3 K],!"@sddlZddlZddlZddlZddlZddlmZmZmZm Z ddl m Z m Z y ddl Z Wnek rtdZ YnXdddddgZd jjZyejjZejZWnek reZZYnXe dk oeeefkZydd l mZmZWnRek r:ydd lmZdd lmZWnek r4dZdZYnXYnXesRGd ddeZesjdddZddZGdddeZGdddeZd ddZ ddZ!e!ddZ"ddZ#ddZ$dS)!N)urllib http_clientmapfilter)ResolutionErrorExtractionErrorVerifyingHTTPSHandlerfind_ca_bundle is_available cert_paths opener_fora /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt /usr/share/ssl/certs/ca-bundle.crt /usr/local/share/certs/ca-root.crt /etc/ssl/cert.pem /System/Library/OpenSSL/certs/cert.pem /usr/local/share/certs/ca-root-nss.crt /etc/ssl/ca-bundle.pem )CertificateErrormatch_hostname)r )rc@s eZdZdS)r N)__name__ __module__ __qualname__rr!/usr/lib/python3.6/ssl_support.pyr 5sr c Csg}|s dS|jd}|d}|dd}|jd}||krLtdt||s`|j|jkS|dkrt|jdn>|jd s|jd r|jtj|n|jtj|j d d x|D]}|jtj|qWtj d d j |dtj } | j |S)zpMatching according to RFC 6125, section 6.4.3 http://tools.ietf.org/html/rfc6125#section-6.4.3 F.rrN*z,too many wildcards in certificate DNS name: z[^.]+zxn--z\*z[^.]*z\Az\.z\Z)splitcountr reprlowerappend startswithreescapereplacecompilejoin IGNORECASEmatch) ZdnhostnameZ max_wildcardsZpatspartsZleftmostZ remainderZ wildcardsZfragZpatrrr_dnsname_match;s*     r&cCs|s tdg}|jdf}x0|D](\}}|dkr"t||r@dS|j|q"W|sxF|jdfD]6}x0|D](\}}|dkrjt||rdS|j|qjWq`Wt|dkrtd|d jtt|fn*t|dkrtd ||d fntd dS) a=Verify that *cert* (in decoded format as returned by SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125 rules are followed, but IP addresses are not accepted for *hostname*. CertificateError is raised on failure. On success, the function returns nothing. zempty or no certificateZsubjectAltNameZDNSNZsubjectZ commonNamerz&hostname %r doesn't match either of %sz, zhostname %r doesn't match %rrz=no appropriate commonName or subjectAltName fields were found) ValueErrorgetr&rlenr r!rr)Zcertr$ZdnsnamesZsankeyvaluesubrrrros.     rc@s eZdZdZddZddZdS)rz=Simple verifying handler: no auth, subclasses, timeouts, etc.cCs||_tj|dS)N) ca_bundle HTTPSHandler__init__)selfr-rrrr/szVerifyingHTTPSHandler.__init__csjfdd|S)Ncst|jf|S)N)VerifyingHTTPSConnr-)hostkw)r0rrsz2VerifyingHTTPSHandler.https_open..)Zdo_open)r0Zreqr)r0r https_opensz VerifyingHTTPSHandler.https_openN)rrr__doc__r/r5rrrrrsc@s eZdZdZddZddZdS)r1z@Simple verifying connection: no auth, subclasses, timeouts, etc.cKstj||f|||_dS)N)HTTPSConnectionr/r-)r0r2r-r3rrrr/szVerifyingHTTPSConn.__init__c Cstj|j|jft|dd}t|drHt|ddrH||_|j|j}n|j}tt drxt j |j d}|j ||d|_nt j |t j |j d|_yt|jj|Wn.tk r|jjtj|jjYnXdS)NZsource_address_tunnel _tunnel_hostcreate_default_context)Zcafile)Zserver_hostname)Z cert_reqsZca_certs)socketZcreate_connectionr2Zportgetattrhasattrsockr8r9sslr:r-Z wrap_socketZ CERT_REQUIREDrZ getpeercertr ZshutdownZ SHUT_RDWRclose)r0r>Z actual_hostZctxrrrconnects$  zVerifyingHTTPSConn.connectN)rrrr6r/rArrrrr1sr1cCstjjt|ptjS)z@Get a urlopen() replacement that uses ca_bundle for verification)rrequestZ build_openerrr open)r-rrrr scstjfdd}|S)Ncstds||_jS)Nalways_returns)r=rD)argskwargs)funcrrwrappers  zonce..wrapper) functoolswraps)rGrHr)rGroncesrKc sXy ddl}Wntk r dSXGfddd|j}|jd|jd|jS)Nrcs,eZdZfddZfddZZS)z"get_win_certfile..CertFilecst|jtj|jdS)N)superr/atexitregisterr@)r0)CertFile __class__rrr/sz+get_win_certfile..CertFile.__init__c s,yt|jWntk r&YnXdS)N)rLr@OSError)r0)rOrPrrr@sz(get_win_certfile..CertFile.close)rrrr/r@ __classcell__r)rO)rPrrOsrOZCAZROOT) wincertstore ImportErrorrOZaddstorename)rSZ _wincertsr)rOrget_win_certfiles    rVcCs$ttjjt}tp"t|dp"tS)z*Return an existing CA bundle path, or NoneN)rospathisfiler rVnext_certifi_where)Zextant_cert_pathsrrrr s c Cs,y tdjStttfk r&YnXdS)NZcertifi) __import__whererTrrrrrrr[s r[)r)N)%rWr;rMrrIZsetuptools.extern.six.movesrrrrZ pkg_resourcesrrr?rT__all__striprr rBr.r7AttributeErrorobjectr r rZbackports.ssl_match_hostnamer'r&rr1r rKrVr r[rrrrsP      4) (