o r rb)r*r<jhphuhrhr0r0r1_get_jose_headers     zJWE._get_jose_headercCsT|dd}|durtd||}|dd}|dur!td||}||fS)NrzMissing "alg" from headersrzMissing "enc" from headers)getr&rVrY)r*rcalgnamerencnamerr0r0r1_get_alg_enc_from_headerss    zJWE._get_alg_enc_from_headersc Cst|jdd}d|jvr|dt|jd7}|d}|dd}|dkr3t|jdd }n |dur;|j}ntd ||j ||\}}} ||jd <||jd <| |jd <dS)Nr:r9.r8rDEFUnknown compressioniv ciphertexttag) rr>rhrFzlibcompressr?rKencryptrG) r*rrrcr9rvdatarrrsrtr0r0r1_encrypts     z JWE._encryptc Cs|jdur tdt|jtstdt|trt|}||}||\}}i}|r0||d<|||j |j |}|d|_ d|vrI|d|d<d|vrct | dd}| ||d} t| |d<d |jvro||||d |jvr~|jd |dS|jrd|jvsd|jvrg|jd <i} d|jvr|jd| d<d|jvr|jd| d<|jd | |jd |dS|j|dS|g|jd <dS) aEncrypt the plaintext with the given key. :param key: A JWK key or password of appropriate type for the 'alg' provided in the JOSE Headers. :param header: A JSON string representing the per-recipient header. :raises ValueError: if the plaintext is missing or not of type bytes. :raises ValueError: if the compression type is unknown. :raises InvalidJWAAlgorithm: if the 'alg' provided in the JOSE headers is missing or unknown, or otherwise not implemented. NzMissing plaintextzPlaintext must be 'bytes'r<rGek encrypted_keyz{}rs recipients)r?rKrDrErIr rgrkwrap wrap_key_sizerGr rhrbr>ryappendrBpoprC) r*keyr<rcrrrecwrappedhnhnr0r0r1rJsF            zJWE.add_recipientFc Cszd|jvr td|rdD] }||jvrtd|q d|jvr$tdt|jd}dD] }||vr9td|q-d |jvrTt|jd d krLtd |jd d }n|j}d |vrt|d }t|jd}|||}t||jd<|}||\} } || | ||d =d t |jdt | ddt |jdt |jdt |jdgS|j} t | dt | dt |jdd} d| vrt | d| d<d| vrt| d| d<d| vrt | d| d<d | vrg| d <| d D]%}i} d|vrt |d| d<d |vrt|d | d <| d  | qt| Sd| vr,t | d| d<d | vr9t| d | d <t| S)aSerializes the object into a JWE token. :param compact(boolean): if True generates the compact representation, otherwise generates a standard JSON format. :raises InvalidJWEOperation: if the object cannot be serialized with the compact representation and `compact` is True. :raises InvalidJWEOperation: if no recipients have been added to the object. :return: A json formatted string or a compact representation string :rtype: `str` rsNo available ciphertext)r9r;z9Can't use compact encoding when the '%s' parameter is setr:z4Can't use compact encoding without protected headers)rrz@Can't use compact encoding, '%s' must be in the protected headerr|zInvalid number of recipientsrr<rmr{rlrrrt)rsrrrtr;r9) r>rQr lenrbr rgrkryjoinrrhr) r*compactinvalidrdrequiredrrnphrcrrobjer0r0r1 serializes                   z JWE.serializecCs<|D]}||jvrtd||j|jstd|qdS)NzUnknown critical header: "%s"z!Unsupported critical header: "%s")rAr& supported)r*rrar0r0r1 _check_critjs   zJWE._check_critc Cs:|||j||} || |||| } |jd| |_| S)NSuccess)unwrapr~decryptrHrrG) r*rrrenckeyr<r9rrrsrtrGrxr0r0r1_unwrap_decryptss  zJWE._unwrap_decryptc Csv||dd}||di|D]}||jvr&|j||s&tdq||dd}||dd}t|j dd}d|j vrR|d t|j d7}| d }t |t r|} d |j vry||j d } | swtd |j d | } | D]K} z#|||| |d