B

���g�J�
@sPUdZd
dl
mZ
d
dlZd
dlmZ
yd
dlmZ
Wn$e	k
rZ


Gdd�de
�ZYnXd
dlZd
dlZd
dl
Z
d
dlmZ
d
d	lmZ
d
d
lmZ
ddlmZ
e
jr�d
d
lmZ
ddgZejjejjejjejjejejjiZ e!ed��
re!ejd��
rejj"e ej#<e!ed��
r4e!ejd��
r4ejj$e ej%<ej&ejj'ej(ejj)ej*ejj)ejj+iZ,dd�e,�-�D�
Z.e/ejdd
�e/ejdd
�BZ0de1d<e/ejdd
�Z2de1d<e/ejdd
�Z3de1d<e/ejdd
�Z4de1d<e/ejd d
�Z5de1d!<ej6j7e0ej6j8e0ej6j9e0e2Bej6j:e0e2Be3Bej6j;e0e2Be3Be4Bej6j<e0e2Be3Be4BiZ=d"e1d#<ej6j7e0e2Be3Be4Be5Bej6j8e0e3Be4Be5Bej6j9e0e4Be5Bej6j:e0e5Bej6j;e0ej6j<e0iZ>d"e1d$<d%Z?ejj@ZAe�BeC�
ZDd&d'�
d(d�ZEd&d'�
d)d�ZFd&d'�
d*d+�ZGd,d-d.�d/d0�ZHd1d2d3�d4d5�ZIGd6d7�d7�ZJejKeJ_KGd8d9�d9�ZLd:d1dddd;d<�d=d>�ZMdS)?a
Module for using pyOpenSSL as a TLS backend. This module was relevant before
the standard library ``ssl`` module supported SNI, but now that we've dropped
support for Python 2.7 all relevant Python versions support SNI so
**this module is no longer recommended**.

This needs the following packages installed:

* `pyOpenSSL`_ (tested with 16.0.0)
* `cryptography`_ (minimum 1.3.4, from pyopenssl)
* `idna`_ (minimum 2.0, from cryptography)

However, pyOpenSSL depends on cryptography, which depends on idna, so while we
use all three directly here we end up having relatively few packages required.

You can install them with the following command:

.. code-block:: bash

    $ python -m pip install pyopenssl cryptography idna

To activate certificate checking, call
:func:`~urllib3.contrib.pyopenssl.inject_into_urllib3` from your Python code
before you begin making HTTP requests. This can be done in a ``sitecustomize``
module, or at any other time before your application begins using ``urllib3``,
like this:

.. code-block:: python

    try:
        import urllib3.contrib.pyopenssl
        urllib3.contrib.pyopenssl.inject_into_urllib3()
    except ImportError:
        pass

.. _pyopenssl: https://www.pyopenssl.org
.. _cryptography: https://cryptography.io
.. _idna: https://github.com/kjd/idna
�)
�annotationsN)
�x509)
�UnsupportedExtensionc
@seZ
dZd
S)rN)�__name__�
__module__�__qualname__�rr�C/usr/local/lib/python3.7/site-packages/urllib3/contrib/pyopenssl.pyr2s
r)
�BytesIO)
�socket)
�timeout�)
�util)
�X509�inject_into_urllib3�extract_from_urllib3�PROTOCOL_TLSv1_1�TLSv1_1_METHOD�PROTOCOL_TLSv1_2�TLSv1_2_METHODc
Csi|]\}
}|
|�qSrr)�.0�
k�
vrrr	�
<dictcomp>Ysr�OP_NO_SSLv2�OP_NO_SSLv3�int�_OP_NO_SSLv2_OR_SSLv3�OP_NO_TLSv1�_OP_NO_TLSv1�
OP_NO_TLSv1_1�_OP_NO_TLSv1_1�
OP_NO_TLSv1_2�_OP_NO_TLSv1_2�
OP_NO_TLSv1_3�_OP_NO_TLSv1_3zdict[int, int]�_openssl_to_ssl_minimum_version�_openssl_to_ssl_maximum_versioni@�None)
�returncCs&t�
t
t_t
tj_d
t_d
tj_dS)z7Monkey-patch urllib3 with PyOpenSSL-backed SSL-support.TN)�_validate_dependencies_met�PyOpenSSLContextr�
SSLContext�ssl_�IS_PYOPENSSLrrrr	r�s



cCs tt
_tt
j_d
t
_d
t
j_dS)z4Undo monkey-patching by :func:`inject_into_urllib3`.FN)�orig_util_SSLContextrr,r-r.rrrr	r�s


cCsRd
dlm
}
t|dd�dkr$td�
�
d
dlm}

|
�}t|dd�dkrNtd�
�
dS)	z{
    Verifies that PyOpenSSL's package-level dependencies have been met.
    Throws `ImportError` if they are not met.
    r
)
�
Extensions�get_extension_for_classNzX'cryptography' module missing required functionality.  Try upgrading to v1.3.4 or newer.)
rZ_x509zS'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.)Zcryptography.x509.extensionsr0�getattr�ImportError�OpenSSL.cryptor)r0rrrrr	r*�s




r*�strz
str | None)�namer)c
Cs:d
dd�dd�}
d|kr|S|
|�
}|dkr0dS|�d�
S)	a%
    Converts a dNSName SubjectAlternativeName field to the form used by the
    standard library on the given Python version.

