figenc

[RADIOACTIVE] rsa and symmetric key encryption scripts and executables
git clone git://git.figbert.com/figenc.git
Log | Files | Refs | README
commit 798e6697a8f9dbad99fff393c83792d70df95e7b
parent a2ee25e549f38ef8cbb6c5a3a8706f5401e025bc
Author: therealFIGBERT <naomi@Naomis-MacBook-Air.local>
Date:   Sat, 29 Jun 2019 22:40:33 -0700

Adding compiled MacOS app (compiled with Platypus)

Diffstat:

AFigENC_MacOS.app/Contents/Info.plist | 0


AFigENC_MacOS.app/Contents/MacOS/FigENC MacOS | 0


AFigENC_MacOS.app/Contents/Resources/AppIcon.icns | 0


AFigENC_MacOS.app/Contents/Resources/AppSettings.plist | 0


AFigENC_MacOS.app/Contents/Resources/MainMenu.nib | 0


AFigENC_MacOS.app/Contents/Resources/__pycache__/decrypt.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/__pycache__/encrypt.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/__pycache__/enum.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/__pycache__/initiate_key.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/__about__.py | 23+++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/__init__.py | 16++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/__about__.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/__init__.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/exceptions.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/fernet.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/utils.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/exceptions.py | 58++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/fernet.py | 171+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/__init__.py | 11+++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/__pycache__/__init__.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/__pycache__/_oid.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/_oid.py | 67+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/__init__.py | 18++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/__pycache__/__init__.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/__pycache__/interfaces.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/interfaces.py | 395+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__init__.py | 10++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/__init__.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/aead.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/backend.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ciphers.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/cmac.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/decode_asn1.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/dh.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/dsa.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ec.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ed25519.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ed448.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/encode_asn1.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/hashes.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/hmac.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ocsp.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/poly1305.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/rsa.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/utils.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/x25519.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/x448.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/x509.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/aead.py | 161+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/backend.py | 2445+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ciphers.py | 229+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/cmac.py | 81+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/decode_asn1.py | 899+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/dh.py | 280+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/dsa.py | 268+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ec.py | 340+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ed25519.py | 151++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ed448.py | 154+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/encode_asn1.py | 657+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/hashes.py | 78++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/hmac.py | 74++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ocsp.py | 381+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/poly1305.py | 60++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/rsa.py | 478+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/utils.py | 69+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/x25519.py | 149+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/x448.py | 123+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/x509.py | 546+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/__init__.py | 5+++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/__pycache__/__init__.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/_constant_time.abi3.so | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/_openssl.abi3.so | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/_padding.abi3.so | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/__init__.py | 5+++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/__pycache__/__init__.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/__pycache__/_conditional.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/__pycache__/binding.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/_conditional.py | 434+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/binding.py | 197+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__init__.py | 5+++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/__init__.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/cmac.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/constant_time.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/hashes.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/hmac.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/keywrap.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/padding.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/poly1305.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__init__.py | 40++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/__init__.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/dh.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/dsa.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/ec.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/ed25519.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/ed448.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/padding.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/rsa.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/utils.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/x25519.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/x448.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/dh.py | 212+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/dsa.py | 254+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/ec.py | 500+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/ed25519.py | 84+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/ed448.py | 79+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/padding.py | 79+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/rsa.py | 368+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/utils.py | 38++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/x25519.py | 73+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/x448.py | 73+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/ciphers/__init__.py | 21+++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/ciphers/__pycache__/__init__.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/ciphers/__pycache__/aead.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/ciphers/__pycache__/algorithms.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/ciphers/__pycache__/base.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/ciphers/__pycache__/modes.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/ciphers/aead.py | 188+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/ciphers/algorithms.py | 167+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/ciphers/base.py | 235+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/ciphers/modes.py | 218+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/cmac.py | 64++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/constant_time.py | 35+++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/hashes.py | 255+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/hmac.py | 66++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/kdf/__init__.py | 26++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/kdf/__pycache__/__init__.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/kdf/__pycache__/concatkdf.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/kdf/__pycache__/hkdf.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/kdf/__pycache__/kbkdf.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/kdf/__pycache__/pbkdf2.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/kdf/__pycache__/scrypt.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/kdf/__pycache__/x963kdf.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/kdf/concatkdf.py | 124+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/kdf/hkdf.py | 110+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/kdf/kbkdf.py | 145+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/kdf/pbkdf2.py | 56++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/kdf/scrypt.py | 63+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/kdf/x963kdf.py | 68++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/keywrap.py | 154+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/padding.py | 200+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/poly1305.py | 43+++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/serialization/__init__.py | 26++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/serialization/__pycache__/__init__.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/serialization/__pycache__/base.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/serialization/__pycache__/pkcs12.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/serialization/__pycache__/ssh.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/serialization/base.py | 82+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/serialization/pkcs12.py | 9+++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/serialization/ssh.py | 153+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/twofactor/__init__.py | 9+++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/twofactor/__pycache__/__init__.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/twofactor/__pycache__/hotp.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/twofactor/__pycache__/totp.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/twofactor/__pycache__/utils.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/twofactor/hotp.py | 68++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/twofactor/totp.py | 40++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/twofactor/utils.py | 30++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/utils.py | 173+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/x509/__init__.py | 189+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/x509/__pycache__/__init__.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/x509/__pycache__/base.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/x509/__pycache__/certificate_transparency.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/x509/__pycache__/extensions.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/x509/__pycache__/general_name.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/x509/__pycache__/name.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/x509/__pycache__/ocsp.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/x509/__pycache__/oid.cpython-37.pyc | 0


AFigENC_MacOS.app/Contents/Resources/cryptography/x509/base.py | 753+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/x509/certificate_transparency.py | 46++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/x509/extensions.py | 1654+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/x509/general_name.py | 360+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/x509/name.py | 259+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/x509/ocsp.py | 422+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/cryptography/x509/oid.py | 226+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/decrypt.py | 41+++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/encrypt.py | 39+++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/enum.py | 910+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/initiate_key.py | 46++++++++++++++++++++++++++++++++++++++++++++++


AFigENC_MacOS.app/Contents/Resources/script | 139+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


179 files changed, 18750 insertions(+), 0 deletions(-)

diff --git a/FigENC_MacOS.app/Contents/Info.plist b/FigENC_MacOS.app/Contents/Info.plist
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/MacOS/FigENC MacOS b/FigENC_MacOS.app/Contents/MacOS/FigENC MacOS
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/AppIcon.icns b/FigENC_MacOS.app/Contents/Resources/AppIcon.icns
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/AppSettings.plist b/FigENC_MacOS.app/Contents/Resources/AppSettings.plist
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/MainMenu.nib b/FigENC_MacOS.app/Contents/Resources/MainMenu.nib
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/__pycache__/decrypt.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/__pycache__/decrypt.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/__pycache__/encrypt.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/__pycache__/encrypt.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/__pycache__/enum.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/__pycache__/enum.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/__pycache__/initiate_key.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/__pycache__/initiate_key.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/__about__.py b/FigENC_MacOS.app/Contents/Resources/cryptography/__about__.py
@@ -0,0 +1,23 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+__all__ = [
+    "__title__", "__summary__", "__uri__", "__version__", "__author__",
+    "__email__", "__license__", "__copyright__",
+]
+
+__title__ = "cryptography"
+__summary__ = ("cryptography is a package which provides cryptographic recipes"
+               " and primitives to Python developers.")
+__uri__ = "https://github.com/pyca/cryptography"
+
+__version__ = "2.7"
+
+__author__ = "The cryptography developers"
+__email__ = "cryptography-dev@python.org"
+
+__license__ = "BSD or Apache License, Version 2.0"
+__copyright__ = "Copyright 2013-2017 {}".format(__author__)
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/__init__.py b/FigENC_MacOS.app/Contents/Resources/cryptography/__init__.py
@@ -0,0 +1,16 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+from cryptography.__about__ import (
+    __author__, __copyright__, __email__, __license__, __summary__, __title__,
+    __uri__, __version__
+)
+
+
+__all__ = [
+    "__title__", "__summary__", "__uri__", "__version__", "__author__",
+    "__email__", "__license__", "__copyright__",
+]
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/__about__.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/__about__.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/__init__.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/__init__.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/exceptions.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/exceptions.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/fernet.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/fernet.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/utils.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/__pycache__/utils.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/exceptions.py b/FigENC_MacOS.app/Contents/Resources/cryptography/exceptions.py
@@ -0,0 +1,58 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+from enum import Enum
+
+
+class _Reasons(Enum):
+    BACKEND_MISSING_INTERFACE = 0
+    UNSUPPORTED_HASH = 1
+    UNSUPPORTED_CIPHER = 2
+    UNSUPPORTED_PADDING = 3
+    UNSUPPORTED_MGF = 4
+    UNSUPPORTED_PUBLIC_KEY_ALGORITHM = 5
+    UNSUPPORTED_ELLIPTIC_CURVE = 6
+    UNSUPPORTED_SERIALIZATION = 7
+    UNSUPPORTED_X509 = 8
+    UNSUPPORTED_EXCHANGE_ALGORITHM = 9
+    UNSUPPORTED_DIFFIE_HELLMAN = 10
+    UNSUPPORTED_MAC = 11
+
+
+class UnsupportedAlgorithm(Exception):
+    def __init__(self, message, reason=None):
+        super(UnsupportedAlgorithm, self).__init__(message)
+        self._reason = reason
+
+
+class AlreadyFinalized(Exception):
+    pass
+
+
+class AlreadyUpdated(Exception):
+    pass
+
+
+class NotYetFinalized(Exception):
+    pass
+
+
+class InvalidTag(Exception):
+    pass
+
+
+class InvalidSignature(Exception):
+    pass
+
+
+class InternalError(Exception):
+    def __init__(self, msg, err_code):
+        super(InternalError, self).__init__(msg)
+        self.err_code = err_code
+
+
+class InvalidKey(Exception):
+    pass
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/fernet.py b/FigENC_MacOS.app/Contents/Resources/cryptography/fernet.py
@@ -0,0 +1,171 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import base64
+import binascii
+import os
+import struct
+import time
+
+import six
+
+from cryptography import utils
+from cryptography.exceptions import InvalidSignature
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes, padding
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+from cryptography.hazmat.primitives.hmac import HMAC
+
+
+class InvalidToken(Exception):
+    pass
+
+
+_MAX_CLOCK_SKEW = 60
+
+
+class Fernet(object):
+    def __init__(self, key, backend=None):
+        if backend is None:
+            backend = default_backend()
+
+        key = base64.urlsafe_b64decode(key)
+        if len(key) != 32:
+            raise ValueError(
+                "Fernet key must be 32 url-safe base64-encoded bytes."
+            )
+
+        self._signing_key = key[:16]
+        self._encryption_key = key[16:]
+        self._backend = backend
+
+    @classmethod
+    def generate_key(cls):
+        return base64.urlsafe_b64encode(os.urandom(32))
+
+    def encrypt(self, data):
+        current_time = int(time.time())
+        iv = os.urandom(16)
+        return self._encrypt_from_parts(data, current_time, iv)
+
+    def _encrypt_from_parts(self, data, current_time, iv):
+        utils._check_bytes("data", data)
+
+        padder = padding.PKCS7(algorithms.AES.block_size).padder()
+        padded_data = padder.update(data) + padder.finalize()
+        encryptor = Cipher(
+            algorithms.AES(self._encryption_key), modes.CBC(iv), self._backend
+        ).encryptor()
+        ciphertext = encryptor.update(padded_data) + encryptor.finalize()
+
+        basic_parts = (
+            b"\x80" + struct.pack(">Q", current_time) + iv + ciphertext
+        )
+
+        h = HMAC(self._signing_key, hashes.SHA256(), backend=self._backend)
+        h.update(basic_parts)
+        hmac = h.finalize()
+        return base64.urlsafe_b64encode(basic_parts + hmac)
+
+    def decrypt(self, token, ttl=None):
+        timestamp, data = Fernet._get_unverified_token_data(token)
+        return self._decrypt_data(data, timestamp, ttl)
+
+    def extract_timestamp(self, token):
+        timestamp, data = Fernet._get_unverified_token_data(token)
+        # Verify the token was not tampered with.
+        self._verify_signature(data)
+        return timestamp
+
+    @staticmethod
+    def _get_unverified_token_data(token):
+        utils._check_bytes("token", token)
+        try:
+            data = base64.urlsafe_b64decode(token)
+        except (TypeError, binascii.Error):
+            raise InvalidToken
+
+        if not data or six.indexbytes(data, 0) != 0x80:
+            raise InvalidToken
+
+        try:
+            timestamp, = struct.unpack(">Q", data[1:9])
+        except struct.error:
+            raise InvalidToken
+        return timestamp, data
+
+    def _verify_signature(self, data):
+        h = HMAC(self._signing_key, hashes.SHA256(), backend=self._backend)
+        h.update(data[:-32])
+        try:
+            h.verify(data[-32:])
+        except InvalidSignature:
+            raise InvalidToken
+
+    def _decrypt_data(self, data, timestamp, ttl):
+        current_time = int(time.time())
+        if ttl is not None:
+            if timestamp + ttl < current_time:
+                raise InvalidToken
+
+            if current_time + _MAX_CLOCK_SKEW < timestamp:
+                raise InvalidToken
+
+        self._verify_signature(data)
+
+        iv = data[9:25]
+        ciphertext = data[25:-32]
+        decryptor = Cipher(
+            algorithms.AES(self._encryption_key), modes.CBC(iv), self._backend
+        ).decryptor()
+        plaintext_padded = decryptor.update(ciphertext)
+        try:
+            plaintext_padded += decryptor.finalize()
+        except ValueError:
+            raise InvalidToken
+        unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()
+
+        unpadded = unpadder.update(plaintext_padded)
+        try:
+            unpadded += unpadder.finalize()
+        except ValueError:
+            raise InvalidToken
+        return unpadded
+
+
+class MultiFernet(object):
+    def __init__(self, fernets):
+        fernets = list(fernets)
+        if not fernets:
+            raise ValueError(
+                "MultiFernet requires at least one Fernet instance"
+            )
+        self._fernets = fernets
+
+    def encrypt(self, msg):
+        return self._fernets[0].encrypt(msg)
+
+    def rotate(self, msg):
+        timestamp, data = Fernet._get_unverified_token_data(msg)
+        for f in self._fernets:
+            try:
+                p = f._decrypt_data(data, timestamp, None)
+                break
+            except InvalidToken:
+                pass
+        else:
+            raise InvalidToken
+
+        iv = os.urandom(16)
+        return self._fernets[0]._encrypt_from_parts(p, timestamp, iv)
+
+    def decrypt(self, msg, ttl=None):
+        for f in self._fernets:
+            try:
+                return f.decrypt(msg, ttl)
+            except InvalidToken:
+                pass
+        raise InvalidToken
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/__init__.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/__init__.py
@@ -0,0 +1,11 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+"""
+Hazardous Materials
+
+This is a "Hazardous Materials" module. You should ONLY use it if you're
+100% absolutely sure that you know what you're doing because this module
+is full of land mines, dragons, and dinosaurs with laser guns.
+"""
+from __future__ import absolute_import, division, print_function
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/__pycache__/__init__.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/__pycache__/__init__.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/__pycache__/_oid.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/__pycache__/_oid.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/_oid.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/_oid.py
@@ -0,0 +1,67 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+from cryptography import utils
+
+
+class ObjectIdentifier(object):
+    def __init__(self, dotted_string):
+        self._dotted_string = dotted_string
+
+        nodes = self._dotted_string.split(".")
+        intnodes = []
+
+        # There must be at least 2 nodes, the first node must be 0..2, and
+        # if less than 2, the second node cannot have a value outside the
+        # range 0..39.  All nodes must be integers.
+        for node in nodes:
+            try:
+                intnodes.append(int(node, 0))
+            except ValueError:
+                raise ValueError(
+                    "Malformed OID: %s (non-integer nodes)" % (
+                        self._dotted_string))
+
+        if len(nodes) < 2:
+            raise ValueError(
+                "Malformed OID: %s (insufficient number of nodes)" % (
+                    self._dotted_string))
+
+        if intnodes[0] > 2:
+            raise ValueError(
+                "Malformed OID: %s (first node outside valid range)" % (
+                    self._dotted_string))
+
+        if intnodes[0] < 2 and intnodes[1] >= 40:
+            raise ValueError(
+                "Malformed OID: %s (second node outside valid range)" % (
+                    self._dotted_string))
+
+    def __eq__(self, other):
+        if not isinstance(other, ObjectIdentifier):
+            return NotImplemented
+
+        return self.dotted_string == other.dotted_string
+
+    def __ne__(self, other):
+        return not self == other
+
+    def __repr__(self):
+        return "<ObjectIdentifier(oid={}, name={})>".format(
+            self.dotted_string,
+            self._name
+        )
+
+    def __hash__(self):
+        return hash(self.dotted_string)
+
+    @property
+    def _name(self):
+        # Lazy import to avoid an import cycle
+        from cryptography.x509.oid import _OID_NAMES
+        return _OID_NAMES.get(self, "Unknown OID")
+
+    dotted_string = utils.read_only_property("_dotted_string")
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/__init__.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/__init__.py
@@ -0,0 +1,18 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+
+_default_backend = None
+
+
+def default_backend():
+    global _default_backend
+
+    if _default_backend is None:
+        from cryptography.hazmat.backends.openssl.backend import backend
+        _default_backend = backend
+
+    return _default_backend
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/__pycache__/__init__.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/__pycache__/__init__.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/__pycache__/interfaces.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/__pycache__/interfaces.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/interfaces.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/interfaces.py
@@ -0,0 +1,395 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import abc
+
+import six
+
+
+@six.add_metaclass(abc.ABCMeta)
+class CipherBackend(object):
+    @abc.abstractmethod
+    def cipher_supported(self, cipher, mode):
+        """
+        Return True if the given cipher and mode are supported.
+        """
+
+    @abc.abstractmethod
+    def create_symmetric_encryption_ctx(self, cipher, mode):
+        """
+        Get a CipherContext that can be used for encryption.
+        """
+
+    @abc.abstractmethod
+    def create_symmetric_decryption_ctx(self, cipher, mode):
+        """
+        Get a CipherContext that can be used for decryption.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class HashBackend(object):
+    @abc.abstractmethod
+    def hash_supported(self, algorithm):
+        """
+        Return True if the hash algorithm is supported by this backend.
+        """
+
+    @abc.abstractmethod
+    def create_hash_ctx(self, algorithm):
+        """
+        Create a HashContext for calculating a message digest.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class HMACBackend(object):
+    @abc.abstractmethod
+    def hmac_supported(self, algorithm):
+        """
+        Return True if the hash algorithm is supported for HMAC by this
+        backend.
+        """
+
+    @abc.abstractmethod
+    def create_hmac_ctx(self, key, algorithm):
+        """
+        Create a context for calculating a message authentication code.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class CMACBackend(object):
+    @abc.abstractmethod
+    def cmac_algorithm_supported(self, algorithm):
+        """
+        Returns True if the block cipher is supported for CMAC by this backend
+        """
+
+    @abc.abstractmethod
+    def create_cmac_ctx(self, algorithm):
+        """
+        Create a context for calculating a message authentication code.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class PBKDF2HMACBackend(object):
+    @abc.abstractmethod
+    def pbkdf2_hmac_supported(self, algorithm):
+        """
+        Return True if the hash algorithm is supported for PBKDF2 by this
+        backend.
+        """
+
+    @abc.abstractmethod
+    def derive_pbkdf2_hmac(self, algorithm, length, salt, iterations,
+                           key_material):
+        """
+        Return length bytes derived from provided PBKDF2 parameters.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class RSABackend(object):
+    @abc.abstractmethod
+    def generate_rsa_private_key(self, public_exponent, key_size):
+        """
+        Generate an RSAPrivateKey instance with public_exponent and a modulus
+        of key_size bits.
+        """
+
+    @abc.abstractmethod
+    def rsa_padding_supported(self, padding):
+        """
+        Returns True if the backend supports the given padding options.
+        """
+
+    @abc.abstractmethod
+    def generate_rsa_parameters_supported(self, public_exponent, key_size):
+        """
+        Returns True if the backend supports the given parameters for key
+        generation.
+        """
+
+    @abc.abstractmethod
+    def load_rsa_private_numbers(self, numbers):
+        """
+        Returns an RSAPrivateKey provider.
+        """
+
+    @abc.abstractmethod
+    def load_rsa_public_numbers(self, numbers):
+        """
+        Returns an RSAPublicKey provider.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class DSABackend(object):
+    @abc.abstractmethod
+    def generate_dsa_parameters(self, key_size):
+        """
+        Generate a DSAParameters instance with a modulus of key_size bits.
+        """
+
+    @abc.abstractmethod
+    def generate_dsa_private_key(self, parameters):
+        """
+        Generate a DSAPrivateKey instance with parameters as a DSAParameters
+        object.
+        """
+
+    @abc.abstractmethod
+    def generate_dsa_private_key_and_parameters(self, key_size):
+        """
+        Generate a DSAPrivateKey instance using key size only.
+        """
+
+    @abc.abstractmethod
+    def dsa_hash_supported(self, algorithm):
+        """
+        Return True if the hash algorithm is supported by the backend for DSA.
+        """
+
+    @abc.abstractmethod
+    def dsa_parameters_supported(self, p, q, g):
+        """
+        Return True if the parameters are supported by the backend for DSA.
+        """
+
+    @abc.abstractmethod
+    def load_dsa_private_numbers(self, numbers):
+        """
+        Returns a DSAPrivateKey provider.
+        """
+
+    @abc.abstractmethod
+    def load_dsa_public_numbers(self, numbers):
+        """
+        Returns a DSAPublicKey provider.
+        """
+
+    @abc.abstractmethod
+    def load_dsa_parameter_numbers(self, numbers):
+        """
+        Returns a DSAParameters provider.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class EllipticCurveBackend(object):
+    @abc.abstractmethod
+    def elliptic_curve_signature_algorithm_supported(
+        self, signature_algorithm, curve
+    ):
+        """
+        Returns True if the backend supports the named elliptic curve with the
+        specified signature algorithm.
+        """
+
+    @abc.abstractmethod
+    def elliptic_curve_supported(self, curve):
+        """
+        Returns True if the backend supports the named elliptic curve.
+        """
+
+    @abc.abstractmethod
+    def generate_elliptic_curve_private_key(self, curve):
+        """
+        Return an object conforming to the EllipticCurvePrivateKey interface.
+        """
+
+    @abc.abstractmethod
+    def load_elliptic_curve_public_numbers(self, numbers):
+        """
+        Return an EllipticCurvePublicKey provider using the given numbers.
+        """
+
+    @abc.abstractmethod
+    def load_elliptic_curve_private_numbers(self, numbers):
+        """
+        Return an EllipticCurvePrivateKey provider using the given numbers.
+        """
+
+    @abc.abstractmethod
+    def elliptic_curve_exchange_algorithm_supported(self, algorithm, curve):
+        """
+        Returns whether the exchange algorithm is supported by this backend.
+        """
+
+    @abc.abstractmethod
+    def derive_elliptic_curve_private_key(self, private_value, curve):
+        """
+        Compute the private key given the private value and curve.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class PEMSerializationBackend(object):
+    @abc.abstractmethod
+    def load_pem_private_key(self, data, password):
+        """
+        Loads a private key from PEM encoded data, using the provided password
+        if the data is encrypted.
+        """
+
+    @abc.abstractmethod
+    def load_pem_public_key(self, data):
+        """
+        Loads a public key from PEM encoded data.
+        """
+
+    @abc.abstractmethod
+    def load_pem_parameters(self, data):
+        """
+        Load encryption parameters from PEM encoded data.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class DERSerializationBackend(object):
+    @abc.abstractmethod
+    def load_der_private_key(self, data, password):
+        """
+        Loads a private key from DER encoded data. Uses the provided password
+        if the data is encrypted.
+        """
+
+    @abc.abstractmethod
+    def load_der_public_key(self, data):
+        """
+        Loads a public key from DER encoded data.
+        """
+
+    @abc.abstractmethod
+    def load_der_parameters(self, data):
+        """
+        Load encryption parameters from DER encoded data.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class X509Backend(object):
+    @abc.abstractmethod
+    def load_pem_x509_certificate(self, data):
+        """
+        Load an X.509 certificate from PEM encoded data.
+        """
+
+    @abc.abstractmethod
+    def load_der_x509_certificate(self, data):
+        """
+        Load an X.509 certificate from DER encoded data.
+        """
+
+    @abc.abstractmethod
+    def load_der_x509_csr(self, data):
+        """
+        Load an X.509 CSR from DER encoded data.
+        """
+
+    @abc.abstractmethod
+    def load_pem_x509_csr(self, data):
+        """
+        Load an X.509 CSR from PEM encoded data.
+        """
+
+    @abc.abstractmethod
+    def create_x509_csr(self, builder, private_key, algorithm):
+        """
+        Create and sign an X.509 CSR from a CSR builder object.
+        """
+
+    @abc.abstractmethod
+    def create_x509_certificate(self, builder, private_key, algorithm):
+        """
+        Create and sign an X.509 certificate from a CertificateBuilder object.
+        """
+
+    @abc.abstractmethod
+    def create_x509_crl(self, builder, private_key, algorithm):
+        """
+        Create and sign an X.509 CertificateRevocationList from a
+        CertificateRevocationListBuilder object.
+        """
+
+    @abc.abstractmethod
+    def create_x509_revoked_certificate(self, builder):
+        """
+        Create a RevokedCertificate object from a RevokedCertificateBuilder
+        object.
+        """
+
+    @abc.abstractmethod
+    def x509_name_bytes(self, name):
+        """
+        Compute the DER encoded bytes of an X509 Name object.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class DHBackend(object):
+    @abc.abstractmethod
+    def generate_dh_parameters(self, generator, key_size):
+        """
+        Generate a DHParameters instance with a modulus of key_size bits.
+        Using the given generator. Often 2 or 5.
+        """
+
+    @abc.abstractmethod
+    def generate_dh_private_key(self, parameters):
+        """
+        Generate a DHPrivateKey instance with parameters as a DHParameters
+        object.
+        """
+
+    @abc.abstractmethod
+    def generate_dh_private_key_and_parameters(self, generator, key_size):
+        """
+        Generate a DHPrivateKey instance using key size only.
+        Using the given generator. Often 2 or 5.
+        """
+
+    @abc.abstractmethod
+    def load_dh_private_numbers(self, numbers):
+        """
+        Load a DHPrivateKey from DHPrivateNumbers
+        """
+
+    @abc.abstractmethod
+    def load_dh_public_numbers(self, numbers):
+        """
+        Load a DHPublicKey from DHPublicNumbers.
+        """
+
+    @abc.abstractmethod
+    def load_dh_parameter_numbers(self, numbers):
+        """
+        Load DHParameters from DHParameterNumbers.
+        """
+
+    @abc.abstractmethod
+    def dh_parameters_supported(self, p, g, q=None):
+        """
+        Returns whether the backend supports DH with these parameter values.
+        """
+
+    @abc.abstractmethod
+    def dh_x942_serialization_supported(self):
+        """
+        Returns True if the backend supports the serialization of DH objects
+        with subgroup order (q).
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class ScryptBackend(object):
+    @abc.abstractmethod
+    def derive_scrypt(self, key_material, salt, length, n, r, p):
+        """
+        Return bytes derived from provided Scrypt parameters.
+        """
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__init__.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__init__.py
@@ -0,0 +1,10 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+from cryptography.hazmat.backends.openssl.backend import backend
+
+
+__all__ = ["backend"]
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/__init__.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/__init__.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/aead.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/aead.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/backend.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/backend.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ciphers.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ciphers.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/cmac.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/cmac.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/decode_asn1.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/decode_asn1.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/dh.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/dh.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/dsa.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/dsa.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ec.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ec.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ed25519.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ed25519.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ed448.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ed448.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/encode_asn1.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/encode_asn1.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/hashes.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/hashes.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/hmac.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/hmac.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ocsp.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/ocsp.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/poly1305.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/poly1305.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/rsa.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/rsa.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/utils.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/utils.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/x25519.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/x25519.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/x448.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/x448.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/x509.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/__pycache__/x509.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/aead.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/aead.py
@@ -0,0 +1,161 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+from cryptography.exceptions import InvalidTag
+
+
+_ENCRYPT = 1
+_DECRYPT = 0
+
+
+def _aead_cipher_name(cipher):
+    from cryptography.hazmat.primitives.ciphers.aead import (
+        AESCCM, AESGCM, ChaCha20Poly1305
+    )
+    if isinstance(cipher, ChaCha20Poly1305):
+        return b"chacha20-poly1305"
+    elif isinstance(cipher, AESCCM):
+        return "aes-{}-ccm".format(len(cipher._key) * 8).encode("ascii")
+    else:
+        assert isinstance(cipher, AESGCM)
+        return "aes-{}-gcm".format(len(cipher._key) * 8).encode("ascii")
+
+
+def _aead_setup(backend, cipher_name, key, nonce, tag, tag_len, operation):
+    evp_cipher = backend._lib.EVP_get_cipherbyname(cipher_name)
+    backend.openssl_assert(evp_cipher != backend._ffi.NULL)
+    ctx = backend._lib.EVP_CIPHER_CTX_new()
+    ctx = backend._ffi.gc(ctx, backend._lib.EVP_CIPHER_CTX_free)
+    res = backend._lib.EVP_CipherInit_ex(
+        ctx, evp_cipher,
+        backend._ffi.NULL,
+        backend._ffi.NULL,
+        backend._ffi.NULL,
+        int(operation == _ENCRYPT)
+    )
+    backend.openssl_assert(res != 0)
+    res = backend._lib.EVP_CIPHER_CTX_set_key_length(ctx, len(key))
+    backend.openssl_assert(res != 0)
+    res = backend._lib.EVP_CIPHER_CTX_ctrl(
+        ctx, backend._lib.EVP_CTRL_AEAD_SET_IVLEN, len(nonce),
+        backend._ffi.NULL
+    )
+    backend.openssl_assert(res != 0)
+    if operation == _DECRYPT:
+        res = backend._lib.EVP_CIPHER_CTX_ctrl(
+            ctx, backend._lib.EVP_CTRL_AEAD_SET_TAG, len(tag), tag
+        )
+        backend.openssl_assert(res != 0)
+    else:
+        res = backend._lib.EVP_CIPHER_CTX_ctrl(
+            ctx, backend._lib.EVP_CTRL_AEAD_SET_TAG, tag_len, backend._ffi.NULL
+        )
+
+    nonce_ptr = backend._ffi.from_buffer(nonce)
+    key_ptr = backend._ffi.from_buffer(key)
+    res = backend._lib.EVP_CipherInit_ex(
+        ctx,
+        backend._ffi.NULL,
+        backend._ffi.NULL,
+        key_ptr,
+        nonce_ptr,
+        int(operation == _ENCRYPT)
+    )
+    backend.openssl_assert(res != 0)
+    return ctx
+
+
+def _set_length(backend, ctx, data_len):
+    intptr = backend._ffi.new("int *")
+    res = backend._lib.EVP_CipherUpdate(
+        ctx,
+        backend._ffi.NULL,
+        intptr,
+        backend._ffi.NULL,
+        data_len
+    )
+    backend.openssl_assert(res != 0)
+
+
+def _process_aad(backend, ctx, associated_data):
+    outlen = backend._ffi.new("int *")
+    res = backend._lib.EVP_CipherUpdate(
+        ctx, backend._ffi.NULL, outlen, associated_data, len(associated_data)
+    )
+    backend.openssl_assert(res != 0)
+
+
+def _process_data(backend, ctx, data):
+    outlen = backend._ffi.new("int *")
+    buf = backend._ffi.new("unsigned char[]", len(data))
+    res = backend._lib.EVP_CipherUpdate(ctx, buf, outlen, data, len(data))
+    backend.openssl_assert(res != 0)
+    return backend._ffi.buffer(buf, outlen[0])[:]
+
+
+def _encrypt(backend, cipher, nonce, data, associated_data, tag_length):
+    from cryptography.hazmat.primitives.ciphers.aead import AESCCM
+    cipher_name = _aead_cipher_name(cipher)
+    ctx = _aead_setup(
+        backend, cipher_name, cipher._key, nonce, None, tag_length, _ENCRYPT
+    )
+    # CCM requires us to pass the length of the data before processing anything
+    # However calling this with any other AEAD results in an error
+    if isinstance(cipher, AESCCM):
+        _set_length(backend, ctx, len(data))
+
+    _process_aad(backend, ctx, associated_data)
+    processed_data = _process_data(backend, ctx, data)
+    outlen = backend._ffi.new("int *")
+    res = backend._lib.EVP_CipherFinal_ex(ctx, backend._ffi.NULL, outlen)
+    backend.openssl_assert(res != 0)
+    backend.openssl_assert(outlen[0] == 0)
+    tag_buf = backend._ffi.new("unsigned char[]", tag_length)
+    res = backend._lib.EVP_CIPHER_CTX_ctrl(
+        ctx, backend._lib.EVP_CTRL_AEAD_GET_TAG, tag_length, tag_buf
+    )
+    backend.openssl_assert(res != 0)
+    tag = backend._ffi.buffer(tag_buf)[:]
+
+    return processed_data + tag
+
+
+def _decrypt(backend, cipher, nonce, data, associated_data, tag_length):
+    from cryptography.hazmat.primitives.ciphers.aead import AESCCM
+    if len(data) < tag_length:
+        raise InvalidTag
+    tag = data[-tag_length:]
+    data = data[:-tag_length]
+    cipher_name = _aead_cipher_name(cipher)
+    ctx = _aead_setup(
+        backend, cipher_name, cipher._key, nonce, tag, tag_length, _DECRYPT
+    )
+    # CCM requires us to pass the length of the data before processing anything
+    # However calling this with any other AEAD results in an error
+    if isinstance(cipher, AESCCM):
+        _set_length(backend, ctx, len(data))
+
+    _process_aad(backend, ctx, associated_data)
+    # CCM has a different error path if the tag doesn't match. Errors are
+    # raised in Update and Final is irrelevant.
+    if isinstance(cipher, AESCCM):
+        outlen = backend._ffi.new("int *")
+        buf = backend._ffi.new("unsigned char[]", len(data))
+        res = backend._lib.EVP_CipherUpdate(ctx, buf, outlen, data, len(data))
+        if res != 1:
+            backend._consume_errors()
+            raise InvalidTag
+
+        processed_data = backend._ffi.buffer(buf, outlen[0])[:]
+    else:
+        processed_data = _process_data(backend, ctx, data)
+        outlen = backend._ffi.new("int *")
+        res = backend._lib.EVP_CipherFinal_ex(ctx, backend._ffi.NULL, outlen)
+        if res == 0:
+            backend._consume_errors()
+            raise InvalidTag
+
+    return processed_data
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/backend.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/backend.py
@@ -0,0 +1,2445 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import base64
+import collections
+import contextlib
+import itertools
+from contextlib import contextmanager
+
+import asn1crypto.core
+
+import six
+from six.moves import range
+
+from cryptography import utils, x509
+from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
+from cryptography.hazmat.backends.interfaces import (
+    CMACBackend, CipherBackend, DERSerializationBackend, DHBackend, DSABackend,
+    EllipticCurveBackend, HMACBackend, HashBackend, PBKDF2HMACBackend,
+    PEMSerializationBackend, RSABackend, ScryptBackend, X509Backend
+)
+from cryptography.hazmat.backends.openssl import aead
+from cryptography.hazmat.backends.openssl.ciphers import _CipherContext
+from cryptography.hazmat.backends.openssl.cmac import _CMACContext
+from cryptography.hazmat.backends.openssl.decode_asn1 import (
+    _CRL_ENTRY_REASON_ENUM_TO_CODE, _Integers
+)
+from cryptography.hazmat.backends.openssl.dh import (
+    _DHParameters, _DHPrivateKey, _DHPublicKey, _dh_params_dup
+)
+from cryptography.hazmat.backends.openssl.dsa import (
+    _DSAParameters, _DSAPrivateKey, _DSAPublicKey
+)
+from cryptography.hazmat.backends.openssl.ec import (
+    _EllipticCurvePrivateKey, _EllipticCurvePublicKey
+)
+from cryptography.hazmat.backends.openssl.ed25519 import (
+    _Ed25519PrivateKey, _Ed25519PublicKey
+)
+from cryptography.hazmat.backends.openssl.ed448 import (
+    _ED448_KEY_SIZE, _Ed448PrivateKey, _Ed448PublicKey
+)
+from cryptography.hazmat.backends.openssl.encode_asn1 import (
+    _CRL_ENTRY_EXTENSION_ENCODE_HANDLERS,
+    _CRL_EXTENSION_ENCODE_HANDLERS, _EXTENSION_ENCODE_HANDLERS,
+    _OCSP_BASICRESP_EXTENSION_ENCODE_HANDLERS,
+    _OCSP_REQUEST_EXTENSION_ENCODE_HANDLERS,
+    _encode_asn1_int_gc, _encode_asn1_str_gc, _encode_name_gc, _txt2obj_gc,
+)
+from cryptography.hazmat.backends.openssl.hashes import _HashContext
+from cryptography.hazmat.backends.openssl.hmac import _HMACContext
+from cryptography.hazmat.backends.openssl.ocsp import (
+    _OCSPRequest, _OCSPResponse
+)
+from cryptography.hazmat.backends.openssl.poly1305 import (
+    _POLY1305_KEY_SIZE, _Poly1305Context
+)
+from cryptography.hazmat.backends.openssl.rsa import (
+    _RSAPrivateKey, _RSAPublicKey
+)
+from cryptography.hazmat.backends.openssl.x25519 import (
+    _X25519PrivateKey, _X25519PublicKey
+)
+from cryptography.hazmat.backends.openssl.x448 import (
+    _X448PrivateKey, _X448PublicKey
+)
+from cryptography.hazmat.backends.openssl.x509 import (
+    _Certificate, _CertificateRevocationList,
+    _CertificateSigningRequest, _RevokedCertificate
+)
+from cryptography.hazmat.bindings.openssl import binding
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import dsa, ec, ed25519, rsa
+from cryptography.hazmat.primitives.asymmetric.padding import (
+    MGF1, OAEP, PKCS1v15, PSS
+)
+from cryptography.hazmat.primitives.ciphers.algorithms import (
+    AES, ARC4, Blowfish, CAST5, Camellia, ChaCha20, IDEA, SEED, TripleDES
+)
+from cryptography.hazmat.primitives.ciphers.modes import (
+    CBC, CFB, CFB8, CTR, ECB, GCM, OFB, XTS
+)
+from cryptography.hazmat.primitives.kdf import scrypt
+from cryptography.hazmat.primitives.serialization import ssh
+from cryptography.x509 import ocsp
+
+
+_MemoryBIO = collections.namedtuple("_MemoryBIO", ["bio", "char_ptr"])
+
+
+@utils.register_interface(CipherBackend)
+@utils.register_interface(CMACBackend)
+@utils.register_interface(DERSerializationBackend)
+@utils.register_interface(DHBackend)
+@utils.register_interface(DSABackend)
+@utils.register_interface(EllipticCurveBackend)
+@utils.register_interface(HashBackend)
+@utils.register_interface(HMACBackend)
+@utils.register_interface(PBKDF2HMACBackend)
+@utils.register_interface(RSABackend)
+@utils.register_interface(PEMSerializationBackend)
+@utils.register_interface(X509Backend)
+@utils.register_interface_if(
+    binding.Binding().lib.Cryptography_HAS_SCRYPT, ScryptBackend
+)
+class Backend(object):
+    """
+    OpenSSL API binding interfaces.
+    """
+    name = "openssl"
+
+    def __init__(self):
+        self._binding = binding.Binding()
+        self._ffi = self._binding.ffi
+        self._lib = self._binding.lib
+
+        self._cipher_registry = {}
+        self._register_default_ciphers()
+        self.activate_osrandom_engine()
+        self._dh_types = [self._lib.EVP_PKEY_DH]
+        if self._lib.Cryptography_HAS_EVP_PKEY_DHX:
+            self._dh_types.append(self._lib.EVP_PKEY_DHX)
+
+    def openssl_assert(self, ok):
+        return binding._openssl_assert(self._lib, ok)
+
+    def activate_builtin_random(self):
+        if self._lib.Cryptography_HAS_ENGINE:
+            # Obtain a new structural reference.
+            e = self._lib.ENGINE_get_default_RAND()
+            if e != self._ffi.NULL:
+                self._lib.ENGINE_unregister_RAND(e)
+                # Reset the RNG to use the new engine.
+                self._lib.RAND_cleanup()
+                # decrement the structural reference from get_default_RAND
+                res = self._lib.ENGINE_finish(e)
+                self.openssl_assert(res == 1)
+
+    @contextlib.contextmanager
+    def _get_osurandom_engine(self):
+        # Fetches an engine by id and returns it. This creates a structural
+        # reference.
+        e = self._lib.ENGINE_by_id(self._lib.Cryptography_osrandom_engine_id)
+        self.openssl_assert(e != self._ffi.NULL)
+        # Initialize the engine for use. This adds a functional reference.
+        res = self._lib.ENGINE_init(e)
+        self.openssl_assert(res == 1)
+
+        try:
+            yield e
+        finally:
+            # Decrement the structural ref incremented by ENGINE_by_id.
+            res = self._lib.ENGINE_free(e)
+            self.openssl_assert(res == 1)
+            # Decrement the functional ref incremented by ENGINE_init.
+            res = self._lib.ENGINE_finish(e)
+            self.openssl_assert(res == 1)
+
+    def activate_osrandom_engine(self):
+        if self._lib.Cryptography_HAS_ENGINE:
+            # Unregister and free the current engine.
+            self.activate_builtin_random()
+            with self._get_osurandom_engine() as e:
+                # Set the engine as the default RAND provider.
+                res = self._lib.ENGINE_set_default_RAND(e)
+                self.openssl_assert(res == 1)
+            # Reset the RNG to use the new engine.
+            self._lib.RAND_cleanup()
+
+    def osrandom_engine_implementation(self):
+        buf = self._ffi.new("char[]", 64)
+        with self._get_osurandom_engine() as e:
+            res = self._lib.ENGINE_ctrl_cmd(e, b"get_implementation",
+                                            len(buf), buf,
+                                            self._ffi.NULL, 0)
+            self.openssl_assert(res > 0)
+        return self._ffi.string(buf).decode('ascii')
+
+    def openssl_version_text(self):
+        """
+        Friendly string name of the loaded OpenSSL library. This is not
+        necessarily the same version as it was compiled against.
+
+        Example: OpenSSL 1.0.1e 11 Feb 2013
+        """
+        return self._ffi.string(
+            self._lib.OpenSSL_version(self._lib.OPENSSL_VERSION)
+        ).decode("ascii")
+
+    def openssl_version_number(self):
+        return self._lib.OpenSSL_version_num()
+
+    def create_hmac_ctx(self, key, algorithm):
+        return _HMACContext(self, key, algorithm)
+
+    def _evp_md_from_algorithm(self, algorithm):
+        if algorithm.name == "blake2b" or algorithm.name == "blake2s":
+            alg = "{}{}".format(
+                algorithm.name, algorithm.digest_size * 8
+            ).encode("ascii")
+        else:
+            alg = algorithm.name.encode("ascii")
+
+        evp_md = self._lib.EVP_get_digestbyname(alg)
+        return evp_md
+
+    def _evp_md_non_null_from_algorithm(self, algorithm):
+        evp_md = self._evp_md_from_algorithm(algorithm)
+        self.openssl_assert(evp_md != self._ffi.NULL)
+        return evp_md
+
+    def hash_supported(self, algorithm):
+        evp_md = self._evp_md_from_algorithm(algorithm)
+        return evp_md != self._ffi.NULL
+
+    def hmac_supported(self, algorithm):
+        return self.hash_supported(algorithm)
+
+    def create_hash_ctx(self, algorithm):
+        return _HashContext(self, algorithm)
+
+    def cipher_supported(self, cipher, mode):
+        try:
+            adapter = self._cipher_registry[type(cipher), type(mode)]
+        except KeyError:
+            return False
+        evp_cipher = adapter(self, cipher, mode)
+        return self._ffi.NULL != evp_cipher
+
+    def register_cipher_adapter(self, cipher_cls, mode_cls, adapter):
+        if (cipher_cls, mode_cls) in self._cipher_registry:
+            raise ValueError("Duplicate registration for: {} {}.".format(
+                cipher_cls, mode_cls)
+            )
+        self._cipher_registry[cipher_cls, mode_cls] = adapter
+
+    def _register_default_ciphers(self):
+        for mode_cls in [CBC, CTR, ECB, OFB, CFB, CFB8, GCM]:
+            self.register_cipher_adapter(
+                AES,
+                mode_cls,
+                GetCipherByName("{cipher.name}-{cipher.key_size}-{mode.name}")
+            )
+        for mode_cls in [CBC, CTR, ECB, OFB, CFB]:
+            self.register_cipher_adapter(
+                Camellia,
+                mode_cls,
+                GetCipherByName("{cipher.name}-{cipher.key_size}-{mode.name}")
+            )
+        for mode_cls in [CBC, CFB, CFB8, OFB]:
+            self.register_cipher_adapter(
+                TripleDES,
+                mode_cls,
+                GetCipherByName("des-ede3-{mode.name}")
+            )
+        self.register_cipher_adapter(
+            TripleDES,
+            ECB,
+            GetCipherByName("des-ede3")
+        )
+        for mode_cls in [CBC, CFB, OFB, ECB]:
+            self.register_cipher_adapter(
+                Blowfish,
+                mode_cls,
+                GetCipherByName("bf-{mode.name}")
+            )
+        for mode_cls in [CBC, CFB, OFB, ECB]:
+            self.register_cipher_adapter(
+                SEED,
+                mode_cls,
+                GetCipherByName("seed-{mode.name}")
+            )
+        for cipher_cls, mode_cls in itertools.product(
+            [CAST5, IDEA],
+            [CBC, OFB, CFB, ECB],
+        ):
+            self.register_cipher_adapter(
+                cipher_cls,
+                mode_cls,
+                GetCipherByName("{cipher.name}-{mode.name}")
+            )
+        self.register_cipher_adapter(
+            ARC4,
+            type(None),
+            GetCipherByName("rc4")
+        )
+        self.register_cipher_adapter(
+            ChaCha20,
+            type(None),
+            GetCipherByName("chacha20")
+        )
+        self.register_cipher_adapter(AES, XTS, _get_xts_cipher)
+
+    def create_symmetric_encryption_ctx(self, cipher, mode):
+        return _CipherContext(self, cipher, mode, _CipherContext._ENCRYPT)
+
+    def create_symmetric_decryption_ctx(self, cipher, mode):
+        return _CipherContext(self, cipher, mode, _CipherContext._DECRYPT)
+
+    def pbkdf2_hmac_supported(self, algorithm):
+        return self.hmac_supported(algorithm)
+
+    def derive_pbkdf2_hmac(self, algorithm, length, salt, iterations,
+                           key_material):
+        buf = self._ffi.new("unsigned char[]", length)
+        evp_md = self._evp_md_non_null_from_algorithm(algorithm)
+        key_material_ptr = self._ffi.from_buffer(key_material)
+        res = self._lib.PKCS5_PBKDF2_HMAC(
+            key_material_ptr,
+            len(key_material),
+            salt,
+            len(salt),
+            iterations,
+            evp_md,
+            length,
+            buf
+        )
+        self.openssl_assert(res == 1)
+        return self._ffi.buffer(buf)[:]
+
+    def _consume_errors(self):
+        return binding._consume_errors(self._lib)
+
+    def _bn_to_int(self, bn):
+        assert bn != self._ffi.NULL
+
+        if not six.PY2:
+            # Python 3 has constant time from_bytes, so use that.
+            bn_num_bytes = self._lib.BN_num_bytes(bn)
+            bin_ptr = self._ffi.new("unsigned char[]", bn_num_bytes)
+            bin_len = self._lib.BN_bn2bin(bn, bin_ptr)
+            # A zero length means the BN has value 0
+            self.openssl_assert(bin_len >= 0)
+            val = int.from_bytes(self._ffi.buffer(bin_ptr)[:bin_len], "big")
+            if self._lib.BN_is_negative(bn):
+                val = -val
+            return val
+        else:
+            # Under Python 2 the best we can do is hex()
+            hex_cdata = self._lib.BN_bn2hex(bn)
+            self.openssl_assert(hex_cdata != self._ffi.NULL)
+            hex_str = self._ffi.string(hex_cdata)
+            self._lib.OPENSSL_free(hex_cdata)
+            return int(hex_str, 16)
+
+    def _int_to_bn(self, num, bn=None):
+        """
+        Converts a python integer to a BIGNUM. The returned BIGNUM will not
+        be garbage collected (to support adding them to structs that take
+        ownership of the object). Be sure to register it for GC if it will
+        be discarded after use.
+        """
+        assert bn is None or bn != self._ffi.NULL
+
+        if bn is None:
+            bn = self._ffi.NULL
+
+        if not six.PY2:
+            # Python 3 has constant time to_bytes, so use that.
+
+            binary = num.to_bytes(int(num.bit_length() / 8.0 + 1), "big")
+            bn_ptr = self._lib.BN_bin2bn(binary, len(binary), bn)
+            self.openssl_assert(bn_ptr != self._ffi.NULL)
+            return bn_ptr
+
+        else:
+            # Under Python 2 the best we can do is hex(), [2:] removes the 0x
+            # prefix.
