a !f]@sPddlZddlmZddlmZmZddlmZmZddlmZm Z ddlm Z m Z ddl m Z ddlmZed d d ded d d ded d d dedd d dedd d dedd d dedd d dedd d dedd d dedd d dedd d dedd d dedd d dd ZgdZGdddeZejZejZejZejZGdddZdS)N)common) JWException JWKeyNotFound)JWSEHeaderParameterJWSEHeaderRegistry)base64url_decodebase64url_encode) json_decode json_encode)JWA)JWKSetZ AlgorithmFTzEncryption AlgorithmzCompression Algorithmz JWK Set URLz JSON Web KeyzKey IDz X.509 URLzX.509 Certificate Chainz"X.509 Certificate SHA-1 Thumbprintz$X.509 Certificate SHA-256 ThumbprintTypez Content TypeZCritical) algenczipZjkuZjwkkidZx5uZx5cZx5tzx5t#S256typZctycrit)zRSA-OAEPz RSA-OAEP-256ZA128KWZA192KWZA256KWdirzECDH-ESzECDH-ES+A128KWzECDH-ES+A192KWzECDH-ES+A256KWZ A128GCMKWZ A192GCMKWZ A256GCMKWzPBES2-HS256+A128KWzPBES2-HS384+A192KWzPBES2-HS512+A256KWz A128CBC-HS256z A192CBC-HS384z A256CBC-HS512ZA128GCMZA192GCMZA256GCMcs"eZdZdZdfdd ZZS)InvalidJWEDatazvInvalid JWE Object. This exception is raised when the JWE Object is invalid and/or improperly formatted. Ncs:d}|r|}nd}|r&|dt|7}tt||dS)Nz!Unknown Data Verification Failurez {%s})strsuperr__init__)selfmessage exceptionmsg __class__M/var/www/html/python-backend/venv/lib/python3.9/site-packages/jwcrypto/jwe.pyr8szInvalidJWEData.__init__)NN)__name__ __module__ __qualname____doc__r __classcell__rrrr r1src@seZdZdZd/ddZddZddZed d Zej d d Zd d Z d0ddZ ddZ ddZ d1ddZd2ddZddZddZddZdd Zd3d!d"Zed#d$Zed%d&Zed'd(Zd)d*Zd+d,Zd-d.ZdS)4JWEzGJSON Web Encryption object This object represent a JWE token. Nc Csd|_i|_d|_tt|_|r,|j||durRt|trF||_n | d|_d|_ d|_ |rl||jd<|rt|t rt |}nt|||jd<|rt|t rt |}nt|||jd<|r||_|r|j||dn |rtddS)aBCreates a JWE token. :param plaintext(bytes): An arbitrary plaintext to be encrypted. :param protected: A JSON string with the protected header. :param unprotected: A JSON string with the shared unprotected header. :param aad(bytes): Arbitrary additional authenticated data :param algs: An optional list of allowed algorithms :param recipient: An optional, default recipient key :param header: An optional header for the default recipient :param header_registry: Optional additions to the header registry Nutf-8aad protected unprotected)headerz-Header is allowed only with default recipient) _allowed_algsobjects plaintextrJWEHeaderRegistryheader_registryupdate isinstancebytesencodecek decryptlogdictr r add_recipient ValueError) rr.r)r*r(algsZ recipientr+r0rrr rPs<           z JWE.__init__cCs$|jpt}||vrtdt|SNzAlgorithm not allowed)r,default_allowed_algsInvalidJWEOperationr Z keymgmt_algrnameallowedrrr _jwa_keymgmts zJWE._jwa_keymgmtcCs$|jpt}||vrtdt|Sr;)r,r<r=r Zencryption_algr>rrr _jwa_encs z JWE._jwa_enccCs|jr |jStSdS)zAllowed algorithms. The list of allowed algorithms. Can be changed by setting a list of algorithm names. N)r,r<rrrr allowed_algsszJWE.allowed_algscCst|tstd||_dS)NzAllowed Algs must be a list)r2list TypeErrorr,)rr:rrr rDs cCs4t|D]}||vr td|q |||S)NzDuplicate header: "%s")rEkeysrr1)rZh1Zh2krrr _merge_headerss  zJWE._merge_headerscCshi}d|jvr(t|jd}|||}d|jvrLt|jd}|||}|rdt|}|||}|S)Nr)r*)r-r rI)rr+jhphZuhZrhrrr _get_jose_headers     