o 6 hX@s,ddlZddlZddlZddlmZddlmZddlmZddl m Z ddl m Z m Z mZddlmZmZdd lmZmZmZe je jdddfd d Zd d ZddZddZddZddZddZddZddZ ddZ!ddZ"d d!Z#d"d#Z$d$d%Z%d&d'Z&d(d)Z'd*d+Z(d,d-Z)d.d/Z*dS)0N)Mappingpack)jwk)get_random_bytes) ALGORITHMSJWE_SIZE_LIMITZIPS)JWEError JWEParseError)base64url_decodebase64url_encode ensure_binaryc Cst|}|tjvrtd||tjvrtd|t||}t|||||}t||}t||||||\}} } } t ||| | | } | S)aEncrypts plaintext and returns a JWE cmpact serialization string. Args: plaintext (bytes): A bytes object to encrypt key (str or dict): The key(s) to use for encrypting the content. Can be individual JWK or JWK set. encryption (str, optional): The content encryption algorithm used to perform authenticated encryption on the plaintext to produce the ciphertext and the Authentication Tag. Defaults to A256GCM. algorithm (str, optional): The cryptographic algorithm used to encrypt or determine the value of the CEK. Defaults to dir. zip (str, optional): The compression algorithm) applied to the plaintext before encryption. Defaults to None. cty (str, optional): The media type for the secured content. See http://www.iana.org/assignments/media-types/media-types.xhtml kid (str, optional): Key ID for the provided key Returns: bytes: The string representation of the header, encrypted key, initialization vector, ciphertext, and authentication tag. Raises: JWEError: If there is an error signing the token. Examples: >>> from jose import jwe >>> jwe.encrypt('Hello, World!', 'asecret128bitkey', algorithm='dir', encryption='A128GCM') 'eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4R0NNIn0..McILMB3dYsNJSuhcDzQshA.OfX9H_mcUpHDeRM4IA.CcnTWqaqxNsjT4eCaUABSg' Algorithm %s not supported.) rr SUPPORTEDr r construct_encoded_header _compress_encrypt_and_auth_jwe_compact_serialize) plaintextkey encryption algorithmzipctykidencoded_headerenc_cekiv cipher_textauth_tag jwe_stringr$\/var/www/html/construction_image-detection-poc/venv/lib/python3.10/site-packages/jose/jwe.pyencrypts      r&c Cst|tkrtdt|dtdt|\}}}}}}z |d}|d} |tjvr1td|| tjvr>> from jose import jwe >>> jwe.decrypt(jwe_string, 'asecret128bitkey') 'Hello, World!' z JWE string z bytes exceeds  bytesalgencrz!alg and enc headers are required!Talg  is not implementedFenc Nr)lenr r _jwe_compact_deserializerrKeyErrorr rrDIR_get_key_bytes_from_key unwrap_keyNotImplementedError Exception_get_random_cek_bytes_for_enc_decrypt_and_auth _decompressget)jwe_strrheaderr encrypted_keyr r!r"r(r) cek_valid cek_bytesprotected_headeraad plain_texter$r$r%decrypt<sP                rCcCst|d}|S)a+Returns the decoded headers without verification of any kind. Args: jwe_str (str): A compact serialized JWE to decode the headers from. Returns: dict: The dict representation of the JWE headers. Raises: JWEError: If there is an exception decoding the JWE. r)r/)r:r;r$r$r%get_unverified_headers rDc Cs||tjvrt||\}}}t|||||} n|tjvr$t||}|} ntd|d|||||} || krr)r!r r@r"encryption_keymac_keykey_lenauth_tag_checkrr$r$r%r7s   r7c CsTt|d}|d|}t||}|| d}|d\}}t||}|||fS)Nr-)r. _get_hmac_keysplitrr) r>r)derived_key_len mac_key_bytesrKencryption_key_bytesencryption_alg_rJr$r$r%rGs     rGc Cs\t|}z|dd\}}}}}t|}Wnty tdttjfy-tdwzt |}WntyH}ztd|d}~wwt |t sRtdzt|} Wnttjfyftdwzt|} Wnttjfy{td wzt|} Wnttjfytd wzt|} Wnttjfytd w||| | | | fS) z Deserialize and verify the header and segments are appropriate. Args: jwe_bytes (bytes): The compact serialized JWE Returns: (dict, bytes, bytes, bytes, bytes, bytes) .zNot enough segmentszInvalid headerzInvalid header string: Nz,Invalid header string: must be a json objectzInvalid encrypted keyz Invalid IVzInvalid cyphertextzInvalid auth tag) rrQr ValueErrorr TypeErrorbinasciiErrorjsonloads isinstancer) jwe_bytesheader_segmentencrypted_key_segment iv_segmentcipher_text_segmentauth_tag_segment header_datar;rBr<r ciphertextr"r$r$r%r/sP       r/cCsL||d}|r ||d<|r||d<|r||d<tj|dddd}t|S) a Generate an appropriate JOSE header based on the values provided Args: alg (str): Key wrap/negotiation algorithm enc (str): Encryption algorithm zip (str): Compression method cty (str): Content type of the encrypted data kid (str): ID for the key used for the operation Returns: bytes: JSON object of header based on input )r(r)rrr),:T) separators