U ֞\.@sdZddlmZmZmZddlZddlZddlZddlm Z m Z ddl m Z m Z mZmZmZmZz ddlZWnek rdZYnXejddGd d d eZd d Zd dZddZddZejdddGdddeZejddGdddeZejdddGdddeZejdddGdddeZejdddGdddeZejddGdd d eZ ejdddGd!d"d"eZ!ejdddGd#d$d$eZ"d%d&Z#d'd(Z$e d)d*Z%dS)+z Common verification code. )absolute_importdivisionprint_functionN) maketrans text_type)CertificateError DNSMismatchIPAddressMismatch SRVMismatch URIMismatchVerificationErrorT)slotsc@s eZdZdZeZeZdS) ServiceMatchz< A match of a service id and a certificate pattern. N)__name__ __module__ __qualname____doc__attrib service_id cert_patternrr:/usr/lib/python3/dist-packages/service_identity/_common.pyrsrcCsg}t||t||}dd|D}|D]}||kr*||j|dq*|D]*}||krNt||jrN||j|dqN|rt|d|S)z Verify whether *cert_patterns* are valid for *obligatory_ids* and *optional_ids*. *obligatory_ids* must be both present and match. *optional_ids* must match if a pattern of the respective type is present. cSsg|] }|jqSr)r).0matchrrr 4sz+verify_service_identity..)Z mismatched_id)errors) _find_matchesappenderror_on_mismatch_contains_instance_of pattern_classr ) cert_patternsZobligatory_idsZ optional_idsrmatchesZ matched_idsirrrverify_service_identity's$   r&cCs8g}|D]*}|D] }||r|t||dqq|S)a Search for matching certificate patterns and service_ids. :param cert_ids: List certificate IDs like DNSPattern. :type cert_ids: `list` :param service_ids: List of service IDs like DNS_ID. :type service_ids: `list` :rtype: `list` of `ServiceMatch` )rr)verifyrr)r#Z service_idsr$ZsidZcidrrrrIs  rcCs|D]}t||rdSqdS)zB :type seq: iterable :type cl: type :rtype: bool TF) isinstance)seqZclerrrr!]s r!cCst|tr0z|d}Wntk r.YdSXzt|WdStk rRYnXzt|ddWntk rYdSXdS)z Check whether *pattern* could be/match an IP address. :param pattern: A pattern for a host name. :type pattern: `bytes` or `unicode` :return: `True` if *pattern* could be an IP address, else `False`. :rtype: bool asciiFT*1) r(bytesdecode UnicodeErrorint ValueError ipaddress ip_addressreplacepatternrrr_is_ip_addressjs r8F)Zinitrc@s*eZdZdZeZedZ ddZ dS) DNSPatternz7 A DNS pattern as extracted from certificates. ^[a-z0-9\-_.]+$cCsdt|tstd|}|dks2t|s2d|kr@td||t|_ d|j kr`t |j dS)( :type pattern: `bytes` z'The DNS pattern must be a bytes string.zInvalid DNS pattern {0!r}.*N) r(r. TypeErrorstripr8rformat translate_TRANS_TO_LOWERr7_validate_patternselfr7rrr__init__s   zDNSPattern.__init__N) rrrrrrr7recompile_RE_LEGAL_CHARSrGrrrrr9s r9c@s$eZdZdZeZeddZdS)IPAddressPatternz? An IP address pattern as extracted from certificates. cCs:z|t|dWStk r4td|YnXdS)Nr6z Invalid IP address pattern {!r}.)r3r4r2rrA)clsZbsrrr from_bytess zIPAddressPattern.from_bytesN) rrrrrrr7 classmethodrMrrrrrKsrKc@s(eZdZdZeZeZddZdS) URIPatternz8 An URI pattern as extracted from certificates. cCsdt|tstd|t}d|ks8d|ks8t|rFtd|| d\|_ }t ||_ dS)r;z'The URI pattern must be a bytes string.:r>zInvalid URI pattern {0!r}.N) r(r.r?r@rBrCr8rrAsplitprotocol_patternr9 dns_pattern)rFr7hostnamerrrrGs zURIPattern.