a |f^k@sJddlmZmZddlmZmZddlmZmZddlmZmZddl m Z ddl m Z m Z eddd d ed ddd ed ddd ed dd d edddd edddd edddd edddd eddd d eddd d edd d d edd d d d ZgdZGdddeZGdddeZGdddeZGdddZGd d!d!Zd S)") JWException JWKeyNotFound)JWSEHeaderParameterJWSEHeaderRegistry)base64url_decodebase64url_encode) json_decode json_encode)JWA)JWKJWKSetZ AlgorithmFTNz JWK Set URLz JSON Web KeyzKey IDz X.509 URLzX.509 Certificate Chainz"X.509 Certificate SHA-1 Thumbprintz$X.509 Certificate SHA-256 ThumbprintTypez Content TypeZCriticalzBase64url-Encode Payload) algZjkuZjwkkidZx5uZx5cZx5tzx5t#S256typZctycritb64)ZHS256ZHS384ZHS512ZRS256ZRS384ZRS512ZES256ZES384ZES512ZPS256ZPS384ZPS512ZEdDSAZES256Kcs"eZdZdZdfdd ZZS)InvalidJWSSignaturez_Invalid JWS Signature. This exception is raised when a signature cannot be validated. Ncs>d}|rt|}nd}|r*|dt|7}tt||dS)Nz&Unknown Signature Verification Failure {%s})strsuperr__init__selfmessage exceptionmsg __class__FD:\Projects\storyit_web\backend\venv\Lib\site-packages\jwcrypto/jws.pyr+s zInvalidJWSSignature.__init__)NN__name__ __module__ __qualname____doc__r __classcell__rrrr r%srcs"eZdZdZdfdd ZZS)InvalidJWSObjectzvInvalid JWS Object. This exception is raised when the JWS Object is invalid and/or improperly formatted. Ncs<d}|r|d|7}|r(|dt|7}tt||dS)NzInvalid JWS Objectz [%s]r)rrr'rrrrr r=s  zInvalidJWSObject.__init__)NNr!rrrr r'6sr'cs"eZdZdZdfdd ZZS)InvalidJWSOperationzInvalid JWS Object. This exception is raised when a requested operation cannot be execute due to unsatisfied conditions. Ncs:d}|r|}nd}|r&|dt|7}tt||dS)NzUnknown Operation Failurer)rrr(rrrrr rMszInvalidJWSOperation.__init__)NNr!rrrr r(Fsr(c@s:eZdZdZd ddZddZddZd d Zd d ZdS)JWSCorezThe inner JWS Core object. This object SHOULD NOT be used directly, the JWS object should be used instead as JWS perform necessary checks on the validity of the object and requested operations. NcCsl||_||||_||_|durPt|tr4t|}t||_t | d|_ n i|_d|_ | ||_ dS)aCore JWS token handling. :param alg: The algorithm used to produce the signature. See RFC 7518 :param key: A (:class:`jwcrypto.jwk.JWK`) verification or a (:class:`jwcrypto.jwk.JWKSet`) that contains a key indexed by the 'kid' header. A JWKSet is allowed only for verification operations. :param header: A JSON string representing the protected header. :param payload(bytes): An arbitrary value :param algs: An optional list of allowed algorithms :raises ValueError: if the key is not a (:class:`jwcrypto.jwk.JWK`) :raises InvalidJWAAlgorithm: if the algorithm is not valid, is unknown or otherwise not yet implemented. :raises InvalidJWSOperation: if the algorithm is not allowed. Nutf-8)r_jwaenginekey isinstancedictr rheaderrencode protected_payloadpayload)rrr.r1r5algsrrr ras  zJWSCore.__init__cCs&|dur t}||vrtdt|S)NzAlgorithm not allowed)default_allowed_algsr(r Z signing_alg)rnameallowedrrr r,s z JWSCore._jwacCs8|jddrt|dSt|tr*|S|dSdS)NrTr*)r1getrr2r/bytesrr5rrr r4s  zJWSCore._payloadcCsPt|jtstdd|jd|jg}|j |j|}|j|jt |dS)zGenerates a signaturezkey is not a JWK object.r*)r3r5 signature) r/r.r ValueErrorjoinr3r2r5r-signr)rsiginr>rrr rAs z JWSCore.signc Csbz.d|jd|jg}|j|j||Wn.ty\}ztd|WYd}~n d}~00dS)zVerifies a signature :raises InvalidJWSSignature: if the verification fails. :return: Returns True or an Exception :rtype: `bool` r=r*zVerification failedNT) r@r3r2r5r-verifyr. Exceptionr)rr>rBerrr rCs zJWSCore.verify)N) r"r#r$r%rr,r4rArCrrrr r)Xs  !  