Add files using upload-large-folder tool

.gitattributes

@@ -328,3 +328,4 @@ tuning-competition-baseline/.venv/lib/python3.11/site-packages/nvidia/cudnn/lib/
 .venv/lib/python3.11/site-packages/networkx/utils/__pycache__/backends.cpython-311.pyc filter=lfs diff=lfs merge=lfs -text
 .venv/lib/python3.11/site-packages/httptools/parser/url_parser.cpython-311-x86_64-linux-gnu.so filter=lfs diff=lfs merge=lfs -text
 .venv/lib/python3.11/site-packages/httptools/parser/parser.cpython-311-x86_64-linux-gnu.so filter=lfs diff=lfs merge=lfs -text
+.venv/lib/python3.11/site-packages/yarl/_quoting_c.cpython-311-x86_64-linux-gnu.so filter=lfs diff=lfs merge=lfs -text

.venv/lib/python3.11/site-packages/cryptography/__about__.py

@@ -0,0 +1,17 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+__all__ = [
+    "__author__",
+    "__copyright__",
+    "__version__",
+]
+
+__version__ = "43.0.3"
+
+
+__author__ = "The Python Cryptographic Authority and individual contributors"
+__copyright__ = f"Copyright 2013-2024 {__author__}"

.venv/lib/python3.11/site-packages/cryptography/__init__.py

@@ -0,0 +1,13 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+from cryptography.__about__ import __author__, __copyright__, __version__
+
+__all__ = [
+    "__author__",
+    "__copyright__",
+    "__version__",
+]

.venv/lib/python3.11/site-packages/cryptography/exceptions.py

@@ -0,0 +1,52 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+import typing
+
+from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
+
+if typing.TYPE_CHECKING:
+    from cryptography.hazmat.bindings._rust import openssl as rust_openssl
+
+_Reasons = rust_exceptions._Reasons
+
+
+class UnsupportedAlgorithm(Exception):
+    def __init__(self, message: str, reason: _Reasons | None = None) -> None:
+        super().__init__(message)
+        self._reason = reason
+
+
+class AlreadyFinalized(Exception):
+    pass
+
+
+class AlreadyUpdated(Exception):
+    pass
+
+
+class NotYetFinalized(Exception):
+    pass
+
+
+class InvalidTag(Exception):
+    pass
+
+
+class InvalidSignature(Exception):
+    pass
+
+
+class InternalError(Exception):
+    def __init__(
+        self, msg: str, err_code: list[rust_openssl.OpenSSLError]
+    ) -> None:
+        super().__init__(msg)
+        self.err_code = err_code
+
+
+class InvalidKey(Exception):
+    pass

.venv/lib/python3.11/site-packages/cryptography/fernet.py

@@ -0,0 +1,215 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+import base64
+import binascii
+import os
+import time
+import typing
+
+from cryptography import utils
+from cryptography.exceptions import InvalidSignature
+from cryptography.hazmat.primitives import hashes, padding
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+from cryptography.hazmat.primitives.hmac import HMAC
+
+
+class InvalidToken(Exception):
+    pass
+
+
+_MAX_CLOCK_SKEW = 60
+
+
+class Fernet:
+    def __init__(
+        self,
+        key: bytes | str,
+        backend: typing.Any = None,
+    ) -> None:
+        try:
+            key = base64.urlsafe_b64decode(key)
+        except binascii.Error as exc:
+            raise ValueError(
+                "Fernet key must be 32 url-safe base64-encoded bytes."
+            ) from exc
+        if len(key) != 32:
+            raise ValueError(
+                "Fernet key must be 32 url-safe base64-encoded bytes."
+            )
+
+        self._signing_key = key[:16]
+        self._encryption_key = key[16:]
+
+    @classmethod
+    def generate_key(cls) -> bytes:
+        return base64.urlsafe_b64encode(os.urandom(32))
+
+    def encrypt(self, data: bytes) -> bytes:
+        return self.encrypt_at_time(data, int(time.time()))
+
+    def encrypt_at_time(self, data: bytes, current_time: int) -> bytes:
+        iv = os.urandom(16)
+        return self._encrypt_from_parts(data, current_time, iv)
+
+    def _encrypt_from_parts(
+        self, data: bytes, current_time: int, iv: bytes
+    ) -> bytes:
+        utils._check_bytes("data", data)
+
+        padder = padding.PKCS7(algorithms.AES.block_size).padder()
+        padded_data = padder.update(data) + padder.finalize()
+        encryptor = Cipher(
+            algorithms.AES(self._encryption_key),
+            modes.CBC(iv),
+        ).encryptor()
+        ciphertext = encryptor.update(padded_data) + encryptor.finalize()
+
+        basic_parts = (
+            b"\x80"
+            + current_time.to_bytes(length=8, byteorder="big")
+            + iv
+            + ciphertext
+        )
+
+        h = HMAC(self._signing_key, hashes.SHA256())
+        h.update(basic_parts)
+        hmac = h.finalize()
+        return base64.urlsafe_b64encode(basic_parts + hmac)
+
+    def decrypt(self, token: bytes | str, ttl: int | None = None) -> bytes:
+        timestamp, data = Fernet._get_unverified_token_data(token)
+        if ttl is None:
+            time_info = None
+        else:
+            time_info = (ttl, int(time.time()))
+        return self._decrypt_data(data, timestamp, time_info)
+
+    def decrypt_at_time(
+        self, token: bytes | str, ttl: int, current_time: int
+    ) -> bytes:
+        if ttl is None:
+            raise ValueError(
+                "decrypt_at_time() can only be used with a non-None ttl"
+            )
+        timestamp, data = Fernet._get_unverified_token_data(token)
+        return self._decrypt_data(data, timestamp, (ttl, current_time))
+
+    def extract_timestamp(self, token: bytes | str) -> int:
+        timestamp, data = Fernet._get_unverified_token_data(token)
+        # Verify the token was not tampered with.
+        self._verify_signature(data)
+        return timestamp
+
+    @staticmethod
+    def _get_unverified_token_data(token: bytes | str) -> tuple[int, bytes]:
+        if not isinstance(token, (str, bytes)):
+            raise TypeError("token must be bytes or str")
+
+        try:
+            data = base64.urlsafe_b64decode(token)
+        except (TypeError, binascii.Error):
+            raise InvalidToken
+
+        if not data or data[0] != 0x80:
+            raise InvalidToken
+
+        if len(data) < 9:
+            raise InvalidToken
+
+        timestamp = int.from_bytes(data[1:9], byteorder="big")
+        return timestamp, data
+
+    def _verify_signature(self, data: bytes) -> None:
+        h = HMAC(self._signing_key, hashes.SHA256())
+        h.update(data[:-32])
+        try:
+            h.verify(data[-32:])
+        except InvalidSignature:
+            raise InvalidToken
+
+    def _decrypt_data(
+        self,
+        data: bytes,
+        timestamp: int,
+        time_info: tuple[int, int] | None,
+    ) -> bytes:
+        if time_info is not None:
+            ttl, current_time = time_info
+            if timestamp + ttl < current_time:
+                raise InvalidToken
+
+            if current_time + _MAX_CLOCK_SKEW < timestamp:
+                raise InvalidToken
+
+        self._verify_signature(data)
+
+        iv = data[9:25]
+        ciphertext = data[25:-32]
+        decryptor = Cipher(
+            algorithms.AES(self._encryption_key), modes.CBC(iv)
+        ).decryptor()
+        plaintext_padded = decryptor.update(ciphertext)
+        try:
+            plaintext_padded += decryptor.finalize()
+        except ValueError:
+            raise InvalidToken
+        unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()
+
+        unpadded = unpadder.update(plaintext_padded)
+        try:
+            unpadded += unpadder.finalize()
+        except ValueError:
+            raise InvalidToken
+        return unpadded
+
+
+class MultiFernet:
+    def __init__(self, fernets: typing.Iterable[Fernet]):
+        fernets = list(fernets)
+        if not fernets:
+            raise ValueError(
+                "MultiFernet requires at least one Fernet instance"
+            )
+        self._fernets = fernets
+
+    def encrypt(self, msg: bytes) -> bytes:
+        return self.encrypt_at_time(msg, int(time.time()))
+
+    def encrypt_at_time(self, msg: bytes, current_time: int) -> bytes:
+        return self._fernets[0].encrypt_at_time(msg, current_time)
+
+    def rotate(self, msg: bytes | str) -> bytes:
+        timestamp, data = Fernet._get_unverified_token_data(msg)
+        for f in self._fernets:
+            try:
+                p = f._decrypt_data(data, timestamp, None)
+                break
+            except InvalidToken:
+                pass
+        else:
+            raise InvalidToken
+
+        iv = os.urandom(16)
+        return self._fernets[0]._encrypt_from_parts(p, timestamp, iv)
+
+    def decrypt(self, msg: bytes | str, ttl: int | None = None) -> bytes:
+        for f in self._fernets:
+            try:
+                return f.decrypt(msg, ttl)
+            except InvalidToken:
+                pass
+        raise InvalidToken
+
+    def decrypt_at_time(
+        self, msg: bytes | str, ttl: int, current_time: int
+    ) -> bytes:
+        for f in self._fernets:
+            try:
+                return f.decrypt_at_time(msg, ttl, current_time)
+            except InvalidToken:
+                pass
+        raise InvalidToken

.venv/lib/python3.11/site-packages/cryptography/hazmat/__init__.py

@@ -0,0 +1,13 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+"""
+Hazardous Materials
+
+This is a "Hazardous Materials" module. You should ONLY use it if you're
+100% absolutely sure that you know what you're doing because this module
+is full of land mines, dragons, and dinosaurs with laser guns.
+"""

