o vh @sddlZddlZddlZddlZddlZddlZddlmZddlm Z m Z ddl m Z m Z mZmZmZmZddlmZmZmZmZddlmZddlmZmZddlmZmZmZdd l m!Z!m"Z"m#Z#dd l$m%Z%m&Z&m'Z'dd l$m(Z)dd l*m+Z+m,Z,m-Z-m.Z.dd l/m0Z0m1Z1ddl2m3Z3m4Z4ddl5m6Z6m7Z7ddl8m9Z9ddl:m;Z;ddlm?Z?m@Z@ddlAmBZBmCZCmDZDmEZEmFZFddlGmHZHmIZImJZJmKZKmLZLmMZMmNZNmOZOmPZPddlQmRZRmSZSddlTmUZUmVZVmWZWddlXmYZYeZe[Z\eddGdddZ]Gdd d eJej^Z_Gd!d"d"e_eUZ`Gd#d$d$e_eVZaGd%d&d&e_eWZb e?cd'Zd e?cd(Ze dtd)d*Zfdtd+d,Zgdtd-d.ZhejiGd/d0d0ejjZk dud1eld2eYfd3d4Zmd5ed6ejnd7elfd8d9Zod5ed6ejnd7elfd:d;Zpd6ejndd?Zqd5ed@ee!jreeffdAdBZsd5ed6ejtd7elfdCdDZud6ejtdEeds z2PubKeyCryptFilter.as_pdf_object.. /Recipientsr/EncryptMetadata) rU as_pdf_objectr* NumberObjectr} ArrayObjectrOrP BooleanObjectrQ)rWresultrOrYrJrKrs    zPubKeyCryptFilter.as_pdf_object)rErFrG__doc__rNrrIrVpropertyrHr_rcr@allow_everythingrr CertificaterBrpr2rwbytesrr __classcell__rJrJrYrKrL\s*    +rLc@eZdZdZdS)PubKeyAESCryptFilterz< AES crypt filter for public key security handlers. NrErFrGrrJrJrJrKrrc@r)PubKeyAESGCMCryptFilterz@ AES-GCM crypt filter for public key security handlers. NrrJrJrJrKrrrc@r)PubKeyRC4CryptFilterz< RC4 crypt filter for public key security handlers. NrrJrJrJrKrrrz/DefaultCryptFilterz/DefEmbeddedFilecCttt|d||dittdSNT)r}rPrOrQdefault_stream_filterdefault_string_filter)r6DEFAULT_CRYPT_FILTERrr}rOrQrJrJrK_pubkey_rc4_configrcCrr)r6rrrrJrJrK_pubkey_aes_config'rrcCstttd||dittdS)NT)rPrOrQr)r6rrrOrQrJrJrK_pubkey_gcm_config6src@s.eZdZdZedZedZedZdS)PubKeyAdbeSubFilterz{ Enum describing the different subfilters that can be used for public key encryption in the PDF specification. z/adbe.pkcs7.s3z/adbe.pkcs7.s4z/adbe.pkcs7.s5N) rErFrGrr* NameObjectS3S4S5rJrJrJrKrDs   rrvrgcCs&t|dksJ||r|SdS)Nrh)lenas_bytes)rvrgrirJrJrKconstruct_envelope_contentPsr pub_key_inforid envelope_keycCsRt}tdtdi}t|}t|tsJ|j ||d}t |||dS)N algorithmrsaes_pkcs1v15paddingralgoencrypted_data) rr rrrload_der_public_keyr{rar!encrypt _format_ktri)rrrrrpub_keyrrJrJrK_rsaes_pkcs1v15_recipientWs rc Csddlm}ddlm}||}||}ttdtd|idd|iddd}tt ||dd }t | } t | tsBJ| j||d } t||| d S) Nrget_pyca_cryptography_hash)select_suitable_signing_md rsaes_oaeprmgf1r parameters)hash_algorithmmask_gen_algorithmmgfrlabelrr)pyhanko.sign.generalrpyhanko.sign.signers.pdf_cmsrr rrrrrrrr{rar!rr) rrrrrdigest_function_name digest_specrrrrrJrJrK_rsaes_oaep_recipienths(  rrrc Cstdtd|||diS)Nktrir)rxrkey_encryption_algorithm encrypted_key)r RecipientInfoKeyTransRecipientInforrJrJrKrsrr[cCs~|j}|dkr |jd}n |dkrd}nd}|dkr%ttdtdfS|dkr4ttd td fSttd td fS) Necr)x25519 aes128_wrapz1.3.132.1.11.1 aes192_wrapz1.3.132.1.11.2 aes256_wrapz1.3.132.1.11.3)rbit_sizerSHA256rSHA384SHA512)r algo_nameapprox_sec_levelrJrJrK_choose_ecdh_settingss( rcCst|\}}}td|i}t|}t|tr&t|j}| t |} n t|t r5t }| |} nt|trDt }| |} ntt|tjjtjj} td} t||| d} | | } tj| |d}t|| t ||d| |dS)Nr kdf_digest key_wrap_algouser_keying_material) wrapping_key key_to_wraprroriginator_keyrukmr)!rrrrr{rargenerate_ec_private_keycurveexchangerr%r$generater#r"NotImplementedErrorrload public_key public_bytesEncodingDER PublicFormatSubjectPublicKeyInforkrl_kdf_for_exchangederiver aes_key_wrap _format_karir )rrrrkey_wrap_algo_idkey_exch_algo_idrrr ecdh_valueoriginator_key_inforkdfkekrrJrJrK_ecdh_recipientsT         rrrc Cs8tjdtdtjd|d||t||dgddS)Nkarir)namevalue)rr)rx originatorrrrecipient_encrypted_keys)r rKeyAgreeRecipientInfoOriginatorIdentifierOrKeyRecipientEncryptedKeyrrJrJrKrs rcertrfc Cs|j}|d}|dj}t|dksJ|js.