+            hex_num = hex(num).rstrip("L")[2:].encode("ascii")
+            bn_ptr = self._ffi.new("BIGNUM **")
+            bn_ptr[0] = bn
+            res = self._lib.BN_hex2bn(bn_ptr, hex_num)
+            self.openssl_assert(res != 0)
+            self.openssl_assert(bn_ptr[0] != self._ffi.NULL)
+            return bn_ptr[0]
+
+    def generate_rsa_private_key(self, public_exponent, key_size):
+        rsa._verify_rsa_parameters(public_exponent, key_size)
+
+        rsa_cdata = self._lib.RSA_new()
+        self.openssl_assert(rsa_cdata != self._ffi.NULL)
+        rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free)
+
+        bn = self._int_to_bn(public_exponent)
+        bn = self._ffi.gc(bn, self._lib.BN_free)
+
+        res = self._lib.RSA_generate_key_ex(
+            rsa_cdata, key_size, bn, self._ffi.NULL
+        )
+        self.openssl_assert(res == 1)
+        evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata)
+
+        return _RSAPrivateKey(self, rsa_cdata, evp_pkey)
+
+    def generate_rsa_parameters_supported(self, public_exponent, key_size):
+        return (public_exponent >= 3 and public_exponent & 1 != 0 and
+                key_size >= 512)
+
+    def load_rsa_private_numbers(self, numbers):
+        rsa._check_private_key_components(
+            numbers.p,
+            numbers.q,
+            numbers.d,
+            numbers.dmp1,
+            numbers.dmq1,
+            numbers.iqmp,
+            numbers.public_numbers.e,
+            numbers.public_numbers.n
+        )
+        rsa_cdata = self._lib.RSA_new()
+        self.openssl_assert(rsa_cdata != self._ffi.NULL)
+        rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free)
+        p = self._int_to_bn(numbers.p)
+        q = self._int_to_bn(numbers.q)
+        d = self._int_to_bn(numbers.d)
+        dmp1 = self._int_to_bn(numbers.dmp1)
+        dmq1 = self._int_to_bn(numbers.dmq1)
+        iqmp = self._int_to_bn(numbers.iqmp)
+        e = self._int_to_bn(numbers.public_numbers.e)
+        n = self._int_to_bn(numbers.public_numbers.n)
+        res = self._lib.RSA_set0_factors(rsa_cdata, p, q)
+        self.openssl_assert(res == 1)
+        res = self._lib.RSA_set0_key(rsa_cdata, n, e, d)
+        self.openssl_assert(res == 1)
+        res = self._lib.RSA_set0_crt_params(rsa_cdata, dmp1, dmq1, iqmp)
+        self.openssl_assert(res == 1)
+        res = self._lib.RSA_blinding_on(rsa_cdata, self._ffi.NULL)
+        self.openssl_assert(res == 1)
+        evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata)
+
+        return _RSAPrivateKey(self, rsa_cdata, evp_pkey)
+
+    def load_rsa_public_numbers(self, numbers):
+        rsa._check_public_key_components(numbers.e, numbers.n)
+        rsa_cdata = self._lib.RSA_new()
+        self.openssl_assert(rsa_cdata != self._ffi.NULL)
+        rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free)
+        e = self._int_to_bn(numbers.e)
+        n = self._int_to_bn(numbers.n)
+        res = self._lib.RSA_set0_key(rsa_cdata, n, e, self._ffi.NULL)
+        self.openssl_assert(res == 1)
+        evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata)
+
+        return _RSAPublicKey(self, rsa_cdata, evp_pkey)
+
+    def _create_evp_pkey_gc(self):
+        evp_pkey = self._lib.EVP_PKEY_new()
+        self.openssl_assert(evp_pkey != self._ffi.NULL)
+        evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+        return evp_pkey
+
+    def _rsa_cdata_to_evp_pkey(self, rsa_cdata):
+        evp_pkey = self._create_evp_pkey_gc()
+        res = self._lib.EVP_PKEY_set1_RSA(evp_pkey, rsa_cdata)
+        self.openssl_assert(res == 1)
+        return evp_pkey
+
+    def _bytes_to_bio(self, data):
+        """
+        Return a _MemoryBIO namedtuple of (BIO, char*).
+
+        The char* is the storage for the BIO and it must stay alive until the
+        BIO is finished with.
+        """
+        data_ptr = self._ffi.from_buffer(data)
+        bio = self._lib.BIO_new_mem_buf(
+            data_ptr, len(data)
+        )
+        self.openssl_assert(bio != self._ffi.NULL)
+
+        return _MemoryBIO(self._ffi.gc(bio, self._lib.BIO_free), data_ptr)
+
+    def _create_mem_bio_gc(self):
+        """
+        Creates an empty memory BIO.
+        """
+        bio_method = self._lib.BIO_s_mem()
+        self.openssl_assert(bio_method != self._ffi.NULL)
+        bio = self._lib.BIO_new(bio_method)
+        self.openssl_assert(bio != self._ffi.NULL)
+        bio = self._ffi.gc(bio, self._lib.BIO_free)
+        return bio
+
+    def _read_mem_bio(self, bio):
+        """
+        Reads a memory BIO. This only works on memory BIOs.
+        """
+        buf = self._ffi.new("char **")
+        buf_len = self._lib.BIO_get_mem_data(bio, buf)
+        self.openssl_assert(buf_len > 0)
+        self.openssl_assert(buf[0] != self._ffi.NULL)
+        bio_data = self._ffi.buffer(buf[0], buf_len)[:]
+        return bio_data
+
+    def _evp_pkey_to_private_key(self, evp_pkey):
+        """
+        Return the appropriate type of PrivateKey given an evp_pkey cdata
+        pointer.
+        """
+
+        key_type = self._lib.EVP_PKEY_id(evp_pkey)
+
+        if key_type == self._lib.EVP_PKEY_RSA:
+            rsa_cdata = self._lib.EVP_PKEY_get1_RSA(evp_pkey)
+            self.openssl_assert(rsa_cdata != self._ffi.NULL)
+            rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free)
+            return _RSAPrivateKey(self, rsa_cdata, evp_pkey)
+        elif key_type == self._lib.EVP_PKEY_DSA:
+            dsa_cdata = self._lib.EVP_PKEY_get1_DSA(evp_pkey)
+            self.openssl_assert(dsa_cdata != self._ffi.NULL)
+            dsa_cdata = self._ffi.gc(dsa_cdata, self._lib.DSA_free)
+            return _DSAPrivateKey(self, dsa_cdata, evp_pkey)
+        elif key_type == self._lib.EVP_PKEY_EC:
+            ec_cdata = self._lib.EVP_PKEY_get1_EC_KEY(evp_pkey)
+            self.openssl_assert(ec_cdata != self._ffi.NULL)
+            ec_cdata = self._ffi.gc(ec_cdata, self._lib.EC_KEY_free)
+            return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey)
+        elif key_type in self._dh_types:
+            dh_cdata = self._lib.EVP_PKEY_get1_DH(evp_pkey)
+            self.openssl_assert(dh_cdata != self._ffi.NULL)
+            dh_cdata = self._ffi.gc(dh_cdata, self._lib.DH_free)
+            return _DHPrivateKey(self, dh_cdata, evp_pkey)
+        elif key_type == getattr(self._lib, "EVP_PKEY_ED25519", None):
+            # EVP_PKEY_ED25519 is not present in OpenSSL < 1.1.1
+            return _Ed25519PrivateKey(self, evp_pkey)
+        elif key_type == getattr(self._lib, "EVP_PKEY_X448", None):
+            # EVP_PKEY_X448 is not present in OpenSSL < 1.1.1
+            return _X448PrivateKey(self, evp_pkey)
+        elif key_type == getattr(self._lib, "EVP_PKEY_X25519", None):
+            # EVP_PKEY_X25519 is not present in OpenSSL < 1.1.0
+            return _X25519PrivateKey(self, evp_pkey)
+        elif key_type == getattr(self._lib, "EVP_PKEY_ED448", None):
+            # EVP_PKEY_ED448 is not present in OpenSSL < 1.1.1
+            return _Ed448PrivateKey(self, evp_pkey)
+        else:
+            raise UnsupportedAlgorithm("Unsupported key type.")
+
+    def _evp_pkey_to_public_key(self, evp_pkey):
+        """
+        Return the appropriate type of PublicKey given an evp_pkey cdata
+        pointer.
+        """
+
+        key_type = self._lib.EVP_PKEY_id(evp_pkey)
+
+        if key_type == self._lib.EVP_PKEY_RSA:
+            rsa_cdata = self._lib.EVP_PKEY_get1_RSA(evp_pkey)
+            self.openssl_assert(rsa_cdata != self._ffi.NULL)
+            rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free)
+            return _RSAPublicKey(self, rsa_cdata, evp_pkey)
+        elif key_type == self._lib.EVP_PKEY_DSA:
+            dsa_cdata = self._lib.EVP_PKEY_get1_DSA(evp_pkey)
+            self.openssl_assert(dsa_cdata != self._ffi.NULL)
+            dsa_cdata = self._ffi.gc(dsa_cdata, self._lib.DSA_free)
+            return _DSAPublicKey(self, dsa_cdata, evp_pkey)
+        elif key_type == self._lib.EVP_PKEY_EC:
+            ec_cdata = self._lib.EVP_PKEY_get1_EC_KEY(evp_pkey)
+            self.openssl_assert(ec_cdata != self._ffi.NULL)
+            ec_cdata = self._ffi.gc(ec_cdata, self._lib.EC_KEY_free)
+            return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey)
+        elif key_type in self._dh_types:
+            dh_cdata = self._lib.EVP_PKEY_get1_DH(evp_pkey)
+            self.openssl_assert(dh_cdata != self._ffi.NULL)
+            dh_cdata = self._ffi.gc(dh_cdata, self._lib.DH_free)
+            return _DHPublicKey(self, dh_cdata, evp_pkey)
+        elif key_type == getattr(self._lib, "EVP_PKEY_ED25519", None):
+            # EVP_PKEY_ED25519 is not present in OpenSSL < 1.1.1
+            return _Ed25519PublicKey(self, evp_pkey)
+        elif key_type == getattr(self._lib, "EVP_PKEY_X448", None):
+            # EVP_PKEY_X448 is not present in OpenSSL < 1.1.1
+            return _X448PublicKey(self, evp_pkey)
+        elif key_type == getattr(self._lib, "EVP_PKEY_X25519", None):
+            # EVP_PKEY_X25519 is not present in OpenSSL < 1.1.0
+            return _X25519PublicKey(self, evp_pkey)
+        elif key_type == getattr(self._lib, "EVP_PKEY_ED448", None):
+            # EVP_PKEY_X25519 is not present in OpenSSL < 1.1.1
+            return _Ed448PublicKey(self, evp_pkey)
+        else:
+            raise UnsupportedAlgorithm("Unsupported key type.")
+
+    def _oaep_hash_supported(self, algorithm):
+        if self._lib.Cryptography_HAS_RSA_OAEP_MD:
+            return isinstance(
+                algorithm, (
+                    hashes.SHA1,
+                    hashes.SHA224,
+                    hashes.SHA256,
+                    hashes.SHA384,
+                    hashes.SHA512,
+                )
+            )
+        else:
+            return isinstance(algorithm, hashes.SHA1)
+
+    def rsa_padding_supported(self, padding):
+        if isinstance(padding, PKCS1v15):
+            return True
+        elif isinstance(padding, PSS) and isinstance(padding._mgf, MGF1):
+            return self.hash_supported(padding._mgf._algorithm)
+        elif isinstance(padding, OAEP) and isinstance(padding._mgf, MGF1):
+            return (
+                self._oaep_hash_supported(padding._mgf._algorithm) and
+                self._oaep_hash_supported(padding._algorithm) and
+                (
+                    (padding._label is None or len(padding._label) == 0) or
+                    self._lib.Cryptography_HAS_RSA_OAEP_LABEL == 1
+                )
+            )
+        else:
+            return False
+
+    def generate_dsa_parameters(self, key_size):
+        if key_size not in (1024, 2048, 3072):
+            raise ValueError("Key size must be 1024 or 2048 or 3072 bits.")
+
+        ctx = self._lib.DSA_new()
+        self.openssl_assert(ctx != self._ffi.NULL)
+        ctx = self._ffi.gc(ctx, self._lib.DSA_free)
+
+        res = self._lib.DSA_generate_parameters_ex(
+            ctx, key_size, self._ffi.NULL, 0,
+            self._ffi.NULL, self._ffi.NULL, self._ffi.NULL
+        )
+
+        self.openssl_assert(res == 1)
+
+        return _DSAParameters(self, ctx)
+
+    def generate_dsa_private_key(self, parameters):
+        ctx = self._lib.DSAparams_dup(parameters._dsa_cdata)
+        self.openssl_assert(ctx != self._ffi.NULL)
+        ctx = self._ffi.gc(ctx, self._lib.DSA_free)
+        self._lib.DSA_generate_key(ctx)
+        evp_pkey = self._dsa_cdata_to_evp_pkey(ctx)
+
+        return _DSAPrivateKey(self, ctx, evp_pkey)
+
+    def generate_dsa_private_key_and_parameters(self, key_size):
+        parameters = self.generate_dsa_parameters(key_size)
+        return self.generate_dsa_private_key(parameters)
+
+    def _dsa_cdata_set_values(self, dsa_cdata, p, q, g, pub_key, priv_key):
+        res = self._lib.DSA_set0_pqg(dsa_cdata, p, q, g)
+        self.openssl_assert(res == 1)
+        res = self._lib.DSA_set0_key(dsa_cdata, pub_key, priv_key)
+        self.openssl_assert(res == 1)
+
+    def load_dsa_private_numbers(self, numbers):
+        dsa._check_dsa_private_numbers(numbers)
+        parameter_numbers = numbers.public_numbers.parameter_numbers
+
+        dsa_cdata = self._lib.DSA_new()
+        self.openssl_assert(dsa_cdata != self._ffi.NULL)
+        dsa_cdata = self._ffi.gc(dsa_cdata, self._lib.DSA_free)
+
+        p = self._int_to_bn(parameter_numbers.p)
+        q = self._int_to_bn(parameter_numbers.q)
+        g = self._int_to_bn(parameter_numbers.g)
+        pub_key = self._int_to_bn(numbers.public_numbers.y)
+        priv_key = self._int_to_bn(numbers.x)
+        self._dsa_cdata_set_values(dsa_cdata, p, q, g, pub_key, priv_key)
+
+        evp_pkey = self._dsa_cdata_to_evp_pkey(dsa_cdata)
+
+        return _DSAPrivateKey(self, dsa_cdata, evp_pkey)
+
+    def load_dsa_public_numbers(self, numbers):
+        dsa._check_dsa_parameters(numbers.parameter_numbers)
+        dsa_cdata = self._lib.DSA_new()
+        self.openssl_assert(dsa_cdata != self._ffi.NULL)
+        dsa_cdata = self._ffi.gc(dsa_cdata, self._lib.DSA_free)
+
+        p = self._int_to_bn(numbers.parameter_numbers.p)
+        q = self._int_to_bn(numbers.parameter_numbers.q)
+        g = self._int_to_bn(numbers.parameter_numbers.g)
+        pub_key = self._int_to_bn(numbers.y)
+        priv_key = self._ffi.NULL
+        self._dsa_cdata_set_values(dsa_cdata, p, q, g, pub_key, priv_key)
+
+        evp_pkey = self._dsa_cdata_to_evp_pkey(dsa_cdata)
+
+        return _DSAPublicKey(self, dsa_cdata, evp_pkey)
+
+    def load_dsa_parameter_numbers(self, numbers):
+        dsa._check_dsa_parameters(numbers)
+        dsa_cdata = self._lib.DSA_new()
+        self.openssl_assert(dsa_cdata != self._ffi.NULL)
+        dsa_cdata = self._ffi.gc(dsa_cdata, self._lib.DSA_free)
+
+        p = self._int_to_bn(numbers.p)
+        q = self._int_to_bn(numbers.q)
+        g = self._int_to_bn(numbers.g)
+        res = self._lib.DSA_set0_pqg(dsa_cdata, p, q, g)
+        self.openssl_assert(res == 1)
+
+        return _DSAParameters(self, dsa_cdata)
+
+    def _dsa_cdata_to_evp_pkey(self, dsa_cdata):
+        evp_pkey = self._create_evp_pkey_gc()
+        res = self._lib.EVP_PKEY_set1_DSA(evp_pkey, dsa_cdata)
+        self.openssl_assert(res == 1)
+        return evp_pkey
+
+    def dsa_hash_supported(self, algorithm):
+        return self.hash_supported(algorithm)
+
+    def dsa_parameters_supported(self, p, q, g):
+        return True
+
+    def cmac_algorithm_supported(self, algorithm):
+        return self.cipher_supported(
+            algorithm, CBC(b"\x00" * algorithm.block_size)
+        )
+
+    def create_cmac_ctx(self, algorithm):
+        return _CMACContext(self, algorithm)
+
+    def create_x509_csr(self, builder, private_key, algorithm):
+        if not isinstance(algorithm, hashes.HashAlgorithm):
+            raise TypeError('Algorithm must be a registered hash algorithm.')
+
+        if (
+            isinstance(algorithm, hashes.MD5) and not
+            isinstance(private_key, rsa.RSAPrivateKey)
+        ):
+            raise ValueError(
+                "MD5 is not a supported hash algorithm for EC/DSA CSRs"
+            )
+
+        # Resolve the signature algorithm.
+        evp_md = self._evp_md_non_null_from_algorithm(algorithm)
+
+        # Create an empty request.
+        x509_req = self._lib.X509_REQ_new()
+        self.openssl_assert(x509_req != self._ffi.NULL)
+        x509_req = self._ffi.gc(x509_req, self._lib.X509_REQ_free)
+
+        # Set x509 version.
+        res = self._lib.X509_REQ_set_version(x509_req, x509.Version.v1.value)
+        self.openssl_assert(res == 1)
+
+        # Set subject name.
+        res = self._lib.X509_REQ_set_subject_name(
+            x509_req, _encode_name_gc(self, builder._subject_name)
+        )
+        self.openssl_assert(res == 1)
+
+        # Set subject public key.
+        public_key = private_key.public_key()
+        res = self._lib.X509_REQ_set_pubkey(
+            x509_req, public_key._evp_pkey
+        )
+        self.openssl_assert(res == 1)
+
+        # Add extensions.
+        sk_extension = self._lib.sk_X509_EXTENSION_new_null()
+        self.openssl_assert(sk_extension != self._ffi.NULL)
+        sk_extension = self._ffi.gc(
+            sk_extension,
+            lambda x: self._lib.sk_X509_EXTENSION_pop_free(
+                x, self._ffi.addressof(
+                    self._lib._original_lib, "X509_EXTENSION_free"
+                )
+            )
+        )
+        # Don't GC individual extensions because the memory is owned by
+        # sk_extensions and will be freed along with it.
+        self._create_x509_extensions(
+            extensions=builder._extensions,
+            handlers=_EXTENSION_ENCODE_HANDLERS,
+            x509_obj=sk_extension,
+            add_func=self._lib.sk_X509_EXTENSION_insert,
+            gc=False
+        )
+        res = self._lib.X509_REQ_add_extensions(x509_req, sk_extension)
+        self.openssl_assert(res == 1)
+
+        # Sign the request using the requester's private key.
+        res = self._lib.X509_REQ_sign(
+            x509_req, private_key._evp_pkey, evp_md
+        )
+        if res == 0:
+            errors = self._consume_errors()
+            self.openssl_assert(
+                errors[0]._lib_reason_match(
+                    self._lib.ERR_LIB_RSA,
+                    self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
+                )
+            )
+
+            raise ValueError("Digest too big for RSA key")
+
+        return _CertificateSigningRequest(self, x509_req)
+
+    def create_x509_certificate(self, builder, private_key, algorithm):
+        if not isinstance(builder, x509.CertificateBuilder):
+            raise TypeError('Builder type mismatch.')
+        if not isinstance(algorithm, hashes.HashAlgorithm):
+            raise TypeError('Algorithm must be a registered hash algorithm.')
+
+        if (
+            isinstance(algorithm, hashes.MD5) and not
+            isinstance(private_key, rsa.RSAPrivateKey)
+        ):
+            raise ValueError(
+                "MD5 is not a supported hash algorithm for EC/DSA certificates"
+            )
+
+        # Resolve the signature algorithm.
+        evp_md = self._evp_md_non_null_from_algorithm(algorithm)
+
+        # Create an empty certificate.
+        x509_cert = self._lib.X509_new()
+        x509_cert = self._ffi.gc(x509_cert, backend._lib.X509_free)
+
+        # Set the x509 version.
+        res = self._lib.X509_set_version(x509_cert, builder._version.value)
+        self.openssl_assert(res == 1)
+
+        # Set the subject's name.
+        res = self._lib.X509_set_subject_name(
+            x509_cert, _encode_name_gc(self, builder._subject_name)
+        )
+        self.openssl_assert(res == 1)
+
+        # Set the subject's public key.
+        res = self._lib.X509_set_pubkey(
+            x509_cert, builder._public_key._evp_pkey
+        )
+        self.openssl_assert(res == 1)
+
+        # Set the certificate serial number.
+        serial_number = _encode_asn1_int_gc(self, builder._serial_number)
+        res = self._lib.X509_set_serialNumber(x509_cert, serial_number)
+        self.openssl_assert(res == 1)
+
+        # Set the "not before" time.
+        self._set_asn1_time(
+            self._lib.X509_get_notBefore(x509_cert), builder._not_valid_before
+        )
+
+        # Set the "not after" time.
+        self._set_asn1_time(
+            self._lib.X509_get_notAfter(x509_cert), builder._not_valid_after
+        )
+
+        # Add extensions.
+        self._create_x509_extensions(
+            extensions=builder._extensions,
+            handlers=_EXTENSION_ENCODE_HANDLERS,
+            x509_obj=x509_cert,
+            add_func=self._lib.X509_add_ext,
+            gc=True
+        )
+
+        # Set the issuer name.
+        res = self._lib.X509_set_issuer_name(
+            x509_cert, _encode_name_gc(self, builder._issuer_name)
+        )
+        self.openssl_assert(res == 1)
+
+        # Sign the certificate with the issuer's private key.
+        res = self._lib.X509_sign(
+            x509_cert, private_key._evp_pkey, evp_md
+        )
+        if res == 0:
+            errors = self._consume_errors()
+            self.openssl_assert(
+                errors[0]._lib_reason_match(
+                    self._lib.ERR_LIB_RSA,
+                    self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
+                )
+            )
+            raise ValueError("Digest too big for RSA key")
+
+        return _Certificate(self, x509_cert)
+
+    def _set_asn1_time(self, asn1_time, time):
+        if time.year >= 2050:
+            asn1_str = time.strftime('%Y%m%d%H%M%SZ').encode('ascii')
+        else:
+            asn1_str = time.strftime('%y%m%d%H%M%SZ').encode('ascii')
+        res = self._lib.ASN1_TIME_set_string(asn1_time, asn1_str)
+        self.openssl_assert(res == 1)
+
+    def _create_asn1_time(self, time):
+        asn1_time = self._lib.ASN1_TIME_new()
+        self.openssl_assert(asn1_time != self._ffi.NULL)
+        asn1_time = self._ffi.gc(asn1_time, self._lib.ASN1_TIME_free)
+        self._set_asn1_time(asn1_time, time)
+        return asn1_time
+
+    def create_x509_crl(self, builder, private_key, algorithm):
+        if not isinstance(builder, x509.CertificateRevocationListBuilder):
+            raise TypeError('Builder type mismatch.')
+        if not isinstance(algorithm, hashes.HashAlgorithm):
+            raise TypeError('Algorithm must be a registered hash algorithm.')
+
+        if (
+            isinstance(algorithm, hashes.MD5) and not
+            isinstance(private_key, rsa.RSAPrivateKey)
+        ):
+            raise ValueError(
+                "MD5 is not a supported hash algorithm for EC/DSA CRLs"
+            )
+
+        evp_md = self._evp_md_non_null_from_algorithm(algorithm)
+
+        # Create an empty CRL.
+        x509_crl = self._lib.X509_CRL_new()
+        x509_crl = self._ffi.gc(x509_crl, backend._lib.X509_CRL_free)
+
+        # Set the x509 CRL version. We only support v2 (integer value 1).
+        res = self._lib.X509_CRL_set_version(x509_crl, 1)
+        self.openssl_assert(res == 1)
+
+        # Set the issuer name.
+        res = self._lib.X509_CRL_set_issuer_name(
+            x509_crl, _encode_name_gc(self, builder._issuer_name)
+        )
+        self.openssl_assert(res == 1)
+
+        # Set the last update time.
+        last_update = self._create_asn1_time(builder._last_update)
+        res = self._lib.X509_CRL_set_lastUpdate(x509_crl, last_update)
+        self.openssl_assert(res == 1)
+
+        # Set the next update time.
+        next_update = self._create_asn1_time(builder._next_update)
+        res = self._lib.X509_CRL_set_nextUpdate(x509_crl, next_update)
+        self.openssl_assert(res == 1)
+
+        # Add extensions.
+        self._create_x509_extensions(
+            extensions=builder._extensions,
+            handlers=_CRL_EXTENSION_ENCODE_HANDLERS,
+            x509_obj=x509_crl,
+            add_func=self._lib.X509_CRL_add_ext,
+            gc=True
+        )
+
+        # add revoked certificates
+        for revoked_cert in builder._revoked_certificates:
+            # Duplicating because the X509_CRL takes ownership and will free
+            # this memory when X509_CRL_free is called.
+            revoked = self._lib.Cryptography_X509_REVOKED_dup(
+                revoked_cert._x509_revoked
+            )
+            self.openssl_assert(revoked != self._ffi.NULL)
+            res = self._lib.X509_CRL_add0_revoked(x509_crl, revoked)
+            self.openssl_assert(res == 1)
+
+        res = self._lib.X509_CRL_sign(
+            x509_crl, private_key._evp_pkey, evp_md
+        )
+        if res == 0:
+            errors = self._consume_errors()
+            self.openssl_assert(
+                errors[0]._lib_reason_match(
+                    self._lib.ERR_LIB_RSA,
+                    self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
+                )
+            )
+            raise ValueError("Digest too big for RSA key")
+
+        return _CertificateRevocationList(self, x509_crl)
+
+    def _create_x509_extensions(self, extensions, handlers, x509_obj,
+                                add_func, gc):
+        for i, extension in enumerate(extensions):
+            x509_extension = self._create_x509_extension(
+                handlers, extension
+            )
+            self.openssl_assert(x509_extension != self._ffi.NULL)
+
+            if gc:
+                x509_extension = self._ffi.gc(
+                    x509_extension, self._lib.X509_EXTENSION_free
+                )
+            res = add_func(x509_obj, x509_extension, i)
+            self.openssl_assert(res >= 1)
+
+    def _create_raw_x509_extension(self, extension, value):
+        obj = _txt2obj_gc(self, extension.oid.dotted_string)
+        return self._lib.X509_EXTENSION_create_by_OBJ(
+            self._ffi.NULL, obj, 1 if extension.critical else 0, value
+        )
+
+    def _create_x509_extension(self, handlers, extension):
+        if isinstance(extension.value, x509.UnrecognizedExtension):
+            value = _encode_asn1_str_gc(self, extension.value.value)
+            return self._create_raw_x509_extension(extension, value)
+        elif isinstance(extension.value, x509.TLSFeature):
+            asn1 = _Integers([x.value for x in extension.value]).dump()
+            value = _encode_asn1_str_gc(self, asn1)
+            return self._create_raw_x509_extension(extension, value)
+        elif isinstance(extension.value, x509.PrecertPoison):
+            asn1 = asn1crypto.core.Null().dump()
+            value = _encode_asn1_str_gc(self, asn1)
+            return self._create_raw_x509_extension(extension, value)
+        else:
+            try:
+                encode = handlers[extension.oid]
+            except KeyError:
+                raise NotImplementedError(
+                    'Extension not supported: {}'.format(extension.oid)
+                )
+
+            ext_struct = encode(self, extension.value)
+            nid = self._lib.OBJ_txt2nid(
+                extension.oid.dotted_string.encode("ascii")
+            )
+            backend.openssl_assert(nid != self._lib.NID_undef)
+            return self._lib.X509V3_EXT_i2d(
+                nid, 1 if extension.critical else 0, ext_struct
+            )
+
+    def create_x509_revoked_certificate(self, builder):
+        if not isinstance(builder, x509.RevokedCertificateBuilder):
+            raise TypeError('Builder type mismatch.')
+
+        x509_revoked = self._lib.X509_REVOKED_new()
+        self.openssl_assert(x509_revoked != self._ffi.NULL)
+        x509_revoked = self._ffi.gc(x509_revoked, self._lib.X509_REVOKED_free)
+        serial_number = _encode_asn1_int_gc(self, builder._serial_number)
+        res = self._lib.X509_REVOKED_set_serialNumber(
+            x509_revoked, serial_number
+        )
+        self.openssl_assert(res == 1)
+        rev_date = self._create_asn1_time(builder._revocation_date)
+        res = self._lib.X509_REVOKED_set_revocationDate(x509_revoked, rev_date)
+        self.openssl_assert(res == 1)
+        # add CRL entry extensions
+        self._create_x509_extensions(
+            extensions=builder._extensions,
+            handlers=_CRL_ENTRY_EXTENSION_ENCODE_HANDLERS,
+            x509_obj=x509_revoked,
+            add_func=self._lib.X509_REVOKED_add_ext,
+            gc=True
+        )
+        return _RevokedCertificate(self, None, x509_revoked)
+
+    def load_pem_private_key(self, data, password):
+        return self._load_key(
+            self._lib.PEM_read_bio_PrivateKey,
+            self._evp_pkey_to_private_key,
+            data,
+            password,
+        )
+
+    def load_pem_public_key(self, data):
+        mem_bio = self._bytes_to_bio(data)
+        evp_pkey = self._lib.PEM_read_bio_PUBKEY(
+            mem_bio.bio, self._ffi.NULL, self._ffi.NULL, self._ffi.NULL
+        )
+        if evp_pkey != self._ffi.NULL:
+            evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+            return self._evp_pkey_to_public_key(evp_pkey)
+        else:
+            # It's not a (RSA/DSA/ECDSA) subjectPublicKeyInfo, but we still
+            # need to check to see if it is a pure PKCS1 RSA public key (not
+            # embedded in a subjectPublicKeyInfo)
+            self._consume_errors()
+            res = self._lib.BIO_reset(mem_bio.bio)
+            self.openssl_assert(res == 1)
+            rsa_cdata = self._lib.PEM_read_bio_RSAPublicKey(
+                mem_bio.bio, self._ffi.NULL, self._ffi.NULL, self._ffi.NULL
+            )
+            if rsa_cdata != self._ffi.NULL:
+                rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free)
+                evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata)
+                return _RSAPublicKey(self, rsa_cdata, evp_pkey)
+            else:
+                self._handle_key_loading_error()
+
+    def load_pem_parameters(self, data):
+        mem_bio = self._bytes_to_bio(data)
+        # only DH is supported currently
+        dh_cdata = self._lib.PEM_read_bio_DHparams(
+            mem_bio.bio, self._ffi.NULL, self._ffi.NULL, self._ffi.NULL)
+        if dh_cdata != self._ffi.NULL:
+            dh_cdata = self._ffi.gc(dh_cdata, self._lib.DH_free)
+            return _DHParameters(self, dh_cdata)
+        else:
+            self._handle_key_loading_error()
+
+    def load_der_private_key(self, data, password):
+        # OpenSSL has a function called d2i_AutoPrivateKey that in theory
+        # handles this automatically, however it doesn't handle encrypted
+        # private keys. Instead we try to load the key two different ways.
+        # First we'll try to load it as a traditional key.
+        bio_data = self._bytes_to_bio(data)
+        key = self._evp_pkey_from_der_traditional_key(bio_data, password)
+        if key:
+            return self._evp_pkey_to_private_key(key)
+        else:
+            # Finally we try to load it with the method that handles encrypted
+            # PKCS8 properly.
+            return self._load_key(
+                self._lib.d2i_PKCS8PrivateKey_bio,
+                self._evp_pkey_to_private_key,
+                data,
+                password,
+            )
+
+    def _evp_pkey_from_der_traditional_key(self, bio_data, password):
+        key = self._lib.d2i_PrivateKey_bio(bio_data.bio, self._ffi.NULL)
+        if key != self._ffi.NULL:
+            key = self._ffi.gc(key, self._lib.EVP_PKEY_free)
+            if password is not None:
+                raise TypeError(
+                    "Password was given but private key is not encrypted."
+                )
+
+            return key
+        else:
+            self._consume_errors()
+            return None
+
+    def load_der_public_key(self, data):
+        mem_bio = self._bytes_to_bio(data)
+        evp_pkey = self._lib.d2i_PUBKEY_bio(mem_bio.bio, self._ffi.NULL)
+        if evp_pkey != self._ffi.NULL:
+            evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+            return self._evp_pkey_to_public_key(evp_pkey)
+        else:
+            # It's not a (RSA/DSA/ECDSA) subjectPublicKeyInfo, but we still
+            # need to check to see if it is a pure PKCS1 RSA public key (not
+            # embedded in a subjectPublicKeyInfo)
+            self._consume_errors()
+            res = self._lib.BIO_reset(mem_bio.bio)
+            self.openssl_assert(res == 1)
+            rsa_cdata = self._lib.d2i_RSAPublicKey_bio(
+                mem_bio.bio, self._ffi.NULL
+            )
+            if rsa_cdata != self._ffi.NULL:
+                rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free)
+                evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata)
+                return _RSAPublicKey(self, rsa_cdata, evp_pkey)
+            else:
+                self._handle_key_loading_error()
+
+    def load_der_parameters(self, data):
+        mem_bio = self._bytes_to_bio(data)
+        dh_cdata = self._lib.d2i_DHparams_bio(
+            mem_bio.bio, self._ffi.NULL
+        )
+        if dh_cdata != self._ffi.NULL:
+            dh_cdata = self._ffi.gc(dh_cdata, self._lib.DH_free)
+            return _DHParameters(self, dh_cdata)
+        elif self._lib.Cryptography_HAS_EVP_PKEY_DHX:
+            # We check to see if the is dhx.
+            self._consume_errors()
+            res = self._lib.BIO_reset(mem_bio.bio)
+            self.openssl_assert(res == 1)
+            dh_cdata = self._lib.Cryptography_d2i_DHxparams_bio(
+                mem_bio.bio, self._ffi.NULL
+            )
+            if dh_cdata != self._ffi.NULL:
+                dh_cdata = self._ffi.gc(dh_cdata, self._lib.DH_free)
+                return _DHParameters(self, dh_cdata)
+
+        self._handle_key_loading_error()
+
+    def load_pem_x509_certificate(self, data):
+        mem_bio = self._bytes_to_bio(data)
+        x509 = self._lib.PEM_read_bio_X509(
+            mem_bio.bio, self._ffi.NULL, self._ffi.NULL, self._ffi.NULL
+        )
+        if x509 == self._ffi.NULL:
+            self._consume_errors()
+            raise ValueError(
+                "Unable to load certificate. See https://cryptography.io/en/la"
+                "test/faq/#why-can-t-i-import-my-pem-file for more details."
+            )
+
+        x509 = self._ffi.gc(x509, self._lib.X509_free)
+        return _Certificate(self, x509)
+
+    def load_der_x509_certificate(self, data):
+        mem_bio = self._bytes_to_bio(data)
+        x509 = self._lib.d2i_X509_bio(mem_bio.bio, self._ffi.NULL)
+        if x509 == self._ffi.NULL:
+            self._consume_errors()
+            raise ValueError("Unable to load certificate")
+
+        x509 = self._ffi.gc(x509, self._lib.X509_free)
+        return _Certificate(self, x509)
+
+    def load_pem_x509_crl(self, data):
+        mem_bio = self._bytes_to_bio(data)
+        x509_crl = self._lib.PEM_read_bio_X509_CRL(
+            mem_bio.bio, self._ffi.NULL, self._ffi.NULL, self._ffi.NULL
+        )
+        if x509_crl == self._ffi.NULL:
+            self._consume_errors()
+            raise ValueError(
+                "Unable to load CRL. See https://cryptography.io/en/la"
+                "test/faq/#why-can-t-i-import-my-pem-file for more details."
+            )
+
+        x509_crl = self._ffi.gc(x509_crl, self._lib.X509_CRL_free)
+        return _CertificateRevocationList(self, x509_crl)
+
+    def load_der_x509_crl(self, data):
+        mem_bio = self._bytes_to_bio(data)
+        x509_crl = self._lib.d2i_X509_CRL_bio(mem_bio.bio, self._ffi.NULL)
+        if x509_crl == self._ffi.NULL:
+            self._consume_errors()
+            raise ValueError("Unable to load CRL")
+
+        x509_crl = self._ffi.gc(x509_crl, self._lib.X509_CRL_free)
+        return _CertificateRevocationList(self, x509_crl)
+
+    def load_pem_x509_csr(self, data):
+        mem_bio = self._bytes_to_bio(data)
+        x509_req = self._lib.PEM_read_bio_X509_REQ(
+            mem_bio.bio, self._ffi.NULL, self._ffi.NULL, self._ffi.NULL
+        )
+        if x509_req == self._ffi.NULL:
+            self._consume_errors()
+            raise ValueError(
+                "Unable to load request. See https://cryptography.io/en/la"
+                "test/faq/#why-can-t-i-import-my-pem-file for more details."
+            )
+
+        x509_req = self._ffi.gc(x509_req, self._lib.X509_REQ_free)
+        return _CertificateSigningRequest(self, x509_req)
+
+    def load_der_x509_csr(self, data):
+        mem_bio = self._bytes_to_bio(data)
+        x509_req = self._lib.d2i_X509_REQ_bio(mem_bio.bio, self._ffi.NULL)
+        if x509_req == self._ffi.NULL:
+            self._consume_errors()
+            raise ValueError("Unable to load request")
+
+        x509_req = self._ffi.gc(x509_req, self._lib.X509_REQ_free)
+        return _CertificateSigningRequest(self, x509_req)
+
+    def _load_key(self, openssl_read_func, convert_func, data, password):
+        mem_bio = self._bytes_to_bio(data)
+
+        userdata = self._ffi.new("CRYPTOGRAPHY_PASSWORD_DATA *")
+        if password is not None:
+            utils._check_byteslike("password", password)
+            password_ptr = self._ffi.from_buffer(password)
+            userdata.password = password_ptr
+            userdata.length = len(password)
+
+        evp_pkey = openssl_read_func(
+            mem_bio.bio,
+            self._ffi.NULL,
+            self._ffi.addressof(
+                self._lib._original_lib, "Cryptography_pem_password_cb"
+            ),
+            userdata,
+        )
+
+        if evp_pkey == self._ffi.NULL:
+            if userdata.error != 0:
+                errors = self._consume_errors()
+                self.openssl_assert(errors)
+                if userdata.error == -1:
+                    raise TypeError(
+                        "Password was not given but private key is encrypted"
+                    )
+                else:
+                    assert userdata.error == -2
+                    raise ValueError(
+                        "Passwords longer than {} bytes are not supported "
+                        "by this backend.".format(userdata.maxsize - 1)
+                    )
+            else:
+                self._handle_key_loading_error()
+
+        evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+
+        if password is not None and userdata.called == 0:
+            raise TypeError(
+                "Password was given but private key is not encrypted.")
+
+        assert (
+            (password is not None and userdata.called == 1) or
+            password is None
+        )
+
+        return convert_func(evp_pkey)
+
+    def _handle_key_loading_error(self):
+        errors = self._consume_errors()
+
+        if not errors:
+            raise ValueError("Could not deserialize key data.")
+
+        elif (
+            errors[0]._lib_reason_match(
+                self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT
+            ) or errors[0]._lib_reason_match(
+                self._lib.ERR_LIB_PKCS12,
+                self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR
+            )
+        ):
+            raise ValueError("Bad decrypt. Incorrect password?")
+
+        elif (
+            errors[0]._lib_reason_match(
+                self._lib.ERR_LIB_EVP, self._lib.EVP_R_UNKNOWN_PBE_ALGORITHM
+            ) or errors[0]._lib_reason_match(
+                self._lib.ERR_LIB_PEM, self._lib.PEM_R_UNSUPPORTED_ENCRYPTION
+            )
+        ):
+            raise UnsupportedAlgorithm(
+                "PEM data is encrypted with an unsupported cipher",
+                _Reasons.UNSUPPORTED_CIPHER
+            )
+
+        elif any(
+            error._lib_reason_match(
+                self._lib.ERR_LIB_EVP,
+                self._lib.EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM
+            )
+            for error in errors
+        ):
+            raise ValueError("Unsupported public key algorithm.")
+
+        else:
+            assert errors[0].lib in (
+                self._lib.ERR_LIB_EVP,
+                self._lib.ERR_LIB_PEM,
+                self._lib.ERR_LIB_ASN1,
+            )
+            raise ValueError("Could not deserialize key data.")
+
+    def elliptic_curve_supported(self, curve):
+        try:
+            curve_nid = self._elliptic_curve_to_nid(curve)
+        except UnsupportedAlgorithm:
+            curve_nid = self._lib.NID_undef
+
+        group = self._lib.EC_GROUP_new_by_curve_name(curve_nid)
+
+        if group == self._ffi.NULL:
+            errors = self._consume_errors()
+            self.openssl_assert(
+                curve_nid == self._lib.NID_undef or
+                errors[0]._lib_reason_match(
+                    self._lib.ERR_LIB_EC,
+                    self._lib.EC_R_UNKNOWN_GROUP
+                )
+            )
+            return False
+        else:
+            self.openssl_assert(curve_nid != self._lib.NID_undef)
+            self._lib.EC_GROUP_free(group)
+            return True
+
+    def elliptic_curve_signature_algorithm_supported(
+        self, signature_algorithm, curve
+    ):
+        # We only support ECDSA right now.
+        if not isinstance(signature_algorithm, ec.ECDSA):
+            return False
+
+        return self.elliptic_curve_supported(curve)
+
+    def generate_elliptic_curve_private_key(self, curve):
+        """
+        Generate a new private key on the named curve.
+        """
+
+        if self.elliptic_curve_supported(curve):
+            ec_cdata = self._ec_key_new_by_curve(curve)
+
+            res = self._lib.EC_KEY_generate_key(ec_cdata)
+            self.openssl_assert(res == 1)
+
+            evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata)
+
+            return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey)
+        else:
+            raise UnsupportedAlgorithm(
+                "Backend object does not support {}.".format(curve.name),
+                _Reasons.UNSUPPORTED_ELLIPTIC_CURVE
+            )
+
+    def load_elliptic_curve_private_numbers(self, numbers):
+        public = numbers.public_numbers
+
+        ec_cdata = self._ec_key_new_by_curve(public.curve)
+
+        private_value = self._ffi.gc(
+            self._int_to_bn(numbers.private_value), self._lib.BN_clear_free
+        )
+        res = self._lib.EC_KEY_set_private_key(ec_cdata, private_value)
+        self.openssl_assert(res == 1)
+
+        ec_cdata = self._ec_key_set_public_key_affine_coordinates(
+            ec_cdata, public.x, public.y)
+
+        evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata)
+
+        return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey)
+
+    def load_elliptic_curve_public_numbers(self, numbers):
+        ec_cdata = self._ec_key_new_by_curve(numbers.curve)
+        ec_cdata = self._ec_key_set_public_key_affine_coordinates(
+            ec_cdata, numbers.x, numbers.y)
+        evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata)
+
+        return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey)
+
+    def load_elliptic_curve_public_bytes(self, curve, point_bytes):
+        ec_cdata = self._ec_key_new_by_curve(curve)
+        group = self._lib.EC_KEY_get0_group(ec_cdata)
+        self.openssl_assert(group != self._ffi.NULL)
+        point = self._lib.EC_POINT_new(group)
+        self.openssl_assert(point != self._ffi.NULL)
+        point = self._ffi.gc(point, self._lib.EC_POINT_free)
+        with self._tmp_bn_ctx() as bn_ctx:
+            res = self._lib.EC_POINT_oct2point(
+                group, point, point_bytes, len(point_bytes), bn_ctx
+            )
+            if res != 1:
+                self._consume_errors()
+                raise ValueError("Invalid public bytes for the given curve")
+
+        res = self._lib.EC_KEY_set_public_key(ec_cdata, point)
+        self.openssl_assert(res == 1)
+        evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata)
+        return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey)
+
+    def derive_elliptic_curve_private_key(self, private_value, curve):
+        ec_cdata = self._ec_key_new_by_curve(curve)
+
+        get_func, group = self._ec_key_determine_group_get_func(ec_cdata)
+
+        point = self._lib.EC_POINT_new(group)
+        self.openssl_assert(point != self._ffi.NULL)
+        point = self._ffi.gc(point, self._lib.EC_POINT_free)
+
+        value = self._int_to_bn(private_value)
+        value = self._ffi.gc(value, self._lib.BN_clear_free)
+
+        with self._tmp_bn_ctx() as bn_ctx:
+            res = self._lib.EC_POINT_mul(group, point, value, self._ffi.NULL,
+                                         self._ffi.NULL, bn_ctx)
+            self.openssl_assert(res == 1)
+
+            bn_x = self._lib.BN_CTX_get(bn_ctx)
+            bn_y = self._lib.BN_CTX_get(bn_ctx)
+
+            res = get_func(group, point, bn_x, bn_y, bn_ctx)
+            self.openssl_assert(res == 1)
+
+        res = self._lib.EC_KEY_set_public_key(ec_cdata, point)
+        self.openssl_assert(res == 1)
+        private = self._int_to_bn(private_value)
+        private = self._ffi.gc(private, self._lib.BN_clear_free)
+        res = self._lib.EC_KEY_set_private_key(ec_cdata, private)
+        self.openssl_assert(res == 1)
+
+        evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata)
+
+        return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey)
+
+    def _ec_key_new_by_curve(self, curve):
+        curve_nid = self._elliptic_curve_to_nid(curve)
+        ec_cdata = self._lib.EC_KEY_new_by_curve_name(curve_nid)
+        self.openssl_assert(ec_cdata != self._ffi.NULL)
+        return self._ffi.gc(ec_cdata, self._lib.EC_KEY_free)
+
+    def load_der_ocsp_request(self, data):
+        mem_bio = self._bytes_to_bio(data)
+        request = self._lib.d2i_OCSP_REQUEST_bio(mem_bio.bio, self._ffi.NULL)
+        if request == self._ffi.NULL:
+            self._consume_errors()
+            raise ValueError("Unable to load OCSP request")
+
+        request = self._ffi.gc(request, self._lib.OCSP_REQUEST_free)
+        return _OCSPRequest(self, request)
+
+    def load_der_ocsp_response(self, data):
+        mem_bio = self._bytes_to_bio(data)
+        response = self._lib.d2i_OCSP_RESPONSE_bio(mem_bio.bio, self._ffi.NULL)
+        if response == self._ffi.NULL:
+            self._consume_errors()
+            raise ValueError("Unable to load OCSP response")
+
+        response = self._ffi.gc(response, self._lib.OCSP_RESPONSE_free)
+        return _OCSPResponse(self, response)
+
+    def create_ocsp_request(self, builder):
+        ocsp_req = self._lib.OCSP_REQUEST_new()
+        self.openssl_assert(ocsp_req != self._ffi.NULL)
+        ocsp_req = self._ffi.gc(ocsp_req, self._lib.OCSP_REQUEST_free)
+        cert, issuer, algorithm = builder._request
+        evp_md = self._evp_md_non_null_from_algorithm(algorithm)
+        certid = self._lib.OCSP_cert_to_id(
+            evp_md, cert._x509, issuer._x509
+        )
+        self.openssl_assert(certid != self._ffi.NULL)
+        onereq = self._lib.OCSP_request_add0_id(ocsp_req, certid)
+        self.openssl_assert(onereq != self._ffi.NULL)
+        self._create_x509_extensions(
+            extensions=builder._extensions,
+            handlers=_OCSP_REQUEST_EXTENSION_ENCODE_HANDLERS,
+            x509_obj=ocsp_req,
+            add_func=self._lib.OCSP_REQUEST_add_ext,
+            gc=True,
+        )
+        return _OCSPRequest(self, ocsp_req)
+
+    def _create_ocsp_basic_response(self, builder, private_key, algorithm):
+        basic = self._lib.OCSP_BASICRESP_new()
+        self.openssl_assert(basic != self._ffi.NULL)
+        basic = self._ffi.gc(basic, self._lib.OCSP_BASICRESP_free)
+        evp_md = self._evp_md_non_null_from_algorithm(
+            builder._response._algorithm
+        )
+        certid = self._lib.OCSP_cert_to_id(
+            evp_md, builder._response._cert._x509,
+            builder._response._issuer._x509
+        )
+        self.openssl_assert(certid != self._ffi.NULL)
+        certid = self._ffi.gc(certid, self._lib.OCSP_CERTID_free)
+        if builder._response._revocation_reason is None:
+            reason = -1
+        else:
+            reason = _CRL_ENTRY_REASON_ENUM_TO_CODE[
+                builder._response._revocation_reason
+            ]
+        if builder._response._revocation_time is None:
+            rev_time = self._ffi.NULL
+        else:
+            rev_time = self._create_asn1_time(
+                builder._response._revocation_time
+            )
+
+        next_update = self._ffi.NULL
+        if builder._response._next_update is not None:
+            next_update = self._create_asn1_time(
+                builder._response._next_update
+            )
+
+        this_update = self._create_asn1_time(builder._response._this_update)
+
+        res = self._lib.OCSP_basic_add1_status(
+            basic,
+            certid,
+            builder._response._cert_status.value,
+            reason,
+            rev_time,
+            this_update,
+            next_update
+        )
+        self.openssl_assert(res != self._ffi.NULL)
+        # okay, now sign the basic structure
+        evp_md = self._evp_md_non_null_from_algorithm(algorithm)
+        responder_cert, responder_encoding = builder._responder_id
+        flags = self._lib.OCSP_NOCERTS
+        if responder_encoding is ocsp.OCSPResponderEncoding.HASH:
+            flags |= self._lib.OCSP_RESPID_KEY
+
+        if builder._certs is not None:
+            for cert in builder._certs:
+                res = self._lib.OCSP_basic_add1_cert(basic, cert._x509)
+                self.openssl_assert(res == 1)
+
+        self._create_x509_extensions(
+            extensions=builder._extensions,
+            handlers=_OCSP_BASICRESP_EXTENSION_ENCODE_HANDLERS,
+            x509_obj=basic,
+            add_func=self._lib.OCSP_BASICRESP_add_ext,
+            gc=True,
+        )
+
+        res = self._lib.OCSP_basic_sign(
+            basic, responder_cert._x509, private_key._evp_pkey,
+            evp_md, self._ffi.NULL, flags
+        )
+        if res != 1:
+            errors = self._consume_errors()
+            self.openssl_assert(
+                errors[0]._lib_reason_match(
+                    self._lib.ERR_LIB_X509,
+                    self._lib.X509_R_KEY_VALUES_MISMATCH
+                )
+            )
+            raise ValueError("responder_cert must be signed by private_key")
+
+        return basic
+
+    def create_ocsp_response(self, response_status, builder, private_key,
+                             algorithm):
+        if response_status is ocsp.OCSPResponseStatus.SUCCESSFUL:
+            basic = self._create_ocsp_basic_response(
+                builder, private_key, algorithm
+            )
+        else:
+            basic = self._ffi.NULL
+
+        ocsp_resp = self._lib.OCSP_response_create(
+            response_status.value, basic
+        )
+        self.openssl_assert(ocsp_resp != self._ffi.NULL)
+        ocsp_resp = self._ffi.gc(ocsp_resp, self._lib.OCSP_RESPONSE_free)
+        return _OCSPResponse(self, ocsp_resp)
+
+    def elliptic_curve_exchange_algorithm_supported(self, algorithm, curve):
+        return (
+            self.elliptic_curve_supported(curve) and
+            isinstance(algorithm, ec.ECDH)
+        )
+
+    def _ec_cdata_to_evp_pkey(self, ec_cdata):
+        evp_pkey = self._create_evp_pkey_gc()
+        res = self._lib.EVP_PKEY_set1_EC_KEY(evp_pkey, ec_cdata)
+        self.openssl_assert(res == 1)
+        return evp_pkey
+
+    def _elliptic_curve_to_nid(self, curve):
+        """
+        Get the NID for a curve name.
