F SrSSKrSSKrSSKrSSKJr SrSrSr\R"\ 5r "SS\ 5r SrSS KJr \R r\R"r\R$r\(a\r\rOSS KJr \R.r\R0rSS jrS rSrSrSSjr g!\a SrSr\rNMf=f!\a! SS KJr \R4r\R6rNLf=f)z)Crypto-related routines for oauth2client.N)_helpersi,iQc\rSrSrSrSrg)AppIdentityError z!Error to indicate crypto failure.N)__name__ __module__ __qualname____firstlineno____doc____static_attributes__r%lib/third_party/oauth2client/crypt.pyrr s+rrc[S5e)Nz#pkcs12_key_as_pem requires OpenSSL.)NotImplementedError)argskwargss r_bad_pkcs12_key_as_pemr$s C DDr)_openssl_crypt)_pycrypto_crypt)_pure_python_cryptcSSS.nUbX#S'[R"[R"U55[R"[R"U55/nSRU5nUR U5nUR [R"U55 [ R[U55 SRU5$)a2Make a signed JWT. See http://self-issued.info/docs/draft-jones-json-web-token.html. Args: signer: crypt.Signer, Cryptographic signer. payload: dict, Dictionary of data to convert to JSON and then sign. key_id: string, (Optional) Key ID header. Returns: string, The JWT for the payload. JWTRS256)typalgkid.) r_urlsafe_b64encode _json_encodejoinsignappendloggerdebugstr)signerpayloadkey_idheadersegments signing_input signatures rmake_signed_jwtr.As7 +F u  ##H$9$9&$AB##H$9$9'$BCHIIh'M M*I OOH// :; LLX 99X rcUH/n[RUSS9nURX5(dM/ g [S5e)a`Verifies signed content using a list of certificates. Args: message: string or bytes, The message to verify. signature: string or bytes, The signature on the message. certs: iterable, certificates in PEM format. Raises: AppIdentityError: If none of the certificates can verify the message against the signature. T) is_x509_certNzInvalid token signature)Verifier from_stringverifyr)messager-certspemverifiers r_verify_signaturer8`sC''$'? ??7 . .  4 55rcUcgURS5nUc[SRU55eX!:wa[SRX!U55eg)aChecks audience field from a JWT payload. Does nothing if the passed in ``audience`` is null. Args: payload_dict: dict, A dictionary containing a JWT payload. audience: string or NoneType, an audience to check for in the JWT payload. Raises: AppIdentityError: If there is no ``'aud'`` field in the payload dictionary but there is an ``audience`` to check. AppIdentityError: If the ``'aud'`` field in the payload dictionary does not match the ``audience``. NaudzNo aud field in token: {0}z Wrong recipient, {0} != {1}: {2})getrformat) payload_dictaudienceaudience_in_payloads r_check_audiencer@usj &**51" ( / / =? ?&AHH < 9: :'rc[[R"55nURS5nUc[SR U55eURS5nUc[SR U55eX1[ -:a[SR U55eU[ - nX:a[SR XU55eU[ -nX:a[SR XU55eg) aVerifies the issued at and expiration from a JWT payload. Makes sure the current time (in UTC) falls between the issued at and expiration for the JWT (with some skew allowed for via ``CLOCK_SKEW_SECS``). Args: payload_dict: dict, A dictionary containing a JWT payload. Raises: AppIdentityError: If there is no ``'iat'`` field in the payload dictionary. AppIdentityError: If there is no ``'exp'`` field in the payload dictionary. AppIdentityError: If the JWT expiration is too far in the future (i.e. if the expiration would imply a token lifetime longer than what is allowed.) AppIdentityError: If the token appears to have been issued in the future (up to clock skew). AppIdentityError: If the token appears to have expired in the past (up to clock skew). iatNzNo iat field in token: {0}expzNo exp field in token: {0}z exp field too far in future: {0}z$Token used too early, {0} < {1}: {2}z#Token used too late, {0} > {1}: {2})inttimer;rr<MAX_TOKEN_LIFETIME_SECSCLOCK_SKEW_SECS)r=now issued_at expirationearliestlatests r_verify_time_rangerMs 0 diik C  'I ( / / =? ?!!%(J ( / / =? ?222 . 5 5l CE E?*H ~ELL < )* */ )F |DKK  '( (rc[R"U5nURS5S:wa[SR U55eUR S5up4nUS-U-n[R "U5n[R "U5n[R"[R"U55n[XeUR55 [U5 [X5 U$! [SR U55e=f)aVerify a JWT against public certs. See http://self-issued.info/docs/draft-jones-json-web-token.html. Args: jwt: string, A JWT. certs: dict, Dictionary where values of public keys in PEM format. audience: string, The audience, 'aud', that this JWT should contain. If None then the JWT's 'aud' parameter is not verified. Returns: dict, The deserialized JSON payload in the JWT. Raises: AppIdentityError: if any checks are failed. rz&Wrong number of segments in token: {0}zCan't parse token: {0})r _to_bytescountrr<split_urlsafe_b64decodejsonloads _from_bytesr8valuesrMr@) jwtr5r>r*r(r-message_to_sign payload_bytesr=s rverify_signed_jwt_with_certsr[s"   S !C yy! 4 ; ;C @B B"%4FYtmg-O++I6I//8MPzz("6"6}"EF o%,,.A|$L+ P8?? NOOs *C++D)N)!r rTloggingrE oauth2clientrrGAUTH_TOKEN_LIFETIME_SECSrF getLoggerrr$ Exceptionrrr OpenSSLSignerOpenSSLVerifierpkcs12_key_as_pem ImportErrorSignerr1rPyCryptoSignerPyCryptoVerifierr RsaSigner RsaVerifierr.r8r@rMr[rrrrjs 0  !   8 $,y,E/+"00M$44O&88 FH20 //"33>6*:82(j+s/OM./ 23#--%112s#*B%3B7% B43B47$CC