U ʹh@sUddlmZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl mZddlmZddlmZddlmZmZmZmZmZddlmZdd lmZmZmZmZdd lm Z m!Z!m"Z"m#Z#m$Z$m%Z%zdd l&m'Z(d Z)Wn4e*k r"d Z)ddddddddddZ(YnXdZ+dZ,dZ-dZ.dZ/dZ0dZ1dZ2dZ3dZ4dZ5e6dZ7d Z8d!Z9d"Z:d#Z;d$Ze6e9d'e:ej?Z@eAeBeCd(d)ZDe Gd*d+d+ZEeEejFd,ejGd&d&dd d-eEejFd,ejHd&d&dd d-eEejFd,ejId&d.d&d d-d/ZJd0eKd1<e.e/e0d2ZLd3dd4d5d6ZMd7dd8d9d:ZNe9d;e:d;fdd?ZOdrri bytearrayrr^rrsizerrr"r"r# put_sshstrs z_FragList.put_sshstrcCs|t|dS)z*Big-endian bigint prefixed with u32 lengthN)rr}rr"r"r# put_mpintsz_FragList.put_mpintr!cCsttt|jS)zCurrent number of bytes)summapr^rrr"r"r#r sz_FragList.sizerri)dstbufposr!cCs2|jD]&}t|}|||}}||||<q|S)zWrite into bytearray)rr^)rrrfragZflenstartr"r"r#render$s  z_FragList.renderrcCs"tt|}|||S)zReturn as bytes)rirrrtobytes)rbufr"r"r#r,s z_FragList.tobytes)N)r)r2r3r4__doc__r5rrrrrrrrrr"r"r"r#r~s  r~c@sfeZdZdZdddddZddddd Zdd d d d dZddddddZddddddZdS) _SSHFormatRSAzhFormat for RSA keys. Public: mpint e, n Private: mpint n, e, d, iqmp, p, q riz"tuple[tuple[int, int], memoryview]r`cCs$t|\}}t|\}}||f|fS)zRSA public fieldsrx)rrVertr"r"r# get_public<s  z_SSHFormatRSA.get_publicz#tuple[rsa.RSAPublicKey, memoryview]cCs.||\\}}}t||}|}||fS)zMake RSA public key from data.)rr RSAPublicNumbersrA)rrVrrtpublic_numbersrAr"r"r# load_publicDs z_SSHFormatRSA.load_publicrz$tuple[rsa.RSAPrivateKey, memoryview]rVunsafe_skip_rsa_key_validationr!c Cst|\}}t|\}}t|\}}t|\}}t|\}}t|\} }||f|kr\tdt||} t|| } t||} t|| || | || } | j|d}||fS)zMake RSA private key from data.z Corrupt data: rsa field mismatchr)rxrLr rsa_crt_dmp1 rsa_crt_dmq1rRSAPrivateNumbers private_key)rrV pubfieldsrrtrdiqmppqdmp1dmq1rprivate_numbersrr"r"r# load_privateMs0          z_SSHFormatRSA.load_privatezrsa.RSAPublicKeyr~r]rAf_pubr!cCs$|}||j||jdS)zWrite RSA public keyN)rrrrt)rrArZpubnr"r"r# encode_publices z_SSHFormatRSA.encode_publiczrsa.RSAPrivateKeyrf_privr!cCsZ|}|j}||j||j||j||j||j||jdS)zWrite RSA private keyN) rrrrtrrrrr)rrrrrr"r"r#encode_privatems     z_SSHFormatRSA.encode_privateN r2r3r4rrrrrrr"r"r"r#r3s  rc@sveZdZdZdddddZddddd Zdd d d d dZddddddZddddddZdddddZ dS) _SSHFormatDSAzhFormat for DSA keys. Public: mpint p, q, g, y Private: mpint p, q, g, y, x riztuple[tuple, memoryview]r`cCs@t|\}}t|\}}t|\}}t|\}}||||f|fS)zDSA public fieldsr)rrVrrgyr"r"r#rs     z_SSHFormatDSA.get_publicz#tuple[dsa.DSAPublicKey, memoryview]c CsJ||\\}}}}}t|||}t||}|||}||fS)zMake DSA public key from