o Sbd;@sdZddlZddlZddlZddlZddl m Z ddl m ZddlmZddlmZddlmZddlmZdd lmZdd lmZdd lmZ dd l!m"Z#dd l!m$Z$ddl%m&Z&ddl'm(Z(m)Z)ddl*m+Z,ddl*m-Z-zddl.Z.dZ/Wn e0ydZ/Ynwej1Z2ej3Z3ej4Z4ej5Z5e6eddZ7dZ8dZ9ej:Z;ejej?ej@ej?ejABiZBeCddeBDDZEddZFejGejHejIfZJddZKGdddejLZMGdddeNZOGdd d eNZPdS)!zMA CPython compatible SSLContext implementation wrapping PyOpenSSL's context. N)EINTR) ip_address)load_der_x509_certificate)SSL)crypto)CertificateError)VerificationError)verify_hostname)verify_ip_address)ConfigurationError)_CertificateError) _OCSPCache)_load_trusted_ca_certs_ocsp_callback) SocketChecker)_errno_from_exceptionTFOP_NO_RENEGOTIATIONccs|] \}}||fVqdSN).0keyvaluerr@/tmp/pip-target-onvjaxws/lib/python/pymongo/pyopenssl_context.py Fsrc Cs(zt|WdSttfyYdSw)NTF) _ip_address ValueError UnicodeError)addressrrr_is_ip_addressKs rcCs |jdkS)zNr)r<r'r# recv_intor3rAr&r"rBr,rrrErCz_sslConn.recv_intorc st|}t|}d}d}||krOz|tt|j||d|}Wnttfy<}z t|t kr7WYd}~q d}~ww|dkrEt d||7}||ksdSdS)NrzConnection closed) memoryviewlenr<r'r#sendIOErrorOSErrorr_EINTR Exception)r)bufflagsview total_length total_sentsentr!r,rrsendalls&  z_sslConn.sendall)r) __name__ __module__ __qualname__r(r<r=r@rErS __classcell__rrr,rr#`s     r#c@seZdZdZddZdS) _CallbackDataz0Data class which is passed to the OCSP callback.cCsd|_d|_t|_dSr)trusted_ca_certscheck_ocsp_endpointr Zocsp_response_cacher)rrrr(s z_CallbackData.__init__N)rTrUrV__doc__r(rrrrrXs rXc@seZdZdZdZddZeddZddZd d Z eee Z d d Z d dZ ee e Z ddZddZeeeZddZddZeeeZd(ddZd(ddZddZddZd d!Zd"d#Z $ % %  d)d&d'ZdS)* SSLContextzUA CPython compatible SSLContext implementation wrapping PyOpenSSL's context. ) _protocol_ctx_callback_data_check_hostnamecCs@||_t|j|_t|_d|_d|j_|jjt |jddS)NT)callbackdata) r^r3Contextr_rXr`rarZZset_ocsp_client_callbackr)r)protocolrrrr(s zSSLContext.__init__cC|jS)zhThe protocol version chosen when constructing the context. This attribute is read-only. )r^r[rrrreszSSLContext.protocolcCst|jS)zWhether to try to verify other peers' certificates and how to behave if verification fails. This attribute must be one of ssl.CERT_NONE, ssl.CERT_OPTIONAL or ssl.CERT_REQUIRED. )_REVERSE_VERIFY_MAPr_Zget_verify_moder[rrrZ__get_verify_modezSSLContext.__get_verify_modecCsdd}|jt||dS)zSetter for verify_mode.cSs|Srr)ZconnobjZx509objZerrnumZerrdepthretcoderrr_cbsz)SSLContext.__set_verify_mode.._cbN)r_Z set_verify _VERIFY_MAP)r)rrjrrrZ__set_verify_modeszSSLContext.__set_verify_modecCrfr)rar[rrrZ__get_check_hostnameszSSLContext.__get_check_hostnamecCst|ts td||_dS)Nz$check_hostname must be True or False)r2bool TypeErrorrar)rrrrZ__set_check_hostnames  zSSLContext.__set_check_hostnamecCs|jjSr)r`rZr[rrrZ__get_check_ocsp_endpointsz$SSLContext.__get_check_ocsp_endpointcCst|ts td||j_dS)Nz check_ocsp must be True or False)r2rlrmr`rZrnrrrZ__set_check_ocsp_endpoints  z$SSLContext.__set_check_ocsp_endpointcCs |jdSrD)r_ set_optionsr[rrrZ __get_optionss zSSLContext.__get_optionscCs|jt|dSr)r_rointrnrrrZ __set_optionsszSSLContext.