Update client/app.py

client/app.py

@@ -1,295 +1,145 @@
-import gradio as gr
-from PIL import Image, ImageDraw, ImageFont, ImageOps
-import base64
+import os
 import io
 import json
-import logging
-import os
-import requests
+import base64
 import struct
-import tempfile # <--- Import tempfile
+import logging
+
+import gradio as gr
+from PIL import Image
 import numpy as np
-from cryptography.hazmat.primitives import serialization
-from cryptography.hazmat.primitives.asymmetric import rsa, padding
 from cryptography.hazmat.primitives.ciphers.aead import AESGCM
 from cryptography.hazmat.primitives import hashes
-from gradio_client import Client, handle_file
-from huggingface_hub import InferenceClient
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import padding, rsa
+from cryptography.exceptions import InvalidTag
+
+HEADER_BITS = 32
+AES_GCM_NONCE_SIZE = 12
 
 logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(name)s - %(levelname)s - %(message)s')
 logger = logging.getLogger(__name__)
 
-# --- Constants ---
-DEFAULT_IMAGE_URL = "https://images.unsplash.com/photo-1506318137071-a8e063b4bec0?q=80&w=1200&auto=format&fit=crop"
-IMAGE_SIZE = 600
-T2I_MODEL = "sd-community/sdxl-lightning"
-T2I_PROMPT = "A stunning view of a distant galaxy, nebulae, and constellations, digital art, vibrant colors, cinematic lighting, 8k, masterpiece."
+KEYLOCK_PRIV_KEY_PEM = os.environ.get('KEYLOCK_PRIV_KEY')
+PRIVATE_KEY_OBJECT = None
+PUBLIC_KEY_PEM_STRING = ""
+KEYLOCK_STATUS_MESSAGE = ""
 
-# --- Helper Functions for Image Handling (Unchanged) ---
-
-def resize_and_crop(img: Image.Image, size: int = IMAGE_SIZE) -> Image.Image:
-    """Resizes an image to fit within a square of `size` and then center-crops it."""
+if not KEYLOCK_PRIV_KEY_PEM:
+    dev_key_path = os.path.join(os.path.dirname(__file__), '..', 'keys', 'DEMO_ONLY_THIS _IS_SECRET_keylock_priv_key.pem')
     try:
-        return ImageOps.fit(img, (size, size), Image.Resampling.LANCZOS)
-    except Exception as e:
-        logger.error(f"Failed to resize and crop image: {e}")
-        return img.resize((size, size), Image.Resampling.LANCZOS)
-
-def prepare_base_image(uploaded_image: Image.Image | None, progress) -> Image.Image:
-    """Provides a base image using a fallback logic, updating a Gradio progress object."""
-    if uploaded_image:
-        progress(0, desc="✅ Using uploaded image...")
-        return resize_and_crop(uploaded_image)
+        with open(dev_key_path, "r") as f:
+            KEYLOCK_PRIV_KEY_PEM = f.read()
+        logger.warning(f"Loaded private key from dev path. This is for local testing only.")
+        KEYLOCK_STATUS_MESSAGE = f"⚠️ Loaded from development key file. This is for local testing but insecure for production."
+    except FileNotFoundError:
+        logger.error(f"FATAL: Private key not found at '{dev_key_path}' and 'KEYLOCK_PRIV_KEY' secret is not set.")
+        KEYLOCK_STATUS_MESSAGE = "❌ NOT FOUND. The API is non-functional. Set the `KEYLOCK_PRIV_KEY` secret or provide the demo key file."
+else:
+    logger.info("Successfully loaded private key from environment variable 'KEYLOCK_PRIV_KEY'.")
+    KEYLOCK_STATUS_MESSAGE = "✅ Loaded successfully from secrets/environment variable. Recommended secure configuration."
+
+if KEYLOCK_PRIV_KEY_PEM:
     try:
-        progress(0, desc="⏳ Fetching default background...")
-        response = requests.get(DEFAULT_IMAGE_URL, timeout=15)
-        response.raise_for_status()
-        img = Image.open(io.BytesIO(response.content)).convert("RGB")
-        progress(0, desc="✅ Using default background image.")
