o c<@sdZddlZddlZddlZddlmZmZmZmZm Z m Z m Z m Z m Z ddlmZddlZddlmZmZmZmZddlmZddlmZGdd d ZGd d d ejZGd d d ejZGdddejZGdddZedkr{ee dSdS)zJSON Web Signature.N) AnyDict FrozenSetListMappingOptionalTupleTypecast)crypto)b64errors json_utiljwa)jwk)utilc@sBeZdZdZdZ ededefddZededefddZd S) MediaTypez MediaType field encoder/decoder.z application/valuereturncCs(d|vrd|vr td|j|S|S)zDecoder./;zUnexpected semi-colon)r DeserializationErrorPREFIXclsrr7/opt/certbot/lib/python3.10/site-packages/josepy/jws.pydecodes   zMediaType.decodecCs.d|vr||js J|t|jdS|S)zEncoder.rN) startswithrlenrrrrencode)szMediaType.encodeN) __name__ __module__ __qualname____doc__r classmethodstrrr rrrrrs rc@seZdZUdZejdejjddZ e eje d<ejdddZ e e e d<ejdejjddZe eje d<ejdddZe ee d<ejd ddZe e e d <ejd dd d Zeejd fe d <ejdejddZe e e d<ejdejddZe e e d<ejdejejddZe ee d<ejdejejddZe ee d<ejddd d Z ee!d fe d<e"eej#fe d<de"eej#ffddZ$de!ddfddZ%de&jfddZ'e j(de!de!fdd Z ej)d!d"Zej(d#d"Zd$S)%Headera6JOSE Header. .. warning:: This class supports **only** Registered Header Parameter Names (as defined in section 4.1 of the protocol). If you need Public Header Parameter Names (4.2) or Private Header Parameter Names (4.3), you must subclass and override :meth:`from_json` and :meth:`to_partial_json` appropriately. .. warning:: This class does not support any extensions through the "crit" (Critical) Header Parameter (4.1.11) and as a conforming implementation, :meth:`from_json` treats its occurrence as an error. Please subclass if you seek for a different behaviour. :ivar x5tS256: "x5t#S256" :ivar str typ: MIME Media Type, inc. :const:`MediaType.PREFIX`. :ivar str cty: Content-Type, inc. :const:`MediaType.PREFIX`. algT)decoder omitemptyjku)r*rkidx5ux5crr*default.x5tzx5t#S256x5tS256typ)encoderr)r*ctycrit_fieldsrcsfddjDS)z4Fields that would not be omitted in the JSON object.cs,i|]\}}|t|s|t|qSr)omitgetattr).0namefieldselfrr ]sz&Header.not_omitted..)r7itemsr=rr=r not_omitted[s zHeader.not_omittedothercCsbt|t|stdt||}|}t||r#td||t|di|S)NzHeader cannot be added to: {0}z+Addition of overlapping headers not definedr) isinstancetype TypeErrorformatrAset intersectionupdate)r>rBnot_omitted_selfnot_omitted_otherrrr__add__as zHeader.__add__cCs|jdur td|jS)zFind key based on header. .. todo:: Supports only "jwk" header parameter lookup. :returns: (Public) key found in the header. :rtype: .JWK :raises josepy.errors.Error: if key could not be found Nz No key found)rr Errorr=rrrfind_keyos zHeader.find_key unused_valuecCs td)Nz("crit" is not supported, please subclass)r r)rOrrrr6~sz Header.critcCsdd|DS)NcSs"g|] }tttj|jqSr)base64 b64encoder dump_certificate FILETYPE_ASN1wrappedr:certrrr s  zHeader.x5c..rrrrrr.sz Header.x5cc Cs:z tdd|DWStjy}zt|d}~ww)Nc ss*|]}tttjt|VqdSN)rComparableX509r load_certificaterSrP b64decoderUrrr szHeader.x5c..)tupler rMr r)rerrorrrrr.s  N)*r!r"r#r$rr<r JWASignature from_jsonr(r__annotations__r+bytesjwk_modJWKrr,r&r-r.rrrZdecode_b64joser1r2rr rr3r5r6rrFieldrArLjosepyrNr)r4rrrrr'3sF   "    r'cseZdZUdZeZeed<dZej ddddZ e ed<ej ddeej d Z eed<ej d ejejd Zeed <e jd e d e fddZ e jd e d e fddZ ded dffdd Zeded ee effddZede ded efddZd'dedeejd efddZedefdedejdej dede!ded dfd d!Z"d ee efffd"d# Z#ed$e$e efd ee efffd%d& Z%Z&S)( SignatureaJWS Signature. :ivar combined: Combined Header (protected and unprotected, :class:`Header`). :ivar unicode protected: JWS protected header (Jose Base-64 decoded). :ivar header: JWS Unprotected Header (:class:`Header`). :ivar str signature: The signature. combined)rj protectedTr/header)r*r0r) signature)r)r4rrcCst|dSNutf-8)rencode_b64joser rXrrrrkszSignature.protectedcCst|dSro)rrfrrXrrrrkskwargsNc s8d|vr ||}tjdi||jjdusJdS)Nrjr)_with_combinedsuper__init__rjr()r>rr __class__rrrus zSignature.