commit 2dfad803f0a5bc536cca6b5083a6df6fd248d209 parent 60a87abb70d58e230fa2adb898629d1267ca180e Author: therealFIGBERT <naomi@Naomis-MacBook-Air.local> Date: Sun, 30 Jun 2019 16:35:48 -0700 Removing faulty application Diffstat:
182 files changed, 0 insertions(+), 18750 deletions(-)
diff --git a/MacOS/FigENC_MacOS.app/Contents/Info.plist b/MacOS/FigENC_MacOS.app/Contents/Info.plist Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/MacOS/FigENC MacOS b/MacOS/FigENC_MacOS.app/Contents/MacOS/FigENC MacOS Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/AppIcon.icns b/MacOS/FigENC_MacOS.app/Contents/Resources/AppIcon.icns Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/AppSettings.plist b/MacOS/FigENC_MacOS.app/Contents/Resources/AppSettings.plist Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/MainMenu.nib b/MacOS/FigENC_MacOS.app/Contents/Resources/MainMenu.nib Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/__pycache__/decrypt.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/__pycache__/decrypt.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/__pycache__/encrypt.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/__pycache__/encrypt.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/__pycache__/enum.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/__pycache__/enum.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/__pycache__/initiate_key.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/__pycache__/initiate_key.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/__about__.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/__about__.py @@ -1,23 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -__all__ = [ - "__title__", "__summary__", "__uri__", "__version__", "__author__", - "__email__", "__license__", "__copyright__", -] - -__title__ = "cryptography" -__summary__ = ("cryptography is a package which provides cryptographic recipes" - " and primitives to Python developers.") -__uri__ = "https://github.com/pyca/cryptography" - -__version__ = "2.7" - -__author__ = "The cryptography developers" -__email__ = "cryptography-dev@python.org" - -__license__ = "BSD or Apache License, Version 2.0" -__copyright__ = "Copyright 2013-2017 {}".format(__author__) diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/__init__.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/__init__.py @@ -1,16 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -from cryptography.__about__ import ( - __author__, __copyright__, __email__, __license__, __summary__, __title__, - __uri__, __version__ -) - - -__all__ = [ - "__title__", "__summary__", "__uri__", "__version__", "__author__", - "__email__", "__license__", "__copyright__", -] diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/__about__.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/__about__.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/__init__.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/__init__.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/exceptions.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/exceptions.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/fernet.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/fernet.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/utils.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/utils.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/exceptions.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/exceptions.py @@ -1,58 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -from enum import Enum - - -class _Reasons(Enum): - BACKEND_MISSING_INTERFACE = 0 - UNSUPPORTED_HASH = 1 - UNSUPPORTED_CIPHER = 2 - UNSUPPORTED_PADDING = 3 - UNSUPPORTED_MGF = 4 - UNSUPPORTED_PUBLIC_KEY_ALGORITHM = 5 - UNSUPPORTED_ELLIPTIC_CURVE = 6 - UNSUPPORTED_SERIALIZATION = 7 - UNSUPPORTED_X509 = 8 - UNSUPPORTED_EXCHANGE_ALGORITHM = 9 - UNSUPPORTED_DIFFIE_HELLMAN = 10 - UNSUPPORTED_MAC = 11 - - -class UnsupportedAlgorithm(Exception): - def __init__(self, message, reason=None): - super(UnsupportedAlgorithm, self).__init__(message) - self._reason = reason - - -class AlreadyFinalized(Exception): - pass - - -class AlreadyUpdated(Exception): - pass - - -class NotYetFinalized(Exception): - pass - - -class InvalidTag(Exception): - pass - - -class InvalidSignature(Exception): - pass - - -class InternalError(Exception): - def __init__(self, msg, err_code): - super(InternalError, self).__init__(msg) - self.err_code = err_code - - -class InvalidKey(Exception): - pass diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/fernet.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/fernet.py @@ -1,171 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import base64 -import binascii -import os -import struct -import time - -import six - -from cryptography import utils -from cryptography.exceptions import InvalidSignature -from cryptography.hazmat.backends import default_backend -from cryptography.hazmat.primitives import hashes, padding -from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes -from cryptography.hazmat.primitives.hmac import HMAC - - -class InvalidToken(Exception): - pass - - -_MAX_CLOCK_SKEW = 60 - - -class Fernet(object): - def __init__(self, key, backend=None): - if backend is None: - backend = default_backend() - - key = base64.urlsafe_b64decode(key) - if len(key) != 32: - raise ValueError( - "Fernet key must be 32 url-safe base64-encoded bytes." - ) - - self._signing_key = key[:16] - self._encryption_key = key[16:] - self._backend = backend - - @classmethod - def generate_key(cls): - return base64.urlsafe_b64encode(os.urandom(32)) - - def encrypt(self, data): - current_time = int(time.time()) - iv = os.urandom(16) - return self._encrypt_from_parts(data, current_time, iv) - - def _encrypt_from_parts(self, data, current_time, iv): - utils._check_bytes("data", data) - - padder = padding.PKCS7(algorithms.AES.block_size).padder() - padded_data = padder.update(data) + padder.finalize() - encryptor = Cipher( - algorithms.AES(self._encryption_key), modes.CBC(iv), self._backend - ).encryptor() - ciphertext = encryptor.update(padded_data) + encryptor.finalize() - - basic_parts = ( - b"\x80" + struct.pack(">Q", current_time) + iv + ciphertext - ) - - h = HMAC(self._signing_key, hashes.SHA256(), backend=self._backend) - h.update(basic_parts) - hmac = h.finalize() - return base64.urlsafe_b64encode(basic_parts + hmac) - - def decrypt(self, token, ttl=None): - timestamp, data = Fernet._get_unverified_token_data(token) - return self._decrypt_data(data, timestamp, ttl) - - def extract_timestamp(self, token): - timestamp, data = Fernet._get_unverified_token_data(token) - # Verify the token was not tampered with. - self._verify_signature(data) - return timestamp - - @staticmethod - def _get_unverified_token_data(token): - utils._check_bytes("token", token) - try: - data = base64.urlsafe_b64decode(token) - except (TypeError, binascii.Error): - raise InvalidToken - - if not data or six.indexbytes(data, 0) != 0x80: - raise InvalidToken - - try: - timestamp, = struct.unpack(">Q", data[1:9]) - except struct.error: - raise InvalidToken - return timestamp, data - - def _verify_signature(self, data): - h = HMAC(self._signing_key, hashes.SHA256(), backend=self._backend) - h.update(data[:-32]) - try: - h.verify(data[-32:]) - except InvalidSignature: - raise InvalidToken - - def _decrypt_data(self, data, timestamp, ttl): - current_time = int(time.time()) - if ttl is not None: - if timestamp + ttl < current_time: - raise InvalidToken - - if current_time + _MAX_CLOCK_SKEW < timestamp: - raise InvalidToken - - self._verify_signature(data) - - iv = data[9:25] - ciphertext = data[25:-32] - decryptor = Cipher( - algorithms.AES(self._encryption_key), modes.CBC(iv), self._backend - ).decryptor() - plaintext_padded = decryptor.update(ciphertext) - try: - plaintext_padded += decryptor.finalize() - except ValueError: - raise InvalidToken - unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder() - - unpadded = unpadder.update(plaintext_padded) - try: - unpadded += unpadder.finalize() - except ValueError: - raise InvalidToken - return unpadded - - -class MultiFernet(object): - def __init__(self, fernets): - fernets = list(fernets) - if not fernets: - raise ValueError( - "MultiFernet requires at least one Fernet instance" - ) - self._fernets = fernets - - def encrypt(self, msg): - return self._fernets[0].encrypt(msg) - - def rotate(self, msg): - timestamp, data = Fernet._get_unverified_token_data(msg) - for f in self._fernets: - try: - p = f._decrypt_data(data, timestamp, None) - break - except InvalidToken: - pass - else: - raise InvalidToken - - iv = os.urandom(16) - return self._fernets[0]._encrypt_from_parts(p, timestamp, iv) - - def decrypt(self, msg, ttl=None): - for f in self._fernets: - try: - return f.decrypt(msg, ttl) - except InvalidToken: - pass - raise InvalidToken diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/__init__.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/__init__.py @@ -1,11 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. -""" -Hazardous Materials - -This is a "Hazardous Materials" module. You should ONLY use it if you're -100% absolutely sure that you know what you're doing because this module -is full of land mines, dragons, and dinosaurs with laser guns. -""" -from __future__ import absolute_import, division, print_function diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/__pycache__/__init__.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/__pycache__/__init__.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/__pycache__/_oid.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/__pycache__/_oid.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/_oid.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/_oid.py @@ -1,67 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -from cryptography import utils - - -class ObjectIdentifier(object): - def __init__(self, dotted_string): - self._dotted_string = dotted_string - - nodes = self._dotted_string.split(".") - intnodes = [] - - # There must be at least 2 nodes, the first node must be 0..2, and - # if less than 2, the second node cannot have a value outside the - # range 0..39. All nodes must be integers. - for node in nodes: - try: - intnodes.append(int(node, 0)) - except ValueError: - raise ValueError( - "Malformed OID: %s (non-integer nodes)" % ( - self._dotted_string)) - - if len(nodes) < 2: - raise ValueError( - "Malformed OID: %s (insufficient number of nodes)" % ( - self._dotted_string)) - - if intnodes[0] > 2: - raise ValueError( - "Malformed OID: %s (first node outside valid range)" % ( - self._dotted_string)) - - if intnodes[0] < 2 and intnodes[1] >= 40: - raise ValueError( - "Malformed OID: %s (second node outside valid range)" % ( - self._dotted_string)) - - def __eq__(self, other): - if not isinstance(other, ObjectIdentifier): - return NotImplemented - - return self.dotted_string == other.dotted_string - - def __ne__(self, other): - return not self == other - - def __repr__(self): - return "<ObjectIdentifier(oid={}, name={})>".format( - self.dotted_string, - self._name - ) - - def __hash__(self): - return hash(self.dotted_string) - - @property - def _name(self): - # Lazy import to avoid an import cycle - from cryptography.x509.oid import _OID_NAMES - return _OID_NAMES.get(self, "Unknown OID") - - dotted_string = utils.read_only_property("_dotted_string") diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/__init__.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/__init__.py @@ -1,18 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - - -_default_backend = None - - -def default_backend(): - global _default_backend - - if _default_backend is None: - from cryptography.hazmat.backends.openssl.backend import backend - _default_backend = backend - - return _default_backend diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/__pycache__/__init__.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/__pycache__/__init__.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/__pycache__/interfaces.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/__pycache__/interfaces.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/interfaces.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/interfaces.py @@ -1,395 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import abc - -import six - - -@six.add_metaclass(abc.ABCMeta) -class CipherBackend(object): - @abc.abstractmethod - def cipher_supported(self, cipher, mode): - """ - Return True if the given cipher and mode are supported. - """ - - @abc.abstractmethod - def create_symmetric_encryption_ctx(self, cipher, mode): - """ - Get a CipherContext that can be used for encryption. - """ - - @abc.abstractmethod - def create_symmetric_decryption_ctx(self, cipher, mode): - """ - Get a CipherContext that can be used for decryption. - """ - - -@six.add_metaclass(abc.ABCMeta) -class HashBackend(object): - @abc.abstractmethod - def hash_supported(self, algorithm): - """ - Return True if the hash algorithm is supported by this backend. - """ - - @abc.abstractmethod - def create_hash_ctx(self, algorithm): - """ - Create a HashContext for calculating a message digest. - """ - - -@six.add_metaclass(abc.ABCMeta) -class HMACBackend(object): - @abc.abstractmethod - def hmac_supported(self, algorithm): - """ - Return True if the hash algorithm is supported for HMAC by this - backend. - """ - - @abc.abstractmethod - def create_hmac_ctx(self, key, algorithm): - """ - Create a context for calculating a message authentication code. - """ - - -@six.add_metaclass(abc.ABCMeta) -class CMACBackend(object): - @abc.abstractmethod - def cmac_algorithm_supported(self, algorithm): - """ - Returns True if the block cipher is supported for CMAC by this backend - """ - - @abc.abstractmethod - def create_cmac_ctx(self, algorithm): - """ - Create a context for calculating a message authentication code. - """ - - -@six.add_metaclass(abc.ABCMeta) -class PBKDF2HMACBackend(object): - @abc.abstractmethod - def pbkdf2_hmac_supported(self, algorithm): - """ - Return True if the hash algorithm is supported for PBKDF2 by this - backend. - """ - - @abc.abstractmethod - def derive_pbkdf2_hmac(self, algorithm, length, salt, iterations, - key_material): - """ - Return length bytes derived from provided PBKDF2 parameters. - """ - - -@six.add_metaclass(abc.ABCMeta) -class RSABackend(object): - @abc.abstractmethod - def generate_rsa_private_key(self, public_exponent, key_size): - """ - Generate an RSAPrivateKey instance with public_exponent and a modulus - of key_size bits. - """ - - @abc.abstractmethod - def rsa_padding_supported(self, padding): - """ - Returns True if the backend supports the given padding options. - """ - - @abc.abstractmethod - def generate_rsa_parameters_supported(self, public_exponent, key_size): - """ - Returns True if the backend supports the given parameters for key - generation. - """ - - @abc.abstractmethod - def load_rsa_private_numbers(self, numbers): - """ - Returns an RSAPrivateKey provider. - """ - - @abc.abstractmethod - def load_rsa_public_numbers(self, numbers): - """ - Returns an RSAPublicKey provider. - """ - - -@six.add_metaclass(abc.ABCMeta) -class DSABackend(object): - @abc.abstractmethod - def generate_dsa_parameters(self, key_size): - """ - Generate a DSAParameters instance with a modulus of key_size bits. - """ - - @abc.abstractmethod - def generate_dsa_private_key(self, parameters): - """ - Generate a DSAPrivateKey instance with parameters as a DSAParameters - object. - """ - - @abc.abstractmethod - def generate_dsa_private_key_and_parameters(self, key_size): - """ - Generate a DSAPrivateKey instance using key size only. - """ - - @abc.abstractmethod - def dsa_hash_supported(self, algorithm): - """ - Return True if the hash algorithm is supported by the backend for DSA. - """ - - @abc.abstractmethod - def dsa_parameters_supported(self, p, q, g): - """ - Return True if the parameters are supported by the backend for DSA. - """ - - @abc.abstractmethod - def load_dsa_private_numbers(self, numbers): - """ - Returns a DSAPrivateKey provider. - """ - - @abc.abstractmethod - def load_dsa_public_numbers(self, numbers): - """ - Returns a DSAPublicKey provider. - """ - - @abc.abstractmethod - def load_dsa_parameter_numbers(self, numbers): - """ - Returns a DSAParameters provider. - """ - - -@six.add_metaclass(abc.ABCMeta) -class EllipticCurveBackend(object): - @abc.abstractmethod - def elliptic_curve_signature_algorithm_supported( - self, signature_algorithm, curve - ): - """ - Returns True if the backend supports the named elliptic curve with the - specified signature algorithm. - """ - - @abc.abstractmethod - def elliptic_curve_supported(self, curve): - """ - Returns True if the backend supports the named elliptic curve. - """ - - @abc.abstractmethod - def generate_elliptic_curve_private_key(self, curve): - """ - Return an object conforming to the EllipticCurvePrivateKey interface. - """ - - @abc.abstractmethod - def load_elliptic_curve_public_numbers(self, numbers): - """ - Return an EllipticCurvePublicKey provider using the given numbers. - """ - - @abc.abstractmethod - def load_elliptic_curve_private_numbers(self, numbers): - """ - Return an EllipticCurvePrivateKey provider using the given numbers. - """ - - @abc.abstractmethod - def elliptic_curve_exchange_algorithm_supported(self, algorithm, curve): - """ - Returns whether the exchange algorithm is supported by this backend. - """ - - @abc.abstractmethod - def derive_elliptic_curve_private_key(self, private_value, curve): - """ - Compute the private key given the private value and curve. - """ - - -@six.add_metaclass(abc.ABCMeta) -class PEMSerializationBackend(object): - @abc.abstractmethod - def load_pem_private_key(self, data, password): - """ - Loads a private key from PEM encoded data, using the provided password - if the data is encrypted. - """ - - @abc.abstractmethod - def load_pem_public_key(self, data): - """ - Loads a public key from PEM encoded data. - """ - - @abc.abstractmethod - def load_pem_parameters(self, data): - """ - Load encryption parameters from PEM encoded data. - """ - - -@six.add_metaclass(abc.ABCMeta) -class DERSerializationBackend(object): - @abc.abstractmethod - def load_der_private_key(self, data, password): - """ - Loads a private key from DER encoded data. Uses the provided password - if the data is encrypted. - """ - - @abc.abstractmethod - def load_der_public_key(self, data): - """ - Loads a public key from DER encoded data. - """ - - @abc.abstractmethod - def load_der_parameters(self, data): - """ - Load encryption parameters from DER encoded data. - """ - - -@six.add_metaclass(abc.ABCMeta) -class X509Backend(object): - @abc.abstractmethod - def load_pem_x509_certificate(self, data): - """ - Load an X.509 certificate from PEM encoded data. - """ - - @abc.abstractmethod - def load_der_x509_certificate(self, data): - """ - Load an X.509 certificate from DER encoded data. - """ - - @abc.abstractmethod - def load_der_x509_csr(self, data): - """ - Load an X.509 CSR from DER encoded data. - """ - - @abc.abstractmethod - def load_pem_x509_csr(self, data): - """ - Load an X.509 CSR from PEM encoded data. - """ - - @abc.abstractmethod - def create_x509_csr(self, builder, private_key, algorithm): - """ - Create and sign an X.509 CSR from a CSR builder object. - """ - - @abc.abstractmethod - def create_x509_certificate(self, builder, private_key, algorithm): - """ - Create and sign an X.509 certificate from a CertificateBuilder object. - """ - - @abc.abstractmethod - def create_x509_crl(self, builder, private_key, algorithm): - """ - Create and sign an X.509 CertificateRevocationList from a - CertificateRevocationListBuilder object. - """ - - @abc.abstractmethod - def create_x509_revoked_certificate(self, builder): - """ - Create a RevokedCertificate object from a RevokedCertificateBuilder - object. - """ - - @abc.abstractmethod - def x509_name_bytes(self, name): - """ - Compute the DER encoded bytes of an X509 Name object. - """ - - -@six.add_metaclass(abc.ABCMeta) -class DHBackend(object): - @abc.abstractmethod - def generate_dh_parameters(self, generator, key_size): - """ - Generate a DHParameters instance with a modulus of key_size bits. - Using the given generator. Often 2 or 5. - """ - - @abc.abstractmethod - def generate_dh_private_key(self, parameters): - """ - Generate a DHPrivateKey instance with parameters as a DHParameters - object. - """ - - @abc.abstractmethod - def generate_dh_private_key_and_parameters(self, generator, key_size): - """ - Generate a DHPrivateKey instance using key size only. - Using the given generator. Often 2 or 5. - """ - - @abc.abstractmethod - def load_dh_private_numbers(self, numbers): - """ - Load a DHPrivateKey from DHPrivateNumbers - """ - - @abc.abstractmethod - def load_dh_public_numbers(self, numbers): - """ - Load a DHPublicKey from DHPublicNumbers. - """ - - @abc.abstractmethod - def load_dh_parameter_numbers(self, numbers): - """ - Load DHParameters from DHParameterNumbers. - """ - - @abc.abstractmethod - def dh_parameters_supported(self, p, g, q=None): - """ - Returns whether the backend supports DH with these parameter values. - """ - - @abc.abstractmethod - def dh_x942_serialization_supported(self): - """ - Returns True if the backend supports the serialization of DH objects - with subgroup order (q). - """ - - -@six.add_metaclass(abc.ABCMeta) -class ScryptBackend(object): - @abc.abstractmethod - def derive_scrypt(self, key_material, salt, length, n, r, p): - """ - Return bytes derived from provided Scrypt parameters. - """ diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__init__.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__init__.py @@ -1,10 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -from cryptography.hazmat.backends.openssl.backend import backend - - -__all__ = ["backend"] diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/__init__.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/__init__.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/aead.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/aead.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/backend.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/backend.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ciphers.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ciphers.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/cmac.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/cmac.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/decode_asn1.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/decode_asn1.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/dh.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/dh.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/dsa.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/dsa.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ec.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ec.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ed25519.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ed25519.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ed448.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ed448.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/encode_asn1.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/encode_asn1.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/hashes.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/hashes.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/hmac.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/hmac.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ocsp.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ocsp.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/poly1305.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/poly1305.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/rsa.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/rsa.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/utils.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/utils.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/x25519.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/x25519.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/x448.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/x448.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/x509.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/x509.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/aead.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/aead.py @@ -1,161 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -from cryptography.exceptions import InvalidTag - - -_ENCRYPT = 1 -_DECRYPT = 0 - - -def _aead_cipher_name(cipher): - from cryptography.hazmat.primitives.ciphers.aead import ( - AESCCM, AESGCM, ChaCha20Poly1305 - ) - if isinstance(cipher, ChaCha20Poly1305): - return b"chacha20-poly1305" - elif isinstance(cipher, AESCCM): - return "aes-{}-ccm".format(len(cipher._key) * 8).encode("ascii") - else: - assert isinstance(cipher, AESGCM) - return "aes-{}-gcm".format(len(cipher._key) * 8).encode("ascii") - - -def _aead_setup(backend, cipher_name, key, nonce, tag, tag_len, operation): - evp_cipher = backend._lib.EVP_get_cipherbyname(cipher_name) - backend.openssl_assert(evp_cipher != backend._ffi.NULL) - ctx = backend._lib.EVP_CIPHER_CTX_new() - ctx = backend._ffi.gc(ctx, backend._lib.EVP_CIPHER_CTX_free) - res = backend._lib.EVP_CipherInit_ex( - ctx, evp_cipher, - backend._ffi.NULL, - backend._ffi.NULL, - backend._ffi.NULL, - int(operation == _ENCRYPT) - ) - backend.openssl_assert(res != 0) - res = backend._lib.EVP_CIPHER_CTX_set_key_length(ctx, len(key)) - backend.openssl_assert(res != 0) - res = backend._lib.EVP_CIPHER_CTX_ctrl( - ctx, backend._lib.EVP_CTRL_AEAD_SET_IVLEN, len(nonce), - backend._ffi.NULL - ) - backend.openssl_assert(res != 0) - if operation == _DECRYPT: - res = backend._lib.EVP_CIPHER_CTX_ctrl( - ctx, backend._lib.EVP_CTRL_AEAD_SET_TAG, len(tag), tag - ) - backend.openssl_assert(res != 0) - else: - res = backend._lib.EVP_CIPHER_CTX_ctrl( - ctx, backend._lib.EVP_CTRL_AEAD_SET_TAG, tag_len, backend._ffi.NULL - ) - - nonce_ptr = backend._ffi.from_buffer(nonce) - key_ptr = backend._ffi.from_buffer(key) - res = backend._lib.EVP_CipherInit_ex( - ctx, - backend._ffi.NULL, - backend._ffi.NULL, - key_ptr, - nonce_ptr, - int(operation == _ENCRYPT) - ) - backend.openssl_assert(res != 0) - return ctx - - -def _set_length(backend, ctx, data_len): - intptr = backend._ffi.new("int *") - res = backend._lib.EVP_CipherUpdate( - ctx, - backend._ffi.NULL, - intptr, - backend._ffi.NULL, - data_len - ) - backend.openssl_assert(res != 0) - - -def _process_aad(backend, ctx, associated_data): - outlen = backend._ffi.new("int *") - res = backend._lib.EVP_CipherUpdate( - ctx, backend._ffi.NULL, outlen, associated_data, len(associated_data) - ) - backend.openssl_assert(res != 0) - - -def _process_data(backend, ctx, data): - outlen = backend._ffi.new("int *") - buf = backend._ffi.new("unsigned char[]", len(data)) - res = backend._lib.EVP_CipherUpdate(ctx, buf, outlen, data, len(data)) - backend.openssl_assert(res != 0) - return backend._ffi.buffer(buf, outlen[0])[:] - - -def _encrypt(backend, cipher, nonce, data, associated_data, tag_length): - from cryptography.hazmat.primitives.ciphers.aead import AESCCM - cipher_name = _aead_cipher_name(cipher) - ctx = _aead_setup( - backend, cipher_name, cipher._key, nonce, None, tag_length, _ENCRYPT - ) - # CCM requires us to pass the length of the data before processing anything - # However calling this with any other AEAD results in an error - if isinstance(cipher, AESCCM): - _set_length(backend, ctx, len(data)) - - _process_aad(backend, ctx, associated_data) - processed_data = _process_data(backend, ctx, data) - outlen = backend._ffi.new("int *") - res = backend._lib.EVP_CipherFinal_ex(ctx, backend._ffi.NULL, outlen) - backend.openssl_assert(res != 0) - backend.openssl_assert(outlen[0] == 0) - tag_buf = backend._ffi.new("unsigned char[]", tag_length) - res = backend._lib.EVP_CIPHER_CTX_ctrl( - ctx, backend._lib.EVP_CTRL_AEAD_GET_TAG, tag_length, tag_buf - ) - backend.openssl_assert(res != 0) - tag = backend._ffi.buffer(tag_buf)[:] - - return processed_data + tag - - -def _decrypt(backend, cipher, nonce, data, associated_data, tag_length): - from cryptography.hazmat.primitives.ciphers.aead import AESCCM - if len(data) < tag_length: - raise InvalidTag - tag = data[-tag_length:] - data = data[:-tag_length] - cipher_name = _aead_cipher_name(cipher) - ctx = _aead_setup( - backend, cipher_name, cipher._key, nonce, tag, tag_length, _DECRYPT - ) - # CCM requires us to pass the length of the data before processing anything - # However calling this with any other AEAD results in an error - if isinstance(cipher, AESCCM): - _set_length(backend, ctx, len(data)) - - _process_aad(backend, ctx, associated_data) - # CCM has a different error path if the tag doesn't match. Errors are - # raised in Update and Final is irrelevant. - if isinstance(cipher, AESCCM): - outlen = backend._ffi.new("int *") - buf = backend._ffi.new("unsigned char[]", len(data)) - res = backend._lib.EVP_CipherUpdate(ctx, buf, outlen, data, len(data)) - if res != 1: - backend._consume_errors() - raise InvalidTag - - processed_data = backend._ffi.buffer(buf, outlen[0])[:] - else: - processed_data = _process_data(backend, ctx, data) - outlen = backend._ffi.new("int *") - res = backend._lib.EVP_CipherFinal_ex(ctx, backend._ffi.NULL, outlen) - if res == 0: - backend._consume_errors() - raise InvalidTag - - return processed_data diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/backend.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/backend.py @@ -1,2445 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import base64 -import collections -import contextlib -import itertools -from contextlib import contextmanager - -import asn1crypto.core - -import six -from six.moves import range - -from cryptography import utils, x509 -from cryptography.exceptions import UnsupportedAlgorithm, _Reasons -from cryptography.hazmat.backends.interfaces import ( - CMACBackend, CipherBackend, DERSerializationBackend, DHBackend, DSABackend, - EllipticCurveBackend, HMACBackend, HashBackend, PBKDF2HMACBackend, - PEMSerializationBackend, RSABackend, ScryptBackend, X509Backend -) -from cryptography.hazmat.backends.openssl import aead -from cryptography.hazmat.backends.openssl.ciphers import _CipherContext -from cryptography.hazmat.backends.openssl.cmac import _CMACContext -from cryptography.hazmat.backends.openssl.decode_asn1 import ( - _CRL_ENTRY_REASON_ENUM_TO_CODE, _Integers -) -from cryptography.hazmat.backends.openssl.dh import ( - _DHParameters, _DHPrivateKey, _DHPublicKey, _dh_params_dup -) -from cryptography.hazmat.backends.openssl.dsa import ( - _DSAParameters, _DSAPrivateKey, _DSAPublicKey -) -from cryptography.hazmat.backends.openssl.ec import ( - _EllipticCurvePrivateKey, _EllipticCurvePublicKey -) -from cryptography.hazmat.backends.openssl.ed25519 import ( - _Ed25519PrivateKey, _Ed25519PublicKey -) -from cryptography.hazmat.backends.openssl.ed448 import ( - _ED448_KEY_SIZE, _Ed448PrivateKey, _Ed448PublicKey -) -from cryptography.hazmat.backends.openssl.encode_asn1 import ( - _CRL_ENTRY_EXTENSION_ENCODE_HANDLERS, - _CRL_EXTENSION_ENCODE_HANDLERS, _EXTENSION_ENCODE_HANDLERS, - _OCSP_BASICRESP_EXTENSION_ENCODE_HANDLERS, - _OCSP_REQUEST_EXTENSION_ENCODE_HANDLERS, - _encode_asn1_int_gc, _encode_asn1_str_gc, _encode_name_gc, _txt2obj_gc, -) -from cryptography.hazmat.backends.openssl.hashes import _HashContext -from cryptography.hazmat.backends.openssl.hmac import _HMACContext -from cryptography.hazmat.backends.openssl.ocsp import ( - _OCSPRequest, _OCSPResponse -) -from cryptography.hazmat.backends.openssl.poly1305 import ( - _POLY1305_KEY_SIZE, _Poly1305Context -) -from cryptography.hazmat.backends.openssl.rsa import ( - _RSAPrivateKey, _RSAPublicKey -) -from cryptography.hazmat.backends.openssl.x25519 import ( - _X25519PrivateKey, _X25519PublicKey -) -from cryptography.hazmat.backends.openssl.x448 import ( - _X448PrivateKey, _X448PublicKey -) -from cryptography.hazmat.backends.openssl.x509 import ( - _Certificate, _CertificateRevocationList, - _CertificateSigningRequest, _RevokedCertificate -) -from cryptography.hazmat.bindings.openssl import binding -from cryptography.hazmat.primitives import hashes, serialization -from cryptography.hazmat.primitives.asymmetric import dsa, ec, ed25519, rsa -from cryptography.hazmat.primitives.asymmetric.padding import ( - MGF1, OAEP, PKCS1v15, PSS -) -from cryptography.hazmat.primitives.ciphers.algorithms import ( - AES, ARC4, Blowfish, CAST5, Camellia, ChaCha20, IDEA, SEED, TripleDES -) -from cryptography.hazmat.primitives.ciphers.modes import ( - CBC, CFB, CFB8, CTR, ECB, GCM, OFB, XTS -) -from cryptography.hazmat.primitives.kdf import scrypt -from cryptography.hazmat.primitives.serialization import ssh -from cryptography.x509 import ocsp - - -_MemoryBIO = collections.namedtuple("_MemoryBIO", ["bio", "char_ptr"]) - - -@utils.register_interface(CipherBackend) -@utils.register_interface(CMACBackend) -@utils.register_interface(DERSerializationBackend) -@utils.register_interface(DHBackend) -@utils.register_interface(DSABackend) -@utils.register_interface(EllipticCurveBackend) -@utils.register_interface(HashBackend) -@utils.register_interface(HMACBackend) -@utils.register_interface(PBKDF2HMACBackend) -@utils.register_interface(RSABackend) -@utils.register_interface(PEMSerializationBackend) -@utils.register_interface(X509Backend) -@utils.register_interface_if( - binding.Binding().lib.Cryptography_HAS_SCRYPT, ScryptBackend -) -class Backend(object): - """ - OpenSSL API binding interfaces. - """ - name = "openssl" - - def __init__(self): - self._binding = binding.Binding() - self._ffi = self._binding.ffi - self._lib = self._binding.lib - - self._cipher_registry = {} - self._register_default_ciphers() - self.activate_osrandom_engine() - self._dh_types = [self._lib.EVP_PKEY_DH] - if self._lib.Cryptography_HAS_EVP_PKEY_DHX: - self._dh_types.append(self._lib.EVP_PKEY_DHX) - - def openssl_assert(self, ok): - return binding._openssl_assert(self._lib, ok) - - def activate_builtin_random(self): - if self._lib.Cryptography_HAS_ENGINE: - # Obtain a new structural reference. - e = self._lib.ENGINE_get_default_RAND() - if e != self._ffi.NULL: - self._lib.ENGINE_unregister_RAND(e) - # Reset the RNG to use the new engine. - self._lib.RAND_cleanup() - # decrement the structural reference from get_default_RAND - res = self._lib.ENGINE_finish(e) - self.openssl_assert(res == 1) - - @contextlib.contextmanager - def _get_osurandom_engine(self): - # Fetches an engine by id and returns it. This creates a structural - # reference. - e = self._lib.ENGINE_by_id(self._lib.Cryptography_osrandom_engine_id) - self.openssl_assert(e != self._ffi.NULL) - # Initialize the engine for use. This adds a functional reference. - res = self._lib.ENGINE_init(e) - self.openssl_assert(res == 1) - - try: - yield e - finally: - # Decrement the structural ref incremented by ENGINE_by_id. - res = self._lib.ENGINE_free(e) - self.openssl_assert(res == 1) - # Decrement the functional ref incremented by ENGINE_init. - res = self._lib.ENGINE_finish(e) - self.openssl_assert(res == 1) - - def activate_osrandom_engine(self): - if self._lib.Cryptography_HAS_ENGINE: - # Unregister and free the current engine. - self.activate_builtin_random() - with self._get_osurandom_engine() as e: - # Set the engine as the default RAND provider. - res = self._lib.ENGINE_set_default_RAND(e) - self.openssl_assert(res == 1) - # Reset the RNG to use the new engine. - self._lib.RAND_cleanup() - - def osrandom_engine_implementation(self): - buf = self._ffi.new("char[]", 64) - with self._get_osurandom_engine() as e: - res = self._lib.ENGINE_ctrl_cmd(e, b"get_implementation", - len(buf), buf, - self._ffi.NULL, 0) - self.openssl_assert(res > 0) - return self._ffi.string(buf).decode('ascii') - - def openssl_version_text(self): - """ - Friendly string name of the loaded OpenSSL library. This is not - necessarily the same version as it was compiled against. - - Example: OpenSSL 1.0.1e 11 Feb 2013 - """ - return self._ffi.string( - self._lib.OpenSSL_version(self._lib.OPENSSL_VERSION) - ).decode("ascii") - - def openssl_version_number(self): - return self._lib.OpenSSL_version_num() - - def create_hmac_ctx(self, key, algorithm): - return _HMACContext(self, key, algorithm) - - def _evp_md_from_algorithm(self, algorithm): - if algorithm.name == "blake2b" or algorithm.name == "blake2s": - alg = "{}{}".format( - algorithm.name, algorithm.digest_size * 8 - ).encode("ascii") - else: - alg = algorithm.name.encode("ascii") - - evp_md = self._lib.EVP_get_digestbyname(alg) - return evp_md - - def _evp_md_non_null_from_algorithm(self, algorithm): - evp_md = self._evp_md_from_algorithm(algorithm) - self.openssl_assert(evp_md != self._ffi.NULL) - return evp_md - - def hash_supported(self, algorithm): - evp_md = self._evp_md_from_algorithm(algorithm) - return evp_md != self._ffi.NULL - - def hmac_supported(self, algorithm): - return self.hash_supported(algorithm) - - def create_hash_ctx(self, algorithm): - return _HashContext(self, algorithm) - - def cipher_supported(self, cipher, mode): - try: - adapter = self._cipher_registry[type(cipher), type(mode)] - except KeyError: - return False - evp_cipher = adapter(self, cipher, mode) - return self._ffi.NULL != evp_cipher - - def register_cipher_adapter(self, cipher_cls, mode_cls, adapter): - if (cipher_cls, mode_cls) in self._cipher_registry: - raise ValueError("Duplicate registration for: {} {}.".format( - cipher_cls, mode_cls) - ) - self._cipher_registry[cipher_cls, mode_cls] = adapter - - def _register_default_ciphers(self): - for mode_cls in [CBC, CTR, ECB, OFB, CFB, CFB8, GCM]: - self.register_cipher_adapter( - AES, - mode_cls, - GetCipherByName("{cipher.name}-{cipher.key_size}-{mode.name}") - ) - for mode_cls in [CBC, CTR, ECB, OFB, CFB]: - self.register_cipher_adapter( - Camellia, - mode_cls, - GetCipherByName("{cipher.name}-{cipher.key_size}-{mode.name}") - ) - for mode_cls in [CBC, CFB, CFB8, OFB]: - self.register_cipher_adapter( - TripleDES, - mode_cls, - GetCipherByName("des-ede3-{mode.name}") - ) - self.register_cipher_adapter( - TripleDES, - ECB, - GetCipherByName("des-ede3") - ) - for mode_cls in [CBC, CFB, OFB, ECB]: - self.register_cipher_adapter( - Blowfish, - mode_cls, - GetCipherByName("bf-{mode.name}") - ) - for mode_cls in [CBC, CFB, OFB, ECB]: - self.register_cipher_adapter( - SEED, - mode_cls, - GetCipherByName("seed-{mode.name}") - ) - for cipher_cls, mode_cls in itertools.product( - [CAST5, IDEA], - [CBC, OFB, CFB, ECB], - ): - self.register_cipher_adapter( - cipher_cls, - mode_cls, - GetCipherByName("{cipher.name}-{mode.name}") - ) - self.register_cipher_adapter( - ARC4, - type(None), - GetCipherByName("rc4") - ) - self.register_cipher_adapter( - ChaCha20, - type(None), - GetCipherByName("chacha20") - ) - self.register_cipher_adapter(AES, XTS, _get_xts_cipher) - - def create_symmetric_encryption_ctx(self, cipher, mode): - return _CipherContext(self, cipher, mode, _CipherContext._ENCRYPT) - - def create_symmetric_decryption_ctx(self, cipher, mode): - return _CipherContext(self, cipher, mode, _CipherContext._DECRYPT) - - def pbkdf2_hmac_supported(self, algorithm): - return self.hmac_supported(algorithm) - - def derive_pbkdf2_hmac(self, algorithm, length, salt, iterations, - key_material): - buf = self._ffi.new("unsigned char[]", length) - evp_md = self._evp_md_non_null_from_algorithm(algorithm) - key_material_ptr = self._ffi.from_buffer(key_material) - res = self._lib.PKCS5_PBKDF2_HMAC( - key_material_ptr, - len(key_material), - salt, - len(salt), - iterations, - evp_md, - length, - buf - ) - self.openssl_assert(res == 1) - return self._ffi.buffer(buf)[:] - - def _consume_errors(self): - return binding._consume_errors(self._lib) - - def _bn_to_int(self, bn): - assert bn != self._ffi.NULL - - if not six.PY2: - # Python 3 has constant time from_bytes, so use that. - bn_num_bytes = self._lib.BN_num_bytes(bn) - bin_ptr = self._ffi.new("unsigned char[]", bn_num_bytes) - bin_len = self._lib.BN_bn2bin(bn, bin_ptr) - # A zero length means the BN has value 0 - self.openssl_assert(bin_len >= 0) - val = int.from_bytes(self._ffi.buffer(bin_ptr)[:bin_len], "big") - if self._lib.BN_is_negative(bn): - val = -val - return val - else: - # Under Python 2 the best we can do is hex() - hex_cdata = self._lib.BN_bn2hex(bn) - self.openssl_assert(hex_cdata != self._ffi.NULL) - hex_str = self._ffi.string(hex_cdata) - self._lib.OPENSSL_free(hex_cdata) - return int(hex_str, 16) - - def _int_to_bn(self, num, bn=None): - """ - Converts a python integer to a BIGNUM. The returned BIGNUM will not - be garbage collected (to support adding them to structs that take - ownership of the object). Be sure to register it for GC if it will - be discarded after use. - """ - assert bn is None or bn != self._ffi.NULL - - if bn is None: - bn = self._ffi.NULL - - if not six.PY2: - # Python 3 has constant time to_bytes, so use that. - - binary = num.to_bytes(int(num.bit_length() / 8.0 + 1), "big") - bn_ptr = self._lib.BN_bin2bn(binary, len(binary), bn) - self.openssl_assert(bn_ptr != self._ffi.NULL) - return bn_ptr - - else: - # Under Python 2 the best we can do is hex(), [2:] removes the 0x - # prefix. - hex_num = hex(num).rstrip("L")[2:].encode("ascii") - bn_ptr = self._ffi.new("BIGNUM **") - bn_ptr[0] = bn - res = self._lib.BN_hex2bn(bn_ptr, hex_num) - self.openssl_assert(res != 