a  `T@sddlmZmZmZddlZddlZddlZddlZddlZddl m Z ddl m Z ddl mZddlmZmZmZmZddlmZmZmZddlmZmZmZmZzdd lmZd Z Wne!yd Z d d ZYn0zddl"m#Z$Wn e!yddl"m%Z$Yn0dZ&dZ'dZ(dZ)dZ*dZ+dZ,e-dZ.dZ/dZ0dZ1dZ2dZ3dZ4dZ5dZ6e-e0d e1ej7Z8e9e:e;d!d"Zdfej=d#ej?dfd$Z@e)e*e+d%ZAeBd&ZCeBd'ZDd(d)ZEe0d*e1d*fd+d,ZFd-d.ZGd/d0ZHd1d2ZId3d4ZJd5d6ZKd7d8ZLd9d:ZMd;d<ZNGd=d>d>eOZPGd?d@d@eOZQGdAdBdBeOZRGdCdDdDeOZSGdEdFdFeOZTe'eQe(eRe&eTe)eSdGeUe*eSdHeVe+eSdIeWiZXdJdKZYdTdLdMZZdUdNdOZ[dVdPdQZ\dRdSZ]dS)W)absolute_importdivisionprint_functionN)utilsUnsupportedAlgorithm) _get_backend)dsaeced25519rsa)Cipher algorithmsmodes)Encoding NoEncryption PrivateFormat PublicFormat)kdfTFcOs tddS)NzNeed bcrypt moduler)argskwargsrR/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/serialization/ssh.py _bcrypt_kdf!sr) encodebytes) encodestrings ssh-ed25519sssh-rsasssh-dsssecdsa-sha2-nistp256secdsa-sha2-nistp384secdsa-sha2-nistp521s-cert-v01@openssh.coms\A(\S+)[ \t]+(\S+)sopenssh-key-v1s#-----BEGIN OPENSSH PRIVATE KEY-----s!-----END OPENSSH PRIVATE KEY-----sbcryptsnone aes256-ctrHs(.*?) )rs aes256-cbc)Z secp256r1Z secp384r1Z secp521r1s>Is>QcCs(|j}|jtvrtd|jt|jS)z3Return SSH key_type and curve_name for private key.z)Unsupported curve for ssh private key: %r)curvename_ECDSA_KEY_TYPE ValueError) public_keyr"rrr_ecdsa_key_typeSs  r' cCsd|t||gS)N)join_base64_encode)dataprefixsuffixrrr_ssh_pem_encode]sr/cCs |rt||dkrtddS)zRequire data to be full blocksrzCorrupt data: missing paddingN)lenr%)r,Z block_lenrrr_check_block_sizeasr1cCs|r tddS)z!All data should have been parsed.zCorrupt data: unparsed dataN)r%r,rrr _check_emptygsr3c CsT|s tdt|\}}}}t|||||d} t|| d||| |d|S)z$Generate key + iv and return cipher.zKey is password-protected.TN)r% _SSH_CIPHERSrr ) ciphernamepasswordsaltroundsbackendZalgoZkey_lenmodeZiv_lenZseedrrr _init_cipherms r;cCs6t|dkrtdt|ddd|ddfS)ZUint32 Invalid dataNr)r0r%_U32unpackr2rrr_get_u32ws r@cCs6t|dkrtdt|ddd|ddfS)ZUint64r=Nr)r0r%_U64r?r2rrr_get_u64~s rCcCs8t|\}}|t|kr td|d|||dfS)zBytes with u32 length prefixr=N)r@r0r%)r,nrrr _get_sshstrs  rEcCs8t|\}}|r(t|ddkr(tdt|d|fS)z Big integer.rr=Zbig)rEsix indexbytesr%rZint_from_bytes)r,valrrr _get_mpints rJcCs4|dkrtd|sdS|dd}t||S)z!Storage format for signed bigint.rznegative mpint not allowedr)rA)r% bit_lengthrZ int_to_bytes)rInbytesrrr _to_mpints rMc@sTeZdZdZdddZddZddZd d Zd d Zd dZ dddZ ddZ dS) _FragListz,Build recursive structure without data copy.NcCsg|_|r|j|dSN)flistextend)selfZinitrrr__init__sz_FragList.