|j}|dus#d|jvr.td|jjdt |j |j d}|dkrRt d|i}|jrLt|||St|||S|d vrct d|i} t|| |Std |d ) Nr key_enciphermentzCertificate for subject z8 does not have the 'key_encipherment' key usage bit set.)issuer serial_numberrsaissuer_and_serial_number)rrx448zCannot encrypt for key type '')rnativerrCkey_usage_valuer+ PdfWriteErrorsubjecthuman_friendlyr IssuerAndSerialNumberrrRecipientIdentifierrDrrKeyAgreementRecipientIdentifierrr) rrrfrpubkey_algo_infoalgorithm_name key_usageiss_serial_ridrka_ridrJrJrK_recipient_infos8      r$ certificatesc st|||d}tdt|dd\}}fdd|D}ttd|d} tt d| |d } t d || d } t t d | d S)N)rir)ivcsg|] }t|dqS))rf)r$)rrrrfrJrK ^s z+construct_recipient_cms.. aes256_cbcrdata) content_typecontent_encryption_algorithmencrypted_contentr)rxrecipient_infosencrypted_content_infoenveloped_data)r+content) rrkrlr.r EncryptionAlgorithmr EncryptionAlgorithmIdEncryptedContentInfo ContentType EnvelopedData ContentInfo) r%rvrgrfrienvelope_contentr&encrypted_envelope_content rec_infosrr/r0rJr'rKrm=s@    rmc@s eZdZdS)InappropriateCredentialErrorN)rErFrGrJrJrJrKr;sr;c @s^eZdZdZedejfddZdede j defddZ dede j d e j d edef d d Z d S)EnvelopeKeyDecrypterz General credential class for use with public key security handlers. This allows the key decryption process to happen offline, e.g. on a smart card. r[cCt)zI :return: Return the recipient's certificate rr^rJrJrKrszEnvelopeKeyDecrypter.certr algo_paramscCr=)a Invoke the actual key decryption algorithm. Used with key transport. :param encrypted_key: Payload to decrypt. :param algo_params: Specification of the encryption algorithm as a CMS object. :raises InappropriateCredentialError: if the credential cannot be used for key transport. :return: The decrypted payload. r>)rWrr?rJrJrKdecryptszEnvelopeKeyDecrypter.decryptoriginator_identifierrcCr=)a" Decrypt an envelope key using a key derived from a key exchange. :param encrypted_key: Payload to decrypt. :param algo_params: Specification of the encryption algorithm as a CMS object. :param originator_identifier: Information about the originator necessary to complete the key exchange. :param user_keying_material: The user keying material that will be used in the key derivation. :return: The decrypted payload. r>)rWrr?rArrJrJrKdecrypt_with_exchangesz*EnvelopeKeyDecrypter.decrypt_with_exchangeN)rErFrGrrrrrrr rr@r rBrJrJrJrKr<s, r<c@seZdZdefdejfgZdS)_PrivKeyAndCertkeyrN)rErFrGrrr_fieldsrJrJrJrKrCsrCc@s4eZdZdefdejdddfdejddifgZd S) ECCCMSSharedInfokey_info entityUInforT)explicitoptional suppPubInforIr)N)rErFrGrr OctetStringrErJrJrJrKrFsrFzaes(\d+)_wrap(_pad)?rrrc Cs^|dj}t|}|st|dt|d}t||dt||t d|d dS)Nr* is not a supported key wrapping