fx0xdZddlmZddlZddlZddlmZmZmZm Z ddl Z ddl m Z m Z mZmZmZmZmZ ddlZe j*dGd d Z d'd Z d(d Zd)d Zd*dZe j*dGddZe j*dGddZe j*dGddZe j*dGddZeeeeefZ e GddeZ e j*ddGddZ!e j*dGddZ"e j*ddGdd Z#e j*ddGd!d"Z$d+d#Z%d,d$Z&e'jQd%d&Z)y#e$rdZYwxYw)-z Common verification code. ) annotationsN)ProtocolSequenceUnionruntime_checkable)CertificateError DNSMismatchIPAddressMismatchMismatch SRVMismatch URIMismatchVerificationErrorT)slotscjeZdZUdZej Zded<ej Zded<y) ServiceMatchz< A match of a service id and a certificate pattern. ServiceID service_idCertificatePattern cert_patternN) __name__ __module__ __qualname____doc__attribr__annotations__r9/usr/lib/python3/dist-packages/service_identity/hazmat.pyrrs.$DGGIJ %'.twwyL$0rrc|s tdg}t||t||z}|Dcgc]}|j}}|D](}||vs|j|j |*|D]?}||vst ||j s|j|j |A|r t||Scc}w)z Verify whether *cert_patterns* are valid for *obligatory_ids* and *optional_ids*. *obligatory_ids* must be both present and match. *optional_ids* must match if a pattern of the respective type is present. z3Certificate does not contain any `subjectAltName`s.) mismatched_id)errors)r _find_matchesrappenderror_on_mismatch_contains_instance_of pattern_classr) cert_patternsobligatory_ids optional_idsr#matchesmatch matched_idsis r verify_service_identityr0)s  A  FM>:]|>G2995##9K9 @ K  MM!--A-> ?@@ K $9 1??%  MM!--A-> ?@v.. N%:sCcg}|D]7}|D]0}|j|s|jt||29|S)z Search for matching certificate patterns and service_ids. Args: service_ids: List of service IDs like DNS_ID. )rr)verifyr%r)r) service_idsr,sidcids r r$r$TsPGO  OCzz#|MN OO Nrc,tfd|DS)Nc36K|]}t|ywN) isinstance).0ecls r z(_contains_instance_of..gs.Qz!R .s)any)seqr<s `r r'r'fs .#. ..rct|tr |jd} t |y#t$rYywxYw#t $rYnwxYw t j|jddy#t $rYywxYw)z Check whether *pattern* could be/match an IP address. Args: pattern: A pattern for a host name. Returns: `True` if *pattern* could be an IP address, else `False`. asciiFT*1) r9bytesdecode UnicodeErrorint ValueError ipaddress ip_addressreplacepatterns r _is_ip_addressrNjs'5! nnW-G  G        W__S#67  s-0 ? << A  A %A55 BBcteZdZUdZej Zded<ejdZ e ddZ y) DNSPatternz7 A DNS pattern as extracted from certificates. rDrM^[a-z0-9\-_.]+$ct|ts td|j}|dk(st |sd|vrt d|d|j t}d|vr t|||S)Nz'The DNS pattern must be a bytes string.rzInvalid DNS pattern .*rL) r9rD TypeErrorstriprNr translate_TRANS_TO_LOWER_validate_pattern)clsrMs r from_byteszDNSPattern.from_bytessw'5)EF F--/ c>^G48H"%9'A#FG G##O4 7? g &7##rN)rMrDreturnrP) rrrrrrrMrrecompile_RE_LEGAL_CHARS classmethodr\rrr rPrPs> TWWYGU bjj!45O $ $rrPcPeZdZUdZej Zded<eddZ y)IPAddressPatternz? An IP address pattern as extracted from certificates. -ipaddress.IPv4Address | ipaddress.IPv6AddressrMcv |tj|S#t$rtd|ddwxYw)NrLzInvalid IP address pattern rT)rIrJrHr )r[bss r r\zIPAddressPattern.from_bytessH y33B78 8 "-bV15  s8N)rfrDr]rc) rrrrrrrMrrar\rrr rcrcs/ >ETWWYG :Frrcc|eZdZUdZej Zded<ej Zded<e ddZ y) URIPatternz8 An URI pattern as extracted from certificates. rDprotocol_patternrP dns_patternc$t|ts td|jj t }d|vsd|vs t |rtd|d|jd\}}||tj|S)Nz'The URI pattern must be a bytes string.:rUzInvalid URI pattern rT)rirj r9rDrVrWrXrYrNr splitrPr\)r[rMrihostnames r r\zURIPattern.from_bytess'5)EF F--/++O< w $'/^G5L"%9'A#FG G%,]]4%8"(-"--h7  rN)rMrDr]rh) rrrrrrrirrjrar\rrr rhrhs@ &dggie'%dggiK'  rrhc|eZdZUdZej Zded<ej Zded<e ddZ y) SRVPatternz8 