+        """
+
+        curve_aliases = {
+            "secp192r1": "prime192v1",
+            "secp256r1": "prime256v1"
+        }
+
+        curve_name = curve_aliases.get(curve.name, curve.name)
+
+        curve_nid = self._lib.OBJ_sn2nid(curve_name.encode())
+        if curve_nid == self._lib.NID_undef:
+            raise UnsupportedAlgorithm(
+                "{} is not a supported elliptic curve".format(curve.name),
+                _Reasons.UNSUPPORTED_ELLIPTIC_CURVE
+            )
+        return curve_nid
+
+    @contextmanager
+    def _tmp_bn_ctx(self):
+        bn_ctx = self._lib.BN_CTX_new()
+        self.openssl_assert(bn_ctx != self._ffi.NULL)
+        bn_ctx = self._ffi.gc(bn_ctx, self._lib.BN_CTX_free)
+        self._lib.BN_CTX_start(bn_ctx)
+        try:
+            yield bn_ctx
+        finally:
+            self._lib.BN_CTX_end(bn_ctx)
+
+    def _ec_key_determine_group_get_func(self, ctx):
+        """
+        Given an EC_KEY determine the group and what function is required to
+        get point coordinates.
+        """
+        self.openssl_assert(ctx != self._ffi.NULL)
+
+        nid_two_field = self._lib.OBJ_sn2nid(b"characteristic-two-field")
+        self.openssl_assert(nid_two_field != self._lib.NID_undef)
+
+        group = self._lib.EC_KEY_get0_group(ctx)
+        self.openssl_assert(group != self._ffi.NULL)
+
+        method = self._lib.EC_GROUP_method_of(group)
+        self.openssl_assert(method != self._ffi.NULL)
+
+        nid = self._lib.EC_METHOD_get_field_type(method)
+        self.openssl_assert(nid != self._lib.NID_undef)
+
+        if nid == nid_two_field and self._lib.Cryptography_HAS_EC2M:
+            get_func = self._lib.EC_POINT_get_affine_coordinates_GF2m
+        else:
+            get_func = self._lib.EC_POINT_get_affine_coordinates_GFp
+
+        assert get_func
+
+        return get_func, group
+
+    def _ec_key_set_public_key_affine_coordinates(self, ctx, x, y):
+        """
+        Sets the public key point in the EC_KEY context to the affine x and y
+        values.
+        """
+
+        if x < 0 or y < 0:
+            raise ValueError(
+                "Invalid EC key. Both x and y must be non-negative."
+            )
+
+        x = self._ffi.gc(self._int_to_bn(x), self._lib.BN_free)
+        y = self._ffi.gc(self._int_to_bn(y), self._lib.BN_free)
+        res = self._lib.EC_KEY_set_public_key_affine_coordinates(ctx, x, y)
+        if res != 1:
+            self._consume_errors()
+            raise ValueError("Invalid EC key.")
+
+        return ctx
+
+    def _private_key_bytes(self, encoding, format, encryption_algorithm,
+                           evp_pkey, cdata):
+        if not isinstance(format, serialization.PrivateFormat):
+            raise TypeError(
+                "format must be an item from the PrivateFormat enum"
+            )
+
+        # X9.62 encoding is only valid for EC public keys
+        if encoding is serialization.Encoding.X962:
+            raise ValueError("X9.62 format is only valid for EC public keys")
+
+        # Raw format and encoding are only valid for X25519, Ed25519, X448, and
+        # Ed448 keys. We capture those cases before this method is called so if
+        # we see those enum values here it means the caller has passed them to
+        # a key that doesn't support raw type
+        if format is serialization.PrivateFormat.Raw:
+            raise ValueError("raw format is invalid with this key or encoding")
+
+        if encoding is serialization.Encoding.Raw:
+            raise ValueError("raw encoding is invalid with this key or format")
+
+        if not isinstance(encryption_algorithm,
+                          serialization.KeySerializationEncryption):
+            raise TypeError(
+                "Encryption algorithm must be a KeySerializationEncryption "
+                "instance"
+            )
+
+        if isinstance(encryption_algorithm, serialization.NoEncryption):
+            password = b""
+            passlen = 0
+            evp_cipher = self._ffi.NULL
+        elif isinstance(encryption_algorithm,
+                        serialization.BestAvailableEncryption):
+            # This is a curated value that we will update over time.
+            evp_cipher = self._lib.EVP_get_cipherbyname(
+                b"aes-256-cbc"
+            )
+            password = encryption_algorithm.password
+            passlen = len(password)
+            if passlen > 1023:
+                raise ValueError(
+                    "Passwords longer than 1023 bytes are not supported by "
+                    "this backend"
+                )
+        else:
+            raise ValueError("Unsupported encryption type")
+
+        key_type = self._lib.EVP_PKEY_id(evp_pkey)
+        if encoding is serialization.Encoding.PEM:
+            if format is serialization.PrivateFormat.PKCS8:
+                write_bio = self._lib.PEM_write_bio_PKCS8PrivateKey
+                key = evp_pkey
+            else:
+                assert format is serialization.PrivateFormat.TraditionalOpenSSL
+                if key_type == self._lib.EVP_PKEY_RSA:
+                    write_bio = self._lib.PEM_write_bio_RSAPrivateKey
+                elif key_type == self._lib.EVP_PKEY_DSA:
+                    write_bio = self._lib.PEM_write_bio_DSAPrivateKey
+                else:
+                    assert key_type == self._lib.EVP_PKEY_EC
+                    write_bio = self._lib.PEM_write_bio_ECPrivateKey
+
+                key = cdata
+        elif encoding is serialization.Encoding.DER:
+            if format is serialization.PrivateFormat.TraditionalOpenSSL:
+                if not isinstance(
+                    encryption_algorithm, serialization.NoEncryption
+                ):
+                    raise ValueError(
+                        "Encryption is not supported for DER encoded "
+                        "traditional OpenSSL keys"
+                    )
+
+                return self._private_key_bytes_traditional_der(key_type, cdata)
+            else:
+                assert format is serialization.PrivateFormat.PKCS8
+                write_bio = self._lib.i2d_PKCS8PrivateKey_bio
+                key = evp_pkey
+        else:
+            raise TypeError("encoding must be Encoding.PEM or Encoding.DER")
+
+        bio = self._create_mem_bio_gc()
+        res = write_bio(
+            bio,
+            key,
+            evp_cipher,
+            password,
+            passlen,
+            self._ffi.NULL,
+            self._ffi.NULL
+        )
+        self.openssl_assert(res == 1)
+        return self._read_mem_bio(bio)
+
+    def _private_key_bytes_traditional_der(self, key_type, cdata):
+        if key_type == self._lib.EVP_PKEY_RSA:
+            write_bio = self._lib.i2d_RSAPrivateKey_bio
+        elif key_type == self._lib.EVP_PKEY_EC:
+            write_bio = self._lib.i2d_ECPrivateKey_bio
+        else:
+            self.openssl_assert(key_type == self._lib.EVP_PKEY_DSA)
+            write_bio = self._lib.i2d_DSAPrivateKey_bio
+
+        bio = self._create_mem_bio_gc()
+        res = write_bio(bio, cdata)
+        self.openssl_assert(res == 1)
+        return self._read_mem_bio(bio)
+
+    def _public_key_bytes(self, encoding, format, key, evp_pkey, cdata):
+        if not isinstance(encoding, serialization.Encoding):
+            raise TypeError("encoding must be an item from the Encoding enum")
+
+        # Compressed/UncompressedPoint are only valid for EC keys and those
+        # cases are handled by the ECPublicKey public_bytes method before this
+        # method is called
+        if format in (serialization.PublicFormat.UncompressedPoint,
+                      serialization.PublicFormat.CompressedPoint):
+            raise ValueError("Point formats are not valid for this key type")
+
+        # Raw format and encoding are only valid for X25519, Ed25519, X448, and
+        # Ed448 keys. We capture those cases before this method is called so if
+        # we see those enum values here it means the caller has passed them to
+        # a key that doesn't support raw type
+        if format is serialization.PublicFormat.Raw:
+            raise ValueError("raw format is invalid with this key or encoding")
+
+        if encoding is serialization.Encoding.Raw:
+            raise ValueError("raw encoding is invalid with this key or format")
+
+        if (
+            format is serialization.PublicFormat.OpenSSH or
+            encoding is serialization.Encoding.OpenSSH
+        ):
+            if (
+                format is not serialization.PublicFormat.OpenSSH or
+                encoding is not serialization.Encoding.OpenSSH
+            ):
+                raise ValueError(
+                    "OpenSSH format must be used with OpenSSH encoding"
+                )
+            return self._openssh_public_key_bytes(key)
+        elif format is serialization.PublicFormat.SubjectPublicKeyInfo:
+            if encoding is serialization.Encoding.PEM:
+                write_bio = self._lib.PEM_write_bio_PUBKEY
+            else:
+                assert encoding is serialization.Encoding.DER
+                write_bio = self._lib.i2d_PUBKEY_bio
+
+            key = evp_pkey
+        elif format is serialization.PublicFormat.PKCS1:
+            # Only RSA is supported here.
+            assert self._lib.EVP_PKEY_id(evp_pkey) == self._lib.EVP_PKEY_RSA
+            if encoding is serialization.Encoding.PEM:
+                write_bio = self._lib.PEM_write_bio_RSAPublicKey
+            else:
+                assert encoding is serialization.Encoding.DER
+                write_bio = self._lib.i2d_RSAPublicKey_bio
+
+            key = cdata
+        else:
+            raise TypeError(
+                "format must be an item from the PublicFormat enum"
+            )
+
+        bio = self._create_mem_bio_gc()
+        res = write_bio(bio, key)
+        self.openssl_assert(res == 1)
+        return self._read_mem_bio(bio)
+
+    def _openssh_public_key_bytes(self, key):
+        if isinstance(key, rsa.RSAPublicKey):
+            public_numbers = key.public_numbers()
+            return b"ssh-rsa " + base64.b64encode(
+                ssh._ssh_write_string(b"ssh-rsa") +
+                ssh._ssh_write_mpint(public_numbers.e) +
+                ssh._ssh_write_mpint(public_numbers.n)
+            )
+        elif isinstance(key, dsa.DSAPublicKey):
+            public_numbers = key.public_numbers()
+            parameter_numbers = public_numbers.parameter_numbers
+            return b"ssh-dss " + base64.b64encode(
+                ssh._ssh_write_string(b"ssh-dss") +
+                ssh._ssh_write_mpint(parameter_numbers.p) +
+                ssh._ssh_write_mpint(parameter_numbers.q) +
+                ssh._ssh_write_mpint(parameter_numbers.g) +
+                ssh._ssh_write_mpint(public_numbers.y)
+            )
+        elif isinstance(key, ed25519.Ed25519PublicKey):
+            raw_bytes = key.public_bytes(serialization.Encoding.Raw,
+                                         serialization.PublicFormat.Raw)
+            return b"ssh-ed25519 " + base64.b64encode(
+                ssh._ssh_write_string(b"ssh-ed25519") +
+                ssh._ssh_write_string(raw_bytes)
+            )
+        elif isinstance(key, ec.EllipticCurvePublicKey):
+            public_numbers = key.public_numbers()
+            try:
+                curve_name = {
+                    ec.SECP256R1: b"nistp256",
+                    ec.SECP384R1: b"nistp384",
+                    ec.SECP521R1: b"nistp521",
+                }[type(public_numbers.curve)]
+            except KeyError:
+                raise ValueError(
+                    "Only SECP256R1, SECP384R1, and SECP521R1 curves are "
+                    "supported by the SSH public key format"
+                )
+
+            point = key.public_bytes(
+                serialization.Encoding.X962,
+                serialization.PublicFormat.UncompressedPoint
+            )
+            return b"ecdsa-sha2-" + curve_name + b" " + base64.b64encode(
+                ssh._ssh_write_string(b"ecdsa-sha2-" + curve_name) +
+                ssh._ssh_write_string(curve_name) +
+                ssh._ssh_write_string(point)
+            )
+        else:
+            raise ValueError(
+                "OpenSSH encoding is not supported for this key type"
+            )
+
+    def _parameter_bytes(self, encoding, format, cdata):
+        if encoding is serialization.Encoding.OpenSSH:
+            raise TypeError(
+                "OpenSSH encoding is not supported"
+            )
+
+        # Only DH is supported here currently.
+        q = self._ffi.new("BIGNUM **")
+        self._lib.DH_get0_pqg(cdata,
+                              self._ffi.NULL,
+                              q,
+                              self._ffi.NULL)
+        if encoding is serialization.Encoding.PEM:
+            if q[0] != self._ffi.NULL:
+                write_bio = self._lib.PEM_write_bio_DHxparams
+            else:
+                write_bio = self._lib.PEM_write_bio_DHparams
+        elif encoding is serialization.Encoding.DER:
+            if q[0] != self._ffi.NULL:
+                write_bio = self._lib.Cryptography_i2d_DHxparams_bio
+            else:
+                write_bio = self._lib.i2d_DHparams_bio
+        else:
+            raise TypeError("encoding must be an item from the Encoding enum")
+
+        bio = self._create_mem_bio_gc()
+        res = write_bio(bio, cdata)
+        self.openssl_assert(res == 1)
+        return self._read_mem_bio(bio)
+
+    def generate_dh_parameters(self, generator, key_size):
+        if key_size < 512:
+            raise ValueError("DH key_size must be at least 512 bits")
+
+        if generator not in (2, 5):
+            raise ValueError("DH generator must be 2 or 5")
+
+        dh_param_cdata = self._lib.DH_new()
+        self.openssl_assert(dh_param_cdata != self._ffi.NULL)
+        dh_param_cdata = self._ffi.gc(dh_param_cdata, self._lib.DH_free)
+
+        res = self._lib.DH_generate_parameters_ex(
+            dh_param_cdata,
+            key_size,
+            generator,
+            self._ffi.NULL
+        )
+        self.openssl_assert(res == 1)
+
+        return _DHParameters(self, dh_param_cdata)
+
+    def _dh_cdata_to_evp_pkey(self, dh_cdata):
+        evp_pkey = self._create_evp_pkey_gc()
+        res = self._lib.EVP_PKEY_set1_DH(evp_pkey, dh_cdata)
+        self.openssl_assert(res == 1)
+        return evp_pkey
+
+    def generate_dh_private_key(self, parameters):
+        dh_key_cdata = _dh_params_dup(parameters._dh_cdata, self)
+
+        res = self._lib.DH_generate_key(dh_key_cdata)
+        self.openssl_assert(res == 1)
+
+        evp_pkey = self._dh_cdata_to_evp_pkey(dh_key_cdata)
+
+        return _DHPrivateKey(self, dh_key_cdata, evp_pkey)
+
+    def generate_dh_private_key_and_parameters(self, generator, key_size):
+        return self.generate_dh_private_key(
+            self.generate_dh_parameters(generator, key_size))
+
+    def load_dh_private_numbers(self, numbers):
+        parameter_numbers = numbers.public_numbers.parameter_numbers
+
+        dh_cdata = self._lib.DH_new()
+        self.openssl_assert(dh_cdata != self._ffi.NULL)
+        dh_cdata = self._ffi.gc(dh_cdata, self._lib.DH_free)
+
+        p = self._int_to_bn(parameter_numbers.p)
+        g = self._int_to_bn(parameter_numbers.g)
+
+        if parameter_numbers.q is not None:
+            q = self._int_to_bn(parameter_numbers.q)
+        else:
+            q = self._ffi.NULL
+
+        pub_key = self._int_to_bn(numbers.public_numbers.y)
+        priv_key = self._int_to_bn(numbers.x)
+
+        res = self._lib.DH_set0_pqg(dh_cdata, p, q, g)
+        self.openssl_assert(res == 1)
+
+        res = self._lib.DH_set0_key(dh_cdata, pub_key, priv_key)
+        self.openssl_assert(res == 1)
+
+        codes = self._ffi.new("int[]", 1)
+        res = self._lib.Cryptography_DH_check(dh_cdata, codes)
+        self.openssl_assert(res == 1)
+
+        # DH_check will return DH_NOT_SUITABLE_GENERATOR if p % 24 does not
+        # equal 11 when the generator is 2 (a quadratic nonresidue).
+        # We want to ignore that error because p % 24 == 23 is also fine.
+        # Specifically, g is then a quadratic residue. Within the context of
+        # Diffie-Hellman this means it can only generate half the possible
+        # values. That sounds bad, but quadratic nonresidues leak a bit of
+        # the key to the attacker in exchange for having the full key space
+        # available. See: https://crypto.stackexchange.com/questions/12961
+        if codes[0] != 0 and not (
+            parameter_numbers.g == 2 and
+            codes[0] ^ self._lib.DH_NOT_SUITABLE_GENERATOR == 0
+        ):
+            raise ValueError(
+                "DH private numbers did not pass safety checks."
+            )
+
+        evp_pkey = self._dh_cdata_to_evp_pkey(dh_cdata)
+
+        return _DHPrivateKey(self, dh_cdata, evp_pkey)
+
+    def load_dh_public_numbers(self, numbers):
+        dh_cdata = self._lib.DH_new()
+        self.openssl_assert(dh_cdata != self._ffi.NULL)
+        dh_cdata = self._ffi.gc(dh_cdata, self._lib.DH_free)
+
+        parameter_numbers = numbers.parameter_numbers
+
+        p = self._int_to_bn(parameter_numbers.p)
+        g = self._int_to_bn(parameter_numbers.g)
+
+        if parameter_numbers.q is not None:
+            q = self._int_to_bn(parameter_numbers.q)
+        else:
+            q = self._ffi.NULL
+
+        pub_key = self._int_to_bn(numbers.y)
+
+        res = self._lib.DH_set0_pqg(dh_cdata, p, q, g)
+        self.openssl_assert(res == 1)
+
+        res = self._lib.DH_set0_key(dh_cdata, pub_key, self._ffi.NULL)
+        self.openssl_assert(res == 1)
+
+        evp_pkey = self._dh_cdata_to_evp_pkey(dh_cdata)
+
+        return _DHPublicKey(self, dh_cdata, evp_pkey)
+
+    def load_dh_parameter_numbers(self, numbers):
+        dh_cdata = self._lib.DH_new()
+        self.openssl_assert(dh_cdata != self._ffi.NULL)
+        dh_cdata = self._ffi.gc(dh_cdata, self._lib.DH_free)
+
+        p = self._int_to_bn(numbers.p)
+        g = self._int_to_bn(numbers.g)
+
+        if numbers.q is not None:
+            q = self._int_to_bn(numbers.q)
+        else:
+            q = self._ffi.NULL
+
+        res = self._lib.DH_set0_pqg(dh_cdata, p, q, g)
+        self.openssl_assert(res == 1)
+
+        return _DHParameters(self, dh_cdata)
+
+    def dh_parameters_supported(self, p, g, q=None):
+        dh_cdata = self._lib.DH_new()
+        self.openssl_assert(dh_cdata != self._ffi.NULL)
+        dh_cdata = self._ffi.gc(dh_cdata, self._lib.DH_free)
+
+        p = self._int_to_bn(p)
+        g = self._int_to_bn(g)
+
+        if q is not None:
+            q = self._int_to_bn(q)
+        else:
+            q = self._ffi.NULL
+
+        res = self._lib.DH_set0_pqg(dh_cdata, p, q, g)
+        self.openssl_assert(res == 1)
+
+        codes = self._ffi.new("int[]", 1)
+        res = self._lib.Cryptography_DH_check(dh_cdata, codes)
+        self.openssl_assert(res == 1)
+
+        return codes[0] == 0
+
+    def dh_x942_serialization_supported(self):
+        return self._lib.Cryptography_HAS_EVP_PKEY_DHX == 1
+
+    def x509_name_bytes(self, name):
+        x509_name = _encode_name_gc(self, name)
+        pp = self._ffi.new("unsigned char **")
+        res = self._lib.i2d_X509_NAME(x509_name, pp)
+        self.openssl_assert(pp[0] != self._ffi.NULL)
+        pp = self._ffi.gc(
+            pp, lambda pointer: self._lib.OPENSSL_free(pointer[0])
+        )
+        self.openssl_assert(res > 0)
+        return self._ffi.buffer(pp[0], res)[:]
+
+    def x25519_load_public_bytes(self, data):
+        # When we drop support for CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 we can
+        # switch this to EVP_PKEY_new_raw_public_key
+        if len(data) != 32:
+            raise ValueError("An X25519 public key is 32 bytes long")
+
+        evp_pkey = self._create_evp_pkey_gc()
+        res = self._lib.EVP_PKEY_set_type(evp_pkey, self._lib.NID_X25519)
+        backend.openssl_assert(res == 1)
+        res = self._lib.EVP_PKEY_set1_tls_encodedpoint(
+            evp_pkey, data, len(data)
+        )
+        backend.openssl_assert(res == 1)
+        return _X25519PublicKey(self, evp_pkey)
+
+    def x25519_load_private_bytes(self, data):
+        # When we drop support for CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 we can
+        # switch this to EVP_PKEY_new_raw_private_key and drop the
+        # zeroed_bytearray garbage.
+        # OpenSSL only has facilities for loading PKCS8 formatted private
+        # keys using the algorithm identifiers specified in
+        # https://tools.ietf.org/html/draft-ietf-curdle-pkix-09.
+        # This is the standard PKCS8 prefix for a 32 byte X25519 key.
+        # The form is:
+        #    0:d=0  hl=2 l=  46 cons: SEQUENCE
+        #    2:d=1  hl=2 l=   1 prim: INTEGER           :00
+        #    5:d=1  hl=2 l=   5 cons: SEQUENCE
+        #    7:d=2  hl=2 l=   3 prim: OBJECT            :1.3.101.110
+        #    12:d=1  hl=2 l=  34 prim: OCTET STRING      (the key)
+        # Of course there's a bit more complexity. In reality OCTET STRING
+        # contains an OCTET STRING of length 32! So the last two bytes here
+        # are \x04\x20, which is an OCTET STRING of length 32.
+        if len(data) != 32:
+            raise ValueError("An X25519 private key is 32 bytes long")
+
+        pkcs8_prefix = b'0.\x02\x01\x000\x05\x06\x03+en\x04"\x04 '
+        with self._zeroed_bytearray(48) as ba:
+            ba[0:16] = pkcs8_prefix
+            ba[16:] = data
+            bio = self._bytes_to_bio(ba)
+            evp_pkey = backend._lib.d2i_PrivateKey_bio(bio.bio, self._ffi.NULL)
+
+        self.openssl_assert(evp_pkey != self._ffi.NULL)
+        evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+        self.openssl_assert(
+            self._lib.EVP_PKEY_id(evp_pkey) == self._lib.EVP_PKEY_X25519
+        )
+        return _X25519PrivateKey(self, evp_pkey)
+
+    def _evp_pkey_keygen_gc(self, nid):
+        evp_pkey_ctx = self._lib.EVP_PKEY_CTX_new_id(nid, self._ffi.NULL)
+        self.openssl_assert(evp_pkey_ctx != self._ffi.NULL)
+        evp_pkey_ctx = self._ffi.gc(evp_pkey_ctx, self._lib.EVP_PKEY_CTX_free)
+        res = self._lib.EVP_PKEY_keygen_init(evp_pkey_ctx)
+        self.openssl_assert(res == 1)
+        evp_ppkey = self._ffi.new("EVP_PKEY **")
+        res = self._lib.EVP_PKEY_keygen(evp_pkey_ctx, evp_ppkey)
+        self.openssl_assert(res == 1)
+        self.openssl_assert(evp_ppkey[0] != self._ffi.NULL)
+        evp_pkey = self._ffi.gc(evp_ppkey[0], self._lib.EVP_PKEY_free)
+        return evp_pkey
+
+    def x25519_generate_key(self):
+        evp_pkey = self._evp_pkey_keygen_gc(self._lib.NID_X25519)
+        return _X25519PrivateKey(self, evp_pkey)
+
+    def x25519_supported(self):
+        return self._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
+
+    def x448_load_public_bytes(self, data):
+        if len(data) != 56:
+            raise ValueError("An X448 public key is 56 bytes long")
+
+        evp_pkey = self._lib.EVP_PKEY_new_raw_public_key(
+            self._lib.NID_X448, self._ffi.NULL, data, len(data)
+        )
+        self.openssl_assert(evp_pkey != self._ffi.NULL)
+        evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+        return _X448PublicKey(self, evp_pkey)
+
+    def x448_load_private_bytes(self, data):
+        if len(data) != 56:
+            raise ValueError("An X448 private key is 56 bytes long")
+
+        data_ptr = self._ffi.from_buffer(data)
+        evp_pkey = self._lib.EVP_PKEY_new_raw_private_key(
+            self._lib.NID_X448, self._ffi.NULL, data_ptr, len(data)
+        )
+        self.openssl_assert(evp_pkey != self._ffi.NULL)
+        evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+        return _X448PrivateKey(self, evp_pkey)
+
+    def x448_generate_key(self):
+        evp_pkey = self._evp_pkey_keygen_gc(self._lib.NID_X448)
+        return _X448PrivateKey(self, evp_pkey)
+
+    def x448_supported(self):
+        return not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+
+    def ed25519_supported(self):
+        return not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B
+
+    def ed25519_load_public_bytes(self, data):
+        utils._check_bytes("data", data)
+
+        if len(data) != ed25519._ED25519_KEY_SIZE:
+            raise ValueError("An Ed25519 public key is 32 bytes long")
+
+        evp_pkey = self._lib.EVP_PKEY_new_raw_public_key(
+            self._lib.NID_ED25519, self._ffi.NULL, data, len(data)
+        )
+        self.openssl_assert(evp_pkey != self._ffi.NULL)
+        evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+
+        return _Ed25519PublicKey(self, evp_pkey)
+
+    def ed25519_load_private_bytes(self, data):
+        if len(data) != ed25519._ED25519_KEY_SIZE:
+            raise ValueError("An Ed25519 private key is 32 bytes long")
+
+        utils._check_byteslike("data", data)
+        data_ptr = self._ffi.from_buffer(data)
+        evp_pkey = self._lib.EVP_PKEY_new_raw_private_key(
+            self._lib.NID_ED25519, self._ffi.NULL, data_ptr, len(data)
+        )
+        self.openssl_assert(evp_pkey != self._ffi.NULL)
+        evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+
+        return _Ed25519PrivateKey(self, evp_pkey)
+
+    def ed25519_generate_key(self):
+        evp_pkey = self._evp_pkey_keygen_gc(self._lib.NID_ED25519)
+        return _Ed25519PrivateKey(self, evp_pkey)
+
+    def ed448_supported(self):
+        return not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B
+
+    def ed448_load_public_bytes(self, data):
+        utils._check_bytes("data", data)
+        if len(data) != _ED448_KEY_SIZE:
+            raise ValueError("An Ed448 public key is 57 bytes long")
+
+        evp_pkey = self._lib.EVP_PKEY_new_raw_public_key(
+            self._lib.NID_ED448, self._ffi.NULL, data, len(data)
+        )
+        self.openssl_assert(evp_pkey != self._ffi.NULL)
+        evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+
+        return _Ed448PublicKey(self, evp_pkey)
+
+    def ed448_load_private_bytes(self, data):
+        utils._check_byteslike("data", data)
+        if len(data) != _ED448_KEY_SIZE:
+            raise ValueError("An Ed448 private key is 57 bytes long")
+
+        data_ptr = self._ffi.from_buffer(data)
+        evp_pkey = self._lib.EVP_PKEY_new_raw_private_key(
+            self._lib.NID_ED448, self._ffi.NULL, data_ptr, len(data)
+        )
+        self.openssl_assert(evp_pkey != self._ffi.NULL)
+        evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+
+        return _Ed448PrivateKey(self, evp_pkey)
+
+    def ed448_generate_key(self):
+        evp_pkey = self._evp_pkey_keygen_gc(self._lib.NID_ED448)
+        return _Ed448PrivateKey(self, evp_pkey)
+
+    def derive_scrypt(self, key_material, salt, length, n, r, p):
+        buf = self._ffi.new("unsigned char[]", length)
+        key_material_ptr = self._ffi.from_buffer(key_material)
+        res = self._lib.EVP_PBE_scrypt(
+            key_material_ptr, len(key_material), salt, len(salt), n, r, p,
+            scrypt._MEM_LIMIT, buf, length
+        )
+        if res != 1:
+            errors = self._consume_errors()
+            if not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111:
+                # This error is only added to the stack in 1.1.1+
+                self.openssl_assert(
+                    errors[0]._lib_reason_match(
+                        self._lib.ERR_LIB_EVP,
+                        self._lib.ERR_R_MALLOC_FAILURE
+                    ) or
+                    errors[0]._lib_reason_match(
+                        self._lib.ERR_LIB_EVP,
+                        self._lib.EVP_R_MEMORY_LIMIT_EXCEEDED
+                    )
+                )
+
+            # memory required formula explained here:
+            # https://blog.filippo.io/the-scrypt-parameters/
+            min_memory = 128 * n * r // (1024**2)
+            raise MemoryError(
+                "Not enough memory to derive key. These parameters require"
+                " {} MB of memory.".format(min_memory)
+            )
+        return self._ffi.buffer(buf)[:]
+
+    def aead_cipher_supported(self, cipher):
+        cipher_name = aead._aead_cipher_name(cipher)
+        return (
+            self._lib.EVP_get_cipherbyname(cipher_name) != self._ffi.NULL
+        )
+
+    @contextlib.contextmanager
+    def _zeroed_bytearray(self, length):
+        """
+        This method creates a bytearray, which we copy data into (hopefully
+        also from a mutable buffer that can be dynamically erased!), and then
+        zero when we're done.
+        """
+        ba = bytearray(length)
+        try:
+            yield ba
+        finally:
+            self._zero_data(ba, length)
+
+    def _zero_data(self, data, length):
+        # We clear things this way because at the moment we're not
+        # sure of a better way that can guarantee it overwrites the
+        # memory of a bytearray and doesn't just replace the underlying char *.
+        for i in range(length):
+            data[i] = 0
+
+    @contextlib.contextmanager
+    def _zeroed_null_terminated_buf(self, data):
+        """
+        This method takes bytes, which can be a bytestring or a mutable
+        buffer like a bytearray, and yields a null-terminated version of that
+        data. This is required because PKCS12_parse doesn't take a length with
+        its password char * and ffi.from_buffer doesn't provide null
+        termination. So, to support zeroing the data via bytearray we
+        need to build this ridiculous construct that copies the memory, but
+        zeroes it after use.
+        """
+        if data is None:
+            yield self._ffi.NULL
+        else:
+            data_len = len(data)
+            buf = self._ffi.new("char[]", data_len + 1)
+            self._ffi.memmove(buf, data, data_len)
+            try:
+                yield buf
+            finally:
+                # Cast to a uint8_t * so we can assign by integer
+                self._zero_data(self._ffi.cast("uint8_t *", buf), data_len)
+
+    def load_key_and_certificates_from_pkcs12(self, data, password):
+        if password is not None:
+            utils._check_byteslike("password", password)
+
+        bio = self._bytes_to_bio(data)
+        p12 = self._lib.d2i_PKCS12_bio(bio.bio, self._ffi.NULL)
+        if p12 == self._ffi.NULL:
+            self._consume_errors()
+            raise ValueError("Could not deserialize PKCS12 data")
+
+        p12 = self._ffi.gc(p12, self._lib.PKCS12_free)
+        evp_pkey_ptr = self._ffi.new("EVP_PKEY **")
+        x509_ptr = self._ffi.new("X509 **")
+        sk_x509_ptr = self._ffi.new("Cryptography_STACK_OF_X509 **")
+        with self._zeroed_null_terminated_buf(password) as password_buf:
+            res = self._lib.PKCS12_parse(
+                p12, password_buf, evp_pkey_ptr, x509_ptr, sk_x509_ptr
+            )
+
+        if res == 0:
+            self._consume_errors()
+            raise ValueError("Invalid password or PKCS12 data")
+
+        cert = None
+        key = None
+        additional_certificates = []
+
+        if evp_pkey_ptr[0] != self._ffi.NULL:
+            evp_pkey = self._ffi.gc(evp_pkey_ptr[0], self._lib.EVP_PKEY_free)
+            key = self._evp_pkey_to_private_key(evp_pkey)
+
+        if x509_ptr[0] != self._ffi.NULL:
+            x509 = self._ffi.gc(x509_ptr[0], self._lib.X509_free)
+            cert = _Certificate(self, x509)
+
+        if sk_x509_ptr[0] != self._ffi.NULL:
+            sk_x509 = self._ffi.gc(sk_x509_ptr[0], self._lib.sk_X509_free)
+            num = self._lib.sk_X509_num(sk_x509_ptr[0])
+            for i in range(num):
+                x509 = self._lib.sk_X509_value(sk_x509, i)
+                x509 = self._ffi.gc(x509, self._lib.X509_free)
+                self.openssl_assert(x509 != self._ffi.NULL)
+                additional_certificates.append(_Certificate(self, x509))
+
+        return (key, cert, additional_certificates)
+
+    def poly1305_supported(self):
+        return self._lib.Cryptography_HAS_POLY1305 == 1
+
+    def create_poly1305_ctx(self, key):
+        utils._check_byteslike("key", key)
+        if len(key) != _POLY1305_KEY_SIZE:
+            raise ValueError("A poly1305 key is 32 bytes long")
+
+        return _Poly1305Context(self, key)
+
+
+class GetCipherByName(object):
+    def __init__(self, fmt):
+        self._fmt = fmt
+
+    def __call__(self, backend, cipher, mode):
+        cipher_name = self._fmt.format(cipher=cipher, mode=mode).lower()
+        return backend._lib.EVP_get_cipherbyname(cipher_name.encode("ascii"))
+
+
+def _get_xts_cipher(backend, cipher, mode):
+    cipher_name = "aes-{}-xts".format(cipher.key_size // 2)
+    return backend._lib.EVP_get_cipherbyname(cipher_name.encode("ascii"))
+
+
+backend = Backend()
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ciphers.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ciphers.py
@@ -0,0 +1,229 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+from cryptography import utils
+from cryptography.exceptions import InvalidTag, UnsupportedAlgorithm, _Reasons
+from cryptography.hazmat.primitives import ciphers
+from cryptography.hazmat.primitives.ciphers import modes
+
+
+@utils.register_interface(ciphers.CipherContext)
+@utils.register_interface(ciphers.AEADCipherContext)
+@utils.register_interface(ciphers.AEADEncryptionContext)
+@utils.register_interface(ciphers.AEADDecryptionContext)
+class _CipherContext(object):
+    _ENCRYPT = 1
+    _DECRYPT = 0
+
+    def __init__(self, backend, cipher, mode, operation):
+        self._backend = backend
+        self._cipher = cipher
+        self._mode = mode
+        self._operation = operation
+        self._tag = None
+
+        if isinstance(self._cipher, ciphers.BlockCipherAlgorithm):
+            self._block_size_bytes = self._cipher.block_size // 8
+        else:
+            self._block_size_bytes = 1
+
+        ctx = self._backend._lib.EVP_CIPHER_CTX_new()
+        ctx = self._backend._ffi.gc(
+            ctx, self._backend._lib.EVP_CIPHER_CTX_free
+        )
+
+        registry = self._backend._cipher_registry
+        try:
+            adapter = registry[type(cipher), type(mode)]
+        except KeyError:
+            raise UnsupportedAlgorithm(
+                "cipher {} in {} mode is not supported "
+                "by this backend.".format(
+                    cipher.name, mode.name if mode else mode),
+                _Reasons.UNSUPPORTED_CIPHER
+            )
+
+        evp_cipher = adapter(self._backend, cipher, mode)
+        if evp_cipher == self._backend._ffi.NULL:
+            msg = "cipher {0.name} ".format(cipher)
+            if mode is not None:
+                msg += "in {0.name} mode ".format(mode)
+            msg += (
+                "is not supported by this backend (Your version of OpenSSL "
+                "may be too old. Current version: {}.)"
+            ).format(self._backend.openssl_version_text())
+            raise UnsupportedAlgorithm(msg, _Reasons.UNSUPPORTED_CIPHER)
+
+        if isinstance(mode, modes.ModeWithInitializationVector):
+            iv_nonce = self._backend._ffi.from_buffer(
+                mode.initialization_vector
+            )
+        elif isinstance(mode, modes.ModeWithTweak):
+            iv_nonce = self._backend._ffi.from_buffer(mode.tweak)
+        elif isinstance(mode, modes.ModeWithNonce):
+            iv_nonce = self._backend._ffi.from_buffer(mode.nonce)
+        elif isinstance(cipher, modes.ModeWithNonce):
+            iv_nonce = self._backend._ffi.from_buffer(cipher.nonce)
+        else:
+            iv_nonce = self._backend._ffi.NULL
+        # begin init with cipher and operation type
+        res = self._backend._lib.EVP_CipherInit_ex(ctx, evp_cipher,
+                                                   self._backend._ffi.NULL,
+                                                   self._backend._ffi.NULL,
+                                                   self._backend._ffi.NULL,
+                                                   operation)
+        self._backend.openssl_assert(res != 0)
+        # set the key length to handle variable key ciphers
+        res = self._backend._lib.EVP_CIPHER_CTX_set_key_length(
+            ctx, len(cipher.key)
+        )
+        self._backend.openssl_assert(res != 0)
+        if isinstance(mode, modes.GCM):
+            res = self._backend._lib.EVP_CIPHER_CTX_ctrl(
+                ctx, self._backend._lib.EVP_CTRL_AEAD_SET_IVLEN,
+                len(iv_nonce), self._backend._ffi.NULL
+            )
+            self._backend.openssl_assert(res != 0)
+            if mode.tag is not None:
+                res = self._backend._lib.EVP_CIPHER_CTX_ctrl(
+                    ctx, self._backend._lib.EVP_CTRL_AEAD_SET_TAG,
+                    len(mode.tag), mode.tag
+                )
+                self._backend.openssl_assert(res != 0)
+                self._tag = mode.tag
+            elif (
+                self._operation == self._DECRYPT and
+                self._backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and
+                not self._backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
+            ):
+                raise NotImplementedError(
+                    "delayed passing of GCM tag requires OpenSSL >= 1.0.2."
+                    " To use this feature please update OpenSSL"
+                )
+
+        # pass key/iv
+        res = self._backend._lib.EVP_CipherInit_ex(
+            ctx,
+            self._backend._ffi.NULL,
+            self._backend._ffi.NULL,
+            self._backend._ffi.from_buffer(cipher.key),
+            iv_nonce,
+            operation
+        )
+        self._backend.openssl_assert(res != 0)
+        # We purposely disable padding here as it's handled higher up in the
+        # API.
+        self._backend._lib.EVP_CIPHER_CTX_set_padding(ctx, 0)
+        self._ctx = ctx
+
+    def update(self, data):
+        buf = bytearray(len(data) + self._block_size_bytes - 1)
+        n = self.update_into(data, buf)
+        return bytes(buf[:n])
+
+    def update_into(self, data, buf):
+        if len(buf) < (len(data) + self._block_size_bytes - 1):
+            raise ValueError(
+                "buffer must be at least {} bytes for this "
+                "payload".format(len(data) + self._block_size_bytes - 1)
+            )
+
+        buf = self._backend._ffi.cast(
+            "unsigned char *", self._backend._ffi.from_buffer(buf)
+        )
+        outlen = self._backend._ffi.new("int *")
+        res = self._backend._lib.EVP_CipherUpdate(
+            self._ctx, buf, outlen,
+            self._backend._ffi.from_buffer(data), len(data)
+        )
+        self._backend.openssl_assert(res != 0)
+        return outlen[0]
+
+    def finalize(self):
+        # OpenSSL 1.0.1 on Ubuntu 12.04 (and possibly other distributions)
+        # appears to have a bug where you must make at least one call to update
+        # even if you are only using authenticate_additional_data or the
+        # GCM tag will be wrong. An (empty) call to update resolves this
+        # and is harmless for all other versions of OpenSSL.
+        if isinstance(self._mode, modes.GCM):
+            self.update(b"")
+
+        if (
+            self._operation == self._DECRYPT and
+            isinstance(self._mode, modes.ModeWithAuthenticationTag) and
+            self.tag is None
+        ):
+            raise ValueError(
+                "Authentication tag must be provided when decrypting."
+            )
+
+        buf = self._backend._ffi.new("unsigned char[]", self._block_size_bytes)
+        outlen = self._backend._ffi.new("int *")
+        res = self._backend._lib.EVP_CipherFinal_ex(self._ctx, buf, outlen)
+        if res == 0:
+            errors = self._backend._consume_errors()
+
+            if not errors and isinstance(self._mode, modes.GCM):
+                raise InvalidTag
+
+            self._backend.openssl_assert(
+                errors[0]._lib_reason_match(
+                    self._backend._lib.ERR_LIB_EVP,
+                    self._backend._lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH
+                )
+            )
+            raise ValueError(
+                "The length of the provided data is not a multiple of "
+                "the block length."
+            )
+
+        if (isinstance(self._mode, modes.GCM) and
+           self._operation == self._ENCRYPT):
+            tag_buf = self._backend._ffi.new(
+                "unsigned char[]", self._block_size_bytes
+            )
+            res = self._backend._lib.EVP_CIPHER_CTX_ctrl(
+                self._ctx, self._backend._lib.EVP_CTRL_AEAD_GET_TAG,
+                self._block_size_bytes, tag_buf
+            )
+            self._backend.openssl_assert(res != 0)
+            self._tag = self._backend._ffi.buffer(tag_buf)[:]
+
+        res = self._backend._lib.EVP_CIPHER_CTX_cleanup(self._ctx)
+        self._backend.openssl_assert(res == 1)
+        return self._backend._ffi.buffer(buf)[:outlen[0]]
+
+    def finalize_with_tag(self, tag):
+        if (
+            self._backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and
+            not self._backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
+        ):
+            raise NotImplementedError(
+                "finalize_with_tag requires OpenSSL >= 1.0.2. To use this "
+                "method please update OpenSSL"
+            )
+        if len(tag) < self._mode._min_tag_length:
+            raise ValueError(
+                "Authentication tag must be {} bytes or longer.".format(
+                    self._mode._min_tag_length)
+            )
+        res = self._backend._lib.EVP_CIPHER_CTX_ctrl(
+            self._ctx, self._backend._lib.EVP_CTRL_AEAD_SET_TAG,
+            len(tag), tag
+        )
+        self._backend.openssl_assert(res != 0)
+        self._tag = tag
+        return self.finalize()
+
+    def authenticate_additional_data(self, data):
+        outlen = self._backend._ffi.new("int *")
+        res = self._backend._lib.EVP_CipherUpdate(
+            self._ctx, self._backend._ffi.NULL, outlen,
+            self._backend._ffi.from_buffer(data), len(data)
+        )
+        self._backend.openssl_assert(res != 0)
+
+    tag = utils.read_only_property("_tag")
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/cmac.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/cmac.py
@@ -0,0 +1,81 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+
+from cryptography import utils
+from cryptography.exceptions import (
+    InvalidSignature, UnsupportedAlgorithm, _Reasons
+)
+from cryptography.hazmat.primitives import constant_time
+from cryptography.hazmat.primitives.ciphers.modes import CBC
+
+
+class _CMACContext(object):
+    def __init__(self, backend, algorithm, ctx=None):
+        if not backend.cmac_algorithm_supported(algorithm):
+            raise UnsupportedAlgorithm("This backend does not support CMAC.",
+                                       _Reasons.UNSUPPORTED_CIPHER)
+
+        self._backend = backend
+        self._key = algorithm.key
+        self._algorithm = algorithm
+        self._output_length = algorithm.block_size // 8
+
+        if ctx is None:
+            registry = self._backend._cipher_registry
+            adapter = registry[type(algorithm), CBC]
+
+            evp_cipher = adapter(self._backend, algorithm, CBC)
+
+            ctx = self._backend._lib.CMAC_CTX_new()
+
+            self._backend.openssl_assert(ctx != self._backend._ffi.NULL)
+            ctx = self._backend._ffi.gc(ctx, self._backend._lib.CMAC_CTX_free)
+
+            key_ptr = self._backend._ffi.from_buffer(self._key)
+            res = self._backend._lib.CMAC_Init(
+                ctx, key_ptr, len(self._key),
+                evp_cipher, self._backend._ffi.NULL
+            )
+            self._backend.openssl_assert(res == 1)
+
+        self._ctx = ctx
+
+    algorithm = utils.read_only_property("_algorithm")
+
+    def update(self, data):
+        res = self._backend._lib.CMAC_Update(self._ctx, data, len(data))
+        self._backend.openssl_assert(res == 1)
+
+    def finalize(self):
+        buf = self._backend._ffi.new("unsigned char[]", self._output_length)
+        length = self._backend._ffi.new("size_t *", self._output_length)
+        res = self._backend._lib.CMAC_Final(
+            self._ctx, buf, length
+        )
+        self._backend.openssl_assert(res == 1)
+
+        self._ctx = None
+
+        return self._backend._ffi.buffer(buf)[:]
+
+    def copy(self):
+        copied_ctx = self._backend._lib.CMAC_CTX_new()
+        copied_ctx = self._backend._ffi.gc(
+            copied_ctx, self._backend._lib.CMAC_CTX_free
+        )
+        res = self._backend._lib.CMAC_CTX_copy(
+            copied_ctx, self._ctx
+        )
+        self._backend.openssl_assert(res == 1)
+        return _CMACContext(
+            self._backend, self._algorithm, ctx=copied_ctx
+        )
+
+    def verify(self, signature):
+        digest = self.finalize()
+        if not constant_time.bytes_eq(digest, signature):
+            raise InvalidSignature("Signature did not match digest.")
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/decode_asn1.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/decode_asn1.py
@@ -0,0 +1,899 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import datetime
+import ipaddress
+
+import asn1crypto.core
+
+import six
+
+from cryptography import x509
+from cryptography.x509.extensions import _TLS_FEATURE_TYPE_TO_ENUM
+from cryptography.x509.name import _ASN1_TYPE_TO_ENUM
+from cryptography.x509.oid import (
+    CRLEntryExtensionOID, CertificatePoliciesOID, ExtensionOID,
+    OCSPExtensionOID,
+)
+
+
+class _Integers(asn1crypto.core.SequenceOf):
+    _child_spec = asn1crypto.core.Integer
+
+
+def _obj2txt(backend, obj):
+    # Set to 80 on the recommendation of
+    # https://www.openssl.org/docs/crypto/OBJ_nid2ln.html#return_values
+    #
+    # But OIDs longer than this occur in real life (e.g. Active
+    # Directory makes some very long OIDs).  So we need to detect
+    # and properly handle the case where the default buffer is not
+    # big enough.
+    #
+    buf_len = 80
+    buf = backend._ffi.new("char[]", buf_len)
+
+    # 'res' is the number of bytes that *would* be written if the
+    # buffer is large enough.  If 'res' > buf_len - 1, we need to
+    # alloc a big-enough buffer and go again.
+    res = backend._lib.OBJ_obj2txt(buf, buf_len, obj, 1)
+    if res > buf_len - 1:  # account for terminating null byte
+        buf_len = res + 1
+        buf = backend._ffi.new("char[]", buf_len)
+        res = backend._lib.OBJ_obj2txt(buf, buf_len, obj, 1)
+    backend.openssl_assert(res > 0)
+    return backend._ffi.buffer(buf, res)[:].decode()
+
+
+def _decode_x509_name_entry(backend, x509_name_entry):
+    obj = backend._lib.X509_NAME_ENTRY_get_object(x509_name_entry)
+    backend.openssl_assert(obj != backend._ffi.NULL)
+    data = backend._lib.X509_NAME_ENTRY_get_data(x509_name_entry)
+    backend.openssl_assert(data != backend._ffi.NULL)
+    value = _asn1_string_to_utf8(backend, data)
+    oid = _obj2txt(backend, obj)
+    type = _ASN1_TYPE_TO_ENUM[data.type]
+
+    return x509.NameAttribute(x509.ObjectIdentifier(oid), value, type)
+
+
+def _decode_x509_name(backend, x509_name):
+    count = backend._lib.X509_NAME_entry_count(x509_name)
+    attributes = []
+    prev_set_id = -1
+    for x in range(count):
+        entry = backend._lib.X509_NAME_get_entry(x509_name, x)
+        attribute = _decode_x509_name_entry(backend, entry)
+        set_id = backend._lib.Cryptography_X509_NAME_ENTRY_set(entry)
+        if set_id != prev_set_id:
+            attributes.append(set([attribute]))
+        else:
+            # is in the same RDN a previous entry
+            attributes[-1].add(attribute)
+        prev_set_id = set_id
+
+    return x509.Name(x509.RelativeDistinguishedName(rdn) for rdn in attributes)
+
+
+def _decode_general_names(backend, gns):
+    num = backend._lib.sk_GENERAL_NAME_num(gns)
+    names = []
+    for i in range(num):
+        gn = backend._lib.sk_GENERAL_NAME_value(gns, i)
+        backend.openssl_assert(gn != backend._ffi.NULL)
+        names.append(_decode_general_name(backend, gn))
+
+    return names
+
+
+def _decode_general_name(backend, gn):
+    if gn.type == backend._lib.GEN_DNS:
+        # Convert to bytes and then decode to utf8. We don't use
+        # asn1_string_to_utf8 here because it doesn't properly convert
+        # utf8 from ia5strings.
+        data = _asn1_string_to_bytes(backend, gn.d.dNSName).decode("utf8")
+        # We don't use the constructor for DNSName so we can bypass validation
+        # This allows us to create DNSName objects that have unicode chars
+        # when a certificate (against the RFC) contains them.
+        return x509.DNSName._init_without_validation(data)
+    elif gn.type == backend._lib.GEN_URI:
+        # Convert to bytes and then decode to utf8. We don't use
+        # asn1_string_to_utf8 here because it doesn't properly convert
+        # utf8 from ia5strings.
+        data = _asn1_string_to_bytes(
+            backend, gn.d.uniformResourceIdentifier
+        ).decode("utf8")
+        # We don't use the constructor for URI so we can bypass validation
+        # This allows us to create URI objects that have unicode chars
+        # when a certificate (against the RFC) contains them.
