def clean_headers(headers):
"""Forces header keys and values to be strings, i.e not unicode.
The httplib module just concats the header keys and values in a way that
may make the message header a unicode string, which, if it then tries to
contatenate to a binary request body may result in a unicode decode error.
Args:
headers: dict, A dictionary of headers.
Returns:
The same dictionary but with all the keys converted to strings.
"""
clean = {}
try:
for k, v in six.iteritems(headers):
if not isinstance(k, six.binary_type):
k = str(k)
if not isinstance(v, six.binary_type):
v = str(v)
clean[_helpers._to_bytes(k)] = _helpers._to_bytes(v)
except UnicodeEncodeError:
from oauth2client.client import NonAsciiHeaderError
raise NonAsciiHeaderError(k, ': ', v)
return clean
def test_with_system_time(self):
digest = b'foobar'
curr_time = 1440449755.74
digester = mock.MagicMock()
digester.digest = mock.MagicMock(name='digest', return_value=digest)
with mock.patch('oauth2client.xsrfutil.hmac') as hmac:
hmac.new = mock.MagicMock(name='new', return_value=digester)
with mock.patch('oauth2client.xsrfutil.time') as time:
time.time = mock.MagicMock(name='time', return_value=curr_time)
# when= is omitted
token = xsrfutil.generate_token(TEST_KEY,
TEST_USER_ID_1,
action_id=TEST_ACTION_ID_1)
hmac.new.assert_called_once_with(TEST_KEY)
time.time.assert_called_once_with()
digester.digest.assert_called_once_with()
expected_digest_calls = [
mock.call.update(_to_bytes(str(TEST_USER_ID_1))),
mock.call.update(xsrfutil.DELIMITER),
mock.call.update(TEST_ACTION_ID_1),
mock.call.update(xsrfutil.DELIMITER),
mock.call.update(_to_bytes(str(int(curr_time)))),
]
self.assertEqual(digester.method_calls, expected_digest_calls)
expected_token_as_bytes = (digest + xsrfutil.DELIMITER +
_to_bytes(str(int(curr_time))))
expected_token = base64.urlsafe_b64encode(
expected_token_as_bytes)
self.assertEqual(token, expected_token)
def test_with_system_time(self):
digest = b'foobar'
curr_time = 1440449755.74
digester = mock.MagicMock()
digester.digest = mock.MagicMock(name='digest', return_value=digest)
with mock.patch('oauth2client.xsrfutil.hmac') as hmac:
hmac.new = mock.MagicMock(name='new', return_value=digester)
with mock.patch('oauth2client.xsrfutil.time') as time:
time.time = mock.MagicMock(name='time', return_value=curr_time)
# when= is omitted
token = xsrfutil.generate_token(TEST_KEY,
TEST_USER_ID_1,
action_id=TEST_ACTION_ID_1)
hmac.new.assert_called_once_with(TEST_KEY)
time.time.assert_called_once_with()
digester.digest.assert_called_once_with()
expected_digest_calls = [
mock.call.update(_to_bytes(str(TEST_USER_ID_1))),
mock.call.update(xsrfutil.DELIMITER),
mock.call.update(TEST_ACTION_ID_1),
mock.call.update(xsrfutil.DELIMITER),
mock.call.update(_to_bytes(str(int(curr_time)))),
]
self.assertEqual(digester.method_calls, expected_digest_calls)
expected_token_as_bytes = (digest + xsrfutil.DELIMITER +
_to_bytes(str(int(curr_time))))
expected_token = base64.urlsafe_b64encode(
expected_token_as_bytes)
self.assertEqual(token, expected_token)
def generate_token(key, user_id, action_id='', when=None):
"""Generates a URL-safe token for the given user, action, time tuple.
Args:
key: secret key to use.
user_id: the user ID of the authenticated user.
action_id: a string identifier of the action they requested
authorization for.
when: the time in seconds since the epoch at which the user was
authorized for this action. If not set the current time is used.
Returns:
A string XSRF protection token.
"""
digester = hmac.new(_to_bytes(key, encoding='utf-8'))
digester.update(_to_bytes(str(user_id), encoding='utf-8'))
digester.update(DELIMITER)
digester.update(_to_bytes(action_id, encoding='utf-8'))
digester.update(DELIMITER)
when = _to_bytes(str(when or int(time.time())), encoding='utf-8')
digester.update(when)
digest = digester.digest()
token = base64.urlsafe_b64encode(digest + DELIMITER + when)
return token
def generate_token(key, user_id, action_id='', when=None):
"""Generates a URL-safe token for the given user, action, time tuple.
Args:
key: secret key to use.
user_id: the user ID of the authenticated user.
action_id: a string identifier of the action they requested
authorization for.
when: the time in seconds since the epoch at which the user was
authorized for this action. If not set the current time is used.
Returns:
A string XSRF protection token.
