U dht @sddlmZddlZddlZddlZddlZddlmZmZddl m Z m Z m Z m Z mZmZmZddlmZddlmZmZddlmZmZmZmZmZmZmZmZmZej d krdd l m!Z!n dd l"m!Z!zdd l#m$Z$dd l%m&Z&dd l'm(Z(ddl)m*Z*ddl+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4m5Z5ddl6m7Z7m8Z8ddl9m:Z:m;Z;ddlZ>m?Z?m@Z@mAZAmBZBmCZCmDZDddlEmFZFmGZGmHZHmIZImJZJmKZKmLZLdZMWneNk rdZMYnXe re=e?BZOe2e4BZPe:e;Be7Be8BZQeOePBeQBZRe=e2Be:Be7BZSe?e4Be;Be8BZTddddddddddd d!h ZUd"d#d$d%ZVGd&d'd'eZWGd(d)d)eWZXGd*d+d+eWZYeMrGd,d-d-eWZZGd.d/d/eWZ[Gd0d1d1eZZ\Gd2d3d3eWZ]dS)4) annotationsN)ABCabstractmethod) TYPE_CHECKINGAnyClassVarNoReturnUnioncastoverloadInvalidKeyError) HashlibHashJWKDict) base64url_decodebase64url_encodeder_to_raw_signature force_bytesfrom_base64url_uint is_pem_format is_ssh_keyraw_to_der_signatureto_base64url_uint))Literal)InvalidSignature)default_backend)hashes)padding) ECDSA SECP256K1 SECP256R1 SECP384R1 SECP521R1 EllipticCurveEllipticCurvePrivateKeyEllipticCurvePrivateNumbersEllipticCurvePublicKeyEllipticCurvePublicNumbers)Ed448PrivateKeyEd448PublicKey)Ed25519PrivateKeyEd25519PublicKey) RSAPrivateKeyRSAPrivateNumbers RSAPublicKeyRSAPublicNumbers rsa_crt_dmp1 rsa_crt_dmq1 rsa_crt_iqmprsa_recover_prime_factors)Encoding NoEncryption PrivateFormat PublicFormatload_pem_private_keyload_pem_public_keyload_ssh_public_keyTFRS256RS384RS512ES256ES256KES384ES521ES512PS256PS384PS512EdDSAzdict[str, Algorithm])returncCstttjttjttjd}tr|ttjttjttjttjttjttjttjttjt t jt t jt t jt d |S)zE Returns the algorithms that are implemented by the library. )noneZHS256ZHS384ZHS512) r>r?r@rArBrCrDrErFrGrHrI) NoneAlgorithm HMACAlgorithmSHA256SHA384SHA512 has_cryptoupdate RSAAlgorithm ECAlgorithmRSAPSSAlgorithm OKPAlgorithm)Zdefault_algorithmsrW2/tmp/pip-unpacked-wheel-z041_nl0/jwt/algorithms.pyget_default_algorithmsps0rYc@seZdZdZdddddZeddddd Zedddd d d Zedddd dddZe e edddddZ e e ed!dddddZ e ed"d ddddZ e edddddZ d S)# AlgorithmzH The interface for an algorithm used to sign and verify tokens. bytes)bytestrrJcCsnt|dd}|dkrttrZt|trZt|tjrZtj|t d}| |t | St || SdS)z Compute a hash digest using the specified algorithm's hash algorithm. If there is no hash algorithm, raises a NotImplementedError. hash_algN)backend)getattrNotImplementedErrorrQ isinstancetype issubclassrZ HashAlgorithmZHashrrRr[finalizedigest)selfr\r]rerWrWrXcompute_hash_digests    zAlgorithm.compute_hash_digestrkeyrJcCsdS)z Performs necessary validation and conversions on the key and returns the key value in the proper format for sign() and verify(). NrWrfrirWrWrX prepare_keyszAlgorithm.prepare_keymsgrirJcCsdS)zn Returns a digital signature for the specified message using the specified key value. NrWrfrmrirWrWrXsignszAlgorithm.signboolrmrisigrJcCsdS)zz Verifies that the specified digital signature is valid for the specified message and key values. NrWrfrmrirrrWrWrXverifyszAlgorithm.verify