U ڲgt @sddlmZddlZddlZddlZddlmZmZddlm Z m Z m Z m Z m Z mZmZddlmZddlmZmZddlmZmZmZmZmZmZmZmZmZzdd lm Z m!Z!dd l"m#Z#dd l$m%Z%dd l&m'Z'dd l(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2ddl3m4Z4m5Z5ddl6m7Z7m8Z8ddl9m:Z:m;Z;mZ>m?Z?m@Z@mAZAddlBmCZCmDZDmEZEmFZFmGZGmHZHmIZIdZJWneKk rdZJYnXe re:er?r@rArBrCrDrErFrG) NoneAlgorithm HMACAlgorithmSHA256SHA384SHA512 has_cryptoupdate RSAAlgorithm ECAlgorithmRSAPSSAlgorithm OKPAlgorithm)Zdefault_algorithmsrU2/tmp/pip-unpacked-wheel-ecrjo5d0/jwt/algorithms.pyget_default_algorithmsis0rWc@seZdZdZdddddZeddddd Zedddd d d Zedddd dddZe e edddddZ e e ed!dddddZ e ed"d ddddZ e edddddZ d S)# AlgorithmzH The interface for an algorithm used to sign and verify tokens. bytes)bytestrrHcCsnt|dd}|dkrttrZt|trZt|tjrZtj|t d}| |t | St || SdS)z Compute a hash digest using the specified algorithm's hash algorithm. If there is no hash algorithm, raises a NotImplementedError. hash_algN)backend)getattrNotImplementedErrorrO isinstancetype issubclassrZ HashAlgorithmZHashrrPrYfinalizedigest)selfrZr[rcrUrUrVcompute_hash_digests    zAlgorithm.compute_hash_digestrkeyrHcCsdS)z Performs necessary validation and conversions on the key and returns the key value in the proper format for sign() and verify(). NrUrdrgrUrUrV prepare_keyszAlgorithm.prepare_keymsgrgrHcCsdS)zn Returns a digital signature for the specified message using the specified key value. NrUrdrkrgrUrUrVsignszAlgorithm.signboolrkrgsigrHcCsdS)zz Verifies that the specified digital signature is valid for the specified message and key values. NrUrdrkrgrprUrUrVverifyszAlgorithm.verify Literal[True]r)as_dictrHcCsdSNrUkey_objrtrUrUrVto_jwkszAlgorithm.to_jwkFLiteral[False]strcCsdSrurUrvrUrUrVrxs JWKDict | strcCsdS)z3 Serializes a given key into a JWK NrUrvrUrUrVrxs str | JWKDictjwkrHcCsdS)zJ Deserializes a given key from JWK back into a key object NrUr~rUrUrVfrom_jwkszAlgorithm.from_jwkN)F)F) __name__ __module__ __qualname____doc__rerrirmrrr staticmethodrxrrUrUrUrVrXs,rXc@sreZdZdZdddddZddddd d Zdddd d d dZeddd ddddZedddddZ dS)rJzZ Placeholder for use when no signing or verification operations are required. z str | NoneNonerfcCs |dkr d}|dk rtd|S)Nz*When alg = "none", key value must be None.r rhrUrUrVris zNoneAlgorithm.prepare_keyrYrjcCsdS)NrUrlrUrUrVrmszNoneAlgorithm.signrnrocCsdS)NFrUrqrUrUrVrrszNoneAlgorithm.verifyFrr rwrtrHcCs tdSrur^rvrUrUrVrxszNoneAlgorithm.to_jwkr|r}cCs tdSrurrrUrUrVrszNoneAlgorithm.from_jwkN)F) rrrrrirmrrrrxrrUrUrUrVrJs rJc@seZdZUdZejZded<ejZ ded<ej Z ded<dddd d Z d d d ddZ eed dddddZeed'd dddddZed(d dddddZedd dddZd d d d d!d"Zd d d dd#d$d%Zd&S))rKzf Performs signing and verification operations using HMAC and the specified hash function. zClassVar[HashlibHash]rLrMrNrrr[rHcCs ||_dSrur[rdr[rUrUrV__init__szHMACAlgorithm.