__init__cCsZd|vsJ|d|jdj}|d|jdj}|r%||j|}n|}||d<|S)Nrjrmrk)getr7r0 header_cls json_loads)rrrrmrkrjrrrrss zSignature._with_combinedpayloadcCst|ddt|S)Nrp.)r rQr )rrkr{rrr_msgszSignature._msgkeycCsJ|dur |jn|}|jjstd|jjj|j|j||j |dS)zvVerify. :param bytes payload: Payload to verify. :param JWK key: Key used for verification. Nz Not signature algorithm defined.)r~sigmsg) rjrNr(rhrMverifyr~rnr}rk)r>r{r~ actual_keyrrrrs  zSignature.verifyr( include_jwkprotectc Kst||jsJ|}||d<|r||d<t||jjs!J||jjs*Ji}|D] } | |vr;|| || <q.|rI|jdi|} nd} |jdi|} | |j | | |} || | | dS)aDSign. :param bytes payload: Payload to sign. :param JWK key: Key for signature. :param JWASignature alg: Signature algorithm to use to sign. :param bool include_jwk: If True, insert the JWK inside the signature headers. :param FrozenSet protect: List of headers to protect. r(rrl)rkrmrnNr) rCkty public_keyrGissubsetryr7pop json_dumpssignr~r}) rr{r~r(rrrr header_paramsprotected_paramsrmrkrnrrrrs$  zSignature.signcs t}|ds|d=|S)Nrm)rtfields_to_partial_jsonrA)r>fieldsrvrrrs  z Signature.fields_to_partial_jsonjobjcs4t|}||}d|dvrtd|S)Nr(rjzalg not present)rtfields_from_jsonrsrAr r)rrrfields_with_combinedrvrrrs   zSignature.fields_from_jsonrY)'r!r"r#r$r'ryrb __slots__rr<rkr&rarmrfrqrnrcr4r)rrur%rrsr}rrhreboolr frozensetr`rrrrr __classcell__rrrvrrisL    $0ric@seZdZUdZdZeed<eeed<eZ dde e j de fdd Zeded eddfd d Zedefd dZdefddZededdfddZdde deeeffddZedeeefddfddZdS)JWSzgJSON Web Signature. :ivar str payload: JWS Payload. :ivar str signature: JWS Signatures. r{ signaturesr{rNr~rcstfddjDS)Verify.c3s|] }|jVqdSrY)rr{r:rr~r>rrr]szJWS.verify..)allr)r>r~rrrrsz JWS.verifyrrcKs |||jjdd|i|fdS)Sign.r{rNr) signature_clsr)rr{rrrrrrszJWS.signcCst|jdks J|jdS)zPGet a singleton signature. :rtype: :class:`JWS.signature_cls` r)rrr=rrrrn%s z JWS.signaturecCs\t|jdks Jd|jjvsJt|jjddt|j dt|jjS)z7Compact serialization. :rtype: bytes rr(rpr|) rrrnrmrAr rQrkr r{r=rrr to_compact/s  zJWS.to_compactcompactcCsbz |d\}}}Wn tytdw|jt|dt|d}|t||fdS)zACompact deserialization. :param bytes compact: r|zOCompact JWS serialization should comprise of exactly 3 dot-separated componentsrp)rkrnr)split ValueErrorr rrr r\r)rrrkr{rnrrrr from_compactAs zJWS.from_compactTflatcCsN|jsJt|j}|r!t|jdkr!|jd}||d<|S||jdS)Nrrr{r)rrrqr{rto_partial_json)r>rr{retrrrrTs  zJWS.to_partial_jsonrcsd|vr d|vr tdd|vr*dd|D}t|dj|fdSt|dtfdd |dDdS) NrnrzFlat mixed with non-flatcSsi|] \}}|dkr||qS)r{r)r:r~rrrrr?gsz!JWS.from_json..r{rc3s|] }j|VqdSrY)rrarrrrr]lsz JWS.from_json..)r rr@rrfrrar^)rrfilteredrrrrabs   z JWS.from_jsonrY)T)r!r"r#r$rrcrbrrirrrhrerrr%rrpropertyrnrrrr&rrrarrrrrs"    rc@seZdZdZedejddfddZedejdefddZ ed e de j fd d Z ed e de fd d Zed e deejfddZeddeedeefddZdS)CLIzJWS CLI.argsrNcCs|jj|j}|j|jdurg|_|jr |jdt j t j  ||jt|jd}|jr@t|ddSt|dS)rNr()r{r~r(rrp)r(rloadr~readcloserrappendrrsysstdinr rGprintrrjson_dumps_pretty)rrr~rrrrrss   zCLI.signc Cs|jrttj}n&z ttttj}Wnt j y3}z t |WYd}~dSd}~ww|j durQ|j dus@J|j |j }|j nd}tj|j|j|d S)rNF)r~)rrrrrrr r rzr rMrr~rrrrstdoutwriter{rr)rrrr_r~rrrrs   z CLI.verifyargcCs tj|SrY)rr`rarrrrr _alg_types z CLI._alg_typecCs|tjjvsJ|SrY)riryr7rrrr _header_typeszCLI._header_typecCs|tjjvsJtjj|SrY)rdreTYPESrrrr _kty_types z CLI._kty_typecCs|dur tjdd}t}|jddd|}|d}|j|jd|jdd t d d d |jd d|j t j d|jddd|j d|d}|j|jd|jdd t d dd |jd|jdd ||}||S)z Parse arguments and sign/verify.Nrz --compact store_true)actionr)funcz-kz--keyrbT)rDrequiredz-az--alg)rDr0z-pz --protectr)rrDrFz--kty)rargvargparseArgumentParser add_argumentadd_subparsers add_parser set_defaultsrFileTyperrRS256rrr parse_argsr)rrparser subparsers parser_sign parser_verifyparsedrrrruns4      zCLI.runrY)r!r"r#r$r%r Namespacerrrrrr`rrr rdrerrr&rrrrrrrps"r__main__)!r$rrPrtypingrrrrrrrr r OpenSSLr rhr r rrrrdrrJSONObjectWithFieldsr'rirrr!exitrrrrrs$,   azbV