File: //lib/python3/dist-packages/oauthlib/oauth1/rfc5849/__pycache__/signature.cpython-310.pyc

This module is an implementation of `section 3.4`_ of RFC 5849.

**Usage**

Steps for signing a request:

1. Collect parameters from the request using ``collect_parameters``.
2. Normalize those parameters using ``normalize_parameters``.
3. Create the *base string URI* using ``base_string_uri``.
4. Create the *signature base string* from the above three components
   using ``signature_base_string``.
5. Pass the *signature base string* and the client credentials to one of the
   sign-with-client functions. The HMAC-based signing functions need
   client credentials with secrets. The RSA-based signing functions need
   client credentials with an RSA private key.

To verify a request, pass the request and credentials to one of the verify
functions. The HMAC-based signing functions need the shared secrets. The
RSA-based verify functions need the RSA public key.
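
The five signing steps and the verify step above, as a stand-alone sketch that uses only the Python standard library. This is an added example, not OAuthLib's code: the function names, the request (modelled on the example in RFC 5849 section 3.4.1.1) and both secrets are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

HASHES = {"SHA-1": hashlib.sha1, "SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}

def escape(s):
    return quote(s, safe="-._~")  # RFC 5849 section 3.6: only unreserved chars stay literal

def base_string_uri(uri):
    """Step 3: lowercase scheme and host, drop default port, query and fragment."""
    p = urlsplit(uri)
    if not p.scheme or not p.hostname:
        raise ValueError("absolute URI required")
    scheme, host = p.scheme.lower(), p.hostname.lower()
    if p.port is not None and (scheme, p.port) not in (("http", 80), ("https", 443)):
        host = "%s:%d" % (host, p.port)
    return "%s://%s%s" % (scheme, host, p.path or "/")

def base_string(method, uri, body, oauth_params):
    """Steps 1-4: collect, normalize, and join the three components."""
    pairs = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    normalized = "&".join("%s=%s" % kv for kv in
                          sorted((escape(k), escape(v)) for k, v in pairs))
    return "&".join(escape(x) for x in (method.upper(), base_string_uri(uri), normalized))

def sign_hmac(hash_name, base, client_secret, token_secret):
    """Step 5: the key is the two escaped secrets joined by '&'."""
    key = escape(client_secret or "") + "&" + escape(token_secret or "")
    mac = hmac.new(key.encode("utf-8"), base.encode("utf-8"), HASHES[hash_name])
    return base64.b64encode(mac.digest()).decode("ascii")

def verify_hmac(hash_name, base, client_secret, token_secret, signature):
    """Server side: recompute the signature, then compare in constant time."""
    expected = sign_hmac(hash_name, base, client_secret, token_secret)
    return hmac.compare_digest(expected.encode("ascii"), signature.encode("utf-8"))

# Constructed request and secrets (parameter values follow the RFC 5849 example).
URI = "http://EXAMPLE.COM:80/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
BODY = "c2&a3=2+q"
OAUTH = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
         "oauth_nonce": "7d8f3e4a"}
BASE = base_string("post", URI, BODY, OAUTH)
SIG = sign_hmac("SHA-1", BASE, "constructed-client-secret", "constructed-token-secret")
```

Because the server rebuilds the base string from the request it actually received, a change to any signed parameter, the method, or the host yields a different base string and the comparison fails.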

**Scope**

All of the functions in this module should be considered internal to OAuthLib,
since they are not imported into the "oauthlib.oauth1" module. Programs using
OAuthLib should not directly invoke any of the functions in this module.

**Deprecated functions**

The "sign_" methods that are not "_with_client" have been deprecated. They may
be removed in a future release. Since they are all internal functions, this
should have no impact on properly behaving programs.

.. _`section 3.4`: https://tools.ietf.org/html/rfc5849#section-3.4

``signature_base_string``
    Construct the signature base string.

    The *signature base string* is the value that is calculated and signed by
    the client. It is also independently calculated by the server to verify
    the signature, and therefore must produce the exact same value at both
    ends or the signature won't verify.

    The rules for calculating the *signature base string* are defined in
    `section 3.4.1.1`_ of RFC 5849.

    .. _`section 3.4.1.1`: https://tools.ietf.org/html/rfc5849#section-3.4.1.1

``base_string_uri``
    Calculates the *base string URI*.

    The *base string URI* is one of the components that make up the
    *signature base string*.

    The ``host`` is optional. If provided, it is used to override any host and
    port values in the ``uri``. The value for ``host`` is usually extracted from
    the "Host" request header from the HTTP request. Its value may be just the
    hostname, or the hostname followed by a colon and a TCP/IP port number
    (hostname:port). If a value for the ``host`` is provided but it does not
    contain a port number, the default port number is used (i.e. if the ``uri``
    contained a port number, it will be discarded).

    The rules for calculating the *base string URI* are defined in
    `section 3.4.1.2`_ of RFC 5849.

    .. _`section 3.4.1.2`: https://tools.ietf.org/html/rfc5849#section-3.4.1.2

    :param uri: URI
    :param host: hostname with optional port number, separated by a colon
    :return: base string URI

``collect_parameters``
    Gather the request parameters from all the parameter sources.

    This function is used to extract all the parameters, which are then passed
    to ``normalize_parameters`` to produce one of the components that make up
    the *signature base string*.

    Parameters starting with `oauth_` will be unescaped.

    Body parameters must be supplied as a dict, a list of 2-tuples, or a
    form encoded query string.

    Headers must be supplied as a dict.

    The rules for where the parameters must be sourced from are defined in
    `section 3.4.1.3.1`_ of RFC 5849.

    .. _`section 3.4.1.3.1`: https://tools.ietf.org/html/rfc5849#section-3.4.1.3.1

``normalize_parameters``
    Calculate the normalized request parameters.

    The *normalized request parameters* is one of the components that make up
    the *signature base string*.

    The rules for parameter normalization are defined in `section 3.4.1.3.2`_ of
    RFC 5849.

    .. _`section 3.4.1.3.2`: https://tools.ietf.org/html/rfc5849#section-3.4.1.3.2

``_sign_hmac``
    **HMAC-SHA256**

    The "HMAC-SHA256" signature method uses the HMAC-SHA256 signature
    algorithm as defined in `RFC4634`_::

        digest = HMAC-SHA256 (key, text)

    Per `section 3.4.2`_ of the spec.

    .. _`RFC4634`: https://tools.ietf.org/html/rfc4634
    .. _`section 3.4.2`: https://tools.ietf.org/html/rfc5849#section-3.4.2

``_verify_hmac``
    Verify a HMAC-SHA1 signature.

    Per `section 3.4`_ of the spec.

    .. _`section 3.4`: https://tools.ietf.org/html/rfc5849#section-3.4

    To satisfy `RFC2616 section 5.2`_ item 1, the request argument's uri
    attribute MUST be an absolute URI whose netloc part identifies the
    origin server or gateway on which the resource resides. Any Host
    item of the request argument's headers dict attribute will be
    ignored.

    .. _`RFC2616 section 5.2`: https://tools.ietf.org/html/rfc2616#section-5.2


``sign_hmac_sha1_with_client``, ``verify_hmac_sha1``
    (no docstring)

``sign_hmac_sha1``
    Deprecated function for calculating a HMAC-SHA1 signature.

    This function has been replaced by invoking ``sign_hmac`` with "SHA-1"
    as the hash algorithm name.

    This function was invoked by sign_hmac_sha1_with_client and
    test_signatures.py, but does any application invoke it directly? If not,
    it can be removed.

``sign_hmac_sha256_with_client``, ``verify_hmac_sha256``
    (no docstring)

``sign_hmac_sha256``
    Deprecated function for calculating a HMAC-SHA256 signature.

    This function has been replaced by invoking ``sign_hmac`` with "SHA-256"
    as the hash algorithm name.

    This function was invoked by sign_hmac_sha256_with_client and
    test_signatures.py, but does any application invoke it directly? If not,
    it can be removed.

``sign_hmac_sha512_with_client``, ``verify_hmac_sha512``
    (no docstring)

``_get_jwt_rsa_algorithm``
    Obtains an RSAAlgorithm object that implements RSA with the hash algorithm.

    This method maintains the ``_jwt_rsa`` cache.

    Returns a jwt.algorithm.RSAAlgorithm.

``_prepare_key_plus``
    Prepare a PEM encoded key (public or private), by invoking the `prepare_key`
    method on alg with the keystr.

    The keystr should be a string or bytes.  If the keystr is bytes, it is
    decoded as UTF-8 before being passed to prepare_key. Otherwise, it
    is passed directly.

``_sign_rsa``
    Calculate the signature for an RSA-based signature method.

    The ``alg`` is used to calculate the digest over the signature base string.
    For the "RSA_SHA1" signature method, the alg must be SHA-1. While OAuth 1.0a
    only defines the RSA-SHA1 signature method, this function can be used for
    other non-standard signature methods that only differ from RSA-SHA1 by the
    digest algorithm.

    Signing for the RSA-SHA1 signature method is defined in
    `section 3.4.3`_ of RFC 5849.

    The RSASSA-PKCS1-v1_5 signature algorithm used is defined by
    `RFC3447, Section 8.2`_ (also known as PKCS#1), with the `alg` as the
    hash function for EMSA-PKCS1-v1_5.  To
    use this method, the client MUST have established client credentials
    with the server that included its RSA public key (in a manner that is
    beyond the scope of this specification).

    .. _`section 3.4.3`: https://tools.ietf.org/html/rfc5849#section-3.4.3
    .. _`RFC3447, Section 8.2`: https://tools.ietf.org/html/rfc3447#section-8.2

``_verify_rsa``
    Verify a base64 encoded signature for a RSA-based signature method.

    The ``alg`` is used to calculate the digest over the signature base string.
    For the "RSA_SHA1" signature method, the alg must be SHA-1. While OAuth 1.0a
    only defines the RSA-SHA1 signature method, this function can be used for
    other non-standard signature methods that only differ from RSA-SHA1 by the
    digest algorithm.

    Verification for the RSA-SHA1 signature method is defined in
    `section 3.4.3`_ of RFC 5849.

    .. _`section 3.4.3`: https://tools.ietf.org/html/rfc5849#section-3.4.3

    To satisfy `RFC2616 section 5.2`_ item 1, the request argument's uri
    attribute MUST be an absolute URI whose netloc part identifies the
    origin server or gateway on which the resource resides. Any Host
    item of the request argument's headers dict attribute will be
    ignored.

    .. _`RFC2616 section 5.2`: https://tools.ietf.org/html/rfc2616#section-5.2

``sign_rsa_sha1_with_client``, ``verify_rsa_sha1``
    (no docstring)

``sign_rsa_sha1``
    Deprecated function for calculating a RSA-SHA1 signature.

    This function has been replaced by invoking ``sign_rsa`` with "SHA-1"
    as the hash algorithm name.

    This function was invoked by sign_rsa_sha1_with_client and
    test_signatures.py, but does any application invoke it directly? If not,
    it can be removed.

``sign_rsa_sha256_with_client``, ``verify_rsa_sha256``, ``sign_rsa_sha512_with_client``, ``verify_rsa_sha512``, ``sign_plaintext_with_client``
    (no docstring)

``sign_plaintext``
    Sign a request using plaintext.

    Per `section 3.4.4`_ of the spec.

    The "PLAINTEXT" method does not employ a signature algorithm.  It
    MUST be used with a transport-layer mechanism such as TLS or SSL (or
    sent over a secure channel with equivalent protections).  It does not
    utilize the signature base string or the "oauth_timestamp" and
    "oauth_nonce" parameters.

    .. _`section 3.4.4`: https://tools.ietf.org/html/rfc5849#section-3.4.4


``verify_plaintext``
    Verify a PLAINTEXT signature.

    Per `section 3.4`_ of the spec.

    .. _`section 3.4`: https://tools.ietf.org/html/rfc5849#section-3.4