-        return resize_and_crop(img)
+        PRIVATE_KEY_OBJECT = serialization.load_pem_private_key(KEYLOCK_PRIV_KEY_PEM.encode(), password=None)
+        public_key = PRIVATE_KEY_OBJECT.public_key()
+        PUBLIC_KEY_PEM_STRING = public_key.public_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PublicFormat.SubjectPublicKeyInfo
+        ).decode('utf-8')
+        KEYLOCK_STATUS_MESSAGE += "\n✅ Public key derived successfully."
     except Exception as e:
-        logger.warning(f"Could not fetch default image: {e}. Falling back to AI generation.")
+        logger.error(f"Failed to load private key or derive public key: {e}", exc_info=True)
+        PRIVATE_KEY_OBJECT = None
+        PUBLIC_KEY_PEM_STRING = f"Error: Could not process the configured private key. Details: {e}"
+        KEYLOCK_STATUS_MESSAGE += f"\n❌ Failed to parse key: {e}"
+
+MOCK_USER_DATABASE = {
+    "sk-12345-abcde": {"user": "demo-user", "permissions": "read"},
+    "sk-67890-fghij": {"user": "admin-user", "permissions": "read,write,delete"}
+}
+
+def example_authenticate(api_key: str, user_id: str) -> bool:
+    if not api_key or not user_id:
+        return False
+    db_entry = MOCK_USER_DATABASE.get(api_key)
+    if db_entry and db_entry.get("user") == user_id:
+        logger.info(f"Authentication successful for user '{user_id}'.")
+        return True
+    else:
+        logger.warning(f"Authentication failed for user '{user_id}' with key '{api_key[:8]}...'.")
+        return False
+
+def get_public_key():
+    if not PUBLIC_KEY_PEM_STRING or "Error" in PUBLIC_KEY_PEM_STRING:
+        raise gr.Error("Server key is not configured correctly.")
+    return PUBLIC_KEY_PEM_STRING
+
+def get_server_info():
+    return {
+        "name": "KeyLock Auth Server",
+        "version": "1.3",
+        "documentation": "This server decrypts data hidden in KeyLock images and performs a mock authentication. Use /keylock-pub to get the public key, and POST to /keylock-server with a base64 image string to decrypt and authenticate.",
+        "endpoints": {
+            "/keylock-pub": "GET - Returns the server's public key.",
+            "/keylock-info": "GET - Returns this information object.",
+            "/keylock-server": "POST - Decrypts a KeyLock image and attempts authentication."
+        }
+    }
+
+def decode_data(image_base64_string: str) -> dict:
+    if not PRIVATE_KEY_OBJECT:
+        error_msg = "Server Error: The API is not configured with a private key."
+        logger.error(error_msg)
+        raise gr.Error(error_msg)
     try:
-        progress(0, desc=f"⏳ Generating image with {T2I_MODEL}...")
-        client = InferenceClient()
-        image_bytes = client.text_to_image(T2I_PROMPT, model=T2I_MODEL)
-        img = Image.open(io.BytesIO(image_bytes)).convert("RGB")
-        progress(0, desc="✅ New image generated.")
-        return resize_and_crop(img)
+        image_buffer = base64.b64decode(image_base64_string)
+        img = Image.open(io.BytesIO(image_buffer)).convert("RGB")
+        pixel_data = np.array(img).ravel()
+        header_binary_string = "".join(str(pixel & 1) for pixel in pixel_data[:HEADER_BITS])
+        data_length = int(header_binary_string, 2)
+        if data_length == 0: raise ValueError("No data found in image.")
+        data_bits_count = data_length * 8
+        end_offset = HEADER_BITS + data_bits_count
+        if pixel_data.size < end_offset: raise ValueError("Image data corrupt or truncated.")