data.)rr DSAParameterNumbersDSAPublicNumbers _validaterA) rrVrrrrparameter_numbersrrAr"r"r#rs   z_SSHFormatDSA.load_publicrz$tuple[dsa.DSAPrivateKey, memoryview]rc Csz||\\}}}}}t|\}}||||f|kr:tdt|||} t|| } || t|| } | } | |fS)zMake DSA private key from data.z Corrupt data: dsa field mismatch) rrxrLr rrrDSAPrivateNumbersr) rrVrrrrrrxrrrrr"r"r#rs    z_SSHFormatDSA.load_privatezdsa.DSAPublicKeyr~r]rcCsL|}|j}||||j||j||j||jdS)zWrite DSA public keyN)rrrrrrrr)rrArrrr"r"r#rs    z_SSHFormatDSA.encode_publiczdsa.DSAPrivateKeyrcCs$|||||jdS)zWrite DSA private keyN)rrArrr)rrrr"r"r#rsz_SSHFormatDSA.encode_privatezdsa.DSAPublicNumbers)rr!cCs |j}|jdkrtddS)Niz#SSH supports only 1024 bit DSA keys)rrrzrL)rrrr"r"r#rsz_SSHFormatDSA._validateN) r2r3r4rrrrrrrr"r"r"r#r}s  rc@sveZdZdZdddddZddd d d Zdd d d dZddddddZddddddZddddddZ dS)_SSHFormatECDSAzFormat for ECDSA keys. Public: str curve bytes point Private: str curve bytes point mpint secret rec.EllipticCurvessh_curve_namerQcCs||_||_dSrr)rrrQr"r"r#rsz_SSHFormatECDSA.__init__riz0tuple[tuple[memoryview, memoryview], memoryview]r`cCsJt|\}}t|\}}||jkr*td|ddkr>td||f|fS)zECDSA public fieldszCurve name mismatchrrjzNeed uncompressed point)rurrLNotImplementedError)rrVrQpointr"r"r#rs    z_SSHFormatECDSA.get_public,tuple[ec.EllipticCurvePublicKey, memoryview]cCs.||\\}}}tj|j|}||fSz Make ECDSA public key from data.)rr rBZfrom_encoded_pointrQr)rrV_rrAr"r"r#rs z_SSHFormatECDSA.load_publicrz-tuple[ec.EllipticCurvePrivateKey, memoryview]rcCsH||\\}}}t|\}}||f|kr2tdt||j}||fS)z!Make ECDSA private key from data.z"Corrupt data: ecdsa field mismatch)rrxrLr derive_private_keyrQ)rrVrrZ curve_namersecretrr"r"r#rs   z_SSHFormatECDSA.load_privaterOr~r]rcCs*|tjtj}||j||dS)zWrite ECDSA public keyN) public_bytesrX962rUncompressedPointrr)rrArrr"r"r#rs  z_SSHFormatECDSA.encode_publiczec.EllipticCurvePrivateKeyrcCs,|}|}|||||jdS)zWrite ECDSA private keyN)rArrr private_value)rrrrArr"r"r#rs z_SSHFormatECDSA.encode_privateN) r2r3r4rrrrrrrr"r"r"r#rs     rc@sfeZdZdZdddddZddddd Zdd d d d dZddddddZddddddZdS)_SSHFormatEd25519z~Format for Ed25519 keys. Public: bytes point Private: bytes point bytes secret_and_point riz$tuple[tuple[memoryview], memoryview]r`cCst|\}}|f|fS)zEd25519 public fields)ru)rrVrr"r"r#rs z_SSHFormatEd25519.get_public+tuple[ed25519.Ed25519PublicKey, memoryview]cCs(||\\}}tj|}||fSz"Make Ed25519 public key from data.)rr rJfrom_public_bytesr)rrVrrAr"r"r#rs