o

<iM�
@
s(UdZd
dl
mZ
d
dlZd
dlmZ
zd
dlmZ
Wne	y,


Gdd�de
�ZYn
wd
dlZd
dlZd
dl
Z
d
dlmZ
d
d	lmZ
d
d
lmZ
ddlmZ
e
jrZd
d
lmZ
ddgZejjejjejjejjejejjiZ de!d<e"ed�r�e"ejd�r�ejj#e ej$<e"ed�r�e"ejd�r�ejj%e ej&<ej'ejj(ej)ejj*ej+ejj*ejj,iZ-dd�e-�.�D�
Z/e0ejdd
�e0ejdd
�BZ1de!d<e0ejdd
�Z2de!d<e0ejdd
�Z3de!d<e0ejd d
�Z4de!d!<e0ejd"d
�Z5de!d#<ej6j7e1ej6j8e1ej6j9e1e2Bej6j:e1e2Be3Bej6j;e1e2Be3Be4Bej6j<e1e2Be3Be4BiZ=de!d$<ej6j7e1e2Be3Be4Be5Bej6j8e1e3Be4Be5Bej6j9e1e4Be5Bej6j:e1e5Bej6j;e1ej6j<e1iZ>de!d%<d&Z?ejj@ZAe�BeC�
ZDdDd)d�ZEdDd*d�ZFdDd+d,�ZGdEd0d1�ZHdFd5d6�ZIGd7d8�d8�ZJejKeJ_KGd9d:�d:�ZLdGdBdC�ZMdS)Ha�
Module for using pyOpenSSL as a TLS backend. This module was relevant before
the standard library ``ssl`` module supported SNI, but now that we've dropped
support for Python 2.7 all relevant Python versions support SNI so
**this module is no longer recommended**.

This needs the following packages installed:

* `pyOpenSSL`_ (tested with 16.0.0)
* `cryptography`_ (minimum 1.3.4, from pyopenssl)
* `idna`_ (minimum 2.0)

However, pyOpenSSL depends on cryptography, so while we use all three directly here we
end up having relatively few packages required.

You can install them with the following command:

.. code-block:: bash

    $ python -m pip install pyopenssl cryptography idna

To activate certificate checking, call
:func:`~urllib3.contrib.pyopenssl.inject_into_urllib3` from your Python code
before you begin making HTTP requests. This can be done in a ``sitecustomize``
module, or at any other time before your application begins using ``urllib3``,
like this:

.. code-block:: python

    try:
        import urllib3.contrib.pyopenssl
        urllib3.contrib.pyopenssl.inject_into_urllib3()
    except ImportError:
        pass

.. _pyopenssl: https://www.pyopenssl.org
.. _cryptography: https://cryptography.io
.. _idna: https://github.com/kjd/idna
�)
�annotationsN)
�x509)
�UnsupportedExtensionc
@
seZ
dZd
S)rN)�__name__�
__module__�__qualname__�rr�G/opt/osm/venv/lib/python3.10/site-packages/urllib3/contrib/pyopenssl.pyr2s
r)
�BytesIO)
�socket)
�timeout�)
�util�
�X509�inject_into_urllib3�extract_from_urllib3zdict[int, int]�_openssl_versions�PROTOCOL_TLSv1_1�TLSv1_1_METHOD�PROTOCOL_TLSv1_2�TLSv1_2_METHODc
C
si|]\}
}||
�qSrr)�.0�
k�
vrrr	�
<dictcomp>Ysr�OP_NO_SSLv2�OP_NO_SSLv3�int�_OP_NO_SSLv2_OR_SSLv3�OP_NO_TLSv1�_OP_NO_TLSv1�
OP_NO_TLSv1_1�_OP_NO_TLSv1_1�
OP_NO_TLSv1_2�_OP_NO_TLSv1_2�
OP_NO_TLSv1_3�_OP_NO_TLSv1_3�_openssl_to_ssl_minimum_version�_openssl_to_ssl_maximum_versioni@�return�NonecC
s&t�
t
t_t
tj_d
t_d
tj_dS)z7Monkey-patch urllib3 with PyOpenSSL-backed SSL-support.TN)�_validate_dependencies_met�PyOpenSSLContextr�
SSLContext�ssl_�IS_PYOPENSSLrrrr	r�s