algorithmr,rz>I)rGrHrK)rlength sharedinfo) rAES_WRAP_PATTERN fullmatchrintgroupr'rFstructpackr{)rrrr wrap_match kek_bit_lenrJrJrKrs$   rc @seZdZdZedZedefddZ de fddZ ede fd d Z d e jd efd dZede jfddZedddZedddZde dejde fddZde dejdejdee de f ddZdS)SimpleEnvelopeKeyDecrypterz Implementation of :class:`.EnvelopeKeyDecrypter` where the private key is an RSA or ECC key residing in memory. :param cert: The recipient's certificate. :param private_key: The recipient's private key. z1\.3\.132\.1\.11\.(\d+)r[cCsdS)N raw_privkeyrJclsrJrJrKget_namesz#SimpleEnvelopeKeyDecrypter.get_namecCs|j|jd}t|S)N)rDr) private_keyrrCr{)rWvaluesrJrJrK _ser_values z%SimpleEnvelopeKeyDecrypter._ser_valuer*c CsPzt|}|d}|d}Wnty!}ztd|d}~wwt||dS)NrDrz-Failed to decode serialised pubkey credentialrr])rCr ValueErrorr+ PdfReadErrorrX)r[r*decodedrDrerJrJrK _deser_values   z'SimpleEnvelopeKeyDecrypter._deser_valuerr]cCs||_||_dSr])r]_cert)rWrr]rJrJrKrVs z#SimpleEnvelopeKeyDecrypter.__init__cCr\r])rfr^rJrJrKrr`zSimpleEnvelopeKeyDecrypter.certNc Csxddlm}z|||d}ddlm}||}Wntttfy5}ztjd|dWYd}~dSd}~wwt||dS) a Load a key decrypter using key material from files on disk. :param key_file: File containing the recipient's private key. :param cert_file: File containing the recipient's certificate. :param key_passphrase: Passphrase for the key file, if applicable. :return: An instance of :class:`.SimpleEnvelopeKeyDecrypter`. r)load_private_key_from_pemder) passphrase)load_cert_from_pemderz%Could not load cryptographic materialexc_infoNr`) keysrgriIOErrorrarbloggererrorrX)key_file cert_filekey_passphrasergr]rirrdrJrJrKrs    zSimpleEnvelopeKeyDecrypter.loadc Csz4t|d }|}Wdn1swYt||\}}}ddlm}m} ||}| |}Wn!ttt fyU} zt j d|d| dWYd} ~ dSd} ~ wwt ||dS) aZ Load a key decrypter using key material from a PKCS#12 file on disk. :param pfx_file: Path to the PKCS#12 file containing the key material. :param passphrase: Passphrase for the private key, if applicable. :return: An instance of :class:`.SimpleEnvelopeKeyDecrypter`. rbNr)(translate_pyca_cryptography_cert_to_asn1'translate_pyca_cryptography_key_to_asn1zCould not open PKCS#12 file .rjr`) openreadr(load_key_and_certificates keys.internalrtrurmrarbrnrorX) r[pfx_filerhf pfx_bytesr]r other_certsrtrurdrJrJrK load_pkcs126s      z&SimpleEnvelopeKeyDecrypter.load_pkcs12rr?c Cs|dj}|dkr t}nD|dkrIddlm}|d}|d}|dj}|dkr0td |d tt||ddjd ||d djd d}ntd|dtj|j d d} t | t sdt d| j||dS)a Decrypt the payload using RSA with PKCS#1 v1.5 padding or OAEP. Other schemes are not (currently) supported by this implementation. :param encrypted_key: Payload to decrypt. :param algo_params: Specification of the encryption algorithm as a CMS object. Must use ``rsaes_pkcs1v15`` or ``rsaes_oaep``. :return: The decrypted payload. rrrrrrrrz#Only MGF1 is implemented, but got 'r)rrNrzSOnly 'rsaes_pkcs1v15' and 'rsaes_oaep' are supported for envelope decryption, not 'z'.passwordz5The loaded key does not seem to be an RSA private keyr)rrrrrrrrload_der_private_keyr]r{rar r;r@) rWrr?rrr oaep_paramsrmgf_namepriv_keyrJrJrKr@WsH         z"SimpleEnvelopeKeyDecrypter.decryptrArcCs|d}|j|j}d}|r%ttttd| dd}|s+t dt j |d}|dj} t| sFt | d| drNtjntj} t|||d } |jd krat d |j} t| } tj|jdd }d }t|trt| tr| j j|j jkrt!