z_SSHFormatEd25519.load_publicrz,tuple[ed25519.Ed25519PrivateKey, memoryview]rc Csb||\\}}t|\}}|dd}|dd}||ksF|f|krNtdtj|}||fS)z#Make Ed25519 private key from data.Nr6z$Corrupt data: ed25519 field mismatch)rrurLr rIfrom_private_bytes) rrVrrrZkeypairrZpoint2rr"r"r#r%s    z_SSHFormatEd25519.load_privatezed25519.Ed25519PublicKeyr~r]rcCs|tjtj}||dS)zWrite Ed25519 public keyN)rrRawrr)rrArraw_public_keyr"r"r#r3s z_SSHFormatEd25519.encode_publiczed25519.Ed25519PrivateKeyrcCsR|}|tjtjt}|tjtj}t||g}| ||| |dS)zWrite Ed25519 private keyN) rA private_bytesrrrrrrr~rr)rrrrAZraw_private_keyrZ f_keypairr"r"r#r<s  z _SSHFormatEd25519.encode_privateNrr"r"r"r#r s    rrcCs2t|\}}|ds*td|d||fS)z! U2F application strings sssh:z4U2F application string does not start with b'ssh:' ())rur startswithrL)rV applicationr"r"r#load_applicationMs   rc@s0eZdZdZdddddZddddd Zd S) _SSHFormatSKEd25519z The format of a sk-ssh-ed25519@openssh.com public key is: string "sk-ssh-ed25519@openssh.com" string public key string application (user-specified, but typically "ssh:") rirr`cCs&tt|\}}t|\}}||fSr)_lookup_kformatrKrrrrVrArr"r"r#rcs z_SSHFormatSKEd25519.load_publictyping.NoReturncCs tddS)Nz,sk-ssh-ed25519 private keys cannot be loadedrrrVr"r"r#rksz_SSHFormatSKEd25519.get_publicNr2r3r4rrrr"r"r"r#rZsrc@s0eZdZdZdddddZddddd Zd S) _SSHFormatSKECDSAz The format of a sk-ecdsa-sha2-nistp256@openssh.com public key is: string "sk-ecdsa-sha2-nistp256@openssh.com" string curve name ec_point Q string application (user-specified, but typically "ssh:") rirr`cCs&tt|\}}t|\}}||fSr)r_ECDSA_NISTP256rrrr"r"r#r}s z_SSHFormatSKECDSA.load_publicrcCs tddS)Nz4sk-ecdsa-sha2-nistp256 private keys cannot be loadedrrr"r"r#rsz_SSHFormatSKECDSA.get_publicNrr"r"r"r#rss rsnistp256snistp384snistp521rMcCs8t|tst|}|tkr&t|Std|dS)z"Return valid format or throw errorzUnsupported key type: N)r>rrir _KEY_FORMATSrrr"r"r#rs   rrz typing.AnySSHPrivateKeyTypes)rVrbackendrr!cCstd||dk r td|t|}|s6td|d}|d}t t |||}| t srtdt |t t d}t|\}}t|\}}t|\} }t|\} }| dkrtdt|\} }t| \} } t| } | | \}} t| |tks|tkr(|}|tkr0td||tkrHtd|t|j}t|j}t|\}}t|jrt|}t ||krtd nt|t||t| \}}t|\}}t|t||||}|}t ||}t|jrt |t!s t"t|#|n t|$n0|r6t%d t|\}}t|d }t||t|\}}t|\}}||krtd t|\}}|| krtd | j&|||d\}}t|\}}|t'dt |krtdt |t(j)rt*j+dtj,dd|S)z.Load private key from OpenSSH custom encoding.rVNrzNot OpenSSH private key formatr'zOnly one key supportedzUnsupported cipher: zUnsupported KDF: z+Corrupt data: invalid tag