Edit File by line
/home/barbar84/public_h.../wp-conte.../plugins/sujqvwi/AnonR/anonr.TX.../opt/imh-pyth.../lib/python3....
File: ssl.py
# Wrapper module for _ssl, providing some additional facilities
[0] Fix | Delete
# implemented in Python. Written by Bill Janssen.
[1] Fix | Delete
[2] Fix | Delete
"""This module provides some more Pythonic support for SSL.
[3] Fix | Delete
[4] Fix | Delete
Object types:
[5] Fix | Delete
[6] Fix | Delete
SSLSocket -- subtype of socket.socket which does SSL over the socket
[7] Fix | Delete
[8] Fix | Delete
Exceptions:
[9] Fix | Delete
[10] Fix | Delete
SSLError -- exception raised for I/O errors
[11] Fix | Delete
[12] Fix | Delete
Functions:
[13] Fix | Delete
[14] Fix | Delete
cert_time_to_seconds -- convert time string used for certificate
[15] Fix | Delete
notBefore and notAfter functions to integer
[16] Fix | Delete
seconds past the Epoch (the time values
[17] Fix | Delete
returned from time.time())
[18] Fix | Delete
[19] Fix | Delete
fetch_server_certificate (HOST, PORT) -- fetch the certificate provided
[20] Fix | Delete
by the server running on HOST at port PORT. No
[21] Fix | Delete
validation of the certificate is performed.
[22] Fix | Delete
[23] Fix | Delete
Integer constants:
[24] Fix | Delete
[25] Fix | Delete
SSL_ERROR_ZERO_RETURN
[26] Fix | Delete
SSL_ERROR_WANT_READ
[27] Fix | Delete
SSL_ERROR_WANT_WRITE
[28] Fix | Delete
SSL_ERROR_WANT_X509_LOOKUP
[29] Fix | Delete
SSL_ERROR_SYSCALL
[30] Fix | Delete
SSL_ERROR_SSL
[31] Fix | Delete
SSL_ERROR_WANT_CONNECT
[32] Fix | Delete
[33] Fix | Delete
SSL_ERROR_EOF
[34] Fix | Delete
SSL_ERROR_INVALID_ERROR_CODE
[35] Fix | Delete
[36] Fix | Delete
The following group define certificate requirements that one side is
[37] Fix | Delete
allowing/requiring from the other side:
[38] Fix | Delete
[39] Fix | Delete
CERT_NONE - no certificates from the other side are required (or will
[40] Fix | Delete
be looked at if provided)
[41] Fix | Delete
CERT_OPTIONAL - certificates are not required, but if provided will be
[42] Fix | Delete
validated, and if validation fails, the connection will
[43] Fix | Delete
also fail
[44] Fix | Delete
CERT_REQUIRED - certificates are required, and will be validated, and
[45] Fix | Delete
if validation fails, the connection will also fail
[46] Fix | Delete
[47] Fix | Delete
The following constants identify various SSL protocol variants:
[48] Fix | Delete
[49] Fix | Delete
PROTOCOL_SSLv2
[50] Fix | Delete
PROTOCOL_SSLv3
[51] Fix | Delete
PROTOCOL_SSLv23
[52] Fix | Delete
PROTOCOL_TLS
[53] Fix | Delete
PROTOCOL_TLS_CLIENT
[54] Fix | Delete
PROTOCOL_TLS_SERVER
[55] Fix | Delete
PROTOCOL_TLSv1
[56] Fix | Delete
PROTOCOL_TLSv1_1
[57] Fix | Delete
PROTOCOL_TLSv1_2
[58] Fix | Delete
[59] Fix | Delete
The following constants identify various SSL alert message descriptions as per
[60] Fix | Delete
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
[61] Fix | Delete
[62] Fix | Delete
ALERT_DESCRIPTION_CLOSE_NOTIFY
[63] Fix | Delete
ALERT_DESCRIPTION_UNEXPECTED_MESSAGE
[64] Fix | Delete
ALERT_DESCRIPTION_BAD_RECORD_MAC
[65] Fix | Delete
ALERT_DESCRIPTION_RECORD_OVERFLOW