__set_optionsNcsFrfdd}|j||j||j|p||jdS)aLoad a private key and the corresponding certificate. The certfile string must be the path to a single file in PEM format containing the certificate as well as any number of CA certificates needed to establish the certificate's authenticity. The keyfile string, if present, must point to a file containing the private key. Otherwise the private key will be taken from certfile as well. cs dS)Nzutf-8)encode) max_lengthZ prompt_twice user_datapasswordrr_pwcbs z)SSLContext.load_cert_chain.._pwcbN)r_Z set_passwd_cbZuse_certificate_chain_fileZuse_privatekey_fileZcheck_privatekey)r)certfilekeyfilerurvrrtrload_cert_chains    zSSLContext.load_cert_chaincCs.|j||ttjdst||j_dSdS)zLoad a set of "certification authority"(CA) certificates used to validate other peers' certificates when `~verify_mode` is other than ssl.CERT_NONE. get_verified_chainN)r_load_verify_locationshasattrr3 Connectionrr`rY)r)cafilecapathrrrr{s z SSLContext.load_verify_locationscCstr |tdStd)z&Attempt to load CA certs from certifi.ztlsAllowInvalidCertificates is False but no system CA certificates could be loaded. Please install the certifi package, or provide a path to a CA file using the tlsCAFile optionN) _HAVE_CERTIFIr{certifiwhere_ConfigurationErrorr[rrr _load_certifi%s zSSLContext._load_certificCs\|j}tjjj}t|D]\}}}|dkr+|dus ||vr+|tj t |qdS)z2Attempt to load CA certs from Windows trust store.x509_asnTN) r_Zget_cert_store _stdlibsslPurpose SERVER_AUTHoidenum_certificatesZadd_cert_cryptoZX509Zfrom_cryptography_load_der_x509_certificate)r)storeZ cert_storercertencodingtrustrrr_load_wincerts1s  zSSLContext._load_wincertscCs^tjdkrz dD]}||qWnty|Yn wtjdkr(||jdS)z7A PyOpenSSL version of load_default_certs from CPython.win32)CAROOTdarwinN)_sysplatformrPermissionErrorrr_set_default_verify_paths)r) storenamerrrload_default_certs<s     zSSLContext.load_default_certscCs|jdS)zdSpecify that the platform provided CA certificates are to be used for verification purposes.N)r_rr[rrrrLrhz#SSLContext.set_default_verify_pathsFTc Cst|j||}|r|||dur|n|r%t|s%||d|jtj kr/| | |ri| |j ri|durizt|rMt||W|St||W|Sttfyh}ztt|d}~ww|S)zTWrap an existing Python socket sock and return a TLS socket object. TidnaN)r#r_Z set_sessionZset_accept_staterZset_tlsext_host_namerq verify_moder CERT_NONEZ request_ocspZset_connect_stater=check_hostname_verify_ip_address_verify_hostname_SICertificateError_SIVerificationErrorr str) r)r+ server_sidedo_handshake_on_connectr&server_hostnamesessionZssl_connr!rrr wrap_socketSs0        zSSLContext.wrap_socket)NN)FTTNN)rTrUrVr\ __slots__r(propertyreZ_SSLContext__get_verify_modeZ_SSLContext__set_verify_moderZ_SSLContext__get_check_hostnameZ_SSLContext__set_check_hostnamerZ$_SSLContext__get_check_ocsp_endpointZ$_SSLContext__set_check_ocsp_endpointrZZ_SSLContext__get_optionsZ_SSLContext__set_optionsoptionsryr{rrrrrrrrrr]s<           r])Qr\socketr7sslrsysrtimer/errnorrK ipaddressrrZcryptography.x509rrZOpenSSLrr3rrZservice_identityrrrrZservice_identity.pyopensslr rr rZpymongo.errorsr rr Zpymongo.ocsp_cacher Zpymongo.ocsp_supportrrZpymongo.socket_checkerrr$rrr ImportErrorZ SSLv23_METHODPROTOCOL_SSLv23 OP_NO_SSLv2 OP_NO_SSLv3OP_NO_COMPRESSIONgetattrrHAS_SNI IS_PYOPENSSLErrorSSLErrorrZ VERIFY_NONE CERT_OPTIONALZ VERIFY_PEER CERT_REQUIREDZVERIFY_FAIL_IF_NO_PEER_CERTrkdictitemsrgrr4r5ZWantX509LookupErrorr1r"r}r#objectrXr]rrrrsZ                 I