||"t#| }n,t|t$rt| t%st!||"| }nt|t&rt| t'st!||"| }nt(d| )|}| ||dS)am Decrypt the payload using a key agreed via ephemeral-static standard (non-cofactor) ECDH with X9.63 key derivation. Other schemes aer not supported at this time. :param encrypted_key: Payload to decrypt. :param algo_params: Specification of the encryption algorithm as a CMS object. :param originator_identifier: The originator info, which must be an EC key. :param user_keying_material: The user keying material that will be used in the key derivation. :return: The decrypted payload. rN)0123r,zGOnly dhSinglePass-stdDH algorithms from SEC 1 / RFC 5753 are supported.rrM_padrrz Only originator_key is supportedrzCOriginator's public key is not compatible with selected private keyz4The loaded key does not seem to be an EC private key)r wrapped_key)*dhsinglepass_stddh_arc_patternrQdottedrSHA224rrrgetrSrr rrr{rrPendswithraes_key_unwrap_with_paddingaes_key_unwraprrchosenuntagrrrr]rarrrrarrr$r%r"r#r;r)rWrr?rAroidmatchrrr unwrap_keyroriginator_pub_key_infooriginator_pub_keyr mismatch_msgr derived_kekrJrJrKrBs~              z0SimpleEnvelopeKeyDecrypter.decrypt_with_exchanger])rErFrGrrecompiler classmethodstrr\rr_rerrrrVrr staticmethodrrr rr@r rrBrJrJrJrKrXsB      6rXed decrypterc Cs|dD]}|jdkra|j}|dj}t|tjstd|d}|dj}|jj|kr`|jj |kr`z| |dj|dWSt yN}z|d}~wt y_}zt d |d}~wwq|jd kr|j}|d D]^} | dj}t|tjs~td|d}|dj}|jj|kr|jj |krz|j| dj|d|d |d jdWSt y}z|d}~wt y}zt d |d}~wwqmqtddS)Nr.rrz;Recipient identifier must be of type IssuerAndSerialNumber.rrrrzFailed to decrypt envelope keyrr r r)rArzLRecipientInfo must be of type KeyTransRecipientInfo or KeyAgreeRecipientInfo)rrrar rrrrrrr@r; Exceptionr+rbrB) rrrec_inforissuer_and_serialrserialrdrrecipient_enc_keyrJrJrKread_envelope_keys               r recipient_cmsc CsD|dj}|dkrtd||d}|d}t||}|dur#dS|d}|dj}z|j}WnttfyA|d j}Ynw|d krJtd |d krX|j} t ||| } n/|d krf|j} t ||| } n!|dkrt|j} t ||| } n|dkr~t ||} n td|d| dd} d} t | dkrt| dd} | | fS)Nr+r0z7Recipient CMS content type must be enveloped data, not r1r/)NNr,r-rdesz2Support for DES has been dropped in pyHanko 0.26.0aes tripledesrc2rc4zCipher z is not allowed in PDF 2.0.rh)rr+rbrencryption_cipherraKeyErrorr encryption_ivr-r1r/r0rr@ from_bytes) rrr+rr/rrr9 cipher_namer&r1rvrgrJrJrKrq;sd       rqcfdictcCs\z|d}Wn tytdwt|tjr|f}dd|D}|dd}||dS)Nrz.PubKey CF dictionary must have /Recipients keycSg|] }tj|jqSrJr r7roriginal_bytesrxrJrJrKr(sz0_read_generic_pubkey_cf_info..rTr)rr+rbrar*rr)rrOrecipient_objsrQrJrJrK_read_generic_pubkey_cf_infozs     rcCs(|dd}td|d|dt|S)Nr(rr}rPrJ)rrr)rrP keylen_bitsrJrJrK_build_legacy_pubkey_cfs rcCtdd|dt|S)NrrrJrrrrPrJrJrK_build_aes128_pubkey_cf rcCr)NrrrJrrrJrJrK_build_aes256_pubkey_cfrrcCstdd|it|S)NrPrJ)rrrrJrJrK_build_aesgcm_pubkey_cfs rc seZdZUdZedeedeedeede edddiZ e eje fe d <ed ejd d ed ed fd eejd edededdf ddZ   d6dedededdeedeef fdd ZedefddZede efddZ!ed