qibUddlmZddlZddlZddlZddlZddlmZmZddl m Z m Z m Z m Z mZmZmZmZddlmZddlmZmZddlmZmZmZmZmZmZmZmZm Z  dd l!m"Z"m#Z#dd l$m%Z%dd l&m'Z'dd l(m)Z)dd l*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4ddl5m6Z6m7Z7ddl8m9Z9m:Z:ddl;mZ>m?Z?m@Z@mAZAmBZBmCZCddlDmEZEmFZFmGZGmHZHmIZImJZJmKZKefZLe1e3fZMe9e:e6e7fZNeLeMzeNzZOee3e:e7fZQe seRejddrwddlTZTeTjdk\rddl mVZVnddlWmVZVddlXmYZYmZZZeefZ[de\d<ee1e3fZ]de\d<ee9e:e6e7fZ^de\d<ee[e]e^fZ_de\d<eee3e:e7fZade\d<dZbhd Zdd0d!ZeGd"d#eZfGd$d%efZgGd&d'efZhebr-Gd(d)efZiGd*d+efZjGd,d-eiZkGd.d/efZlyy#ec$rdZbYbwxYw)1) annotationsN)ABCabstractmethod) TYPE_CHECKINGAnyClassVarLiteralNoReturnUnioncastoverloadInvalidKeyError) HashlibHashJWKDict) base64url_decodebase64url_encodeder_to_raw_signature force_bytesfrom_base64url_uint is_pem_format is_ssh_keyraw_to_der_signatureto_base64url_uint)InvalidSignatureUnsupportedAlgorithm)default_backend)hashes)padding) ECDSA SECP256K1 SECP256R1 SECP384R1 SECP521R1 EllipticCurveEllipticCurvePrivateKeyEllipticCurvePrivateNumbersEllipticCurvePublicKeyEllipticCurvePublicNumbers)Ed448PrivateKeyEd448PublicKey)Ed25519PrivateKeyEd25519PublicKey) RSAPrivateKeyRSAPrivateNumbers RSAPublicKeyRSAPublicNumbers rsa_crt_dmp1 rsa_crt_dmq1 rsa_crt_iqmprsa_recover_prime_factors)Encoding NoEncryption PrivateFormat PublicFormatload_pem_private_keyload_pem_public_keyload_ssh_public_key SPHINX_BUILD) ) TypeAlias)PrivateKeyTypesPublicKeyTypesrBAllowedRSAKeys AllowedECKeysAllowedOKPKeys AllowedKeysAllowedPrivateKeysAllowedPublicKeysTF> ES256ES384ES512ES521EdDSAPS256PS384PS512RS256RS384RS512ES256Kc4tttjttjttjd}t r<|j ttjttjttjttjtttjtttjtttjtttjtttjttjttjtd |S)zE Returns the algorithms that are implemented by the library. )noneHS256HS384HS512) rSrTrUrKrVrLrNrMrPrQrRrO) NoneAlgorithm HMACAlgorithmSHA256SHA384SHA512 has_cryptoupdate RSAAlgorithm ECAlgorithmr#r"r$r%RSAPSSAlgorithm OKPAlgorithm)default_algorithmss @/opt/pipecat/venv/lib/python3.12/site-packages/jwt/algorithms.pyget_default_algorithmsris  }334}334}334 0!!%l&9&9:%l&9&9:%l&9&9:$[%7%7C%k&8&8)D$[%7%7C$[%7%7C$&& ))?)?@()?)?@()?)?@%  & ceZdZUdZdZded<ddZddZeddZ eddZ edd Z e e edd Ze e e d dd Ze eddd Ze edd ZddZy) AlgorithmzH The interface for an algorithm used to sign and verify tokens. Nz$tuple[type[AllowedKeys], ...] | None_crypto_key_typescft|dd}|ttrxt|trht |t jrNt j|t}|j|t|jSt||jS)z Compute a hash digest using the specified algorithm's hash algorithm. If there is no hash algorithm, raises a NotImplementedError. hash_algN)backend)getattrNotImplementedErrorra isinstancetype issubclassr HashAlgorithmHashrrbbytesfinalizedigest)selfbytestrrorzs