sort_keyszutf-8)r]dumpsencoder)r(r)rrrr; json_headerr$r$r%rQs rcCs td|S)Nz!Qr)int_valr$r$r% _big_endianms rpcCsz t|||\}}Wntytd|dw|tjvr9t||\}} } |||\} } } t| | || | }n|tjvrNt ||}|||\} } }ntd|d|| | |fS)a/ Generate a content encryption key (cek) and initialization vector (iv) based on enc and alg, compress the plaintext based on zip, encrypt the compressed plaintext using the cek and iv based on enc Args: key (Key): The key provided for encryption alg (str): The algorithm use for key wrap/negotiation enc (str): The encryption algorithm with which to encrypt the plaintext zip (str): The compression algorithm with which to compress the plaintext plaintext (bytes): The data to encrypt aad (str): Additional authentication data utilized for generating an auth tag Returns: (bytes, bytes, bytes, bytes): A tuple of the following data (key wrapped cek, iv, cipher text, auth tag) r+r,r-rE) _get_cekr4r rrFrGr&rHrIrr)rr(r)rrr@r>kw_cekrJrKrLr rgtagr"r$r$r%rqs     rcCs|d\}}t||}|S)z Get an HMACKey for the provided encryption algorithm and key bytes Args: enc (str): Encryption algorithm mac_key_bytes (bytes): vytes for the HMAC key Returns: (HMACKey): The key to perform HMAC actions rO)rQrr)r)rSrVhash_algrKr$r$r%rPs rPcCsR|tjvr td|d|dur|}|S|tjkr!t|}|Std|d)z Compress the plaintext based on the algorithm supplied Args: zip (str): Compression Algorithm plaintext (bytes): plaintext to compress Returns: (bytes): Compressed plaintext ZIP  is not supported!NrE)r rr4DEFzlibcompress)rr compressedr$r$r%rs  rcCst|tjvr td|d|dur|}|S|tjkr2t}|j|td}|jr0t dtd|Std|d)z Decompress the plaintext based on the algorithm supplied Args: zip (str): Compression Algorithm plaintext (bytes): plaintext to decompress Returns: (bytes): Compressed plaintext rurvN) max_lengthz Decompressed JWE string exceeds r'rE) r rr4rwrx decompressobj decompressr unconsumed_tailr )rrz decompressed decompressorr$r$r%r8s  r8cCs4|tjkrt|\}}||fSt||\}}||fS)a  Get the content encryption key Args: enc (str): Encryption algorithm alg (str): kwy wrap/negotiation algorithm key (Key): Key provided to encryption method Return: (bytes, bytes): Tuple of (cek bytes and wrapped cek) )rr1_get_direct_key_wrap_cek_get_key_wrap_cek)r)r(rcek wrapped_cekr$r$r%rqs rqcCs:|}|ddkrt|}d}||fStd|d)z Get the cek and wrapped cek from the encryption key direct Args: key (Key): Key provided to encryption method Return: (Key, bytes): Tuple of (cek Key object and wrapped cek) ktyoctr*zJWK type {} not supported!)to_dictr2r4format)rjwk_datar>rr$r$r%rs  rcCs|}|d}t|}|S)z Get the raw key bytes from a Key object Args: key (Key): Key from which to extract the raw key bytes Returns: (bytes) key data k)rr )rr encoded_keyr>r$r$r%r2s r2cCst|}||}||fS)a_get_rsa_key_wrap_cek Get the content encryption key for RSA key wrap Args: enc (str): Encryption algorithm key (Key): Key provided to encryption method Returns: (Key, bytes): Tuple of (cek Key object and wrapped cek) )r6wrap_key)r)rr>rr$r$r%rs rcCst|tjkrd}n*|tjkrd}n"|tjtjfvrd}n|tjkr#d}n|tjkr+d}nt|dt|d}|S)z Get the random cek bytes based on the encryptionn algorithm Args: enc (str): Encryption algorithm Returns: (bytes) random bytes for cek key iiz not supported) rA128GCMA192GCM A128CBC_HS256A256GCM A192CBC_HS384 A256CBC_HS512r4r)r)num_bitsr>r$r$r%r6s     r6c Cs:tt|d}||||}||}|d|}|S)aZ Get ann auth tag from the provided data Args: ciphertext (bytes): Encrypted value iv (bytes): Initialization vector aad (bytes): Additional Authenticated Data mac_key (bytes): Key to use in generating the MAC tag_length (int): How log the tag should be Returns: (bytes) Auth tag rr)rpr.sign) rgr r@rK tag_lengthalauth_tag_input signaturer"r$r$r%rH9s   rHc CsLt|}t|}t|}t|}t|}|d|d|d|d|S)ay Generate a compact serialized JWE Args: encoded_header (bytes): Base64 URL Encoded JWE header JSON encrypted_cek (bytes): Encrypted content encryption key (cek) iv (bytes): Initialization vector (IV) cipher_text (bytes): Cipher text auth_tag (bytes): JWE Auth Tag Returns: (str): JWE compact serialized string rW)rr) r encrypted_cekr r!r"encoded_encrypted_cek encoded_ivencoded_cipher_textencoded_auth_tagr$r$r%rNs.r)+r[r]rxcollections.abcrstructrrbackendsr constantsrr r exceptionsr r utilsr rrrr1r&rCrDr7rGr/rrprrPrr8rqrr2rr6rHrr$r$r$r%s<    . & J%