"""
digester = hmac.new(_to_bytes(key, encoding='utf-8'))
digester.update(_to_bytes(str(user_id), encoding='utf-8'))
digester.update(DELIMITER)
digester.update(_to_bytes(action_id, encoding='utf-8'))
digester.update(DELIMITER)
when = _to_bytes(str(when or int(time.time())), encoding='utf-8')
digester.update(when)
digest = digester.digest()
token = base64.urlsafe_b64encode(digest + DELIMITER + when)
return token
def test_it(self):
digest = b'foobar'
digester = mock.MagicMock()
digester.digest = mock.MagicMock(name='digest', return_value=digest)
with mock.patch('oauth2client.contrib.xsrfutil.hmac') as hmac:
hmac.new = mock.MagicMock(name='new', return_value=digester)
token = xsrfutil.generate_token(TEST_KEY,
TEST_USER_ID_1,
action_id=TEST_ACTION_ID_1,
when=TEST_TIME)
hmac.new.assert_called_once_with(TEST_KEY)
digester.digest.assert_called_once_with()
expected_digest_calls = [
mock.call.update(_helpers._to_bytes(str(TEST_USER_ID_1))),
mock.call.update(xsrfutil.DELIMITER),
mock.call.update(TEST_ACTION_ID_1),
mock.call.update(xsrfutil.DELIMITER),
mock.call.update(_helpers._to_bytes(str(TEST_TIME))),
]
self.assertEqual(digester.method_calls, expected_digest_calls)
expected_token_as_bytes = (digest + xsrfutil.DELIMITER +
_helpers._to_bytes(str(TEST_TIME)))
expected_token = base64.urlsafe_b64encode(expected_token_as_bytes)
self.assertEqual(token, expected_token)
def test_it(self):
digest = b'foobar'
digester = mock.Mock()
digester.digest = mock.Mock(name='digest', return_value=digest)
with mock.patch('oauth2client.contrib.xsrfutil.hmac') as hmac:
hmac.new = mock.Mock(name='new', return_value=digester)
token = xsrfutil.generate_token(TEST_KEY,
TEST_USER_ID_1,
action_id=TEST_ACTION_ID_1,
when=TEST_TIME)
hmac.new.assert_called_once_with(TEST_KEY)
digester.digest.assert_called_once_with()
expected_digest_calls = [
mock.call.update(_helpers._to_bytes(str(TEST_USER_ID_1))),
mock.call.update(xsrfutil.DELIMITER),
mock.call.update(TEST_ACTION_ID_1),
mock.call.update(xsrfutil.DELIMITER),
mock.call.update(_helpers._to_bytes(str(TEST_TIME))),
]
self.assertEqual(digester.method_calls, expected_digest_calls)
expected_token_as_bytes = (digest + xsrfutil.DELIMITER +
_helpers._to_bytes(str(TEST_TIME)))
expected_token = base64.urlsafe_b64encode(
expected_token_as_bytes)
self.assertEqual(token, expected_token)
def clean_headers(headers):
"""Forces header keys and values to be strings, i.e not unicode.
The httplib module just concats the header keys and values in a way that
may make the message header a unicode string, which, if it then tries to
contatenate to a binary request body may result in a unicode decode error.
Args:
headers: dict, A dictionary of headers.
Returns:
The same dictionary but with all the keys converted to strings.
"""
clean = {}
try:
for k, v in six.iteritems(headers):
if not isinstance(k, six.binary_type):
k = str(k)
if not isinstance(v, six.binary_type):
v = str(v)
clean[_to_bytes(k)] = _to_bytes(v)
except UnicodeEncodeError:
from oauth2client.client import NonAsciiHeaderError
raise NonAsciiHeaderError(k, ': ', v)
return clean
def from_string(cls, key_pem, is_x509_cert):
"""Construct an RsaVerifier instance from a string.
Args:
key_pem: string, public key in PEM format.
is_x509_cert: bool, True if key_pem is an X509 cert, otherwise it
is expected to be an RSA key in PEM format.
Returns:
RsaVerifier instance.
Raises:
ValueError: if the key_pem can't be parsed. In either case, error
will begin with 'No PEM start marker'. If
``is_x509_cert`` is True, will fail to find the
"-----BEGIN CERTIFICATE-----" error, otherwise fails
to find "-----BEGIN RSA PUBLIC KEY-----".
"""
key_pem = _to_bytes(key_pem)
if is_x509_cert:
der = rsa.pem.load_pem(key_pem, 'CERTIFICATE')
asn1_cert, remaining = decoder.decode(der, asn1Spec=Certificate())
if remaining != b'':
raise ValueError('Unused bytes', remaining)
cert_info = asn1_cert['tbsCertificate']['subjectPublicKeyInfo']
key_bytes = _bit_list_to_bytes(cert_info['subjectPublicKey'])
pubkey = rsa.PublicKey.load_pkcs1(key_bytes, 'DER')
else:
pubkey = rsa.PublicKey.load_pkcs1(key_pem, 'PEM')
return cls(pubkey)
def from_string(key, password='******'):
"""Construct a Signer instance from a string.
Args:
key: string, private key in PEM format.
password: string, password for private key file. Unused for PEM
files.
Returns:
Signer instance.
Raises:
NotImplementedError if the key isn't in PEM format.
