class _HashContext(object): def __init__(self, backend, algorithm, ctx=None): self._algorithm = algorithm self._backend = backend if ctx is None: ctx = self._backend._lib.EVP_MD_CTX_create() ctx = self._backend._ffi.gc(ctx, self._backend._lib.EVP_MD_CTX_destroy) evp_md = self._backend._lib.EVP_get_digestbyname( algorithm.name.encode("ascii")) if evp_md == self._backend._ffi.NULL: raise UnsupportedAlgorithm( "{0} is not a supported hash on this backend.".format( algorithm.name), _Reasons.UNSUPPORTED_HASH) res = self._backend._lib.EVP_DigestInit_ex(ctx, evp_md, self._backend._ffi.NULL) assert res != 0 self._ctx = ctx algorithm = utils.read_only_property("_algorithm") def copy(self): copied_ctx = self._backend._lib.EVP_MD_CTX_create() copied_ctx = self._backend._ffi.gc( copied_ctx, self._backend._lib.EVP_MD_CTX_destroy) res = self._backend._lib.EVP_MD_CTX_copy_ex(copied_ctx, self._ctx) assert res != 0 return _HashContext(self._backend, self.algorithm, ctx=copied_ctx) def update(self, data): res = self._backend._lib.EVP_DigestUpdate(self._ctx, data, len(data)) assert res != 0 def finalize(self): buf = self._backend._ffi.new("unsigned char[]", self._backend._lib.EVP_MAX_MD_SIZE) outlen = self._backend._ffi.new("unsigned int *") res = self._backend._lib.EVP_DigestFinal_ex(self._ctx, buf, outlen) assert res != 0 assert outlen[0] == self.algorithm.digest_size res = self._backend._lib.EVP_MD_CTX_cleanup(self._ctx) assert res == 1 return self._backend._ffi.buffer(buf)[:outlen[0]]
class SubjectKeyIdentifier(object): def __init__(self, digest): self._digest = digest digest = utils.read_only_property("_digest") def __repr__(self): return "<SubjectKeyIdentifier(digest={0!r})>".format(self.digest) def __eq__(self, other): if not isinstance(other, SubjectKeyIdentifier): return NotImplemented return (self.digest == other.digest) def __ne__(self, other): return not self == other
class CTR(object): name = "CTR" def __init__(self, nonce): if not isinstance(nonce, bytes): raise TypeError("nonce must be bytes") self._nonce = nonce nonce = utils.read_only_property("_nonce") def validate_for_algorithm(self, algorithm): _check_aes_key_length(self, algorithm) if len(self.nonce) * 8 != algorithm.block_size: raise ValueError("Invalid nonce size ({0}) for {1}.".format( len(self.nonce), self.name ))
class _EllipticCurvePublicKey(object): def __init__(self, backend, ec_key_cdata, evp_pkey): self._backend = backend _mark_asn1_named_ec_curve(backend, ec_key_cdata) self._ec_key = ec_key_cdata self._evp_pkey = evp_pkey sn = _ec_key_curve_sn(backend, ec_key_cdata) self._curve = _sn_to_elliptic_curve(backend, sn) curve = utils.read_only_property("_curve") def verifier(self, signature, signature_algorithm): if isinstance(signature_algorithm, ec.ECDSA): return _ECDSAVerificationContext(self._backend, self, signature, signature_algorithm.algorithm) else: raise UnsupportedAlgorithm( "Unsupported elliptic curve signature algorithm.", _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM) def public_numbers(self): set_func, get_func, group = ( self._backend._ec_key_determine_group_get_set_funcs(self._ec_key)) point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key) assert point != self._backend._ffi.NULL with self._backend._tmp_bn_ctx() as bn_ctx: bn_x = self._backend._lib.BN_CTX_get(bn_ctx) bn_y = self._backend._lib.BN_CTX_get(bn_ctx) res = get_func(group, point, bn_x, bn_y, bn_ctx) assert res == 1 x = self._backend._bn_to_int(bn_x) y = self._backend._bn_to_int(bn_y) return ec.EllipticCurvePublicNumbers(x=x, y=y, curve=self._curve) def public_bytes(self, encoding, format): if format is serialization.PublicFormat.PKCS1: raise ValueError( "EC public keys do not support PKCS1 serialization") return self._backend._public_key_bytes(encoding, format, self._evp_pkey, None)