[66] Fix | Delete
ALERT_DESCRIPTION_DECOMPRESSION_FAILURE
[67] Fix | Delete
ALERT_DESCRIPTION_HANDSHAKE_FAILURE
[68] Fix | Delete
ALERT_DESCRIPTION_BAD_CERTIFICATE
[69] Fix | Delete
ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE
[70] Fix | Delete
ALERT_DESCRIPTION_CERTIFICATE_REVOKED
[71] Fix | Delete
ALERT_DESCRIPTION_CERTIFICATE_EXPIRED
[72] Fix | Delete
ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN
[73] Fix | Delete
ALERT_DESCRIPTION_ILLEGAL_PARAMETER
[74] Fix | Delete
ALERT_DESCRIPTION_UNKNOWN_CA
[75] Fix | Delete
ALERT_DESCRIPTION_ACCESS_DENIED
[76] Fix | Delete
ALERT_DESCRIPTION_DECODE_ERROR
[77] Fix | Delete
ALERT_DESCRIPTION_DECRYPT_ERROR
[78] Fix | Delete
ALERT_DESCRIPTION_PROTOCOL_VERSION
[79] Fix | Delete
ALERT_DESCRIPTION_INSUFFICIENT_SECURITY
[80] Fix | Delete
ALERT_DESCRIPTION_INTERNAL_ERROR
[81] Fix | Delete
ALERT_DESCRIPTION_USER_CANCELLED
[82] Fix | Delete
ALERT_DESCRIPTION_NO_RENEGOTIATION
[83] Fix | Delete
ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION
[84] Fix | Delete
ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE
[85] Fix | Delete
ALERT_DESCRIPTION_UNRECOGNIZED_NAME
[86] Fix | Delete
ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE
[87] Fix | Delete
ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE
[88] Fix | Delete
ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY
[89] Fix | Delete
"""
[90] Fix | Delete
[91] Fix | Delete
import sys
[92] Fix | Delete
import os
[93] Fix | Delete
from collections import namedtuple
[94] Fix | Delete
from enum import Enum as _Enum, IntEnum as _IntEnum, IntFlag as _IntFlag
[95] Fix | Delete
[96] Fix | Delete
import _ssl # if we can't import it, let the error propagate
[97] Fix | Delete
[98] Fix | Delete
from _ssl import OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_INFO, OPENSSL_VERSION
[99] Fix | Delete
from _ssl import _SSLContext, MemoryBIO, SSLSession
[100] Fix | Delete
from _ssl import (
[101] Fix | Delete
SSLError, SSLZeroReturnError, SSLWantReadError, SSLWantWriteError,
[102] Fix | Delete
SSLSyscallError, SSLEOFError, SSLCertVerificationError
[103] Fix | Delete
)
[104] Fix | Delete
from _ssl import txt2obj as _txt2obj, nid2obj as _nid2obj
[105] Fix | Delete
from _ssl import RAND_status, RAND_add, RAND_bytes, RAND_pseudo_bytes
[106] Fix | Delete
try:
[107] Fix | Delete
from _ssl import RAND_egd
[108] Fix | Delete
except ImportError:
[109] Fix | Delete
# LibreSSL does not provide RAND_egd
[110] Fix | Delete
pass
[111] Fix | Delete
[112] Fix | Delete
[113] Fix | Delete
from _ssl import (
[114] Fix | Delete
HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_SSLv2, HAS_SSLv3, HAS_TLSv1,
[115] Fix | Delete
HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3
[116] Fix | Delete
)
[117] Fix | Delete
from _ssl import _DEFAULT_CIPHERS, _OPENSSL_API_VERSION
[118] Fix | Delete
[119] Fix | Delete
[120] Fix | Delete
_IntEnum._convert_(
[121] Fix | Delete
'_SSLMethod', __name__,
[122] Fix | Delete
lambda name: name.startswith('PROTOCOL_') and name != 'PROTOCOL_SSLv23',
[123] Fix | Delete
source=_ssl)
[124] Fix | Delete
[125] Fix | Delete
