o &g_@sXddlZddlmZddlmZmZddlmZmZddlmZm Z ddlm Z m Z ddl m Z ddlmZd Zed d d ded d d dedd d dedd d dedd d dedd d dedd d dedd d dedd d dedd d dedd d dedd d dedd d dd Z gdZ GdddeZejZejZejZejZGdddZdS)N)common) JWException JWKeyNotFound)JWSEHeaderParameterJWSEHeaderRegistry)base64url_decodebase64url_encode) json_decode json_encode)JWA)JWKSeti AlgorithmFTzEncryption AlgorithmzCompression Algorithmz JWK Set URLz JSON Web KeyzKey IDz X.509 URLzX.509 Certificate Chainz"X.509 Certificate SHA-1 Thumbprintz$X.509 Certificate SHA-256 ThumbprintTypez Content TypeCritical) algenczipjkujwkkidx5ux5cx5tzx5t#S256typctycrit)zRSA-OAEPz RSA-OAEP-256A128KWA192KWA256KWdirzECDH-ESzECDH-ES+A128KWzECDH-ES+A192KWzECDH-ES+A256KW A128GCMKW A192GCMKW A256GCMKWzPBES2-HS256+A128KWzPBES2-HS384+A192KWzPBES2-HS512+A256KWz A128CBC-HS256z A192CBC-HS384z A256CBC-HS512A128GCMA192GCMA256GCMcs"eZdZdZdfdd ZZS)InvalidJWEDatazvInvalid JWE Object. This exception is raised when the JWE Object is invalid and/or improperly formatted. Ncs:d}|r|}nd}|r|dt|7}tt||dS)Nz!Unknown Data Verification Failurez {%s})strsuperr&__init__)selfmessage exceptionmsg __class__K/root/parts/websockify/install/lib/python3.10/site-packages/jwcrypto/jwe.pyr);szInvalidJWEData.__init__)NN)__name__ __module__ __qualname____doc__r) __classcell__r0r0r.r1r&4sr&c@seZdZdZ   d/ddZddZddZed d Zej d d Zd d Z d0ddZ ddZ ddZ d0ddZd1ddZddZddZddZdd Zd0d!d"Zed#d$Zed%d&Zed'd(Zd)d*Zd+d,Zd-d.ZdS)2JWEzGJSON Web Encryption object This object represent a JWE token. Nc Csd|_i|_d|_tt|_|r|j||dur)t|tr#||_n| d|_d|_ d|_ |r6||jd<|rKt|t rBt |}nt|||jd<|r`t|t rWt |}nt|||jd<|re||_|rp|j||ddS|rvtddS)aBCreates a JWE token. :param plaintext(bytes): An arbitrary plaintext to be encrypted. :param protected: A JSON string with the protected header. :param unprotected: A JSON string with the shared unprotected header. :param aad(bytes): Arbitrary additional authenticated data :param algs: An optional list of allowed algorithms :param recipient: An optional, default recipient key :param header: An optional header for the default recipient :param header_registry: Optional additions to the header registry Nutf-8aad protected unprotected)headerz-Header is allowed only with default recipient) _allowed_algsobjects plaintextrJWEHeaderRegistryheader_registryupdate isinstancebytesencodecek decryptlogdictr r add_recipient ValueError) r*r?r:r;r9algs recipientr<rAr0r0r1r)Ss>           z JWE.__init__cC$|jpt}||vr tdt|SNzAlgorithm not allowed)r=default_allowed_algsInvalidJWEOperationr keymgmt_algr*nameallowedr0r0r1 _jwa_keymgmt  zJWE._jwa_keymgmtcCrMrN)r=rOrPr encryption_algrRr0r0r1_jwa_encrVz JWE._jwa_enccCs|jr|jStS)zAllowed algorithms. The list of allowed algorithms. Can be changed by setting a list of algorithm names. )r=rOr*r0r0r1 allowed_algsszJWE.allowed_algscCst|ts td||_dS)NzAllowed Algs must be a list)rClist TypeErrorr=)r*rKr0r0r1rZs  cCs4t|D] }||vrtd|q|||S)NzDuplicate header: "%s")r[keysr&rB)r*h1h2kr0r0r1_merge_headerss   zJWE._merge_headerscCshi}d|jvrt|jd}|||}d|jvr&t|jd}|||}|r2t|}|||}|S)Nr:r;)r>r ra)r*r<jhphuhrhr0r0r1_get_jose_headers     zJWE._get_jose_headercCsT|dd}|durtd||}|dd}|dur!td||}||fS)NrzMissing "alg" from headersrzMissing "enc" from headers)getr&rUrX)r*rbalgnamerencnamerr0r0r1_get_alg_enc_from_headerss    zJWE._get_alg_enc_from_headersc Cst|jdd}d|jvr|dt|jd7}|d}|dd}|dkr3t|jdd }n |dur;|j}ntd ||j ||\}}} ||jd <||jd <| |jd <dS)Nr:r9.r8rDEFUnknown compressioniv ciphertexttag) rr>rgrEzlibcompressr?rJencryptrF) r*rrrbr9rudatarqrrrsr0r0r1_encrypts     z JWE._encryptc Cs|jdur tdt|jtstdt|trt|}||}||\}}i}|r0||d<|||j |j |}|d|_ d|vrI|d|d<d|vrct | dd}| ||d} t| |d<d |jvro||||d |jvr~|jd |dSd|jvsd|jvrg|jd <i} d|jvr|jd| d<d|jvr|jd| d<|jd | |jd |dS|j|dS) aEncrypt the plaintext with the given key. :param key: A JWK key or password of appropriate type for the 'alg' provided in the JOSE Headers. :param header: A JSON string representing the per-recipient header. :raises ValueError: if the plaintext is missing or not of type bytes. :raises ValueError: if the compression type is unknown. :raises InvalidJWAAlgorithm: if the 'alg' provided in the JOSE headers is missing or unknown, or otherwise not implemented. NzMissing plaintextzPlaintext must be 'bytes'r<rFek encrypted_keyz{}rr recipients)r?rJrCrDrHr rfrjwrap wrap_key_sizerFr rgrar>rxappendpoprB) r*keyr<rbrrrecwrappedhnhnr0r0r1rIsB            zJWE.add_recipientFc Cszd|jvr td|rdD] }||jvrtd|q d|jvr$tdt|jd}dD] }||vr9td|q-d |jvrTt|jd d krLtd |jd d }n|j}d |vrt|d }t|jd}|||}t||jd<|}||\} } || | ||d =d t |jdt | ddt |jdt |jdt |jdgS|j} t | dt | dt |jdd} d| vrt | d| d<d| vrt| d| d<d| vrt | d| d<d | vrg| d <| d D]%}i} d|vrt |d| d<d |vrt|d | d <| d  | qt| Sd| vr,t | d| d<d | vr9t| d | d <t| S)aSerializes the object into a JWE token. :param compact(boolean): if True generates the compact representation, otherwise generates a standard JSON format. :raises InvalidJWEOperation: if the object cannot be serialized with the compact representation and `compact` is True. :raises InvalidJWEOperation: if no recipients have been added to the object. :return: A json formatted string or a compact representation string :rtype: `str` rrNo available ciphertext)r9r;z9Can't use compact encoding when the '%s' parameter is setr:z4Can't use compact encoding without protected headers)rrz@Can't use compact encoding, '%s' must be in the protected headerr{zInvalid number of recipientsrr<rlrzrkrqrs)rrrqrsr;r9) r>rPr lenrar rfrjrxjoinrrgr~) r*compactinvalidrcrequiredrrnphrbrrobjer0r0r1 serialize s                   z JWE.serializecCs<|D]}||jvrtd||j|jstd|qdS)NzUnknown critical header: "%s"z!Unsupported critical header: "%s")rAr& supported)r*rr`r0r0r1 _check_critds   zJWE._check_critc Cs:|||j||} || |||| } |jd| |_| S)NSuccess)unwrapr}decryptrGr~rF) r*rrrenckeyr<r9rqrrrsrFrwr0r0r1_unwrap_decryptms  zJWE._unwrap_decryptc Cs@||dd}||di|D]}||jvr&|j||s&tdq||dd}||dd}t|j dd}d|j vrR|d t|j d7}| d }t |t r|}d |j vry||j d } | swtd |j d | }|D]K} z#|||| |d d|||j d|j d|j d } |jdWn&ty} z| d | } |jd| t| WYd} ~ q{d} ~ wwd|jvrtdn|||||d d|||j d|j d|j d } |dd}|dkrt| tkrtddtdt| tj |_dS|dur| |_dStd)Nr<rzFailed header checkrrr:rkr9rlr8rzKey ID {} not in key setrzrqrrrsrzKey [{}] failed: [{}]zNo working key found in key setrrmz+Compressed data exceeds maximum allowedsizez ()rp)rfrgrrA check_headerr&rUrXrr>rErCr jose_headerget_keysrformatrrGr~ Exception thumbprintreprrdefault_max_compressed_sizert decompress MAX_WBITSr?rJ)r*rpperbhdrrrr9r]kid_keysr`rwrkeyidrur0r0r1_decryptvsx                   z JWE._decryptc Csd|jvr tdg|_d}d|jvrG|jdD]-}z|||WqtyE}zt|tr1d}|jdt|WYd}~qd}~wwn-z |||jWn#tys}zt|tr_d}|jdt|WYd}~nd}~ww|j s|r}tdt d t|jdS) a@Decrypt a JWE token. :param key: The (:class:`jwcrypto.jwk.JWK`) decryption key. :param key: A (:class:`jwcrypto.jwk.JWK`) decryption key, or a (:class:`jwcrypto.jwk.JWKSet`) that contains a key indexed by the 'kid' header or (deprecated) a string containing a password. :raises InvalidJWEOperation: if the key is not a JWK object. :raises InvalidJWEData: if the ciphertext can't be decrypted or the object is otherwise malformed. :raises JWKeyNotFound: if key is a JWKSet and the key is not found. rrrFr{Tz Failed: [%s]NzKey Not found in JWKSetz%No recipient matched the provided key) r>rPrGrrrCrr~rr?r&)r*r missingkeyrrr0r0r1rs<      z JWE.decryptc Cs6i|_d|_d|_i}zzt|}t|d|d<t|d|d<t|d|d<d|vr:t|d}|d|d<d|vrFt|d|d<d|vrRt|d|d<d |vrg|d <|d D]#}i}d |vrnt|d |d <d |vrzt|d |d <|d |q^nd |vrt|d |d <d |vrt|d |d <WnXty}zL| d }t |d krt |t|d}|d|d<t|d} | dkrt|d|d <t|d|d<t|d|d<t|d|d<WYd}~nd}~ww||_Wnt y}zt dt ||d}~ww|r||dSdS)aDeserialize a JWE token. NOTE: Destroys any current status and tries to import the raw JWE provided. If a key is provided a decryption step will be attempted after the object is successfully deserialized. :param raw_jwe: a 'raw' JWE token (JSON Encoded or Compact notation) string. :param key: A (:class:`jwcrypto.jwk.JWK`) decryption key, or a (:class:`jwcrypto.jwk.JWKSet`) that contains a key indexed by the 'kid' header or (deprecated) a string containing a password (optional). :raises InvalidJWEData: if the raw object is an invalid JWE token. :raises InvalidJWEOperation: if the decryption fails. Nrqrrrsr:r8r;r9r{rzr<rlrrrrnzInvalid format)r>r?rFr rdecoder r~rJsplitrr&rrr) r*raw_jwerodjweprrrwekeyr0r0r1 deserializesp         zJWE.deserializecCs|jstd|jS)NzPlaintext not available)r?rPrYr0r0r1payload+sz JWE.payloadcCs*||jd}t|dkrtd|S)Nr<rzJOSE Header not available)rfr>rgrrP)r*rbr0r0r1r1s zJWE.jose_headercCs|}|||S)aCreates a JWE object from a serialized JWE token. :param token: A string with the json or compat representation of the token. :raises InvalidJWEData: if the raw object is an invalid JWE token. :return: A JWE token :rtype: JWE )r)clstokenrr0r0r1from_jose_token8s zJWE.from_jose_tokencCsht|tsdSz ||kWSty3d|ji}||jd|ji}||j||kYSw)NFr?)rCr7rrr?rBr>)r*otherdata1data2r0r0r1__eq__Is       z JWE.__eq__cCs&z|WSty|YSwN)rr__repr__rYr0r0r1__str__Us    z JWE.__str__c Csz d|dWStyGt|j}|jd}|jd}|jd}|j}d|dd|dd |dd |d |d YSw) NzJWE.from_json_token("z")r:r;r9zJWE(plaintext=z, z protected=z unprotected=zaad=z, algs=r)rrrr?r>rgr=)r*r?r:r;r9rKr0r0r1r[s         z JWE.__repr__)NNNNNNNNr)F)r2r3r4r5r)rUrXpropertyrZsetterrarfrjrxrIrrrrrrrr classmethodrrrrr0r0r0r1r7Ms@ 1      7X  @ )L    r7)rtjwcryptorjwcrypto.commonrrrrrrr r jwcrypto.jwar jwcrypto.jwkr rr@rOr&InvalidCEKeyLengthInvalidJWEKeyLengthInvalidJWEKeyTyperPr7r0r0r0r1sH