"""
parsed_pem_key = _parse_pem_key(_to_bytes(key))
if parsed_pem_key:
pkey = RSA.importKey(parsed_pem_key)
else:
raise NotImplementedError(
'PKCS12 format is not supported by the PyCrypto library. '
'Try converting to a "PEM" '
'(openssl pkcs12 -in xxxxx.p12 -nodes -nocerts > '
'privatekey.pem) '
'or using PyOpenSSL if native code is an option.')
return PyCryptoSigner(pkey)
def test_no_newline_in_received_header(self):
non_zero_port = 1
sock = mock.MagicMock()
header_without_newline = ''
sock.recv(6).decode = mock.MagicMock(
name='decode', return_value=header_without_newline)
with mock.patch('oauth2client.devshell.os') as os_mod:
os_mod.getenv = mock.MagicMock(name='getenv',
return_value=non_zero_port)
with mock.patch('oauth2client.devshell.socket') as socket:
socket.socket = mock.MagicMock(name='socket',
return_value=sock)
self.assertRaises(CommunicationError, _SendRecv)
os_mod.getenv.assert_called_once_with(DEVSHELL_ENV, 0)
socket.socket.assert_called_once_with()
sock.recv(6).decode.assert_called_once_with()
data = CREDENTIAL_INFO_REQUEST_JSON
msg = _to_bytes('%s\n%s' % (len(data), data), encoding='utf-8')
expected_sock_calls = [
mock.call.recv(6), # From the set-up above
mock.call.connect(('localhost', non_zero_port)),
mock.call.sendall(msg),
mock.call.recv(6),
mock.call.recv(6), # From the check above
]
self.assertEqual(sock.method_calls, expected_sock_calls)
def test_token_length_differs_from_generated(self):
token_time = 123456789
# Make sure it isn't too old.
curr_time = token_time + xsrfutil.DEFAULT_TIMEOUT_SECS - 1
key = object()
user_id = object()
action_id = object()
token = base64.b64encode(_to_bytes(str(token_time)))
generated_token = b'a'
# Make sure the token length comparison will fail.
self.assertNotEqual(len(token), len(generated_token))
with mock.patch('oauth2client.contrib.xsrfutil.generate_token',
return_value=generated_token) as gen_tok:
self.assertFalse(
xsrfutil.validate_token(key,
token,
user_id,
current_time=curr_time,
action_id=action_id))
gen_tok.assert_called_once_with(key,
user_id,
action_id=action_id,
when=token_time)
def _SendRecv():
"""Communicate with the Developer Shell server socket."""
port = int(os.getenv(DEVSHELL_ENV, 0))
if port == 0:
raise NoDevshellServer()
import socket
sock = socket.socket()
sock.connect(('localhost', port))
data = CREDENTIAL_INFO_REQUEST_JSON
msg = '%s\n%s' % (len(data), data)
sock.sendall(_to_bytes(msg, encoding='utf-8'))
header = sock.recv(6).decode()
if '\n' not in header:
raise CommunicationError('saw no newline in the first 6 bytes')
len_str, json_str = header.split('\n', 1)
to_read = int(len_str) - len(json_str)
if to_read > 0:
json_str += sock.recv(to_read, socket.MSG_WAITALL).decode()
return CredentialInfoResponse(json_str)
def _SendRecv():
"""Communicate with the Developer Shell server socket."""
port = int(os.getenv(DEVSHELL_ENV, 0))
if port == 0:
raise NoDevshellServer()
import socket
sock = socket.socket()
sock.connect(("localhost", port))
data = CREDENTIAL_INFO_REQUEST_JSON
msg = "%s\n%s" % (len(data), data)
sock.sendall(_to_bytes(msg, encoding="utf-8"))
header = sock.recv(6).decode()
if "\n" not in header:
raise CommunicationError("saw no newline in the first 6 bytes")
len_str, json_str = header.split("\n", 1)
to_read = int(len_str) - len(json_str)
if to_read > 0:
json_str += sock.recv(to_read, socket.MSG_WAITALL).decode()
return CredentialInfoResponse(json_str)
def test_token_differs_from_generated_but_same_length(self):
token_time = 123456789
# Make sure it isn't too old.
curr_time = token_time + xsrfutil.DEFAULT_TIMEOUT_SECS - 1
key = object()
user_id = object()
action_id = object()
token = base64.b64encode(_to_bytes(str(token_time)))
# It is encoded as b'MTIzNDU2Nzg5', which has length 12.
generated_token = b'M' * 12
# Make sure the token length comparison will succeed, but the token
# comparison will fail.
self.assertEqual(len(token), len(generated_token))
self.assertNotEqual(token, generated_token)
with mock.patch('oauth2client.xsrfutil.generate_token',
return_value=generated_token) as gen_tok:
self.assertFalse(
xsrfutil.validate_token(key,
token,
user_id,
current_time=curr_time,
action_id=action_id))
gen_tok.assert_called_once_with(key,
user_id,
action_id=action_id,
when=token_time)
def from_string(cls, key_pem, is_x509_cert):
"""Construct an RsaVerifier instance from a string.
Args:
key_pem: string, public key in PEM format.
is_x509_cert: bool, True if key_pem is an X509 cert, otherwise it
is expected to be an RSA key in PEM format.
Returns:
RsaVerifier instance.
Raises:
ValueError: if the key_pem can't be parsed. In either case, error
will begin with 'No PEM start marker'. If
``is_x509_cert`` is True, will fail to find the
"-----BEGIN CERTIFICATE-----" error, otherwise fails
to find "-----BEGIN RSA PUBLIC KEY-----".
