o 7bV@sddlZddlZddlZddlmZddlmZmZmZm Z m Z m Z m Z m Z mZzZddlZddlmZddlmZddlmZmZddlmZmZdd lmZmZdd lmZmZdd l m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(dd l)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0d Z1Wn e2ydZ1YnwhdZ3ddZ4GdddZ5Gddde5Z6Gddde5Z7e1rGddde5Z8Gddde5Z9Gddde8Z:Gddde5Z;dSdS) NInvalidKeyError) base64url_decodebase64url_encodeder_to_raw_signature force_bytesfrom_base64url_uint is_pem_format is_ssh_keyraw_to_der_signatureto_base64url_uint)InvalidSignature)hashes)ecpadding)EllipticCurvePrivateKeyEllipticCurvePublicKey)Ed448PrivateKeyEd448PublicKey)Ed25519PrivateKeyEd25519PublicKey) RSAPrivateKeyRSAPrivateNumbers RSAPublicKeyRSAPublicNumbers rsa_crt_dmp1 rsa_crt_dmq1 rsa_crt_iqmprsa_recover_prime_factors)Encoding NoEncryption PrivateFormat PublicFormatload_pem_private_keyload_pem_public_keyload_ssh_public_keyTF> ES256ES384ES512ES521EdDSAPS256PS384PS512RS256RS384RS512ES256KcCstttjttjttjd}trG|ttjttjttjttjttjttjttjttjt t jt t jt t jt d |S)zE Returns the algorithms that are implemented by the library. )noneHS256HS384HS512) r/r0r1r'r2r(r*r)r,r-r.r+) NoneAlgorithm HMACAlgorithmSHA256SHA384SHA512 has_cryptoupdate RSAAlgorithm ECAlgorithmRSAPSSAlgorithm OKPAlgorithm)default_algorithmsrC0/usr/lib/python3/dist-packages/jwt/algorithms.pyget_default_algorithmsKs0rEc@s@eZdZdZddZddZddZedd Zed d Z d S) AlgorithmzH The interface for an algorithm used to sign and verify tokens. cCt)z Performs necessary validation and conversions on the key and returns the key value in the proper format for sign() and verify(). NotImplementedErrorselfkeyrCrCrD prepare_keyrzAlgorithm.prepare_keycCrG)zn Returns a digital signature for the specified message using the specified key value. rHrKmsgrLrCrCrDsignyrNzAlgorithm.signcCrG)zz Verifies that the specified digital signature is valid for the specified message and key values. rHrKrPrLsigrCrCrDverifyrNzAlgorithm.verifycCrG)z7 Serializes a given RSA key into a JWK rHkey_objrCrCrDto_jwkrNzAlgorithm.to_jwkcCrG)zb Deserializes a given RSA key from JWK back into a PublicKey or PrivateKey object rH)jwkrCrCrDfrom_jwkrNzAlgorithm.from_jwkN) __name__ __module__ __qualname____doc__rMrQrT staticmethodrWrYrCrCrCrDrFms rFc@s(eZdZdZddZddZddZdS) r7zZ Placeholder for use when no signing or verification operations are required. cCs |dkrd}|durtd|S)Nz*When alg = "none", key value must be None.rrJrCrCrDrMs zNoneAlgorithm.prepare_keycCdS)NrCrOrCrCrDrQzNoneAlgorithm.signcCr`)NFrCrRrCrCrDrTrbzNoneAlgorithm.verifyN)rZr[r\r]rMrQrTrCrCrCrDr7s  r7c@sZeZdZdZejZejZej Z ddZ ddZ e ddZe dd Zd d Zd d ZdS)r8zf Performs signing and verification operations using HMAC and the specified hash function. cC ||_dSNhash_algrKrfrCrCrD__init__ zHMACAlgorithm.