Literal[True]r)as_dictrJcCsdSNrWkey_objrvrWrWrXto_jwkszAlgorithm.to_jwkFLiteral[False]strcCsdSrwrWrxrWrWrXrzsUnion[JWKDict, str]cCsdS)z3 Serializes a given key into a JWK NrWrxrWrWrXrzs str | JWKDictjwkrJcCsdS)zJ Deserializes a given key from JWK back into a key object NrWrrWrWrXfrom_jwkszAlgorithm.from_jwkN)F)F) __name__ __module__ __qualname____doc__rgrrkrortr staticmethodrzrrWrWrWrXrZs,rZc@sreZdZdZdddddZddddd d Zdddd d d dZeddd ddddZedddddZ dS)rLzZ Placeholder for use when no signing or verification operations are required. z str | NoneNonerhcCs |dkr d}|dk rtd|S)Nz*When alg = "none", key value must be None.r rjrWrWrXrks zNoneAlgorithm.prepare_keyr[rlcCsdS)NrWrnrWrWrXroszNoneAlgorithm.signrprqcCsdS)NFrWrsrWrWrXrtszNoneAlgorithm.verifyFrrryrvrJcCs tdSrwr`rxrWrWrXrzszNoneAlgorithm.to_jwkr~rcCs tdSrwrrrWrWrXrszNoneAlgorithm.from_jwkN)F) rrrrrkrortrrzrrWrWrWrXrLs rLc@seZdZUdZejZded<ejZ ded<ej Z ded<dddd d Z d d d ddZ eed dddddZeed'd dddddZed(d dddddZedd dddZd d d d d!d"Zd d d dd#d$d%Zd&S))rMzf Performs signing and verification operations using HMAC and the specified hash function. zClassVar[HashlibHash]rNrOrPrrr]rJcCs ||_dSrwr]rfr]rWrWrX__init__szHMACAlgorithm.__init__ str | bytesr[rhcCs$t|}t|st|r td|S)NzdThe specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret.)rrrrrfri key_bytesrWrWrXrks zHMACAlgorithm.prepare_keyrurrcCsdSrwrWrxrWrWrXrzszHMACAlgorithm.to_jwkFr{r|cCsdSrwrWrxrWrWrXrzsrpr}cCs,tt|dd}|r|St|SdS)Noct)kkty)rrdecodejsondumps)ryrvrrWrWrXrzs r~rcCsnz.t|trt|}nt|tr(|}ntWntk rJtdYnX|ddkrbtdt|dS)NKey is not valid JSONrrzNot an HMAC keyr) rar|rloadsdict ValueErrorrgetr)robjrWrWrXr)s   zHMACAlgorithm.from_jwkrlcCst|||jSrw)hmacnewr]rernrWrWrXro:szHMACAlgorithm.signrqcCst||||Srw)rcompare_digestrorsrWrWrXrt=szHMACAlgorithm.verifyN)F)F)rrrrhashlibsha256rN__annotations__sha384rOsha512rPrrkr rrzrrortrWrWrWrXrMs$   rMc@seZdZUdZejZded<ejZded<ejZded<dddd d Z d d d ddZ e e d dddddZ e e d*d dddddZ e d+d dddddZ e dd dddZd d!d d"d#d$Zd d%d dd&d'd(Zd)S),rSz~ Performs signing and verification operations using RSASSA-PKCS-v1_5 and the specified hash function. $ClassVar[type[hashes.HashAlgorithm]]rNrOrPtype[hashes.HashAlgorithm]rrcCs ||_dSrwrrrWrWrXrMszRSAAlgorithm.__init__zAllowedRSAKeys | str | bytesAllowedRSAKeysrhcCst|ttfr|St|ttfs(tdt|}z2|drLttt |WSttt |ddWSWn"t k rttt |YSXdS)NExpecting a PEM-formatted key.sssh-rsapassword) rar/r1r[r| TypeErrorr startswithr r=r;rr<rrWrWrXrkPs  zRSAAlgorithm.prepare_keyrurrcCsdSrwrWrxrWrWrXrzcszRSAAlgorithm.to_jwkFr{r|cCsdSrwrWrxrWrWrXrzhsrpr}c Csd}t|dr|}ddgt|jjt|jjt|jt|jt|j t|j t|j t|j d }n@t|dr|}ddgt|jt|jd}nt d|r|St|SdS)Nprivate_numbersRSAro) rkey_opsnedpqdpdqqirt)rrrrNot a public or private key)hasattrrrpublic_numbersrrrrrrdmp1dmq1iqmprrr)ryrvrnumbersrWrWrXrzms2          r~rc sz.t|trt|nt|tr(|ntWntk