_IntFlag._convert_(
[126] Fix | Delete
'Options', __name__,
[127] Fix | Delete
lambda name: name.startswith('OP_'),
[128] Fix | Delete
source=_ssl)
[129] Fix | Delete
[130] Fix | Delete
_IntEnum._convert_(
[131] Fix | Delete
'AlertDescription', __name__,
[132] Fix | Delete
lambda name: name.startswith('ALERT_DESCRIPTION_'),
[133] Fix | Delete
source=_ssl)
[134] Fix | Delete
[135] Fix | Delete
_IntEnum._convert_(
[136] Fix | Delete
'SSLErrorNumber', __name__,
[137] Fix | Delete
lambda name: name.startswith('SSL_ERROR_'),
[138] Fix | Delete
source=_ssl)
[139] Fix | Delete
[140] Fix | Delete
_IntFlag._convert_(
[141] Fix | Delete
'VerifyFlags', __name__,
[142] Fix | Delete
lambda name: name.startswith('VERIFY_'),
[143] Fix | Delete
source=_ssl)
[144] Fix | Delete
[145] Fix | Delete
_IntEnum._convert_(
[146] Fix | Delete
'VerifyMode', __name__,
[147] Fix | Delete
lambda name: name.startswith('CERT_'),
[148] Fix | Delete
source=_ssl)
[149] Fix | Delete
[150] Fix | Delete
PROTOCOL_SSLv23 = _SSLMethod.PROTOCOL_SSLv23 = _SSLMethod.PROTOCOL_TLS
[151] Fix | Delete
_PROTOCOL_NAMES = {value: name for name, value in _SSLMethod.__members__.items()}
[152] Fix | Delete
[153] Fix | Delete
_SSLv2_IF_EXISTS = getattr(_SSLMethod, 'PROTOCOL_SSLv2', None)
[154] Fix | Delete
[155] Fix | Delete
[156] Fix | Delete
class TLSVersion(_IntEnum):
[157] Fix | Delete
MINIMUM_SUPPORTED = _ssl.PROTO_MINIMUM_SUPPORTED
[158] Fix | Delete
SSLv3 = _ssl.PROTO_SSLv3
[159] Fix | Delete
TLSv1 = _ssl.PROTO_TLSv1
[160] Fix | Delete
TLSv1_1 = _ssl.PROTO_TLSv1_1
[161] Fix | Delete
TLSv1_2 = _ssl.PROTO_TLSv1_2
[162] Fix | Delete
TLSv1_3 = _ssl.PROTO_TLSv1_3
[163] Fix | Delete
MAXIMUM_SUPPORTED = _ssl.PROTO_MAXIMUM_SUPPORTED
[164] Fix | Delete
[165] Fix | Delete
[166] Fix | Delete
class _TLSContentType(_IntEnum):
[167] Fix | Delete
"""Content types (record layer)
[168] Fix | Delete
[169] Fix | Delete
See RFC 8446, section B.1
[170] Fix | Delete
"""
[171] Fix | Delete
CHANGE_CIPHER_SPEC = 20
[172] Fix | Delete
ALERT = 21
[173] Fix | Delete
HANDSHAKE = 22
[174] Fix | Delete
APPLICATION_DATA = 23
[175] Fix | Delete
# pseudo content types
[176] Fix | Delete
HEADER = 0x100
[177] Fix | Delete
INNER_CONTENT_TYPE = 0x101
[178] Fix | Delete
[179] Fix | Delete
[180] Fix | Delete
class _TLSAlertType(_IntEnum):
[181] Fix | Delete
"""Alert types for TLSContentType.ALERT messages
[182] Fix | Delete
[183] Fix | Delete
See RFC 8466, section B.2
[184] Fix | Delete
"""
[185] Fix | Delete
CLOSE_NOTIFY = 0
[186] Fix | Delete
UNEXPECTED_MESSAGE = 10
[187] Fix | Delete
BAD_RECORD_MAC = 20
[188] Fix | Delete
DECRYPTION_FAILED = 21
[189] Fix | Delete
RECORD_OVERFLOW = 22
[190] Fix | Delete
DECOMPRESSION_FAILURE = 30
[191] Fix | Delete
HANDSHAKE_FAILURE = 40
[192] Fix | Delete
NO_CERTIFICATE = 41
[193] Fix | Delete
BAD_CERTIFICATE = 42
[194] Fix | Delete
UNSUPPORTED_CERTIFICATE = 43
[195] Fix | Delete
CERTIFICATE_REVOKED = 44
[196] Fix | Delete
CERTIFICATE_EXPIRED = 45
[197] Fix | Delete
CERTIFICATE_UNKNOWN = 46
[198] Fix | Delete
ILLEGAL_PARAMETER = 47
[199] Fix | Delete
UNKNOWN_CA = 48
[200] Fix | Delete
ACCESS_DENIED = 49
[201] Fix | Delete
