o \|]aV@sddlZddlZddlZddlmZddlmZmZmZm Z m Z m Z m Z zZddl Zddl mZddlmZddlmZmZddlmZmZdd lmZmZdd lmZmZdd lmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&dd l'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.d Z/Wn e0ydZ/YnwhdZ1ddZ2GdddZ3Gddde3Z4Gddde3Z5e/rGddde3Z6Gddde3Z7Gddde6Z8Gddde3Z9dSdS) NInvalidKeyError)base64url_decodebase64url_encodeder_to_raw_signature force_bytesfrom_base64url_uintraw_to_der_signatureto_base64url_uint)InvalidSignature)hashes)ecpadding)EllipticCurvePrivateKeyEllipticCurvePublicKey)Ed448PrivateKeyEd448PublicKey)Ed25519PrivateKeyEd25519PublicKey) RSAPrivateKeyRSAPrivateNumbers RSAPublicKeyRSAPublicNumbers rsa_crt_dmp1 rsa_crt_dmq1 rsa_crt_iqmprsa_recover_prime_factors)Encoding NoEncryption PrivateFormat PublicFormatload_pem_private_keyload_pem_public_keyload_ssh_public_keyTF> ES256ES384ES512ES521EdDSAPS256PS384PS512RS256RS384RS512ES256KcCstttjttjttjd}trG|ttjttjttjttjttjttjttjttjt t jt t jt t jt d |S)zE Returns the algorithms that are implemented by the library. )ZnoneZHS256ZHS384ZHS512) r-r.r/r%r0r&r(r'r*r+r,r)) NoneAlgorithm HMACAlgorithmSHA256SHA384SHA512 has_cryptoupdate RSAAlgorithm ECAlgorithmRSAPSSAlgorithm OKPAlgorithm)Zdefault_algorithmsr<0/usr/lib/python3/dist-packages/jwt/algorithms.pyget_default_algorithmsIs0r>c@s@eZdZdZddZddZddZedd Zed d Z d S) AlgorithmzH The interface for an algorithm used to sign and verify tokens. cCt)z Performs necessary validation and conversions on the key and returns the key value in the proper format for sign() and verify(). NotImplementedErrorselfkeyr<r<r= prepare_keypzAlgorithm.prepare_keycCr@)zn Returns a digital signature for the specified message using the specified key value. rArDmsgrEr<r<r=signwrGzAlgorithm.signcCr@)zz Verifies that the specified digital signature is valid for the specified message and key values. rArDrIrEsigr<r<r=verify~rGzAlgorithm.verifycCr@)z7 Serializes a given RSA key into a JWK rAkey_objr<r<r=to_jwkrGzAlgorithm.to_jwkcCr@)zb Deserializes a given RSA key from JWK back into a PublicKey or PrivateKey object rA)jwkr<r<r=from_jwkrGzAlgorithm.from_jwkN) __name__ __module__ __qualname____doc__rFrJrM staticmethodrPrRr<r<r<r=r?ks r?c@s(eZdZdZddZddZddZdS) r1zZ Placeholder for use when no signing or verification operations are required. cCs |dkrd}|durtd|S)Nz*When alg = "none", key value must be None.rrCr<r<r=rFs zNoneAlgorithm.prepare_keycCdS)Nr<rHr<r<r=rJzNoneAlgorithm.signcCrY)NFr<rKr<r<r=rMr[zNoneAlgorithm.verifyN)rSrTrUrVrFrJrMr<r<r<r=r1s  r1c@sZeZdZdZejZejZej Z ddZ ddZ e ddZe dd Zd d Zd d ZdS)r2zf Performs signing and verification operations using HMAC and the specified hash function. cC ||_dSNhash_algrDr_r<r<r=__init__ zHMACAlgorithm.