i6dZddlmZddlZddlZd dZd d ZdS) zHAES-256-GCM utilities for QQBot scan-to-configure credential decryption.) annotationsNreturnstrcrtjtjdS)a Generate a 256-bit random AES key and return it as base64. The key is passed to ``create_bind_task`` so the server can encrypt the bot's *client_secret* before returning it. Only this CLI holds the key, ensuring the secret never travels in plaintext. )base64 b64encodeosurandomdecodeC/home/ubuntu/.hermes/hermes-agent/gateway/platforms/qqbot/crypto.pygenerate_bind_keyr s)  BJrNN + + 2 2 4 44rencrypted_base64 key_base64cddlm}tj|}tj|}|dd}|dd}||}|||d}|dS)uDecrypt a base64-encoded AES-256-GCM ciphertext. Ciphertext layout (after base64-decoding):: IV (12 bytes) ‖ ciphertext (N bytes) ‖ AuthTag (16 bytes) Args: encrypted_base64: The ``bot_encrypt_secret`` value from ``poll_bind_result``. key_base64: The base64 AES key generated by :func:`generate_bind_key`. Returns: The decrypted *client_secret* as a UTF-8 string. r)AESGCMN zutf-8)+cryptography.hazmat.primitives.ciphers.aeadrr b64decodedecryptr ) rrrkeyrawivciphertext_with_tagaesgcm plaintexts rdecrypt_secretrs CBBBBB  : & &C  + , ,C SbSBbcc( VC[[Fr#6==I   G $ $$r)rr)rrrrrr)__doc__ __future__rrr rrr rrr"saNN"""""" 5555%%%%%%r