Compiled Python module: /tmp/pip-build-wDUJoH/aws-encryption-sdk/aws_encryption_sdk/internal/formatting/deserialize.py

Components for handling AWS Encryption SDK message deserialization.

Imported names:

    __future__: division
    io, logging, struct
    cryptography.exceptions: InvalidTag
    aws_encryption_sdk.exceptions: NotSupportedError, SerializationError, UnknownIdentityError
    aws_encryption_sdk.identifiers: Algorithm, ContentType, ObjectType, SequenceIdentifier, SerializationVersion
    aws_encryption_sdk.internal.crypto.encryption: decrypt
    aws_encryption_sdk.internal.defaults: MAX_FRAME_SIZE
    aws_encryption_sdk.internal.formatting.encryption_context: deserialize_encryption_context
    aws_encryption_sdk.internal.str_ops: to_str
    aws_encryption_sdk.internal.structures: EncryptedData, MessageFooter, MessageFrameBody, MessageHeaderAuthentication
    aws_encryption_sdk.internal.utils.streams: TeeStream
    aws_encryption_sdk.structures: EncryptedDataKey, MasterKeyInfo, MessageHeader

validate_header(header, header_auth, raw_header, data_key)

    Validates the header using the header authentication data.

    :param header: Deserialized header
    :type header: aws_encryption_sdk.structures.MessageHeader
    :param header_auth: Deserialized header auth
    :type header_auth: aws_encryption_sdk.internal.structures.MessageHeaderAuthentication
    :type stream: io.BytesIO
    :param bytes raw_header: Raw header bytes
    :param bytes data_key: Data key with which to perform validation
    :raises SerializationError: if header authorization fails

    Log message: "Starting header validation"
    Error message: "Header authorization failed"

deserialize_header(stream)

    Error messages:
        "Unsupported type {} discovered in data stream"
        "Unsupported version {}"
        "Unknown algorithm {}"
        "Unsupported algorithm: {}"
        "Unknown content type {}"
        "Content AAD length field is currently unused, its value must be always 0"
        "Specified IV length ({length}) does not match algorithm IV length ({alg})"
        "Specified frame length larger than allowed maximum: {found} > {max}"
        "Non-zero frame length found for non-framed message"

deserialize_header_auth(stream, algorithm, verifier)

    Deserializes a MessageHeaderAuthentication object from a source stream.

    :param stream: Source data stream
    :type stream: io.BytesIO
    :param algorithm: The Algorithm object type contained in the header
    :type algorithm: aws_encryption_sdk.identifiers.Algorithm
    :param verifier: Signature verifier object (optional)
    :type verifier: aws_encryption_sdk.internal.crypto.Verifier
    :returns: Deserialized MessageHeaderAuthentication object
    :rtype: aws_encryption_sdk.internal.structures.MessageHeaderAuthentication

    Log message: "Starting header auth deserialization"

deserialize_non_framed_values(stream, header, verifier)

    Deserializes the IV and Tag from a non-framed stream.

    :param stream: Source data stream
    :type stream: io.BytesIO
    :param header: Deserialized header
    :type header: aws_encryption_sdk.structures.MessageHeader
    :param verifier: Signature verifier object (optional)
    :type verifier: aws_encryption_sdk.internal.crypto.Verifier
    :returns: IV, Tag, and Data Length values for body
    :rtype: tuple of bytes, bytes, and int

    Log message: "Starting non-framed body iv/tag deserialization"

update_verifier_with_tag(stream, header, verifier)

    Updates verifier with data for authentication tag.

    .. note::
        This is meant to be used in conjunction with deserialize_non_framed_values
        to update the verifier over information which has already been retrieved.

    :param stream: Source data stream
    :type stream: io.BytesIO
    :param header: Deserialized header
    :type header: aws_encryption_sdk.structures.MessageHeader
    :param verifier: Signature verifier object
    :type verifier: aws_encryption_sdk.internal.crypto.Verifier
    :returns: Data authentication tag value
    :rtype: bytes

deserialize_frame(stream, header, verifier)

    Log messages:
        "Deserializing final frame"
        "Deserializing frame sequence number %s"
    Error message: "Invalid final frame length: {final} >= {normal}"

deserialize_footer(stream, verifier)

    Deserializes a footer.

    :param stream: Source data stream
    :type stream: io.BytesIO
    :param verifier: Signature verifier object (optional)
    :type verifier: aws_encryption_sdk.internal.crypto.Verifier
    :returns: Deserialized footer
    :rtype: aws_encryption_sdk.internal.structures.MessageFooter
    :raises SerializationError: if verifier supplied and no footer found

    Log message: "Starting footer deserialization"
    Error message: "No signature found in message"

unpack_values(format_string, stream, verifier)

    Helper function to unpack struct data from a stream and update the signature verifier.

    :param str format_string: Struct format string
    :param stream: Source data stream
    :type stream: io.BytesIO
    :param verifier: Signature verifier object
    :type verifier: aws_encryption_sdk.internal.crypto.Verifier
    :returns: Unpacked values
    :rtype: tuple

    Error message: "Unexpected deserialization error"

deserialize_wrapped_key(wrapping_algorithm, wrapping_key_id, wrapped_encrypted_key)

    Extracts and deserializes EncryptedData from a Wrapped EncryptedDataKey.

    :param wrapping_algorithm: Wrapping Algorithm with which to wrap plaintext_data_key
    :type wrapping_algorithm: aws_encryption_sdk.identifiers.WrappingAlgorithm
    :param bytes wrapping_key_id: Key ID of wrapping MasterKey
    :param wrapped_encrypted_key: Raw Wrapped EncryptedKey
    :type wrapped_encrypted_key: aws_encryption_sdk.structures.EncryptedDataKey
    :returns: EncryptedData of deserialized Wrapped EncryptedKey
    :rtype: aws_encryption_sdk.internal.structures.EncryptedData
    :raises SerializationError: if wrapping_key_id does not match deserialized wrapping key id
    :raises SerializationError: if wrapping_algorithm IV length does not match deserialized IV length

    Error messages:
        "Master Key mismatch for wrapped data key"
        "Malformed key info: key info missing data"
        "Wrapping Algorithm mismatch for wrapped data key"
        "Malformed key info: incomplete iv"
        "Malformed key info: incomplete ciphertext or tag"