"""
key_pem = _helpers._to_bytes(key_pem)
if is_x509_cert:
der = rsa.pem.load_pem(key_pem, 'CERTIFICATE')
asn1_cert, remaining = decoder.decode(der, asn1Spec=Certificate())
if remaining != b'':
raise ValueError('Unused bytes', remaining)
cert_info = asn1_cert['tbsCertificate']['subjectPublicKeyInfo']
key_bytes = _bit_list_to_bytes(cert_info['subjectPublicKey'])
pubkey = rsa.PublicKey.load_pkcs1(key_bytes, 'DER')
else:
pubkey = rsa.PublicKey.load_pkcs1(key_pem, 'PEM')
return cls(pubkey)
def test_no_newline_in_received_header(self):
non_zero_port = 1
sock = mock.MagicMock()
header_without_newline = ''
sock.recv(6).decode = mock.MagicMock(
name='decode', return_value=header_without_newline)
with mock.patch('oauth2client.contrib.devshell.os') as os_mod:
os_mod.getenv = mock.MagicMock(name='getenv',
return_value=non_zero_port)
with mock.patch('oauth2client.contrib.devshell.socket') as socket:
socket.socket = mock.MagicMock(name='socket',
return_value=sock)
with self.assertRaises(CommunicationError):
_SendRecv()
os_mod.getenv.assert_called_once_with(DEVSHELL_ENV, 0)
socket.socket.assert_called_once_with()
sock.recv(6).decode.assert_called_once_with()
data = CREDENTIAL_INFO_REQUEST_JSON
msg = _to_bytes('{0}\n{1}'.format(len(data), data),
encoding='utf-8')
expected_sock_calls = [
mock.call.recv(6), # From the set-up above
mock.call.connect(('localhost', non_zero_port)),
mock.call.sendall(msg),
mock.call.recv(6),
mock.call.recv(6), # From the check above
]
self.assertEqual(sock.method_calls, expected_sock_calls)
def test_no_newline_in_received_header(self):
non_zero_port = 1
sock = mock.MagicMock()
header_without_newline = ""
sock.recv(6).decode = mock.MagicMock(name="decode", return_value=header_without_newline)
with mock.patch("oauth2client.devshell.os") as os_mod:
os_mod.getenv = mock.MagicMock(name="getenv", return_value=non_zero_port)
with mock.patch("oauth2client.devshell.socket") as socket:
socket.socket = mock.MagicMock(name="socket", return_value=sock)
self.assertRaises(CommunicationError, _SendRecv)
os_mod.getenv.assert_called_once_with(DEVSHELL_ENV, 0)
socket.socket.assert_called_once_with()
sock.recv(6).decode.assert_called_once_with()
data = CREDENTIAL_INFO_REQUEST_JSON
msg = _to_bytes("%s\n%s" % (len(data), data), encoding="utf-8")
expected_sock_calls = [
mock.call.recv(6), # From the set-up above
mock.call.connect(("localhost", non_zero_port)),
mock.call.sendall(msg),
mock.call.recv(6),
mock.call.recv(6), # From the check above
]
self.assertEqual(sock.method_calls, expected_sock_calls)
def from_string(key, password='******'):
"""Construct a Signer instance from a string.
Args:
key: string, private key in PEM format.
password: string, password for private key file. Unused for PEM
files.
Returns:
Signer instance.
Raises:
NotImplementedError if the key isn't in PEM format.
"""
parsed_pem_key = _parse_pem_key(_to_bytes(key))
if parsed_pem_key:
pkey = RSA.importKey(parsed_pem_key)
else:
raise NotImplementedError(
'PKCS12 format is not supported by the PyCrypto library. '
'Try converting to a "PEM" '
'(openssl pkcs12 -in xxxxx.p12 -nodes -nocerts > '
'privatekey.pem) '
'or using PyOpenSSL if native code is an option.')
return PyCryptoSigner(pkey)
def _get_private_key(private_key_pkcs8_text):
"""Get an RSA private key object from a pkcs8 representation."""
private_key_pkcs8_text = _to_bytes(private_key_pkcs8_text)
der = rsa.pem.load_pem(private_key_pkcs8_text, 'PRIVATE KEY')
asn1_private_key, _ = decoder.decode(der, asn1Spec=PrivateKeyInfo())
return rsa.PrivateKey.load_pkcs1(
asn1_private_key.getComponentByName('privateKey').asOctets(),
format='DER')
def test_token_too_old_explicit_current_time(self):
token_time = 123456789
curr_time = token_time + xsrfutil.DEFAULT_TIMEOUT_SECS + 1
key = user_id = None
token = base64.b64encode(_to_bytes(str(token_time)))
self.assertFalse(xsrfutil.validate_token(key, token, user_id,
current_time=curr_time))
def _get_private_key(private_key_pkcs8_text):
"""Get an RSA private key object from a pkcs8 representation."""