+        data_binary_string = "".join(str(pixel & 1) for pixel in pixel_data[HEADER_BITS:end_offset])
+        crypto_payload = int(data_binary_string, 2).to_bytes(data_length, byteorder='big')
+        offset = 4
+        encrypted_aes_key_len = struct.unpack('>I', crypto_payload[:offset])[0]
+        encrypted_aes_key = crypto_payload[offset : offset + encrypted_aes_key_len]
+        offset += encrypted_aes_key_len
+        nonce = crypto_payload[offset : offset + AES_GCM_NONCE_SIZE]
+        offset += AES_GCM_NONCE_SIZE
+        ciphertext_with_tag = crypto_payload[offset:]
+        recovered_aes_key = PRIVATE_KEY_OBJECT.decrypt(encrypted_aes_key, padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None))
+        decrypted_bytes = AESGCM(recovered_aes_key).decrypt(nonce, ciphertext_with_tag, None)
+        decrypted_payload = json.loads(decrypted_bytes.decode('utf-8'))
+        logger.info(f"Successfully decoded payload: {decrypted_payload}")
+        api_key = decrypted_payload.get('API_KEY')
+        user_id = decrypted_payload.get('USER')
+        is_authenticated = example_authenticate(api_key=api_key, user_id=user_id)
+        if is_authenticated:
+            return {
+                "authentication_status": "Success",
+                "message": f"User '{user_id}' successfully authenticated.",
+                "granted_permissions": MOCK_USER_DATABASE[api_key]['permissions'],
+                "decoded_payload": decrypted_payload
+            }
+        else:
+            return {
+                "authentication_status": "Failed",
+                "message": "Authentication failed. Invalid credentials provided in the image.",
+                "decoded_payload": decrypted_payload
+            }
+    except (ValueError, InvalidTag, TypeError, struct.error) as e:
+        logger.warning(f"Decryption failed: {e}")
+        raise gr.Error(f"Decryption failed. Image may be corrupt or used the wrong public key. Details: {e}")
     except Exception as e:
-        logger.error(f"Fatal: All image sources failed. Text-to-image failed with: {e}")
-        raise gr.Error(f"Failed to obtain a base image. AI generation error: {e}")
-
-# --- Core Cryptography and Image Creation (Unchanged) ---
+        logger.error(f"An unexpected server error occurred during decryption: {e}", exc_info=True)
+        raise gr.Error(f"An unexpected server error occurred. Details: {e}")
 
 def generate_rsa_keys():
     private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
     private_pem = private_key.private_bytes(encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption()).decode('utf-8')
     public_pem = private_key.public_key().public_bytes(encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo).decode('utf-8')
-    return private_pem, public_pem
-
-def create_encrypted_image(secret_data_str: str, public_key_pem: str, base_image: Image.Image, overlay_option: str) -> Image.Image:
-    if not secret_data_str.strip(): raise ValueError("Secret data cannot be empty.")
-    if not public_key_pem.strip(): raise ValueError("Public Key cannot be empty.")
-    data_dict = {}
-    for line in secret_data_str.splitlines():
-        line = line.strip()
-        if not line or line.startswith('#'): continue
-        parts = line.split(':', 1) if ':' in line else line.split('=', 1)
-        if len(parts) == 2: data_dict[parts[0].strip()] = parts[1].strip().strip("'\"")
-    if not data_dict: raise ValueError("No valid key-value pairs found.")
