U eJ @sXUdZddlmZddlZddlmZzddlmZWn$e k rZGddde ZYnXddl Z ddl Z ddl Z ddlmZdd lmZdd lmZd d lmZe jrdd lmZddgZejjejjejjejje jejjiZ de!d<e"e dre"ejdrejj#e e j$<e"e drde!d%<d&Z?ejj@ZAe BeCZDd'd(d)dZEd'd(d*dZFd'd(d+d,ZGd-d.d/d0d1ZHd2d3d4d5d6ZIGd7d8d8ZJejKeJ_KGd9d:d:ZLd;d2ddddd?ZMdS)@a Module for using pyOpenSSL as a TLS backend. This module was relevant before the standard library ``ssl`` module supported SNI, but now that we've dropped support for Python 2.7 all relevant Python versions support SNI so **this module is no longer recommended**. This needs the following packages installed: * `pyOpenSSL`_ (tested with 16.0.0) * `cryptography`_ (minimum 1.3.4, from pyopenssl) * `idna`_ (minimum 2.0) However, pyOpenSSL depends on cryptography, so while we use all three directly here we end up having relatively few packages required. You can install them with the following command: .. code-block:: bash $ python -m pip install pyopenssl cryptography idna To activate certificate checking, call :func:`~urllib3.contrib.pyopenssl.inject_into_urllib3` from your Python code before you begin making HTTP requests. This can be done in a ``sitecustomize`` module, or at any other time before your application begins using ``urllib3``, like this: .. code-block:: python try: import urllib3.contrib.pyopenssl urllib3.contrib.pyopenssl.inject_into_urllib3() except ImportError: pass .. _pyopenssl: https://www.pyopenssl.org .. _cryptography: https://cryptography.io .. _idna: https://github.com/kjd/idna ) annotationsN)x509)UnsupportedExtensionc@s eZdZdS)rN)__name__ __module__ __qualname__rrG/opt/hc_python/lib/python3.8/site-packages/urllib3/contrib/pyopenssl.pyr2sr)BytesIO)socket)timeout)utilX509inject_into_urllib3extract_from_urllib3zdict[int, int]_openssl_versionsPROTOCOL_TLSv1_1TLSv1_1_METHODPROTOCOL_TLSv1_2TLSv1_2_METHODcCsi|]\}}||qSrr).0kvrrr Ysr OP_NO_SSLv2 OP_NO_SSLv3int_OP_NO_SSLv2_OR_SSLv3 OP_NO_TLSv1 _OP_NO_TLSv1 OP_NO_TLSv1_1_OP_NO_TLSv1_1 OP_NO_TLSv1_2_OP_NO_TLSv1_2 OP_NO_TLSv1_3_OP_NO_TLSv1_3_openssl_to_ssl_minimum_version_openssl_to_ssl_maximum_versioni@NonereturncCs&ttt_ttj_dt_dtj_dS)z7Monkey-patch urllib3 with PyOpenSSL-backed SSL-support.TN)_validate_dependencies_metPyOpenSSLContextr SSLContextssl_ IS_PYOPENSSLrrrr rs cCs tt_ttj_dt_dtj_dS)z4Undo monkey-patching by :func:`inject_into_urllib3`.FN)orig_util_SSLContextrr/r0r1rrrr rscCsRddlm}t|dddkr$tdddlm}|}t|dddkrNtddS) z{ Verifies that PyOpenSSL's package-level dependencies have been met. Throws `ImportError` if they are not met. r) Extensionsget_extension_for_classNzX'cryptography' module missing required functionality. Try upgrading to v1.3.4 or newer.rZ_x509zS'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.)Zcryptography.x509.extensionsr3getattr ImportErrorOpenSSL.cryptor)r3rrrrr r-s  r-str str | Nonenamer,cCs:ddddd}d|kr|S||}|dkr0dS|dS) a% Converts a dNSName SubjectAlternativeName field to the form used by the standard library on the given Python version. Cryptography produces a dNSName as a unicode string that was idna-decoded from ASCII bytes. We need to idna-encode that string to get it back, and then on Python 3 we also need to convert to unicode via UTF-8 (the stdlib uses PyUnicode_FromStringAndSize