__init__ str | bytesrYrfcCs$t|}t|st|r td|S)NzdThe specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret.)rrrrrdrg key_bytesrUrUrVris zHMACAlgorithm.prepare_keyrsrrcCsdSrurUrvrUrUrVrx szHMACAlgorithm.to_jwkFryrzcCsdSrurUrvrUrUrVrxsrnr{cCs,tt|dd}|r|St|SdS)Noct)kkty)rrdecodejsondumps)rwrtr~rUrUrVrxs r|r}cCsnz.t|trt|}nt|tr(|}ntWntk rJtdYnX|ddkrbtdt|dS)NKey is not valid JSONrrzNot an HMAC keyr) r_rzrloadsdict ValueErrorrgetr)r~objrUrUrVr"s   zHMACAlgorithm.from_jwkrjcCst|||jSru)hmacnewr[rcrlrUrUrVrm3szHMACAlgorithm.signrocCst||||Sru)rcompare_digestrmrqrUrUrVrr6szHMACAlgorithm.verifyN)F)F)rrrrhashlibsha256rL__annotations__sha384rMsha512rNrrir rrxrrmrrrUrUrUrVrKs&   rKc@seZdZUdZejZded<ejZded<ejZded<dddd d Z d d d ddZ e e d dddddZ e e d*d dddddZ e d+d dddddZ e dd dddZd d!d d"d#d$Zd d%d dd&d'd(Zd)S),rQz~ Performs signing and verification operations using RSASSA-PKCS-v1_5 and the specified hash function. $ClassVar[type[hashes.HashAlgorithm]]rLrMrNtype[hashes.HashAlgorithm]rrcCs ||_dSrurrrUrUrVrFszRSAAlgorithm.__init__zAllowedRSAKeys | str | bytesAllowedRSAKeysrfc Cst|ttfr|St|ttfs(tdt|}z2|drLttt |WSttt |ddWSWnJt k rzttt |WYSt t fk rtdYnXYnXdS)NExpecting a PEM-formatted key.sssh-rsapasswordz(Could not parse the provided public key.)r_r-r/rYrz TypeErrorr startswithr r;r9rr:rrrrUrUrVriIs"  zRSAAlgorithm.prepare_keyrsrrcCsdSrurUrvrUrUrVrx_szRSAAlgorithm.to_jwkFryrzcCsdSrurUrvrUrUrVrxesrnr{c Csd}t|dr|}ddgt|jjt|jjt|jt|jt|j t|j t|j t|j d }n@t|dr|}ddgt|jt|jd}nt d|r|St|SdS)Nprivate_numbersRSArm) rkey_opsnedpqdpdqqirr)rrrrNot a public or private key)hasattrrrpublic_numbersrrrrrrdmp1dmq1iqmprrr)rwrtrnumbersrUrUrVrxks2          r|r}c sz.t|trt|nt|tr(|ntWntk rJtdYnXddkrbtddkrdkrdkrdkrtd d d d d dg}fdd|D}t|}|rt |stdt t dt d}|r4t t dt d t d t d t d t d|d}nHt d}t |j||j\}}t |||t||t||t|||d}|Sdkrdkrt t dt dStddS)NrrrzNot an RSA keyrrrZothz5Unsupported RSA private key: > 2 primes not supportedrrrrrcsg|] }|kqSrUrU).0proprrUrV sz)RSAAlgorithm.from_jwk..z@RSA key must include all parameters if any are present besides d)rrrrrrrr)r_rzrrrrrranyallr0rr.r4rrr1r2r3 private_key public_key) r~Z other_propsZ props_foundZany_props_foundrrrrrrUrrVrst                zRSAAlgorithm.from_jwkrYr-rjcCs||t|Sru)rmrPKCS1v15r[rlrUrUrVrmszRSAAlgorithm.signr/rocCs:z|||t|WdStk