length for cipherz4Password was given but private key is not encrypted.rrzCorrupt data: broken checksumzCorrupt data: key type mismatchrzCorrupt data: invalid paddingDSSH DSA keys are deprecated and will be removed in a future release. stacklevel)-r_check_byteslike _check_bytes_PEM_RCsearchrLrendbinascii a2b_base64rir _SK_MAGICr^rurqrrrb_NONErr8r_BCRYPTr-r0r1rr_rh decryptorupdater>rAssertionErrorfinalize_with_tagfinalizerer_PADDINGr rFwarningswarnDeprecatedIn40)rVrrrmp1Zp2rdkdfnameZ kdfoptionsnkeysZpubdataZ pub_key_typekformatrZciphername_bytesblklenr0ZedatatagrZkbufrrfdecck1ck2rMrrr"r"r#load_ssh_private_keys                                r r)rrencryption_algorithmr!cCstd|t|tjr*tjdtjddt|}t |}t }|rt }t |j }t}t} t|trt|jdk rt|j} td} || || t||| | } nt}}d}d} d} td} d }t }|||||t | | g}||||||||td|||t }|t|||||||| |||||}|}tt ||}|!|||}| dk r| "#|||||dt$|d|S) z3Serialize private key with OpenSSH custom encoding.rISSH DSA key support is deprecated and will be removed in a future releaserjrNr&rrr'rY)%rrr>r rFrrrrNrr~_DEFAULT_CIPHERr8r-r_DEFAULT_ROUNDSr _kdf_roundsosurandomrrrhrrrArrrrrrirr encryptor update_intor\)rrrrMrZ f_kdfoptionsrdrrrrrfrZcheckvalcommentZ f_public_keyZ f_secretsZf_mainslenmlenrZofsr"r"r#_serialize_ssh_private_keysl                      rc@seZdZdZdZdS)SSHCertificateTyper'rN)r2r3r4USERZHOSTr"r"r"r#rwsrc@seZdZdddddddddddddddddddd Zedd d d Zd d ddZedd ddZedd ddZedd ddZ edd ddZ edd ddZ edd ddZ edd ddZ edd dd Zd d d!d"Zdd d#d$Zd%d d&d'Zd(S))SSHCertificateriSSHPublicKeyTypesr list[bytes]dict[bytes, bytes]r)_nonce _public_key_serial_cctype_key_id_valid_principals _valid_after _valid_before_critical_options _extensions _sig_type_sig_key_inner_sig_type _signature_tbs_cert_body_cert_key_type _cert_bodycCs||_||_||_zt||_Wntk r<tdYnX||_||_||_||_ | |_ | |_ | |_ | |_ | |_||_||_||_||_dS)NzInvalid certificate type)r!r"r#r_typerLr%r&r'r(r)r*r+r,r-r.r0r1r/)rr!r"r#r$r%r&r'r(r)r*r+r,r-r.r/r0r1r"r"r#r}s(zSSHCertificate.__init__rcCs t|jSr)rr!rr"r"r#nonceszSSHCertificate.nonceSSHCertPublicKeyTypescCstt|jSr)typingcastr4r"rr"r"r#rAszSSHCertificate.public_keycCs|jSr)r#rr"r"r#serialszSSHCertificate.serialrcCs|jSr)r2rr"r"r#typeszSSHCertificate.typecCs t|jSr)rr%rr"r"r#key_idszSSHCertificate.key_idcCs|jSr)r&rr"r"r#valid_principalsszSSHCertificate.valid_principalscCs|jSr)r(rr"r"r# valid_beforeszSSHCertificate.valid_beforecCs|jSr)r'rr"r"r# valid_afterszSSHCertificate.valid_aftercCs|jSr)r)rr"r"r#critical_optionsszSSHCertificate.critical_optionscCs|jSr)r*rr"r"r# extensionsszSSHCertificate.extensionscCs&t|j}||j\}}t||Sr)rr+rr,rb)rZ sigformat signature_keyZ sigkey_restr"r"r#r?s zSSHCertificate.signature_keycCs"t|jdtjt|jddS)N F)newline)rr0r b2a_base64r1rr"r"r#rs zSSHCertificate.public_bytesr]cCs|}t|tjr.