+        return x509.UniformResourceIdentifier._init_without_validation(data)
+    elif gn.type == backend._lib.GEN_RID:
+        oid = _obj2txt(backend, gn.d.registeredID)
+        return x509.RegisteredID(x509.ObjectIdentifier(oid))
+    elif gn.type == backend._lib.GEN_IPADD:
+        data = _asn1_string_to_bytes(backend, gn.d.iPAddress)
+        data_len = len(data)
+        if data_len == 8 or data_len == 32:
+            # This is an IPv4 or IPv6 Network and not a single IP. This
+            # type of data appears in Name Constraints. Unfortunately,
+            # ipaddress doesn't support packed bytes + netmask. Additionally,
+            # IPv6Network can only handle CIDR rather than the full 16 byte
+            # netmask. To handle this we convert the netmask to integer, then
+            # find the first 0 bit, which will be the prefix. If another 1
+            # bit is present after that the netmask is invalid.
+            base = ipaddress.ip_address(data[:data_len // 2])
+            netmask = ipaddress.ip_address(data[data_len // 2:])
+            bits = bin(int(netmask))[2:]
+            prefix = bits.find('0')
+            # If no 0 bits are found it is a /32 or /128
+            if prefix == -1:
+                prefix = len(bits)
+
+            if "1" in bits[prefix:]:
+                raise ValueError("Invalid netmask")
+
+            ip = ipaddress.ip_network(base.exploded + u"/{}".format(prefix))
+        else:
+            ip = ipaddress.ip_address(data)
+
+        return x509.IPAddress(ip)
+    elif gn.type == backend._lib.GEN_DIRNAME:
+        return x509.DirectoryName(
+            _decode_x509_name(backend, gn.d.directoryName)
+        )
+    elif gn.type == backend._lib.GEN_EMAIL:
+        # Convert to bytes and then decode to utf8. We don't use
+        # asn1_string_to_utf8 here because it doesn't properly convert
+        # utf8 from ia5strings.
+        data = _asn1_string_to_bytes(backend, gn.d.rfc822Name).decode("utf8")
+        # We don't use the constructor for RFC822Name so we can bypass
+        # validation. This allows us to create RFC822Name objects that have
+        # unicode chars when a certificate (against the RFC) contains them.
+        return x509.RFC822Name._init_without_validation(data)
+    elif gn.type == backend._lib.GEN_OTHERNAME:
+        type_id = _obj2txt(backend, gn.d.otherName.type_id)
+        value = _asn1_to_der(backend, gn.d.otherName.value)
+        return x509.OtherName(x509.ObjectIdentifier(type_id), value)
+    else:
+        # x400Address or ediPartyName
+        raise x509.UnsupportedGeneralNameType(
+            "{} is not a supported type".format(
+                x509._GENERAL_NAMES.get(gn.type, gn.type)
+            ),
+            gn.type
+        )
+
+
+def _decode_ocsp_no_check(backend, ext):
+    return x509.OCSPNoCheck()
+
+
+def _decode_crl_number(backend, ext):
+    asn1_int = backend._ffi.cast("ASN1_INTEGER *", ext)
+    asn1_int = backend._ffi.gc(asn1_int, backend._lib.ASN1_INTEGER_free)
+    return x509.CRLNumber(_asn1_integer_to_int(backend, asn1_int))
+
+
+def _decode_delta_crl_indicator(backend, ext):
+    asn1_int = backend._ffi.cast("ASN1_INTEGER *", ext)
+    asn1_int = backend._ffi.gc(asn1_int, backend._lib.ASN1_INTEGER_free)
+    return x509.DeltaCRLIndicator(_asn1_integer_to_int(backend, asn1_int))
+
+
+class _X509ExtensionParser(object):
+    def __init__(self, ext_count, get_ext, handlers):
+        self.ext_count = ext_count
+        self.get_ext = get_ext
+        self.handlers = handlers
+
+    def parse(self, backend, x509_obj):
+        extensions = []
+        seen_oids = set()
+        for i in range(self.ext_count(backend, x509_obj)):
+            ext = self.get_ext(backend, x509_obj, i)
+            backend.openssl_assert(ext != backend._ffi.NULL)
+            crit = backend._lib.X509_EXTENSION_get_critical(ext)
+            critical = crit == 1
+            oid = x509.ObjectIdentifier(
+                _obj2txt(backend, backend._lib.X509_EXTENSION_get_object(ext))
+            )
+            if oid in seen_oids:
+                raise x509.DuplicateExtension(
+                    "Duplicate {} extension found".format(oid), oid
+                )
+
+            # These OIDs are only supported in OpenSSL 1.1.0+ but we want
+            # to support them in all versions of OpenSSL so we decode them
+            # ourselves.
+            if oid == ExtensionOID.TLS_FEATURE:
+                data = backend._lib.X509_EXTENSION_get_data(ext)
+                parsed = _Integers.load(_asn1_string_to_bytes(backend, data))
+                value = x509.TLSFeature(
+                    [_TLS_FEATURE_TYPE_TO_ENUM[x.native] for x in parsed]
+                )
+                extensions.append(x509.Extension(oid, critical, value))
+                seen_oids.add(oid)
+                continue
+            elif oid == ExtensionOID.PRECERT_POISON:
+                data = backend._lib.X509_EXTENSION_get_data(ext)
+                parsed = asn1crypto.core.Null.load(
+                    _asn1_string_to_bytes(backend, data)
+                )
+                assert parsed == asn1crypto.core.Null()
+                extensions.append(x509.Extension(
+                    oid, critical, x509.PrecertPoison()
+                ))
+                seen_oids.add(oid)
+                continue
+
+            try:
+                handler = self.handlers[oid]
+            except KeyError:
+                # Dump the DER payload into an UnrecognizedExtension object
+                data = backend._lib.X509_EXTENSION_get_data(ext)
+                backend.openssl_assert(data != backend._ffi.NULL)
+                der = backend._ffi.buffer(data.data, data.length)[:]
+                unrecognized = x509.UnrecognizedExtension(oid, der)
+                extensions.append(
+                    x509.Extension(oid, critical, unrecognized)
+                )
+            else:
+                ext_data = backend._lib.X509V3_EXT_d2i(ext)
+                if ext_data == backend._ffi.NULL:
+                    backend._consume_errors()
+                    raise ValueError(
+                        "The {} extension is invalid and can't be "
+                        "parsed".format(oid)
+                    )
+
+                value = handler(backend, ext_data)
+                extensions.append(x509.Extension(oid, critical, value))
+
+            seen_oids.add(oid)
+
+        return x509.Extensions(extensions)
+
+
+def _decode_certificate_policies(backend, cp):
+    cp = backend._ffi.cast("Cryptography_STACK_OF_POLICYINFO *", cp)
+    cp = backend._ffi.gc(cp, backend._lib.CERTIFICATEPOLICIES_free)
+
+    num = backend._lib.sk_POLICYINFO_num(cp)
+    certificate_policies = []
+    for i in range(num):
+        qualifiers = None
+        pi = backend._lib.sk_POLICYINFO_value(cp, i)
+        oid = x509.ObjectIdentifier(_obj2txt(backend, pi.policyid))
+        if pi.qualifiers != backend._ffi.NULL:
+            qnum = backend._lib.sk_POLICYQUALINFO_num(pi.qualifiers)
+            qualifiers = []
+            for j in range(qnum):
+                pqi = backend._lib.sk_POLICYQUALINFO_value(
+                    pi.qualifiers, j
+                )
+                pqualid = x509.ObjectIdentifier(
+                    _obj2txt(backend, pqi.pqualid)
+                )
+                if pqualid == CertificatePoliciesOID.CPS_QUALIFIER:
+                    cpsuri = backend._ffi.buffer(
+                        pqi.d.cpsuri.data, pqi.d.cpsuri.length
+                    )[:].decode('ascii')
+                    qualifiers.append(cpsuri)
+                else:
+                    assert pqualid == CertificatePoliciesOID.CPS_USER_NOTICE
+                    user_notice = _decode_user_notice(
+                        backend, pqi.d.usernotice
+                    )
+                    qualifiers.append(user_notice)
+
+        certificate_policies.append(
+            x509.PolicyInformation(oid, qualifiers)
+        )
+
+    return x509.CertificatePolicies(certificate_policies)
+
+
+def _decode_user_notice(backend, un):
+    explicit_text = None
+    notice_reference = None
+
+    if un.exptext != backend._ffi.NULL:
+        explicit_text = _asn1_string_to_utf8(backend, un.exptext)
+
+    if un.noticeref != backend._ffi.NULL:
+        organization = _asn1_string_to_utf8(
+            backend, un.noticeref.organization
+        )
+
+        num = backend._lib.sk_ASN1_INTEGER_num(
+            un.noticeref.noticenos
+        )
+        notice_numbers = []
+        for i in range(num):
+            asn1_int = backend._lib.sk_ASN1_INTEGER_value(
+                un.noticeref.noticenos, i
+            )
+            notice_num = _asn1_integer_to_int(backend, asn1_int)
+            notice_numbers.append(notice_num)
+
+        notice_reference = x509.NoticeReference(
+            organization, notice_numbers
+        )
+
+    return x509.UserNotice(notice_reference, explicit_text)
+
+
+def _decode_basic_constraints(backend, bc_st):
+    basic_constraints = backend._ffi.cast("BASIC_CONSTRAINTS *", bc_st)
+    basic_constraints = backend._ffi.gc(
+        basic_constraints, backend._lib.BASIC_CONSTRAINTS_free
+    )
+    # The byte representation of an ASN.1 boolean true is \xff. OpenSSL
+    # chooses to just map this to its ordinal value, so true is 255 and
+    # false is 0.
+    ca = basic_constraints.ca == 255
+    path_length = _asn1_integer_to_int_or_none(
+        backend, basic_constraints.pathlen
+    )
+
+    return x509.BasicConstraints(ca, path_length)
+
+
+def _decode_subject_key_identifier(backend, asn1_string):
+    asn1_string = backend._ffi.cast("ASN1_OCTET_STRING *", asn1_string)
+    asn1_string = backend._ffi.gc(
+        asn1_string, backend._lib.ASN1_OCTET_STRING_free
+    )
+    return x509.SubjectKeyIdentifier(
+        backend._ffi.buffer(asn1_string.data, asn1_string.length)[:]
+    )
+
+
+def _decode_authority_key_identifier(backend, akid):
+    akid = backend._ffi.cast("AUTHORITY_KEYID *", akid)
+    akid = backend._ffi.gc(akid, backend._lib.AUTHORITY_KEYID_free)
+    key_identifier = None
+    authority_cert_issuer = None
+
+    if akid.keyid != backend._ffi.NULL:
+        key_identifier = backend._ffi.buffer(
+            akid.keyid.data, akid.keyid.length
+        )[:]
+
+    if akid.issuer != backend._ffi.NULL:
+        authority_cert_issuer = _decode_general_names(
+            backend, akid.issuer
+        )
+
+    authority_cert_serial_number = _asn1_integer_to_int_or_none(
+        backend, akid.serial
+    )
+
+    return x509.AuthorityKeyIdentifier(
+        key_identifier, authority_cert_issuer, authority_cert_serial_number
+    )
+
+
+def _decode_authority_information_access(backend, aia):
+    aia = backend._ffi.cast("Cryptography_STACK_OF_ACCESS_DESCRIPTION *", aia)
+    aia = backend._ffi.gc(
+        aia,
+        lambda x: backend._lib.sk_ACCESS_DESCRIPTION_pop_free(
+            x, backend._ffi.addressof(
+                backend._lib._original_lib, "ACCESS_DESCRIPTION_free"
+            )
+        )
+    )
+    num = backend._lib.sk_ACCESS_DESCRIPTION_num(aia)
+    access_descriptions = []
+    for i in range(num):
+        ad = backend._lib.sk_ACCESS_DESCRIPTION_value(aia, i)
+        backend.openssl_assert(ad.method != backend._ffi.NULL)
+        oid = x509.ObjectIdentifier(_obj2txt(backend, ad.method))
+        backend.openssl_assert(ad.location != backend._ffi.NULL)
+        gn = _decode_general_name(backend, ad.location)
+        access_descriptions.append(x509.AccessDescription(oid, gn))
+
+    return x509.AuthorityInformationAccess(access_descriptions)
+
+
+def _decode_key_usage(backend, bit_string):
+    bit_string = backend._ffi.cast("ASN1_BIT_STRING *", bit_string)
+    bit_string = backend._ffi.gc(bit_string, backend._lib.ASN1_BIT_STRING_free)
+    get_bit = backend._lib.ASN1_BIT_STRING_get_bit
+    digital_signature = get_bit(bit_string, 0) == 1
+    content_commitment = get_bit(bit_string, 1) == 1
+    key_encipherment = get_bit(bit_string, 2) == 1
+    data_encipherment = get_bit(bit_string, 3) == 1
+    key_agreement = get_bit(bit_string, 4) == 1
+    key_cert_sign = get_bit(bit_string, 5) == 1
+    crl_sign = get_bit(bit_string, 6) == 1
+    encipher_only = get_bit(bit_string, 7) == 1
+    decipher_only = get_bit(bit_string, 8) == 1
+    return x509.KeyUsage(
+        digital_signature,
+        content_commitment,
+        key_encipherment,
+        data_encipherment,
+        key_agreement,
+        key_cert_sign,
+        crl_sign,
+        encipher_only,
+        decipher_only
+    )
+
+
+def _decode_general_names_extension(backend, gns):
+    gns = backend._ffi.cast("GENERAL_NAMES *", gns)
+    gns = backend._ffi.gc(gns, backend._lib.GENERAL_NAMES_free)
+    general_names = _decode_general_names(backend, gns)
+    return general_names
+
+
+def _decode_subject_alt_name(backend, ext):
+    return x509.SubjectAlternativeName(
+        _decode_general_names_extension(backend, ext)
+    )
+
+
+def _decode_issuer_alt_name(backend, ext):
+    return x509.IssuerAlternativeName(
+        _decode_general_names_extension(backend, ext)
+    )
+
+
+def _decode_name_constraints(backend, nc):
+    nc = backend._ffi.cast("NAME_CONSTRAINTS *", nc)
+    nc = backend._ffi.gc(nc, backend._lib.NAME_CONSTRAINTS_free)
+    permitted = _decode_general_subtrees(backend, nc.permittedSubtrees)
+    excluded = _decode_general_subtrees(backend, nc.excludedSubtrees)
+    return x509.NameConstraints(
+        permitted_subtrees=permitted, excluded_subtrees=excluded
+    )
+
+
+def _decode_general_subtrees(backend, stack_subtrees):
+    if stack_subtrees == backend._ffi.NULL:
+        return None
+
+    num = backend._lib.sk_GENERAL_SUBTREE_num(stack_subtrees)
+    subtrees = []
+
+    for i in range(num):
+        obj = backend._lib.sk_GENERAL_SUBTREE_value(stack_subtrees, i)
+        backend.openssl_assert(obj != backend._ffi.NULL)
+        name = _decode_general_name(backend, obj.base)
+        subtrees.append(name)
+
+    return subtrees
+
+
+def _decode_issuing_dist_point(backend, idp):
+    idp = backend._ffi.cast("ISSUING_DIST_POINT *", idp)
+    idp = backend._ffi.gc(idp, backend._lib.ISSUING_DIST_POINT_free)
+    if idp.distpoint != backend._ffi.NULL:
+        full_name, relative_name = _decode_distpoint(backend, idp.distpoint)
+    else:
+        full_name = None
+        relative_name = None
+
+    only_user = idp.onlyuser == 255
+    only_ca = idp.onlyCA == 255
+    indirect_crl = idp.indirectCRL == 255
+    only_attr = idp.onlyattr == 255
+    if idp.onlysomereasons != backend._ffi.NULL:
+        only_some_reasons = _decode_reasons(backend, idp.onlysomereasons)
+    else:
+        only_some_reasons = None
+
+    return x509.IssuingDistributionPoint(
+        full_name, relative_name, only_user, only_ca, only_some_reasons,
+        indirect_crl, only_attr
+    )
+
+
+def _decode_policy_constraints(backend, pc):
+    pc = backend._ffi.cast("POLICY_CONSTRAINTS *", pc)
+    pc = backend._ffi.gc(pc, backend._lib.POLICY_CONSTRAINTS_free)
+
+    require_explicit_policy = _asn1_integer_to_int_or_none(
+        backend, pc.requireExplicitPolicy
+    )
+    inhibit_policy_mapping = _asn1_integer_to_int_or_none(
+        backend, pc.inhibitPolicyMapping
+    )
+
+    return x509.PolicyConstraints(
+        require_explicit_policy, inhibit_policy_mapping
+    )
+
+
+def _decode_extended_key_usage(backend, sk):
+    sk = backend._ffi.cast("Cryptography_STACK_OF_ASN1_OBJECT *", sk)
+    sk = backend._ffi.gc(sk, backend._lib.sk_ASN1_OBJECT_free)
+    num = backend._lib.sk_ASN1_OBJECT_num(sk)
+    ekus = []
+
+    for i in range(num):
+        obj = backend._lib.sk_ASN1_OBJECT_value(sk, i)
+        backend.openssl_assert(obj != backend._ffi.NULL)
+        oid = x509.ObjectIdentifier(_obj2txt(backend, obj))
+        ekus.append(oid)
+
+    return x509.ExtendedKeyUsage(ekus)
+
+
+_DISTPOINT_TYPE_FULLNAME = 0
+_DISTPOINT_TYPE_RELATIVENAME = 1
+
+
+def _decode_dist_points(backend, cdps):
+    cdps = backend._ffi.cast("Cryptography_STACK_OF_DIST_POINT *", cdps)
+    cdps = backend._ffi.gc(cdps, backend._lib.CRL_DIST_POINTS_free)
+
+    num = backend._lib.sk_DIST_POINT_num(cdps)
+    dist_points = []
+    for i in range(num):
+        full_name = None
+        relative_name = None
+        crl_issuer = None
+        reasons = None
+        cdp = backend._lib.sk_DIST_POINT_value(cdps, i)
+        if cdp.reasons != backend._ffi.NULL:
+            reasons = _decode_reasons(backend, cdp.reasons)
+
+        if cdp.CRLissuer != backend._ffi.NULL:
+            crl_issuer = _decode_general_names(backend, cdp.CRLissuer)
+
+        # Certificates may have a crl_issuer/reasons and no distribution
+        # point so make sure it's not null.
+        if cdp.distpoint != backend._ffi.NULL:
+            full_name, relative_name = _decode_distpoint(
+                backend, cdp.distpoint
+            )
+
+        dist_points.append(
+            x509.DistributionPoint(
+                full_name, relative_name, reasons, crl_issuer
+            )
+        )
+
+    return dist_points
+
+
+# ReasonFlags ::= BIT STRING {
+#      unused                  (0),
+#      keyCompromise           (1),
+#      cACompromise            (2),
+#      affiliationChanged      (3),
+#      superseded              (4),
+#      cessationOfOperation    (5),
+#      certificateHold         (6),
+#      privilegeWithdrawn      (7),
+#      aACompromise            (8) }
+_REASON_BIT_MAPPING = {
+    1: x509.ReasonFlags.key_compromise,
+    2: x509.ReasonFlags.ca_compromise,
+    3: x509.ReasonFlags.affiliation_changed,
+    4: x509.ReasonFlags.superseded,
+    5: x509.ReasonFlags.cessation_of_operation,
+    6: x509.ReasonFlags.certificate_hold,
+    7: x509.ReasonFlags.privilege_withdrawn,
+    8: x509.ReasonFlags.aa_compromise,
+}
+
+
+def _decode_reasons(backend, reasons):
+    # We will check each bit from RFC 5280
+    enum_reasons = []
+    for bit_position, reason in six.iteritems(_REASON_BIT_MAPPING):
+        if backend._lib.ASN1_BIT_STRING_get_bit(reasons, bit_position):
+            enum_reasons.append(reason)
+
+    return frozenset(enum_reasons)
+
+
+def _decode_distpoint(backend, distpoint):
+    if distpoint.type == _DISTPOINT_TYPE_FULLNAME:
+        full_name = _decode_general_names(backend, distpoint.name.fullname)
+        return full_name, None
+
+    # OpenSSL code doesn't test for a specific type for
+    # relativename, everything that isn't fullname is considered
+    # relativename.  Per RFC 5280:
+    #
+    # DistributionPointName ::= CHOICE {
+    #      fullName                [0]      GeneralNames,
+    #      nameRelativeToCRLIssuer [1]      RelativeDistinguishedName }
+    rns = distpoint.name.relativename
+    rnum = backend._lib.sk_X509_NAME_ENTRY_num(rns)
+    attributes = set()
+    for i in range(rnum):
+        rn = backend._lib.sk_X509_NAME_ENTRY_value(
+            rns, i
+        )
+        backend.openssl_assert(rn != backend._ffi.NULL)
+        attributes.add(
+            _decode_x509_name_entry(backend, rn)
+        )
+
+    relative_name = x509.RelativeDistinguishedName(attributes)
+
+    return None, relative_name
+
+
+def _decode_crl_distribution_points(backend, cdps):
+    dist_points = _decode_dist_points(backend, cdps)
+    return x509.CRLDistributionPoints(dist_points)
+
+
+def _decode_freshest_crl(backend, cdps):
+    dist_points = _decode_dist_points(backend, cdps)
+    return x509.FreshestCRL(dist_points)
+
+
+def _decode_inhibit_any_policy(backend, asn1_int):
+    asn1_int = backend._ffi.cast("ASN1_INTEGER *", asn1_int)
+    asn1_int = backend._ffi.gc(asn1_int, backend._lib.ASN1_INTEGER_free)
+    skip_certs = _asn1_integer_to_int(backend, asn1_int)
+    return x509.InhibitAnyPolicy(skip_certs)
+
+
+def _decode_precert_signed_certificate_timestamps(backend, asn1_scts):
+    from cryptography.hazmat.backends.openssl.x509 import (
+        _SignedCertificateTimestamp
+    )
+    asn1_scts = backend._ffi.cast("Cryptography_STACK_OF_SCT *", asn1_scts)
+    asn1_scts = backend._ffi.gc(asn1_scts, backend._lib.SCT_LIST_free)
+
+    scts = []
+    for i in range(backend._lib.sk_SCT_num(asn1_scts)):
+        sct = backend._lib.sk_SCT_value(asn1_scts, i)
+
+        scts.append(_SignedCertificateTimestamp(backend, asn1_scts, sct))
+    return x509.PrecertificateSignedCertificateTimestamps(scts)
+
+
+#    CRLReason ::= ENUMERATED {
+#        unspecified             (0),
+#        keyCompromise           (1),
+#        cACompromise            (2),
+#        affiliationChanged      (3),
+#        superseded              (4),
+#        cessationOfOperation    (5),
+#        certificateHold         (6),
+#             -- value 7 is not used
+#        removeFromCRL           (8),
+#        privilegeWithdrawn      (9),
+#        aACompromise           (10) }
+_CRL_ENTRY_REASON_CODE_TO_ENUM = {
+    0: x509.ReasonFlags.unspecified,
+    1: x509.ReasonFlags.key_compromise,
+    2: x509.ReasonFlags.ca_compromise,
+    3: x509.ReasonFlags.affiliation_changed,
+    4: x509.ReasonFlags.superseded,
+    5: x509.ReasonFlags.cessation_of_operation,
+    6: x509.ReasonFlags.certificate_hold,
+    8: x509.ReasonFlags.remove_from_crl,
+    9: x509.ReasonFlags.privilege_withdrawn,
+    10: x509.ReasonFlags.aa_compromise,
+}
+
+
+_CRL_ENTRY_REASON_ENUM_TO_CODE = {
+    x509.ReasonFlags.unspecified: 0,
+    x509.ReasonFlags.key_compromise: 1,
+    x509.ReasonFlags.ca_compromise: 2,
+    x509.ReasonFlags.affiliation_changed: 3,
+    x509.ReasonFlags.superseded: 4,
+    x509.ReasonFlags.cessation_of_operation: 5,
+    x509.ReasonFlags.certificate_hold: 6,
+    x509.ReasonFlags.remove_from_crl: 8,
+    x509.ReasonFlags.privilege_withdrawn: 9,
+    x509.ReasonFlags.aa_compromise: 10
+}
+
+
+def _decode_crl_reason(backend, enum):
+    enum = backend._ffi.cast("ASN1_ENUMERATED *", enum)
+    enum = backend._ffi.gc(enum, backend._lib.ASN1_ENUMERATED_free)
+    code = backend._lib.ASN1_ENUMERATED_get(enum)
+
+    try:
+        return x509.CRLReason(_CRL_ENTRY_REASON_CODE_TO_ENUM[code])
+    except KeyError:
+        raise ValueError("Unsupported reason code: {}".format(code))
+
+
+def _decode_invalidity_date(backend, inv_date):
+    generalized_time = backend._ffi.cast(
+        "ASN1_GENERALIZEDTIME *", inv_date
+    )
+    generalized_time = backend._ffi.gc(
+        generalized_time, backend._lib.ASN1_GENERALIZEDTIME_free
+    )
+    return x509.InvalidityDate(
+        _parse_asn1_generalized_time(backend, generalized_time)
+    )
+
+
+def _decode_cert_issuer(backend, gns):
+    gns = backend._ffi.cast("GENERAL_NAMES *", gns)
+    gns = backend._ffi.gc(gns, backend._lib.GENERAL_NAMES_free)
+    general_names = _decode_general_names(backend, gns)
+    return x509.CertificateIssuer(general_names)
+
+
+def _asn1_to_der(backend, asn1_type):
+    buf = backend._ffi.new("unsigned char **")
+    res = backend._lib.i2d_ASN1_TYPE(asn1_type, buf)
+    backend.openssl_assert(res >= 0)
+    backend.openssl_assert(buf[0] != backend._ffi.NULL)
+    buf = backend._ffi.gc(
+        buf, lambda buffer: backend._lib.OPENSSL_free(buffer[0])
+    )
+    return backend._ffi.buffer(buf[0], res)[:]
+
+
+def _asn1_integer_to_int(backend, asn1_int):
+    bn = backend._lib.ASN1_INTEGER_to_BN(asn1_int, backend._ffi.NULL)
+    backend.openssl_assert(bn != backend._ffi.NULL)
+    bn = backend._ffi.gc(bn, backend._lib.BN_free)
+    return backend._bn_to_int(bn)
+
+
+def _asn1_integer_to_int_or_none(backend, asn1_int):
+    if asn1_int == backend._ffi.NULL:
+        return None
+    else:
+        return _asn1_integer_to_int(backend, asn1_int)
+
+
+def _asn1_string_to_bytes(backend, asn1_string):
+    return backend._ffi.buffer(asn1_string.data, asn1_string.length)[:]
+
+
+def _asn1_string_to_ascii(backend, asn1_string):
+    return _asn1_string_to_bytes(backend, asn1_string).decode("ascii")
+
+
+def _asn1_string_to_utf8(backend, asn1_string):
+    buf = backend._ffi.new("unsigned char **")
+    res = backend._lib.ASN1_STRING_to_UTF8(buf, asn1_string)
+    if res == -1:
+        raise ValueError(
+            "Unsupported ASN1 string type. Type: {}".format(asn1_string.type)
+        )
+
+    backend.openssl_assert(buf[0] != backend._ffi.NULL)
+    buf = backend._ffi.gc(
+        buf, lambda buffer: backend._lib.OPENSSL_free(buffer[0])
+    )
+    return backend._ffi.buffer(buf[0], res)[:].decode('utf8')
+
+
+def _parse_asn1_time(backend, asn1_time):
+    backend.openssl_assert(asn1_time != backend._ffi.NULL)
+    generalized_time = backend._lib.ASN1_TIME_to_generalizedtime(
+        asn1_time, backend._ffi.NULL
+    )
+    if generalized_time == backend._ffi.NULL:
+        raise ValueError(
+            "Couldn't parse ASN.1 time as generalizedtime {!r}".format(
+                _asn1_string_to_bytes(backend, asn1_time)
+            )
+        )
+
+    generalized_time = backend._ffi.gc(
+        generalized_time, backend._lib.ASN1_GENERALIZEDTIME_free
+    )
+    return _parse_asn1_generalized_time(backend, generalized_time)
+
+
+def _parse_asn1_generalized_time(backend, generalized_time):
+    time = _asn1_string_to_ascii(
+        backend, backend._ffi.cast("ASN1_STRING *", generalized_time)
+    )
+    return datetime.datetime.strptime(time, "%Y%m%d%H%M%SZ")
+
+
+def _decode_nonce(backend, nonce):
+    nonce = backend._ffi.cast("ASN1_OCTET_STRING *", nonce)
+    nonce = backend._ffi.gc(nonce, backend._lib.ASN1_OCTET_STRING_free)
+    return x509.OCSPNonce(_asn1_string_to_bytes(backend, nonce))
+
+
+_EXTENSION_HANDLERS_NO_SCT = {
+    ExtensionOID.BASIC_CONSTRAINTS: _decode_basic_constraints,
+    ExtensionOID.SUBJECT_KEY_IDENTIFIER: _decode_subject_key_identifier,
+    ExtensionOID.KEY_USAGE: _decode_key_usage,
+    ExtensionOID.SUBJECT_ALTERNATIVE_NAME: _decode_subject_alt_name,
+    ExtensionOID.EXTENDED_KEY_USAGE: _decode_extended_key_usage,
+    ExtensionOID.AUTHORITY_KEY_IDENTIFIER: _decode_authority_key_identifier,
+    ExtensionOID.AUTHORITY_INFORMATION_ACCESS: (
+        _decode_authority_information_access
+    ),
+    ExtensionOID.CERTIFICATE_POLICIES: _decode_certificate_policies,
+    ExtensionOID.CRL_DISTRIBUTION_POINTS: _decode_crl_distribution_points,
+    ExtensionOID.FRESHEST_CRL: _decode_freshest_crl,
+    ExtensionOID.OCSP_NO_CHECK: _decode_ocsp_no_check,
+    ExtensionOID.INHIBIT_ANY_POLICY: _decode_inhibit_any_policy,
+    ExtensionOID.ISSUER_ALTERNATIVE_NAME: _decode_issuer_alt_name,
+    ExtensionOID.NAME_CONSTRAINTS: _decode_name_constraints,
+    ExtensionOID.POLICY_CONSTRAINTS: _decode_policy_constraints,
+}
+_EXTENSION_HANDLERS = _EXTENSION_HANDLERS_NO_SCT.copy()
+_EXTENSION_HANDLERS[
+    ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS
+] = _decode_precert_signed_certificate_timestamps
+
+
+_REVOKED_EXTENSION_HANDLERS = {
+    CRLEntryExtensionOID.CRL_REASON: _decode_crl_reason,
+    CRLEntryExtensionOID.INVALIDITY_DATE: _decode_invalidity_date,
+    CRLEntryExtensionOID.CERTIFICATE_ISSUER: _decode_cert_issuer,
+}
+
+_CRL_EXTENSION_HANDLERS = {
+    ExtensionOID.CRL_NUMBER: _decode_crl_number,
+    ExtensionOID.DELTA_CRL_INDICATOR: _decode_delta_crl_indicator,
+    ExtensionOID.AUTHORITY_KEY_IDENTIFIER: _decode_authority_key_identifier,
+    ExtensionOID.ISSUER_ALTERNATIVE_NAME: _decode_issuer_alt_name,
+    ExtensionOID.AUTHORITY_INFORMATION_ACCESS: (
+        _decode_authority_information_access
+    ),
+    ExtensionOID.ISSUING_DISTRIBUTION_POINT: _decode_issuing_dist_point,
+}
+
+_OCSP_REQ_EXTENSION_HANDLERS = {
+    OCSPExtensionOID.NONCE: _decode_nonce,
+}
+
+_OCSP_BASICRESP_EXTENSION_HANDLERS = {
+    OCSPExtensionOID.NONCE: _decode_nonce,
+}
+
+_CERTIFICATE_EXTENSION_PARSER_NO_SCT = _X509ExtensionParser(
+    ext_count=lambda backend, x: backend._lib.X509_get_ext_count(x),
+    get_ext=lambda backend, x, i: backend._lib.X509_get_ext(x, i),
+    handlers=_EXTENSION_HANDLERS_NO_SCT
+)
+
+_CERTIFICATE_EXTENSION_PARSER = _X509ExtensionParser(
+    ext_count=lambda backend, x: backend._lib.X509_get_ext_count(x),
+    get_ext=lambda backend, x, i: backend._lib.X509_get_ext(x, i),
+    handlers=_EXTENSION_HANDLERS
+)
+
+_CSR_EXTENSION_PARSER = _X509ExtensionParser(
+    ext_count=lambda backend, x: backend._lib.sk_X509_EXTENSION_num(x),
+    get_ext=lambda backend, x, i: backend._lib.sk_X509_EXTENSION_value(x, i),
+    handlers=_EXTENSION_HANDLERS
+)
+
+_REVOKED_CERTIFICATE_EXTENSION_PARSER = _X509ExtensionParser(
+    ext_count=lambda backend, x: backend._lib.X509_REVOKED_get_ext_count(x),
+    get_ext=lambda backend, x, i: backend._lib.X509_REVOKED_get_ext(x, i),
+    handlers=_REVOKED_EXTENSION_HANDLERS,
+)
+
+_CRL_EXTENSION_PARSER = _X509ExtensionParser(
+    ext_count=lambda backend, x: backend._lib.X509_CRL_get_ext_count(x),
+    get_ext=lambda backend, x, i: backend._lib.X509_CRL_get_ext(x, i),
+    handlers=_CRL_EXTENSION_HANDLERS,
+)
+
+_OCSP_REQ_EXT_PARSER = _X509ExtensionParser(
+    ext_count=lambda backend, x: backend._lib.OCSP_REQUEST_get_ext_count(x),
+    get_ext=lambda backend, x, i: backend._lib.OCSP_REQUEST_get_ext(x, i),
+    handlers=_OCSP_REQ_EXTENSION_HANDLERS,
+)
+
+_OCSP_BASICRESP_EXT_PARSER = _X509ExtensionParser(
+    ext_count=lambda backend, x: backend._lib.OCSP_BASICRESP_get_ext_count(x),
+    get_ext=lambda backend, x, i: backend._lib.OCSP_BASICRESP_get_ext(x, i),
+    handlers=_OCSP_BASICRESP_EXTENSION_HANDLERS,
+)
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/dh.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/dh.py
@@ -0,0 +1,280 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+from cryptography import utils
+from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import dh
+
+
+def _dh_params_dup(dh_cdata, backend):
+    lib = backend._lib
+    ffi = backend._ffi
+
+    param_cdata = lib.DHparams_dup(dh_cdata)
+    backend.openssl_assert(param_cdata != ffi.NULL)
+    param_cdata = ffi.gc(param_cdata, lib.DH_free)
+    if lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102:
+        # In OpenSSL versions < 1.0.2 or libressl DHparams_dup don't copy q
+        q = ffi.new("BIGNUM **")
+        lib.DH_get0_pqg(dh_cdata, ffi.NULL, q, ffi.NULL)
+        q_dup = lib.BN_dup(q[0])
+        res = lib.DH_set0_pqg(param_cdata, ffi.NULL, q_dup, ffi.NULL)
+        backend.openssl_assert(res == 1)
+
+    return param_cdata
+
+
+def _dh_cdata_to_parameters(dh_cdata, backend):
+    param_cdata = _dh_params_dup(dh_cdata, backend)
+    return _DHParameters(backend, param_cdata)
+
+
+@utils.register_interface(dh.DHParametersWithSerialization)
+class _DHParameters(object):
+    def __init__(self, backend, dh_cdata):
+        self._backend = backend
+        self._dh_cdata = dh_cdata
+
+    def parameter_numbers(self):
+        p = self._backend._ffi.new("BIGNUM **")
+        g = self._backend._ffi.new("BIGNUM **")
+        q = self._backend._ffi.new("BIGNUM **")
+        self._backend._lib.DH_get0_pqg(self._dh_cdata, p, q, g)
+        self._backend.openssl_assert(p[0] != self._backend._ffi.NULL)
+        self._backend.openssl_assert(g[0] != self._backend._ffi.NULL)
+        if q[0] == self._backend._ffi.NULL:
+            q_val = None
+        else:
+            q_val = self._backend._bn_to_int(q[0])
+        return dh.DHParameterNumbers(
+            p=self._backend._bn_to_int(p[0]),
+            g=self._backend._bn_to_int(g[0]),
+            q=q_val
+        )
+
+    def generate_private_key(self):
+        return self._backend.generate_dh_private_key(self)
+
+    def parameter_bytes(self, encoding, format):
+        if format is not serialization.ParameterFormat.PKCS3:
+            raise ValueError(
+                "Only PKCS3 serialization is supported"
+            )
+        if not self._backend._lib.Cryptography_HAS_EVP_PKEY_DHX:
+            q = self._backend._ffi.new("BIGNUM **")
+            self._backend._lib.DH_get0_pqg(self._dh_cdata,
+                                           self._backend._ffi.NULL,
+                                           q,
+                                           self._backend._ffi.NULL)
+            if q[0] != self._backend._ffi.NULL:
+                raise UnsupportedAlgorithm(
+                    "DH X9.42 serialization is not supported",
+                    _Reasons.UNSUPPORTED_SERIALIZATION)
+
+        return self._backend._parameter_bytes(
+            encoding,
+            format,
+            self._dh_cdata
+        )
+
+
+def _handle_dh_compute_key_error(errors, backend):
+    lib = backend._lib
+
+    backend.openssl_assert(
+        errors[0]._lib_reason_match(
+            lib.ERR_LIB_DH, lib.DH_R_INVALID_PUBKEY
+        )
+    )
+
+    raise ValueError("Public key value is invalid for this exchange.")
+
+
+def _get_dh_num_bits(backend, dh_cdata):
+    p = backend._ffi.new("BIGNUM **")
+    backend._lib.DH_get0_pqg(dh_cdata, p,
+                             backend._ffi.NULL,
+                             backend._ffi.NULL)
+    backend.openssl_assert(p[0] != backend._ffi.NULL)
+    return backend._lib.BN_num_bits(p[0])
+
+
+@utils.register_interface(dh.DHPrivateKeyWithSerialization)
+class _DHPrivateKey(object):
+    def __init__(self, backend, dh_cdata, evp_pkey):
+        self._backend = backend
+        self._dh_cdata = dh_cdata
+        self._evp_pkey = evp_pkey
+        self._key_size_bytes = self._backend._lib.DH_size(dh_cdata)
+
+    @property
+    def key_size(self):
+        return _get_dh_num_bits(self._backend, self._dh_cdata)
+
+    def private_numbers(self):
+        p = self._backend._ffi.new("BIGNUM **")
+        g = self._backend._ffi.new("BIGNUM **")
+        q = self._backend._ffi.new("BIGNUM **")
+        self._backend._lib.DH_get0_pqg(self._dh_cdata, p, q, g)
+        self._backend.openssl_assert(p[0] != self._backend._ffi.NULL)
+        self._backend.openssl_assert(g[0] != self._backend._ffi.NULL)
+        if q[0] == self._backend._ffi.NULL:
+            q_val = None
+        else:
+            q_val = self._backend._bn_to_int(q[0])
+        pub_key = self._backend._ffi.new("BIGNUM **")
+        priv_key = self._backend._ffi.new("BIGNUM **")
+        self._backend._lib.DH_get0_key(self._dh_cdata, pub_key, priv_key)
+        self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL)
+        self._backend.openssl_assert(priv_key[0] != self._backend._ffi.NULL)
+        return dh.DHPrivateNumbers(
+            public_numbers=dh.DHPublicNumbers(
+                parameter_numbers=dh.DHParameterNumbers(
+                    p=self._backend._bn_to_int(p[0]),
+                    g=self._backend._bn_to_int(g[0]),
+                    q=q_val
+                ),
+                y=self._backend._bn_to_int(pub_key[0])
+            ),
+            x=self._backend._bn_to_int(priv_key[0])
+        )
+
+    def exchange(self, peer_public_key):
+
+        buf = self._backend._ffi.new("unsigned char[]", self._key_size_bytes)
+        pub_key = self._backend._ffi.new("BIGNUM **")
+        self._backend._lib.DH_get0_key(peer_public_key._dh_cdata, pub_key,
+                                       self._backend._ffi.NULL)
+        self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL)
+        res = self._backend._lib.DH_compute_key(
+            buf,
+            pub_key[0],
+            self._dh_cdata
+        )
+
+        if res == -1:
+            errors = self._backend._consume_errors()
+            return _handle_dh_compute_key_error(errors, self._backend)
+        else:
+            self._backend.openssl_assert(res >= 1)
+
+            key = self._backend._ffi.buffer(buf)[:res]
+            pad = self._key_size_bytes - len(key)
+
+            if pad > 0:
+                key = (b"\x00" * pad) + key
+
+            return key
+
+    def public_key(self):
+        dh_cdata = _dh_params_dup(self._dh_cdata, self._backend)
+        pub_key = self._backend._ffi.new("BIGNUM **")
+        self._backend._lib.DH_get0_key(self._dh_cdata,
+                                       pub_key, self._backend._ffi.NULL)
+        self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL)
+        pub_key_dup = self._backend._lib.BN_dup(pub_key[0])
+        self._backend.openssl_assert(pub_key_dup != self._backend._ffi.NULL)
+
+        res = self._backend._lib.DH_set0_key(dh_cdata,
+                                             pub_key_dup,
+                                             self._backend._ffi.NULL)
+        self._backend.openssl_assert(res == 1)
+        evp_pkey = self._backend._dh_cdata_to_evp_pkey(dh_cdata)
+        return _DHPublicKey(self._backend, dh_cdata, evp_pkey)
+
+    def parameters(self):
+        return _dh_cdata_to_parameters(self._dh_cdata, self._backend)
+
+    def private_bytes(self, encoding, format, encryption_algorithm):
+        if format is not serialization.PrivateFormat.PKCS8:
+            raise ValueError(
+                "DH private keys support only PKCS8 serialization"
+            )
+        if not self._backend._lib.Cryptography_HAS_EVP_PKEY_DHX:
+            q = self._backend._ffi.new("BIGNUM **")
+            self._backend._lib.DH_get0_pqg(self._dh_cdata,
+                                           self._backend._ffi.NULL,
+                                           q,
+                                           self._backend._ffi.NULL)
+            if q[0] != self._backend._ffi.NULL:
+                raise UnsupportedAlgorithm(
+                    "DH X9.42 serialization is not supported",
+                    _Reasons.UNSUPPORTED_SERIALIZATION)
+
+        return self._backend._private_key_bytes(
+            encoding,
+            format,
+            encryption_algorithm,
+            self._evp_pkey,
+            self._dh_cdata
+        )
+
+
+@utils.register_interface(dh.DHPublicKeyWithSerialization)
+class _DHPublicKey(object):
+    def __init__(self, backend, dh_cdata, evp_pkey):
+        self._backend = backend
+        self._dh_cdata = dh_cdata
+        self._evp_pkey = evp_pkey
+        self._key_size_bits = _get_dh_num_bits(self._backend, self._dh_cdata)
+
+    @property
+    def key_size(self):
+        return self._key_size_bits
+
+    def public_numbers(self):
+        p = self._backend._ffi.new("BIGNUM **")
+        g = self._backend._ffi.new("BIGNUM **")
+        q = self._backend._ffi.new("BIGNUM **")
+        self._backend._lib.DH_get0_pqg(self._dh_cdata, p, q, g)
+        self._backend.openssl_assert(p[0] != self._backend._ffi.NULL)
+        self._backend.openssl_assert(g[0] != self._backend._ffi.NULL)
+        if q[0] == self._backend._ffi.NULL:
+            q_val = None
+        else:
+            q_val = self._backend._bn_to_int(q[0])
+        pub_key = self._backend._ffi.new("BIGNUM **")
+        self._backend._lib.DH_get0_key(self._dh_cdata,
+                                       pub_key, self._backend._ffi.NULL)
+        self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL)
+        return dh.DHPublicNumbers(
+            parameter_numbers=dh.DHParameterNumbers(
+                p=self._backend._bn_to_int(p[0]),
+                g=self._backend._bn_to_int(g[0]),
+                q=q_val
+            ),
+            y=self._backend._bn_to_int(pub_key[0])
+        )
+
+    def parameters(self):
+        return _dh_cdata_to_parameters(self._dh_cdata, self._backend)
+
+    def public_bytes(self, encoding, format):
+        if format is not serialization.PublicFormat.SubjectPublicKeyInfo:
+            raise ValueError(
+                "DH public keys support only "
+                "SubjectPublicKeyInfo serialization"
+            )
+
+        if not self._backend._lib.Cryptography_HAS_EVP_PKEY_DHX:
+            q = self._backend._ffi.new("BIGNUM **")
+            self._backend._lib.DH_get0_pqg(self._dh_cdata,
+                                           self._backend._ffi.NULL,
+                                           q,
+                                           self._backend._ffi.NULL)
+            if q[0] != self._backend._ffi.NULL:
+                raise UnsupportedAlgorithm(
+                    "DH X9.42 serialization is not supported",
+                    _Reasons.UNSUPPORTED_SERIALIZATION)
+
+        return self._backend._public_key_bytes(
+            encoding,
+            format,
+            self,
+            self._evp_pkey,
+            None
+        )
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/dsa.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/dsa.py
@@ -0,0 +1,268 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+from cryptography import utils
+from cryptography.exceptions import InvalidSignature
+from cryptography.hazmat.backends.openssl.utils import (
+    _calculate_digest_and_algorithm, _check_not_prehashed,
+    _warn_sign_verify_deprecated
+)
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import (
+    AsymmetricSignatureContext, AsymmetricVerificationContext, dsa
+)
+
+
+def _dsa_sig_sign(backend, private_key, data):
+    sig_buf_len = backend._lib.DSA_size(private_key._dsa_cdata)
+    sig_buf = backend._ffi.new("unsigned char[]", sig_buf_len)
+    buflen = backend._ffi.new("unsigned int *")
+
+    # The first parameter passed to DSA_sign is unused by OpenSSL but
+    # must be an integer.
+    res = backend._lib.DSA_sign(
+        0, data, len(data), sig_buf, buflen, private_key._dsa_cdata
+    )
+    backend.openssl_assert(res == 1)
+    backend.openssl_assert(buflen[0])
+
+    return backend._ffi.buffer(sig_buf)[:buflen[0]]
+
+
+def _dsa_sig_verify(backend, public_key, signature, data):
+    # The first parameter passed to DSA_verify is unused by OpenSSL but
+    # must be an integer.
