o ֞\.@sdZddlmZmZmZddlZddlZddlZddlm Z m Z ddl m Z m Z mZmZmZmZzddlZWn eyAdZYnwejddGd d d eZd d Zd dZddZddZejdddGdddeZejddGdddeZejdddGdddeZejdddGdddeZejdddGdddeZejddGdd d eZ ejdddGd!d"d"eZ!ejdddGd#d$d$eZ"d%d&Z#d'd(Z$e d)d*Z%dS)+z Common verification code. )absolute_importdivisionprint_functionN) maketrans text_type)CertificateError DNSMismatchIPAddressMismatch SRVMismatch URIMismatchVerificationErrorT)slotsc@s eZdZdZeZeZdS) ServiceMatchz< A match of a service id and a certificate pattern. N)__name__ __module__ __qualname____doc__attrib service_id cert_patternrr:/usr/lib/python3/dist-packages/service_identity/_common.pyrs rcCsg}t||t||}dd|D}|D]}||vr$||j|dq|D]}||vr4sz+verify_service_identity..)Z mismatched_id)errors) _find_matchesappenderror_on_mismatch_contains_instance_of pattern_classr ) cert_patternsZobligatory_idsZ optional_idsrmatchesZ matched_idsirrrverify_service_identity's$   r&cCs8g}|D]}|D]}||r|t||dqq|S)a Search for matching certificate patterns and service_ids. :param cert_ids: List certificate IDs like DNSPattern. :type cert_ids: `list` :param service_ids: List of service IDs like DNS_ID. :type service_ids: `list` :rtype: `list` of `ServiceMatch` )rr)verifyrr)r#Z service_idsr$ZsidZcidrrrrIs  rcCs|D] }t||r dSqdS)zB :type seq: iterable :type cl: type :rtype: bool TF) isinstance)seqZclerrrr!]s  r!cCs~t|trz|d}Wn tyYdSwzt|WdSty'Ynwz t|ddWdSty>YdSw)z Check whether *pattern* could be/match an IP address. :param pattern: A pattern for a host name. :type pattern: `bytes` or `unicode` :return: `True` if *pattern* could be an IP address, else `False`. :rtype: bool asciiFT*1) r(bytesdecode UnicodeErrorint ValueError ipaddress ip_addressreplacepatternrrr_is_ip_addressjs$    r8F)Zinitrc@s*eZdZdZeZedZ ddZ dS) DNSPatternz7 A DNS pattern as extracted from certificates. ^[a-z0-9\-_.]+$cCsht|ts td|}|dkst|sd|vr td||t|_ d|j vr2t |j dSdS)( :type pattern: `bytes` z'The DNS pattern must be a bytes string.zInvalid DNS pattern {0!r}.*N) r(r. TypeErrorstripr8rformat translate_TRANS_TO_LOWERr7_validate_patternselfr7rrr__init__s   zDNSPattern.__init__N) rrrrrrr7recompile_RE_LEGAL_CHARSrGrrrrr9s   r9c@s$eZdZdZeZeddZdS)IPAddressPatternz? An IP address pattern as extracted from certificates. cCs0z |t|dWStytd|w)Nr6z Invalid IP address pattern {!r}.)r3r4r2rrA)clsbsrrr from_bytess zIPAddressPattern.from_bytesN) rrrrrrr7 classmethodrNrrrrrKs rKc@(eZdZdZeZeZddZdS) URIPatternz8 An URI pattern as extracted from certificates. cCsdt|ts td|t}d|vsd|vst|r#td|| d\|_ }t ||_ dS)r;z'The URI pattern must be a bytes string.:r>zInvalid URI pattern {0!r}.N) r(r.r?r@rBrCr8rrAsplitprotocol_patternr9 dns_pattern)rFr7hostnamerrrrGs zURIPattern.