class _RSAPublicKey(object): def __init__(self, backend, rsa_cdata, evp_pkey): self._backend = backend self._rsa_cdata = rsa_cdata self._evp_pkey = evp_pkey n = self._backend._ffi.new("BIGNUM **") self._backend._lib.RSA_get0_key(self._rsa_cdata, n, self._backend._ffi.NULL, self._backend._ffi.NULL) self._backend.openssl_assert(n[0] != self._backend._ffi.NULL) self._key_size = self._backend._lib.BN_num_bits(n[0]) key_size = utils.read_only_property("_key_size") def verifier(self, signature, padding, algorithm): if not isinstance(signature, bytes): raise TypeError("signature must be bytes.") return _RSAVerificationContext(self._backend, self, signature, padding, algorithm) def encrypt(self, plaintext, padding): return _enc_dec_rsa(self._backend, self, plaintext, padding) def public_numbers(self): n = self._backend._ffi.new("BIGNUM **") e = self._backend._ffi.new("BIGNUM **") self._backend._lib.RSA_get0_key(self._rsa_cdata, n, e, self._backend._ffi.NULL) self._backend.openssl_assert(n[0] != self._backend._ffi.NULL) self._backend.openssl_assert(e[0] != self._backend._ffi.NULL) return rsa.RSAPublicNumbers( e=self._backend._bn_to_int(e[0]), n=self._backend._bn_to_int(n[0]), ) def public_bytes(self, encoding, format): return self._backend._public_key_bytes(encoding, format, self, self._evp_pkey, self._rsa_cdata) def verify(self, signature, data, padding, algorithm): verifier = self.verifier(signature, padding, algorithm) verifier.update(data) verifier.verify()
class _EllipticCurvePrivateKey(object): def __init__(self, backend, ec_key_cdata): self._backend = backend _mark_asn1_named_ec_curve(backend, ec_key_cdata) self._ec_key = ec_key_cdata sn = _ec_key_curve_sn(backend, ec_key_cdata) self._curve = _sn_to_elliptic_curve(backend, sn) curve = utils.read_only_property("_curve") def signer(self, signature_algorithm): if isinstance(signature_algorithm, ec.ECDSA): return _ECDSASignatureContext(self._backend, self, signature_algorithm.algorithm) else: raise UnsupportedAlgorithm( "Unsupported elliptic curve signature algorithm.", _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM) def public_key(self): group = self._backend._lib.EC_KEY_get0_group(self._ec_key) assert group != self._backend._ffi.NULL curve_nid = self._backend._lib.EC_GROUP_get_curve_name(group) public_ec_key = self._backend._lib.EC_KEY_new_by_curve_name(curve_nid) assert public_ec_key != self._backend._ffi.NULL public_ec_key = self._backend._ffi.gc(public_ec_key, self._backend._lib.EC_KEY_free) point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key) assert point != self._backend._ffi.NULL res = self._backend._lib.EC_KEY_set_public_key(public_ec_key, point) assert res == 1 return _EllipticCurvePublicKey(self._backend, public_ec_key) def private_numbers(self): bn = self._backend._lib.EC_KEY_get0_private_key(self._ec_key) private_value = self._backend._bn_to_int(bn) return ec.EllipticCurvePrivateNumbers( private_value=private_value, public_numbers=self.public_key().public_numbers())
class RSAPrivateNumbers(object): def __init__(self, p, q, d, dmp1, dmq1, iqmp, public_numbers): if (not isinstance(p, six.integer_types) or not isinstance(q, six.integer_types) or not isinstance(d, six.integer_types) or not isinstance(dmp1, six.integer_types) or not isinstance(dmq1, six.integer_types) or not isinstance(iqmp, six.integer_types)): raise TypeError( "RSAPrivateNumbers p, q, d, dmp1, dmq1, iqmp arguments must" " all be an integers.") if not isinstance(public_numbers, RSAPublicNumbers): raise TypeError( "RSAPrivateNumbers public_numbers must be an RSAPublicNumbers" " instance.") self._p = p self._q = q self._d = d self._dmp1 = dmp1 self._dmq1 = dmq1 self._iqmp = iqmp self._public_numbers = public_numbers p = utils.read_only_property("_p") q = utils.read_only_property("_q") d = utils.read_only_property("_d") dmp1 = utils.read_only_property("_dmp1") dmq1 = utils.read_only_property("_dmq1") iqmp = utils.read_only_property("_iqmp") public_numbers = utils.read_only_property("_public_numbers") def private_key(self, backend): return backend.load_rsa_private_numbers(self) def __eq__(self, other): if not isinstance(other, RSAPrivateNumbers): return NotImplemented return (self.p == other.p and self.q == other.q and self.d == other.d and self.dmp1 == other.dmp1 and self.dmq1 == other.dmq1 and self.iqmp == other.iqmp and self.public_numbers == other.public_numbers) def __ne__(self, other): return not self == other
class ChaCha20(object): name = "ChaCha20" key_sizes = frozenset([256]) def __init__(self, key, nonce): self.key = _verify_key_size(self, key) utils._check_byteslike("nonce", nonce) if len(nonce) != 16: raise ValueError("nonce must be 128-bits (16 bytes)") self._nonce = nonce nonce = utils.read_only_property("_nonce") @property def key_size(self): return len(self.key) * 8
class XTS(object): name = "XTS" def __init__(self, tweak): utils._check_byteslike("tweak", tweak) if len(tweak) != 16: raise ValueError("tweak must be 128-bits (16 bytes)") self._tweak = tweak tweak = utils.read_only_property("_tweak") def validate_for_algorithm(self, algorithm): if algorithm.key_size not in (256, 512): raise ValueError( "The XTS specification requires a 256-bit key for AES-128-XTS" " and 512-bit key for AES-256-XTS")
class BLAKE2s(object): name = "blake2s" block_size = 64 _max_digest_size = 32 _min_digest_size = 1 def __init__(self, digest_size): if ( digest_size > self._max_digest_size or digest_size < self._min_digest_size ): raise ValueError("Digest size must be {0}-{1}".format( self._min_digest_size, self._max_digest_size) ) self._digest_size = digest_size digest_size = utils.read_only_property("_digest_size")
class RFC822Name(object): def __init__(self, value): if isinstance(value, str): try: value.encode("ascii") except UnicodeEncodeError: raise ValueError( "RFC822Name values should be passed as an A-label string. " "This means unicode characters should be encoded via " "a library like idna." ) else: raise TypeError("value must be string") name, address = parseaddr(value) if name or not address: # parseaddr has found a name (e.g. Name <email>) or the entire # value is an empty string. raise ValueError("Invalid rfc822name value") self._value = value value = utils.read_only_property("_value") @classmethod def _init_without_validation(cls, value): instance = cls.__new__(cls) instance._value = value return instance def __repr__(self): return "<RFC822Name(value={0!r})>".format(self.value) def __eq__(self, other): if not isinstance(other, RFC822Name): return NotImplemented return self.value == other.value def __ne__(self, other): return not self == other def __hash__(self): return hash(self.value)
class _HashContext(object): def __init__(self, backend, algorithm, ctx=None): self._algorithm = algorithm self._backend = backend if ctx is None: ctx = self._backend._lib.Cryptography_EVP_MD_CTX_new() ctx = self._backend._ffi.gc( ctx, self._backend._lib.Cryptography_EVP_MD_CTX_free) name = self._backend._build_openssl_digest_name(algorithm) evp_md = self._backend._lib.EVP_get_digestbyname(name) if evp_md == self._backend._ffi.NULL: raise UnsupportedAlgorithm( "{0} is not a supported hash on this backend.".format( name), _Reasons.UNSUPPORTED_HASH) res = self._backend._lib.EVP_DigestInit_ex(ctx, evp_md, self._backend._ffi.NULL) self._backend.openssl_assert(res != 0) self._ctx = ctx algorithm = utils.read_only_property("_algorithm") def copy(self): copied_ctx = self._backend._lib.Cryptography_EVP_MD_CTX_new() copied_ctx = self._backend._ffi.gc( copied_ctx, self._backend._lib.Cryptography_EVP_MD_CTX_free) res = self._backend._lib.EVP_MD_CTX_copy_ex(copied_ctx, self._ctx) self._backend.openssl_assert(res != 0) return _HashContext(self._backend, self.algorithm, ctx=copied_ctx) def update(self, data): res = self._backend._lib.EVP_DigestUpdate(self._ctx, data, len(data)) self._backend.openssl_assert(res != 0) def finalize(self): buf = self._backend._ffi.new("unsigned char[]", self._backend._lib.EVP_MAX_MD_SIZE) outlen = self._backend._ffi.new("unsigned int *") res = self._backend._lib.EVP_DigestFinal_ex(self._ctx, buf, outlen) self._backend.openssl_assert(res != 0) self._backend.openssl_assert(outlen[0] == self.algorithm.digest_size) return self._backend._ffi.buffer(buf)[:outlen[0]]
class _HMACContext(object): def __init__(self, backend, key, algorithm, ctx=None): self._algorithm = algorithm self._backend = backend if ctx is None: ctx = self._backend._ffi.new("CCHmacContext *") try: alg = self._backend._supported_hmac_algorithms[algorithm.name] except KeyError: raise UnsupportedAlgorithm( "{0} is not a supported HMAC hash on this backend.".format( algorithm.name), _Reasons.UNSUPPORTED_HASH) self._backend._lib.CCHmacInit(ctx, alg, key, len(key)) self._ctx = ctx self._key = key algorithm = utils.read_only_property("_algorithm") def copy(self): copied_ctx = self._backend._ffi.new("CCHmacContext *") # CommonCrypto has no APIs for copying HMACs, so we have to copy the # underlying struct. copied_ctx[0] = self._ctx[0] return _HMACContext(self._backend, self._key, self.algorithm, ctx=copied_ctx) def update(self, data): self._backend._lib.CCHmacUpdate(self._ctx, data, len(data)) def finalize(self): buf = self._backend._ffi.new("unsigned char[]", self.algorithm.digest_size) self._backend._lib.CCHmacFinal(self._ctx, buf) return self._backend._ffi.buffer(buf)[:] def verify(self, signature): digest = self.finalize() if not constant_time.bytes_eq(digest, signature): raise InvalidSignature("Signature did not match digest.")
class _HashContext(object): def __init__(self, backend, algorithm, ctx=None): self._algorithm = algorithm self._backend = backend if ctx is None: try: methods = self._backend._hash_mapping[self.algorithm.name] except KeyError: raise UnsupportedAlgorithm( "{0} is not a supported hash on this backend.".format( algorithm.name), _Reasons.UNSUPPORTED_HASH ) ctx = self._backend._ffi.new(methods.ctx) res = methods.hash_init(ctx) assert res == 1 self._ctx = ctx algorithm = utils.read_only_property("_algorithm") def copy(self): methods = self._backend._hash_mapping[self.algorithm.name] new_ctx = self._backend._ffi.new(methods.ctx) # CommonCrypto has no APIs for copying hashes, so we have to copy the # underlying struct. new_ctx[0] = self._ctx[0] return _HashContext(self._backend, self.algorithm, ctx=new_ctx) def update(self, data): methods = self._backend._hash_mapping[self.algorithm.name] res = methods.hash_update(self._ctx, data, len(data)) assert res == 1 def finalize(self): methods = self._backend._hash_mapping[self.algorithm.name] buf = self._backend._ffi.new("unsigned char[]", self.algorithm.digest_size) res = methods.hash_final(buf, self._ctx) assert res == 1 return self._backend._ffi.buffer(buf)[:]