.venv/lib/python3.11/site-packages/cryptography/hazmat/_oid.py

@@ -0,0 +1,313 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+from cryptography.hazmat.bindings._rust import (
+    ObjectIdentifier as ObjectIdentifier,
+)
+from cryptography.hazmat.primitives import hashes
+
+
+class ExtensionOID:
+    SUBJECT_DIRECTORY_ATTRIBUTES = ObjectIdentifier("2.5.29.9")
+    SUBJECT_KEY_IDENTIFIER = ObjectIdentifier("2.5.29.14")
+    KEY_USAGE = ObjectIdentifier("2.5.29.15")
+    SUBJECT_ALTERNATIVE_NAME = ObjectIdentifier("2.5.29.17")
+    ISSUER_ALTERNATIVE_NAME = ObjectIdentifier("2.5.29.18")
+    BASIC_CONSTRAINTS = ObjectIdentifier("2.5.29.19")
+    NAME_CONSTRAINTS = ObjectIdentifier("2.5.29.30")
+    CRL_DISTRIBUTION_POINTS = ObjectIdentifier("2.5.29.31")
+    CERTIFICATE_POLICIES = ObjectIdentifier("2.5.29.32")
+    POLICY_MAPPINGS = ObjectIdentifier("2.5.29.33")
+    AUTHORITY_KEY_IDENTIFIER = ObjectIdentifier("2.5.29.35")
+    POLICY_CONSTRAINTS = ObjectIdentifier("2.5.29.36")
+    EXTENDED_KEY_USAGE = ObjectIdentifier("2.5.29.37")
+    FRESHEST_CRL = ObjectIdentifier("2.5.29.46")
+    INHIBIT_ANY_POLICY = ObjectIdentifier("2.5.29.54")
+    ISSUING_DISTRIBUTION_POINT = ObjectIdentifier("2.5.29.28")
+    AUTHORITY_INFORMATION_ACCESS = ObjectIdentifier("1.3.6.1.5.5.7.1.1")
+    SUBJECT_INFORMATION_ACCESS = ObjectIdentifier("1.3.6.1.5.5.7.1.11")
+    OCSP_NO_CHECK = ObjectIdentifier("1.3.6.1.5.5.7.48.1.5")
+    TLS_FEATURE = ObjectIdentifier("1.3.6.1.5.5.7.1.24")
+    CRL_NUMBER = ObjectIdentifier("2.5.29.20")
+    DELTA_CRL_INDICATOR = ObjectIdentifier("2.5.29.27")
+    PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS = ObjectIdentifier(
+        "1.3.6.1.4.1.11129.2.4.2"
+    )
+    PRECERT_POISON = ObjectIdentifier("1.3.6.1.4.1.11129.2.4.3")
+    SIGNED_CERTIFICATE_TIMESTAMPS = ObjectIdentifier("1.3.6.1.4.1.11129.2.4.5")
+    MS_CERTIFICATE_TEMPLATE = ObjectIdentifier("1.3.6.1.4.1.311.21.7")
+
+
+class OCSPExtensionOID:
+    NONCE = ObjectIdentifier("1.3.6.1.5.5.7.48.1.2")
+    ACCEPTABLE_RESPONSES = ObjectIdentifier("1.3.6.1.5.5.7.48.1.4")
+
+
+class CRLEntryExtensionOID:
+    CERTIFICATE_ISSUER = ObjectIdentifier("2.5.29.29")
+    CRL_REASON = ObjectIdentifier("2.5.29.21")
+    INVALIDITY_DATE = ObjectIdentifier("2.5.29.24")
+
+
+class NameOID:
+    COMMON_NAME = ObjectIdentifier("2.5.4.3")
+    COUNTRY_NAME = ObjectIdentifier("2.5.4.6")
+    LOCALITY_NAME = ObjectIdentifier("2.5.4.7")
+    STATE_OR_PROVINCE_NAME = ObjectIdentifier("2.5.4.8")
+    STREET_ADDRESS = ObjectIdentifier("2.5.4.9")
+    ORGANIZATION_IDENTIFIER = ObjectIdentifier("2.5.4.97")
+    ORGANIZATION_NAME = ObjectIdentifier("2.5.4.10")
+    ORGANIZATIONAL_UNIT_NAME = ObjectIdentifier("2.5.4.11")
+    SERIAL_NUMBER = ObjectIdentifier("2.5.4.5")
+    SURNAME = ObjectIdentifier("2.5.4.4")
+    GIVEN_NAME = ObjectIdentifier("2.5.4.42")
+    TITLE = ObjectIdentifier("2.5.4.12")
+    INITIALS = ObjectIdentifier("2.5.4.43")
+    GENERATION_QUALIFIER = ObjectIdentifier("2.5.4.44")
+    X500_UNIQUE_IDENTIFIER = ObjectIdentifier("2.5.4.45")
+    DN_QUALIFIER = ObjectIdentifier("2.5.4.46")
+    PSEUDONYM = ObjectIdentifier("2.5.4.65")
+    USER_ID = ObjectIdentifier("0.9.2342.19200300.100.1.1")
+    DOMAIN_COMPONENT = ObjectIdentifier("0.9.2342.19200300.100.1.25")
+    EMAIL_ADDRESS = ObjectIdentifier("1.2.840.113549.1.9.1")
+    JURISDICTION_COUNTRY_NAME = ObjectIdentifier("1.3.6.1.4.1.311.60.2.1.3")
+    JURISDICTION_LOCALITY_NAME = ObjectIdentifier("1.3.6.1.4.1.311.60.2.1.1")
+    JURISDICTION_STATE_OR_PROVINCE_NAME = ObjectIdentifier(
+        "1.3.6.1.4.1.311.60.2.1.2"
+    )
+    BUSINESS_CATEGORY = ObjectIdentifier("2.5.4.15")
+    POSTAL_ADDRESS = ObjectIdentifier("2.5.4.16")
+    POSTAL_CODE = ObjectIdentifier("2.5.4.17")
+    INN = ObjectIdentifier("1.2.643.3.131.1.1")
+    OGRN = ObjectIdentifier("1.2.643.100.1")
+    SNILS = ObjectIdentifier("1.2.643.100.3")
+    UNSTRUCTURED_NAME = ObjectIdentifier("1.2.840.113549.1.9.2")
+
+
+class SignatureAlgorithmOID:
+    RSA_WITH_MD5 = ObjectIdentifier("1.2.840.113549.1.1.4")
+    RSA_WITH_SHA1 = ObjectIdentifier("1.2.840.113549.1.1.5")
+    # This is an alternate OID for RSA with SHA1 that is occasionally seen
+    _RSA_WITH_SHA1 = ObjectIdentifier("1.3.14.3.2.29")
+    RSA_WITH_SHA224 = ObjectIdentifier("1.2.840.113549.1.1.14")
+    RSA_WITH_SHA256 = ObjectIdentifier("1.2.840.113549.1.1.11")
+    RSA_WITH_SHA384 = ObjectIdentifier("1.2.840.113549.1.1.12")
+    RSA_WITH_SHA512 = ObjectIdentifier("1.2.840.113549.1.1.13")
+    RSA_WITH_SHA3_224 = ObjectIdentifier("2.16.840.1.101.3.4.3.13")
+    RSA_WITH_SHA3_256 = ObjectIdentifier("2.16.840.1.101.3.4.3.14")
+    RSA_WITH_SHA3_384 = ObjectIdentifier("2.16.840.1.101.3.4.3.15")
+    RSA_WITH_SHA3_512 = ObjectIdentifier("2.16.840.1.101.3.4.3.16")
+    RSASSA_PSS = ObjectIdentifier("1.2.840.113549.1.1.10")
+    ECDSA_WITH_SHA1 = ObjectIdentifier("1.2.840.10045.4.1")
+    ECDSA_WITH_SHA224 = ObjectIdentifier("1.2.840.10045.4.3.1")
+    ECDSA_WITH_SHA256 = ObjectIdentifier("1.2.840.10045.4.3.2")
+    ECDSA_WITH_SHA384 = ObjectIdentifier("1.2.840.10045.4.3.3")
+    ECDSA_WITH_SHA512 = ObjectIdentifier("1.2.840.10045.4.3.4")
+    ECDSA_WITH_SHA3_224 = ObjectIdentifier("2.16.840.1.101.3.4.3.9")
+    ECDSA_WITH_SHA3_256 = ObjectIdentifier("2.16.840.1.101.3.4.3.10")
+    ECDSA_WITH_SHA3_384 = ObjectIdentifier("2.16.840.1.101.3.4.3.11")
+    ECDSA_WITH_SHA3_512 = ObjectIdentifier("2.16.840.1.101.3.4.3.12")
+    DSA_WITH_SHA1 = ObjectIdentifier("1.2.840.10040.4.3")
+    DSA_WITH_SHA224 = ObjectIdentifier("2.16.840.1.101.3.4.3.1")
+    DSA_WITH_SHA256 = ObjectIdentifier("2.16.840.1.101.3.4.3.2")
+    DSA_WITH_SHA384 = ObjectIdentifier("2.16.840.1.101.3.4.3.3")
+    DSA_WITH_SHA512 = ObjectIdentifier("2.16.840.1.101.3.4.3.4")
+    ED25519 = ObjectIdentifier("1.3.101.112")
+    ED448 = ObjectIdentifier("1.3.101.113")
+    GOSTR3411_94_WITH_3410_2001 = ObjectIdentifier("1.2.643.2.2.3")
+    GOSTR3410_2012_WITH_3411_2012_256 = ObjectIdentifier("1.2.643.7.1.1.3.2")
+    GOSTR3410_2012_WITH_3411_2012_512 = ObjectIdentifier("1.2.643.7.1.1.3.3")
+
+
+_SIG_OIDS_TO_HASH: dict[ObjectIdentifier, hashes.HashAlgorithm | None] = {
+    SignatureAlgorithmOID.RSA_WITH_MD5: hashes.MD5(),
+    SignatureAlgorithmOID.RSA_WITH_SHA1: hashes.SHA1(),
+    SignatureAlgorithmOID._RSA_WITH_SHA1: hashes.SHA1(),
+    SignatureAlgorithmOID.RSA_WITH_SHA224: hashes.SHA224(),
+    SignatureAlgorithmOID.RSA_WITH_SHA256: hashes.SHA256(),
+    SignatureAlgorithmOID.RSA_WITH_SHA384: hashes.SHA384(),
+    SignatureAlgorithmOID.RSA_WITH_SHA512: hashes.SHA512(),
+    SignatureAlgorithmOID.RSA_WITH_SHA3_224: hashes.SHA3_224(),
+    SignatureAlgorithmOID.RSA_WITH_SHA3_256: hashes.SHA3_256(),
+    SignatureAlgorithmOID.RSA_WITH_SHA3_384: hashes.SHA3_384(),
+    SignatureAlgorithmOID.RSA_WITH_SHA3_512: hashes.SHA3_512(),
+    SignatureAlgorithmOID.ECDSA_WITH_SHA1: hashes.SHA1(),
+    SignatureAlgorithmOID.ECDSA_WITH_SHA224: hashes.SHA224(),
+    SignatureAlgorithmOID.ECDSA_WITH_SHA256: hashes.SHA256(),
+    SignatureAlgorithmOID.ECDSA_WITH_SHA384: hashes.SHA384(),
+    SignatureAlgorithmOID.ECDSA_WITH_SHA512: hashes.SHA512(),
+    SignatureAlgorithmOID.ECDSA_WITH_SHA3_224: hashes.SHA3_224(),
+    SignatureAlgorithmOID.ECDSA_WITH_SHA3_256: hashes.SHA3_256(),
+    SignatureAlgorithmOID.ECDSA_WITH_SHA3_384: hashes.SHA3_384(),
+    SignatureAlgorithmOID.ECDSA_WITH_SHA3_512: hashes.SHA3_512(),
+    SignatureAlgorithmOID.DSA_WITH_SHA1: hashes.SHA1(),
+    SignatureAlgorithmOID.DSA_WITH_SHA224: hashes.SHA224(),
+    SignatureAlgorithmOID.DSA_WITH_SHA256: hashes.SHA256(),
+    SignatureAlgorithmOID.ED25519: None,
+    SignatureAlgorithmOID.ED448: None,
+    SignatureAlgorithmOID.GOSTR3411_94_WITH_3410_2001: None,
+    SignatureAlgorithmOID.GOSTR3410_2012_WITH_3411_2012_256: None,
+    SignatureAlgorithmOID.GOSTR3410_2012_WITH_3411_2012_512: None,
+}
+
+
+class PublicKeyAlgorithmOID:
+    DSA = ObjectIdentifier("1.2.840.10040.4.1")
+    EC_PUBLIC_KEY = ObjectIdentifier("1.2.840.10045.2.1")
+    RSAES_PKCS1_v1_5 = ObjectIdentifier("1.2.840.113549.1.1.1")
+    RSASSA_PSS = ObjectIdentifier("1.2.840.113549.1.1.10")
+    X25519 = ObjectIdentifier("1.3.101.110")
+    X448 = ObjectIdentifier("1.3.101.111")
+    ED25519 = ObjectIdentifier("1.3.101.112")
+    ED448 = ObjectIdentifier("1.3.101.113")
+
+
+class ExtendedKeyUsageOID:
+    SERVER_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.1")
+    CLIENT_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.2")
+    CODE_SIGNING = ObjectIdentifier("1.3.6.1.5.5.7.3.3")
+    EMAIL_PROTECTION = ObjectIdentifier("1.3.6.1.5.5.7.3.4")
+    TIME_STAMPING = ObjectIdentifier("1.3.6.1.5.5.7.3.8")
+    OCSP_SIGNING = ObjectIdentifier("1.3.6.1.5.5.7.3.9")
+    ANY_EXTENDED_KEY_USAGE = ObjectIdentifier("2.5.29.37.0")
+    SMARTCARD_LOGON = ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")
+    KERBEROS_PKINIT_KDC = ObjectIdentifier("1.3.6.1.5.2.3.5")
+    IPSEC_IKE = ObjectIdentifier("1.3.6.1.5.5.7.3.17")
+    CERTIFICATE_TRANSPARENCY = ObjectIdentifier("1.3.6.1.4.1.11129.2.4.4")
+
+
+class AuthorityInformationAccessOID:
+    CA_ISSUERS = ObjectIdentifier("1.3.6.1.5.5.7.48.2")
+    OCSP = ObjectIdentifier("1.3.6.1.5.5.7.48.1")
+
+
+class SubjectInformationAccessOID:
+    CA_REPOSITORY = ObjectIdentifier("1.3.6.1.5.5.7.48.5")
+
+
+class CertificatePoliciesOID:
+    CPS_QUALIFIER = ObjectIdentifier("1.3.6.1.5.5.7.2.1")
+    CPS_USER_NOTICE = ObjectIdentifier("1.3.6.1.5.5.7.2.2")
+    ANY_POLICY = ObjectIdentifier("2.5.29.32.0")
+
+
+class AttributeOID:
+    CHALLENGE_PASSWORD = ObjectIdentifier("1.2.840.113549.1.9.7")
+    UNSTRUCTURED_NAME = ObjectIdentifier("1.2.840.113549.1.9.2")
+
+
+_OID_NAMES = {
+    NameOID.COMMON_NAME: "commonName",
+    NameOID.COUNTRY_NAME: "countryName",
+    NameOID.LOCALITY_NAME: "localityName",
+    NameOID.STATE_OR_PROVINCE_NAME: "stateOrProvinceName",
+    NameOID.STREET_ADDRESS: "streetAddress",
+    NameOID.ORGANIZATION_NAME: "organizationName",
+    NameOID.ORGANIZATIONAL_UNIT_NAME: "organizationalUnitName",
+    NameOID.SERIAL_NUMBER: "serialNumber",
+    NameOID.SURNAME: "surname",
+    NameOID.GIVEN_NAME: "givenName",
+    NameOID.TITLE: "title",
+    NameOID.GENERATION_QUALIFIER: "generationQualifier",
+    NameOID.X500_UNIQUE_IDENTIFIER: "x500UniqueIdentifier",
+    NameOID.DN_QUALIFIER: "dnQualifier",
+    NameOID.PSEUDONYM: "pseudonym",
+    NameOID.USER_ID: "userID",
+    NameOID.DOMAIN_COMPONENT: "domainComponent",
+    NameOID.EMAIL_ADDRESS: "emailAddress",
+    NameOID.JURISDICTION_COUNTRY_NAME: "jurisdictionCountryName",
+    NameOID.JURISDICTION_LOCALITY_NAME: "jurisdictionLocalityName",
+    NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME: (
+        "jurisdictionStateOrProvinceName"
+    ),
+    NameOID.BUSINESS_CATEGORY: "businessCategory",
+    NameOID.POSTAL_ADDRESS: "postalAddress",
+    NameOID.POSTAL_CODE: "postalCode",
+    NameOID.INN: "INN",
+    NameOID.OGRN: "OGRN",
+    NameOID.SNILS: "SNILS",
+    NameOID.UNSTRUCTURED_NAME: "unstructuredName",
+    SignatureAlgorithmOID.RSA_WITH_MD5: "md5WithRSAEncryption",
+    SignatureAlgorithmOID.RSA_WITH_SHA1: "sha1WithRSAEncryption",
+    SignatureAlgorithmOID.RSA_WITH_SHA224: "sha224WithRSAEncryption",
+    SignatureAlgorithmOID.RSA_WITH_SHA256: "sha256WithRSAEncryption",
+    SignatureAlgorithmOID.RSA_WITH_SHA384: "sha384WithRSAEncryption",
+    SignatureAlgorithmOID.RSA_WITH_SHA512: "sha512WithRSAEncryption",
+    SignatureAlgorithmOID.RSASSA_PSS: "RSASSA-PSS",
+    SignatureAlgorithmOID.ECDSA_WITH_SHA1: "ecdsa-with-SHA1",
+    SignatureAlgorithmOID.ECDSA_WITH_SHA224: "ecdsa-with-SHA224",
+    SignatureAlgorithmOID.ECDSA_WITH_SHA256: "ecdsa-with-SHA256",
+    SignatureAlgorithmOID.ECDSA_WITH_SHA384: "ecdsa-with-SHA384",
+    SignatureAlgorithmOID.ECDSA_WITH_SHA512: "ecdsa-with-SHA512",
+    SignatureAlgorithmOID.DSA_WITH_SHA1: "dsa-with-sha1",
+    SignatureAlgorithmOID.DSA_WITH_SHA224: "dsa-with-sha224",
+    SignatureAlgorithmOID.DSA_WITH_SHA256: "dsa-with-sha256",
+    SignatureAlgorithmOID.ED25519: "ed25519",
+    SignatureAlgorithmOID.ED448: "ed448",
+    SignatureAlgorithmOID.GOSTR3411_94_WITH_3410_2001: (
+        "GOST R 34.11-94 with GOST R 34.10-2001"
+    ),
+    SignatureAlgorithmOID.GOSTR3410_2012_WITH_3411_2012_256: (
+        "GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)"
+    ),
+    SignatureAlgorithmOID.GOSTR3410_2012_WITH_3411_2012_512: (
+        "GOST R 34.10-2012 with GOST R 34.11-2012 (512 bit)"
+    ),
+    PublicKeyAlgorithmOID.DSA: "dsaEncryption",
+    PublicKeyAlgorithmOID.EC_PUBLIC_KEY: "id-ecPublicKey",
+    PublicKeyAlgorithmOID.RSAES_PKCS1_v1_5: "rsaEncryption",
+    PublicKeyAlgorithmOID.RSASSA_PSS: "rsassaPss",
+    PublicKeyAlgorithmOID.X25519: "X25519",
+    PublicKeyAlgorithmOID.X448: "X448",
+    ExtendedKeyUsageOID.SERVER_AUTH: "serverAuth",
+    ExtendedKeyUsageOID.CLIENT_AUTH: "clientAuth",
+    ExtendedKeyUsageOID.CODE_SIGNING: "codeSigning",
+    ExtendedKeyUsageOID.EMAIL_PROTECTION: "emailProtection",
+    ExtendedKeyUsageOID.TIME_STAMPING: "timeStamping",
+    ExtendedKeyUsageOID.OCSP_SIGNING: "OCSPSigning",
+    ExtendedKeyUsageOID.SMARTCARD_LOGON: "msSmartcardLogin",
+    ExtendedKeyUsageOID.KERBEROS_PKINIT_KDC: "pkInitKDC",
+    ExtensionOID.SUBJECT_DIRECTORY_ATTRIBUTES: "subjectDirectoryAttributes",
+    ExtensionOID.SUBJECT_KEY_IDENTIFIER: "subjectKeyIdentifier",
+    ExtensionOID.KEY_USAGE: "keyUsage",
+    ExtensionOID.SUBJECT_ALTERNATIVE_NAME: "subjectAltName",
+    ExtensionOID.ISSUER_ALTERNATIVE_NAME: "issuerAltName",
+    ExtensionOID.BASIC_CONSTRAINTS: "basicConstraints",
+    ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS: (
+        "signedCertificateTimestampList"
+    ),
+    ExtensionOID.SIGNED_CERTIFICATE_TIMESTAMPS: (
+        "signedCertificateTimestampList"
+    ),
+    ExtensionOID.PRECERT_POISON: "ctPoison",
+    ExtensionOID.MS_CERTIFICATE_TEMPLATE: "msCertificateTemplate",
+    CRLEntryExtensionOID.CRL_REASON: "cRLReason",
+    CRLEntryExtensionOID.INVALIDITY_DATE: "invalidityDate",
+    CRLEntryExtensionOID.CERTIFICATE_ISSUER: "certificateIssuer",
+    ExtensionOID.NAME_CONSTRAINTS: "nameConstraints",
+    ExtensionOID.CRL_DISTRIBUTION_POINTS: "cRLDistributionPoints",
+    ExtensionOID.CERTIFICATE_POLICIES: "certificatePolicies",
+    ExtensionOID.POLICY_MAPPINGS: "policyMappings",
+    ExtensionOID.AUTHORITY_KEY_IDENTIFIER: "authorityKeyIdentifier",
+    ExtensionOID.POLICY_CONSTRAINTS: "policyConstraints",
+    ExtensionOID.EXTENDED_KEY_USAGE: "extendedKeyUsage",
+    ExtensionOID.FRESHEST_CRL: "freshestCRL",
+    ExtensionOID.INHIBIT_ANY_POLICY: "inhibitAnyPolicy",
+    ExtensionOID.ISSUING_DISTRIBUTION_POINT: "issuingDistributionPoint",
+    ExtensionOID.AUTHORITY_INFORMATION_ACCESS: "authorityInfoAccess",
+    ExtensionOID.SUBJECT_INFORMATION_ACCESS: "subjectInfoAccess",
+    ExtensionOID.OCSP_NO_CHECK: "OCSPNoCheck",
+    ExtensionOID.CRL_NUMBER: "cRLNumber",
+    ExtensionOID.DELTA_CRL_INDICATOR: "deltaCRLIndicator",
+    ExtensionOID.TLS_FEATURE: "TLSFeature",
+    AuthorityInformationAccessOID.OCSP: "OCSP",
+    AuthorityInformationAccessOID.CA_ISSUERS: "caIssuers",
+    SubjectInformationAccessOID.CA_REPOSITORY: "caRepository",
+    CertificatePoliciesOID.CPS_QUALIFIER: "id-qt-cps",
+    CertificatePoliciesOID.CPS_USER_NOTICE: "id-qt-unotice",
+    OCSPExtensionOID.NONCE: "OCSPNonce",
+    AttributeOID.CHALLENGE_PASSWORD: "challengePassword",
+}