-    json_bytes = json.dumps(data_dict).encode('utf-8')
-    public_key = serialization.load_pem_public_key(public_key_pem.encode('utf-8'))
-    aes_key, nonce = os.urandom(32), os.urandom(12)
-    ciphertext = AESGCM(aes_key).encrypt(nonce, json_bytes, None)
-    rsa_encrypted_key = public_key.encrypt(aes_key, padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None))
-    encrypted_payload = struct.pack('>I', len(rsa_encrypted_key)) + rsa_encrypted_key + nonce + ciphertext
-    img = base_image.copy().convert("RGB")
-    width, height = img.size
-    # (Overlay drawing code is unchanged and correct)
-    draw = ImageDraw.Draw(img, "RGBA")
-    try:
-        font_bold = ImageFont.truetype("DejaVuSans-Bold.ttf", 30)
-        font_regular = ImageFont.truetype("DejaVuSans.ttf", 15)
-    except IOError:
-        font_bold = ImageFont.load_default(size=28)
-        font_regular = ImageFont.load_default(size=14)
-    overlay_color, title_color = (15, 23, 42, 190), (226, 232, 240)
-    key_color, value_color = (148, 163, 184), (241, 245, 249)
-    draw.rectangle([0, 20, width, 80], fill=overlay_color)
-    draw.text((width / 2, 50), "KeyLock Secure Data", fill=title_color, font=font_bold, anchor="ms")
-    if overlay_option != "None":
-        lines = list(data_dict.keys()) if overlay_option == "Keys Only" else [f"{k}: {v}" for k, v in data_dict.items()]
-        line_heights = [draw.textbbox((0, 0), line, font=font_regular)[3] for line in lines]
-        total_text_height = sum(line_heights) + (len(lines) - 1) * 6
-        box_height = total_text_height + 30
-        box_y0 = height - box_height - 20
-        draw.rectangle([20, box_y0, width - 20, height - 20], fill=overlay_color)
-        current_y = box_y0 + 15
-        for i, (key, value) in enumerate(data_dict.items()):
-            if overlay_option == "Keys Only": draw.text((35, current_y), key, fill=key_color, font=font_regular)
-            else:
-                key_text = f"{key}:"; draw.text((35, current_y), key_text, fill=key_color, font=font_regular)
-                key_bbox = draw.textbbox((35, current_y), key_text, font=font_regular)
-                draw.text((key_bbox[2] + 8, current_y), str(value), fill=value_color, font=font_regular)
-            current_y += line_heights[i] + 6
-    # (Steganography code is unchanged and correct)
-    pixel_data = np.array(img.convert("RGB")).ravel()
-    header = struct.pack('>I', len(encrypted_payload))
-    binary_payload = ''.join(format(b, '08b') for b in header + encrypted_payload)
-    if len(binary_payload) > pixel_data.size: raise ValueError(f"Data is too large. Max: {pixel_data.size // 8} bytes.")
-    pixel_data[:len(binary_payload)] = (pixel_data[:len(binary_payload)] & 0xFE) | np.array(list(binary_payload), dtype=np.uint8)
-    stego_pixels = pixel_data.reshape((height, width, 3))
-    return Image.fromarray(stego_pixels, 'RGB')
-
-# --- New Server Management and Gradio Wrappers ---
-
-def add_server(url: str, current_servers: list):
-    # This function is correct from the previous fix. Unchanged.
-    if not url or not url.startswith(('http://', 'https://')): raise gr.Error("Please enter a valid server URL (e.g., https://...).")
-    url = url.strip().rstrip('/')
-    if any(s['url'] == url for s in current_servers):
-        gr.Info(f"Server at {url} is already in the list.")
-        return current_servers, f"ℹ️ Server at {url} is already in the list.", gr.Button(interactive=True)
-    status = f"⏳ Testing server at {url}..."
-    yield current_servers, status, gr.Button(interactive=False)
-    try:
-        client = Client(url, verbose=False)
-        server_info = client.predict(api_name="/keylock-info")
-        if not isinstance(server_info, dict): raise TypeError(f"Expected dict from /keylock-info, but got {type(server_info)}")
-        server_name = server_info.get("name", url)
-        public_key = client.predict(api_name="/keylock-pub")
-        if not isinstance(public_key, str): raise TypeError(f"Expected a string from /keylock-pub, but got {type(public_key)}")
-        if not public_key.strip().startswith("-----BEGIN PUBLIC KEY-----"): raise ValueError("Received invalid public key format from server.")
-        new_server = {"name": f"{server_name} ({url.split('//')[1].split('/')[0]})", "url": url, "public_key": public_key, "api_endpoint": "/keylock-server"}
-        updated_servers = current_servers + [new_server]
-        status_message = f"✅ Successfully added server: {server_name}"; gr.Info(status_message)
-        yield updated_servers, status_message, gr.Button(interactive=True)
-    except Exception as e:
-        logger.error(f"Failed to add server at {url}: {e}", exc_info=True)
-        status_message = f"❌ Failed to connect or validate server at {url}. Error: {e}"; gr.Error(status_message)
-        yield current_servers, status_message, gr.Button(interactive=True)
-
-def create_keylock_wrapper(service_name: str, secret_data: str, available_servers: list, uploaded_image: Image.Image | None, overlay_option: str, progress=gr.Progress(track_tqdm=True)):
-    """
-    Creates the encrypted image and returns it to two separate components:
-    1. A gr.Image for visual preview (which may be re-encoded by Gradio).