0) - self.openssl_assert(bn_ptr[0] != self._ffi.NULL) - return bn_ptr[0] - - def generate_rsa_private_key(self, public_exponent, key_size): - rsa._verify_rsa_parameters(public_exponent, key_size) - - rsa_cdata = self._lib.RSA_new() - self.openssl_assert(rsa_cdata != self._ffi.NULL) - rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) - - bn = self._int_to_bn(public_exponent) - bn = self._ffi.gc(bn, self._lib.BN_free) - - res = self._lib.RSA_generate_key_ex( - rsa_cdata, key_size, bn, self._ffi.NULL - ) - self.openssl_assert(res == 1) - evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata) - - return _RSAPrivateKey(self, rsa_cdata, evp_pkey) - - def generate_rsa_parameters_supported(self, public_exponent, key_size): - return (public_exponent >= 3 and public_exponent & 1 != 0 and - key_size >= 512) - - def load_rsa_private_numbers(self, numbers): - rsa._check_private_key_components( - numbers.p, - numbers.q, - numbers.d, - numbers.dmp1, - numbers.dmq1, - numbers.iqmp, - numbers.public_numbers.e, - numbers.public_numbers.n - ) - rsa_cdata = self._lib.RSA_new() - self.openssl_assert(rsa_cdata != self._ffi.NULL) - rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) - p = self._int_to_bn(numbers.p) - q = self._int_to_bn(numbers.q) - d = self._int_to_bn(numbers.d) - dmp1 = self._int_to_bn(numbers.dmp1) - dmq1 = self._int_to_bn(numbers.dmq1) - iqmp = self._int_to_bn(numbers.iqmp) - e = self._int_to_bn(numbers.public_numbers.e) - n = self._int_to_bn(numbers.public_numbers.n) - res = self._lib.RSA_set0_factors(rsa_cdata, p, q) - self.openssl_assert(res == 1) - res = self._lib.RSA_set0_key(rsa_cdata, n, e, d) - self.openssl_assert(res == 1) - res = self._lib.RSA_set0_crt_params(rsa_cdata, dmp1, dmq1, iqmp) - self.openssl_assert(res == 1) - res = self._lib.RSA_blinding_on(rsa_cdata, self._ffi.NULL) - self.openssl_assert(res == 1) - evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata) - - return _RSAPrivateKey(self, rsa_cdata, evp_pkey) - - def load_rsa_public_numbers(self, numbers): - rsa._check_public_key_components(numbers.e, numbers.n) - rsa_cdata = self._lib.RSA_new() - self.openssl_assert(rsa_cdata != self._ffi.NULL) - rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) - e = self._int_to_bn(numbers.e) - n = self._int_to_bn(numbers.n) - res = self._lib.RSA_set0_key(rsa_cdata, n, e, self._ffi.NULL) - self.openssl_assert(res == 1) - evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata) - - return _RSAPublicKey(self, rsa_cdata, evp_pkey) - - def _create_evp_pkey_gc(self): - evp_pkey = self._lib.EVP_PKEY_new() - self.openssl_assert(evp_pkey != self._ffi.NULL) - evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - return evp_pkey - - def _rsa_cdata_to_evp_pkey(self, rsa_cdata): - evp_pkey = self._create_evp_pkey_gc() - res = self._lib.EVP_PKEY_set1_RSA(evp_pkey, rsa_cdata) - self.openssl_assert(res == 1) - return evp_pkey - - def _bytes_to_bio(self, data): - """ - Return a _MemoryBIO namedtuple of (BIO, char*). - - The char* is the storage for the BIO and it must stay alive until the - BIO is finished with. - """ - data_ptr = self._ffi.from_buffer(data) - bio = self._lib.BIO_new_mem_buf( - data_ptr, len(data) - ) - self.openssl_assert(bio != self._ffi.NULL) - - return _MemoryBIO(self._ffi.gc(bio, self._lib.BIO_free), data_ptr) - - def _create_mem_bio_gc(self): - """ - Creates an empty memory BIO. - """ - bio_method = self._lib.BIO_s_mem() - self.openssl_assert(bio_method != self._ffi.NULL) - bio = self._lib.BIO_new(bio_method) - self.openssl_assert(bio != self._ffi.NULL) - bio = self._ffi.gc(bio, self._lib.BIO_free) - return bio - - def _read_mem_bio(self, bio): - """ - Reads a memory BIO. This only works on memory BIOs. - """ - buf = self._ffi.new("char **") - buf_len = self._lib.BIO_get_mem_data(bio, buf) - self.openssl_assert(buf_len > 0) - self.openssl_assert(buf[0] != self._ffi.NULL) - bio_data = self._ffi.buffer(buf[0], buf_len)[:] - return bio_data - - def _evp_pkey_to_private_key(self, evp_pkey): - """ - Return the appropriate type of PrivateKey given an evp_pkey cdata - pointer. - """ - - key_type = self._lib.EVP_PKEY_id(evp_pkey) - - if key_type == self._lib.EVP_PKEY_RSA: - rsa_cdata = self._lib.EVP_PKEY_get1_RSA(evp_pkey) - self.openssl_assert(rsa_cdata != self._ffi.NULL) - rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) - return _RSAPrivateKey(self, rsa_cdata, evp_pkey) - elif key_type == self._lib.EVP_PKEY_DSA: - dsa_cdata = self._lib.EVP_PKEY_get1_DSA(evp_pkey) - self.openssl_assert(dsa_cdata != self._ffi.NULL) - dsa_cdata = self._ffi.gc(dsa_cdata, self._lib.DSA_free) - return _DSAPrivateKey(self, dsa_cdata, evp_pkey) - elif key_type == self._lib.EVP_PKEY_EC: - ec_cdata = self._lib.EVP_PKEY_get1_EC_KEY(evp_pkey) - self.openssl_assert(ec_cdata != self._ffi.NULL) - ec_cdata = self._ffi.gc(ec_cdata, self._lib.EC_KEY_free) - return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey) - elif key_type in self._dh_types: - dh_cdata = self._lib.EVP_PKEY_get1_DH(evp_pkey) - self.openssl_assert(dh_cdata != self._ffi.NULL) - dh_cdata = self._ffi.gc(dh_cdata, self._lib.DH_free) - return _DHPrivateKey(self, dh_cdata, evp_pkey) - elif key_type == getattr(self._lib, "EVP_PKEY_ED25519", None): - # EVP_PKEY_ED25519 is not present in OpenSSL < 1.1.1 - return _Ed25519PrivateKey(self, evp_pkey) - elif key_type == getattr(self._lib, "EVP_PKEY_X448", None): - # EVP_PKEY_X448 is not present in OpenSSL < 1.1.1 - return _X448PrivateKey(self, evp_pkey) - elif key_type == getattr(self._lib, "EVP_PKEY_X25519", None): - # EVP_PKEY_X25519 is not present in OpenSSL < 1.1.0 - return _X25519PrivateKey(self, evp_pkey) - elif key_type == getattr(self._lib, "EVP_PKEY_ED448", None): - # EVP_PKEY_ED448 is not present in OpenSSL < 1.1.1 - return _Ed448PrivateKey(self, evp_pkey) - else: - raise UnsupportedAlgorithm("Unsupported key type.") - - def _evp_pkey_to_public_key(self, evp_pkey): - """ - Return the appropriate type of PublicKey given an evp_pkey cdata - pointer. - """ - - key_type = self._lib.EVP_PKEY_id(evp_pkey) - - if key_type == self._lib.EVP_PKEY_RSA: - rsa_cdata = self._lib.EVP_PKEY_get1_RSA(evp_pkey) - self.openssl_assert(rsa_cdata != self._ffi.NULL) - rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) - return _RSAPublicKey(self, rsa_cdata, evp_pkey) - elif key_type == self._lib.EVP_PKEY_DSA: - dsa_cdata = self._lib.EVP_PKEY_get1_DSA(evp_pkey) - self.openssl_assert(dsa_cdata != self._ffi.NULL) - dsa_cdata = self._ffi.gc(dsa_cdata, self._lib.DSA_free) - return _DSAPublicKey(self, dsa_cdata, evp_pkey) - elif key_type == self._lib.EVP_PKEY_EC: - ec_cdata = self._lib.EVP_PKEY_get1_EC_KEY(evp_pkey) - self.openssl_assert(ec_cdata != self._ffi.NULL) - ec_cdata = self._ffi.gc(ec_cdata, self._lib.EC_KEY_free) - return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey) - elif key_type in self._dh_types: - dh_cdata = self._lib.EVP_PKEY_get1_DH(evp_pkey) - self.openssl_assert(dh_cdata != self._ffi.NULL) - dh_cdata = self._ffi.gc(dh_cdata, self._lib.DH_free) - return _DHPublicKey(self, dh_cdata, evp_pkey) - elif key_type == getattr(self._lib, "EVP_PKEY_ED25519", None): - # EVP_PKEY_ED25519 is not present in OpenSSL < 1.1.1 - return _Ed25519PublicKey(self, evp_pkey) - elif key_type == getattr(self._lib, "EVP_PKEY_X448", None): - # EVP_PKEY_X448 is not present in OpenSSL < 1.1.1 - return _X448PublicKey(self, evp_pkey) - elif key_type == getattr(self._lib, "EVP_PKEY_X25519", None): - # EVP_PKEY_X25519 is not present in OpenSSL < 1.1.0 - return _X25519PublicKey(self, evp_pkey) - elif key_type == getattr(self._lib, "EVP_PKEY_ED448", None): - # EVP_PKEY_X25519 is not present in OpenSSL < 1.1.1 - return _Ed448PublicKey(self, evp_pkey) - else: - raise UnsupportedAlgorithm("Unsupported key type.") - - def _oaep_hash_supported(self, algorithm): - if self._lib.Cryptography_HAS_RSA_OAEP_MD: - return isinstance( - algorithm, ( - hashes.SHA1, - hashes.SHA224, - hashes.SHA256, - hashes.SHA384, - hashes.SHA512, - ) - ) - else: - return isinstance(algorithm, hashes.SHA1) - - def rsa_padding_supported(self, padding): - if isinstance(padding, PKCS1v15): - return True - elif isinstance(padding, PSS) and isinstance(padding._mgf, MGF1): - return self.hash_supported(padding._mgf._algorithm) - elif isinstance(padding, OAEP) and isinstance(padding._mgf, MGF1): - return ( - self._oaep_hash_supported(padding._mgf._algorithm) and - self._oaep_hash_supported(padding._algorithm) and - ( - (padding._label is None or len(padding._label) == 0) or - self._lib.Cryptography_HAS_RSA_OAEP_LABEL == 1 - ) - ) - else: - return False - - def generate_dsa_parameters(self, key_size): - if key_size not in (1024, 2048, 3072): - raise ValueError("Key size must be 1024 or 2048 or 3072 bits.") - - ctx = self._lib.DSA_new() - self.openssl_assert(ctx != self._ffi.NULL) - ctx = self._ffi.gc(ctx, self._lib.DSA_free) - - res = self._lib.DSA_generate_parameters_ex( - ctx, key_size, self._ffi.NULL, 0, - self._ffi.NULL, self._ffi.NULL, self._ffi.NULL - ) - - self.openssl_assert(res == 1) - - return _DSAParameters(self, ctx) - - def generate_dsa_private_key(self, parameters): - ctx = self._lib.DSAparams_dup(parameters._dsa_cdata) - self.openssl_assert(ctx != self._ffi.NULL) - ctx = self._ffi.gc(ctx, self._lib.DSA_free) - self._lib.DSA_generate_key(ctx) - evp_pkey = self._dsa_cdata_to_evp_pkey(ctx) - - return _DSAPrivateKey(self, ctx, evp_pkey) - - def generate_dsa_private_key_and_parameters(self, key_size): - parameters = self.generate_dsa_parameters(key_size) - return self.generate_dsa_private_key(parameters) - - def _dsa_cdata_set_values(self, dsa_cdata, p, q, g, pub_key, priv_key): - res = self._lib.DSA_set0_pqg(dsa_cdata, p, q, g) - self.openssl_assert(res == 1) - res = self._lib.DSA_set0_key(dsa_cdata, pub_key, priv_key) - self.openssl_assert(res == 1) - - def load_dsa_private_numbers(self, numbers): - dsa._check_dsa_private_numbers(numbers) - parameter_numbers = numbers.public_numbers.parameter_numbers - - dsa_cdata = self._lib.DSA_new() - self.openssl_assert(dsa_cdata != self._ffi.NULL) - dsa_cdata = self._ffi.gc(dsa_cdata, self._lib.DSA_free) - - p = self._int_to_bn(parameter_numbers.p) - q = self._int_to_bn(parameter_numbers.q) - g = self._int_to_bn(parameter_numbers.g) - pub_key = self._int_to_bn(numbers.public_numbers.y) - priv_key = self._int_to_bn(numbers.x) - self._dsa_cdata_set_values(dsa_cdata, p, q, g, pub_key, priv_key) - - evp_pkey = self._dsa_cdata_to_evp_pkey(dsa_cdata) - - return _DSAPrivateKey(self, dsa_cdata, evp_pkey) - - def load_dsa_public_numbers(self, numbers): - dsa._check_dsa_parameters(numbers.parameter_numbers) - dsa_cdata = self._lib.DSA_new() - self.openssl_assert(dsa_cdata != self._ffi.NULL) - dsa_cdata = self._ffi.gc(dsa_cdata, self._lib.DSA_free) - - p = self._int_to_bn(numbers.parameter_numbers.p) - q = self._int_to_bn(numbers.parameter_numbers.q) - g = self._int_to_bn(numbers.parameter_numbers.g) - pub_key = self._int_to_bn(numbers.y) - priv_key = self._ffi.NULL - self._dsa_cdata_set_values(dsa_cdata, p, q, g, pub_key, priv_key) - - evp_pkey = self._dsa_cdata_to_evp_pkey(dsa_cdata) - - return _DSAPublicKey(self, dsa_cdata, evp_pkey) - - def load_dsa_parameter_numbers(self, numbers): - dsa._check_dsa_parameters(numbers) - dsa_cdata = self._lib.DSA_new() - self.openssl_assert(dsa_cdata != self._ffi.NULL) - dsa_cdata = self._ffi.gc(dsa_cdata, self._lib.DSA_free) - - p = self._int_to_bn(numbers.p) - q = self._int_to_bn(numbers.q) - g = self._int_to_bn(numbers.g) - res = self._lib.DSA_set0_pqg(dsa_cdata, p, q, g) - self.openssl_assert(res == 1) - - return _DSAParameters(self, dsa_cdata) - - def _dsa_cdata_to_evp_pkey(self, dsa_cdata): - evp_pkey = self._create_evp_pkey_gc() - res = self._lib.EVP_PKEY_set1_DSA(evp_pkey, dsa_cdata) - self.openssl_assert(res == 1) - return evp_pkey - - def dsa_hash_supported(self, algorithm): - return self.hash_supported(algorithm) - - def dsa_parameters_supported(self, p, q, g): - return True - - def cmac_algorithm_supported(self, algorithm): - return self.cipher_supported( - algorithm, CBC(b"\x00" * algorithm.block_size) - ) - - def create_cmac_ctx(self, algorithm): - return _CMACContext(self, algorithm) - - def create_x509_csr(self, builder, private_key, algorithm): - if not isinstance(algorithm, hashes.HashAlgorithm): - raise TypeError('Algorithm must be a registered hash algorithm.') - - if ( - isinstance(algorithm, hashes.MD5) and not - isinstance(private_key, rsa.RSAPrivateKey) - ): - raise ValueError( - "MD5 is not a supported hash algorithm for EC/DSA CSRs" - ) - - # Resolve the signature algorithm. - evp_md = self._evp_md_non_null_from_algorithm(algorithm) - - # Create an empty request. - x509_req = self._lib.X509_REQ_new() - self.openssl_assert(x509_req != self._ffi.NULL) - x509_req = self._ffi.gc(x509_req, self._lib.X509_REQ_free) - - # Set x509 version. - res = self._lib.X509_REQ_set_version(x509_req, x509.Version.v1.value) - self.openssl_assert(res == 1) - - # Set subject name. - res = self._lib.X509_REQ_set_subject_name( - x509_req, _encode_name_gc(self, builder._subject_name) - ) - self.openssl_assert(res == 1) - - # Set subject public key. - public_key = private_key.public_key() - res = self._lib.X509_REQ_set_pubkey( - x509_req, public_key._evp_pkey - ) - self.openssl_assert(res == 1) - - # Add extensions. - sk_extension = self._lib.sk_X509_EXTENSION_new_null() - self.openssl_assert(sk_extension != self._ffi.NULL) - sk_extension = self._ffi.gc( - sk_extension, - lambda x: self._lib.sk_X509_EXTENSION_pop_free( - x, self._ffi.addressof( - self._lib._original_lib, "X509_EXTENSION_free" - ) - ) - ) - # Don't GC individual extensions because the memory is owned by - # sk_extensions and will be freed along with it. - self._create_x509_extensions( - extensions=builder._extensions, - handlers=_EXTENSION_ENCODE_HANDLERS, - x509_obj=sk_extension, - add_func=self._lib.sk_X509_EXTENSION_insert, - gc=False - ) - res = self._lib.X509_REQ_add_extensions(x509_req, sk_extension) - self.openssl_assert(res == 1) - - # Sign the request using the requester's private key. - res = self._lib.X509_REQ_sign( - x509_req, private_key._evp_pkey, evp_md - ) - if res == 0: - errors = self._consume_errors() - self.openssl_assert( - errors[0]._lib_reason_match( - self._lib.ERR_LIB_RSA, - self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY - ) - ) - - raise ValueError("Digest too big for RSA key") - - return _CertificateSigningRequest(self, x509_req) - - def create_x509_certificate(self, builder, private_key, algorithm): - if not isinstance(builder, x509.CertificateBuilder): - raise TypeError('Builder type mismatch.') - if not isinstance(algorithm, hashes.HashAlgorithm): - raise TypeError('Algorithm must be a registered hash algorithm.') - - if ( - isinstance(algorithm, hashes.MD5) and not - isinstance(private_key, rsa.RSAPrivateKey) - ): - raise ValueError( - "MD5 is not a supported hash algorithm for EC/DSA certificates" - ) - - # Resolve the signature algorithm. - evp_md = self._evp_md_non_null_from_algorithm(algorithm) - - # Create an empty certificate. - x509_cert = self._lib.X509_new() - x509_cert = self._ffi.gc(x509_cert, backend._lib.X509_free) - - # Set the x509 version. - res = self._lib.X509_set_version(x509_cert, builder._version.value) - self.openssl_assert(res == 1) - - # Set the subject's name. - res = self._lib.X509_set_subject_name( - x509_cert, _encode_name_gc(self, builder._subject_name) - ) - self.openssl_assert(res == 1) - - # Set the subject's public key. - res = self._lib.X509_set_pubkey( - x509_cert, builder._public_key._evp_pkey - ) - self.openssl_assert(res == 1) - - # Set the certificate serial number. - serial_number = _encode_asn1_int_gc(self, builder._serial_number) - res = self._lib.X509_set_serialNumber(x509_cert, serial_number) - self.openssl_assert(res == 1) - - # Set the "not before" time. - self._set_asn1_time( - self._lib.X509_get_notBefore(x509_cert), builder._not_valid_before - ) - - # Set the "not after" time. - self._set_asn1_time( - self._lib.X509_get_notAfter(x509_cert), builder._not_valid_after - ) - - # Add extensions. - self._create_x509_extensions( - extensions=builder._extensions, - handlers=_EXTENSION_ENCODE_HANDLERS, - x509_obj=x509_cert, - add_func=self._lib.X509_add_ext, - gc=True - ) - - # Set the issuer name. - res = self._lib.X509_set_issuer_name( - x509_cert, _encode_name_gc(self, builder._issuer_name) - ) - self.openssl_assert(res == 1) - - # Sign the certificate with the issuer's private key. - res = self._lib.X509_sign( - x509_cert, private_key._evp_pkey, evp_md - ) - if res == 0: - errors = self._consume_errors() - self.openssl_assert( - errors[0]._lib_reason_match( - self._lib.ERR_LIB_RSA, - self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY - ) - ) - raise ValueError("Digest too big for RSA key") - - return _Certificate(self, x509_cert) - - def _set_asn1_time(self, asn1_time, time): - if time.year >= 2050: - asn1_str = time.strftime('%Y%m%d%H%M%SZ').encode('ascii') - else: - asn1_str = time.strftime('%y%m%d%H%M%SZ').encode('ascii') - res = self._lib.ASN1_TIME_set_string(asn1_time, asn1_str) - self.openssl_assert(res == 1) - - def _create_asn1_time(self, time): - asn1_time = self._lib.ASN1_TIME_new() - self.openssl_assert(asn1_time != self._ffi.NULL) - asn1_time = self._ffi.gc(asn1_time, self._lib.ASN1_TIME_free) - self._set_asn1_time(asn1_time, time) - return asn1_time - - def create_x509_crl(self, builder, private_key, algorithm): - if not isinstance(builder, x509.CertificateRevocationListBuilder): - raise TypeError('Builder type mismatch.') - if not isinstance(algorithm, hashes.HashAlgorithm): - raise TypeError('Algorithm must be a registered hash algorithm.') - - if ( - isinstance(algorithm, hashes.MD5) and not - isinstance(private_key, rsa.RSAPrivateKey) - ): - raise ValueError( - "MD5 is not a supported hash algorithm for EC/DSA CRLs" - ) - - evp_md = self._evp_md_non_null_from_algorithm(algorithm) - - # Create an empty CRL. - x509_crl = self._lib.X509_CRL_new() - x509_crl = self._ffi.gc(x509_crl, backend._lib.X509_CRL_free) - - # Set the x509 CRL version. We only support v2 (integer value 1). - res = self._lib.X509_CRL_set_version(x509_crl, 1) - self.openssl_assert(res == 1) - - # Set the issuer name. - res = self._lib.X509_CRL_set_issuer_name( - x509_crl, _encode_name_gc(self, builder._issuer_name) - ) - self.openssl_assert(res == 1) - - # Set the last update time. - last_update = self._create_asn1_time(builder._last_update) - res = self._lib.X509_CRL_set_lastUpdate(x509_crl, last_update) - self.openssl_assert(res == 1) - - # Set the next update time. - next_update = self._create_asn1_time(builder._next_update) - res = self._lib.X509_CRL_set_nextUpdate(x509_crl, next_update) - self.openssl_assert(res == 1) - - # Add extensions. - self._create_x509_extensions( - extensions=builder._extensions, - handlers=_CRL_EXTENSION_ENCODE_HANDLERS, - x509_obj=x509_crl, - add_func=self._lib.X509_CRL_add_ext, - gc=True - ) - - # add revoked certificates - for revoked_cert in builder._revoked_certificates: - # Duplicating because the X509_CRL takes ownership and will free - # this memory when X509_CRL_free is called. - revoked = self._lib.Cryptography_X509_REVOKED_dup( - revoked_cert._x509_revoked - ) - self.openssl_assert(revoked != self._ffi.NULL) - res = self._lib.X509_CRL_add0_revoked(x509_crl, revoked) - self.openssl_assert(res == 1) - - res = self._lib.X509_CRL_sign( - x509_crl, private_key._evp_pkey, evp_md - ) - if res == 0: - errors = self._consume_errors() - self.openssl_assert( - errors[0]._lib_reason_match( - self._lib.ERR_LIB_RSA, - self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY - ) - ) - raise ValueError("Digest too big for RSA key") - - return _CertificateRevocationList(self, x509_crl) - - def _create_x509_extensions(self, extensions, handlers, x509_obj, - add_func, gc): - for i, extension in enumerate(extensions): - x509_extension = self._create_x509_extension( - handlers, extension - ) - self.openssl_assert(x509_extension != self._ffi.NULL) - - if gc: - x509_extension = self._ffi.gc( - x509_extension, self._lib.X509_EXTENSION_free - ) - res = add_func(x509_obj, x509_extension, i) - self.openssl_assert(res >= 1) - - def _create_raw_x509_extension(self, extension, value): - obj = _txt2obj_gc(self, extension.oid.dotted_string) - return self._lib.X509_EXTENSION_create_by_OBJ( - self._ffi.NULL, obj, 1 if extension.critical else 0, value - ) - - def _create_x509_extension(self, handlers, extension): - if isinstance(extension.value, x509.UnrecognizedExtension): - value = _encode_asn1_str_gc(self, extension.value.value) - return self._create_raw_x509_extension(extension, value) - elif isinstance(extension.value, x509.TLSFeature): - asn1 = _Integers([x.value for x in extension.value]).dump() - value = _encode_asn1_str_gc(self, asn1) - return self._create_raw_x509_extension(extension, value) - elif isinstance(extension.value, x509.PrecertPoison): - asn1 = asn1crypto.core.Null().dump() - value = _encode_asn1_str_gc(self, asn1) - return self._create_raw_x509_extension(extension, value) - else: - try: - encode = handlers[extension.oid] - except KeyError: - raise NotImplementedError( - 'Extension not supported: {}'.format(extension.oid) - ) - - ext_struct = encode(self, extension.value) - nid = self._lib.OBJ_txt2nid( - extension.oid.dotted_string.encode("ascii") - ) - backend.openssl_assert(nid != self._lib.NID_undef) - return self._lib.X509V3_EXT_i2d( - nid, 1 if extension.critical else 0, ext_struct - ) - - def create_x509_revoked_certificate(self, builder): - if not isinstance(builder, x509.RevokedCertificateBuilder): - raise TypeError('Builder type mismatch.') - - x509_revoked = self._lib.X509_REVOKED_new() - self.openssl_assert(x509_revoked != self._ffi.NULL) - x509_revoked = self._ffi.gc(x509_revoked, self._lib.X509_REVOKED_free) - serial_number = _encode_asn1_int_gc(self, builder._serial_number) - res = self._lib.X509_REVOKED_set_serialNumber( - x509_revoked, serial_number - ) - self.openssl_assert(res == 1) - rev_date = self._create_asn1_time(builder._revocation_date) - res = self._lib.X509_REVOKED_set_revocationDate(x509_revoked, rev_date) - self.openssl_assert(res == 1) - # add CRL entry extensions - self._create_x509_extensions( - extensions=builder._extensions, - handlers=_CRL_ENTRY_EXTENSION_ENCODE_HANDLERS, - x509_obj=x509_revoked, - add_func=self._lib.X509_REVOKED_add_ext, - gc=True - ) - return _RevokedCertificate(self, None, x509_revoked) - - def load_pem_private_key(self, data, password): - return self._load_key( - self._lib.PEM_read_bio_PrivateKey, - self._evp_pkey_to_private_key, - data, - password, - ) - - def load_pem_public_key(self, data): - mem_bio = self._bytes_to_bio(data) - evp_pkey = self._lib.PEM_read_bio_PUBKEY( - mem_bio.bio, self._ffi.NULL, self._ffi.NULL, self._ffi.NULL - ) - if evp_pkey != self._ffi.NULL: - evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - return self._evp_pkey_to_public_key(evp_pkey) - else: - # It's not a (RSA/DSA/ECDSA) subjectPublicKeyInfo, but we still - # need to check to see if it is a pure PKCS1 RSA public key (not - # embedded in a subjectPublicKeyInfo) - self._consume_errors() - res = self._lib.BIO_reset(mem_bio.bio) - self.openssl_assert(res == 1) - rsa_cdata = self._lib.PEM_read_bio_RSAPublicKey( - mem_bio.bio, self._ffi.NULL, self._ffi.NULL, self._ffi.NULL - ) - if rsa_cdata != self._ffi.NULL: - rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) - evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata) - return _RSAPublicKey(self, rsa_cdata, evp_pkey) - else: - self._handle_key_loading_error() - - def load_pem_parameters(self, data): - mem_bio = self._bytes_to_bio(data) - # only DH is supported currently - dh_cdata = self._lib.PEM_read_bio_DHparams( - mem_bio.bio, self._ffi.NULL, self._ffi.NULL, self._ffi.NULL) - if dh_cdata != self._ffi.NULL: - dh_cdata = self._ffi.gc(dh_cdata, self._lib.DH_free) - return _DHParameters(self, dh_cdata) - else: - self._handle_key_loading_error() - - def load_der_private_key(self, data, password): - # OpenSSL has a function called d2i_AutoPrivateKey that in theory - # handles this automatically, however it doesn't handle encrypted - # private keys. Instead we try to load the key two different ways. - # First we'll try to load it as a traditional key. - bio_data = self._bytes_to_bio(data) - key = self._evp_pkey_from_der_traditional_key(bio_data, password) - if key: - return self._evp_pkey_to_private_key(key) - else: - # Finally we try to load it with the method that handles encrypted - # PKCS8 properly. - return self._load_key( - self._lib.d2i_PKCS8PrivateKey_bio, - self._evp_pkey_to_private_key, - data, - password, - ) - - def _evp_pkey_from_der_traditional_key(self, bio_data, password): - key = self._lib.d2i_PrivateKey_bio(bio_data.bio, self._ffi.NULL) - if key != self._ffi.NULL: - key = self._ffi.gc(key, self._lib.EVP_PKEY_free) - if password is not None: - raise TypeError( - "Password was given but private key is not encrypted." - ) - - return key - else: - self._consume_errors() - return None - - def load_der_public_key(self, data): - mem_bio = self._bytes_to_bio(data) - evp_pkey = self._lib.d2i_PUBKEY_bio(mem_bio.bio, self._ffi.NULL) - if evp_pkey != self._ffi.NULL: - evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - return self._evp_pkey_to_public_key(evp_pkey) - else: - # It's not a (RSA/DSA/ECDSA) subjectPublicKeyInfo, but we still - # need to check to see if it is a pure PKCS1 RSA public key (not - # embedded in a subjectPublicKeyInfo) - self._consume_errors() - res = self._lib.BIO_reset(mem_bio.bio) - self.openssl_assert(res == 1) - rsa_cdata = self._lib.d2i_RSAPublicKey_bio( - mem_bio.bio, self._ffi.NULL - ) - if rsa_cdata != self._ffi.NULL: - rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) - evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata) - return _RSAPublicKey(self, rsa_cdata, evp_pkey) - else: - self._handle_key_loading_error() - - def load_der_parameters(self, data): - mem_bio = self._bytes_to_bio(data) - dh_cdata = self._lib.d2i_DHparams_bio( - mem_bio.bio, self._ffi.NULL - ) - if dh_cdata != self._ffi.NULL: - dh_cdata = self._ffi.gc(dh_cdata, self._lib.DH_free) - return _DHParameters(self, dh_cdata) - elif self._lib.Cryptography_HAS_EVP_PKEY_DHX: - # We check to see if the is dhx. - self._consume_errors() - res = self._lib.BIO_reset(mem_bio.bio) - self.openssl_assert(res == 1) - dh_cdata = self._lib.Cryptography_d2i_DHxparams_bio( - mem_bio.bio, self._ffi.NULL - ) - if dh_cdata != self._ffi.NULL: - dh_cdata = self._ffi.gc(dh_cdata, self._lib.DH_free) - return _DHParameters(self, dh_cdata) - - self._handle_key_loading_error() - - def load_pem_x509_certificate(self, data): - mem_bio = self._bytes_to_bio(data) - x509 = self._lib.PEM_read_bio_X509( - mem_bio.bio, self._ffi.NULL, self._ffi.NULL, self._ffi.NULL - ) - if x509 == self._ffi.NULL: - self._consume_errors() - raise ValueError( - "Unable to load certificate. See https://cryptography.io/en/la" - "test/faq/#why-can-t-i-import-my-pem-file for more details." - ) - - x509 = self._ffi.gc(x509, self._lib.X509_free) - return _Certificate(self, x509) - - def load_der_x509_certificate(self, data): - mem_bio = self._bytes_to_bio(data) - x509 = self._lib.d2i_X509_bio(mem_bio.bio, self._ffi.NULL) - if x509 == self._ffi.NULL: - self._consume_errors() - raise ValueError("Unable to load certificate") - - x509 = self._ffi.gc(x509, self._lib.X509_free) - return _Certificate(self, x509) - - def load_pem_x509_crl(self, data): - mem_bio = self._bytes_to_bio(data) - x509_crl = self._lib.PEM_read_bio_X509_CRL( - mem_bio.bio, self._ffi.NULL, self._ffi.NULL, self._ffi.NULL - ) - if x509_crl == self._ffi.NULL: - self._consume_errors() - raise ValueError( - "Unable to load CRL. See https://cryptography.io/en/la" - "test/faq/#why-can-t-i-import-my-pem-file for more details." - ) - - x509_crl = self._ffi.gc(x509_crl, self._lib.X509_CRL_free) - return _CertificateRevocationList(self, x509_crl) - - def load_der_x509_crl(self, data): - mem_bio = self._bytes_to_bio(data) - x509_crl = self._lib.d2i_X509_CRL_bio(mem_bio.bio, self._ffi.NULL) - if x509_crl == self._ffi.NULL: - self._consume_errors() - raise ValueError("Unable to load CRL") - - x509_crl = self._ffi.gc(x509_crl, self._lib.X509_CRL_free) - return _CertificateRevocationList(self, x509_crl) - - def load_pem_x509_csr(self, data): - mem_bio = self._bytes_to_bio(data) - x509_req = self._lib.PEM_read_bio_X509_REQ( - mem_bio.bio, self._ffi.NULL, self._ffi.NULL, self._ffi.NULL - ) - if x509_req == self._ffi.NULL: - self._consume_errors() - raise ValueError( - "Unable to load request. See https://cryptography.io/en/la" - "test/faq/#why-can-t-i-import-my-pem-file for more details." - ) - - x509_req = self._ffi.gc(x509_req, self._lib.X509_REQ_free) - return _CertificateSigningRequest(self, x509_req) - - def load_der_x509_csr(self, data): - mem_bio = self._bytes_to_bio(data) - x509_req = self._lib.d2i_X509_REQ_bio(mem_bio.bio, self._ffi.NULL) - if x509_req == self._ffi.NULL: - self._consume_errors() - raise ValueError("Unable to load request") - - x509_req = self._ffi.gc(x509_req, self._lib.X509_REQ_free) - return _CertificateSigningRequest(self, x509_req) - - def _load_key(self, openssl_read_func, convert_func, data, password): - mem_bio = self._bytes_to_bio(data) - - userdata = self._ffi.new("CRYPTOGRAPHY_PASSWORD_DATA *") - if password is not None: - utils._check_byteslike("password", password) - password_ptr = self._ffi.from_buffer(password) - userdata.password = password_ptr - userdata.length = len(password) - - evp_pkey = openssl_read_func( - mem_bio.bio, - self._ffi.NULL, - self._ffi.addressof( - self._lib._original_lib, "Cryptography_pem_password_cb" - ), - userdata, - ) - - if evp_pkey == self._ffi.NULL: - if userdata.error != 0: - errors = self._consume_errors() - self.openssl_assert(errors) - if userdata.error == -1: - raise TypeError( - "Password was not given but private key is encrypted" - ) - else: - assert userdata.error == -2 - raise ValueError( - "Passwords longer than {} bytes are not supported " - "by this backend.".format(userdata.maxsize - 1) - ) - else: - self._handle_key_loading_error() - - evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - - if password is not None and userdata.called == 0: - raise TypeError( - "Password was given but private key is not encrypted.") - - assert ( - (password is not None and userdata.called == 1) or - password is None - ) - - return convert_func(evp_pkey) - - def _handle_key_loading_error(self): - errors = self._consume_errors() - - if not errors: - raise ValueError("Could not deserialize key data.") - - elif ( - errors[0]._lib_reason_match( - self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT - ) or errors[0]._lib_reason_match( - self._lib.ERR_LIB_PKCS12, - self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR - ) - ): - raise ValueError("Bad decrypt. Incorrect password?") - - elif ( - errors[0]._lib_reason_match( - self._lib.ERR_LIB_EVP, self._lib.EVP_R_UNKNOWN_PBE_ALGORITHM - ) or errors[0]._lib_reason_match( - self._lib.ERR_LIB_PEM, self._lib.PEM_R_UNSUPPORTED_ENCRYPTION - ) - ): - raise UnsupportedAlgorithm( - "PEM data is encrypted with an unsupported cipher", - _Reasons.UNSUPPORTED_CIPHER - ) - - elif any( - error._lib_reason_match( - self._lib.ERR_LIB_EVP, - self._lib.EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM - ) - for error in errors - ): - raise ValueError("Unsupported public key algorithm.") - - else: - assert errors[0].lib in ( - self._lib.ERR_LIB_EVP, - self._lib.ERR_LIB_PEM, - self._lib.ERR_LIB_ASN1, - ) - raise ValueError("Could not deserialize key data.") - - def elliptic_curve_supported(self, curve): - try: - curve_nid = self._elliptic_curve_to_nid(curve) - except UnsupportedAlgorithm: - curve_nid = self._lib.NID_undef - - group = self._lib.EC_GROUP_new_by_curve_name(curve_nid) - - if group == self._ffi.NULL: - errors = self._consume_errors() - self.openssl_assert( - curve_nid == self._lib.NID_undef or - errors[0]._lib_reason_match( - self._lib.ERR_LIB_EC, - self._lib.EC_R_UNKNOWN_GROUP - ) - ) - return False - else: - self.openssl_assert(curve_nid != self._lib.NID_undef) - self._lib.EC_GROUP_free(group) - return True - - def elliptic_curve_signature_algorithm_supported( - self, signature_algorithm, curve - ): - # We only support ECDSA right now. - if not isinstance(signature_algorithm, ec.ECDSA): - return False - - return self.elliptic_curve_supported(curve) - - def generate_elliptic_curve_private_key(self, curve): - """ - Generate a new private key on the named curve. - """ - - if self.elliptic_curve_supported(curve): - ec_cdata = self._ec_key_new_by_curve(curve) - - res = self._lib.EC_KEY_generate_key(ec_cdata) - self.openssl_assert(res == 1) - - evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata) - - return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey) - else: - raise UnsupportedAlgorithm( - "Backend object does not support {}.".format(curve.name), - _Reasons.UNSUPPORTED_ELLIPTIC_CURVE - ) - - def load_elliptic_curve_private_numbers(self, numbers): - public = numbers.public_numbers - - ec_cdata = self._ec_key_new_by_curve(public.curve) - - private_value = self._ffi.gc( - self._int_to_bn(numbers.private_value), self._lib.BN_clear_free - ) - res = self._lib.EC_KEY_set_private_key(ec_cdata, private_value) - self.openssl_assert(res == 1) - - ec_cdata = self._ec_key_set_public_key_affine_coordinates( - ec_cdata, public.x, public.y) - - evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata) - - return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey) - - def load_elliptic_curve_public_numbers(self, numbers): - ec_cdata = self._ec_key_new_by_curve(numbers.curve) - ec_cdata = self._ec_key_set_public_key_affine_coordinates( - ec_cdata, numbers.x, numbers.y) - evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata) - - return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey) - - def load_elliptic_curve_public_bytes(self, curve, point_bytes): - ec_cdata = self._ec_key_new_by_curve(curve) - group = self._lib.EC_KEY_get0_group(ec_cdata) - self.openssl_assert(group != self._ffi.NULL) - point = self._lib.EC_POINT_new(group) - self.openssl_assert(point != self._ffi.NULL) - point = self._ffi.gc(point, self._lib.EC_POINT_free) - with self._tmp_bn_ctx() as bn_ctx: - res = self._lib.EC_POINT_oct2point( - group, point, point_bytes, len(point_bytes), bn_ctx - ) - if res != 1: - self._consume_errors() - raise ValueError("Invalid public bytes for the given curve") - - res = self._lib.EC_KEY_set_public_key(ec_cdata, point) - self.openssl_assert(res == 1) - evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata) - return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey) - - def derive_elliptic_curve_private_key(self, private_value, curve): - ec_cdata = self._ec_key_new_by_curve(curve) - - get_func, group = self._ec_key_determine_group_get_func(ec_cdata) - - point = self._lib.EC_POINT_new(group) - self.openssl_assert(point != self._ffi.NULL) - point = self._ffi.gc(point, self._lib.EC_POINT_free) - - value = self._int_to_bn(private_value) - value = self._ffi.gc(value, self._lib.BN_clear_free) - - with self._tmp_bn_ctx() as bn_ctx: - res = self._lib.EC_POINT_mul(group, point, value, self._ffi.NULL, - self._ffi.NULL, bn_ctx) - self.openssl_assert(res == 1) - - bn_x = self._lib.BN_CTX_get(bn_ctx) - bn_y = self._lib.BN_CTX_get(bn_ctx) - - res = get_func(group, point, bn_x, bn_y, bn_ctx) - self.openssl_assert(res == 1) - - res = self._lib.EC_KEY_set_public_key(ec_cdata, point) - self.openssl_assert(res == 1) - private = self._int_to_bn(private_value) - private = self._ffi.gc(private, self._lib.BN_clear_free) - res = self._lib.EC_KEY_set_private_key(ec_cdata, private) - self.openssl_assert(res == 1) - - evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata) - - return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey) - - def _ec_key_new_by_curve(self, curve): - curve_nid = self._elliptic_curve_to_nid(curve) - ec_cdata = self._lib.EC_KEY_new_by_curve_name(curve_nid) - self.openssl_assert(ec_cdata != self._ffi.NULL) - return self._ffi.gc(ec_cdata, self._lib.EC_KEY_free) - - def load_der_ocsp_request(self, data): - mem_bio = self._bytes_to_bio(data) - request = self._lib.d2i_OCSP_REQUEST_bio(mem_bio.bio, self._ffi.NULL) - if request == self._ffi.NULL: - self._consume_errors() - raise ValueError("Unable to load OCSP request") - - request = self._ffi.gc(request, self._lib.OCSP_REQUEST_free) - return _OCSPRequest(self, request) - - def load_der_ocsp_response(self, data): - mem_bio = self._bytes_to_bio(data) - response = self._lib.d2i_OCSP_RESPONSE_bio(mem_bio.bio, self._ffi.NULL) - if response == self._ffi.NULL: - self._consume_errors() - raise ValueError("Unable to load OCSP response") - - response = self._ffi.gc(response, self._lib.OCSP_RESPONSE_free) - return _OCSPResponse(self, response) - - def create_ocsp_request(self, builder): - ocsp_req = self._lib.OCSP_REQUEST_new() - self.openssl_assert(ocsp_req != self._ffi.NULL) - ocsp_req = self._ffi.gc(ocsp_req, self._lib.OCSP_REQUEST_free) - cert, issuer, algorithm = builder._request - evp_md = self._evp_md_non_null_from_algorithm(algorithm) - certid = self._lib.OCSP_cert_to_id( - evp_md, cert._x509, issuer._x509 - ) - self.openssl_assert(certid != self._ffi.NULL) - onereq = self._lib.OCSP_request_add0_id(ocsp_req, certid) - self.openssl_assert(onereq != self._ffi.NULL) - self._create_x509_extensions( - extensions=builder._extensions, - handlers=_OCSP_REQUEST_EXTENSION_ENCODE_HANDLERS, - x509_obj=ocsp_req, - add_func=self._lib.OCSP_REQUEST_add_ext, - gc=True, - ) - return _OCSPRequest(self, ocsp_req) - - def _create_ocsp_basic_response(self, builder, private_key, algorithm): - basic = self._lib.OCSP_BASICRESP_new() - self.openssl_assert(basic != self._ffi.NULL) - basic = self._ffi.gc(basic, self._lib.OCSP_BASICRESP_free) - evp_md = self._evp_md_non_null_from_algorithm( - builder._response._algorithm - ) - certid = self._lib.OCSP_cert_to_id( - evp_md, builder._response._cert._x509, - builder._response._issuer._x509 - ) - self.openssl_assert(certid != self._ffi.NULL) - certid = self._ffi.gc(certid, self._lib.OCSP_CERTID_free) - if builder._response._revocation_reason is None: - reason = -1 - else: - reason = _CRL_ENTRY_REASON_ENUM_TO_CODE[ - builder._response._revocation_reason - ] - if builder._response._revocation_time is None: - rev_time = self._ffi.NULL - else: - rev_time = self._create_asn1_time( - builder._response._revocation_time - ) - - next_update = self._ffi.NULL - if builder._response._next_update is not None: - next_update = self._create_asn1_time( - builder._response._next_update - ) - - this_update = self._create_asn1_time(builder._response._this_update) - - res = self._lib.OCSP_basic_add1_status( - basic, - certid, - builder._response._cert_status.value, - reason, - rev_time, - this_update, - next_update - ) - self.openssl_assert(res != self._ffi.NULL) - # okay, now sign the basic structure - evp_md = self._evp_md_non_null_from_algorithm(algorithm) - responder_cert, responder_encoding = builder._responder_id - flags = self._lib.OCSP_NOCERTS - if responder_encoding is ocsp.OCSPResponderEncoding.HASH: - flags |= self._lib.OCSP_RESPID_KEY - - if builder._certs is not None: - for cert in builder._certs: - res = self._lib.OCSP_basic_add1_cert(basic, cert._x509) - self.openssl_assert(res == 1) - - self._create_x509_extensions( - extensions=builder._extensions, - handlers=_OCSP_BASICRESP_EXTENSION_ENCODE_HANDLERS, - x509_obj=basic, - add_func=self._lib.OCSP_BASICRESP_add_ext, - gc=True, - ) - - res = self._lib.OCSP_basic_sign( - basic, responder_cert._x509, private_key._evp_pkey, - evp_md, self._ffi.NULL, flags - ) - if res != 1: - errors = self._consume_errors() - self.openssl_assert( - errors[0]._lib_reason_match( - self._lib.ERR_LIB_X509, - self._lib.X509_R_KEY_VALUES_MISMATCH - ) - ) - raise ValueError("responder_cert must be signed by private_key") - - return basic - - def create_ocsp_response(self, response_status, builder, private_key, - algorithm): - if response_status is ocsp.OCSPResponseStatus.SUCCESSFUL: - basic = self._create_ocsp_basic_response( - builder, private_key, algorithm - ) - else: - basic = self._ffi.NULL - - ocsp_resp = self._lib.OCSP_response_create( - response_status.value, basic - ) - self.openssl_assert(ocsp_resp != self._ffi.NULL) - ocsp_resp = self._ffi.gc(ocsp_resp, self._lib.OCSP_RESPONSE_free) - return _OCSPResponse(self, ocsp_resp) - - def elliptic_curve_exchange_algorithm_supported(self, algorithm, curve): - return ( - self.elliptic_curve_supported(curve) and - isinstance(algorithm, ec.ECDH) - ) - - def _ec_cdata_to_evp_pkey(self, ec_cdata): - evp_pkey = self._create_evp_pkey_gc() - res = self._lib.EVP_PKEY_set1_EC_KEY(evp_pkey, ec_cdata) - self.openssl_assert(res == 1) - return evp_pkey - - def _elliptic_curve_to_nid(self, curve): - """ - Get the NID for a curve name. - """ - - curve_aliases = { - "secp192r1": "prime192v1", - "secp256r1": "prime256v1" - } - - curve_name = curve_aliases.get(curve.name, curve.name) - - curve_nid = self._lib.OBJ_sn2nid(curve_name.encode()) - if curve_nid == self._lib.NID_undef: - raise UnsupportedAlgorithm( - "{} is not a supported elliptic curve".format(curve.name), - _Reasons.UNSUPPORTED_ELLIPTIC_CURVE - ) - return curve_nid - - @contextmanager - def _tmp_bn_ctx(self): - bn_ctx = self._lib.BN_CTX_new() - self.openssl_assert(bn_ctx != self._ffi.NULL) - bn_ctx = self._ffi.gc(bn_ctx, self._lib.BN_CTX_free) - self._lib.BN_CTX_start(bn_ctx) - try: - yield bn_ctx - finally: - self._lib.BN_CTX_end(bn_ctx) - - def _ec_key_determine_group_get_func(self, ctx): - """ - Given an EC_KEY determine the group and what function is required to - get point coordinates. - """ - self.openssl_assert(ctx != self._ffi.NULL) - - nid_two_field = self._lib.OBJ_sn2nid(b"characteristic-two-field") - self.openssl_assert(nid_two_field != self._lib.NID_undef) - - group = self._lib.EC_KEY_get0_group(ctx) - self.openssl_assert(group != self._ffi.NULL) - - method = self._lib.EC_GROUP_method_of(group) - self.openssl_assert(method != self._ffi.NULL) - - nid = self._lib.EC_METHOD_get_field_type(method) - self.openssl_assert(nid != self._lib.NID_undef) - - if nid == nid_two_field and self._lib.Cryptography_HAS_EC2M: - get_func = self._lib.EC_POINT_get_affine_coordinates_GF2m - else: - get_func = self._lib.EC_POINT_get_affine_coordinates_GFp - - assert get_func - - return get_func, group - - def _ec_key_set_public_key_affine_coordinates(self, ctx, x, y): - """ - Sets the public key point in the EC_KEY context to the affine x and y - values. - """ - - if x < 0 or y < 0: - raise ValueError( - "Invalid EC key. Both x and y must be non-negative." - ) - - x = self._ffi.gc(self._int_to_bn(x), self._lib.BN_free) - y = self._ffi.gc(self._int_to_bn(y), self._lib.BN_free) - res = self._lib.EC_KEY_set_public_key_affine_coordinates(ctx, x, y) - if res != 1: - self._consume_errors() - raise ValueError("Invalid EC key.") - - return ctx - - def _private_key_bytes(self, encoding, format, encryption_algorithm, - evp_pkey, cdata): - if not isinstance(format, serialization.PrivateFormat): - raise TypeError( - "format must be an item from the PrivateFormat enum" - ) - - # X9.62 encoding is only valid for EC public keys - if encoding is serialization.Encoding.X962: - raise ValueError("X9.62 format is only valid for EC public keys") - - # Raw format and encoding are only valid for X25519, Ed25519, X448, and - # Ed448 keys. We capture those cases before this method is called so if - # we see those enum values here it means the caller has passed them to - # a key that doesn't support raw type - if format is serialization.PrivateFormat.Raw: - raise ValueError("raw format is invalid with this key or encoding") - - if encoding is serialization.Encoding.Raw: - raise ValueError("raw encoding is invalid with this key or format") - - if not isinstance(encryption_algorithm, - serialization.KeySerializationEncryption): - raise TypeError( - "Encryption algorithm must be a KeySerializationEncryption " - "instance" - ) - - if isinstance(encryption_algorithm, serialization.NoEncryption): - password = b"" - passlen = 0 - evp_cipher = self._ffi.NULL - elif isinstance(encryption_algorithm, - serialization.BestAvailableEncryption): - # This is a curated value that we will update over time. - evp_cipher = self._lib.EVP_get_cipherbyname( - b"aes-256-cbc" - ) - password = encryption_algorithm.password - passlen = len(password) - if passlen > 1023: - raise ValueError( - "Passwords longer than 1023 bytes are not supported by " - "this backend" - ) - else: - raise ValueError("Unsupported encryption type") - - key_type = self._lib.EVP_PKEY_id(evp_pkey) - if encoding is serialization.Encoding.PEM: - if format is serialization.PrivateFormat.PKCS8: - write_bio = self._lib.PEM_write_bio_PKCS8PrivateKey - key = evp_pkey - else: - assert format is serialization.PrivateFormat.TraditionalOpenSSL - if key_type == self._lib.EVP_PKEY_RSA: - write_bio = self._lib.PEM_write_bio_RSAPrivateKey - elif key_type == self._lib.EVP_PKEY_DSA: - write_bio = self._lib.PEM_write_bio_DSAPrivateKey - else: - assert key_type == self._lib.EVP_PKEY_EC - write_bio = self._lib.PEM_write_bio_ECPrivateKey - - key = cdata - elif encoding is serialization.Encoding.DER: - if format is serialization.PrivateFormat.TraditionalOpenSSL: - if not isinstance( - encryption_algorithm, serialization.NoEncryption - ): - raise ValueError( - "Encryption is not supported for DER encoded " - "traditional OpenSSL keys" - ) - - return self._private_key_bytes_traditional_der(key_type, cdata) - else: - assert format is serialization.PrivateFormat.PKCS8 - write_bio = self._lib.i2d_PKCS8PrivateKey_bio - key = evp_pkey - else: - raise TypeError("encoding must be Encoding.PEM or Encoding.DER") - - bio = self._create_mem_bio_gc() - res = write_bio( - bio, - key, - evp_cipher, - password, - passlen, - self._ffi.NULL, - self._ffi.NULL - ) - self.openssl_assert(res == 1) - return self._read_mem_bio(bio) - - def _private_key_bytes_traditional_der(self, key_type, cdata): - if key_type == self._lib.EVP_PKEY_RSA: - write_bio = self._lib.i2d_RSAPrivateKey_bio - elif key_type == self._lib.EVP_PKEY_EC: - write_bio = self._lib.i2d_ECPrivateKey_bio - else: - self.openssl_assert(key_type == self._lib.EVP_PKEY_DSA) - write_bio = self._lib.i2d_DSAPrivateKey_bio - - bio = self._create_mem_bio_gc() - res = write_bio(bio, cdata) - self.openssl_assert(res == 1) - return self._read_mem_bio(bio) - - def _public_key_bytes(self, encoding, format, key, evp_pkey, cdata): - if not isinstance(encoding, serialization.Encoding): - raise TypeError("encoding must be an item from the Encoding enum") - - # Compressed/UncompressedPoint are only valid for EC keys and those - # cases are handled by the ECPublicKey public_bytes method before this - # method is called - if format in (serialization.PublicFormat.UncompressedPoint, - serialization.PublicFormat.CompressedPoint): - raise ValueError("Point formats are not valid for this key type") - - # Raw format and encoding are only valid for X25519, Ed25519, X448, and - # Ed448 keys. We capture those cases before this method is called so if - # we see those enum values here it means the caller has passed them to - # a key that doesn't support raw type - if format is serialization.PublicFormat.Raw: - raise ValueError("raw format is invalid with this key or encoding") - - if encoding is serialization.Encoding.Raw: - raise ValueError("raw encoding is invalid with this key or format") - - if ( - format is serialization.PublicFormat.OpenSSH or - encoding is serialization.Encoding.OpenSSH - ): - if ( - format is not serialization.PublicFormat.OpenSSH or - encoding is not serialization.Encoding.OpenSSH - ): - raise ValueError( - "OpenSSH format must be used with OpenSSH encoding" - ) - return self._openssh_public_key_bytes(key) - elif format is serialization.PublicFormat.SubjectPublicKeyInfo: - if encoding is serialization.Encoding.PEM: - write_bio = self._lib.PEM_write_bio_PUBKEY - else: - assert encoding is serialization.Encoding.DER - write_bio = self._lib.i2d_PUBKEY_bio - - key = evp_pkey - elif format is serialization.PublicFormat.PKCS1: - # Only RSA is supported here. - assert self._lib.EVP_PKEY_id(evp_pkey) == self._lib.EVP_PKEY_RSA - if encoding is serialization.Encoding.PEM: - write_bio = self._lib.PEM_write_bio_RSAPublicKey - else: - assert encoding is serialization.Encoding.DER - write_bio = self._lib.i2d_RSAPublicKey_bio - - key = cdata - else: - raise TypeError( - "format must be an item from the PublicFormat enum" - ) - - bio = self._create_mem_bio_gc() - res = write_bio(bio, key) - self.openssl_assert(res == 1) - return self._read_mem_bio(bio) - - def _openssh_public_key_bytes(self, key): - if isinstance(key, rsa.RSAPublicKey): - public_numbers = key.public_numbers() - return b"ssh-rsa " + base64.b64encode( - ssh._ssh_write_string(b"ssh-rsa") + - ssh._ssh_write_mpint(public_numbers.e) + - ssh._ssh_write_mpint(public_numbers.n) - ) - elif isinstance(key, dsa.DSAPublicKey): - public_numbers = key.public_numbers() - parameter_numbers = public_numbers.parameter_numbers - return b"ssh-dss " + base64.b64encode( - ssh._ssh_write_string(b"ssh-dss") + - ssh._ssh_write_mpint(parameter_numbers.p) + - ssh._ssh_write_mpint(parameter_numbers.q) + - ssh._ssh_write_mpint(parameter_numbers.g) + - ssh._ssh_write_mpint(public_numbers.y) - ) - elif isinstance(key, ed25519.Ed25519PublicKey): - raw_bytes = key.public_bytes(serialization.Encoding.Raw, - serialization.PublicFormat.Raw) - return b"ssh-ed25519 " + base64.b64encode( - ssh._ssh_write_string(b"ssh-ed25519") + - ssh._ssh_write_string(raw_bytes) - ) - elif isinstance(key, ec.EllipticCurvePublicKey): - public_numbers = key.public_numbers() - try: - curve_name = { - ec.SECP256R1: b"nistp256", - ec.SECP384R1: b"nistp384", - ec.SECP521R1: b"nistp521", - }[type(public_numbers.curve)] - except KeyError: - raise ValueError( - "Only SECP256R1, SECP384R1, and SECP521R1 curves are " - "supported by the SSH public key format" - ) - - point = key.public_bytes( - serialization.Encoding.X962, - serialization.PublicFormat.UncompressedPoint - ) - return b"ecdsa-sha2-" + curve_name + b" " + base64.b64encode( - ssh._ssh_write_string(b"ecdsa-sha2-" + curve_name) + - ssh._ssh_write_string(curve_name) + - ssh._ssh_write_string(point) - ) - else: - raise ValueError( - "OpenSSH encoding is not supported for this key type" - ) - - def _parameter_bytes(self, encoding, format, cdata): - if encoding is serialization.Encoding.OpenSSH: - raise TypeError( - "OpenSSH encoding is not supported" - ) - - # Only DH is supported here currently. - q = self._ffi.new("BIGNUM **") - self._lib.DH_get0_pqg(cdata, - self._ffi.NULL, - q, - self._ffi.NULL) - if encoding is serialization.Encoding.PEM: - if q[0] != self._ffi.NULL: - write_bio = self._lib.PEM_write_bio_DHxparams - else: - write_bio = self._lib.PEM_write_bio_DHparams - elif encoding is serialization.Encoding.DER: - if q[0] != self._ffi.NULL: - write_bio = self._lib.Cryptography_i2d_DHxparams_bio - else: - write_bio = self._lib.i2d_DHparams_bio - else: - raise TypeError("encoding must be an item from the Encoding enum") - - bio = self._create_mem_bio_gc() - res = write_bio(bio, cdata) - self.openssl_assert(res == 1) - return self._read_mem_bio(bio) - - def generate_dh_parameters(self, generator, key_size): - if key_size < 512: - raise ValueError("DH key_size must be at least 512 bits") - - if generator not in (2, 5): - raise ValueError("DH generator must be 2 or 5") - - dh_param_cdata = self._lib.DH_new() - self.openssl_assert(dh_param_cdata != self._ffi.NULL) - dh_param_cdata = self._ffi.gc(dh_param_cdata, self._lib.DH_free) - - res = self._lib.DH_generate_parameters_ex( - dh_param_cdata, - key_size, - generator, - self._ffi.NULL - ) - self.openssl_assert(res == 1) - - return _DHParameters(self, dh_param_cdata) - - def _dh_cdata_to_evp_pkey(self, dh_cdata): - evp_pkey = self._create_evp_pkey_gc() - res = self._lib.EVP_PKEY_set1_DH(evp_pkey, dh_cdata) - self.openssl_assert(res == 1) - return evp_pkey - - def generate_dh_private_key(self, parameters): - dh_key_cdata = _dh_params_dup(parameters._dh_cdata, self) - - res = self._lib.DH_generate_key(dh_key_cdata) - self.openssl_assert(res == 1) - - evp_pkey = self._dh_cdata_to_evp_pkey(dh_key_cdata) - - return _DHPrivateKey(self, dh_key_cdata, evp_pkey) - - def generate_dh_private_key_and_parameters(self, generator, key_size): - return self.generate_dh_private_key( - self.generate_dh_parameters(generator, key_size)) - - def load_dh_private_numbers(self, numbers): - parameter_numbers = numbers.public_numbers.parameter_numbers - - dh_cdata = self._lib.DH_new() - self.openssl_assert(dh_cdata != self._ffi.NULL) - dh_cdata = self._ffi.gc(dh_cdata, self._lib.DH_free) - - p = self._int_to_bn(parameter_numbers.p) - g = self._int_to_bn(parameter_numbers.g) - - if parameter_numbers.q is not None: - q = self._int_to_bn(parameter_numbers.q) - else: - q = self._ffi.NULL - - pub_key = self._int_to_bn(numbers.public_numbers.y) - priv_key = self._int_to_bn(numbers.x) - - res = self._lib.DH_set0_pqg(dh_cdata, p, q, g) - self.openssl_assert(res == 1) - - res = self._lib.DH_set0_key(dh_cdata, pub_key, priv_key) - self.openssl_assert(res == 1) - - codes = self._ffi.new("int[]", 1) - res = self._lib.Cryptography_DH_check(dh_cdata, codes) - self.openssl_assert(res == 1) - - # DH_check will return DH_NOT_SUITABLE_GENERATOR if p % 24 does not - # equal 11 when the generator is 2 (a quadratic nonresidue). - # We want to ignore that error because p % 24 == 23 is also fine. - # Specifically, g is then a quadratic residue. Within the context of - # Diffie-Hellman this means it can only generate half the possible - # values. That sounds bad, but quadratic nonresidues leak a bit of - # the key to the attacker in exchange for having the full key space - # available. See: https://crypto.stackexchange.com/questions/12961 - if codes[0] != 0 and not ( - parameter_numbers.g == 2 and - codes[0] ^ self._lib.DH_NOT_SUITABLE_GENERATOR == 0 - ): - raise ValueError( - "DH private numbers did not pass safety checks." - ) - - evp_pkey = self._dh_cdata_to_evp_pkey(dh_cdata) - - return _DHPrivateKey(self, dh_cdata, evp_pkey) - - def load_dh_public_numbers(self, numbers): - dh_cdata = self._lib.DH_new() - self.openssl_assert(dh_cdata != self._ffi.NULL) - dh_cdata = self._ffi.gc(dh_cdata, self._lib.DH_free) - - parameter_numbers = numbers.parameter_numbers - - p = self._int_to_bn(parameter_numbers.p) - g = self._int_to_bn(parameter_numbers.g) - - if parameter_numbers.q is not None: - q = self._int_to_bn(parameter_numbers.q) - else: - q = self._ffi.NULL - - pub_key = self._int_to_bn(numbers.y) - - res = self._lib.DH_set0_pqg(dh_cdata, p, q, g) - self.openssl_assert(res == 1) - - res = self._lib.DH_set0_key(dh_cdata, pub_key, self._ffi.NULL) - self.openssl_assert(res == 1) - - evp_pkey = self._dh_cdata_to_evp_pkey(dh_cdata) - - return _DHPublicKey(self, dh_cdata, evp_pkey) - - def load_dh_parameter_numbers(self, numbers): - dh_cdata = self._lib.DH_new() - self.openssl_assert(dh_cdata != self._ffi.NULL) - dh_cdata = self._ffi.gc(dh_cdata, self._lib.DH_free) - - p = self._int_to_bn(numbers.p) - g = self._int_to_bn(numbers.g) - - if numbers.q is not None: - q = self._int_to_bn(numbers.q) - else: - q = self._ffi.NULL - - res = self._lib.DH_set0_pqg(dh_cdata, p, q, g) - self.openssl_assert(res == 1) - - return _DHParameters(self, dh_cdata) - - def dh_parameters_supported(self, p, g, q=None): - dh_cdata = self._lib.DH_new() - self.openssl_assert(dh_cdata != self._ffi.NULL) - dh_cdata = self._ffi.gc(dh_cdata, self._lib.DH_free) - - p = self._int_to_bn(p) - g = self._int_to_bn(g) - - if q is not None: - q = self._int_to_bn(q) - else: - q = self._ffi.NULL - - res = self._lib.DH_set0_pqg(dh_cdata, p, q, g) - self.openssl_assert(res == 1) - - codes = self._ffi.new("int[]", 1) - res = self._lib.Cryptography_DH_check(dh_cdata, codes) - self.openssl_assert(res == 1) - - return codes[0] == 0 - - def dh_x942_serialization_supported(self): - return self._lib.Cryptography_HAS_EVP_PKEY_DHX == 1 - - def x509_name_bytes(self, name): - x509_name = _encode_name_gc(self, name) - pp = self._ffi.new("unsigned char **") - res = self._lib.i2d_X509_NAME(x509_name, pp) - self.openssl_assert(pp[0] != self._ffi.NULL) - pp = self._ffi.gc( - pp, lambda pointer: self._lib.OPENSSL_free(pointer[0]) - ) - self.openssl_assert(res > 0) - return self._ffi.buffer(pp[0], res)[:] - - def x25519_load_public_bytes(self, data): - # When we drop support for CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 we can - # switch this to EVP_PKEY_new_raw_public_key - if len(data) != 32: - raise ValueError("An X25519 public key is 32 bytes long") - - evp_pkey = self._create_evp_pkey_gc() - res = self._lib.EVP_PKEY_set_type(evp_pkey, self._lib.NID_X25519) - backend.openssl_assert(res == 1) - res = self._lib.EVP_PKEY_set1_tls_encodedpoint( - evp_pkey, data, len(data) - ) - backend.openssl_assert(res == 1) - return _X25519PublicKey(self, evp_pkey) - - def x25519_load_private_bytes(self, data): - # When we drop support for CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 we can - # switch this to EVP_PKEY_new_raw_private_key and drop the - # zeroed_bytearray garbage. - # OpenSSL only has facilities for loading PKCS8 formatted private - # keys using the algorithm identifiers specified in - # https://tools.ietf.org/html/draft-ietf-curdle-pkix-09. - # This is the standard PKCS8 prefix for a 32 byte X25519 key. - # The form is: - # 0:d=0 hl=2 l= 46 cons: SEQUENCE - # 2:d=1 hl=2 l= 1 prim: INTEGER :00 - # 5:d=1 hl=2 l= 5 cons: SEQUENCE - # 7:d=2 hl=2 l= 3 prim: OBJECT :1.3.101.110 - # 12:d=1 hl=2 l= 34 prim: OCTET STRING (the key) - # Of course there's a bit more complexity. In reality OCTET STRING - # contains an OCTET STRING of length 32! So the last two bytes here - # are \x04\x20, which is an OCTET STRING of length 32. - if len(data) != 32: - raise ValueError("An X25519 private key is 32 bytes long") - - pkcs8_prefix = b'0.\x02\x01\x000\x05\x06\x03+en\x04"\x04 ' - with self._zeroed_bytearray(48) as ba: - ba[0:16] = pkcs8_prefix - ba[16:] = data - bio = self._bytes_to_bio(ba) - evp_pkey = backend._lib.d2i_PrivateKey_bio(bio.bio, self._ffi.NULL) - - self.openssl_assert(evp_pkey != self._ffi.NULL) - evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - self.openssl_assert( - self._lib.EVP_PKEY_id(evp_pkey) == self._lib.EVP_PKEY_X25519 - ) - return _X25519PrivateKey(self, evp_pkey) - - def _evp_pkey_keygen_gc(self, nid): - evp_pkey_ctx = self._lib.EVP_PKEY_CTX_new_id(nid, self._ffi.NULL) - self.openssl_assert(evp_pkey_ctx != self._ffi.NULL) - evp_pkey_ctx = self._ffi.gc(evp_pkey_ctx, self._lib.EVP_PKEY_CTX_free) - res = self._lib.EVP_PKEY_keygen_init(evp_pkey_ctx) - self.openssl_assert(res == 1) - evp_ppkey = self._ffi.new("EVP_PKEY **") - res = self._lib.EVP_PKEY_keygen(evp_pkey_ctx, evp_ppkey) - self.openssl_assert(res == 1) - self.openssl_assert(evp_ppkey[0] != self._ffi.NULL) - evp_pkey = self._ffi.gc(evp_ppkey[0], self._lib.EVP_PKEY_free) - return evp_pkey - - def x25519_generate_key(self): - evp_pkey = self._evp_pkey_keygen_gc(self._lib.NID_X25519) - return _X25519PrivateKey(self, evp_pkey) - - def x25519_supported(self): - return self._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER - - def x448_load_public_bytes(self, data): - if len(data) != 56: - raise ValueError("An X448 public key is 56 bytes long") - - evp_pkey = self._lib.EVP_PKEY_new_raw_public_key( - self._lib.NID_X448, self._ffi.NULL, data, len(data) - ) - self.openssl_assert(evp_pkey != self._ffi.NULL) - evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - return _X448PublicKey(self, evp_pkey) - - def x448_load_private_bytes(self, data): - if len(data) != 56: - raise ValueError("An X448 private key is 56 bytes long") - - data_ptr = self._ffi.from_buffer(data) - evp_pkey = self._lib.EVP_PKEY_new_raw_private_key( - self._lib.NID_X448, self._ffi.NULL, data_ptr, len(data) - ) - self.openssl_assert(evp_pkey != self._ffi.NULL) - evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - return _X448PrivateKey(self, evp_pkey) - - def x448_generate_key(self): - evp_pkey = self._evp_pkey_keygen_gc(self._lib.NID_X448) - return _X448PrivateKey(self, evp_pkey) - - def x448_supported(self): - return not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 - - def ed25519_supported(self): - return not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B - - def ed25519_load_public_bytes(self, data): - utils._check_bytes("data", data) - - if len(data) != ed25519._ED25519_KEY_SIZE: - raise ValueError("An Ed25519 public key is 32 bytes long") - - evp_pkey = self._lib.EVP_PKEY_new_raw_public_key( - self._lib.NID_ED25519, self._ffi.NULL, data, len(data) - ) - self.openssl_assert(evp_pkey != self._ffi.NULL) - evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - - return _Ed25519PublicKey(self, evp_pkey) - - def ed25519_load_private_bytes(self, data): - if len(data) != ed25519._ED25519_KEY_SIZE: - raise ValueError("An Ed25519 private key is 32 bytes long") - - utils._check_byteslike("data", data) - data_ptr = self._ffi.from_buffer(data) - evp_pkey = self._lib.EVP_PKEY_new_raw_private_key( - self._lib.NID_ED25519, self._ffi.NULL, data_ptr, len(data) - ) - self.openssl_assert(evp_pkey != self._ffi.NULL) - evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - - return _Ed25519PrivateKey(self, evp_pkey) - - def ed25519_generate_key(self): - evp_pkey = self._evp_pkey_keygen_gc(self._lib.NID_ED25519) - return _Ed25519PrivateKey(self, evp_pkey) - - def ed448_supported(self): - return not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B - - def ed448_load_public_bytes(self, data): - utils._check_bytes("data", data) - if len(data) != _ED448_KEY_SIZE: - raise ValueError("An Ed448 public key is 57 bytes long") - - evp_pkey = self._lib.EVP_PKEY_new_raw_public_key( - self._lib.NID_ED448, self._ffi.NULL, data, len(data) - ) - self.openssl_assert(evp_pkey != self._ffi.NULL) - evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - - return _Ed448PublicKey(self, evp_pkey) - - def ed448_load_private_bytes(self, data): - utils._check_byteslike("data", data) - if len(data) != _ED448_KEY_SIZE: - raise ValueError("An Ed448 private key is 57 bytes long") - - data_ptr = self._ffi.from_buffer(data) - evp_pkey = self._lib.EVP_PKEY_new_raw_private_key( - self._lib.NID_ED448, self._ffi.NULL, data_ptr, len(data) - ) - self.openssl_assert(evp_pkey != self._ffi.NULL) - evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - - return _Ed448PrivateKey(self, evp_pkey) - - def ed448_generate_key(self): - evp_pkey = self._evp_pkey_keygen_gc(self._lib.NID_ED448) - return _Ed448PrivateKey(self, evp_pkey) - - def derive_scrypt(self, key_material, salt, length, n, r, p): - buf = self._ffi.new("unsigned char[]", length) - key_material_ptr = self._ffi.from_buffer(key_material) - res = self._lib.EVP_PBE_scrypt( - key_material_ptr, len(key_material), salt, len(salt), n, r, p, - scrypt._MEM_LIMIT, buf, length - ) - if res != 1: - errors = self._consume_errors() - if not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111: - # This error is only added to the stack in 1.1.1+ - self.openssl_assert( - errors[0]._lib_reason_match( - self._lib.ERR_LIB_EVP, - self._lib.ERR_R_MALLOC_FAILURE - ) or - errors[0]._lib_reason_match( - self._lib.ERR_LIB_EVP, - self._lib.EVP_R_MEMORY_LIMIT_EXCEEDED - ) - ) - - # memory required formula explained here: - # https://blog.filippo.io/the-scrypt-parameters/ - min_memory = 128 * n * r // (1024**2) - raise MemoryError( - "Not enough memory to derive key. These parameters require" - " {} MB of memory.".format(min_memory) - ) - return self._ffi.buffer(buf)[:] - - def aead_cipher_supported(self, cipher): - cipher_name = aead._aead_cipher_name(cipher) - return ( - self._lib.EVP_get_cipherbyname(cipher_name) != self._ffi.NULL - ) - - @contextlib.contextmanager - def _zeroed_bytearray(self, length): - """ - This method creates a bytearray, which we copy data into (hopefully - also from a mutable buffer that can be dynamically erased!), and then - zero when we're done. - """ - ba = bytearray(length) - try: - yield ba - finally: - self._zero_data(ba, length) - - def _zero_data(self, data, length): - # We clear things this way because at the moment we're not - # sure of a better way that can guarantee it overwrites the - # memory of a bytearray and doesn't just replace the underlying char *. - for i in range(length): - data[i] = 0 - - @contextlib.contextmanager - def _zeroed_null_terminated_buf(self, data): - """ - This method takes bytes, which can be a bytestring or a mutable - buffer like a bytearray, and yields a null-terminated version of that - data. This is required because PKCS12_parse doesn't take a length with - its password char * and ffi.from_buffer doesn't provide null - termination. So, to support zeroing the data via bytearray we - need to build this ridiculous construct that copies the memory, but - zeroes it after use. - """ - if data is None: - yield self._ffi.NULL - else: - data_len = len(data) - buf = self._ffi.new("char[]", data_len + 1) - self._ffi.memmove(buf, data, data_len) - try: - yield buf - finally: - # Cast to a uint8_t * so we can assign by integer - self._zero_data(self._ffi.cast("uint8_t *", buf), data_len) - - def load_key_and_certificates_from_pkcs12(self, data, password): - if password is not None: - utils._check_byteslike("password", password) - - bio = self._bytes_to_bio(data) - p12 = self._lib.d2i_PKCS12_bio(bio.bio, self._ffi.NULL) - if p12 == self._ffi.NULL: - self._consume_errors() - raise ValueError("Could not deserialize PKCS12 data") - - p12 = self._ffi.gc(p12, self._lib.PKCS12_free) - evp_pkey_ptr = self._ffi.new("EVP_PKEY **") - x509_ptr = self._ffi.new("X509 **") - sk_x509_ptr = self._ffi.new("Cryptography_STACK_OF_X509 **") - with self._zeroed_null_terminated_buf(password) as password_buf: - res = self._lib.PKCS12_parse( - p12, password_buf, evp_pkey_ptr, x509_ptr, sk_x509_ptr - ) - - if res == 0: - self._consume_errors() - raise ValueError("Invalid password or PKCS12 data") - - cert = None - key = None - additional_certificates = [] - - if evp_pkey_ptr[0] != self._ffi.NULL: - evp_pkey = self._ffi.gc(evp_pkey_ptr[0], self._lib.EVP_PKEY_free) - key = self._evp_pkey_to_private_key(evp_pkey) - - if x509_ptr[0] != self._ffi.NULL: - x509 = self._ffi.gc(x509_ptr[0], self._lib.X509_free) - cert = _Certificate(self, x509) - - if sk_x509_ptr[0] != self._ffi.NULL: - sk_x509 = self._ffi.gc(sk_x509_ptr[0], self._lib.sk_X509_free) - num = self._lib.sk_X509_num(sk_x509_ptr[0]) - for i in range(num): - x509 = self._lib.sk_X509_value(sk_x509, i) - x509 = self._ffi.gc(x509, self._lib.X509_free) - self.openssl_assert(x509 != self._ffi.NULL) - additional_certificates.append(_Certificate(self, x509)) - - return (key, cert, additional_certificates) - - def poly1305_supported(self): - return self._lib.Cryptography_HAS_POLY1305 == 1 - - def create_poly1305_ctx(self, key): - utils._check_byteslike("key", key) - if len(key) != _POLY1305_KEY_SIZE: - raise ValueError("A poly1305 key is 32 bytes long") - - return _Poly1305Context(self, key) - - -class GetCipherByName(object): - def __init__(self, fmt): - self._fmt = fmt - - def __call__(self, backend, cipher, mode): - cipher_name = self._fmt.format(cipher=cipher, mode=mode).lower() - return backend._lib.EVP_get_cipherbyname(cipher_name.encode("ascii")) - - -def _get_xts_cipher(backend, cipher, mode): - cipher_name = "aes-{}-xts".format(cipher.key_size // 2) - return backend._lib.EVP_get_cipherbyname(cipher_name.encode("ascii")) - - -backend = Backend() diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ciphers.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ciphers.py @@ -1,229 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -from cryptography import utils -from cryptography.exceptions import InvalidTag, UnsupportedAlgorithm, _Reasons -from cryptography.hazmat.primitives import ciphers -from cryptography.hazmat.primitives.ciphers import modes - - -@utils.register_interface(ciphers.CipherContext) -@utils.register_interface(ciphers.AEADCipherContext) -@utils.register_interface(ciphers.AEADEncryptionContext) -@utils.register_interface(ciphers.AEADDecryptionContext) -class _CipherContext(object): - _ENCRYPT = 1 - _DECRYPT = 0 - - def __init__(self, backend, cipher, mode, operation): - self._backend = backend - self._cipher = cipher - self._mode = mode - self._operation = operation - self._tag = None - - if isinstance(self._cipher, ciphers.BlockCipherAlgorithm): - self._block_size_bytes = self._cipher.block_size // 8 - else: - self._block_size_bytes = 1 - - ctx = self._backend._lib.EVP_CIPHER_CTX_new() - ctx = self._backend._ffi.gc( - ctx, self._backend._lib.EVP_CIPHER_CTX_free - ) - - registry = self._backend._cipher_registry - try: - adapter = registry[type(cipher), type(mode)] - except KeyError: - raise UnsupportedAlgorithm( - "cipher {} in {} mode is not supported " - "by this backend.".format( - cipher.name, mode.name if mode else mode), - _Reasons.UNSUPPORTED_CIPHER - ) - - evp_cipher = adapter(self._backend, cipher, mode) - if evp_cipher == self._backend._ffi.NULL: - msg = "cipher {0.name} ".format(cipher) - if mode is not None: - msg += "in {0.name} mode ".format(mode) - msg += ( - "is not supported by this backend (Your version of OpenSSL " - "may be too old. Current version: {}.)" - ).format(self._backend.openssl_version_text()) - raise UnsupportedAlgorithm(msg, _Reasons.UNSUPPORTED_CIPHER) - - if isinstance(mode, modes.ModeWithInitializationVector): - iv_nonce = self._backend._ffi.from_buffer( - mode.initialization_vector - ) - elif isinstance(mode, modes.ModeWithTweak): - iv_nonce = self._backend._ffi.from_buffer(mode.tweak) - elif isinstance(mode, modes.ModeWithNonce): - iv_nonce = self._backend._ffi.from_buffer(mode.nonce) - elif isinstance(cipher, modes.ModeWithNonce): - iv_nonce = self._backend._ffi.from_buffer(cipher.nonce) - else: - iv_nonce = self._backend._ffi.NULL - # begin init with cipher and operation type - res = self._backend._lib.EVP_CipherInit_ex(ctx, evp_cipher, - self._backend._ffi.NULL, - self._backend._ffi.NULL, - self._backend._ffi.NULL, - operation) - self._backend.openssl_assert(res != 0) - # set the key length to handle variable key ciphers - res = self._backend._lib.EVP_CIPHER_CTX_set_key_length( - ctx, len(cipher.key) - ) - self._backend.openssl_assert(res != 0) - if isinstance(mode, modes.GCM): - res = self._backend._lib.EVP_CIPHER_CTX_ctrl( - ctx, self._backend._lib.EVP_CTRL_AEAD_SET_IVLEN, - len(iv_nonce), self._backend._ffi.NULL - ) - self._backend.openssl_assert(res != 0) - if mode.tag is not None: - res = self._backend._lib.EVP_CIPHER_CTX_ctrl( - ctx, self._backend._lib.EVP_CTRL_AEAD_SET_TAG, - len(mode.tag), mode.tag - ) - self._backend.openssl_assert(res != 0) - self._tag = mode.tag - elif ( - self._operation == self._DECRYPT and - self._backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and - not self._backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - ): - raise NotImplementedError( - "delayed passing of GCM tag requires OpenSSL >= 1.0.2." - " To use this feature please update OpenSSL" - ) - - # pass key/iv - res = self._backend._lib.EVP_CipherInit_ex( - ctx, - self._backend._ffi.NULL, - self._backend._ffi.NULL, - self._backend._ffi.from_buffer(cipher.key), - iv_nonce, - operation - ) - self._backend.openssl_assert(res != 0) - # We purposely disable padding here as it's handled higher up in the - # API. - self._backend._lib.EVP_CIPHER_CTX_set_padding(ctx, 0) - self._ctx = ctx - - def update(self, data): - buf = bytearray(len(data) + self._block_size_bytes - 1) - n = self.update_into(data, buf) - return bytes(buf[:n]) - - def update_into(self, data, buf): - if len(buf) < (len(data) + self._block_size_bytes - 1): - raise ValueError( - "buffer must be at least {} bytes for this " - "payload".format(len(data) + self._block_size_bytes - 1) - ) - - buf = self._backend._ffi.cast( - "unsigned char *", self._backend._ffi.from_buffer(buf) - ) - outlen = self._backend._ffi.new("int *") - res = self._backend._lib.EVP_CipherUpdate( - self._ctx, buf, outlen, - self._backend._ffi.from_buffer(data), len(data) - ) - self._backend.openssl_assert(res != 0) - return outlen[0] - - def finalize(self): - # OpenSSL 1.0.1 on Ubuntu 12.04 (and possibly other distributions) - # appears to have a bug where you must make at least one call to update - # even if you are only using authenticate_additional_data or the - # GCM tag will be wrong. An (empty) call to update resolves this - # and is harmless for all other versions of OpenSSL. - if isinstance(self._mode, modes.GCM): - self.update(b"") - - if ( - self._operation == self._DECRYPT and - isinstance(self._mode, modes.ModeWithAuthenticationTag) and - self.tag is None - ): - raise ValueError( - "Authentication tag must be provided when decrypting." - ) - - buf = self._backend._ffi.new("unsigned char[]", self._block_size_bytes) - outlen = self._backend._ffi.new("int *") - res = self._backend._lib.EVP_CipherFinal_ex(self._ctx, buf, outlen) - if res == 0: - errors = self._backend._consume_errors() - - if not errors and isinstance(self._mode, modes.GCM): - raise InvalidTag - - self._backend.openssl_assert( - errors[0]._lib_reason_match( - self._backend._lib.ERR_LIB_EVP, - self._backend._lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH - ) - ) - raise ValueError( - "The length of the provided data is not a multiple of " - "the block length." - ) - - if (isinstance(self._mode, modes.GCM) and - self._operation == self._ENCRYPT): - tag_buf = self._backend._ffi.new( - "unsigned char[]", self._block_size_bytes - ) - res = self._backend._lib.EVP_CIPHER_CTX_ctrl( - self._ctx, self._backend._lib.EVP_CTRL_AEAD_GET_TAG, - self._block_size_bytes, tag_buf - ) - self._backend.openssl_assert(res != 0) - self._tag = self._backend._ffi.buffer(tag_buf)[:] - - res = self._backend._lib.EVP_CIPHER_CTX_cleanup(self._ctx) - self._backend.openssl_assert(res == 1) - return self._backend._ffi.buffer(buf)[:outlen[0]] - - def finalize_with_tag(self, tag): - if ( - self._backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and - not self._backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - ): - raise NotImplementedError( - "finalize_with_tag requires OpenSSL >= 1.0.2. To use this " - "method please update OpenSSL" - ) - if len(tag) < self._mode._min_tag_length: - raise ValueError( - "Authentication tag must be {} bytes or longer.".format( - self._mode._min_tag_length) - ) - res = self._backend._lib.EVP_CIPHER_CTX_ctrl( - self._ctx, self._backend._lib.EVP_CTRL_AEAD_SET_TAG, - len(tag), tag - ) - self._backend.openssl_assert(res != 0) - self._tag = tag - return self.finalize() - - def authenticate_additional_data(self, data): - outlen = self._backend._ffi.new("int *") - res = self._backend._lib.EVP_CipherUpdate( - self._ctx, self._backend._ffi.NULL, outlen, - self._backend._ffi.from_buffer(data), len(data) - ) - self._backend.openssl_assert(res != 0) - - tag = utils.read_only_property("_tag") diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/cmac.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/cmac.py @@ -1,81 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - - -from cryptography import utils -from cryptography.exceptions import ( - InvalidSignature, UnsupportedAlgorithm, _Reasons -) -from cryptography.hazmat.primitives import constant_time -from cryptography.hazmat.primitives.ciphers.modes import CBC - - -class _CMACContext(object): - def __init__(self, backend, algorithm, ctx=None): - if not backend.cmac_algorithm_supported(algorithm): - raise UnsupportedAlgorithm("This backend does not support CMAC.", - _Reasons.UNSUPPORTED_CIPHER) - - self._backend = backend - self._key = algorithm.key - self._algorithm = algorithm - self._output_length = algorithm.block_size // 8 - - if ctx is None: - registry = self._backend._cipher_registry - adapter = registry[type(algorithm), CBC] - - evp_cipher = adapter(self._backend, algorithm, CBC) - - ctx = self._backend._lib.CMAC_CTX_new() - - self._backend.openssl_assert(ctx != self._backend._ffi.NULL) - ctx = self._backend._ffi.gc(ctx, self._backend._lib.CMAC_CTX_free) - - key_ptr = self._backend._ffi.from_buffer(self._key) - res = self._backend._lib.CMAC_Init( - ctx, key_ptr, len(self._key), - evp_cipher, self._backend._ffi.NULL - ) - self._backend.openssl_assert(res == 1) - - self._ctx = ctx - - algorithm = utils.read_only_property("_algorithm") - - def update(self, data): - res = self._backend._lib.CMAC_Update(self._ctx, data, len(data)) - self._backend.openssl_assert(res == 1) - - def finalize(self): - buf = self._backend._ffi.new("unsigned char[]", self._output_length) - length = self._backend._ffi.new("size_t *", self._output_length) - res = self._backend._lib.CMAC_Final( - self._ctx, buf, length - ) - self._backend.openssl_assert(res == 1) - - self._ctx = None - - return self._backend._ffi.buffer(buf)[:] - - def copy(self): - copied_ctx = self._backend._lib.CMAC_CTX_new() - copied_ctx = self._backend._ffi.gc( - copied_ctx, self._backend._lib.CMAC_CTX_free - ) - res = self._backend._lib.CMAC_CTX_copy( - copied_ctx, self._ctx - ) - self._backend.openssl_assert(res == 1) - return _CMACContext( - self._backend, self._algorithm, ctx=copied_ctx - ) - - def verify(self, signature): - digest = self.finalize() - if not constant_time.bytes_eq(digest, signature): - raise InvalidSignature("Signature did not match digest.") diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/decode_asn1.