class _DSAPublicKey(object): def __init__(self, backend, dsa_cdata): self._backend = backend self._dsa_cdata = dsa_cdata self._key_size = self._backend._lib.BN_num_bits(self._dsa_cdata.p) key_size = utils.read_only_property("_key_size") def verifier(self, signature, signature_algorithm): return _DSAVerificationContext(self._backend, self, signature, signature_algorithm) def public_numbers(self): return dsa.DSAPublicNumbers(parameter_numbers=dsa.DSAParameterNumbers( p=self._backend._bn_to_int(self._dsa_cdata.p), q=self._backend._bn_to_int(self._dsa_cdata.q), g=self._backend._bn_to_int(self._dsa_cdata.g)), y=self._backend._bn_to_int( self._dsa_cdata.pub_key)) def parameters(self): dsa_cdata = self._backend._lib.DSA_new() assert dsa_cdata != self._backend._ffi.NULL dsa_cdata = self._backend._ffi.gc(dsa_cdata, self._backend._lib.DSA_free) dsa_cdata.p = self._backend._lib.BN_dup(self._dsa_cdata.p) dsa_cdata.q = self._backend._lib.BN_dup(self._dsa_cdata.q) dsa_cdata.g = self._backend._lib.BN_dup(self._dsa_cdata.g) return _DSAParameters(self._backend, dsa_cdata) def public_bytes(self, encoding, format): if format is serialization.PublicFormat.PKCS1: raise ValueError( "DSA public keys do not support PKCS1 serialization") evp_pkey = self._backend._lib.EVP_PKEY_new() assert evp_pkey != self._backend._ffi.NULL evp_pkey = self._backend._ffi.gc(evp_pkey, self._backend._lib.EVP_PKEY_free) res = self._backend._lib.EVP_PKEY_set1_DSA(evp_pkey, self._dsa_cdata) assert res == 1 return self._backend._public_key_bytes(encoding, format, evp_pkey, None)
class DNSName(object): def __init__(self, value): if isinstance(value, six.text_type): try: value.encode("ascii") except UnicodeEncodeError: value = _idna_encode(value) warnings.warn( "DNSName values should be passed as an A-label string. " "This means unicode characters should be encoded via " "idna. Support for passing unicode strings (aka U-label) " "will be removed in a future version.", utils.PersistentlyDeprecated2017, stacklevel=2, ) else: raise TypeError("value must be string") self._value = value value = utils.read_only_property("_value") @classmethod def _init_without_validation(cls, value): instance = cls.__new__(cls) instance._value = value return instance def __repr__(self): return "<DNSName(value={0!r})>".format(self.value) def __eq__(self, other): if not isinstance(other, DNSName): return NotImplemented return self.value == other.value def __ne__(self, other): return not self == other def __hash__(self): return hash(self.value)
class UniformResourceIdentifier(object): def __init__(self, value): if not isinstance(value, six.text_type): raise TypeError("value must be a unicode string") self._value = value value = utils.read_only_property("_value") def __repr__(self): return "<UniformResourceIdentifier(value={0})>".format(self.value) def __eq__(self, other): if not isinstance(other, UniformResourceIdentifier): return NotImplemented return self.value == other.value def __ne__(self, other): return not self == other
class ObjectIdentifier(object): def __init__(self, dotted_string): self._dotted_string = dotted_string def __eq__(self, other): if not isinstance(other, ObjectIdentifier): return NotImplemented return self._dotted_string == other._dotted_string def __ne__(self, other): return not self == other def __repr__(self): return "<ObjectIdentifier(oid={0}, name={1})>".format( self._dotted_string, _OID_NAMES.get(self._dotted_string, "Unknown OID") ) dotted_string = utils.read_only_property("_dotted_string")
class RegisteredID(object): def __init__(self, value): if not isinstance(value, ObjectIdentifier): raise TypeError("value must be an ObjectIdentifier") self._value = value value = utils.read_only_property("_value") def __repr__(self): return "<RegisteredID(value={0})>".format(self.value) def __eq__(self, other): if not isinstance(other, RegisteredID): return NotImplemented return self.value == other.value def __ne__(self, other): return not self == other
