&)c\ddlZddlZddlZddlmZddlmZmZmZm Z m Z m Z m Z m Z mZ ddlZddlmZddlmZddlmZmZddlmZmZdd lmZmZdd lmZmZdd l m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(dd l)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0d Z1n #e2$rdZ1YnwxYwhdZ3dZ4GddZ5Gdde5Z6Gdde5Z7e1r:Gdde5Z8Gdde5Z9Gdde8Z:Gdde5Z;dSdS)NInvalidKeyError) base64url_decodebase64url_encodeder_to_raw_signature force_bytesfrom_base64url_uint is_pem_format is_ssh_keyraw_to_der_signatureto_base64url_uint)InvalidSignature)hashes)ecpadding)EllipticCurvePrivateKeyEllipticCurvePublicKey)Ed448PrivateKeyEd448PublicKey)Ed25519PrivateKeyEd25519PublicKey) RSAPrivateKeyRSAPrivateNumbers RSAPublicKeyRSAPublicNumbers rsa_crt_dmp1 rsa_crt_dmq1 rsa_crt_iqmprsa_recover_prime_factors)Encoding NoEncryption PrivateFormat PublicFormatload_pem_private_keyload_pem_public_keyload_ssh_public_keyTF> ES256ES384ES512ES521EdDSAPS256PS384PS512RS256RS384RS512ES256Kctttjttjttjd}t r+|ttjttjttjttjttjttjttjttjttjttjttjtd |S)zE Returns the algorithms that are implemented by the library. )noneHS256HS384HS512) r0r1r2r(r3r)r+r*r-r.r/r,) NoneAlgorithm HMACAlgorithmSHA256SHA384SHA512 has_cryptoupdate RSAAlgorithm ECAlgorithmRSAPSSAlgorithm OKPAlgorithm)default_algorithmss 0/usr/lib/python3/dist-packages/jwt/algorithms.pyget_default_algorithmsrFKs }344}344}344  !!%l&9::%l&9::%l&9::$[%788%k&899$[%788$[%788$&))?@@()?@@()?@@%     & cPeZdZdZdZdZdZedZedZ dS) AlgorithmzH The interface for an algorithm used to sign and verify tokens. ct)z Performs necessary validation and conversions on the key and returns the key value in the proper format for sign() and verify(). NotImplementedErrorselfkeys rE prepare_keyzAlgorithm.prepare_keyr "!rGct)zn Returns a digital signature for the specified message using the specified key value. rKrNmsgrOs rEsignzAlgorithm.signyrQrGct)zz Verifies that the specified digital signature is valid for the specified message and key values. rKrNrTrOsigs rEverifyzAlgorithm.verifyrQrGct)z7 Serializes a given RSA key into a JWK rKkey_objs rEto_jwkzAlgorithm.to_jwkrQrGct)zb Deserializes a given RSA key from JWK back into a PublicKey or PrivateKey object rK)jwks rEfrom_jwkzAlgorithm.from_jwkrQrGN) __name__ __module__ __qualname____doc__rPrUrY staticmethodr]r`rGrErIrIms"""""""""""\" ""\"""rGrIc$eZdZdZdZdZdZdS)r9zZ Placeholder for use when no signing or verification operations are required. c8|dkrd}|td|S)Nz*When alg = "none", key value must be None.rrMs rErPzNoneAlgorithm.prepare_keys) "99C ?!"NOO O rGcdS)NrGrfrSs rErUzNoneAlgorithm.signssrGcdS)NFrfrWs rErYzNoneAlgorithm.verifysurGN)rarbrcrdrPrUrYrfrGrEr9r9sK rGr9ceZdZdZejZejZej Z dZ dZ e dZe dZdZdZdS) r:zf Performs signing and verification operations using HMAC and the specified hash function. c||_dSNhash_algrNrps rE__init__zHMACAlgorithm.