| 64 | cls.ZIP_REGISTRY[algorithm.name] = algorithm |
| 65 | |
| 66 | def serialize_compact(self, protected, payload, key, sender_key=None): |
| 67 | """Generate a JWE Compact Serialization. |
| 68 | |
| 69 | The JWE Compact Serialization represents encrypted content as a compact, |
| 70 | URL-safe string. This string is:: |
| 71 | |
| 72 | BASE64URL(UTF8(JWE Protected Header)) || '.' || |
| 73 | BASE64URL(JWE Encrypted Key) || '.' || |
| 74 | BASE64URL(JWE Initialization Vector) || '.' || |
| 75 | BASE64URL(JWE Ciphertext) || '.' || |
| 76 | BASE64URL(JWE Authentication Tag) |
| 77 | |
| 78 | Only one recipient is supported by the JWE Compact Serialization and |
| 79 | it provides no syntax to represent JWE Shared Unprotected Header, JWE |
| 80 | Per-Recipient Unprotected Header, or JWE AAD values. |
| 81 | |
| 82 | :param protected: A dict of protected header |
| 83 | :param payload: Payload (bytes or a value convertible to bytes) |
| 84 | :param key: Public key used to encrypt payload |
| 85 | :param sender_key: Sender's private key in case |
| 86 | JWEAlgorithmWithTagAwareKeyAgreement is used |
| 87 | :return: JWE compact serialization as bytes |
| 88 | """ |
| 89 | # step 1: Prepare algorithms & key |
| 90 | alg = self.get_header_alg(protected) |
| 91 | enc = self.get_header_enc(protected) |
| 92 | zip_alg = self.get_header_zip(protected) |
| 93 | |
| 94 | self._validate_sender_key(sender_key, alg) |
| 95 | self._validate_private_headers(protected, alg) |
| 96 | |
| 97 | key = prepare_key(alg, protected, key) |
| 98 | if sender_key is not None: |
| 99 | sender_key = alg.prepare_key(sender_key) |
| 100 | |
| 101 | # self._post_validate_header(protected, algorithm) |
| 102 | |
| 103 | # step 2: Generate a random Content Encryption Key (CEK) |
| 104 | # use enc_alg.generate_cek() in scope of upcoming .wrap |
| 105 | # or .generate_keys_and_prepare_headers call |
| 106 | |
| 107 | # step 3: Encrypt the CEK with the recipient's public key |
| 108 | if ( |
| 109 | isinstance(alg, JWEAlgorithmWithTagAwareKeyAgreement) |
| 110 | and alg.key_size is not None |
| 111 | ): |
| 112 | # For a JWE algorithm with tag-aware key agreement in case key agreement |
| 113 | # with key wrapping mode is used: |
| 114 | # Defer key agreement with key wrapping until |
| 115 | # authentication tag is computed |
| 116 | prep = alg.generate_keys_and_prepare_headers(enc, key, sender_key) |
| 117 | epk = prep["epk"] |
| 118 | cek = prep["cek"] |
| 119 | protected.update(prep["header"]) |
| 120 | else: |
| 121 | # In any other case: |
| 122 | # Keep the normal steps order defined by RFC 7516 |
| 123 | if isinstance(alg, JWEAlgorithmWithTagAwareKeyAgreement): |