__init__N) rrrrrrrRrSrGrrrrrOsrOc@s(eZdZdZeZeZddZdS) SRVPatternz8 An SRV pattern as extracted from certificates. cCs~t|tstd|t}|ddksDd|ksDd|ksDt|rRtd|| dd\}}|dd|_ t ||_ dS) r;z'The SRV pattern must be a bytes string.r_.r>zInvalid SRV pattern {0!r}.rN) r(r.r?r@rBrCr8rrArQ name_patternr9rS)rFr7namerTrrrrGs"  zSRVPattern.__init__N) rrrrrrrXrSrGrrrrrUsrUc@s:eZdZdZeZedZ e Z e Z ddZddZdS)DNS_IDz) A DNS service ID, aka hostname. r:cCst|tstd|}|dks*t|r2tdtdd|Dr^trTt|}qht dn |d}| t |_ |j |j dkrtddS) z+ :type hostname: `unicode` z DNS-ID must be a unicode string.zInvalid DNS-ID.css|]}t|dkVqdS)N)ord)rcrrr sz"DNS_ID.__init__..z+idna library is required for non-ASCII IDs.r+N)r(rr?r@r8r2anyidnaencode ImportErrorrBrCrTrJr)rFrTZascii_idrrrrGs    zDNS_ID.__init__cCs"t||jrt|j|jSdSdS)zC https://tools.ietf.org/search/rfc6125#section-6.4 FN)r(r"_hostname_matchesr7rTrErrrr's z DNS_ID.verifyN)rrrrrrrTrHrIrJr9r"r r rGr'rrrrrZs rZc@s.eZdZdZejejdZe Z e Z ddZ dS) IPAddress_IDz# An IP address service ID. )Z convertercCs |j|jkS)zC https://tools.ietf.org/search/rfc2818#section-3.1 )ipr7rErrrr',szIPAddress_ID.verifyN)rrrrrrr3r4rfrKr"r r r'rrrrre!s rec@s8eZdZdZeZeZeZ e Z ddZ ddZ dS)URI_IDz An URI service ID. cCsft|tstd|}d|ks*t|r2td|d\}}|dt |_ t |d|_ dS)z& :type uri: `unicode` z URI-ID must be a unicode string.:zInvalid URI-ID.r+/N) r(rr?r@r8r2rQrbrBrCprotocolrZdns_id)rFZuriZprotrTrrrrG?s zURI_ID.__init__cCs.t||jr&|j|jko$|j|jSdSdS)zE https://tools.ietf.org/search/rfc6125#section-6.5.2 FN)r(r"rRrjrkr'rSrErrrr'Os    z URI_ID.verifyN)rrrrrrrjrkrOr"r r rGr'rrrrrg3srgc@s8eZdZdZeZeZeZ e Z ddZ ddZ dS)SRV_IDz An SRV service ID. cCsvt|tstd|}d|ks6t|s6|ddkr>td|dd\}}|dddt |_ t ||_ dS) z& :type srv: `unicode` z SRV-ID must be a unicode string..r_zInvalid SRV-ID.rNr+) r(rr?r@r8r2rQrbrBrCrYrZrk)rFZsrvrYrTrrrrGhs zSRV_ID.__init__cCs.t||jr&|j|jko$|j|jSdSdS)zE https://tools.ietf.org/search/rfc6125#section-6.5.1 FN)r(r"rYrXrkr'rSrErrrr'xs  z SRV_ID.verifyN)rrrrrrrYrkrUr"r r rGr'rrrrrl\srlcCs^d|krR|dd\}}|dd\}}||kr4dS|drBdS|dkpP||kS||kSdS)z :type cert_pattern: `bytes` :type actual_hostname: `bytes` :return: `True` if *cert_pattern* matches *actual_hostname*, else `False`. :rtype: `bool` r>rWrFsxn--N)rQ startswith)rZactual_hostnameZ cert_headZ cert_tailZ actual_headZ actual_tailrrrrds rdcCs|d}|dkr td||d}t|dkrDtd|d|dkr^td|td d |Dr~td |d S) z Check whether the usage of wildcards within *cert_pattern* conforms with our expectations. :type hostname: `bytes` :return: None r>rz7Certificate's DNS-ID {0!r} contains too many wildcards.rWzJCertificate's DNS-ID {0!r} has too few host components for wildcard usage.rzECertificate's DNS-ID {0!r} has a wildcard outside the left-most part.css|]}t| VqdS)N)len)rprrrr_sz$_validate_pattern..z0Certificate's DNS-ID {0!r} contains empty parts.N)countrrArQrqr`)rZcntpartsrrrrDs4    rDsABCDEFGHIJKLMNOPQRSTUVWXYZsabcdefghijklmnopqrstuvwxyz)&rZ __future__rrrr3rHrZ_compatrr exceptionsrr r r r r rarcsobjectrr&rr!r8r9rKrOrUrZrergrlrdrDrCrrrrsL     "      /  ( '%