__init__s   rGc~t|}t|st|rtd|S)NzdThe specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret.)r r r rrMs rErPzHMACAlgorithm.prepare_keysJ#    C !9   rGctjtt|ddS)Noct)kkty)jsondumpsrr decoder[s rEr]zHMACAlgorithm.to_jwksBz%k'&:&:;;BBDD     rGcL t|trtj|}nt|tr|}nt n#t $rt dwxYw|ddkrt dt|dS)NKey is not valid JSONrwruzNot an HMAC keyrv) isinstancestrrxloadsdict ValueErrorrgetr)r_objs rEr`zHMACAlgorithm.from_jwks ;#s## !jooC&& !   ; ; ;!"9:: : ; 775>>U " "!"344 4C))) A A A&c\tj|||jSrn)hmacnewrpdigestrSs rErUzHMACAlgorithm.signs$xS$-0077999rGcTtj||||Srn)rcompare_digestrUrWs rErYzHMACAlgorithm.verifys#"3 #s(;(;<<>*--C-c22CC.sTBBBC / / /)#.. /Js6BB-,B-c d}t|ddrM|}ddgt|jjt|jjt|jt|jt|j t|j t|j t|j d }nt|ddre|}ddgt|jt|jd}ntdtj|S)Nprivate_numbersRSArU) rwkey_opsnedpqdpdqqirY)rwrrrNot a public or private key)getattrrrpublic_numbersrrzrrrrdmp1dmq1iqmprrxry)r\rnumberss rEr]zRSAAlgorithm.to_jwksCw 1488 E!1133! &x*7+A+CDDKKMM*7+A+CDDKKMM*7955<<>>*7955<<>>*7955<<>>+GL99@@BB+GL99@@BB+GL99@@BB  (D11 E!0022! (z*7955<<>>*7955<<>> &&CDDD:c?? "rGc < t|trtj| nt|tr| nt n#t $rt dwxYw ddkrt dd vrd vrd vrd vrt d gd } fd |D}t|}|rt|st d tt dt d}|rtt dt d t dt dt dt d|}nst d}t|j||j\}}t|||t!||t#||t%|||}|Sd vrNd vrJtt dt d}|St d)Nr|rwrzNot an RSA keyrrrothz5Unsupported RSA private key: > 2 primes not supported)rrrrrcg|]}|vSrfrf).0proprs rE z)RSAAlgorithm.from_jwk..AsCCCtts{CCCrGz@RSA key must include all parameters if any are present besides drrrrr)rrrrrrrr)r}r~rxrrrrranyallrr rr rrrrr private_key public_key) r_ other_props props_foundany_props_foundrrrrrrs @rEr`zRSAAlgorithm.from_jwk*s ?c3''%*S//CCT**%CC$$ ? ? ?%&=>>> ?wwu~~&&%&6777czzcSjjSCZZC<<)O;:: CCCC{CCC "%k"2"2"3{+;+;)Z"2'C11'C11"" #/-c#h77-c#h77-c#h770T;;0T;;0T;;'5GG,CH55A4&(!^-=DAq0)!Q//)!Q//)!Q//'5G**,,,s *'C11'C11 ))+++%&CDDDs A A A'cv||tj|Srn)rUrPKCS1v15rprSs rErUzRSAAlgorithm.signts)88C!1!3!3T]]__EE ErGc |||tj|dS#t$rYdSwxYw)NTF)rYrrrprrWs rErYzRSAAlgorithm.verifywsW  3W%5%7%7IIIt#   uu s;? A  A N)rarbrcrdrr;r<r=rrrPrer]r`rUrYrfrGrEr@r@s   % % %   $ ! #! # ! #F G EG E G ER F F F     rGr@ceZdZdZejZejZejZdZdZ dZ dZ e dZ e dZdS) rAzr Performs signing and verification operations using ECDSA and the specified hash function c||_dSrnrorqs rErrzECAlgorithm.