DECODE_ERROR = 50
[202] Fix | Delete
DECRYPT_ERROR = 51
[203] Fix | Delete
EXPORT_RESTRICTION = 60
[204] Fix | Delete
PROTOCOL_VERSION = 70
[205] Fix | Delete
INSUFFICIENT_SECURITY = 71
[206] Fix | Delete
INTERNAL_ERROR = 80
[207] Fix | Delete
INAPPROPRIATE_FALLBACK = 86
[208] Fix | Delete
USER_CANCELED = 90
[209] Fix | Delete
NO_RENEGOTIATION = 100
[210] Fix | Delete
MISSING_EXTENSION = 109
[211] Fix | Delete
UNSUPPORTED_EXTENSION = 110
[212] Fix | Delete
CERTIFICATE_UNOBTAINABLE = 111
[213] Fix | Delete
UNRECOGNIZED_NAME = 112
[214] Fix | Delete
BAD_CERTIFICATE_STATUS_RESPONSE = 113
[215] Fix | Delete
BAD_CERTIFICATE_HASH_VALUE = 114
[216] Fix | Delete
UNKNOWN_PSK_IDENTITY = 115
[217] Fix | Delete
CERTIFICATE_REQUIRED = 116
[218] Fix | Delete
NO_APPLICATION_PROTOCOL = 120
[219] Fix | Delete
[220] Fix | Delete
[221] Fix | Delete
class _TLSMessageType(_IntEnum):
[222] Fix | Delete
"""Message types (handshake protocol)
[223] Fix | Delete
[224] Fix | Delete
See RFC 8446, section B.3
[225] Fix | Delete
"""
[226] Fix | Delete
HELLO_REQUEST = 0
[227] Fix | Delete
CLIENT_HELLO = 1
[228] Fix | Delete
SERVER_HELLO = 2
[229] Fix | Delete
HELLO_VERIFY_REQUEST = 3
[230] Fix | Delete
NEWSESSION_TICKET = 4
[231] Fix | Delete
END_OF_EARLY_DATA = 5
[232] Fix | Delete
HELLO_RETRY_REQUEST = 6
[233] Fix | Delete
ENCRYPTED_EXTENSIONS = 8
[234] Fix | Delete
CERTIFICATE = 11
[235] Fix | Delete
SERVER_KEY_EXCHANGE = 12
[236] Fix | Delete
CERTIFICATE_REQUEST = 13
[237] Fix | Delete
SERVER_DONE = 14
[238] Fix | Delete
CERTIFICATE_VERIFY = 15
[239] Fix | Delete
CLIENT_KEY_EXCHANGE = 16
[240] Fix | Delete
FINISHED = 20
[241] Fix | Delete
CERTIFICATE_URL = 21
[242] Fix | Delete
CERTIFICATE_STATUS = 22
[243] Fix | Delete
SUPPLEMENTAL_DATA = 23
[244] Fix | Delete
KEY_UPDATE = 24
[245] Fix | Delete
NEXT_PROTO = 67
[246] Fix | Delete
MESSAGE_HASH = 254
[247] Fix | Delete
CHANGE_CIPHER_SPEC = 0x0101
[248] Fix | Delete
[249] Fix | Delete
[250] Fix | Delete
if sys.platform == "win32":
[251] Fix | Delete
from _ssl import enum_certificates, enum_crls
[252] Fix | Delete
[253] Fix | Delete
from socket import socket, SOCK_STREAM, create_connection
[254] Fix | Delete
from socket import SOL_SOCKET, SO_TYPE
[255] Fix | Delete
import socket as _socket
[256] Fix | Delete
import base64 # for DER-to-PEM translation
[257] Fix | Delete
import errno
[258] Fix | Delete
import warnings
[259] Fix | Delete
[260] Fix | Delete
[261] Fix | Delete
socket_error = OSError # keep that public name in module namespace
[262] Fix | Delete
[263] Fix | Delete
CHANNEL_BINDING_TYPES = ['tls-unique']
[264] Fix | Delete
[265] Fix | Delete
HAS_NEVER_CHECK_COMMON_NAME = hasattr(_ssl, 'HOSTFLAG_NEVER_CHECK_SUBJECT')
[266] Fix | Delete
[267] Fix | Delete
[268] Fix | Delete
_RESTRICTED_SERVER_CIPHERS = _DEFAULT_CIPHERS
[269] Fix | Delete
[270] Fix | Delete
CertificateError = SSLCertVerificationError
[271] Fix | Delete
[272] Fix | Delete
[273] Fix | Delete
def _dnsname_match(dn, hostname):
[274] Fix | Delete
"""Matching according to RFC 6125, section 6.4.3
[275] Fix | Delete
[276] Fix | Delete
- Hostnames are compared lower case.
