ddhtddlmZddlZddlZddlZddlZddlmZmZddl m Z m Z m Z m Z mZmZmZddlmZddlmZmZddlmZmZmZmZmZmZmZmZmZej@d k\rdd l m!Z!ndd l"m!Z! dd l#m$Z$dd l%m&Z&dd l'm(Z(ddl)m*Z*ddl+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4m5Z5ddl6m7Z7m8Z8ddl9m:Z:m;Z;ddlZ>m?Z?m@Z@mAZAmBZBmCZCmDZDddlEmFZFmGZGmHZHmIZImJZJmKZKmLZLdZMe r3e=e?zZOe2e4zZPe:e;ze7ze8zZQeOePzeQzZRe=e2ze:ze7zZSe?e4ze;ze8zZThdZUd&dZVGddeZWGddeWZXGddeWZYeMr-GddeWZZGd d!eWZ[Gd"d#eZZ\Gd$d%eWZ]yy#eN$rdZMYwxYw)') annotationsN)ABCabstractmethod) TYPE_CHECKINGAnyClassVarNoReturnUnioncastoverloadInvalidKeyError) HashlibHashJWKDict) base64url_decodebase64url_encodeder_to_raw_signature force_bytesfrom_base64url_uint is_pem_format is_ssh_keyraw_to_der_signatureto_base64url_uint))Literal)InvalidSignature)default_backend)hashes)padding) ECDSA SECP256K1 SECP256R1 SECP384R1 SECP521R1 EllipticCurveEllipticCurvePrivateKeyEllipticCurvePrivateNumbersEllipticCurvePublicKeyEllipticCurvePublicNumbers)Ed448PrivateKeyEd448PublicKey)Ed25519PrivateKeyEd25519PublicKey) RSAPrivateKeyRSAPrivateNumbers RSAPublicKeyRSAPublicNumbers rsa_crt_dmp1 rsa_crt_dmq1 rsa_crt_iqmprsa_recover_prime_factors)Encoding NoEncryption PrivateFormat PublicFormatload_pem_private_keyload_pem_public_keyload_ssh_public_keyTF> ES256ES384ES512ES521EdDSAPS256PS384PS512RS256RS384RS512ES256Kctttjttjttjd}t r#|j ttjttjttjttjttjttjttjttjttjttjttjtd |S)zE Returns the algorithms that are implemented by the library. )noneHS256HS384HS512) rGrHrIr?rJr@rBrArDrErFrC) NoneAlgorithm HMACAlgorithmSHA256SHA384SHA512 has_cryptoupdate RSAAlgorithm ECAlgorithmRSAPSSAlgorithm OKPAlgorithm)default_algorithmss 0/usr/lib/python3/dist-packages/jwt/algorithms.pyget_default_algorithmsr]ps }334}334}334 !!%l&9&9:%l&9&9:%l&9&9:$[%7%78%k&8&89$[%7%78$[%7%78$&&))?)?@()?)?@()?)?@%  & ceZdZdZd dZed dZed dZeddZe e eddZ e e edddZ e edddZ e edd Z y ) AlgorithmzH The interface for an algorithm used to sign and verify tokens. cft|dd}|ttrxt|trht |t jrNt j|t}|j|t|jSt||jS)z Compute a hash digest using the specified algorithm's hash algorithm. If there is no hash algorithm, raises a NotImplementedError. hash_algN)backend)getattrNotImplementedErrorrU isinstancetype issubclassr HashAlgorithmHashrrVbytesfinalizedigest)selfbytestrrbrms r\compute_hash_digestzAlgorithm.compute_hash_digests4T2  % % 8T*8V%9%9:[[_5FGF MM' "*+ +'*1134 4r^cy)z Performs necessary validation and conversions on the key and returns the key value in the proper format for sign() and verify(). Nrnkeys r\ prepare_keyzAlgorithm.prepare_keyr^cy)zn Returns a digital signature for the specified message using the specified key value. Nrrrnmsgrts r\signzAlgorithm.signrvr^cy)zz Verifies that the specified digital signature is valid for the specified message and key values. Nrrrnryrtsigs r\verifyzAlgorithm.verifyrvr^cyNrrkey_objas_dicts r\to_jwkzAlgorithm.to_jwk r^cyrrrrs