class DirectoryName(object): def __init__(self, value): if not isinstance(value, Name): raise TypeError("value must be a Name") self._value = value value = utils.read_only_property("_value") def __repr__(self): return "<DirectoryName(value={0})>".format(self.value) def __eq__(self, other): if not isinstance(other, DirectoryName): return NotImplemented return self.value == other.value def __ne__(self, other): return not self == other
class _DSAPublicKey(object): def __init__(self, backend, dsa_cdata, evp_pkey): self._backend = backend self._dsa_cdata = dsa_cdata self._evp_pkey = evp_pkey self._key_size = self._backend._lib.BN_num_bits(self._dsa_cdata.p) key_size = utils.read_only_property("_key_size") def verifier(self, signature, signature_algorithm): if not isinstance(signature, bytes): raise TypeError("signature must be bytes.") return _DSAVerificationContext(self._backend, self, signature, signature_algorithm) def public_numbers(self): return dsa.DSAPublicNumbers(parameter_numbers=dsa.DSAParameterNumbers( p=self._backend._bn_to_int(self._dsa_cdata.p), q=self._backend._bn_to_int(self._dsa_cdata.q), g=self._backend._bn_to_int(self._dsa_cdata.g)), y=self._backend._bn_to_int( self._dsa_cdata.pub_key)) def parameters(self): dsa_cdata = self._backend._lib.DSA_new() self._backend.openssl_assert(dsa_cdata != self._backend._ffi.NULL) dsa_cdata = self._backend._ffi.gc(dsa_cdata, self._backend._lib.DSA_free) dsa_cdata.p = self._backend._lib.BN_dup(self._dsa_cdata.p) dsa_cdata.q = self._backend._lib.BN_dup(self._dsa_cdata.q) dsa_cdata.g = self._backend._lib.BN_dup(self._dsa_cdata.g) return _DSAParameters(self._backend, dsa_cdata) def public_bytes(self, encoding, format): if format is serialization.PublicFormat.PKCS1: raise ValueError( "DSA public keys do not support PKCS1 serialization") return self._backend._public_key_bytes(encoding, format, self._evp_pkey, None)
class _DSAPrivateKey(object): def __init__(self, backend, dsa_cdata): self._backend = backend self._dsa_cdata = dsa_cdata self._key_size = self._backend._lib.BN_num_bits(self._dsa_cdata.p) key_size = utils.read_only_property("_key_size") def signer(self, signature_algorithm): return _DSASignatureContext(self._backend, self, signature_algorithm) def private_numbers(self): return dsa.DSAPrivateNumbers(public_numbers=dsa.DSAPublicNumbers( parameter_numbers=dsa.DSAParameterNumbers( p=self._backend._bn_to_int(self._dsa_cdata.p), q=self._backend._bn_to_int(self._dsa_cdata.q), g=self._backend._bn_to_int(self._dsa_cdata.g)), y=self._backend._bn_to_int(self._dsa_cdata.pub_key)), x=self._backend._bn_to_int( self._dsa_cdata.priv_key)) def public_key(self): dsa_cdata = self._backend._lib.DSA_new() assert dsa_cdata != self._backend._ffi.NULL dsa_cdata = self._backend._ffi.gc(dsa_cdata, self._backend._lib.DSA_free) dsa_cdata.p = self._backend._lib.BN_dup(self._dsa_cdata.p) dsa_cdata.q = self._backend._lib.BN_dup(self._dsa_cdata.q) dsa_cdata.g = self._backend._lib.BN_dup(self._dsa_cdata.g) dsa_cdata.pub_key = self._backend._lib.BN_dup(self._dsa_cdata.pub_key) return _DSAPublicKey(self._backend, dsa_cdata) def parameters(self): dsa_cdata = self._backend._lib.DSA_new() assert dsa_cdata != self._backend._ffi.NULL dsa_cdata = self._backend._ffi.gc(dsa_cdata, self._backend._lib.DSA_free) dsa_cdata.p = self._backend._lib.BN_dup(self._dsa_cdata.p) dsa_cdata.q = self._backend._lib.BN_dup(self._dsa_cdata.q) dsa_cdata.g = self._backend._lib.BN_dup(self._dsa_cdata.g) return _DSAParameters(self._backend, dsa_cdata)
