a `u! @sddlZddlZddlZddlZddlZddlZddlZddl m Z m Z z ddl Z Wne yjdZ Yn0gdZdZzejjZejjZWneyeZZYn0e duoeeefvZzddl mZmZWnNe y&zddlmZddlmZWne y dZdZYn0Yn0es>Gdd d eZesVdd d Zd dZGdddeZGdddeZdddZ ddZ!e!ddZ"ddZ#ddZ$dS)N)ResolutionErrorExtractionError)VerifyingHTTPSHandlerfind_ca_bundle is_available cert_paths opener_fora /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt /usr/share/ssl/certs/ca-bundle.crt /usr/local/share/certs/ca-root.crt /etc/ssl/cert.pem /System/Library/OpenSSL/certs/cert.pem /usr/local/share/certs/ca-root-nss.crt /etc/ssl/ca-bundle.pem )CertificateErrormatch_hostname)r )r c@s eZdZdS)r N)__name__ __module__ __qualname__rr8/usr/lib/python3/dist-packages/setuptools/ssl_support.pyr 7sr c Csg}|s dS|d}|d}|dd}|d}||krLtdt||s`||kS|dkrt|dn>|d s|d r|t|n|t| d d |D]}|t|qt d d |dtj } | |S)zqMatching according to RFC 6125, section 6.4.3 https://tools.ietf.org/html/rfc6125#section-6.4.3 F.rrN*z,too many wildcards in certificate DNS name: z[^.]+zxn--z\*z[^.]*z\Az\.z\Z)splitcountr reprlowerappend startswithreescapereplacecompilejoin IGNORECASEmatch) ZdnhostnameZ max_wildcardsZpatspartsZleftmostZ remainderZ wildcardsZfragZpatrrr_dnsname_match=s,     r"cCs|s tdg}|dd}|D]*\}}|dkr t||r@dS||q |s|ddD]6}|D],\}}|dkrdt||rdS||qdq\t|dkrtd |d tt|fn*t|dkrtd ||d fntd dS)a=Verify that *cert* (in decoded format as returned by SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125 rules are followed, but IP addresses are not accepted for *hostname*. CertificateError is raised on failure. On success, the function returns nothing. zempty or no certificateZsubjectAltNamerZDNSNZsubjectZ commonNamerz&hostname %r doesn't match either of %sz, zhostname %r doesn't match %rrz=no appropriate commonName or subjectAltName fields were found) ValueErrorgetr"rlenr rmapr)Zcertr ZdnsnamesZsankeyvaluesubrrrr ss>         r c@s eZdZdZddZddZdS)rz=Simple verifying handler: no auth, subclasses, timeouts, etc.cCs||_t|dSN) ca_bundle HTTPSHandler__init__)selfr+rrrr-szVerifyingHTTPSHandler.__init__csfdd|S)Ncst|jfi|Sr*)VerifyingHTTPSConnr+)hostkwr.rrz2VerifyingHTTPSHandler.https_open..)Zdo_open)r.Zreqrr2r https_opens z VerifyingHTTPSHandler.https_openN)r r r __doc__r-r5rrrrrsrc@s eZdZdZddZddZdS)r/z@Simple verifying connection: no auth, subclasses, timeouts, etc.cKstj||fi|||_dSr*)HTTPSConnectionr-r+)r.r0r+r1rrrr-szVerifyingHTTPSConn.__init__cCst|j|jft|dd}t|drHt|ddrH||_||j}n|j}tt drxt j |j d}|j ||d|_nt j |t j |j d|_zt|j|Wn,ty|jtj|jYn0dS)NZsource_address_tunnel _tunnel_hostcreate_default_context)Zcafile)Zserver_hostname)Z cert_reqsZca_certs)socketZcreate_connectionr0Zportgetattrhasattrsockr8r9sslr:r+Z wrap_socketZ CERT_REQUIREDr Z getpeercertr ZshutdownZ SHUT_RDWRclose)r.r>Z actual_hostctxrrrconnects(    zVerifyingHTTPSConn.connectN)r r r r6r-rBrrrrr/sr/cCstjt|ptjS)z@Get a urlopen() replacement that uses ca_bundle for verification)urllibrequestZ build_openerrropen)r+rrrrs rcstfdd}|S)Ncs tds|i|_jS)Nalways_returns)r=rF)argskwargsfuncrrwrappers zonce..wrapper) functoolswraps)rJrKrrIroncesrNcsXz ddl}Wnty YdS0Gfddd|j}|d|d|jS)Nrcs,eZdZfddZfddZZS)z"get_win_certfile..CertFilecst|t|jdSr*)superr-atexitregisterr@r2CertFile __class__rrr-sz+get_win_certfile..CertFile.__init__cs*zt|Wnty$Yn0dSr*)rOr@OSErrorr2rRrrr@s z(get_win_certfile..CertFile.close)r r r r-r@ __classcell__rrS)rTrrSsrSZCAZROOT) wincertstore ImportErrorrSZaddstorename)rXZ _wincertsrrWrget_win_certfiles     r[cCs$ttjjt}tp"t|dp"tS)z*Return an existing CA bundle path, or NoneN)filterospathisfilerr[next_certifi_where)Zextant_cert_pathsrrrrs rc Cs,ztdWStttfy&Yn0dS)NZcertifi) __import__whererYrrrrrrrasra)r)N)%r]r;rPrrLZurllib.requestrCZ http.clientZhttpZ pkg_resourcesrrr?rY__all__striprrrDr,Zclientr7AttributeErrorobjectrr r Zbackports.ssl_match_hostnamer#r"rr/rrNr[rrarrrrsV         6*(