ej"d!ede#fd"d#Z$ed$ej"dedffd%d& Z%ed$ej"fd'd(Z&ed$ej"fd)d*Z'ed$ej"fd+d,Z(d-d.Z)eefd eejd edefd/d0Z* d7d1e+e,e-fde.fd2d3Z/defd4d5Z0Z1S)8rMz Security handler for public key encryption in PDF. As with the standard security handler, you essentially shouldn't ever have to instantiate these yourself (see :meth:`build_from_certs`). z/V2z/AESV2z/AESV3z/AESV4z /IdentitycCstSr])r7)___rJrJrKszPubKeySecurityHandler._known_crypt_filtersrTrergrfpdf_macr[c Ks|rtjntj} d} |tjkr |rtd|dd} nt|d|d} | r3|tjkr3|tj M}t d} nd} ||| |f|| d| d| }|j |||d|S)aO Create a new public key security handler. This method takes many parameters, but only ``certs`` is mandatory. The default behaviour is to create a public key encryption handler where the underlying symmetric encryption is provided by AES-256. Any remaining keyword arguments will be passed to the constructor. :param certs: The recipients' certificates. :param keylen_bytes: The key length (in bytes). This is only relevant for legacy security handlers. :param version: The security handler version to use. :param use_aes: Use AES-128 instead of RC4 (only meaningful if the ``version`` parameter is :attr:`~.SecurityHandlerVersion.RC4_OR_AES128`). :param use_crypt_filters: Whether to use crypt filters. This is mandatory for security handlers of version :attr:`~.SecurityHandlerVersion.RC4_OR_AES128` or higher. :param perms: Permission flags. :param encrypt_metadata: Whether to encrypt document metadata. .. warning:: See :class:`.SecurityHandler` for some background on the way pyHanko interprets this value. :param pdf_mac: Include an ISO 32004 MAC. .. warning:: Only works for PDF 2.0 security handlers. :param policy: Encryption policy choices for the chosen set of recipients. :return: An instance of :class:`.PubKeySecurityHandler`. Nr)rQrOrr)rQcrypt_filter_configrkdf_saltrgrf) rrrr9 RC4_OR_AES128rrryr@TOLERATE_MISSING_PDF_MACrkrlrp)r[re keylen_bytesrxuse_aesuse_crypt_filtersrgrQrfrrX subfiltercfcrshrJrJrKbuild_from_certssB8    z&PubKeySecurityHandler.build_from_certsNrxpubkey_handler_subfilterrr6rrc s|tjkr|tjkrtd|durK|tjkr td||d}n+|tjkr-t|||d}n|tj kr9t ||d}n|tj krFt d||d}ntdt j||||||d||_||_d|_dS)NzESubfilter /adbe.pkcs7.s5 is required for security handlers beyond V4.)r}rQrOrrz1Failed to impute a reasonable crypt filter config)rQcompat_entriesr)r9rrrr+rjRC4_40rRC4_LONGER_KEYSAES_GCMrryrrUrVrrQrS) rWrxr legacy_keylenrQrrrrrYrJrKrVsT       zPubKeySecurityHandler.__init__cCs tdS)Nz /Adobe.PubSec)r*rrZrJrJrKr\Ys zPubKeySecurityHandler.get_namecCsddtDS)NcSsh|]}|jqSrJ)rrrJrJrK _szCPubKeySecurityHandler.support_generic_subfilters..)rrZrJrJrKsupport_generic_subfilters]sz0PubKeySecurityHandler.support_generic_subfiltersrrPcCs$t|j||}|durtd|S)NzJAn absent CFM or CFM of /None doesn't make sense in a PubSec CF dictionary)r:rr+rb)r[rrPcfrJrJrKread_cf_dictionaryasz(PubKeySecurityHandler.read_cf_dictionary encrypt_dictcsRt|}||}|dur|tjkrtd|dur'|tjkr'td|S)Nz=Crypt filters require /adbe.pkcs7.s5 as the declared handler.z./adbe.pkcs7.s5 handler requires crypt