class Hash(object): def __init__(self, algorithm, backend=None, ctx=None): backend = _get_backend(backend) if not isinstance(backend, HashBackend): raise UnsupportedAlgorithm( "Backend object does not implement HashBackend.", _Reasons.BACKEND_MISSING_INTERFACE, ) if not isinstance(algorithm, HashAlgorithm): raise TypeError("Expected instance of hashes.HashAlgorithm.") self._algorithm = algorithm self._backend = backend if ctx is None: self._ctx = self._backend.create_hash_ctx(self.algorithm) else: self._ctx = ctx algorithm = utils.read_only_property("_algorithm") def update(self, data): if self._ctx is None: raise AlreadyFinalized("Context was already finalized.") utils._check_byteslike("data", data) self._ctx.update(data) def copy(self): if self._ctx is None: raise AlreadyFinalized("Context was already finalized.") return Hash(self.algorithm, backend=self._backend, ctx=self._ctx.copy()) def finalize(self): if self._ctx is None: raise AlreadyFinalized("Context was already finalized.") digest = self._ctx.finalize() self._ctx = None return digest
class UniformResourceIdentifier(object): def __init__(self, value): if not isinstance(value, six.text_type): raise TypeError("value must be a unicode string") parsed = urllib_parse.urlparse(value) if not parsed.hostname: netloc = "" elif parsed.port: netloc = ( idna.encode(parsed.hostname) + ":{0}".format(parsed.port).encode("ascii")).decode("ascii") else: netloc = idna.encode(parsed.hostname).decode("ascii") # Note that building a URL in this fashion means it should be # semantically indistinguishable from the original but is not # guaranteed to be exactly the same. uri = urllib_parse.urlunparse( (parsed.scheme, netloc, parsed.path, parsed.params, parsed.query, parsed.fragment)).encode("ascii") self._value = value self._encoded = uri value = utils.read_only_property("_value") def __repr__(self): return "<UniformResourceIdentifier(value={0})>".format(self.value) def __eq__(self, other): if not isinstance(other, UniformResourceIdentifier): return NotImplemented return self.value == other.value def __ne__(self, other): return not self == other def __hash__(self): return hash(self.value)
class _RSAPublicKey(object): def __init__(self, backend, rsa_cdata): self._backend = backend self._rsa_cdata = rsa_cdata evp_pkey = self._backend._lib.EVP_PKEY_new() assert evp_pkey != self._backend._ffi.NULL evp_pkey = self._backend._ffi.gc( evp_pkey, self._backend._lib.EVP_PKEY_free ) res = self._backend._lib.EVP_PKEY_set1_RSA(evp_pkey, rsa_cdata) assert res == 1 self._evp_pkey = evp_pkey self._key_size = self._backend._lib.BN_num_bits(self._rsa_cdata.n) key_size = utils.read_only_property("_key_size") def verifier(self, signature, padding, algorithm): return _RSAVerificationContext( self._backend, self, signature, padding, algorithm ) def encrypt(self, plaintext, padding): return _enc_dec_rsa(self._backend, self, plaintext, padding) def public_numbers(self): return rsa.RSAPublicNumbers( e=self._backend._bn_to_int(self._rsa_cdata.e), n=self._backend._bn_to_int(self._rsa_cdata.n), ) def public_bytes(self, encoding, format): return self._backend._public_key_bytes( encoding, format, self._backend._lib.PEM_write_bio_RSAPublicKey, self._evp_pkey, self._rsa_cdata )
class KeyUsage(object): def __init__(self, digital_signature, content_commitment, key_encipherment, data_encipherment, key_agreement, key_cert_sign, crl_sign, encipher_only, decipher_only): if not key_agreement and (encipher_only or decipher_only): raise ValueError( "encipher_only and decipher_only can only be true when " "key_agreement is true") self._digital_signature = digital_signature self._content_commitment = content_commitment self._key_encipherment = key_encipherment self._data_encipherment = data_encipherment self._key_agreement = key_agreement self._key_cert_sign = key_cert_sign self._crl_sign = crl_sign self._encipher_only = encipher_only self._decipher_only = decipher_only digital_signature = utils.read_only_property("_digital_signature") content_commitment = utils.read_only_property("_content_commitment") key_encipherment = utils.read_only_property("_key_encipherment") data_encipherment = utils.read_only_property("_data_encipherment") key_agreement = utils.read_only_property("_key_agreement") key_cert_sign = utils.read_only_property("_key_cert_sign") crl_sign = utils.read_only_property("_crl_sign") @property def encipher_only(self): if not self.key_agreement: raise ValueError( "encipher_only is undefined unless key_agreement is true") else: return self._encipher_only @property def decipher_only(self): if not self.key_agreement: raise ValueError( "decipher_only is undefined unless key_agreement is true") else: return self._decipher_only