private_key_pkcs8_text = _to_bytes(private_key_pkcs8_text)
der = rsa.pem.load_pem(private_key_pkcs8_text, 'PRIVATE KEY')
asn1_private_key, _ = decoder.decode(der, asn1Spec=PrivateKeyInfo())
return rsa.PrivateKey.load_pkcs1(
asn1_private_key.getComponentByName('privateKey').asOctets(),
format='DER')
def test_token_too_old_implicit_current_time(self):
token_time = 123456789
curr_time = token_time + xsrfutil.DEFAULT_TIMEOUT_SECS + 1
key = user_id = None
token = base64.b64encode(_to_bytes(str(token_time)))
with mock.patch('oauth2client.xsrfutil.time') as time:
time.time = mock.MagicMock(name='time', return_value=curr_time)
self.assertFalse(xsrfutil.validate_token(key, token, user_id))
time.time.assert_called_once_with()
def test_token_too_old_implicit_current_time(self):
token_time = 123456789
curr_time = token_time + xsrfutil.DEFAULT_TIMEOUT_SECS + 1
key = user_id = None
token = base64.b64encode(_to_bytes(str(token_time)))
with mock.patch('oauth2client.xsrfutil.time') as time:
time.time = mock.MagicMock(name='time', return_value=curr_time)
self.assertFalse(xsrfutil.validate_token(key, token, user_id))
time.time.assert_called_once_with()
def sign(self, message):
"""Signs a message.
Args:
message: bytes, Message to be signed.
Returns:
string, The signature of the message for the given key.
"""
message = _helpers._to_bytes(message, encoding='utf-8')
return rsa.pkcs1.sign(message, self._key, 'SHA-256')
def test_token_too_old_explicit_current_time(self):
token_time = 123456789
curr_time = token_time + xsrfutil.DEFAULT_TIMEOUT_SECS + 1
key = user_id = None
token = base64.b64encode(_to_bytes(str(token_time)))
self.assertFalse(
xsrfutil.validate_token(key,
token,
user_id,
current_time=curr_time))
def sign(self, message):
"""Signs a message.
Args:
message: string, Message to be signed.
Returns:
string, The signature of the message for the given key.
"""
message = _helpers._to_bytes(message, encoding='utf-8')
return PKCS1_v1_5.new(self._key).sign(SHA256.new(message))
def sign(self, message):
"""Signs a message.
Args:
message: bytes, Message to be signed.
Returns:
string, The signature of the message for the given key.
"""
message = _helpers._to_bytes(message, encoding='utf-8')
return rsa.pkcs1.sign(message, self._key, 'SHA-256')
def sign(self, message):
"""Signs a message.
Args:
message: string, Message to be signed.
Returns:
string, The signature of the message for the given key.
"""
message = _to_bytes(message, encoding='utf-8')
return PKCS1_v1_5.new(self._key).sign(SHA256.new(message))
def verify(self, message, signature):
"""Verifies a message against a signature.
Args:
message: string or bytes, The message to verify. If string, will be
encoded to bytes as utf-8.
signature: string or bytes, The signature on the message. If string,
will be encoded to bytes as utf-8.
Returns:
True if message was signed by the private key associated with the
public key that this object was constructed with.
"""
message = _to_bytes(message, encoding='utf-8')
signature = _to_bytes(signature, encoding='utf-8')
try:
crypto.verify(self._pubkey, signature, message, 'sha256')
return True
except crypto.Error:
return False
def sign(self, message):
"""Signs a message.
Args:
message: bytes, Message to be signed.
Returns:
string, The signature of the message for the given key.
"""
message = _to_bytes(message, encoding='utf-8')
return crypto.sign(self._key, message, 'sha256')
def from_string(key, password=b'notasecret'):
"""Construct a Signer instance from a string.
Args:
key: string, private key in PKCS12 or PEM format.
password: string, password for the private key file.
Returns:
Signer instance.
Raises:
OpenSSL.crypto.Error if the key can't be parsed.
"""
key = _helpers._to_bytes(key)
parsed_pem_key = _helpers._parse_pem_key(key)
if parsed_pem_key:
pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, parsed_pem_key)
else:
password = _helpers._to_bytes(password, encoding='utf-8')
pkey = crypto.load_pkcs12(key, password).get_privatekey()
return OpenSSLSigner(pkey)
def from_string(key, password=b'notasecret'):
"""Construct a Signer instance from a string.
Args:
key: string, private key in PKCS12 or PEM format.
password: string, password for the private key file.
Returns:
Signer instance.
Raises:
OpenSSL.crypto.Error if the key can't be parsed.
"""
key = _to_bytes(key)
parsed_pem_key = _parse_pem_key(key)
if parsed_pem_key:
pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, parsed_pem_key)
else:
password = _to_bytes(password, encoding='utf-8')
pkey = crypto.load_pkcs12(key, password).get_privatekey()
return OpenSSLSigner(pkey)
def pkcs12_key_as_pem(private_key_bytes, private_key_password):
"""Convert the contents of a PKCS#12 key to PEM using pyOpenSSL.
Args:
private_key_bytes: Bytes. PKCS#12 key in DER format.
private_key_password: String. Password for PKCS#12 key.
Returns:
String. PEM contents of ``private_key_bytes``.
"""
private_key_password = _helpers._to_bytes(private_key_password)
pkcs12 = crypto.load_pkcs12(private_key_bytes, private_key_password)
return crypto.dump_privatekey(crypto.FILETYPE_PEM, pkcs12.get_privatekey())
def pkcs12_key_as_pem(private_key_bytes, private_key_password):
"""Convert the contents of a PKCS#12 key to PEM using pyOpenSSL.
Args:
private_key_bytes: Bytes. PKCS#12 key in DER format.
private_key_password: String. Password for PKCS#12 key.
Returns:
String. PEM contents of ``private_key_bytes``.