__init__rrGct|ttfr|St|ttfst dt |} |drt|}nt|}n!#t$rt|d}YnwxYwt|ttfstd|S)Nrs ecdsa-sha2-rzcExpecting a EllipticCurvePrivateKey/EllipticCurvePublicKey. Wrong key provided for ECDSA algorithms) r}rrrr~rr rr'r&rr%rrMs rErPzECAlgorithm.prepare_keys# 79OPQQ  cE3<00 B @AAAc""C  ?>>.113-c22CC-c22C ? ? ?*3>>> ?c$;=S#TUU %yJs4BB-,B-c||tj|}t ||jSrn)rUrECDSArprcurve)rNrTrOder_sigs rErUzECAlgorithm.signs9hhsBHT]]__$=$=>>G';; ;rGcB t||j}n#t$rYdSwxYw t|tr|}|||tj| dS#t$rYdSwxYw)NFT) r rrr}rrrYrrrpr)rNrTrOrXrs rErYzECAlgorithm.verifys .sCI>>   uu  c#:;;+..**C 7C$--//)B)BCCCt#   uu s &&A$B BBct|tr'|}n9t|tr|}nt dt|jtjrd}n}t|jtj rd}n[t|jtj rd}n9t|jtj rd}nt d|jd|t|j t|jd}t|tr;t|j|d <t%j|S) NrP-256P-384P-521 secp256k1Invalid curve: EC)rwcrvxyr)r}rrrrrrr SECP256R1 SECP384R1 SECP521R1 SECP256K1rrrzrr private_valuerxry)r\rrrs rEr]zECAlgorithm.to_jwks'#:;; E!(!3!3!5!5!D!D!F!FG%;<< E!(!7!7!9!9%&CDDD'-66 IGM2<88 IGM2<88 IGM2<88 I!%&G &G&GHHH&~'788??AA&~'788??AA C'#:;; ,++--;&((C:c?? "rGc t|trtj|}nt|tr|}nt n#t $rt dwxYw|ddkrt dd|vsd|vrt dt|d}t|d}|d}|dkrNt|t|cxkrd krnntj }nt d |d krMt|t|cxkrd krnntj }nt d |dkrMt|t|cxkrdkrnntj }ntt d|dkrMt|t|cxkrd krnntj}n!t dt d|tjt |dt |d|}d|vr|St|d}t|t|krt dt||tjt |d|S)Nr|rwrzNot an Elliptic curve keyrrrr z)Coords should be 32 bytes for curve P-256r0z)Coords should be 48 bytes for curve P-384rBz)Coords should be 66 bytes for curve P-521rz-Coords should be 32 bytes for curve secp256k1rbig) byteorder)rrrrz!D should be {} bytes for curve {})r}r~rxrrrrrrlenrrrrrEllipticCurvePublicNumbersint from_bytesrEllipticCurvePrivateNumbersr)r_rrrr curve_objrrs rEr`zECAlgorithm.from_jwksG ?c3''%*S//CCT**%CC$$ ? ? ?%&=>>> ?wwu~~%%%&ABBB#~~C%&ABBB ..A ..AGGENNEq66SVV))))r))))) " II)*UVVV'!!q66SVV))))r))))) " II)*UVVV'!!q66SVV))))r))))) " II)*UVVV+%%q66SVV))))r))))) " II)G&&?&?&?@@@:..e.44..e.44N #~~%00222 ..A1vvQ%7Q1qE22Nkmm rN)rarbrcrdrr;r<r=rrrPrUrYrer]r`rfrGrErArA~s   % % %   8 < < <     # #  #D ? ?  ? ? ? rGrAceZdZdZdZdZdS)rBzA Performs a signature using RSASSA-PSS with MGF1 c ||tjtj||jj|S)Nmgf salt_length)rUrPSSMGF1rp digest_sizerSs rErUzRSAPSSAlgorithm.sign$sY88  T]]__55 $ 9   rGc  |||tjtj||jj|dS#t $rYdSwxYw)NrTF)rYrrrrprrrWs rErYzRSAPSSAlgorithm.verify.s  K#L99$(M$=MMOOt#   uu sA,A00 A>=A>N)rarbrcrdrUrYrfrGrErBrBs<          rGrBcVeZdZdZdZdZdZdZedZ edZ dS) rCz Performs signing and verification operations using EdDSA This class requires ``cryptography>=2.6`` to be installed. c dSrnrf)rNkwargss rErrzOKPAlgorithm.