o )%aW@s.ddlZddlZddlZddlZddlZddlmZddlm Z ddl m Z ddl m Z ddlmZmZmZmZddlmZmZmZddlmZmZmZmZz dd lmZd ZWne yvd Z d[d e!d e!de"de"de#de!f ddZYnwdZ$dZ%dZ&dZ'dZ(dZ)dZ*e+dZ,dZ-dZ.dZ/dZ0d Z1d!Z2d"Z3d#Z4e+e.d$e/ej5Z6e7e8e9d%d&Z:ej;d'eje'e(e)d)Z?e@d*ZAe@d+ZBd,d-ZCe.d.e/d.fd/d0ZDd1d2ZEd3d4ZFd5d6ZGd7d8ZHd9d:ZId;d<ZJd=d>ZKd?d@ZLGdAdBdBeMZNGdCdDdDeMZOGdEdFdFeMZPGdGdHdHeMZQGdIdJdJeMZRe%eOe&ePe$eRe'eQdKeSe(eQdLeTe)eQdMeUiZVdNdOZWejXejYejZej[ej\fZ] d\dPe!d ej^e!de]fdQdRZ_ d\dSe]d ej^e!fdTdUZ`ejXejaejbejcejdfZed\dPe!deefdVdWZfdXeede!fdYdZZgdS)]N) encodebytes)utilsUnsupportedAlgorithm) _get_backend)dsaeced25519rsa)Cipher algorithmsmodes)Encoding NoEncryption PrivateFormat PublicFormat)kdfTFpasswordsaltdesired_key_bytesroundsignore_few_roundsreturncCstd)NzNeed bcrypt moduler)rrrrrrR/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/serialization/ssh.py _bcrypt_kdf srs ssh-ed25519sssh-rsasssh-dsssecdsa-sha2-nistp256secdsa-sha2-nistp384secdsa-sha2-nistp521s-cert-v01@openssh.coms\A(\S+)[ \t]+(\S+)sopenssh-key-v1s#-----BEGIN OPENSSH PRIVATE KEY-----s!-----END OPENSSH PRIVATE KEY-----sbcryptsnone aes256-ctrHs(.*?) )rs aes256-cbc) secp256r1 secp384r1 secp521r1s>Is>QcCs(|j}|jtvrtd|jt|jS)z3Return SSH key_type and curve_name for private key.z)Unsupported curve for ssh private key: %r)curvename_ECDSA_KEY_TYPE ValueError) public_keyr%rrr_ecdsa_key_typeSs   r* cCsd|t||gS)N)join_base64_encode)dataprefixsuffixrrr_ssh_pem_encode]sr2cCs |r t||dkrtddS)zRequire data to be full blocksrzCorrupt data: missing paddingN)lenr()r/ block_lenrrr_check_block_sizeasr5cCs|rtddS)z!All data should have been parsed.zCorrupt data: unparsed dataN)r(r/rrr _check_emptygsr7c CsT|stdt|\}}}}t|||||d} t|| d||| |d|S)z$Generate key + iv and return cipher.zKey is password-protected.TN)r( _SSH_CIPHERSrr ) ciphernamerrrbackendalgokey_lenmodeiv_lenseedrrr _init_cipherms $r@cC6t|dkr tdt|ddd|ddfS)Uint32 Invalid dataNr)r3r(_U32unpackr6rrr_get_u32w "rGcCrA)Uint64rDNr)r3r(_U64rFr6rrr_get_u64~rHrLcCs8t|\}}|t|krtd|d|||dfS)zBytes with u32 length prefixrDN)rGr3r()r/nrrr _get_sshstrs  rNcCs4t|\}}|r|ddkrtdt|d|fS)z Big integer.rrDbig)rNr(int from_bytes)r/valrrr _get_mpints rTcCs4|dkrtd|s dS|dd}t||S)z!Storage format for signed bigint.rznegative mpint not allowedr,rJ)r( bit_lengthr int_to_bytes)rSnbytesrrr _to_mpints  rXc@sTeZdZdZdddZddZddZd d Zd d Zd dZ dddZ ddZ dS) _FragListz,Build recursive structure without data copy.NcCsg|_|r |j|dSdSN)flistextend)selfinitrrr__init__sz_FragList.