filters.)rUprocess_crypt_filters_determine_subfilterrrr+rb)r[rrrrYrJrKros  z+PubKeySecurityHandler.process_crypt_filtersc Csh|dd}|ddkrtd|d}t|ddd}|jd td d }t||||d d ddS)Nrrrrz"Key length must be a multiple of 8rcSsdd|DS)NcSrrJrrrJrJrKr(szSPubKeySecurityHandler.gather_pub_key_metadata....rJ)lstrJrJrKrsz?PubKeySecurityHandler.gather_pub_key_metadata..rTdefault/KDFSaltcSst|tjtjfr |jSdSr])rar*TextStringObjectrr)rrJrJrKrs  )rrrQr)rr+rj get_and_applyrHdict)r[rrr}rOrQrJrJrKgather_pub_key_metadatas*   z-PubKeySecurityHandler.gather_pub_key_metadatacCsLztj|dtd|vrtjdWStjdWSty%td|dw)N /SubFilterz/CFrz8Invalid /SubFilter in public key encryption dictionary: )r+rrrrrarb)r[rrJrJrKrs" z*PubKeySecurityHandler._determine_subfiltercCs6t|d}td|||||d||S)N/V)rxrrrJ)r9 from_numberrMrrr)r[rvrJrJrKinstantiate_from_pdf_objectsz1PubKeySecurityHandler.instantiate_from_pdf_objectcCst}t||d<|jj|d<|j|d<|jr%t |j|d<|j s.|jt j kr8t |jd|d<|jt j krFt|j|d<|jtjkrV||j|S|}t|tsattdd |jD|d <|S) Nz/Filterrrrrrrcsrr]rrrJrJrKrs  z6PubKeySecurityHandler.as_pdf_object..r)r*DictionaryObjectrr\rrrxr _kdf_saltr_compat_entriesr9rrr}rrQrrrzrget_stream_filterrarLrbrrO)rWr default_cfrJrJrKrs0        z#PubKeySecurityHandler.as_pdf_objectcCs0|jD]}t|ts q|j|||dqdS)Nr)rstandard_filtersrarLrp)rWrergrfrrJrJrKrps  z$PubKeySecurityHandler.add_recipientsrtc Cst|trt|}t|tstdt|d|}n|}t }|j D])}t|t s0q(| |}|jtjkr?|S|j}|durQt|tsMJ||M}q(t|trZ||_ttj|S)a Authenticate a user to this security handler. :param credential: The credential to use (an instance of :class:`.EnvelopeKeyDecrypter` in this case). :param id1: First part of the document ID. Public key encryption handlers ignore this key. :return: An :class:`AuthResult` object indicating the level of access obtained. zRPubkey authentication credential must be an instance of EnvelopeKeyDecrypter, not rvN)rar<r; deserialiser<r+rbtyper@rrrrLrwstatusr3rspermission_flags _credentialr2rr) rWrtid1deser_credentialactual_credentialrgrrcf_flagsrJrJrKrws2        z"PubKeySecurityHandler.authenticatecCs |jjSr])rget_for_stream shared_keyr^rJrJrKget_file_encryption_key"s z-PubKeySecurityHandler.get_file_encryption_key)TNNTNr])2rErFrGrr*rrrrrrrr5rIrr9ryr@rrBrrrrHrrrlistrrVrr\rrrr4rrrrrrrpr r<r<r2rwrrrJrJrYrKrMs        ` C  !  !   2rM)NT)T)abcenumloggingrrkrT dataclassesrhashlibrrtypingrrrrr r asn1cryptor r r rasn1crypto.algosrasn1crypto.cmsrrasn1crypto.keysrrrcryptography.hazmat.primitivesrrr,cryptography.hazmat.primitives.asymmetric.ecrrrrr1cryptography.hazmat.primitives.asymmetric.paddingrrrr-cryptography.hazmat.primitives.asymmetric.rsar r!.cryptography.hazmat.primitives.asymmetric.x448r"r#0cryptography.hazmat.primitives.asymmetric.x25519r$r%"cryptography.hazmat.primitives.kdfr&*cryptography.hazmat.primitives.kdf.x963kdfr',cryptography.hazmat.primitives.serializationr(r*r+_utilr-r.r/r0r1apir2r3r4r5r6r7r8r9r:cred_serr;r< filter_mixinsr=r>r? permissionsr@ getLoggerrErnrBABCrLrrrrrDEF_EMBEDDED_FILErrruniqueEnumrrrrrrr HashAlgorithmrrrrrr$r7rmrbr;r<SequencerCrFrrPrrXregisterr6rrqrrrrrrrMrJrJrJrKs<       ,            !   ! :  0 G;    B ?