U d@@s2dZddlmZddlZddlZddlZddl Z ddl m Z ddlmZddlmZmZmZmZmZmZmZddlmZddlmZdd lmZ dd l!m"Z#dd l!m$Z%dd l&m'Z(dd l&m)Z*ddl+m,Z-ddl+m.Z.ddl/m0Z0ddl1m2Z2m3Z3ddl4m5Z6ddl4m7Z7ddl8m9Z9er6ddlm:Z:ddlm;Z;edZWne?k rhdZ>YnXej@ZAejBZBejCZCejDZDeEeddZFdZGdZHejIZJejKejLejMejNejOejNejPBiZQddeQRDZSdddd d!ZTejUejVejWfZXd"dd#d$d%ZYGd&d'd'ejZZ[Gd(d)d)Z\Gd*d+d+Z]dS),zMA CPython compatible SSLContext implementation wrapping PyOpenSSL's context. ) annotationsN)EINTR) ip_address) TYPE_CHECKINGAnyCallableListOptionalTypeVarUnion)load_der_x509_certificate)SSL)crypto)CertificateError)VerificationError)verify_hostname)verify_ip_address)ConfigurationError)_CertificateError) _OCSPCache)_load_trusted_ca_certs_ocsp_callback) SocketChecker)_errno_from_exception)validate_boolean) VerifyMode) Certificate_TTFOP_NO_RENEGOTIATIONcCsi|]\}}||qSr).0keyvaluerr=/tmp/pip-unpacked-wheel-oblwsawz/pymongo/pyopenssl_context.py Psr$rbool)addressreturnc Cs.zt|WdSttfk r(YdSXdS)NTF) _ip_address ValueError UnicodeError)r&rrr#_is_ip_addressUs r+ BaseException)excr'cCs |jdkS)zrEstartr-Z want_readZ want_writerrr#_callrs,      z_sslConn._callNone)r/r>r'cs|jtjf||Sr5)rMr8 do_handshake)r:r/r>r;rr#rOsz_sslConn.do_handshakebytesc s\z|jtjf||WStjk rV}z|jrDt|rDWY dSW5d}~XYnXdS)N)rMr8recvrH SysCallErrorr4r0r:r/r>r-r;rr#rRs  z _sslConn.recvintc s\z|jtjf||WStjk rV}z|jrDt|rDWY dSW5d}~XYnXdSNr)rMr8 recv_intorHrSr4r0rTr;rr#rWs  z_sslConn.recv_intor)bufflagsr'c st|}t|}d}||krz|tj||d|}Wn8tk rr}zt|tkr`WYqW5d}~XYnX|dkrtd||7}qdS)Nrzconnection closed) memoryviewlenrMr8sendOSErrorr_EINTR)r:rXrYview total_length total_sentsentr-r;rr#sendalls z_sslConn.sendall)r) __name__ __module__ __qualname__r9rMrOrRrWrc __classcell__rrr;r#r1js   r1c@seZdZdZddddZdS) _CallbackDataz0Data class which is passed to the OCSP callback.rNr'cCsd|_d|_t|_dSr5)trusted_ca_certscheck_ocsp_endpointrZocsp_response_cacher:rrr#r9sz_CallbackData.__init__N)rdrerf__doc__r9rrrr#rhsrhc @sTeZdZdZdZddddZedddd Zd dd d Zd d dddZ eee Z ddddZ dd dddZ ee e Z ddddZdd dddZeeeZd dddZdd dddZeeeZdd6dddd#d7d8d9d:d;Zd S)? SSLContextzUA CPython compatible SSLContext implementation wrapping PyOpenSSL's context. ) _protocol_ctx_callback_data_check_hostnamerU)protocolcCs@||_t|j|_t|_d|_d|j_|jjt |jddS)NT)callbackdata) rorHContextrprhrqrrrkZset_ocsp_client_callbackr)r:rsrrr#r9s zSSLContext.__init__ricCs|jS)zhThe protocol version chosen when constructing the context. This attribute is read-only. )rorlrrr#rsszSSLContext.protocolrcCst|jS)zWhether to try to verify other peers' certificates and how to behave if verification fails. This attribute must be one of ssl.CERT_NONE, ssl.CERT_OPTIONAL or ssl.CERT_REQUIRED. )_REVERSE_VERIFY_MAPrpZget_verify_moderlrrr#Z__get_verify_modeszSSLContext.__get_verify_moderN)r"r'cCs.ddddddddd}|jt||dS) zSetter for verify_mode.z_SSL.Connectionz _crypto.X509rUr%)connobjx509objerrnumerrdepthretcoder'cSst|Sr5)r%)rxryrzr{r|rrr#_cbsz)SSLContext.__set_verify_mode.._cbN)rpZ set_verify _VERIFY_MAP)r:r"r}rrr#Z__set_verify_modeszSSLContext.__set_verify_moder%cCs|jSr5)rrrlrrr#Z__get_check_hostnameszSSLContext.__get_check_hostnamercCstd|||_dS)Ncheck_hostname)rrrr:r"rrr#Z__set_check_hostnames zSSLContext.__set_check_hostnamezOptional[bool]cCs|jjSr5)rqrkrlrrr#Z__get_check_ocsp_endpointsz$SSLContext.__get_check_ocsp_endpointcCstd|||j_dS)NZ check_ocsp)rrqrkrrrr#Z__set_check_ocsp_endpoints z$SSLContext.__set_check_ocsp_endpointcCs |jdSrV)rp set_optionsrlrrr#Z __get_options szSSLContext.__get_optionscCs|jt|dSr5)rprrUrrrr#Z __set_optionsszSSLContext.