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/decode_asn1.py @@ -1,899 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import datetime -import ipaddress - -import asn1crypto.core - -import six - -from cryptography import x509 -from cryptography.x509.extensions import _TLS_FEATURE_TYPE_TO_ENUM -from cryptography.x509.name import _ASN1_TYPE_TO_ENUM -from cryptography.x509.oid import ( - CRLEntryExtensionOID, CertificatePoliciesOID, ExtensionOID, - OCSPExtensionOID, -) - - -class _Integers(asn1crypto.core.SequenceOf): - _child_spec = asn1crypto.core.Integer - - -def _obj2txt(backend, obj): - # Set to 80 on the recommendation of - # https://www.openssl.org/docs/crypto/OBJ_nid2ln.html#return_values - # - # But OIDs longer than this occur in real life (e.g. Active - # Directory makes some very long OIDs). So we need to detect - # and properly handle the case where the default buffer is not - # big enough. - # - buf_len = 80 - buf = backend._ffi.new("char[]", buf_len) - - # 'res' is the number of bytes that *would* be written if the - # buffer is large enough. If 'res' > buf_len - 1, we need to - # alloc a big-enough buffer and go again. - res = backend._lib.OBJ_obj2txt(buf, buf_len, obj, 1) - if res > buf_len - 1: # account for terminating null byte - buf_len = res + 1 - buf = backend._ffi.new("char[]", buf_len) - res = backend._lib.OBJ_obj2txt(buf, buf_len, obj, 1) - backend.openssl_assert(res > 0) - return backend._ffi.buffer(buf, res)[:].decode() - - -def _decode_x509_name_entry(backend, x509_name_entry): - obj = backend._lib.X509_NAME_ENTRY_get_object(x509_name_entry) - backend.openssl_assert(obj != backend._ffi.NULL) - data = backend._lib.X509_NAME_ENTRY_get_data(x509_name_entry) - backend.openssl_assert(data != backend._ffi.NULL) - value = _asn1_string_to_utf8(backend, data) - oid = _obj2txt(backend, obj) - type = _ASN1_TYPE_TO_ENUM[data.type] - - return x509.NameAttribute(x509.ObjectIdentifier(oid), value, type) - - -def _decode_x509_name(backend, x509_name): - count = backend._lib.X509_NAME_entry_count(x509_name) - attributes = [] - prev_set_id = -1 - for x in range(count): - entry = backend._lib.X509_NAME_get_entry(x509_name, x) - attribute = _decode_x509_name_entry(backend, entry) - set_id = backend._lib.Cryptography_X509_NAME_ENTRY_set(entry) - if set_id != prev_set_id: - attributes.append(set([attribute])) - else: - # is in the same RDN a previous entry - attributes[-1].add(attribute) - prev_set_id = set_id - - return x509.Name(x509.RelativeDistinguishedName(rdn) for rdn in attributes) - - -def _decode_general_names(backend, gns): - num = backend._lib.sk_GENERAL_NAME_num(gns) - names = [] - for i in range(num): - gn = backend._lib.sk_GENERAL_NAME_value(gns, i) - backend.openssl_assert(gn != backend._ffi.NULL) - names.append(_decode_general_name(backend, gn)) - - return names - - -def _decode_general_name(backend, gn): - if gn.type == backend._lib.GEN_DNS: - # Convert to bytes and then decode to utf8. We don't use - # asn1_string_to_utf8 here because it doesn't properly convert - # utf8 from ia5strings. - data = _asn1_string_to_bytes(backend, gn.d.dNSName).decode("utf8") - # We don't use the constructor for DNSName so we can bypass validation - # This allows us to create DNSName objects that have unicode chars - # when a certificate (against the RFC) contains them. - return x509.DNSName._init_without_validation(data) - elif gn.type == backend._lib.GEN_URI: - # Convert to bytes and then decode to utf8. We don't use - # asn1_string_to_utf8 here because it doesn't properly convert - # utf8 from ia5strings. - data = _asn1_string_to_bytes( - backend, gn.d.uniformResourceIdentifier - ).decode("utf8") - # We don't use the constructor for URI so we can bypass validation - # This allows us to create URI objects that have unicode chars - # when a certificate (against the RFC) contains them. - return x509.UniformResourceIdentifier._init_without_validation(data) - elif gn.type == backend._lib.GEN_RID: - oid = _obj2txt(backend, gn.d.registeredID) - return x509.RegisteredID(x509.ObjectIdentifier(oid)) - elif gn.type == backend._lib.GEN_IPADD: - data = _asn1_string_to_bytes(backend, gn.d.iPAddress) - data_len = len(data) - if data_len == 8 or data_len == 32: - # This is an IPv4 or IPv6 Network and not a single IP. This - # type of data appears in Name Constraints. Unfortunately, - # ipaddress doesn't support packed bytes + netmask. Additionally, - # IPv6Network can only handle CIDR rather than the full 16 byte - # netmask. To handle this we convert the netmask to integer, then - # find the first 0 bit, which will be the prefix. If another 1 - # bit is present after that the netmask is invalid. - base = ipaddress.ip_address(data[:data_len // 2]) - netmask = ipaddress.ip_address(data[data_len // 2:]) - bits = bin(int(netmask))[2:] - prefix = bits.find('0') - # If no 0 bits are found it is a /32 or /128 - if prefix == -1: - prefix = len(bits) - - if "1" in bits[prefix:]: - raise ValueError("Invalid netmask") - - ip = ipaddress.ip_network(base.exploded + u"/{}".format(prefix)) - else: - ip = ipaddress.ip_address(data) - - return x509.IPAddress(ip) - elif gn.type == backend._lib.GEN_DIRNAME: - return x509.DirectoryName( - _decode_x509_name(backend, gn.d.directoryName) - ) - elif gn.type == backend._lib.GEN_EMAIL: - # Convert to bytes and then decode to utf8. We don't use - # asn1_string_to_utf8 here because it doesn't properly convert - # utf8 from ia5strings. - data = _asn1_string_to_bytes(backend, gn.d.rfc822Name).decode("utf8") - # We don't use the constructor for RFC822Name so we can bypass - # validation. This allows us to create RFC822Name objects that have - # unicode chars when a certificate (against the RFC) contains them. - return x509.RFC822Name._init_without_validation(data) - elif gn.type == backend._lib.GEN_OTHERNAME: - type_id = _obj2txt(backend, gn.d.otherName.type_id) - value = _asn1_to_der(backend, gn.d.otherName.value) - return x509.OtherName(x509.ObjectIdentifier(type_id), value) - else: - # x400Address or ediPartyName - raise x509.UnsupportedGeneralNameType( - "{} is not a supported type".format( - x509._GENERAL_NAMES.get(gn.type, gn.type) - ), - gn.type - ) - - -def _decode_ocsp_no_check(backend, ext): - return x509.OCSPNoCheck() - - -def _decode_crl_number(backend, ext): - asn1_int = backend._ffi.cast("ASN1_INTEGER *", ext) - asn1_int = backend._ffi.gc(asn1_int, backend._lib.ASN1_INTEGER_free) - return x509.CRLNumber(_asn1_integer_to_int(backend, asn1_int)) - - -def _decode_delta_crl_indicator(backend, ext): - asn1_int = backend._ffi.cast("ASN1_INTEGER *", ext) - asn1_int = backend._ffi.gc(asn1_int, backend._lib.ASN1_INTEGER_free) - return x509.DeltaCRLIndicator(_asn1_integer_to_int(backend, asn1_int)) - - -class _X509ExtensionParser(object): - def __init__(self, ext_count, get_ext, handlers): - self.ext_count = ext_count - self.get_ext = get_ext - self.handlers = handlers - - def parse(self, backend, x509_obj): - extensions = [] - seen_oids = set() - for i in range(self.ext_count(backend, x509_obj)): - ext = self.get_ext(backend, x509_obj, i) - backend.openssl_assert(ext != backend._ffi.NULL) - crit = backend._lib.X509_EXTENSION_get_critical(ext) - critical = crit == 1 - oid = x509.ObjectIdentifier( - _obj2txt(backend, backend._lib.X509_EXTENSION_get_object(ext)) - ) - if oid in seen_oids: - raise x509.DuplicateExtension( - "Duplicate {} extension found".format(oid), oid - ) - - # These OIDs are only supported in OpenSSL 1.1.0+ but we want - # to support them in all versions of OpenSSL so we decode them - # ourselves. - if oid == ExtensionOID.TLS_FEATURE: - data = backend._lib.X509_EXTENSION_get_data(ext) - parsed = _Integers.load(_asn1_string_to_bytes(backend, data)) - value = x509.TLSFeature( - [_TLS_FEATURE_TYPE_TO_ENUM[x.native] for x in parsed] - ) - extensions.append(x509.Extension(oid, critical, value)) - seen_oids.add(oid) - continue - elif oid == ExtensionOID.PRECERT_POISON: - data = backend._lib.X509_EXTENSION_get_data(ext) - parsed = asn1crypto.core.Null.load( - _asn1_string_to_bytes(backend, data) - ) - assert parsed == asn1crypto.core.Null() - extensions.append(x509.Extension( - oid, critical, x509.PrecertPoison() - )) - seen_oids.add(oid) - continue - - try: - handler = self.handlers[oid] - except KeyError: - # Dump the DER payload into an UnrecognizedExtension object - data = backend._lib.X509_EXTENSION_get_data(ext) - backend.openssl_assert(data != backend._ffi.NULL) - der = backend._ffi.buffer(data.data, data.length)[:] - unrecognized = x509.UnrecognizedExtension(oid, der) - extensions.append( - x509.Extension(oid, critical, unrecognized) - ) - else: - ext_data = backend._lib.X509V3_EXT_d2i(ext) - if ext_data == backend._ffi.NULL: - backend._consume_errors() - raise ValueError( - "The {} extension is invalid and can't be " - "parsed".format(oid) - ) - - value = handler(backend, ext_data) - extensions.append(x509.Extension(oid, critical, value)) - - seen_oids.add(oid) - - return x509.Extensions(extensions) - - -def _decode_certificate_policies(backend, cp): - cp = backend._ffi.cast("Cryptography_STACK_OF_POLICYINFO *", cp) - cp = backend._ffi.gc(cp, backend._lib.CERTIFICATEPOLICIES_free) - - num = backend._lib.sk_POLICYINFO_num(cp) - certificate_policies = [] - for i in range(num): - qualifiers = None - pi = backend._lib.sk_POLICYINFO_value(cp, i) - oid = x509.ObjectIdentifier(_obj2txt(backend, pi.policyid)) - if pi.qualifiers != backend._ffi.NULL: - qnum = backend._lib.sk_POLICYQUALINFO_num(pi.qualifiers) - qualifiers = [] - for j in range(qnum): - pqi = backend._lib.sk_POLICYQUALINFO_value( - pi.qualifiers, j - ) - pqualid = x509.ObjectIdentifier( - _obj2txt(backend, pqi.pqualid) - ) - if pqualid == CertificatePoliciesOID.CPS_QUALIFIER: - cpsuri = backend._ffi.buffer( - pqi.d.cpsuri.data, pqi.d.cpsuri.length - )[:].decode('ascii') - qualifiers.append(cpsuri) - else: - assert pqualid == CertificatePoliciesOID.CPS_USER_NOTICE - user_notice = _decode_user_notice( - backend, pqi.d.usernotice - ) - qualifiers.append(user_notice) - - certificate_policies.append( - x509.PolicyInformation(oid, qualifiers) - ) - - return x509.CertificatePolicies(certificate_policies) - - -def _decode_user_notice(backend, un): - explicit_text = None - notice_reference = None - - if un.exptext != backend._ffi.NULL: - explicit_text = _asn1_string_to_utf8(backend, un.exptext) - - if un.noticeref != backend._ffi.NULL: - organization = _asn1_string_to_utf8( - backend, un.noticeref.organization - ) - - num = backend._lib.sk_ASN1_INTEGER_num( - un.noticeref.noticenos - ) - notice_numbers = [] - for i in range(num): - asn1_int = backend._lib.sk_ASN1_INTEGER_value( - un.noticeref.noticenos, i - ) - notice_num = _asn1_integer_to_int(backend, asn1_int) - notice_numbers.append(notice_num) - - notice_reference = x509.NoticeReference( - organization, notice_numbers - ) - - return x509.UserNotice(notice_reference, explicit_text) - - -def _decode_basic_constraints(backend, bc_st): - basic_constraints = backend._ffi.cast("BASIC_CONSTRAINTS *", bc_st) - basic_constraints = backend._ffi.gc( - basic_constraints, backend._lib.BASIC_CONSTRAINTS_free - ) - # The byte representation of an ASN.1 boolean true is \xff. OpenSSL - # chooses to just map this to its ordinal value, so true is 255 and - # false is 0. - ca = basic_constraints.ca == 255 - path_length = _asn1_integer_to_int_or_none( - backend, basic_constraints.pathlen - ) - - return x509.BasicConstraints(ca, path_length) - - -def _decode_subject_key_identifier(backend, asn1_string): - asn1_string = backend._ffi.cast("ASN1_OCTET_STRING *", asn1_string) - asn1_string = backend._ffi.gc( - asn1_string, backend._lib.ASN1_OCTET_STRING_free - ) - return x509.SubjectKeyIdentifier( - backend._ffi.buffer(asn1_string.data, asn1_string.length)[:] - ) - - -def _decode_authority_key_identifier(backend, akid): - akid = backend._ffi.cast("AUTHORITY_KEYID *", akid) - akid = backend._ffi.gc(akid, backend._lib.AUTHORITY_KEYID_free) - key_identifier = None - authority_cert_issuer = None - - if akid.keyid != backend._ffi.NULL: - key_identifier = backend._ffi.buffer( - akid.keyid.data, akid.keyid.length - )[:] - - if akid.issuer != backend._ffi.NULL: - authority_cert_issuer = _decode_general_names( - backend, akid.issuer - ) - - authority_cert_serial_number = _asn1_integer_to_int_or_none( - backend, akid.serial - ) - - return x509.AuthorityKeyIdentifier( - key_identifier, authority_cert_issuer, authority_cert_serial_number - ) - - -def _decode_authority_information_access(backend, aia): - aia = backend._ffi.cast("Cryptography_STACK_OF_ACCESS_DESCRIPTION *", aia) - aia = backend._ffi.gc( - aia, - lambda x: backend._lib.sk_ACCESS_DESCRIPTION_pop_free( - x, backend._ffi.addressof( - backend._lib._original_lib, "ACCESS_DESCRIPTION_free" - ) - ) - ) - num = backend._lib.sk_ACCESS_DESCRIPTION_num(aia) - access_descriptions = [] - for i in range(num): - ad = backend._lib.sk_ACCESS_DESCRIPTION_value(aia, i) - backend.openssl_assert(ad.method != backend._ffi.NULL) - oid = x509.ObjectIdentifier(_obj2txt(backend, ad.method)) - backend.openssl_assert(ad.location != backend._ffi.NULL) - gn = _decode_general_name(backend, ad.location) - access_descriptions.append(x509.AccessDescription(oid, gn)) - - return x509.AuthorityInformationAccess(access_descriptions) - - -def _decode_key_usage(backend, bit_string): - bit_string = backend._ffi.cast("ASN1_BIT_STRING *", bit_string) - bit_string = backend._ffi.gc(bit_string, backend._lib.ASN1_BIT_STRING_free) - get_bit = backend._lib.ASN1_BIT_STRING_get_bit - digital_signature = get_bit(bit_string, 0) == 1 - content_commitment = get_bit(bit_string, 1) == 1 - key_encipherment = get_bit(bit_string, 2) == 1 - data_encipherment = get_bit(bit_string, 3) == 1 - key_agreement = get_bit(bit_string, 4) == 1 - key_cert_sign = get_bit(bit_string, 5) == 1 - crl_sign = get_bit(bit_string, 6) == 1 - encipher_only = get_bit(bit_string, 7) == 1 - decipher_only = get_bit(bit_string, 8) == 1 - return x509.KeyUsage( - digital_signature, - content_commitment, - key_encipherment, - data_encipherment, - key_agreement, - key_cert_sign, - crl_sign, - encipher_only, - decipher_only - ) - - -def _decode_general_names_extension(backend, gns): - gns = backend._ffi.cast("GENERAL_NAMES *", gns) - gns = backend._ffi.gc(gns, backend._lib.GENERAL_NAMES_free) - general_names = _decode_general_names(backend, gns) - return general_names - - -def _decode_subject_alt_name(backend, ext): - return x509.SubjectAlternativeName( - _decode_general_names_extension(backend, ext) - ) - - -def _decode_issuer_alt_name(backend, ext): - return x509.IssuerAlternativeName( - _decode_general_names_extension(backend, ext) - ) - - -def _decode_name_constraints(backend, nc): - nc = backend._ffi.cast("NAME_CONSTRAINTS *", nc) - nc = backend._ffi.gc(nc, backend._lib.NAME_CONSTRAINTS_free) - permitted = _decode_general_subtrees(backend, nc.permittedSubtrees) - excluded = _decode_general_subtrees(backend, nc.excludedSubtrees) - return x509.NameConstraints( - permitted_subtrees=permitted, excluded_subtrees=excluded - ) - - -def _decode_general_subtrees(backend, stack_subtrees): - if stack_subtrees == backend._ffi.NULL: - return None - - num = backend._lib.sk_GENERAL_SUBTREE_num(stack_subtrees) - subtrees = [] - - for i in range(num): - obj = backend._lib.sk_GENERAL_SUBTREE_value(stack_subtrees, i) - backend.openssl_assert(obj != backend._ffi.NULL) - name = _decode_general_name(backend, obj.base) - subtrees.append(name) - - return subtrees - - -def _decode_issuing_dist_point(backend, idp): - idp = backend._ffi.cast("ISSUING_DIST_POINT *", idp) - idp = backend._ffi.gc(idp, backend._lib.ISSUING_DIST_POINT_free) - if idp.distpoint != backend._ffi.NULL: - full_name, relative_name = _decode_distpoint(backend, idp.distpoint) - else: - full_name = None - relative_name = None - - only_user = idp.onlyuser == 255 - only_ca = idp.onlyCA == 255 - indirect_crl = idp.indirectCRL == 255 - only_attr = idp.onlyattr == 255 - if idp.onlysomereasons != backend._ffi.NULL: - only_some_reasons = _decode_reasons(backend, idp.onlysomereasons) - else: - only_some_reasons = None - - return x509.IssuingDistributionPoint( - full_name, relative_name, only_user, only_ca, only_some_reasons, - indirect_crl, only_attr - ) - - -def _decode_policy_constraints(backend, pc): - pc = backend._ffi.cast("POLICY_CONSTRAINTS *", pc) - pc = backend._ffi.gc(pc, backend._lib.POLICY_CONSTRAINTS_free) - - require_explicit_policy = _asn1_integer_to_int_or_none( - backend, pc.requireExplicitPolicy - ) - inhibit_policy_mapping = _asn1_integer_to_int_or_none( - backend, pc.inhibitPolicyMapping - ) - - return x509.PolicyConstraints( - require_explicit_policy, inhibit_policy_mapping - ) - - -def _decode_extended_key_usage(backend, sk): - sk = backend._ffi.cast("Cryptography_STACK_OF_ASN1_OBJECT *", sk) - sk = backend._ffi.gc(sk, backend._lib.sk_ASN1_OBJECT_free) - num = backend._lib.sk_ASN1_OBJECT_num(sk) - ekus = [] - - for i in range(num): - obj = backend._lib.sk_ASN1_OBJECT_value(sk, i) - backend.openssl_assert(obj != backend._ffi.NULL) - oid = x509.ObjectIdentifier(_obj2txt(backend, obj)) - ekus.append(oid) - - return x509.ExtendedKeyUsage(ekus) - - -_DISTPOINT_TYPE_FULLNAME = 0 -_DISTPOINT_TYPE_RELATIVENAME = 1 - - -def _decode_dist_points(backend, cdps): - cdps = backend._ffi.cast("Cryptography_STACK_OF_DIST_POINT *", cdps) - cdps = backend._ffi.gc(cdps, backend._lib.CRL_DIST_POINTS_free) - - num = backend._lib.sk_DIST_POINT_num(cdps) - dist_points = [] - for i in range(num): - full_name = None - relative_name = None - crl_issuer = None - reasons = None - cdp = backend._lib.sk_DIST_POINT_value(cdps, i) - if cdp.reasons != backend._ffi.NULL: - reasons = _decode_reasons(backend, cdp.reasons) - - if cdp.CRLissuer != backend._ffi.NULL: - crl_issuer = _decode_general_names(backend, cdp.CRLissuer) - - # Certificates may have a crl_issuer/reasons and no distribution - # point so make sure it's not null. - if cdp.distpoint != backend._ffi.NULL: - full_name, relative_name = _decode_distpoint( - backend, cdp.distpoint - ) - - dist_points.append( - x509.DistributionPoint( - full_name, relative_name, reasons, crl_issuer - ) - ) - - return dist_points - - -# ReasonFlags ::= BIT STRING { -# unused (0), -# keyCompromise (1), -# cACompromise (2), -# affiliationChanged (3), -# superseded (4), -# cessationOfOperation (5), -# certificateHold (6), -# privilegeWithdrawn (7), -# aACompromise (8) } -_REASON_BIT_MAPPING = { - 1: x509.ReasonFlags.key_compromise, - 2: x509.ReasonFlags.ca_compromise, - 3: x509.ReasonFlags.affiliation_changed, - 4: x509.ReasonFlags.superseded, - 5: x509.ReasonFlags.cessation_of_operation, - 6: x509.ReasonFlags.certificate_hold, - 7: x509.ReasonFlags.privilege_withdrawn, - 8: x509.ReasonFlags.aa_compromise, -} - - -def _decode_reasons(backend, reasons): - # We will check each bit from RFC 5280 - enum_reasons = [] - for bit_position, reason in six.iteritems(_REASON_BIT_MAPPING): - if backend._lib.ASN1_BIT_STRING_get_bit(reasons, bit_position): - enum_reasons.append(reason) - - return frozenset(enum_reasons) - - -def _decode_distpoint(backend, distpoint): - if distpoint.type == _DISTPOINT_TYPE_FULLNAME: - full_name = _decode_general_names(backend, distpoint.name.fullname) - return full_name, None - - # OpenSSL code doesn't test for a specific type for - # relativename, everything that isn't fullname is considered - # relativename. Per RFC 5280: - # - # DistributionPointName ::= CHOICE { - # fullName [0] GeneralNames, - # nameRelativeToCRLIssuer [1] RelativeDistinguishedName } - rns = distpoint.name.relativename - rnum = backend._lib.sk_X509_NAME_ENTRY_num(rns) - attributes = set() - for i in range(rnum): - rn = backend._lib.sk_X509_NAME_ENTRY_value( - rns, i - ) - backend.openssl_assert(rn != backend._ffi.NULL) - attributes.add( - _decode_x509_name_entry(backend, rn) - ) - - relative_name = x509.RelativeDistinguishedName(attributes) - - return None, relative_name - - -def _decode_crl_distribution_points(backend, cdps): - dist_points = _decode_dist_points(backend, cdps) - return x509.CRLDistributionPoints(dist_points) - - -def _decode_freshest_crl(backend, cdps): - dist_points = _decode_dist_points(backend, cdps) - return x509.FreshestCRL(dist_points) - - -def _decode_inhibit_any_policy(backend, asn1_int): - asn1_int = backend._ffi.cast("ASN1_INTEGER *", asn1_int) - asn1_int = backend._ffi.gc(asn1_int, backend._lib.ASN1_INTEGER_free) - skip_certs = _asn1_integer_to_int(backend, asn1_int) - return x509.InhibitAnyPolicy(skip_certs) - - -def _decode_precert_signed_certificate_timestamps(backend, asn1_scts): - from cryptography.hazmat.backends.openssl.x509 import ( - _SignedCertificateTimestamp - ) - asn1_scts = backend._ffi.cast("Cryptography_STACK_OF_SCT *", asn1_scts) - asn1_scts = backend._ffi.gc(asn1_scts, backend._lib.SCT_LIST_free) - - scts = [] - for i in range(backend._lib.sk_SCT_num(asn1_scts)): - sct = backend._lib.sk_SCT_value(asn1_scts, i) - - scts.append(_SignedCertificateTimestamp(backend, asn1_scts, sct)) - return x509.PrecertificateSignedCertificateTimestamps(scts) - - -# CRLReason ::= ENUMERATED { -# unspecified (0), -# keyCompromise (1), -# cACompromise (2), -# affiliationChanged (3), -# superseded (4), -# cessationOfOperation (5), -# certificateHold (6), -# -- value 7 is not used -# removeFromCRL (8), -# privilegeWithdrawn (9), -# aACompromise (10) } -_CRL_ENTRY_REASON_CODE_TO_ENUM = { - 0: x509.ReasonFlags.unspecified, - 1: x509.ReasonFlags.key_compromise, - 2: x509.ReasonFlags.ca_compromise, - 3: x509.ReasonFlags.affiliation_changed, - 4: x509.ReasonFlags.superseded, - 5: x509.ReasonFlags.cessation_of_operation, - 6: x509.ReasonFlags.certificate_hold, - 8: x509.ReasonFlags.remove_from_crl, - 9: x509.ReasonFlags.privilege_withdrawn, - 10: x509.ReasonFlags.aa_compromise, -} - - -_CRL_ENTRY_REASON_ENUM_TO_CODE = { - x509.ReasonFlags.unspecified: 0, - x509.ReasonFlags.key_compromise: 1, - x509.ReasonFlags.ca_compromise: 2, - x509.ReasonFlags.affiliation_changed: 3, - x509.ReasonFlags.superseded: 4, - x509.ReasonFlags.cessation_of_operation: 5, - x509.ReasonFlags.certificate_hold: 6, - x509.ReasonFlags.remove_from_crl: 8, - x509.ReasonFlags.privilege_withdrawn: 9, - x509.ReasonFlags.aa_compromise: 10 -} - - -def _decode_crl_reason(backend, enum): - enum = backend._ffi.cast("ASN1_ENUMERATED *", enum) - enum = backend._ffi.gc(enum, backend._lib.ASN1_ENUMERATED_free) - code = backend._lib.ASN1_ENUMERATED_get(enum) - - try: - return x509.CRLReason(_CRL_ENTRY_REASON_CODE_TO_ENUM[code]) - except KeyError: - raise ValueError("Unsupported reason code: {}".format(code)) - - -def _decode_invalidity_date(backend, inv_date): - generalized_time = backend._ffi.cast( - "ASN1_GENERALIZEDTIME *", inv_date - ) - generalized_time = backend._ffi.gc( - generalized_time, backend._lib.ASN1_GENERALIZEDTIME_free - ) - return x509.InvalidityDate( - _parse_asn1_generalized_time(backend, generalized_time) - ) - - -def _decode_cert_issuer(backend, gns): - gns = backend._ffi.cast("GENERAL_NAMES *", gns) - gns = backend._ffi.gc(gns, backend._lib.GENERAL_NAMES_free) - general_names = _decode_general_names(backend, gns) - return x509.CertificateIssuer(general_names) - - -def _asn1_to_der(backend, asn1_type): - buf = backend._ffi.new("unsigned char **") - res = backend._lib.i2d_ASN1_TYPE(asn1_type, buf) - backend.openssl_assert(res >= 0) - backend.openssl_assert(buf[0] != backend._ffi.NULL) - buf = backend._ffi.gc( - buf, lambda buffer: backend._lib.OPENSSL_free(buffer[0]) - ) - return backend._ffi.buffer(buf[0], res)[:] - - -def _asn1_integer_to_int(backend, asn1_int): - bn = backend._lib.ASN1_INTEGER_to_BN(asn1_int, backend._ffi.NULL) - backend.openssl_assert(bn != backend._ffi.NULL) - bn = backend._ffi.gc(bn, backend._lib.BN_free) - return backend._bn_to_int(bn) - - -def _asn1_integer_to_int_or_none(backend, asn1_int): - if asn1_int == backend._ffi.NULL: - return None - else: - return _asn1_integer_to_int(backend, asn1_int) - - -def _asn1_string_to_bytes(backend, asn1_string): - return backend._ffi.buffer(asn1_string.data, asn1_string.length)[:] - - -def _asn1_string_to_ascii(backend, asn1_string): - return _asn1_string_to_bytes(backend, asn1_string).decode("ascii") - - -def _asn1_string_to_utf8(backend, asn1_string): - buf = backend._ffi.new("unsigned char **") - res = backend._lib.ASN1_STRING_to_UTF8(buf, asn1_string) - if res == -1: - raise ValueError( - "Unsupported ASN1 string type. Type: {}".format(asn1_string.type) - ) - - backend.openssl_assert(buf[0] != backend._ffi.NULL) - buf = backend._ffi.gc( - buf, lambda buffer: backend._lib.OPENSSL_free(buffer[0]) - ) - return backend._ffi.buffer(buf[0], res)[:].decode('utf8') - - -def _parse_asn1_time(backend, asn1_time): - backend.openssl_assert(asn1_time != backend._ffi.NULL) - generalized_time = backend._lib.ASN1_TIME_to_generalizedtime( - asn1_time, backend._ffi.NULL - ) - if generalized_time == backend._ffi.NULL: - raise ValueError( - "Couldn't parse ASN.1 time as generalizedtime {!r}".format( - _asn1_string_to_bytes(backend, asn1_time) - ) - ) - - generalized_time = backend._ffi.gc( - generalized_time, backend._lib.ASN1_GENERALIZEDTIME_free - ) - return _parse_asn1_generalized_time(backend, generalized_time) - - -def _parse_asn1_generalized_time(backend, generalized_time): - time = _asn1_string_to_ascii( - backend, backend._ffi.cast("ASN1_STRING *", generalized_time) - ) - return datetime.datetime.strptime(time, "%Y%m%d%H%M%SZ") - - -def _decode_nonce(backend, nonce): - nonce = backend._ffi.cast("ASN1_OCTET_STRING *", nonce) - nonce = backend._ffi.gc(nonce, backend._lib.ASN1_OCTET_STRING_free) - return x509.OCSPNonce(_asn1_string_to_bytes(backend, nonce)) - - -_EXTENSION_HANDLERS_NO_SCT = { - ExtensionOID.BASIC_CONSTRAINTS: _decode_basic_constraints, - ExtensionOID.SUBJECT_KEY_IDENTIFIER: _decode_subject_key_identifier, - ExtensionOID.KEY_USAGE: _decode_key_usage, - ExtensionOID.SUBJECT_ALTERNATIVE_NAME: _decode_subject_alt_name, - ExtensionOID.EXTENDED_KEY_USAGE: _decode_extended_key_usage, - ExtensionOID.AUTHORITY_KEY_IDENTIFIER: _decode_authority_key_identifier, - ExtensionOID.AUTHORITY_INFORMATION_ACCESS: ( - _decode_authority_information_access - ), - ExtensionOID.CERTIFICATE_POLICIES: _decode_certificate_policies, - ExtensionOID.CRL_DISTRIBUTION_POINTS: _decode_crl_distribution_points, - ExtensionOID.FRESHEST_CRL: _decode_freshest_crl, - ExtensionOID.OCSP_NO_CHECK: _decode_ocsp_no_check, - ExtensionOID.INHIBIT_ANY_POLICY: _decode_inhibit_any_policy, - ExtensionOID.ISSUER_ALTERNATIVE_NAME: _decode_issuer_alt_name, - ExtensionOID.NAME_CONSTRAINTS: _decode_name_constraints, - ExtensionOID.POLICY_CONSTRAINTS: _decode_policy_constraints, -} -_EXTENSION_HANDLERS = _EXTENSION_HANDLERS_NO_SCT.copy() -_EXTENSION_HANDLERS[ - ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS -] = _decode_precert_signed_certificate_timestamps - - -_REVOKED_EXTENSION_HANDLERS = { - CRLEntryExtensionOID.CRL_REASON: _decode_crl_reason, - CRLEntryExtensionOID.INVALIDITY_DATE: _decode_invalidity_date, - CRLEntryExtensionOID.CERTIFICATE_ISSUER: _decode_cert_issuer, -} - -_CRL_EXTENSION_HANDLERS = { - ExtensionOID.CRL_NUMBER: _decode_crl_number, - ExtensionOID.DELTA_CRL_INDICATOR: _decode_delta_crl_indicator, - ExtensionOID.AUTHORITY_KEY_IDENTIFIER: _decode_authority_key_identifier, - ExtensionOID.ISSUER_ALTERNATIVE_NAME: _decode_issuer_alt_name, - ExtensionOID.AUTHORITY_INFORMATION_ACCESS: ( - _decode_authority_information_access - ), - ExtensionOID.ISSUING_DISTRIBUTION_POINT: _decode_issuing_dist_point, -} - -_OCSP_REQ_EXTENSION_HANDLERS = { - OCSPExtensionOID.NONCE: _decode_nonce, -} - -_OCSP_BASICRESP_EXTENSION_HANDLERS = { - OCSPExtensionOID.NONCE: _decode_nonce, -} - -_CERTIFICATE_EXTENSION_PARSER_NO_SCT = _X509ExtensionParser( - ext_count=lambda backend, x: backend._lib.X509_get_ext_count(x), - get_ext=lambda backend, x, i: backend._lib.X509_get_ext(x, i), - handlers=_EXTENSION_HANDLERS_NO_SCT -) - -_CERTIFICATE_EXTENSION_PARSER = _X509ExtensionParser( - ext_count=lambda backend, x: backend._lib.X509_get_ext_count(x), - get_ext=lambda backend, x, i: backend._lib.X509_get_ext(x, i), - handlers=_EXTENSION_HANDLERS -) - -_CSR_EXTENSION_PARSER = _X509ExtensionParser( - ext_count=lambda backend, x: backend._lib.sk_X509_EXTENSION_num(x), - get_ext=lambda backend, x, i: backend._lib.sk_X509_EXTENSION_value(x, i), - handlers=_EXTENSION_HANDLERS -) - -_REVOKED_CERTIFICATE_EXTENSION_PARSER = _X509ExtensionParser( - ext_count=lambda backend, x: backend._lib.X509_REVOKED_get_ext_count(x), - get_ext=lambda backend, x, i: backend._lib.X509_REVOKED_get_ext(x, i), - handlers=_REVOKED_EXTENSION_HANDLERS, -) - -_CRL_EXTENSION_PARSER = _X509ExtensionParser( - ext_count=lambda backend, x: backend._lib.X509_CRL_get_ext_count(x), - get_ext=lambda backend, x, i: backend._lib.X509_CRL_get_ext(x, i), - handlers=_CRL_EXTENSION_HANDLERS, -) - -_OCSP_REQ_EXT_PARSER = _X509ExtensionParser( - ext_count=lambda backend, x: backend._lib.OCSP_REQUEST_get_ext_count(x), - get_ext=lambda backend, x, i: backend._lib.OCSP_REQUEST_get_ext(x, i), - handlers=_OCSP_REQ_EXTENSION_HANDLERS, -) - -_OCSP_BASICRESP_EXT_PARSER = _X509ExtensionParser( - ext_count=lambda backend, x: backend._lib.OCSP_BASICRESP_get_ext_count(x), - get_ext=lambda backend, x, i: backend._lib.OCSP_BASICRESP_get_ext(x, i), - handlers=_OCSP_BASICRESP_EXTENSION_HANDLERS, -) diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/dh.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/dh.py @@ -1,280 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -from cryptography import utils -from cryptography.exceptions import UnsupportedAlgorithm, _Reasons -from cryptography.hazmat.primitives import serialization -from cryptography.hazmat.primitives.asymmetric import dh - - -def _dh_params_dup(dh_cdata, backend): - lib = backend._lib - ffi = backend._ffi - - param_cdata = lib.DHparams_dup(dh_cdata) - backend.openssl_assert(param_cdata != ffi.NULL) - param_cdata = ffi.gc(param_cdata, lib.DH_free) - if lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102: - # In OpenSSL versions < 1.0.2 or libressl DHparams_dup don't copy q - q = ffi.new("BIGNUM **") - lib.DH_get0_pqg(dh_cdata, ffi.NULL, q, ffi.NULL) - q_dup = lib.BN_dup(q[0]) - res = lib.DH_set0_pqg(param_cdata, ffi.NULL, q_dup, ffi.NULL) - backend.openssl_assert(res == 1) - - return param_cdata - - -def _dh_cdata_to_parameters(dh_cdata, backend): - param_cdata = _dh_params_dup(dh_cdata, backend) - return _DHParameters(backend, param_cdata) - - -@utils.register_interface(dh.DHParametersWithSerialization) -class _DHParameters(object): - def __init__(self, backend, dh_cdata): - self._backend = backend - self._dh_cdata = dh_cdata - - def parameter_numbers(self): - p = self._backend._ffi.new("BIGNUM **") - g = self._backend._ffi.new("BIGNUM **") - q = self._backend._ffi.new("BIGNUM **") - self._backend._lib.DH_get0_pqg(self._dh_cdata, p, q, g) - self._backend.openssl_assert(p[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(g[0] != self._backend._ffi.NULL) - if q[0] == self._backend._ffi.NULL: - q_val = None - else: - q_val = self._backend._bn_to_int(q[0]) - return dh.DHParameterNumbers( - p=self._backend._bn_to_int(p[0]), - g=self._backend._bn_to_int(g[0]), - q=q_val - ) - - def generate_private_key(self): - return self._backend.generate_dh_private_key(self) - - def parameter_bytes(self, encoding, format): - if format is not serialization.ParameterFormat.PKCS3: - raise ValueError( - "Only PKCS3 serialization is supported" - ) - if not self._backend._lib.Cryptography_HAS_EVP_PKEY_DHX: - q = self._backend._ffi.new("BIGNUM **") - self._backend._lib.DH_get0_pqg(self._dh_cdata, - self._backend._ffi.NULL, - q, - self._backend._ffi.NULL) - if q[0] != self._backend._ffi.NULL: - raise UnsupportedAlgorithm( - "DH X9.42 serialization is not supported", - _Reasons.UNSUPPORTED_SERIALIZATION) - - return self._backend._parameter_bytes( - encoding, - format, - self._dh_cdata - ) - - -def _handle_dh_compute_key_error(errors, backend): - lib = backend._lib - - backend.openssl_assert( - errors[0]._lib_reason_match( - lib.ERR_LIB_DH, lib.DH_R_INVALID_PUBKEY - ) - ) - - raise ValueError("Public key value is invalid for this exchange.") - - -def _get_dh_num_bits(backend, dh_cdata): - p = backend._ffi.new("BIGNUM **") - backend._lib.DH_get0_pqg(dh_cdata, p, - backend._ffi.NULL, - backend._ffi.NULL) - backend.openssl_assert(p[0] != backend._ffi.NULL) - return backend._lib.BN_num_bits(p[0]) - - -@utils.register_interface(dh.DHPrivateKeyWithSerialization) -class _DHPrivateKey(object): - def __init__(self, backend, dh_cdata, evp_pkey): - self._backend = backend - self._dh_cdata = dh_cdata - self._evp_pkey = evp_pkey - self._key_size_bytes = self._backend._lib.DH_size(dh_cdata) - - @property - def key_size(self): - return _get_dh_num_bits(self._backend, self._dh_cdata) - - def private_numbers(self): - p = self._backend._ffi.new("BIGNUM **") - g = self._backend._ffi.new("BIGNUM **") - q = self._backend._ffi.new("BIGNUM **") - self._backend._lib.DH_get0_pqg(self._dh_cdata, p, q, g) - self._backend.openssl_assert(p[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(g[0] != self._backend._ffi.NULL) - if q[0] == self._backend._ffi.NULL: - q_val = None - else: - q_val = self._backend._bn_to_int(q[0]) - pub_key = self._backend._ffi.new("BIGNUM **") - priv_key = self._backend._ffi.new("BIGNUM **") - self._backend._lib.DH_get0_key(self._dh_cdata, pub_key, priv_key) - self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(priv_key[0] != self._backend._ffi.NULL) - return dh.DHPrivateNumbers( - public_numbers=dh.DHPublicNumbers( - parameter_numbers=dh.DHParameterNumbers( - p=self._backend._bn_to_int(p[0]), - g=self._backend._bn_to_int(g[0]), - q=q_val - ), - y=self._backend._bn_to_int(pub_key[0]) - ), - x=self._backend._bn_to_int(priv_key[0]) - ) - - def exchange(self, peer_public_key): - - buf = self._backend._ffi.new("unsigned char[]", self._key_size_bytes) - pub_key = self._backend._ffi.new("BIGNUM **") - self._backend._lib.DH_get0_key(peer_public_key._dh_cdata, pub_key, - self._backend._ffi.NULL) - self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL) - res = self._backend._lib.DH_compute_key( - buf, - pub_key[0], - self._dh_cdata - ) - - if res == -1: - errors = self._backend._consume_errors() - return _handle_dh_compute_key_error(errors, self._backend) - else: - self._backend.openssl_assert(res >= 1) - - key = self._backend._ffi.buffer(buf)[:res] - pad = self._key_size_bytes - len(key) - - if pad > 0: - key = (b"\x00" * pad) + key - - return key - - def public_key(self): - dh_cdata = _dh_params_dup(self._dh_cdata, self._backend) - pub_key = self._backend._ffi.new("BIGNUM **") - self._backend._lib.DH_get0_key(self._dh_cdata, - pub_key, self._backend._ffi.NULL) - self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL) - pub_key_dup = self._backend._lib.BN_dup(pub_key[0]) - self._backend.openssl_assert(pub_key_dup != self._backend._ffi.NULL) - - res = self._backend._lib.DH_set0_key(dh_cdata, - pub_key_dup, - self._backend._ffi.NULL) - self._backend.openssl_assert(res == 1) - evp_pkey = self._backend._dh_cdata_to_evp_pkey(dh_cdata) - return _DHPublicKey(self._backend, dh_cdata, evp_pkey) - - def parameters(self): - return _dh_cdata_to_parameters(self._dh_cdata, self._backend) - - def private_bytes(self, encoding, format, encryption_algorithm): - if format is not serialization.PrivateFormat.PKCS8: - raise ValueError( - "DH private keys support only PKCS8 serialization" - ) - if not self._backend._lib.Cryptography_HAS_EVP_PKEY_DHX: - q = self._backend._ffi.new("BIGNUM **") - self._backend._lib.DH_get0_pqg(self._dh_cdata, - self._backend._ffi.NULL, - q, - self._backend._ffi.NULL) - if q[0] != self._backend._ffi.NULL: - raise UnsupportedAlgorithm( - "DH X9.42 serialization is not supported", - _Reasons.UNSUPPORTED_SERIALIZATION) - - return self._backend._private_key_bytes( - encoding, - format, - encryption_algorithm, - self._evp_pkey, - self._dh_cdata - ) - - -@utils.register_interface(dh.DHPublicKeyWithSerialization) -class _DHPublicKey(object): - def __init__(self, backend, dh_cdata, evp_pkey): - self._backend = backend - self._dh_cdata = dh_cdata - self._evp_pkey = evp_pkey - self._key_size_bits = _get_dh_num_bits(self._backend, self._dh_cdata) - - @property - def key_size(self): - return self._key_size_bits - - def public_numbers(self): - p = self._backend._ffi.new("BIGNUM **") - g = self._backend._ffi.new("BIGNUM **") - q = self._backend._ffi.new("BIGNUM **") - self._backend._lib.DH_get0_pqg(self._dh_cdata, p, q, g) - self._backend.openssl_assert(p[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(g[0] != self._backend._ffi.NULL) - if q[0] == self._backend._ffi.NULL: - q_val = None - else: - q_val = self._backend._bn_to_int(q[0]) - pub_key = self._backend._ffi.new("BIGNUM **") - self._backend._lib.DH_get0_key(self._dh_cdata, - pub_key, self._backend._ffi.NULL) - self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL) - return dh.DHPublicNumbers( - parameter_numbers=dh.DHParameterNumbers( - p=self._backend._bn_to_int(p[0]), - g=self._backend._bn_to_int(g[0]), - q=q_val - ), - y=self._backend._bn_to_int(pub_key[0]) - ) - - def parameters(self): - return _dh_cdata_to_parameters(self._dh_cdata, self._backend) - - def public_bytes(self, encoding, format): - if format is not serialization.PublicFormat.SubjectPublicKeyInfo: - raise ValueError( - "DH public keys support only " - "SubjectPublicKeyInfo serialization" - ) - - if not self._backend._lib.Cryptography_HAS_EVP_PKEY_DHX: - q = self._backend._ffi.new("BIGNUM **") - self._backend._lib.DH_get0_pqg(self._dh_cdata, - self._backend._ffi.NULL, - q, - self._backend._ffi.NULL) - if q[0] != self._backend._ffi.NULL: - raise UnsupportedAlgorithm( - "DH X9.42 serialization is not supported", - _Reasons.UNSUPPORTED_SERIALIZATION) - - return self._backend._public_key_bytes( - encoding, - format, - self, - self._evp_pkey, - None - ) diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/dsa.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/dsa.py @@ -1,268 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -from cryptography import utils -from cryptography.exceptions import InvalidSignature -from cryptography.hazmat.backends.openssl.utils import ( - _calculate_digest_and_algorithm, _check_not_prehashed, - _warn_sign_verify_deprecated -) -from cryptography.hazmat.primitives import hashes, serialization -from cryptography.hazmat.primitives.asymmetric import ( - AsymmetricSignatureContext, AsymmetricVerificationContext, dsa -) - - -def _dsa_sig_sign(backend, private_key, data): - sig_buf_len = backend._lib.DSA_size(private_key._dsa_cdata) - sig_buf = backend._ffi.new("unsigned char[]", sig_buf_len) - buflen = backend._ffi.new("unsigned int *") - - # The first parameter passed to DSA_sign is unused by OpenSSL but - # must be an integer. - res = backend._lib.DSA_sign( - 0, data, len(data), sig_buf, buflen, private_key._dsa_cdata - ) - backend.openssl_assert(res == 1) - backend.openssl_assert(buflen[0]) - - return backend._ffi.buffer(sig_buf)[:buflen[0]] - - -def _dsa_sig_verify(backend, public_key, signature, data): - # The first parameter passed to DSA_verify is unused by OpenSSL but - # must be an integer. - res = backend._lib.DSA_verify( - 0, data, len(data), signature, len(signature), public_key._dsa_cdata - ) - - if res != 1: - backend._consume_errors() - raise InvalidSignature - - -@utils.register_interface(AsymmetricVerificationContext) -class _DSAVerificationContext(object): - def __init__(self, backend, public_key, signature, algorithm): - self._backend = backend - self._public_key = public_key - self._signature = signature - self._algorithm = algorithm - - self._hash_ctx = hashes.Hash(self._algorithm, self._backend) - - def update(self, data): - self._hash_ctx.update(data) - - def verify(self): - data_to_verify = self._hash_ctx.finalize() - - _dsa_sig_verify( - self._backend, self._public_key, self._signature, data_to_verify - ) - - -@utils.register_interface(AsymmetricSignatureContext) -class _DSASignatureContext(object): - def __init__(self, backend, private_key, algorithm): - self._backend = backend - self._private_key = private_key - self._algorithm = algorithm - self._hash_ctx = hashes.Hash(self._algorithm, self._backend) - - def update(self, data): - self._hash_ctx.update(data) - - def finalize(self): - data_to_sign = self._hash_ctx.finalize() - return _dsa_sig_sign(self._backend, self._private_key, data_to_sign) - - -@utils.register_interface(dsa.DSAParametersWithNumbers) -class _DSAParameters(object): - def __init__(self, backend, dsa_cdata): - self._backend = backend - self._dsa_cdata = dsa_cdata - - def parameter_numbers(self): - p = self._backend._ffi.new("BIGNUM **") - q = self._backend._ffi.new("BIGNUM **") - g = self._backend._ffi.new("BIGNUM **") - self._backend._lib.DSA_get0_pqg(self._dsa_cdata, p, q, g) - self._backend.openssl_assert(p[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(q[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(g[0] != self._backend._ffi.NULL) - return dsa.DSAParameterNumbers( - p=self._backend._bn_to_int(p[0]), - q=self._backend._bn_to_int(q[0]), - g=self._backend._bn_to_int(g[0]) - ) - - def generate_private_key(self): - return self._backend.generate_dsa_private_key(self) - - -@utils.register_interface(dsa.DSAPrivateKeyWithSerialization) -class _DSAPrivateKey(object): - def __init__(self, backend, dsa_cdata, evp_pkey): - self._backend = backend - self._dsa_cdata = dsa_cdata - self._evp_pkey = evp_pkey - - p = self._backend._ffi.new("BIGNUM **") - self._backend._lib.DSA_get0_pqg( - dsa_cdata, p, self._backend._ffi.NULL, self._backend._ffi.NULL - ) - self._backend.openssl_assert(p[0] != backend._ffi.NULL) - self._key_size = self._backend._lib.BN_num_bits(p[0]) - - key_size = utils.read_only_property("_key_size") - - def signer(self, signature_algorithm): - _warn_sign_verify_deprecated() - _check_not_prehashed(signature_algorithm) - return _DSASignatureContext(self._backend, self, signature_algorithm) - - def private_numbers(self): - p = self._backend._ffi.new("BIGNUM **") - q = self._backend._ffi.new("BIGNUM **") - g = self._backend._ffi.new("BIGNUM **") - pub_key = self._backend._ffi.new("BIGNUM **") - priv_key = self._backend._ffi.new("BIGNUM **") - self._backend._lib.DSA_get0_pqg(self._dsa_cdata, p, q, g) - self._backend.openssl_assert(p[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(q[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(g[0] != self._backend._ffi.NULL) - self._backend._lib.DSA_get0_key(self._dsa_cdata, pub_key, priv_key) - self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(priv_key[0] != self._backend._ffi.NULL) - return dsa.DSAPrivateNumbers( - public_numbers=dsa.DSAPublicNumbers( - parameter_numbers=dsa.DSAParameterNumbers( - p=self._backend._bn_to_int(p[0]), - q=self._backend._bn_to_int(q[0]), - g=self._backend._bn_to_int(g[0]) - ), - y=self._backend._bn_to_int(pub_key[0]) - ), - x=self._backend._bn_to_int(priv_key[0]) - ) - - def public_key(self): - dsa_cdata = self._backend._lib.DSAparams_dup(self._dsa_cdata) - self._backend.openssl_assert(dsa_cdata != self._backend._ffi.NULL) - dsa_cdata = self._backend._ffi.gc( - dsa_cdata, self._backend._lib.DSA_free - ) - pub_key = self._backend._ffi.new("BIGNUM **") - self._backend._lib.DSA_get0_key( - self._dsa_cdata, pub_key, self._backend._ffi.NULL - ) - self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL) - pub_key_dup = self._backend._lib.BN_dup(pub_key[0]) - res = self._backend._lib.DSA_set0_key( - dsa_cdata, pub_key_dup, self._backend._ffi.NULL - ) - self._backend.openssl_assert(res == 1) - evp_pkey = self._backend._dsa_cdata_to_evp_pkey(dsa_cdata) - return _DSAPublicKey(self._backend, dsa_cdata, evp_pkey) - - def parameters(self): - dsa_cdata = self._backend._lib.DSAparams_dup(self._dsa_cdata) - self._backend.openssl_assert(dsa_cdata != self._backend._ffi.NULL) - dsa_cdata = self._backend._ffi.gc( - dsa_cdata, self._backend._lib.DSA_free - ) - return _DSAParameters(self._backend, dsa_cdata) - - def private_bytes(self, encoding, format, encryption_algorithm): - return self._backend._private_key_bytes( - encoding, - format, - encryption_algorithm, - self._evp_pkey, - self._dsa_cdata - ) - - def sign(self, data, algorithm): - data, algorithm = _calculate_digest_and_algorithm( - self._backend, data, algorithm - ) - return _dsa_sig_sign(self._backend, self, data) - - -@utils.register_interface(dsa.DSAPublicKeyWithSerialization) -class _DSAPublicKey(object): - def __init__(self, backend, dsa_cdata, evp_pkey): - self._backend = backend - self._dsa_cdata = dsa_cdata - self._evp_pkey = evp_pkey - p = self._backend._ffi.new("BIGNUM **") - self._backend._lib.DSA_get0_pqg( - dsa_cdata, p, self._backend._ffi.NULL, self._backend._ffi.NULL - ) - self._backend.openssl_assert(p[0] != backend._ffi.NULL) - self._key_size = self._backend._lib.BN_num_bits(p[0]) - - key_size = utils.read_only_property("_key_size") - - def verifier(self, signature, signature_algorithm): - _warn_sign_verify_deprecated() - utils._check_bytes("signature", signature) - - _check_not_prehashed(signature_algorithm) - return _DSAVerificationContext( - self._backend, self, signature, signature_algorithm - ) - - def public_numbers(self): - p = self._backend._ffi.new("BIGNUM **") - q = self._backend._ffi.new("BIGNUM **") - g = self._backend._ffi.new("BIGNUM **") - pub_key = self._backend._ffi.new("BIGNUM **") - self._backend._lib.DSA_get0_pqg(self._dsa_cdata, p, q, g) - self._backend.openssl_assert(p[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(q[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(g[0] != self._backend._ffi.NULL) - self._backend._lib.DSA_get0_key( - self._dsa_cdata, pub_key, self._backend._ffi.NULL - ) - self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL) - return dsa.DSAPublicNumbers( - parameter_numbers=dsa.DSAParameterNumbers( - p=self._backend._bn_to_int(p[0]), - q=self._backend._bn_to_int(q[0]), - g=self._backend._bn_to_int(g[0]) - ), - y=self._backend._bn_to_int(pub_key[0]) - ) - - def parameters(self): - dsa_cdata = self._backend._lib.DSAparams_dup(self._dsa_cdata) - dsa_cdata = self._backend._ffi.gc( - dsa_cdata, self._backend._lib.DSA_free - ) - return _DSAParameters(self._backend, dsa_cdata) - - def public_bytes(self, encoding, format): - if format is serialization.PublicFormat.PKCS1: - raise ValueError( - "DSA public keys do not support PKCS1 serialization" - ) - - return self._backend._public_key_bytes( - encoding, - format, - self, - self._evp_pkey, - None - ) - - def verify(self, signature, data, algorithm): - data, algorithm = _calculate_digest_and_algorithm( - self._backend, data, algorithm - ) - return _dsa_sig_verify(self._backend, self, signature, data) diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ec.