+    res = backend._lib.DSA_verify(
+        0, data, len(data), signature, len(signature), public_key._dsa_cdata
+    )
+
+    if res != 1:
+        backend._consume_errors()
+        raise InvalidSignature
+
+
+@utils.register_interface(AsymmetricVerificationContext)
+class _DSAVerificationContext(object):
+    def __init__(self, backend, public_key, signature, algorithm):
+        self._backend = backend
+        self._public_key = public_key
+        self._signature = signature
+        self._algorithm = algorithm
+
+        self._hash_ctx = hashes.Hash(self._algorithm, self._backend)
+
+    def update(self, data):
+        self._hash_ctx.update(data)
+
+    def verify(self):
+        data_to_verify = self._hash_ctx.finalize()
+
+        _dsa_sig_verify(
+            self._backend, self._public_key, self._signature, data_to_verify
+        )
+
+
+@utils.register_interface(AsymmetricSignatureContext)
+class _DSASignatureContext(object):
+    def __init__(self, backend, private_key, algorithm):
+        self._backend = backend
+        self._private_key = private_key
+        self._algorithm = algorithm
+        self._hash_ctx = hashes.Hash(self._algorithm, self._backend)
+
+    def update(self, data):
+        self._hash_ctx.update(data)
+
+    def finalize(self):
+        data_to_sign = self._hash_ctx.finalize()
+        return _dsa_sig_sign(self._backend, self._private_key, data_to_sign)
+
+
+@utils.register_interface(dsa.DSAParametersWithNumbers)
+class _DSAParameters(object):
+    def __init__(self, backend, dsa_cdata):
+        self._backend = backend
+        self._dsa_cdata = dsa_cdata
+
+    def parameter_numbers(self):
+        p = self._backend._ffi.new("BIGNUM **")
+        q = self._backend._ffi.new("BIGNUM **")
+        g = self._backend._ffi.new("BIGNUM **")
+        self._backend._lib.DSA_get0_pqg(self._dsa_cdata, p, q, g)
+        self._backend.openssl_assert(p[0] != self._backend._ffi.NULL)
+        self._backend.openssl_assert(q[0] != self._backend._ffi.NULL)
+        self._backend.openssl_assert(g[0] != self._backend._ffi.NULL)
+        return dsa.DSAParameterNumbers(
+            p=self._backend._bn_to_int(p[0]),
+            q=self._backend._bn_to_int(q[0]),
+            g=self._backend._bn_to_int(g[0])
+        )
+
+    def generate_private_key(self):
+        return self._backend.generate_dsa_private_key(self)
+
+
+@utils.register_interface(dsa.DSAPrivateKeyWithSerialization)
+class _DSAPrivateKey(object):
+    def __init__(self, backend, dsa_cdata, evp_pkey):
+        self._backend = backend
+        self._dsa_cdata = dsa_cdata
+        self._evp_pkey = evp_pkey
+
+        p = self._backend._ffi.new("BIGNUM **")
+        self._backend._lib.DSA_get0_pqg(
+            dsa_cdata, p, self._backend._ffi.NULL, self._backend._ffi.NULL
+        )
+        self._backend.openssl_assert(p[0] != backend._ffi.NULL)
+        self._key_size = self._backend._lib.BN_num_bits(p[0])
+
+    key_size = utils.read_only_property("_key_size")
+
+    def signer(self, signature_algorithm):
+        _warn_sign_verify_deprecated()
+        _check_not_prehashed(signature_algorithm)
+        return _DSASignatureContext(self._backend, self, signature_algorithm)
+
+    def private_numbers(self):
+        p = self._backend._ffi.new("BIGNUM **")
+        q = self._backend._ffi.new("BIGNUM **")
+        g = self._backend._ffi.new("BIGNUM **")
+        pub_key = self._backend._ffi.new("BIGNUM **")
+        priv_key = self._backend._ffi.new("BIGNUM **")
+        self._backend._lib.DSA_get0_pqg(self._dsa_cdata, p, q, g)
+        self._backend.openssl_assert(p[0] != self._backend._ffi.NULL)
+        self._backend.openssl_assert(q[0] != self._backend._ffi.NULL)
+        self._backend.openssl_assert(g[0] != self._backend._ffi.NULL)
+        self._backend._lib.DSA_get0_key(self._dsa_cdata, pub_key, priv_key)
+        self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL)
+        self._backend.openssl_assert(priv_key[0] != self._backend._ffi.NULL)
+        return dsa.DSAPrivateNumbers(
+            public_numbers=dsa.DSAPublicNumbers(
+                parameter_numbers=dsa.DSAParameterNumbers(
+                    p=self._backend._bn_to_int(p[0]),
+                    q=self._backend._bn_to_int(q[0]),
+                    g=self._backend._bn_to_int(g[0])
+                ),
+                y=self._backend._bn_to_int(pub_key[0])
+            ),
+            x=self._backend._bn_to_int(priv_key[0])
+        )
+
+    def public_key(self):
+        dsa_cdata = self._backend._lib.DSAparams_dup(self._dsa_cdata)
+        self._backend.openssl_assert(dsa_cdata != self._backend._ffi.NULL)
+        dsa_cdata = self._backend._ffi.gc(
+            dsa_cdata, self._backend._lib.DSA_free
+        )
+        pub_key = self._backend._ffi.new("BIGNUM **")
+        self._backend._lib.DSA_get0_key(
+            self._dsa_cdata, pub_key, self._backend._ffi.NULL
+        )
+        self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL)
+        pub_key_dup = self._backend._lib.BN_dup(pub_key[0])
+        res = self._backend._lib.DSA_set0_key(
+            dsa_cdata, pub_key_dup, self._backend._ffi.NULL
+        )
+        self._backend.openssl_assert(res == 1)
+        evp_pkey = self._backend._dsa_cdata_to_evp_pkey(dsa_cdata)
+        return _DSAPublicKey(self._backend, dsa_cdata, evp_pkey)
+
+    def parameters(self):
+        dsa_cdata = self._backend._lib.DSAparams_dup(self._dsa_cdata)
+        self._backend.openssl_assert(dsa_cdata != self._backend._ffi.NULL)
+        dsa_cdata = self._backend._ffi.gc(
+            dsa_cdata, self._backend._lib.DSA_free
+        )
+        return _DSAParameters(self._backend, dsa_cdata)
+
+    def private_bytes(self, encoding, format, encryption_algorithm):
+        return self._backend._private_key_bytes(
+            encoding,
+            format,
+            encryption_algorithm,
+            self._evp_pkey,
+            self._dsa_cdata
+        )
+
+    def sign(self, data, algorithm):
+        data, algorithm = _calculate_digest_and_algorithm(
+            self._backend, data, algorithm
+        )
+        return _dsa_sig_sign(self._backend, self, data)
+
+
+@utils.register_interface(dsa.DSAPublicKeyWithSerialization)
+class _DSAPublicKey(object):
+    def __init__(self, backend, dsa_cdata, evp_pkey):
+        self._backend = backend
+        self._dsa_cdata = dsa_cdata
+        self._evp_pkey = evp_pkey
+        p = self._backend._ffi.new("BIGNUM **")
+        self._backend._lib.DSA_get0_pqg(
+            dsa_cdata, p, self._backend._ffi.NULL, self._backend._ffi.NULL
+        )
+        self._backend.openssl_assert(p[0] != backend._ffi.NULL)
+        self._key_size = self._backend._lib.BN_num_bits(p[0])
+
+    key_size = utils.read_only_property("_key_size")
+
+    def verifier(self, signature, signature_algorithm):
+        _warn_sign_verify_deprecated()
+        utils._check_bytes("signature", signature)
+
+        _check_not_prehashed(signature_algorithm)
+        return _DSAVerificationContext(
+            self._backend, self, signature, signature_algorithm
+        )
+
+    def public_numbers(self):
+        p = self._backend._ffi.new("BIGNUM **")
+        q = self._backend._ffi.new("BIGNUM **")
+        g = self._backend._ffi.new("BIGNUM **")
+        pub_key = self._backend._ffi.new("BIGNUM **")
+        self._backend._lib.DSA_get0_pqg(self._dsa_cdata, p, q, g)
+        self._backend.openssl_assert(p[0] != self._backend._ffi.NULL)
+        self._backend.openssl_assert(q[0] != self._backend._ffi.NULL)
+        self._backend.openssl_assert(g[0] != self._backend._ffi.NULL)
+        self._backend._lib.DSA_get0_key(
+            self._dsa_cdata, pub_key, self._backend._ffi.NULL
+        )
+        self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL)
+        return dsa.DSAPublicNumbers(
+            parameter_numbers=dsa.DSAParameterNumbers(
+                p=self._backend._bn_to_int(p[0]),
+                q=self._backend._bn_to_int(q[0]),
+                g=self._backend._bn_to_int(g[0])
+            ),
+            y=self._backend._bn_to_int(pub_key[0])
+        )
+
+    def parameters(self):
+        dsa_cdata = self._backend._lib.DSAparams_dup(self._dsa_cdata)
+        dsa_cdata = self._backend._ffi.gc(
+            dsa_cdata, self._backend._lib.DSA_free
+        )
+        return _DSAParameters(self._backend, dsa_cdata)
+
+    def public_bytes(self, encoding, format):
+        if format is serialization.PublicFormat.PKCS1:
+            raise ValueError(
+                "DSA public keys do not support PKCS1 serialization"
+            )
+
+        return self._backend._public_key_bytes(
+            encoding,
+            format,
+            self,
+            self._evp_pkey,
+            None
+        )
+
+    def verify(self, signature, data, algorithm):
+        data, algorithm = _calculate_digest_and_algorithm(
+            self._backend, data, algorithm
+        )
+        return _dsa_sig_verify(self._backend, self, signature, data)
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ec.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ec.py
@@ -0,0 +1,340 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+from cryptography import utils
+from cryptography.exceptions import (
+    InvalidSignature, UnsupportedAlgorithm, _Reasons
+)
+from cryptography.hazmat.backends.openssl.utils import (
+    _calculate_digest_and_algorithm, _check_not_prehashed,
+    _warn_sign_verify_deprecated
+)
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import (
+    AsymmetricSignatureContext, AsymmetricVerificationContext, ec
+)
+
+
+def _check_signature_algorithm(signature_algorithm):
+    if not isinstance(signature_algorithm, ec.ECDSA):
+        raise UnsupportedAlgorithm(
+            "Unsupported elliptic curve signature algorithm.",
+            _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM)
+
+
+def _ec_key_curve_sn(backend, ec_key):
+    group = backend._lib.EC_KEY_get0_group(ec_key)
+    backend.openssl_assert(group != backend._ffi.NULL)
+
+    nid = backend._lib.EC_GROUP_get_curve_name(group)
+    # The following check is to find EC keys with unnamed curves and raise
+    # an error for now.
+    if nid == backend._lib.NID_undef:
+        raise NotImplementedError(
+            "ECDSA certificates with unnamed curves are unsupported "
+            "at this time"
+        )
+
+    curve_name = backend._lib.OBJ_nid2sn(nid)
+    backend.openssl_assert(curve_name != backend._ffi.NULL)
+
+    sn = backend._ffi.string(curve_name).decode('ascii')
+    return sn
+
+
+def _mark_asn1_named_ec_curve(backend, ec_cdata):
+    """
+    Set the named curve flag on the EC_KEY. This causes OpenSSL to
+    serialize EC keys along with their curve OID which makes
+    deserialization easier.
+    """
+
+    backend._lib.EC_KEY_set_asn1_flag(
+        ec_cdata, backend._lib.OPENSSL_EC_NAMED_CURVE
+    )
+
+
+def _sn_to_elliptic_curve(backend, sn):
+    try:
+        return ec._CURVE_TYPES[sn]()
+    except KeyError:
+        raise UnsupportedAlgorithm(
+            "{} is not a supported elliptic curve".format(sn),
+            _Reasons.UNSUPPORTED_ELLIPTIC_CURVE
+        )
+
+
+def _ecdsa_sig_sign(backend, private_key, data):
+    max_size = backend._lib.ECDSA_size(private_key._ec_key)
+    backend.openssl_assert(max_size > 0)
+
+    sigbuf = backend._ffi.new("unsigned char[]", max_size)
+    siglen_ptr = backend._ffi.new("unsigned int[]", 1)
+    res = backend._lib.ECDSA_sign(
+        0, data, len(data), sigbuf, siglen_ptr, private_key._ec_key
+    )
+    backend.openssl_assert(res == 1)
+    return backend._ffi.buffer(sigbuf)[:siglen_ptr[0]]
+
+
+def _ecdsa_sig_verify(backend, public_key, signature, data):
+    res = backend._lib.ECDSA_verify(
+        0, data, len(data), signature, len(signature), public_key._ec_key
+    )
+    if res != 1:
+        backend._consume_errors()
+        raise InvalidSignature
+
+
+@utils.register_interface(AsymmetricSignatureContext)
+class _ECDSASignatureContext(object):
+    def __init__(self, backend, private_key, algorithm):
+        self._backend = backend
+        self._private_key = private_key
+        self._digest = hashes.Hash(algorithm, backend)
+
+    def update(self, data):
+        self._digest.update(data)
+
+    def finalize(self):
+        digest = self._digest.finalize()
+
+        return _ecdsa_sig_sign(self._backend, self._private_key, digest)
+
+
+@utils.register_interface(AsymmetricVerificationContext)
+class _ECDSAVerificationContext(object):
+    def __init__(self, backend, public_key, signature, algorithm):
+        self._backend = backend
+        self._public_key = public_key
+        self._signature = signature
+        self._digest = hashes.Hash(algorithm, backend)
+
+    def update(self, data):
+        self._digest.update(data)
+
+    def verify(self):
+        digest = self._digest.finalize()
+        _ecdsa_sig_verify(
+            self._backend, self._public_key, self._signature, digest
+        )
+
+
+@utils.register_interface(ec.EllipticCurvePrivateKeyWithSerialization)
+class _EllipticCurvePrivateKey(object):
+    def __init__(self, backend, ec_key_cdata, evp_pkey):
+        self._backend = backend
+        _mark_asn1_named_ec_curve(backend, ec_key_cdata)
+        self._ec_key = ec_key_cdata
+        self._evp_pkey = evp_pkey
+
+        sn = _ec_key_curve_sn(backend, ec_key_cdata)
+        self._curve = _sn_to_elliptic_curve(backend, sn)
+
+    curve = utils.read_only_property("_curve")
+
+    @property
+    def key_size(self):
+        return self.curve.key_size
+
+    def signer(self, signature_algorithm):
+        _warn_sign_verify_deprecated()
+        _check_signature_algorithm(signature_algorithm)
+        _check_not_prehashed(signature_algorithm.algorithm)
+        return _ECDSASignatureContext(
+            self._backend, self, signature_algorithm.algorithm
+        )
+
+    def exchange(self, algorithm, peer_public_key):
+        if not (
+            self._backend.elliptic_curve_exchange_algorithm_supported(
+                algorithm, self.curve
+            )
+        ):
+            raise UnsupportedAlgorithm(
+                "This backend does not support the ECDH algorithm.",
+                _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM
+            )
+
+        if peer_public_key.curve.name != self.curve.name:
+            raise ValueError(
+                "peer_public_key and self are not on the same curve"
+            )
+
+        group = self._backend._lib.EC_KEY_get0_group(self._ec_key)
+        z_len = (self._backend._lib.EC_GROUP_get_degree(group) + 7) // 8
+        self._backend.openssl_assert(z_len > 0)
+        z_buf = self._backend._ffi.new("uint8_t[]", z_len)
+        peer_key = self._backend._lib.EC_KEY_get0_public_key(
+            peer_public_key._ec_key
+        )
+
+        r = self._backend._lib.ECDH_compute_key(
+            z_buf, z_len, peer_key, self._ec_key, self._backend._ffi.NULL
+        )
+        self._backend.openssl_assert(r > 0)
+        return self._backend._ffi.buffer(z_buf)[:z_len]
+
+    def public_key(self):
+        group = self._backend._lib.EC_KEY_get0_group(self._ec_key)
+        self._backend.openssl_assert(group != self._backend._ffi.NULL)
+
+        curve_nid = self._backend._lib.EC_GROUP_get_curve_name(group)
+
+        public_ec_key = self._backend._lib.EC_KEY_new_by_curve_name(curve_nid)
+        self._backend.openssl_assert(public_ec_key != self._backend._ffi.NULL)
+        public_ec_key = self._backend._ffi.gc(
+            public_ec_key, self._backend._lib.EC_KEY_free
+        )
+
+        point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key)
+        self._backend.openssl_assert(point != self._backend._ffi.NULL)
+
+        res = self._backend._lib.EC_KEY_set_public_key(public_ec_key, point)
+        self._backend.openssl_assert(res == 1)
+
+        evp_pkey = self._backend._ec_cdata_to_evp_pkey(public_ec_key)
+
+        return _EllipticCurvePublicKey(self._backend, public_ec_key, evp_pkey)
+
+    def private_numbers(self):
+        bn = self._backend._lib.EC_KEY_get0_private_key(self._ec_key)
+        private_value = self._backend._bn_to_int(bn)
+        return ec.EllipticCurvePrivateNumbers(
+            private_value=private_value,
+            public_numbers=self.public_key().public_numbers()
+        )
+
+    def private_bytes(self, encoding, format, encryption_algorithm):
+        return self._backend._private_key_bytes(
+            encoding,
+            format,
+            encryption_algorithm,
+            self._evp_pkey,
+            self._ec_key
+        )
+
+    def sign(self, data, signature_algorithm):
+        _check_signature_algorithm(signature_algorithm)
+        data, algorithm = _calculate_digest_and_algorithm(
+            self._backend, data, signature_algorithm._algorithm
+        )
+        return _ecdsa_sig_sign(self._backend, self, data)
+
+
+@utils.register_interface(ec.EllipticCurvePublicKeyWithSerialization)
+class _EllipticCurvePublicKey(object):
+    def __init__(self, backend, ec_key_cdata, evp_pkey):
+        self._backend = backend
+        _mark_asn1_named_ec_curve(backend, ec_key_cdata)
+        self._ec_key = ec_key_cdata
+        self._evp_pkey = evp_pkey
+
+        sn = _ec_key_curve_sn(backend, ec_key_cdata)
+        self._curve = _sn_to_elliptic_curve(backend, sn)
+
+    curve = utils.read_only_property("_curve")
+
+    @property
+    def key_size(self):
+        return self.curve.key_size
+
+    def verifier(self, signature, signature_algorithm):
+        _warn_sign_verify_deprecated()
+        utils._check_bytes("signature", signature)
+
+        _check_signature_algorithm(signature_algorithm)
+        _check_not_prehashed(signature_algorithm.algorithm)
+        return _ECDSAVerificationContext(
+            self._backend, self, signature, signature_algorithm.algorithm
+        )
+
+    def public_numbers(self):
+        get_func, group = (
+            self._backend._ec_key_determine_group_get_func(self._ec_key)
+        )
+        point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key)
+        self._backend.openssl_assert(point != self._backend._ffi.NULL)
+
+        with self._backend._tmp_bn_ctx() as bn_ctx:
+            bn_x = self._backend._lib.BN_CTX_get(bn_ctx)
+            bn_y = self._backend._lib.BN_CTX_get(bn_ctx)
+
+            res = get_func(group, point, bn_x, bn_y, bn_ctx)
+            self._backend.openssl_assert(res == 1)
+
+            x = self._backend._bn_to_int(bn_x)
+            y = self._backend._bn_to_int(bn_y)
+
+        return ec.EllipticCurvePublicNumbers(
+            x=x,
+            y=y,
+            curve=self._curve
+        )
+
+    def _encode_point(self, format):
+        if format is serialization.PublicFormat.CompressedPoint:
+            conversion = self._backend._lib.POINT_CONVERSION_COMPRESSED
+        else:
+            assert format is serialization.PublicFormat.UncompressedPoint
+            conversion = self._backend._lib.POINT_CONVERSION_UNCOMPRESSED
+
+        group = self._backend._lib.EC_KEY_get0_group(self._ec_key)
+        self._backend.openssl_assert(group != self._backend._ffi.NULL)
+        point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key)
+        self._backend.openssl_assert(point != self._backend._ffi.NULL)
+        with self._backend._tmp_bn_ctx() as bn_ctx:
+            buflen = self._backend._lib.EC_POINT_point2oct(
+                group, point, conversion, self._backend._ffi.NULL, 0, bn_ctx
+            )
+            self._backend.openssl_assert(buflen > 0)
+            buf = self._backend._ffi.new("char[]", buflen)
+            res = self._backend._lib.EC_POINT_point2oct(
+                group, point, conversion, buf, buflen, bn_ctx
+            )
+            self._backend.openssl_assert(buflen == res)
+
+        return self._backend._ffi.buffer(buf)[:]
+
+    def public_bytes(self, encoding, format):
+        if format is serialization.PublicFormat.PKCS1:
+            raise ValueError(
+                "EC public keys do not support PKCS1 serialization"
+            )
+
+        if (
+            encoding is serialization.Encoding.X962 or
+            format is serialization.PublicFormat.CompressedPoint or
+            format is serialization.PublicFormat.UncompressedPoint
+        ):
+            if (
+                encoding is not serialization.Encoding.X962 or
+                format not in (
+                    serialization.PublicFormat.CompressedPoint,
+                    serialization.PublicFormat.UncompressedPoint
+                )
+            ):
+                raise ValueError(
+                    "X962 encoding must be used with CompressedPoint or "
+                    "UncompressedPoint format"
+                )
+
+            return self._encode_point(format)
+        else:
+            return self._backend._public_key_bytes(
+                encoding,
+                format,
+                self,
+                self._evp_pkey,
+                None
+            )
+
+    def verify(self, signature, data, signature_algorithm):
+        _check_signature_algorithm(signature_algorithm)
+        data, algorithm = _calculate_digest_and_algorithm(
+            self._backend, data, signature_algorithm._algorithm
+        )
+        _ecdsa_sig_verify(self._backend, self, signature, data)
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ed25519.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ed25519.py
@@ -0,0 +1,151 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+from cryptography import exceptions, utils
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric.ed25519 import (
+    Ed25519PrivateKey, Ed25519PublicKey, _ED25519_KEY_SIZE, _ED25519_SIG_SIZE
+)
+
+
+@utils.register_interface(Ed25519PublicKey)
+class _Ed25519PublicKey(object):
+    def __init__(self, backend, evp_pkey):
+        self._backend = backend
+        self._evp_pkey = evp_pkey
+
+    def public_bytes(self, encoding, format):
+        if (
+            encoding is serialization.Encoding.Raw or
+            format is serialization.PublicFormat.Raw
+        ):
+            if (
+                encoding is not serialization.Encoding.Raw or
+                format is not serialization.PublicFormat.Raw
+            ):
+                raise ValueError(
+                    "When using Raw both encoding and format must be Raw"
+                )
+
+            return self._raw_public_bytes()
+
+        if (
+            encoding in serialization._PEM_DER and
+            format is not serialization.PublicFormat.SubjectPublicKeyInfo
+        ):
+            raise ValueError(
+                "format must be SubjectPublicKeyInfo when encoding is PEM or "
+                "DER"
+            )
+
+        return self._backend._public_key_bytes(
+            encoding, format, self, self._evp_pkey, None
+        )
+
+    def _raw_public_bytes(self):
+        buf = self._backend._ffi.new("unsigned char []", _ED25519_KEY_SIZE)
+        buflen = self._backend._ffi.new("size_t *", _ED25519_KEY_SIZE)
+        res = self._backend._lib.EVP_PKEY_get_raw_public_key(
+            self._evp_pkey, buf, buflen
+        )
+        self._backend.openssl_assert(res == 1)
+        self._backend.openssl_assert(buflen[0] == _ED25519_KEY_SIZE)
+        return self._backend._ffi.buffer(buf, _ED25519_KEY_SIZE)[:]
+
+    def verify(self, signature, data):
+        evp_md_ctx = self._backend._lib.Cryptography_EVP_MD_CTX_new()
+        self._backend.openssl_assert(evp_md_ctx != self._backend._ffi.NULL)
+        evp_md_ctx = self._backend._ffi.gc(
+            evp_md_ctx, self._backend._lib.Cryptography_EVP_MD_CTX_free
+        )
+        res = self._backend._lib.EVP_DigestVerifyInit(
+            evp_md_ctx, self._backend._ffi.NULL, self._backend._ffi.NULL,
+            self._backend._ffi.NULL, self._evp_pkey
+        )
+        self._backend.openssl_assert(res == 1)
+        res = self._backend._lib.EVP_DigestVerify(
+            evp_md_ctx, signature, len(signature), data, len(data)
+        )
+        if res != 1:
+            self._backend._consume_errors()
+            raise exceptions.InvalidSignature
+
+
+@utils.register_interface(Ed25519PrivateKey)
+class _Ed25519PrivateKey(object):
+    def __init__(self, backend, evp_pkey):
+        self._backend = backend
+        self._evp_pkey = evp_pkey
+
+    def public_key(self):
+        buf = self._backend._ffi.new("unsigned char []", _ED25519_KEY_SIZE)
+        buflen = self._backend._ffi.new("size_t *", _ED25519_KEY_SIZE)
+        res = self._backend._lib.EVP_PKEY_get_raw_public_key(
+            self._evp_pkey, buf, buflen
+        )
+        self._backend.openssl_assert(res == 1)
+        self._backend.openssl_assert(buflen[0] == _ED25519_KEY_SIZE)
+        public_bytes = self._backend._ffi.buffer(buf)[:]
+        return self._backend.ed25519_load_public_bytes(public_bytes)
+
+    def sign(self, data):
+        evp_md_ctx = self._backend._lib.Cryptography_EVP_MD_CTX_new()
+        self._backend.openssl_assert(evp_md_ctx != self._backend._ffi.NULL)
+        evp_md_ctx = self._backend._ffi.gc(
+            evp_md_ctx, self._backend._lib.Cryptography_EVP_MD_CTX_free
+        )
+        res = self._backend._lib.EVP_DigestSignInit(
+            evp_md_ctx, self._backend._ffi.NULL, self._backend._ffi.NULL,
+            self._backend._ffi.NULL, self._evp_pkey
+        )
+        self._backend.openssl_assert(res == 1)
+        buf = self._backend._ffi.new("unsigned char[]", _ED25519_SIG_SIZE)
+        buflen = self._backend._ffi.new("size_t *", len(buf))
+        res = self._backend._lib.EVP_DigestSign(
+            evp_md_ctx, buf, buflen, data, len(data)
+        )
+        self._backend.openssl_assert(res == 1)
+        self._backend.openssl_assert(buflen[0] == _ED25519_SIG_SIZE)
+        return self._backend._ffi.buffer(buf, buflen[0])[:]
+
+    def private_bytes(self, encoding, format, encryption_algorithm):
+        if (
+            encoding is serialization.Encoding.Raw or
+            format is serialization.PublicFormat.Raw
+        ):
+            if (
+                format is not serialization.PrivateFormat.Raw or
+                encoding is not serialization.Encoding.Raw or not
+                isinstance(encryption_algorithm, serialization.NoEncryption)
+            ):
+                raise ValueError(
+                    "When using Raw both encoding and format must be Raw "
+                    "and encryption_algorithm must be NoEncryption"
+                )
+
+            return self._raw_private_bytes()
+
+        if (
+            encoding in serialization._PEM_DER and
+            format is not serialization.PrivateFormat.PKCS8
+        ):
+            raise ValueError(
+                "format must be PKCS8 when encoding is PEM or DER"
+            )
+
+        return self._backend._private_key_bytes(
+            encoding, format, encryption_algorithm, self._evp_pkey, None
+        )
+
+    def _raw_private_bytes(self):
+        buf = self._backend._ffi.new("unsigned char []", _ED25519_KEY_SIZE)
+        buflen = self._backend._ffi.new("size_t *", _ED25519_KEY_SIZE)
+        res = self._backend._lib.EVP_PKEY_get_raw_private_key(
+            self._evp_pkey, buf, buflen
+        )
+        self._backend.openssl_assert(res == 1)
+        self._backend.openssl_assert(buflen[0] == _ED25519_KEY_SIZE)
+        return self._backend._ffi.buffer(buf, _ED25519_KEY_SIZE)[:]
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ed448.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ed448.py
@@ -0,0 +1,154 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+from cryptography import exceptions, utils
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric.ed448 import (
+    Ed448PrivateKey, Ed448PublicKey
+)
+
+_ED448_KEY_SIZE = 57
+_ED448_SIG_SIZE = 114
+
+
+@utils.register_interface(Ed448PublicKey)
+class _Ed448PublicKey(object):
+    def __init__(self, backend, evp_pkey):
+        self._backend = backend
+        self._evp_pkey = evp_pkey
+
+    def public_bytes(self, encoding, format):
+        if (
+            encoding is serialization.Encoding.Raw or
+            format is serialization.PublicFormat.Raw
+        ):
+            if (
+                encoding is not serialization.Encoding.Raw or
+                format is not serialization.PublicFormat.Raw
+            ):
+                raise ValueError(
+                    "When using Raw both encoding and format must be Raw"
+                )
+
+            return self._raw_public_bytes()
+
+        if (
+            encoding in serialization._PEM_DER and
+            format is not serialization.PublicFormat.SubjectPublicKeyInfo
+        ):
+            raise ValueError(
+                "format must be SubjectPublicKeyInfo when encoding is PEM or "
+                "DER"
+            )
+
+        return self._backend._public_key_bytes(
+            encoding, format, self, self._evp_pkey, None
+        )
+
+    def _raw_public_bytes(self):
+        buf = self._backend._ffi.new("unsigned char []", _ED448_KEY_SIZE)
+        buflen = self._backend._ffi.new("size_t *", _ED448_KEY_SIZE)
+        res = self._backend._lib.EVP_PKEY_get_raw_public_key(
+            self._evp_pkey, buf, buflen
+        )
+        self._backend.openssl_assert(res == 1)
+        self._backend.openssl_assert(buflen[0] == _ED448_KEY_SIZE)
+        return self._backend._ffi.buffer(buf, _ED448_KEY_SIZE)[:]
+
+    def verify(self, signature, data):
+        evp_md_ctx = self._backend._lib.Cryptography_EVP_MD_CTX_new()
+        self._backend.openssl_assert(evp_md_ctx != self._backend._ffi.NULL)
+        evp_md_ctx = self._backend._ffi.gc(
+            evp_md_ctx, self._backend._lib.Cryptography_EVP_MD_CTX_free
+        )
+        res = self._backend._lib.EVP_DigestVerifyInit(
+            evp_md_ctx, self._backend._ffi.NULL, self._backend._ffi.NULL,
+            self._backend._ffi.NULL, self._evp_pkey
+        )
+        self._backend.openssl_assert(res == 1)
+        res = self._backend._lib.EVP_DigestVerify(
+            evp_md_ctx, signature, len(signature), data, len(data)
+        )
+        if res != 1:
+            self._backend._consume_errors()
+            raise exceptions.InvalidSignature
+
+
+@utils.register_interface(Ed448PrivateKey)
+class _Ed448PrivateKey(object):
+    def __init__(self, backend, evp_pkey):
+        self._backend = backend
+        self._evp_pkey = evp_pkey
+
+    def public_key(self):
+        buf = self._backend._ffi.new("unsigned char []", _ED448_KEY_SIZE)
+        buflen = self._backend._ffi.new("size_t *", _ED448_KEY_SIZE)
+        res = self._backend._lib.EVP_PKEY_get_raw_public_key(
+            self._evp_pkey, buf, buflen
+        )
+        self._backend.openssl_assert(res == 1)
+        self._backend.openssl_assert(buflen[0] == _ED448_KEY_SIZE)
+        public_bytes = self._backend._ffi.buffer(buf)[:]
+        return self._backend.ed448_load_public_bytes(public_bytes)
+
+    def sign(self, data):
+        evp_md_ctx = self._backend._lib.Cryptography_EVP_MD_CTX_new()
+        self._backend.openssl_assert(evp_md_ctx != self._backend._ffi.NULL)
+        evp_md_ctx = self._backend._ffi.gc(
+            evp_md_ctx, self._backend._lib.Cryptography_EVP_MD_CTX_free
+        )
+        res = self._backend._lib.EVP_DigestSignInit(
+            evp_md_ctx, self._backend._ffi.NULL, self._backend._ffi.NULL,
+            self._backend._ffi.NULL, self._evp_pkey
+        )
+        self._backend.openssl_assert(res == 1)
+        buf = self._backend._ffi.new("unsigned char[]", _ED448_SIG_SIZE)
+        buflen = self._backend._ffi.new("size_t *", len(buf))
+        res = self._backend._lib.EVP_DigestSign(
+            evp_md_ctx, buf, buflen, data, len(data)
+        )
+        self._backend.openssl_assert(res == 1)
+        self._backend.openssl_assert(buflen[0] == _ED448_SIG_SIZE)
+        return self._backend._ffi.buffer(buf, buflen[0])[:]
+
+    def private_bytes(self, encoding, format, encryption_algorithm):
+        if (
+            encoding is serialization.Encoding.Raw or
+            format is serialization.PublicFormat.Raw
+        ):
+            if (
+                format is not serialization.PrivateFormat.Raw or
+                encoding is not serialization.Encoding.Raw or not
+                isinstance(encryption_algorithm, serialization.NoEncryption)
+            ):
+                raise ValueError(
+                    "When using Raw both encoding and format must be Raw "
+                    "and encryption_algorithm must be NoEncryption"
+                )
+
+            return self._raw_private_bytes()
+
+        if (
+            encoding in serialization._PEM_DER and
+            format is not serialization.PrivateFormat.PKCS8
+        ):
+            raise ValueError(
+                "format must be PKCS8 when encoding is PEM or DER"
+            )
+
+        return self._backend._private_key_bytes(
+            encoding, format, encryption_algorithm, self._evp_pkey, None
+        )
+
+    def _raw_private_bytes(self):
+        buf = self._backend._ffi.new("unsigned char []", _ED448_KEY_SIZE)
+        buflen = self._backend._ffi.new("size_t *", _ED448_KEY_SIZE)
+        res = self._backend._lib.EVP_PKEY_get_raw_private_key(
+            self._evp_pkey, buf, buflen
+        )
+        self._backend.openssl_assert(res == 1)
+        self._backend.openssl_assert(buflen[0] == _ED448_KEY_SIZE)
+        return self._backend._ffi.buffer(buf, _ED448_KEY_SIZE)[:]
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/encode_asn1.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/encode_asn1.py
@@ -0,0 +1,657 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import calendar
+import ipaddress
+
+import six
+
+from cryptography import utils, x509
+from cryptography.hazmat.backends.openssl.decode_asn1 import (
+    _CRL_ENTRY_REASON_ENUM_TO_CODE, _DISTPOINT_TYPE_FULLNAME,
+    _DISTPOINT_TYPE_RELATIVENAME
+)
+from cryptography.x509.name import _ASN1Type
+from cryptography.x509.oid import (
+    CRLEntryExtensionOID, ExtensionOID, OCSPExtensionOID,
+)
+
+
+def _encode_asn1_int(backend, x):
+    """
+    Converts a python integer to an ASN1_INTEGER. The returned ASN1_INTEGER
+    will not be garbage collected (to support adding them to structs that take
+    ownership of the object). Be sure to register it for GC if it will be
+    discarded after use.
+
+    """
+    # Convert Python integer to OpenSSL "bignum" in case value exceeds
+    # machine's native integer limits (note: `int_to_bn` doesn't automatically
+    # GC).
+    i = backend._int_to_bn(x)
+    i = backend._ffi.gc(i, backend._lib.BN_free)
+
+    # Wrap in an ASN.1 integer.  Don't GC -- as documented.
+    i = backend._lib.BN_to_ASN1_INTEGER(i, backend._ffi.NULL)
+    backend.openssl_assert(i != backend._ffi.NULL)
+    return i
+
+
+def _encode_asn1_int_gc(backend, x):
+    i = _encode_asn1_int(backend, x)
+    i = backend._ffi.gc(i, backend._lib.ASN1_INTEGER_free)
+    return i
+
+
+def _encode_asn1_str(backend, data):
+    """
+    Create an ASN1_OCTET_STRING from a Python byte string.
+    """
+    s = backend._lib.ASN1_OCTET_STRING_new()
+    res = backend._lib.ASN1_OCTET_STRING_set(s, data, len(data))
+    backend.openssl_assert(res == 1)
+    return s
+
+
+def _encode_asn1_utf8_str(backend, string):
+    """
+    Create an ASN1_UTF8STRING from a Python unicode string.
+    This object will be an ASN1_STRING with UTF8 type in OpenSSL and
+    can be decoded with ASN1_STRING_to_UTF8.
+    """
+    s = backend._lib.ASN1_UTF8STRING_new()
+    res = backend._lib.ASN1_STRING_set(
+        s, string.encode("utf8"), len(string.encode("utf8"))
+    )
+    backend.openssl_assert(res == 1)
+    return s
+
+
+def _encode_asn1_str_gc(backend, data):
+    s = _encode_asn1_str(backend, data)
+    s = backend._ffi.gc(s, backend._lib.ASN1_OCTET_STRING_free)
+    return s
+
+
+def _encode_inhibit_any_policy(backend, inhibit_any_policy):
+    return _encode_asn1_int_gc(backend, inhibit_any_policy.skip_certs)
+
+
+def _encode_name(backend, name):
+    """
+    The X509_NAME created will not be gc'd. Use _encode_name_gc if needed.
+    """
+    subject = backend._lib.X509_NAME_new()
+    for rdn in name.rdns:
+        set_flag = 0  # indicate whether to add to last RDN or create new RDN
+        for attribute in rdn:
+            name_entry = _encode_name_entry(backend, attribute)
+            # X509_NAME_add_entry dups the object so we need to gc this copy
+            name_entry = backend._ffi.gc(
+                name_entry, backend._lib.X509_NAME_ENTRY_free
+            )
+            res = backend._lib.X509_NAME_add_entry(
+                subject, name_entry, -1, set_flag)
+            backend.openssl_assert(res == 1)
+            set_flag = -1
+    return subject
+
+
+def _encode_name_gc(backend, attributes):
+    subject = _encode_name(backend, attributes)
+    subject = backend._ffi.gc(subject, backend._lib.X509_NAME_free)
+    return subject
+
+
+def _encode_sk_name_entry(backend, attributes):
+    """
+    The sk_X509_NAME_ENTRY created will not be gc'd.
+    """
+    stack = backend._lib.sk_X509_NAME_ENTRY_new_null()
+    for attribute in attributes:
+        name_entry = _encode_name_entry(backend, attribute)
+        res = backend._lib.sk_X509_NAME_ENTRY_push(stack, name_entry)
+        backend.openssl_assert(res >= 1)
+    return stack
+
+
+def _encode_name_entry(backend, attribute):
+    if attribute._type is _ASN1Type.BMPString:
+        value = attribute.value.encode('utf_16_be')
+    else:
+        value = attribute.value.encode('utf8')
+
+    obj = _txt2obj_gc(backend, attribute.oid.dotted_string)
+
+    name_entry = backend._lib.X509_NAME_ENTRY_create_by_OBJ(
+        backend._ffi.NULL, obj, attribute._type.value, value, len(value)
+    )
+    return name_entry
+
+
+def _encode_crl_number_delta_crl_indicator(backend, ext):
+    return _encode_asn1_int_gc(backend, ext.crl_number)
+
+
+def _encode_issuing_dist_point(backend, ext):
+    idp = backend._lib.ISSUING_DIST_POINT_new()
+    backend.openssl_assert(idp != backend._ffi.NULL)
+    idp = backend._ffi.gc(idp, backend._lib.ISSUING_DIST_POINT_free)
+    idp.onlyuser = 255 if ext.only_contains_user_certs else 0
+    idp.onlyCA = 255 if ext.only_contains_ca_certs else 0
+    idp.indirectCRL = 255 if ext.indirect_crl else 0
+    idp.onlyattr = 255 if ext.only_contains_attribute_certs else 0
+    if ext.only_some_reasons:
+        idp.onlysomereasons = _encode_reasonflags(
+            backend, ext.only_some_reasons
+        )
+
+    if ext.full_name:
+        idp.distpoint = _encode_full_name(backend, ext.full_name)
+
+    if ext.relative_name:
+        idp.distpoint = _encode_relative_name(backend, ext.relative_name)
+
+    return idp
+
+
+def _encode_crl_reason(backend, crl_reason):
+    asn1enum = backend._lib.ASN1_ENUMERATED_new()
+    backend.openssl_assert(asn1enum != backend._ffi.NULL)
+    asn1enum = backend._ffi.gc(asn1enum, backend._lib.ASN1_ENUMERATED_free)
+    res = backend._lib.ASN1_ENUMERATED_set(
+        asn1enum, _CRL_ENTRY_REASON_ENUM_TO_CODE[crl_reason.reason]
+    )
+    backend.openssl_assert(res == 1)
+
+    return asn1enum
+
+
+def _encode_invalidity_date(backend, invalidity_date):
+    time = backend._lib.ASN1_GENERALIZEDTIME_set(
+        backend._ffi.NULL, calendar.timegm(
+            invalidity_date.invalidity_date.timetuple()
+        )
+    )
+    backend.openssl_assert(time != backend._ffi.NULL)
+    time = backend._ffi.gc(time, backend._lib.ASN1_GENERALIZEDTIME_free)
+
+    return time
+
+
+def _encode_certificate_policies(backend, certificate_policies):
+    cp = backend._lib.sk_POLICYINFO_new_null()
+    backend.openssl_assert(cp != backend._ffi.NULL)
+    cp = backend._ffi.gc(cp, backend._lib.sk_POLICYINFO_free)
+    for policy_info in certificate_policies:
+        pi = backend._lib.POLICYINFO_new()
+        backend.openssl_assert(pi != backend._ffi.NULL)
+        res = backend._lib.sk_POLICYINFO_push(cp, pi)
+        backend.openssl_assert(res >= 1)
+        oid = _txt2obj(backend, policy_info.policy_identifier.dotted_string)
+        pi.policyid = oid
+        if policy_info.policy_qualifiers:
+            pqis = backend._lib.sk_POLICYQUALINFO_new_null()
+            backend.openssl_assert(pqis != backend._ffi.NULL)
+            for qualifier in policy_info.policy_qualifiers:
+                pqi = backend._lib.POLICYQUALINFO_new()
+                backend.openssl_assert(pqi != backend._ffi.NULL)
+                res = backend._lib.sk_POLICYQUALINFO_push(pqis, pqi)
+                backend.openssl_assert(res >= 1)
+                if isinstance(qualifier, six.text_type):
+                    pqi.pqualid = _txt2obj(
+                        backend, x509.OID_CPS_QUALIFIER.dotted_string
+                    )
+                    pqi.d.cpsuri = _encode_asn1_str(
+                        backend,
+                        qualifier.encode("ascii"),
+                    )
+                else:
+                    assert isinstance(qualifier, x509.UserNotice)
+                    pqi.pqualid = _txt2obj(
+                        backend, x509.OID_CPS_USER_NOTICE.dotted_string
+                    )
+                    un = backend._lib.USERNOTICE_new()
+                    backend.openssl_assert(un != backend._ffi.NULL)
+                    pqi.d.usernotice = un
+                    if qualifier.explicit_text:
+                        un.exptext = _encode_asn1_utf8_str(
+                            backend, qualifier.explicit_text
+                        )
+
+                    un.noticeref = _encode_notice_reference(
+                        backend, qualifier.notice_reference
+                    )
+
+            pi.qualifiers = pqis
+
+    return cp
+
+
+def _encode_notice_reference(backend, notice):
+    if notice is None:
+        return backend._ffi.NULL
+    else:
+        nr = backend._lib.NOTICEREF_new()
+        backend.openssl_assert(nr != backend._ffi.NULL)
+        # organization is a required field
+        nr.organization = _encode_asn1_utf8_str(backend, notice.organization)
+
+        notice_stack = backend._lib.sk_ASN1_INTEGER_new_null()
+        nr.noticenos = notice_stack
+        for number in notice.notice_numbers:
+            num = _encode_asn1_int(backend, number)
+            res = backend._lib.sk_ASN1_INTEGER_push(notice_stack, num)
+            backend.openssl_assert(res >= 1)
+
+        return nr
+
+
+def _txt2obj(backend, name):
+    """
+    Converts a Python string with an ASN.1 object ID in dotted form to a
+    ASN1_OBJECT.
+    """
+    name = name.encode('ascii')
+    obj = backend._lib.OBJ_txt2obj(name, 1)
+    backend.openssl_assert(obj != backend._ffi.NULL)
+    return obj
+
+
+def _txt2obj_gc(backend, name):
+    obj = _txt2obj(backend, name)
+    obj = backend._ffi.gc(obj, backend._lib.ASN1_OBJECT_free)
+    return obj
+
+
+def _encode_ocsp_nocheck(backend, ext):
+    # Doesn't need to be GC'd
+    return backend._lib.ASN1_NULL_new()
+
+
+def _encode_key_usage(backend, key_usage):
+    set_bit = backend._lib.ASN1_BIT_STRING_set_bit
+    ku = backend._lib.ASN1_BIT_STRING_new()
+    ku = backend._ffi.gc(ku, backend._lib.ASN1_BIT_STRING_free)
+    res = set_bit(ku, 0, key_usage.digital_signature)
+    backend.openssl_assert(res == 1)
+    res = set_bit(ku, 1, key_usage.content_commitment)
+    backend.openssl_assert(res == 1)
+    res = set_bit(ku, 2, key_usage.key_encipherment)
+    backend.openssl_assert(res == 1)
+    res = set_bit(ku, 3, key_usage.data_encipherment)
+    backend.openssl_assert(res == 1)
+    res = set_bit(ku, 4, key_usage.key_agreement)
+    backend.openssl_assert(res == 1)
+    res = set_bit(ku, 5, key_usage.key_cert_sign)
+    backend.openssl_assert(res == 1)
+    res = set_bit(ku, 6, key_usage.crl_sign)
+    backend.openssl_assert(res == 1)
+    if key_usage.key_agreement:
+        res = set_bit(ku, 7, key_usage.encipher_only)
+        backend.openssl_assert(res == 1)
+        res = set_bit(ku, 8, key_usage.decipher_only)
+        backend.openssl_assert(res == 1)
+    else:
+        res = set_bit(ku, 7, 0)
+        backend.openssl_assert(res == 1)
+        res = set_bit(ku, 8, 0)
+        backend.openssl_assert(res == 1)
+
+    return ku
+
+
+def _encode_authority_key_identifier(backend, authority_keyid):
+    akid = backend._lib.AUTHORITY_KEYID_new()
+    backend.openssl_assert(akid != backend._ffi.NULL)
+    akid = backend._ffi.gc(akid, backend._lib.AUTHORITY_KEYID_free)
+    if authority_keyid.key_identifier is not None:
+        akid.keyid = _encode_asn1_str(
+            backend,
+            authority_keyid.key_identifier,
+        )
+
+    if authority_keyid.authority_cert_issuer is not None:
+        akid.issuer = _encode_general_names(
+            backend, authority_keyid.authority_cert_issuer
+        )
+
+    if authority_keyid.authority_cert_serial_number is not None:
+        akid.serial = _encode_asn1_int(
+            backend, authority_keyid.authority_cert_serial_number
+        )
+
+    return akid
+
+
+def _encode_basic_constraints(backend, basic_constraints):
+    constraints = backend._lib.BASIC_CONSTRAINTS_new()
+    constraints = backend._ffi.gc(
+        constraints, backend._lib.BASIC_CONSTRAINTS_free
+    )
+    constraints.ca = 255 if basic_constraints.ca else 0
+    if basic_constraints.ca and basic_constraints.path_length is not None:
+        constraints.pathlen = _encode_asn1_int(
+            backend, basic_constraints.path_length
+        )
+
+    return constraints
+
+
+def _encode_authority_information_access(backend, authority_info_access):
+    aia = backend._lib.sk_ACCESS_DESCRIPTION_new_null()
+    backend.openssl_assert(aia != backend._ffi.NULL)
+    aia = backend._ffi.gc(
+        aia,
+        lambda x: backend._lib.sk_ACCESS_DESCRIPTION_pop_free(
+            x, backend._ffi.addressof(
+                backend._lib._original_lib, "ACCESS_DESCRIPTION_free"
+            )
+        )
+    )
+    for access_description in authority_info_access:
+        ad = backend._lib.ACCESS_DESCRIPTION_new()
+        method = _txt2obj(
+            backend, access_description.access_method.dotted_string
+        )
+        _encode_general_name_preallocated(
+            backend, access_description.access_location, ad.location
+        )
+        ad.method = method
+        res = backend._lib.sk_ACCESS_DESCRIPTION_push(aia, ad)
+        backend.openssl_assert(res >= 1)
+
+    return aia
+
+
+def _encode_general_names(backend, names):
+    general_names = backend._lib.GENERAL_NAMES_new()
+    backend.openssl_assert(general_names != backend._ffi.NULL)
+    for name in names:
+        gn = _encode_general_name(backend, name)
+        res = backend._lib.sk_GENERAL_NAME_push(general_names, gn)
+        backend.openssl_assert(res != 0)
+
+    return general_names
+
+
+def _encode_alt_name(backend, san):
+    general_names = _encode_general_names(backend, san)
+    general_names = backend._ffi.gc(
+        general_names, backend._lib.GENERAL_NAMES_free
+    )
+    return general_names
+
+
+def _encode_subject_key_identifier(backend, ski):
+    return _encode_asn1_str_gc(backend, ski.digest)
+
+
+def _encode_general_name(backend, name):
+    gn = backend._lib.GENERAL_NAME_new()
+    _encode_general_name_preallocated(backend, name, gn)
+    return gn
+
+
+def _encode_general_name_preallocated(backend, name, gn):
+    if isinstance(name, x509.DNSName):
+        backend.openssl_assert(gn != backend._ffi.NULL)
+        gn.type = backend._lib.GEN_DNS
+
+        ia5 = backend._lib.ASN1_IA5STRING_new()
+        backend.openssl_assert(ia5 != backend._ffi.NULL)
+        # ia5strings are supposed to be ITU T.50 but to allow round-tripping
+        # of broken certs that encode utf8 we'll encode utf8 here too.
+        value = name.value.encode("utf8")
+
+        res = backend._lib.ASN1_STRING_set(ia5, value, len(value))
+        backend.openssl_assert(res == 1)
+        gn.d.dNSName = ia5
+    elif isinstance(name, x509.RegisteredID):
+        backend.openssl_assert(gn != backend._ffi.NULL)
+        gn.type = backend._lib.GEN_RID
+        obj = backend._lib.OBJ_txt2obj(
+            name.value.dotted_string.encode('ascii'), 1
+        )
+        backend.openssl_assert(obj != backend._ffi.NULL)
+        gn.d.registeredID = obj
+    elif isinstance(name, x509.DirectoryName):
+        backend.openssl_assert(gn != backend._ffi.NULL)
+        dir_name = _encode_name(backend, name.value)
+        gn.type = backend._lib.GEN_DIRNAME
+        gn.d.directoryName = dir_name
+    elif isinstance(name, x509.IPAddress):
+        backend.openssl_assert(gn != backend._ffi.NULL)
+        if isinstance(name.value, ipaddress.IPv4Network):
+            packed = (
+                name.value.network_address.packed +
+                utils.int_to_bytes(((1 << 32) - name.value.num_addresses), 4)
+            )
+        elif isinstance(name.value, ipaddress.IPv6Network):
+            packed = (
+                name.value.network_address.packed +
+                utils.int_to_bytes((1 << 128) - name.value.num_addresses, 16)
+            )
+        else:
+            packed = name.value.packed
+        ipaddr = _encode_asn1_str(backend, packed)
+        gn.type = backend._lib.GEN_IPADD
+        gn.d.iPAddress = ipaddr
+    elif isinstance(name, x509.OtherName):
+        backend.openssl_assert(gn != backend._ffi.NULL)
+        other_name = backend._lib.OTHERNAME_new()
+        backend.openssl_assert(other_name != backend._ffi.NULL)
+
+        type_id = backend._lib.OBJ_txt2obj(
+            name.type_id.dotted_string.encode('ascii'), 1
+        )
+        backend.openssl_assert(type_id != backend._ffi.NULL)
+        data = backend._ffi.new("unsigned char[]", name.value)
+        data_ptr_ptr = backend._ffi.new("unsigned char **")
+        data_ptr_ptr[0] = data
+        value = backend._lib.d2i_ASN1_TYPE(
+            backend._ffi.NULL, data_ptr_ptr, len(name.value)
+        )
+        if value == backend._ffi.NULL:
+            backend._consume_errors()
+            raise ValueError("Invalid ASN.1 data")
+        other_name.type_id = type_id
+        other_name.value = value
+        gn.type = backend._lib.GEN_OTHERNAME
+        gn.d.otherName = other_name
+    elif isinstance(name, x509.RFC822Name):
+        backend.openssl_assert(gn != backend._ffi.NULL)
+        # ia5strings are supposed to be ITU T.50 but to allow round-tripping
+        # of broken certs that encode utf8 we'll encode utf8 here too.
+        data = name.value.encode("utf8")
+        asn1_str = _encode_asn1_str(backend, data)
+        gn.type = backend._lib.GEN_EMAIL
+        gn.d.rfc822Name = asn1_str
+    elif isinstance(name, x509.UniformResourceIdentifier):
+        backend.openssl_assert(gn != backend._ffi.NULL)
+        # ia5strings are supposed to be ITU T.50 but to allow round-tripping
+        # of broken certs that encode utf8 we'll encode utf8 here too.