zJWE._get_jose_headercCsT|dd}|durtd||}|dd}|durBtd||}||fS)NrzMissing "alg" from headersrzMissing "enc" from headers)getrrArB)rrJZalgnamerZencnamerrrr _get_alg_enc_from_headerss    zJWE._get_alg_enc_from_headersc Cst|jdd}d|jvr2|dt|jd7}|d}|dd}|dkrft|jdd }n|durv|j}ntd ||j ||\}}} ||jd <||jd <| |jd <dS)Nr)r(.r'rDEFUnknown compressioniv ciphertexttag) rr-rMr4zlibcompressr.r9Zencryptr5) rrrrJr(rYdatarUrVrWrrr _encrypts     z JWE._encryptc Cs|jdurtdt|jts&tdt|tr8t|}||}||\}}i}|r`||d<|||j |j |}|d|_ d|vr|d|d<d|vrt | dd}| ||d} t| |d<d |jvr||||d |jvr|jd |nd|jvsd|jvrzg|jd <i} d|jvr<|jd| d<d|jvrX|jd| d<|jd | |jd |n |j|dS) aEncrypt the plaintext with the given key. :param key: A JWK key or password of appropriate type for the 'alg' provided in the JOSE Headers. :param header: A JSON string representing the per-recipient header. :raises ValueError: if the plaintext is missing or not of type bytes. :raises ValueError: if the compression type is unknown. :raises InvalidJWAAlgorithm: if the 'alg' provided in the JOSE headers is missing or unknown, or otherwise not implemented. NzMissing plaintextzPlaintext must be 'bytes'r+r5Zek encrypted_keyz{}rV recipients)r.r9r2r3r7r rLrNwrap wrap_key_sizer5r rMrIr-r[appendpopr1) rkeyr+rJrrrecwrappedhZnhnrrr r8sB            zJWE.add_recipientFc Csd|jvrtd|rbdD]}||jvrtd|qd|jvrLtdn,t|jd}dD]}||vr^td|q^d |jvrt|jd d krtd |jd d }n|j}d |vrt|d }t|jd}|||}t||jd<|}||\} } || | ||d =d t |jdt | ddt |jdt |jdt |jdgS|j} t | dt | dt |jdd} d| vrt | d| d<d| vrt| d| d<d| vrt | d| d<d | vrFg| d <| d D]L}i} d|vrt |d| d<d |vr2t|d | d <| d  | qn4d| vr`t | d| d<d | vrzt| d | d <t| SdS)aSerializes the object into a JWE token. :param compact(boolean): if True generates the compact representation, otherwise generates a standard JSON format. :raises InvalidJWEOperation: if the object cannot be serialized with the compact representation and `compact` is True. :raises InvalidJWEOperation: if no recipients have been added to the object. :return: A json formatted string or a compact representation string :rtype: `str` rVNo available ciphertext)r(r*z9Can't use compact encoding when the '%s' parameter is setr)z4Can't use compact encoding without protected headers)rrz@Can't use compact encoding, '%s' must be in the protected headerr]zInvalid number of recipientsrr+rPr\rOrUrW)rVrUrWr*r(N) r-r=r lenrIr rLrNr[joinrrMr`) rcompactinvalidrKrequiredrcreZnphrJrrobjerrr serialize s                        z JWE.serializecCs>|D]4}||jvr td|q|j|jstd|qdS)NzUnknown critical header: "%s"z!Unsupported critical header: "%s")r0r supported)rrrHrrr _check_critas  zJWE._check_critc Cs:|||j||} || |||| } |jd| |_| S)NSuccess)unwrapr_decryptr6r`r5) rrrrbZenckeyr+r(rUrVrWr5rZrrr _unwrap_decryptjs  zJWE._unwrap_decryptc Cs,||dd}||di|D]$}||jvr(|j||s(tdq(||dd}||dd}t|j dd}d|j vr|d t|j d7}| d }t |t r|}d |j vr||j d } | std |j d | }|D]} zL|||| |d d|||j d|j d|j d } |jdWqWqty} z4| d | } |jd| t| WYd} ~ qd} ~ 00qd|jvrtdn4|||||d d|||j d|j d|j d } |dd}|dkrt| tj |_n|dur | |_ntddS)Nr+rzFailed header checkrrr)rOr(rPr'rzKey ID {} not in key setr\rUrVrWrszKey [{}] failed: [{}]zNo working key found in key setrrQrT)rLrMrrr0Z