rhcompute_hash_digestzAlgorithm.compute_hash_digests4T2  % % 8T*8V%9%9:[[_5FGF MM' "*+ +'*1134 4rjctr |j tdt||jsSd|jD}|jj }|jj }t d|d|d|y)acCheck that the key belongs to the right cryptographic family. Note that this method only works when ``cryptography`` is installed. :param key: Potentially a cryptography key :type key: :py:data:`PublicKeyTypes ` | :py:data:`PrivateKeyTypes ` :raises ValueError: if ``cryptography`` is not installed, or this method is called by a non-cryptography algorithm :raises InvalidKeyError: if the key doesn't match the expected key classes NzhThis method requires the cryptography library, and should only be used by cryptography-based algorithms.c34K|]}|jywN)__name__).0clss rh z2Algorithm.check_crypto_key_type..sLcS\\LszExpected one of z, got: z. Invalid Key type for )rarm ValueErrorrs __class__rr)r{key valid_classes actual_class self_classs rhcheck_crypto_key_typezAlgorithm.check_crypto_key_typesT33;z #t556LT5K5KLM==11L00J!"=/F]^h]ij  7rjcy)z Performs necessary validation and conversions on the key and returns the key value in the proper format for sign() and verify(). Nr{rs rh prepare_keyzAlgorithm.prepare_keyrjcy)zn Returns a digital signature for the specified message using the specified key value. Nrr{msgrs rhsignzAlgorithm.signrrjcy)zz Verifies that the specified digital signature is valid for the specified message and key values. Nrr{rrsigs rhverifyzAlgorithm.verifyrrjcyrrkey_objas_dicts rhto_jwkzAlgorithm.to_jwk s BErjcyrrrs rhrzAlgorithm.to_jwks rjcy)z3 Serializes a given key into a JWK Nrrs rhrzAlgorithm.to_jwkrrjcy)zJ Deserializes a given key from JWK back into a key object Nrjwks rhfrom_jwkzAlgorithm.from_jwkrrjcy)z Return a warning message if the key is below the minimum recommended length for this algorithm, or None if adequate. Nrrs rhcheck_key_lengthzAlgorithm.check_key_length#s rj)r|rxreturnrx)rz PublicKeyTypes | PrivateKeyTypesrNone)rrrr)rrxrrrrx)rrxrrrrxrbool)rrr Literal[True]rrF)rrrLiteral[False]rstr)rrrrr JWKDict | str)r str | JWKDictrr)rrr str | None)r __module__ __qualname____doc__rm__annotations__r}rrrrrr staticmethodrrrrrjrhrlrls ?C;B5,.      DE 05-     rjrlcNeZdZdZddZd dZd dZed d dZed dZ y)r\zZ Placeholder for use when no signing or verification operations are required. c.|dk(rd}| td|S)Nr?z*When alg = "none", key value must be None.rrs rhrzNoneAlgorithm.prepare_key1s$ "9C ?!"NO O rjcy)Nrjrrs rhrzNoneAlgorithm.sign:srjcy)NFrrs rhrzNoneAlgorithm.verify=srjctrrrrs rhrzNoneAlgorithm.to_jwk@ !