U 3 d@sldZddlZddlZddlZddlZddlmZmZGdddejZ ddZ dd Z Gd d d ej Z dS) zCExtensions to allow HTTPS requests with SSL certificate validation.N)six http_clientc@s eZdZdZddZddZdS)InvalidCertificateExceptionz?Raised when a certificate is provided with an invalid hostname.cCs"tj|||_||_||_dS)zConstructor. Args: host: The hostname the connection was made to. cert: The SSL certificate (as a dictionary) the host returned. N)r HTTPException__init__hostcertreason)selfrrr r 9/tmp/pip-unpacked-wheel-d7dsrkjd/boto/https_connection.pyr"s z$InvalidCertificateException.__init__cCsd|j|j|jfS)Nz0Host %s returned an invalid certificate (%s): %s)rr r)r r r r __str__.sz#InvalidCertificateException.__str__N)__name__ __module__ __qualname____doc__rr r r r r rs rcCs0d|krdd|dDSdd|dDSdS)zReturns a list of valid host globs for an SSL certificate. Args: cert: A dictionary representing an SSL certificate. Returns: list: A list of valid host globs. subjectAltNamecSs$g|]}|ddkr|dqS)rZdnslower.0xr r r <sz(GetValidHostsForCert..cSs,g|]$}|dddkr|ddqS)rZ commonnamerrrr r r r>ssubjectNr )rr r r GetValidHostsForCert3srcCsVt|}tjd|||D]4}|dddd}td|f|tjrdSqdS) aValidates that a given hostname is valid for an SSL certificate. Args: cert: A dictionary representing an SSL certificate. hostname: The hostname to test. Returns: bool: Whether or not the hostname is valid for this certificate. z@validating server certificate: hostname=%s, certificate hosts=%s.z\.*z[^.]*z^%s$TF)rbotologdebugreplaceresearchI)rhostnamehostsrZhost_rer r r ValidateCertificateHostnameBs r'c@s2eZdZdZejZeddddfddZddZdS)CertValidatingHTTPSConnectionzDAn HTTPConnection that connects over SSL and validates certificates.NcKs>tjr||d<tjj|f||d|||_||_||_dS)a*Constructor. Args: host: The hostname. Can be in 'host:port' form. port: The port. Defaults to 443. key_file: A file containing the client's private key cert_file: A file containing the client's certificates ca_certs: A file contianing a set of concatenated certificate authority certs for validating the server against. strict: When true, causes BadStatusLine to be raised if the status line can't be parsed as a valid HTTP/1.0 or 1.1 status line. strict)rportN)rPY2rHTTPConnectionrkey_file cert_fileca_certs)r rr*r-r.r/r)kwargsr r r r[s z&CertValidatingHTTPSConnection.__init__cCst|dr"t|j|jf|j}nt|j|jf}d}|jrN|d|j7}n|d7}tj |t j ||j |j t j|jd|_|j}|jddd}t||st||d|d S) z(Connect to a host on a given (SSL) port.timeoutzwrapping ssl socket; zCA certificate file=%szusing system provided SSL certs)keyfilecertfile cert_reqsr/:rz/remote hostname "%s" does not match certificateN)hasattrsocketcreate_connectionrr*r1r/rrr ssl wrap_socketr-r. CERT_REQUIREDsock getpeercertsplitr'r)r r<msgrr%r r r connectts,     z%CertValidatingHTTPSConnection.connect) rrrrr HTTPS_PORT default_portrr@r r r r r(Vs r()rr"r7r9rZ boto.compatrrrrrr'r,r(r r r r s