r)c@seZdZdZd+ddZeddZejddZedd Zd d Z d,d d Z ddZ d-ddZ ddZ ddZd.ddZd/ddZd0ddZeddZdd Zed!d"Zed#d$Zd%d&Zd'd(Zd)d*ZdS)1JWSzFJSON Web Signature object This object represent a JWS token. NcCs:i|_||jd<d|_d|_tt|_|r6|j|dS)zCreates a JWS object. :param payload(bytes): An arbitrary value (optional). :param header_registry: Optional additions to the header registry r5N)objects verifylog _allowed_algsrJWSHeaderRegistryheader_registryupdate)rr5rKrrr rs  z JWS.__init__cCs|jr |jStSdS)zAllowed algorithms. The list of allowed algorithms. Can be changed by setting a list of algorithm names. N)rIr7rrrr allowed_algsszJWS.allowed_algscCst|tstd||_dS)NzAllowed Algs must be a list)r/list TypeErrorrI)rr6rrr rNs cCs|jddS)NvalidF)rGr:rMrrr is_validsz JWS.is_validcGsd}g}|dur|d|vrZ|d}|D]4}||jvr@td|q$|j|js$td|q$|}d|vr|t|dts|td|D]l}|durq|duri}t|D]:}||jvr|j|jrtd|||vrtd|q||q|D]}||vrtd|q|S) NrzUnknown critical header: "%s"z!Unsupported critical header: "%s"rzb64 header must be a booleanz"%s" must be protectedzDuplicate header: "%s"zMissing critical header "%s") rKr' supportedr/boolrOkeysZ mustprotectrL)rr3headersr1rkZhnhrrr _merge_check_headerssD      zJWS._merge_check_headersc Csi}|dur&t|}t|ts&td|rr3r1pZchk_hdrshdrZ resulting_algZsignerrUZkid_keysrWZsigner2rEZkeyidrrr _verifyst                z JWS._verifycCs6|d}|dur2|dus&t|dkr*|Std|S)Nr5rz4Object Payload present but Detached Payload provided)r:lenr()robjZdpoprrr _get_obj_payloadEs  zJWS._get_obj_payloadc Csg|_d|jd<|j}d}d|vr|||}z4|||||d|dd|ddd|d<WnFty}z.t|trd}|jdt |WYd}~n d}~00nd |vrR|||}|d D]}z4|||||d|dd|ddd|d<WqtyL}z0t|tr$d}|jdt |WYd}~qd}~00qnt d |j s|rptd t d t |jdS) a Verifies a JWS token. :param key: A (:class:`jwcrypto.jwk.JWK`) verification or a (:class:`jwcrypto.jwk.JWKSet`) that contains a key indexed by the 'kid' header. :param alg: The signing algorithm (optional). Usually the algorithm is known as it is provided with the JOSE Headers of the token. :param detached_payload: A detached payload to verify the signature against. Only valid for tokens that are not carrying a payload. :raises InvalidJWSSignature: if the verification fails. :raises InvalidJWSOperation: if a detached_payload is provided but an object payload exists :raises JWKeyNotFound: if key is a JWKSet and the key is not found. FrQr>r3Nr1Tz Failed: [%s] signatureszNo signatures availabler[z&Verification failed for all signatures) rHrGrfrbr:rDr/rr\r_rrR) rr.rZdetached_payloadrdZ missingkeyr5rEorrr rCOsP      ,       .z JWS.verifycCsRdtt|di}d|vr:tt|d}|d|d<d|vrN|d|d<|S)Nr>r3r*r1)rrdecode)rsrhr`rrr _deserialize_signatures zJWS._deserialize_signaturecCsn|durd}n,t|}|d}|dur:t|ts:td|d}||krPdS|durb||d<ntddS)Nrzb64 header must be booleanzconflicting b64 values)rr:r/rTr')rrhr3Zb64nr`rrrr _deserialize_b64s    zJWS._deserialize_b64c Csi|_i}zLzt|}d|vrbg|d<|dD].