| 133 | raise InvalidToken |
| 134 | |
def _decrypt_data(
    self,
    data: bytes,
    timestamp: int,
    time_info: tuple[int, int] | None,
) -> bytes:
    """Check a token's freshness and signature, then decrypt and unpad it.

    ``data`` is the raw token bytes and ``timestamp`` the token's creation
    time as supplied by the caller. ``time_info`` is ``(ttl, current_time)``;
    passing ``None`` skips both freshness checks.

    Returns the unpadded plaintext. Every rejection raised directly in this
    method is the same bare ``InvalidToken``, so a caller cannot tell an
    expired token from a cipher or padding failure.
    """
    if time_info is not None:
        lifetime, now = time_info
        # Reject a token older than its TTL, or one stamped further into
        # the future than the tolerated clock skew.
        # NOTE(review): this runs before the signature check; `timestamp`
        # is assumed to have been parsed from `data` by the caller, so
        # that it is covered by the verification below. Confirm.
        if timestamp + lifetime < now or now + _MAX_CLOCK_SKEW < timestamp:
            raise InvalidToken

    # Authenticate before the cipher is even constructed, so unverified
    # bytes never reach the CBC decryptor or the unpadder.
    # NOTE(review): _verify_signature is defined outside this view;
    # presumably it raises InvalidToken on mismatch. Confirm.
    self._verify_signature(data)

    # Bytes 9..24 are the 16-byte CBC IV. The last 32 bytes are excluded
    # from the ciphertext (presumably the signature just verified).
    # NOTE(review): no length check here; the slices assume the caller or
    # the signature check has already rejected truncated input.
    init_vector = data[9:25]
    encrypted = data[25:-32]
    cipher = Cipher(
        algorithms.AES(self._encryption_key), modes.CBC(init_vector)
    )
    aes_cbc = cipher.decryptor()
    padded = aes_cbc.update(encrypted)
    try:
        padded += aes_cbc.finalize()
    except ValueError:
        raise InvalidToken

    pkcs7 = padding.PKCS7(algorithms.AES.block_size).unpadder()
    plaintext = pkcs7.update(padded)
    try:
        plaintext += pkcs7.finalize()
    except ValueError:
        # Same exception as every other failure path above.
        raise InvalidToken
    return plaintext
| 169 | |
| 170 | |
| 171 | class MultiFernet: |