"""
private_key_password = _to_bytes(private_key_password)
pkcs12 = crypto.load_pkcs12(private_key_bytes, private_key_password)
return crypto.dump_privatekey(crypto.FILETYPE_PEM,
pkcs12.get_privatekey())
def verify(self, message, signature):
"""Verifies a message against a signature.
Args:
message: string or bytes, The message to verify. If string, will be
encoded to bytes as utf-8.
signature: string or bytes, The signature on the message.
Returns:
True if message was signed by the private key associated with the
public key that this object was constructed with.
"""
message = _to_bytes(message, encoding='utf-8')
return PKCS1_v1_5.new(self._pubkey).verify(
SHA256.new(message), signature)
def verify(self, message, signature):
"""Verifies a message against a signature.
Args:
message: string or bytes, The message to verify. If string, will be
encoded to bytes as utf-8.
signature: string or bytes, The signature on the message.
Returns:
True if message was signed by the private key associated with the
public key that this object was constructed with.
"""
message = _helpers._to_bytes(message, encoding='utf-8')
return PKCS1_v1_5.new(self._pubkey).verify(SHA256.new(message),
signature)
def pkcs12_key_as_pem(private_key_text, private_key_password):
"""Convert the contents of a PKCS12 key to PEM using OpenSSL.
Args:
private_key_text: String. Private key.
private_key_password: String. Password for PKCS12.
Returns:
String. PEM contents of ``private_key_text``.
"""
decoded_body = base64.b64decode(private_key_text)
private_key_password = _to_bytes(private_key_password)
pkcs12 = crypto.load_pkcs12(decoded_body, private_key_password)
return crypto.dump_privatekey(crypto.FILETYPE_PEM, pkcs12.get_privatekey())
def test_success(self):
token_time = 123456789
# Make sure it isn't too old.
curr_time = token_time + xsrfutil.DEFAULT_TIMEOUT_SECS - 1
key = object()
user_id = object()
action_id = object()
token = base64.b64encode(_to_bytes(str(token_time)))
with mock.patch('oauth2client.xsrfutil.generate_token',
return_value=token) as gen_tok:
self.assertTrue(xsrfutil.validate_token(key, token, user_id,
current_time=curr_time,
action_id=action_id))
gen_tok.assert_called_once_with(key, user_id, action_id=action_id,
when=token_time)
def pkcs12_key_as_pem(private_key_text, private_key_password):
"""Convert the contents of a PKCS12 key to PEM using OpenSSL.
Args:
private_key_text: String. Private key.
private_key_password: String. Password for PKCS12.
Returns:
String. PEM contents of ``private_key_text``.
"""
decoded_body = base64.b64decode(private_key_text)
private_key_password = _to_bytes(private_key_password)
pkcs12 = crypto.load_pkcs12(decoded_body, private_key_password)
return crypto.dump_privatekey(crypto.FILETYPE_PEM,
pkcs12.get_privatekey())
def verify(self, message, signature):
"""Verifies a message against a signature.
Args:
message: string or bytes, The message to verify. If string, will be
encoded to bytes as utf-8.
signature: string or bytes, The signature on the message. If
string, will be encoded to bytes as utf-8.
Returns:
True if message was signed by the private key associated with the
public key that this object was constructed with.
"""
message = _to_bytes(message, encoding='utf-8')
try:
return rsa.pkcs1.verify(message, signature, self._pubkey)
except (ValueError, rsa.pkcs1.VerificationError):
return False
def verify(self, message, signature):
"""Verifies a message against a signature.
Args:
message: string or bytes, The message to verify. If string, will be
encoded to bytes as utf-8.
signature: string or bytes, The signature on the message. If
string, will be encoded to bytes as utf-8.
Returns:
True if message was signed by the private key associated with the
public key that this object was constructed with.
"""
message = _helpers._to_bytes(message, encoding='utf-8')
try:
return rsa.pkcs1.verify(message, signature, self._pubkey)
except (ValueError, rsa.pkcs1.VerificationError):
return False
def verify_signed_jwt_with_certs(jwt, certs, audience=None):
"""Verify a JWT against public certs.
See http://self-issued.info/docs/draft-jones-json-web-token.html.
Args:
jwt: string, A JWT.
certs: dict, Dictionary where values of public keys in PEM format.
audience: string, The audience, 'aud', that this JWT should contain. If
None then the JWT's 'aud' parameter is not verified.
Returns:
dict, The deserialized JSON payload in the JWT.
Raises:
AppIdentityError: if any checks are failed.
"""
jwt = _helpers._to_bytes(jwt)
if jwt.count(b'.') != 2:
raise AppIdentityError(
'Wrong number of segments in token: {0}'.format(jwt))
header, payload, signature = jwt.split(b'.')