[277] Fix | Delete
- For IDNA, both dn and hostname must be encoded as IDN A-label (ACE).
[278] Fix | Delete
- Partial wildcards like 'www*.example.org', multiple wildcards, sole
[279] Fix | Delete
wildcard or wildcards in labels other then the left-most label are not
[280] Fix | Delete
supported and a CertificateError is raised.
[281] Fix | Delete
- A wildcard must match at least one character.
[282] Fix | Delete
"""
[283] Fix | Delete
if not dn:
[284] Fix | Delete
return False
[285] Fix | Delete
[286] Fix | Delete
wildcards = dn.count('*')
[287] Fix | Delete
# speed up common case w/o wildcards
[288] Fix | Delete
if not wildcards:
[289] Fix | Delete
return dn.lower() == hostname.lower()
[290] Fix | Delete
[291] Fix | Delete
if wildcards > 1:
[292] Fix | Delete
raise CertificateError(
[293] Fix | Delete
"too many wildcards in certificate DNS name: {!r}.".format(dn))
[294] Fix | Delete
[295] Fix | Delete
dn_leftmost, sep, dn_remainder = dn.partition('.')
[296] Fix | Delete
[297] Fix | Delete
if '*' in dn_remainder:
[298] Fix | Delete
# Only match wildcard in leftmost segment.
[299] Fix | Delete
raise CertificateError(
[300] Fix | Delete
"wildcard can only be present in the leftmost label: "
[301] Fix | Delete
"{!r}.".format(dn))
[302] Fix | Delete
[303] Fix | Delete
if not sep:
[304] Fix | Delete
# no right side
[305] Fix | Delete
raise CertificateError(
[306] Fix | Delete
"sole wildcard without additional labels are not support: "
[307] Fix | Delete
"{!r}.".format(dn))
[308] Fix | Delete
[309] Fix | Delete
if dn_leftmost != '*':
[310] Fix | Delete
# no partial wildcard matching
[311] Fix | Delete
raise CertificateError(
[312] Fix | Delete
"partial wildcards in leftmost label are not supported: "
[313] Fix | Delete
"{!r}.".format(dn))
[314] Fix | Delete
[315] Fix | Delete
hostname_leftmost, sep, hostname_remainder = hostname.partition('.')
[316] Fix | Delete
if not hostname_leftmost or not sep:
[317] Fix | Delete
# wildcard must match at least one char
[318] Fix | Delete
return False
[319] Fix | Delete
return dn_remainder.lower() == hostname_remainder.lower()
[320] Fix | Delete
[321] Fix | Delete
[322] Fix | Delete
def _inet_paton(ipname):
[323] Fix | Delete
"""Try to convert an IP address to packed binary form
[324] Fix | Delete
[325] Fix | Delete
Supports IPv4 addresses on all platforms and IPv6 on platforms with IPv6
[326] Fix | Delete
support.
[327] Fix | Delete
"""
[328] Fix | Delete
# inet_aton() also accepts strings like '1', '127.1', some also trailing
[329] Fix | Delete
# data like '127.0.0.1 whatever'.
[330] Fix | Delete
try:
[331] Fix | Delete
addr = _socket.inet_aton(ipname)
[332] Fix | Delete
except OSError:
[333] Fix | Delete
# not an IPv4 address
[334] Fix | Delete
pass
[335] Fix | Delete
else:
[336] Fix | Delete
if _socket.inet_ntoa(addr) == ipname:
[337] Fix | Delete
# only accept injective ipnames
[338] Fix | Delete
return addr
[339] Fix | Delete
else:
[340] Fix | Delete
# refuse for short IPv4 notation and additional trailing data
[341] Fix | Delete
raise ValueError(
[342] Fix | Delete
"{!r} is not a quad-dotted IPv4 address.".format(ipname)
[343] Fix | Delete
)
[344] Fix | Delete
[345] Fix | Delete
try:
[346] Fix | Delete
return _socket.inet_pton(_socket.AF_INET6, ipname)
[347] Fix | Delete
except OSError:
[348] Fix | Delete
raise ValueError("{!r} is neither an IPv4 nor an IP6 "
[349] Fix | Delete
"address.".format(ipname))
[350] Fix | Delete
except AttributeError:
[351] Fix | Delete
# AF_INET6 not available
[352] Fix | Delete
pass
[353] Fix | Delete
[354] Fix | Delete
raise ValueError("{!r} is not an IPv4 address.".format(ipname))
[355] Fix | Delete
[356] Fix | Delete
[357] Fix | Delete
def _ipaddress_match(cert_ipaddress, host_ip):
[358] Fix | Delete
"""Exact matching of IP addresses.
