U \q@sdZddlmZmZmZddlZddlmZmZm Z m Z m Z m Z m Z ddlmZddlmZddlmZdd lmZmZmZmZmZmZmZmZdd lmZd gZd d Z d dZ!e dZ"ddZ#dS)zL `cryptography.x509 `_-specific code. )absolute_importdivisionprint_functionN)DNSName ExtensionOID IPAddressNameOIDObjectIdentifier OtherNameUniformResourceIdentifier)ExtensionNotFound)decode) IA5String)DNS_IDCertificateError DNSPattern IPAddress_IDIPAddressPattern SRVPattern URIPatternverify_service_identity)SubjectAltNameWarningverify_certificate_hostnamecCstt|t|ggddS)a Verify whether *certificate* is valid for *hostname*. .. note:: Nothing is verified about the *authority* of the certificate; the caller must verify that the certificate chains to an appropriate trust root themselves. :param cryptography.x509.Certificate certificate: A cryptography X509 certificate object. :param unicode hostname: The hostname that *certificate* should be valid for. :raises service_identity.VerificationError: If *certificate* is not valid for *hostname*. :raises service_identity.CertificateError: If *certificate* contains invalid/unexpected data. :returns: ``None`` Z cert_patternsZobligatory_idsZ optional_idsN)r extract_idsr) certificateZhostnamer?/usr/lib/python3/dist-packages/service_identity/cryptography.pyr&s cCstt|t|ggddS)a Verify whether *certificate* is valid for *ip_address*. .. note:: Nothing is verified about the *authority* of the certificate; the caller must verify that the certificate chains to an appropriate trust root themselves. :param cryptography.x509.Certificate certificate: A cryptography X509 certificate object. :param unicode ip_address: The IP address that *connection* should be valid for. Can be an IPv4 or IPv6 address. :raises service_identity.VerificationError: If *certificate* is not valid for *ip_address*. :raises service_identity.CertificateError: If *certificate* contains invalid/unexpected data. :returns: ``None`` .. versionadded:: 18.1.0 rN)rrr)rZ ip_addressrrrverify_certificate_ip_addressAs rz1.3.6.1.5.5.7.8.7cCs g}z|jtj}Wntk r*YnX|dd|jtD|dd|jt D|dd|jt D|jt D]B}|j t krt|j\}}t|tr|t|qtdq|sdd|jtjD}tt|d}dd|D}td |t|S) a Extract all valid IDs from a certificate for service verification. If *cert* doesn't contain any identifiers, the ``CN``s are used as DNS-IDs as fallback. :param cryptography.x509.Certificate cert: The certificate to be dissected. :return: List of IDs. cSsg|]}t|dqSzutf-8rencode).0namerrr uszextract_ids..cSsg|]}t|dqSr )rr")r#Zurirrrr%{scSsg|] }t|qSr)r)r#Ziprrrr%szUnexpected certificate content.cSsg|] }|jqSr)valuer#nrrrr%ss cSsg|]}t|dqSr r!r'rrrr%szCertificate with CN {!r} has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818.) extensionsZget_extension_for_oidrZSUBJECT_ALTERNATIVE_NAMEr extendr&Zget_values_for_typerr rr Ztype_id ID_ON_DNS_SRVr isinstancerappendrZasOctetsrZsubjectZget_attributes_for_oidrZ COMMON_NAMEnextiterwarningswarnformatr)ZcertZidsZextotherZsrv_ZcnsZcnrrrrasV       r)$__doc__Z __future__rrrr0Zcryptography.x509rrrrr r r Zcryptography.x509.extensionsr Zpyasn1.codec.der.decoderr Zpyasn1.type.charrZ_commonrrrrrrrr exceptionsr__all__rrr+rrrrrs$   (