    Cryptography produces a dNSName as a unicode string that was idna-decoded
    from ASCII bytes. We need to idna-encode that string to get it back, and
    then on Python 3 we also need to convert to unicode via UTF-8 (the stdlib
    uses PyUnicode_FromStringAndSize on it, which decodes via UTF-8).

    If the name cannot be idna-encoded then we return None signalling that
    the name given should be skipped.
    r5zbytes | None)r6r)c
Ssld
dl}
yFx:dD]2}|�
|�
r|t|�
d�}|�d�
|
�|�
SqW|
�|�
S|
jjk
rf


dSXdS)z�
        Borrowed wholesale from the Python Cryptography Project. It turns out
        that we can't just safely call `idna.encode`: it can explode for
        wildcard names. This avoids that problem.
        r
N)z*.�
.�ascii)�idna�
startswith�len�encode�core�	IDNAError)r6r9�prefixrrr	�idna_encode�s









z'_dnsname_to_stdlib.<locals>.idna_encode�
:Nzutf-8)
�decode)r6r@�encoded_namerrr	�_dnsname_to_stdlib�s



rDrzlist[tuple[str, str]])�	peer_certr)c
Cs�|��}
y|
j
�tj�
j}WnNtjk
r2


gStjttj	t
fk
rj
}
zt�d
|�
gSd}~XYnXdd�t
t|�tj�
�D�
}|�dd�|�tj�
D�
�

|S)zU
    Given an PyOpenSSL certificate, provides all the subject alternative names.
    z�A problem was encountered with the certificate that prevented urllib3 from finding the SubjectAlternativeName field. This can affect certificate validation. The error was %sNc
Ssg|]}
|
dk	rd
|
f�qS)N�DNSr)rr6rrr	�
<listcomp>
s

z%get_subj_alt_name.<locals>.<listcomp>c
ss|]}
dt|
�
fV
qd
S)z
IP AddressN)
r5)rr6rrr	�	<genexpr>
sz$get_subj_alt_name.<locals>.<genexpr>)Zto_cryptography�
extensionsr1rZSubjectAlternativeName�valueZExtensionNotFoundZDuplicateExtensionrZUnsupportedGeneralNameType�UnicodeError�log�warning�maprDZget_values_for_typeZDNSName�extendZ	IPAddress)rE�cert�ext�
e�namesrrr	�get_subj_alt_name�s&










rTc@s�eZ
dZd
Zd/ddddd�dd	�Zd
d�
dd
�Zdd�
dd�Zdddd�dd�Zddd
d�dd�Zddd�dd�Z	dd
d�dd�Z
ddd�dd�Zdd�
d d!�Zdd�
d"d#�Z
dd�
d$d%�Zd0dd'd(�d)d*�Zd+d�
d,d-�Zd.S)1�
WrappedSocketz@API-compatibility wrapper for Python OpenSSL's Connection-class.TzOpenSSL.SSL.Connection�
socket_cls�boolr()�
connectionr�suppress_ragged_eofsr)cCs"|
|_||_
||_d
|_d|_dS)Nr
F)rXrrY�_io_refs�_closed)�selfrXrrYrrr	�__init__
s




zWrappedSocket.__init__r)
r)c

Cs
|j�
�S)
N)r�fileno)
r\rrr	r^!
s
zWrappedSocket.filenoc

Cs*|jd
kr|jd8_|j
r&|��
dS)Nr
�
)rZr[�close)
r\rrr	�_decref_socketios%
s




zWrappedSocket._decref_socketiosz
typing.Any�bytes)�args�kwargsr)c

Os$
y|jj
|
|�
}W�
ntjjk
rd
}
z.|jr>|jd
kr>dSt|jdt|�
�|�Wdd}~XYn�tjj	k
r�


|j�
�tjjkr�dS�Yn�tjjk
r�
}
z0t
�|j|j���s�td�
|�n|j
|
|�
SWdd}~XYn>tjjk
�
r
}
zt�d|���
|�Wdd}~XYnX|SdS)N)���zUnexpected EOF�r
zThe read operation timed outzread error: )rX�recv�OpenSSL�SSL�SysCallErrorrYrc�OSErrorr5�ZeroReturnError�get_shutdown�RECEIVED_SHUTDOWN�
WantReadErrorr�
wait_for_readr�
gettimeoutr�Error�ssl�SSLError)r\rcrd�datarRrrr	rg+
s"