r4YdSXdS)NTF)rrrrr[rrqrUrUrVrrs zRSAAlgorithm.verifyN)F)F)rrrrrrLrrMrNrrir rrxrrmrrrUrUrUrVrQ<s& &GrQc@seZdZUdZejZded<ejZded<ejZded<dddd d Z d d d ddZ ddddddZ dd dddddZ e ed dddddZe ed)d dd dd!dZed*d dd"dd#dZed$d d%d&d'Zd(S)+rRzr Performs signing and verification operations using ECDSA and the specified hash function rrLrMrNrrrcCs ||_dSrurrrUrUrVrszECAlgorithm.__init__zAllowedECKeys | str | bytes AllowedECKeysrfcCst|ttfr|St|ttfs(tdt|}z |drFt|}nt |}Wn t k rpt |dd}YnXt|ttfst d|S)Nrs ecdsa-sha2-rzcExpecting a EllipticCurvePrivateKey/EllipticCurvePublicKey. Wrong key provided for ECDSA algorithms) r_r%r'rYrzrrrr;r:rr9r)rdrgrZ crypto_keyrUrUrVris&   zECAlgorithm.prepare_keyrYr%rjcCs ||t|}t||jSru)rmrr[rcurve)rdrkrgder_sigrUrUrVrmszECAlgorithm.signrnrocCsvzt||j}Wntk r&YdSXz2t|tr<|n|}|||t|WdSt k rpYdSXdS)NFT) rrrr_r%rrrrr[r)rdrkrgrprrrUrUrVrrs zECAlgorithm.verifyrsrrcCsdSrurUrvrUrUrVrx%szECAlgorithm.to_jwkFryrzcCsdSrurUrvrUrUrVrx+sr{cCst|tr|}nt|tr,|}ntdt|jtrFd}nFt|jtrXd}n4t|jt rjd}n"t|jt r|d}ntd|jd|t |j  t |j d}t|trt |j |d <|r|St|SdS) NrP-256P-384P-521 secp256k1Invalid curve: EC)rcrvxyr)r_r%rrr'rrr!r"r#r rrrrrZ private_valuerr)rwrtrrrrUrUrVrx1s4           r|r}cCs$z.t|trt|}nt|tr(|}ntWntk rJtdYnX|ddkrbtdd|ksrd|krztdt|d}t|d}|d}|dkrt |t |krd krnnt }ntd n|d krt |t |krd krnnt }ntd n|dkrZt |t |krDdkrPnnt }ntdnN|dkrt |t |krd krnnt }ntdntd|ttj|ddtj|dd|d}d|kr|St|d}t |t |kr tdt ||ttj|dd|S)NrrrzNot an Elliptic curve keyrrrr z)Coords should be 32 bytes for curve P-256r0z)Coords should be 48 bytes for curve P-384rBz)Coords should be 66 bytes for curve P-521rz-Coords should be 32 bytes for curve secp256k1rbig) byteorder)rrrrz!D should be {} bytes for curve {})r_rzrrrrrrrlenr!r"r#r r(int from_bytesrr&r)r~rrrrZ curve_objrrrUrUrVrVsh       $  $  $    zECAlgorithm.from_jwkN)F)F)rrrrrrLrrMrNrrirmrrr rrxrrUrUrUrVrRs& $rRc@s6eZdZdZddddddZddddd d d Zd S) rSzA Performs a signature using RSASSA-PSS with MGF1 rYr-rjcCs,||tjt||jd|S)NZmgfZ salt_length)rmrPSSMGF1r[ digest_sizerlrUrUrVrms zRSAPSSAlgorithm.signr/rnroc CsPz4|||tjt||jd|WdStk rJYdSXdS)NrTF)rrrrrr[rrrqrUrUrVrrs  zRSAPSSAlgorithm.verifyN)rrrrrmrrrUrUrUrVrSs rSc@seZdZdZdddddZddd d d Zd d ddddZd dd ddddZee ddddddZ ee d&ddddddZ e d'ddddd dZ e d!dd"d#d$Z d%S)(rTz Performs signing and verification operations using EdDSA This class requires ``cryptography>=2.6`` to be installed. rr)kwargsrHcKsdSrurU)rdrrUrUrVrszOKPAlgorithm.