_fx0dZddlmZddlZddlZddlmZmZmZm Z ddl Z ddl m Z m Z mZmZmZmZmZ ddlZn #e$rdZYnwxYwe jdGd d Zd:dZd;dZdd5Z%d?d7Z&e'(d8d9Z)dS)@z Common verification code. ) annotationsN)ProtocolSequenceUnionruntime_checkable)CertificateError DNSMismatchIPAddressMismatchMismatch SRVMismatch URIMismatchVerificationErrorT)slotscdeZdZUdZejZded<ejZded<dS) ServiceMatchz< A match of a service id and a certificate pattern. ServiceID service_idCertificatePattern cert_patternN) __name__ __module__ __qualname____doc__attribr__annotations__rI/var/www/html/env/lib/python3.11/site-packages/service_identity/hazmat.pyrrsP$DGIIJ%%%%'.twyyL000000rr cert_patternsSequence[CertificatePattern]obligatory_idsSequence[ServiceID] optional_idsreturnlist[ServiceMatch]c|stdg}t||t||z}d|D}|D]/}||vr)|||0|D]D}||vr>t ||jr)|||E|rt ||S)z Verify whether *cert_patterns* are valid for *obligatory_ids* and *optional_ids*. *obligatory_ids* must be both present and match. *optional_ids* must match if a pattern of the respective type is present. z3Certificate does not contain any `subjectAltName`s.cg|] }|j Sr)r).0matchs r z+verify_service_identity..?s9995#999r) mismatched_id)errors)r _find_matchesappenderror_on_mismatch_contains_instance_of pattern_classr)r!r#r%r.matches matched_idsis r verify_service_identityr7)s   A   FM>::]|>>G:9999K @@ K   MM!--A->> ? ? ? @@ K  $9 1?% %  MM!--A->> ? ? ? /v.... Nr service_idscg}|D]@}|D];}||r$|t||z(_contains_instance_of..gs-..Qz!R  ......r)any)r=r?s `r r2r2fs& ....#... . ..rpattern str | bytesc:t|tr( |d}n#t$rYdSwxYw t |dS#t $rYnwxYw t j|ddn#t $rYdSwxYwdS)z Check whether *pattern* could be/match an IP address. Args: pattern: A pattern for a host name. Returns: `True` if *pattern* could be an IP address, else `False`. asciiFT*1) rEbytesdecode UnicodeErrorint ValueError ipaddress ip_addressreplacerIs r _is_ip_addressrXjs'5!! nnW--GG   55   G t      W__S#667777 uu 4s/- ;;A AA!(B BBcteZdZUdZejZded<ej dZ e ddZ dS) DNSPatternz7 A DNS pattern as extracted from certificates. rOrI^[a-z0-9\-_.]+$r&c<t|tstd|}|dkst |sd|vrt d|d|t}d|vrt|||S)Nz'The DNS pattern must be a bytes string.rzInvalid DNS pattern .*rW) rErO TypeErrorstriprXr translate_TRANS_TO_LOWER_validate_pattern)clsrIs r from_byteszDNSPattern.from_bytess'5)) GEFF F--// c>>^G44>8H8H"#F'#F#F#FGG G##O44 7?? g & & &s7####rN)rIrOr&rZ) rrrrrrrIrrecompile_RE_LEGAL_CHARS classmethodrfrrr rZrZsk TWYYG bj!455O $ $ $[ $ $ $rrZcTeZdZUdZejZded<ed dZ dS) IPAddressPatternz? An IP address pattern as extracted from certificates. -ipaddress.IPv4Address | ipaddress.IPv6AddressrIbsrOr&c |tj|S#t$rtd|ddwxYw)NrWzInvalid IP address pattern r^)rTrUrSr )rerns r rfzIPAddressPattern.from_bytessc 3y3B77888 8   "5b555  s ?N)rnrOr&rl) rrrrrrrIrrjrfrrr rlrlsZ >ETWYYGFFFF[rrlc|eZdZUdZejZded<ejZded<e d dZ d S) URIPatternz8 An URI pattern as extracted from certificates. rOprotocol_patternrZ dns_patternrIr&cpt|tstd|t }d|vsd|vst |rtd|d|d\}}||t |S)Nz'The URI pattern must be a bytes string.:r_zInvalid URI