-    2. A gr.File for a guaranteed, uncorrupted PNG download.
-    """
-    if not service_name: raise gr.Error("Please add and select a target server.")
-    server = next((s for s in available_servers if s['name'] == service_name), None)
-    if not server: raise gr.Error(f"Could not find config for '{service_name}'. Please re-add it.")
-    
-    png_path = None # Initialize to handle potential errors
-    try:
-        base_image = prepare_base_image(uploaded_image, progress)
-        progress(0.5, desc="Encrypting and embedding data...")
-        created_image = create_encrypted_image(secret_data, server['public_key'], base_image, overlay_option)
-        
-        # Save image to a temporary PNG file to prevent re-encoding.
-        # This temporary file will be served by gr.File for perfect data integrity.
-        with tempfile.NamedTemporaryFile(suffix=".png", delete=False) as temp_f:
-            png_path = temp_f.name
-            created_image.save(png_path, "PNG", compress_level=1)
-        
-        status_message = f"✅ Success! Image created for '{service_name}'. Use the link to download the uncorrupted file."
-        # Return path to both preview and file components. Make file component visible.
-        return png_path, png_path, status_message, gr.Tabs(selected=1), gr.File(visible=True)
-
-    except Exception as e:
-        logger.error(f"Error creating image: {e}", exc_info=True)
-        if png_path and os.path.exists(png_path):
-            os.remove(png_path) # Clean up temp file on error
-        # Return Nones and hide file component
-        return None, None, f"❌ Error: {e}", gr.Tabs(), gr.File(visible=False)
-
-def send_keylock_wrapper(service_name: str, image_path: str, available_servers: list):
-    # This function now expects a file path `image_path` from gr.Image
-    if not service_name: raise gr.Error("Please select a target server.")
-    if image_path is None: raise gr.Error("Please create or upload an image to send.")
-    
-    server = next((s for s in available_servers if s['name'] == service_name), None)
-    if not server: raise gr.Error(f"Config Error for '{service_name}'. Please re-add it.")
-
-    server_url, api_name = server['url'], server['api_endpoint']
-    yield None, f"⏳ Connecting to remote server: {server_url}"
-    try:
-        # The input `image_path` is a path to a temporary file created by gr.Image.
-        # We read it directly to ensure we get the correct bytes.
-        with open(image_path, "rb") as img_file:
-            b64_string = base64.b64encode(img_file.read()).decode("utf-8")
-            
-        client = Client(server_url)
-        result = client.predict(image_base64_string=b64_string, api_name=api_name)
-
-        if isinstance(result, str) and os.path.exists(result):
-             with open(result, 'r', encoding='utf-8') as f: decrypted_data = json.load(f)
-        else: decrypted_data = result
-
-        yield decrypted_data, "✅ Success! Data decrypted by remote server."
-    except Exception as e:
-        logger.error(f"Error sending to server: {e}", exc_info=True)
-        yield None, f"❌ Error calling server API: {e}"
-
-# --- Gradio UI ---
-theme = gr.themes.Soft(primary_hue="blue", secondary_hue="sky", neutral_hue="slate")
-
-with gr.Blocks(theme=theme, title="KeyLock Operations Dashboard") as demo:
-    servers_state = gr.State([])
-
-    gr.Markdown("# 🔑 KeyLock Operations Dashboard")
-    gr.Markdown("A client to discover KeyLock servers, create encrypted images, and test decryption against live APIs.")
-
-    with gr.Accordion("🔗 Add a KeyLock Server", open=True):
-        with gr.Row():
-            server_url_input = gr.Textbox(label="Server Base URL", placeholder="https://your-hf-space-name.hf.space")
-            add_server_button = gr.Button("Test & Add Server", variant="secondary")
-    global_status = gr.Textbox(label="Status", interactive=False, lines=1, value="Enter a server URL to begin.")
-
-    with gr.Tabs() as tabs:
-        with gr.TabItem("① Create KeyLock", id=0):
-            with gr.Row(variant="panel"):
-                with gr.Column(scale=2):
-                    creator_service_dropdown = gr.Dropdown(label="Target Server", interactive=True, info="Select a server to encrypt data for.")
