a ù!fÿ ã@s>dZddlZddlZddlZddlmZddlmZejZejZdZ dZ dZ e  e ¡ZGdd„deƒZd d „Zz"dd lmZejZejZejZWney®dZdZeZYn0zdd lmZejZejZWneyædZdZYn0eröeZeZnereZeZneZeZdd d„Zdd„Zdd„Zdd„Zddd„Z dS)z)Crypto-related routines for oauth2client.éN)Ú_helpers)Ú_pure_python_crypti,i€Qc@seZdZdZdS)ÚAppIdentityErrorz!Error to indicate crypto failure.N)Ú__name__Ú __module__Ú __qualname__Ú__doc__©r r úS/var/www/html/python-backend/venv/lib/python3.9/site-packages/oauth2client/crypt.pyr$srcOs tdƒ‚dS)Nz#pkcs12_key_as_pem requires OpenSSL.)ÚNotImplementedError)ÚargsÚkwargsr r r Ú_bad_pkcs12_key_as_pem(sr)Ú_openssl_crypt)Ú_pycrypto_cryptcCsvdddœ}|dur||d<t t |¡¡t t |¡¡g}d |¡}| |¡}| t |¡¡t t|ƒ¡d |¡S)aRMake a signed JWT. See http://self-issued.info/docs/draft-jones-json-web-token.html. Args: signer: crypt.Signer, Cryptographic signer. payload: dict, Dictionary of data to convert to JSON and then sign. key_id: string, (Optional) Key ID header. Returns: string, The JWT for the payload. ZJWTZRS256)ÚtypÚalgNÚkidó.) rZ_urlsafe_b64encodeZ _json_encodeÚjoinÚsignÚappendÚloggerÚdebugÚstr)ZsignerÚpayloadZkey_idÚheaderÚsegmentsZ signing_inputÚ signaturer r r Úmake_signed_jwtJs þ  rcCs6|D]$}tj|dd}| ||¡rdSqtdƒ‚dS)a€Verifies signed content using a list of certificates. Args: message: string or bytes, The message to verify. signature: string or bytes, The signature on the message. certs: iterable, certificates in PEM format. Raises: AppIdentityError: If none of the certificates can verify the message against the signature. T)Z is_x509_certNzInvalid token signature)ÚVerifierZ from_stringÚverifyr)ÚmessagerÚcertsÚpemZverifierr r r Ú_verify_signatureis  r%cCsJ|dur dS| d¡}|dur,td |¡ƒ‚||krFtd |||¡ƒ‚dS)aAChecks audience field from a JWT payload. Does nothing if the passed in ``audience`` is null. Args: payload_dict: dict, A dictionary containing a JWT payload. audience: string or NoneType, an audience to check for in the JWT payload. Raises: AppIdentityError: If there is no ``'aud'`` field in the payload dictionary but there is an ``audience`` to check. AppIdentityError: If the ``'aud'`` field in the payload dictionary does not match the ``audience``. NZaudzNo aud field in token: {0}z Wrong recipient, {0} != {1}: {2})ÚgetrÚformat)Ú payload_dictÚaudienceZaudience_in_payloadr r r Ú_check_audience~s ÿÿr*cCs®tt ¡ƒ}| d¡}|dur,td |¡ƒ‚| d¡}|durLtd |¡ƒ‚||tkrftd |¡ƒ‚|t}||krˆtd |||¡ƒ‚|t}||krªtd |||¡ƒ‚dS) aÜVerifies the issued at and expiration from a JWT payload. Makes sure the current time (in UTC) falls between the issued at and expiration for the JWT (with some skew allowed for via ``CLOCK_SKEW_SECS``). Args: payload_dict: dict, A dictionary containing a JWT payload. Raises: AppIdentityError: If there is no ``'iat'`` field in the payload dictionary. AppIdentityError: If there is no ``'exp'`` field in the payload dictionary. AppIdentityError: If the JWT expiration is too far in the future (i.e. if the expiration would imply a token lifetime longer than what is allowed.) AppIdentityError: If the token appears to have been issued in the future (up to clock skew). AppIdentityError: If the token appears to have expired in the past (up to clock skew). ZiatNzNo iat field in token: {0}ÚexpzNo exp field in token: {0}z exp field too far in future: {0}z$Token used too early, {0} < {1}: {2}z#Token used too late, {0} > {1}: {2})ÚintÚtimer&rr'ÚMAX_TOKEN_LIFETIME_SECSÚCLOCK_SKEW_SECS)r(ÚnowZ issued_atZ expirationZearliestZlatestr r r Ú_verify_time_rangešs2  ÿ ÿ ÿÿÿr1c Cs¬t |¡}| d¡dkr&td |¡ƒ‚| d¡\}}}|d|}t |¡}t |¡}zt t  |¡¡}Wntd |¡ƒ‚Yn0t |||  ¡ƒt |ƒt ||ƒ|S)aþVerify a JWT against public certs. See http://self-issued.info/docs/draft-jones-json-web-token.html. Args: jwt: string, A JWT. certs: dict, Dictionary where values of public keys in PEM format. audience: string, The audience, 'aud', that this JWT should contain. If None then the JWT's 'aud' parameter is not verified. Returns: dict, The deserialized JSON payload in the JWT. Raises: AppIdentityError: if any checks are failed. réz&Wrong number of segments in token: {0}zCan't parse token: {0})rÚ _to_bytesÚcountrr'ÚsplitZ_urlsafe_b64decodeÚjsonÚloadsZ _from_bytesr%Úvaluesr1r*) Zjwtr#r)rrrZmessage_to_signZ payload_bytesr(r r r Úverify_signed_jwt_with_certsÏs" ÿ    r9)N)N)!rr6Úloggingr-Z oauth2clientrrZ RsaSignerZ RsaVerifierr/ZAUTH_TOKEN_LIFETIME_SECSr.Ú getLoggerrrÚ ExceptionrrrZ OpenSSLSignerZOpenSSLVerifierZpkcs12_key_as_pemÚ ImportErrorrZPyCryptoSignerZPyCryptoVerifierZSignerr rr%r*r1r9r r r r ÚsT            5