message_to_sign = header + b'.' + payload
signature = _helpers._urlsafe_b64decode(signature)
# Parse token.
payload_bytes = _helpers._urlsafe_b64decode(payload)
try:
payload_dict = json.loads(_helpers._from_bytes(payload_bytes))
except:
raise AppIdentityError('Can\'t parse token: {0}'.format(payload_bytes))
# Verify that the signature matches the message.
_verify_signature(message_to_sign, signature, certs.values())
# Verify the issued at and created times in the payload.
_verify_time_range(payload_dict)
# Check audience.
_check_audience(payload_dict, audience)
return payload_dict
def _refresh_success_helper(self, bytes_response=False):
access_token = u'this-is-a-token'
return_val = json.dumps({u'access_token': access_token})
if bytes_response:
return_val = _to_bytes(return_val)
http = mock.MagicMock()
http.request = mock.MagicMock(
return_value=(mock.Mock(status=http_client.OK), return_val))
credentials = AppAssertionCredentials()
self.assertEquals(None, credentials.access_token)
credentials.refresh(http)
self.assertEquals(access_token, credentials.access_token)
base_metadata_uri = (
'http://metadata.google.internal/computeMetadata/v1/instance/'
'service-accounts/default/token')
http.request.assert_called_once_with(
base_metadata_uri, headers={'Metadata-Flavor': 'Google'})
def _refresh_success_helper(self, bytes_response=False):
access_token = u'this-is-a-token'
return_val = json.dumps({u'access_token': access_token})
if bytes_response:
return_val = _to_bytes(return_val)
http = mock.MagicMock()
http.request = mock.MagicMock(return_value=(mock.Mock(
status=http_client.OK), return_val))
credentials = AppAssertionCredentials()
self.assertEquals(None, credentials.access_token)
credentials.refresh(http)
self.assertEquals(access_token, credentials.access_token)
base_metadata_uri = (
'http://metadata.google.internal/computeMetadata/v1/instance/'
'service-accounts/default/token')
http.request.assert_called_once_with(
base_metadata_uri, headers={'Metadata-Flavor': 'Google'})
def test_bad_message_to_mock_server(self):
request_content = CREDENTIAL_INFO_REQUEST_JSON + "extrastuff"
request_message = _to_bytes("%d\n%s" % (len(request_content), request_content))
response_message = "foobar"
with _AuthReferenceServer(response_message) as auth_server:
self.assertFalse(auth_server.bad_request)
sock = socket.socket()
port = int(os.getenv(DEVSHELL_ENV, 0))
sock.connect(("localhost", port))
sock.sendall(request_message)
# Mimic the receive part of _SendRecv
header = sock.recv(6).decode()
len_str, result = header.split("\n", 1)
to_read = int(len_str) - len(result)
result += sock.recv(to_read, socket.MSG_WAITALL).decode()
self.assertTrue(auth_server.bad_request)
self.assertEqual(result, response_message)
def from_string(key_pem, is_x509_cert):
"""Construct a Verified instance from a string.
Args:
key_pem: string, public key in PEM format.
is_x509_cert: bool, True if key_pem is an X509 cert, otherwise it
is expected to be an RSA key in PEM format.
Returns:
Verifier instance.
Raises:
OpenSSL.crypto.Error: if the key_pem can't be parsed.
"""
key_pem = _to_bytes(key_pem)
if is_x509_cert:
pubkey = crypto.load_certificate(crypto.FILETYPE_PEM, key_pem)
else:
pubkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem)
return OpenSSLVerifier(pubkey)
def _refresh_success_helper(self, bytes_response=False):
access_token = u'this-is-a-token'
return_val = json.dumps({u'accessToken': access_token})
if bytes_response:
return_val = _to_bytes(return_val)
http = mock.MagicMock()
http.request = mock.MagicMock(
return_value=(mock.Mock(status=http_client.OK), return_val))
scopes = ['http://example.com/a', 'http://example.com/b']
credentials = AppAssertionCredentials(scope=scopes)
self.assertEquals(None, credentials.access_token)
credentials.refresh(http)
self.assertEquals(access_token, credentials.access_token)
base_metadata_uri = ('http://metadata.google.internal/0.1/meta-data/'
'service-accounts/default/acquire')
escaped_scopes = urllib.parse.quote(' '.join(scopes), safe='')
request_uri = base_metadata_uri + '?scope=' + escaped_scopes
http.request.assert_called_once_with(request_uri)
def test_token_length_differs_from_generated(self):
token_time = 123456789
# Make sure it isn't too old.
curr_time = token_time + xsrfutil.DEFAULT_TIMEOUT_SECS - 1
key = object()
user_id = object()
action_id = object()
token = base64.b64encode(_to_bytes(str(token_time)))
generated_token = b'a'
# Make sure the token length comparison will fail.
self.assertNotEqual(len(token), len(generated_token))
with mock.patch('oauth2client.xsrfutil.generate_token',
return_value=generated_token) as gen_tok:
self.assertFalse(xsrfutil.validate_token(key, token, user_id,
current_time=curr_time,
action_id=action_id))
gen_tok.assert_called_once_with(key, user_id, action_id=action_id,
when=token_time)
def from_string(key_pem, is_x509_cert):
"""Construct a Verified instance from a string.
Args:
key_pem: string, public key in PEM format.
is_x509_cert: bool, True if key_pem is an X509 cert, otherwise it
is expected to be an RSA key in PEM format.
Returns:
Verifier instance.
Raises:
OpenSSL.crypto.Error: if the key_pem can't be parsed.