on it, which decodes via UTF-8). If the name cannot be idna-encoded then we return None signalling that the name given should be skipped. r8 bytes | Noner:cSsrddl}zJdD]8}||r|t|d}|d||WSq||WS|jjk rlYdSXdS)z Borrowed wholesale from the Python Cryptography Project. It turns out that we can't just safely call `idna.encode`: it can explode for wildcard names. This avoids that problem. rN)z*..ascii)idna startswithlenencodecore IDNAError)r;r?prefixrrr idna_encodes  z'_dnsname_to_stdlib..idna_encode:Nutf-8)decode)r;rF encoded_namerrr _dnsname_to_stdlibsrKrzlist[tuple[str, str]]) peer_certr,c Cs|}z|jtjj}WnZtjk r6gYStjttj t fk rv}zt d|gWYSd}~XYnXddt t|tjD}|dd|tjD|S)zU Given an PyOpenSSL certificate, provides all the subject alternative names. zA problem was encountered with the certificate that prevented urllib3 from finding the SubjectAlternativeName field. This can affect certificate validation. The error was %sNcSsg|]}|dk rd|fqS)NDNSrrr;rrr sz%get_subj_alt_name..css|]}dt|fVqdS)z IP AddressN)r8rNrrr sz$get_subj_alt_name..)Zto_cryptography extensionsr4rZSubjectAlternativeNamevalueZExtensionNotFoundZDuplicateExtensionrZUnsupportedGeneralNameType UnicodeErrorlogwarningmaprKZget_values_for_typeZDNSNameextendZ IPAddress)rLcertextenamesrrr get_subj_alt_names.   r\c@seZdZdZd/ddddddd Zd d d d Zdd ddZddddddZddd dddZdddddZ dd dddZ dddddZ dd d d!Z dd d"d#Z dd d$d%Zd0dd'd(d)d*Zd+d d,d-Zd.S)1 WrappedSocketz@API-compatibility wrapper for Python OpenSSL's Connection-class.TOpenSSL.SSL.Connection socket_clsboolr*) connectionr suppress_ragged_eofsr,cCs"||_||_||_d|_d|_dSNrF)rar rb_io_refs_closed)selfrar rbrrr __init__s zWrappedSocket.__init__rr+cCs |jSN)r filenorfrrr ri!szWrappedSocket.filenocCs*|jdkr|jd8_|jr&|dS)Nr)rdrecloserjrrr _decref_socketios%s zWrappedSocket._decref_socketiosz typing.Anybytes)argskwargsr,c Os4z|jj||}Wntjjk rj}z4|jrD|jdkrDWYdSt|jdt||W5d}~XYntjj k r|j tjj krYdSYntjj k r}z8t |j|jstd|n|j||WYSW5d}~XYn>tjjk r*}ztd||W5d}~XYnX|SdS)NzUnexpected EOFrThe read operation timed out read error: )rarecvOpenSSLSSL SysCallErrorrbroOSErrorr8ZeroReturnError get_shutdownRECEIVED_SHUTDOWN WantReadErrorr wait_for_readr gettimeoutr ErrorsslSSLError)rfrorpdatarZrrr rv+s" & $$zWrappedSocket.recvc Os,z|jj||WStjjk rf}z4|jr@|jdkr@WYdSt|jdt||W5d}~XYntjj k r|j tjj krYdSYntjj k r}z8t |j|jstd|n|j||WYSW5d}~XYn:tjjk r&}ztd||W5d}~XYnXdS)Nrqrrtru)ra recv_intorwrxryrbrorzr8r{r|r}r~rrr rr rrr)rfrorprZrrr rDs  & $zWrappedSocket.recv_intofloat)r r,cCs |j|Srh)r settimeout)rfr rrr r[szWrappedSocket.settimeout)rr,c Csz|j|WStjjk rX}z(t|j|js@t |WYqW5d}~XYqtjj k r}zt |j dt ||W5d}~XYqXqdSNr)rasendrwrxZWantWriteErrorrwait_for_writer rr ryrzror8)rfrrZrrr _send_until_done^szWrappedSocket._send_until_donecCs4d}|t|kr0||||t}||7}qdSr)rArSSL_WRITE_BLOCKSIZE)rfr total_sentsentrrr sendallis  zWrappedSocket.sendallcCs|jdSrh)rashutdownrjrrr rqszWrappedSocket.shutdowncCsd|_|jdkr|dS)NTr)rerd _real_closerjrrr rlus zWrappedSocket.closecCs,z |jWStjjk r&YdSXdSrh)rarlrwrxrrjrrr rzs zWrappedSocket._real_closeFz"dict[str, list[typing.Any]] | None) binary_formr,cCsD|j}|s|S|r(tjtjj|Sd|jffft|dS)N commonName)subjectsubjectAltName) raZget_peer_certificaterwZcryptoZdump_certificateZ FILETYPE_ASN1Z