__init__cCs|j|dS)zAdd plain bytesN)rPappendrRrIrrrput_rawsz_FragList.put_rawcCs|jt|dS)zBig-endian uint32N)rPrTr>ZpackrUrrrput_u32sz_FragList.put_u32cCsLt|tttfr,|t||j|n|||j |jdS)zBytes prefixed with u32 lengthN) isinstancebytes memoryview bytearrayrWr0rPrTsizerQrUrrr put_sshstrs z_FragList.put_sshstrcCs|t|dS)z*Big-endian bigint prefixed with u32 lengthN)r]rMrUrrr put_mpintsz_FragList.put_mpintcCsttt|jS)zCurrent number of bytes)summapr0rP)rRrrrr\sz_FragList.sizercCs2|jD]&}t|}|||}}||||<q|S)zWrite into bytearray)rPr0)rRZdstbufposZfragZflenstartrrrrenders  z_FragList.rendercCs"tt|}|||S)zReturn as bytes)rZr[r\rctobytes)rRbufrrrrds z_FragList.tobytes)N)r) __name__ __module__ __qualname____doc__rSrVrWr]r^r\rcrdrrrrrNs   rNc@s8eZdZdZddZddZddZdd Zd d Zd S) _SSHFormatRSAzhFormat for RSA keys. Public: mpint e, n Private: mpint n, e, d, iqmp, p, q cCs$t|\}}t|\}}||f|fS)zRSA public fieldsrJ)rRr,erDrrr get_publics  z_SSHFormatRSA.get_publiccCs0||\\}}}t||}||}||fS)zMake RSA public key from data.)rmr RSAPublicNumbersr&)rRkey_typer,r9rlrDpublic_numbersr&rrr load_publics  z_SSHFormatRSA.load_publicc Cst|\}}t|\}}t|\}}t|\}}t|\}}t|\} }||f|kr\tdt||} t|| } t||} t|| || | || } | |}||fS)zMake RSA private key from data.z Corrupt data: rsa field mismatch)rJr%r Z rsa_crt_dmp1Z rsa_crt_dmq1rnZRSAPrivateNumbers private_key)rRr, pubfieldsr9rDrldiqmppqZdmp1Zdmq1rpprivate_numbersrrrrr load_privates            z_SSHFormatRSA.load_privatecCs$|}||j||jdS)zWrite RSA public keyN)rpr^rlrD)rRr&f_pubZpubnrrr encode_publics z_SSHFormatRSA.encode_publiccCsZ|}|j}||j||j||j||j||j||jdS)zWrite RSA private keyN) rxrpr^rDrlrtrurvrw)rRrrf_privrxrprrrencode_privates     z_SSHFormatRSA.encode_privateN rfrgrhrirmrqryr{r}rrrrrjs rjc@s@eZdZdZddZddZddZdd Zd d Zd d Z dS) _SSHFormatDSAzhFormat for DSA keys. Public: mpint p, q, g, y Private: mpint p, q, g, y, x cCs@t|\}}t|\}}t|\}}t|\}}||||f|fS)zDSA public fieldsrk)rRr,rvrwgyrrrrms     z_SSHFormatDSA.get_publicc CsL||\\}}}}}t|||}t||} || | |} | |fS)zMake DSA public key from data.)rmr DSAParameterNumbersDSAPublicNumbers _validater&) rRror,r9rvrwrrparameter_numbersrpr&rrrrqs    z_SSHFormatDSA.load_publicc Cs|||\\}}}}}t|\}}||||f|kr:tdt|||} t|| } || t|| } | |} | |fS)zMake DSA private key from data.z Corrupt data: dsa field mismatch) rmrJr%r rrrZDSAPrivateNumbersrr) rRr,rsr9rvrwrrxrrprxrrrrrry's     z_SSHFormatDSA.load_privatecCsL|}|j}||||j||j||j||jdS)zWrite DSA public keyN)rprrr^rvrwrr)rRr&rzrprrrrr{5s    z_SSHFormatDSA.encode_publiccCs$|||||jdS)zWrite DSA private keyN)r{r&r^rxr)rRrrr|rrrr}@sz_SSHFormatDSA.encode_privatecCs |j}|jdkrtddS)Niz#SSH supports only 1024 bit DSA keys)rrvrKr%)rRrprrrrrEsz_SSHFormatDSA._validateN) rfrgrhrirmrqryr{r}rrrrrr s  rc@s@eZdZdZddZddZddZdd Zd d Zd d Z dS)_SSHFormatECDSAzFormat for ECDSA keys. Public: str curve bytes point Private: str curve bytes point mpint secret cCs||_||_dSrO)ssh_curve_namer")rRrr"rrrrSWsz_SSHFormatECDSA.