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ec.py @@ -1,340 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -from cryptography import utils -from cryptography.exceptions import ( - InvalidSignature, UnsupportedAlgorithm, _Reasons -) -from cryptography.hazmat.backends.openssl.utils import ( - _calculate_digest_and_algorithm, _check_not_prehashed, - _warn_sign_verify_deprecated -) -from cryptography.hazmat.primitives import hashes, serialization -from cryptography.hazmat.primitives.asymmetric import ( - AsymmetricSignatureContext, AsymmetricVerificationContext, ec -) - - -def _check_signature_algorithm(signature_algorithm): - if not isinstance(signature_algorithm, ec.ECDSA): - raise UnsupportedAlgorithm( - "Unsupported elliptic curve signature algorithm.", - _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM) - - -def _ec_key_curve_sn(backend, ec_key): - group = backend._lib.EC_KEY_get0_group(ec_key) - backend.openssl_assert(group != backend._ffi.NULL) - - nid = backend._lib.EC_GROUP_get_curve_name(group) - # The following check is to find EC keys with unnamed curves and raise - # an error for now. - if nid == backend._lib.NID_undef: - raise NotImplementedError( - "ECDSA certificates with unnamed curves are unsupported " - "at this time" - ) - - curve_name = backend._lib.OBJ_nid2sn(nid) - backend.openssl_assert(curve_name != backend._ffi.NULL) - - sn = backend._ffi.string(curve_name).decode('ascii') - return sn - - -def _mark_asn1_named_ec_curve(backend, ec_cdata): - """ - Set the named curve flag on the EC_KEY. This causes OpenSSL to - serialize EC keys along with their curve OID which makes - deserialization easier. - """ - - backend._lib.EC_KEY_set_asn1_flag( - ec_cdata, backend._lib.OPENSSL_EC_NAMED_CURVE - ) - - -def _sn_to_elliptic_curve(backend, sn): - try: - return ec._CURVE_TYPES[sn]() - except KeyError: - raise UnsupportedAlgorithm( - "{} is not a supported elliptic curve".format(sn), - _Reasons.UNSUPPORTED_ELLIPTIC_CURVE - ) - - -def _ecdsa_sig_sign(backend, private_key, data): - max_size = backend._lib.ECDSA_size(private_key._ec_key) - backend.openssl_assert(max_size > 0) - - sigbuf = backend._ffi.new("unsigned char[]", max_size) - siglen_ptr = backend._ffi.new("unsigned int[]", 1) - res = backend._lib.ECDSA_sign( - 0, data, len(data), sigbuf, siglen_ptr, private_key._ec_key - ) - backend.openssl_assert(res == 1) - return backend._ffi.buffer(sigbuf)[:siglen_ptr[0]] - - -def _ecdsa_sig_verify(backend, public_key, signature, data): - res = backend._lib.ECDSA_verify( - 0, data, len(data), signature, len(signature), public_key._ec_key - ) - if res != 1: - backend._consume_errors() - raise InvalidSignature - - -@utils.register_interface(AsymmetricSignatureContext) -class _ECDSASignatureContext(object): - def __init__(self, backend, private_key, algorithm): - self._backend = backend - self._private_key = private_key - self._digest = hashes.Hash(algorithm, backend) - - def update(self, data): - self._digest.update(data) - - def finalize(self): - digest = self._digest.finalize() - - return _ecdsa_sig_sign(self._backend, self._private_key, digest) - - -@utils.register_interface(AsymmetricVerificationContext) -class _ECDSAVerificationContext(object): - def __init__(self, backend, public_key, signature, algorithm): - self._backend = backend - self._public_key = public_key - self._signature = signature - self._digest = hashes.Hash(algorithm, backend) - - def update(self, data): - self._digest.update(data) - - def verify(self): - digest = self._digest.finalize() - _ecdsa_sig_verify( - self._backend, self._public_key, self._signature, digest - ) - - -@utils.register_interface(ec.EllipticCurvePrivateKeyWithSerialization) -class _EllipticCurvePrivateKey(object): - def __init__(self, backend, ec_key_cdata, evp_pkey): - self._backend = backend - _mark_asn1_named_ec_curve(backend, ec_key_cdata) - self._ec_key = ec_key_cdata - self._evp_pkey = evp_pkey - - sn = _ec_key_curve_sn(backend, ec_key_cdata) - self._curve = _sn_to_elliptic_curve(backend, sn) - - curve = utils.read_only_property("_curve") - - @property - def key_size(self): - return self.curve.key_size - - def signer(self, signature_algorithm): - _warn_sign_verify_deprecated() - _check_signature_algorithm(signature_algorithm) - _check_not_prehashed(signature_algorithm.algorithm) - return _ECDSASignatureContext( - self._backend, self, signature_algorithm.algorithm - ) - - def exchange(self, algorithm, peer_public_key): - if not ( - self._backend.elliptic_curve_exchange_algorithm_supported( - algorithm, self.curve - ) - ): - raise UnsupportedAlgorithm( - "This backend does not support the ECDH algorithm.", - _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM - ) - - if peer_public_key.curve.name != self.curve.name: - raise ValueError( - "peer_public_key and self are not on the same curve" - ) - - group = self._backend._lib.EC_KEY_get0_group(self._ec_key) - z_len = (self._backend._lib.EC_GROUP_get_degree(group) + 7) // 8 - self._backend.openssl_assert(z_len > 0) - z_buf = self._backend._ffi.new("uint8_t[]", z_len) - peer_key = self._backend._lib.EC_KEY_get0_public_key( - peer_public_key._ec_key - ) - - r = self._backend._lib.ECDH_compute_key( - z_buf, z_len, peer_key, self._ec_key, self._backend._ffi.NULL - ) - self._backend.openssl_assert(r > 0) - return self._backend._ffi.buffer(z_buf)[:z_len] - - def public_key(self): - group = self._backend._lib.EC_KEY_get0_group(self._ec_key) - self._backend.openssl_assert(group != self._backend._ffi.NULL) - - curve_nid = self._backend._lib.EC_GROUP_get_curve_name(group) - - public_ec_key = self._backend._lib.EC_KEY_new_by_curve_name(curve_nid) - self._backend.openssl_assert(public_ec_key != self._backend._ffi.NULL) - public_ec_key = self._backend._ffi.gc( - public_ec_key, self._backend._lib.EC_KEY_free - ) - - point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key) - self._backend.openssl_assert(point != self._backend._ffi.NULL) - - res = self._backend._lib.EC_KEY_set_public_key(public_ec_key, point) - self._backend.openssl_assert(res == 1) - - evp_pkey = self._backend._ec_cdata_to_evp_pkey(public_ec_key) - - return _EllipticCurvePublicKey(self._backend, public_ec_key, evp_pkey) - - def private_numbers(self): - bn = self._backend._lib.EC_KEY_get0_private_key(self._ec_key) - private_value = self._backend._bn_to_int(bn) - return ec.EllipticCurvePrivateNumbers( - private_value=private_value, - public_numbers=self.public_key().public_numbers() - ) - - def private_bytes(self, encoding, format, encryption_algorithm): - return self._backend._private_key_bytes( - encoding, - format, - encryption_algorithm, - self._evp_pkey, - self._ec_key - ) - - def sign(self, data, signature_algorithm): - _check_signature_algorithm(signature_algorithm) - data, algorithm = _calculate_digest_and_algorithm( - self._backend, data, signature_algorithm._algorithm - ) - return _ecdsa_sig_sign(self._backend, self, data) - - -@utils.register_interface(ec.EllipticCurvePublicKeyWithSerialization) -class _EllipticCurvePublicKey(object): - def __init__(self, backend, ec_key_cdata, evp_pkey): - self._backend = backend - _mark_asn1_named_ec_curve(backend, ec_key_cdata) - self._ec_key = ec_key_cdata - self._evp_pkey = evp_pkey - - sn = _ec_key_curve_sn(backend, ec_key_cdata) - self._curve = _sn_to_elliptic_curve(backend, sn) - - curve = utils.read_only_property("_curve") - - @property - def key_size(self): - return self.curve.key_size - - def verifier(self, signature, signature_algorithm): - _warn_sign_verify_deprecated() - utils._check_bytes("signature", signature) - - _check_signature_algorithm(signature_algorithm) - _check_not_prehashed(signature_algorithm.algorithm) - return _ECDSAVerificationContext( - self._backend, self, signature, signature_algorithm.algorithm - ) - - def public_numbers(self): - get_func, group = ( - self._backend._ec_key_determine_group_get_func(self._ec_key) - ) - point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key) - self._backend.openssl_assert(point != self._backend._ffi.NULL) - - with self._backend._tmp_bn_ctx() as bn_ctx: - bn_x = self._backend._lib.BN_CTX_get(bn_ctx) - bn_y = self._backend._lib.BN_CTX_get(bn_ctx) - - res = get_func(group, point, bn_x, bn_y, bn_ctx) - self._backend.openssl_assert(res == 1) - - x = self._backend._bn_to_int(bn_x) - y = self._backend._bn_to_int(bn_y) - - return ec.EllipticCurvePublicNumbers( - x=x, - y=y, - curve=self._curve - ) - - def _encode_point(self, format): - if format is serialization.PublicFormat.CompressedPoint: - conversion = self._backend._lib.POINT_CONVERSION_COMPRESSED - else: - assert format is serialization.PublicFormat.UncompressedPoint - conversion = self._backend._lib.POINT_CONVERSION_UNCOMPRESSED - - group = self._backend._lib.EC_KEY_get0_group(self._ec_key) - self._backend.openssl_assert(group != self._backend._ffi.NULL) - point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key) - self._backend.openssl_assert(point != self._backend._ffi.NULL) - with self._backend._tmp_bn_ctx() as bn_ctx: - buflen = self._backend._lib.EC_POINT_point2oct( - group, point, conversion, self._backend._ffi.NULL, 0, bn_ctx - ) - self._backend.openssl_assert(buflen > 0) - buf = self._backend._ffi.new("char[]", buflen) - res = self._backend._lib.EC_POINT_point2oct( - group, point, conversion, buf, buflen, bn_ctx - ) - self._backend.openssl_assert(buflen == res) - - return self._backend._ffi.buffer(buf)[:] - - def public_bytes(self, encoding, format): - if format is serialization.PublicFormat.PKCS1: - raise ValueError( - "EC public keys do not support PKCS1 serialization" - ) - - if ( - encoding is serialization.Encoding.X962 or - format is serialization.PublicFormat.CompressedPoint or - format is serialization.PublicFormat.UncompressedPoint - ): - if ( - encoding is not serialization.Encoding.X962 or - format not in ( - serialization.PublicFormat.CompressedPoint, - serialization.PublicFormat.UncompressedPoint - ) - ): - raise ValueError( - "X962 encoding must be used with CompressedPoint or " - "UncompressedPoint format" - ) - - return self._encode_point(format) - else: - return self._backend._public_key_bytes( - encoding, - format, - self, - self._evp_pkey, - None - ) - - def verify(self, signature, data, signature_algorithm): - _check_signature_algorithm(signature_algorithm) - data, algorithm = _calculate_digest_and_algorithm( - self._backend, data, signature_algorithm._algorithm - ) - _ecdsa_sig_verify(self._backend, self, signature, data) diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ed25519.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ed25519.py @@ -1,151 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -from cryptography import exceptions, utils -from cryptography.hazmat.primitives import serialization -from cryptography.hazmat.primitives.asymmetric.ed25519 import ( - Ed25519PrivateKey, Ed25519PublicKey, _ED25519_KEY_SIZE, _ED25519_SIG_SIZE -) - - -@utils.register_interface(Ed25519PublicKey) -class _Ed25519PublicKey(object): - def __init__(self, backend, evp_pkey): - self._backend = backend - self._evp_pkey = evp_pkey - - def public_bytes(self, encoding, format): - if ( - encoding is serialization.Encoding.Raw or - format is serialization.PublicFormat.Raw - ): - if ( - encoding is not serialization.Encoding.Raw or - format is not serialization.PublicFormat.Raw - ): - raise ValueError( - "When using Raw both encoding and format must be Raw" - ) - - return self._raw_public_bytes() - - if ( - encoding in serialization._PEM_DER and - format is not serialization.PublicFormat.SubjectPublicKeyInfo - ): - raise ValueError( - "format must be SubjectPublicKeyInfo when encoding is PEM or " - "DER" - ) - - return self._backend._public_key_bytes( - encoding, format, self, self._evp_pkey, None - ) - - def _raw_public_bytes(self): - buf = self._backend._ffi.new("unsigned char []", _ED25519_KEY_SIZE) - buflen = self._backend._ffi.new("size_t *", _ED25519_KEY_SIZE) - res = self._backend._lib.EVP_PKEY_get_raw_public_key( - self._evp_pkey, buf, buflen - ) - self._backend.openssl_assert(res == 1) - self._backend.openssl_assert(buflen[0] == _ED25519_KEY_SIZE) - return self._backend._ffi.buffer(buf, _ED25519_KEY_SIZE)[:] - - def verify(self, signature, data): - evp_md_ctx = self._backend._lib.Cryptography_EVP_MD_CTX_new() - self._backend.openssl_assert(evp_md_ctx != self._backend._ffi.NULL) - evp_md_ctx = self._backend._ffi.gc( - evp_md_ctx, self._backend._lib.Cryptography_EVP_MD_CTX_free - ) - res = self._backend._lib.EVP_DigestVerifyInit( - evp_md_ctx, self._backend._ffi.NULL, self._backend._ffi.NULL, - self._backend._ffi.NULL, self._evp_pkey - ) - self._backend.openssl_assert(res == 1) - res = self._backend._lib.EVP_DigestVerify( - evp_md_ctx, signature, len(signature), data, len(data) - ) - if res != 1: - self._backend._consume_errors() - raise exceptions.InvalidSignature - - -@utils.register_interface(Ed25519PrivateKey) -class _Ed25519PrivateKey(object): - def __init__(self, backend, evp_pkey): - self._backend = backend - self._evp_pkey = evp_pkey - - def public_key(self): - buf = self._backend._ffi.new("unsigned char []", _ED25519_KEY_SIZE) - buflen = self._backend._ffi.new("size_t *", _ED25519_KEY_SIZE) - res = self._backend._lib.EVP_PKEY_get_raw_public_key( - self._evp_pkey, buf, buflen - ) - self._backend.openssl_assert(res == 1) - self._backend.openssl_assert(buflen[0] == _ED25519_KEY_SIZE) - public_bytes = self._backend._ffi.buffer(buf)[:] - return self._backend.ed25519_load_public_bytes(public_bytes) - - def sign(self, data): - evp_md_ctx = self._backend._lib.Cryptography_EVP_MD_CTX_new() - self._backend.openssl_assert(evp_md_ctx != self._backend._ffi.NULL) - evp_md_ctx = self._backend._ffi.gc( - evp_md_ctx, self._backend._lib.Cryptography_EVP_MD_CTX_free - ) - res = self._backend._lib.EVP_DigestSignInit( - evp_md_ctx, self._backend._ffi.NULL, self._backend._ffi.NULL, - self._backend._ffi.NULL, self._evp_pkey - ) - self._backend.openssl_assert(res == 1) - buf = self._backend._ffi.new("unsigned char[]", _ED25519_SIG_SIZE) - buflen = self._backend._ffi.new("size_t *", len(buf)) - res = self._backend._lib.EVP_DigestSign( - evp_md_ctx, buf, buflen, data, len(data) - ) - self._backend.openssl_assert(res == 1) - self._backend.openssl_assert(buflen[0] == _ED25519_SIG_SIZE) - return self._backend._ffi.buffer(buf, buflen[0])[:] - - def private_bytes(self, encoding, format, encryption_algorithm): - if ( - encoding is serialization.Encoding.Raw or - format is serialization.PublicFormat.Raw - ): - if ( - format is not serialization.PrivateFormat.Raw or - encoding is not serialization.Encoding.Raw or not - isinstance(encryption_algorithm, serialization.NoEncryption) - ): - raise ValueError( - "When using Raw both encoding and format must be Raw " - "and encryption_algorithm must be NoEncryption" - ) - - return self._raw_private_bytes() - - if ( - encoding in serialization._PEM_DER and - format is not serialization.PrivateFormat.PKCS8 - ): - raise ValueError( - "format must be PKCS8 when encoding is PEM or DER" - ) - - return self._backend._private_key_bytes( - encoding, format, encryption_algorithm, self._evp_pkey, None - ) - - def _raw_private_bytes(self): - buf = self._backend._ffi.new("unsigned char []", _ED25519_KEY_SIZE) - buflen = self._backend._ffi.new("size_t *", _ED25519_KEY_SIZE) - res = self._backend._lib.EVP_PKEY_get_raw_private_key( - self._evp_pkey, buf, buflen - ) - self._backend.openssl_assert(res == 1) - self._backend.openssl_assert(buflen[0] == _ED25519_KEY_SIZE) - return self._backend._ffi.buffer(buf, _ED25519_KEY_SIZE)[:] diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ed448.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ed448.py @@ -1,154 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -from cryptography import exceptions, utils -from cryptography.hazmat.primitives import serialization -from cryptography.hazmat.primitives.asymmetric.ed448 import ( - Ed448PrivateKey, Ed448PublicKey -) - -_ED448_KEY_SIZE = 57 -_ED448_SIG_SIZE = 114 - - -@utils.register_interface(Ed448PublicKey) -class _Ed448PublicKey(object): - def __init__(self, backend, evp_pkey): - self._backend = backend - self._evp_pkey = evp_pkey - - def public_bytes(self, encoding, format): - if ( - encoding is serialization.Encoding.Raw or - format is serialization.PublicFormat.Raw - ): - if ( - encoding is not serialization.Encoding.Raw or - format is not serialization.PublicFormat.Raw - ): - raise ValueError( - "When using Raw both encoding and format must be Raw" - ) - - return self._raw_public_bytes() - - if ( - encoding in serialization._PEM_DER and - format is not serialization.PublicFormat.SubjectPublicKeyInfo - ): - raise ValueError( - "format must be SubjectPublicKeyInfo when encoding is PEM or " - "DER" - ) - - return self._backend._public_key_bytes( - encoding, format, self, self._evp_pkey, None - ) - - def _raw_public_bytes(self): - buf = self._backend._ffi.new("unsigned char []", _ED448_KEY_SIZE) - buflen = self._backend._ffi.new("size_t *", _ED448_KEY_SIZE) - res = self._backend._lib.EVP_PKEY_get_raw_public_key( - self._evp_pkey, buf, buflen - ) - self._backend.openssl_assert(res == 1) - self._backend.openssl_assert(buflen[0] == _ED448_KEY_SIZE) - return self._backend._ffi.buffer(buf, _ED448_KEY_SIZE)[:] - - def verify(self, signature, data): - evp_md_ctx = self._backend._lib.Cryptography_EVP_MD_CTX_new() - self._backend.openssl_assert(evp_md_ctx != self._backend._ffi.NULL) - evp_md_ctx = self._backend._ffi.gc( - evp_md_ctx, self._backend._lib.Cryptography_EVP_MD_CTX_free - ) - res = self._backend._lib.EVP_DigestVerifyInit( - evp_md_ctx, self._backend._ffi.NULL, self._backend._ffi.NULL, - self._backend._ffi.NULL, self._evp_pkey - ) - self._backend.openssl_assert(res == 1) - res = self._backend._lib.EVP_DigestVerify( - evp_md_ctx, signature, len(signature), data, len(data) - ) - if res != 1: - self._backend._consume_errors() - raise exceptions.InvalidSignature - - -@utils.register_interface(Ed448PrivateKey) -class _Ed448PrivateKey(object): - def __init__(self, backend, evp_pkey): - self._backend = backend - self._evp_pkey = evp_pkey - - def public_key(self): - buf = self._backend._ffi.new("unsigned char []", _ED448_KEY_SIZE) - buflen = self._backend._ffi.new("size_t *", _ED448_KEY_SIZE) - res = self._backend._lib.EVP_PKEY_get_raw_public_key( - self._evp_pkey, buf, buflen - ) - self._backend.openssl_assert(res == 1) - self._backend.openssl_assert(buflen[0] == _ED448_KEY_SIZE) - public_bytes = self._backend._ffi.buffer(buf)[:] - return self._backend.ed448_load_public_bytes(public_bytes) - - def sign(self, data): - evp_md_ctx = self._backend._lib.Cryptography_EVP_MD_CTX_new() - self._backend.openssl_assert(evp_md_ctx != self._backend._ffi.NULL) - evp_md_ctx = self._backend._ffi.gc( - evp_md_ctx, self._backend._lib.Cryptography_EVP_MD_CTX_free - ) - res = self._backend._lib.EVP_DigestSignInit( - evp_md_ctx, self._backend._ffi.NULL, self._backend._ffi.NULL, - self._backend._ffi.NULL, self._evp_pkey - ) - self._backend.openssl_assert(res == 1) - buf = self._backend._ffi.new("unsigned char[]", _ED448_SIG_SIZE) - buflen = self._backend._ffi.new("size_t *", len(buf)) - res = self._backend._lib.EVP_DigestSign( - evp_md_ctx, buf, buflen, data, len(data) - ) - self._backend.openssl_assert(res == 1) - self._backend.openssl_assert(buflen[0] == _ED448_SIG_SIZE) - return self._backend._ffi.buffer(buf, buflen[0])[:] - - def private_bytes(self, encoding, format, encryption_algorithm): - if ( - encoding is serialization.Encoding.Raw or - format is serialization.PublicFormat.Raw - ): - if ( - format is not serialization.PrivateFormat.Raw or - encoding is not serialization.Encoding.Raw or not - isinstance(encryption_algorithm, serialization.NoEncryption) - ): - raise ValueError( - "When using Raw both encoding and format must be Raw " - "and encryption_algorithm must be NoEncryption" - ) - - return self._raw_private_bytes() - - if ( - encoding in serialization._PEM_DER and - format is not serialization.PrivateFormat.PKCS8 - ): - raise ValueError( - "format must be PKCS8 when encoding is PEM or DER" - ) - - return self._backend._private_key_bytes( - encoding, format, encryption_algorithm, self._evp_pkey, None - ) - - def _raw_private_bytes(self): - buf = self._backend._ffi.new("unsigned char []", _ED448_KEY_SIZE) - buflen = self._backend._ffi.new("size_t *", _ED448_KEY_SIZE) - res = self._backend._lib.EVP_PKEY_get_raw_private_key( - self._evp_pkey, buf, buflen - ) - self._backend.openssl_assert(res == 1) - self._backend.openssl_assert(buflen[0] == _ED448_KEY_SIZE) - return self._backend._ffi.buffer(buf, _ED448_KEY_SIZE)[:] diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/encode_asn1.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/encode_asn1.py @@ -1,657 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import calendar -import ipaddress - -import six - -from cryptography import utils, x509 -from cryptography.hazmat.backends.openssl.decode_asn1 import ( - _CRL_ENTRY_REASON_ENUM_TO_CODE, _DISTPOINT_TYPE_FULLNAME, - _DISTPOINT_TYPE_RELATIVENAME -) -from cryptography.x509.name import _ASN1Type -from cryptography.x509.oid import ( - CRLEntryExtensionOID, ExtensionOID, OCSPExtensionOID, -) - - -def _encode_asn1_int(backend, x): - """ - Converts a python integer to an ASN1_INTEGER. The returned ASN1_INTEGER - will not be garbage collected (to support adding them to structs that take - ownership of the object). Be sure to register it for GC if it will be - discarded after use. - - """ - # Convert Python integer to OpenSSL "bignum" in case value exceeds - # machine's native integer limits (note: `int_to_bn` doesn't automatically - # GC). - i = backend._int_to_bn(x) - i = backend._ffi.gc(i, backend._lib.BN_free) - - # Wrap in an ASN.1 integer. Don't GC -- as documented. - i = backend._lib.BN_to_ASN1_INTEGER(i, backend._ffi.NULL) - backend.openssl_assert(i != backend._ffi.NULL) - return i - - -def _encode_asn1_int_gc(backend, x): - i = _encode_asn1_int(backend, x) - i = backend._ffi.gc(i, backend._lib.ASN1_INTEGER_free) - return i - - -def _encode_asn1_str(backend, data): - """ - Create an ASN1_OCTET_STRING from a Python byte string. - """ - s = backend._lib.ASN1_OCTET_STRING_new() - res = backend._lib.ASN1_OCTET_STRING_set(s, data, len(data)) - backend.openssl_assert(res == 1) - return s - - -def _encode_asn1_utf8_str(backend, string): - """ - Create an ASN1_UTF8STRING from a Python unicode string. - This object will be an ASN1_STRING with UTF8 type in OpenSSL and - can be decoded with ASN1_STRING_to_UTF8. - """ - s = backend._lib.ASN1_UTF8STRING_new() - res = backend._lib.ASN1_STRING_set( - s, string.encode("utf8"), len(string.encode("utf8")) - ) - backend.openssl_assert(res == 1) - return s - - -def _encode_asn1_str_gc(backend, data): - s = _encode_asn1_str(backend, data) - s = backend._ffi.gc(s, backend._lib.ASN1_OCTET_STRING_free) - return s - - -def _encode_inhibit_any_policy(backend, inhibit_any_policy): - return _encode_asn1_int_gc(backend, inhibit_any_policy.skip_certs) - - -def _encode_name(backend, name): - """ - The X509_NAME created will not be gc'd. Use _encode_name_gc if needed. - """ - subject = backend._lib.X509_NAME_new() - for rdn in name.rdns: - set_flag = 0 # indicate whether to add to last RDN or create new RDN - for attribute in rdn: - name_entry = _encode_name_entry(backend, attribute) - # X509_NAME_add_entry dups the object so we need to gc this copy - name_entry = backend._ffi.gc( - name_entry, backend._lib.X509_NAME_ENTRY_free - ) - res = backend._lib.X509_NAME_add_entry( - subject, name_entry, -1, set_flag) - backend.openssl_assert(res == 1) - set_flag = -1 - return subject - - -def _encode_name_gc(backend, attributes): - subject = _encode_name(backend, attributes) - subject = backend._ffi.gc(subject, backend._lib.X509_NAME_free) - return subject - - -def _encode_sk_name_entry(backend, attributes): - """ - The sk_X509_NAME_ENTRY created will not be gc'd. - """ - stack = backend._lib.sk_X509_NAME_ENTRY_new_null() - for attribute in attributes: - name_entry = _encode_name_entry(backend, attribute) - res = backend._lib.sk_X509_NAME_ENTRY_push(stack, name_entry) - backend.openssl_assert(res >= 1) - return stack - - -def _encode_name_entry(backend, attribute): - if attribute._type is _ASN1Type.BMPString: - value = attribute.value.encode('utf_16_be') - else: - value = attribute.value.encode('utf8') - - obj = _txt2obj_gc(backend, attribute.oid.dotted_string) - - name_entry = backend._lib.X509_NAME_ENTRY_create_by_OBJ( - backend._ffi.NULL, obj, attribute._type.value, value, len(value) - ) - return name_entry - - -def _encode_crl_number_delta_crl_indicator(backend, ext): - return _encode_asn1_int_gc(backend, ext.crl_number) - - -def _encode_issuing_dist_point(backend, ext): - idp = backend._lib.ISSUING_DIST_POINT_new() - backend.openssl_assert(idp != backend._ffi.NULL) - idp = backend._ffi.gc(idp, backend._lib.ISSUING_DIST_POINT_free) - idp.onlyuser = 255 if ext.only_contains_user_certs else 0 - idp.onlyCA = 255 if ext.only_contains_ca_certs else 0 - idp.indirectCRL = 255 if ext.indirect_crl else 0 - idp.onlyattr = 255 if ext.only_contains_attribute_certs else 0 - if ext.only_some_reasons: - idp.onlysomereasons = _encode_reasonflags( - backend, ext.only_some_reasons - ) - - if ext.full_name: - idp.distpoint = _encode_full_name(backend, ext.full_name) - - if ext.relative_name: - idp.distpoint = _encode_relative_name(backend, ext.relative_name) - - return idp - - -def _encode_crl_reason(backend, crl_reason): - asn1enum = backend._lib.ASN1_ENUMERATED_new() - backend.openssl_assert(asn1enum != backend._ffi.NULL) - asn1enum = backend._ffi.gc(asn1enum, backend._lib.ASN1_ENUMERATED_free) - res = backend._lib.ASN1_ENUMERATED_set( - asn1enum, _CRL_ENTRY_REASON_ENUM_TO_CODE[crl_reason.reason] - ) - backend.openssl_assert(res == 1) - - return asn1enum - - -def _encode_invalidity_date(backend, invalidity_date): - time = backend._lib.ASN1_GENERALIZEDTIME_set( - backend._ffi.NULL, calendar.timegm( - invalidity_date.invalidity_date.timetuple() - ) - ) - backend.openssl_assert(time != backend._ffi.NULL) - time = backend._ffi.gc(time, backend._lib.ASN1_GENERALIZEDTIME_free) - - return time - - -def _encode_certificate_policies(backend, certificate_policies): - cp = backend._lib.sk_POLICYINFO_new_null() - backend.openssl_assert(cp != backend._ffi.NULL) - cp = backend._ffi.gc(cp, backend._lib.sk_POLICYINFO_free) - for policy_info in certificate_policies: - pi = backend._lib.POLICYINFO_new() - backend.openssl_assert(pi != backend._ffi.NULL) - res = backend._lib.sk_POLICYINFO_push(cp, pi) - backend.openssl_assert(res >= 1) - oid = _txt2obj(backend, policy_info.policy_identifier.dotted_string) - pi.policyid = oid - if policy_info.policy_qualifiers: - pqis = backend._lib.sk_POLICYQUALINFO_new_null() - backend.openssl_assert(pqis != backend._ffi.NULL) - for qualifier in policy_info.policy_qualifiers: - pqi = backend._lib.POLICYQUALINFO_new() - backend.openssl_assert(pqi != backend._ffi.NULL) - res = backend._lib.sk_POLICYQUALINFO_push(pqis, pqi) - backend.openssl_assert(res >= 1) - if isinstance(qualifier, six.text_type): - pqi.pqualid = _txt2obj( - backend, x509.OID_CPS_QUALIFIER.dotted_string - ) - pqi.d.cpsuri = _encode_asn1_str( - backend, - qualifier.encode("ascii"), - ) - else: - assert isinstance(qualifier, x509.UserNotice) - pqi.pqualid = _txt2obj( - backend, x509.OID_CPS_USER_NOTICE.dotted_string - ) - un = backend._lib.USERNOTICE_new() - backend.openssl_assert(un != backend._ffi.NULL) - pqi.d.usernotice = un - if qualifier.explicit_text: - un.exptext = _encode_asn1_utf8_str( - backend, qualifier.explicit_text - ) - - un.noticeref = _encode_notice_reference( - backend, qualifier.notice_reference - ) - - pi.qualifiers = pqis - - return cp - - -def _encode_notice_reference(backend, notice): - if notice is None: - return backend._ffi.NULL - else: - nr = backend._lib.NOTICEREF_new() - backend.openssl_assert(nr != backend._ffi.NULL) - # organization is a required field - nr.organization = _encode_asn1_utf8_str(backend, notice.organization) - - notice_stack = backend._lib.sk_ASN1_INTEGER_new_null() - nr.noticenos = notice_stack - for number in notice.notice_numbers: - num = _encode_asn1_int(backend, number) - res = backend._lib.sk_ASN1_INTEGER_push(notice_stack, num) - backend.openssl_assert(res >= 1) - - return nr - - -def _txt2obj(backend, name): - """ - Converts a Python string with an ASN.1 object ID in dotted form to a - ASN1_OBJECT. - """ - name = name.encode('ascii') - obj = backend._lib.OBJ_txt2obj(name, 1) - backend.openssl_assert(obj != backend._ffi.NULL) - return obj - - -def _txt2obj_gc(backend, name): - obj = _txt2obj(backend, name) - obj = backend._ffi.gc(obj, backend._lib.ASN1_OBJECT_free) - return obj - - -def _encode_ocsp_nocheck(backend, ext): - # Doesn't need to be GC'd - return backend._lib.ASN1_NULL_new() - - -def _encode_key_usage(backend, key_usage): - set_bit = backend._lib.ASN1_BIT_STRING_set_bit - ku = backend._lib.ASN1_BIT_STRING_new() - ku = backend._ffi.gc(ku, backend._lib.ASN1_BIT_STRING_free) - res = set_bit(ku, 0, key_usage.digital_signature) - backend.openssl_assert(res == 1) - res = set_bit(ku, 1, key_usage.content_commitment) - backend.openssl_assert(res == 1) - res = set_bit(ku, 2, key_usage.key_encipherment) - backend.openssl_assert(res == 1) - res = set_bit(ku, 3, key_usage.data_encipherment) - backend.openssl_assert(res == 1) - res = set_bit(ku, 4, key_usage.key_agreement) - backend.openssl_assert(res == 1) - res = set_bit(ku, 5, key_usage.key_cert_sign) - backend.openssl_assert(res == 1) - res = set_bit(ku, 6, key_usage.crl_sign) - backend.openssl_assert(res == 1) - if key_usage.key_agreement: - res = set_bit(ku, 7, key_usage.encipher_only) - backend.openssl_assert(res == 1) - res = set_bit(ku, 8, key_usage.decipher_only) - backend.openssl_assert(res == 1) - else: - res = set_bit(ku, 7, 0) - backend.openssl_assert(res == 1) - res = set_bit(ku, 8, 0) - backend.openssl_assert(res == 1) - - return ku - - -def _encode_authority_key_identifier(backend, authority_keyid): - akid = backend._lib.AUTHORITY_KEYID_new() - backend.openssl_assert(akid != backend._ffi.NULL) - akid = backend._ffi.gc(akid, backend._lib.AUTHORITY_KEYID_free) - if authority_keyid.key_identifier is not None: - akid.keyid = _encode_asn1_str( - backend, - authority_keyid.key_identifier, - ) - - if authority_keyid.authority_cert_issuer is not None: - akid.issuer = _encode_general_names( - backend, authority_keyid.authority_cert_issuer - ) - - if authority_keyid.authority_cert_serial_number is not None: - akid.serial = _encode_asn1_int( - backend, authority_keyid.authority_cert_serial_number - ) - - return akid - - -def _encode_basic_constraints(backend, basic_constraints): - constraints = backend._lib.BASIC_CONSTRAINTS_new() - constraints = backend._ffi.gc( - constraints, backend._lib.BASIC_CONSTRAINTS_free - ) - constraints.ca = 255 if basic_constraints.ca else 0 - if basic_constraints.ca and basic_constraints.path_length is not None: - constraints.pathlen = _encode_asn1_int( - backend, basic_constraints.path_length - ) - - return constraints - - -def _encode_authority_information_access(backend, authority_info_access): - aia = backend._lib.sk_ACCESS_DESCRIPTION_new_null() - backend.openssl_assert(aia != backend._ffi.NULL) - aia = backend._ffi.gc( - aia, - lambda x: backend._lib.sk_ACCESS_DESCRIPTION_pop_free( - x, backend._ffi.addressof( - backend._lib._original_lib, "ACCESS_DESCRIPTION_free" - ) - ) - ) - for access_description in authority_info_access: - ad = backend._lib.ACCESS_DESCRIPTION_new() - method = _txt2obj( - backend, access_description.access_method.dotted_string - ) - _encode_general_name_preallocated( - backend, access_description.access_location, ad.location - ) - ad.method = method - res = backend._lib.sk_ACCESS_DESCRIPTION_push(aia, ad) - backend.openssl_assert(res >= 1) - - return aia - - -def _encode_general_names(backend, names): - general_names = backend._lib.GENERAL_NAMES_new() - backend.openssl_assert(general_names != backend._ffi.NULL) - for name in names: - gn = _encode_general_name(backend, name) - res = backend._lib.sk_GENERAL_NAME_push(general_names, gn) - backend.openssl_assert(res != 0) - - return general_names - - -def _encode_alt_name(backend, san): - general_names = _encode_general_names(backend, san) - general_names = backend._ffi.gc( - general_names, backend._lib.GENERAL_NAMES_free - ) - return general_names - - -def _encode_subject_key_identifier(backend, ski): - return _encode_asn1_str_gc(backend, ski.digest) - - -def _encode_general_name(backend, name): - gn = backend._lib.GENERAL_NAME_new() - _encode_general_name_preallocated(backend, name, gn) - return gn - - -def _encode_general_name_preallocated(backend, name, gn): - if isinstance(name, x509.DNSName): - backend.openssl_assert(gn != backend._ffi.NULL) - gn.type = backend._lib.GEN_DNS - - ia5 = backend._lib.ASN1_IA5STRING_new() - backend.openssl_assert(ia5 != backend._ffi.NULL) - # ia5strings are supposed to be ITU T.50 but to allow round-tripping - # of broken certs that encode utf8 we'll encode utf8 here too. - value = name.value.encode("utf8") - - res = backend._lib.ASN1_STRING_set(ia5, value, len(value)) - backend.openssl_assert(res == 1) - gn.d.dNSName = ia5 - elif isinstance(name, x509.RegisteredID): - backend.openssl_assert(gn != backend._ffi.NULL) - gn.type = backend._lib.GEN_RID - obj = backend._lib.OBJ_txt2obj( - name.value.dotted_string.encode('ascii'), 1 - ) - backend.openssl_assert(obj != backend._ffi.NULL) - gn.d.registeredID = obj - elif isinstance(name, x509.DirectoryName): - backend.openssl_assert(gn != backend._ffi.NULL) - dir_name = _encode_name(backend, name.value) - gn.type = backend._lib.GEN_DIRNAME - gn.d.directoryName = dir_name - elif isinstance(name, x509.IPAddress): - backend.openssl_assert(gn != backend._ffi.NULL) - if isinstance(name.value, ipaddress.IPv4Network): - packed = ( - name.value.network_address.packed + - utils.int_to_bytes(((1 << 32) - name.value.num_addresses), 4) - ) - elif isinstance(name.value, ipaddress.IPv6Network): - packed = ( - name.value.network_address.packed + - utils.int_to_bytes((1 << 128) - name.value.num_addresses, 16) - ) - else: - packed = name.value.packed - ipaddr = _encode_asn1_str(backend, packed) - gn.type = backend._lib.GEN_IPADD - gn.d.iPAddress = ipaddr - elif isinstance(name, x509.OtherName): - backend.openssl_assert(gn != backend._ffi.NULL) - other_name = backend._lib.OTHERNAME_new() - backend.openssl_assert(other_name != backend._ffi.NULL) - - type_id = backend._lib.OBJ_txt2obj( - name.type_id.dotted_string.encode('ascii'), 1 - ) - backend.openssl_assert(type_id != backend._ffi.NULL) - data = backend._ffi.new("unsigned char[]", name.value) - data_ptr_ptr = backend._ffi.new("unsigned char **") - data_ptr_ptr[0] = data - value = backend._lib.d2i_ASN1_TYPE( - backend._ffi.NULL, data_ptr_ptr, len(name.value) - ) - if value == backend._ffi.NULL: - backend._consume_errors() - raise ValueError("Invalid ASN.1 data") - other_name.type_id = type_id - other_name.value = value - gn.type = backend._lib.GEN_OTHERNAME - gn.d.otherName = other_name - elif isinstance(name, x509.RFC822Name): - backend.openssl_assert(gn != backend._ffi.NULL) - # ia5strings are supposed to be ITU T.50 but to allow round-tripping - # of broken certs that encode utf8 we'll encode utf8 here too. - data = name.value.encode("utf8") - asn1_str = _encode_asn1_str(backend, data) - gn.type = backend._lib.GEN_EMAIL - gn.d.rfc822Name = asn1_str - elif isinstance(name, x509.UniformResourceIdentifier): - backend.openssl_assert(gn != backend._ffi.NULL) - # ia5strings are supposed to be ITU T.50 but to allow round-tripping - # of broken certs that encode utf8 we'll encode utf8 here too. - data = name.value.encode("utf8") - asn1_str = _encode_asn1_str(backend, data) - gn.type = backend._lib.GEN_URI - gn.d.uniformResourceIdentifier = asn1_str - else: - raise ValueError( - "{} is an unknown GeneralName type".format(name) - ) - - -def _encode_extended_key_usage(backend, extended_key_usage): - eku = backend._lib.sk_ASN1_OBJECT_new_null() - eku = backend._ffi.gc(eku, backend._lib.sk_ASN1_OBJECT_free) - for oid in extended_key_usage: - obj = _txt2obj(backend, oid.dotted_string) - res = backend._lib.sk_ASN1_OBJECT_push(eku, obj) - backend.openssl_assert(res >= 1) - - return eku - - -_CRLREASONFLAGS = { - x509.ReasonFlags.key_compromise: 1, - x509.ReasonFlags.ca_compromise: 2, - x509.ReasonFlags.affiliation_changed: 3, - x509.ReasonFlags.superseded: 4, - x509.ReasonFlags.cessation_of_operation: 5, - x509.ReasonFlags.certificate_hold: 6, - x509.ReasonFlags.privilege_withdrawn: 7, - x509.ReasonFlags.aa_compromise: 8, -} - - -def _encode_reasonflags(backend, reasons): - bitmask = backend._lib.ASN1_BIT_STRING_new() - backend.openssl_assert(bitmask != backend._ffi.NULL) - for reason in reasons: - res = backend._lib.ASN1_BIT_STRING_set_bit( - bitmask, _CRLREASONFLAGS[reason], 1 - ) - backend.openssl_assert(res == 1) - - return bitmask - - -def _encode_full_name(backend, full_name): - dpn = backend._lib.DIST_POINT_NAME_new() - backend.openssl_assert(dpn != backend._ffi.NULL) - dpn.type = _DISTPOINT_TYPE_FULLNAME - dpn.name.fullname = _encode_general_names(backend, full_name) - return dpn - - -def _encode_relative_name(backend, relative_name): - dpn = backend._lib.DIST_POINT_NAME_new() - backend.openssl_assert(dpn != backend._ffi.NULL) - dpn.type = _DISTPOINT_TYPE_RELATIVENAME - dpn.name.relativename = _encode_sk_name_entry(backend, relative_name) - return dpn - - -def _encode_cdps_freshest_crl(backend, cdps): - cdp = backend._lib.sk_DIST_POINT_new_null() - cdp = backend._ffi.gc(cdp, backend._lib.sk_DIST_POINT_free) - for point in cdps: - dp = backend._lib.DIST_POINT_new() - backend.openssl_assert(dp != backend._ffi.NULL) - - if point.reasons: - dp.reasons = _encode_reasonflags(backend, point.reasons) - - if point.full_name: - dp.distpoint = _encode_full_name(backend, point.full_name) - - if point.relative_name: - dp.distpoint = _encode_relative_name(backend, point.relative_name) - - if point.crl_issuer: - dp.CRLissuer = _encode_general_names(backend, point.crl_issuer) - - res = backend._lib.sk_DIST_POINT_push(cdp, dp) - backend.openssl_assert(res >= 1) - - return cdp - - -def _encode_name_constraints(backend, name_constraints): - nc = backend._lib.NAME_CONSTRAINTS_new() - backend.openssl_assert(nc != backend._ffi.NULL) - nc = backend._ffi.gc(nc, backend._lib.NAME_CONSTRAINTS_free) - permitted = _encode_general_subtree( - backend, name_constraints.permitted_subtrees - ) - nc.permittedSubtrees = permitted - excluded = _encode_general_subtree( - backend, name_constraints.excluded_subtrees - ) - nc.excludedSubtrees = excluded - - return nc - - -def _encode_policy_constraints(backend, policy_constraints): - pc = backend._lib.POLICY_CONSTRAINTS_new() - backend.openssl_assert(pc != backend._ffi.NULL) - pc = backend._ffi.gc(pc, backend._lib.POLICY_CONSTRAINTS_free) - if policy_constraints.require_explicit_policy is not None: - pc.requireExplicitPolicy = _encode_asn1_int( - backend, policy_constraints.require_explicit_policy - ) - - if policy_constraints.inhibit_policy_mapping is not None: - pc.inhibitPolicyMapping = _encode_asn1_int( - backend, policy_constraints.inhibit_policy_mapping - ) - - return pc - - -def _encode_general_subtree(backend, subtrees): - if subtrees is None: - return backend._ffi.NULL - else: - general_subtrees = backend._lib.sk_GENERAL_SUBTREE_new_null() - for name in subtrees: - gs = backend._lib.GENERAL_SUBTREE_new() - gs.base = _encode_general_name(backend, name) - res = backend._lib.sk_GENERAL_SUBTREE_push(general_subtrees, gs) - assert res >= 1 - - return general_subtrees - - -def _encode_nonce(backend, nonce): - return _encode_asn1_str_gc(backend, nonce.nonce) - - -_EXTENSION_ENCODE_HANDLERS = { - ExtensionOID.BASIC_CONSTRAINTS: _encode_basic_constraints, - ExtensionOID.SUBJECT_KEY_IDENTIFIER: _encode_subject_key_identifier, - ExtensionOID.KEY_USAGE: _encode_key_usage, - ExtensionOID.SUBJECT_ALTERNATIVE_NAME: _encode_alt_name, - ExtensionOID.ISSUER_ALTERNATIVE_NAME: _encode_alt_name, - ExtensionOID.EXTENDED_KEY_USAGE: _encode_extended_key_usage, - ExtensionOID.AUTHORITY_KEY_IDENTIFIER: _encode_authority_key_identifier, - ExtensionOID.CERTIFICATE_POLICIES: _encode_certificate_policies, - ExtensionOID.AUTHORITY_INFORMATION_ACCESS: ( - _encode_authority_information_access - ), - ExtensionOID.CRL_DISTRIBUTION_POINTS: _encode_cdps_freshest_crl, - ExtensionOID.FRESHEST_CRL: _encode_cdps_freshest_crl, - ExtensionOID.INHIBIT_ANY_POLICY: _encode_inhibit_any_policy, - ExtensionOID.OCSP_NO_CHECK: _encode_ocsp_nocheck, - ExtensionOID.NAME_CONSTRAINTS: _encode_name_constraints, - ExtensionOID.POLICY_CONSTRAINTS: _encode_policy_constraints, -} - -_CRL_EXTENSION_ENCODE_HANDLERS = { - ExtensionOID.ISSUER_ALTERNATIVE_NAME: _encode_alt_name, - ExtensionOID.AUTHORITY_KEY_IDENTIFIER: _encode_authority_key_identifier, - ExtensionOID.AUTHORITY_INFORMATION_ACCESS: ( - _encode_authority_information_access - ), - ExtensionOID.CRL_NUMBER: _encode_crl_number_delta_crl_indicator, - ExtensionOID.DELTA_CRL_INDICATOR: _encode_crl_number_delta_crl_indicator, - ExtensionOID.ISSUING_DISTRIBUTION_POINT: _encode_issuing_dist_point, -} - -_CRL_ENTRY_EXTENSION_ENCODE_HANDLERS = { - CRLEntryExtensionOID.CERTIFICATE_ISSUER: _encode_alt_name, - CRLEntryExtensionOID.CRL_REASON: _encode_crl_reason, - CRLEntryExtensionOID.INVALIDITY_DATE: _encode_invalidity_date, -} - -_OCSP_REQUEST_EXTENSION_ENCODE_HANDLERS = { - OCSPExtensionOID.NONCE: _encode_nonce, -} - -_OCSP_BASICRESP_EXTENSION_ENCODE_HANDLERS = { - OCSPExtensionOID.NONCE: _encode_nonce, -} diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/hashes.