rJtdYnXddkrbtddkrdkrdkrdkrtd d d d d dg}fdd|D}t|}|rt |stdt t dt d}|r4t t dt d t d t d t d t d|d}nHt d}t |j||j\}}t |||t||t||t|||d}|Sdkrdkrt t dt dStddS)NrrrzNot an RSA keyrrrZothz5Unsupported RSA private key: > 2 primes not supportedrrrrrcsg|] }|kqSrWrW).0proprrWrX sz)RSAAlgorithm.from_jwk..z@RSA key must include all parameters if any are present besides d)rrrrrrrr)rar|rrrrrranyallr2rr0r6rrr3r4r5 private_key public_key) rZ other_propsZ props_foundZany_props_foundrrrrrrWrrXrst                zRSAAlgorithm.from_jwkr[r/rlcCs||t|Srw)ror PKCS1v15r]rnrWrWrXroszRSAAlgorithm.signr1rqcCs:z|||t|WdStk r4YdSXdS)NTF)rtr rr]rrsrWrWrXrts zRSAAlgorithm.verifyN)F)F)rrrrrrNrrOrPrrkr rrzrrortrWrWrWrXrSCs& (GrSc@seZdZUdZejZded<ejZded<ejZded<dddd d Z d d d ddZ ddddddZ dddddddZ e ed dddddZe ed*d d d!dd"dZed+d dd#dd$dZed%d d&d'd(Zd)S),rTzr Performs signing and verification operations using ECDSA and the specified hash function rrNrOrPrrrcCs ||_dSrwrrrWrWrXrszECAlgorithm.__init__zAllowedECKeys | str | bytes AllowedECKeysrhcCst|ttfr|St|ttfs(tdt|}z |drFt|}nt |}Wn t k rpt |dd}YnXt|ttfst d|S)Nrs ecdsa-sha2-rzcExpecting a EllipticCurvePrivateKey/EllipticCurvePublicKey. Wrong key provided for ECDSA algorithms) rar'r)r[r|rrrr=r<rr;r)rfrirZ crypto_keyrWrWrXrks&   zECAlgorithm.prepare_keyr[r'rlcCs ||t|}t||jSrw)ror!r]rcurve)rfrmrider_sigrWrWrXroszECAlgorithm.signz'AllowedECKeys'rprqcCsvzt||j}Wntk r&YdSXz2t|tr<|n|}|||t|WdSt k rpYdSXdS)NFT) rrrrar'rrtr!r]r)rfrmrirrrrrWrWrXrts zECAlgorithm.verifyrurrcCsdSrwrWrxrWrWrXrz)szECAlgorithm.to_jwkFr{r|cCsdSrwrWrxrWrWrXrz.sr}cCst|tr|}nt|tr,|}ntdt|jtrFd}nFt|jtrXd}n4t|jt rjd}n"t|jt r|d}ntd|jd|t |j  t |j d}t|trt |j |d <|r|St|SdS) NrP-256P-384P-521 secp256k1Invalid curve: EC)rcrvxyr)rar'rrr)rrr#r$r%r"rrrrrZ private_valuerr)ryrvrrrrWrWrXrz3s4           r~rcCs$z.t|trt|}nt|tr(|}ntWntk rJtdYnX|ddkrbtdd|ksrd|krztdt|d}t|d}|d}|dkrt |t |krd krnnt }ntd n|d krt |t |krd krnnt }ntd n|dkrZt |t |krDdkrPnnt }ntdnN|dkrt |t |krd krnnt }ntdntd|ttj|ddtj|dd|d}d|kr|St|d}t |t |kr tdt ||ttj|dd|S)NrrrzNot an Elliptic curve keyrrrr z)Coords should be 32 bytes for curve P-256r0z)Coords should be 48 bytes for curve P-384rBz)Coords should be 66 bytes for curve P-521rz-Coords should be 32 bytes for curve secp256k1rbig) byteorder)rrrrz!D should be {} bytes for curve {})rar|rrrrrrrlenr#r$r%r"r*int from_bytesrr(r)rrrrrZ curve_objrrrWrWrXrZsh       $  $  $    zECAlgorithm.from_jwkN)F)F)rrrrrrNrrOrPrrkrortr rrzrrWrWrWrXrTs& &rTc@s6eZdZdZddddddZddddd d d Zd S) rUzA Performs a signature using RSASSA-PSS with MGF1 r[r/rlcCs,||tjt||jd|S)NZmgfZ salt_length)ror PSSMGF1r] digest_sizernrWrWrXros zRSAPSSAlgorithm.signr1rprqc CsPz4|||tjt||jd|WdStk rJYdSXdS)NrTF)rtr rrr]rrrsrWrWrXrts  zRSAPSSAlgorithm.verifyN)rrrrrortrWrWrWrXrUs rUc@seZdZdZdddddZddd d d Zd d ddddZd dd ddddZee ddddddZ ee d&ddddddZ e d'ddddd dZ e d!dd"d#d$Z d%S)(rVz Performs signing and verification operations using EdDSA This class requires ``cryptography>=2.6`` to be installed. rr)kwargsrJcKsdSrwrW)rfrrWrWrXrszOKPAlgorithm.