__init__cCs|j|dS)zAdd plain bytesN)r[appendr]rSrrrput_rawz_FragList.put_rawcCs|jt|dS)zBig-endian uint32N)r[r`rEpackrarrrput_u32sz_FragList.put_u32cCsNt|tttfr|t||j|dS|||j |jdS)zBytes prefixed with u32 lengthN) isinstancebytes memoryview bytearrayrer3r[r`sizer\rarrr put_sshstrs z_FragList.put_sshstrcCs|t|dS)z*Big-endian bigint prefixed with u32 lengthN)rkrXrarrr put_mpintsz_FragList.put_mpintcCsttt|jS)zCurrent number of bytes)summapr3r[)r]rrrrjrcz_FragList.sizercCs2|jD]}t|}|||}}||||<q|S)zWrite into bytearray)r[r3)r]dstbufposfragflenstartrrrrenders z_FragList.rendercCs"tt|}|||S)zReturn as bytes)rhrirjrttobytes)r]bufrrrrus z_FragList.tobytesrZ)r) __name__ __module__ __qualname____doc__r_rbrerkrlrjrtrurrrrrYs    rYc@8eZdZdZddZddZddZdd Zd d Zd S) _SSHFormatRSAzhFormat for RSA keys. Public: mpint e, n Private: mpint n, e, d, iqmp, p, q cCs$t|\}}t|\}}||f|fS)zRSA public fieldsrT)r]r/erMrrr get_publics   z_SSHFormatRSA.get_publiccCs0||\\}}}t||}||}||fS)zMake RSA public key from data.)rr RSAPublicNumbersr))r]key_typer/r:r~rMpublic_numbersr)rrr load_publics  z_SSHFormatRSA.load_publicc Cst|\}}t|\}}t|\}}t|\}}t|\}}t|\} }||f|kr.tdt||} t|| } t||} t|| || | || } | |}||fS)zMake RSA private key from data.z Corrupt data: rsa field mismatch)rTr(r rsa_crt_dmp1 rsa_crt_dmq1rRSAPrivateNumbers private_key)r]r/ pubfieldsr:rMr~diqmppqdmp1dmq1rprivate_numbersrrrr load_privates           z_SSHFormatRSA.load_privatecCs$|}||j||jdS)zWrite RSA public keyN)rrlr~rM)r]r)f_pubpubnrrr encode_publics z_SSHFormatRSA.encode_publiccCsZ|}|j}||j||j||j||j||j||jdS)zWrite RSA private keyN) rrrlrMr~rrrr)r]rf_privrrrrrencode_privates     z_SSHFormatRSA.encode_privateN rwrxryrzrrrrrrrrrr|s r|c@@eZdZdZddZddZddZdd Zd d Zd d Z dS) _SSHFormatDSAzhFormat for DSA keys. Public: mpint p, q, g, y Private: mpint p, q, g, y, x cCs@t|\}}t|\}}t|\}}t|\}}||||f|fS)zDSA public fieldsr})r]r/rrgyrrrrs    z_SSHFormatDSA.get_publicc CsL||\\}}}}}t|||}t||} || | |} | |fS)zMake DSA public key from data.)rrDSAParameterNumbersDSAPublicNumbers _validater)) r]rr/r:rrrrparameter_numbersrr)rrrrs    z_SSHFormatDSA.load_publicc Cs|||\\}}}}}t|\}}||||f|krtdt|||} t|| } || t|| } | |} | |fS)zMake DSA private key from data.z Corrupt data: dsa field mismatch) rrTr(rrrrDSAPrivateNumbersr) r]r/rr:rrrrxrrrrrrrr's     z_SSHFormatDSA.load_privatecCsL|}|j}||||j||j||j||jdS)zWrite DSA public keyN)rrrrlrrrr)r]r)rrrrrrr5s    z_SSHFormatDSA.encode_publiccCs$|||||jdS)zWrite DSA private keyN)rr)rlrr)r]rrrrrr@sz_SSHFormatDSA.encode_privatecCs |j}|jdkrtddS)Niz#SSH supports only 1024 bit DSA keys)rrrUr()r]rrrrrrEsz_SSHFormatDSA._validateN) rwrxryrzrrrrrrrrrrr s  rc@r)_SSHFormatECDSAzFormat for ECDSA keys. Public: str curve bytes point Private: str curve bytes point mpint secret cCs||_||_dSrZ)ssh_curve_namer%)r]rr%rrrr_Ws z_SSHFormatECDSA.