)!dZddlZddlZddlZddlmZddlmZejZejZdZ dZ dZ eje ZGddeZd Z dd lmZej&Zej(Zej*Z dd lmZej0Zej2ZereZeZn ereZeZneZeZdd Zd ZdZdZddZ y#e$r dZdZeZYPwxYw#e$rdZdZY@wxYw)z-Crypto-related routines for oauth2client_4_0.N)_helpers)_pure_python_crypti,iQceZdZdZy)AppIdentityErrorz!Error to indicate crypto failure.N)__name__ __module__ __qualname____doc__1platform/bq/third_party/oauth2client_4_0/crypt.pyrr%s+r rctd)Nz#pkcs12_key_as_pem requires OpenSSL.)NotImplementedError)argskwargss r _bad_pkcs12_key_as_pemr)s C DDr )_openssl_crypt)_pycrypto_cryptcddd}|||d<tjtj|tjtj|g}dj|}|j |}|j tj|t jt|dj|S)aRMake a signed JWT. See http://self-issued.info/docs/draft-jones-json-web-token.html. Args: signer: crypt.Signer, Cryptographic signer. payload: dict, Dictionary of data to convert to JSON and then sign. key_id: string, (Optional) Key ID header. Returns: string, The JWT for the payload. JWTRS256)typalgkid.) r_urlsafe_b64encode _json_encodejoinsignappendloggerdebugstr)signerpayloadkey_idheadersegments signing_input signatures r make_signed_jwtr+Ks7 +F u  ##H$9$9&$AB##H$9$9'$BCHIIh'M M*I OOH// :; LLX 99X r c||D]-}tj|d}|j||s-ytd)aVerifies signed content using a list of certificates. Args: message: string or bytes, The message to verify. signature: string or bytes, The signature on the message. certs: iterable, certificates in PEM format. Raises: AppIdentityError: If none of the certificates can verify the message against the signature. T) is_x509_certNzInvalid token signature)Verifier from_stringverifyr)messager*certspemverifiers r _verify_signaturer5jsB''$'? ??7I .  4 55r c|y|jd}|tdj|||k7rtdj|||y)aAChecks audience field from a JWT payload. Does nothing if the passed in ``audience`` is null. Args: payload_dict: dict, A dictionary containing a JWT payload. audience: string or NoneType, an audience to check for in the JWT payload. Raises: AppIdentityError: If there is no ``'aud'`` field in the payload dictionary but there is an ``audience`` to check. AppIdentityError: If the ``'aud'`` field in the payload dictionary does not match the ``audience``. NaudzNo aud field in token: {0}z Wrong recipient, {0} != {1}: {2})getrformat) payload_dictaudienceaudience_in_payloads r _check_audiencer=sn &**51" ( / / =? ?h&AHH < 9: :'r cttj}|jd}|tdj ||jd}|tdj |||t zk\rtdj ||t z }||krtdj ||||t z}||kDrtdj |||y) aVerifies the issued at and expiration from a JWT payload. Makes sure the current time (in UTC) falls between the issued at and expiration for the JWT (with some skew allowed for via ``CLOCK_SKEW_SECS``). Args: payload_dict: dict, A dictionary containing a JWT payload. Raises: AppIdentityError: If there is no ``'iat'`` field in the payload dictionary. AppIdentityError: If there is no ``'exp'`` field in the payload dictionary. AppIdentityError: If the JWT expiration is too far in the future (i.e. if the expiration would imply a token lifetime longer than what is allowed.) AppIdentityError: If the token appears to have been issued in the future (up to clock skew). AppIdentityError: If the token appears to have expired in the past (up to clock skew). iatNzNo iat field in token: {0}expzNo exp field in token: {0}z exp field too far in future: {0}z$Token used too early, {0} < {1}: {2}z#Token used too late, {0} > {1}: {2})inttimer8rr9MAX_TOKEN_LIFETIME_SECSCLOCK_SKEW_SECS)r:now issued_at expirationearliestlatests r _verify_time_rangerJs0 diik C  'I ( / / =? ?!!%(J ( / / =? ?S222 . 5 5l CE E?*H X~ELL < )* */ )F V|DKK  '( (r ctj|}|jddk7rtdj ||j d\}}}|dz|z}tj |}tj |} tjtj|}t|||jt|t|||S#tdj |xYw)aVerify a JWT against public certs. See http://self-issued.info/docs/draft-jones-json-web-token.html. Args: jwt: string, A JWT. certs: dict, Dictionary where values of public keys in PEM format. audience: string, The audience, 'aud', that this JWT should contain. If None then the JWT's 'aud' parameter is not verified. Returns: dict, The deserialized JSON payload in the JWT. Raises: AppIdentityError: if any checks are failed. rz&Wrong number of segments in token: {0}zCan't parse token: {0})r _to_bytescountrr9split_urlsafe_b64decodejsonloads _from_bytesr5valuesrJr=) jwtr2r;r'r%r*message_to_sign payload_bytesr:s r verify_signed_jwt_with_certsrXs"   S !C yy! 4 ; ;C @B B"%4FGYtmg-O++I6I//8MPzz("6"6}"EF oy%,,.A|$L(+ P8?? NOOs (C((D)N)!r rQloggingrBoauth2client_4_0rr RsaSigner RsaVerifierrDAUTH_TOKEN_LIFETIME_SECSrC getLoggerrr! Exceptionrrr OpenSSLSignerOpenSSLVerifierpkcs12_key_as_pem ImportErrorrPyCryptoSignerPyCryptoVerifierSignerr.r+r5r=rJrXr r r rgs,"4  %/  ( (  ,,    8 $,y,E//"00M$44O&88 0$33N&77  FH FH FH>6*:82(j+}/OM./Ns$*CC CC C$#C$