cC
s tt
_tt
j_d
t
_d
t
j_dS)z4Undo monkey-patching by :func:`inject_into_urllib3`.FN)�orig_util_SSLContextrr.r/r0rrrr	r�s


cC
sRd
dlm
}
t|dd�durtd�
�
d
dlm}

|
�}t|dd�dur'td�
�
dS)	z{
    Verifies that PyOpenSSL's package-level dependencies have been met.
    Throws `ImportError` if they are not met.
    r
)
�
Extensions�get_extension_for_classNzX'cryptography' module missing required functionality.  Try upgrading to v1.3.4 or newer.rZ_x509zS'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.)Zcryptography.x509.extensionsr2�getattr�ImportError�OpenSSL.cryptor)r2rrrrr	r,�s

�


��r,�name�str�
str | Nonec
C
s4d
dd�}
d|vr|S|
|�
}|durdS|�d	�
S)a%
    Converts a dNSName SubjectAlternativeName field to the form used by the
    standard library on the given Python version.

    Cryptography produces a dNSName as a unicode string that was idna-decoded
    from ASCII bytes. We need to idna-encode that string to get it back, and
    then on Python 3 we also need to convert to unicode via UTF-8 (the stdlib
    uses PyUnicode_FromStringAndSize on it, which decodes via UTF-8).

    If the name cannot be idna-encoded then we return None signalling that
    the name given should be skipped.
    r7r8r*�bytes | Nonec
S
sld
dl}
z%dD]}|�
|�
r#|t|�
d�}|�d�
|
�|�

WSq|
�|�
WS|
jjy5


YdSw)z�
        Borrowed wholesale from the Python Cryptography Project. It turns out
        that we can't just safely call `idna.encode`: it can explode for
        wildcard names. This avoids that problem.
        r
N)z*.�
.�ascii)�idna�
startswith�len�encode�core�	IDNAError)r7r=�prefixrrr	�idna_encode�s




�

�z'_dnsname_to_stdlib.<locals>.idna_encode�
:N�utf-8)r7r8r*r:)
�decode)r7rD�encoded_namerrr	�_dnsname_to_stdlib�s





rI�	peer_certr�list[tuple[str, str]]c
C
s�|��}
z
|
j
�tj�
j}Wn+tjy


gYStjttj	t
fy9
}
zt�d
|�
gWYd}~Sd}~w
wdd�t
t|�tj�
�D�
}|�dd�|�tj�
D�
�

|S)zU
    Given an PyOpenSSL certificate, provides all the subject alternative names.
    z�A problem was encountered with the certificate that prevented urllib3 from finding the SubjectAlternativeName field. This can affect certificate validation. The error was %sNc
S
sg|]
}
|
du
rd
|
f�qS)N�DNSr�rr7rrr	�
<listcomp>
s

�z%get_subj_alt_name.<locals>.<listcomp>c
s
s�|]	}
dt|
�
fV
qd
S)z
IP AddressN)
r8rMrrr	�	<genexpr>
s�

�z$get_subj_alt_name.<locals>.<genexpr>)Zto_cryptography�
extensionsr3rZSubjectAlternativeName�valueZExtensionNotFoundZDuplicateExtensionrZUnsupportedGeneralNameType�UnicodeError�log�warning�maprIZget_values_for_typeZDNSName�extendZ	IPAddress)rJ�cert�ext�
e�namesrrr	�get_subj_alt_name�s2