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/hashes.py @@ -1,78 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - - -from cryptography import utils -from cryptography.exceptions import UnsupportedAlgorithm, _Reasons -from cryptography.hazmat.primitives import hashes - - -@utils.register_interface(hashes.HashContext) -class _HashContext(object): - def __init__(self, backend, algorithm, ctx=None): - self._algorithm = algorithm - - self._backend = backend - - if ctx is None: - ctx = self._backend._lib.Cryptography_EVP_MD_CTX_new() - ctx = self._backend._ffi.gc( - ctx, self._backend._lib.Cryptography_EVP_MD_CTX_free - ) - evp_md = self._backend._evp_md_from_algorithm(algorithm) - if evp_md == self._backend._ffi.NULL: - raise UnsupportedAlgorithm( - "{} is not a supported hash on this backend.".format( - algorithm.name), - _Reasons.UNSUPPORTED_HASH - ) - res = self._backend._lib.EVP_DigestInit_ex(ctx, evp_md, - self._backend._ffi.NULL) - self._backend.openssl_assert(res != 0) - - self._ctx = ctx - - algorithm = utils.read_only_property("_algorithm") - - def copy(self): - copied_ctx = self._backend._lib.Cryptography_EVP_MD_CTX_new() - copied_ctx = self._backend._ffi.gc( - copied_ctx, self._backend._lib.Cryptography_EVP_MD_CTX_free - ) - res = self._backend._lib.EVP_MD_CTX_copy_ex(copied_ctx, self._ctx) - self._backend.openssl_assert(res != 0) - return _HashContext(self._backend, self.algorithm, ctx=copied_ctx) - - def update(self, data): - data_ptr = self._backend._ffi.from_buffer(data) - res = self._backend._lib.EVP_DigestUpdate( - self._ctx, data_ptr, len(data) - ) - self._backend.openssl_assert(res != 0) - - def finalize(self): - if isinstance(self.algorithm, hashes.ExtendableOutputFunction): - # extendable output functions use a different finalize - return self._finalize_xof() - else: - buf = self._backend._ffi.new("unsigned char[]", - self._backend._lib.EVP_MAX_MD_SIZE) - outlen = self._backend._ffi.new("unsigned int *") - res = self._backend._lib.EVP_DigestFinal_ex(self._ctx, buf, outlen) - self._backend.openssl_assert(res != 0) - self._backend.openssl_assert( - outlen[0] == self.algorithm.digest_size - ) - return self._backend._ffi.buffer(buf)[:outlen[0]] - - def _finalize_xof(self): - buf = self._backend._ffi.new("unsigned char[]", - self.algorithm.digest_size) - res = self._backend._lib.EVP_DigestFinalXOF( - self._ctx, buf, self.algorithm.digest_size - ) - self._backend.openssl_assert(res != 0) - return self._backend._ffi.buffer(buf)[:self.algorithm.digest_size] diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/hmac.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/hmac.py @@ -1,74 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - - -from cryptography import utils -from cryptography.exceptions import ( - InvalidSignature, UnsupportedAlgorithm, _Reasons -) -from cryptography.hazmat.primitives import constant_time, hashes - - -@utils.register_interface(hashes.HashContext) -class _HMACContext(object): - def __init__(self, backend, key, algorithm, ctx=None): - self._algorithm = algorithm - self._backend = backend - - if ctx is None: - ctx = self._backend._lib.Cryptography_HMAC_CTX_new() - self._backend.openssl_assert(ctx != self._backend._ffi.NULL) - ctx = self._backend._ffi.gc( - ctx, self._backend._lib.Cryptography_HMAC_CTX_free - ) - evp_md = self._backend._evp_md_from_algorithm(algorithm) - if evp_md == self._backend._ffi.NULL: - raise UnsupportedAlgorithm( - "{} is not a supported hash on this backend".format( - algorithm.name), - _Reasons.UNSUPPORTED_HASH - ) - key_ptr = self._backend._ffi.from_buffer(key) - res = self._backend._lib.HMAC_Init_ex( - ctx, key_ptr, len(key), evp_md, self._backend._ffi.NULL - ) - self._backend.openssl_assert(res != 0) - - self._ctx = ctx - self._key = key - - algorithm = utils.read_only_property("_algorithm") - - def copy(self): - copied_ctx = self._backend._lib.Cryptography_HMAC_CTX_new() - self._backend.openssl_assert(copied_ctx != self._backend._ffi.NULL) - copied_ctx = self._backend._ffi.gc( - copied_ctx, self._backend._lib.Cryptography_HMAC_CTX_free - ) - res = self._backend._lib.HMAC_CTX_copy(copied_ctx, self._ctx) - self._backend.openssl_assert(res != 0) - return _HMACContext( - self._backend, self._key, self.algorithm, ctx=copied_ctx - ) - - def update(self, data): - data_ptr = self._backend._ffi.from_buffer(data) - res = self._backend._lib.HMAC_Update(self._ctx, data_ptr, len(data)) - self._backend.openssl_assert(res != 0) - - def finalize(self): - buf = self._backend._ffi.new("unsigned char[]", - self._backend._lib.EVP_MAX_MD_SIZE) - outlen = self._backend._ffi.new("unsigned int *") - res = self._backend._lib.HMAC_Final(self._ctx, buf, outlen) - self._backend.openssl_assert(res != 0) - self._backend.openssl_assert(outlen[0] == self.algorithm.digest_size) - return self._backend._ffi.buffer(buf)[:outlen[0]] - - def verify(self, signature): - digest = self.finalize() - if not constant_time.bytes_eq(digest, signature): - raise InvalidSignature("Signature did not match digest.") diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ocsp.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ocsp.py @@ -1,381 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import functools - -from cryptography import utils, x509 -from cryptography.exceptions import UnsupportedAlgorithm -from cryptography.hazmat.backends.openssl.decode_asn1 import ( - _CRL_ENTRY_REASON_CODE_TO_ENUM, _OCSP_BASICRESP_EXT_PARSER, - _OCSP_REQ_EXT_PARSER, _asn1_integer_to_int, - _asn1_string_to_bytes, _decode_x509_name, _obj2txt, - _parse_asn1_generalized_time, -) -from cryptography.hazmat.backends.openssl.x509 import _Certificate -from cryptography.hazmat.primitives import serialization -from cryptography.x509.ocsp import ( - OCSPCertStatus, OCSPRequest, OCSPResponse, OCSPResponseStatus, - _CERT_STATUS_TO_ENUM, _OIDS_TO_HASH, _RESPONSE_STATUS_TO_ENUM, -) - - -def _requires_successful_response(func): - @functools.wraps(func) - def wrapper(self, *args): - if self.response_status != OCSPResponseStatus.SUCCESSFUL: - raise ValueError( - "OCSP response status is not successful so the property " - "has no value" - ) - else: - return func(self, *args) - - return wrapper - - -def _issuer_key_hash(backend, cert_id): - key_hash = backend._ffi.new("ASN1_OCTET_STRING **") - res = backend._lib.OCSP_id_get0_info( - backend._ffi.NULL, backend._ffi.NULL, - key_hash, backend._ffi.NULL, cert_id - ) - backend.openssl_assert(res == 1) - backend.openssl_assert(key_hash[0] != backend._ffi.NULL) - return _asn1_string_to_bytes(backend, key_hash[0]) - - -def _issuer_name_hash(backend, cert_id): - name_hash = backend._ffi.new("ASN1_OCTET_STRING **") - res = backend._lib.OCSP_id_get0_info( - name_hash, backend._ffi.NULL, - backend._ffi.NULL, backend._ffi.NULL, cert_id - ) - backend.openssl_assert(res == 1) - backend.openssl_assert(name_hash[0] != backend._ffi.NULL) - return _asn1_string_to_bytes(backend, name_hash[0]) - - -def _serial_number(backend, cert_id): - num = backend._ffi.new("ASN1_INTEGER **") - res = backend._lib.OCSP_id_get0_info( - backend._ffi.NULL, backend._ffi.NULL, - backend._ffi.NULL, num, cert_id - ) - backend.openssl_assert(res == 1) - backend.openssl_assert(num[0] != backend._ffi.NULL) - return _asn1_integer_to_int(backend, num[0]) - - -def _hash_algorithm(backend, cert_id): - asn1obj = backend._ffi.new("ASN1_OBJECT **") - res = backend._lib.OCSP_id_get0_info( - backend._ffi.NULL, asn1obj, - backend._ffi.NULL, backend._ffi.NULL, cert_id - ) - backend.openssl_assert(res == 1) - backend.openssl_assert(asn1obj[0] != backend._ffi.NULL) - oid = _obj2txt(backend, asn1obj[0]) - try: - return _OIDS_TO_HASH[oid] - except KeyError: - raise UnsupportedAlgorithm( - "Signature algorithm OID: {} not recognized".format(oid) - ) - - -@utils.register_interface(OCSPResponse) -class _OCSPResponse(object): - def __init__(self, backend, ocsp_response): - self._backend = backend - self._ocsp_response = ocsp_response - status = self._backend._lib.OCSP_response_status(self._ocsp_response) - self._backend.openssl_assert(status in _RESPONSE_STATUS_TO_ENUM) - self._status = _RESPONSE_STATUS_TO_ENUM[status] - if self._status is OCSPResponseStatus.SUCCESSFUL: - basic = self._backend._lib.OCSP_response_get1_basic( - self._ocsp_response - ) - self._backend.openssl_assert(basic != self._backend._ffi.NULL) - self._basic = self._backend._ffi.gc( - basic, self._backend._lib.OCSP_BASICRESP_free - ) - self._backend.openssl_assert( - self._backend._lib.OCSP_resp_count(self._basic) == 1 - ) - self._single = self._backend._lib.OCSP_resp_get0(self._basic, 0) - self._backend.openssl_assert( - self._single != self._backend._ffi.NULL - ) - self._cert_id = self._backend._lib.OCSP_SINGLERESP_get0_id( - self._single - ) - self._backend.openssl_assert( - self._cert_id != self._backend._ffi.NULL - ) - - response_status = utils.read_only_property("_status") - - @property - @_requires_successful_response - def signature_algorithm_oid(self): - alg = self._backend._lib.OCSP_resp_get0_tbs_sigalg(self._basic) - self._backend.openssl_assert(alg != self._backend._ffi.NULL) - oid = _obj2txt(self._backend, alg.algorithm) - return x509.ObjectIdentifier(oid) - - @property - @_requires_successful_response - def signature_hash_algorithm(self): - oid = self.signature_algorithm_oid - try: - return x509._SIG_OIDS_TO_HASH[oid] - except KeyError: - raise UnsupportedAlgorithm( - "Signature algorithm OID:{} not recognized".format(oid) - ) - - @property - @_requires_successful_response - def signature(self): - sig = self._backend._lib.OCSP_resp_get0_signature(self._basic) - self._backend.openssl_assert(sig != self._backend._ffi.NULL) - return _asn1_string_to_bytes(self._backend, sig) - - @property - @_requires_successful_response - def tbs_response_bytes(self): - respdata = self._backend._lib.OCSP_resp_get0_respdata(self._basic) - self._backend.openssl_assert(respdata != self._backend._ffi.NULL) - pp = self._backend._ffi.new("unsigned char **") - res = self._backend._lib.i2d_OCSP_RESPDATA(respdata, pp) - self._backend.openssl_assert(pp[0] != self._backend._ffi.NULL) - pp = self._backend._ffi.gc( - pp, lambda pointer: self._backend._lib.OPENSSL_free(pointer[0]) - ) - self._backend.openssl_assert(res > 0) - return self._backend._ffi.buffer(pp[0], res)[:] - - @property - @_requires_successful_response - def certificates(self): - sk_x509 = self._backend._lib.OCSP_resp_get0_certs(self._basic) - num = self._backend._lib.sk_X509_num(sk_x509) - certs = [] - for i in range(num): - x509 = self._backend._lib.sk_X509_value(sk_x509, i) - self._backend.openssl_assert(x509 != self._backend._ffi.NULL) - cert = _Certificate(self._backend, x509) - # We need to keep the OCSP response that the certificate came from - # alive until the Certificate object itself goes out of scope, so - # we give it a private reference. - cert._ocsp_resp = self - certs.append(cert) - - return certs - - @property - @_requires_successful_response - def responder_key_hash(self): - _, asn1_string = self._responder_key_name() - if asn1_string == self._backend._ffi.NULL: - return None - else: - return _asn1_string_to_bytes(self._backend, asn1_string) - - @property - @_requires_successful_response - def responder_name(self): - x509_name, _ = self._responder_key_name() - if x509_name == self._backend._ffi.NULL: - return None - else: - return _decode_x509_name(self._backend, x509_name) - - def _responder_key_name(self): - asn1_string = self._backend._ffi.new("ASN1_OCTET_STRING **") - x509_name = self._backend._ffi.new("X509_NAME **") - res = self._backend._lib.OCSP_resp_get0_id( - self._basic, asn1_string, x509_name - ) - self._backend.openssl_assert(res == 1) - return x509_name[0], asn1_string[0] - - @property - @_requires_successful_response - def produced_at(self): - produced_at = self._backend._lib.OCSP_resp_get0_produced_at( - self._basic - ) - return _parse_asn1_generalized_time(self._backend, produced_at) - - @property - @_requires_successful_response - def certificate_status(self): - status = self._backend._lib.OCSP_single_get0_status( - self._single, - self._backend._ffi.NULL, - self._backend._ffi.NULL, - self._backend._ffi.NULL, - self._backend._ffi.NULL, - ) - self._backend.openssl_assert(status in _CERT_STATUS_TO_ENUM) - return _CERT_STATUS_TO_ENUM[status] - - @property - @_requires_successful_response - def revocation_time(self): - if self.certificate_status is not OCSPCertStatus.REVOKED: - return None - - asn1_time = self._backend._ffi.new("ASN1_GENERALIZEDTIME **") - self._backend._lib.OCSP_single_get0_status( - self._single, - self._backend._ffi.NULL, - asn1_time, - self._backend._ffi.NULL, - self._backend._ffi.NULL, - ) - self._backend.openssl_assert(asn1_time[0] != self._backend._ffi.NULL) - return _parse_asn1_generalized_time(self._backend, asn1_time[0]) - - @property - @_requires_successful_response - def revocation_reason(self): - if self.certificate_status is not OCSPCertStatus.REVOKED: - return None - - reason_ptr = self._backend._ffi.new("int *") - self._backend._lib.OCSP_single_get0_status( - self._single, - reason_ptr, - self._backend._ffi.NULL, - self._backend._ffi.NULL, - self._backend._ffi.NULL, - ) - # If no reason is encoded OpenSSL returns -1 - if reason_ptr[0] == -1: - return None - else: - self._backend.openssl_assert( - reason_ptr[0] in _CRL_ENTRY_REASON_CODE_TO_ENUM - ) - return _CRL_ENTRY_REASON_CODE_TO_ENUM[reason_ptr[0]] - - @property - @_requires_successful_response - def this_update(self): - asn1_time = self._backend._ffi.new("ASN1_GENERALIZEDTIME **") - self._backend._lib.OCSP_single_get0_status( - self._single, - self._backend._ffi.NULL, - self._backend._ffi.NULL, - asn1_time, - self._backend._ffi.NULL, - ) - self._backend.openssl_assert(asn1_time[0] != self._backend._ffi.NULL) - return _parse_asn1_generalized_time(self._backend, asn1_time[0]) - - @property - @_requires_successful_response - def next_update(self): - asn1_time = self._backend._ffi.new("ASN1_GENERALIZEDTIME **") - self._backend._lib.OCSP_single_get0_status( - self._single, - self._backend._ffi.NULL, - self._backend._ffi.NULL, - self._backend._ffi.NULL, - asn1_time, - ) - if asn1_time[0] != self._backend._ffi.NULL: - return _parse_asn1_generalized_time(self._backend, asn1_time[0]) - else: - return None - - @property - @_requires_successful_response - def issuer_key_hash(self): - return _issuer_key_hash(self._backend, self._cert_id) - - @property - @_requires_successful_response - def issuer_name_hash(self): - return _issuer_name_hash(self._backend, self._cert_id) - - @property - @_requires_successful_response - def hash_algorithm(self): - return _hash_algorithm(self._backend, self._cert_id) - - @property - @_requires_successful_response - def serial_number(self): - return _serial_number(self._backend, self._cert_id) - - @utils.cached_property - @_requires_successful_response - def extensions(self): - return _OCSP_BASICRESP_EXT_PARSER.parse(self._backend, self._basic) - - def public_bytes(self, encoding): - if encoding is not serialization.Encoding.DER: - raise ValueError( - "The only allowed encoding value is Encoding.DER" - ) - - bio = self._backend._create_mem_bio_gc() - res = self._backend._lib.i2d_OCSP_RESPONSE_bio( - bio, self._ocsp_response - ) - self._backend.openssl_assert(res > 0) - return self._backend._read_mem_bio(bio) - - -@utils.register_interface(OCSPRequest) -class _OCSPRequest(object): - def __init__(self, backend, ocsp_request): - if backend._lib.OCSP_request_onereq_count(ocsp_request) > 1: - raise NotImplementedError( - 'OCSP request contains more than one request' - ) - self._backend = backend - self._ocsp_request = ocsp_request - self._request = self._backend._lib.OCSP_request_onereq_get0( - self._ocsp_request, 0 - ) - self._backend.openssl_assert(self._request != self._backend._ffi.NULL) - self._cert_id = self._backend._lib.OCSP_onereq_get0_id(self._request) - self._backend.openssl_assert(self._cert_id != self._backend._ffi.NULL) - - @property - def issuer_key_hash(self): - return _issuer_key_hash(self._backend, self._cert_id) - - @property - def issuer_name_hash(self): - return _issuer_name_hash(self._backend, self._cert_id) - - @property - def serial_number(self): - return _serial_number(self._backend, self._cert_id) - - @property - def hash_algorithm(self): - return _hash_algorithm(self._backend, self._cert_id) - - @utils.cached_property - def extensions(self): - return _OCSP_REQ_EXT_PARSER.parse(self._backend, self._ocsp_request) - - def public_bytes(self, encoding): - if encoding is not serialization.Encoding.DER: - raise ValueError( - "The only allowed encoding value is Encoding.DER" - ) - - bio = self._backend._create_mem_bio_gc() - res = self._backend._lib.i2d_OCSP_REQUEST_bio(bio, self._ocsp_request) - self._backend.openssl_assert(res > 0) - return self._backend._read_mem_bio(bio) diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/poly1305.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/poly1305.py @@ -1,60 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - - -from cryptography.exceptions import InvalidSignature -from cryptography.hazmat.primitives import constant_time - - -_POLY1305_TAG_SIZE = 16 -_POLY1305_KEY_SIZE = 32 - - -class _Poly1305Context(object): - def __init__(self, backend, key): - self._backend = backend - - key_ptr = self._backend._ffi.from_buffer(key) - # This function copies the key into OpenSSL-owned memory so we don't - # need to retain it ourselves - evp_pkey = self._backend._lib.EVP_PKEY_new_raw_private_key( - self._backend._lib.NID_poly1305, - self._backend._ffi.NULL, key_ptr, len(key) - ) - self._backend.openssl_assert(evp_pkey != self._backend._ffi.NULL) - self._evp_pkey = self._backend._ffi.gc( - evp_pkey, self._backend._lib.EVP_PKEY_free - ) - ctx = self._backend._lib.Cryptography_EVP_MD_CTX_new() - self._backend.openssl_assert(ctx != self._backend._ffi.NULL) - self._ctx = self._backend._ffi.gc( - ctx, self._backend._lib.Cryptography_EVP_MD_CTX_free - ) - res = self._backend._lib.EVP_DigestSignInit( - self._ctx, self._backend._ffi.NULL, self._backend._ffi.NULL, - self._backend._ffi.NULL, self._evp_pkey - ) - self._backend.openssl_assert(res == 1) - - def update(self, data): - data_ptr = self._backend._ffi.from_buffer(data) - res = self._backend._lib.EVP_DigestSignUpdate( - self._ctx, data_ptr, len(data) - ) - self._backend.openssl_assert(res != 0) - - def finalize(self): - buf = self._backend._ffi.new("unsigned char[]", _POLY1305_TAG_SIZE) - outlen = self._backend._ffi.new("size_t *") - res = self._backend._lib.EVP_DigestSignFinal(self._ctx, buf, outlen) - self._backend.openssl_assert(res != 0) - self._backend.openssl_assert(outlen[0] == _POLY1305_TAG_SIZE) - return self._backend._ffi.buffer(buf)[:outlen[0]] - - def verify(self, tag): - mac = self.finalize() - if not constant_time.bytes_eq(mac, tag): - raise InvalidSignature("Value did not match computed tag.") diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/rsa.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/rsa.py @@ -1,478 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import math - -from cryptography import utils -from cryptography.exceptions import ( - InvalidSignature, UnsupportedAlgorithm, _Reasons -) -from cryptography.hazmat.backends.openssl.utils import ( - _calculate_digest_and_algorithm, _check_not_prehashed, - _warn_sign_verify_deprecated -) -from cryptography.hazmat.primitives import hashes -from cryptography.hazmat.primitives.asymmetric import ( - AsymmetricSignatureContext, AsymmetricVerificationContext, rsa -) -from cryptography.hazmat.primitives.asymmetric.padding import ( - AsymmetricPadding, MGF1, OAEP, PKCS1v15, PSS, calculate_max_pss_salt_length -) -from cryptography.hazmat.primitives.asymmetric.rsa import ( - RSAPrivateKeyWithSerialization, RSAPublicKeyWithSerialization -) - - -def _get_rsa_pss_salt_length(pss, key, hash_algorithm): - salt = pss._salt_length - - if salt is MGF1.MAX_LENGTH or salt is PSS.MAX_LENGTH: - return calculate_max_pss_salt_length(key, hash_algorithm) - else: - return salt - - -def _enc_dec_rsa(backend, key, data, padding): - if not isinstance(padding, AsymmetricPadding): - raise TypeError("Padding must be an instance of AsymmetricPadding.") - - if isinstance(padding, PKCS1v15): - padding_enum = backend._lib.RSA_PKCS1_PADDING - elif isinstance(padding, OAEP): - padding_enum = backend._lib.RSA_PKCS1_OAEP_PADDING - - if not isinstance(padding._mgf, MGF1): - raise UnsupportedAlgorithm( - "Only MGF1 is supported by this backend.", - _Reasons.UNSUPPORTED_MGF - ) - - if not backend.rsa_padding_supported(padding): - raise UnsupportedAlgorithm( - "This combination of padding and hash algorithm is not " - "supported by this backend.", - _Reasons.UNSUPPORTED_PADDING - ) - - else: - raise UnsupportedAlgorithm( - "{} is not supported by this backend.".format( - padding.name - ), - _Reasons.UNSUPPORTED_PADDING - ) - - return _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding) - - -def _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding): - if isinstance(key, _RSAPublicKey): - init = backend._lib.EVP_PKEY_encrypt_init - crypt = backend._lib.EVP_PKEY_encrypt - else: - init = backend._lib.EVP_PKEY_decrypt_init - crypt = backend._lib.EVP_PKEY_decrypt - - pkey_ctx = backend._lib.EVP_PKEY_CTX_new( - key._evp_pkey, backend._ffi.NULL - ) - backend.openssl_assert(pkey_ctx != backend._ffi.NULL) - pkey_ctx = backend._ffi.gc(pkey_ctx, backend._lib.EVP_PKEY_CTX_free) - res = init(pkey_ctx) - backend.openssl_assert(res == 1) - res = backend._lib.EVP_PKEY_CTX_set_rsa_padding( - pkey_ctx, padding_enum) - backend.openssl_assert(res > 0) - buf_size = backend._lib.EVP_PKEY_size(key._evp_pkey) - backend.openssl_assert(buf_size > 0) - if ( - isinstance(padding, OAEP) and - backend._lib.Cryptography_HAS_RSA_OAEP_MD - ): - mgf1_md = backend._evp_md_non_null_from_algorithm( - padding._mgf._algorithm) - res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, mgf1_md) - backend.openssl_assert(res > 0) - oaep_md = backend._evp_md_non_null_from_algorithm(padding._algorithm) - res = backend._lib.EVP_PKEY_CTX_set_rsa_oaep_md(pkey_ctx, oaep_md) - backend.openssl_assert(res > 0) - - if ( - isinstance(padding, OAEP) and - padding._label is not None and - len(padding._label) > 0 - ): - # set0_rsa_oaep_label takes ownership of the char * so we need to - # copy it into some new memory - labelptr = backend._lib.OPENSSL_malloc(len(padding._label)) - backend.openssl_assert(labelptr != backend._ffi.NULL) - backend._ffi.memmove(labelptr, padding._label, len(padding._label)) - res = backend._lib.EVP_PKEY_CTX_set0_rsa_oaep_label( - pkey_ctx, labelptr, len(padding._label) - ) - backend.openssl_assert(res == 1) - - outlen = backend._ffi.new("size_t *", buf_size) - buf = backend._ffi.new("unsigned char[]", buf_size) - res = crypt(pkey_ctx, buf, outlen, data, len(data)) - if res <= 0: - _handle_rsa_enc_dec_error(backend, key) - - return backend._ffi.buffer(buf)[:outlen[0]] - - -def _handle_rsa_enc_dec_error(backend, key): - errors = backend._consume_errors() - backend.openssl_assert(errors) - backend.openssl_assert(errors[0].lib == backend._lib.ERR_LIB_RSA) - if isinstance(key, _RSAPublicKey): - backend.openssl_assert( - errors[0].reason == backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE - ) - raise ValueError( - "Data too long for key size. Encrypt less data or use a " - "larger key size." - ) - else: - decoding_errors = [ - backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_01, - backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_02, - backend._lib.RSA_R_OAEP_DECODING_ERROR, - # Though this error looks similar to the - # RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE, this occurs on decrypts, - # rather than on encrypts - backend._lib.RSA_R_DATA_TOO_LARGE_FOR_MODULUS, - ] - if backend._lib.Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR: - decoding_errors.append(backend._lib.RSA_R_PKCS_DECODING_ERROR) - - backend.openssl_assert(errors[0].reason in decoding_errors) - raise ValueError("Decryption failed.") - - -def _rsa_sig_determine_padding(backend, key, padding, algorithm): - if not isinstance(padding, AsymmetricPadding): - raise TypeError("Expected provider of AsymmetricPadding.") - - pkey_size = backend._lib.EVP_PKEY_size(key._evp_pkey) - backend.openssl_assert(pkey_size > 0) - - if isinstance(padding, PKCS1v15): - padding_enum = backend._lib.RSA_PKCS1_PADDING - elif isinstance(padding, PSS): - if not isinstance(padding._mgf, MGF1): - raise UnsupportedAlgorithm( - "Only MGF1 is supported by this backend.", - _Reasons.UNSUPPORTED_MGF - ) - - # Size of key in bytes - 2 is the maximum - # PSS signature length (salt length is checked later) - if pkey_size - algorithm.digest_size - 2 < 0: - raise ValueError("Digest too large for key size. Use a larger " - "key or different digest.") - - padding_enum = backend._lib.RSA_PKCS1_PSS_PADDING - else: - raise UnsupportedAlgorithm( - "{} is not supported by this backend.".format(padding.name), - _Reasons.UNSUPPORTED_PADDING - ) - - return padding_enum - - -def _rsa_sig_setup(backend, padding, algorithm, key, data, init_func): - padding_enum = _rsa_sig_determine_padding(backend, key, padding, algorithm) - evp_md = backend._evp_md_non_null_from_algorithm(algorithm) - pkey_ctx = backend._lib.EVP_PKEY_CTX_new(key._evp_pkey, backend._ffi.NULL) - backend.openssl_assert(pkey_ctx != backend._ffi.NULL) - pkey_ctx = backend._ffi.gc(pkey_ctx, backend._lib.EVP_PKEY_CTX_free) - res = init_func(pkey_ctx) - backend.openssl_assert(res == 1) - res = backend._lib.EVP_PKEY_CTX_set_signature_md(pkey_ctx, evp_md) - if res == 0: - backend._consume_errors() - raise UnsupportedAlgorithm( - "{} is not supported by this backend for RSA signing.".format( - algorithm.name - ), - _Reasons.UNSUPPORTED_HASH - ) - res = backend._lib.EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, padding_enum) - backend.openssl_assert(res > 0) - if isinstance(padding, PSS): - res = backend._lib.EVP_PKEY_CTX_set_rsa_pss_saltlen( - pkey_ctx, _get_rsa_pss_salt_length(padding, key, algorithm) - ) - backend.openssl_assert(res > 0) - - mgf1_md = backend._evp_md_non_null_from_algorithm( - padding._mgf._algorithm) - res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, mgf1_md) - backend.openssl_assert(res > 0) - - return pkey_ctx - - -def _rsa_sig_sign(backend, padding, algorithm, private_key, data): - pkey_ctx = _rsa_sig_setup( - backend, padding, algorithm, private_key, data, - backend._lib.EVP_PKEY_sign_init - ) - buflen = backend._ffi.new("size_t *") - res = backend._lib.EVP_PKEY_sign( - pkey_ctx, - backend._ffi.NULL, - buflen, - data, - len(data) - ) - backend.openssl_assert(res == 1) - buf = backend._ffi.new("unsigned char[]", buflen[0]) - res = backend._lib.EVP_PKEY_sign( - pkey_ctx, buf, buflen, data, len(data)) - if res != 1: - errors = backend._consume_errors() - backend.openssl_assert(errors[0].lib == backend._lib.ERR_LIB_RSA) - if ( - errors[0].reason == - backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE - ): - reason = ("Salt length too long for key size. Try using " - "MAX_LENGTH instead.") - else: - backend.openssl_assert( - errors[0].reason == - backend._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY - ) - reason = "Digest too large for key size. Use a larger key." - raise ValueError(reason) - - return backend._ffi.buffer(buf)[:] - - -def _rsa_sig_verify(backend, padding, algorithm, public_key, signature, data): - pkey_ctx = _rsa_sig_setup( - backend, padding, algorithm, public_key, data, - backend._lib.EVP_PKEY_verify_init - ) - res = backend._lib.EVP_PKEY_verify( - pkey_ctx, signature, len(signature), data, len(data) - ) - # The previous call can return negative numbers in the event of an - # error. This is not a signature failure but we need to fail if it - # occurs. - backend.openssl_assert(res >= 0) - if res == 0: - backend._consume_errors() - raise InvalidSignature - - -@utils.register_interface(AsymmetricSignatureContext) -class _RSASignatureContext(object): - def __init__(self, backend, private_key, padding, algorithm): - self._backend = backend - self._private_key = private_key - - # We now call _rsa_sig_determine_padding in _rsa_sig_setup. However - # we need to make a pointless call to it here so we maintain the - # API of erroring on init with this context if the values are invalid. - _rsa_sig_determine_padding(backend, private_key, padding, algorithm) - self._padding = padding - self._algorithm = algorithm - self._hash_ctx = hashes.Hash(self._algorithm, self._backend) - - def update(self, data): - self._hash_ctx.update(data) - - def finalize(self): - return _rsa_sig_sign( - self._backend, - self._padding, - self._algorithm, - self._private_key, - self._hash_ctx.finalize() - ) - - -@utils.register_interface(AsymmetricVerificationContext) -class _RSAVerificationContext(object): - def __init__(self, backend, public_key, signature, padding, algorithm): - self._backend = backend - self._public_key = public_key - self._signature = signature - self._padding = padding - # We now call _rsa_sig_determine_padding in _rsa_sig_setup. However - # we need to make a pointless call to it here so we maintain the - # API of erroring on init with this context if the values are invalid. - _rsa_sig_determine_padding(backend, public_key, padding, algorithm) - - padding = padding - self._algorithm = algorithm - self._hash_ctx = hashes.Hash(self._algorithm, self._backend) - - def update(self, data): - self._hash_ctx.update(data) - - def verify(self): - return _rsa_sig_verify( - self._backend, - self._padding, - self._algorithm, - self._public_key, - self._signature, - self._hash_ctx.finalize() - ) - - -@utils.register_interface(RSAPrivateKeyWithSerialization) -class _RSAPrivateKey(object): - def __init__(self, backend, rsa_cdata, evp_pkey): - self._backend = backend - self._rsa_cdata = rsa_cdata - self._evp_pkey = evp_pkey - - n = self._backend._ffi.new("BIGNUM **") - self._backend._lib.RSA_get0_key( - self._rsa_cdata, n, self._backend._ffi.NULL, - self._backend._ffi.NULL - ) - self._backend.openssl_assert(n[0] != self._backend._ffi.NULL) - self._key_size = self._backend._lib.BN_num_bits(n[0]) - - key_size = utils.read_only_property("_key_size") - - def signer(self, padding, algorithm): - _warn_sign_verify_deprecated() - _check_not_prehashed(algorithm) - return _RSASignatureContext(self._backend, self, padding, algorithm) - - def decrypt(self, ciphertext, padding): - key_size_bytes = int(math.ceil(self.key_size / 8.0)) - if key_size_bytes != len(ciphertext): - raise ValueError("Ciphertext length must be equal to key size.") - - return _enc_dec_rsa(self._backend, self, ciphertext, padding) - - def public_key(self): - ctx = self._backend._lib.RSAPublicKey_dup(self._rsa_cdata) - self._backend.openssl_assert(ctx != self._backend._ffi.NULL) - ctx = self._backend._ffi.gc(ctx, self._backend._lib.RSA_free) - res = self._backend._lib.RSA_blinding_on(ctx, self._backend._ffi.NULL) - self._backend.openssl_assert(res == 1) - evp_pkey = self._backend._rsa_cdata_to_evp_pkey(ctx) - return _RSAPublicKey(self._backend, ctx, evp_pkey) - - def private_numbers(self): - n = self._backend._ffi.new("BIGNUM **") - e = self._backend._ffi.new("BIGNUM **") - d = self._backend._ffi.new("BIGNUM **") - p = self._backend._ffi.new("BIGNUM **") - q = self._backend._ffi.new("BIGNUM **") - dmp1 = self._backend._ffi.new("BIGNUM **") - dmq1 = self._backend._ffi.new("BIGNUM **") - iqmp = self._backend._ffi.new("BIGNUM **") - self._backend._lib.RSA_get0_key(self._rsa_cdata, n, e, d) - self._backend.openssl_assert(n[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(e[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(d[0] != self._backend._ffi.NULL) - self._backend._lib.RSA_get0_factors(self._rsa_cdata, p, q) - self._backend.openssl_assert(p[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(q[0] != self._backend._ffi.NULL) - self._backend._lib.RSA_get0_crt_params( - self._rsa_cdata, dmp1, dmq1, iqmp - ) - self._backend.openssl_assert(dmp1[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(dmq1[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(iqmp[0] != self._backend._ffi.NULL) - return rsa.RSAPrivateNumbers( - p=self._backend._bn_to_int(p[0]), - q=self._backend._bn_to_int(q[0]), - d=self._backend._bn_to_int(d[0]), - dmp1=self._backend._bn_to_int(dmp1[0]), - dmq1=self._backend._bn_to_int(dmq1[0]), - iqmp=self._backend._bn_to_int(iqmp[0]), - public_numbers=rsa.RSAPublicNumbers( - e=self._backend._bn_to_int(e[0]), - n=self._backend._bn_to_int(n[0]), - ) - ) - - def private_bytes(self, encoding, format, encryption_algorithm): - return self._backend._private_key_bytes( - encoding, - format, - encryption_algorithm, - self._evp_pkey, - self._rsa_cdata - ) - - def sign(self, data, padding, algorithm): - data, algorithm = _calculate_digest_and_algorithm( - self._backend, data, algorithm - ) - return _rsa_sig_sign(self._backend, padding, algorithm, self, data) - - -@utils.register_interface(RSAPublicKeyWithSerialization) -class _RSAPublicKey(object): - def __init__(self, backend, rsa_cdata, evp_pkey): - self._backend = backend - self._rsa_cdata = rsa_cdata - self._evp_pkey = evp_pkey - - n = self._backend._ffi.new("BIGNUM **") - self._backend._lib.RSA_get0_key( - self._rsa_cdata, n, self._backend._ffi.NULL, - self._backend._ffi.NULL - ) - self._backend.openssl_assert(n[0] != self._backend._ffi.NULL) - self._key_size = self._backend._lib.BN_num_bits(n[0]) - - key_size = utils.read_only_property("_key_size") - - def verifier(self, signature, padding, algorithm): - _warn_sign_verify_deprecated() - utils._check_bytes("signature", signature) - - _check_not_prehashed(algorithm) - return _RSAVerificationContext( - self._backend, self, signature, padding, algorithm - ) - - def encrypt(self, plaintext, padding): - return _enc_dec_rsa(self._backend, self, plaintext, padding) - - def public_numbers(self): - n = self._backend._ffi.new("BIGNUM **") - e = self._backend._ffi.new("BIGNUM **") - self._backend._lib.RSA_get0_key( - self._rsa_cdata, n, e, self._backend._ffi.NULL - ) - self._backend.openssl_assert(n[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(e[0] != self._backend._ffi.NULL) - return rsa.RSAPublicNumbers( - e=self._backend._bn_to_int(e[0]), - n=self._backend._bn_to_int(n[0]), - ) - - def public_bytes(self, encoding, format): - return self._backend._public_key_bytes( - encoding, - format, - self, - self._evp_pkey, - self._rsa_cdata - ) - - def verify(self, signature, data, padding, algorithm): - data, algorithm = _calculate_digest_and_algorithm( - self._backend, data, algorithm - ) - return _rsa_sig_verify( - self._backend, padding, algorithm, self, signature, data - ) diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/utils.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/utils.py @@ -1,69 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import warnings - -from cryptography import utils -from cryptography.hazmat.primitives import hashes -from cryptography.hazmat.primitives.asymmetric.utils import Prehashed - - -def _evp_pkey_derive(backend, evp_pkey, peer_public_key): - ctx = backend._lib.EVP_PKEY_CTX_new(evp_pkey, backend._ffi.NULL) - backend.openssl_assert(ctx != backend._ffi.NULL) - ctx = backend._ffi.gc(ctx, backend._lib.EVP_PKEY_CTX_free) - res = backend._lib.EVP_PKEY_derive_init(ctx) - backend.openssl_assert(res == 1) - res = backend._lib.EVP_PKEY_derive_set_peer( - ctx, peer_public_key._evp_pkey - ) - backend.openssl_assert(res == 1) - keylen = backend._ffi.new("size_t *") - res = backend._lib.EVP_PKEY_derive(ctx, backend._ffi.NULL, keylen) - backend.openssl_assert(res == 1) - backend.openssl_assert(keylen[0] > 0) - buf = backend._ffi.new("unsigned char[]", keylen[0]) - res = backend._lib.EVP_PKEY_derive(ctx, buf, keylen) - if res != 1: - raise ValueError( - "Null shared key derived from public/private pair." - ) - - return backend._ffi.buffer(buf, keylen[0])[:] - - -def _calculate_digest_and_algorithm(backend, data, algorithm): - if not isinstance(algorithm, Prehashed): - hash_ctx = hashes.Hash(algorithm, backend) - hash_ctx.update(data) - data = hash_ctx.finalize() - else: - algorithm = algorithm._algorithm - - if len(data) != algorithm.digest_size: - raise ValueError( - "The provided data must be the same length as the hash " - "algorithm's digest size." - ) - - return (data, algorithm) - - -def _check_not_prehashed(signature_algorithm): - if isinstance(signature_algorithm, Prehashed): - raise TypeError( - "Prehashed is only supported in the sign and verify methods. " - "It cannot be used with signer or verifier." - ) - - -def _warn_sign_verify_deprecated(): - warnings.warn( - "signer and verifier have been deprecated. Please use sign " - "and verify instead.", - utils.PersistentlyDeprecated2017, - stacklevel=3 - ) diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/x25519.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/x25519.py @@ -1,149 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import warnings - -from cryptography import utils -from cryptography.hazmat.backends.openssl.utils import _evp_pkey_derive -from cryptography.hazmat.primitives import serialization -from cryptography.hazmat.primitives.asymmetric.x25519 import ( - X25519PrivateKey, X25519PublicKey -) - - -_X25519_KEY_SIZE = 32 - - -@utils.register_interface(X25519PublicKey) -class _X25519PublicKey(object): - def __init__(self, backend, evp_pkey): - self._backend = backend - self._evp_pkey = evp_pkey - - def public_bytes(self, encoding=None, format=None): - if encoding is None or format is None: - if encoding is not None or format is not None: - raise ValueError("Both encoding and format are required") - else: - warnings.warn( - "public_bytes now requires encoding and format arguments. " - "Support for calling without arguments will be removed in " - "cryptography 2.7", - utils.DeprecatedIn25, - ) - encoding = serialization.Encoding.Raw - format = serialization.PublicFormat.Raw - if ( - encoding is serialization.Encoding.Raw or - format is serialization.PublicFormat.Raw - ): - if ( - encoding is not serialization.Encoding.Raw or - format is not serialization.PublicFormat.Raw - ): - raise ValueError( - "When using Raw both encoding and format must be Raw" - ) - - return self._raw_public_bytes() - - if ( - encoding in serialization._PEM_DER and - format is not serialization.PublicFormat.SubjectPublicKeyInfo - ): - raise ValueError( - "format must be SubjectPublicKeyInfo when encoding is PEM or " - "DER" - ) - - return self._backend._public_key_bytes( - encoding, format, self, self._evp_pkey, None - ) - - def _raw_public_bytes(self): - ucharpp = self._backend._ffi.new("unsigned char **") - res = self._backend._lib.EVP_PKEY_get1_tls_encodedpoint( - self._evp_pkey, ucharpp - ) - self._backend.openssl_assert(res == 32) - self._backend.openssl_assert(ucharpp[0] != self._backend._ffi.NULL) - data = self._backend._ffi.gc( - ucharpp[0], self._backend._lib.OPENSSL_free - ) - return self._backend._ffi.buffer(data, res)[:] - - -@utils.register_interface(X25519PrivateKey) -class _X25519PrivateKey(object): - def __init__(self, backend, evp_pkey): - self._backend = backend - self._evp_pkey = evp_pkey - - def public_key(self): - bio = self._backend._create_mem_bio_gc() - res = self._backend._lib.i2d_PUBKEY_bio(bio, self._evp_pkey) - self._backend.openssl_assert(res == 1) - evp_pkey = self._backend._lib.d2i_PUBKEY_bio( - bio, self._backend._ffi.NULL - ) - self._backend.openssl_assert(evp_pkey != self._backend._ffi.NULL) - evp_pkey = self._backend._ffi.gc( - evp_pkey, self._backend._lib.EVP_PKEY_free - ) - return _X25519PublicKey(self._backend, evp_pkey) - - def exchange(self, peer_public_key): - if not isinstance(peer_public_key, X25519PublicKey): - raise TypeError("peer_public_key must be X25519PublicKey.") - - return _evp_pkey_derive( - self._backend, self._evp_pkey, peer_public_key - ) - - def private_bytes(self, encoding, format, encryption_algorithm): - if ( - encoding is serialization.Encoding.Raw or - format is serialization.PublicFormat.Raw - ): - if ( - format is not serialization.PrivateFormat.Raw or - encoding is not serialization.Encoding.Raw or not - isinstance(encryption_algorithm, serialization.NoEncryption) - ): - raise ValueError( - "When using Raw both encoding and format must be Raw " - "and encryption_algorithm must be NoEncryption" - ) - - return self._raw_private_bytes() - - if ( - encoding in serialization._PEM_DER and - format is not serialization.PrivateFormat.PKCS8 - ): - raise ValueError( - "format must be PKCS8 when encoding is PEM or DER" - ) - - return self._backend._private_key_bytes( - encoding, format, encryption_algorithm, self._evp_pkey, None - ) - - def _raw_private_bytes(self): - # When we drop support for CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 we can - # switch this to EVP_PKEY_new_raw_private_key - # The trick we use here is serializing to a PKCS8 key and just - # using the last 32 bytes, which is the key itself. - bio = self._backend._create_mem_bio_gc() - res = self._backend._lib.i2d_PKCS8PrivateKey_bio( - bio, self._evp_pkey, - self._backend._ffi.NULL, self._backend._ffi.NULL, - 0, self._backend._ffi.NULL, self._backend._ffi.NULL - ) - self._backend.openssl_assert(res == 1) - pkcs8 = self._backend._read_mem_bio(bio) - self._backend.openssl_assert(len(pkcs8) == 48) - return pkcs8[-_X25519_KEY_SIZE:] diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/x448.