jam.jose.algorithms
__algorithms__
Classes:
| Name | Description |
|---|---|
| AESCBCEncAlgorithm | AES-CBC + HMAC content encryption - RFC 7518 Section 5.2. |
| AESGCMEncAlgorithm | AES-GCM content encryption - RFC 7518 Section 5.1. |
| AESGCMKeyAlgorithm | AES-GCM Key Wrap algorithms - RFC 7518 Section 4.7. |
| AESKeyWrapAlgorithm | AES Key Wrap algorithms - RFC 7518 Section 4.4. |
| BaseAlgorithm | Base class for JWT signing algorithms. |
| BaseEncAlgorithm | Base class for JWE content encryption algorithms - RFC 7518 Section 5. |
| BaseKeyAlgorithm | Base class for JWE key management algorithms - RFC 7518 Section 4. |
| ECDHKeyAlgorithm | ECDH-ES Key Management algorithms - RFC 7518 Section 4.6. |
| ESAlgorithm | ECDSA algorithms (ES256, ES384, ES512). |
| HSAlgorithm | HMAC-based algorithms (HS256, HS384, HS512). |
| PBES2KeyAlgorithm | PBES2 Key Management algorithms - RFC 7518 Section 4.8. |
| PSAlgorithm | RSA PSS algorithms (PS256, PS384, PS512). |
| RSAKeyAlgorithm | RSA Key Management algorithms - RFC 7518 Section 4.2. |
| RSAlgorithm | RSA PKCS1v15 algorithms (RS256, RS384, RS512). |

Functions:
| Name | Description |
|---|---|
| create_algorithm | Create algorithm instance based on algorithm name. |
| create_enc_algorithm | Create JWE content encryption algorithm instance. |
| create_key_algorithm | Create JWE key management algorithm instance. |

AESCBCEncAlgorithm
AESCBCEncAlgorithm(enc: str, logger: BaseLogger)
Bases: BaseEncAlgorithm
AES-CBC + HMAC content encryption - RFC 7518 Section 5.2.
Methods:
| Name | Description |
|---|---|
| decrypt | Decrypt using AES-CBC + HMAC. |
| encrypt | Encrypt using AES-CBC + HMAC. |
| get_iv_length | Get the IV length for the content encryption algorithm. |
| get_key_length | Get the key length for the content encryption algorithm. |

AESGCMEncAlgorithm
AESGCMEncAlgorithm(enc: str, logger: BaseLogger)
Bases: BaseEncAlgorithm
AES-GCM content encryption - RFC 7518 Section 5.1.
Methods:
| Name | Description |
|---|---|
| decrypt | Decrypt using AES-GCM. |
| encrypt | Encrypt using AES-GCM. |
| get_iv_length | Get the IV length for the content encryption algorithm. |
| get_key_length | Get the key length for the content encryption algorithm. |

AESGCMKeyAlgorithm
AESGCMKeyAlgorithm(
alg: str,
key: KeyLike,
password: bytes | None,
logger: BaseLogger,
)
Bases: BaseKeyAlgorithm
AES-GCM Key Wrap algorithms - RFC 7518 Section 4.7.
Methods:
| Name | Description |
|---|---|
| unwrap_key | Unwrap CEK using AES-GCM. |
| wrap_key | Wrap CEK using AES-GCM. |

AESKeyWrapAlgorithm
AESKeyWrapAlgorithm(
alg: str,
key: KeyLike,
password: bytes | None,
logger: BaseLogger,
)
Bases: BaseKeyAlgorithm
AES Key Wrap algorithms - RFC 7518 Section 4.4.
Methods:
| Name | Description |
|---|---|
| unwrap_key | Unwrap CEK using AES Key Wrap. |
| wrap_key | Wrap CEK using AES Key Wrap. |

BaseAlgorithm
BaseAlgorithm(
alg: str,
secret: KeyLike,
password: bytes | None,
logger: BaseLogger,
)
Bases: ABC
Base class for JWT signing algorithms.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| alg | str | Algorithm name | required |
| secret | KeyLike | Secret key | required |
| password | bytes \| None | Password for private key | required |
| logger | BaseLogger | Logger instance | required |
Methods:
| Name | Description |
|---|---|
| sign | Sign data. |
| verify | Verify signature. |

sign (abstractmethod)
sign(data: bytes) -> str
Sign data.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| data | bytes | Data to sign | required |
Returns:
| Name | Type | Description |
|---|---|---|
| str | str | Base64url encoded signature |

verify (abstractmethod)
verify(sig: bytes, data: bytes, key: KeyLike) -> None
Verify signature.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| sig | bytes | Signature to verify | required |
| data | bytes | Data that was signed | required |
| key | KeyLike | Key for verification | required |
Raises:
| Type | Description |
|---|---|
| ValueError | If signature is invalid |

BaseEncAlgorithm
BaseEncAlgorithm(enc: str, logger: BaseLogger)
Bases: ABC
Base class for JWE content encryption algorithms - RFC 7518 Section 5.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| enc | str | Algorithm name. | required |
| logger | BaseLogger | Logger instance. | required |
Methods:
| Name | Description |
|---|---|
| decrypt | Decrypt ciphertext. |
| encrypt | Encrypt plaintext. |
| get_iv_length | Return IV length in bytes. |
| get_key_length | Return key length in bytes. |

decrypt (abstractmethod)
decrypt(
ciphertext: bytes,
iv: bytes,
tag: bytes,
aad: bytes,
key: bytes,
) -> bytes
Decrypt ciphertext.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| ciphertext | bytes | Encrypted data. | required |
| iv | bytes | Initialization vector. | required |
| tag | bytes | Authentication tag. | required |
| aad | bytes | Additional authenticated data. | required |
| key | bytes | Encryption key. | required |
Returns:
| Type | Description |
|---|---|
| bytes | Decrypted plaintext. |

encrypt (abstractmethod)
encrypt(
plaintext: bytes, iv: bytes, aad: bytes, key: bytes
) -> tuple[bytes, bytes]
Encrypt plaintext.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| plaintext | bytes | Data to encrypt. | required |
| iv | bytes | Initialization vector. | required |
| aad | bytes | Additional authenticated data. | required |
| key | bytes | Encryption key. | required |
Returns:
| Type | Description |
|---|---|
| tuple[bytes, bytes] | Tuple of (ciphertext, tag). |

BaseKeyAlgorithm
BaseKeyAlgorithm(
alg: str,
key: KeyLike,
password: bytes | None,
logger: BaseLogger,
)
Bases: ABC
Base class for JWE key management algorithms - RFC 7518 Section 4.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| alg | str | Algorithm name. | required |
| key | KeyLike | Key for wrapping/unwrapping. | required |
| password | bytes \| None | Password for encrypted private keys. | required |
| logger | BaseLogger | Logger instance. | required |
Methods:
| Name | Description |
|---|---|
| unwrap_key | Unwrap CEK. |
| wrap_key | Wrap CEK (Content Encryption Key). |

unwrap_key (abstractmethod)
unwrap_key(
encrypted_key: bytes, header: dict[str, Any]
) -> bytes
Unwrap CEK.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| encrypted_key | bytes | Wrapped CEK. | required |
| header | dict[str, Any] | JWE header (may contain needed parameters). | required |
Returns:
| Type | Description |
|---|---|
| bytes | Unwrapped CEK. |

wrap_key (abstractmethod)
wrap_key(cek: bytes) -> tuple[bytes, dict[str, Any]]
Wrap CEK (Content Encryption Key).
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| cek | bytes | Content Encryption Key to wrap. | required |
Returns:
| Type | Description |
|---|---|
| tuple[bytes, dict[str, Any]] | Tuple of (encrypted_key, header_updates). |

ECDHKeyAlgorithm
ECDHKeyAlgorithm(
alg: str,
key: KeyLike,
password: bytes | None,
logger: BaseLogger,
)
Bases: BaseKeyAlgorithm
ECDH-ES Key Management algorithms - RFC 7518 Section 4.6.
Methods:
| Name | Description |
|---|---|
| unwrap_key | Unwrap CEK using ECDH. |
| wrap_key | Wrap CEK using ECDH. |
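ECDH-ES key management turns the ECDH shared secret Z into the key it hands back (used directly as the CEK for `ECDH-ES`, or as the wrapping key for the `+A*KW` variants) with the Concat KDF of RFC 7518 Section 4.6.2, parameterised by the header's `alg`/`enc`, `apu` and `apv`. The block below is an added example written for this page, not code from jam: `concat_kdf`, `derive_from_header` and the two key-size tables are assumptions, the EC point multiplication that produces Z is left outside the block (Z is passed in), and the sample input is the shared secret and header from RFC 7518 Appendix C, whose documented output `VqqN6vgjbSBcIijNcacQGg` the example reproduces.

```python
# Added example, not jam's own code: the Concat KDF step that ECDH-ES key
# management (RFC 7518 Section 4.6.2) runs once the shared secret Z is known.
# The EC scalar multiplication that yields Z is not in the standard library,
# so Z is an input here; the vector at the bottom is RFC 7518 Appendix C.
import base64
import hashlib
import struct
from typing import Any


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _lp(field: bytes) -> bytes:
    """Length-prefix a field with its 32-bit big-endian byte length."""
    return struct.pack(">I", len(field)) + field


# Bits the KDF must output. Direct agreement ("ECDH-ES") needs the CEK size
# of `enc`; the key-wrapping variants need the size of the AES-KW key.
_WRAP_KEY_BITS = {"ECDH-ES+A128KW": 128, "ECDH-ES+A192KW": 192, "ECDH-ES+A256KW": 256}
_CEK_BITS = {
    "A128GCM": 128, "A192GCM": 192, "A256GCM": 256,
    "A128CBC-HS256": 256, "A192CBC-HS384": 384, "A256CBC-HS512": 512,
}


def concat_kdf(z: bytes, algorithm_id: str, apu: bytes, apv: bytes, key_bits: int) -> bytes:
    """NIST SP 800-56A Concat KDF with SHA-256, as RFC 7518 Section 4.6.2 specifies."""
    other_info = (
        _lp(algorithm_id.encode("ascii"))   # AlgorithmID: the alg or enc name
        + _lp(apu)                          # PartyUInfo
        + _lp(apv)                          # PartyVInfo
        + struct.pack(">I", key_bits)       # SuppPubInfo; SuppPrivInfo is empty
    )
    key_len = key_bits // 8
    out, counter = b"", 1
    # One SHA-256 block per 32 bytes of output; A256CBC-HS512 needs two rounds.
    while len(out) < key_len:
        out += hashlib.sha256(struct.pack(">I", counter) + z + other_info).digest()
        counter += 1
    return out[:key_len]


def derive_from_header(z: bytes, header: dict[str, Any]) -> bytes:
    """Derive the key an unwrap_key-style receiver needs from Z and the JWE header.

    `alg` decides between direct agreement and key wrapping, and with it both
    the AlgorithmID and the output length; apu/apv default to empty if absent.
    """
    alg = header["alg"]
    if alg == "ECDH-ES":
        algorithm_id = header["enc"]
        key_bits = _CEK_BITS.get(algorithm_id)
    else:
        algorithm_id = alg
        key_bits = _WRAP_KEY_BITS.get(alg)
    if key_bits is None:
        raise ValueError(f"unsupported algorithm: {alg}")
    apu = b64url_decode(header.get("apu", ""))
    apv = b64url_decode(header.get("apv", ""))
    return concat_kdf(z, algorithm_id, apu, apv, key_bits)


# Constructed from RFC 7518 Appendix C: its shared secret Z and JWE header
# ("apu" is base64url("Alice"), "apv" is base64url("Bob")).
RFC7518_APPENDIX_C_Z = bytes([
    158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131, 191, 132, 38, 156,
    251, 49, 110, 163, 218, 128, 106, 72, 246, 218, 167, 121, 140, 254, 144, 196,
])
RFC7518_APPENDIX_C_HEADER = {"alg": "ECDH-ES", "enc": "A128GCM", "apu": "QWxpY2U", "apv": "Qm9i"}

if __name__ == "__main__":
    cek = derive_from_header(RFC7518_APPENDIX_C_Z, RFC7518_APPENDIX_C_HEADER)
    print(b64url_encode(cek))  # VqqN6vgjbSBcIijNcacQGg, as RFC 7518 Appendix C lists
```

The AlgorithmID switch is the part worth checking in any implementation: for `ECDH-ES` it is the `enc` value, for the `+A*KW` variants it is the `alg` value, and using the wrong one silently derives a different key on one side, so a wrapped CEK from a conformant peer fails to unwrap.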

ESAlgorithm
ESAlgorithm(
alg: str,
secret: KeyLike,
password: bytes | None,
logger: BaseLogger,
)
Bases: BaseAlgorithm
ECDSA algorithms (ES256, ES384, ES512).
Methods:
| Name | Description |
|---|---|
| sign | Sign data using ECDSA. |
| verify | Verify ECDSA signature. |

sign
sign(data: bytes) -> str
Sign data using ECDSA.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| data | bytes | Data to sign | required |
Returns:
| Name | Type | Description |
|---|---|---|
| str | str | Base64url encoded signature |

verify
verify(sig: bytes, data: bytes, key: KeyLike) -> None
Verify ECDSA signature.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| sig | bytes | Signature to verify | required |
| data | bytes | Data that was signed | required |
| key | KeyLike | Key for verification | required |
Raises:
| Type | Description |
|---|---|
| JamJWSVerificationError | If signature is invalid |

HSAlgorithm
HSAlgorithm(
alg: str,
secret: KeyLike,
password: bytes | None,
logger: BaseLogger,
)
Bases: BaseAlgorithm
HMAC-based algorithms (HS256, HS384, HS512).
Methods:
| Name | Description |
|---|---|
| sign | Sign data using HMAC. |
| verify | Verify HMAC signature. |

sign
sign(data: bytes) -> str
Sign data using HMAC.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| data | bytes | Data to sign | required |
Returns:
| Name | Type | Description |
|---|---|---|
| str | str | Base64url encoded signature |

verify
verify(sig: bytes, data: bytes, key: KeyLike) -> None
Verify HMAC signature.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| sig | bytes | Signature to verify | required |
| data | bytes | Data that was signed | required |
| key | KeyLike | Key for verification | required |
Raises:
| Type | Description |
|---|---|
| JamJWSVerificationError | If signature is invalid |

PBES2KeyAlgorithm
PBES2KeyAlgorithm(
alg: str,
key: KeyLike,
password: bytes | None,
logger: BaseLogger,
)
Bases: BaseKeyAlgorithm
PBES2 Key Management algorithms - RFC 7518 Section 4.8.
Methods:
| Name | Description |
|---|---|
| unwrap_key | Unwrap CEK using PBES2. |
| wrap_key | Wrap CEK using PBES2. |

PSAlgorithm
PSAlgorithm(
alg: str,
secret: KeyLike,
password: bytes | None,
logger: BaseLogger,
)
Bases: BaseAlgorithm
RSA PSS algorithms (PS256, PS384, PS512).
Methods:
| Name | Description |
|---|---|
| sign | Sign data using RSA PSS. |
| verify | Verify RSA PSS signature. |

sign
sign(data: bytes) -> str
Sign data using RSA PSS.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| data | bytes | Data to sign | required |
Returns:
| Name | Type | Description |
|---|---|---|
| str | str | Base64url encoded signature |

verify
verify(sig: bytes, data: bytes, key: KeyLike) -> None
Verify RSA PSS signature.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| sig | bytes | Signature to verify | required |
| data | bytes | Data that was signed | required |
| key | KeyLike | Key for verification | required |
Raises:
| Type | Description |
|---|---|
| JamJWSVerificationError | If signature is invalid |

RSAKeyAlgorithm
RSAKeyAlgorithm(
alg: str,
key: KeyLike,
password: bytes | None,
logger: BaseLogger,
)
Bases: BaseKeyAlgorithm
RSA Key Management algorithms - RFC 7518 Section 4.2.
Methods:
| Name | Description |
|---|---|
| unwrap_key | Unwrap CEK using RSA. |
| wrap_key | Wrap CEK using RSA. |

RSAlgorithm
RSAlgorithm(
alg: str,
secret: KeyLike,
password: bytes | None,
logger: BaseLogger,
)
Bases: BaseAlgorithm
RSA PKCS1v15 algorithms (RS256, RS384, RS512).
Methods:
| Name | Description |
|---|---|
| sign | Sign data using RSA PKCS1v15. |
| verify | Verify RSA PKCS1v15 signature. |

sign
sign(data: bytes) -> str
Sign data using RSA PKCS1v15.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| data | bytes | Data to sign | required |
Returns:
| Name | Type | Description |
|---|---|---|
| str | str | Base64url encoded signature |

verify
verify(sig: bytes, data: bytes, key: KeyLike) -> None
Verify RSA PKCS1v15 signature.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| sig | bytes | Signature to verify | required |
| data | bytes | Data that was signed | required |
| key | KeyLike | Key for verification | required |
Raises:
| Type | Description |
|---|---|
| JamJWSVerificationError | If signature is invalid |

create_algorithm
create_algorithm(
alg: str,
secret: KeyLike,
password: bytes | None,
logger: BaseLogger,
) -> BaseAlgorithm
Create algorithm instance based on algorithm name.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| alg | str | Algorithm name | required |
| secret | KeyLike | Secret key | required |
| password | bytes \| None | Password for private key | required |
| logger | BaseLogger | Logger instance | required |
Returns:
| Name | Type | Description |
|---|---|---|
| BaseAlgorithm | BaseAlgorithm | Algorithm instance |
Raises:
| Type | Description |
|---|---|
| ValueError | If algorithm is not supported |
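The signing classes above (HSAlgorithm in particular) and the `create_algorithm` factory share one contract: `sign` returns a base64url string, `verify` raises on mismatch, and an unknown `alg` name is rejected with `ValueError` before any key is used. The following is an added example written for this page, not jam's own code: `HmacSigner`, `create_signer`, `VerificationError` and `verify_ok` are hypothetical stand-ins for the documented HSAlgorithm, create_algorithm and JamJWSVerificationError, nothing is imported from `jam.jose.algorithms`, and the example assumes `sig` is the raw (already base64url-decoded) signature bytes.

```python
# Added example, not jam's own code: a stand-alone HS256/384/512 signer that
# follows the sign(data) -> str / verify(sig, data, key) -> None contract the
# page documents, plus a create_algorithm-style factory. All names here are
# hypothetical stand-ins; `sig` is assumed to be raw signature bytes.
import base64
import hashlib
import hmac


class VerificationError(ValueError):
    """Stand-in for the page's JamJWSVerificationError (its base class is assumed)."""


def b64url_encode(raw: bytes) -> str:
    # JOSE base64url (RFC 7515 Section 2): URL-safe alphabet, padding stripped.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class HmacSigner:
    """Hypothetical HS* implementation of the documented signing contract."""

    DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

    def __init__(self, alg: str, secret: bytes) -> None:
        if alg not in self.DIGESTS:
            raise ValueError(f"unsupported algorithm: {alg}")
        self.alg = alg
        self._secret = secret

    def sign(self, data: bytes) -> str:
        mac = hmac.new(self._secret, data, self.DIGESTS[self.alg]).digest()
        return b64url_encode(mac)

    def verify(self, sig: bytes, data: bytes, key: bytes) -> None:
        expected = hmac.new(key, data, self.DIGESTS[self.alg]).digest()
        # Constant-time comparison: a plain == stops at the first differing
        # byte, and that timing difference is observable by a remote caller.
        if not hmac.compare_digest(sig, expected):
            raise VerificationError("invalid signature")


def create_signer(alg: str, secret: bytes) -> HmacSigner:
    """create_algorithm-style dispatch: only allowlisted names construct anything."""
    if alg not in HmacSigner.DIGESTS:
        # Typos, unimplemented families and "none" all end here, before the
        # secret is touched, matching the ValueError the page documents.
        raise ValueError(f"unsupported algorithm: {alg}")
    return HmacSigner(alg, secret)


def verify_ok(alg: str, key: bytes, sig_text: str, data: bytes) -> bool:
    """Boolean wrapper for callers that prefer a result over the raised error."""
    try:
        create_signer(alg, key).verify(b64url_decode(sig_text), data, key)
        return True
    except VerificationError:
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed for the demo, not a real secret
    # Constructed signing input: base64url header {"alg":"HS256"} and payload {"sub":"demo"}
    data = b"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0"
    tag = create_signer("HS256", key).sign(data)
    print(tag, verify_ok("HS256", key, tag, data), verify_ok("HS256", key, tag, data + b"x"))
```

`verify` takes the key as a parameter rather than reading the instance's secret, mirroring the page's `verify(sig, data, key)` signature, so the same instance can check tokens against whichever key a `kid` lookup returns.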

create_enc_algorithm
create_enc_algorithm(
enc: str, logger: BaseLogger
) -> BaseEncAlgorithm
Create JWE content encryption algorithm instance.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| enc | str | Algorithm name. | required |
| logger | BaseLogger | Logger instance. | required |
Returns:
| Type | Description |
|---|---|
| BaseEncAlgorithm | BaseEncAlgorithm instance. |
Raises:
| Type | Description |
|---|---|
| ValueError | If algorithm is not supported. |

create_key_algorithm
create_key_algorithm(
alg: str,
key: KeyLike,
password: bytes | None,
logger: BaseLogger,
) -> BaseKeyAlgorithm
Create JWE key management algorithm instance.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| alg | str | Algorithm name. | required |
| key | KeyLike | Key for wrapping/unwrapping. | required |
| password | bytes \| None | Password for encrypted private keys. | required |
| logger | BaseLogger | Logger instance. | required |
Returns:
| Type | Description |
|---|---|
| BaseKeyAlgorithm | BaseKeyAlgorithm instance. |
Raises:
| Type | Description |
|---|---|
| ValueError | If algorithm is not supported. |