__init__Ds DrGct|ttfrt|tr|d}|d}d|vrt |}n3d|vrt |d}n|dddkrt|}t|ttttfstd|S) Nutf-8z-----BEGIN PUBLICz-----BEGIN PRIVATErrzssh-zcExpecting a EllipticCurvePrivateKey/EllipticCurvePublicKey. Wrong key provided for EdDSA algorithms) r}rr~encoderzr&r%r'rrrrr)rNrOstr_keys rErPzOKPAlgorithm.prepare_keyGs#s|,, 3c3''.**W--C**W--&'11-c22CC)W44.sTBBBCCQqS\V++-c22C"$4o~V &yJrGc|t|turt|dn|}||S)aS Sign a message ``msg`` using the EdDSA private key ``key`` :param str|bytes msg: Message to sign :param Ed25519PrivateKey}Ed448PrivateKey key: A :class:`.Ed25519PrivateKey` or :class:`.Ed448PrivateKey` isinstance :return bytes signature: The signature, as bytes r)typerrUrSs rErUzOKPAlgorithm.sign_s8*.c%)?)?%W%%%SC88C== rGcj t|turt|dn|}t|turt|dn|}t|ttfr|}|||dS#tjj $rYdSwxYw)a Verify a given ``msg`` against a signature ``sig`` using the EdDSA key ``key`` :param str|bytes sig: EdDSA signature to check ``msg`` against :param str|bytes msg: Message to sign :param Ed25519PrivateKey|Ed25519PublicKey|Ed448PrivateKey|Ed448PublicKey key: A private or public EdDSA key instance :return bool verified: True if signature is valid, False if not. rTF) rrr}rrrrY cryptography exceptionsrrWs rErYzOKPAlgorithm.verifyjs -1#YYe-C-CeC)))-1#YYe-C-CeC)))c$5#GHH+..**C 3$$$t*;   uu sBBB21B2ct|ttfr|tjt j}t|trdnd}tjtt| d|dSt|ttfr|tjtjt!}|tjt j}t|trdnd}tjtt| tt| d|dSt%d) N)encodingformatEd25519Ed448OKP)rrwr)rrencryption_algorithm)rrrwrr)r}rr public_bytesr!Rawr$rxryrr rzrr private_bytesr#r"rr)rOrrrs rEr]zOKPAlgorithm.to_jwks# 0.ABB $$%\'+%$.c3C#D#DQii'z-k!nn==DDFF$"# 1?CDD %%%\(,)5& NN$$11%\'+2 $.c3D#E#ERii7z-k!nn==DDFF-k!nn==DDFF$" ""?@@ @rGc< t|trtj|}nt|tr|}nt n#t $rt dwxYw|ddkrt d|d}|dkr|dkrt d|d |vrt d t|d } d |vr.|dkrtj |Stj |St|d }|dkrtj |Stj |S#t $r}t d |d}~wwxYw) Nr|rwrzNot an Octet Key PairrrrrrzOKP should have "x" parameterrzInvalid key parameter)r}r~rxrrrrrrrfrom_public_bytesrrfrom_private_bytesr)r_rrrrerrs rEr`zOKPAlgorithm.from_jwks ?c3''%*S//CCT**%CC$$ ? ? ?%&=>>> ?wwu~~&&%&=>>>GGENNE !!ew&6&6%&?&?&?@@@#~~%&EFFF ..A Hc>> ))/A!DDD);A>>>$SWWS\\22I%%,?BBB&9!<<< H H H%&=>>CG Hs6A A A&:E<E<,;E<(E<< FFFN) rarbrcrdrrrPrUrYrer]r`rfrGrErCrC=s        0 ! ! !   * % A% A % AN  H H  H H HrGrC)ModuleNotFoundErrorrequires_cryptographyrFrIr9r:r@rArBrCrfrGrErs ''''''                      '""""888888555555EEEEEEEE                    JJJJJ    D&"&"&"&"&"&"&"&"RI,6=6=6=6=6=I6=6=6=rcHUUUUUyUUUn_____i___B,