__init__cCsNt|\}}t|\}}||jkr*tdt|ddkrBtd||f|fS)zECDSA public fieldszCurve name mismatchrr<zNeed uncompressed point)rErr%rGrHNotImplementedError)rRr,r"pointrrrrm[s   z_SSHFormatECDSA.get_publiccCs.||\\}}}tj|j|}||fS)z Make ECDSA public key from data.)rmr EllipticCurvePublicKeyZfrom_encoded_pointr"rd)rRror,r9 curve_namerr&rrrrqes  z_SSHFormatECDSA.load_publiccCsJ||\\}}}t|\}}||f|kr2tdt||j|}||fS)z!Make ECDSA private key from data.z"Corrupt data: ecdsa field mismatch)rmrJr%r Zderive_private_keyr")rRr,rsr9rrsecretrrrrrryms   z_SSHFormatECDSA.load_privatecCs*|tjtj}||j||dS)zWrite ECDSA public keyN) public_bytesrZX962rZUncompressedPointr]r)rRr&rzrrrrr{ws  z_SSHFormatECDSA.encode_publiccCs,|}|}|||||jdS)zWrite ECDSA private keyN)r&rxr{r^Z private_value)rRrrr|r&rxrrrr}s z_SSHFormatECDSA.encode_privateN) rfrgrhrirSrmrqryr{r}rrrrrKs   rc@s8eZdZdZddZddZddZdd Zd d Zd S) _SSHFormatEd25519z~Format for Ed25519 keys. Public: bytes point Private: bytes point bytes secret_and_point cCst|\}}|f|fS)zEd25519 public fields)rE)rRr,rrrrrms z_SSHFormatEd25519.get_publiccCs(||\\}}tj|}||fS)z"Make Ed25519 public key from data.)rmr Ed25519PublicKeyZfrom_public_bytesrd)rRror,r9rr&rrrrqs z_SSHFormatEd25519.load_publicc Csb||\\}}t|\}}|dd}|dd}||ksF|f|krNtdtj|}||fS)z#Make Ed25519 private key from data.Nr!z$Corrupt data: ed25519 field mismatch)rmrEr%r Ed25519PrivateKeyZfrom_private_bytes) rRr,rsr9rZkeypairrZpoint2rrrrrrys    z_SSHFormatEd25519.load_privatecCs|tjtj}||dS)zWrite Ed25519 public keyN)rrRawrr])rRr&rzraw_public_keyrrrr{sz_SSHFormatEd25519.encode_publiccCsR|}|tjtjt}|tjtj}t||g}| ||| |dS)zWrite Ed25519 private keyN) r&Z private_bytesrrrrrrrNr{r])rRrrr|r&Zraw_private_keyrZ f_keypairrrrr}s   z _SSHFormatEd25519.encode_privateNr~rrrrrs   rsnistp256snistp384snistp521cCs6t|tst|}|tvr&t|Std|dS)z"Return valid format or throw errorzUnsupported key type: %rN)rXrYrZrd _KEY_FORMATSr)rorrr_lookup_kformats   rcCsRtd|t|}|dur(td|t|}|s>td|d}|d}t t |||}| t sztdt |tt d}t|\}}t|\}}t|\}}t|\} }| dkrtdt|\} }t| \} } t| } | | \} } t| t|\}}t|||fttfkr|}|tvrHtd||tkr^td|t|d }t||t|\}}t|\}}t|t|||||}t ||}nd }t||t|\}}t|\}}||krtd t|\}}|| krtd | || |\}}t|\}}|tdt|krNtd |S)z.Load private key from OpenSSH custom encoding.r,Nr6zNot OpenSSH private key formatrzOnly one key supportedzUnsupported