__init__cCsJt|\}}t|\}}||jkrtd|ddkrtd||f|fS)zECDSA public fieldszCurve name mismatchrrCzNeed uncompressed point)rNrr(NotImplementedError)r]r/r%pointrrrr[s     z_SSHFormatECDSA.get_publiccCs.||\\}}}tj|j|}||fS)z Make ECDSA public key from data.)rrEllipticCurvePublicKeyfrom_encoded_pointr%ru)r]rr/r: curve_namerr)rrrres  z_SSHFormatECDSA.load_publiccCsJ||\\}}}t|\}}||f|krtdt||j|}||fS)z!Make ECDSA private key from data.z"Corrupt data: ecdsa field mismatch)rrTr(rderive_private_keyr%)r]r/rr:rrsecretrrrrrms   z_SSHFormatECDSA.load_privatecCs*|tjtj}||j||dS)zWrite ECDSA public keyN) public_bytesrX962rUncompressedPointrkr)r]r)rrrrrrws  z_SSHFormatECDSA.encode_publiccCs,|}|}|||||jdS)zWrite ECDSA private keyN)r)rrrl private_value)r]rrr)rrrrrs z_SSHFormatECDSA.encode_privateN) rwrxryrzr_rrrrrrrrrrKs   rc@r{) _SSHFormatEd25519z~Format for Ed25519 keys. Public: bytes point Private: bytes point bytes secret_and_point cCst|\}}|f|fS)zEd25519 public fields)rN)r]r/rrrrrs  z_SSHFormatEd25519.get_publiccCs(||\\}}tj|}||fS)z"Make Ed25519 public key from data.)rr Ed25519PublicKeyfrom_public_bytesru)r]rr/r:rr)rrrrs z_SSHFormatEd25519.load_publicc Csb||\\}}t|\}}|dd}|dd}||ks#|f|kr'tdtj|}||fS)z#Make Ed25519 private key from data.Nr!z$Corrupt data: ed25519 field mismatch)rrNr(r Ed25519PrivateKeyfrom_private_bytes) r]r/rr:rkeypairrpoint2rrrrrs    z_SSHFormatEd25519.load_privatecCs|tjtj}||dS)zWrite Ed25519 public keyN)rrRawrrk)r]r)rraw_public_keyrrrrsz_SSHFormatEd25519.encode_publiccCsR|}|tjtjt}|tjtj}t||g}| ||| |dS)zWrite Ed25519 private keyN) r) private_bytesrrrrrrrYrrk)r]rrr)raw_private_keyr f_keypairrrrrs   z _SSHFormatEd25519.encode_privateNrrrrrrs  rsnistp256snistp384snistp521cCs2t|ts t|}|tvrt|Std|)z"Return valid format or throw errorzUnsupported key type: %r)rfrgrhru _KEY_FORMATSr)rrrr_lookup_kformats   rr/cCsJtd|t|}|durtd|t|}|std|d}|d}t t |||}| t s=tdt |tt d}t|\}}t|\}}t|\}}t|\} }| dkrgtdt|\} }t| \} } t| } | | \} } t| t|\}}t|||fttfkr|}|tvrtd||tkrtd|t|d }t||t|\}}t|\}}t|t|||||}t ||}nd }t||t|\}}t|\}}||krtd t|\}}|| krtd | || |\}}t|\}}|tdt|kr#td |S)z.Load private key from OpenSSH custom encoding.r/NrzNot OpenSSH private key formatrzOnly one key supportedzUnsupported cipher: %rzUnsupported