&






$zWrappedSocket.recvc

Os
y|jj
|
|�
Stjjk
r^
}
z.|jr8|jd
kr8dSt|jdt|�
�|�Wdd}~XYn�tjj	k
r�


|j�
�tjjkr�dS�Yn�tjjk
r�
}
z0t
�|j|j���s�td�
|�n|j
|
|�
SWdd}~XYn:tjjk
�
r
}
zt�d|���
|�Wdd}~XYnXdS)N)rezUnexpected EOFr
zThe read operation timed outzread error: )rX�	recv_intorhrirjrYrcrkr5rlrmrnrorrprrqrrrrsrt)r\rcrdrRrrr	rvD
s 




&






zWrappedSocket.recv_into�float)rr)cCs|j�
|
�
S)
N)r�
settimeout)r\rrrr	rx[
s
zWrappedSocket.settimeout)rur)c
Cs�x�y|j�
|
�
Stjjk
rR
}
z"t�|j|j���s@t	�|�wWdd}~XYqtjj
k
r�
}
zt|jd
t
|�
�|�Wdd}~XYqXqWdS)Nr
)rX�sendrhriZWantWriteErrorr�wait_for_writerrqrrjrkrcr5)r\rurRrrr	�_send_until_done^
s








zWrappedSocket._send_until_donecCs8d
}x.|t|
�
kr2|�
|
||t��
}||7}qWdS)Nr
)r;r{�SSL_WRITE_BLOCKSIZE)r\ru�
total_sent�sentrrr	�sendalli
s




zWrappedSocket.sendallc

Cs|j�
�
dS)
N)rX�shutdown)
r\rrr	r�q
szWrappedSocket.shutdownc

Csd
|_|j
dk
r|��
dS)NTr
)r[rZ�_real_close)
r\rrr	r`u
s



zWrappedSocket.closec

Cs(y
|j�
�Stjjk
r"


dSXdS)
N)rXr`rhrirr)
r\rrr	r�z
s




zWrappedSocket._real_closeFz"dict[str, list[typing.Any]] | None)�binary_formr)cCsD|j�
�}|s|S|
r(tj�tjj|�Sd
|��jff
f
t|�
d�S)N�
commonName)�subject�subjectAltName)	rXZget_peer_certificaterhZcryptoZdump_certificateZ
FILETYPE_ASN1Zget_subjectZCNrT)r\r�rrrr	�getpeercert�
s



zWrappedSocket.getpeercertr5c

Cs
|j�
�S)
N)rXZget_protocol_version_name)
r\rrr	�version�
s
zWrappedSocket.versionN)
T)
F)rrr�__doc__r]r^rargrvrxr{rr�r`r�r�r�rrrr	rU
s
rUc@sB
eZ
dZd
Zddd�dd�Zedd�
dd	��
Zejddd
�dd	��
Zedd�
dd
��
Zejddd
�dd
��
Zdd�
dd�Z	ddd�dd�Z
d7ddddd�dd�Zd8ddddd�dd�Zd dd!�d"d#�Z
d9d&d'd'd'd(d)d*�d+d,�Zdd�
d-d.�Zedd�
d/d0��
Zejddd1�d2d0��
Zedd�
d3d4��
Zejddd5�d6d4��
ZdS):r+z�
    I am a wrapper class for the PyOpenSSL ``Context`` object. I am responsible
    for translating the interface of the standard library ``SSLContext`` object
    to calls into PyOpenSSL.
    rr()�protocolr)cCs>t|
|_
tj�|j
�
|_d
|_d|_tj	j
|_tj	j|_
dS)Nr
F)�_openssl_versionsr�rhri�Context�_ctx�_options�check_hostnamers�
TLSVersion�MINIMUM_SUPPORTED�_minimum_version�MAXIMUM_SUPPORTED�_maximum_version)r\r�rrr	r]�
s







zPyOpenSSLContext.__init__)
r)c


Cs|jS)
N)
r�)
r\rrr	�options�
szPyOpenSSLContext.options)rJr)cCs|
|_|�
�
dS)
N)r��_set_ctx_options)r\rJrrr	r��
s
c

Cst|j
��S)
N)�_openssl_to_stdlib_verifyr�Zget_verify_mode)
r\rrr	�verify_mode�
szPyOpenSSLContext.verify_modezssl.VerifyModecCs|j�
t|
t�
dS)
N)r�Z
set_verify�_stdlib_to_openssl_verify�_verify_callback)r\rJrrr	r��
sc