�
����


�r[c@
s�eZ
dZd
Z	d6d7dd�Zd8dd�Zd9dd�Zd:dd�Zd;dd�Zd<dd�Z	d=dd �Z
d>d!d"�Zd?d$d%�Zd9d&d'�Z
d9d(d)�Z	*d@dAd-d.�ZdBd0d1�ZdCd3d4�Zd5S)D�
WrappedSocketz@API-compatibility wrapper for Python OpenSSL's Connection-class.T�
connection�OpenSSL.SSL.Connectionr�
socket_cls�suppress_ragged_eofs�boolr*r+cC
s"|
|_||_
||_d
|_d|_dS�Nr
F)r]rr`�_io_refs�_closed)�selfr]rr`rrr	�__init__
s





zWrappedSocket.__init__rc

C
�
|j�
�S�
N)r�fileno�
rerrr	ri!
�

zWrappedSocket.filenoc

C
s.|jd
kr|jd8_|j
r|��
dSdS)Nr
�
)rcrd�closerjrrr	�_decref_socketios%
s





�zWrappedSocket._decref_socketios�args�
typing.Any�kwargs�bytesc

O
s
z|jj
|
i|�
�
}W|Stjjy4
}
z|jr%|jd
kr%WYd}~dSt|jdt|�
�|�d}~w
tjj	yI


|j�
�tjjkrHYdS�tjjys
}
zt
�|j|j���satd�
|�|j
|
i|�
�
WYd}~Sd}~w
tjjy�
}
z	t�d|���
|�d}~w
w)N����zUnexpected EOF�r
�The read operation timed out�read error: )r]�recv�OpenSSL�SSL�SysCallErrorr`ro�OSErrorr8�ZeroReturnError�get_shutdown�RECEIVED_SHUTDOWN�
WantReadErrorr�
wait_for_readr�
gettimeoutr�Error�ssl�SSLError)rerorq�datarYrrr	rx+
s*

�

�






�
��zWrappedSocket.recvc

O
s
z
|jj
|
i|�
�
WStjjy2
}
z|jr#|jd
kr#WYd}~dSt|jdt|�
�|�d}~w
tjj	yG


|j�
�tjjkrFYdS�tjjyq
}
zt
�|j|j���s_td�
|�|j
|
i|�
�
WYd}~Sd}~w
tjjy�
}
z	t�d|���
|�d}~w
w)Nrsr
rvrw)r]�	recv_intoryrzr{r`ror|r8r}r~rr�rr�rr�rr�r�r�)rerorqrYrrr	r�D
s(




�






�
��zWrappedSocket.recv_intor�floatcC
s|j�
|
�
Srh)r�
settimeout)rerrrr	r�[
s
zWrappedSocket.settimeoutr�c
C
s�	z|j�
|
�
WStjjy*
}
zt�|j|j���s t	�|�WYd}~qd}~w
tjj
yB
}
zt|jdt
|�
�|�d}~w
w�NTr
)r]�sendryrzZWantWriteErrorr�wait_for_writerr�rr{r|ror8)rer�rYrrr	�_send_until_done^
s






�

��zWrappedSocket._send_until_donecC
sBd
}|t|
�
kr|�
|
||t��
}||7}|t|
�
ksdSdS�Nr
)r?r��SSL_WRITE_BLOCKSIZE)rer��
total_sent�sentrrr	�sendalli
s



��zWrappedSocket.sendall�howc
C
s@z|j�
�
WdStjjy
}
z	t�d
|���
|�d}~w
w)Nzshutdown error: )r]�shutdownryrzr�r�r�)rer�rYrrr	r�q
s



��zWrappedSocket.shutdownc

C
s d
|_|j
dk
r|��
dSdSr�)rdrc�_real_closerjrrr	rmw
s



�zWrappedSocket.closec

C
s&z|j�
�WStjjy


YdSwrh)r]rmryrzr�rjrrr	r�|
s




�zWrappedSocket._real_closeF�binary_form�"dict[str, list[typing.Any]] | NonecC
sD|j�
�}|s	|S|
rtj�tjj|�Sd
|��jff
f
t|�
d�S)N�
commonName)�subject�subjectAltName)	r]Zget_peer_certificateryZcryptoZdump_certificateZ
FILETYPE_ASN1Zget_subjectZCNr[)rer�rrrr	�getpeercert�
s