+        data = name.value.encode("utf8")
+        asn1_str = _encode_asn1_str(backend, data)
+        gn.type = backend._lib.GEN_URI
+        gn.d.uniformResourceIdentifier = asn1_str
+    else:
+        raise ValueError(
+            "{} is an unknown GeneralName type".format(name)
+        )
+
+
+def _encode_extended_key_usage(backend, extended_key_usage):
+    eku = backend._lib.sk_ASN1_OBJECT_new_null()
+    eku = backend._ffi.gc(eku, backend._lib.sk_ASN1_OBJECT_free)
+    for oid in extended_key_usage:
+        obj = _txt2obj(backend, oid.dotted_string)
+        res = backend._lib.sk_ASN1_OBJECT_push(eku, obj)
+        backend.openssl_assert(res >= 1)
+
+    return eku
+
+
+_CRLREASONFLAGS = {
+    x509.ReasonFlags.key_compromise: 1,
+    x509.ReasonFlags.ca_compromise: 2,
+    x509.ReasonFlags.affiliation_changed: 3,
+    x509.ReasonFlags.superseded: 4,
+    x509.ReasonFlags.cessation_of_operation: 5,
+    x509.ReasonFlags.certificate_hold: 6,
+    x509.ReasonFlags.privilege_withdrawn: 7,
+    x509.ReasonFlags.aa_compromise: 8,
+}
+
+
+def _encode_reasonflags(backend, reasons):
+    bitmask = backend._lib.ASN1_BIT_STRING_new()
+    backend.openssl_assert(bitmask != backend._ffi.NULL)
+    for reason in reasons:
+        res = backend._lib.ASN1_BIT_STRING_set_bit(
+            bitmask, _CRLREASONFLAGS[reason], 1
+        )
+        backend.openssl_assert(res == 1)
+
+    return bitmask
+
+
+def _encode_full_name(backend, full_name):
+    dpn = backend._lib.DIST_POINT_NAME_new()
+    backend.openssl_assert(dpn != backend._ffi.NULL)
+    dpn.type = _DISTPOINT_TYPE_FULLNAME
+    dpn.name.fullname = _encode_general_names(backend, full_name)
+    return dpn
+
+
+def _encode_relative_name(backend, relative_name):
+    dpn = backend._lib.DIST_POINT_NAME_new()
+    backend.openssl_assert(dpn != backend._ffi.NULL)
+    dpn.type = _DISTPOINT_TYPE_RELATIVENAME
+    dpn.name.relativename = _encode_sk_name_entry(backend, relative_name)
+    return dpn
+
+
+def _encode_cdps_freshest_crl(backend, cdps):
+    cdp = backend._lib.sk_DIST_POINT_new_null()
+    cdp = backend._ffi.gc(cdp, backend._lib.sk_DIST_POINT_free)
+    for point in cdps:
+        dp = backend._lib.DIST_POINT_new()
+        backend.openssl_assert(dp != backend._ffi.NULL)
+
+        if point.reasons:
+            dp.reasons = _encode_reasonflags(backend, point.reasons)
+
+        if point.full_name:
+            dp.distpoint = _encode_full_name(backend, point.full_name)
+
+        if point.relative_name:
+            dp.distpoint = _encode_relative_name(backend, point.relative_name)
+
+        if point.crl_issuer:
+            dp.CRLissuer = _encode_general_names(backend, point.crl_issuer)
+
+        res = backend._lib.sk_DIST_POINT_push(cdp, dp)
+        backend.openssl_assert(res >= 1)
+
+    return cdp
+
+
+def _encode_name_constraints(backend, name_constraints):
+    nc = backend._lib.NAME_CONSTRAINTS_new()
+    backend.openssl_assert(nc != backend._ffi.NULL)
+    nc = backend._ffi.gc(nc, backend._lib.NAME_CONSTRAINTS_free)
+    permitted = _encode_general_subtree(
+        backend, name_constraints.permitted_subtrees
+    )
+    nc.permittedSubtrees = permitted
+    excluded = _encode_general_subtree(
+        backend, name_constraints.excluded_subtrees
+    )
+    nc.excludedSubtrees = excluded
+
+    return nc
+
+
+def _encode_policy_constraints(backend, policy_constraints):
+    pc = backend._lib.POLICY_CONSTRAINTS_new()
+    backend.openssl_assert(pc != backend._ffi.NULL)
+    pc = backend._ffi.gc(pc, backend._lib.POLICY_CONSTRAINTS_free)
+    if policy_constraints.require_explicit_policy is not None:
+        pc.requireExplicitPolicy = _encode_asn1_int(
+            backend, policy_constraints.require_explicit_policy
+        )
+
+    if policy_constraints.inhibit_policy_mapping is not None:
+        pc.inhibitPolicyMapping = _encode_asn1_int(
+            backend, policy_constraints.inhibit_policy_mapping
+        )
+
+    return pc
+
+
+def _encode_general_subtree(backend, subtrees):
+    if subtrees is None:
+        return backend._ffi.NULL
+    else:
+        general_subtrees = backend._lib.sk_GENERAL_SUBTREE_new_null()
+        for name in subtrees:
+            gs = backend._lib.GENERAL_SUBTREE_new()
+            gs.base = _encode_general_name(backend, name)
+            res = backend._lib.sk_GENERAL_SUBTREE_push(general_subtrees, gs)
+            assert res >= 1
+
+        return general_subtrees
+
+
+def _encode_nonce(backend, nonce):
+    return _encode_asn1_str_gc(backend, nonce.nonce)
+
+
+_EXTENSION_ENCODE_HANDLERS = {
+    ExtensionOID.BASIC_CONSTRAINTS: _encode_basic_constraints,
+    ExtensionOID.SUBJECT_KEY_IDENTIFIER: _encode_subject_key_identifier,
+    ExtensionOID.KEY_USAGE: _encode_key_usage,
+    ExtensionOID.SUBJECT_ALTERNATIVE_NAME: _encode_alt_name,
+    ExtensionOID.ISSUER_ALTERNATIVE_NAME: _encode_alt_name,
+    ExtensionOID.EXTENDED_KEY_USAGE: _encode_extended_key_usage,
+    ExtensionOID.AUTHORITY_KEY_IDENTIFIER: _encode_authority_key_identifier,
+    ExtensionOID.CERTIFICATE_POLICIES: _encode_certificate_policies,
+    ExtensionOID.AUTHORITY_INFORMATION_ACCESS: (
+        _encode_authority_information_access
+    ),
+    ExtensionOID.CRL_DISTRIBUTION_POINTS: _encode_cdps_freshest_crl,
+    ExtensionOID.FRESHEST_CRL: _encode_cdps_freshest_crl,
+    ExtensionOID.INHIBIT_ANY_POLICY: _encode_inhibit_any_policy,
+    ExtensionOID.OCSP_NO_CHECK: _encode_ocsp_nocheck,
+    ExtensionOID.NAME_CONSTRAINTS: _encode_name_constraints,
+    ExtensionOID.POLICY_CONSTRAINTS: _encode_policy_constraints,
+}
+
+_CRL_EXTENSION_ENCODE_HANDLERS = {
+    ExtensionOID.ISSUER_ALTERNATIVE_NAME: _encode_alt_name,
+    ExtensionOID.AUTHORITY_KEY_IDENTIFIER: _encode_authority_key_identifier,
+    ExtensionOID.AUTHORITY_INFORMATION_ACCESS: (
+        _encode_authority_information_access
+    ),
+    ExtensionOID.CRL_NUMBER: _encode_crl_number_delta_crl_indicator,
+    ExtensionOID.DELTA_CRL_INDICATOR: _encode_crl_number_delta_crl_indicator,
+    ExtensionOID.ISSUING_DISTRIBUTION_POINT: _encode_issuing_dist_point,
+}
+
+_CRL_ENTRY_EXTENSION_ENCODE_HANDLERS = {
+    CRLEntryExtensionOID.CERTIFICATE_ISSUER: _encode_alt_name,
+    CRLEntryExtensionOID.CRL_REASON: _encode_crl_reason,
+    CRLEntryExtensionOID.INVALIDITY_DATE: _encode_invalidity_date,
+}
+
+_OCSP_REQUEST_EXTENSION_ENCODE_HANDLERS = {
+    OCSPExtensionOID.NONCE: _encode_nonce,
+}
+
+_OCSP_BASICRESP_EXTENSION_ENCODE_HANDLERS = {
+    OCSPExtensionOID.NONCE: _encode_nonce,
+}
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/hashes.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/hashes.py
@@ -0,0 +1,78 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+
+from cryptography import utils
+from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
+from cryptography.hazmat.primitives import hashes
+
+
+@utils.register_interface(hashes.HashContext)
+class _HashContext(object):
+    def __init__(self, backend, algorithm, ctx=None):
+        self._algorithm = algorithm
+
+        self._backend = backend
+
+        if ctx is None:
+            ctx = self._backend._lib.Cryptography_EVP_MD_CTX_new()
+            ctx = self._backend._ffi.gc(
+                ctx, self._backend._lib.Cryptography_EVP_MD_CTX_free
+            )
+            evp_md = self._backend._evp_md_from_algorithm(algorithm)
+            if evp_md == self._backend._ffi.NULL:
+                raise UnsupportedAlgorithm(
+                    "{} is not a supported hash on this backend.".format(
+                        algorithm.name),
+                    _Reasons.UNSUPPORTED_HASH
+                )
+            res = self._backend._lib.EVP_DigestInit_ex(ctx, evp_md,
+                                                       self._backend._ffi.NULL)
+            self._backend.openssl_assert(res != 0)
+
+        self._ctx = ctx
+
+    algorithm = utils.read_only_property("_algorithm")
+
+    def copy(self):
+        copied_ctx = self._backend._lib.Cryptography_EVP_MD_CTX_new()
+        copied_ctx = self._backend._ffi.gc(
+            copied_ctx, self._backend._lib.Cryptography_EVP_MD_CTX_free
+        )
+        res = self._backend._lib.EVP_MD_CTX_copy_ex(copied_ctx, self._ctx)
+        self._backend.openssl_assert(res != 0)
+        return _HashContext(self._backend, self.algorithm, ctx=copied_ctx)
+
+    def update(self, data):
+        data_ptr = self._backend._ffi.from_buffer(data)
+        res = self._backend._lib.EVP_DigestUpdate(
+            self._ctx, data_ptr, len(data)
+        )
+        self._backend.openssl_assert(res != 0)
+
+    def finalize(self):
+        if isinstance(self.algorithm, hashes.ExtendableOutputFunction):
+            # extendable output functions use a different finalize
+            return self._finalize_xof()
+        else:
+            buf = self._backend._ffi.new("unsigned char[]",
+                                         self._backend._lib.EVP_MAX_MD_SIZE)
+            outlen = self._backend._ffi.new("unsigned int *")
+            res = self._backend._lib.EVP_DigestFinal_ex(self._ctx, buf, outlen)
+            self._backend.openssl_assert(res != 0)
+            self._backend.openssl_assert(
+                outlen[0] == self.algorithm.digest_size
+            )
+            return self._backend._ffi.buffer(buf)[:outlen[0]]
+
+    def _finalize_xof(self):
+        buf = self._backend._ffi.new("unsigned char[]",
+                                     self.algorithm.digest_size)
+        res = self._backend._lib.EVP_DigestFinalXOF(
+            self._ctx, buf, self.algorithm.digest_size
+        )
+        self._backend.openssl_assert(res != 0)
+        return self._backend._ffi.buffer(buf)[:self.algorithm.digest_size]
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/hmac.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/hmac.py
@@ -0,0 +1,74 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+
+from cryptography import utils
+from cryptography.exceptions import (
+    InvalidSignature, UnsupportedAlgorithm, _Reasons
+)
+from cryptography.hazmat.primitives import constant_time, hashes
+
+
+@utils.register_interface(hashes.HashContext)
+class _HMACContext(object):
+    def __init__(self, backend, key, algorithm, ctx=None):
+        self._algorithm = algorithm
+        self._backend = backend
+
+        if ctx is None:
+            ctx = self._backend._lib.Cryptography_HMAC_CTX_new()
+            self._backend.openssl_assert(ctx != self._backend._ffi.NULL)
+            ctx = self._backend._ffi.gc(
+                ctx, self._backend._lib.Cryptography_HMAC_CTX_free
+            )
+            evp_md = self._backend._evp_md_from_algorithm(algorithm)
+            if evp_md == self._backend._ffi.NULL:
+                raise UnsupportedAlgorithm(
+                    "{} is not a supported hash on this backend".format(
+                        algorithm.name),
+                    _Reasons.UNSUPPORTED_HASH
+                )
+            key_ptr = self._backend._ffi.from_buffer(key)
+            res = self._backend._lib.HMAC_Init_ex(
+                ctx, key_ptr, len(key), evp_md, self._backend._ffi.NULL
+            )
+            self._backend.openssl_assert(res != 0)
+
+        self._ctx = ctx
+        self._key = key
+
+    algorithm = utils.read_only_property("_algorithm")
+
+    def copy(self):
+        copied_ctx = self._backend._lib.Cryptography_HMAC_CTX_new()
+        self._backend.openssl_assert(copied_ctx != self._backend._ffi.NULL)
+        copied_ctx = self._backend._ffi.gc(
+            copied_ctx, self._backend._lib.Cryptography_HMAC_CTX_free
+        )
+        res = self._backend._lib.HMAC_CTX_copy(copied_ctx, self._ctx)
+        self._backend.openssl_assert(res != 0)
+        return _HMACContext(
+            self._backend, self._key, self.algorithm, ctx=copied_ctx
+        )
+
+    def update(self, data):
+        data_ptr = self._backend._ffi.from_buffer(data)
+        res = self._backend._lib.HMAC_Update(self._ctx, data_ptr, len(data))
+        self._backend.openssl_assert(res != 0)
+
+    def finalize(self):
+        buf = self._backend._ffi.new("unsigned char[]",
+                                     self._backend._lib.EVP_MAX_MD_SIZE)
+        outlen = self._backend._ffi.new("unsigned int *")
+        res = self._backend._lib.HMAC_Final(self._ctx, buf, outlen)
+        self._backend.openssl_assert(res != 0)
+        self._backend.openssl_assert(outlen[0] == self.algorithm.digest_size)
+        return self._backend._ffi.buffer(buf)[:outlen[0]]
+
+    def verify(self, signature):
+        digest = self.finalize()
+        if not constant_time.bytes_eq(digest, signature):
+            raise InvalidSignature("Signature did not match digest.")
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ocsp.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/ocsp.py
@@ -0,0 +1,381 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import functools
+
+from cryptography import utils, x509
+from cryptography.exceptions import UnsupportedAlgorithm
+from cryptography.hazmat.backends.openssl.decode_asn1 import (
+    _CRL_ENTRY_REASON_CODE_TO_ENUM, _OCSP_BASICRESP_EXT_PARSER,
+    _OCSP_REQ_EXT_PARSER, _asn1_integer_to_int,
+    _asn1_string_to_bytes, _decode_x509_name, _obj2txt,
+    _parse_asn1_generalized_time,
+)
+from cryptography.hazmat.backends.openssl.x509 import _Certificate
+from cryptography.hazmat.primitives import serialization
+from cryptography.x509.ocsp import (
+    OCSPCertStatus, OCSPRequest, OCSPResponse, OCSPResponseStatus,
+    _CERT_STATUS_TO_ENUM, _OIDS_TO_HASH, _RESPONSE_STATUS_TO_ENUM,
+)
+
+
+def _requires_successful_response(func):
+    @functools.wraps(func)
+    def wrapper(self, *args):
+        if self.response_status != OCSPResponseStatus.SUCCESSFUL:
+            raise ValueError(
+                "OCSP response status is not successful so the property "
+                "has no value"
+            )
+        else:
+            return func(self, *args)
+
+    return wrapper
+
+
+def _issuer_key_hash(backend, cert_id):
+    key_hash = backend._ffi.new("ASN1_OCTET_STRING **")
+    res = backend._lib.OCSP_id_get0_info(
+        backend._ffi.NULL, backend._ffi.NULL,
+        key_hash, backend._ffi.NULL, cert_id
+    )
+    backend.openssl_assert(res == 1)
+    backend.openssl_assert(key_hash[0] != backend._ffi.NULL)
+    return _asn1_string_to_bytes(backend, key_hash[0])
+
+
+def _issuer_name_hash(backend, cert_id):
+    name_hash = backend._ffi.new("ASN1_OCTET_STRING **")
+    res = backend._lib.OCSP_id_get0_info(
+        name_hash, backend._ffi.NULL,
+        backend._ffi.NULL, backend._ffi.NULL, cert_id
+    )
+    backend.openssl_assert(res == 1)
+    backend.openssl_assert(name_hash[0] != backend._ffi.NULL)
+    return _asn1_string_to_bytes(backend, name_hash[0])
+
+
+def _serial_number(backend, cert_id):
+    num = backend._ffi.new("ASN1_INTEGER **")
+    res = backend._lib.OCSP_id_get0_info(
+        backend._ffi.NULL, backend._ffi.NULL,
+        backend._ffi.NULL, num, cert_id
+    )
+    backend.openssl_assert(res == 1)
+    backend.openssl_assert(num[0] != backend._ffi.NULL)
+    return _asn1_integer_to_int(backend, num[0])
+
+
+def _hash_algorithm(backend, cert_id):
+    asn1obj = backend._ffi.new("ASN1_OBJECT **")
+    res = backend._lib.OCSP_id_get0_info(
+        backend._ffi.NULL, asn1obj,
+        backend._ffi.NULL, backend._ffi.NULL, cert_id
+    )
+    backend.openssl_assert(res == 1)
+    backend.openssl_assert(asn1obj[0] != backend._ffi.NULL)
+    oid = _obj2txt(backend, asn1obj[0])
+    try:
+        return _OIDS_TO_HASH[oid]
+    except KeyError:
+        raise UnsupportedAlgorithm(
+            "Signature algorithm OID: {} not recognized".format(oid)
+        )
+
+
+@utils.register_interface(OCSPResponse)
+class _OCSPResponse(object):
+    def __init__(self, backend, ocsp_response):
+        self._backend = backend
+        self._ocsp_response = ocsp_response
+        status = self._backend._lib.OCSP_response_status(self._ocsp_response)
+        self._backend.openssl_assert(status in _RESPONSE_STATUS_TO_ENUM)
+        self._status = _RESPONSE_STATUS_TO_ENUM[status]
+        if self._status is OCSPResponseStatus.SUCCESSFUL:
+            basic = self._backend._lib.OCSP_response_get1_basic(
+                self._ocsp_response
+            )
+            self._backend.openssl_assert(basic != self._backend._ffi.NULL)
+            self._basic = self._backend._ffi.gc(
+                basic, self._backend._lib.OCSP_BASICRESP_free
+            )
+            self._backend.openssl_assert(
+                self._backend._lib.OCSP_resp_count(self._basic) == 1
+            )
+            self._single = self._backend._lib.OCSP_resp_get0(self._basic, 0)
+            self._backend.openssl_assert(
+                self._single != self._backend._ffi.NULL
+            )
+            self._cert_id = self._backend._lib.OCSP_SINGLERESP_get0_id(
+                self._single
+            )
+            self._backend.openssl_assert(
+                self._cert_id != self._backend._ffi.NULL
+            )
+
+    response_status = utils.read_only_property("_status")
+
+    @property
+    @_requires_successful_response
+    def signature_algorithm_oid(self):
+        alg = self._backend._lib.OCSP_resp_get0_tbs_sigalg(self._basic)
+        self._backend.openssl_assert(alg != self._backend._ffi.NULL)
+        oid = _obj2txt(self._backend, alg.algorithm)
+        return x509.ObjectIdentifier(oid)
+
+    @property
+    @_requires_successful_response
+    def signature_hash_algorithm(self):
+        oid = self.signature_algorithm_oid
+        try:
+            return x509._SIG_OIDS_TO_HASH[oid]
+        except KeyError:
+            raise UnsupportedAlgorithm(
+                "Signature algorithm OID:{} not recognized".format(oid)
+            )
+
+    @property
+    @_requires_successful_response
+    def signature(self):
+        sig = self._backend._lib.OCSP_resp_get0_signature(self._basic)
+        self._backend.openssl_assert(sig != self._backend._ffi.NULL)
+        return _asn1_string_to_bytes(self._backend, sig)
+
+    @property
+    @_requires_successful_response
+    def tbs_response_bytes(self):
+        respdata = self._backend._lib.OCSP_resp_get0_respdata(self._basic)
+        self._backend.openssl_assert(respdata != self._backend._ffi.NULL)
+        pp = self._backend._ffi.new("unsigned char **")
+        res = self._backend._lib.i2d_OCSP_RESPDATA(respdata, pp)
+        self._backend.openssl_assert(pp[0] != self._backend._ffi.NULL)
+        pp = self._backend._ffi.gc(
+            pp, lambda pointer: self._backend._lib.OPENSSL_free(pointer[0])
+        )
+        self._backend.openssl_assert(res > 0)
+        return self._backend._ffi.buffer(pp[0], res)[:]
+
+    @property
+    @_requires_successful_response
+    def certificates(self):
+        sk_x509 = self._backend._lib.OCSP_resp_get0_certs(self._basic)
+        num = self._backend._lib.sk_X509_num(sk_x509)
+        certs = []
+        for i in range(num):
+            x509 = self._backend._lib.sk_X509_value(sk_x509, i)
+            self._backend.openssl_assert(x509 != self._backend._ffi.NULL)
+            cert = _Certificate(self._backend, x509)
+            # We need to keep the OCSP response that the certificate came from
+            # alive until the Certificate object itself goes out of scope, so
+            # we give it a private reference.
+            cert._ocsp_resp = self
+            certs.append(cert)
+
+        return certs
+
+    @property
+    @_requires_successful_response
+    def responder_key_hash(self):
+        _, asn1_string = self._responder_key_name()
+        if asn1_string == self._backend._ffi.NULL:
+            return None
+        else:
+            return _asn1_string_to_bytes(self._backend, asn1_string)
+
+    @property
+    @_requires_successful_response
+    def responder_name(self):
+        x509_name, _ = self._responder_key_name()
+        if x509_name == self._backend._ffi.NULL:
+            return None
+        else:
+            return _decode_x509_name(self._backend, x509_name)
+
+    def _responder_key_name(self):
+        asn1_string = self._backend._ffi.new("ASN1_OCTET_STRING **")
+        x509_name = self._backend._ffi.new("X509_NAME **")
+        res = self._backend._lib.OCSP_resp_get0_id(
+            self._basic, asn1_string, x509_name
+        )
+        self._backend.openssl_assert(res == 1)
+        return x509_name[0], asn1_string[0]
+
+    @property
+    @_requires_successful_response
+    def produced_at(self):
+        produced_at = self._backend._lib.OCSP_resp_get0_produced_at(
+            self._basic
+        )
+        return _parse_asn1_generalized_time(self._backend, produced_at)
+
+    @property
+    @_requires_successful_response
+    def certificate_status(self):
+        status = self._backend._lib.OCSP_single_get0_status(
+            self._single,
+            self._backend._ffi.NULL,
+            self._backend._ffi.NULL,
+            self._backend._ffi.NULL,
+            self._backend._ffi.NULL,
+        )
+        self._backend.openssl_assert(status in _CERT_STATUS_TO_ENUM)
+        return _CERT_STATUS_TO_ENUM[status]
+
+    @property
+    @_requires_successful_response
+    def revocation_time(self):
+        if self.certificate_status is not OCSPCertStatus.REVOKED:
+            return None
+
+        asn1_time = self._backend._ffi.new("ASN1_GENERALIZEDTIME **")
+        self._backend._lib.OCSP_single_get0_status(
+            self._single,
+            self._backend._ffi.NULL,
+            asn1_time,
+            self._backend._ffi.NULL,
+            self._backend._ffi.NULL,
+        )
+        self._backend.openssl_assert(asn1_time[0] != self._backend._ffi.NULL)
+        return _parse_asn1_generalized_time(self._backend, asn1_time[0])
+
+    @property
+    @_requires_successful_response
+    def revocation_reason(self):
+        if self.certificate_status is not OCSPCertStatus.REVOKED:
+            return None
+
+        reason_ptr = self._backend._ffi.new("int *")
+        self._backend._lib.OCSP_single_get0_status(
+            self._single,
+            reason_ptr,
+            self._backend._ffi.NULL,
+            self._backend._ffi.NULL,
+            self._backend._ffi.NULL,
+        )
+        # If no reason is encoded OpenSSL returns -1
+        if reason_ptr[0] == -1:
+            return None
+        else:
+            self._backend.openssl_assert(
+                reason_ptr[0] in _CRL_ENTRY_REASON_CODE_TO_ENUM
+            )
+            return _CRL_ENTRY_REASON_CODE_TO_ENUM[reason_ptr[0]]
+
+    @property
+    @_requires_successful_response
+    def this_update(self):
+        asn1_time = self._backend._ffi.new("ASN1_GENERALIZEDTIME **")
+        self._backend._lib.OCSP_single_get0_status(
+            self._single,
+            self._backend._ffi.NULL,
+            self._backend._ffi.NULL,
+            asn1_time,
+            self._backend._ffi.NULL,
+        )
+        self._backend.openssl_assert(asn1_time[0] != self._backend._ffi.NULL)
+        return _parse_asn1_generalized_time(self._backend, asn1_time[0])
+
+    @property
+    @_requires_successful_response
+    def next_update(self):
+        asn1_time = self._backend._ffi.new("ASN1_GENERALIZEDTIME **")
+        self._backend._lib.OCSP_single_get0_status(
+            self._single,
+            self._backend._ffi.NULL,
+            self._backend._ffi.NULL,
+            self._backend._ffi.NULL,
+            asn1_time,
+        )
+        if asn1_time[0] != self._backend._ffi.NULL:
+            return _parse_asn1_generalized_time(self._backend, asn1_time[0])
+        else:
+            return None
+
+    @property
+    @_requires_successful_response
+    def issuer_key_hash(self):
+        return _issuer_key_hash(self._backend, self._cert_id)
+
+    @property
+    @_requires_successful_response
+    def issuer_name_hash(self):
+        return _issuer_name_hash(self._backend, self._cert_id)
+
+    @property
+    @_requires_successful_response
+    def hash_algorithm(self):
+        return _hash_algorithm(self._backend, self._cert_id)
+
+    @property
+    @_requires_successful_response
+    def serial_number(self):
+        return _serial_number(self._backend, self._cert_id)
+
+    @utils.cached_property
+    @_requires_successful_response
+    def extensions(self):
+        return _OCSP_BASICRESP_EXT_PARSER.parse(self._backend, self._basic)
+
+    def public_bytes(self, encoding):
+        if encoding is not serialization.Encoding.DER:
+            raise ValueError(
+                "The only allowed encoding value is Encoding.DER"
+            )
+
+        bio = self._backend._create_mem_bio_gc()
+        res = self._backend._lib.i2d_OCSP_RESPONSE_bio(
+            bio, self._ocsp_response
+        )
+        self._backend.openssl_assert(res > 0)
+        return self._backend._read_mem_bio(bio)
+
+
+@utils.register_interface(OCSPRequest)
+class _OCSPRequest(object):
+    def __init__(self, backend, ocsp_request):
+        if backend._lib.OCSP_request_onereq_count(ocsp_request) > 1:
+            raise NotImplementedError(
+                'OCSP request contains more than one request'
+            )
+        self._backend = backend
+        self._ocsp_request = ocsp_request
+        self._request = self._backend._lib.OCSP_request_onereq_get0(
+            self._ocsp_request, 0
+        )
+        self._backend.openssl_assert(self._request != self._backend._ffi.NULL)
+        self._cert_id = self._backend._lib.OCSP_onereq_get0_id(self._request)
+        self._backend.openssl_assert(self._cert_id != self._backend._ffi.NULL)
+
+    @property
+    def issuer_key_hash(self):
+        return _issuer_key_hash(self._backend, self._cert_id)
+
+    @property
+    def issuer_name_hash(self):
+        return _issuer_name_hash(self._backend, self._cert_id)
+
+    @property
+    def serial_number(self):
+        return _serial_number(self._backend, self._cert_id)
+
+    @property
+    def hash_algorithm(self):
+        return _hash_algorithm(self._backend, self._cert_id)
+
+    @utils.cached_property
+    def extensions(self):
+        return _OCSP_REQ_EXT_PARSER.parse(self._backend, self._ocsp_request)
+
+    def public_bytes(self, encoding):
+        if encoding is not serialization.Encoding.DER:
+            raise ValueError(
+                "The only allowed encoding value is Encoding.DER"
+            )
+
+        bio = self._backend._create_mem_bio_gc()
+        res = self._backend._lib.i2d_OCSP_REQUEST_bio(bio, self._ocsp_request)
+        self._backend.openssl_assert(res > 0)
+        return self._backend._read_mem_bio(bio)
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/poly1305.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/poly1305.py
@@ -0,0 +1,60 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+
+from cryptography.exceptions import InvalidSignature
+from cryptography.hazmat.primitives import constant_time
+
+
+_POLY1305_TAG_SIZE = 16
+_POLY1305_KEY_SIZE = 32
+
+
+class _Poly1305Context(object):
+    def __init__(self, backend, key):
+        self._backend = backend
+
+        key_ptr = self._backend._ffi.from_buffer(key)
+        # This function copies the key into OpenSSL-owned memory so we don't
+        # need to retain it ourselves
+        evp_pkey = self._backend._lib.EVP_PKEY_new_raw_private_key(
+            self._backend._lib.NID_poly1305,
+            self._backend._ffi.NULL, key_ptr, len(key)
+        )
+        self._backend.openssl_assert(evp_pkey != self._backend._ffi.NULL)
+        self._evp_pkey = self._backend._ffi.gc(
+            evp_pkey, self._backend._lib.EVP_PKEY_free
+        )
+        ctx = self._backend._lib.Cryptography_EVP_MD_CTX_new()
+        self._backend.openssl_assert(ctx != self._backend._ffi.NULL)
+        self._ctx = self._backend._ffi.gc(
+            ctx, self._backend._lib.Cryptography_EVP_MD_CTX_free
+        )
+        res = self._backend._lib.EVP_DigestSignInit(
+            self._ctx, self._backend._ffi.NULL, self._backend._ffi.NULL,
+            self._backend._ffi.NULL, self._evp_pkey
+        )
+        self._backend.openssl_assert(res == 1)
+
+    def update(self, data):
+        data_ptr = self._backend._ffi.from_buffer(data)
+        res = self._backend._lib.EVP_DigestSignUpdate(
+            self._ctx, data_ptr, len(data)
+        )
+        self._backend.openssl_assert(res != 0)
+
+    def finalize(self):
+        buf = self._backend._ffi.new("unsigned char[]", _POLY1305_TAG_SIZE)
+        outlen = self._backend._ffi.new("size_t *")
+        res = self._backend._lib.EVP_DigestSignFinal(self._ctx, buf, outlen)
+        self._backend.openssl_assert(res != 0)
+        self._backend.openssl_assert(outlen[0] == _POLY1305_TAG_SIZE)
+        return self._backend._ffi.buffer(buf)[:outlen[0]]
+
+    def verify(self, tag):
+        mac = self.finalize()
+        if not constant_time.bytes_eq(mac, tag):
+            raise InvalidSignature("Value did not match computed tag.")
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/rsa.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/rsa.py
@@ -0,0 +1,478 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import math
+
+from cryptography import utils
+from cryptography.exceptions import (
+    InvalidSignature, UnsupportedAlgorithm, _Reasons
+)
+from cryptography.hazmat.backends.openssl.utils import (
+    _calculate_digest_and_algorithm, _check_not_prehashed,
+    _warn_sign_verify_deprecated
+)
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import (
+    AsymmetricSignatureContext, AsymmetricVerificationContext, rsa
+)
+from cryptography.hazmat.primitives.asymmetric.padding import (
+    AsymmetricPadding, MGF1, OAEP, PKCS1v15, PSS, calculate_max_pss_salt_length
+)
+from cryptography.hazmat.primitives.asymmetric.rsa import (
+    RSAPrivateKeyWithSerialization, RSAPublicKeyWithSerialization
+)
+
+
+def _get_rsa_pss_salt_length(pss, key, hash_algorithm):
+    salt = pss._salt_length
+
+    if salt is MGF1.MAX_LENGTH or salt is PSS.MAX_LENGTH:
+        return calculate_max_pss_salt_length(key, hash_algorithm)
+    else:
+        return salt
+
+
+def _enc_dec_rsa(backend, key, data, padding):
+    if not isinstance(padding, AsymmetricPadding):
+        raise TypeError("Padding must be an instance of AsymmetricPadding.")
+
+    if isinstance(padding, PKCS1v15):
+        padding_enum = backend._lib.RSA_PKCS1_PADDING
+    elif isinstance(padding, OAEP):
+        padding_enum = backend._lib.RSA_PKCS1_OAEP_PADDING
+
+        if not isinstance(padding._mgf, MGF1):
+            raise UnsupportedAlgorithm(
+                "Only MGF1 is supported by this backend.",
+                _Reasons.UNSUPPORTED_MGF
+            )
+
+        if not backend.rsa_padding_supported(padding):
+            raise UnsupportedAlgorithm(
+                "This combination of padding and hash algorithm is not "
+                "supported by this backend.",
+                _Reasons.UNSUPPORTED_PADDING
+            )
+
+    else:
+        raise UnsupportedAlgorithm(
+            "{} is not supported by this backend.".format(
+                padding.name
+            ),
+            _Reasons.UNSUPPORTED_PADDING
+        )
+
+    return _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding)
+
+
+def _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding):
+    if isinstance(key, _RSAPublicKey):
+        init = backend._lib.EVP_PKEY_encrypt_init
+        crypt = backend._lib.EVP_PKEY_encrypt
+    else:
+        init = backend._lib.EVP_PKEY_decrypt_init
+        crypt = backend._lib.EVP_PKEY_decrypt
+
+    pkey_ctx = backend._lib.EVP_PKEY_CTX_new(
+        key._evp_pkey, backend._ffi.NULL
+    )
+    backend.openssl_assert(pkey_ctx != backend._ffi.NULL)
+    pkey_ctx = backend._ffi.gc(pkey_ctx, backend._lib.EVP_PKEY_CTX_free)
+    res = init(pkey_ctx)
+    backend.openssl_assert(res == 1)
+    res = backend._lib.EVP_PKEY_CTX_set_rsa_padding(
+        pkey_ctx, padding_enum)
+    backend.openssl_assert(res > 0)
+    buf_size = backend._lib.EVP_PKEY_size(key._evp_pkey)
+    backend.openssl_assert(buf_size > 0)
+    if (
+        isinstance(padding, OAEP) and
+        backend._lib.Cryptography_HAS_RSA_OAEP_MD
+    ):
+        mgf1_md = backend._evp_md_non_null_from_algorithm(
+            padding._mgf._algorithm)
+        res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, mgf1_md)
+        backend.openssl_assert(res > 0)
+        oaep_md = backend._evp_md_non_null_from_algorithm(padding._algorithm)
+        res = backend._lib.EVP_PKEY_CTX_set_rsa_oaep_md(pkey_ctx, oaep_md)
+        backend.openssl_assert(res > 0)
+
+    if (
+        isinstance(padding, OAEP) and
+        padding._label is not None and
+        len(padding._label) > 0
+    ):
+        # set0_rsa_oaep_label takes ownership of the char * so we need to
+        # copy it into some new memory
+        labelptr = backend._lib.OPENSSL_malloc(len(padding._label))
+        backend.openssl_assert(labelptr != backend._ffi.NULL)
+        backend._ffi.memmove(labelptr, padding._label, len(padding._label))
+        res = backend._lib.EVP_PKEY_CTX_set0_rsa_oaep_label(
+            pkey_ctx, labelptr, len(padding._label)
+        )
+        backend.openssl_assert(res == 1)
+
+    outlen = backend._ffi.new("size_t *", buf_size)
+    buf = backend._ffi.new("unsigned char[]", buf_size)
+    res = crypt(pkey_ctx, buf, outlen, data, len(data))
+    if res <= 0:
+        _handle_rsa_enc_dec_error(backend, key)
+
+    return backend._ffi.buffer(buf)[:outlen[0]]
+
+
+def _handle_rsa_enc_dec_error(backend, key):
+    errors = backend._consume_errors()
+    backend.openssl_assert(errors)
+    backend.openssl_assert(errors[0].lib == backend._lib.ERR_LIB_RSA)
+    if isinstance(key, _RSAPublicKey):
+        backend.openssl_assert(
+            errors[0].reason == backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE
+        )
+        raise ValueError(
+            "Data too long for key size. Encrypt less data or use a "
+            "larger key size."
+        )
+    else:
+        decoding_errors = [
+            backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_01,
+            backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_02,
+            backend._lib.RSA_R_OAEP_DECODING_ERROR,
+            # Though this error looks similar to the
+            # RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE, this occurs on decrypts,
+            # rather than on encrypts
+            backend._lib.RSA_R_DATA_TOO_LARGE_FOR_MODULUS,
+        ]
+        if backend._lib.Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR:
+            decoding_errors.append(backend._lib.RSA_R_PKCS_DECODING_ERROR)
+
+        backend.openssl_assert(errors[0].reason in decoding_errors)
+        raise ValueError("Decryption failed.")
+
+
+def _rsa_sig_determine_padding(backend, key, padding, algorithm):
+    if not isinstance(padding, AsymmetricPadding):
+        raise TypeError("Expected provider of AsymmetricPadding.")
+
+    pkey_size = backend._lib.EVP_PKEY_size(key._evp_pkey)
+    backend.openssl_assert(pkey_size > 0)
+
+    if isinstance(padding, PKCS1v15):
+        padding_enum = backend._lib.RSA_PKCS1_PADDING
+    elif isinstance(padding, PSS):
+        if not isinstance(padding._mgf, MGF1):
+            raise UnsupportedAlgorithm(
+                "Only MGF1 is supported by this backend.",
+                _Reasons.UNSUPPORTED_MGF
+            )
+
+        # Size of key in bytes - 2 is the maximum
+        # PSS signature length (salt length is checked later)
+        if pkey_size - algorithm.digest_size - 2 < 0:
+            raise ValueError("Digest too large for key size. Use a larger "
+                             "key or different digest.")
+
+        padding_enum = backend._lib.RSA_PKCS1_PSS_PADDING
+    else:
+        raise UnsupportedAlgorithm(
+            "{} is not supported by this backend.".format(padding.name),
+            _Reasons.UNSUPPORTED_PADDING
+        )
+
+    return padding_enum
+
+
+def _rsa_sig_setup(backend, padding, algorithm, key, data, init_func):
+    padding_enum = _rsa_sig_determine_padding(backend, key, padding, algorithm)
+    evp_md = backend._evp_md_non_null_from_algorithm(algorithm)
+    pkey_ctx = backend._lib.EVP_PKEY_CTX_new(key._evp_pkey, backend._ffi.NULL)
+    backend.openssl_assert(pkey_ctx != backend._ffi.NULL)
+    pkey_ctx = backend._ffi.gc(pkey_ctx, backend._lib.EVP_PKEY_CTX_free)
+    res = init_func(pkey_ctx)
+    backend.openssl_assert(res == 1)
+    res = backend._lib.EVP_PKEY_CTX_set_signature_md(pkey_ctx, evp_md)
+    if res == 0:
+        backend._consume_errors()
+        raise UnsupportedAlgorithm(
+            "{} is not supported by this backend for RSA signing.".format(
+                algorithm.name
+            ),
+            _Reasons.UNSUPPORTED_HASH
+        )
+    res = backend._lib.EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, padding_enum)
+    backend.openssl_assert(res > 0)
+    if isinstance(padding, PSS):
+        res = backend._lib.EVP_PKEY_CTX_set_rsa_pss_saltlen(
+            pkey_ctx, _get_rsa_pss_salt_length(padding, key, algorithm)
+        )
+        backend.openssl_assert(res > 0)
+
+        mgf1_md = backend._evp_md_non_null_from_algorithm(
+            padding._mgf._algorithm)
+        res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, mgf1_md)
+        backend.openssl_assert(res > 0)
+
+    return pkey_ctx
+
+
+def _rsa_sig_sign(backend, padding, algorithm, private_key, data):
+    pkey_ctx = _rsa_sig_setup(
+        backend, padding, algorithm, private_key, data,
+        backend._lib.EVP_PKEY_sign_init
+    )
+    buflen = backend._ffi.new("size_t *")
+    res = backend._lib.EVP_PKEY_sign(
+        pkey_ctx,
+        backend._ffi.NULL,
+        buflen,
+        data,
+        len(data)
+    )
+    backend.openssl_assert(res == 1)
+    buf = backend._ffi.new("unsigned char[]", buflen[0])
+    res = backend._lib.EVP_PKEY_sign(
+        pkey_ctx, buf, buflen, data, len(data))
+    if res != 1:
+        errors = backend._consume_errors()
+        backend.openssl_assert(errors[0].lib == backend._lib.ERR_LIB_RSA)
+        if (
+            errors[0].reason ==
+            backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE
+        ):
+            reason = ("Salt length too long for key size. Try using "
+                      "MAX_LENGTH instead.")
+        else:
+            backend.openssl_assert(
+                errors[0].reason ==
+                backend._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
+            )
+            reason = "Digest too large for key size. Use a larger key."
+        raise ValueError(reason)
+
+    return backend._ffi.buffer(buf)[:]
+
+
+def _rsa_sig_verify(backend, padding, algorithm, public_key, signature, data):
+    pkey_ctx = _rsa_sig_setup(
+        backend, padding, algorithm, public_key, data,
+        backend._lib.EVP_PKEY_verify_init
+    )
+    res = backend._lib.EVP_PKEY_verify(
+        pkey_ctx, signature, len(signature), data, len(data)
+    )
+    # The previous call can return negative numbers in the event of an
+    # error. This is not a signature failure but we need to fail if it
+    # occurs.
+    backend.openssl_assert(res >= 0)
+    if res == 0:
+        backend._consume_errors()
+        raise InvalidSignature
+
+
+@utils.register_interface(AsymmetricSignatureContext)
+class _RSASignatureContext(object):
+    def __init__(self, backend, private_key, padding, algorithm):
+        self._backend = backend
+        self._private_key = private_key
+
+        # We now call _rsa_sig_determine_padding in _rsa_sig_setup. However
+        # we need to make a pointless call to it here so we maintain the
+        # API of erroring on init with this context if the values are invalid.
+        _rsa_sig_determine_padding(backend, private_key, padding, algorithm)
+        self._padding = padding
+        self._algorithm = algorithm
+        self._hash_ctx = hashes.Hash(self._algorithm, self._backend)
+
+    def update(self, data):
+        self._hash_ctx.update(data)
+
+    def finalize(self):
+        return _rsa_sig_sign(
+            self._backend,
+            self._padding,
+            self._algorithm,
+            self._private_key,
+            self._hash_ctx.finalize()
+        )
+
+
+@utils.register_interface(AsymmetricVerificationContext)
+class _RSAVerificationContext(object):
+    def __init__(self, backend, public_key, signature, padding, algorithm):
+        self._backend = backend
+        self._public_key = public_key
+        self._signature = signature
+        self._padding = padding
+        # We now call _rsa_sig_determine_padding in _rsa_sig_setup. However
+        # we need to make a pointless call to it here so we maintain the
+        # API of erroring on init with this context if the values are invalid.
+        _rsa_sig_determine_padding(backend, public_key, padding, algorithm)
+
+        padding = padding
+        self._algorithm = algorithm
+        self._hash_ctx = hashes.Hash(self._algorithm, self._backend)
+
+    def update(self, data):
+        self._hash_ctx.update(data)
+
+    def verify(self):
+        return _rsa_sig_verify(
+            self._backend,
+            self._padding,
+            self._algorithm,
+            self._public_key,
+            self._signature,
+            self._hash_ctx.finalize()
+        )
+
+
+@utils.register_interface(RSAPrivateKeyWithSerialization)
+class _RSAPrivateKey(object):
+    def __init__(self, backend, rsa_cdata, evp_pkey):
+        self._backend = backend
+        self._rsa_cdata = rsa_cdata
+        self._evp_pkey = evp_pkey
+
+        n = self._backend._ffi.new("BIGNUM **")
+        self._backend._lib.RSA_get0_key(
+            self._rsa_cdata, n, self._backend._ffi.NULL,
+            self._backend._ffi.NULL
+        )
+        self._backend.openssl_assert(n[0] != self._backend._ffi.NULL)
+        self._key_size = self._backend._lib.BN_num_bits(n[0])
+
+    key_size = utils.read_only_property("_key_size")
+
+    def signer(self, padding, algorithm):
+        _warn_sign_verify_deprecated()
+        _check_not_prehashed(algorithm)
+        return _RSASignatureContext(self._backend, self, padding, algorithm)
+
+    def decrypt(self, ciphertext, padding):
+        key_size_bytes = int(math.ceil(self.key_size / 8.0))
+        if key_size_bytes != len(ciphertext):
+            raise ValueError("Ciphertext length must be equal to key size.")
+
+        return _enc_dec_rsa(self._backend, self, ciphertext, padding)
+
+    def public_key(self):
+        ctx = self._backend._lib.RSAPublicKey_dup(self._rsa_cdata)
+        self._backend.openssl_assert(ctx != self._backend._ffi.NULL)
+        ctx = self._backend._ffi.gc(ctx, self._backend._lib.RSA_free)
+        res = self._backend._lib.RSA_blinding_on(ctx, self._backend._ffi.NULL)
+        self._backend.openssl_assert(res == 1)
+        evp_pkey = self._backend._rsa_cdata_to_evp_pkey(ctx)
+        return _RSAPublicKey(self._backend, ctx, evp_pkey)
+
+    def private_numbers(self):
+        n = self._backend._ffi.new("BIGNUM **")
+        e = self._backend._ffi.new("BIGNUM **")
+        d = self._backend._ffi.new("BIGNUM **")
+        p = self._backend._ffi.new("BIGNUM **")
+        q = self._backend._ffi.new("BIGNUM **")
+        dmp1 = self._backend._ffi.new("BIGNUM **")
+        dmq1 = self._backend._ffi.new("BIGNUM **")
+        iqmp = self._backend._ffi.new("BIGNUM **")
+        self._backend._lib.RSA_get0_key(self._rsa_cdata, n, e, d)
+        self._backend.openssl_assert(n[0] != self._backend._ffi.NULL)
+        self._backend.openssl_assert(e[0] != self._backend._ffi.NULL)
+        self._backend.openssl_assert(d[0] != self._backend._ffi.NULL)
+        self._backend._lib.RSA_get0_factors(self._rsa_cdata, p, q)
+        self._backend.openssl_assert(p[0] != self._backend._ffi.NULL)
+        self._backend.openssl_assert(q[0] != self._backend._ffi.NULL)
+        self._backend._lib.RSA_get0_crt_params(
+            self._rsa_cdata, dmp1, dmq1, iqmp
+        )
+        self._backend.openssl_assert(dmp1[0] != self._backend._ffi.NULL)
+        self._backend.openssl_assert(dmq1[0] != self._backend._ffi.NULL)
+        self._backend.openssl_assert(iqmp[0] != self._backend._ffi.NULL)
+        return rsa.RSAPrivateNumbers(
+            p=self._backend._bn_to_int(p[0]),
+            q=self._backend._bn_to_int(q[0]),
+            d=self._backend._bn_to_int(d[0]),
+            dmp1=self._backend._bn_to_int(dmp1[0]),
+            dmq1=self._backend._bn_to_int(dmq1[0]),
+            iqmp=self._backend._bn_to_int(iqmp[0]),
+            public_numbers=rsa.RSAPublicNumbers(
+                e=self._backend._bn_to_int(e[0]),
+                n=self._backend._bn_to_int(n[0]),
+            )
+        )
+
+    def private_bytes(self, encoding, format, encryption_algorithm):
+        return self._backend._private_key_bytes(
+            encoding,
+            format,
+            encryption_algorithm,
+            self._evp_pkey,
+            self._rsa_cdata
+        )
+
+    def sign(self, data, padding, algorithm):
+        data, algorithm = _calculate_digest_and_algorithm(
+            self._backend, data, algorithm
+        )
+        return _rsa_sig_sign(self._backend, padding, algorithm, self, data)
+
+
+@utils.register_interface(RSAPublicKeyWithSerialization)
+class _RSAPublicKey(object):
+    def __init__(self, backend, rsa_cdata, evp_pkey):
+        self._backend = backend
+        self._rsa_cdata = rsa_cdata
+        self._evp_pkey = evp_pkey
+
+        n = self._backend._ffi.new("BIGNUM **")
+        self._backend._lib.RSA_get0_key(
+            self._rsa_cdata, n, self._backend._ffi.NULL,
+            self._backend._ffi.NULL
+        )
+        self._backend.openssl_assert(n[0] != self._backend._ffi.NULL)
+        self._key_size = self._backend._lib.BN_num_bits(n[0])
+
+    key_size = utils.read_only_property("_key_size")
+
+    def verifier(self, signature, padding, algorithm):
+        _warn_sign_verify_deprecated()
+        utils._check_bytes("signature", signature)
+
+        _check_not_prehashed(algorithm)
+        return _RSAVerificationContext(
+            self._backend, self, signature, padding, algorithm
+        )
+
+    def encrypt(self, plaintext, padding):
+        return _enc_dec_rsa(self._backend, self, plaintext, padding)
+
+    def public_numbers(self):
+        n = self._backend._ffi.new("BIGNUM **")
+        e = self._backend._ffi.new("BIGNUM **")
+        self._backend._lib.RSA_get0_key(
+            self._rsa_cdata, n, e, self._backend._ffi.NULL
+        )
+        self._backend.openssl_assert(n[0] != self._backend._ffi.NULL)
+        self._backend.openssl_assert(e[0] != self._backend._ffi.NULL)
+        return rsa.RSAPublicNumbers(
+            e=self._backend._bn_to_int(e[0]),
+            n=self._backend._bn_to_int(n[0]),
+        )
+
+    def public_bytes(self, encoding, format):
+        return self._backend._public_key_bytes(
+            encoding,
+            format,
+            self,
+            self._evp_pkey,
+            self._rsa_cdata
+        )
+
+    def verify(self, signature, data, padding, algorithm):
+        data, algorithm = _calculate_digest_and_algorithm(
+            self._backend, data, algorithm
+        )
+        return _rsa_sig_verify(
+            self._backend, padding, algorithm, self, signature, data
+        )
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/utils.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/utils.py
@@ -0,0 +1,69 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import warnings
+
+from cryptography import utils
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric.utils import Prehashed
+
+
+def _evp_pkey_derive(backend, evp_pkey, peer_public_key):
+    ctx = backend._lib.EVP_PKEY_CTX_new(evp_pkey, backend._ffi.NULL)
+    backend.openssl_assert(ctx != backend._ffi.NULL)
+    ctx = backend._ffi.gc(ctx, backend._lib.EVP_PKEY_CTX_free)
+    res = backend._lib.EVP_PKEY_derive_init(ctx)
+    backend.openssl_assert(res == 1)
+    res = backend._lib.EVP_PKEY_derive_set_peer(
+        ctx, peer_public_key._evp_pkey
+    )
+    backend.openssl_assert(res == 1)
+    keylen = backend._ffi.new("size_t *")
+    res = backend._lib.EVP_PKEY_derive(ctx, backend._ffi.NULL, keylen)
+    backend.openssl_assert(res == 1)
+    backend.openssl_assert(keylen[0] > 0)
+    buf = backend._ffi.new("unsigned char[]", keylen[0])
+    res = backend._lib.EVP_PKEY_derive(ctx, buf, keylen)
+    if res != 1:
+        raise ValueError(
+            "Null shared key derived from public/private pair."
+        )
+
+    return backend._ffi.buffer(buf, keylen[0])[:]
+
+
+def _calculate_digest_and_algorithm(backend, data, algorithm):
+    if not isinstance(algorithm, Prehashed):
+        hash_ctx = hashes.Hash(algorithm, backend)
+        hash_ctx.update(data)
+        data = hash_ctx.finalize()
+    else:
+        algorithm = algorithm._algorithm
+
+    if len(data) != algorithm.digest_size:
+        raise ValueError(
+            "The provided data must be the same length as the hash "
+            "algorithm's digest size."