class NodeIdExtension(UnrecognizedExtension): def __init__(self, node_id: str) -> None: super(NodeIdExtension, self).__init__(ExtensionsObjectIds.NODE_ID, node_id.encode("utf-8")) self._node_id = node_id node_id = utils.read_only_property("_node_id") def __repr__(self) -> str: return f"{self.__class__.__name__} <node_id: {self._node_id}>" def __eq__(self, other) -> bool: if not isinstance(other, NodeIdExtension): return NotImplemented return self._node_id == other._node_id def __ne__(self, other) -> bool: return not self == other def __hash__(self): return hash(self._node_id)
class NodePrivilegesExtension(UnrecognizedExtension): def __init__(self, node_privileges: str) -> None: super().__init__(ExtensionsObjectIds.NODE_PRIVILEGES, node_privileges.encode("utf-8")) self._node_privileges = node_privileges node_privileges = utils.read_only_property("_node_privileges") def __repr__(self) -> str: return f"{self.__class__.__name__} <node_privileges: {self._node_privileges}>" def __eq__(self, other) -> bool: if not isinstance(other, NodePrivilegesExtension): return NotImplemented return self._node_privileges == other._node_privileges def __ne__(self, other) -> bool: return not self == other def __hash__(self): return hash(self._node_privileges)
class RFC822Name(object): def __init__(self, value): if not isinstance(value, six.text_type): raise TypeError("value must be a unicode string") name, address = parseaddr(value) parts = address.split(u"@") if name or not address: # parseaddr has found a name (e.g. Name <email>) or the entire # value is an empty string. raise ValueError("Invalid rfc822name value") elif len(parts) == 1: # Single label email name. This is valid for local delivery. # No IDNA encoding needed since there is no domain component. encoded = address.encode("ascii") else: # A normal email of the form [email protected]. Let's attempt to # encode the domain component and reconstruct the address. encoded = parts[0].encode("ascii") + b"@" + idna.encode(parts[1]) self._value = value self._encoded = encoded value = utils.read_only_property("_value") def __repr__(self): return "<RFC822Name(value={0})>".format(self.value) def __eq__(self, other): if not isinstance(other, RFC822Name): return NotImplemented return self.value == other.value def __ne__(self, other): return not self == other def __hash__(self): return hash(self.value)
class IPAddress(GeneralName): def __init__( self, value: typing.Union[ipaddress.IPv4Address, ipaddress.IPv6Address, ipaddress.IPv4Network, ipaddress.IPv6Network, ], ): if not isinstance( value, ( ipaddress.IPv4Address, ipaddress.IPv6Address, ipaddress.IPv4Network, ipaddress.IPv6Network, ), ): raise TypeError( "value must be an instance of ipaddress.IPv4Address, " "ipaddress.IPv6Address, ipaddress.IPv4Network, or " "ipaddress.IPv6Network") self._value = value value = utils.read_only_property("_value") def __repr__(self) -> str: return "<IPAddress(value={})>".format(self.value) def __eq__(self, other: object) -> bool: if not isinstance(other, IPAddress): return NotImplemented return self.value == other.value def __ne__(self, other: object) -> bool: return not self == other def __hash__(self) -> int: return hash(self.value)