.venv/lib/python3.11/site-packages/cryptography/hazmat/backends/__init__.py

@@ -0,0 +1,13 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+from typing import Any
+
+
+def default_backend() -> Any:
+    from cryptography.hazmat.backends.openssl.backend import backend
+
+    return backend

.venv/lib/python3.11/site-packages/cryptography/hazmat/backends/openssl/__init__.py

@@ -0,0 +1,9 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+from cryptography.hazmat.backends.openssl.backend import backend
+
+__all__ = ["backend"]

.venv/lib/python3.11/site-packages/cryptography/hazmat/backends/openssl/backend.py

@@ -0,0 +1,291 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
+from cryptography.hazmat.bindings.openssl import binding
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives._asymmetric import AsymmetricPadding
+from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.hazmat.primitives.asymmetric import utils as asym_utils
+from cryptography.hazmat.primitives.asymmetric.padding import (
+    MGF1,
+    OAEP,
+    PSS,
+    PKCS1v15,
+)
+from cryptography.hazmat.primitives.ciphers import (
+    CipherAlgorithm,
+)
+from cryptography.hazmat.primitives.ciphers.algorithms import (
+    AES,
+)
+from cryptography.hazmat.primitives.ciphers.modes import (
+    CBC,
+    Mode,
+)
+
+
+class Backend:
+    """
+    OpenSSL API binding interfaces.
+    """
+
+    name = "openssl"
+
+    # TripleDES encryption is disallowed/deprecated throughout 2023 in
+    # FIPS 140-3. To keep it simple we denylist any use of TripleDES (TDEA).
+    _fips_ciphers = (AES,)
+    # Sometimes SHA1 is still permissible. That logic is contained
+    # within the various *_supported methods.
+    _fips_hashes = (
+        hashes.SHA224,
+        hashes.SHA256,
+        hashes.SHA384,
+        hashes.SHA512,
+        hashes.SHA512_224,
+        hashes.SHA512_256,
+        hashes.SHA3_224,
+        hashes.SHA3_256,
+        hashes.SHA3_384,
+        hashes.SHA3_512,
+        hashes.SHAKE128,
+        hashes.SHAKE256,
+    )
+    _fips_ecdh_curves = (
+        ec.SECP224R1,
+        ec.SECP256R1,
+        ec.SECP384R1,
+        ec.SECP521R1,
+    )
+    _fips_rsa_min_key_size = 2048
+    _fips_rsa_min_public_exponent = 65537
+    _fips_dsa_min_modulus = 1 << 2048
+    _fips_dh_min_key_size = 2048
+    _fips_dh_min_modulus = 1 << _fips_dh_min_key_size
+
+    def __init__(self) -> None:
+        self._binding = binding.Binding()
+        self._ffi = self._binding.ffi
+        self._lib = self._binding.lib
+        self._fips_enabled = rust_openssl.is_fips_enabled()
+
+    def __repr__(self) -> str:
+        return (
+            f"<OpenSSLBackend(version: {self.openssl_version_text()}, "
+            f"FIPS: {self._fips_enabled}, "
+            f"Legacy: {rust_openssl._legacy_provider_loaded})>"
+        )
+
+    def openssl_assert(self, ok: bool) -> None:
+        return binding._openssl_assert(ok)
+
+    def _enable_fips(self) -> None:
+        # This function enables FIPS mode for OpenSSL 3.0.0 on installs that
+        # have the FIPS provider installed properly.
+        rust_openssl.enable_fips(rust_openssl._providers)
+        assert rust_openssl.is_fips_enabled()
+        self._fips_enabled = rust_openssl.is_fips_enabled()
+
+    def openssl_version_text(self) -> str:
+        """
+        Friendly string name of the loaded OpenSSL library. This is not
+        necessarily the same version as it was compiled against.
+
+        Example: OpenSSL 3.2.1 30 Jan 2024
+        """
+        return rust_openssl.openssl_version_text()
+
+    def openssl_version_number(self) -> int:
+        return rust_openssl.openssl_version()
+
+    def _evp_md_from_algorithm(self, algorithm: hashes.HashAlgorithm):
+        if algorithm.name in ("blake2b", "blake2s"):
+            alg = f"{algorithm.name}{algorithm.digest_size * 8}".encode(
+                "ascii"
+            )
+        else:
+            alg = algorithm.name.encode("ascii")
+
+        evp_md = self._lib.EVP_get_digestbyname(alg)
+        return evp_md
+
+    def hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool:
+        if self._fips_enabled and not isinstance(algorithm, self._fips_hashes):
+            return False
+
+        evp_md = self._evp_md_from_algorithm(algorithm)
+        return evp_md != self._ffi.NULL
+
+    def signature_hash_supported(
+        self, algorithm: hashes.HashAlgorithm
+    ) -> bool:
+        # Dedicated check for hashing algorithm use in message digest for
+        # signatures, e.g. RSA PKCS#1 v1.5 SHA1 (sha1WithRSAEncryption).
+        if self._fips_enabled and isinstance(algorithm, hashes.SHA1):
+            return False
+        return self.hash_supported(algorithm)
+
+    def scrypt_supported(self) -> bool:
+        if self._fips_enabled:
+            return False
+        else:
+            return hasattr(rust_openssl.kdf, "derive_scrypt")
+
+    def hmac_supported(self, algorithm: hashes.HashAlgorithm) -> bool:
+        # FIPS mode still allows SHA1 for HMAC
+        if self._fips_enabled and isinstance(algorithm, hashes.SHA1):
+            return True
+
+        return self.hash_supported(algorithm)
+
+    def cipher_supported(self, cipher: CipherAlgorithm, mode: Mode) -> bool:
+        if self._fips_enabled:
+            # FIPS mode requires AES. TripleDES is disallowed/deprecated in
+            # FIPS 140-3.
+            if not isinstance(cipher, self._fips_ciphers):
+                return False
+
+        return rust_openssl.ciphers.cipher_supported(cipher, mode)
+
+    def pbkdf2_hmac_supported(self, algorithm: hashes.HashAlgorithm) -> bool:
+        return self.hmac_supported(algorithm)
+
+    def _consume_errors(self) -> list[rust_openssl.OpenSSLError]:
+        return rust_openssl.capture_error_stack()
+
+    def _oaep_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool:
+        if self._fips_enabled and isinstance(algorithm, hashes.SHA1):
+            return False
+
+        return isinstance(
+            algorithm,
+            (
+                hashes.SHA1,
+                hashes.SHA224,
+                hashes.SHA256,
+                hashes.SHA384,
+                hashes.SHA512,
+            ),
+        )
+
+    def rsa_padding_supported(self, padding: AsymmetricPadding) -> bool:
+        if isinstance(padding, PKCS1v15):
+            return True
+        elif isinstance(padding, PSS) and isinstance(padding._mgf, MGF1):
+            # SHA1 is permissible in MGF1 in FIPS even when SHA1 is blocked
+            # as signature algorithm.
+            if self._fips_enabled and isinstance(
+                padding._mgf._algorithm, hashes.SHA1
+            ):
+                return True
+            else:
+                return self.hash_supported(padding._mgf._algorithm)
+        elif isinstance(padding, OAEP) and isinstance(padding._mgf, MGF1):
+            return self._oaep_hash_supported(
+                padding._mgf._algorithm
+            ) and self._oaep_hash_supported(padding._algorithm)
+        else:
+            return False
+
+    def rsa_encryption_supported(self, padding: AsymmetricPadding) -> bool:
+        if self._fips_enabled and isinstance(padding, PKCS1v15):
+            return False
+        else:
+            return self.rsa_padding_supported(padding)
+
+    def dsa_supported(self) -> bool:
+        return (
+            not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
+            and not self._fips_enabled
+        )
+
+    def dsa_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool:
+        if not self.dsa_supported():
+            return False
+        return self.signature_hash_supported(algorithm)
+
+    def cmac_algorithm_supported(self, algorithm) -> bool:
+        return self.cipher_supported(
+            algorithm, CBC(b"\x00" * algorithm.block_size)
+        )
+
+    def elliptic_curve_supported(self, curve: ec.EllipticCurve) -> bool:
+        if self._fips_enabled and not isinstance(
+            curve, self._fips_ecdh_curves
+        ):
+            return False
+
+        return rust_openssl.ec.curve_supported(curve)
+
+    def elliptic_curve_signature_algorithm_supported(
+        self,
+        signature_algorithm: ec.EllipticCurveSignatureAlgorithm,
+        curve: ec.EllipticCurve,
+    ) -> bool:
+        # We only support ECDSA right now.
+        if not isinstance(signature_algorithm, ec.ECDSA):
+            return False
+
+        return self.elliptic_curve_supported(curve) and (
+            isinstance(signature_algorithm.algorithm, asym_utils.Prehashed)
+            or self.hash_supported(signature_algorithm.algorithm)
+        )
+
+    def elliptic_curve_exchange_algorithm_supported(
+        self, algorithm: ec.ECDH, curve: ec.EllipticCurve
+    ) -> bool:
+        return self.elliptic_curve_supported(curve) and isinstance(
+            algorithm, ec.ECDH
+        )
+
+    def dh_supported(self) -> bool:
+        return not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
+
+    def dh_x942_serialization_supported(self) -> bool:
+        return self._lib.Cryptography_HAS_EVP_PKEY_DHX == 1
+
+    def x25519_supported(self) -> bool:
+        if self._fips_enabled:
+            return False
+        return True
+
+    def x448_supported(self) -> bool:
+        if self._fips_enabled:
+            return False
+        return (
+            not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL
+            and not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
+        )
+
+    def ed25519_supported(self) -> bool:
+        if self._fips_enabled:
+            return False
+        return True
+
+    def ed448_supported(self) -> bool:
+        if self._fips_enabled:
+            return False
+        return (
+            not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL
+            and not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
+        )
+
+    def ecdsa_deterministic_supported(self) -> bool:
+        return (
+            rust_openssl.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER
+            and not self._fips_enabled
+        )
+
+    def poly1305_supported(self) -> bool:
+        if self._fips_enabled:
+            return False
+        return True
+
+    def pkcs7_supported(self) -> bool:
+        return not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
+
+
+backend = Backend()

.venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/__init__.py

@@ -0,0 +1,3 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.

.venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/_asymmetric.py

@@ -0,0 +1,19 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+import abc
+
+# This exists to break an import cycle. It is normally accessible from the
+# asymmetric padding module.
+
+
+class AsymmetricPadding(metaclass=abc.ABCMeta):
+    @property
+    @abc.abstractmethod
+    def name(self) -> str:
+        """
+        A string naming this padding (e.g. "PSS", "PKCS1").
+        """

.venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/_cipheralgorithm.py

@@ -0,0 +1,58 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+import abc
+
+from cryptography import utils
+
+# This exists to break an import cycle. It is normally accessible from the
+# ciphers module.
+
+
+class CipherAlgorithm(metaclass=abc.ABCMeta):
+    @property
+    @abc.abstractmethod
+    def name(self) -> str:
+        """
+        A string naming this mode (e.g. "AES", "Camellia").
+        """
+
+    @property
+    @abc.abstractmethod
+    def key_sizes(self) -> frozenset[int]:
+        """
+        Valid key sizes for this algorithm in bits
+        """
+
+    @property
+    @abc.abstractmethod
+    def key_size(self) -> int:
+        """
+        The size of the key being used as an integer in bits (e.g. 128, 256).
+        """
+
+
+class BlockCipherAlgorithm(CipherAlgorithm):
+    key: bytes
+
+    @property
+    @abc.abstractmethod
+    def block_size(self) -> int:
+        """
+        The size of a block as an integer in bits (e.g. 64, 128).
+        """
+
+
+def _verify_key_size(algorithm: CipherAlgorithm, key: bytes) -> bytes:
+    # Verify that the key is instance of bytes
+    utils._check_byteslike("key", key)
+
+    # Verify that the key size matches the expected key size
+    if len(key) * 8 not in algorithm.key_sizes:
+        raise ValueError(
+            f"Invalid key size ({len(key) * 8}) for {algorithm.name}."
+        )
+    return key

.venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/_serialization.py

@@ -0,0 +1,169 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+import abc
+
+from cryptography import utils
+from cryptography.hazmat.primitives.hashes import HashAlgorithm
+
+# This exists to break an import cycle. These classes are normally accessible
+# from the serialization module.
+
+
+class PBES(utils.Enum):
+    PBESv1SHA1And3KeyTripleDESCBC = "PBESv1 using SHA1 and 3-Key TripleDES"
+    PBESv2SHA256AndAES256CBC = "PBESv2 using SHA256 PBKDF2 and AES256 CBC"
+
+
+class Encoding(utils.Enum):
+    PEM = "PEM"
+    DER = "DER"
+    OpenSSH = "OpenSSH"
+    Raw = "Raw"
+    X962 = "ANSI X9.62"
+    SMIME = "S/MIME"
+
+
+class PrivateFormat(utils.Enum):
+    PKCS8 = "PKCS8"
+    TraditionalOpenSSL = "TraditionalOpenSSL"
+    Raw = "Raw"
+    OpenSSH = "OpenSSH"
+    PKCS12 = "PKCS12"
+
+    def encryption_builder(self) -> KeySerializationEncryptionBuilder:
+        if self not in (PrivateFormat.OpenSSH, PrivateFormat.PKCS12):
+            raise ValueError(
+                "encryption_builder only supported with PrivateFormat.OpenSSH"
+                " and PrivateFormat.PKCS12"
+            )
+        return KeySerializationEncryptionBuilder(self)
+
+
+class PublicFormat(utils.Enum):
+    SubjectPublicKeyInfo = "X.509 subjectPublicKeyInfo with PKCS#1"
+    PKCS1 = "Raw PKCS#1"
+    OpenSSH = "OpenSSH"
+    Raw = "Raw"
+    CompressedPoint = "X9.62 Compressed Point"
+    UncompressedPoint = "X9.62 Uncompressed Point"
+
+
+class ParameterFormat(utils.Enum):
+    PKCS3 = "PKCS3"
+
+
+class KeySerializationEncryption(metaclass=abc.ABCMeta):
+    pass
+
+
+class BestAvailableEncryption(KeySerializationEncryption):
+    def __init__(self, password: bytes):
+        if not isinstance(password, bytes) or len(password) == 0:
+            raise ValueError("Password must be 1 or more bytes.")
+
+        self.password = password
+
+
+class NoEncryption(KeySerializationEncryption):
+    pass
+
+
+class KeySerializationEncryptionBuilder:
+    def __init__(
+        self,
+        format: PrivateFormat,
+        *,
+        _kdf_rounds: int | None = None,
+        _hmac_hash: HashAlgorithm | None = None,
+        _key_cert_algorithm: PBES | None = None,
+    ) -> None:
+        self._format = format
+
+        self._kdf_rounds = _kdf_rounds
+        self._hmac_hash = _hmac_hash
+        self._key_cert_algorithm = _key_cert_algorithm
+
+    def kdf_rounds(self, rounds: int) -> KeySerializationEncryptionBuilder:
+        if self._kdf_rounds is not None:
+            raise ValueError("kdf_rounds already set")
+
+        if not isinstance(rounds, int):
+            raise TypeError("kdf_rounds must be an integer")
+
+        if rounds < 1:
+            raise ValueError("kdf_rounds must be a positive integer")
+
+        return KeySerializationEncryptionBuilder(
+            self._format,
+            _kdf_rounds=rounds,
+            _hmac_hash=self._hmac_hash,
+            _key_cert_algorithm=self._key_cert_algorithm,
+        )
+
+    def hmac_hash(
+        self, algorithm: HashAlgorithm
+    ) -> KeySerializationEncryptionBuilder:
+        if self._format is not PrivateFormat.PKCS12:
+            raise TypeError(
+                "hmac_hash only supported with PrivateFormat.PKCS12"
+            )
+
+        if self._hmac_hash is not None:
+            raise ValueError("hmac_hash already set")
+        return KeySerializationEncryptionBuilder(
+            self._format,
+            _kdf_rounds=self._kdf_rounds,
+            _hmac_hash=algorithm,
+            _key_cert_algorithm=self._key_cert_algorithm,
+        )
+
+    def key_cert_algorithm(
+        self, algorithm: PBES
+    ) -> KeySerializationEncryptionBuilder:
+        if self._format is not PrivateFormat.PKCS12:
+            raise TypeError(
+                "key_cert_algorithm only supported with "
+                "PrivateFormat.PKCS12"
+            )
+        if self._key_cert_algorithm is not None:
+            raise ValueError("key_cert_algorithm already set")
+        return KeySerializationEncryptionBuilder(
+            self._format,
+            _kdf_rounds=self._kdf_rounds,
+            _hmac_hash=self._hmac_hash,
+            _key_cert_algorithm=algorithm,
+        )
+
+    def build(self, password: bytes) -> KeySerializationEncryption:
+        if not isinstance(password, bytes) or len(password) == 0:
+            raise ValueError("Password must be 1 or more bytes.")
+
+        return _KeySerializationEncryption(
+            self._format,
+            password,
+            kdf_rounds=self._kdf_rounds,
+            hmac_hash=self._hmac_hash,
+            key_cert_algorithm=self._key_cert_algorithm,
+        )
+
+
+class _KeySerializationEncryption(KeySerializationEncryption):
+    def __init__(
+        self,
+        format: PrivateFormat,
+        password: bytes,
+        *,
+        kdf_rounds: int | None,
+        hmac_hash: HashAlgorithm | None,
+        key_cert_algorithm: PBES | None,
+    ):
+        self._format = format
+        self.password = password
+
+        self._kdf_rounds = kdf_rounds
+        self._hmac_hash = hmac_hash
+        self._key_cert_algorithm = key_cert_algorithm

.venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/asymmetric/__init__.py

@@ -0,0 +1,3 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.

.venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/asymmetric/dh.py

@@ -0,0 +1,135 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+import abc
+
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
+from cryptography.hazmat.primitives import _serialization
+
+generate_parameters = rust_openssl.dh.generate_parameters
+
+
+DHPrivateNumbers = rust_openssl.dh.DHPrivateNumbers
+DHPublicNumbers = rust_openssl.dh.DHPublicNumbers
+DHParameterNumbers = rust_openssl.dh.DHParameterNumbers
+
+
+class DHParameters(metaclass=abc.ABCMeta):
+    @abc.abstractmethod
+    def generate_private_key(self) -> DHPrivateKey:
+        """
+        Generates and returns a DHPrivateKey.
+        """
+
+    @abc.abstractmethod
+    def parameter_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.ParameterFormat,
+    ) -> bytes:
+        """
+        Returns the parameters serialized as bytes.
+        """
+
+    @abc.abstractmethod
+    def parameter_numbers(self) -> DHParameterNumbers:
+        """
+        Returns a DHParameterNumbers.
+        """
+
+
+DHParametersWithSerialization = DHParameters
+DHParameters.register(rust_openssl.dh.DHParameters)
+
+
+class DHPublicKey(metaclass=abc.ABCMeta):
+    @property
+    @abc.abstractmethod
+    def key_size(self) -> int:
+        """
+        The bit length of the prime modulus.
+        """
+
+    @abc.abstractmethod
+    def parameters(self) -> DHParameters:
+        """
+        The DHParameters object associated with this public key.
+        """
+
+    @abc.abstractmethod
+    def public_numbers(self) -> DHPublicNumbers:
+        """
+        Returns a DHPublicNumbers.
+        """
+
+    @abc.abstractmethod
+    def public_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.PublicFormat,
+    ) -> bytes:
+        """
+        Returns the key serialized as bytes.
+        """
+
+    @abc.abstractmethod
+    def __eq__(self, other: object) -> bool:
+        """
+        Checks equality.
+        """
+
+
+DHPublicKeyWithSerialization = DHPublicKey
+DHPublicKey.register(rust_openssl.dh.DHPublicKey)
+
+
+class DHPrivateKey(metaclass=abc.ABCMeta):
+    @property
+    @abc.abstractmethod
+    def key_size(self) -> int:
+        """
+        The bit length of the prime modulus.
+        """
+
+    @abc.abstractmethod
+    def public_key(self) -> DHPublicKey:
+        """
+        The DHPublicKey associated with this private key.
+        """
+
+    @abc.abstractmethod
+    def parameters(self) -> DHParameters:
+        """
+        The DHParameters object associated with this private key.
+        """
+
+    @abc.abstractmethod
+    def exchange(self, peer_public_key: DHPublicKey) -> bytes:
+        """
+        Given peer's DHPublicKey, carry out the key exchange and
+        return shared key as bytes.
+        """
+
+    @abc.abstractmethod
+    def private_numbers(self) -> DHPrivateNumbers:
+        """
+        Returns a DHPrivateNumbers.
+        """
+
+    @abc.abstractmethod
+    def private_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.PrivateFormat,
+        encryption_algorithm: _serialization.KeySerializationEncryption,
+    ) -> bytes:
+        """
+        Returns the key serialized as bytes.
+        """
+
+
+DHPrivateKeyWithSerialization = DHPrivateKey
+DHPrivateKey.register(rust_openssl.dh.DHPrivateKey)

.venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/asymmetric/dsa.py

@@ -0,0 +1,154 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+import abc
+import typing
+
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
+from cryptography.hazmat.primitives import _serialization, hashes
+from cryptography.hazmat.primitives.asymmetric import utils as asym_utils
+
+
+class DSAParameters(metaclass=abc.ABCMeta):
+    @abc.abstractmethod
+    def generate_private_key(self) -> DSAPrivateKey:
+        """
+        Generates and returns a DSAPrivateKey.
+        """
+
+    @abc.abstractmethod
+    def parameter_numbers(self) -> DSAParameterNumbers:
+        """
+        Returns a DSAParameterNumbers.
+        """
+
+
+DSAParametersWithNumbers = DSAParameters
+DSAParameters.register(rust_openssl.dsa.DSAParameters)
+
+
+class DSAPrivateKey(metaclass=abc.ABCMeta):
+    @property
+    @abc.abstractmethod
+    def key_size(self) -> int:
+        """
+        The bit length of the prime modulus.
+        """
+
+    @abc.abstractmethod
+    def public_key(self) -> DSAPublicKey:
+        """
+        The DSAPublicKey associated with this private key.
+        """
+
+    @abc.abstractmethod
+    def parameters(self) -> DSAParameters:
+        """
+        The DSAParameters object associated with this private key.
+        """
+
+    @abc.abstractmethod
+    def sign(
+        self,
+        data: bytes,
+        algorithm: asym_utils.Prehashed | hashes.HashAlgorithm,
+    ) -> bytes:
+        """
+        Signs the data
+        """
+
+    @abc.abstractmethod
+    def private_numbers(self) -> DSAPrivateNumbers:
+        """
+        Returns a DSAPrivateNumbers.
+        """
+
+    @abc.abstractmethod
+    def private_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.PrivateFormat,
+        encryption_algorithm: _serialization.KeySerializationEncryption,
+    ) -> bytes:
+        """
+        Returns the key serialized as bytes.
+        """
+
+
+DSAPrivateKeyWithSerialization = DSAPrivateKey
+DSAPrivateKey.register(rust_openssl.dsa.DSAPrivateKey)
+
+
+class DSAPublicKey(metaclass=abc.ABCMeta):
+    @property
+    @abc.abstractmethod
+    def key_size(self) -> int:
+        """
+        The bit length of the prime modulus.
+        """
+
+    @abc.abstractmethod
+    def parameters(self) -> DSAParameters:
+        """
+        The DSAParameters object associated with this public key.
+        """
+
+    @abc.abstractmethod
+    def public_numbers(self) -> DSAPublicNumbers:
+        """
+        Returns a DSAPublicNumbers.
+        """
+
+    @abc.abstractmethod
+    def public_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.PublicFormat,
+    ) -> bytes:
+        """
+        Returns the key serialized as bytes.
+        """
+
+    @abc.abstractmethod
+    def verify(
+        self,
+        signature: bytes,
+        data: bytes,
+        algorithm: asym_utils.Prehashed | hashes.HashAlgorithm,
+    ) -> None:
+        """
+        Verifies the signature of the data.
+        """
+
+    @abc.abstractmethod
+    def __eq__(self, other: object) -> bool:
+        """
+        Checks equality.
+        """
+
+
+DSAPublicKeyWithSerialization = DSAPublicKey
+DSAPublicKey.register(rust_openssl.dsa.DSAPublicKey)
+
+DSAPrivateNumbers = rust_openssl.dsa.DSAPrivateNumbers
+DSAPublicNumbers = rust_openssl.dsa.DSAPublicNumbers
+DSAParameterNumbers = rust_openssl.dsa.DSAParameterNumbers
+
+
+def generate_parameters(
+    key_size: int, backend: typing.Any = None
+) -> DSAParameters:
+    if key_size not in (1024, 2048, 3072, 4096):
+        raise ValueError("Key size must be 1024, 2048, 3072, or 4096 bits.")
+
+    return rust_openssl.dsa.generate_parameters(key_size)
+
+
+def generate_private_key(
+    key_size: int, backend: typing.Any = None
+) -> DSAPrivateKey:
+    parameters = generate_parameters(key_size)
+    return parameters.generate_private_key()

.venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/asymmetric/ec.py

@@ -0,0 +1,403 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+import abc
+import typing
+
+from cryptography import utils
+from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
+from cryptography.hazmat._oid import ObjectIdentifier
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
+from cryptography.hazmat.primitives import _serialization, hashes
+from cryptography.hazmat.primitives.asymmetric import utils as asym_utils
+
+
+class EllipticCurveOID:
+    SECP192R1 = ObjectIdentifier("1.2.840.10045.3.1.1")
+    SECP224R1 = ObjectIdentifier("1.3.132.0.33")
+    SECP256K1 = ObjectIdentifier("1.3.132.0.10")
+    SECP256R1 = ObjectIdentifier("1.2.840.10045.3.1.7")
+    SECP384R1 = ObjectIdentifier("1.3.132.0.34")
+    SECP521R1 = ObjectIdentifier("1.3.132.0.35")
+    BRAINPOOLP256R1 = ObjectIdentifier("1.3.36.3.3.2.8.1.1.7")
+    BRAINPOOLP384R1 = ObjectIdentifier("1.3.36.3.3.2.8.1.1.11")
+    BRAINPOOLP512R1 = ObjectIdentifier("1.3.36.3.3.2.8.1.1.13")
+    SECT163K1 = ObjectIdentifier("1.3.132.0.1")
+    SECT163R2 = ObjectIdentifier("1.3.132.0.15")
+    SECT233K1 = ObjectIdentifier("1.3.132.0.26")
+    SECT233R1 = ObjectIdentifier("1.3.132.0.27")
+    SECT283K1 = ObjectIdentifier("1.3.132.0.16")
+    SECT283R1 = ObjectIdentifier("1.3.132.0.17")
+    SECT409K1 = ObjectIdentifier("1.3.132.0.36")
+    SECT409R1 = ObjectIdentifier("1.3.132.0.37")
+    SECT571K1 = ObjectIdentifier("1.3.132.0.38")
+    SECT571R1 = ObjectIdentifier("1.3.132.0.39")
+
+
+class EllipticCurve(metaclass=abc.ABCMeta):
+    @property
+    @abc.abstractmethod
+    def name(self) -> str:
+        """
+        The name of the curve. e.g. secp256r1.
+        """
+
+    @property
+    @abc.abstractmethod
+    def key_size(self) -> int:
+        """
+        Bit size of a secret scalar for the curve.
+        """
+
+
+class EllipticCurveSignatureAlgorithm(metaclass=abc.ABCMeta):
+    @property
+    @abc.abstractmethod
+    def algorithm(
+        self,
+    ) -> asym_utils.Prehashed | hashes.HashAlgorithm:
+        """
+        The digest algorithm used with this signature.
+        """
+
+
+class EllipticCurvePrivateKey(metaclass=abc.ABCMeta):
+    @abc.abstractmethod
+    def exchange(
+        self, algorithm: ECDH, peer_public_key: EllipticCurvePublicKey
+    ) -> bytes:
+        """
+        Performs a key exchange operation using the provided algorithm with the
+        provided peer's public key.
+        """
+
+    @abc.abstractmethod
+    def public_key(self) -> EllipticCurvePublicKey:
+        """
+        The EllipticCurvePublicKey for this private key.
+        """
+
+    @property
+    @abc.abstractmethod
+    def curve(self) -> EllipticCurve:
+        """
+        The EllipticCurve that this key is on.
+        """
+
+    @property
+    @abc.abstractmethod
+    def key_size(self) -> int:
+        """
+        Bit size of a secret scalar for the curve.
+        """
+
+    @abc.abstractmethod
+    def sign(
+        self,
+        data: bytes,
+        signature_algorithm: EllipticCurveSignatureAlgorithm,
+    ) -> bytes:
+        """
+        Signs the data
+        """
+
+    @abc.abstractmethod
+    def private_numbers(self) -> EllipticCurvePrivateNumbers:
+        """
+        Returns an EllipticCurvePrivateNumbers.
+        """
+
+    @abc.abstractmethod
+    def private_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.PrivateFormat,
+        encryption_algorithm: _serialization.KeySerializationEncryption,
+    ) -> bytes:
+        """
+        Returns the key serialized as bytes.
+        """
+
+
+EllipticCurvePrivateKeyWithSerialization = EllipticCurvePrivateKey
+EllipticCurvePrivateKey.register(rust_openssl.ec.ECPrivateKey)
+
+
+class EllipticCurvePublicKey(metaclass=abc.ABCMeta):
+    @property
+    @abc.abstractmethod
+    def curve(self) -> EllipticCurve:
+        """
+        The EllipticCurve that this key is on.
+        """
+
+    @property
+    @abc.abstractmethod
+    def key_size(self) -> int:
+        """
+        Bit size of a secret scalar for the curve.
+        """
+
+    @abc.abstractmethod
+    def public_numbers(self) -> EllipticCurvePublicNumbers:
+        """
+        Returns an EllipticCurvePublicNumbers.
+        """
+
+    @abc.abstractmethod
+    def public_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.PublicFormat,
+    ) -> bytes:
+        """
+        Returns the key serialized as bytes.
+        """
+
+    @abc.abstractmethod
+    def verify(
+        self,
+        signature: bytes,
+        data: bytes,
+        signature_algorithm: EllipticCurveSignatureAlgorithm,
+    ) -> None:
+        """
+        Verifies the signature of the data.
+        """
+
+    @classmethod
+    def from_encoded_point(
+        cls, curve: EllipticCurve, data: bytes
+    ) -> EllipticCurvePublicKey:
+        utils._check_bytes("data", data)
+
+        if len(data) == 0:
+            raise ValueError("data must not be an empty byte string")
+
+        if data[0] not in [0x02, 0x03, 0x04]:
+            raise ValueError("Unsupported elliptic curve point type")
+
+        return rust_openssl.ec.from_public_bytes(curve, data)
+
+    @abc.abstractmethod
+    def __eq__(self, other: object) -> bool:
+        """
+        Checks equality.
+        """
+
+
+EllipticCurvePublicKeyWithSerialization = EllipticCurvePublicKey
+EllipticCurvePublicKey.register(rust_openssl.ec.ECPublicKey)
+
+EllipticCurvePrivateNumbers = rust_openssl.ec.EllipticCurvePrivateNumbers
+EllipticCurvePublicNumbers = rust_openssl.ec.EllipticCurvePublicNumbers
+
+
+class SECT571R1(EllipticCurve):
+    name = "sect571r1"
+    key_size = 570
+
+
+class SECT409R1(EllipticCurve):
+    name = "sect409r1"
+    key_size = 409
+
+
+class SECT283R1(EllipticCurve):
+    name = "sect283r1"
+    key_size = 283
+
+
+class SECT233R1(EllipticCurve):
+    name = "sect233r1"
+    key_size = 233
+
+
+class SECT163R2(EllipticCurve):
+    name = "sect163r2"
+    key_size = 163
+
+
+class SECT571K1(EllipticCurve):
+    name = "sect571k1"
+    key_size = 571
+
+
+class SECT409K1(EllipticCurve):
+    name = "sect409k1"
+    key_size = 409
+
+
+class SECT283K1(EllipticCurve):
+    name = "sect283k1"
+    key_size = 283
+
+
+class SECT233K1(EllipticCurve):
+    name = "sect233k1"
+    key_size = 233
+
+
+class SECT163K1(EllipticCurve):
+    name = "sect163k1"
+    key_size = 163
+
+
+class SECP521R1(EllipticCurve):
+    name = "secp521r1"
+    key_size = 521
+
+
+class SECP384R1(EllipticCurve):
+    name = "secp384r1"
+    key_size = 384
+
+
+class SECP256R1(EllipticCurve):
+    name = "secp256r1"
+    key_size = 256
+
+
+class SECP256K1(EllipticCurve):
+    name = "secp256k1"
+    key_size = 256
+
+
+class SECP224R1(EllipticCurve):
+    name = "secp224r1"
+    key_size = 224
+
+
+class SECP192R1(EllipticCurve):
+    name = "secp192r1"
+    key_size = 192
+
+
+class BrainpoolP256R1(EllipticCurve):
+    name = "brainpoolP256r1"
+    key_size = 256
+
+
+class BrainpoolP384R1(EllipticCurve):
+    name = "brainpoolP384r1"
+    key_size = 384
+
+
+class BrainpoolP512R1(EllipticCurve):
+    name = "brainpoolP512r1"
+    key_size = 512
+
+
+_CURVE_TYPES: dict[str, EllipticCurve] = {
+    "prime192v1": SECP192R1(),
+    "prime256v1": SECP256R1(),
+    "secp192r1": SECP192R1(),
+    "secp224r1": SECP224R1(),
+    "secp256r1": SECP256R1(),
+    "secp384r1": SECP384R1(),
+    "secp521r1": SECP521R1(),
+    "secp256k1": SECP256K1(),
+    "sect163k1": SECT163K1(),
+    "sect233k1": SECT233K1(),
+    "sect283k1": SECT283K1(),
+    "sect409k1": SECT409K1(),
+    "sect571k1": SECT571K1(),
+    "sect163r2": SECT163R2(),
+    "sect233r1": SECT233R1(),
+    "sect283r1": SECT283R1(),
+    "sect409r1": SECT409R1(),
+    "sect571r1": SECT571R1(),
+    "brainpoolP256r1": BrainpoolP256R1(),
+    "brainpoolP384r1": BrainpoolP384R1(),
+    "brainpoolP512r1": BrainpoolP512R1(),
+}
+
+
+class ECDSA(EllipticCurveSignatureAlgorithm):
+    def __init__(
+        self,
+        algorithm: asym_utils.Prehashed | hashes.HashAlgorithm,
+        deterministic_signing: bool = False,
+    ):
+        from cryptography.hazmat.backends.openssl.backend import backend
+
+        if (
+            deterministic_signing
+            and not backend.ecdsa_deterministic_supported()
+        ):
+            raise UnsupportedAlgorithm(
+                "ECDSA with deterministic signature (RFC 6979) is not "
+                "supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM,
+            )
+        self._algorithm = algorithm
+        self._deterministic_signing = deterministic_signing
+
+    @property
+    def algorithm(
+        self,
+    ) -> asym_utils.Prehashed | hashes.HashAlgorithm:
+        return self._algorithm
+
+    @property
+    def deterministic_signing(
+        self,
+    ) -> bool:
+        return self._deterministic_signing
+
+
+generate_private_key = rust_openssl.ec.generate_private_key
+
+
+def derive_private_key(
+    private_value: int,
+    curve: EllipticCurve,
+    backend: typing.Any = None,
+) -> EllipticCurvePrivateKey:
+    if not isinstance(private_value, int):
+        raise TypeError("private_value must be an integer type.")
+
+    if private_value <= 0:
+        raise ValueError("private_value must be a positive integer.")
+
+    return rust_openssl.ec.derive_private_key(private_value, curve)
+
+
+class ECDH:
+    pass
+
+
+_OID_TO_CURVE = {
+    EllipticCurveOID.SECP192R1: SECP192R1,
+    EllipticCurveOID.SECP224R1: SECP224R1,
+    EllipticCurveOID.SECP256K1: SECP256K1,
+    EllipticCurveOID.SECP256R1: SECP256R1,
+    EllipticCurveOID.SECP384R1: SECP384R1,
+    EllipticCurveOID.SECP521R1: SECP521R1,
+    EllipticCurveOID.BRAINPOOLP256R1: BrainpoolP256R1,
+    EllipticCurveOID.BRAINPOOLP384R1: BrainpoolP384R1,
+    EllipticCurveOID.BRAINPOOLP512R1: BrainpoolP512R1,
+    EllipticCurveOID.SECT163K1: SECT163K1,
+    EllipticCurveOID.SECT163R2: SECT163R2,
+    EllipticCurveOID.SECT233K1: SECT233K1,
+    EllipticCurveOID.SECT233R1: SECT233R1,
+    EllipticCurveOID.SECT283K1: SECT283K1,
+    EllipticCurveOID.SECT283R1: SECT283R1,
+    EllipticCurveOID.SECT409K1: SECT409K1,
+    EllipticCurveOID.SECT409R1: SECT409R1,
+    EllipticCurveOID.SECT571K1: SECT571K1,
+    EllipticCurveOID.SECT571R1: SECT571R1,
+}
+
+
+def get_curve_for_oid(oid: ObjectIdentifier) -> type[EllipticCurve]:
+    try:
+        return _OID_TO_CURVE[oid]
+    except KeyError:
+        raise LookupError(
+            "The provided object identifier has no matching elliptic "
+            "curve class"
+        )

.venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/asymmetric/ed25519.py

@@ -0,0 +1,116 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+import abc
+
+from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
+from cryptography.hazmat.primitives import _serialization
+
+
+class Ed25519PublicKey(metaclass=abc.ABCMeta):
+    @classmethod
+    def from_public_bytes(cls, data: bytes) -> Ed25519PublicKey:
+        from cryptography.hazmat.backends.openssl.backend import backend
+
+        if not backend.ed25519_supported():
+            raise UnsupportedAlgorithm(
+                "ed25519 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM,
+            )
+
+        return rust_openssl.ed25519.from_public_bytes(data)
+
+    @abc.abstractmethod
+    def public_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.PublicFormat,
+    ) -> bytes:
+        """
+        The serialized bytes of the public key.
+        """
+
+    @abc.abstractmethod
+    def public_bytes_raw(self) -> bytes:
+        """
+        The raw bytes of the public key.
+        Equivalent to public_bytes(Raw, Raw).
+        """
+
+    @abc.abstractmethod
+    def verify(self, signature: bytes, data: bytes) -> None:
+        """
+        Verify the signature.
+        """
+
+    @abc.abstractmethod
+    def __eq__(self, other: object) -> bool:
+        """
+        Checks equality.
+        """
+
+
+Ed25519PublicKey.register(rust_openssl.ed25519.Ed25519PublicKey)
+
+
+class Ed25519PrivateKey(metaclass=abc.ABCMeta):
+    @classmethod
+    def generate(cls) -> Ed25519PrivateKey:
+        from cryptography.hazmat.backends.openssl.backend import backend
+
+        if not backend.ed25519_supported():
+            raise UnsupportedAlgorithm(
+                "ed25519 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM,
+            )
+
+        return rust_openssl.ed25519.generate_key()
+
+    @classmethod
+    def from_private_bytes(cls, data: bytes) -> Ed25519PrivateKey:
+        from cryptography.hazmat.backends.openssl.backend import backend
+
+        if not backend.ed25519_supported():
+            raise UnsupportedAlgorithm(
+                "ed25519 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM,
+            )
+
+        return rust_openssl.ed25519.from_private_bytes(data)
+
+    @abc.abstractmethod
+    def public_key(self) -> Ed25519PublicKey:
+        """
+        The Ed25519PublicKey derived from the private key.
+        """
+
+    @abc.abstractmethod
+    def private_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.PrivateFormat,
+        encryption_algorithm: _serialization.KeySerializationEncryption,
+    ) -> bytes:
+        """
+        The serialized bytes of the private key.
+        """
+
+    @abc.abstractmethod
+    def private_bytes_raw(self) -> bytes:
+        """
+        The raw bytes of the private key.
+        Equivalent to private_bytes(Raw, Raw, NoEncryption()).
+        """
+
+    @abc.abstractmethod
+    def sign(self, data: bytes) -> bytes:
+        """
+        Signs the data.
+        """
+
+
+Ed25519PrivateKey.register(rust_openssl.ed25519.Ed25519PrivateKey)

.venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/asymmetric/ed448.py

@@ -0,0 +1,118 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+import abc
+
+from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
+from cryptography.hazmat.primitives import _serialization
+
+
+class Ed448PublicKey(metaclass=abc.ABCMeta):
+    @classmethod
+    def from_public_bytes(cls, data: bytes) -> Ed448PublicKey:
+        from cryptography.hazmat.backends.openssl.backend import backend
+
+        if not backend.ed448_supported():
+            raise UnsupportedAlgorithm(
+                "ed448 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM,
+            )
+
+        return rust_openssl.ed448.from_public_bytes(data)
+
+    @abc.abstractmethod
+    def public_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.PublicFormat,
+    ) -> bytes:
+        """
+        The serialized bytes of the public key.
+        """
+
+    @abc.abstractmethod
+    def public_bytes_raw(self) -> bytes:
+        """
+        The raw bytes of the public key.
+        Equivalent to public_bytes(Raw, Raw).
+        """
+
+    @abc.abstractmethod
+    def verify(self, signature: bytes, data: bytes) -> None:
+        """
+        Verify the signature.
+        """
+
+    @abc.abstractmethod
+    def __eq__(self, other: object) -> bool:
+        """
+        Checks equality.
+        """
+
+
+if hasattr(rust_openssl, "ed448"):
+    Ed448PublicKey.register(rust_openssl.ed448.Ed448PublicKey)
+
+
+class Ed448PrivateKey(metaclass=abc.ABCMeta):
+    @classmethod
+    def generate(cls) -> Ed448PrivateKey:
+        from cryptography.hazmat.backends.openssl.backend import backend
+
+        if not backend.ed448_supported():
+            raise UnsupportedAlgorithm(
+                "ed448 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM,
+            )
+
+        return rust_openssl.ed448.generate_key()
+
+    @classmethod
+    def from_private_bytes(cls, data: bytes) -> Ed448PrivateKey:
+        from cryptography.hazmat.backends.openssl.backend import backend
+
+        if not backend.ed448_supported():
+            raise UnsupportedAlgorithm(
+                "ed448 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM,
+            )
+
+        return rust_openssl.ed448.from_private_bytes(data)
+
+    @abc.abstractmethod
+    def public_key(self) -> Ed448PublicKey:
+        """
+        The Ed448PublicKey derived from the private key.
+        """
+
+    @abc.abstractmethod
+    def sign(self, data: bytes) -> bytes:
+        """
+        Signs the data.
+        """
+
+    @abc.abstractmethod
+    def private_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.PrivateFormat,
+        encryption_algorithm: _serialization.KeySerializationEncryption,
+    ) -> bytes:
+        """
+        The serialized bytes of the private key.
+        """
+
+    @abc.abstractmethod
+    def private_bytes_raw(self) -> bytes:
+        """
+        The raw bytes of the private key.
+        Equivalent to private_bytes(Raw, Raw, NoEncryption()).
+        """
+
+
+if hasattr(rust_openssl, "x448"):
+    Ed448PrivateKey.register(rust_openssl.ed448.Ed448PrivateKey)

.venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/asymmetric/padding.py

@@ -0,0 +1,113 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+import abc
+
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives._asymmetric import (
+    AsymmetricPadding as AsymmetricPadding,
+)
+from cryptography.hazmat.primitives.asymmetric import rsa
+
+
+class PKCS1v15(AsymmetricPadding):
+    name = "EMSA-PKCS1-v1_5"
+
+
+class _MaxLength:
+    "Sentinel value for `MAX_LENGTH`."
+
+
+class _Auto:
+    "Sentinel value for `AUTO`."
+
+
+class _DigestLength:
+    "Sentinel value for `DIGEST_LENGTH`."
+
+
+class PSS(AsymmetricPadding):
+    MAX_LENGTH = _MaxLength()
+    AUTO = _Auto()
+    DIGEST_LENGTH = _DigestLength()
+    name = "EMSA-PSS"
+    _salt_length: int | _MaxLength | _Auto | _DigestLength
+
+    def __init__(
+        self,
+        mgf: MGF,
+        salt_length: int | _MaxLength | _Auto | _DigestLength,
+    ) -> None:
+        self._mgf = mgf
+
+        if not isinstance(
+            salt_length, (int, _MaxLength, _Auto, _DigestLength)
+        ):
+            raise TypeError(
+                "salt_length must be an integer, MAX_LENGTH, "
+                "DIGEST_LENGTH, or AUTO"
+            )
+
+        if isinstance(salt_length, int) and salt_length < 0:
+            raise ValueError("salt_length must be zero or greater.")
+
+        self._salt_length = salt_length
+
+    @property
+    def mgf(self) -> MGF:
+        return self._mgf
+
+
+class OAEP(AsymmetricPadding):
+    name = "EME-OAEP"
+
+    def __init__(
+        self,
+        mgf: MGF,
+        algorithm: hashes.HashAlgorithm,
+        label: bytes | None,
+    ):
+        if not isinstance(algorithm, hashes.HashAlgorithm):
+            raise TypeError("Expected instance of hashes.HashAlgorithm.")
+
+        self._mgf = mgf
+        self._algorithm = algorithm
+        self._label = label
+
+    @property
+    def algorithm(self) -> hashes.HashAlgorithm:
+        return self._algorithm
+
+    @property
+    def mgf(self) -> MGF:
+        return self._mgf
+
+
+class MGF(metaclass=abc.ABCMeta):
+    _algorithm: hashes.HashAlgorithm
+
+
+class MGF1(MGF):
+    MAX_LENGTH = _MaxLength()
+
+    def __init__(self, algorithm: hashes.HashAlgorithm):
+        if not isinstance(algorithm, hashes.HashAlgorithm):
+            raise TypeError("Expected instance of hashes.HashAlgorithm.")
+
+        self._algorithm = algorithm
+
+
+def calculate_max_pss_salt_length(
+    key: rsa.RSAPrivateKey | rsa.RSAPublicKey,
+    hash_algorithm: hashes.HashAlgorithm,
+) -> int:
+    if not isinstance(key, (rsa.RSAPrivateKey, rsa.RSAPublicKey)):
+        raise TypeError("key must be an RSA public or private key")
+    # bit length - 1 per RFC 3447
+    emlen = (key.key_size + 6) // 8
+    salt_length = emlen - hash_algorithm.digest_size - 2
+    assert salt_length >= 0
+    return salt_length

.venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/asymmetric/rsa.py

@@ -0,0 +1,260 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+import abc
+import typing
+from math import gcd
+
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
+from cryptography.hazmat.primitives import _serialization, hashes
+from cryptography.hazmat.primitives._asymmetric import AsymmetricPadding
+from cryptography.hazmat.primitives.asymmetric import utils as asym_utils
+
+
+class RSAPrivateKey(metaclass=abc.ABCMeta):
+    @abc.abstractmethod
+    def decrypt(self, ciphertext: bytes, padding: AsymmetricPadding) -> bytes:
+        """
+        Decrypts the provided ciphertext.
+        """
+
+    @property
+    @abc.abstractmethod
+    def key_size(self) -> int:
+        """
+        The bit length of the public modulus.
+        """
+
+    @abc.abstractmethod
+    def public_key(self) -> RSAPublicKey:
+        """
+        The RSAPublicKey associated with this private key.
+        """
+
+    @abc.abstractmethod
+    def sign(
+        self,
+        data: bytes,
+        padding: AsymmetricPadding,
+        algorithm: asym_utils.Prehashed | hashes.HashAlgorithm,
+    ) -> bytes:
+        """
+        Signs the data.
+        """
+
+    @abc.abstractmethod
+    def private_numbers(self) -> RSAPrivateNumbers:
+        """
+        Returns an RSAPrivateNumbers.
+        """
+
+    @abc.abstractmethod
+    def private_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.PrivateFormat,
+        encryption_algorithm: _serialization.KeySerializationEncryption,
+    ) -> bytes:
+        """
+        Returns the key serialized as bytes.
+        """
+
+
+RSAPrivateKeyWithSerialization = RSAPrivateKey
+RSAPrivateKey.register(rust_openssl.rsa.RSAPrivateKey)
+
+
+class RSAPublicKey(metaclass=abc.ABCMeta):
+    @abc.abstractmethod
+    def encrypt(self, plaintext: bytes, padding: AsymmetricPadding) -> bytes:
+        """
+        Encrypts the given plaintext.
+        """
+
+    @property
+    @abc.abstractmethod
+    def key_size(self) -> int:
+        """
+        The bit length of the public modulus.
+        """
+
+    @abc.abstractmethod
+    def public_numbers(self) -> RSAPublicNumbers:
+        """
+        Returns an RSAPublicNumbers
+        """
+
+    @abc.abstractmethod
+    def public_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.PublicFormat,
+    ) -> bytes:
+        """
+        Returns the key serialized as bytes.
+        """
+
+    @abc.abstractmethod
+    def verify(
+        self,
+        signature: bytes,
+        data: bytes,
+        padding: AsymmetricPadding,
+        algorithm: asym_utils.Prehashed | hashes.HashAlgorithm,
+    ) -> None:
+        """
+        Verifies the signature of the data.
+        """
+
+    @abc.abstractmethod
+    def recover_data_from_signature(
+        self,
+        signature: bytes,
+        padding: AsymmetricPadding,
+        algorithm: hashes.HashAlgorithm | None,
+    ) -> bytes:
+        """
+        Recovers the original data from the signature.
+        """
+
+    @abc.abstractmethod
+    def __eq__(self, other: object) -> bool:
+        """
+        Checks equality.
+        """
+
+
+RSAPublicKeyWithSerialization = RSAPublicKey
+RSAPublicKey.register(rust_openssl.rsa.RSAPublicKey)
+
+RSAPrivateNumbers = rust_openssl.rsa.RSAPrivateNumbers
+RSAPublicNumbers = rust_openssl.rsa.RSAPublicNumbers
+
+
+def generate_private_key(
+    public_exponent: int,
+    key_size: int,
+    backend: typing.Any = None,
+) -> RSAPrivateKey:
+    _verify_rsa_parameters(public_exponent, key_size)
+    return rust_openssl.rsa.generate_private_key(public_exponent, key_size)
+
+
+def _verify_rsa_parameters(public_exponent: int, key_size: int) -> None:
+    if public_exponent not in (3, 65537):
+        raise ValueError(
+            "public_exponent must be either 3 (for legacy compatibility) or "
+            "65537. Almost everyone should choose 65537 here!"
+        )
+
+    if key_size < 1024:
+        raise ValueError("key_size must be at least 1024-bits.")
+
+
+def _modinv(e: int, m: int) -> int:
+    """
+    Modular Multiplicative Inverse. Returns x such that: (x*e) mod m == 1
+    """
+    x1, x2 = 1, 0
+    a, b = e, m
+    while b > 0:
+        q, r = divmod(a, b)
+        xn = x1 - q * x2
+        a, b, x1, x2 = b, r, x2, xn
+    return x1 % m
+
+
+def rsa_crt_iqmp(p: int, q: int) -> int:
+    """
+    Compute the CRT (q ** -1) % p value from RSA primes p and q.
+    """
+    return _modinv(q, p)
+
+
+def rsa_crt_dmp1(private_exponent: int, p: int) -> int:
+    """
+    Compute the CRT private_exponent % (p - 1) value from the RSA
+    private_exponent (d) and p.
+    """
+    return private_exponent % (p - 1)
+
+
+def rsa_crt_dmq1(private_exponent: int, q: int) -> int:
+    """
+    Compute the CRT private_exponent % (q - 1) value from the RSA
+    private_exponent (d) and q.
+    """
+    return private_exponent % (q - 1)
+
+
+def rsa_recover_private_exponent(e: int, p: int, q: int) -> int:
+    """
+    Compute the RSA private_exponent (d) given the public exponent (e)
+    and the RSA primes p and q.
+
+    This uses the Carmichael totient function to generate the
+    smallest possible working value of the private exponent.
+    """
+    # This lambda_n is the Carmichael totient function.
+    # The original RSA paper uses the Euler totient function
+    # here: phi_n = (p - 1) * (q - 1)
+    # Either version of the private exponent will work, but the
+    # one generated by the older formulation may be larger
+    # than necessary. (lambda_n always divides phi_n)
+    #
+    # TODO: Replace with lcm(p - 1, q - 1) once the minimum
+    # supported Python version is >= 3.9.
+    lambda_n = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
+    return _modinv(e, lambda_n)
+
+
+# Controls the number of iterations rsa_recover_prime_factors will perform
+# to obtain the prime factors. Each iteration increments by 2 so the actual
+# maximum attempts is half this number.
+_MAX_RECOVERY_ATTEMPTS = 1000
+
+
+def rsa_recover_prime_factors(n: int, e: int, d: int) -> tuple[int, int]:
+    """
+    Compute factors p and q from the private exponent d. We assume that n has
+    no more than two factors. This function is adapted from code in PyCrypto.
+    """
+    # See 8.2.2(i) in Handbook of Applied Cryptography.
+    ktot = d * e - 1
+    # The quantity d*e-1 is a multiple of phi(n), even,
+    # and can be represented as t*2^s.
+    t = ktot
+    while t % 2 == 0:
+        t = t // 2
+    # Cycle through all multiplicative inverses in Zn.
+    # The algorithm is non-deterministic, but there is a 50% chance
+    # any candidate a leads to successful factoring.
+    # See "Digitalized Signatures and Public Key Functions as Intractable
+    # as Factorization", M. Rabin, 1979
+    spotted = False
+    a = 2
+    while not spotted and a < _MAX_RECOVERY_ATTEMPTS:
+        k = t
+        # Cycle through all values a^{t*2^i}=a^k
+        while k < ktot:
+            cand = pow(a, k, n)
+            # Check if a^k is a non-trivial root of unity (mod n)
+            if cand != 1 and cand != (n - 1) and pow(cand, 2, n) == 1:
+                # We have found a number such that (cand-1)(cand+1)=0 (mod n).
+                # Either of the terms divides n.
+                p = gcd(cand + 1, n)
+                spotted = True
+                break
+            k *= 2
+        # This value was not any good... let's try another!
+        a += 2
+    if not spotted:
+        raise ValueError("Unable to compute factors p and q from exponent d.")
+    # Found !
+    q, r = divmod(n, p)
+    assert r == 0
+    p, q = sorted((p, q), reverse=True)
+    return (p, q)

.venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/asymmetric/types.py

@@ -0,0 +1,111 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+import typing
+
+from cryptography import utils
+from cryptography.hazmat.primitives.asymmetric import (
+    dh,
+    dsa,
+    ec,
+    ed448,
+    ed25519,
+    rsa,
+    x448,
+    x25519,
+)
+
+# Every asymmetric key type
+PublicKeyTypes = typing.Union[
+    dh.DHPublicKey,
+    dsa.DSAPublicKey,
+    rsa.RSAPublicKey,
+    ec.EllipticCurvePublicKey,
+    ed25519.Ed25519PublicKey,
+    ed448.Ed448PublicKey,
+    x25519.X25519PublicKey,
+    x448.X448PublicKey,
+]
+PUBLIC_KEY_TYPES = PublicKeyTypes
+utils.deprecated(
+    PUBLIC_KEY_TYPES,
+    __name__,
+    "Use PublicKeyTypes instead",
+    utils.DeprecatedIn40,
+    name="PUBLIC_KEY_TYPES",
+)
+# Every asymmetric key type
+PrivateKeyTypes = typing.Union[
+    dh.DHPrivateKey,
+    ed25519.Ed25519PrivateKey,
+    ed448.Ed448PrivateKey,
+    rsa.RSAPrivateKey,
+    dsa.DSAPrivateKey,
+    ec.EllipticCurvePrivateKey,
+    x25519.X25519PrivateKey,
+    x448.X448PrivateKey,
+]
+PRIVATE_KEY_TYPES = PrivateKeyTypes
+utils.deprecated(
+    PRIVATE_KEY_TYPES,
+    __name__,
+    "Use PrivateKeyTypes instead",
+    utils.DeprecatedIn40,
+    name="PRIVATE_KEY_TYPES",
+)
+# Just the key types we allow to be used for x509 signing. This mirrors
+# the certificate public key types
+CertificateIssuerPrivateKeyTypes = typing.Union[
+    ed25519.Ed25519PrivateKey,
+    ed448.Ed448PrivateKey,
+    rsa.RSAPrivateKey,
+    dsa.DSAPrivateKey,
+    ec.EllipticCurvePrivateKey,
+]
+CERTIFICATE_PRIVATE_KEY_TYPES = CertificateIssuerPrivateKeyTypes
+utils.deprecated(
+    CERTIFICATE_PRIVATE_KEY_TYPES,
+    __name__,
+    "Use CertificateIssuerPrivateKeyTypes instead",
+    utils.DeprecatedIn40,
+    name="CERTIFICATE_PRIVATE_KEY_TYPES",
+)
+# Just the key types we allow to be used for x509 signing. This mirrors
+# the certificate private key types
+CertificateIssuerPublicKeyTypes = typing.Union[
+    dsa.DSAPublicKey,
+    rsa.RSAPublicKey,
+    ec.EllipticCurvePublicKey,
+    ed25519.Ed25519PublicKey,
+    ed448.Ed448PublicKey,
+]
+CERTIFICATE_ISSUER_PUBLIC_KEY_TYPES = CertificateIssuerPublicKeyTypes
+utils.deprecated(
+    CERTIFICATE_ISSUER_PUBLIC_KEY_TYPES,
+    __name__,
+    "Use CertificateIssuerPublicKeyTypes instead",
+    utils.DeprecatedIn40,
+    name="CERTIFICATE_ISSUER_PUBLIC_KEY_TYPES",
+)
+# This type removes DHPublicKey. x448/x25519 can be a public key
+# but cannot be used in signing so they are allowed here.
+CertificatePublicKeyTypes = typing.Union[
+    dsa.DSAPublicKey,
+    rsa.RSAPublicKey,
+    ec.EllipticCurvePublicKey,
+    ed25519.Ed25519PublicKey,
+    ed448.Ed448PublicKey,
+    x25519.X25519PublicKey,
+    x448.X448PublicKey,
+]
+CERTIFICATE_PUBLIC_KEY_TYPES = CertificatePublicKeyTypes
+utils.deprecated(
+    CERTIFICATE_PUBLIC_KEY_TYPES,
+    __name__,
+    "Use CertificatePublicKeyTypes instead",
+    utils.DeprecatedIn40,
+    name="CERTIFICATE_PUBLIC_KEY_TYPES",
+)

.venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/asymmetric/utils.py

@@ -0,0 +1,24 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+from cryptography.hazmat.bindings._rust import asn1
+from cryptography.hazmat.primitives import hashes
+
+decode_dss_signature = asn1.decode_dss_signature
+encode_dss_signature = asn1.encode_dss_signature
+
+
+class Prehashed:
+    def __init__(self, algorithm: hashes.HashAlgorithm):
+        if not isinstance(algorithm, hashes.HashAlgorithm):
+            raise TypeError("Expected instance of HashAlgorithm.")
+
+        self._algorithm = algorithm
+        self._digest_size = algorithm.digest_size
+
+    @property
+    def digest_size(self) -> int:
+        return self._digest_size

.venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/asymmetric/x25519.py

@@ -0,0 +1,109 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+import abc
+
+from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
+from cryptography.hazmat.primitives import _serialization
+
+
+class X25519PublicKey(metaclass=abc.ABCMeta):
+    @classmethod
+    def from_public_bytes(cls, data: bytes) -> X25519PublicKey:
+        from cryptography.hazmat.backends.openssl.backend import backend
+
+        if not backend.x25519_supported():
+            raise UnsupportedAlgorithm(
+                "X25519 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM,
+            )
+
+        return rust_openssl.x25519.from_public_bytes(data)
+
+    @abc.abstractmethod
+    def public_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.PublicFormat,
+    ) -> bytes:
+        """
+        The serialized bytes of the public key.
+        """
+
+    @abc.abstractmethod
+    def public_bytes_raw(self) -> bytes:
+        """
+        The raw bytes of the public key.
+        Equivalent to public_bytes(Raw, Raw).
+        """
+
+    @abc.abstractmethod
+    def __eq__(self, other: object) -> bool:
+        """
+        Checks equality.
+        """
+
+
+X25519PublicKey.register(rust_openssl.x25519.X25519PublicKey)
+
+
+class X25519PrivateKey(metaclass=abc.ABCMeta):
+    @classmethod
+    def generate(cls) -> X25519PrivateKey:
+        from cryptography.hazmat.backends.openssl.backend import backend
+
+        if not backend.x25519_supported():
+            raise UnsupportedAlgorithm(
+                "X25519 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM,
+            )
+        return rust_openssl.x25519.generate_key()
+
+    @classmethod
+    def from_private_bytes(cls, data: bytes) -> X25519PrivateKey:
+        from cryptography.hazmat.backends.openssl.backend import backend
+
+        if not backend.x25519_supported():
+            raise UnsupportedAlgorithm(
+                "X25519 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM,
+            )
+
+        return rust_openssl.x25519.from_private_bytes(data)
+
+    @abc.abstractmethod
+    def public_key(self) -> X25519PublicKey:
+        """
+        Returns the public key associated with this private key
+        """
+
+    @abc.abstractmethod
+    def private_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.PrivateFormat,
+        encryption_algorithm: _serialization.KeySerializationEncryption,
+    ) -> bytes:
+        """
+        The serialized bytes of the private key.
+        """
+
+    @abc.abstractmethod
+    def private_bytes_raw(self) -> bytes:
+        """
+        The raw bytes of the private key.
+        Equivalent to private_bytes(Raw, Raw, NoEncryption()).
+        """
+
+    @abc.abstractmethod
+    def exchange(self, peer_public_key: X25519PublicKey) -> bytes:
+        """
+        Performs a key exchange operation using the provided peer's public key.
+        """
+
+
+X25519PrivateKey.register(rust_openssl.x25519.X25519PrivateKey)

.venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/asymmetric/x448.py

@@ -0,0 +1,112 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+import abc
+
+from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
+from cryptography.hazmat.primitives import _serialization
+
+
+class X448PublicKey(metaclass=abc.ABCMeta):
+    @classmethod
+    def from_public_bytes(cls, data: bytes) -> X448PublicKey:
+        from cryptography.hazmat.backends.openssl.backend import backend
+
+        if not backend.x448_supported():
+            raise UnsupportedAlgorithm(
+                "X448 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM,
+            )
+
+        return rust_openssl.x448.from_public_bytes(data)
+
+    @abc.abstractmethod
+    def public_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.PublicFormat,
+    ) -> bytes:
+        """
+        The serialized bytes of the public key.
+        """
+
+    @abc.abstractmethod
+    def public_bytes_raw(self) -> bytes:
+        """
+        The raw bytes of the public key.
+        Equivalent to public_bytes(Raw, Raw).
+        """
+
+    @abc.abstractmethod
+    def __eq__(self, other: object) -> bool:
+        """
+        Checks equality.
+        """
+
+
+if hasattr(rust_openssl, "x448"):
+    X448PublicKey.register(rust_openssl.x448.X448PublicKey)
+
+
+class X448PrivateKey(metaclass=abc.ABCMeta):
+    @classmethod
+    def generate(cls) -> X448PrivateKey:
+        from cryptography.hazmat.backends.openssl.backend import backend
+
+        if not backend.x448_supported():
+            raise UnsupportedAlgorithm(
+                "X448 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM,
+            )
+
+        return rust_openssl.x448.generate_key()
+
+    @classmethod
+    def from_private_bytes(cls, data: bytes) -> X448PrivateKey:
+        from cryptography.hazmat.backends.openssl.backend import backend
+
+        if not backend.x448_supported():
+            raise UnsupportedAlgorithm(
+                "X448 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM,
+            )
+
+        return rust_openssl.x448.from_private_bytes(data)
+
+    @abc.abstractmethod
+    def public_key(self) -> X448PublicKey:
+        """
+        Returns the public key associated with this private key
+        """
+
+    @abc.abstractmethod
+    def private_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.PrivateFormat,
+        encryption_algorithm: _serialization.KeySerializationEncryption,
+    ) -> bytes:
+        """
+        The serialized bytes of the private key.
+        """
+
+    @abc.abstractmethod
+    def private_bytes_raw(self) -> bytes:
+        """
+        The raw bytes of the private key.
+        Equivalent to private_bytes(Raw, Raw, NoEncryption()).
+        """
+
+    @abc.abstractmethod
+    def exchange(self, peer_public_key: X448PublicKey) -> bytes:
+        """
+        Performs a key exchange operation using the provided peer's public key.
+        """
+
+
+if hasattr(rust_openssl, "x448"):
+    X448PrivateKey.register(rust_openssl.x448.X448PrivateKey)

.venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/cmac.py

@@ -0,0 +1,10 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
+
+__all__ = ["CMAC"]
+CMAC = rust_openssl.cmac.CMAC

.venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/constant_time.py

@@ -0,0 +1,14 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+import hmac
+
+
+def bytes_eq(a: bytes, b: bytes) -> bool:
+    if not isinstance(a, bytes) or not isinstance(b, bytes):
+        raise TypeError("a and b must be bytes.")
+
+    return hmac.compare_digest(a, b)

.venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/hashes.py

@@ -0,0 +1,242 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+import abc
+
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
+
+__all__ = [
+    "MD5",
+    "SHA1",
+    "SHA3_224",
+    "SHA3_256",
+    "SHA3_384",
+    "SHA3_512",
+    "SHA224",
+    "SHA256",
+    "SHA384",
+    "SHA512",
+    "SHA512_224",
+    "SHA512_256",
+    "SHAKE128",
+    "SHAKE256",
+    "SM3",
+    "BLAKE2b",
+    "BLAKE2s",
+    "ExtendableOutputFunction",
+    "Hash",
+    "HashAlgorithm",
+    "HashContext",
+]
+
+
+class HashAlgorithm(metaclass=abc.ABCMeta):
+    @property
+    @abc.abstractmethod
+    def name(self) -> str:
+        """
+        A string naming this algorithm (e.g. "sha256", "md5").
+        """
+
+    @property
+    @abc.abstractmethod
+    def digest_size(self) -> int:
+        """
+        The size of the resulting digest in bytes.
+        """
+
+    @property
+    @abc.abstractmethod
+    def block_size(self) -> int | None:
+        """
+        The internal block size of the hash function, or None if the hash
+        function does not use blocks internally (e.g. SHA3).
+        """
+
+
+class HashContext(metaclass=abc.ABCMeta):
+    @property
+    @abc.abstractmethod
+    def algorithm(self) -> HashAlgorithm:
+        """
+        A HashAlgorithm that will be used by this context.
+        """
+
+    @abc.abstractmethod
+    def update(self, data: bytes) -> None:
+        """
+        Processes the provided bytes through the hash.
+        """
+
+    @abc.abstractmethod
+    def finalize(self) -> bytes:
+        """
+        Finalizes the hash context and returns the hash digest as bytes.
+        """
+
+    @abc.abstractmethod
+    def copy(self) -> HashContext:
+        """
+        Return a HashContext that is a copy of the current context.
+        """
+
+
+Hash = rust_openssl.hashes.Hash
+HashContext.register(Hash)
+
+
+class ExtendableOutputFunction(metaclass=abc.ABCMeta):
+    """
+    An interface for extendable output functions.
+    """
+
+
+class SHA1(HashAlgorithm):
+    name = "sha1"
+    digest_size = 20
+    block_size = 64
+
+
+class SHA512_224(HashAlgorithm):  # noqa: N801
+    name = "sha512-224"
+    digest_size = 28
+    block_size = 128
+
+
+class SHA512_256(HashAlgorithm):  # noqa: N801
+    name = "sha512-256"
+    digest_size = 32
+    block_size = 128
+
+
+class SHA224(HashAlgorithm):
+    name = "sha224"
+    digest_size = 28
+    block_size = 64
+
+
+class SHA256(HashAlgorithm):
+    name = "sha256"
+    digest_size = 32
+    block_size = 64
+
+
+class SHA384(HashAlgorithm):
+    name = "sha384"
+    digest_size = 48
+    block_size = 128
+
+
+class SHA512(HashAlgorithm):
+    name = "sha512"
+    digest_size = 64
+    block_size = 128
+
+
+class SHA3_224(HashAlgorithm):  # noqa: N801
+    name = "sha3-224"
+    digest_size = 28
+    block_size = None
+
+
+class SHA3_256(HashAlgorithm):  # noqa: N801
+    name = "sha3-256"
+    digest_size = 32
+    block_size = None
+
+
+class SHA3_384(HashAlgorithm):  # noqa: N801
+    name = "sha3-384"
+    digest_size = 48
+    block_size = None
+
+
+class SHA3_512(HashAlgorithm):  # noqa: N801
+    name = "sha3-512"
+    digest_size = 64
+    block_size = None
+
+
+class SHAKE128(HashAlgorithm, ExtendableOutputFunction):
+    name = "shake128"
+    block_size = None
+
+    def __init__(self, digest_size: int):
+        if not isinstance(digest_size, int):
+            raise TypeError("digest_size must be an integer")
+
+        if digest_size < 1:
+            raise ValueError("digest_size must be a positive integer")
+
+        self._digest_size = digest_size
+
+    @property
+    def digest_size(self) -> int:
+        return self._digest_size
+
+
+class SHAKE256(HashAlgorithm, ExtendableOutputFunction):
+    name = "shake256"
+    block_size = None
+
+    def __init__(self, digest_size: int):
+        if not isinstance(digest_size, int):
+            raise TypeError("digest_size must be an integer")
+
+        if digest_size < 1:
+            raise ValueError("digest_size must be a positive integer")
+
+        self._digest_size = digest_size
+
+    @property
+    def digest_size(self) -> int:
+        return self._digest_size
+
+
+class MD5(HashAlgorithm):
+    name = "md5"
+    digest_size = 16
+    block_size = 64
+
+
+class BLAKE2b(HashAlgorithm):
+    name = "blake2b"
+    _max_digest_size = 64
+    _min_digest_size = 1
+    block_size = 128
+
+    def __init__(self, digest_size: int):
+        if digest_size != 64:
+            raise ValueError("Digest size must be 64")
+
+        self._digest_size = digest_size
+
+    @property
+    def digest_size(self) -> int:
+        return self._digest_size
+
+
+class BLAKE2s(HashAlgorithm):
+    name = "blake2s"
+    block_size = 64
+    _max_digest_size = 32
+    _min_digest_size = 1
+
+    def __init__(self, digest_size: int):
+        if digest_size != 32:
+            raise ValueError("Digest size must be 32")
+
+        self._digest_size = digest_size
+
+    @property
+    def digest_size(self) -> int:
+        return self._digest_size
+
+
+class SM3(HashAlgorithm):
+    name = "sm3"
+    digest_size = 32
+    block_size = 64

.venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/hmac.py

@@ -0,0 +1,13 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
+from cryptography.hazmat.primitives import hashes
+
+__all__ = ["HMAC"]
+
+HMAC = rust_openssl.hmac.HMAC
+hashes.HashContext.register(HMAC)