check_headerrrArBrr-r4r2r jose_headerZget_keysrformatrvr6r` ExceptionZ thumbprintreprrX decompress MAX_WBITSr.r9)rrbZpperJhdrrrr(rGZkid_keysrHrZroZkeyidrYrrr _decryptssd                    z JWE._decryptc Csd|jvrtdg|_d}d|jvr|jdD]\}z|||Wq0ty}z.t|trbd}|jdt|WYd}~q0d}~00q0nZz|||jWnFty}z.t|trd}|jdt|WYd}~n d}~00|j s|rtdt d t|jdS) a@Decrypt a JWE token. :param key: The (:class:`jwcrypto.jwk.JWK`) decryption key. :param key: A (:class:`jwcrypto.jwk.JWK`) decryption key, or a (:class:`jwcrypto.jwk.JWKSet`) that contains a key indexed by the 'kid' header or (deprecated) a string containing a password. :raises InvalidJWEOperation: if the key is not a JWK object. :raises InvalidJWEData: if the ciphertext can't be decrypted or the object is otherwise malformed. :raises JWKeyNotFound: if key is a JWKSet and the key is not found. rVrgFr]Tz Failed: [%s]NzKey Not found in JWKSetz%No recipient matched the provided key) r-r=r6rrzr2rr`r{r.r)rrbZ missingkeyrcrorrr rus0   . *z JWE.decryptc CsNi|_d|_d|_i}zz&t|}t|d|d<t|d|d<t|d|d<d|vrxt|d}|d|d<d|vrt|d|d<d|vrt|d|d<d |vr g|d <|d D]F}i}d |vrt|d |d <d |vrt|d |d <|d |qn4d |vr&t|d |d <d |vr@t|d |d <Wnty}z| d }t |d krtt |t|d}|d|d<t|d} | dkrt|d|d <t|d|d<t|d|d<t|d|d<WYd}~n d}~00||_Wn6t y8}zt dt ||WYd}~n d}~00|rJ||dS)aDeserialize a JWE token. NOTE: Destroys any current status and tries to import the raw JWE provided. If a key is provided a decryption step will be attempted after the object is successfully deserialized. :param raw_jwe: a 'raw' JWE token (JSON Encoded or Compact notation) string. :param key: A (:class:`jwcrypto.jwk.JWK`) decryption key, or a (:class:`jwcrypto.jwk.JWKSet`) that contains a key indexed by the 'kid' header or (deprecated) a string containing a password (optional). :raises InvalidJWEData: if the raw object is an invalid JWE token. :raises InvalidJWEOperation: if the decryption fails. NrUrVrWr)r'r*r(r]r\r+rPrrhrwrRzInvalid format)r-r.r5r rdecoder r`r9splitrirrzr{ru) rZraw_jwerboZdjweprcrorZZekeyrrr deserializesb           & &zJWE.deserializecCs|jstd|jS)NzPlaintext not available)r.r=rCrrr payload$sz JWE.payloadcCs*||jd}t|dkr&td|S)Nr+rzJOSE Header not available)rLr-rMrir=)rrJrrr rx*s zJWE.jose_headercCs|}|||S)aCreates a JWE object from a serialized JWE token. :param token: A string with the json or compat representation of the token. :raises InvalidJWEData: if the raw object is an invalid JWE token. :return: A JWE token :rtype: JWE )r)clstokenrnrrr from_jose_token1s  zJWE.from_jose_tokencCslt|tsdSz||kWStyfd|ji}||jd|ji}||j||kYS0dS)NFr.)r2r&rprzr.r1r-)rotherZdata1Zdata2rrr __eq__Bs      z JWE.__eq__cCs*z |WSty$|YS0dS)N)rprz__repr__rCrrr __str__Ns  z JWE.__str__c Cszd|dWStyt|j}|jd}|jd}|jd}|j}d|dd|dd |dd |d |d YS0dS) NzJWE.from_json_token("z")r)r*r(zJWE(plaintext=z, z protected=z unprotected=zaad=z, algs=))rprzr{r.r-rMr,)rr.r)r*r(r:rrr rTs        z JWE.__repr__)NNNNNNNN)N)N)F)N)r!r"r#r$rrArBpropertyrDsetterrIrLrNr[r8rprrrvrrurrrx classmethodrrrrrrrr r&Js> 1     7 X  <) L    r&)rXZjwcryptorZjwcrypto.commonrrrrrrr r Z jwcrypto.jwar Z jwcrypto.jwkr r/r<rZInvalidCEKeyLengthZInvalidJWEKeyLengthZInvalidJWEKeyTyper=r&rrrr s@