a Ch@sTddlZddlZddlZddlmZmZddlmZddlm Z Gddde Z dS)N)CalledProcessErrorcall)mkstemp)ConfigGeneratorc@seZdZdZhdZddddddd Zd d d d ddddddddd ZdddddddddZdddddddddd ddddd!d"d#Zddddd$d%d&d'd(d)d* Z d+d,d-d.d/d0d1d2Z d3d4d5d6d7d8d9d:d;Z e dd?Zd@S)A NSSGeneratornss>rZsslZtls HMAC-SHA1HMAC-MD5z HMAC-SHA256z HMAC-SHA384z HMAC-SHA512)ZAEADr r z HMAC-SHA2-256z HMAC-SHA2-384z HMAC-SHA2-512SHA1MD5ZSHA224ZSHA256ZSHA384ZSHA512) r r zSHA2-224zSHA2-256zSHA2-384zSHA2-512zSHA3-256zSHA3-384zSHA3-512z SHAKE-128z SHAKE-256ZGOSTR94Z CURVE25519 SECP256R1 SECP384R1 SECP521R1Zmlkem768x25519Zsecp256r1mlkem768Zsecp384r1mlkem1024)ZX25519ZX448rrrzMLKEM768-X25519z P256-MLKEM768zP384-MLKEM1024Zrc2Zrc4z aes256-gcmz aes128-gcmz aes256-cbcz aes128-cbczcamellia256-cbczcamellia128-cbczchacha20-poly1305z des-ede3-cbc)z AES-256-CTRz AES-128-CTRzRC2-CBCzRC4-128z AES-256-GCMz AES-128-GCMz AES-256-CBCz AES-128-CBCzCAMELLIA-256-CBCzCAMELLIA-128-CBCzCAMELLIA-256-GCMzCAMELLIA-128-GCMz AES-256-CCMz AES-128-CCMzCHACHA20-POLY1305z3DES-CBCRSADHE-RSADHE-DSSzECDHE-RSA:ECDHE-ECDSAzECDH-RSA:ECDH-ECDSAz DH-RSA:DH-DSS) ZPSKzDHE-PSKz ECDHE-PSKzRSA-PSKrrrZECDHEZECDHZDHzssl3.0ztls1.0ztls1.1ztls1.2ztls1.3zdtls1.0zdtls1.2)zSSL3.0zTLS1.0zTLS1.1zTLS1.2zTLS1.3zDTLS1.0zDTLS1.2zRSA-PSSzRSA-PKCSZECDSAZDSAZED25519z ML-DSA-44z ML-DSA-65z ML-DSA-87)zRSA-PSS-zRSA-zECDSA-zDSA-z EDDSA-ED25519ZMLDSA44ZMLDSA65ZMLDSA87c Cs|j}d}|d7}|d7}|d7}d}|dD].}z|||j|}Wq.tyZYq.0q.|dD].}z|||j|}WqftyYqf0qf|dD].}z|||j|}WqtyYq0q|d D]0}z|||j|}WqtyYq0q|d D]2}z|||j|}Wnty>Yn0qt d d d k}|j ddkrv|sv||d}t }|dD]N}|j D]<\}} ||r| |vr|| ||| }qqq|jr|j|j} ||d| }n ||d}|jr,|j|j} ||d| }n ||d}||dt|jd}||dt|jd}||dt|jd}||d7}|S)Nz library= z name=Policy zNSS=flags=policyOnly,moduleDB zconfig="disallow=ALL allow=r ZmacgroupZcipherhashZ key_exchangeZNSS_NO_TLS_REQUIRE_EMS01Z__emsZENFORCEzTLS-REQUIRE-EMSsignztls-version-min=ztls-version-min=0zdtls-version-min=zdtls-version-min=0zDH-MIN=Z min_dh_sizezDSA-MIN=Z min_dsa_sizezRSA-MIN=Z min_rsa_sizez" )Zenabledappendmac_mapKeyError curve_map cipher_maphash_mapkey_exchange_maposgetenvZenumssetsign_prefix_ordmapitems startswithaddZmin_tls_version protocol_mapZmin_dtls_versionstrZintegers) clsZpolicypZcfgsiZno_tls_require_emsZenabled_sigalgsprefixZsigalgZminverr.9/usr/share/crypto-policies/python/policygenerators/nss.pygenerate_configmsn                    zNSSGenerator.generate_configc CsVtjd}t|}tdddk}d}z|ds:d}WntyX|dYn0|rf|sfd nd }t \}}d } zt |d } | |Wdn1s0Yzt d |d|ddd} Wnt y|dYn0Wt|n t|0| dkr.|d|d|dS| rR|d|d|dSdS)NZnss3ZNSS_LAXrrTs3.80Fz9Cannot determine nss version with ctypes, assuming >=3.80z-f value -f identifierr wz/usr/bin/nss-policy-check  z >/dev/null)shellz+/usr/bin/nss-policy-check: Execution failedz*There is a warning in NSS generated policyzPolicy: z)There is an error in NSS generated policy)ctypesutilZ find_libraryZCDLLr r!ZNSS_VersionCheckAttributeErrorZeprintrfdopenwriterrunlink) r)ZconfigZnss_pathZnss_libZnss_laxZnss_is_lax_by_defaultoptionsfdpathretfr.r.r/ test_configsH     (     zNSSGenerator.test_configN)__name__ __module__ __qualname__Z CONFIG_NAMEZSCOPESrrrrrr'r# classmethodr0rAr.r.r.r/rs     Gr) r6Z ctypes.utilr subprocessrrZtempfilerZconfiggeneratorrrr.r.r.r/s