__set_optionsNzUnion[str, bytes]zUnion[str, bytes, None]z Optional[str])certfilekeyfilepasswordr'csRr(dddddfdd }|j||j||j|p@||jdS)aLoad a private key and the corresponding certificate. The certfile string must be the path to a single file in PEM format containing the certificate as well as any number of CA certificates needed to establish the certificate's authenticity. The keyfile string, if present, must point to a file containing the private key. Otherwise the private key will be taken from certfile as well. rUr%rP) max_length prompt_twice user_datar'csdk s tdS)Nzutf-8)AssertionErrorencode)rrrrrr#_pwcb*s z)SSLContext.load_cert_chain.._pwcbN)rpZ set_passwd_cbZuse_certificate_chain_fileZuse_privatekey_fileZcheck_privatekey)r:rrrrrrr#load_cert_chains   zSSLContext.load_cert_chain)cafilecapathr'cCs6|j||ttjds2|dk s&tt||j_dS)zLoad a set of "certification authority"(CA) certificates used to validate other peers' certificates when `~verify_mode` is other than ssl.CERT_NONE. Zget_verified_chainN) rpload_verify_locationshasattrrH Connectionrrrqrj)r:rrrrr#r6s  z SSLContext.load_verify_locationscCs tr|tntddS)z&Attempt to load CA certs from certifi.ztlsAllowInvalidCertificates is False but no system CA certificates could be loaded. Please install the certifi package, or provide a path to a CA file using the tlsCAFile optionN) _HAVE_CERTIFIrcertifiwhere_ConfigurationErrorrlrrr# _load_certifiCs zSSLContext._load_certifistr)storer'cCs\|j}tjjj}t|D]8\}}}|dkr|dks@||kr|tj t |qdS)z2Attempt to load CA certs from Windows trust store.x509_asnTN) rpZget_cert_store _stdlibsslPurpose SERVER_AUTHoidenum_certificatesZadd_cert_cryptoZX509Zfrom_cryptography_load_der_x509_certificate)r:rZ cert_storercertencodingtrustrrr#_load_wincertsOs  zSSLContext._load_wincertscCsbtjdkrBzdD]}||qWqTtk r>|YqTXntjdkrT||jdS)z7A PyOpenSSL version of load_default_certs from CPython.win32)CAROOTdarwinN)_sysplatformrPermissionErrorrrpset_default_verify_paths)r: storenamerrr#load_default_certsZs  zSSLContext.load_default_certscCs|jdS)zmSpecify that the platform provided CA certificates are to be used for verification purposes. N)rprrlrrr#rjsz#SSLContext.set_default_verify_pathsFTz_socket.socketzOptional[_SSL.Session]r1)r3 server_sidedo_handshake_on_connectr4server_hostnamesessionr'c Cst|j||}|r|||dkr.|n8|rJt|sJ||d|jtj kr^| | |r| |j r|dk rz"t|rt||n t||Wn2ttfk r}ztt|W5d}~XYnX|S)zZWrap an existing Python socket connection and return a TLS socket object. TidnaN)r1rpZ set_sessionZset_accept_stater+Zset_tlsext_host_namer verify_moder CERT_NONEZ request_ocspZset_connect_staterOr_verify_ip_address_verify_hostname_SICertificateError_SIVerificationErrorrr) r:r3rrr4rrZssl_connr-rrr# wrap_socketrs(      zSSLContext.wrap_socket)NN)NN)FTTNN)rdrerfrm __slots__r9propertyrsZ_SSLContext__get_verify_modeZ_SSLContext__set_verify_moderZ_SSLContext__get_check_hostnameZ_SSLContext__set_check_hostnamerZ$_SSLContext__get_check_ocsp_endpointZ$_SSLContext__set_check_ocsp_endpointrkZ_SSLContext__get_optionsZ_SSLContext__set_optionsoptionsrrrrrrrrrrr#rnsB         rn)^rm __future__rsocketrDsslrsysrtimer@errnorr^ ipaddressrr(typingrrrrr r r Zcryptography.x509r rZOpenSSLr rHrrZservice_identityrrrrZservice_identity.pyopensslrrrrZpymongo.errorsrrrZpymongo.ocsp_cacherZpymongo.ocsp_supportrrZpymongo.socket_checkerrr6rZpymongo.write_concernrrrrrr ImportErrorZ SSLv23_METHODPROTOCOL_SSLv23 OP_NO_SSLv2 OP_NO_SSLv3OP_NO_COMPRESSIONgetattrrHAS_SNI IS_PYOPENSSLErrorrFrZ VERIFY_NONE CERT_OPTIONALZ VERIFY_PEER CERT_REQUIREDZVERIFY_FAIL_IF_NO_PEER_CERTr~itemsrwr+rIrJZWantX509LookupErrorrBr0rr1rhrnrrrr#sj   $                   M