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/x448.py @@ -1,123 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -from cryptography import utils -from cryptography.hazmat.backends.openssl.utils import _evp_pkey_derive -from cryptography.hazmat.primitives import serialization -from cryptography.hazmat.primitives.asymmetric.x448 import ( - X448PrivateKey, X448PublicKey -) - -_X448_KEY_SIZE = 56 - - -@utils.register_interface(X448PublicKey) -class _X448PublicKey(object): - def __init__(self, backend, evp_pkey): - self._backend = backend - self._evp_pkey = evp_pkey - - def public_bytes(self, encoding, format): - if ( - encoding is serialization.Encoding.Raw or - format is serialization.PublicFormat.Raw - ): - if ( - encoding is not serialization.Encoding.Raw or - format is not serialization.PublicFormat.Raw - ): - raise ValueError( - "When using Raw both encoding and format must be Raw" - ) - - return self._raw_public_bytes() - - if ( - encoding in serialization._PEM_DER and - format is not serialization.PublicFormat.SubjectPublicKeyInfo - ): - raise ValueError( - "format must be SubjectPublicKeyInfo when encoding is PEM or " - "DER" - ) - - return self._backend._public_key_bytes( - encoding, format, self, self._evp_pkey, None - ) - - def _raw_public_bytes(self): - buf = self._backend._ffi.new("unsigned char []", _X448_KEY_SIZE) - buflen = self._backend._ffi.new("size_t *", _X448_KEY_SIZE) - res = self._backend._lib.EVP_PKEY_get_raw_public_key( - self._evp_pkey, buf, buflen - ) - self._backend.openssl_assert(res == 1) - self._backend.openssl_assert(buflen[0] == _X448_KEY_SIZE) - return self._backend._ffi.buffer(buf, _X448_KEY_SIZE)[:] - - -@utils.register_interface(X448PrivateKey) -class _X448PrivateKey(object): - def __init__(self, backend, evp_pkey): - self._backend = backend - self._evp_pkey = evp_pkey - - def public_key(self): - buf = self._backend._ffi.new("unsigned char []", _X448_KEY_SIZE) - buflen = self._backend._ffi.new("size_t *", _X448_KEY_SIZE) - res = self._backend._lib.EVP_PKEY_get_raw_public_key( - self._evp_pkey, buf, buflen - ) - self._backend.openssl_assert(res == 1) - self._backend.openssl_assert(buflen[0] == _X448_KEY_SIZE) - return self._backend.x448_load_public_bytes(buf) - - def exchange(self, peer_public_key): - if not isinstance(peer_public_key, X448PublicKey): - raise TypeError("peer_public_key must be X448PublicKey.") - - return _evp_pkey_derive( - self._backend, self._evp_pkey, peer_public_key - ) - - def private_bytes(self, encoding, format, encryption_algorithm): - if ( - encoding is serialization.Encoding.Raw or - format is serialization.PublicFormat.Raw - ): - if ( - format is not serialization.PrivateFormat.Raw or - encoding is not serialization.Encoding.Raw or not - isinstance(encryption_algorithm, serialization.NoEncryption) - ): - raise ValueError( - "When using Raw both encoding and format must be Raw " - "and encryption_algorithm must be NoEncryption" - ) - - return self._raw_private_bytes() - - if ( - encoding in serialization._PEM_DER and - format is not serialization.PrivateFormat.PKCS8 - ): - raise ValueError( - "format must be PKCS8 when encoding is PEM or DER" - ) - - return self._backend._private_key_bytes( - encoding, format, encryption_algorithm, self._evp_pkey, None - ) - - def _raw_private_bytes(self): - buf = self._backend._ffi.new("unsigned char []", _X448_KEY_SIZE) - buflen = self._backend._ffi.new("size_t *", _X448_KEY_SIZE) - res = self._backend._lib.EVP_PKEY_get_raw_private_key( - self._evp_pkey, buf, buflen - ) - self._backend.openssl_assert(res == 1) - self._backend.openssl_assert(buflen[0] == _X448_KEY_SIZE) - return self._backend._ffi.buffer(buf, _X448_KEY_SIZE)[:] diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/x509.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/x509.py @@ -1,546 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import datetime -import operator - -from cryptography import utils, x509 -from cryptography.exceptions import UnsupportedAlgorithm -from cryptography.hazmat.backends.openssl.decode_asn1 import ( - _CERTIFICATE_EXTENSION_PARSER, _CERTIFICATE_EXTENSION_PARSER_NO_SCT, - _CRL_EXTENSION_PARSER, _CSR_EXTENSION_PARSER, - _REVOKED_CERTIFICATE_EXTENSION_PARSER, _asn1_integer_to_int, - _asn1_string_to_bytes, _decode_x509_name, _obj2txt, _parse_asn1_time -) -from cryptography.hazmat.backends.openssl.encode_asn1 import ( - _encode_asn1_int_gc -) -from cryptography.hazmat.primitives import hashes, serialization -from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa - - -@utils.register_interface(x509.Certificate) -class _Certificate(object): - def __init__(self, backend, x509): - self._backend = backend - self._x509 = x509 - - def __repr__(self): - return "<Certificate(subject={}, ...)>".format(self.subject) - - def __eq__(self, other): - if not isinstance(other, x509.Certificate): - return NotImplemented - - res = self._backend._lib.X509_cmp(self._x509, other._x509) - return res == 0 - - def __ne__(self, other): - return not self == other - - def __hash__(self): - return hash(self.public_bytes(serialization.Encoding.DER)) - - def fingerprint(self, algorithm): - h = hashes.Hash(algorithm, self._backend) - h.update(self.public_bytes(serialization.Encoding.DER)) - return h.finalize() - - @property - def version(self): - version = self._backend._lib.X509_get_version(self._x509) - if version == 0: - return x509.Version.v1 - elif version == 2: - return x509.Version.v3 - else: - raise x509.InvalidVersion( - "{} is not a valid X509 version".format(version), version - ) - - @property - def serial_number(self): - asn1_int = self._backend._lib.X509_get_serialNumber(self._x509) - self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL) - return _asn1_integer_to_int(self._backend, asn1_int) - - def public_key(self): - pkey = self._backend._lib.X509_get_pubkey(self._x509) - if pkey == self._backend._ffi.NULL: - # Remove errors from the stack. - self._backend._consume_errors() - raise ValueError("Certificate public key is of an unknown type") - - pkey = self._backend._ffi.gc(pkey, self._backend._lib.EVP_PKEY_free) - - return self._backend._evp_pkey_to_public_key(pkey) - - @property - def not_valid_before(self): - asn1_time = self._backend._lib.X509_get_notBefore(self._x509) - return _parse_asn1_time(self._backend, asn1_time) - - @property - def not_valid_after(self): - asn1_time = self._backend._lib.X509_get_notAfter(self._x509) - return _parse_asn1_time(self._backend, asn1_time) - - @property - def issuer(self): - issuer = self._backend._lib.X509_get_issuer_name(self._x509) - self._backend.openssl_assert(issuer != self._backend._ffi.NULL) - return _decode_x509_name(self._backend, issuer) - - @property - def subject(self): - subject = self._backend._lib.X509_get_subject_name(self._x509) - self._backend.openssl_assert(subject != self._backend._ffi.NULL) - return _decode_x509_name(self._backend, subject) - - @property - def signature_hash_algorithm(self): - oid = self.signature_algorithm_oid - try: - return x509._SIG_OIDS_TO_HASH[oid] - except KeyError: - raise UnsupportedAlgorithm( - "Signature algorithm OID:{} not recognized".format(oid) - ) - - @property - def signature_algorithm_oid(self): - alg = self._backend._ffi.new("X509_ALGOR **") - self._backend._lib.X509_get0_signature( - self._backend._ffi.NULL, alg, self._x509 - ) - self._backend.openssl_assert(alg[0] != self._backend._ffi.NULL) - oid = _obj2txt(self._backend, alg[0].algorithm) - return x509.ObjectIdentifier(oid) - - @utils.cached_property - def extensions(self): - if self._backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER: - return _CERTIFICATE_EXTENSION_PARSER.parse( - self._backend, self._x509 - ) - else: - return _CERTIFICATE_EXTENSION_PARSER_NO_SCT.parse( - self._backend, self._x509 - ) - - @property - def signature(self): - sig = self._backend._ffi.new("ASN1_BIT_STRING **") - self._backend._lib.X509_get0_signature( - sig, self._backend._ffi.NULL, self._x509 - ) - self._backend.openssl_assert(sig[0] != self._backend._ffi.NULL) - return _asn1_string_to_bytes(self._backend, sig[0]) - - @property - def tbs_certificate_bytes(self): - pp = self._backend._ffi.new("unsigned char **") - res = self._backend._lib.i2d_re_X509_tbs(self._x509, pp) - self._backend.openssl_assert(res > 0) - pp = self._backend._ffi.gc( - pp, lambda pointer: self._backend._lib.OPENSSL_free(pointer[0]) - ) - return self._backend._ffi.buffer(pp[0], res)[:] - - def public_bytes(self, encoding): - bio = self._backend._create_mem_bio_gc() - if encoding is serialization.Encoding.PEM: - res = self._backend._lib.PEM_write_bio_X509(bio, self._x509) - elif encoding is serialization.Encoding.DER: - res = self._backend._lib.i2d_X509_bio(bio, self._x509) - else: - raise TypeError("encoding must be an item from the Encoding enum") - - self._backend.openssl_assert(res == 1) - return self._backend._read_mem_bio(bio) - - -@utils.register_interface(x509.RevokedCertificate) -class _RevokedCertificate(object): - def __init__(self, backend, crl, x509_revoked): - self._backend = backend - # The X509_REVOKED_value is a X509_REVOKED * that has - # no reference counting. This means when X509_CRL_free is - # called then the CRL and all X509_REVOKED * are freed. Since - # you can retain a reference to a single revoked certificate - # and let the CRL fall out of scope we need to retain a - # private reference to the CRL inside the RevokedCertificate - # object to prevent the gc from being called inappropriately. - self._crl = crl - self._x509_revoked = x509_revoked - - @property - def serial_number(self): - asn1_int = self._backend._lib.X509_REVOKED_get0_serialNumber( - self._x509_revoked - ) - self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL) - return _asn1_integer_to_int(self._backend, asn1_int) - - @property - def revocation_date(self): - return _parse_asn1_time( - self._backend, - self._backend._lib.X509_REVOKED_get0_revocationDate( - self._x509_revoked - ) - ) - - @utils.cached_property - def extensions(self): - return _REVOKED_CERTIFICATE_EXTENSION_PARSER.parse( - self._backend, self._x509_revoked - ) - - -@utils.register_interface(x509.CertificateRevocationList) -class _CertificateRevocationList(object): - def __init__(self, backend, x509_crl): - self._backend = backend - self._x509_crl = x509_crl - - def __eq__(self, other): - if not isinstance(other, x509.CertificateRevocationList): - return NotImplemented - - res = self._backend._lib.X509_CRL_cmp(self._x509_crl, other._x509_crl) - return res == 0 - - def __ne__(self, other): - return not self == other - - def fingerprint(self, algorithm): - h = hashes.Hash(algorithm, self._backend) - bio = self._backend._create_mem_bio_gc() - res = self._backend._lib.i2d_X509_CRL_bio( - bio, self._x509_crl - ) - self._backend.openssl_assert(res == 1) - der = self._backend._read_mem_bio(bio) - h.update(der) - return h.finalize() - - @utils.cached_property - def _sorted_crl(self): - # X509_CRL_get0_by_serial sorts in place, which breaks a variety of - # things we don't want to break (like iteration and the signature). - # Let's dupe it and sort that instead. - dup = self._backend._lib.X509_CRL_dup(self._x509_crl) - self._backend.openssl_assert(dup != self._backend._ffi.NULL) - dup = self._backend._ffi.gc(dup, self._backend._lib.X509_CRL_free) - return dup - - def get_revoked_certificate_by_serial_number(self, serial_number): - revoked = self._backend._ffi.new("X509_REVOKED **") - asn1_int = _encode_asn1_int_gc(self._backend, serial_number) - res = self._backend._lib.X509_CRL_get0_by_serial( - self._sorted_crl, revoked, asn1_int - ) - if res == 0: - return None - else: - self._backend.openssl_assert( - revoked[0] != self._backend._ffi.NULL - ) - return _RevokedCertificate( - self._backend, self._sorted_crl, revoked[0] - ) - - @property - def signature_hash_algorithm(self): - oid = self.signature_algorithm_oid - try: - return x509._SIG_OIDS_TO_HASH[oid] - except KeyError: - raise UnsupportedAlgorithm( - "Signature algorithm OID:{} not recognized".format(oid) - ) - - @property - def signature_algorithm_oid(self): - alg = self._backend._ffi.new("X509_ALGOR **") - self._backend._lib.X509_CRL_get0_signature( - self._x509_crl, self._backend._ffi.NULL, alg - ) - self._backend.openssl_assert(alg[0] != self._backend._ffi.NULL) - oid = _obj2txt(self._backend, alg[0].algorithm) - return x509.ObjectIdentifier(oid) - - @property - def issuer(self): - issuer = self._backend._lib.X509_CRL_get_issuer(self._x509_crl) - self._backend.openssl_assert(issuer != self._backend._ffi.NULL) - return _decode_x509_name(self._backend, issuer) - - @property - def next_update(self): - nu = self._backend._lib.X509_CRL_get_nextUpdate(self._x509_crl) - self._backend.openssl_assert(nu != self._backend._ffi.NULL) - return _parse_asn1_time(self._backend, nu) - - @property - def last_update(self): - lu = self._backend._lib.X509_CRL_get_lastUpdate(self._x509_crl) - self._backend.openssl_assert(lu != self._backend._ffi.NULL) - return _parse_asn1_time(self._backend, lu) - - @property - def signature(self): - sig = self._backend._ffi.new("ASN1_BIT_STRING **") - self._backend._lib.X509_CRL_get0_signature( - self._x509_crl, sig, self._backend._ffi.NULL - ) - self._backend.openssl_assert(sig[0] != self._backend._ffi.NULL) - return _asn1_string_to_bytes(self._backend, sig[0]) - - @property - def tbs_certlist_bytes(self): - pp = self._backend._ffi.new("unsigned char **") - res = self._backend._lib.i2d_re_X509_CRL_tbs(self._x509_crl, pp) - self._backend.openssl_assert(res > 0) - pp = self._backend._ffi.gc( - pp, lambda pointer: self._backend._lib.OPENSSL_free(pointer[0]) - ) - return self._backend._ffi.buffer(pp[0], res)[:] - - def public_bytes(self, encoding): - bio = self._backend._create_mem_bio_gc() - if encoding is serialization.Encoding.PEM: - res = self._backend._lib.PEM_write_bio_X509_CRL( - bio, self._x509_crl - ) - elif encoding is serialization.Encoding.DER: - res = self._backend._lib.i2d_X509_CRL_bio(bio, self._x509_crl) - else: - raise TypeError("encoding must be an item from the Encoding enum") - - self._backend.openssl_assert(res == 1) - return self._backend._read_mem_bio(bio) - - def _revoked_cert(self, idx): - revoked = self._backend._lib.X509_CRL_get_REVOKED(self._x509_crl) - r = self._backend._lib.sk_X509_REVOKED_value(revoked, idx) - self._backend.openssl_assert(r != self._backend._ffi.NULL) - return _RevokedCertificate(self._backend, self, r) - - def __iter__(self): - for i in range(len(self)): - yield self._revoked_cert(i) - - def __getitem__(self, idx): - if isinstance(idx, slice): - start, stop, step = idx.indices(len(self)) - return [self._revoked_cert(i) for i in range(start, stop, step)] - else: - idx = operator.index(idx) - if idx < 0: - idx += len(self) - if not 0 <= idx < len(self): - raise IndexError - return self._revoked_cert(idx) - - def __len__(self): - revoked = self._backend._lib.X509_CRL_get_REVOKED(self._x509_crl) - if revoked == self._backend._ffi.NULL: - return 0 - else: - return self._backend._lib.sk_X509_REVOKED_num(revoked) - - @utils.cached_property - def extensions(self): - return _CRL_EXTENSION_PARSER.parse(self._backend, self._x509_crl) - - def is_signature_valid(self, public_key): - if not isinstance(public_key, (dsa.DSAPublicKey, rsa.RSAPublicKey, - ec.EllipticCurvePublicKey)): - raise TypeError('Expecting one of DSAPublicKey, RSAPublicKey,' - ' or EllipticCurvePublicKey.') - res = self._backend._lib.X509_CRL_verify( - self._x509_crl, public_key._evp_pkey - ) - - if res != 1: - self._backend._consume_errors() - return False - - return True - - -@utils.register_interface(x509.CertificateSigningRequest) -class _CertificateSigningRequest(object): - def __init__(self, backend, x509_req): - self._backend = backend - self._x509_req = x509_req - - def __eq__(self, other): - if not isinstance(other, _CertificateSigningRequest): - return NotImplemented - - self_bytes = self.public_bytes(serialization.Encoding.DER) - other_bytes = other.public_bytes(serialization.Encoding.DER) - return self_bytes == other_bytes - - def __ne__(self, other): - return not self == other - - def __hash__(self): - return hash(self.public_bytes(serialization.Encoding.DER)) - - def public_key(self): - pkey = self._backend._lib.X509_REQ_get_pubkey(self._x509_req) - self._backend.openssl_assert(pkey != self._backend._ffi.NULL) - pkey = self._backend._ffi.gc(pkey, self._backend._lib.EVP_PKEY_free) - return self._backend._evp_pkey_to_public_key(pkey) - - @property - def subject(self): - subject = self._backend._lib.X509_REQ_get_subject_name(self._x509_req) - self._backend.openssl_assert(subject != self._backend._ffi.NULL) - return _decode_x509_name(self._backend, subject) - - @property - def signature_hash_algorithm(self): - oid = self.signature_algorithm_oid - try: - return x509._SIG_OIDS_TO_HASH[oid] - except KeyError: - raise UnsupportedAlgorithm( - "Signature algorithm OID:{} not recognized".format(oid) - ) - - @property - def signature_algorithm_oid(self): - alg = self._backend._ffi.new("X509_ALGOR **") - self._backend._lib.X509_REQ_get0_signature( - self._x509_req, self._backend._ffi.NULL, alg - ) - self._backend.openssl_assert(alg[0] != self._backend._ffi.NULL) - oid = _obj2txt(self._backend, alg[0].algorithm) - return x509.ObjectIdentifier(oid) - - @utils.cached_property - def extensions(self): - x509_exts = self._backend._lib.X509_REQ_get_extensions(self._x509_req) - x509_exts = self._backend._ffi.gc( - x509_exts, - lambda x: self._backend._lib.sk_X509_EXTENSION_pop_free( - x, self._backend._ffi.addressof( - self._backend._lib._original_lib, "X509_EXTENSION_free" - ) - ) - ) - return _CSR_EXTENSION_PARSER.parse(self._backend, x509_exts) - - def public_bytes(self, encoding): - bio = self._backend._create_mem_bio_gc() - if encoding is serialization.Encoding.PEM: - res = self._backend._lib.PEM_write_bio_X509_REQ( - bio, self._x509_req - ) - elif encoding is serialization.Encoding.DER: - res = self._backend._lib.i2d_X509_REQ_bio(bio, self._x509_req) - else: - raise TypeError("encoding must be an item from the Encoding enum") - - self._backend.openssl_assert(res == 1) - return self._backend._read_mem_bio(bio) - - @property - def tbs_certrequest_bytes(self): - pp = self._backend._ffi.new("unsigned char **") - res = self._backend._lib.i2d_re_X509_REQ_tbs(self._x509_req, pp) - self._backend.openssl_assert(res > 0) - pp = self._backend._ffi.gc( - pp, lambda pointer: self._backend._lib.OPENSSL_free(pointer[0]) - ) - return self._backend._ffi.buffer(pp[0], res)[:] - - @property - def signature(self): - sig = self._backend._ffi.new("ASN1_BIT_STRING **") - self._backend._lib.X509_REQ_get0_signature( - self._x509_req, sig, self._backend._ffi.NULL - ) - self._backend.openssl_assert(sig[0] != self._backend._ffi.NULL) - return _asn1_string_to_bytes(self._backend, sig[0]) - - @property - def is_signature_valid(self): - pkey = self._backend._lib.X509_REQ_get_pubkey(self._x509_req) - self._backend.openssl_assert(pkey != self._backend._ffi.NULL) - pkey = self._backend._ffi.gc(pkey, self._backend._lib.EVP_PKEY_free) - res = self._backend._lib.X509_REQ_verify(self._x509_req, pkey) - - if res != 1: - self._backend._consume_errors() - return False - - return True - - -@utils.register_interface( - x509.certificate_transparency.SignedCertificateTimestamp -) -class _SignedCertificateTimestamp(object): - def __init__(self, backend, sct_list, sct): - self._backend = backend - # Keep the SCT_LIST that this SCT came from alive. - self._sct_list = sct_list - self._sct = sct - - @property - def version(self): - version = self._backend._lib.SCT_get_version(self._sct) - assert version == self._backend._lib.SCT_VERSION_V1 - return x509.certificate_transparency.Version.v1 - - @property - def log_id(self): - out = self._backend._ffi.new("unsigned char **") - log_id_length = self._backend._lib.SCT_get0_log_id(self._sct, out) - assert log_id_length >= 0 - return self._backend._ffi.buffer(out[0], log_id_length)[:] - - @property - def timestamp(self): - timestamp = self._backend._lib.SCT_get_timestamp(self._sct) - milliseconds = timestamp % 1000 - return datetime.datetime.utcfromtimestamp( - timestamp // 1000 - ).replace(microsecond=milliseconds * 1000) - - @property - def entry_type(self): - entry_type = self._backend._lib.SCT_get_log_entry_type(self._sct) - # We currently only support loading SCTs from the X.509 extension, so - # we only have precerts. - assert entry_type == self._backend._lib.CT_LOG_ENTRY_TYPE_PRECERT - return x509.certificate_transparency.LogEntryType.PRE_CERTIFICATE - - @property - def _signature(self): - ptrptr = self._backend._ffi.new("unsigned char **") - res = self._backend._lib.SCT_get0_signature(self._sct, ptrptr) - self._backend.openssl_assert(res > 0) - self._backend.openssl_assert(ptrptr[0] != self._backend._ffi.NULL) - return self._backend._ffi.buffer(ptrptr[0], res)[:] - - def __hash__(self): - return hash(self._signature) - - def __eq__(self, other): - if not isinstance(other, _SignedCertificateTimestamp): - return NotImplemented - - return self._signature == other._signature - - def __ne__(self, other): - return not self == other diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/__init__.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/__init__.py @@ -1,5 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/__pycache__/__init__.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/__pycache__/__init__.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/_constant_time.abi3.so b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/_constant_time.abi3.so Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/_openssl.abi3.so b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/_openssl.abi3.so Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/_padding.abi3.so b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/_padding.abi3.so Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/__init__.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/__init__.py @@ -1,5 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/__pycache__/__init__.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/__pycache__/__init__.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/__pycache__/_conditional.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/__pycache__/_conditional.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/__pycache__/binding.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/__pycache__/binding.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/_conditional.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/_conditional.py @@ -1,434 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - - -def cryptography_has_ec2m(): - return [ - "EC_POINT_set_affine_coordinates_GF2m", - "EC_POINT_get_affine_coordinates_GF2m", - "EC_POINT_set_compressed_coordinates_GF2m", - ] - - -def cryptography_has_ec_1_0_2(): - return [ - "EC_curve_nid2nist", - ] - - -def cryptography_has_set_ecdh_auto(): - return [ - "SSL_CTX_set_ecdh_auto", - ] - - -def cryptography_has_rsa_r_pkcs_decoding_error(): - return [ - "RSA_R_PKCS_DECODING_ERROR" - ] - - -def cryptography_has_rsa_oaep_md(): - return [ - "EVP_PKEY_CTX_set_rsa_oaep_md", - ] - - -def cryptography_has_rsa_oaep_label(): - return [ - "EVP_PKEY_CTX_set0_rsa_oaep_label", - ] - - -def cryptography_has_ssl3_method(): - return [ - "SSLv3_method", - "SSLv3_client_method", - "SSLv3_server_method", - ] - - -def cryptography_has_alpn(): - return [ - "SSL_CTX_set_alpn_protos", - "SSL_set_alpn_protos", - "SSL_CTX_set_alpn_select_cb", - "SSL_get0_alpn_selected", - ] - - -def cryptography_has_compression(): - return [ - "SSL_get_current_compression", - "SSL_get_current_expansion", - "SSL_COMP_get_name", - ] - - -def cryptography_has_get_server_tmp_key(): - return [ - "SSL_get_server_tmp_key", - ] - - -def cryptography_has_102_verification_error_codes(): - return [ - 'X509_V_ERR_SUITE_B_INVALID_VERSION', - 'X509_V_ERR_SUITE_B_INVALID_ALGORITHM', - 'X509_V_ERR_SUITE_B_INVALID_CURVE', - 'X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM', - 'X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED', - 'X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256', - 'X509_V_ERR_HOSTNAME_MISMATCH', - 'X509_V_ERR_EMAIL_MISMATCH', - 'X509_V_ERR_IP_ADDRESS_MISMATCH' - ] - - -def cryptography_has_102_verification_params(): - return [ - "X509_V_FLAG_SUITEB_128_LOS_ONLY", - "X509_V_FLAG_SUITEB_192_LOS", - "X509_V_FLAG_SUITEB_128_LOS", - "X509_VERIFY_PARAM_set1_host", - "X509_VERIFY_PARAM_set1_email", - "X509_VERIFY_PARAM_set1_ip", - "X509_VERIFY_PARAM_set1_ip_asc", - "X509_VERIFY_PARAM_set_hostflags", - "SSL_get0_param", - "X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT", - "X509_CHECK_FLAG_NO_WILDCARDS", - "X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS", - "X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS", - "X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS" - ] - - -def cryptography_has_110_verification_params(): - return [ - "X509_CHECK_FLAG_NEVER_CHECK_SUBJECT" - ] - - -def cryptography_has_x509_v_flag_trusted_first(): - return [ - "X509_V_FLAG_TRUSTED_FIRST", - ] - - -def cryptography_has_x509_v_flag_partial_chain(): - return [ - "X509_V_FLAG_PARTIAL_CHAIN", - ] - - -def cryptography_has_set_cert_cb(): - return [ - "SSL_CTX_set_cert_cb", - "SSL_set_cert_cb", - ] - - -def cryptography_has_ssl_st(): - return [ - "SSL_ST_BEFORE", - "SSL_ST_OK", - "SSL_ST_INIT", - "SSL_ST_RENEGOTIATE", - ] - - -def cryptography_has_tls_st(): - return [ - "TLS_ST_BEFORE", - "TLS_ST_OK", - ] - - -def cryptography_has_locking_callbacks(): - return [ - "Cryptography_setup_ssl_threads", - ] - - -def cryptography_has_scrypt(): - return [ - "EVP_PBE_scrypt", - ] - - -def cryptography_has_generic_dtls_method(): - return [ - "DTLS_method", - "DTLS_server_method", - "DTLS_client_method", - "SSL_OP_NO_DTLSv1", - "SSL_OP_NO_DTLSv1_2", - "DTLS_set_link_mtu", - "DTLS_get_link_min_mtu", - ] - - -def cryptography_has_evp_pkey_dhx(): - return [ - "EVP_PKEY_DHX", - ] - - -def cryptography_has_mem_functions(): - return [ - "Cryptography_CRYPTO_set_mem_functions", - ] - - -def cryptography_has_sct(): - return [ - "SCT_get_version", - "SCT_get_log_entry_type", - "SCT_get0_log_id", - "SCT_get0_signature", - "SCT_get_timestamp", - "SCT_set_source", - "sk_SCT_num", - "sk_SCT_value", - "SCT_LIST_free", - "sk_SCT_push", - "sk_SCT_new_null", - "SCT_new", - "SCT_set1_log_id", - "SCT_set_timestamp", - "SCT_set_version", - "SCT_set_log_entry_type", - ] - - -def cryptography_has_x509_store_ctx_get_issuer(): - return [ - "X509_STORE_get_get_issuer", - "X509_STORE_set_get_issuer", - ] - - -def cryptography_has_x25519(): - return [ - "EVP_PKEY_X25519", - "NID_X25519", - ] - - -def cryptography_has_x448(): - return [ - "EVP_PKEY_X448", - "NID_X448", - ] - - -def cryptography_has_ed448(): - return [ - "EVP_PKEY_ED448", - "NID_ED448", - ] - - -def cryptography_has_ed25519(): - return [ - "NID_ED25519", - "EVP_PKEY_ED25519", - ] - - -def cryptography_has_poly1305(): - return [ - "NID_poly1305", - "EVP_PKEY_POLY1305", - ] - - -def cryptography_has_oneshot_evp_digest_sign_verify(): - return [ - "EVP_DigestSign", - "EVP_DigestVerify", - ] - - -def cryptography_has_evp_digestfinal_xof(): - return [ - "EVP_DigestFinalXOF", - ] - - -def cryptography_has_evp_pkey_get_set_tls_encodedpoint(): - return [ - "EVP_PKEY_get1_tls_encodedpoint", - "EVP_PKEY_set1_tls_encodedpoint", - ] - - -def cryptography_has_fips(): - return [ - "FIPS_set_mode", - "FIPS_mode", - ] - - -def cryptography_has_ssl_sigalgs(): - return [ - "SSL_CTX_set1_sigalgs_list", - "SSL_get_sigalgs", - ] - - -def cryptography_has_psk(): - return [ - "SSL_CTX_use_psk_identity_hint", - "SSL_CTX_set_psk_server_callback", - "SSL_CTX_set_psk_client_callback", - ] - - -def cryptography_has_custom_ext(): - return [ - "SSL_CTX_add_client_custom_ext", - "SSL_CTX_add_server_custom_ext", - "SSL_extension_supported", - ] - - -def cryptography_has_openssl_cleanup(): - return [ - "OPENSSL_cleanup", - ] - - -def cryptography_has_cipher_details(): - return [ - "SSL_CIPHER_is_aead", - "SSL_CIPHER_get_cipher_nid", - "SSL_CIPHER_get_digest_nid", - "SSL_CIPHER_get_kx_nid", - "SSL_CIPHER_get_auth_nid", - ] - - -def cryptography_has_tlsv13(): - return [ - "SSL_OP_NO_TLSv1_3", - "SSL_VERIFY_POST_HANDSHAKE", - "SSL_CTX_set_ciphersuites", - "SSL_verify_client_post_handshake", - "SSL_CTX_set_post_handshake_auth", - "SSL_set_post_handshake_auth", - "SSL_SESSION_get_max_early_data", - "SSL_write_early_data", - "SSL_read_early_data", - "SSL_CTX_set_max_early_data", - ] - - -def cryptography_has_raw_key(): - return [ - "EVP_PKEY_new_raw_private_key", - "EVP_PKEY_new_raw_public_key", - "EVP_PKEY_get_raw_private_key", - "EVP_PKEY_get_raw_public_key", - ] - - -def cryptography_has_evp_r_memory_limit_exceeded(): - return [ - "EVP_R_MEMORY_LIMIT_EXCEEDED", - ] - - -def cryptography_has_engine(): - return [ - "ENGINE_by_id", - "ENGINE_init", - "ENGINE_finish", - "ENGINE_get_default_RAND", - "ENGINE_set_default_RAND", - "ENGINE_unregister_RAND", - "ENGINE_ctrl_cmd", - "ENGINE_free", - "ENGINE_get_name", - "Cryptography_add_osrandom_engine", - ] - - -# This is a mapping of -# {condition: function-returning-names-dependent-on-that-condition} so we can -# loop over them and delete unsupported names at runtime. It will be removed -# when cffi supports #if in cdef. We use functions instead of just a dict of -# lists so we can use coverage to measure which are used. -CONDITIONAL_NAMES = { - "Cryptography_HAS_EC2M": cryptography_has_ec2m, - "Cryptography_HAS_EC_1_0_2": cryptography_has_ec_1_0_2, - "Cryptography_HAS_SET_ECDH_AUTO": cryptography_has_set_ecdh_auto, - "Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR": ( - cryptography_has_rsa_r_pkcs_decoding_error - ), - "Cryptography_HAS_RSA_OAEP_MD": cryptography_has_rsa_oaep_md, - "Cryptography_HAS_RSA_OAEP_LABEL": cryptography_has_rsa_oaep_label, - "Cryptography_HAS_SSL3_METHOD": cryptography_has_ssl3_method, - "Cryptography_HAS_ALPN": cryptography_has_alpn, - "Cryptography_HAS_COMPRESSION": cryptography_has_compression, - "Cryptography_HAS_GET_SERVER_TMP_KEY": cryptography_has_get_server_tmp_key, - "Cryptography_HAS_102_VERIFICATION_ERROR_CODES": ( - cryptography_has_102_verification_error_codes - ), - "Cryptography_HAS_102_VERIFICATION_PARAMS": ( - cryptography_has_102_verification_params - ), - "Cryptography_HAS_110_VERIFICATION_PARAMS": ( - cryptography_has_110_verification_params - ), - "Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST": ( - cryptography_has_x509_v_flag_trusted_first - ), - "Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN": ( - cryptography_has_x509_v_flag_partial_chain - ), - "Cryptography_HAS_SET_CERT_CB": cryptography_has_set_cert_cb, - "Cryptography_HAS_SSL_ST": cryptography_has_ssl_st, - "Cryptography_HAS_TLS_ST": cryptography_has_tls_st, - "Cryptography_HAS_LOCKING_CALLBACKS": cryptography_has_locking_callbacks, - "Cryptography_HAS_SCRYPT": cryptography_has_scrypt, - "Cryptography_HAS_GENERIC_DTLS_METHOD": ( - cryptography_has_generic_dtls_method - ), - "Cryptography_HAS_EVP_PKEY_DHX": cryptography_has_evp_pkey_dhx, - "Cryptography_HAS_MEM_FUNCTIONS": cryptography_has_mem_functions, - "Cryptography_HAS_SCT": cryptography_has_sct, - "Cryptography_HAS_X509_STORE_CTX_GET_ISSUER": ( - cryptography_has_x509_store_ctx_get_issuer - ), - "Cryptography_HAS_X25519": cryptography_has_x25519, - "Cryptography_HAS_X448": cryptography_has_x448, - "Cryptography_HAS_ED448": cryptography_has_ed448, - "Cryptography_HAS_ED25519": cryptography_has_ed25519, - "Cryptography_HAS_POLY1305": cryptography_has_poly1305, - "Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY": ( - cryptography_has_oneshot_evp_digest_sign_verify - ), - "Cryptography_HAS_EVP_PKEY_get_set_tls_encodedpoint": ( - cryptography_has_evp_pkey_get_set_tls_encodedpoint - ), - "Cryptography_HAS_FIPS": cryptography_has_fips, - "Cryptography_HAS_SIGALGS": cryptography_has_ssl_sigalgs, - "Cryptography_HAS_PSK": cryptography_has_psk, - "Cryptography_HAS_CUSTOM_EXT": cryptography_has_custom_ext, - "Cryptography_HAS_OPENSSL_CLEANUP": cryptography_has_openssl_cleanup, - "Cryptography_HAS_CIPHER_DETAILS": cryptography_has_cipher_details, - "Cryptography_HAS_TLSv1_3": cryptography_has_tlsv13, - "Cryptography_HAS_RAW_KEY": cryptography_has_raw_key, - "Cryptography_HAS_EVP_DIGESTFINAL_XOF": ( - cryptography_has_evp_digestfinal_xof - ), - "Cryptography_HAS_EVP_R_MEMORY_LIMIT_EXCEEDED": ( - cryptography_has_evp_r_memory_limit_exceeded - ), - "Cryptography_HAS_ENGINE": cryptography_has_engine, -} diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/binding.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/binding.py @@ -1,197 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import collections -import threading -import types -import warnings - -import cryptography -from cryptography import utils -from cryptography.exceptions import InternalError -from cryptography.hazmat.bindings._openssl import ffi, lib -from cryptography.hazmat.bindings.openssl._conditional import CONDITIONAL_NAMES - -_OpenSSLErrorWithText = collections.namedtuple( - "_OpenSSLErrorWithText", ["code", "lib", "func", "reason", "reason_text"] -) - - -class _OpenSSLError(object): - def __init__(self, code, lib, func, reason): - self._code = code - self._lib = lib - self._func = func - self._reason = reason - - def _lib_reason_match(self, lib, reason): - return lib == self.lib and reason == self.reason - - code = utils.read_only_property("_code") - lib = utils.read_only_property("_lib") - func = utils.read_only_property("_func") - reason = utils.read_only_property("_reason") - - -def _consume_errors(lib): - errors = [] - while True: - code = lib.ERR_get_error() - if code == 0: - break - - err_lib = lib.ERR_GET_LIB(code) - err_func = lib.ERR_GET_FUNC(code) - err_reason = lib.ERR_GET_REASON(code) - - errors.append(_OpenSSLError(code, err_lib, err_func, err_reason)) - - return errors - - -def _openssl_assert(lib, ok): - if not ok: - errors = _consume_errors(lib) - errors_with_text = [] - for err in errors: - buf = ffi.new("char[]", 256) - lib.ERR_error_string_n(err.code, buf, len(buf)) - err_text_reason = ffi.string(buf) - - errors_with_text.append( - _OpenSSLErrorWithText( - err.code, err.lib, err.func, err.reason, err_text_reason - ) - ) - - raise InternalError( - "Unknown OpenSSL error. This error is commonly encountered when " - "another library is not cleaning up the OpenSSL error stack. If " - "you are using cryptography with another library that uses " - "OpenSSL try disabling it before reporting a bug. Otherwise " - "please file an issue at https://github.com/pyca/cryptography/" - "issues with information on how to reproduce " - "this. ({0!r})".format(errors_with_text), - errors_with_text - ) - - -def build_conditional_library(lib, conditional_names): - conditional_lib = types.ModuleType("lib") - conditional_lib._original_lib = lib - excluded_names = set() - for condition, names_cb in conditional_names.items(): - if not getattr(lib, condition): - excluded_names.update(names_cb()) - - for attr in dir(lib): - if attr not in excluded_names: - setattr(conditional_lib, attr, getattr(lib, attr)) - - return conditional_lib - - -class Binding(object): - """ - OpenSSL API wrapper. - """ - lib = None - ffi = ffi - _lib_loaded = False - _init_lock = threading.Lock() - _lock_init_lock = threading.Lock() - - def __init__(self): - self._ensure_ffi_initialized() - - @classmethod - def _register_osrandom_engine(cls): - # Clear any errors extant in the queue before we start. In many - # scenarios other things may be interacting with OpenSSL in the same - # process space and it has proven untenable to assume that they will - # reliably clear the error queue. Once we clear it here we will - # error on any subsequent unexpected item in the stack. - cls.lib.ERR_clear_error() - if cls.lib.Cryptography_HAS_ENGINE: - result = cls.lib.Cryptography_add_osrandom_engine() - _openssl_assert(cls.lib, result in (1, 2)) - - @classmethod - def _ensure_ffi_initialized(cls): - with cls._init_lock: - if not cls._lib_loaded: - cls.lib = build_conditional_library(lib, CONDITIONAL_NAMES) - cls._lib_loaded = True - # initialize the SSL library - cls.lib.SSL_library_init() - # adds all ciphers/digests for EVP - cls.lib.OpenSSL_add_all_algorithms() - # loads error strings for libcrypto and libssl functions - cls.lib.SSL_load_error_strings() - cls._register_osrandom_engine() - - @classmethod - def init_static_locks(cls): - with cls._lock_init_lock: - cls._ensure_ffi_initialized() - # Use Python's implementation if available, importing _ssl triggers - # the setup for this. - __import__("_ssl") - - if (not cls.lib.Cryptography_HAS_LOCKING_CALLBACKS or - cls.lib.CRYPTO_get_locking_callback() != cls.ffi.NULL): - return - - # If nothing else has setup a locking callback already, we set up - # our own - res = lib.Cryptography_setup_ssl_threads() - _openssl_assert(cls.lib, res == 1) - - -def _verify_openssl_version(lib): - if ( - lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and - not lib.CRYPTOGRAPHY_IS_LIBRESSL - ): - warnings.warn( - "OpenSSL version 1.0.1 is no longer supported by the OpenSSL " - "project, please upgrade. A future version of cryptography will " - "drop support for it.", - utils.CryptographyDeprecationWarning - ) - - -def _verify_package_version(version): - # Occasionally we run into situations where the version of the Python - # package does not match the version of the shared object that is loaded. - # This may occur in environments where multiple versions of cryptography - # are installed and available in the python path. To avoid errors cropping - # up later this code checks that the currently imported package and the - # shared object that were loaded have the same version and raise an - # ImportError if they do not - so_package_version = ffi.string(lib.CRYPTOGRAPHY_PACKAGE_VERSION) - if version.encode("ascii") != so_package_version: - raise ImportError( - "The version of cryptography does not match the loaded " - "shared object. This can happen if you have multiple copies of " - "cryptography installed in your Python path. Please try creating " - "a new virtual environment to resolve this issue. " - "Loaded python version: {}, shared object version: {}".format( - version, so_package_version - ) - ) - - -_verify_package_version(cryptography.__version__) - -# OpenSSL is not thread safe until the locks are initialized. We call this -# method in module scope so that it executes with the import lock. On -# Pythons < 3.4 this import lock is a global lock, which can prevent a race -# condition registering the OpenSSL locks. On Python 3.4+ the import lock -# is per module so this approach will not work. -Binding.init_static_locks() - -_verify_openssl_version(Binding.lib) diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__init__.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__init__.py @@ -1,5 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/__init__.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/__init__.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/cmac.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/cmac.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/constant_time.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/constant_time.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/hashes.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/hashes.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/hmac.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/hmac.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/keywrap.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/keywrap.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/padding.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/padding.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/poly1305.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/poly1305.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__init__.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__init__.py @@ -1,40 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import abc - -import six - - -@six.add_metaclass(abc.ABCMeta) -class AsymmetricSignatureContext(object): - @abc.abstractmethod - def update(self, data): - """ - Processes the provided bytes and returns nothing. - """ - - @abc.abstractmethod - def finalize(self): - """ - Returns the signature as bytes. - """ - - -@six.add_metaclass(abc.ABCMeta) -class AsymmetricVerificationContext(object): - @abc.abstractmethod - def update(self, data): - """ - Processes the provided bytes and returns nothing. - """ - - @abc.abstractmethod - def verify(self): - """ - Raises an exception if the bytes provided to update do not match the - signature or the signature does not match the public key. - """ diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/__init__.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/__init__.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/dh.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/dh.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/dsa.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/dsa.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/ec.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/ec.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/ed25519.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/ed25519.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/ed448.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/ed448.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/padding.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/padding.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/rsa.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/rsa.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/utils.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/utils.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/x25519.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/x25519.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/x448.cpython-37.pyc b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/x448.cpython-37.pyc Binary files differ. diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/dh.