__init__N) rrrrrrrTrUrGrrrrrQ  rQc@rP) SRVPatternz8 An SRV pattern as extracted from certificates. cCs~t|ts td|t}|ddks"d|vs"d|vs"t|r)td|| dd\}}|dd|_ t ||_ dS) r;z'The SRV pattern must be a bytes string.r_.r>zInvalid SRV pattern {0!r}.rN) r(r.r?r@rBrCr8rrArS name_patternr9rU)rFr7namerVrrrrGs"  zSRVPattern.__init__N) rrrrrrr[rUrGrrrrrXrWrXc@s:eZdZdZeZedZ e Z e Z ddZddZdS)DNS_IDz) A DNS service ID, aka hostname. r:cCst|ts td|}|dkst|rtdtdd|Dr.tr*t|}n t d|d}| t |_ |j |j durFtddS) z+ :type hostname: `unicode` z DNS-ID must be a unicode string.zInvalid DNS-ID.css|] }t|dkVqdS)N)ord)rcrrr sz"DNS_ID.__init__..z+idna library is required for non-ASCII IDs.r+N)r(rr?r@r8r2anyidnaencode ImportErrorrBrCrVrJr)rFrVZascii_idrrrrGs    zDNS_ID.__init__cCst||jr t|j|jSdS)zC https://tools.ietf.org/search/rfc6125#section-6.4 F)r(r"_hostname_matchesr7rVrErrrr's z DNS_ID.verifyN)rrrrrrrVrHrIrJr9r"r r rGr'rrrrr]s  r]c@s.eZdZdZejejdZe Z e Z ddZ dS) IPAddress_IDz# An IP address service ID. )Z convertercCs |j|jkS)zC https://tools.ietf.org/search/rfc2818#section-3.1 )ipr7rErrrr',s zIPAddress_ID.verifyN)rrrrrrr3r4rirKr"r r r'rrrrrh!s  rhc@8eZdZdZeZeZeZ e Z ddZ ddZ dS)URI_IDz An URI service ID. cCsft|ts td|}d|vst|rtd|d\}}|dt |_ t |d|_ dS)z& :type uri: `unicode` z URI-ID must be a unicode string.:zInvalid URI-ID.r+/N) r(rr?r@r8r2rSrerBrCprotocolr]dns_id)rFZuriZprotrVrrrrG?s zURI_ID.__init__cCs*t||jr|j|jko|j|jSdS)zE https://tools.ietf.org/search/rfc6125#section-6.5.2 F)r(r"rTrnror'rUrErrrr'Os   z URI_ID.verifyN)rrrrrrrnrorQr"r r rGr'rrrrrk3 rkc@rj)SRV_IDz An SRV service ID. cCsvt|ts td|}d|vst|s|ddkrtd|dd\}}|dddt |_ t ||_ dS) z& :type srv: `unicode` z SRV-ID must be a unicode string..r_zInvalid SRV-ID.rNr+) r(rr?r@r8r2rSrerBrCr\r]ro)rFZsrvr\rVrrrrGhs zSRV_ID.__init__cCs*t||jr|j|jko|j|jSdS)zE https://tools.ietf.org/search/rfc6125#section-6.5.1 F)r(r"r\r[ror'rUrErrrr'xs z SRV_ID.verifyN)rrrrrrr\rorXr"r r rGr'rrrrrq\rprqcCsZd|vr)|dd\}}|dd\}}||krdS|dr!dS|dkp(||kS||kS)z :type cert_pattern: `bytes` :type actual_hostname: `bytes` :return: `True` if *cert_pattern* matches *actual_hostname*, else `False`. :rtype: `bool` r>rZrFsxn--)rS startswith)rZactual_hostnameZ cert_headZ cert_tailZ actual_headZ actual_tailrrrrgs rgcCs|d}|dkrtd||d}t|dkr"td|d|dvr/td|td d |Dr?td |d S) z Check whether the usage of wildcards within *cert_pattern* conforms with our expectations. :type hostname: `bytes` :return: None r>rz7Certificate's DNS-ID {0!r} contains too many wildcards.rZzJCertificate's DNS-ID {0!r} has too few host components for wildcard usage.rzECertificate's DNS-ID {0!r} has a wildcard outside the left-most part.css|]}t| VqdS)N)len)rprrrrbsz$_validate_pattern..z0Certificate's DNS-ID {0!r} contains empty parts.N)countrrArSrvrc)rZcntpartsrrrrDs2    rDsABCDEFGHIJKLMNOPQRSTUVWXYZsabcdefghijklmnopqrstuvwxyz)&rZ __future__rrrr3rHrZ_compatrr exceptionsrr r r r r rdrfsobjectrr&rr!r8r9rKrQrXr]rhrkrqrgrDrCrrrrsN     "      /  ('%