|t|jt|jnt|tj rt |j\}}t |\}}t |t ||}t|j}||t|jt|nnt|tjst|jtkrt}n*|jtkrt}n|jtkstt}|t|jt|jt|dSr)r?r>r rJverifyrr.r/r rBrxrb asym_utilsencode_dss_signature_get_ec_hash_algrQECDSAr rDrr-rErSHA1_SSH_RSA_SHA256SHA256_SSH_RSA_SHA512SHA512r PKCS1v15)rr?rrVsZ computed_sighash_algr"r"r#verify_cert_signatures<         z$SSHCertificate.verify_cert_signatureN)r2r3r4rpropertyr3rAr7r8r9r:r;r<r=r>r?rrQr"r"r"r#r|s..)rrzhashes.HashAlgorithm)rQr!cCsDt|tjrtSt|tjr(tSt|tjs8tt SdSr) r>r SECP256R1rrJ SECP384R1SHA384 SECP521R1rrL)rQr"r"r#rFs   rFz"SSHCertificate | SSHPublicKeyTypesc"Cstd|t|}|s"td|d}}|d}d}|tr^d}|dtt }|t krr|srt dt |}zt t |}Wn"tt jfk rtdYnX|r|} t|\} }| |krtd |rt|\} }||\} }|rpt|\} }t|\}}t|\}}t|\}}g}|rPt|\}}|t|q,t|\}}t|\}}t|\}}t|}t|\}}t|}t|\}}t|\}}t|\}}|t kr|st d | dt| }t|\}}t|t|\}} |tkr|tttfks,|tkr4||kr4td t| \}!} t| t| | | |||||||||||!||| St|| SdS) NrVzInvalid line formatr'rFTz-DSA keys aren't supported in SSH certificateszInvalid formatzInvalid key formatz3DSA signatures aren't supported in SSH certificatesz!Signature key type does not match)rr_SSH_PUBKEY_RCmatchrLgroupendswith _CERT_SUFFIXr^rHrrrirrreErrorrurrsrqrr_parse_exts_optsrbrErIrKr)"rV_legacy_dsa_allowedrrMZ orig_key_typeZkey_bodyZ with_certrrestZ cert_bodyZinner_key_typer3rAr7Zcctyper9Z principalsr:Z principalr<r;Z crit_optionsr=extsr>rZ sig_key_rawZsig_typeZsig_keyZ tbs_cert_bodyZ signature_rawZinner_sig_typeZsig_rest signaturer"r"r#_load_ssh_public_identitys                      rbcCst|Sr)rbrar"r"r#load_ssh_public_identityfsrcr ) exts_optsr!cCsi}d}|rt|\}}t|}||kr0td|dk rH||krHtdt|\}}t|dkrt|\}}t|dkrtdt|||<|}q|S)NzDuplicate namezFields not lexically sortedrz!Unexpected extra data after value)rurrLr^)rdresult last_namerRZbnamevalueextrar"r"r#r]ls"      r]rzhashes.MD5 | hashes.SHA256)r<hash_algorithmr!cCsjt|tjtjfstdt|}t|}t}||| ||| }t |}| || S)Nz+hash_algorithm must be either MD5 or SHA256)r>rMD5rJrerNrr~rrrHashrr)r<rirMrrZssh_binary_dataZhash_objr"r"r#ssh_key_fingerprints    rl)rVrr!cCsFt|dd}t|tr |}n|}t|tjrBtjdtj dd|S)NT)r^rrr) rbr>rrAr rGrrrr)rVrZ cert_or_keyrAr"r"r#load_ssh_public_keys    