I sometimes - but not always - get an error message from the Google Identity Toolkit that says: "Plaintext too large". It seems to happen in the section where it tries to verify the signature (using RSA). Since it is verifying the SHA256 hash of the payload, there should be no variation in the size of the plaintext.
If I log the token it is trying to use and paste it into the https://jwt.io/ debugger along with the Google RSA certificate (from https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys , using the key identifier that jwt.io shows in the red box at the top under "kid"), it says the signature is valid.
This happens only part of the time, maybe a little over half. If I re-authenticate, that seems fine.
This seems to only happen with new authentications; if I am already authenticated, everything works fine, even though I'm not using a session cookie: my code checks the gtoken authentication on every request. When I log in, everything is fine until I log out (again, via gitkit). But then, if I log in again later, I will probably hit this error.
I use App Engine for my infrastructure. This happens with both dev_appserver and the deployed App Engine, and with both desktop browsers using the gitkit JavaScript library and iOS application using the Objective-C gitkit library. (I have not tested iOS against dev_appserver, only in deployment.)
The code I use is as follows:
    gtoken = cookie["gtoken"].value
    logging.debug("Verifying Google Identity Toolkit token: %s", gtoken)
    gitkit_user = gitkit_instance.VerifyGitkitToken(gtoken)
The following is the stack trace (starting at the last line above):
      File "/base/data/home/apps/redacted/redacted.py", line 218, in redacted
        gitkit_user = gitkit_instance.VerifyGitkitToken(gtoken)
      File "/base/data/home/apps/redacted/lib/identitytoolkit/gitkitclient.py", line 266, in VerifyGitkitToken
        parsed = crypt.verify_signed_jwt_with_certs(jwt, certs, aud)
      File "/base/data/home/apps/redacted/lib/oauth2client/crypt.py", line 240, in verify_signed_jwt_with_certs
        _verify_signature(message_to_sign, signature, certs.values())
      File "/base/data/home/apps/redacted/lib/oauth2client/crypt.py", line 119, in _verify_signature
        if verifier.verify(message, signature):
      File "/base/data/home/apps/redacted/lib/oauth2client/_pycrypto_crypt.py", line 52, in verify
        SHA256.new(message), signature)
      File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/pycrypto-2.6/Crypto/Signature/PKCS1_v1_5.py", line 148, in verify
        m = self._key.encrypt(S, 0)[0]
      File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/pycrypto-2.6/Crypto/PublicKey/RSA.py", line 150, in encrypt
        return pubkey.pubkey.encrypt(self, plaintext, K)
      File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/pycrypto-2.6/Crypto/PublicKey/pubkey.py", line 75, in encrypt
        ciphertext=self._encrypt(plaintext, K)
      File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/pycrypto-2.6/Crypto/PublicKey/RSA.py", line 224, in _encrypt
        return (self.key._encrypt(c),)
    ValueError: Plaintext too large
The "Plaintext too large" error should only occur when the payload size exceeds the RSA key size. Since it is checking a SHA256 hash against a 2048-bit RSA key, this should be fine, so I am wondering whether there is a problem downloading the key from googleapis.com. My next step is to use the Appstats module to look for urlfetch calls in the requests where this happens, and to instrument _pycrypto_crypt.py to log the RSA key it is trying to verify with. But I thought I would check here on Qaru first and see if anyone has already gone down this path.
Update: with some additional logging I learned a few things. First, instead of using the key identifier given in the JWT header, the gitkit API (or one of the libraries it uses) iterates over every key in the Google Identity Toolkit key set. Second, when I got the error while I had enough logging in place, it was testing one of the keys that really is in the key set, which rules out my theory about problems loading the keys. It really is trying to verify a 256-byte string against a 2048-bit key, so that should be fine.
Finally, although it usually iterates through all the keys, when I get this error it fails on the very first key it tries. This makes me wonder whether in some cases I am importing a broken pycrypto early on.
As you can see from the backtrace, I am using the pycrypto supplied by Google, although there is also a locally compiled one in my "lib" directory (which is on sys.path), which ended up there when I vendored the Google Identity Toolkit.
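As an added illustration (not code from the question or from the gitkit/oauth2client libraries), the check implied by the failing path in the traceback: pycrypto's PKCS#1 v1.5 verify returns False only when the signature's byte length differs from the modulus length, and raises ValueError("Plaintext too large") when the signature's integer value is not below the modulus, so trying one 256-byte signature against every 2048-bit key in a set can raise on a key that is not the signer's instead of failing cleanly. The snippet selects the key by the JWT "kid" header and reports which keys in the set would raise; the signature integer and moduli are constructed values, not real RSA keys.

```python
import base64
import json

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def jwt_parts(token):
    """Return (header dict, raw signature bytes) of a compact JWS token."""
    h, _payload, s = token.split(".")
    return json.loads(_b64url_decode(h)), _b64url_decode(s)

def would_raise_plaintext_too_large(sig, n):
    """PKCS#1 v1.5 verify rejects a signature whose byte length differs from
    the modulus length (returns False), then computes s**e mod n; pycrypto
    raises ValueError('Plaintext too large') when the integer s >= n. A wrong
    key of the *same* byte length can therefore raise rather than fail."""
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and int.from_bytes(sig, "big") >= n

def keys_to_try(token, keys):
    """keys: {kid: modulus}. Returns (kids selected via the header 'kid',
    kids that would raise if every key in the set were tried in turn)."""
    header, sig = jwt_parts(token)
    by_kid = [kid for kid in keys if kid == header.get("kid")]
    raising = [kid for kid, n in keys.items()
               if would_raise_plaintext_too_large(sig, n)]
    return by_kid, raising

# Constructed sample: a 256-byte signature integer and two 2048-bit moduli
# (not real RSA keys; only their size relative to the signature matters).
SIG_INT = 2**2047 + 12345
SAMPLE_KEYS = {
    "key-a": 2**2047 + 2**2046 + 1,  # signer's key: s < n, verifies normally
    "key-b": 2**2047 + 1,            # other key in the set: s >= n -> raises
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": "key-a"}).encode()),
    _b64url_encode(json.dumps({"aud": "example-project"}).encode()),
    _b64url_encode(SIG_INT.to_bytes(256, "big")),
])

if __name__ == "__main__":
    print(keys_to_try(SAMPLE_TOKEN, SAMPLE_KEYS))  # (['key-a'], ['key-b'])
```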