypes | Nonerr2rSSHCertificateType | Nonerrkrr_valid_for_all_principalsr!rrrlist[tuple[bytes, bytes]]rc ||_||_||_||_||_||_||_||_| |_| |_ dSr rrrrrrrrrr) rrrrrrrrrrrs r$rzSSHCertificateBuilder.__init__sW'   !2)B&*(!2&r&rGrr"c :t|tjtjt jfstd|jtdt||j |j |j |j|j|j|j|j|j S)NrCzpublic_key already setr)rDr rHrrJr rPrnrrRrrrrrrrrrr)rrGs r$rGz SSHCertificateBuilder.public_keys ) (    4233 3   '566 6$"L*L"4&*&D,*"4(    r&rrc >t|tstdd|cxkrdksntd|jtdt |j||j|j|j |j |j |j |j |j S)Nzserial must be an integerrz"serial must be between 0 and 2**64zserial already setr)rDrrnrRrrrrrrrrrrr)rrs r$rzSSHCertificateBuilder.serials&#&& 9788 8F""""U""""ABB B < #122 2$(*L"4&*&D,*"4(    r&rrc t|tstd|jt dt |j|j||j|j |j |j |j |j |j S)Nz"type must be an SSHCertificateTypeztype already setr)rDrrnrrRrrrrrrrrrr)rrs r$rzSSHCertificateBuilder.types$ 233 B@AA A : !/00 0$(LL"4&*&D,*"4(    r&rrc t|tstd|jt dt |j|j|j||j |j |j |j |j |j S)Nzkey_id must be byteszkey_id already setr)rDrrnrrRrrrrrrrrrr)rrs r$rzSSHCertificateBuilder.key_id's&%(( 4233 3 < #122 2$(L*"4&*&D,*"4(    r&rc |jrtdtd|Dr|std|jrtdt |t krtdt|j|j |j |j ||j|j |j |j|j S)NzDPrincipals can't be set because the cert is valid for all principalsc3@K|]}t|tVdSr)rDr).0rs r$ z9SSHCertificateBuilder.valid_principals..Cs,CCQJq%((CCCCCCr&z5principals must be a list of bytes and can't be emptyzvalid_principals already setz:Reached or exceeded the maximum number of valid_principalsr)rrRallrnrre_SSHKEY_CERT_MAX_PRINCIPALSrrrrrrrrr)rrs r$rz&SSHCertificateBuilder.valid_principals:s  ) %  CC2BCCCCC # G   ! =;<< <  #> > >L %(L*L.&*&D,*"4(    r&c |jrtd|jrtdt|j|j|j|j|jd|j|j |j |j  S)Nz@valid_principals already set, can't set valid_for_all_principalsz$valid_for_all_principals already setTr) rrRrrrrrrrrrrrs r$valid_for_all_principalsz.SSHCertificateBuilder.valid_for_all_principals^s  ! +   ) ECDD D$(L*L"4&*,*"4(    r&r int | floatc dt|ttfstdt|}|dks|dkrt d|jt dt |j|j|j |j |j |j ||j |j|j S)Nz$valid_before must be an int or floatrrzvalid_before must [0, 2**64)zvalid_before already setr)rDrfloatrnrRrrrrrrrrrrr)rrs r$rz"SSHCertificateBuilder.valid_beforets,e 55 DBCC C<(( !  |u44;<< <   )788 8$(L*L"4&*&D&*"4(    r&rc dt|ttfstdt|}|dks|dkrt d|jt dt |j|j|j |j |j |j |j ||j|j S)Nz#valid_after must be an int or floatrrzvalid_after must [0, 2**64)zvalid_after already setr)rDrr%rnrRrrrrrrrrrrr)rrs r$rz!SSHCertificateBuilder.valid_afters+U|44 CABB B+&& ??kU22:;; ;   (677 7$(L*L"4&*&D,$"4(    r&rXrc Zt|trt|tstd|d|jDvrt dt |j|j|j|j |j |j |j |j g|j||f|j S)Nname and value must be bytescg|]\}}|Sr9r9rrXr s r$ z=SSHCertificateBuilder.add_critical_option..s???WT1D???r&zDuplicate critical option namer)rDrrnrrRrrrrrrrrrrrrXrs r$add_critical_optionz)SSHCertificateBuilder.add_critical_options$&& ??? ? ?