KDF: %rrJzCorrupt data: broken checksumzCorrupt data: key type mismatchzCorrupt data: invalid padding)r_check_bytesliker _check_bytes_PEM_RCsearchr(rsendbinascii a2b_base64rh startswith _SK_MAGICr3rNrGrrr7_NONErur8r_BCRYPTr5r@ decryptorupdater_PADDING)r/rr:mp1p2r9kdfname kdfoptionsnkeyspubdata pub_key_typekformatredatablklenrkbufrciphck1ck2rrcommentrrrload_ssh_private_keysn                         rrcCs>|dur td||rt|tkrtdt|tjr#t| }nt|t j r,t }nt|t jr5t}n t|tjr>t}ntdt|}t}|rst}t|d}t}t}td} || ||td} t||| || } nt}}d}d} d} td } d }t}||| | |t| | g}|||!|||||"t#d||$|t}|"t%|||||||| |||||$}|$}t&t'||}|(|||}| dur | )*|||||dt+|d|}t'||||<|S) z3Serialize private key with OpenSSH custom encoding.NrzNPasswords longer than 72 bytes are not supported by OpenSSH private key formatUnsupported key typerrrJrrCr,),rrr3 _MAX_PASSWORDr(rfrEllipticCurvePrivateKeyr*r)r RSAPrivateKey_SSH_RSAr DSAPrivateKey_SSH_DSAr r _SSH_ED25519rrY_DEFAULT_CIPHERr8r_DEFAULT_ROUNDSosurandomrkrerr@rrrrbrrjrrhrirt encryptor update_intor2)rrrr f_kdfoptionsr9rrrrr:rrcheckvalr f_public_key f_secretsf_mainslenmlenrvofstxtrrrserialize_ssh_private_key(sv                         rc Cs|t|}td|t|}|std|d}}|d}d}t|tt dkr9d}|dtt }t |}z t t |}Wnt t jfyTtdwt|\}}||krctd|rkt|\} }||||\} }|rt|\} }t|\} }t|\} }t|\}}t|\}}t|\}}t|\}}t|\}}t|\}}t|\}}t|\}}t|| S) z-Load public key from OpenSSH one-line format.r/zInvalid line formatrFNTzInvalid key format)rrr_SSH_PUBKEY_RCmatchr(group _CERT_SUFFIXr3rrhrr TypeErrorErrorrNrrLrGr7)r/r:rr orig_key_typekey_body with_certrinner_key_typenoncer)serialcctypekey_id principals valid_after valid_before crit_options extensionsreservedsig_key signaturerrrload_ssh_public_keysJ                r r)cCst|tjr t|}nt|tjrt}nt|tjrt }n t|t j r&t }nt dt|}t}|||||t|}d|d|gS)z&One-line public key format for OpenSSHrr, )rfrrr*r RSAPublicKeyrr DSAPublicKeyrr rrr(rrYrkrr b2a_base64rustripr-)r)rrrpubrrrserialize_ssh_public_keys       r)FrZ)hrrrestructtypingbase64rr. cryptographyrcryptography.exceptionsrcryptography.hazmat.backendsr)cryptography.hazmat.primitives.asymmetricrrr r &cryptography.hazmat.primitives.ciphersr r r ,cryptography.hazmat.primitives.serializationrrrrbcryptrr_bcrypt_supported ImportErrorrgrQboolrrr_ECDSA_NISTP256_ECDSA_NISTP384_ECDSA_NISTP521rcompilerr _SK_START_SK_ENDrrrrrDOTALLrrhrirangerAESCTRCBCr8r'StructrErKr*r2r5r7r@rGrLrNrTrXobjectrYr|rrr SECP256R1 SECP384R1 SECP521R1rrUnionrrrr_SSH_PRIVATE_KEY_TYPESOptionalrrrr rr_SSH_PUBLIC_KEY_TYPESr rrrrrs             0>>=:    N U+