r\rzAlgorithm.to_jwkrr^cy)z3 Serializes a given key into a JWK Nrrrs r\rzAlgorithm.to_jwkrvr^cy)zJ Deserializes a given key from JWK back into a key object Nrrjwks r\from_jwkzAlgorithm.from_jwkrvr^N)rorkreturnrk)rtrrr)ryrkrtrrrk)ryrkrtrr}rkrbool)r Literal[True]rrF)rLiteral[False]rstr)rrrUnion[JWKDict, str])r str | JWKDictrr) __name__ __module__ __qualname____doc__rprrurzr~r staticmethodrrrrr^r\r`r`s5,              r^r`cNeZdZdZddZd dZd dZed d dZed dZ y)rPzZ Placeholder for use when no signing or verification operations are required. c.|dk(rd}| td|S)Nz*When alg = "none", key value must be None.rrss r\ruzNoneAlgorithm.prepare_keys$ "9C ?!"NO O r^cy)Nr^rrrxs r\rzzNoneAlgorithm.signsr^cy)NFrrr|s r\r~zNoneAlgorithm.verifysr^ctrrers r\rzNoneAlgorithm.to_jwk !##r^ctrrrs r\rzNoneAlgorithm.from_jwkrr^N)rtz str | NonerNone)ryrkrtrrrk)ryrkrtrr}rkrrr)rrrrrr )rrrr ) rrrrrurzr~rrrrrr^r\rPrPs> $$$$r^rPceZdZUdZej Zded<ejZ ded<ejZ ded<ddZ ddZ eeddZeeddd Zeddd Zedd Zdd Zdd Zy)rQzf Performs signing and verification operations using HMAC and the specified hash function. zClassVar[HashlibHash]rRrSrTc||_yrrbrnrbs r\__init__zHMACAlgorithm.__init__s   r^c^t|}t|s t|r td|S)NzdThe specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret.)rrrrrnrt key_bytess r\ruzHMACAlgorithm.prepare_keys5$  #z)'<!9  r^cyrrrrs r\rzHMACAlgorithm.to_jwk r^cyrrrrs r\rzHMACAlgorithm.to_jwkrr^c~tt|jdd}|r|Stj|S)Noct)kkty)rrdecodejsondumps)rrrs r\rzHMACAlgorithm.to_jwks<"+g"67>>@  J::c? "r^c  t|trtj|}nt|tr|}nt |jddk7r t dt|dS#t $r t dwxYw)NKey is not valid JSONrrzNot an HMAC keyr) rfrrloadsdict ValueErrorrgetr)robjs r\rzHMACAlgorithm.from_jwk)s} ;#s##zz#C&   775>U "!"34 4C))  ;!"9: : ;s ?A..Bc`tj|||jjSr)hmacnewrbrmrxs r\rzzHMACAlgorithm.sign:s"xxS$--07799r^cNtj||j||Sr)rcompare_digestrzr|s r\r~zHMACAlgorithm.verify=s ""3 #s(;<r<rr=rs r\ruzRSAAlgorithm.prepare_keyPs# |<= cE3<0 @AA#C(I J'' 3 .A).LMM%';IPT'U JL*=i*HII Js)B 0B "B0/B0cyrrrrs r\rzRSAAlgorithm.to_jwkc r^cyrrrrs r\rzRSAAlgorithm.to_jwkhrr^c d}t|dr;|j}ddgt|jjj t|jj j t|jj t|jj t|jj t|jj t|jj t|jj d }nrt|dr[|j}ddgt|jj t|j j d}n td|r|Stj|S)Nprivate_numbersRSArz) rkey_opsnedpqdpdqqir~)rrrrNot a public or private key)hasattrrrpublic_numbersrrrrrrdmp1dmq1iqmprrr)rrrnumberss r\rzRSAAlgorithm.to_jwkmsd*.Cw 12!113! &x*7+A+A+C+CDKKM*7+A+A+C+CDKKM*7995<<>*7995<<>*7995<<>+GLL9@@B+GLL9@@B+GLL9@@B (+!002! (z*7995<<>*7995<<> &&CDD zz#&r^c 4 t|trtj|}nt|tr|}nt |jddk7r t dd|vrSd|vrNd|vrId|vr t d gd }|Dcgc]}||v}}t|}|rt|s t d tt|dt|d}|rjtt|dt|d t|d t|dt|dt|d|}|j'St|d}t|j||j\} } t|| | t!|| t#|| t%| | |}|j'Sd|vr6d|vr2tt|dt|dj)St d#t $r t dwxYwcc}w)NrrrzNot an RSA keyrrrothz5Unsupported RSA private key: > 2 primes not supported)rrrrrz@RSA key must include all parameters if any are present besides drrrrr)rrrrrrrr)rfrrrrrrranyallr3rr1r7rrr4r5r6 private_key public_key) rr other_propsprop props_foundany_props_foundrrrrrs r\rzRSAAlgorithm.from_jwks0 ?c3'**S/CT*C$$wwu~&%&677czcSjSCZC<)O; 7BCtts{C C"%k"2"3{+;)Z"2'C1'C1" #/-c#h7-c#h7-c#h70T;0T;0T;'5G2**,,,CH5A4&((!