�zWrappedSocket.getpeercertr8c

C
rgrh)r]Zget_protocol_version_namerjrrr	�version�
rkzWrappedSocket.versionr9c
C
s|j�
�}
|
r|
��SdSrh)r]Zget_alpn_proto_negotiatedrG)reZ
alpn_protorrr	�selected_alpn_protocol�
s


z$WrappedSocket.selected_alpn_protocolN)
T)r]r^rr_r`rar*r+�r*r�r*r+)rorprqrpr*rr)rorprqrpr*r)rr�r*r+)r�rrr*r)r�rrr*r+)r�rr*r+)
F)r�rar*r�)r*r8)r*r9)rrr�__doc__rfrirnrxr�r�r�r�r�rmr�r�r�r�rrrr	r\
s$
�









�
r\c@
s
eZ
dZd
ZdBdd�ZedCdd	��
ZejdDdd	��
ZedCdd
��
ZejdDdd
��
ZedCdd��
Z	e	jdEdd��
Z	dFdd�Z
dGdd�Z			dHdIdd �Z		dJdKd%d&�Z
dLd)d*�Z	+	,	,	dMdNd6d7�ZdFd8d9�ZedCd:d;��
ZejdOd=d;��
ZedCd>d?��
ZejdPdAd?��
ZdS)Qr-z�
    I am a wrapper class for the PyOpenSSL ``Context`` object. I am responsible
    for translating the interface of the standard library ``SSLContext`` object
    to calls into PyOpenSSL.
    �protocolrr*r+cC
sFt|
|_
tj�|j
�
|_d
|_d|_tj	j
|_tj	j|_
tj|_dSrb)rr�ryrz�Context�_ctx�_options�check_hostnamer��
TLSVersion�MINIMUM_SUPPORTED�_minimum_version�MAXIMUM_SUPPORTED�_maximum_version�VERIFY_X509_TRUSTED_FIRST�
_verify_flags)rer�rrr	rf�
s









zPyOpenSSLContext.__init__c


C
�|jSrh)
r�rjrrr	�options�
�zPyOpenSSLContext.optionsrQcC
�|
|_|�
�
dSrh)r��_set_ctx_options�rerQrrr	r��
�
c


C
r�rh)
r�rjrrr	�verify_flags�
r�zPyOpenSSLContext.verify_flagscC
s|
|_|j
���|j�

dSrh)r�r�Zget_cert_storeZ	set_flagsr�rrr	r��
s
c

C
st|j
��Srh)�_openssl_to_stdlib_verifyr�Zget_verify_moderjrrr	�verify_mode�
szPyOpenSSLContext.verify_mode�ssl.VerifyModecC
s|j�
t|
t�
dSrh)r�Z
set_verify�_stdlib_to_openssl_verify�_verify_callbackr�rrr	r��
sc

C
s|j�
�
dSrh)r��set_default_verify_pathsrjrrr	r��
s
z)PyOpenSSLContext.set_default_verify_paths�ciphers�bytes | strcC
s$t|
t
�r
|
�d
�
}
|j�|
�

dS)NrF)�
isinstancer8r@r�Zset_cipher_list)rer�rrr	�set_ciphers�
s




zPyOpenSSLContext.set_ciphersN�cafiler9�capath�cadatar:c
C
s�|
du
r	|
�d
�
}
|du
r|�d
�
}z|j
�|
|�
|du
r)|j
�t|�
�

WdSWdStjjyB
}
z	t�d|���
|�d}~w
w)NrFz%unable to load trusted certificates: )	r@r��load_verify_locationsr
ryrzr�r�r�)rer�r�r�rYrrr	r��
s