__init__cCs$t|}t|s t|rtd|S)NzdThe specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret.)rr r rrJrCrCrDrMs zHMACAlgorithm.prepare_keycCsttt|ddS)Noct)kkty)jsondumpsrrdecoderUrCrCrDrWs zHMACAlgorithm.to_jwkcCshzt|tr t|}n t|tr|}ntWn ty"tdw|ddkr.tdt|dS)NKey is not valid JSONrlrjzNot an HMAC keyrk) isinstancestrrmloadsdict ValueErrorrgetr)rXobjrCrCrDrYs     zHMACAlgorithm.from_jwkcCst|||jSrd)hmacnewrfdigestrOrCrCrDrQzHMACAlgorithm.signcCst||||Srd)rxcompare_digestrQrRrCrCrDrTr{zHMACAlgorithm.verifyN)rZr[r\r]hashlibsha256r9sha384r:sha512r;rhrMr^rWrYrQrTrCrCrCrDr8s   r8c@sZeZdZdZejZejZejZddZddZ e ddZ e dd Z d d Z d d ZdS)r>z~ Performs signing and verification operations using RSASSA-PKCS-v1_5 and the specified hash function. cCrcrdrergrCrCrDrhrizRSAAlgorithm.__init__cCsxt|ttfr |St|ttfstdt|}z|dr%t|}W|St |dd}W|St y;t |}Y|Sw)NExpecting a PEM-formatted key.sssh-rsapassword) rqrrbytesrr TypeErrorr startswithr&r$rur%rJrCrCrDrMs   zRSAAlgorithm.prepare_keyc Csd}t|ddrE|}ddgt|jjt|jjt|jt|jt|j t|j t|j t|j d }n!t|ddrb|}ddgt|jt|jd}nt dt|S)Nprivate_numbersRSArQ) rlkey_opsnedpqdpdqqirT)rlrrrNot a public or private key)getattrrr public_numbersrrorrrrdmp1dmq1iqmprrmrn)rVrwnumbersrCrCrDrWs.           zRSAAlgorithm.to_jwkc szt|tr t|n t|tr|ntWn ty"tdwddkr.tddvrdvrdvrdvrBtd gd }fd d |D}t|}|r]t |s]td t t dt d}|rt t dt dt dt dt dt d|d}|St d}t |j||j\}}t |||t||t||t|||d}|Sdvrdvrt t dt d}|Std)NrprlrzNot an RSA keyrrrothz5Unsupported RSA private key: > 2 primes not supported)rrrrrcsg|]}|vqSrCrC).0proprwrCrD Asz)RSAAlgorithm.from_jwk..z@RSA key must include all parameters if any are present besides drrrrr)rrrrrrrr)rqrrrmrsrtrurrvanyallrr rrrrrrr private_key public_key) rX other_props props_foundany_props_foundrrrrrrCrrDrY*sx                  zRSAAlgorithm.from_jwkcCs||t|Srd)rQrPKCS1v15rfrOrCrCrDrQtszRSAAlgorithm.signcCs4z|||t|WdStyYdSw)NTF)rTrrrfrrRrCrCrDrTws  zRSAAlgorithm.verifyN)rZr[r\r]rr9r:r;rhrMr^rWrYrQrTrCrCrCrDr>s # I r>c@sNeZdZdZejZejZejZddZddZ ddZ dd Z e d d Z d S) r?zr Performs signing and verification operations using ECDSA and the specified hash function cCrcrdrergrCrCrDrhrizECAlgorithm.__init__cCsxt|ttfr |St|ttfstdt|}z|dr%t|}W|St |}W|St y;t |dd}Y|Sw)Nrs ecdsa-sha2-r) rqrrrrrrrrr&r%rur$rJrCrCrDrMs    zECAlgorithm.prepare_keycCs"||t|}t||jSrd)rQrECDSArfrcurve)rKrPrLder_sigrCrCrDrQs zECAlgorithm.signcCslzt||j}Wn tyYdSwzt|tr|}|||t| WdSt y5YdSw)NFT) r rrurqrrrTrrrfr)rKrPrLrSrrCrCrDrTs   zECAlgorithm.verifycCs&zt|tr t|}n t|tr|}ntWn ty"tdw|ddkr.tdd|vs6d|vr:tdt|d}t|d}|d}|dkrmt |t |kr_d krintd t }nktd |d krt |t |krd krntd t }nKtd |dkrt |t |krdkrntdt }n+td|dkrt |t |krd krntdt }n tdtd|t jtj|ddtj|dd|d}d|vr|St|d}t |t |krtdt ||t tj|dd|S)NrprlECzNot an Elliptic curve keyxycrvzP-256 z)Coords should be 32 bytes for