h1xdZddlmZddlZddlZddlmZmZmZm Z ddl Z ddl m Z m Z mZmZmZmZmZ ddlZe j*dGd d Z d'd Z d(d Zd)d Zd*dZe j*dGddZe j*dGddZe j*dGddZe j*dGddZeeeeefZ e GddeZ e j*ddGddZ!e j*dGddZ"e j*ddGdd Z#e j*ddGd!d"Z$d+d#Z%d,d$Z&e'jQd%d&Z)y#e$rdZYwxYw)-z Common verification code. ) annotationsN)ProtocolSequenceUnionruntime_checkable)CertificateError DNSMismatchIPAddressMismatchMismatch SRVMismatch URIMismatchVerificationErrorT)slotscjeZdZUdZej Zded<ej Zded<y) ServiceMatchz< A match of a service id and a certificate pattern. ServiceID service_idCertificatePattern cert_patternN) __name__ __module__ __qualname____doc__attribr__annotations__rS/var/www/Befach/backend/env/lib/python3.12/site-packages/service_identity/hazmat.pyrrs.$DGGIJ %'.twwyL$0rrc|s d}t|g}t||t||z}|Dcgc]}|j}}|D](}||vs|j|j |*|D]?}||vst ||j s|j|j |A|r t||Scc}w)z Verify whether *cert_patterns* are valid for *obligatory_ids* and *optional_ids*. *obligatory_ids* must be both present and match. *optional_ids* must match if a pattern of the respective type is present. z3Certificate does not contain any `subjectAltName`s.) mismatched_id)errors)r _find_matchesrappenderror_on_mismatch_contains_instance_of pattern_classr) cert_patternsobligatory_ids optional_idsmsgr#matchesmatch matched_idsis r verify_service_identityr1)s Cs## FM>:]|>G2995##9K9  K  MM##!#4   K $9 1??%  MM##!#4 v.. N-:sCcg}|D]7}|D]0}|j|s|jt||29|S)z Search for matching certificate patterns and service_ids. Args: service_ids: List of service IDs like DNS_ID. )rr)verifyr%r)r) service_idsr-sidcids r r$r$WsEG Czz# ccB! Nrc,tfd|DS)Nc36K|]}t|ywN) isinstance).0ecls r z(_contains_instance_of..ms.Qz!R .s)any)seqr=s `r r'r'ls .#. ..rct|tr |jd} t |y#t$rYywxYw#t $rYnwxYw t j|jddy#t $rYywxYw)z Check whether *pattern* could be/match an IP address. Args: pattern: A pattern for a host name. Returns: `True` if *pattern* could be an IP address, else `False`. asciiFT*1) r:bytesdecode UnicodeErrorint ValueError ipaddress ip_addressreplacepatterns r _is_ip_addressrOps'5! nnW-G G       W__S#67  s-0 ? << A  A %A55 BBcteZdZUdZej Zded<ejdZ e ddZ y) DNSPatternz7 A DNS pattern as extracted from certificates. rErN^[a-z0-9\-_.]+$ct|ts d}t||j}|dk(st |sd|vrd|d}t ||j t}d|vr t|||S)Nz'The DNS pattern must be a bytes string.rzInvalid DNS pattern .*rM) r:rE TypeErrorstriprOr translate_TRANS_TO_LOWER_validate_pattern)clsrNr,s r from_byteszDNSPattern.from_bytess~'5);CC. --/ c>^G48H( 15C"3' '##O4 7? g &7##rN)rNrEreturnrQ) rrrrrrrNrrecompile_RE_LEGAL_CHARS classmethodr]rrr rQrQs> TWWYGU bjj!45O$$rrQcPeZdZUdZej Zded<eddZ y)IPAddressPatternz? An IP address pattern as extracted from certificates. -ipaddress.IPv4Address | ipaddress.IPv6AddressrNcz |tj|S#t$rd|d}t|dwxYw)NrMzInvalid IP address pattern rU)rJrKrIr )r\bsr,s r r]zIPAddressPattern.from_bytessG 2y33B78 8 2/vQ7C"3'T 1 2s:N)rgrEr^rd) rrrrrrrNrrbr]rrr rdrds/ >ETWWYG :F22rrdc|eZdZUdZej Zded<ej Zded<e ddZ y) URIPatternz8 An URI pattern as extracted from certificates. rEprotocol_patternrQ dns_patternc,t|ts d}t||jj t }d|vsd|vs t |rd|d}t||jd\}}||tj|S)Nz'The URI pattern must be a bytes string.:rVzInvalid URI pattern rU)rjrk r:rErWrXrYrZrOr splitrQr])r\rNr,rjhostnames r r]zURIPattern.from_bytess'5);CC. --/++O< w $'/^G5L( 15C"3' '%,]]4%8"(-"--h7  rN)rNrEr^ri) rrrrrrrjrrkrbr]rrr riris@ &dggie'%dggiK'  rric|eZdZUdZej Zded<ej Zded<e ddZ y) SRVPatternz8 An SRV pattern as extracted from certificates. rE name_patternrQrkcDt|ts d}t||jj t }|ddk7sd|vsd|vs