d|||j d|j d|j d } |jdWn&ty} z| d | }|jd|t| WYd} ~ q{d} ~ wwd|jvrtdn|||||d d|||j d|j d|j d } |dd}|dkr-t| tkrtddtdtjtj d}|| ||_|js|js+d|_tdd|ddS|dur7| |_dSt d)Nr<rzFailed header checkrrr:rlr9rmr8rzKey ID {} not in key setr{rrrsrtrzKey [{}] failed: [{}]zNo working key found in key setrrnz+Compressed data exceeds maximum allowedsizez ())wbitsz2Compressed data exceeds maximum allowedoutput sizerq)!rgrhrrA check_headerr&rVrYrr>rFrDr jose_headerget_keysrformatrrHr Exception thumbprintreprrdefault_max_compressed_sizeru decompressobj MAX_WBITS decompressr?unconsumed_taileofrK)r*rppe max_plaintextrchdrrrr9r^kid_keysrarxrkeyidrvdor0r0r1_decrypt|s                    z JWE._decryptrc Cs*d|_|dkr t}d|jvrtdg|_d}d|jvrR|jdD]/}z |j|||dWq!tyP}zt|trrQrHrrrDrrrr&)r*rr missingkeyrrr0r0r1rsB      z JWE.decryptc Cs6i|_d|_d|_i}zzt|}t|d|d<t|d|d<t|d|d<d|vr:t|d}|d|d<d|vrFt|d|d<d|vrRt|d|d<d |vrg|d <|d D]#}i}d |vrnt|d |d <d |vrzt|d |d <|d |q^nd |vrt|d |d <d |vrt|d |d <WnXty}zL| d }t |d krt |t|d}|d|d<t|d} | dkrt|d|d <t|d|d<t|d|d<t|d|d<WYd}~nd}~ww||_Wnt y}zt dt ||d}~ww|r||dSdS)aDeserialize a JWE token. NOTE: Destroys any current status and tries to import the raw JWE provided. If a key is provided a decryption step will be attempted after the object is successfully deserialized. :param raw_jwe: a 'raw' JWE token (JSON Encoded or Compact notation) string. :param key: A (:class:`jwcrypto.jwk.JWK`) decryption key, or a (:class:`jwcrypto.jwk.JWKSet`) that contains a key indexed by the 'kid' header or (deprecated) a string containing a password (optional). :raises InvalidJWEData: if the raw object is an invalid JWE token. :raises InvalidJWEOperation: if the decryption fails. Nrrrsrtr:r8r;r9r|r{r<rmrrrrozInvalid format)r>r?rGr rdecoder rrKsplitrr&rrr) r*raw_jwerodjweprrrxekeyr0r0r1 deserializesp         zJWE.deserializecCs|jstd|jS)NzPlaintext not available)r?rQrZr0r0r1payload?sz JWE.payloadcCs*||jd}t|dkrtd|S)Nr<rzJOSE Header not available)rgr>rhrrQ)r*rcr0r0r1rEs zJWE.jose_headercCs|}|||S)aCreates a JWE object from a serialized JWE token. :param token: A string with the json or compat representation of the token. :raises InvalidJWEData: if the raw object is an invalid JWE token. :return: A JWE token :rtype: JWE )r)clstokenrr0r0r1from_jose_tokenLs zJWE.from_jose_tokencCsht|tsdSz ||kWSty3d|ji}||jd|ji}||j||kYSw)NFr?)rDr7rrr?rCr>)r*otherdata1data2r0r0r1__eq__]s       z JWE.__eq__cCs&z|WSty|YSwN)rr__repr__rZr0r0r1__str__is    z JWE.__str__c Csz d|dWStyGt|j}|jd}|jd}|jd}|j}d|dd|dd |dd |d |d YSw) NzJWE.from_json_token("z")r:r;r9zJWE(plaintext=z, z protected=z unprotected=zaad=z, algs=r)rrrr?r>rhr=)r*r?r:r;r9rLr0r0r1ros         z JWE.__repr__) NNNNNNNNTr)F)r)r2r3r4r5r)rVrYpropertyr[setterrbrgrkryrJrrrrrrrrr classmethodrrrrr0r0r0r1r7Ns@ 3      :X F 1L    r7)rujwcryptorjwcrypto.commonrrrrrrr r jwcrypto.jwar jwcrypto.jwkr rrr@rPr&InvalidCEKeyLengthInvalidJWEKeyLengthInvalidJWEKeyTyperQr7r0r0r0r1sJ