rmcCslt|tjrtjdtjddt|}t|}t }| || ||t |}d|d|gS)z&One-line public key format for OpenSSHrrjrrYr@)r>r rGrrrrrNrr~rrrrBrstriprZ)rArMrrZpubr"r"r#serialize_ssh_public_keys   roc @seZdZddddgdddggf ddddddddd d d d d Zd ddddZdddddZdddddZdddddZdddddZd d!Z d"dd#d$d%Z d"dd&d'd(Z dddd)d*d+Z dddd)d,d-Z d.d/d0d1d2ZdS)3SSHCertificateBuilderNFzSSHCertPublicKeyTypes | Noner/zSSHCertificateType | Nonercrrzlist[tuple[bytes, bytes]] r"r#r2r%r&_valid_for_all_principalsr(r'r)r*c Cs@||_||_||_||_||_||_||_||_| |_| |_ dSrrr) rr"r#r2r%r&rsr(r'r)r*r"r"r#rs zSSHCertificateBuilder.__init__r4rPc Cs^t|tjtjtjfstd|jdk r0t dt ||j |j |j |j|j|j|j|j|jd S)Nr=zpublic_key already setrr)r>r rBr rDr rJrer"rLrqr#r2r%r&rsr(r'r)r*)rrAr"r"r#rAs, z SSHCertificateBuilder.public_keyr)r7r!c Cspt|tstdd|kr&dks0ntd|jdk rBtdt|j||j|j|j |j |j |j |j |jd S)Nzserial must be an integerrz"serial must be between 0 and 2**64zserial already setrr)r>rrerLr#rqr"r2r%r&rsr(r'r)r*)rr7r"r"r#r7s$  zSSHCertificateBuilder.serialr)r8r!c CsRt|tstd|jdk r$tdt|j|j||j|j |j |j |j |j |jd S)Nz"type must be an SSHCertificateTypeztype already setrr)r>rrer2rLrqr"r#r%r&rsr(r'r)r*)rr8r"r"r#r8s   zSSHCertificateBuilder.typer)r9r!c CsRt|tstd|jdk r$tdt|j|j|j||j |j |j |j |j |jd S)Nzkey_id must be byteszkey_id already setrr)r>rrer%rLrqr"r#r2r&rsr(r'r)r*)rr9r"r"r#r9's   zSSHCertificateBuilder.key_id)r:r!c Cs||jrtdtdd|Dr$|s,td|jr:tdt|tkrNtdt|j|j |j |j ||j|j |j |j|jd S)NzDPrincipals can't be set because the cert is valid for all principalscss|]}t|tVqdSr)r>r).0rr"r"r# Csz9SSHCertificateBuilder.valid_principals..z5principals must be a list of bytes and can't be emptyzvalid_principals already setz:Reached or exceeded the maximum number of valid_principalsrr)rsrLallrer&r^_SSHKEY_CERT_MAX_PRINCIPALSrqr"r#r2r%r(r'r)r*)rr:r"r"r#r::s: z&SSHCertificateBuilder.valid_principalsc CsJ|jrtd|jrtdt|j|j|j|j|jd|j|j |j |j d S)Nz@valid_principals already set, can't set valid_for_all_principalsz$valid_for_all_principals already setTrr) r&rLrsrqr"r#r2r%r(r'r)r*rr"r"r#valid_for_all_principals^s$z.SSHCertificateBuilder.valid_for_all_principalsz int | float)r;r!c Csvt|ttfstdt|}|dks.|dkr6td|jdk rHtdt|j|j|j |j |j |j ||j |j|jd S)Nz$valid_before must be an int or floatrrtzvalid_before must [0, 2**64)zvalid_before already setrr)r>rfloatrerLr(rqr"r#r2r%r&rsr'r)r*)rr;r"r"r#r;ts& z"SSHCertificateBuilder.valid_before)r<r!c Csvt|ttfstdt|}|dks.