+        )
+
+    return (data, algorithm)
+
+
+def _check_not_prehashed(signature_algorithm):
+    if isinstance(signature_algorithm, Prehashed):
+        raise TypeError(
+            "Prehashed is only supported in the sign and verify methods. "
+            "It cannot be used with signer or verifier."
+        )
+
+
+def _warn_sign_verify_deprecated():
+    warnings.warn(
+        "signer and verifier have been deprecated. Please use sign "
+        "and verify instead.",
+        utils.PersistentlyDeprecated2017,
+        stacklevel=3
+    )
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/x25519.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/x25519.py
@@ -0,0 +1,149 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import warnings
+
+from cryptography import utils
+from cryptography.hazmat.backends.openssl.utils import _evp_pkey_derive
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric.x25519 import (
+    X25519PrivateKey, X25519PublicKey
+)
+
+
+_X25519_KEY_SIZE = 32
+
+
+@utils.register_interface(X25519PublicKey)
+class _X25519PublicKey(object):
+    def __init__(self, backend, evp_pkey):
+        self._backend = backend
+        self._evp_pkey = evp_pkey
+
+    def public_bytes(self, encoding=None, format=None):
+        if encoding is None or format is None:
+            if encoding is not None or format is not None:
+                raise ValueError("Both encoding and format are required")
+            else:
+                warnings.warn(
+                    "public_bytes now requires encoding and format arguments. "
+                    "Support for calling without arguments will be removed in "
+                    "cryptography 2.7",
+                    utils.DeprecatedIn25,
+                )
+                encoding = serialization.Encoding.Raw
+                format = serialization.PublicFormat.Raw
+        if (
+            encoding is serialization.Encoding.Raw or
+            format is serialization.PublicFormat.Raw
+        ):
+            if (
+                encoding is not serialization.Encoding.Raw or
+                format is not serialization.PublicFormat.Raw
+            ):
+                raise ValueError(
+                    "When using Raw both encoding and format must be Raw"
+                )
+
+            return self._raw_public_bytes()
+
+        if (
+            encoding in serialization._PEM_DER and
+            format is not serialization.PublicFormat.SubjectPublicKeyInfo
+        ):
+            raise ValueError(
+                "format must be SubjectPublicKeyInfo when encoding is PEM or "
+                "DER"
+            )
+
+        return self._backend._public_key_bytes(
+            encoding, format, self, self._evp_pkey, None
+        )
+
+    def _raw_public_bytes(self):
+        ucharpp = self._backend._ffi.new("unsigned char **")
+        res = self._backend._lib.EVP_PKEY_get1_tls_encodedpoint(
+            self._evp_pkey, ucharpp
+        )
+        self._backend.openssl_assert(res == 32)
+        self._backend.openssl_assert(ucharpp[0] != self._backend._ffi.NULL)
+        data = self._backend._ffi.gc(
+            ucharpp[0], self._backend._lib.OPENSSL_free
+        )
+        return self._backend._ffi.buffer(data, res)[:]
+
+
+@utils.register_interface(X25519PrivateKey)
+class _X25519PrivateKey(object):
+    def __init__(self, backend, evp_pkey):
+        self._backend = backend
+        self._evp_pkey = evp_pkey
+
+    def public_key(self):
+        bio = self._backend._create_mem_bio_gc()
+        res = self._backend._lib.i2d_PUBKEY_bio(bio, self._evp_pkey)
+        self._backend.openssl_assert(res == 1)
+        evp_pkey = self._backend._lib.d2i_PUBKEY_bio(
+            bio, self._backend._ffi.NULL
+        )
+        self._backend.openssl_assert(evp_pkey != self._backend._ffi.NULL)
+        evp_pkey = self._backend._ffi.gc(
+            evp_pkey, self._backend._lib.EVP_PKEY_free
+        )
+        return _X25519PublicKey(self._backend, evp_pkey)
+
+    def exchange(self, peer_public_key):
+        if not isinstance(peer_public_key, X25519PublicKey):
+            raise TypeError("peer_public_key must be X25519PublicKey.")
+
+        return _evp_pkey_derive(
+            self._backend, self._evp_pkey, peer_public_key
+        )
+
+    def private_bytes(self, encoding, format, encryption_algorithm):
+        if (
+            encoding is serialization.Encoding.Raw or
+            format is serialization.PublicFormat.Raw
+        ):
+            if (
+                format is not serialization.PrivateFormat.Raw or
+                encoding is not serialization.Encoding.Raw or not
+                isinstance(encryption_algorithm, serialization.NoEncryption)
+            ):
+                raise ValueError(
+                    "When using Raw both encoding and format must be Raw "
+                    "and encryption_algorithm must be NoEncryption"
+                )
+
+            return self._raw_private_bytes()
+
+        if (
+            encoding in serialization._PEM_DER and
+            format is not serialization.PrivateFormat.PKCS8
+        ):
+            raise ValueError(
+                "format must be PKCS8 when encoding is PEM or DER"
+            )
+
+        return self._backend._private_key_bytes(
+            encoding, format, encryption_algorithm, self._evp_pkey, None
+        )
+
+    def _raw_private_bytes(self):
+        # When we drop support for CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 we can
+        # switch this to EVP_PKEY_new_raw_private_key
+        # The trick we use here is serializing to a PKCS8 key and just
+        # using the last 32 bytes, which is the key itself.
+        bio = self._backend._create_mem_bio_gc()
+        res = self._backend._lib.i2d_PKCS8PrivateKey_bio(
+            bio, self._evp_pkey,
+            self._backend._ffi.NULL, self._backend._ffi.NULL,
+            0, self._backend._ffi.NULL, self._backend._ffi.NULL
+        )
+        self._backend.openssl_assert(res == 1)
+        pkcs8 = self._backend._read_mem_bio(bio)
+        self._backend.openssl_assert(len(pkcs8) == 48)
+        return pkcs8[-_X25519_KEY_SIZE:]
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/x448.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/x448.py
@@ -0,0 +1,123 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+from cryptography import utils
+from cryptography.hazmat.backends.openssl.utils import _evp_pkey_derive
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric.x448 import (
+    X448PrivateKey, X448PublicKey
+)
+
+_X448_KEY_SIZE = 56
+
+
+@utils.register_interface(X448PublicKey)
+class _X448PublicKey(object):
+    def __init__(self, backend, evp_pkey):
+        self._backend = backend
+        self._evp_pkey = evp_pkey
+
+    def public_bytes(self, encoding, format):
+        if (
+            encoding is serialization.Encoding.Raw or
+            format is serialization.PublicFormat.Raw
+        ):
+            if (
+                encoding is not serialization.Encoding.Raw or
+                format is not serialization.PublicFormat.Raw
+            ):
+                raise ValueError(
+                    "When using Raw both encoding and format must be Raw"
+                )
+
+            return self._raw_public_bytes()
+
+        if (
+            encoding in serialization._PEM_DER and
+            format is not serialization.PublicFormat.SubjectPublicKeyInfo
+        ):
+            raise ValueError(
+                "format must be SubjectPublicKeyInfo when encoding is PEM or "
+                "DER"
+            )
+
+        return self._backend._public_key_bytes(
+            encoding, format, self, self._evp_pkey, None
+        )
+
+    def _raw_public_bytes(self):
+        buf = self._backend._ffi.new("unsigned char []", _X448_KEY_SIZE)
+        buflen = self._backend._ffi.new("size_t *", _X448_KEY_SIZE)
+        res = self._backend._lib.EVP_PKEY_get_raw_public_key(
+            self._evp_pkey, buf, buflen
+        )
+        self._backend.openssl_assert(res == 1)
+        self._backend.openssl_assert(buflen[0] == _X448_KEY_SIZE)
+        return self._backend._ffi.buffer(buf, _X448_KEY_SIZE)[:]
+
+
+@utils.register_interface(X448PrivateKey)
+class _X448PrivateKey(object):
+    def __init__(self, backend, evp_pkey):
+        self._backend = backend
+        self._evp_pkey = evp_pkey
+
+    def public_key(self):
+        buf = self._backend._ffi.new("unsigned char []", _X448_KEY_SIZE)
+        buflen = self._backend._ffi.new("size_t *", _X448_KEY_SIZE)
+        res = self._backend._lib.EVP_PKEY_get_raw_public_key(
+            self._evp_pkey, buf, buflen
+        )
+        self._backend.openssl_assert(res == 1)
+        self._backend.openssl_assert(buflen[0] == _X448_KEY_SIZE)
+        return self._backend.x448_load_public_bytes(buf)
+
+    def exchange(self, peer_public_key):
+        if not isinstance(peer_public_key, X448PublicKey):
+            raise TypeError("peer_public_key must be X448PublicKey.")
+
+        return _evp_pkey_derive(
+            self._backend, self._evp_pkey, peer_public_key
+        )
+
+    def private_bytes(self, encoding, format, encryption_algorithm):
+        if (
+            encoding is serialization.Encoding.Raw or
+            format is serialization.PublicFormat.Raw
+        ):
+            if (
+                format is not serialization.PrivateFormat.Raw or
+                encoding is not serialization.Encoding.Raw or not
+                isinstance(encryption_algorithm, serialization.NoEncryption)
+            ):
+                raise ValueError(
+                    "When using Raw both encoding and format must be Raw "
+                    "and encryption_algorithm must be NoEncryption"
+                )
+
+            return self._raw_private_bytes()
+
+        if (
+            encoding in serialization._PEM_DER and
+            format is not serialization.PrivateFormat.PKCS8
+        ):
+            raise ValueError(
+                "format must be PKCS8 when encoding is PEM or DER"
+            )
+
+        return self._backend._private_key_bytes(
+            encoding, format, encryption_algorithm, self._evp_pkey, None
+        )
+
+    def _raw_private_bytes(self):
+        buf = self._backend._ffi.new("unsigned char []", _X448_KEY_SIZE)
+        buflen = self._backend._ffi.new("size_t *", _X448_KEY_SIZE)
+        res = self._backend._lib.EVP_PKEY_get_raw_private_key(
+            self._evp_pkey, buf, buflen
+        )
+        self._backend.openssl_assert(res == 1)
+        self._backend.openssl_assert(buflen[0] == _X448_KEY_SIZE)
+        return self._backend._ffi.buffer(buf, _X448_KEY_SIZE)[:]
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/x509.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/backends/openssl/x509.py
@@ -0,0 +1,546 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import datetime
+import operator
+
+from cryptography import utils, x509
+from cryptography.exceptions import UnsupportedAlgorithm
+from cryptography.hazmat.backends.openssl.decode_asn1 import (
+    _CERTIFICATE_EXTENSION_PARSER, _CERTIFICATE_EXTENSION_PARSER_NO_SCT,
+    _CRL_EXTENSION_PARSER, _CSR_EXTENSION_PARSER,
+    _REVOKED_CERTIFICATE_EXTENSION_PARSER, _asn1_integer_to_int,
+    _asn1_string_to_bytes, _decode_x509_name, _obj2txt, _parse_asn1_time
+)
+from cryptography.hazmat.backends.openssl.encode_asn1 import (
+    _encode_asn1_int_gc
+)
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
+
+
+@utils.register_interface(x509.Certificate)
+class _Certificate(object):
+    def __init__(self, backend, x509):
+        self._backend = backend
+        self._x509 = x509
+
+    def __repr__(self):
+        return "<Certificate(subject={}, ...)>".format(self.subject)
+
+    def __eq__(self, other):
+        if not isinstance(other, x509.Certificate):
+            return NotImplemented
+
+        res = self._backend._lib.X509_cmp(self._x509, other._x509)
+        return res == 0
+
+    def __ne__(self, other):
+        return not self == other
+
+    def __hash__(self):
+        return hash(self.public_bytes(serialization.Encoding.DER))
+
+    def fingerprint(self, algorithm):
+        h = hashes.Hash(algorithm, self._backend)
+        h.update(self.public_bytes(serialization.Encoding.DER))
+        return h.finalize()
+
+    @property
+    def version(self):
+        version = self._backend._lib.X509_get_version(self._x509)
+        if version == 0:
+            return x509.Version.v1
+        elif version == 2:
+            return x509.Version.v3
+        else:
+            raise x509.InvalidVersion(
+                "{} is not a valid X509 version".format(version), version
+            )
+
+    @property
+    def serial_number(self):
+        asn1_int = self._backend._lib.X509_get_serialNumber(self._x509)
+        self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL)
+        return _asn1_integer_to_int(self._backend, asn1_int)
+
+    def public_key(self):
+        pkey = self._backend._lib.X509_get_pubkey(self._x509)
+        if pkey == self._backend._ffi.NULL:
+            # Remove errors from the stack.
+            self._backend._consume_errors()
+            raise ValueError("Certificate public key is of an unknown type")
+
+        pkey = self._backend._ffi.gc(pkey, self._backend._lib.EVP_PKEY_free)
+
+        return self._backend._evp_pkey_to_public_key(pkey)
+
+    @property
+    def not_valid_before(self):
+        asn1_time = self._backend._lib.X509_get_notBefore(self._x509)
+        return _parse_asn1_time(self._backend, asn1_time)
+
+    @property
+    def not_valid_after(self):
+        asn1_time = self._backend._lib.X509_get_notAfter(self._x509)
+        return _parse_asn1_time(self._backend, asn1_time)
+
+    @property
+    def issuer(self):
+        issuer = self._backend._lib.X509_get_issuer_name(self._x509)
+        self._backend.openssl_assert(issuer != self._backend._ffi.NULL)
+        return _decode_x509_name(self._backend, issuer)
+
+    @property
+    def subject(self):
+        subject = self._backend._lib.X509_get_subject_name(self._x509)
+        self._backend.openssl_assert(subject != self._backend._ffi.NULL)
+        return _decode_x509_name(self._backend, subject)
+
+    @property
+    def signature_hash_algorithm(self):
+        oid = self.signature_algorithm_oid
+        try:
+            return x509._SIG_OIDS_TO_HASH[oid]
+        except KeyError:
+            raise UnsupportedAlgorithm(
+                "Signature algorithm OID:{} not recognized".format(oid)
+            )
+
+    @property
+    def signature_algorithm_oid(self):
+        alg = self._backend._ffi.new("X509_ALGOR **")
+        self._backend._lib.X509_get0_signature(
+            self._backend._ffi.NULL, alg, self._x509
+        )
+        self._backend.openssl_assert(alg[0] != self._backend._ffi.NULL)
+        oid = _obj2txt(self._backend, alg[0].algorithm)
+        return x509.ObjectIdentifier(oid)
+
+    @utils.cached_property
+    def extensions(self):
+        if self._backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER:
+            return _CERTIFICATE_EXTENSION_PARSER.parse(
+                self._backend, self._x509
+            )
+        else:
+            return _CERTIFICATE_EXTENSION_PARSER_NO_SCT.parse(
+                self._backend, self._x509
+            )
+
+    @property
+    def signature(self):
+        sig = self._backend._ffi.new("ASN1_BIT_STRING **")
+        self._backend._lib.X509_get0_signature(
+            sig, self._backend._ffi.NULL, self._x509
+        )
+        self._backend.openssl_assert(sig[0] != self._backend._ffi.NULL)
+        return _asn1_string_to_bytes(self._backend, sig[0])
+
+    @property
+    def tbs_certificate_bytes(self):
+        pp = self._backend._ffi.new("unsigned char **")
+        res = self._backend._lib.i2d_re_X509_tbs(self._x509, pp)
+        self._backend.openssl_assert(res > 0)
+        pp = self._backend._ffi.gc(
+            pp, lambda pointer: self._backend._lib.OPENSSL_free(pointer[0])
+        )
+        return self._backend._ffi.buffer(pp[0], res)[:]
+
+    def public_bytes(self, encoding):
+        bio = self._backend._create_mem_bio_gc()
+        if encoding is serialization.Encoding.PEM:
+            res = self._backend._lib.PEM_write_bio_X509(bio, self._x509)
+        elif encoding is serialization.Encoding.DER:
+            res = self._backend._lib.i2d_X509_bio(bio, self._x509)
+        else:
+            raise TypeError("encoding must be an item from the Encoding enum")
+
+        self._backend.openssl_assert(res == 1)
+        return self._backend._read_mem_bio(bio)
+
+
+@utils.register_interface(x509.RevokedCertificate)
+class _RevokedCertificate(object):
+    def __init__(self, backend, crl, x509_revoked):
+        self._backend = backend
+        # The X509_REVOKED_value is a X509_REVOKED * that has
+        # no reference counting. This means when X509_CRL_free is
+        # called then the CRL and all X509_REVOKED * are freed. Since
+        # you can retain a reference to a single revoked certificate
+        # and let the CRL fall out of scope we need to retain a
+        # private reference to the CRL inside the RevokedCertificate
+        # object to prevent the gc from being called inappropriately.
+        self._crl = crl
+        self._x509_revoked = x509_revoked
+
+    @property
+    def serial_number(self):
+        asn1_int = self._backend._lib.X509_REVOKED_get0_serialNumber(
+            self._x509_revoked
+        )
+        self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL)
+        return _asn1_integer_to_int(self._backend, asn1_int)
+
+    @property
+    def revocation_date(self):
+        return _parse_asn1_time(
+            self._backend,
+            self._backend._lib.X509_REVOKED_get0_revocationDate(
+                self._x509_revoked
+            )
+        )
+
+    @utils.cached_property
+    def extensions(self):
+        return _REVOKED_CERTIFICATE_EXTENSION_PARSER.parse(
+            self._backend, self._x509_revoked
+        )
+
+
+@utils.register_interface(x509.CertificateRevocationList)
+class _CertificateRevocationList(object):
+    def __init__(self, backend, x509_crl):
+        self._backend = backend
+        self._x509_crl = x509_crl
+
+    def __eq__(self, other):
+        if not isinstance(other, x509.CertificateRevocationList):
+            return NotImplemented
+
+        res = self._backend._lib.X509_CRL_cmp(self._x509_crl, other._x509_crl)
+        return res == 0
+
+    def __ne__(self, other):
+        return not self == other
+
+    def fingerprint(self, algorithm):
+        h = hashes.Hash(algorithm, self._backend)
+        bio = self._backend._create_mem_bio_gc()
+        res = self._backend._lib.i2d_X509_CRL_bio(
+            bio, self._x509_crl
+        )
+        self._backend.openssl_assert(res == 1)
+        der = self._backend._read_mem_bio(bio)
+        h.update(der)
+        return h.finalize()
+
+    @utils.cached_property
+    def _sorted_crl(self):
+        # X509_CRL_get0_by_serial sorts in place, which breaks a variety of
+        # things we don't want to break (like iteration and the signature).
+        # Let's dupe it and sort that instead.
+        dup = self._backend._lib.X509_CRL_dup(self._x509_crl)
+        self._backend.openssl_assert(dup != self._backend._ffi.NULL)
+        dup = self._backend._ffi.gc(dup, self._backend._lib.X509_CRL_free)
+        return dup
+
+    def get_revoked_certificate_by_serial_number(self, serial_number):
+        revoked = self._backend._ffi.new("X509_REVOKED **")
+        asn1_int = _encode_asn1_int_gc(self._backend, serial_number)
+        res = self._backend._lib.X509_CRL_get0_by_serial(
+            self._sorted_crl, revoked, asn1_int
+        )
+        if res == 0:
+            return None
+        else:
+            self._backend.openssl_assert(
+                revoked[0] != self._backend._ffi.NULL
+            )
+            return _RevokedCertificate(
+                self._backend, self._sorted_crl, revoked[0]
+            )
+
+    @property
+    def signature_hash_algorithm(self):
+        oid = self.signature_algorithm_oid
+        try:
+            return x509._SIG_OIDS_TO_HASH[oid]
+        except KeyError:
+            raise UnsupportedAlgorithm(
+                "Signature algorithm OID:{} not recognized".format(oid)
+            )
+
+    @property
+    def signature_algorithm_oid(self):
+        alg = self._backend._ffi.new("X509_ALGOR **")
+        self._backend._lib.X509_CRL_get0_signature(
+            self._x509_crl, self._backend._ffi.NULL, alg
+        )
+        self._backend.openssl_assert(alg[0] != self._backend._ffi.NULL)
+        oid = _obj2txt(self._backend, alg[0].algorithm)
+        return x509.ObjectIdentifier(oid)
+
+    @property
+    def issuer(self):
+        issuer = self._backend._lib.X509_CRL_get_issuer(self._x509_crl)
+        self._backend.openssl_assert(issuer != self._backend._ffi.NULL)
+        return _decode_x509_name(self._backend, issuer)
+
+    @property
+    def next_update(self):
+        nu = self._backend._lib.X509_CRL_get_nextUpdate(self._x509_crl)
+        self._backend.openssl_assert(nu != self._backend._ffi.NULL)
+        return _parse_asn1_time(self._backend, nu)
+
+    @property
+    def last_update(self):
+        lu = self._backend._lib.X509_CRL_get_lastUpdate(self._x509_crl)
+        self._backend.openssl_assert(lu != self._backend._ffi.NULL)
+        return _parse_asn1_time(self._backend, lu)
+
+    @property
+    def signature(self):
+        sig = self._backend._ffi.new("ASN1_BIT_STRING **")
+        self._backend._lib.X509_CRL_get0_signature(
+            self._x509_crl, sig, self._backend._ffi.NULL
+        )
+        self._backend.openssl_assert(sig[0] != self._backend._ffi.NULL)
+        return _asn1_string_to_bytes(self._backend, sig[0])
+
+    @property
+    def tbs_certlist_bytes(self):
+        pp = self._backend._ffi.new("unsigned char **")
+        res = self._backend._lib.i2d_re_X509_CRL_tbs(self._x509_crl, pp)
+        self._backend.openssl_assert(res > 0)
+        pp = self._backend._ffi.gc(
+            pp, lambda pointer: self._backend._lib.OPENSSL_free(pointer[0])
+        )
+        return self._backend._ffi.buffer(pp[0], res)[:]
+
+    def public_bytes(self, encoding):
+        bio = self._backend._create_mem_bio_gc()
+        if encoding is serialization.Encoding.PEM:
+            res = self._backend._lib.PEM_write_bio_X509_CRL(
+                bio, self._x509_crl
+            )
+        elif encoding is serialization.Encoding.DER:
+            res = self._backend._lib.i2d_X509_CRL_bio(bio, self._x509_crl)
+        else:
+            raise TypeError("encoding must be an item from the Encoding enum")
+
+        self._backend.openssl_assert(res == 1)
+        return self._backend._read_mem_bio(bio)
+
+    def _revoked_cert(self, idx):
+        revoked = self._backend._lib.X509_CRL_get_REVOKED(self._x509_crl)
+        r = self._backend._lib.sk_X509_REVOKED_value(revoked, idx)
+        self._backend.openssl_assert(r != self._backend._ffi.NULL)
+        return _RevokedCertificate(self._backend, self, r)
+
+    def __iter__(self):
+        for i in range(len(self)):
+            yield self._revoked_cert(i)
+
+    def __getitem__(self, idx):
+        if isinstance(idx, slice):
+            start, stop, step = idx.indices(len(self))
+            return [self._revoked_cert(i) for i in range(start, stop, step)]
+        else:
+            idx = operator.index(idx)
+            if idx < 0:
+                idx += len(self)
+            if not 0 <= idx < len(self):
+                raise IndexError
+            return self._revoked_cert(idx)
+
+    def __len__(self):
+        revoked = self._backend._lib.X509_CRL_get_REVOKED(self._x509_crl)
+        if revoked == self._backend._ffi.NULL:
+            return 0
+        else:
+            return self._backend._lib.sk_X509_REVOKED_num(revoked)
+
+    @utils.cached_property
+    def extensions(self):
+        return _CRL_EXTENSION_PARSER.parse(self._backend, self._x509_crl)
+
+    def is_signature_valid(self, public_key):
+        if not isinstance(public_key, (dsa.DSAPublicKey, rsa.RSAPublicKey,
+                                       ec.EllipticCurvePublicKey)):
+            raise TypeError('Expecting one of DSAPublicKey, RSAPublicKey,'
+                            ' or EllipticCurvePublicKey.')
+        res = self._backend._lib.X509_CRL_verify(
+            self._x509_crl, public_key._evp_pkey
+        )
+
+        if res != 1:
+            self._backend._consume_errors()
+            return False
+
+        return True
+
+
+@utils.register_interface(x509.CertificateSigningRequest)
+class _CertificateSigningRequest(object):
+    def __init__(self, backend, x509_req):
+        self._backend = backend
+        self._x509_req = x509_req
+
+    def __eq__(self, other):
+        if not isinstance(other, _CertificateSigningRequest):
+            return NotImplemented
+
+        self_bytes = self.public_bytes(serialization.Encoding.DER)
+        other_bytes = other.public_bytes(serialization.Encoding.DER)
+        return self_bytes == other_bytes
+
+    def __ne__(self, other):
+        return not self == other
+
+    def __hash__(self):
+        return hash(self.public_bytes(serialization.Encoding.DER))
+
+    def public_key(self):
+        pkey = self._backend._lib.X509_REQ_get_pubkey(self._x509_req)
+        self._backend.openssl_assert(pkey != self._backend._ffi.NULL)
+        pkey = self._backend._ffi.gc(pkey, self._backend._lib.EVP_PKEY_free)
+        return self._backend._evp_pkey_to_public_key(pkey)
+
+    @property
+    def subject(self):
+        subject = self._backend._lib.X509_REQ_get_subject_name(self._x509_req)
+        self._backend.openssl_assert(subject != self._backend._ffi.NULL)
+        return _decode_x509_name(self._backend, subject)
+
+    @property
+    def signature_hash_algorithm(self):
+        oid = self.signature_algorithm_oid
+        try:
+            return x509._SIG_OIDS_TO_HASH[oid]
+        except KeyError:
+            raise UnsupportedAlgorithm(
+                "Signature algorithm OID:{} not recognized".format(oid)
+            )
+
+    @property
+    def signature_algorithm_oid(self):
+        alg = self._backend._ffi.new("X509_ALGOR **")
+        self._backend._lib.X509_REQ_get0_signature(
+            self._x509_req, self._backend._ffi.NULL, alg
+        )
+        self._backend.openssl_assert(alg[0] != self._backend._ffi.NULL)
+        oid = _obj2txt(self._backend, alg[0].algorithm)
+        return x509.ObjectIdentifier(oid)
+
+    @utils.cached_property
+    def extensions(self):
+        x509_exts = self._backend._lib.X509_REQ_get_extensions(self._x509_req)
+        x509_exts = self._backend._ffi.gc(
+            x509_exts,
+            lambda x: self._backend._lib.sk_X509_EXTENSION_pop_free(
+                x, self._backend._ffi.addressof(
+                    self._backend._lib._original_lib, "X509_EXTENSION_free"
+                )
+            )
+        )
+        return _CSR_EXTENSION_PARSER.parse(self._backend, x509_exts)
+
+    def public_bytes(self, encoding):
+        bio = self._backend._create_mem_bio_gc()
+        if encoding is serialization.Encoding.PEM:
+            res = self._backend._lib.PEM_write_bio_X509_REQ(
+                bio, self._x509_req
+            )
+        elif encoding is serialization.Encoding.DER:
+            res = self._backend._lib.i2d_X509_REQ_bio(bio, self._x509_req)
+        else:
+            raise TypeError("encoding must be an item from the Encoding enum")
+
+        self._backend.openssl_assert(res == 1)
+        return self._backend._read_mem_bio(bio)
+
+    @property
+    def tbs_certrequest_bytes(self):
+        pp = self._backend._ffi.new("unsigned char **")
+        res = self._backend._lib.i2d_re_X509_REQ_tbs(self._x509_req, pp)
+        self._backend.openssl_assert(res > 0)
+        pp = self._backend._ffi.gc(
+            pp, lambda pointer: self._backend._lib.OPENSSL_free(pointer[0])
+        )
+        return self._backend._ffi.buffer(pp[0], res)[:]
+
+    @property
+    def signature(self):
+        sig = self._backend._ffi.new("ASN1_BIT_STRING **")
+        self._backend._lib.X509_REQ_get0_signature(
+            self._x509_req, sig, self._backend._ffi.NULL
+        )
+        self._backend.openssl_assert(sig[0] != self._backend._ffi.NULL)
+        return _asn1_string_to_bytes(self._backend, sig[0])
+
+    @property
+    def is_signature_valid(self):
+        pkey = self._backend._lib.X509_REQ_get_pubkey(self._x509_req)
+        self._backend.openssl_assert(pkey != self._backend._ffi.NULL)
+        pkey = self._backend._ffi.gc(pkey, self._backend._lib.EVP_PKEY_free)
+        res = self._backend._lib.X509_REQ_verify(self._x509_req, pkey)
+
+        if res != 1:
+            self._backend._consume_errors()
+            return False
+
+        return True
+
+
+@utils.register_interface(
+    x509.certificate_transparency.SignedCertificateTimestamp
+)
+class _SignedCertificateTimestamp(object):
+    def __init__(self, backend, sct_list, sct):
+        self._backend = backend
+        # Keep the SCT_LIST that this SCT came from alive.
+        self._sct_list = sct_list
+        self._sct = sct
+
+    @property
+    def version(self):
+        version = self._backend._lib.SCT_get_version(self._sct)
+        assert version == self._backend._lib.SCT_VERSION_V1
+        return x509.certificate_transparency.Version.v1
+
+    @property
+    def log_id(self):
+        out = self._backend._ffi.new("unsigned char **")
+        log_id_length = self._backend._lib.SCT_get0_log_id(self._sct, out)
+        assert log_id_length >= 0
+        return self._backend._ffi.buffer(out[0], log_id_length)[:]
+
+    @property
+    def timestamp(self):
+        timestamp = self._backend._lib.SCT_get_timestamp(self._sct)
+        milliseconds = timestamp % 1000
+        return datetime.datetime.utcfromtimestamp(
+            timestamp // 1000
+        ).replace(microsecond=milliseconds * 1000)
+
+    @property
+    def entry_type(self):
+        entry_type = self._backend._lib.SCT_get_log_entry_type(self._sct)
+        # We currently only support loading SCTs from the X.509 extension, so
+        # we only have precerts.
+        assert entry_type == self._backend._lib.CT_LOG_ENTRY_TYPE_PRECERT
+        return x509.certificate_transparency.LogEntryType.PRE_CERTIFICATE
+
+    @property
+    def _signature(self):
+        ptrptr = self._backend._ffi.new("unsigned char **")
+        res = self._backend._lib.SCT_get0_signature(self._sct, ptrptr)
+        self._backend.openssl_assert(res > 0)
+        self._backend.openssl_assert(ptrptr[0] != self._backend._ffi.NULL)
+        return self._backend._ffi.buffer(ptrptr[0], res)[:]
+
+    def __hash__(self):
+        return hash(self._signature)
+
+    def __eq__(self, other):
+        if not isinstance(other, _SignedCertificateTimestamp):
+            return NotImplemented
+
+        return self._signature == other._signature
+
+    def __ne__(self, other):
+        return not self == other
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/__init__.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/__init__.py
@@ -0,0 +1,5 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/__pycache__/__init__.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/__pycache__/__init__.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/_constant_time.abi3.so b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/_constant_time.abi3.so
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/_openssl.abi3.so b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/_openssl.abi3.so
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/_padding.abi3.so b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/_padding.abi3.so
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/__init__.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/__init__.py
@@ -0,0 +1,5 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/__pycache__/__init__.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/__pycache__/__init__.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/__pycache__/_conditional.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/__pycache__/_conditional.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/__pycache__/binding.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/__pycache__/binding.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/_conditional.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/_conditional.py
@@ -0,0 +1,434 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+
+def cryptography_has_ec2m():
+    return [
+        "EC_POINT_set_affine_coordinates_GF2m",
+        "EC_POINT_get_affine_coordinates_GF2m",
+        "EC_POINT_set_compressed_coordinates_GF2m",
+    ]
+
+
+def cryptography_has_ec_1_0_2():
+    return [
+        "EC_curve_nid2nist",
+    ]
+
+
+def cryptography_has_set_ecdh_auto():
+    return [
+        "SSL_CTX_set_ecdh_auto",
+    ]
+
+
+def cryptography_has_rsa_r_pkcs_decoding_error():
+    return [
+        "RSA_R_PKCS_DECODING_ERROR"
+    ]
+
+
+def cryptography_has_rsa_oaep_md():
+    return [
+        "EVP_PKEY_CTX_set_rsa_oaep_md",
+    ]
+
+
+def cryptography_has_rsa_oaep_label():
+    return [
+        "EVP_PKEY_CTX_set0_rsa_oaep_label",
+    ]
+
+
+def cryptography_has_ssl3_method():
+    return [
+        "SSLv3_method",
+        "SSLv3_client_method",
+        "SSLv3_server_method",
+    ]
+
+
+def cryptography_has_alpn():
+    return [
+        "SSL_CTX_set_alpn_protos",
+        "SSL_set_alpn_protos",
+        "SSL_CTX_set_alpn_select_cb",
+        "SSL_get0_alpn_selected",
+    ]
+
+
+def cryptography_has_compression():
+    return [
+        "SSL_get_current_compression",
+        "SSL_get_current_expansion",
+        "SSL_COMP_get_name",
+    ]
+
+
+def cryptography_has_get_server_tmp_key():
+    return [
+        "SSL_get_server_tmp_key",
+    ]
+
+
+def cryptography_has_102_verification_error_codes():
+    return [
+        'X509_V_ERR_SUITE_B_INVALID_VERSION',
+        'X509_V_ERR_SUITE_B_INVALID_ALGORITHM',
+        'X509_V_ERR_SUITE_B_INVALID_CURVE',
+        'X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM',
+        'X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED',
+        'X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256',
+        'X509_V_ERR_HOSTNAME_MISMATCH',
+        'X509_V_ERR_EMAIL_MISMATCH',
+        'X509_V_ERR_IP_ADDRESS_MISMATCH'
+    ]
+
+
+def cryptography_has_102_verification_params():
+    return [
+        "X509_V_FLAG_SUITEB_128_LOS_ONLY",
+        "X509_V_FLAG_SUITEB_192_LOS",
+        "X509_V_FLAG_SUITEB_128_LOS",
+        "X509_VERIFY_PARAM_set1_host",
+        "X509_VERIFY_PARAM_set1_email",
+        "X509_VERIFY_PARAM_set1_ip",
+        "X509_VERIFY_PARAM_set1_ip_asc",
+        "X509_VERIFY_PARAM_set_hostflags",
+        "SSL_get0_param",
+        "X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT",
+        "X509_CHECK_FLAG_NO_WILDCARDS",
+        "X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS",
+        "X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS",
+        "X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS"
+    ]
+
+
+def cryptography_has_110_verification_params():
+    return [
+        "X509_CHECK_FLAG_NEVER_CHECK_SUBJECT"
+    ]
+
+
+def cryptography_has_x509_v_flag_trusted_first():
+    return [
+        "X509_V_FLAG_TRUSTED_FIRST",
+    ]
+
+
+def cryptography_has_x509_v_flag_partial_chain():
+    return [
+        "X509_V_FLAG_PARTIAL_CHAIN",
+    ]
+
+
+def cryptography_has_set_cert_cb():
+    return [
+        "SSL_CTX_set_cert_cb",
+        "SSL_set_cert_cb",
+    ]
+
+
+def cryptography_has_ssl_st():
+    return [
+        "SSL_ST_BEFORE",
+        "SSL_ST_OK",
+        "SSL_ST_INIT",
+        "SSL_ST_RENEGOTIATE",
+    ]
+
+
+def cryptography_has_tls_st():
+    return [
+        "TLS_ST_BEFORE",
+        "TLS_ST_OK",
+    ]
+
+
+def cryptography_has_locking_callbacks():
+    return [
+        "Cryptography_setup_ssl_threads",
+    ]
+
+
+def cryptography_has_scrypt():
+    return [
+        "EVP_PBE_scrypt",
+    ]
+
+
+def cryptography_has_generic_dtls_method():
+    return [
+        "DTLS_method",
+        "DTLS_server_method",
+        "DTLS_client_method",
+        "SSL_OP_NO_DTLSv1",
+        "SSL_OP_NO_DTLSv1_2",
+        "DTLS_set_link_mtu",
+        "DTLS_get_link_min_mtu",
+    ]
+
+
+def cryptography_has_evp_pkey_dhx():
+    return [
+        "EVP_PKEY_DHX",
+    ]
+
+
+def cryptography_has_mem_functions():
+    return [
+        "Cryptography_CRYPTO_set_mem_functions",
+    ]
+
+
+def cryptography_has_sct():
+    return [
+        "SCT_get_version",
+        "SCT_get_log_entry_type",
+        "SCT_get0_log_id",
+        "SCT_get0_signature",
+        "SCT_get_timestamp",
+        "SCT_set_source",
+        "sk_SCT_num",
+        "sk_SCT_value",
+        "SCT_LIST_free",
+        "sk_SCT_push",
+        "sk_SCT_new_null",
+        "SCT_new",
+        "SCT_set1_log_id",
+        "SCT_set_timestamp",
+        "SCT_set_version",
+        "SCT_set_log_entry_type",
+    ]
+
+
+def cryptography_has_x509_store_ctx_get_issuer():
+    return [
+        "X509_STORE_get_get_issuer",
+        "X509_STORE_set_get_issuer",
+    ]
+
+
+def cryptography_has_x25519():
+    return [
+        "EVP_PKEY_X25519",
+        "NID_X25519",
+    ]
+
+
+def cryptography_has_x448():
+    return [
+        "EVP_PKEY_X448",
+        "NID_X448",
+    ]
+
+
+def cryptography_has_ed448():
+    return [
+        "EVP_PKEY_ED448",
+        "NID_ED448",
+    ]
+
+
+def cryptography_has_ed25519():
+    return [
+        "NID_ED25519",
+        "EVP_PKEY_ED25519",
+    ]
+
+
+def cryptography_has_poly1305():
+    return [
+        "NID_poly1305",
+        "EVP_PKEY_POLY1305",
+    ]
+
+
+def cryptography_has_oneshot_evp_digest_sign_verify():
+    return [
+        "EVP_DigestSign",
+        "EVP_DigestVerify",
+    ]
+
+
+def cryptography_has_evp_digestfinal_xof():
+    return [
+        "EVP_DigestFinalXOF",
+    ]
+
+
+def cryptography_has_evp_pkey_get_set_tls_encodedpoint():
+    return [
+        "EVP_PKEY_get1_tls_encodedpoint",
+        "EVP_PKEY_set1_tls_encodedpoint",
+    ]
+
+
+def cryptography_has_fips():
+    return [
+        "FIPS_set_mode",
+        "FIPS_mode",
+    ]
+
+
+def cryptography_has_ssl_sigalgs():
+    return [
+        "SSL_CTX_set1_sigalgs_list",
+        "SSL_get_sigalgs",
+    ]
+
+
+def cryptography_has_psk():
+    return [
+        "SSL_CTX_use_psk_identity_hint",
+        "SSL_CTX_set_psk_server_callback",
+        "SSL_CTX_set_psk_client_callback",
+    ]
+
+
+def cryptography_has_custom_ext():
+    return [
+        "SSL_CTX_add_client_custom_ext",
+        "SSL_CTX_add_server_custom_ext",
+        "SSL_extension_supported",
+    ]
+
+
+def cryptography_has_openssl_cleanup():
+    return [
+        "OPENSSL_cleanup",
+    ]
+
+
+def cryptography_has_cipher_details():
+    return [
+        "SSL_CIPHER_is_aead",
+        "SSL_CIPHER_get_cipher_nid",
+        "SSL_CIPHER_get_digest_nid",
+        "SSL_CIPHER_get_kx_nid",
+        "SSL_CIPHER_get_auth_nid",
+    ]
+
+
+def cryptography_has_tlsv13():
+    return [
+        "SSL_OP_NO_TLSv1_3",
+        "SSL_VERIFY_POST_HANDSHAKE",
+        "SSL_CTX_set_ciphersuites",
+        "SSL_verify_client_post_handshake",
+        "SSL_CTX_set_post_handshake_auth",
+        "SSL_set_post_handshake_auth",
+        "SSL_SESSION_get_max_early_data",
+        "SSL_write_early_data",
+        "SSL_read_early_data",
+        "SSL_CTX_set_max_early_data",
+    ]
+
+
+def cryptography_has_raw_key():
+    return [
+        "EVP_PKEY_new_raw_private_key",
+        "EVP_PKEY_new_raw_public_key",
+        "EVP_PKEY_get_raw_private_key",
+        "EVP_PKEY_get_raw_public_key",
+    ]
+
+
+def cryptography_has_evp_r_memory_limit_exceeded():
+    return [
+        "EVP_R_MEMORY_LIMIT_EXCEEDED",
+    ]
+
+
+def cryptography_has_engine():
+    return [
+        "ENGINE_by_id",
+        "ENGINE_init",
+        "ENGINE_finish",
+        "ENGINE_get_default_RAND",
+        "ENGINE_set_default_RAND",
+        "ENGINE_unregister_RAND",
+        "ENGINE_ctrl_cmd",
+        "ENGINE_free",
+        "ENGINE_get_name",
+        "Cryptography_add_osrandom_engine",
+    ]
+
+
+# This is a mapping of
+# {condition: function-returning-names-dependent-on-that-condition} so we can
+# loop over them and delete unsupported names at runtime. It will be removed
+# when cffi supports #if in cdef. We use functions instead of just a dict of
+# lists so we can use coverage to measure which are used.
+CONDITIONAL_NAMES = {
+    "Cryptography_HAS_EC2M": cryptography_has_ec2m,
+    "Cryptography_HAS_EC_1_0_2": cryptography_has_ec_1_0_2,
+    "Cryptography_HAS_SET_ECDH_AUTO": cryptography_has_set_ecdh_auto,
+    "Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR": (
+        cryptography_has_rsa_r_pkcs_decoding_error
+    ),
+    "Cryptography_HAS_RSA_OAEP_MD": cryptography_has_rsa_oaep_md,
+    "Cryptography_HAS_RSA_OAEP_LABEL": cryptography_has_rsa_oaep_label,
+    "Cryptography_HAS_SSL3_METHOD": cryptography_has_ssl3_method,
+    "Cryptography_HAS_ALPN": cryptography_has_alpn,
+    "Cryptography_HAS_COMPRESSION": cryptography_has_compression,
+    "Cryptography_HAS_GET_SERVER_TMP_KEY": cryptography_has_get_server_tmp_key,
+    "Cryptography_HAS_102_VERIFICATION_ERROR_CODES": (
+        cryptography_has_102_verification_error_codes
+    ),
+    "Cryptography_HAS_102_VERIFICATION_PARAMS": (
+        cryptography_has_102_verification_params
+    ),
+    "Cryptography_HAS_110_VERIFICATION_PARAMS": (
+        cryptography_has_110_verification_params
+    ),
+    "Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST": (
+        cryptography_has_x509_v_flag_trusted_first
+    ),
+    "Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN": (
+        cryptography_has_x509_v_flag_partial_chain
+    ),
+    "Cryptography_HAS_SET_CERT_CB": cryptography_has_set_cert_cb,
+    "Cryptography_HAS_SSL_ST": cryptography_has_ssl_st,
+    "Cryptography_HAS_TLS_ST": cryptography_has_tls_st,
+    "Cryptography_HAS_LOCKING_CALLBACKS": cryptography_has_locking_callbacks,
+    "Cryptography_HAS_SCRYPT": cryptography_has_scrypt,
+    "Cryptography_HAS_GENERIC_DTLS_METHOD": (
+        cryptography_has_generic_dtls_method
+    ),
+    "Cryptography_HAS_EVP_PKEY_DHX": cryptography_has_evp_pkey_dhx,
+    "Cryptography_HAS_MEM_FUNCTIONS": cryptography_has_mem_functions,
+    "Cryptography_HAS_SCT": cryptography_has_sct,
+    "Cryptography_HAS_X509_STORE_CTX_GET_ISSUER": (
+        cryptography_has_x509_store_ctx_get_issuer
+    ),
+    "Cryptography_HAS_X25519": cryptography_has_x25519,
+    "Cryptography_HAS_X448": cryptography_has_x448,
+    "Cryptography_HAS_ED448": cryptography_has_ed448,
+    "Cryptography_HAS_ED25519": cryptography_has_ed25519,
+    "Cryptography_HAS_POLY1305": cryptography_has_poly1305,
+    "Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY": (
+        cryptography_has_oneshot_evp_digest_sign_verify
+    ),
+    "Cryptography_HAS_EVP_PKEY_get_set_tls_encodedpoint": (
+        cryptography_has_evp_pkey_get_set_tls_encodedpoint
+    ),
+    "Cryptography_HAS_FIPS": cryptography_has_fips,
+    "Cryptography_HAS_SIGALGS": cryptography_has_ssl_sigalgs,
+    "Cryptography_HAS_PSK": cryptography_has_psk,
+    "Cryptography_HAS_CUSTOM_EXT": cryptography_has_custom_ext,
+    "Cryptography_HAS_OPENSSL_CLEANUP": cryptography_has_openssl_cleanup,
+    "Cryptography_HAS_CIPHER_DETAILS": cryptography_has_cipher_details,
+    "Cryptography_HAS_TLSv1_3": cryptography_has_tlsv13,
+    "Cryptography_HAS_RAW_KEY": cryptography_has_raw_key,
+    "Cryptography_HAS_EVP_DIGESTFINAL_XOF": (
+        cryptography_has_evp_digestfinal_xof
+    ),
+    "Cryptography_HAS_EVP_R_MEMORY_LIMIT_EXCEEDED": (
+        cryptography_has_evp_r_memory_limit_exceeded
+    ),
+    "Cryptography_HAS_ENGINE": cryptography_has_engine,
+}
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/binding.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/bindings/openssl/binding.py
@@ -0,0 +1,197 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import collections
+import threading
+import types
+import warnings
+
+import cryptography
+from cryptography import utils
+from cryptography.exceptions import InternalError
+from cryptography.hazmat.bindings._openssl import ffi, lib
+from cryptography.hazmat.bindings.openssl._conditional import CONDITIONAL_NAMES
+
+_OpenSSLErrorWithText = collections.namedtuple(
+    "_OpenSSLErrorWithText", ["code", "lib", "func", "reason", "reason_text"]
+)
+
+
+class _OpenSSLError(object):
+    def __init__(self, code, lib, func, reason):
+        self._code = code
+        self._lib = lib
+        self._func = func
+        self._reason = reason
+
+    def _lib_reason_match(self, lib, reason):
+        return lib == self.lib and reason == self.reason
+
+    code = utils.read_only_property("_code")
+    lib = utils.read_only_property("_lib")
+    func = utils.read_only_property("_func")
+    reason = utils.read_only_property("_reason")
+
+
+def _consume_errors(lib):
+    errors = []
+    while True:
+        code = lib.ERR_get_error()
+        if code == 0:
+            break
+
+        err_lib = lib.ERR_GET_LIB(code)
+        err_func = lib.ERR_GET_FUNC(code)
+        err_reason = lib.ERR_GET_REASON(code)
+
+        errors.append(_OpenSSLError(code, err_lib, err_func, err_reason))
+
+    return errors
+
+
+def _openssl_assert(lib, ok):
+    if not ok:
+        errors = _consume_errors(lib)
+        errors_with_text = []
+        for err in errors:
+            buf = ffi.new("char[]", 256)
+            lib.ERR_error_string_n(err.code, buf, len(buf))
+            err_text_reason = ffi.string(buf)
+
+            errors_with_text.append(
+                _OpenSSLErrorWithText(
+                    err.code, err.lib, err.func, err.reason, err_text_reason
+                )
+            )
+
+        raise InternalError(
+            "Unknown OpenSSL error. This error is commonly encountered when "
+            "another library is not cleaning up the OpenSSL error stack. If "
+            "you are using cryptography with another library that uses "
+            "OpenSSL try disabling it before reporting a bug. Otherwise "
+            "please file an issue at https://github.com/pyca/cryptography/"
+            "issues with information on how to reproduce "
+            "this. ({0!r})".format(errors_with_text),
+            errors_with_text
+        )
+
+
+def build_conditional_library(lib, conditional_names):
+    conditional_lib = types.ModuleType("lib")
+    conditional_lib._original_lib = lib
+    excluded_names = set()
+    for condition, names_cb in conditional_names.items():
+        if not getattr(lib, condition):
+            excluded_names.update(names_cb())
+
+    for attr in dir(lib):
+        if attr not in excluded_names:
+            setattr(conditional_lib, attr, getattr(lib, attr))
+
+    return conditional_lib
+
+
+class Binding(object):
+    """
+    OpenSSL API wrapper.
+    """
+    lib = None
+    ffi = ffi
+    _lib_loaded = False
+    _init_lock = threading.Lock()
+    _lock_init_lock = threading.Lock()
+
+    def __init__(self):
+        self._ensure_ffi_initialized()
+
+    @classmethod
+    def _register_osrandom_engine(cls):
+        # Clear any errors extant in the queue before we start. In many
+        # scenarios other things may be interacting with OpenSSL in the same
+        # process space and it has proven untenable to assume that they will
+        # reliably clear the error queue. Once we clear it here we will
+        # error on any subsequent unexpected item in the stack.
+        cls.lib.ERR_clear_error()
+        if cls.lib.Cryptography_HAS_ENGINE:
+            result = cls.lib.Cryptography_add_osrandom_engine()
+            _openssl_assert(cls.lib, result in (1, 2))
+
+    @classmethod
+    def _ensure_ffi_initialized(cls):
+        with cls._init_lock:
+            if not cls._lib_loaded:
+                cls.lib = build_conditional_library(lib, CONDITIONAL_NAMES)
+                cls._lib_loaded = True
+                # initialize the SSL library
+                cls.lib.SSL_library_init()
+                # adds all ciphers/digests for EVP
+                cls.lib.OpenSSL_add_all_algorithms()
+                # loads error strings for libcrypto and libssl functions
+                cls.lib.SSL_load_error_strings()
+                cls._register_osrandom_engine()
+
+    @classmethod
+    def init_static_locks(cls):
+        with cls._lock_init_lock:
+            cls._ensure_ffi_initialized()
+            # Use Python's implementation if available, importing _ssl triggers
+            # the setup for this.