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/dh.py @@ -1,212 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import abc - -import six - -from cryptography import utils - - -def generate_parameters(generator, key_size, backend): - return backend.generate_dh_parameters(generator, key_size) - - -class DHPrivateNumbers(object): - def __init__(self, x, public_numbers): - if not isinstance(x, six.integer_types): - raise TypeError("x must be an integer.") - - if not isinstance(public_numbers, DHPublicNumbers): - raise TypeError("public_numbers must be an instance of " - "DHPublicNumbers.") - - self._x = x - self._public_numbers = public_numbers - - def __eq__(self, other): - if not isinstance(other, DHPrivateNumbers): - return NotImplemented - - return ( - self._x == other._x and - self._public_numbers == other._public_numbers - ) - - def __ne__(self, other): - return not self == other - - def private_key(self, backend): - return backend.load_dh_private_numbers(self) - - public_numbers = utils.read_only_property("_public_numbers") - x = utils.read_only_property("_x") - - -class DHPublicNumbers(object): - def __init__(self, y, parameter_numbers): - if not isinstance(y, six.integer_types): - raise TypeError("y must be an integer.") - - if not isinstance(parameter_numbers, DHParameterNumbers): - raise TypeError( - "parameters must be an instance of DHParameterNumbers.") - - self._y = y - self._parameter_numbers = parameter_numbers - - def __eq__(self, other): - if not isinstance(other, DHPublicNumbers): - return NotImplemented - - return ( - self._y == other._y and - self._parameter_numbers == other._parameter_numbers - ) - - def __ne__(self, other): - return not self == other - - def public_key(self, backend): - return backend.load_dh_public_numbers(self) - - y = utils.read_only_property("_y") - parameter_numbers = utils.read_only_property("_parameter_numbers") - - -class DHParameterNumbers(object): - def __init__(self, p, g, q=None): - if ( - not isinstance(p, six.integer_types) or - not isinstance(g, six.integer_types) - ): - raise TypeError("p and g must be integers") - if q is not None and not isinstance(q, six.integer_types): - raise TypeError("q must be integer or None") - - if g < 2: - raise ValueError("DH generator must be 2 or greater") - - self._p = p - self._g = g - self._q = q - - def __eq__(self, other): - if not isinstance(other, DHParameterNumbers): - return NotImplemented - - return ( - self._p == other._p and - self._g == other._g and - self._q == other._q - ) - - def __ne__(self, other): - return not self == other - - def parameters(self, backend): - return backend.load_dh_parameter_numbers(self) - - p = utils.read_only_property("_p") - g = utils.read_only_property("_g") - q = utils.read_only_property("_q") - - -@six.add_metaclass(abc.ABCMeta) -class DHParameters(object): - @abc.abstractmethod - def generate_private_key(self): - """ - Generates and returns a DHPrivateKey. - """ - - @abc.abstractmethod - def parameter_bytes(self, encoding, format): - """ - Returns the parameters serialized as bytes. - """ - - @abc.abstractmethod - def parameter_numbers(self): - """ - Returns a DHParameterNumbers. - """ - - -DHParametersWithSerialization = DHParameters - - -@six.add_metaclass(abc.ABCMeta) -class DHPrivateKey(object): - @abc.abstractproperty - def key_size(self): - """ - The bit length of the prime modulus. - """ - - @abc.abstractmethod - def public_key(self): - """ - The DHPublicKey associated with this private key. - """ - - @abc.abstractmethod - def parameters(self): - """ - The DHParameters object associated with this private key. - """ - - @abc.abstractmethod - def exchange(self, peer_public_key): - """ - Given peer's DHPublicKey, carry out the key exchange and - return shared key as bytes. - """ - - -@six.add_metaclass(abc.ABCMeta) -class DHPrivateKeyWithSerialization(DHPrivateKey): - @abc.abstractmethod - def private_numbers(self): - """ - Returns a DHPrivateNumbers. - """ - - @abc.abstractmethod - def private_bytes(self, encoding, format, encryption_algorithm): - """ - Returns the key serialized as bytes. - """ - - -@six.add_metaclass(abc.ABCMeta) -class DHPublicKey(object): - @abc.abstractproperty - def key_size(self): - """ - The bit length of the prime modulus. - """ - - @abc.abstractmethod - def parameters(self): - """ - The DHParameters object associated with this public key. - """ - - @abc.abstractmethod - def public_numbers(self): - """ - Returns a DHPublicNumbers. - """ - - @abc.abstractmethod - def public_bytes(self, encoding, format): - """ - Returns the key serialized as bytes. - """ - - -DHPublicKeyWithSerialization = DHPublicKey diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/dsa.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/dsa.py @@ -1,254 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import abc - -import six - -from cryptography import utils - - -@six.add_metaclass(abc.ABCMeta) -class DSAParameters(object): - @abc.abstractmethod - def generate_private_key(self): - """ - Generates and returns a DSAPrivateKey. - """ - - -@six.add_metaclass(abc.ABCMeta) -class DSAParametersWithNumbers(DSAParameters): - @abc.abstractmethod - def parameter_numbers(self): - """ - Returns a DSAParameterNumbers. - """ - - -@six.add_metaclass(abc.ABCMeta) -class DSAPrivateKey(object): - @abc.abstractproperty - def key_size(self): - """ - The bit length of the prime modulus. - """ - - @abc.abstractmethod - def public_key(self): - """ - The DSAPublicKey associated with this private key. - """ - - @abc.abstractmethod - def parameters(self): - """ - The DSAParameters object associated with this private key. - """ - - @abc.abstractmethod - def signer(self, signature_algorithm): - """ - Returns an AsymmetricSignatureContext used for signing data. - """ - - @abc.abstractmethod - def sign(self, data, algorithm): - """ - Signs the data - """ - - -@six.add_metaclass(abc.ABCMeta) -class DSAPrivateKeyWithSerialization(DSAPrivateKey): - @abc.abstractmethod - def private_numbers(self): - """ - Returns a DSAPrivateNumbers. - """ - - @abc.abstractmethod - def private_bytes(self, encoding, format, encryption_algorithm): - """ - Returns the key serialized as bytes. - """ - - -@six.add_metaclass(abc.ABCMeta) -class DSAPublicKey(object): - @abc.abstractproperty - def key_size(self): - """ - The bit length of the prime modulus. - """ - - @abc.abstractmethod - def parameters(self): - """ - The DSAParameters object associated with this public key. - """ - - @abc.abstractmethod - def verifier(self, signature, signature_algorithm): - """ - Returns an AsymmetricVerificationContext used for signing data. - """ - - @abc.abstractmethod - def public_numbers(self): - """ - Returns a DSAPublicNumbers. - """ - - @abc.abstractmethod - def public_bytes(self, encoding, format): - """ - Returns the key serialized as bytes. - """ - - @abc.abstractmethod - def verify(self, signature, data, algorithm): - """ - Verifies the signature of the data. - """ - - -DSAPublicKeyWithSerialization = DSAPublicKey - - -def generate_parameters(key_size, backend): - return backend.generate_dsa_parameters(key_size) - - -def generate_private_key(key_size, backend): - return backend.generate_dsa_private_key_and_parameters(key_size) - - -def _check_dsa_parameters(parameters): - if parameters.p.bit_length() not in [1024, 2048, 3072]: - raise ValueError("p must be exactly 1024, 2048, or 3072 bits long") - if parameters.q.bit_length() not in [160, 224, 256]: - raise ValueError("q must be exactly 160, 224, or 256 bits long") - - if not (1 < parameters.g < parameters.p): - raise ValueError("g, p don't satisfy 1 < g < p.") - - -def _check_dsa_private_numbers(numbers): - parameters = numbers.public_numbers.parameter_numbers - _check_dsa_parameters(parameters) - if numbers.x <= 0 or numbers.x >= parameters.q: - raise ValueError("x must be > 0 and < q.") - - if numbers.public_numbers.y != pow(parameters.g, numbers.x, parameters.p): - raise ValueError("y must be equal to (g ** x % p).") - - -class DSAParameterNumbers(object): - def __init__(self, p, q, g): - if ( - not isinstance(p, six.integer_types) or - not isinstance(q, six.integer_types) or - not isinstance(g, six.integer_types) - ): - raise TypeError( - "DSAParameterNumbers p, q, and g arguments must be integers." - ) - - self._p = p - self._q = q - self._g = g - - p = utils.read_only_property("_p") - q = utils.read_only_property("_q") - g = utils.read_only_property("_g") - - def parameters(self, backend): - return backend.load_dsa_parameter_numbers(self) - - def __eq__(self, other): - if not isinstance(other, DSAParameterNumbers): - return NotImplemented - - return self.p == other.p and self.q == other.q and self.g == other.g - - def __ne__(self, other): - return not self == other - - def __repr__(self): - return ( - "<DSAParameterNumbers(p={self.p}, q={self.q}, g={self.g})>".format( - self=self - ) - ) - - -class DSAPublicNumbers(object): - def __init__(self, y, parameter_numbers): - if not isinstance(y, six.integer_types): - raise TypeError("DSAPublicNumbers y argument must be an integer.") - - if not isinstance(parameter_numbers, DSAParameterNumbers): - raise TypeError( - "parameter_numbers must be a DSAParameterNumbers instance." - ) - - self._y = y - self._parameter_numbers = parameter_numbers - - y = utils.read_only_property("_y") - parameter_numbers = utils.read_only_property("_parameter_numbers") - - def public_key(self, backend): - return backend.load_dsa_public_numbers(self) - - def __eq__(self, other): - if not isinstance(other, DSAPublicNumbers): - return NotImplemented - - return ( - self.y == other.y and - self.parameter_numbers == other.parameter_numbers - ) - - def __ne__(self, other): - return not self == other - - def __repr__(self): - return ( - "<DSAPublicNumbers(y={self.y}, " - "parameter_numbers={self.parameter_numbers})>".format(self=self) - ) - - -class DSAPrivateNumbers(object): - def __init__(self, x, public_numbers): - if not isinstance(x, six.integer_types): - raise TypeError("DSAPrivateNumbers x argument must be an integer.") - - if not isinstance(public_numbers, DSAPublicNumbers): - raise TypeError( - "public_numbers must be a DSAPublicNumbers instance." - ) - self._public_numbers = public_numbers - self._x = x - - x = utils.read_only_property("_x") - public_numbers = utils.read_only_property("_public_numbers") - - def private_key(self, backend): - return backend.load_dsa_private_numbers(self) - - def __eq__(self, other): - if not isinstance(other, DSAPrivateNumbers): - return NotImplemented - - return ( - self.x == other.x and self.public_numbers == other.public_numbers - ) - - def __ne__(self, other): - return not self == other diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/ec.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/ec.py @@ -1,500 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import abc -import warnings - -import six - -from cryptography import utils -from cryptography.hazmat._oid import ObjectIdentifier - - -class EllipticCurveOID(object): - SECP192R1 = ObjectIdentifier("1.2.840.10045.3.1.1") - SECP224R1 = ObjectIdentifier("1.3.132.0.33") - SECP256K1 = ObjectIdentifier("1.3.132.0.10") - SECP256R1 = ObjectIdentifier("1.2.840.10045.3.1.7") - SECP384R1 = ObjectIdentifier("1.3.132.0.34") - SECP521R1 = ObjectIdentifier("1.3.132.0.35") - BRAINPOOLP256R1 = ObjectIdentifier("1.3.36.3.3.2.8.1.1.7") - BRAINPOOLP384R1 = ObjectIdentifier("1.3.36.3.3.2.8.1.1.11") - BRAINPOOLP512R1 = ObjectIdentifier("1.3.36.3.3.2.8.1.1.13") - SECT163K1 = ObjectIdentifier("1.3.132.0.1") - SECT163R2 = ObjectIdentifier("1.3.132.0.15") - SECT233K1 = ObjectIdentifier("1.3.132.0.26") - SECT233R1 = ObjectIdentifier("1.3.132.0.27") - SECT283K1 = ObjectIdentifier("1.3.132.0.16") - SECT283R1 = ObjectIdentifier("1.3.132.0.17") - SECT409K1 = ObjectIdentifier("1.3.132.0.36") - SECT409R1 = ObjectIdentifier("1.3.132.0.37") - SECT571K1 = ObjectIdentifier("1.3.132.0.38") - SECT571R1 = ObjectIdentifier("1.3.132.0.39") - - -@six.add_metaclass(abc.ABCMeta) -class EllipticCurve(object): - @abc.abstractproperty - def name(self): - """ - The name of the curve. e.g. secp256r1. - """ - - @abc.abstractproperty - def key_size(self): - """ - Bit size of a secret scalar for the curve. - """ - - -@six.add_metaclass(abc.ABCMeta) -class EllipticCurveSignatureAlgorithm(object): - @abc.abstractproperty - def algorithm(self): - """ - The digest algorithm used with this signature. - """ - - -@six.add_metaclass(abc.ABCMeta) -class EllipticCurvePrivateKey(object): - @abc.abstractmethod - def signer(self, signature_algorithm): - """ - Returns an AsymmetricSignatureContext used for signing data. - """ - - @abc.abstractmethod - def exchange(self, algorithm, peer_public_key): - """ - Performs a key exchange operation using the provided algorithm with the - provided peer's public key. - """ - - @abc.abstractmethod - def public_key(self): - """ - The EllipticCurvePublicKey for this private key. - """ - - @abc.abstractproperty - def curve(self): - """ - The EllipticCurve that this key is on. - """ - - @abc.abstractproperty - def key_size(self): - """ - Bit size of a secret scalar for the curve. - """ - - @abc.abstractmethod - def sign(self, data, signature_algorithm): - """ - Signs the data - """ - - -@six.add_metaclass(abc.ABCMeta) -class EllipticCurvePrivateKeyWithSerialization(EllipticCurvePrivateKey): - @abc.abstractmethod - def private_numbers(self): - """ - Returns an EllipticCurvePrivateNumbers. - """ - - @abc.abstractmethod - def private_bytes(self, encoding, format, encryption_algorithm): - """ - Returns the key serialized as bytes. - """ - - -@six.add_metaclass(abc.ABCMeta) -class EllipticCurvePublicKey(object): - @abc.abstractmethod - def verifier(self, signature, signature_algorithm): - """ - Returns an AsymmetricVerificationContext used for signing data. - """ - - @abc.abstractproperty - def curve(self): - """ - The EllipticCurve that this key is on. - """ - - @abc.abstractproperty - def key_size(self): - """ - Bit size of a secret scalar for the curve. - """ - - @abc.abstractmethod - def public_numbers(self): - """ - Returns an EllipticCurvePublicNumbers. - """ - - @abc.abstractmethod - def public_bytes(self, encoding, format): - """ - Returns the key serialized as bytes. - """ - - @abc.abstractmethod - def verify(self, signature, data, signature_algorithm): - """ - Verifies the signature of the data. - """ - - @classmethod - def from_encoded_point(cls, curve, data): - utils._check_bytes("data", data) - - if not isinstance(curve, EllipticCurve): - raise TypeError("curve must be an EllipticCurve instance") - - if len(data) == 0: - raise ValueError("data must not be an empty byte string") - - if six.indexbytes(data, 0) not in [0x02, 0x03, 0x04]: - raise ValueError("Unsupported elliptic curve point type") - - from cryptography.hazmat.backends.openssl.backend import backend - return backend.load_elliptic_curve_public_bytes(curve, data) - - -EllipticCurvePublicKeyWithSerialization = EllipticCurvePublicKey - - -@utils.register_interface(EllipticCurve) -class SECT571R1(object): - name = "sect571r1" - key_size = 570 - - -@utils.register_interface(EllipticCurve) -class SECT409R1(object): - name = "sect409r1" - key_size = 409 - - -@utils.register_interface(EllipticCurve) -class SECT283R1(object): - name = "sect283r1" - key_size = 283 - - -@utils.register_interface(EllipticCurve) -class SECT233R1(object): - name = "sect233r1" - key_size = 233 - - -@utils.register_interface(EllipticCurve) -class SECT163R2(object): - name = "sect163r2" - key_size = 163 - - -@utils.register_interface(EllipticCurve) -class SECT571K1(object): - name = "sect571k1" - key_size = 571 - - -@utils.register_interface(EllipticCurve) -class SECT409K1(object): - name = "sect409k1" - key_size = 409 - - -@utils.register_interface(EllipticCurve) -class SECT283K1(object): - name = "sect283k1" - key_size = 283 - - -@utils.register_interface(EllipticCurve) -class SECT233K1(object): - name = "sect233k1" - key_size = 233 - - -@utils.register_interface(EllipticCurve) -class SECT163K1(object): - name = "sect163k1" - key_size = 163 - - -@utils.register_interface(EllipticCurve) -class SECP521R1(object): - name = "secp521r1" - key_size = 521 - - -@utils.register_interface(EllipticCurve) -class SECP384R1(object): - name = "secp384r1" - key_size = 384 - - -@utils.register_interface(EllipticCurve) -class SECP256R1(object): - name = "secp256r1" - key_size = 256 - - -@utils.register_interface(EllipticCurve) -class SECP256K1(object): - name = "secp256k1" - key_size = 256 - - -@utils.register_interface(EllipticCurve) -class SECP224R1(object): - name = "secp224r1" - key_size = 224 - - -@utils.register_interface(EllipticCurve) -class SECP192R1(object): - name = "secp192r1" - key_size = 192 - - -@utils.register_interface(EllipticCurve) -class BrainpoolP256R1(object): - name = "brainpoolP256r1" - key_size = 256 - - -@utils.register_interface(EllipticCurve) -class BrainpoolP384R1(object): - name = "brainpoolP384r1" - key_size = 384 - - -@utils.register_interface(EllipticCurve) -class BrainpoolP512R1(object): - name = "brainpoolP512r1" - key_size = 512 - - -_CURVE_TYPES = { - "prime192v1": SECP192R1, - "prime256v1": SECP256R1, - - "secp192r1": SECP192R1, - "secp224r1": SECP224R1, - "secp256r1": SECP256R1, - "secp384r1": SECP384R1, - "secp521r1": SECP521R1, - "secp256k1": SECP256K1, - - "sect163k1": SECT163K1, - "sect233k1": SECT233K1, - "sect283k1": SECT283K1, - "sect409k1": SECT409K1, - "sect571k1": SECT571K1, - - "sect163r2": SECT163R2, - "sect233r1": SECT233R1, - "sect283r1": SECT283R1, - "sect409r1": SECT409R1, - "sect571r1": SECT571R1, - - "brainpoolP256r1": BrainpoolP256R1, - "brainpoolP384r1": BrainpoolP384R1, - "brainpoolP512r1": BrainpoolP512R1, -} - - -@utils.register_interface(EllipticCurveSignatureAlgorithm) -class ECDSA(object): - def __init__(self, algorithm): - self._algorithm = algorithm - - algorithm = utils.read_only_property("_algorithm") - - -def generate_private_key(curve, backend): - return backend.generate_elliptic_curve_private_key(curve) - - -def derive_private_key(private_value, curve, backend): - if not isinstance(private_value, six.integer_types): - raise TypeError("private_value must be an integer type.") - - if private_value <= 0: - raise ValueError("private_value must be a positive integer.") - - if not isinstance(curve, EllipticCurve): - raise TypeError("curve must provide the EllipticCurve interface.") - - return backend.derive_elliptic_curve_private_key(private_value, curve) - - -class EllipticCurvePublicNumbers(object): - def __init__(self, x, y, curve): - if ( - not isinstance(x, six.integer_types) or - not isinstance(y, six.integer_types) - ): - raise TypeError("x and y must be integers.") - - if not isinstance(curve, EllipticCurve): - raise TypeError("curve must provide the EllipticCurve interface.") - - self._y = y - self._x = x - self._curve = curve - - def public_key(self, backend): - return backend.load_elliptic_curve_public_numbers(self) - - def encode_point(self): - warnings.warn( - "encode_point has been deprecated on EllipticCurvePublicNumbers" - " and will be removed in a future version. Please use " - "EllipticCurvePublicKey.public_bytes to obtain both " - "compressed and uncompressed point encoding.", - utils.DeprecatedIn25, - stacklevel=2, - ) - # key_size is in bits. Convert to bytes and round up - byte_length = (self.curve.key_size + 7) // 8 - return ( - b'\x04' + utils.int_to_bytes(self.x, byte_length) + - utils.int_to_bytes(self.y, byte_length) - ) - - @classmethod - def from_encoded_point(cls, curve, data): - if not isinstance(curve, EllipticCurve): - raise TypeError("curve must be an EllipticCurve instance") - - warnings.warn( - "Support for unsafe construction of public numbers from " - "encoded data will be removed in a future version. " - "Please use EllipticCurvePublicKey.from_encoded_point", - utils.DeprecatedIn25, - stacklevel=2, - ) - - if data.startswith(b'\x04'): - # key_size is in bits. Convert to bytes and round up - byte_length = (curve.key_size + 7) // 8 - if len(data) == 2 * byte_length + 1: - x = utils.int_from_bytes(data[1:byte_length + 1], 'big') - y = utils.int_from_bytes(data[byte_length + 1:], 'big') - return cls(x, y, curve) - else: - raise ValueError('Invalid elliptic curve point data length') - else: - raise ValueError('Unsupported elliptic curve point type') - - curve = utils.read_only_property("_curve") - x = utils.read_only_property("_x") - y = utils.read_only_property("_y") - - def __eq__(self, other): - if not isinstance(other, EllipticCurvePublicNumbers): - return NotImplemented - - return ( - self.x == other.x and - self.y == other.y and - self.curve.name == other.curve.name and - self.curve.key_size == other.curve.key_size - ) - - def __ne__(self, other): - return not self == other - - def __hash__(self): - return hash((self.x, self.y, self.curve.name, self.curve.key_size)) - - def __repr__(self): - return ( - "<EllipticCurvePublicNumbers(curve={0.curve.name}, x={0.x}, " - "y={0.y}>".format(self) - ) - - -class EllipticCurvePrivateNumbers(object): - def __init__(self, private_value, public_numbers): - if not isinstance(private_value, six.integer_types): - raise TypeError("private_value must be an integer.") - - if not isinstance(public_numbers, EllipticCurvePublicNumbers): - raise TypeError( - "public_numbers must be an EllipticCurvePublicNumbers " - "instance." - ) - - self._private_value = private_value - self._public_numbers = public_numbers - - def private_key(self, backend): - return backend.load_elliptic_curve_private_numbers(self) - - private_value = utils.read_only_property("_private_value") - public_numbers = utils.read_only_property("_public_numbers") - - def __eq__(self, other): - if not isinstance(other, EllipticCurvePrivateNumbers): - return NotImplemented - - return ( - self.private_value == other.private_value and - self.public_numbers == other.public_numbers - ) - - def __ne__(self, other): - return not self == other - - def __hash__(self): - return hash((self.private_value, self.public_numbers)) - - -class ECDH(object): - pass - - -_OID_TO_CURVE = { - EllipticCurveOID.SECP192R1: SECP192R1, - EllipticCurveOID.SECP224R1: SECP224R1, - EllipticCurveOID.SECP256K1: SECP256K1, - EllipticCurveOID.SECP256R1: SECP256R1, - EllipticCurveOID.SECP384R1: SECP384R1, - EllipticCurveOID.SECP521R1: SECP521R1, - EllipticCurveOID.BRAINPOOLP256R1: BrainpoolP256R1, - EllipticCurveOID.BRAINPOOLP384R1: BrainpoolP384R1, - EllipticCurveOID.BRAINPOOLP512R1: BrainpoolP512R1, - EllipticCurveOID.SECT163K1: SECT163K1, - EllipticCurveOID.SECT163R2: SECT163R2, - EllipticCurveOID.SECT233K1: SECT233K1, - EllipticCurveOID.SECT233R1: SECT233R1, - EllipticCurveOID.SECT283K1: SECT283K1, - EllipticCurveOID.SECT283R1: SECT283R1, - EllipticCurveOID.SECT409K1: SECT409K1, - EllipticCurveOID.SECT409R1: SECT409R1, - EllipticCurveOID.SECT571K1: SECT571K1, - EllipticCurveOID.SECT571R1: SECT571R1, -} - - -def get_curve_for_oid(oid): - try: - return _OID_TO_CURVE[oid] - except KeyError: - raise LookupError( - "The provided object identifier has no matching elliptic " - "curve class" - ) diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/ed25519.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/ed25519.py @@ -1,84 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import abc - -import six - -from cryptography.exceptions import UnsupportedAlgorithm, _Reasons - - -_ED25519_KEY_SIZE = 32 -_ED25519_SIG_SIZE = 64 - - -@six.add_metaclass(abc.ABCMeta) -class Ed25519PublicKey(object): - @classmethod - def from_public_bytes(cls, data): - from cryptography.hazmat.backends.openssl.backend import backend - if not backend.ed25519_supported(): - raise UnsupportedAlgorithm( - "ed25519 is not supported by this version of OpenSSL.", - _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM - ) - - return backend.ed25519_load_public_bytes(data) - - @abc.abstractmethod - def public_bytes(self, encoding, format): - """ - The serialized bytes of the public key. - """ - - @abc.abstractmethod - def verify(self, signature, data): - """ - Verify the signature. - """ - - -@six.add_metaclass(abc.ABCMeta) -class Ed25519PrivateKey(object): - @classmethod - def generate(cls): - from cryptography.hazmat.backends.openssl.backend import backend - if not backend.ed25519_supported(): - raise UnsupportedAlgorithm( - "ed25519 is not supported by this version of OpenSSL.", - _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM - ) - - return backend.ed25519_generate_key() - - @classmethod - def from_private_bytes(cls, data): - from cryptography.hazmat.backends.openssl.backend import backend - if not backend.ed25519_supported(): - raise UnsupportedAlgorithm( - "ed25519 is not supported by this version of OpenSSL.", - _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM - ) - - return backend.ed25519_load_private_bytes(data) - - @abc.abstractmethod - def public_key(self): - """ - The Ed25519PublicKey derived from the private key. - """ - - @abc.abstractmethod - def private_bytes(self, encoding, format, encryption_algorithm): - """ - The serialized bytes of the private key. - """ - - @abc.abstractmethod - def sign(self, data): - """ - Signs the data. - """ diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/ed448.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/ed448.py @@ -1,79 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import abc - -import six - -from cryptography.exceptions import UnsupportedAlgorithm, _Reasons - - -@six.add_metaclass(abc.ABCMeta) -class Ed448PublicKey(object): - @classmethod - def from_public_bytes(cls, data): - from cryptography.hazmat.backends.openssl.backend import backend - if not backend.ed448_supported(): - raise UnsupportedAlgorithm( - "ed448 is not supported by this version of OpenSSL.", - _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM - ) - - return backend.ed448_load_public_bytes(data) - - @abc.abstractmethod - def public_bytes(self, encoding, format): - """ - The serialized bytes of the public key. - """ - - @abc.abstractmethod - def verify(self, signature, data): - """ - Verify the signature. - """ - - -@six.add_metaclass(abc.ABCMeta) -class Ed448PrivateKey(object): - @classmethod - def generate(cls): - from cryptography.hazmat.backends.openssl.backend import backend - if not backend.ed448_supported(): - raise UnsupportedAlgorithm( - "ed448 is not supported by this version of OpenSSL.", - _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM - ) - return backend.ed448_generate_key() - - @classmethod - def from_private_bytes(cls, data): - from cryptography.hazmat.backends.openssl.backend import backend - if not backend.ed448_supported(): - raise UnsupportedAlgorithm( - "ed448 is not supported by this version of OpenSSL.", - _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM - ) - - return backend.ed448_load_private_bytes(data) - - @abc.abstractmethod - def public_key(self): - """ - The Ed448PublicKey derived from the private key. - """ - - @abc.abstractmethod - def sign(self, data): - """ - Signs the data. - """ - - @abc.abstractmethod - def private_bytes(self, encoding, format, encryption_algorithm): - """ - The serialized bytes of the private key. - """ diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/padding.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/padding.py @@ -1,79 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import abc -import math - -import six - -from cryptography import utils -from cryptography.hazmat.primitives import hashes -from cryptography.hazmat.primitives.asymmetric import rsa - - -@six.add_metaclass(abc.ABCMeta) -class AsymmetricPadding(object): - @abc.abstractproperty - def name(self): - """ - A string naming this padding (e.g. "PSS", "PKCS1"). - """ - - -@utils.register_interface(AsymmetricPadding) -class PKCS1v15(object): - name = "EMSA-PKCS1-v1_5" - - -@utils.register_interface(AsymmetricPadding) -class PSS(object): - MAX_LENGTH = object() - name = "EMSA-PSS" - - def __init__(self, mgf, salt_length): - self._mgf = mgf - - if (not isinstance(salt_length, six.integer_types) and - salt_length is not self.MAX_LENGTH): - raise TypeError("salt_length must be an integer.") - - if salt_length is not self.MAX_LENGTH and salt_length < 0: - raise ValueError("salt_length must be zero or greater.") - - self._salt_length = salt_length - - -@utils.register_interface(AsymmetricPadding) -class OAEP(object): - name = "EME-OAEP" - - def __init__(self, mgf, algorithm, label): - if not isinstance(algorithm, hashes.HashAlgorithm): - raise TypeError("Expected instance of hashes.HashAlgorithm.") - - self._mgf = mgf - self._algorithm = algorithm - self._label = label - - -class MGF1(object): - MAX_LENGTH = object() - - def __init__(self, algorithm): - if not isinstance(algorithm, hashes.HashAlgorithm): - raise TypeError("Expected instance of hashes.HashAlgorithm.") - - self._algorithm = algorithm - - -def calculate_max_pss_salt_length(key, hash_algorithm): - if not isinstance(key, (rsa.RSAPrivateKey, rsa.RSAPublicKey)): - raise TypeError("key must be an RSA public or private key") - # bit length - 1 per RFC 3447 - emlen = int(math.ceil((key.key_size - 1) / 8.0)) - salt_length = emlen - hash_algorithm.digest_size - 2 - assert salt_length >= 0 - return salt_length diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/rsa.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/rsa.py @@ -1,368 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import abc -try: - # Only available in math in 3.5+ - from math import gcd -except ImportError: - from fractions import gcd - -import six - -from cryptography import utils -from cryptography.exceptions import UnsupportedAlgorithm, _Reasons -from cryptography.hazmat.backends.interfaces import RSABackend - - -@six.add_metaclass(abc.ABCMeta) -class RSAPrivateKey(object): - @abc.abstractmethod - def signer(self, padding, algorithm): - """ - Returns an AsymmetricSignatureContext used for signing data. - """ - - @abc.abstractmethod - def decrypt(self, ciphertext, padding): - """ - Decrypts the provided ciphertext. - """ - - @abc.abstractproperty - def key_size(self): - """ - The bit length of the public modulus. - """ - - @abc.abstractmethod - def public_key(self): - """ - The RSAPublicKey associated with this private key. - """ - - @abc.abstractmethod - def sign(self, data, padding, algorithm): - """ - Signs the data. - """ - - -@six.add_metaclass(abc.ABCMeta) -class RSAPrivateKeyWithSerialization(RSAPrivateKey): - @abc.abstractmethod - def private_numbers(self): - """ - Returns an RSAPrivateNumbers. - """ - - @abc.abstractmethod - def private_bytes(self, encoding, format, encryption_algorithm): - """ - Returns the key serialized as bytes. - """ - - -@six.add_metaclass(abc.ABCMeta) -class RSAPublicKey(object): - @abc.abstractmethod - def verifier(self, signature, padding, algorithm): - """ - Returns an AsymmetricVerificationContext used for verifying signatures. - """ - - @abc.abstractmethod - def encrypt(self, plaintext, padding): - """ - Encrypts the given plaintext. - """ - - @abc.abstractproperty - def key_size(self): - """ - The bit length of the public modulus. - """ - - @abc.abstractmethod - def public_numbers(self): - """ - Returns an RSAPublicNumbers - """ - - @abc.abstractmethod - def public_bytes(self, encoding, format): - """ - Returns the key serialized as bytes. - """ - - @abc.abstractmethod - def verify(self, signature, data, padding, algorithm): - """ - Verifies the signature of the data. - """ - - -RSAPublicKeyWithSerialization = RSAPublicKey - - -def generate_private_key(public_exponent, key_size, backend): - if not isinstance(backend, RSABackend): - raise UnsupportedAlgorithm( - "Backend object does not implement RSABackend.", - _Reasons.BACKEND_MISSING_INTERFACE - ) - - _verify_rsa_parameters(public_exponent, key_size) - return backend.generate_rsa_private_key(public_exponent, key_size) - - -def _verify_rsa_parameters(public_exponent, key_size): - if public_exponent < 3: - raise ValueError("public_exponent must be >= 3.") - - if public_exponent & 1 == 0: - raise ValueError("public_exponent must be odd.") - - if key_size < 512: - raise ValueError("key_size must be at least 512-bits.") - - -def _check_private_key_components(p, q, private_exponent, dmp1, dmq1, iqmp, - public_exponent, modulus): - if modulus < 3: - raise ValueError("modulus must be >= 3.") - - if p >= modulus: - raise ValueError("p must be < modulus.") - - if q >= modulus: - raise ValueError("q must be < modulus.") - - if dmp1 >= modulus: - raise ValueError("dmp1 must be < modulus.") - - if dmq1 >= modulus: - raise ValueError("dmq1 must be < modulus.") - - if iqmp >= modulus: - raise ValueError("iqmp must be < modulus.") - - if private_exponent >= modulus: - raise ValueError("private_exponent must be < modulus.") - - if public_exponent < 3 or public_exponent >= modulus: - raise ValueError("public_exponent must be >= 3 and < modulus.") - - if public_exponent & 1 == 0: - raise ValueError("public_exponent must be odd.") - - if dmp1 & 1 == 0: - raise ValueError("dmp1 must be odd.") - - if dmq1 & 1 == 0: - raise ValueError("dmq1 must be odd.") - - if p * q != modulus: - raise ValueError("p*q must equal modulus.") - - -def _check_public_key_components(e, n): - if n < 3: - raise ValueError("n must be >= 3.") - - if e < 3 or e >= n: - raise ValueError("e must be >= 3 and < n.") - - if e & 1 == 0: - raise ValueError("e must be odd.") - - -def _modinv(e, m): - """ - Modular Multiplicative Inverse. Returns x such that: (x*e) mod m == 1 - """ - x1, y1, x2, y2 = 1, 0, 0, 1 - a, b = e, m - while b > 0: - q, r = divmod(a, b) - xn, yn = x1 - q * x2, y1 - q * y2 - a, b, x1, y1, x2, y2 = b, r, x2, y2, xn, yn - return x1 % m - - -def rsa_crt_iqmp(p, q): - """ - Compute the CRT (q ** -1) % p value from RSA primes p and q. - """ - return _modinv(q, p) - - -def rsa_crt_dmp1(private_exponent, p): - """ - Compute the CRT private_exponent % (p - 1) value from the RSA - private_exponent (d) and p. - """ - return private_exponent % (p - 1) - - -def rsa_crt_dmq1(private_exponent, q): - """ - Compute the CRT private_exponent % (q - 1) value from the RSA - private_exponent (d) and q. - """ - return private_exponent % (q - 1) - - -# Controls the number of iterations rsa_recover_prime_factors will perform -# to obtain the prime factors. Each iteration increments by 2 so the actual -# maximum attempts is half this number. -_MAX_RECOVERY_ATTEMPTS = 1000 - - -def rsa_recover_prime_factors(n, e, d): - """ - Compute factors p and q from the private exponent d. We assume that n has - no more than two factors. This function is adapted from code in PyCrypto. - """ - # See 8.2.2(i) in Handbook of Applied Cryptography. - ktot = d * e - 1 - # The quantity d*e-1 is a multiple of phi(n), even, - # and can be represented as t*2^s. - t = ktot - while t % 2 == 0: - t = t // 2 - # Cycle through all multiplicative inverses in Zn. - # The algorithm is non-deterministic, but there is a 50% chance - # any candidate a leads to successful factoring. - # See "Digitalized Signatures and Public Key Functions as Intractable - # as Factorization", M. Rabin, 1979 - spotted = False - a = 2 - while not spotted and a < _MAX_RECOVERY_ATTEMPTS: - k = t - # Cycle through all values a^{t*2^i}=a^k - while k < ktot: - cand = pow(a, k, n) - # Check if a^k is a non-trivial root of unity (mod n) - if cand != 1 and cand != (n - 1) and pow(cand, 2, n) == 1: - # We have found a number such that (cand-1)(cand+1)=0 (mod n). - # Either of the terms divides n. - p = gcd(cand + 1, n) - spotted = True - break - k *= 2 - # This value was not any good... let's try another! - a += 2 - if not spotted: - raise ValueError("Unable to compute factors p and q from exponent d.") - # Found ! - q, r = divmod(n, p) - assert r == 0 - p, q = sorted((p, q), reverse=True) - return (p, q) - - -class RSAPrivateNumbers(object): - def __init__(self, p, q, d, dmp1, dmq1, iqmp, - public_numbers): - if ( - not isinstance(p, six.integer_types) or - not isinstance(q, six.integer_types) or - not isinstance(d, six.integer_types) or - not isinstance(dmp1, six.integer_types) or - not isinstance(dmq1, six.integer_types) or - not isinstance(iqmp, six.integer_types) - ): - raise TypeError( - "RSAPrivateNumbers p, q, d, dmp1, dmq1, iqmp arguments must" - " all be an integers." - ) - - if not isinstance(public_numbers, RSAPublicNumbers): - raise TypeError( - "RSAPrivateNumbers public_numbers must be an RSAPublicNumbers" - " instance." - ) - - self._p = p - self._q = q - self._d = d - self._dmp1 = dmp1 - self._dmq1 = dmq1 - self._iqmp = iqmp - self._public_numbers = public_numbers - - p = utils.read_only_property("_p") - q = utils.read_only_property("_q") - d = utils.read_only_property("_d") - dmp1 = utils.read_only_property("_dmp1") - dmq1 = utils.read_only_property("_dmq1") - iqmp = utils.read_only_property("_iqmp") - public_numbers = utils.read_only_property("_public_numbers") - - def private_key(self, backend): - return backend.load_rsa_private_numbers(self) - - def __eq__(self, other): - if not isinstance(other, RSAPrivateNumbers): - return NotImplemented - - return ( - self.p == other.p and - self.q == other.q and - self.d == other.d and - self.dmp1 == other.dmp1 and - self.dmq1 == other.dmq1 and - self.iqmp == other.iqmp and - self.public_numbers == other.public_numbers - ) - - def __ne__(self, other): - return not self == other - - def __hash__(self): - return hash(( - self.p, - self.q, - self.d, - self.dmp1, - self.dmq1, - self.iqmp, - self.public_numbers, - )) - - -class RSAPublicNumbers(object): - def __init__(self, e, n): - if ( - not isinstance(e, six.integer_types) or - not isinstance(n, six.integer_types) - ): - raise TypeError("RSAPublicNumbers arguments must be integers.") - - self._e = e - self._n = n - - e = utils.read_only_property("_e") - n = utils.read_only_property("_n") - - def public_key(self, backend): - return backend.load_rsa_public_numbers(self) - - def __repr__(self): - return "<RSAPublicNumbers(e={0.e}, n={0.n})>".format(self) - - def __eq__(self, other): - if not isinstance(other, RSAPublicNumbers): - return NotImplemented - - return self.e == other.e and self.n == other.n - - def __ne__(self, other): - return not self == other - - def __hash__(self): - return hash((self.e, self.n)) diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/utils.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/utils.py @@ -1,38 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -from asn1crypto.algos import DSASignature - -import six - -from cryptography import utils -from cryptography.hazmat.primitives import hashes - - -def decode_dss_signature(signature): - data = DSASignature.load(signature, strict=True).native - return data['r'], data['s'] - - -def encode_dss_signature(r, s): - if ( - not isinstance(r, six.integer_types) or - not isinstance(s, six.integer_types) - ): - raise ValueError("Both r and s must be integers") - - return DSASignature({'r': r, 's': s}).dump() - - -class Prehashed(object): - def __init__(self, algorithm): - if not isinstance(algorithm, hashes.HashAlgorithm): - raise TypeError("Expected instance of HashAlgorithm.") - - self._algorithm = algorithm - self._digest_size = algorithm.digest_size - - digest_size = utils.read_only_property("_digest_size") diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/x25519.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/x25519.py @@ -1,73 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import abc - -import six - -from cryptography.exceptions import UnsupportedAlgorithm, _Reasons - - -@six.add_metaclass(abc.ABCMeta) -class X25519PublicKey(object): - @classmethod - def from_public_bytes(cls, data): - from cryptography.hazmat.backends.openssl.backend import backend - if not backend.x25519_supported(): - raise UnsupportedAlgorithm( - "X25519 is not supported by this version of OpenSSL.", - _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM - ) - - return backend.x25519_load_public_bytes(data) - - @abc.abstractmethod - def public_bytes(self, encoding=None, format=None): - """ - The serialized bytes of the public key. - """ - - -@six.add_metaclass(abc.ABCMeta) -class X25519PrivateKey(object): - @classmethod - def generate(cls): - from cryptography.hazmat.backends.openssl.backend import backend - if not backend.x25519_supported(): - raise UnsupportedAlgorithm( - "X25519 is not supported by this version of OpenSSL.", - _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM - ) - return backend.x25519_generate_key() - - @classmethod - def from_private_bytes(cls, data): - from cryptography.hazmat.backends.openssl.backend import backend - if not backend.x25519_supported(): - raise UnsupportedAlgorithm( - "X25519 is not supported by this version of OpenSSL.", - _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM - ) - - return backend.x25519_load_private_bytes(data) - - @abc.abstractmethod - def public_key(self): - """ - The serialized bytes of the public key. - """ - - @abc.abstractmethod - def private_bytes(self, encoding, format, encryption_algorithm): - """ - The serialized bytes of the private key. - """ - - @abc.abstractmethod - def exchange(self, peer_public_key): - """ - Performs a key exchange operation using the provided peer's public key. - """ diff --git a/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/x448.py b/MacOS/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/x448.py @@ -1,73 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import abc - -import six - -from cryptography.exceptions import UnsupportedAlgorithm, _Reasons - - -@six.add_metaclass(abc.ABCMeta) -class X448PublicKey(object): - @classmethod <