__init__cs2tgd}tfdd|DrtdS)N)s-----BEGIN PUBLIC KEY-----s-----BEGIN CERTIFICATE-----s-----BEGIN RSA PUBLIC KEY-----ssh-rsac3s|]}|vVqdSr]r<).0Z string_valuerEr<r= sz,HMACAlgorithm.prepare_key..zdThe specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret.)ranyr)rDrEZinvalid_stringsr<rer=rFszHMACAlgorithm.prepare_keycCsttt|ddS)Noct)kkty)jsondumpsrrdecoderNr<r<r=rPs zHMACAlgorithm.to_jwkcCshzt|tr t|}n t|tr|}ntWn ty"tdw|ddkr.tdt|dS)NKey is not valid JSONrjrhzNot an HMAC keyri) isinstancestrrkloadsdict ValueErrorrgetr)rQobjr<r<r=rRs     zHMACAlgorithm.from_jwkcCst|||jSr])hmacnewr_ZdigestrHr<r<r=rJzHMACAlgorithm.signcCst||||Sr])rvZcompare_digestrJrKr<r<r=rMrxzHMACAlgorithm.verifyN)rSrTrUrVhashlibZsha256r3Zsha384r4Zsha512r5rarFrWrPrRrJrMr<r<r<r=r2s   r2c@sZeZdZdZejZejZejZddZddZ e ddZ e dd Z d d Z d d ZdS)r8z~ Performs signing and verification operations using RSASSA-PKCS-v1_5 and the specified hash function. cCr\r]r^r`r<r<r=rarbzRSAAlgorithm.__init__cCsxt|ttfr |St|ttfstdt|}z|dr%t|}W|St |dd}W|St y;t |}Y|Sw)NExpecting a PEM-formatted key.rcZpassword) rorrbytesrp TypeErrorr startswithr$r"rsr#rCr<r<r=rFs   zRSAAlgorithm.prepare_keyc Csd}t|ddrE|}ddgt|jjt|jjt|jt|jt|j t|j t|j t|j d }n!t|ddrb|}ddgt|jt|jd}nt dt|S)Nprivate_numbersRSArJ) rjkey_opsnedpqdpdqqirM)rjrrrNot a public or private key)getattrrr public_numbersrrmrrrrdmp1dmq1iqmprrkrl)rOrunumbersr<r<r=rP s.           zRSAAlgorithm.to_jwkc szt|tr t|n t|tr|ntWn ty"tdwddkr.tddvrdvrdvrdvrBtd gd }fd d |D}t|}|r]t |s]td t t dt d}|rt t dt dt dt dt dt d|d}|St d}t |j||j\}}t |||t||t||t|||d}|Sdvrdvrt t dt d}|Std)NrnrjrzNot an RSA keyrrrZothz5Unsupported RSA private key: > 2 primes not supported)rrrrrcsg|]}|vqSr<r<)rdZproprur<r= Fsz)RSAAlgorithm.from_jwk..z@RSA key must include all parameters if any are present besides drrrrr)rrrrrrrr)rorprkrqrrrsrrtrgallrr rrrrrrr private_key public_key) rQZ other_propsZ props_foundZany_props_foundrrrrrr<rr=rR/sx                  zRSAAlgorithm.from_jwkcCs||t|Sr])rJrPKCS1v15r_rHr<r<r=rJyszRSAAlgorithm.signcCs4z|||t|WdStyYdSw)NTF)rMrrr_r rKr<r<r=rM|s  zRSAAlgorithm.verifyN)rSrTrUrVr r3r4r5rarFrWrPrRrJrMr<r<r<r=r8s # I r8c@sNeZdZdZejZejZejZddZddZ ddZ dd Z e d d Z d S) r9zr Performs signing and verification operations using ECDSA and the specified hash function cCr\r]r^r`r<r<r=rarbzECAlgorithm.__init__cCsxt|ttfr |St|ttfstdt|}z|dr%t|}W|St |}W|St y;t |dd}Y|Sw)Nrzs ecdsa-sha2-r{) rorrr|rpr}rr~r$r#rsr"rCr<r<r=rFs    zECAlgorithm.prepare_keycCs"||t|}t||jSr])rJrECDSAr_rcurve)rDrIrEder_sigr<r<r=rJs zECAlgorithm.signcCslzt||j}Wn tyYdSwzt|tr|}|||t| WdSt y5YdSw)NFT) r rrsrorrrMrrr_r )rDrIrErLrr<r<r=rMs   zECAlgorithm.verifycCs&zt|tr t|}n t|tr|}ntWn ty"tdw|ddkr.tdd|vs6d|vr:tdt|d}t|d}|d}|dkrmt |t |kr_d krintd t }nktd |d krt |t |krd krntd t }nKtd |dkrt |t |krdkrntdt }n+td|dkrt |t |krd krntdt }n tdtd|t jtj|ddtj|dd|d}d|vr|St|d}t |t |krtdt ||t tj|dd|S)NrnrjZECzNot an Elliptic curve keyxycrvzP-256 z)Coords should be 32 bytes for curve P-256zP-3840z)Coords should be 48 bytes for curve P-384zP-521Bz)Coords should be 66 bytes for curve P-521Z secp256k1z-Coords should be 32 bytes for curve secp256k1Invalid curve: Zbig) byteorder)rrrrz!D should be {} bytes for curve {})rorprkrqrrrsrrtrlenrZ SECP256R1Z SECP384R1Z SECP521R1Z SECP256K1ZEllipticCurvePublicNumbersint from_bytesrZEllipticCurvePrivateNumbersr)rQrurrrZ curve_objrrr<r<r=rRsv            zECAlgorithm.from_jwkN)rSrTrUrVr r3r4r5rarFrJrMrWrRr<r<r<r=r9sr9c@s eZdZdZddZddZdS)r:zA Performs a signature using RSASSA-PSS with MGF1 cCs*||tjt||jjd|S)NZmgfZ salt_length)rJrPSSMGF1r_ digest_sizerHr<r<r=rJs zRSAPSSAlgorithm.signc CsHz|||tjt||jjd|WdSty#YdSw)NrTF)rMrrrr_rr rKr<r<r=rM s  zRSAPSSAlgorithm.verifyN)rSrTrUrVrJrMr<r<r<r=r:s r:c@sHeZdZdZddZddZddZdd Zed d Z ed d Z dS)r;z Performs signing and verification operations using EdDSA This class requires ``cryptography>=2.6`` to be installed. cKsdSr]r<)rDkwargsr<r<r=ra r[zOKPAlgorithm.__init__cCst|ttttfr |St|ttfr?t|tr|d}|d}d|vr)t |Sd|vr3t |ddS|dddkr?t |St d) Nutf-8z-----BEGIN PUBLICz-----BEGIN PRIVATEr{rzssh-z)Expecting a PEM-formatted or OpenSSH key.) rorrrrr|rpencodermr#r"r$r})rDrEZstr_keyr<r<r=rF#s      zOKPAlgorithm.prepare_keycCs$t|tur t|dn|}||S)aR Sign a message ``msg`` using the EdDSA private key ``key`` :param str|bytes msg: Message to sign :param Ed25519PrivateKey}Ed448PrivateKey key: A :class:`.Ed25519PrivateKey` or :class:`.Ed448PrivateKey` iinstance :return bytes signature: The signature, as bytes r)typer|rJrHr<r<r=rJ9s zOKPAlgorithm.signcCsvz.t|tur t|dn|}t|turt|dn|}t|ttfr&|}|||WdStjj y:YdSw)a Verify a given ``msg`` against a signature ``sig`` using the EdDSA key ``key`` :param str|bytes sig: EdDSA signature to check ``msg`` against :param str|bytes msg: Message to sign :param Ed25519PrivateKey|Ed25519PublicKey|Ed448PrivateKey|Ed448PublicKey key: A private or public EdDSA key instance :return bool verified: True if signature is valid, False if not. rTF) rr|rorrrrM cryptography exceptionsr rKr<r<r=rMDs  zOKPAlgorithm.verifycCst|ttfr(|jtjtjd}t|trdnd}tt t | d|dSt|t t frd|jtjtjtd}|jtjtjd}t|t rLdnd}tt t | t t | d|dStd) N)encodingformatEd25519Ed448OKP)rrjr)rrZencryption_algorithm)rrrjrr)rorrZ public_bytesrZRawr!rkrlrrrmrrZ private_bytesr rrr)rErrrr<r<r=rPYs> zOKPAlgorithm.to_jwkc Cszt|tr t|}n t|tr|}ntWn ty"tdw|ddkr.td|d}|dkrB|dkrBtd|d |vrJtd t|d }z+d |vrf|dkr`t |WSt |WSt|d }|dkrwt |WSt |WSty}ztd |d}~ww) NrnrjrzNot an Octet Key PairrrrrrzOKP should have "x" parameterrzInvalid key parameter)rorprkrqrrrsrrtrrZfrom_public_bytesrrZfrom_private_bytesr)rQrurrrerrr<r<r=rRs>          zOKPAlgorithm.from_jwkN) rSrTrUrVrarFrJrMrWrPrRr<r<r<r=r;s  'r;):ryrvrkrrZutilsrrrrr r r Zcryptography.exceptionsrr Zcryptography.hazmat.primitivesr Z)cryptography.hazmat.primitives.asymmetricrrZ,cryptography.hazmat.primitives.asymmetric.ecrrZ/cryptography.hazmat.primitives.asymmetric.ed448rrZ1cryptography.hazmat.primitives.asymmetric.ed25519rrZ-cryptography.hazmat.primitives.asymmetric.rsarrrrrrrrZ,cryptography.hazmat.primitives.serializationrrr r!r"r#r$r6ModuleNotFoundErrorZrequires_cryptographyr>r?r1r2r8r9r:r;r<r<r<r=sB $   ($  ")@x