�
��z&PyOpenSSLContext.load_verify_locations�certfiler8�keyfile�passwordc

s�z)|j�
|
�

�du
rt�t�s��d
�
�|j��f
dd��

|j�|p%|
�

WdStjj	y@
}
z	t
�d|���
|�d}~w
w)NrFc


s�Srhr)
�
_�
r�rr	�<lambda>�
sz2PyOpenSSLContext.load_cert_chain.<locals>.<lambda>z"Unable to load certificate chain: )r�Zuse_certificate_chain_filer�rrr@Z
set_passwd_cbZuse_privatekey_fileryrzr�r�r�)rer�r�r�rYrr�r	�load_cert_chain�
s









��z PyOpenSSLContext.load_cert_chain�	protocols�list[bytes | str]cC
sd
d�|
D�
}
|j�
|
�
S)Nc
S
sg|]	}
tj�
|
d��qS)
r<)r�to_bytes)r�
prrr	rN�
sz7PyOpenSSLContext.set_alpn_protocols.<locals>.<listcomp>)r�Zset_alpn_protos)rer�rrr	�set_alpn_protocols�
s

z#PyOpenSSLContext.set_alpn_protocolsFT�sockr_�server_sidera�do_handshake_on_connectr`�server_hostname�bytes | str | Noner\c
C
s�tj
�|j|
�}|rtj�|�
st|t�r|�	d
�
}|�
|�

|��
	z|��
Wn7tj
j
yK
}
zt�|
|
���sAtd�
|�WYd}~q#d}~w
tj
jya
}
z	t�d|���
|�d}~w
w	t||
�S)NrFTzselect timed outzbad handshake: )ryrz�
Connectionr�rr/�is_ipaddressr�r8r@Zset_tlsext_host_nameZset_connect_state�do_handshaker�r�r�rr�r�r�r\)rer�r�r�r`r��cnxrYrrr	�wrap_socket�
s(












�

��
zPyOpenSSLContext.wrap_socketc

C
s&|j�
|jt|jBt|jB�

dSrh)r�Zset_optionsr�r(r�r)r�rjrrr	r�s


���z!PyOpenSSLContext._set_ctx_optionsc


C
r�rh)
r�rjrrr	�minimum_versionr�z PyOpenSSLContext.minimum_versionr�cC
r�rh)r�r�)rer�rrr	r�r�c


C
r�rh)
r�rjrrr	�maximum_version#r�z PyOpenSSLContext.maximum_versionr�cC
r�rh)r�r�)rer�rrr	r�'r�)r�rr*r+r�)rQrr*r+)rQr�r*r+r�)r�r�r*r+)NNN)r�r9r�r9r�r:r*r+)NN)r�r8r�r9r�r9r*r+)r�r�r*r+)FTTN)r�r_r�rar�rar`rar�r�r*r\)r�rr*r+)r�rr*r+)rrrr�rf�propertyr��setterr�r�r�r�r�r�r�r�r�r�r�rrrr	r-�
sN

	









�
�



�




r-r�r^r�err_no�	err_depth�return_coderacC
s|d
kSr�r)r�rr�r�r�rrr	r�-sr�r�)r7r8r*r9)rJrr*rK)r�r^rrr�rr�rr�rr*ra)Nr��
__future__rZOpenSSL.SSLryZcryptographyrZcryptography.x509rr5�	Exception�loggingr��typing�ior
rr_r�r�
TYPE_CHECKINGr6r�__all__r/�PROTOCOL_TLSrzZ
SSLv23_METHOD�PROTOCOL_TLS_CLIENT�PROTOCOL_TLSv1ZTLSv1_METHODr�__annotations__�hasattrrrrr�	CERT_NONEZVERIFY_NONE�
CERT_OPTIONALZVERIFY_PEER�
CERT_REQUIREDZVERIFY_FAIL_IF_NO_PEER_CERTr��itemsr�r4rr!r#r%r'r�r��TLSv1�TLSv1_1�TLSv1_2�TLSv1_3r�r(r)r�r.r1�	getLoggerrrSrrr,rIr[r\�makefiler-r�rrrr	�<module>
s�(


�








�







��
�








�


����



�



	

)0