o F @sdZddlZddlZddlZddlmZdZdZdZe e Z Gddde Z dd Zzdd lmZejZejZejZWneyKdZdZeZYnwerSeZeZn$zdd lmZejZejZWneyvdd lmZejZejZYnwdd dZddZddZddZdddZ dS)z)Crypto-related routines for oauth2client.N)_helpersi,iQc@seZdZdZdS)AppIdentityErrorz!Error to indicate crypto failure.N)__name__ __module__ __qualname____doc__rr;/tmp/google-cloud-sdk/lib/third_party/oauth2client/crypt.pyr srcOstd)Nz#pkcs12_key_as_pem requires OpenSSL.)NotImplementedError)argskwargsrrr _bad_pkcs12_key_as_pem$sr )_openssl_crypt)_pycrypto_crypt)_pure_python_cryptcCsvddd}|dur ||d<tt|tt|g}d|}||}|t|tt|d|S)aRMake a signed JWT. See http://self-issued.info/docs/draft-jones-json-web-token.html. Args: signer: crypt.Signer, Cryptographic signer. payload: dict, Dictionary of data to convert to JSON and then sign. key_id: string, (Optional) Key ID header. Returns: string, The JWT for the payload. JWTRS256)typalgNkid.) r_urlsafe_b64encode _json_encodejoinsignappendloggerdebugstr)signerpayloadkey_idheadersegments signing_input signaturerrr make_signed_jwtAs    r&cCs2|D]}tj|dd}|||rdSqtd)aVerifies signed content using a list of certificates. Args: message: string or bytes, The message to verify. signature: string or bytes, The signature on the message. certs: iterable, certificates in PEM format. Raises: AppIdentityError: If none of the certificates can verify the message against the signature. T) is_x509_certNzInvalid token signature)Verifier from_stringverifyr)messager%certspemverifierrrr _verify_signature`s   r/cCsJ|durdS|d}|durtd|||kr#td|||dS)aAChecks audience field from a JWT payload. Does nothing if the passed in ``audience`` is null. Args: payload_dict: dict, A dictionary containing a JWT payload. audience: string or NoneType, an audience to check for in the JWT payload. Raises: AppIdentityError: If there is no ``'aud'`` field in the payload dictionary but there is an ``audience`` to check. AppIdentityError: If the ``'aud'`` field in the payload dictionary does not match the ``audience``. NaudzNo aud field in token: {0}z Wrong recipient, {0} != {1}: {2})getrformat) payload_dictaudienceaudience_in_payloadrrr _check_audienceus r6cCstt}|d}|durtd||d}|dur&td|||tkr3td||t}||krDtd||||t}||krUtd|||dS) aVerifies the issued at and expiration from a JWT payload. Makes sure the current time (in UTC) falls between the issued at and expiration for the JWT (with some skew allowed for via ``CLOCK_SKEW_SECS``). Args: payload_dict: dict, A dictionary containing a JWT payload. Raises: AppIdentityError: If there is no ``'iat'`` field in the payload dictionary. AppIdentityError: If there is no ``'exp'`` field in the payload dictionary. AppIdentityError: If the JWT expiration is too far in the future (i.e. if the expiration would imply a token lifetime longer than what is allowed.) AppIdentityError: If the token appears to have been issued in the future (up to clock skew). AppIdentityError: If the token appears to have expired in the past (up to clock skew). iatNzNo iat field in token: {0}expzNo exp field in token: {0}z exp field too far in future: {0}z$Token used too early, {0} < {1}: {2}z#Token used too late, {0} > {1}: {2})inttimer1rr2MAX_TOKEN_LIFETIME_SECSCLOCK_SKEW_SECS)r3now issued_at expirationearliestlatestrrr _verify_time_ranges4    rBc Cst|}|ddkrtd||d\}}}|d|}t|}t|}z tt |}Wn td|t ||| t |t |||S)aVerify a JWT against public certs. See http://self-issued.info/docs/draft-jones-json-web-token.html. Args: jwt: string, A JWT. certs: dict, Dictionary where values of public keys in PEM format. audience: string, The audience, 'aud', that this JWT should contain. If None then the JWT's 'aud' parameter is not verified. Returns: dict, The deserialized JSON payload in the JWT. Raises: AppIdentityError: if any checks are failed. rz&Wrong number of segments in token: {0}zCan't parse token: {0})r _to_bytescountrr2split_urlsafe_b64decodejsonloads _from_bytesr/valuesrBr6) jwtr,r4r"r r%message_to_sign payload_bytesr3rrr verify_signed_jwt_with_certss"     rO)N)!rrHloggingr: oauth2clientrr<AUTH_TOKEN_LIFETIME_SECSr; getLoggerrr Exceptionrr r OpenSSLSignerOpenSSLVerifierpkcs12_key_as_pem ImportErrorSignerr(rPyCryptoSignerPyCryptoVerifierr RsaSigner RsaVerifierr&r/r6rBrOrrrr sL           5