cipher: %rzUnsupported KDF: %rrAzCorrupt data: broken checksumzCorrupt data: key type mismatchzCorrupt data: invalid padding)r_check_bytesliker _check_bytes_PEM_RCsearchr%rbendbinascii a2b_base64rZ startswith _SK_MAGICr0rEr@rrmr3_NONErdr4r_BCRYPTr1r;Z decryptorupdatery_PADDING)r,r6r9mZp1Zp2r5kdfnameZ kdfoptionsnkeysZpubdataZ pub_key_typekformatrsZedatablklenr7Zkbufr8ciphZck1Zck2rorrcommentrrrload_ssh_private_keysn                            rcCs>|durtd||r,t|tkr,tdt|tjrFt| }n>t|t j rXt }n,t|t jrjt}nt|tjr|t}ntdt|}t}|rt}t|d}t}t}td} || ||td} t||| || } nt}}d}d} d} td } d }t}||| | |t| | g}|||!|||||"t#d||$|t}|"t%|||||||| |||||$}|$}t&t'||}|(|||}| dur| )*|||||dt+|d|}t'||||<|S) z3Serialize private key with OpenSSH custom encoding.Nr6zNPasswords longer than 72 bytes are not supported by OpenSSH private key formatUnsupported key typerrrArr<r)),rrr0 _MAX_PASSWORDr%rXr ZEllipticCurvePrivateKeyr'r&r Z RSAPrivateKey_SSH_RSAr Z DSAPrivateKey_SSH_DSAr r _SSH_ED25519rrN_DEFAULT_CIPHERr4r_DEFAULT_ROUNDSosurandomr]rWrr;rr{r}rVrr\rrZr[rcZ encryptorZ update_intor/)rrr6rorZ f_kdfoptionsr5rrr8r7r9rrZcheckvalrZ f_public_keyZ f_secretsZf_mainZslenZmlenreZofsZtxtrrrserialize_ssh_private_keysv                         rc Cst|}td|t|}|s*td|d}}|d}d}t|tt dkrrd}|dtt }t |}zt t |}Wn t t jfytdYn0t|\}}||krtd|rt|\} }||||\} }|rvt|\} }t|\} }t|\} }t|\}}t|\}}t|\}}t|\}}t|\}}t|\}}t|\}}t|\}}t|| S) z-Load public key from OpenSSH one-line format.r,zInvalid line formatrFNTzInvalid key format)rrr_SSH_PUBKEY_RCmatchr%group _CERT_SUFFIXr0rrZrr TypeErrorErrorrErqrCr@r3)r,r9rroZ orig_key_typeZkey_bodyZ with_certrZinner_key_typeZnoncer&serialZcctypeZkey_idZ principalsZ valid_afterZ valid_beforeZ crit_options extensionsZreservedZsig_keyZ signaturerrrload_ssh_public_keymsH                rcCst|tjrt|}n>t|tjr(t}n,t|tjr:t }nt|t j rLt }nt dt|}t}|||||t|}d|d|gS)z&One-line public key format for OpenSSHrr) )rXr rr'r Z RSAPublicKeyrr Z DSAPublicKeyrr rrr%rrNr]r{rZ b2a_base64rdstripr*)r&rorrzZpubrrrserialize_ssh_public_keys       r)N)N)N)^Z __future__rrrrrreZstructrGZ cryptographyrZcryptography.exceptionsrZcryptography.hazmat.backendsrZ)cryptography.hazmat.primitives.asymmetricr r r r Z&cryptography.hazmat.primitives.ciphersr rrZ,cryptography.hazmat.primitives.serializationrrrrZbcryptrrZ_bcrypt_supported ImportErrorbase64rr+rrrrZ_ECDSA_NISTP256Z_ECDSA_NISTP384Z_ECDSA_NISTP521rcompilerrZ _SK_STARTZ_SK_ENDrrrrrDOTALLrrZr[rangerZAESZCTRZCBCr4r$ZStructr>rBr'r/r1r3r;r@rCrErJrMobjectrNrjrrrZ SECP256R1Z SECP384R1Z SECP521R1rrrrrrrrrrs           0>>=:  J O +