t |rd|d}t||jdd\}}||ddtj| S) Nz'The SRV pattern must be a bytes string.r_.rVzInvalid SRV pattern rUr)rsrkrn)r\rNr,namerps r r]zSRVPattern.from_bytess'5);CC. --/++O< AJ' !7"wg&( 15C"3' ' tQ/habz/D/DX/N  rN)rNrEr^rr) rrrrrrrsrrkrbr]rrr rrrrs? "$'')L%#%dggiK'  rrrc8eZdZeddZeddZddZy)rcyr9rselfs r r(zServiceID.pattern_class s9rrF)initrczeZdZUdZej Zded<ejdZ e Z e ZddZd dZy) DNS_IDz) A DNS service ID, aka hostname. rErprRct|ts d}t||j}|r t |r d}t |t d|Dr)trtj|}nd}t||jd}|jt|_ |jj|j d}t |y)NzDNS-ID must be a text string.zInvalid DNS-ID.c38K|]}t|dkDyw)N)ord)r;cs r r>z"DNS_ID.__init__..+s.s1v|.sz+idna library is required for non-ASCII IDs.rB)r:strrWrXrOrIr?idnaencode ImportErrorrYrZrprar.)r{rpr,ascii_ids r __init__zDNS_ID.__init__!s(C(1CC. >>#>(3#CS/ ! .X. .;;x0C!#&&w/H **?;    % %dmm 4 <#CS/ ! =rcpt||jr t|j|jSy)zC https://tools.ietf.org/search/rfc6125#section-6.4 F)r:r(_hostname_matchesrNrpr~s r r3z DNS_ID.verify9s, gt11 2$W__dmmD DrN)rprr)rrrrrrrprr_r`rarQr(r r&rr3rrr rrsCdggiHe!bjj!45OM#"0rrcfeZdZUdZej ejZde d<e Z e Z ddZy) IPAddress_IDz# An IP address service ID. ) converterreipcbt||jr|j|jk(Sy)zC https://tools.ietf.org/search/rfc2818#section-3.1 F)r:r(rrNr~s r r3zIPAddress_ID.verifyPs* gt11 277goo- -rNr)rrrrrrrJrKrrrdr(r r&r3rrr rrCs=9@&&9B5%M)rrceZdZUdZej Zded<ej Zded<e Z e Z d dZ d dZy) URI_IDz An URI service ID. rEprotocolrdns_idcNt|ts d}t||j}d|vs t |r d}t ||j d\}}|jdjt|_ t|jd|_ y)NzURI-ID must be a text string.:zInvalid URI-ID.rB/) r:rrWrXrOrIrorrYrZrrr)r{urir,protrps r rzURI_ID.__init__fs#s#1CC. iik c>^C0#CS/ !3h G,66G X^^C01 rct||jr@|j|jk(xr%|jj |j Sy)zE https://tools.ietf.org/search/rfc6125#section-6.5.2 F)r:r(rjrrr3rkr~s r r3z URI_ID.verifyusM gt11 2((DMM9<KK&&w':':;  rN)rrr)rrrrrrrrrrir(rr&rr3rrr rrZsBdggiHeTWWYFFM# 2 rrceZdZUdZej Zded<ej Zded<e Z e Z d dZ d dZy) SRV_IDz An SRV service ID. rErwrrcHt|ts d}t||j}d|vst |s|ddk7r d}t ||j dd\}}|ddjdjt|_ t||_ y)NzSRV-ID must be a text string.rUr_zInvalid SRV-ID.rrB) r:rrWrXrOrIrorrYrZrwrr)r{srvr,rwrps r rzSRV_ID.__init__s#s#1CC. iik c>^C0CFcM#CS/ !3*hHOOG,66G X& rct||jr@|j|jk(xr%|jj |j Sy)zE https://tools.ietf.org/search/rfc6125#section-6.5.1 F)r:r(rwrsrr3rkr~s r r3z SRV_ID.verifysO gt11 299 4 449K9K##: rN)rrr)rrrrrrrwrrrrr(r r&rr3rrr rrsB$'')D%TWWYFFM# ' rrcd|vrH|jdd\}}|jdd\}}||k7ry|jdry|d|fvS||k(S)zT :return: `True` if *cert_pattern* matches *actual_hostname*, else `False`. rVrvrFsxn--)ro startswith)ractual_hostname cert_head cert_tail actual_head actual_tails r rrsq |+11$: 9#2#8#8q#A [  #  ! !' *T;/// ? **rc(|jd}|dkDrd|d}t||jd}t|dkrd|d}t|d|dvrd|d }t|t d |Drd|d }t|y ) zh Check whether the usage of wildcards within *cert_pattern* conforms with our expectations. rVrzCertificate's DNS-ID z contains too many wildcards.rvz0 has too few host components for wildcard usage.rz+ has a wildcard outside the left-most part.c34K|]}t| ywr9)len)r;ps r r>z$_validate_pattern..s %!s1v: %sz contains empty parts.N)countr rorr?)rcntr,partss r r[r[s   T "C Qw%l%55RSs##   t $E 5zA~%l%55efs## 58%l%55`as## %u %%%l%55KLs##&rsABCDEFGHIJKLMNOPQRSTUVWXYZsabcdefghijklmnopqrstuvwxyz)r)Sequence[CertificatePattern]r*Sequence[ServiceID]r+rr^list[ServiceMatch])r)rr4rr^r)r@zSequence[object]r=typer^r)rNz str | bytesr^r)rrErrEr^r)rrEr^None)*r __future__rrJr_typingrrrrr exceptionsr r r r r rrrrsrr1r$r'rOrQrdrirrrrrrrrrr[rE maketransrZrrr rsG# ??  d111+/+'+&+ +\/$*/>d$$$:d222"d   <d   B J(88 ???U$++ +\d,U$$$ $NU$## #L+$$.//!#@o  DsF..F98F9