Readable strings recovered from the compiled Python module oauth2client/crypt.py

Source path: /Users/riccardo/git/gcloud/packages/gcutil-1.7.1/lib/google_api_python_client/oauth2client/crypt.py

Imports: base64, hashlib, logging, time, OpenSSL (crypto), anyjson (simplejson)

Module constants: CLOCK_SKEW_SECS, AUTH_TOKEN_LIFETIME_SECS, MAX_TOKEN_LIFETIME_SECS

class AppIdentityError

class Verifier
    Verifies the signature on a message.

    __init__(self, pubkey)
        Constructor.
        Args:
          pubkey, OpenSSL.crypto.PKey, The public key to verify with.

    verify(self, message, signature)
        Verifies a message against a signature.
        Args:
          message: string, The message to verify.
          signature: string, The signature on the message.
        Returns:
          True if message was signed by the private key associated with the
          public key that this object was constructed with.
        Digest name used: sha256

    from_string(key_pem, is_x509_cert)  [staticmethod]
        Construct a Verifier instance from a string.
        Args:
          key_pem: string, public key in PEM format.
          is_x509_cert: bool, True if key_pem is an X509 cert, otherwise it is
            expected to be an RSA key in PEM format.
        Returns:
          Verifier instance.
        Raises:
          OpenSSL.crypto.Error if the key_pem can't be parsed.

class Signer
    Signs messages with a private key.

    __init__(self, pkey)
        Constructor.
        Args:
          pkey, OpenSSL.crypto.PKey, The private key to sign with.

    sign(self, message)
        Signs a message.
        Args:
          message: string, Message to be signed.
        Returns:
          string, The signature of the message for the given key.
        Digest name used: sha256

    from_string(key, password='notasecret')  [staticmethod]
        Construct a Signer instance from a string.
        Args:
          key: string, private key in P12 format.
          password: string, password for the private key file.
        Returns:
          Signer instance.
        Raises:
          OpenSSL.crypto.Error if the key can't be parsed.

Module functions:

_urlsafe_b64encode(raw_bytes)
_urlsafe_b64decode(b64string)
_json_encode(data)

make_signed_jwt(signer, payload)
    Make a signed JWT.
    See http://self-issued.info/docs/draft-jones-json-web-token.html.
    Args:
      signer: crypt.Signer, Cryptographic signer.
      payload: dict, Dictionary of data to convert to JSON and then sign.
    Returns:
      string, The JWT for the payload.
    Header fields: typ = JWT, alg = RS256

verify_signed_jwt_with_certs(jwt, certs, audience)
    Verify a JWT against public certs.
    See http://self-issued.info/docs/draft-jones-json-web-token.html.
    Args:
      jwt: string, A JWT.
      certs: dict, Dictionary whose values are public keys in PEM format.
      audience: string, The audience, 'aud', that this JWT should contain. If
        None then the JWT's 'aud' parameter is not verified.
    Returns:
      dict, The deserialized JSON payload in the JWT.
    Raises:
      AppIdentityError if any checks are failed.
    Error messages, in the order they appear:
      Wrong number of segments in token: %s
      Can't parse token: %s
      Invalid token signature: %s
      No iat field in token: %s
      No exp field in token: %s
      exp field too far in future: %s
      Token used too early, %d < %d: %s
      Token used too late, %d > %d: %s
      No aud field in token: %s
      Wrong recipient, %s != %s: %s