__init__zAllowedOKPKeys | str | bytesAllowedOKPKeysrhcCst|ttfr~t|tr"|dn|}t|tr:|dn|}d|krPt|}n.d|krft|dd}n|dddkr~t|}t|tt t t fst d|S) Nutf-8z-----BEGIN PUBLICz-----BEGIN PRIVATErrzssh-zcExpecting a EllipticCurvePrivateKey/EllipticCurvePublicKey. Wrong key provided for EdDSA algorithms) rar[r|rencoder<r;r=r-r.r+r,r)rfriZkey_strrrWrWrXrks"  zOKPAlgorithm.prepare_keyrz#Ed25519PrivateKey | Ed448PrivateKeyr[rlcCs"t|tr|dn|}||S)aS Sign a message ``msg`` using the EdDSA private key ``key`` :param str|bytes msg: Message to sign :param Ed25519PrivateKey}Ed448PrivateKey key: A :class:`.Ed25519PrivateKey` or :class:`.Ed448PrivateKey` isinstance :return bytes signature: The signature, as bytes r)rar|rro)rfrmri msg_bytesrWrWrXros zOKPAlgorithm.signrprqcCsxz\t|tr|dn|}t|tr.|dn|}t|ttfrH|n|}|||WdStk rrYdSXdS)a Verify a given ``msg`` against a signature ``sig`` using the EdDSA key ``key`` :param str|bytes sig: EdDSA signature to check ``msg`` against :param str|bytes msg: Message to sign :param Ed25519PrivateKey|Ed25519PublicKey|Ed448PrivateKey|Ed448PublicKey key: A private or public EdDSA key instance :return bool verified: True if signature is valid, False if not. rTFN)rar|rr-r+rrtr)rfrmrirrrZ sig_bytesrrWrWrXrts   zOKPAlgorithm.verifyrur)rirvrJcCsdSrwrWrirvrWrWrXrzszOKPAlgorithm.to_jwkFr{r|cCsdSrwrWrrWrWrXrz sr}cCst|ttfr\|jtjtjd}t|tr.dnd}tt| d|d}|rR|St |St|t t fr|jtjtjtd}|jtjtjd}t|t rdnd}tt| tt| d|d}|r|St |StddS) N)encodingformatEd25519Ed448OKP)rrr)rrZencryption_algorithm)rrrrr)rar.r,Z public_bytesr7ZRawr:rrrrrr-r+Z private_bytesr9r8rr)rirvrrrrrWrWrXrzsB  r~rc Cs2z.t|trt|}nt|tr(|}ntWntk rJtdYnX|ddkrbtd|d}|dkr|dkrtd|d |krtd t|d }zVd |kr|dkrt |WSt |WSt|d }|dkrt |WSt |WStk r,}ztd |W5d}~XYnXdS) NrrrzNot an Octet Key PairrrrrrzOKP should have "x" parameterrzInvalid key parameter)rar|rrrrrrrr.Zfrom_public_bytesr,r-Zfrom_private_bytesr+)rrrrrerrrWrWrXr=s6        zOKPAlgorithm.from_jwkN)F)F) rrrrrrkrortr rrzrrWrWrWrXrVs .rV)^ __future__rrrrsysabcrrtypingrrrrr r r exceptionsrtypesrrutilsrrrrrrrrr version_inforZtyping_extensionsZcryptography.exceptionsrZcryptography.hazmat.backendsrZcryptography.hazmat.primitivesrZ)cryptography.hazmat.primitives.asymmetricr Z,cryptography.hazmat.primitives.asymmetric.ecr!r"r#r$r%r&r'r(r)r*Z/cryptography.hazmat.primitives.asymmetric.ed448r+r,Z1cryptography.hazmat.primitives.asymmetric.ed25519r-r.Z-cryptography.hazmat.primitives.asymmetric.rsar/r0r1r2r3r4r5r6Z,cryptography.hazmat.primitives.serializationr7r8r9r:r;r<r=rQModuleNotFoundErrorrrrZ AllowedKeysZAllowedPrivateKeysZAllowedPublicKeysZrequires_cryptographyrYrZrLrMrSrTrUrVrWrWrWrXsv $ ,      0 ( $   "KF&7