An SRV pattern as extracted from certificates. rD name_patternrPrjc<t|ts td|jj t }|ddk7sd|vsd|vs t |rtd|d|jdd\}}||ddtj| S) Nz'The SRV pattern must be a bytes string.r_.rUzInvalid SRV pattern rTr)rrrjrm)r[rMnameros r r\zSRVPattern.from_bytess'5)EF F--/++O< AJ' !7"wg&"%9'A#FG G tQ/habz/D/DX/N  rN)rMrDr]rq) rrrrrrrrrrjrar\rrr rqrqs? "$'')L%#%dggiK'  rrqc8eZdZeddZeddZddZy)rcyr8rselfs r r(zServiceID.pattern_class rcyr8rrys r r&zServiceID.error_on_mismatchr{rcyr8rrzrMs r r2zServiceID.verifys rN)r]ztype[CertificatePattern])r]ztype[Mismatch]rMrr]bool)rrrpropertyr(r&r2rrr rrs-      rrF)initrczeZdZUdZej Zded<ejdZ e Z e ZddZd dZy) DNS_IDz) A DNS service ID, aka hostname. rDrorQct|ts td|j}|r t |r t dt d|Dr'trtj|}ntd|jd}|jt|_ |jj|j t dy)NzDNS-ID must be a text string.zInvalid DNS-ID.c38K|]}t|dkDyw)N)ord)r:cs r r=z"DNS_ID.__init__.. s.s1v|.sz+idna library is required for non-ASCII IDs.rA)r9strrVrWrNrHr>idnaencode ImportErrorrXrYror`r-)rzroascii_ids r __init__zDNS_ID.__init__s(C(;< <>>#>(3./ / .X. .;;x0!A w/H **?;    % %dmm 4 <./ / =rcpt||jr t|j|jSy)zC https://tools.ietf.org/search/rfc6125#section-6.4 F)r9r(_hostname_matchesrMror~s r r2z DNS_ID.verify.s, gt11 2$W__dmmD DrN)rorr)rrrrrrrorr^r_r`rPr(r r&rr2rrr rr sCdggiHe!bjj!45OM#0,rrcfeZdZUdZej ejZde d<e Z e Z ddZy) IPAddress_IDz# An IP address service ID. ) converterrdipcbt||jr|j|jk(Sy)zC https://tools.ietf.org/search/rfc2818#section-3.1 F)r9r(rrMr~s r r2zIPAddress_ID.verifyEs* gt11 277goo- -rNr)rrrrrrrIrJrrrcr(r r&r2rrr rr8s=9@&&9B5%M)rrceZdZUdZej Zded<ej Zded<e Z e Z d dZ d dZy) URI_IDz An URI service ID. rDprotocolrdns_idcFt|ts td|j}d|vs t |r t d|j d\}}|jdjt|_ t|jd|_ y)NzURI-ID must be a text string.:zInvalid URI-ID.rA/) r9rrVrWrNrHrnrrXrYrrr)rzuriprotros r rzURI_ID.__init__[s~#s#;< <iik c>^C0./ /3h G,66G X^^C01 rct||jr@|j|jk(xr%|jj |j Sy)zE https://tools.ietf.org/search/rfc6125#section-6.5.2 F)r9r(rirrr2rjr~s r r2z URI_ID.verifyhsM gt11 2((DMM9<KK&&w':':;  rN)rrr)rrrrrrrrrrhr(rr&rr2rrr rrOsBdggiHeTWWYFFM# 2 rrceZdZUdZej Zded<ej Zded<e Z e Z d dZ d dZy) SRV_IDz An SRV service ID. rDrvrrc@t|ts td|j}d|vst |s|ddk7r t d|j dd\}}|ddjdjt|_ t||_ y)NzSRV-ID must be a text string.rTr_zInvalid SRV-ID.rrA) r9rrVrWrNrHrnrrXrYrvrr)rzsrvrvros r rzSRV_ID.__init__s#s#;< <iik c>^C0CFcM./ /3*hHOOG,66G X& rct||jr@|j|jk(xr%|jj |j Sy)zE https://tools.ietf.org/search/rfc6125#section-6.5.1 F)r9r(rvrrrr2rjr~s r r2z SRV_ID.verifysO gt11 299 4 449K9K##: rN)rrr)rrrrrrrvrrrqr(r r&rr2rrr rrusB$'')D%TWWYFFM# ' rrcd|vrN|jdd\}}|jdd\}}||k7ry|jdry|dk(xs||k(S||k(S)zT :return: `True` if *cert_pattern* matches *actual_hostname*, else `False`. rUrurFsxn--)rn startswith)ractual_hostname cert_head cert_tail actual_head actual_tails r rrsv |+11$: 9#2#8#8q#A [  #  ! !' *D .s %!s1v: %sz contains empty parts.N)countr rnrformatr>)rcntpartss r rZrZs   T "C Qw#L#33P Q     t $E 5zA~#L#34    58 F<(   %u %%#L#33I J  &rsABCDEFGHIJKLMNOPQRSTUVWXYZsabcdefghijklmnopqrstuvwxyz)r)Sequence[CertificatePattern]r*Sequence[ServiceID]r+rr]list[ServiceMatch])r)rr3rr]r)r?zSequence[object]r<typer]r)rMz str | bytesr]r)rrDrrDr]r)rrDr]None)*r __future__rrIr^typingrrrrr exceptionsr r r r r rrrrsrr0r$r'rNrPrcrhrqrrrrrrrrZrD maketransrYrrr rsF# ??  d111(/('(&( (V/$$/<d$$$6d$d   8d   > J(88       U$)) )Xd,U$"" "JU$!! !H+$ ://!#@]  DsF..F98F9