^-=-=DAq0)!Q/)!Q/)!Q/'5G**,,s ''C1'C1*, &&CDD{ ?%&=>> ?Ds?G= H=Hch|j|tj|jSr)rzr!PKCS1v15rbrxs r\rzzRSAAlgorithm.signs$88C!1!1!3T]]_E Er^c |j||tj|jy#t$rYywxYw)NTF)r~r!rrbrr|s r\r~zRSAAlgorithm.verifys=  3W%5%5%7I#  s47 AANrbztype[hashes.HashAlgorithm]rr)rtzAllowedRSAKeys | str | bytesrAllowedRSAKeys)rrrrrrr)rrrrrr)rrrrrr)rrrrryrkrtr0rrkryrkrtr2r}rkrr)rrrrr rRrrSrTrrur rrrrzr~rrr^r\rWrWCs 8>}}4D7=}}4D7=}}4D % J&             5:& '#& '.2& ' & ' & 'P E E E EN F r^rWceZdZUdZej Zded<ejZded<ejZded<ddZ ddZ ddZ dd Z e edd Ze eddd Ze d dd Zedd Zy)rXzr Performs signing and verification operations using ECDSA and the specified hash function rrRrSrTc||_yrrrs r\rzECAlgorithm.__init__rr^cZt|ttfr|St|ttfs t dt |} |jdr t|}n t|}t|ttfs td|S#t$rt|d}Y;wxYw)Nrs ecdsa-sha2-rzcExpecting a EllipticCurvePrivateKey/EllipticCurvePublicKey. Wrong key provided for ECDSA algorithms) rfr(r*rkrrrrr>r=rr<r)rnrtr crypto_keys r\ruzECAlgorithm.prepare_keys# 79OPQ cE3<0 @AA#C(I  L''7!4Y!?J!4Y!?J 46LM&y  L1)dK  Ls(BB*)B*c|j|t|j}t||jSr)rzr"rbrcurve)rnryrtder_sigs r\rzzECAlgorithm.signs.hhsE$--/$:;G'; ;r^c t||j} t|tr|j n|}|j ||t|jy#t$rYywxYw#t$rYywxYw)NFT) rrrrfr(rr~r"rbr)rnryrtr}rrs r\r~zECAlgorithm.verifys .sCII> "#'>?NN$ !!'3dmmo0FG  $  s#A&A A5& A21A25 BBcyrrrrs r\rzECAlgorithm.to_jwk)rr^cyrrrrs r\rzECAlgorithm.to_jwk.rr^ct|tr|jj}n,t|tr|j}n t dt|j trd}not|j trd}nRt|j trd}n5t|j trd}nt d|j d|t|jjt|jjd}t|tr4t|jj j|d <|r|St#j$|S) NrP-256P-384P-521 secp256k1Invalid curve: EC)rcrvxyr)rfr(rrr*rrr$r%r&r#rr rr r private_valuerr)rrrr rs r\rzECAlgorithm.to_jwk3s9'#:;!(!3!3!5!D!D!FG%;> ?s ?JJ1Nr)rtzAllowedECKeys | str | bytesr AllowedECKeys)ryrkrtr(rrk)ryrkrtz'AllowedECKeys'r}rkrr)rrrrrrr)rrrrrr)rrrrrr)rrrr)rrrrr rRrrSrTrrurzr~r rrrrrr^r\rXrXs 8>}}4D7=}}4D7=}}4D % < <  "             49$ '"$ '-1$ ' $ ' $ 'L A  A r^rXc eZdZdZddZddZy)rYzA Performs a signature using RSASSA-PSS with MGF1 c |j|tjtj|j |j j |j S)Nmgf salt_length)rzr!PSSMGF1rb digest_sizerxs r\rzzRSAPSSAlgorithm.signsN88  T]]_5 $  ; ;   r^c  |j||tjtj|j |j j |j y#t $rYywxYw)NrTF)r~r!rrrbrrr|s r\r~zRSAPSSAlgorithm.verifysh  KK#LL9$(MMO$?$?MMO#  sA0A33 A?>A?Nrr)rrrrrzr~rrr^r\rYrYs   r^rYceZdZdZd dZd dZ d dZ ddZee ddZ ee dddZ e dddZ e dd Z y )rZz Performs signing and verification operations using EdDSA This class requires ``cryptography>=2.6`` to be installed. c yrrr)rnkwargss r\rzOKPAlgorithm.