3 LY"@sddlZddlZddlZddlZddlmZmZmZddlZddlm Z m Z y ddl Z Wne k rpdZ YnXdddddgZ d jjZyejjZejZWnek reZZYnXe dk oeeefkZydd l mZmZWnRe k r6ydd lmZdd lmZWne k r0dZdZYnXYnXesNGd ddeZesfdddZddZGdddeZGdddeZdddZdaddZ ddZ!dS)N)urllib http_clientmap)ResolutionErrorExtractionErrorVerifyingHTTPSHandlerfind_ca_bundle is_available cert_paths opener_fora /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt /usr/share/ssl/certs/ca-bundle.crt /usr/local/share/certs/ca-root.crt /etc/ssl/cert.pem /System/Library/OpenSSL/certs/cert.pem /usr/local/share/certs/ca-root-nss.crt /etc/ssl/ca-bundle.pem )CertificateErrormatch_hostname)r )r c@s eZdZdS)r N)__name__ __module__ __qualname__rrp/private/var/folders/7d/20zwc49s3kn54d3vgq8bd4640000gn/T/pip-build-an2lx5zf/setuptools/setuptools/ssl_support.pyr 5sr c Csg}|s dS|jd}|d}|dd}|jd}||krLtdt||s`|j|jkS|dkrt|jdn>|jd s|jd r|jtj|n|jtj|j d d x|D]}|jtj|qWtj d d j |dtj } | j |S)zpMatching according to RFC 6125, section 6.4.3 http://tools.ietf.org/html/rfc6125#section-6.4.3 F.rrN*z,too many wildcards in certificate DNS name: z[^.]+zxn--z\*z[^.]*z\Az\.z\Z)splitcountr reprlowerappend startswithreescapereplacecompilejoin IGNORECASEmatch) dnhostname max_wildcardspatspartsleftmost remainder wildcardsfragpatrrr_dnsname_match;s*     r-cCs|s tdg}|jdf}x0|D](\}}|dkr"t||r@dS|j|q"W|sxF|jdfD]6}x0|D](\}}|dkrjt||rdS|j|qjWq`Wt|dkrtd|d jtt|fn*t|dkrtd ||d fntd dS) a=Verify that *cert* (in decoded format as returned by SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125 rules are followed, but IP addresses are not accepted for *hostname*. CertificateError is raised on failure. On success, the function returns nothing. zempty or no certificatesubjectAltNameDNSNsubject commonNamerz&hostname %r doesn't match either of %sz, zhostname %r doesn't match %rrz=no appropriate commonName or subjectAltName fields were found) ValueErrorgetr-rlenr r rr)certr$dnsnamessankeyvaluesubrrrr os.     r c@s eZdZdZddZddZdS)rz=Simple verifying handler: no auth, subclasses, timeouts, etc.cCs||_tj|dS)N) ca_bundle HTTPSHandler__init__)selfr;rrrr=szVerifyingHTTPSHandler.__init__csjfdd|S)Ncst|jf|S)N)VerifyingHTTPSConnr;)hostkw)r>rrsz2VerifyingHTTPSHandler.https_open..)do_open)r>reqr)r>r https_opensz VerifyingHTTPSHandler.https_openN)rrr__doc__r=rErrrrrsc@s eZdZdZddZddZdS)r?z@Simple verifying connection: no auth, subclasses, timeouts, etc.cKstj||f|||_dS)N)HTTPSConnectionr=r;)r>r@r;rArrrr=szVerifyingHTTPSConn.__init__c Cstj|j|jft|dd}t|drHt|ddrH||_|j|j}n|j}t j |t j |j d|_yt |jj|Wn.tk r|jjtj|jjYnXdS)Nsource_address_tunnel _tunnel_host) cert_reqsca_certs)socketcreate_connectionr@portgetattrhasattrsockrIrJssl wrap_socket CERT_REQUIREDr;r getpeercertr shutdown SHUT_RDWRclose)r>rR actual_hostrrrconnects zVerifyingHTTPSConn.connectN)rrrrFr=r[rrrrr?sr?cCstjjt|ptjS)z@Get a urlopen() replacement that uses ca_bundle for verification)rrequest build_openerrropen)r;rrrr sc s^tdk rtjSyddlmWntk r2dSXGfdddddgdatjS)Nr)CertFilecs0eZdZffffdd ZfddZZS)z$get_win_certfile..MyCertFilecs<j|x|D]}|j|qW|j|tj|jdS)N)r=ZaddstoreZaddcertsatexitregisterrY)r>storescertsstore)r_rrr=s    z-get_win_certfile..MyCertFile.__init__c s,yt|jWntk r&YnXdS)N)superrYOSError)r>) MyCertFile __class__rrrYsz*get_win_certfile..MyCertFile.close)rrrr=rY __classcell__r)r_rg)rhrrgsrgCAROOT)rb) _wincertsnameZ wincertstorer_ ImportErrorrr)r_rgrget_win_certfilesroc Cs^tjdkrtSxtD]}tjj|r|SqWyddl}|jStt t fk rXdSXdS)z*Return an existing CA bundle path, or NonentrN) osrmror pathisfilecertifiwherernrr)Z cert_pathrtrrrrs   )r)N)"rqrMr`rZsetuptools.extern.six.movesrrr pkg_resourcesrrrSrn__all__striprr r\r<rGAttributeErrorobjectr r r Zbackports.ssl_match_hostnamer2r-rr?r rlrorrrrrsN      4) #