|dkr6td|jdk rHtdt|j|j|j |j |j |j |j ||j|jd S)Nz#valid_after must be an int or floatrrtzvalid_after must [0, 2**64)zvalid_after already setrr)r>rrzrerLr'rqr"r#r2r%r&rsr(r)r*)rr<r"r"r#r<s& z!SSHCertificateBuilder.valid_after)rRrgr!c Csrt|trt|tstd|dd|jDkr8tdt|j|j|j|j |j |j |j |j |j||ff|jd S)Nname and value must be bytescSsg|] \}}|qSr"r"rurRrr"r"r# sz=SSHCertificateBuilder.add_critical_option..zDuplicate critical option namerr)r>rrer)rLrqr"r#r2r%r&rsr(r'r*rrRrgr"r"r#add_critical_options z)SSHCertificateBuilder.add_critical_optionc Csrt|trt|tstd|dd|jDkr8tdt|j|j|j|j |j |j |j |j |j|j||ffd S)Nr{cSsg|] \}}|qSr"r"r|r"r"r#r}sz7SSHCertificateBuilder.add_extension..zDuplicate extension namerr)r>rrer*rLrqr"r#r2r%r&rsr(r'r)r~r"r"r# add_extensions z#SSHCertificateBuilder.add_extensionSSHCertPrivateKeyTypesr)rr!c Cst|tjtjtjfstd|jdkr0t d|j dkr>dn|j }|j dkrVt d|j dkrddn|j }|j s~|js~t d|jdkrt d|jdkrt d|j|jkrt d |jjd d d |jjd d d t|j}|t}td}t|}t}||||||j|||||j j||t} |j D]} | | qT|| ||j||jt} |jD]L\} } | | t | dkrt}|| | |n | | q|| t}|jD]L\} } || t | dkr@t}|| ||n || q|||dt|}t|}t}||||!|||t|tjr|"|}t}||||||nt|tjrnt#|j$}|"|t%|}t&'|\}}t}||t}|(||(|||||nTt|tjst)t}|t*|"|t+,t-.}||||t/0|1}t23t4t5d6|d|gS)NzUnsupported private key typezpublic_key must be setrztype must be setrYzAvalid_principals must be set if valid_for_all_principals is Falsezvalid_before must be setzvalid_after must be setz-valid_after must be earlier than valid_beforecSs|dSNrr"rr"r"r#rYz,SSHCertificateBuilder.sign..)r<cSs|dSrr"rr"r"r#rrYr6r@)7r>r r?r rCr rIrer"rLr#r2r%r&rsr(r'r)sortr*rNr[rrrr~rrrrrgrr^rAsignrFrQrGrDdecode_dss_signaturerrrKr rMrrLrrBrnr5r6rrcrZ)rrr7r9rMZ cert_prefixr3rfZ fprincipalsrZfcritrRrgZfoptvalZfextZfextvalZca_typeZcaformatZcafraZfsigrPrNrOZfsigblobZ cert_datar"r"r#rs                             zSSHCertificateBuilder.sign)r2r3r4rrAr7r8r9r:ryr;r<rrrr"r"r"r#rqs,"$rq)F)N)F)N) __future__rrenumrrer5rbase64rr[ dataclassesr cryptographyrcryptography.exceptionsrcryptography.hazmat.primitivesr)cryptography.hazmat.primitives.asymmetricr r r r r rD&cryptography.hazmat.primitives.ciphersrrrr,cryptography.hazmat.primitives.serializationrrrrrrbcryptrr$Z_bcrypt_supported ImportErrorrKrErHrZ_ECDSA_NISTP384Z_ECDSA_NISTP521r[Z_SK_SSH_ED25519Z_SK_SSH_ECDSA_NISTP256rIrKcompilerWrZ _SK_STARTZ_SK_ENDrrrrDOTALLrrirrangerr)AESZCTRCBCGCMr8r5rSrNr@r\r_rbrhrqrsrurxr}r~rrrrrrrrSrTrVrrUnionr?rCrFrIrr rrBrDrGrJrr4EnumrrrFrbrcr]rlrmrorrxrqr"r"r"r#sD                 6JFGC       rM _