}||}|d||||dq0n||}|||dd|vr|ddrtt|d|d<n |d|d<WntyN| d}t |dkrt dd tt|d } t | d kr"| d |d<|||dtt|d |d<tt|d |d<Yn0||_Wn0t y} zt d| WYd } ~ n d } ~ 00|r|||d S)awDeserialize a JWS token. NOTE: Destroys any current status and tries to import the raw JWS provided. If a key is provided a verification step will be attempted after the object is successfully deserialized. :param raw_jws: a 'raw' JWS token (JSON Encoded or Compact notation) string. :param key: A (:class:`jwcrypto.jwk.JWK`) verification or a (:class:`jwcrypto.jwk.JWKSet`) that contains a key indexed by the 'kid' header (optional). :param alg: The signing algorithm (optional). Usually the algorithm is known as it is provided with the JOSE Headers of the token. :raises InvalidJWSObject: if the raw object is an invalid JWS token. :raises InvalidJWSSignature: if the verification fails. :raises JWKeyNotFound: if key is a JWKSet and the key is not found. rgr3r5rT.zUnrecognized representationNrr*r>zInvalid format)rGrrkr\rlr:rrr?splitrcr'rirDrC) rZraw_jwsr.rrhZdjwsrjosdatar`rErrr deserializesD        zJWS.deserializec Csd}|r$t|trt|}t|}nt}dt|vr^|dg}d|vrVtd|d}d|jvr~||jdkr~tdd}|rt|trt|}t|}| ||}d|vr|dur|d}n||dkrt d|durt d t ||||jd |j } | } t| d dd } |r,|| d <|r:|| d<d|jvrX|jd| nd |jvrg|jd<d |jd i} d |jvr|jd | d <d|jvr|jd| d<d|jvr|jd| d<|jd| |jd| n|j| ||jd<dS)a Adds a new signature to the object. :param key: A (:class:`jwcrypto.jwk.JWK`) key of appropriate for the "alg" provided. :param alg: An optional algorithm name. If already provided as an element of the protected or unprotected header it can be safely omitted. :param protected: The Protected Header (optional) :param header: The Unprotected Header (optional) :raises InvalidJWSObject: if invalid headers are provided. :raises ValueError: if the key is not a (:class:`jwcrypto.jwk.JWK`) :raises ValueError: if the algorithm is missing or is not provided by one of the headers. :raises InvalidJWAAlgorithm: if the algorithm is not valid, is unknown or otherwise not yet implemented. Trrz"b64 header must always be criticalzMixed b64 headers on signaturesNrzF"alg" value mismatch, specified "alg" does not match JOSE header valuez"alg" not specifiedr5r>)r>rQr3r1rgrQ)r/r0r rrOrUr:r'rGrYr?r)rNrArr\poprL) rr.rr3r1rr`rrXcsigrhnrrr add_signaturesl                zJWS.add_signatureFc CsX|rd|jvrtdd|jvr*td|jdds@tdd|jvrxt|jd}d |vrhtd t|jd}ntd |jd r|jd drt|jd }qt|jd tr|jd d}n |jd }d|vrtdnd}d ||t|jdgS|j}i}|jd d}|jd drzNo available signaturerQFzNo valid signature foundr3rz5Compact encoding must carry 'alg' in protected headerz3Can't use compact encoding without protected headerr5rTr*rmzKCan't use compact encoding with unencoded payload that uses the . characterr+r1rN) rGr(rr:rrr/r;rir@r\rcr ) rcompactr`r3r5rdrwrhrjrrr serialize=sp               z JWS.serializecCs|jstd|jdS)NzPayload not verifiedr5)rRr(rGr:rMrrr r5sz JWS.payloadcCs|jdddS)Nr5)rGrurMrrr detach_payloadszJWS.detach_payloadcCs|j}d|vrr3r1rgzJOSE Header(s) not available)rGrrYr:r\r()rrdr`ZjhlrhZjhrrr r]s"   zJWS.jose_headercCs|}|||S)aCreates a JWS object from a serialized JWS token. :param token: A string with the json or compat representation of the token. :raises InvalidJWSObject: if the raw object is an invalid JWS token. :return: A JWS token :rtype: JWS )rt)clstokenrdrrr from_jose_tokens  zJWS.from_jose_tokencCsDt|tsdSz||kWSty>|j|jkYS0dS)NF)r/rFr{rDrG)rotherrrr __eq__s   z JWS.__eq__cCs*z |WSty$|YS0dS)N)r{rD__repr__rMrrr __str__s  z JWS.__str__cCsFzd|dWSty@|jdd}d|dYS0dS)NzJWS.from_json_token("z")r5r*z JWS(payload=))r{rDrGrir<rrr rs  z JWS.__repr__)NN)N)NN)NN)NNN)F)r"r#r$r%rpropertyrNsetterrRrYrbrfrCrkrlrtryr{r5r|r] classmethodrrrrrrrr rFs6    ' C ;  > [ P   rF)Zjwcrypto.commonrrrrrrrr Z jwcrypto.jwar Z jwcrypto.jwkr r rJr7rr'r(r)rFrrrr s8            V