+            __import__("_ssl")
+
+            if (not cls.lib.Cryptography_HAS_LOCKING_CALLBACKS or
+                    cls.lib.CRYPTO_get_locking_callback() != cls.ffi.NULL):
+                return
+
+            # If nothing else has setup a locking callback already, we set up
+            # our own
+            res = lib.Cryptography_setup_ssl_threads()
+            _openssl_assert(cls.lib, res == 1)
+
+
+def _verify_openssl_version(lib):
+    if (
+        lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and
+        not lib.CRYPTOGRAPHY_IS_LIBRESSL
+    ):
+        warnings.warn(
+            "OpenSSL version 1.0.1 is no longer supported by the OpenSSL "
+            "project, please upgrade. A future version of cryptography will "
+            "drop support for it.",
+            utils.CryptographyDeprecationWarning
+        )
+
+
+def _verify_package_version(version):
+    # Occasionally we run into situations where the version of the Python
+    # package does not match the version of the shared object that is loaded.
+    # This may occur in environments where multiple versions of cryptography
+    # are installed and available in the python path. To avoid errors cropping
+    # up later this code checks that the currently imported package and the
+    # shared object that were loaded have the same version and raise an
+    # ImportError if they do not
+    so_package_version = ffi.string(lib.CRYPTOGRAPHY_PACKAGE_VERSION)
+    if version.encode("ascii") != so_package_version:
+        raise ImportError(
+            "The version of cryptography does not match the loaded "
+            "shared object. This can happen if you have multiple copies of "
+            "cryptography installed in your Python path. Please try creating "
+            "a new virtual environment to resolve this issue. "
+            "Loaded python version: {}, shared object version: {}".format(
+                version, so_package_version
+            )
+        )
+
+
+_verify_package_version(cryptography.__version__)
+
+# OpenSSL is not thread safe until the locks are initialized. We call this
+# method in module scope so that it executes with the import lock. On
+# Pythons < 3.4 this import lock is a global lock, which can prevent a race
+# condition registering the OpenSSL locks. On Python 3.4+ the import lock
+# is per module so this approach will not work.
+Binding.init_static_locks()
+
+_verify_openssl_version(Binding.lib)
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__init__.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__init__.py
@@ -0,0 +1,5 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/__init__.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/__init__.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/cmac.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/cmac.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/constant_time.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/constant_time.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/hashes.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/hashes.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/hmac.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/hmac.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/keywrap.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/keywrap.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/padding.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/padding.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/poly1305.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/__pycache__/poly1305.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__init__.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__init__.py
@@ -0,0 +1,40 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import abc
+
+import six
+
+
+@six.add_metaclass(abc.ABCMeta)
+class AsymmetricSignatureContext(object):
+    @abc.abstractmethod
+    def update(self, data):
+        """
+        Processes the provided bytes and returns nothing.
+        """
+
+    @abc.abstractmethod
+    def finalize(self):
+        """
+        Returns the signature as bytes.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class AsymmetricVerificationContext(object):
+    @abc.abstractmethod
+    def update(self, data):
+        """
+        Processes the provided bytes and returns nothing.
+        """
+
+    @abc.abstractmethod
+    def verify(self):
+        """
+        Raises an exception if the bytes provided to update do not match the
+        signature or the signature does not match the public key.
+        """
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/__init__.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/__init__.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/dh.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/dh.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/dsa.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/dsa.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/ec.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/ec.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/ed25519.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/ed25519.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/ed448.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/ed448.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/padding.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/padding.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/rsa.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/rsa.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/utils.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/utils.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/x25519.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/x25519.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/x448.cpython-37.pyc b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/__pycache__/x448.cpython-37.pyc
Binary files differ.
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/dh.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/dh.py
@@ -0,0 +1,212 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import abc
+
+import six
+
+from cryptography import utils
+
+
+def generate_parameters(generator, key_size, backend):
+    return backend.generate_dh_parameters(generator, key_size)
+
+
+class DHPrivateNumbers(object):
+    def __init__(self, x, public_numbers):
+        if not isinstance(x, six.integer_types):
+            raise TypeError("x must be an integer.")
+
+        if not isinstance(public_numbers, DHPublicNumbers):
+            raise TypeError("public_numbers must be an instance of "
+                            "DHPublicNumbers.")
+
+        self._x = x
+        self._public_numbers = public_numbers
+
+    def __eq__(self, other):
+        if not isinstance(other, DHPrivateNumbers):
+            return NotImplemented
+
+        return (
+            self._x == other._x and
+            self._public_numbers == other._public_numbers
+        )
+
+    def __ne__(self, other):
+        return not self == other
+
+    def private_key(self, backend):
+        return backend.load_dh_private_numbers(self)
+
+    public_numbers = utils.read_only_property("_public_numbers")
+    x = utils.read_only_property("_x")
+
+
+class DHPublicNumbers(object):
+    def __init__(self, y, parameter_numbers):
+        if not isinstance(y, six.integer_types):
+            raise TypeError("y must be an integer.")
+
+        if not isinstance(parameter_numbers, DHParameterNumbers):
+            raise TypeError(
+                "parameters must be an instance of DHParameterNumbers.")
+
+        self._y = y
+        self._parameter_numbers = parameter_numbers
+
+    def __eq__(self, other):
+        if not isinstance(other, DHPublicNumbers):
+            return NotImplemented
+
+        return (
+            self._y == other._y and
+            self._parameter_numbers == other._parameter_numbers
+        )
+
+    def __ne__(self, other):
+        return not self == other
+
+    def public_key(self, backend):
+        return backend.load_dh_public_numbers(self)
+
+    y = utils.read_only_property("_y")
+    parameter_numbers = utils.read_only_property("_parameter_numbers")
+
+
+class DHParameterNumbers(object):
+    def __init__(self, p, g, q=None):
+        if (
+            not isinstance(p, six.integer_types) or
+            not isinstance(g, six.integer_types)
+        ):
+            raise TypeError("p and g must be integers")
+        if q is not None and not isinstance(q, six.integer_types):
+            raise TypeError("q must be integer or None")
+
+        if g < 2:
+            raise ValueError("DH generator must be 2 or greater")
+
+        self._p = p
+        self._g = g
+        self._q = q
+
+    def __eq__(self, other):
+        if not isinstance(other, DHParameterNumbers):
+            return NotImplemented
+
+        return (
+            self._p == other._p and
+            self._g == other._g and
+            self._q == other._q
+        )
+
+    def __ne__(self, other):
+        return not self == other
+
+    def parameters(self, backend):
+        return backend.load_dh_parameter_numbers(self)
+
+    p = utils.read_only_property("_p")
+    g = utils.read_only_property("_g")
+    q = utils.read_only_property("_q")
+
+
+@six.add_metaclass(abc.ABCMeta)
+class DHParameters(object):
+    @abc.abstractmethod
+    def generate_private_key(self):
+        """
+        Generates and returns a DHPrivateKey.
+        """
+
+    @abc.abstractmethod
+    def parameter_bytes(self, encoding, format):
+        """
+        Returns the parameters serialized as bytes.
+        """
+
+    @abc.abstractmethod
+    def parameter_numbers(self):
+        """
+        Returns a DHParameterNumbers.
+        """
+
+
+DHParametersWithSerialization = DHParameters
+
+
+@six.add_metaclass(abc.ABCMeta)
+class DHPrivateKey(object):
+    @abc.abstractproperty
+    def key_size(self):
+        """
+        The bit length of the prime modulus.
+        """
+
+    @abc.abstractmethod
+    def public_key(self):
+        """
+        The DHPublicKey associated with this private key.
+        """
+
+    @abc.abstractmethod
+    def parameters(self):
+        """
+        The DHParameters object associated with this private key.
+        """
+
+    @abc.abstractmethod
+    def exchange(self, peer_public_key):
+        """
+        Given peer's DHPublicKey, carry out the key exchange and
+        return shared key as bytes.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class DHPrivateKeyWithSerialization(DHPrivateKey):
+    @abc.abstractmethod
+    def private_numbers(self):
+        """
+        Returns a DHPrivateNumbers.
+        """
+
+    @abc.abstractmethod
+    def private_bytes(self, encoding, format, encryption_algorithm):
+        """
+        Returns the key serialized as bytes.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class DHPublicKey(object):
+    @abc.abstractproperty
+    def key_size(self):
+        """
+        The bit length of the prime modulus.
+        """
+
+    @abc.abstractmethod
+    def parameters(self):
+        """
+        The DHParameters object associated with this public key.
+        """
+
+    @abc.abstractmethod
+    def public_numbers(self):
+        """
+        Returns a DHPublicNumbers.
+        """
+
+    @abc.abstractmethod
+    def public_bytes(self, encoding, format):
+        """
+        Returns the key serialized as bytes.
+        """
+
+
+DHPublicKeyWithSerialization = DHPublicKey
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/dsa.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/dsa.py
@@ -0,0 +1,254 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import abc
+
+import six
+
+from cryptography import utils
+
+
+@six.add_metaclass(abc.ABCMeta)
+class DSAParameters(object):
+    @abc.abstractmethod
+    def generate_private_key(self):
+        """
+        Generates and returns a DSAPrivateKey.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class DSAParametersWithNumbers(DSAParameters):
+    @abc.abstractmethod
+    def parameter_numbers(self):
+        """
+        Returns a DSAParameterNumbers.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class DSAPrivateKey(object):
+    @abc.abstractproperty
+    def key_size(self):
+        """
+        The bit length of the prime modulus.
+        """
+
+    @abc.abstractmethod
+    def public_key(self):
+        """
+        The DSAPublicKey associated with this private key.
+        """
+
+    @abc.abstractmethod
+    def parameters(self):
+        """
+        The DSAParameters object associated with this private key.
+        """
+
+    @abc.abstractmethod
+    def signer(self, signature_algorithm):
+        """
+        Returns an AsymmetricSignatureContext used for signing data.
+        """
+
+    @abc.abstractmethod
+    def sign(self, data, algorithm):
+        """
+        Signs the data
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class DSAPrivateKeyWithSerialization(DSAPrivateKey):
+    @abc.abstractmethod
+    def private_numbers(self):
+        """
+        Returns a DSAPrivateNumbers.
+        """
+
+    @abc.abstractmethod
+    def private_bytes(self, encoding, format, encryption_algorithm):
+        """
+        Returns the key serialized as bytes.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class DSAPublicKey(object):
+    @abc.abstractproperty
+    def key_size(self):
+        """
+        The bit length of the prime modulus.
+        """
+
+    @abc.abstractmethod
+    def parameters(self):
+        """
+        The DSAParameters object associated with this public key.
+        """
+
+    @abc.abstractmethod
+    def verifier(self, signature, signature_algorithm):
+        """
+        Returns an AsymmetricVerificationContext used for signing data.
+        """
+
+    @abc.abstractmethod
+    def public_numbers(self):
+        """
+        Returns a DSAPublicNumbers.
+        """
+
+    @abc.abstractmethod
+    def public_bytes(self, encoding, format):
+        """
+        Returns the key serialized as bytes.
+        """
+
+    @abc.abstractmethod
+    def verify(self, signature, data, algorithm):
+        """
+        Verifies the signature of the data.
+        """
+
+
+DSAPublicKeyWithSerialization = DSAPublicKey
+
+
+def generate_parameters(key_size, backend):
+    return backend.generate_dsa_parameters(key_size)
+
+
+def generate_private_key(key_size, backend):
+    return backend.generate_dsa_private_key_and_parameters(key_size)
+
+
+def _check_dsa_parameters(parameters):
+    if parameters.p.bit_length() not in [1024, 2048, 3072]:
+        raise ValueError("p must be exactly 1024, 2048, or 3072 bits long")
+    if parameters.q.bit_length() not in [160, 224, 256]:
+        raise ValueError("q must be exactly 160, 224, or 256 bits long")
+
+    if not (1 < parameters.g < parameters.p):
+        raise ValueError("g, p don't satisfy 1 < g < p.")
+
+
+def _check_dsa_private_numbers(numbers):
+    parameters = numbers.public_numbers.parameter_numbers
+    _check_dsa_parameters(parameters)
+    if numbers.x <= 0 or numbers.x >= parameters.q:
+        raise ValueError("x must be > 0 and < q.")
+
+    if numbers.public_numbers.y != pow(parameters.g, numbers.x, parameters.p):
+        raise ValueError("y must be equal to (g ** x % p).")
+
+
+class DSAParameterNumbers(object):
+    def __init__(self, p, q, g):
+        if (
+            not isinstance(p, six.integer_types) or
+            not isinstance(q, six.integer_types) or
+            not isinstance(g, six.integer_types)
+        ):
+            raise TypeError(
+                "DSAParameterNumbers p, q, and g arguments must be integers."
+            )
+
+        self._p = p
+        self._q = q
+        self._g = g
+
+    p = utils.read_only_property("_p")
+    q = utils.read_only_property("_q")
+    g = utils.read_only_property("_g")
+
+    def parameters(self, backend):
+        return backend.load_dsa_parameter_numbers(self)
+
+    def __eq__(self, other):
+        if not isinstance(other, DSAParameterNumbers):
+            return NotImplemented
+
+        return self.p == other.p and self.q == other.q and self.g == other.g
+
+    def __ne__(self, other):
+        return not self == other
+
+    def __repr__(self):
+        return (
+            "<DSAParameterNumbers(p={self.p}, q={self.q}, g={self.g})>".format(
+                self=self
+            )
+        )
+
+
+class DSAPublicNumbers(object):
+    def __init__(self, y, parameter_numbers):
+        if not isinstance(y, six.integer_types):
+            raise TypeError("DSAPublicNumbers y argument must be an integer.")
+
+        if not isinstance(parameter_numbers, DSAParameterNumbers):
+            raise TypeError(
+                "parameter_numbers must be a DSAParameterNumbers instance."
+            )
+
+        self._y = y
+        self._parameter_numbers = parameter_numbers
+
+    y = utils.read_only_property("_y")
+    parameter_numbers = utils.read_only_property("_parameter_numbers")
+
+    def public_key(self, backend):
+        return backend.load_dsa_public_numbers(self)
+
+    def __eq__(self, other):
+        if not isinstance(other, DSAPublicNumbers):
+            return NotImplemented
+
+        return (
+            self.y == other.y and
+            self.parameter_numbers == other.parameter_numbers
+        )
+
+    def __ne__(self, other):
+        return not self == other
+
+    def __repr__(self):
+        return (
+            "<DSAPublicNumbers(y={self.y}, "
+            "parameter_numbers={self.parameter_numbers})>".format(self=self)
+        )
+
+
+class DSAPrivateNumbers(object):
+    def __init__(self, x, public_numbers):
+        if not isinstance(x, six.integer_types):
+            raise TypeError("DSAPrivateNumbers x argument must be an integer.")
+
+        if not isinstance(public_numbers, DSAPublicNumbers):
+            raise TypeError(
+                "public_numbers must be a DSAPublicNumbers instance."
+            )
+        self._public_numbers = public_numbers
+        self._x = x
+
+    x = utils.read_only_property("_x")
+    public_numbers = utils.read_only_property("_public_numbers")
+
+    def private_key(self, backend):
+        return backend.load_dsa_private_numbers(self)
+
+    def __eq__(self, other):
+        if not isinstance(other, DSAPrivateNumbers):
+            return NotImplemented
+
+        return (
+            self.x == other.x and self.public_numbers == other.public_numbers
+        )
+
+    def __ne__(self, other):
+        return not self == other
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/ec.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/ec.py
@@ -0,0 +1,500 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import abc
+import warnings
+
+import six
+
+from cryptography import utils
+from cryptography.hazmat._oid import ObjectIdentifier
+
+
+class EllipticCurveOID(object):
+    SECP192R1 = ObjectIdentifier("1.2.840.10045.3.1.1")
+    SECP224R1 = ObjectIdentifier("1.3.132.0.33")
+    SECP256K1 = ObjectIdentifier("1.3.132.0.10")
+    SECP256R1 = ObjectIdentifier("1.2.840.10045.3.1.7")
+    SECP384R1 = ObjectIdentifier("1.3.132.0.34")
+    SECP521R1 = ObjectIdentifier("1.3.132.0.35")
+    BRAINPOOLP256R1 = ObjectIdentifier("1.3.36.3.3.2.8.1.1.7")
+    BRAINPOOLP384R1 = ObjectIdentifier("1.3.36.3.3.2.8.1.1.11")
+    BRAINPOOLP512R1 = ObjectIdentifier("1.3.36.3.3.2.8.1.1.13")
+    SECT163K1 = ObjectIdentifier("1.3.132.0.1")
+    SECT163R2 = ObjectIdentifier("1.3.132.0.15")
+    SECT233K1 = ObjectIdentifier("1.3.132.0.26")
+    SECT233R1 = ObjectIdentifier("1.3.132.0.27")
+    SECT283K1 = ObjectIdentifier("1.3.132.0.16")
+    SECT283R1 = ObjectIdentifier("1.3.132.0.17")
+    SECT409K1 = ObjectIdentifier("1.3.132.0.36")
+    SECT409R1 = ObjectIdentifier("1.3.132.0.37")
+    SECT571K1 = ObjectIdentifier("1.3.132.0.38")
+    SECT571R1 = ObjectIdentifier("1.3.132.0.39")
+
+
+@six.add_metaclass(abc.ABCMeta)
+class EllipticCurve(object):
+    @abc.abstractproperty
+    def name(self):
+        """
+        The name of the curve. e.g. secp256r1.
+        """
+
+    @abc.abstractproperty
+    def key_size(self):
+        """
+        Bit size of a secret scalar for the curve.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class EllipticCurveSignatureAlgorithm(object):
+    @abc.abstractproperty
+    def algorithm(self):
+        """
+        The digest algorithm used with this signature.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class EllipticCurvePrivateKey(object):
+    @abc.abstractmethod
+    def signer(self, signature_algorithm):
+        """
+        Returns an AsymmetricSignatureContext used for signing data.
+        """
+
+    @abc.abstractmethod
+    def exchange(self, algorithm, peer_public_key):
+        """
+        Performs a key exchange operation using the provided algorithm with the
+        provided peer's public key.
+        """
+
+    @abc.abstractmethod
+    def public_key(self):
+        """
+        The EllipticCurvePublicKey for this private key.
+        """
+
+    @abc.abstractproperty
+    def curve(self):
+        """
+        The EllipticCurve that this key is on.
+        """
+
+    @abc.abstractproperty
+    def key_size(self):
+        """
+        Bit size of a secret scalar for the curve.
+        """
+
+    @abc.abstractmethod
+    def sign(self, data, signature_algorithm):
+        """
+        Signs the data
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class EllipticCurvePrivateKeyWithSerialization(EllipticCurvePrivateKey):
+    @abc.abstractmethod
+    def private_numbers(self):
+        """
+        Returns an EllipticCurvePrivateNumbers.
+        """
+
+    @abc.abstractmethod
+    def private_bytes(self, encoding, format, encryption_algorithm):
+        """
+        Returns the key serialized as bytes.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class EllipticCurvePublicKey(object):
+    @abc.abstractmethod
+    def verifier(self, signature, signature_algorithm):
+        """
+        Returns an AsymmetricVerificationContext used for signing data.
+        """
+
+    @abc.abstractproperty
+    def curve(self):
+        """
+        The EllipticCurve that this key is on.
+        """
+
+    @abc.abstractproperty
+    def key_size(self):
+        """
+        Bit size of a secret scalar for the curve.
+        """
+
+    @abc.abstractmethod
+    def public_numbers(self):
+        """
+        Returns an EllipticCurvePublicNumbers.
+        """
+
+    @abc.abstractmethod
+    def public_bytes(self, encoding, format):
+        """
+        Returns the key serialized as bytes.
+        """
+
+    @abc.abstractmethod
+    def verify(self, signature, data, signature_algorithm):
+        """
+        Verifies the signature of the data.
+        """
+
+    @classmethod
+    def from_encoded_point(cls, curve, data):
+        utils._check_bytes("data", data)
+
+        if not isinstance(curve, EllipticCurve):
+            raise TypeError("curve must be an EllipticCurve instance")
+
+        if len(data) == 0:
+            raise ValueError("data must not be an empty byte string")
+
+        if six.indexbytes(data, 0) not in [0x02, 0x03, 0x04]:
+            raise ValueError("Unsupported elliptic curve point type")
+
+        from cryptography.hazmat.backends.openssl.backend import backend
+        return backend.load_elliptic_curve_public_bytes(curve, data)
+
+
+EllipticCurvePublicKeyWithSerialization = EllipticCurvePublicKey
+
+
+@utils.register_interface(EllipticCurve)
+class SECT571R1(object):
+    name = "sect571r1"
+    key_size = 570
+
+
+@utils.register_interface(EllipticCurve)
+class SECT409R1(object):
+    name = "sect409r1"
+    key_size = 409
+
+
+@utils.register_interface(EllipticCurve)
+class SECT283R1(object):
+    name = "sect283r1"
+    key_size = 283
+
+
+@utils.register_interface(EllipticCurve)
+class SECT233R1(object):
+    name = "sect233r1"
+    key_size = 233
+
+
+@utils.register_interface(EllipticCurve)
+class SECT163R2(object):
+    name = "sect163r2"
+    key_size = 163
+
+
+@utils.register_interface(EllipticCurve)
+class SECT571K1(object):
+    name = "sect571k1"
+    key_size = 571
+
+
+@utils.register_interface(EllipticCurve)
+class SECT409K1(object):
+    name = "sect409k1"
+    key_size = 409
+
+
+@utils.register_interface(EllipticCurve)
+class SECT283K1(object):
+    name = "sect283k1"
+    key_size = 283
+
+
+@utils.register_interface(EllipticCurve)
+class SECT233K1(object):
+    name = "sect233k1"
+    key_size = 233
+
+
+@utils.register_interface(EllipticCurve)
+class SECT163K1(object):
+    name = "sect163k1"
+    key_size = 163
+
+
+@utils.register_interface(EllipticCurve)
+class SECP521R1(object):
+    name = "secp521r1"
+    key_size = 521
+
+
+@utils.register_interface(EllipticCurve)
+class SECP384R1(object):
+    name = "secp384r1"
+    key_size = 384
+
+
+@utils.register_interface(EllipticCurve)
+class SECP256R1(object):
+    name = "secp256r1"
+    key_size = 256
+
+
+@utils.register_interface(EllipticCurve)
+class SECP256K1(object):
+    name = "secp256k1"
+    key_size = 256
+
+
+@utils.register_interface(EllipticCurve)
+class SECP224R1(object):
+    name = "secp224r1"
+    key_size = 224
+
+
+@utils.register_interface(EllipticCurve)
+class SECP192R1(object):
+    name = "secp192r1"
+    key_size = 192
+
+
+@utils.register_interface(EllipticCurve)
+class BrainpoolP256R1(object):
+    name = "brainpoolP256r1"
+    key_size = 256
+
+
+@utils.register_interface(EllipticCurve)
+class BrainpoolP384R1(object):
+    name = "brainpoolP384r1"
+    key_size = 384
+
+
+@utils.register_interface(EllipticCurve)
+class BrainpoolP512R1(object):
+    name = "brainpoolP512r1"
+    key_size = 512
+
+
+_CURVE_TYPES = {
+    "prime192v1": SECP192R1,
+    "prime256v1": SECP256R1,
+
+    "secp192r1": SECP192R1,
+    "secp224r1": SECP224R1,
+    "secp256r1": SECP256R1,
+    "secp384r1": SECP384R1,
+    "secp521r1": SECP521R1,
+    "secp256k1": SECP256K1,
+
+    "sect163k1": SECT163K1,
+    "sect233k1": SECT233K1,
+    "sect283k1": SECT283K1,
+    "sect409k1": SECT409K1,
+    "sect571k1": SECT571K1,
+
+    "sect163r2": SECT163R2,
+    "sect233r1": SECT233R1,
+    "sect283r1": SECT283R1,
+    "sect409r1": SECT409R1,
+    "sect571r1": SECT571R1,
+
+    "brainpoolP256r1": BrainpoolP256R1,
+    "brainpoolP384r1": BrainpoolP384R1,
+    "brainpoolP512r1": BrainpoolP512R1,
+}
+
+
+@utils.register_interface(EllipticCurveSignatureAlgorithm)
+class ECDSA(object):
+    def __init__(self, algorithm):
+        self._algorithm = algorithm
+
+    algorithm = utils.read_only_property("_algorithm")
+
+
+def generate_private_key(curve, backend):
+    return backend.generate_elliptic_curve_private_key(curve)
+
+
+def derive_private_key(private_value, curve, backend):
+    if not isinstance(private_value, six.integer_types):
+        raise TypeError("private_value must be an integer type.")
+
+    if private_value <= 0:
+        raise ValueError("private_value must be a positive integer.")
+
+    if not isinstance(curve, EllipticCurve):
+        raise TypeError("curve must provide the EllipticCurve interface.")
+
+    return backend.derive_elliptic_curve_private_key(private_value, curve)
+
+
+class EllipticCurvePublicNumbers(object):
+    def __init__(self, x, y, curve):
+        if (
+            not isinstance(x, six.integer_types) or
+            not isinstance(y, six.integer_types)
+        ):
+            raise TypeError("x and y must be integers.")
+
+        if not isinstance(curve, EllipticCurve):
+            raise TypeError("curve must provide the EllipticCurve interface.")
+
+        self._y = y
+        self._x = x
+        self._curve = curve
+
+    def public_key(self, backend):
+        return backend.load_elliptic_curve_public_numbers(self)
+
+    def encode_point(self):
+        warnings.warn(
+            "encode_point has been deprecated on EllipticCurvePublicNumbers"
+            " and will be removed in a future version. Please use "
+            "EllipticCurvePublicKey.public_bytes to obtain both "
+            "compressed and uncompressed point encoding.",
+            utils.DeprecatedIn25,
+            stacklevel=2,
+        )
+        # key_size is in bits. Convert to bytes and round up
+        byte_length = (self.curve.key_size + 7) // 8
+        return (
+            b'\x04' + utils.int_to_bytes(self.x, byte_length) +
+            utils.int_to_bytes(self.y, byte_length)
+        )
+
+    @classmethod
+    def from_encoded_point(cls, curve, data):
+        if not isinstance(curve, EllipticCurve):
+            raise TypeError("curve must be an EllipticCurve instance")
+
+        warnings.warn(
+            "Support for unsafe construction of public numbers from "
+            "encoded data will be removed in a future version. "
+            "Please use EllipticCurvePublicKey.from_encoded_point",
+            utils.DeprecatedIn25,
+            stacklevel=2,
+        )
+
+        if data.startswith(b'\x04'):
+            # key_size is in bits. Convert to bytes and round up
+            byte_length = (curve.key_size + 7) // 8
+            if len(data) == 2 * byte_length + 1:
+                x = utils.int_from_bytes(data[1:byte_length + 1], 'big')
+                y = utils.int_from_bytes(data[byte_length + 1:], 'big')
+                return cls(x, y, curve)
+            else:
+                raise ValueError('Invalid elliptic curve point data length')
+        else:
+            raise ValueError('Unsupported elliptic curve point type')
+
+    curve = utils.read_only_property("_curve")
+    x = utils.read_only_property("_x")
+    y = utils.read_only_property("_y")
+
+    def __eq__(self, other):
+        if not isinstance(other, EllipticCurvePublicNumbers):
+            return NotImplemented
+
+        return (
+            self.x == other.x and
+            self.y == other.y and
+            self.curve.name == other.curve.name and
+            self.curve.key_size == other.curve.key_size
+        )
+
+    def __ne__(self, other):
+        return not self == other
+
+    def __hash__(self):
+        return hash((self.x, self.y, self.curve.name, self.curve.key_size))
+
+    def __repr__(self):
+        return (
+            "<EllipticCurvePublicNumbers(curve={0.curve.name}, x={0.x}, "
+            "y={0.y}>".format(self)
+        )
+
+
+class EllipticCurvePrivateNumbers(object):
+    def __init__(self, private_value, public_numbers):
+        if not isinstance(private_value, six.integer_types):
+            raise TypeError("private_value must be an integer.")
+
+        if not isinstance(public_numbers, EllipticCurvePublicNumbers):
+            raise TypeError(
+                "public_numbers must be an EllipticCurvePublicNumbers "
+                "instance."
+            )
+
+        self._private_value = private_value
+        self._public_numbers = public_numbers
+
+    def private_key(self, backend):
+        return backend.load_elliptic_curve_private_numbers(self)
+
+    private_value = utils.read_only_property("_private_value")
+    public_numbers = utils.read_only_property("_public_numbers")
+
+    def __eq__(self, other):
+        if not isinstance(other, EllipticCurvePrivateNumbers):
+            return NotImplemented
+
+        return (
+            self.private_value == other.private_value and
+            self.public_numbers == other.public_numbers
+        )
+
+    def __ne__(self, other):
+        return not self == other
+
+    def __hash__(self):
+        return hash((self.private_value, self.public_numbers))
+
+
+class ECDH(object):
+    pass
+
+
+_OID_TO_CURVE = {
+    EllipticCurveOID.SECP192R1: SECP192R1,
+    EllipticCurveOID.SECP224R1: SECP224R1,
+    EllipticCurveOID.SECP256K1: SECP256K1,
+    EllipticCurveOID.SECP256R1: SECP256R1,
+    EllipticCurveOID.SECP384R1: SECP384R1,
+    EllipticCurveOID.SECP521R1: SECP521R1,
+    EllipticCurveOID.BRAINPOOLP256R1: BrainpoolP256R1,
+    EllipticCurveOID.BRAINPOOLP384R1: BrainpoolP384R1,
+    EllipticCurveOID.BRAINPOOLP512R1: BrainpoolP512R1,
+    EllipticCurveOID.SECT163K1: SECT163K1,
+    EllipticCurveOID.SECT163R2: SECT163R2,
+    EllipticCurveOID.SECT233K1: SECT233K1,
+    EllipticCurveOID.SECT233R1: SECT233R1,
+    EllipticCurveOID.SECT283K1: SECT283K1,
+    EllipticCurveOID.SECT283R1: SECT283R1,
+    EllipticCurveOID.SECT409K1: SECT409K1,
+    EllipticCurveOID.SECT409R1: SECT409R1,
+    EllipticCurveOID.SECT571K1: SECT571K1,
+    EllipticCurveOID.SECT571R1: SECT571R1,
+}
+
+
+def get_curve_for_oid(oid):
+    try:
+        return _OID_TO_CURVE[oid]
+    except KeyError:
+        raise LookupError(
+            "The provided object identifier has no matching elliptic "
+            "curve class"
+        )
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/ed25519.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/ed25519.py
@@ -0,0 +1,84 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import abc
+
+import six
+
+from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
+
+
+_ED25519_KEY_SIZE = 32
+_ED25519_SIG_SIZE = 64
+
+
+@six.add_metaclass(abc.ABCMeta)
+class Ed25519PublicKey(object):
+    @classmethod
+    def from_public_bytes(cls, data):
+        from cryptography.hazmat.backends.openssl.backend import backend
+        if not backend.ed25519_supported():
+            raise UnsupportedAlgorithm(
+                "ed25519 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
+            )
+
+        return backend.ed25519_load_public_bytes(data)
+
+    @abc.abstractmethod
+    def public_bytes(self, encoding, format):
+        """
+        The serialized bytes of the public key.
+        """
+
+    @abc.abstractmethod
+    def verify(self, signature, data):
+        """
+        Verify the signature.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class Ed25519PrivateKey(object):
+    @classmethod
+    def generate(cls):
+        from cryptography.hazmat.backends.openssl.backend import backend
+        if not backend.ed25519_supported():
+            raise UnsupportedAlgorithm(
+                "ed25519 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
+            )
+
+        return backend.ed25519_generate_key()
+
+    @classmethod
+    def from_private_bytes(cls, data):
+        from cryptography.hazmat.backends.openssl.backend import backend
+        if not backend.ed25519_supported():
+            raise UnsupportedAlgorithm(
+                "ed25519 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
+            )
+
+        return backend.ed25519_load_private_bytes(data)
+
+    @abc.abstractmethod
+    def public_key(self):
+        """
+        The Ed25519PublicKey derived from the private key.
+        """
+
+    @abc.abstractmethod
+    def private_bytes(self, encoding, format, encryption_algorithm):
+        """
+        The serialized bytes of the private key.
+        """
+
+    @abc.abstractmethod
+    def sign(self, data):
+        """
+        Signs the data.
+        """
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/ed448.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/ed448.py
@@ -0,0 +1,79 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import abc
+
+import six
+
+from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
+
+
+@six.add_metaclass(abc.ABCMeta)
+class Ed448PublicKey(object):
+    @classmethod
+    def from_public_bytes(cls, data):
+        from cryptography.hazmat.backends.openssl.backend import backend
+        if not backend.ed448_supported():
+            raise UnsupportedAlgorithm(
+                "ed448 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
+            )
+
+        return backend.ed448_load_public_bytes(data)
+
+    @abc.abstractmethod
+    def public_bytes(self, encoding, format):
+        """
+        The serialized bytes of the public key.
+        """
+
+    @abc.abstractmethod
+    def verify(self, signature, data):
+        """
+        Verify the signature.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class Ed448PrivateKey(object):
+    @classmethod
+    def generate(cls):
+        from cryptography.hazmat.backends.openssl.backend import backend
+        if not backend.ed448_supported():
+            raise UnsupportedAlgorithm(
+                "ed448 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
+            )
+        return backend.ed448_generate_key()
+
+    @classmethod
+    def from_private_bytes(cls, data):
+        from cryptography.hazmat.backends.openssl.backend import backend
+        if not backend.ed448_supported():
+            raise UnsupportedAlgorithm(
+                "ed448 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
+            )
+
+        return backend.ed448_load_private_bytes(data)
+
+    @abc.abstractmethod
+    def public_key(self):
+        """
+        The Ed448PublicKey derived from the private key.
+        """
+
+    @abc.abstractmethod
+    def sign(self, data):
+        """
+        Signs the data.
+        """
+
+    @abc.abstractmethod
+    def private_bytes(self, encoding, format, encryption_algorithm):
+        """
+        The serialized bytes of the private key.
+        """
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/padding.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/padding.py
@@ -0,0 +1,79 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import abc
+import math
+
+import six
+
+from cryptography import utils
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import rsa
+
+
+@six.add_metaclass(abc.ABCMeta)
+class AsymmetricPadding(object):
+    @abc.abstractproperty
+    def name(self):
+        """
+        A string naming this padding (e.g. "PSS", "PKCS1").
+        """
+
+
+@utils.register_interface(AsymmetricPadding)
+class PKCS1v15(object):
+    name = "EMSA-PKCS1-v1_5"
+
+
+@utils.register_interface(AsymmetricPadding)
+class PSS(object):
+    MAX_LENGTH = object()
+    name = "EMSA-PSS"
+
+    def __init__(self, mgf, salt_length):
+        self._mgf = mgf
+
+        if (not isinstance(salt_length, six.integer_types) and
+                salt_length is not self.MAX_LENGTH):
+            raise TypeError("salt_length must be an integer.")
+
+        if salt_length is not self.MAX_LENGTH and salt_length < 0:
+            raise ValueError("salt_length must be zero or greater.")
+
+        self._salt_length = salt_length
+
+
+@utils.register_interface(AsymmetricPadding)
+class OAEP(object):
+    name = "EME-OAEP"
+
+    def __init__(self, mgf, algorithm, label):
+        if not isinstance(algorithm, hashes.HashAlgorithm):
+            raise TypeError("Expected instance of hashes.HashAlgorithm.")
+
+        self._mgf = mgf
+        self._algorithm = algorithm
+        self._label = label
+
+
+class MGF1(object):
+    MAX_LENGTH = object()
+
+    def __init__(self, algorithm):
+        if not isinstance(algorithm, hashes.HashAlgorithm):
+            raise TypeError("Expected instance of hashes.HashAlgorithm.")
+
+        self._algorithm = algorithm
+
+
+def calculate_max_pss_salt_length(key, hash_algorithm):
+    if not isinstance(key, (rsa.RSAPrivateKey, rsa.RSAPublicKey)):
+        raise TypeError("key must be an RSA public or private key")
+    # bit length - 1 per RFC 3447
+    emlen = int(math.ceil((key.key_size - 1) / 8.0))
+    salt_length = emlen - hash_algorithm.digest_size - 2
+    assert salt_length >= 0
+    return salt_length
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/rsa.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/rsa.py
@@ -0,0 +1,368 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import abc
+try:
+    # Only available in math in 3.5+
+    from math import gcd
+except ImportError:
+    from fractions import gcd
+
+import six
+
+from cryptography import utils
+from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
+from cryptography.hazmat.backends.interfaces import RSABackend
+
+
+@six.add_metaclass(abc.ABCMeta)
+class RSAPrivateKey(object):
+    @abc.abstractmethod
+    def signer(self, padding, algorithm):
+        """
+        Returns an AsymmetricSignatureContext used for signing data.
+        """
+
+    @abc.abstractmethod
+    def decrypt(self, ciphertext, padding):
+        """
+        Decrypts the provided ciphertext.
+        """
+
+    @abc.abstractproperty
+    def key_size(self):
+        """
+        The bit length of the public modulus.
+        """
+
+    @abc.abstractmethod
+    def public_key(self):
+        """
+        The RSAPublicKey associated with this private key.
+        """
+
+    @abc.abstractmethod
+    def sign(self, data, padding, algorithm):
+        """
+        Signs the data.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class RSAPrivateKeyWithSerialization(RSAPrivateKey):
+    @abc.abstractmethod
+    def private_numbers(self):
+        """
+        Returns an RSAPrivateNumbers.
+        """
+
+    @abc.abstractmethod
+    def private_bytes(self, encoding, format, encryption_algorithm):
+        """
+        Returns the key serialized as bytes.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class RSAPublicKey(object):
+    @abc.abstractmethod
+    def verifier(self, signature, padding, algorithm):
+        """
+        Returns an AsymmetricVerificationContext used for verifying signatures.
+        """
+
+    @abc.abstractmethod
+    def encrypt(self, plaintext, padding):
+        """
+        Encrypts the given plaintext.
+        """
+
+    @abc.abstractproperty
+    def key_size(self):
+        """
+        The bit length of the public modulus.
+        """
+
+    @abc.abstractmethod
+    def public_numbers(self):
+        """
+        Returns an RSAPublicNumbers
+        """
+
+    @abc.abstractmethod
+    def public_bytes(self, encoding, format):
+        """
+        Returns the key serialized as bytes.
+        """
+
+    @abc.abstractmethod
+    def verify(self, signature, data, padding, algorithm):
+        """
+        Verifies the signature of the data.
+        """
+
+
+RSAPublicKeyWithSerialization = RSAPublicKey
+
+
+def generate_private_key(public_exponent, key_size, backend):
+    if not isinstance(backend, RSABackend):
+        raise UnsupportedAlgorithm(
+            "Backend object does not implement RSABackend.",
+            _Reasons.BACKEND_MISSING_INTERFACE
+        )
+
+    _verify_rsa_parameters(public_exponent, key_size)
+    return backend.generate_rsa_private_key(public_exponent, key_size)
+
+
+def _verify_rsa_parameters(public_exponent, key_size):
+    if public_exponent < 3:
+        raise ValueError("public_exponent must be >= 3.")
+
+    if public_exponent & 1 == 0:
+        raise ValueError("public_exponent must be odd.")
+
+    if key_size < 512:
+        raise ValueError("key_size must be at least 512-bits.")
+
+
+def _check_private_key_components(p, q, private_exponent, dmp1, dmq1, iqmp,
+                                  public_exponent, modulus):
+    if modulus < 3:
+        raise ValueError("modulus must be >= 3.")
+
+    if p >= modulus:
+        raise ValueError("p must be < modulus.")
+
+    if q >= modulus:
+        raise ValueError("q must be < modulus.")
+
+    if dmp1 >= modulus:
+        raise ValueError("dmp1 must be < modulus.")
+
+    if dmq1 >= modulus:
+        raise ValueError("dmq1 must be < modulus.")
+
+    if iqmp >= modulus:
+        raise ValueError("iqmp must be < modulus.")
+
+    if private_exponent >= modulus:
+        raise ValueError("private_exponent must be < modulus.")
+
+    if public_exponent < 3 or public_exponent >= modulus:
+        raise ValueError("public_exponent must be >= 3 and < modulus.")
+
+    if public_exponent & 1 == 0:
+        raise ValueError("public_exponent must be odd.")
+
+    if dmp1 & 1 == 0:
+        raise ValueError("dmp1 must be odd.")
+
+    if dmq1 & 1 == 0:
+        raise ValueError("dmq1 must be odd.")
+
+    if p * q != modulus:
+        raise ValueError("p*q must equal modulus.")
+
+
+def _check_public_key_components(e, n):
+    if n < 3:
+        raise ValueError("n must be >= 3.")
+
+    if e < 3 or e >= n:
+        raise ValueError("e must be >= 3 and < n.")
+
+    if e & 1 == 0:
+        raise ValueError("e must be odd.")
+
+
+def _modinv(e, m):
+    """
+    Modular Multiplicative Inverse. Returns x such that: (x*e) mod m == 1
+    """
+    x1, y1, x2, y2 = 1, 0, 0, 1
+    a, b = e, m
+    while b > 0:
+        q, r = divmod(a, b)
+        xn, yn = x1 - q * x2, y1 - q * y2
+        a, b, x1, y1, x2, y2 = b, r, x2, y2, xn, yn
+    return x1 % m
+
+
+def rsa_crt_iqmp(p, q):
+    """
+    Compute the CRT (q ** -1) % p value from RSA primes p and q.
+    """
+    return _modinv(q, p)
+
+
+def rsa_crt_dmp1(private_exponent, p):
+    """
+    Compute the CRT private_exponent % (p - 1) value from the RSA
+    private_exponent (d) and p.
+    """
+    return private_exponent % (p - 1)
+
+
+def rsa_crt_dmq1(private_exponent, q):
+    """
+    Compute the CRT private_exponent % (q - 1) value from the RSA
+    private_exponent (d) and q.
+    """
+    return private_exponent % (q - 1)
+
+
+# Controls the number of iterations rsa_recover_prime_factors will perform
+# to obtain the prime factors. Each iteration increments by 2 so the actual
+# maximum attempts is half this number.
+_MAX_RECOVERY_ATTEMPTS = 1000
+
+
+def rsa_recover_prime_factors(n, e, d):
+    """
+    Compute factors p and q from the private exponent d. We assume that n has
+    no more than two factors. This function is adapted from code in PyCrypto.
+    """
+    # See 8.2.2(i) in Handbook of Applied Cryptography.
+    ktot = d * e - 1
+    # The quantity d*e-1 is a multiple of phi(n), even,
+    # and can be represented as t*2^s.
+    t = ktot
+    while t % 2 == 0:
+        t = t // 2
+    # Cycle through all multiplicative inverses in Zn.
+    # The algorithm is non-deterministic, but there is a 50% chance
+    # any candidate a leads to successful factoring.
+    # See "Digitalized Signatures and Public Key Functions as Intractable
+    # as Factorization", M. Rabin, 1979
+    spotted = False
+    a = 2
+    while not spotted and a < _MAX_RECOVERY_ATTEMPTS:
+        k = t
+        # Cycle through all values a^{t*2^i}=a^k
+        while k < ktot:
+            cand = pow(a, k, n)
+            # Check if a^k is a non-trivial root of unity (mod n)
+            if cand != 1 and cand != (n - 1) and pow(cand, 2, n) == 1:
+                # We have found a number such that (cand-1)(cand+1)=0 (mod n).
+                # Either of the terms divides n.
+                p = gcd(cand + 1, n)
+                spotted = True
+                break
+            k *= 2
+        # This value was not any good... let's try another!
+        a += 2
+    if not spotted:
+        raise ValueError("Unable to compute factors p and q from exponent d.")
+    # Found !
+    q, r = divmod(n, p)
+    assert r == 0
+    p, q = sorted((p, q), reverse=True)
+    return (p, q)
+
+
+class RSAPrivateNumbers(object):
+    def __init__(self, p, q, d, dmp1, dmq1, iqmp,
+                 public_numbers):
+        if (
+            not isinstance(p, six.integer_types) or
+            not isinstance(q, six.integer_types) or
+            not isinstance(d, six.integer_types) or
+            not isinstance(dmp1, six.integer_types) or
+            not isinstance(dmq1, six.integer_types) or
+            not isinstance(iqmp, six.integer_types)
+        ):
+            raise TypeError(
+                "RSAPrivateNumbers p, q, d, dmp1, dmq1, iqmp arguments must"
+                " all be an integers."
+            )
+
+        if not isinstance(public_numbers, RSAPublicNumbers):
+            raise TypeError(
+                "RSAPrivateNumbers public_numbers must be an RSAPublicNumbers"
+                " instance."
+            )
+
+        self._p = p
+        self._q = q
+        self._d = d
+        self._dmp1 = dmp1
+        self._dmq1 = dmq1
+        self._iqmp = iqmp
+        self._public_numbers = public_numbers
+
+    p = utils.read_only_property("_p")
+    q = utils.read_only_property("_q")
+    d = utils.read_only_property("_d")
+    dmp1 = utils.read_only_property("_dmp1")
+    dmq1 = utils.read_only_property("_dmq1")
+    iqmp = utils.read_only_property("_iqmp")
+    public_numbers = utils.read_only_property("_public_numbers")
+
+    def private_key(self, backend):
+        return backend.load_rsa_private_numbers(self)
+
+    def __eq__(self, other):
+        if not isinstance(other, RSAPrivateNumbers):
+            return NotImplemented
+
+        return (
+            self.p == other.p and
+            self.q == other.q and
+            self.d == other.d and
+            self.dmp1 == other.dmp1 and
+            self.dmq1 == other.dmq1 and
+            self.iqmp == other.iqmp and
+            self.public_numbers == other.public_numbers
+        )
+
+    def __ne__(self, other):
+        return not self == other
+
+    def __hash__(self):
+        return hash((
+            self.p,
+            self.q,
+            self.d,
+            self.dmp1,
+            self.dmq1,
+            self.iqmp,
+            self.public_numbers,
+        ))
+
+
+class RSAPublicNumbers(object):
+    def __init__(self, e, n):
+        if (
+            not isinstance(e, six.integer_types) or
+            not isinstance(n, six.integer_types)
+        ):
+            raise TypeError("RSAPublicNumbers arguments must be integers.")
+
+        self._e = e
+        self._n = n
+
+    e = utils.read_only_property("_e")
+    n = utils.read_only_property("_n")
+
+    def public_key(self, backend):
+        return backend.load_rsa_public_numbers(self)
+
+    def __repr__(self):
+        return "<RSAPublicNumbers(e={0.e}, n={0.n})>".format(self)
+
+    def __eq__(self, other):
+        if not isinstance(other, RSAPublicNumbers):
+            return NotImplemented
+
+        return self.e == other.e and self.n == other.n
+
+    def __ne__(self, other):
+        return not self == other
+
+    def __hash__(self):
+        return hash((self.e, self.n))
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/utils.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/utils.py
@@ -0,0 +1,38 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+from asn1crypto.algos import DSASignature
+
+import six
+
+from cryptography import utils
+from cryptography.hazmat.primitives import hashes
+
+
+def decode_dss_signature(signature):
+    data = DSASignature.load(signature, strict=True).native
+    return data['r'], data['s']
+
+
+def encode_dss_signature(r, s):
+    if (
+        not isinstance(r, six.integer_types) or
+        not isinstance(s, six.integer_types)
+    ):
+        raise ValueError("Both r and s must be integers")
+
+    return DSASignature({'r': r, 's': s}).dump()
+
+
+class Prehashed(object):
+    def __init__(self, algorithm):
+        if not isinstance(algorithm, hashes.HashAlgorithm):
+            raise TypeError("Expected instance of HashAlgorithm.")
+
+        self._algorithm = algorithm
+        self._digest_size = algorithm.digest_size
+
+    digest_size = utils.read_only_property("_digest_size")
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/x25519.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/x25519.py
@@ -0,0 +1,73 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import abc
+
+import six
+
+from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
+
+
+@six.add_metaclass(abc.ABCMeta)
+class X25519PublicKey(object):
+    @classmethod
+    def from_public_bytes(cls, data):
+        from cryptography.hazmat.backends.openssl.backend import backend
+        if not backend.x25519_supported():
+            raise UnsupportedAlgorithm(
+                "X25519 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM
+            )
+
+        return backend.x25519_load_public_bytes(data)
+
+    @abc.abstractmethod
+    def public_bytes(self, encoding=None, format=None):
+        """
+        The serialized bytes of the public key.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class X25519PrivateKey(object):
+    @classmethod
+    def generate(cls):
+        from cryptography.hazmat.backends.openssl.backend import backend
+        if not backend.x25519_supported():
+            raise UnsupportedAlgorithm(
+                "X25519 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM
+            )
+        return backend.x25519_generate_key()
+
+    @classmethod
+    def from_private_bytes(cls, data):
+        from cryptography.hazmat.backends.openssl.backend import backend
+        if not backend.x25519_supported():
+            raise UnsupportedAlgorithm(
+                "X25519 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM
+            )
+
+        return backend.x25519_load_private_bytes(data)
+
+    @abc.abstractmethod
+    def public_key(self):
+        """
+        The serialized bytes of the public key.
+        """
+
+    @abc.abstractmethod
+    def private_bytes(self, encoding, format, encryption_algorithm):
+        """
+        The serialized bytes of the private key.
+        """
+
+    @abc.abstractmethod
+    def exchange(self, peer_public_key):
+        """
+        Performs a key exchange operation using the provided peer's public key.
+        """
diff --git a/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/x448.py b/FigENC_MacOS.app/Contents/Resources/cryptography/hazmat/primitives/asymmetric/x448.py
@@ -0,0 +1,73 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import abc
+
+import six
+
+from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
+
+
+@six.add_metaclass(abc.ABCMeta)
+class X448PublicKey(object):
+    @classmethod
+    def from_public_bytes(cls, data):
+        from cryptography.hazmat.backends.openssl.backend import backend
+        if not backend.x448_supported():
+            raise UnsupportedAlgorithm(
+                "X448 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM
+            )
+
+        return backend.x448_load_public_bytes(data)
+
+    @abc.abstractmethod
+    def public_bytes(self, encoding, format):
+        """
+        The serialized bytes of the public key.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class X448PrivateKey(object):
+    @classmethod
+    def generate(cls):
+        from cryptography.hazmat.backends.openssl.backend import backend
+        if not backend.x448_supported():
+            raise UnsupportedAlgorithm(
+                "X448 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM
+            )
+        return backend.x448_generate_key()
+
+    @classmethod
+    def from_private_bytes(cls, data):
+        from cryptography.hazmat.backends.openssl.backend import backend
+        if not backend.x448_supported():
+            raise UnsupportedAlgorithm(
+                "X448 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM
+            )
+
+        return backend.x448_load_private_bytes(data)
+
+    @abc.abstractmethod
+    def public_key(self):
+        """
+        The serialized bytes of the public key.
+        """
+
+    @abc.abstractmethod
+    def private_bytes(self, encoding, format, encryption_algorithm):
+        """