##rjctrrrs rhrzNoneAlgorithm.from_jwkDrrjN)rrrr)rrxrrrrx)rrxrrrrxrrr)rrrrrr )rrrr ) rrrrrrrrrrrrjrhr\r\+s> $$$$rjr\ceZdZUdZej Zded<ejZ ded<ejZ ded<ddZ ddZ eeddZeeddd Zeddd Zedd Zdd Zdd ZddZy)r]zf Performs signing and verification operations using HMAC and the specified hash function. zClassVar[HashlibHash]r^r_r`c||_yrror{ros rh__init__zHMACAlgorithm.__init__Ss   rjc^t|}t|s t|r td|S)NzdThe specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret.)rrrr)r{r key_bytess rhrzHMACAlgorithm.prepare_keyVs5$  #z)'<!9  rjcyrrrs rhrzHMACAlgorithm.to_jwkasILrjcyrrrs rhrzHMACAlgorithm.to_jwkesNQrjc~tt|jdd}|r|Stj|S)Noct)kkty)rrdecodejsondumps)rrrs rhrzHMACAlgorithm.to_jwkis<"+g"67>>@  J::c? "rjc t|trtj|}nt|tr|}nt |jddk7r t dt|dS#t $r t ddwxYw)NKey is not valid JSONrrzNot an HMAC keyr) rsrrloadsdictrrgetr)robjs rhrzHMACAlgorithm.from_jwkus E#s##zz#C&   775>U "!"34 4C))  E!"9: D Es ?A..Bc|jj}t||kr;dt|d|d|jjj dSy)NzThe HMAC key is z> bytes long, which is below the minimum recommended length of z bytes for z. See RFC 7518 Section 3.2.)ro digest_sizelennameupper)r{r min_lengths rhrzHMACAlgorithm.check_key_lengthse]]_00 s8j "3s8*-55?L ==?''--/01,-  rjc`tj|||jjSr)hmacnewrorzrs rhrzHMACAlgorithm.signs"xxS$--07799rjcNtj||j||Sr)rcompare_digestrrs rhrzHMACAlgorithm.verifys ""3 #s(;<*7995<<>*7995<<>+GLL9@@B+GLL9@@B+GLL9@@B (+!002! (z*7995<<>*7995<<> &&CDD zz#&rjc : t|trtj|}nt|tr|}nt |jddk7r t ddd|vrTd|vrOd|vrJd|vr t d gd }|Dcgc]}||v}}t|}|rt|s t d dtt|dt|d}|rjtt|dt|d t|d t|dt|dt|d|}|j'St|d}t|j||j\} } t|| | t!|| t#|| t%| | |}|j'Sd|vr6d|vr2tt|dt|dj)St d#t $r t ddwxYwcc}w)NrrrzNot an RSA keyrrrothz5Unsupported RSA private key: > 2 primes not supported)rrrrrz@RSA key must include all parameters if any are present besides drrrrr)rrrrrrrr)rsrrrrrrranyallr2rr0r6rrr3r4r5rr) rr other_propsprop props_foundany_props_foundrrrrrs rhrzRSAAlgorithm.from_jwks: Ic3'**S/CT*C$$wwu~&%&67TAczcSjSCZC<)O; 7BCtts{C C"%k"2"3{+;)Z "2'C1'C1" #/-c#h7-c#h7-c#h70T;0T;0T;'5G2**,,,CH5A4&((!^-=-=DAq0)!Q/)!Q/)!Q/'5G**,,s ''C1'C1*, &&CDD{ I%&=>DH IDs?G? H?Hcl|j|tj|j}|Sr)rr PKCS1v15ror{rr signatures rhrzRSAAlgorithm.signHs)"xxW-=-=-?QI rjc |j||tj|jy#t$rYywxYw)NTF)rr rrorrs rhrzRSAAlgorithm.verifyLs=  3W%5%5%7I#  s47 AAN)rotype[hashes.HashAlgorithm]rr)rrErr)rzAllowedRSAKeys | str | bytesrrE)rrErrrrr)rrErrrr)rrErrrr)rrrrErrxrr/rrxrrxrr1rrxrr)rrrrrr^rr_r`ALLOWED_RSA_KEY_TYPESrmrrrrr rrrrrrrjrhrcrcs 8>}}4D7=}}4D7=}}4D1'+ }+ %  <  S  S  X  X $ ' $ 'L E E E EN  rjrcceZdZUdZej Zded<ejZded<ejZded<e Z d ddZ ddZ dd Z dd Zdd Zeedd Zeeddd ZedddZeddZy)rdzr Performs signing and verification operations using ECDSA and the specified hash function rr^r_r`Nc ||_||_yr)roexpected_curve)r{rors rhrzECAlgorithm.