get_subjectZCNr\)rfrrrrr getpeercerts zWrappedSocket.getpeercertr8cCs |jSrh)raZget_protocol_version_namerjrrr versionszWrappedSocket.versionN)T)F)rrr__doc__rgrirmrvrrrrrrlrrrrrrr r]s   r]c@sBeZdZdZdddddZedddd Zejddd d d Zeddd d Zejddd dd ZddddZ dddddZ d7dddddddZ d8dddddddZ d dd!d"d#Z d9d&d'd'd'd(d)d*d+d,Zddd-d.Zeddd/d0Zejddd1d2d0Zeddd3d4Zejddd5d6d4ZdS):r.z I am a wrapper class for the PyOpenSSL ``Context`` object. I am responsible for translating the interface of the standard library ``SSLContext`` object to calls into PyOpenSSL. rr*)protocolr,cCs>t||_tj|j|_d|_d|_tj j |_ tj j |_ dSrc)rrrwrxContext_ctx_optionscheck_hostnamer TLSVersionMINIMUM_SUPPORTED_minimum_versionMAXIMUM_SUPPORTED_maximum_version)rfrrrr rgs   zPyOpenSSLContext.__init__r+cCs|jSrh)rrjrrr optionsszPyOpenSSLContext.options)rRr,cCs||_|dSrh)r_set_ctx_optionsrfrRrrr rscCst|jSrh)_openssl_to_stdlib_verifyrZget_verify_moderjrrr verify_modeszPyOpenSSLContext.verify_modezssl.VerifyModecCs|jt|tdSrh)rZ set_verify_stdlib_to_openssl_verify_verify_callbackrrrr rscCs|jdSrh)rset_default_verify_pathsrjrrr rsz)PyOpenSSLContext.set_default_verify_pathsz bytes | str)ciphersr,cCs$t|tr|d}|j|dS)NrH) isinstancer8rBrZset_cipher_list)rfrrrr set_cipherss  zPyOpenSSLContext.set_ciphersNr9r<)cafilecapathcadatar,c Cs|dk r|d}|dk r$|d}z*|j|||dk rL|jt|Wn8tjjk r}ztd||W5d}~XYnXdS)NrHz%unable to load trusted certificates: ) rBrload_verify_locationsr rwrxrrr)rfrrrrZrrr rs  z&PyOpenSSLContext.load_verify_locationsr8)certfilekeyfilepasswordr,c szP|j|dk r>tts*d|jfdd|j|pJ|Wn8tjj k r}zt d||W5d}~XYnXdS)NrHcsSrhr)_rrr rsz2PyOpenSSLContext.load_cert_chain..z"Unable to load certificate chain: ) rZuse_certificate_chain_filerrnrBZ set_passwd_cbZuse_privatekey_filerwrxrrr)rfrrrrZrrr load_cert_chains   z PyOpenSSLContext.load_cert_chainzlist[bytes | str]) protocolsr,cCsdd|D}|j|S)NcSsg|]}tj|dqS)r>)rto_bytes)rprrr rOsz7PyOpenSSLContext.set_alpn_protocols..)rZset_alpn_protos)rfrrrr set_alpn_protocolssz#PyOpenSSLContext.set_alpn_protocolsFTr_r`zbytes | str | Noner])sock server_sidedo_handshake_on_connectrbserver_hostnamer,c Cstj|j|}|r>tj|s>t|tr4| d}| || z | Wqtjj k r}z&t||std|WYqFW5d}~XYqtjjk r}ztd||W5d}~XYqXqqFt||S)NrHzselect timed outzbad handshake: )rwrx Connectionrrr0 is_ipaddressrr8rBZset_tlsext_host_nameZset_connect_state do_handshaker~rrr rrrr])rfrrrrbrcnxrZrrr wrap_sockets      $zPyOpenSSLContext.wrap_socketcCs&|j|jt|jBt|jBdSrh)rZ set_optionsrr(rr)rrjrrr rsz!PyOpenSSLContext._set_ctx_optionscCs|jSrh)rrjrrr minimum_version sz PyOpenSSLContext.minimum_version)rr,cCs||_|dSrh)rr)rfrrrr rscCs|jSrh)rrjrrr maximum_versionsz PyOpenSSLContext.maximum_version)rr,cCs||_|dSrh)rr)rfrrrr rs)NNN)NN)FTTN)rrrrrgpropertyrsetterrrrrrrrrrrrrrr r.sDr.r^r`)rrerr_no err_depth return_coder,cCs|dkSrr)rrrrrrrr rsr)Nr __future__rZ OpenSSL.SSLrwZ cryptographyrZcryptography.x509rr6 Exceptionloggingrtypingior r r_r r TYPE_CHECKINGr7r__all__r0 PROTOCOL_TLSrxZ SSLv23_METHODPROTOCOL_TLS_CLIENTPROTOCOL_TLSv1Z TLSv1_METHODr__annotations__hasattrrrrr CERT_NONEZ VERIFY_NONE CERT_OPTIONALZ VERIFY_PEER CERT_REQUIREDZVERIFY_FAIL_IF_NO_PEER_CERTritemsrr5rr!r#r%r'rrTLSv1TLSv1_1TLSv1_2TLSv1_3rr(r)rr/r2 getLoggerrrTrrr-rKr\r]makefiler.rrrrr s(               )0