Cs|j�
�
dS)
N)r��set_default_verify_paths)
r\rrr	r��
s
z)PyOpenSSLContext.set_default_verify_pathszbytes | str)�ciphersr)cCs$t|
t
�r|
�d
�
}
|j�|
�

dS)Nzutf-8)�
isinstancer5r<r�Zset_cipher_list)r\r�rrr	�set_ciphers�
s




zPyOpenSSLContext.set_ciphersNz
str | Nonezbytes | None)�cafile�capath�cadatar)c
Cs�|
dk	r|
�d
�
}
|dk	r$|�d
�
}y*|j
�|
|�
|dk	rL|j
�t|�
�

Wn8tjjk
r�
}
zt�d|���
|�Wdd}~XYnXdS)Nzutf-8z%unable to load trusted certificates: )	r<r��load_verify_locationsr
rhrirrrsrt)r\r�r�r�rRrrr	r��
s










z&PyOpenSSLContext.load_verify_locationsr5)�certfile�keyfile�passwordr)c
s�yP|j�
|
�

�dk	r>t�t�s*��d
�
�|j��f
dd��

|j�|pJ|
�

Wn8tjj	k
r�
}
zt
�d|���
|�Wdd}~XYnXdS)Nzutf-8c

s�S)
Nr)
�
_)
r�rr	�<lambda>�
rfz2PyOpenSSLContext.load_cert_chain.<locals>.<lambda>z"Unable to load certificate chain: )r�Zuse_certificate_chain_filer�rbr<Z
set_passwd_cbZuse_privatekey_filerhrirrrsrt)r\r�r�r�rRr)
r�r	�load_cert_chain�
s









z PyOpenSSLContext.load_cert_chainzlist[bytes | str])�	protocolsr)cCsd
d�|
D�
}
|j�
|
�
S)Nc
Ssg|]}
tj�
|
d��qS)
r8)r�to_bytes)r�
prrr	rG�
sz7PyOpenSSLContext.set_alpn_protocols.<locals>.<listcomp>)r�Zset_alpn_protos)r\r�rrr	�set_alpn_protocols�
s

z#PyOpenSSLContext.set_alpn_protocolsFTrVrWzbytes | str | NonerU)�sock�server_side�do_handshake_on_connectrY�server_hostnamer)c
Cs�tj
�|j|
�}|r>tj�|�
s>t|t�r4|�	d
�
}|�
|�

|��
x�y|��
Wnxtj
j
k
r�
}
z t�|
|
���s�td�
|�wHWdd}~XYn8tj
jk
r�
}
zt�d|���
|�Wdd}~XYnXPqHWt||
�S)Nzutf-8zselect timed outzbad handshake: )rhri�
Connectionr�rr-�is_ipaddressr�r5r<Zset_tlsext_host_nameZset_connect_state�do_handshakerorprqrrrrsrtrU)r\r�r�r�rYr��cnxrRrrr	�wrap_socket�
s"














$
zPyOpenSSLContext.wrap_socketc

Cs&|j�
|jt|jBt|jB�

dS)
N)r�Zset_optionsr�r&r�r'r�)
r\rrr	r�s
z!PyOpenSSLContext._set_ctx_optionsc


Cs|jS)
N)
r�)
r\rrr	�minimum_version
sz PyOpenSSLContext.minimum_version)r�r)cCs|
|_|�
�
dS)
N)r�r�)r\r�rrr	r�s
c


Cs|jS)
N)
r�)
r\rrr	�maximum_versionsz PyOpenSSLContext.maximum_version)r�r)cCs|
|_|�
�
dS)
N)r�r�)r\r�rrr	r�s
)NNN)NN)FTTN)rrrr�r]�propertyr��setterr�r�r�r�r�r�r�r�r�r�rrrr	r+�
s.





r+zOpenSSL.SSL.ConnectionrW)r�r�err_no�	err_depth�return_coder)cCs|d
kS)Nr
r)r�rr�r�r�rrr	r�sr�)Nr��
__future__rZOpenSSL.SSLrhZcryptographyrZcryptography.x509rr3�	Exception�loggingrs�typing�ior
rrVr�r�
TYPE_CHECKINGr4r�__all__r-�PROTOCOL_TLSriZ
SSLv23_METHOD�PROTOCOL_TLS_CLIENT�PROTOCOL_TLSv1ZTLSv1_METHODr��hasattrrrrr�	CERT_NONEZVERIFY_NONE�
CERT_OPTIONALZVERIFY_PEER�
CERT_REQUIREDZVERIFY_FAIL_IF_NO_PEER_CERTr��itemsr�r2r�__annotations__rr!r#r%r�r��TLSv1�TLSv1_1�TLSv1_2�TLSv1_3r�r&r'r|r,r/�	getLoggerrrLrrr*rDrTrU�makefiler+r�rrrr	�<module>'s�

































	)0