__init___s %DM"0D rjc|jyt|j|js:td|jjd|jjdy)z9Validate that the key's curve matches the expected curve.NzThe key's curve 'z%' does not match the expected curve 'z' for this algorithm)rrscurverrrs rh_validate_curvezECAlgorithm._validate_curvegsg""*cii)<)<=%' '78"116677KM>rjct||jr|j||St|ttfs t dt |} |jdr t|}n t|}|j|tt|}|j||S#t$rDt|d}|j|tt|}|j||cYSwxYw)Nrs ecdsa-sha2-r)rsrmrrxrrrrr=r<rr r)rr;r')r{rrr ec_public_keyrec_private_keys rhrzECAlgorithm.prepare_keyrs#t556$$S) cE3<0 @AA#C(I  &''71DY1OJ!4Y!?J**:6 $%;Z H $$]3$$ &29tL **;7!%&={!K$$^4%%  &sAB33A D?Dc|j|t|j}t||jSr)rr!rorr)r{rrder_sigs rhrzECAlgorithm.signs.hhsE$--/$:;G'; ;rjc t||j} t|tr|j n|}|j ||t|jy#t$rYywxYw#t$rYywxYw)NFT) rrrrsr'rrr!ror)r{rrrr!rs rhrzECAlgorithm.verifys .sCII> "#'>?NN$ !!'3dmmo0FG  $  s#A&A A5& A21A25 BBcyrrrs rhrzECAlgorithm.to_jwksORrjcyrrrs rhrzECAlgorithm.to_jwksTWrjct|tr|jj}n,t|tr|j}n t dt|j trd}not|j trd}nRt|j trd}n5t|j trd}nt d|j d|t|j|j jjt|j|j jjd }t|trJt|j!j"|j jj|d <|r|St%j&|S) NrP-256P-384P-521 secp256k1Invalid curve: EC) bit_length)rcrvxyr)rsr'rrr)rrr#r$r%r"rr.rrr/r private_valuerr)rrrr-rs rhrzECAlgorithm.to_jwksf'#:;!(!3!3!5!D!D!FG%;DH Is ?JJr)rorrztype[EllipticCurve] | Nonerr)rrFrr)rzAllowedECKeys | str | bytesrrF)rrxrr'rrx)rrxrrFrrxrr)rrFrrrrr)rrFrrrr)rrFrrrr)rrrrF)rrrrrr^rr_r`ALLOWED_EC_KEY_TYPESrmrrrrrr rrrrrjrhrdrdSs 8>}}4D7=}}4D7=}}4D0 :> 10 17 1  1  &> <  "  R  R  W  W ) ' ) 'V G  G rjrdc eZdZdZddZddZy)rezA Performs a signature using RSASSA-PSS with MGF1 c |j|tjtj|j |j j |j }|S)Nmgf salt_length)rr PSSMGF1rorrs rhrzRSAPSSAlgorithm.sign*sS"xx  T]]_5 $  ; ;   I rjc  |j||tjtj|j |j j |j y#t $rYywxYw)Nr=TF)rr r@rArorrrs rhrzRSAPSSAlgorithm.verify5sh  KK#LL9$(MMO$?$?MMO#  sA0A33 A?>A?Nrr)rrrrrrrrjrhrere%s   rjreceZdZdZeZd dZd dZ d dZ ddZ e e ddZ e e dddZ e dddZ e dd Z y )rfz Performs signing and verification operations using EdDSA This class requires ``cryptography>=2.6`` to be installed. c yrr)r{kwargss rhrzOKPAlgorithm.__init__Ms rjct|ttfs|j||St|tr|j dn|}t|tr|j dn|}d|vr t |}n1d|vrt|d}n|dddk(r t|}n td|j|td |S) Nutf-8z-----BEGIN PUBLICz-----BEGIN PRIVATErrzssh-rrG) rsrrxrrencoder<r;r=rr )r{rkey_strr loaded_keys rhrzOKPAlgorithm.prepare_keyPscC<0**3/ -7U-Ccjj)G/9#s/C 7+I#g-0; %01)dK 1'0; %&CDD  & &z 2(*5 5rjcnt|tr|jdn|}|j|}|S)aS Sign a message ``msg`` using the EdDSA private key ``key`` :param str|bytes msg: Message to sign :param Ed25519PrivateKey}Ed448PrivateKey key: A :class:`.Ed25519PrivateKey` or :class:`.Ed448PrivateKey` isinstance :return bytes signature: The signature, as bytes rG)rsrrIr)r{rr msg_bytesrs rhrzOKPAlgorithm.signfs10:#s/C 7+I"xx 2I rjc$ t|tr|jdn|}t|tr|jdn|}t|ttfr|j n|}|j ||y#t$rYywxYw)a Verify a given ``msg`` against a signature ``sig`` using the EdDSA key ``key`` :param str|bytes sig: EdDSA signature to check ``msg`` against :param str|bytes msg: Message to sign :param Ed25519PrivateKey|Ed25519PublicKey|Ed448PrivateKey|Ed448PublicKey key: A private or public EdDSA key instance :return bool verified: True if signature is valid, False if not. rGTF)rsrrIr-r+rrr)r{rrrrM sig_bytesrs rhrzOKPAlgorithm.verifyts 3=c33GCJJw/S 3=c33GCJJw/S "#(9?'KLNN$ !!)Y7#  sBB BBcyrrrrs rhrzOKPAlgorithm.to_jwksLOrjcyrrrQs rhrzOKPAlgorithm.to_jwksQTrjcFt|ttfr|jtj t j }t|trdnd}tt|jd|d}|r|Stj|St|ttfr|jtj tj t!}|j#jtj t j }t|trdnd}tt|jtt|jd|d}|r|Stj|St%d) N)encodingformatEd25519Ed448OKP)r.rr-)rTrUencryption_algorithm)r.rrr-r)rsr.r, public_bytesr7Rawr:rrrrrr-r+ private_bytesr9r8rr)rrr.r-rrs rhrzOKPAlgorithm.to_jwks\# 0.AB$$%\\'++%$.c3C#Di'*+a.9@@B  J::c?*# 1?CD%%%\\(,,)5& NN$11%\\'++2 $.c3D#Ei7)+a.9@@B)+a.9@@B  J::c?*!"?@ @rjc t|trtj|}nt|tr|}nt |jddk7r t d|jd}|dk7r|dk7rt d|d |vr t d t|jd } d |vr/|dk(rtj|Stj|St|jd }|dk(rtj|Stj|S#t $r t ddwxYw#t $r}t d |d}~wwxYw) NrrrXzNot an Octet Key Pairr-rVrWr*r.zOKP should have "x" parameterrzInvalid key parameter)rsrrrrrrrrr.from_public_bytesr,r-from_private_bytesr+)rrrr.rerrs rhrzOKPAlgorithm.from_jwksZ Ic3'**S/CT*C$$wwu~&%&=>>GGENE !ew&6%w&?@@#~%&EFF .A Hc> )/AA!DD);;A>>$SWWS\2I%,??BB&99!<<- I%&=>DH I. H%&=>CG Hs5?D/3EE&3EE/E E" EE"N)rErrr)rzAllowedOKPKeys | str | bytesrrG)rrrz#Ed25519PrivateKey | Ed448PrivateKeyrrx)rrrrGrrrr)rrGrrrrr)rrGrrrr)rrGrrrr)rrrrG)rrrrALLOWED_OKP_KEY_TYPESrmrrrrr rrrrrjrhrfrfDs 2  6, " )L    " )7 >I   4  O  O  T  T , A , A\  H  Hrjrf)rzdict[str, Algorithm])m __future__rrrrosabcrrtypingrrrr r r r r exceptionsrtypesrrutilsrrrrrrrrrcryptography.exceptionsrrcryptography.hazmat.backendsrcryptography.hazmat.primitivesr)cryptography.hazmat.primitives.asymmetricr ,cryptography.hazmat.primitives.asymmetric.ecr!r"r#r$r%r&r'r(r)r*/cryptography.hazmat.primitives.asymmetric.ed448r+r,1cryptography.hazmat.primitives.asymmetric.ed25519r-r.-cryptography.hazmat.primitives.asymmetric.rsar/r0r1r2r3r4r5r6,cryptography.hazmat.primitives.serializationr7r8r9r:r;r<r=rr:raALLOWED_KEY_TYPESALLOWED_PRIVATE_KEY_TYPESALLOWED_PUBLIC_KEY_TYPESrgetenvsys version_inforBtyping_extensions/cryptography.hazmat.primitives.asymmetric.typesrCrDrErrFrGrHrIrJraModuleNotFoundErrorrequires_cryptographyrirlr\r]rcrdrerfrrjrhr|sq" #   ('   iN<5A      +L935KL   447LL  !   YRYY~r:;   w & ( 4 %*-*E$F F#( #%; ;$ y %* /. P%   "'~}n'T!U YU(- 24E V) I (- 02BN R( 9 J  DiiX$I$bHybHY _JsDGGG