"""
key_pem = _helpers._to_bytes(key_pem)
if is_x509_cert:
pubkey = crypto.load_certificate(crypto.FILETYPE_PEM, key_pem)
else:
pubkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem)
return OpenSSLVerifier(pubkey)
def test_bad_message_to_mock_server(self):
request_content = CREDENTIAL_INFO_REQUEST_JSON + 'extrastuff'
request_message = _to_bytes(
'%d\n%s' % (len(request_content), request_content))
response_message = 'foobar'
with _AuthReferenceServer(response_message) as auth_server:
self.assertFalse(auth_server.bad_request)
sock = socket.socket()
port = int(os.getenv(DEVSHELL_ENV, 0))
sock.connect(('localhost', port))
sock.sendall(request_message)
# Mimic the receive part of _SendRecv
header = sock.recv(6).decode()
len_str, result = header.split('\n', 1)
to_read = int(len_str) - len(result)
result += sock.recv(to_read, socket.MSG_WAITALL).decode()
self.assertTrue(auth_server.bad_request)
self.assertEqual(result, response_message)
def test_bad_message_to_mock_server(self):
request_content = devshell.CREDENTIAL_INFO_REQUEST_JSON + 'extrastuff'
request_message = _helpers._to_bytes(
'{0}\n{1}'.format(len(request_content), request_content))
response_message = 'foobar'
with _AuthReferenceServer(response_message) as auth_server:
self.assertFalse(auth_server.bad_request)
sock = socket.socket()
port = int(os.getenv(devshell.DEVSHELL_ENV, 0))
sock.connect(('localhost', port))
sock.sendall(request_message)
# Mimic the receive part of _SendRecv
header = sock.recv(6).decode()
len_str, result = header.split('\n', 1)
to_read = int(len_str) - len(result)
result += sock.recv(to_read, socket.MSG_WAITALL).decode()
self.assertTrue(auth_server.bad_request)
self.assertEqual(result, response_message)
def _refresh_success_helper(self, bytes_response=False):
access_token = u'this-is-a-token'
return_val = json.dumps({u'accessToken': access_token})
if bytes_response:
return_val = _to_bytes(return_val)
http = mock.MagicMock()
http.request = mock.MagicMock(
return_value=(mock.Mock(status=200), return_val))
scopes = ['http://example.com/a', 'http://example.com/b']
credentials = AppAssertionCredentials(scope=scopes)
self.assertEquals(None, credentials.access_token)
credentials.refresh(http)
self.assertEquals(access_token, credentials.access_token)
base_metadata_uri = ('http://metadata.google.internal/0.1/meta-data/'
'service-accounts/default/acquire')
escaped_scopes = urllib.parse.quote(' '.join(scopes), safe='')
request_uri = base_metadata_uri + '?scope=' + escaped_scopes
http.request.assert_called_once_with(request_uri)
def _write_credentials_file(credentials_file, credentials):
"""Writes credentials to a file.
Refer to :func:`_load_credentials_file` for the format.
Args:
credentials_file: An open file handle, must be read/write.
credentials: A dictionary mapping user-defined keys to an instance of
:class:`oauth2client.client.Credentials`.
"""
data = {"file_version": 2, "credentials": {}}
for key, credential in iteritems(credentials):
credential_json = credential.to_json()
encoded_credential = _helpers._from_bytes(base64.b64encode(_helpers._to_bytes(credential_json)))
data["credentials"][key] = encoded_credential
credentials_file.seek(0)
json.dump(data, credentials_file)
credentials_file.truncate()
def test_success(self):
token_time = 123456789
# Make sure it isn't too old.
curr_time = token_time + xsrfutil.DEFAULT_TIMEOUT_SECS - 1
key = object()
user_id = object()
action_id = object()
token = base64.b64encode(_to_bytes(str(token_time)))
with mock.patch('oauth2client.xsrfutil.generate_token',
return_value=token) as gen_tok:
self.assertTrue(
xsrfutil.validate_token(key,
token,
user_id,
current_time=curr_time,
action_id=action_id))
gen_tok.assert_called_once_with(key,
user_id,
action_id=action_id,
when=token_time)
def _write_credentials_file(credentials_file, credentials):
"""Writes credentials to a file.
Refer to :func:`_load_credentials_file` for the format.
Args:
credentials_file: An open file handle, must be read/write.
credentials: A dictionary mapping user-defined keys to an instance of
:class:`oauth2client.client.Credentials`.
"""
data = {'file_version': 2, 'credentials': {}}
for key, credential in iteritems(credentials):
credential_json = credential.to_json()
encoded_credential = _helpers._from_bytes(
base64.b64encode(_helpers._to_bytes(credential_json)))
data['credentials'][key] = encoded_credential
credentials_file.seek(0)
json.dump(data, credentials_file)
credentials_file.truncate()
def from_string(key_pem, is_x509_cert):
"""Construct a Verified instance from a string.
Args:
key_pem: string, public key in PEM format.
is_x509_cert: bool, True if key_pem is an X509 cert, otherwise it
is expected to be an RSA key in PEM format.
Returns:
Verifier instance.
"""
if is_x509_cert:
key_pem = _helpers._to_bytes(key_pem)
pemLines = key_pem.replace(b' ', b'').split()
certDer = _helpers._urlsafe_b64decode(b''.join(pemLines[1:-1]))
certSeq = DerSequence()
certSeq.decode(certDer)
tbsSeq = DerSequence()
tbsSeq.decode(certSeq[0])
pubkey = RSA.importKey(tbsSeq[6])
else:
pubkey = RSA.importKey(key_pem)
return PyCryptoVerifier(pubkey)