-                    creator_secret_input = gr.Textbox(lines=5, label="Secret Data (key:value format)", placeholder="API_KEY: sk-123...\nUSER: demo-user")
-                    creator_base_image_input = gr.Image(label="Optional Base Image (600x600 recommended)", type="pil", sources=["upload"])
-                    creator_overlay_option = gr.Radio(label="Overlay Content", choices=["Keys and Values", "Keys Only", "None"], value="Keys and Values")
-                    creator_button = gr.Button("✨ Create Auth Image", variant="primary")
-                with gr.Column(scale=3):
-                    # Use two components: one for preview, one for lossless download
-                    creator_image_preview = gr.Image(label="Image Preview (for display only)", type="filepath", height=500)
-                    creator_file_output = gr.File(label="Download Uncorrupted PNG File", file_count="single", visible=False)
-
-        with gr.TabItem("② Send KeyLock", id=1):
-            with gr.Row(variant="panel"):
-                with gr.Column(scale=1):
-                    send_service_dropdown = gr.Dropdown(label="Target Server", interactive=True)
-                    # This component will receive the file path from the preview image
-                    client_image_input = gr.Image(type="filepath", label="Upload or Drag Encrypted Image", sources=["upload", "clipboard"])
-                    client_button = gr.Button("🔓 Decrypt via Remote Server", variant="primary")
-                with gr.Column(scale=1):
-                    client_json_output = gr.JSON(label="Decrypted Data from Server")
-
-        with gr.TabItem("ℹ️ Key Generation", id=2):
-            with gr.Accordion("🔑 RSA Key Pair Generator", open=True):
-                gr.Markdown("Use this utility to generate a new key pair for a new server. The server administrator must configure the server with the private key.")
-                gen_keys_button = gr.Button("⚙️ Generate New 2048-bit Key Pair")
-                output_private_key = gr.Textbox(lines=10, label="Generated Private Key (KEEP THIS SECRET!)", interactive=False, show_copy_button=True)
-                output_public_key = gr.Textbox(lines=10, label="Generated Public Key", interactive=False, show_copy_button=True)
-
-    # --- Event Handlers ---
-    def sync_dropdowns(x): return x
-
-    def update_dropdowns_from_state(servers_list):
-        server_names = [s['name'] for s in servers_list] if servers_list else []
-        selected = server_names[-1] if server_names else None
-        dropdown_update = gr.Dropdown(choices=server_names, value=selected, label="Target Server", interactive=True)
-        return dropdown_update, dropdown_update
-
-    add_server_button.click(fn=add_server, inputs=[server_url_input, servers_state], outputs=[servers_state, global_status, add_server_button]).then(fn=lambda: "", outputs=[server_url_input])
-
-    servers_state.change(fn=update_dropdowns_from_state, inputs=servers_state, outputs=[creator_service_dropdown, send_service_dropdown])
-
-    gen_keys_button.click(fn=generate_rsa_keys, inputs=None, outputs=[output_private_key, output_public_key])
-
-    creator_button.click(
-        fn=create_keylock_wrapper,
-        inputs=[creator_service_dropdown, creator_secret_input, servers_state, creator_base_image_input, creator_overlay_option],
-        outputs=[creator_image_preview, creator_file_output, global_status, tabs, creator_file_output]
-    )
-
-    client_button.click(
-        fn=send_keylock_wrapper,
-        inputs=[send_service_dropdown, client_image_input, servers_state],
-        outputs=[client_json_output, global_status]
-    )
-
-    creator_service_dropdown.change(fn=sync_dropdowns, inputs=creator_service_dropdown, outputs=send_service_dropdown)
-    send_service_dropdown.change(fn=sync_dropdowns, inputs=send_service_dropdown, outputs=creator_service_dropdown)
-    
-    # When a new image preview is generated, auto-populate it in the sender tab.
-    # This works because both components now use file paths.
-    creator_image_preview.change(fn=lambda x: x, inputs=creator_image_preview, outputs=client_image_input)
-
-if __name__ == "__main__":
-    demo.launch()
+    return private_pem, public_pem