=>> >$(L*L"4&*&D,*F 6Fu F(    r&cZt|trt|tstd|d|jDvrt dt |j|j|j|j |j |j |j |j |jg|j||f S)Nr(cg|]\}}|Sr9r9r*s r$r+z7SSHCertificateBuilder.add_extension..s999WT1D999r&zDuplicate extension namer)rDrrnrrRrrrrrrrrrrr,s r$ add_extensionz#SSHCertificateBuilder.add_extensions$&& z,SSHCertificateBuilder.sign..s !A$r&)r@c|dSr4r9r5s r$r6z,SSHCertificateBuilder.sign..s AaDr&r:r)6rDr rErrIr rOrnrrRrrrrrrrrsortrrTrrvrwr6rrrrrrrrerGsignrrWrrdecode_dss_signaturerrr rr rrQrr rrrrr`)rrrrrS cert_prefixrrff fprincipalsrfcritrXrfoptvalfextfextvalca_typecaformatcafrfsigrrrfsigblob cert_datas r$r9zSSHCertificateBuilder.signs *!)    <:;; ;   #566 6l*  : /00 0 ,$, % d.L     %788 8   $677 7  t1 1 1LMM M ###777 ..111$T%566-  2!(++ KK [!!! Ud.222 & $*"### Vkk ' & &A  " "1 % % % % [((**+++ $#$$$ $$%%% 1 ( (KD%   T " " "5zzA~~#++""5)))  !2!23333  '''' U]]__%%%{{+ ' 'KD% OOD ! ! !5zzA~~#++""5))) 1 12222&&&& T\\^^$$$ S#K00"7++kk w{5577=== S[[]]### k7#< = = )#((55I;;D OOG $ $ $ OOI & & & LL ( ( ( (  R%? @ @ )' (9::H#((bhx6H6HIII29==DAq;;D OOG $ $ $ {{H   q ! ! !   q ! ! ! OOH,,.. / / / LL ( ( ( (k3+<== = = = ;;D OOO , , ,#(( W-//I OOI & & & LL ( ( (' 44::<< {  $SXX{D).L%M%M N N   r&)rrrr2rrrrkrrrr!rr2rr2rrrr)rGrr"r)rrr"r)rrr"r)rrr"r)rrr"r)rr#r"r)rr#r"r)rXrrrr"r)rr1r"r)r5r6r7rrGrrrrr"rrr-r0r9r9r&r$rrs+59"+/ $)+*/$(#'7913'''''0    8    *    &    &" " " " H   ,    ,    ,    ,    ,G G G G G G r&r)F) rrrrrrrrr r!r"r)r@rAr"r)rGrUr"r)r[r\r]rr^rr"r)r[r\r0rr"rc)r[r\r"rc) rjrrrkrrrrr"rl)r[rrr"rs)r[rrr"r)rrr"r)r"r)rSr\r) r[r\rrkrDrErr!r"rF)rrFrrrprr"r)rWrr"r)r[r\r"r)r[rr"r)rrrr"r)r@rrrr"r)r[r\rDrEr"r)rGrr"r) __future__rrQenumrvrerr[base64rra dataclassesr cryptographyrcryptography.exceptionsrcryptography.hazmat.primitivesr )cryptography.hazmat.primitives.asymmetricr r r r rr&cryptography.hazmat.primitives.ciphersrrrr,cryptography.hazmat.primitives.serializationrrrrrrbcryptrr%_bcrypt_supported ImportErrorrQrKrNr@_ECDSA_NISTP384_ECDSA_NISTP521r_SK_SSH_ED25519_SK_SSH_ECDSA_NISTP256rrcompilerrS _SK_START_SK_ENDrUrTrsrtDOTALLrNrrrrangerZr,AESCTRCBCGCMr<r8rYrTrFrbrfrirqr}rrrrrrrrrr2r4r>rrrrCr6UnionrErIrLrOrFrorrHrJrMrPrrEnumrrrrrrrrr r1r rr9r&r$res #"""""" 000000!!!!!!888888111111JIIIII 9)))))) 9 9 9#( 9999999 9  (((' 0>"!233  2 .  "*Y)G3RY ? ? :iia 0 011 2 2  : N Y: N Y *z N Y   ')) @!  &''''%eO<<<<<:::: 8888 ,????????,,,,++++33333333lG,G,G,G,G,G,G,G,TCDCDCDCDCDCDCDCDLD8D8D8D8D8D8D8D8N@%@%@%@%@%@%@%@%F            2        6 mmoo mmoo##%%__[,",..AA__[,",..AA__[,",..AA((**--//  FFFF\ o ,1 oooooodJ'J'J'J'ZL           ~~~~~~~~B\\\\\~++++ (./3(++++(  "I I I I I I I I I I s/A88 BB