[359] Fix | Delete
[360] Fix | Delete
RFC 6125 explicitly doesn't define an algorithm for this
[361] Fix | Delete
(section 1.7.2 - "Out of Scope").
[362] Fix | Delete
"""
[363] Fix | Delete
# OpenSSL may add a trailing newline to a subjectAltName's IP address,
[364] Fix | Delete
# commonly woth IPv6 addresses. Strip off trailing \n.
[365] Fix | Delete
ip = _inet_paton(cert_ipaddress.rstrip())
[366] Fix | Delete
return ip == host_ip
[367] Fix | Delete
[368] Fix | Delete
[369] Fix | Delete
def match_hostname(cert, hostname):
[370] Fix | Delete
"""Verify that *cert* (in decoded format as returned by
[371] Fix | Delete
SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125
[372] Fix | Delete
rules are followed.
[373] Fix | Delete
[374] Fix | Delete
The function matches IP addresses rather than dNSNames if hostname is a
[375] Fix | Delete
valid ipaddress string. IPv4 addresses are supported on all platforms.
[376] Fix | Delete
IPv6 addresses are supported on platforms with IPv6 support (AF_INET6
[377] Fix | Delete
and inet_pton).
[378] Fix | Delete
[379] Fix | Delete
CertificateError is raised on failure. On success, the function
[380] Fix | Delete
returns nothing.
[381] Fix | Delete
"""
[382] Fix | Delete
if not cert:
[383] Fix | Delete
raise ValueError("empty or no certificate, match_hostname needs a "
[384] Fix | Delete
"SSL socket or SSL context with either "
[385] Fix | Delete
"CERT_OPTIONAL or CERT_REQUIRED")
[386] Fix | Delete
try:
[387] Fix | Delete
host_ip = _inet_paton(hostname)
[388] Fix | Delete
except ValueError:
[389] Fix | Delete
# Not an IP address (common case)
[390] Fix | Delete
host_ip = None
[391] Fix | Delete
dnsnames = []
[392] Fix | Delete
san = cert.get('subjectAltName', ())
[393] Fix | Delete
for key, value in san:
[394] Fix | Delete
if key == 'DNS':
[395] Fix | Delete
if host_ip is None and _dnsname_match(value, hostname):
[396] Fix | Delete
return
[397] Fix | Delete
dnsnames.append(value)
[398] Fix | Delete
elif key == 'IP Address':
[399] Fix | Delete
if host_ip is not None and _ipaddress_match(value, host_ip):
[400] Fix | Delete
return
[401] Fix | Delete
dnsnames.append(value)
[402] Fix | Delete
if not dnsnames:
[403] Fix | Delete
# The subject is only checked when there is no dNSName entry
[404] Fix | Delete
# in subjectAltName
[405] Fix | Delete
for sub in cert.get('subject', ()):
[406] Fix | Delete
for key, value in sub:
[407] Fix | Delete
# XXX according to RFC 2818, the most specific Common Name
[408] Fix | Delete
# must be used.
[409] Fix | Delete
if key == 'commonName':
[410] Fix | Delete
if _dnsname_match(value, hostname):
[411] Fix | Delete
return
[412] Fix | Delete
dnsnames.append(value)
[413] Fix | Delete
if len(dnsnames) > 1:
[414] Fix | Delete
raise CertificateError("hostname %r "
[415] Fix | Delete
"doesn't match either of %s"
[416] Fix | Delete
% (hostname, ', '.join(map(repr, dnsnames))))
[417] Fix | Delete
elif len(dnsnames) == 1:
[418] Fix | Delete
raise CertificateError("hostname %r "
[419] Fix | Delete
"doesn't match %r"
[420] Fix | Delete
% (hostname, dnsnames[0]))
[421] Fix | Delete
else:
[422] Fix | Delete
raise CertificateError("no appropriate commonName or "
[423] Fix | Delete
"subjectAltName fields were found")
[424] Fix | Delete
[425] Fix | Delete
[426] Fix | Delete
DefaultVerifyPaths = namedtuple("DefaultVerifyPaths",
[427] Fix | Delete
"cafile capath openssl_cafile_env openssl_cafile openssl_capath_env "
[428] Fix | Delete
"openssl_capath")
[429] Fix | Delete
[430] Fix | Delete
def get_default_verify_paths():
[431] Fix | Delete
"""Return paths to default cafile and capath.