curve P-256zP-3840z)Coords should be 48 bytes for curve P-384zP-521Bz)Coords should be 66 bytes for curve P-521 secp256k1z-Coords should be 32 bytes for curve secp256k1Invalid curve: big) byteorder)rrrrz!D should be {} bytes for curve {})rqrrrmrsrtrurrvrlenr SECP256R1 SECP384R1 SECP521R1 SECP256K1EllipticCurvePublicNumbersint from_bytesrEllipticCurvePrivateNumbersr)rXrwrrr curve_objrrrCrCrDrYsv            zECAlgorithm.from_jwkN)rZr[r\r]rr9r:r;rhrMrQrTr^rYrCrCrCrDr?~sr?c@s eZdZdZddZddZdS)r@zA Performs a signature using RSASSA-PSS with MGF1 cCs*||tjt||jjd|S)Nmgf salt_length)rQrPSSMGF1rf digest_sizerOrCrCrDrQs zRSAPSSAlgorithm.signc CsHz|||tjt||jjd|WdSty#YdSw)NrTF)rTrrrrfrrrRrCrCrDrTs  zRSAPSSAlgorithm.verifyN)rZr[r\r]rQrTrCrCrCrDr@s r@c@sHeZdZdZddZddZddZdd Zed d Z ed d Z dS)rAz Performs signing and verification operations using EdDSA This class requires ``cryptography>=2.6`` to be installed. cKsdSrdrC)rKkwargsrCrCrDrhrbzOKPAlgorithm.__init__cCst|ttfr6t|tr|d}|d}d|vrt|}nd|vr*t|dd}n |dddkr6t|}t|tt t t fsCt d|S) Nutf-8z-----BEGIN PUBLICz-----BEGIN PRIVATErrzssh-zcExpecting a EllipticCurvePrivateKey/EllipticCurvePublicKey. Wrong key provided for EdDSA algorithms) rqrrrencoderor%r$r&rrrrr)rKrLstr_keyrCrCrDrMs$     zOKPAlgorithm.prepare_keycCs$t|tur t|dn|}||S)aR Sign a message ``msg`` using the EdDSA private key ``key`` :param str|bytes msg: Message to sign :param Ed25519PrivateKey}Ed448PrivateKey key: A :class:`.Ed25519PrivateKey` or :class:`.Ed448PrivateKey` iinstance :return bytes signature: The signature, as bytes r)typerrQrOrCrCrDrQ6s zOKPAlgorithm.signcCsvz.t|tur t|dn|}t|turt|dn|}t|ttfr&|}|||WdStjj y:YdSw)a Verify a given ``msg`` against a signature ``sig`` using the EdDSA key ``key`` :param str|bytes sig: EdDSA signature to check ``msg`` against :param str|bytes msg: Message to sign :param Ed25519PrivateKey|Ed25519PublicKey|Ed448PrivateKey|Ed448PublicKey key: A private or public EdDSA key instance :return bool verified: True if signature is valid, False if not. rTF) rrrqrrrrT cryptography exceptionsrrRrCrCrDrTAs  zOKPAlgorithm.verifycCst|ttfr(|jtjtjd}t|trdnd}tt t | d|dSt|t t frd|jtjtjtd}|jtjtjd}t|t rLdnd}tt t | t t | d|dStd) N)encodingformatEd25519Ed448OKP)rrlr)rrencryption_algorithm)rrrlrr)rqrr public_bytesr Rawr#rmrnrrrorr private_bytesr"r!rr)rLrrrrCrCrDrWVs> zOKPAlgorithm.to_jwkc Cszt|tr t|}n t|tr|}ntWn ty"tdw|ddkr.td|d}|dkrB|dkrBtd|d |vrJtd t|d }z+d |vrf|dkr`t |WSt |WSt|d }|dkrwt |WSt |WSty}ztd |d}~ww) NrprlrzNot an Octet Key PairrrrrrzOKP should have "x" parameterrzInvalid key parameter)rqrrrmrsrtrurrvrrfrom_public_bytesrrfrom_private_bytesr)rXrwrrrerrrCrCrDrY~s>          zOKPAlgorithm.from_jwkN) rZr[r\r]rhrMrQrTr^rWrYrCrCrCrDrAs  'rA)r?r@rArCrCrCrDsB ,   ($  ")9x