__init__zAllowedOKPKeys | str | bytesAllowedOKPKeysrfcCst|ttfr~t|tr"|dn|}t|tr:|dn|}d|krPt|}n.d|krft|dd}n|dddkr~t|}t|tt t t fst d|S) Nutf-8z-----BEGIN PUBLICz-----BEGIN PRIVATErrzssh-zcExpecting a EllipticCurvePrivateKey/EllipticCurvePublicKey. Wrong key provided for EdDSA algorithms) r_rYrzrencoder:r9r;r+r,r)r*r)rdrgZkey_strrrUrUrVris"  zOKPAlgorithm.prepare_keyrz#Ed25519PrivateKey | Ed448PrivateKeyrYrjcCs"t|tr|dn|}||S)aS Sign a message ``msg`` using the EdDSA private key ``key`` :param str|bytes msg: Message to sign :param Ed25519PrivateKey}Ed448PrivateKey key: A :class:`.Ed25519PrivateKey` or :class:`.Ed448PrivateKey` isinstance :return bytes signature: The signature, as bytes r)r_rzrrm)rdrkrg msg_bytesrUrUrVrms zOKPAlgorithm.signrnrocCsxz\t|tr|dn|}t|tr.|dn|}t|ttfrH|n|}|||WdStk rrYdSXdS)a Verify a given ``msg`` against a signature ``sig`` using the EdDSA key ``key`` :param str|bytes sig: EdDSA signature to check ``msg`` against :param str|bytes msg: Message to sign :param Ed25519PrivateKey|Ed25519PublicKey|Ed448PrivateKey|Ed448PublicKey key: A private or public EdDSA key instance :return bool verified: True if signature is valid, False if not. rTFN)r_rzrr+r)rrrr)rdrkrgrprZ sig_bytesrrUrUrVrrs   zOKPAlgorithm.verifyrsr)rgrtrHcCsdSrurUrgrtrUrUrVrxszOKPAlgorithm.to_jwkFryrzcCsdSrurUrrUrUrVrxsr{cCst|ttfr\|jtjtjd}t|tr.dnd}tt| d|d}|rR|St |St|t t fr|jtjtjtd}|jtjtjd}t|t rdnd}tt| tt| d|d}|r|St |StddS) N)encodingformatEd25519Ed448OKP)rrr)rrZencryption_algorithm)rrrrr)r_r,r*Z public_bytesr5ZRawr8rrrrrr+r)Z private_bytesr7r6rr)rgrtrrrrrUrUrVrx sB  r|r}c Cs2z.t|trt|}nt|tr(|}ntWntk rJtdYnX|ddkrbtd|d}|dkr|dkrtd|d |krtd t|d }zVd |kr|dkrt |WSt |WSt|d }|dkrt |WSt |WStk r,}ztd |W5d}~XYnXdS) NrrrzNot an Octet Key PairrrrrrzOKP should have "x" parameterrzInvalid key parameter)r_rzrrrrrrrr,Zfrom_public_bytesr*r+Zfrom_private_bytesr))r~rrrrerrrUrUrVr;s6        zOKPAlgorithm.from_jwkN)F)F) rrrrrrirmrrr rrxrrUrUrUrVrTs  .rT)[ __future__rrrrabcrrtypingrrrrr r r exceptionsrtypesrrutilsrrrrrrrrrZcryptography.exceptionsrrZcryptography.hazmat.backendsrZcryptography.hazmat.primitivesrZ)cryptography.hazmat.primitives.asymmetricrZ,cryptography.hazmat.primitives.asymmetric.ecrr r!r"r#r$r%r&r'r(Z/cryptography.hazmat.primitives.asymmetric.ed448r)r*Z1cryptography.hazmat.primitives.asymmetric.ed25519r+r,Z-cryptography.hazmat.primitives.asymmetric.rsar-r.r/r0r1r2r3r4Z,cryptography.hazmat.primitives.serializationr5r6r7r8r9r:r;rOModuleNotFoundErrorrrrZ AllowedKeysZAllowedPrivateKeysZAllowedPublicKeysZrequires_cryptographyrWrXrJrKrQrRrSrTrUrUrUrVsn $ ,    0 ( $   "IH)7