[432] Fix | Delete
"""
[433] Fix | Delete
parts = _ssl.get_default_verify_paths()
[434] Fix | Delete
[435] Fix | Delete
# environment vars shadow paths
[436] Fix | Delete
cafile = os.environ.get(parts[0], parts[1])
[437] Fix | Delete
capath = os.environ.get(parts[2], parts[3])
[438] Fix | Delete
[439] Fix | Delete
return DefaultVerifyPaths(cafile if os.path.isfile(cafile) else None,
[440] Fix | Delete
capath if os.path.isdir(capath) else None,
[441] Fix | Delete
*parts)
[442] Fix | Delete
[443] Fix | Delete
[444] Fix | Delete
class _ASN1Object(namedtuple("_ASN1Object", "nid shortname longname oid")):
[445] Fix | Delete
"""ASN.1 object identifier lookup
[446] Fix | Delete
"""
[447] Fix | Delete
__slots__ = ()
[448] Fix | Delete
[449] Fix | Delete
def __new__(cls, oid):
[450] Fix | Delete
return super().__new__(cls, *_txt2obj(oid, name=False))
[451] Fix | Delete
[452] Fix | Delete
@classmethod
[453] Fix | Delete
def fromnid(cls, nid):
[454] Fix | Delete
"""Create _ASN1Object from OpenSSL numeric ID
[455] Fix | Delete
"""
[456] Fix | Delete
return super().__new__(cls, *_nid2obj(nid))
[457] Fix | Delete
[458] Fix | Delete
@classmethod
[459] Fix | Delete
def fromname(cls, name):
[460] Fix | Delete
"""Create _ASN1Object from short name, long name or OID
[461] Fix | Delete
"""
[462] Fix | Delete
return super().__new__(cls, *_txt2obj(name, name=True))
[463] Fix | Delete
[464] Fix | Delete
[465] Fix | Delete
class Purpose(_ASN1Object, _Enum):
[466] Fix | Delete
"""SSLContext purpose flags with X509v3 Extended Key Usage objects
[467] Fix | Delete
"""
[468] Fix | Delete
SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
[469] Fix | Delete
CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
[470] Fix | Delete
[471] Fix | Delete
[472] Fix | Delete
class SSLContext(_SSLContext):
[473] Fix | Delete
"""An SSLContext holds various SSL-related configuration options and
[474] Fix | Delete
data, such as certificates and possibly a private key."""
[475] Fix | Delete
_windows_cert_stores = ("CA", "ROOT")
[476] Fix | Delete
[477] Fix | Delete
sslsocket_class = None # SSLSocket is assigned later.
[478] Fix | Delete
sslobject_class = None # SSLObject is assigned later.
[479] Fix | Delete
[480] Fix | Delete
def __new__(cls, protocol=PROTOCOL_TLS, *args, **kwargs):
[481] Fix | Delete
self = _SSLContext.__new__(cls, protocol)
[482] Fix | Delete
return self
[483] Fix | Delete
[484] Fix | Delete
def _encode_hostname(self, hostname):
[485] Fix | Delete
if hostname is None:
[486] Fix | Delete
return None
[487] Fix | Delete
elif isinstance(hostname, str):
[488] Fix | Delete
return hostname.encode('idna').decode('ascii')
[489] Fix | Delete
else:
[490] Fix | Delete
return hostname.decode('ascii')
[491] Fix | Delete
[492] Fix | Delete
def wrap_socket(self, sock, server_side=False,
[493] Fix | Delete
do_handshake_on_connect=True,
[494] Fix | Delete
suppress_ragged_eofs=True,
[495] Fix | Delete
server_hostname=None, session=None):
[496] Fix | Delete
# SSLSocket class handles server_hostname encoding before it calls
[497] Fix | Delete
# ctx._wrap_socket()
[498] Fix | Delete
return self.sslsocket_class._create(
[499] Fix | Delete
It is recommended that you Edit text format, this type of Fix handles quite a lot in one request
Function