__init__s r^c~t|ttfr{t|tr|jdn|}t|tr|j dn|}d|vr t |}n%d|vrt |d}n|dddk(r t|}t|ttttfs td|S) Nutf-8z-----BEGIN PUBLICz-----BEGIN PRIVATErrzssh-zcExpecting a EllipticCurvePrivateKey/EllipticCurvePublicKey. Wrong key provided for EdDSA algorithms) rfrkrrencoder=r<r>r.r/r,r-r)rnrtkey_strrs r\ruzOKPAlgorithm.prepare_keys#s|,1;C1G#**W-S3=c33GCJJw/S &'1-i8C)W4.y4HCQq\V+-i8C"$4o~V&yJr^cjt|tr|jdn|}|j|S)aS Sign a message ``msg`` using the EdDSA private key ``key`` :param str|bytes msg: Message to sign :param Ed25519PrivateKey}Ed448PrivateKey key: A :class:`.Ed25519PrivateKey` or :class:`.Ed448PrivateKey` isinstance :return bytes signature: The signature, as bytes r%)rfrr'rz)rnryrt msg_bytess r\rzzOKPAlgorithm.signs,0:#s/C 7+I88I& &r^c$ t|tr|jdn|}t|tr|jdn|}t|ttfr|j n|}|j ||y#t$rYywxYw)a Verify a given ``msg`` against a signature ``sig`` using the EdDSA key ``key`` :param str|bytes sig: EdDSA signature to check ``msg`` against :param str|bytes msg: Message to sign :param Ed25519PrivateKey|Ed25519PublicKey|Ed448PrivateKey|Ed448PublicKey key: A private or public EdDSA key instance :return bool verified: True if signature is valid, False if not. r%TF)rfrr'r.r,rr~r)rnryrtr}r* sig_bytesrs r\r~zOKPAlgorithm.verifys 3=c33GCJJw/S 3=c33GCJJw/S "#(9?'KLNN$ !!)Y7#  sBB BBcyrrrrtrs r\rzOKPAlgorithm.to_jwkrr^cyrrrr.s r\rzOKPAlgorithm.to_jwk rr^cFt|ttfr|jtj t j }t|trdnd}tt|jd|d}|r|Stj|St|ttfr|jtj tj t!}|j#jtj t j }t|trdnd}tt|jtt|jd|d}|r|Stj|St%d) N)encodingformatEd25519Ed448OKP)r rr )r1r2encryption_algorithm)r rrr r)rfr/r- public_bytesr8Rawr;rrrrrr.r, private_bytesr:r9rr)rtrr r rrs r\rzOKPAlgorithm.to_jwks\# 0.AB$$%\\'++%$.c3C#Di'*+a.9@@B  J::c?*# 1?CD%%%\\(,,)5& NN$11%\\'++2 $.c3D#Ei7)+a.9@@B)+a.9@@B  J::c?*!"?@ @r^c t|trtj|}nt|tr|}nt |jddk7r t d|jd}|dk7r|dk7rt d|d |vr t d t|jd } d |vr/|dk(rtj|Stj|St|jd }|dk(rtj|Stj|S#t $r t dwxYw#t $r}t d |d}~wwxYw) Nrrr5zNot an Octet Key Pairr r3r4rr zOKP should have "x" parameterrzInvalid key parameter)rfrrrrrrrrr/from_public_bytesr-r.from_private_bytesr,)rrrr rerrs r\rzOKPAlgorithm.from_jwk=sU ?c3'**S/CT*C$$wwu~&%&=>>GGENE !ew&6%w&?@@#~%&EFF .A Hc> )/AA!DD);;A>>$SWWS\2I%,??BB&99!<<- ?%&=>> ?. H%&=>CG Hs5?D/3EE&3EE/E E! EE!N)r#rrr)rtzAllowedOKPKeys | str | bytesrAllowedOKPKeys)ryrrtz#Ed25519PrivateKey | Ed448PrivateKeyrrk)ryrrtr>r}rrr)rtr>rrrrr)rtr>rrrr)rtr>rrrr)rrrr>) rrrrrrurzr~r rrrrrr^r\rZrZs   . '" ')L '  ' " )7 >I   4             , A , A\  H  Hr^rZ)rzdict[str, Algorithm])^ __future__rrrrsysabcrrtypingrrrr r r r exceptionsrtypesrrutilsrrrrrrrrr version_infortyping_extensionscryptography.exceptionsrcryptography.hazmat.backendsrcryptography.hazmat.primitivesr )cryptography.hazmat.primitives.asymmetricr!,cryptography.hazmat.primitives.asymmetric.ecr"r#r$r%r&r'r(r)r*r+/cryptography.hazmat.primitives.asymmetric.ed448r,r-1cryptography.hazmat.primitives.asymmetric.ed25519r.r/-cryptography.hazmat.primitives.asymmetric.rsar0r1r2r3r4r5r6r7,cryptography.hazmat.primitives.serializationr8r9r:r;r<r=r>rUModuleNotFoundErrorrrr> AllowedKeysAllowedPrivateKeysAllowedPublicKeysrequires_cryptographyr]r`rPrQrWrXrYrZrrr^r\rVs" #PPP''   v)/8<5A      J "\1N+.DDM,,>O!=0>AK//2CCoU --0@@>Q  DH H V$I$