pattern r^)rrrs rErOr`rarbrcrXr splitrZrf)rerIrrhostnames r rfzURIPattern.from_bytess'5)) GEFF F--//++O<< w  $'//^G5L5L/"#F'#F#F#FGG G%,]]4%8%8"(s-"--h77    rN)rIrOr&rq) rrrrrrrrrrsrjrfrrr rqrqss &dgii''''%dgiiK''''   [   rrqc|eZdZUdZejZded<ejZded<e d dZ d S) SRVPatternz8 An SRV pattern as extracted from certificates. rO name_patternrZrsrIr&ct|tstd|t }|ddksd|vsd|vst |rtd|d|dd\}}||ddt | S) Nz'The SRV pattern must be a bytes string.r_.r_zInvalid SRV pattern r^r)r{rsrv)rerInamerxs r rfzSRVPattern.from_bytess'5)) GEFF F--//++O<< AJ' ! !7""wg&&##F'#F#F#FGG G tQ//hsabbz/D/DX/N/N    rN)rIrOr&rz) rrrrrrr{rrsrjrfrrr rzrzsr "$'))L####%dgiiK''''   [   rrzcFeZdZed dZed dZd d Zd S)rr&type[CertificatePattern]cdSrDrselfs r r3zServiceID.pattern_class rtype[Mismatch]cdSrDrrs r r1zServiceID.error_on_mismatchrrrIrrAcdSrDrrrIs r r:zServiceID.verifys rN)r&r)r&rrIrr&rA)rrrpropertyr3r1r:rrr rrsf    X    X       rrF)initrcteZdZUdZejZded<ej dZ e Z e Zd dZdd Zd S)DNS_IDz) A DNS service ID, aka hostname. rOrxr[strct|tstd|}|rt |rt dt d|Dr+trtj|}n$td|d}| t|_ |j |j t ddS)NzDNS-ID must be a text string.zInvalid DNS-ID.c3<K|]}t|dkVdS)N)ord)r*cs r rGz"DNS_ID.__init__.. s,..s1vv|......rz+idna library is required for non-ASCII IDs.rL)rErr`rarXrSrHidnaencode ImportErrorrbrcrxrir+)rrxascii_ids r __init__zDNS_ID.__init__s(C(( =;<< <>>## 0>(33 0.// / ..X... . . 0 ;x00!A w//H **?;;   % %dm 4 4 <.// / = >^C00>.// /3h G,,66GG X^^C0011 rrIrr&rAct||jr/|j|jko|j|jSdS)zE https://tools.ietf.org/search/rfc6125#section-6.5.2 F)rEr3rrrrr:rsrs r r:z URI_ID.verifyhsM gt1 2 2 (DM9<K&&w':;;  urN)rrr)rrrrrrrrrrqr3rr1rr:rrr rrOsdgiiHTWYYFM# 2 2 2 2      rrc|eZdZUdZejZded<ejZded<e Z e Z ddZ dd ZdS)SRV_IDz An SRV service ID. rOrrrsrvrct|tstd|}d|vst |s |ddkrt d|dd\}}|dddt|_ t||_ dS)NzSRV-ID must be a text string.r^r_zInvalid SRV-ID.rrL) rErr`rarXrSrwrrbrcrrr)rrrrxs r rzSRV_ID.__init__s#s## =;<< <iikk c>>^C00>CFcMM.// /3**hHOOG,,66GG X&& rrIrr&rAct||jr/|j|jko|j|jSdS)zE https://tools.ietf.org/search/rfc6125#section-6.5.1 F)rEr3rr{rr:rsrs r r:z SRV_ID.verifysQ gt1 2 2 9 449K9K#:: urN)rrr)rrrrrrrrrrzr3r r1rr:rrr rrus$'))DTWYYFM# ' ' ' '      rrrrOactual_hostnamecd|vr]|dd\}}|dd\}}||krdS|drdS|dkp||kS||kS)zT :return: `True` if *cert_pattern* matches *actual_hostname*, else `False`. r_r~rFsxn--)rw startswith)rr cert_head cert_tail actual_head actual_tails r rrs |+11$:: 9#2#8#8q#A#A [  # #5  ! !' * * 5D .s* % %!s1vv: % % % % % %rz contains empty parts.N)countr rwrformatrH)rcntpartss r rdrds    T " "C Qww QL Q Q Q      t $ $E 5zzA~~ L       58 F<((    % %u % % %%%  JL J J J     rsABCDEFGHIJKLMNOPQRSTUVWXYZsabcdefghijklmnopqrstuvwxyz)r!r"r#r$r%r$r&r')r!r"r8r$r&r')r=r>r?r@r&rA)rIrJr&rA)rrOrrOr&rA)rrOr&r)*r __future__rrTrgtypingrrrrr exceptionsr r r r r rrrrsrr7r/r2rXrZrlrqrzrrrrrrrrdrO maketransrcrrr rsN#""""" ???????????? KKKK DDDd11111111((((V$////<d$$$$$$$$6d$d        8d        > J(88            U$))))))) )Xd,U$""""""" "JU$!!!!!!! !H++++$    ://!#@s9AA