N3{Y@scddlZddlZddlZddlZddlZddlmZmZddlmZyddl Z Wne k rdZ YnXdddddgZ d j j ZeZZxpd d d gfd ddgffD]J\ZZx;eD]3ZyedeefWqe k r(YqXqWqWe dk oLeeefkZyddl mZmZWnWe k ry$ddlmZddlmZWne k rdZdZYnXYnXesGdddeZnesdddZddZnGdddeZGdddeZdddZdadd Z d!dZ!dS)"N)ResolutionErrorExtractionError)urllib2VerifyingHTTPSHandlerfind_ca_bundle is_available cert_paths opener_forz /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt /usr/share/ssl/certs/ca-bundle.crt /usr/local/share/certs/ca-root.crt /etc/ssl/cert.pem /System/Library/OpenSSL/certs/cert.pem HTTPSHandlerrzurllib.requestHTTPSConnectionhttplibz http.clientzfrom %s import %s)CertificateErrormatch_hostname)r )rc@seZdZdS)r N)__name__ __module__ __qualname__rr1/tmp/pip-r2rszybt-build/setuptools/ssl_support.pyr 8s r c CsXg}|sdS|jd}|d}|dd}|jd}||krmtdt|n|s|j|jkS|dkr|jdnY|jd s|jd r|jtj|n"|jtj|j d d x$|D]}|jtj|qWtj d d j |dtj } | j |S)zpMatching according to RFC 6125, section 6.4.3 http://tools.ietf.org/html/rfc6125#section-6.4.3 F.rrN*z,too many wildcards in certificate DNS name: z[^.]+zxn--z\*z[^.]*z\Az\.z\Z)splitcountr reprlowerappend startswithreescapereplacecompilejoin IGNORECASEmatch) dnhostname max_wildcardspatspartsleftmost remainder wildcardsfragpatrrr_dnsname_match<s*   " &r.cCs[|stdng}|jdf}xC|D];\}}|dkr4t||r_dS|j|q4q4W|sxc|jdfD]L}xC|D];\}}|dkrt||rdS|j|qqWqWnt|dkrtd|d jtt|fn;t|dkrKtd ||d fn td dS) a=Verify that *cert* (in decoded format as returned by SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125 rules are followed, but IP addresses are not accepted for *hostname*. CertificateError is raised on failure. On success, the function returns nothing. zempty or no certificatesubjectAltNameDNSNsubject commonNamerz&hostname %r doesn't match either of %sz, zhostname %r doesn't match %rrz=no appropriate commonName or subjectAltName fields were found) ValueErrorgetr.rlenr r!mapr)certr%dnsnamessankeyvaluesubrrrrps.  %rc@s.eZdZdZddZddZdS)rz=Simple verifying handler: no auth, subclasses, timeouts, etc.cCs||_tj|dS)N) ca_bundler __init__)selfr=rrrr>s zVerifyingHTTPSHandler.__init__csjfdd|S)Ncst|j|S)N)VerifyingHTTPSConnr=)hostkw)r?rrsz2VerifyingHTTPSHandler.https_open..)do_open)r?reqr)r?r https_opensz VerifyingHTTPSHandler.https_openN)rrr__doc__r>rFrrrrrs  c@s.eZdZdZddZddZdS)r@z@Simple verifying connection: no auth, subclasses, timeouts, etc.cKs tj|||||_dS)N)r r>r=)r?rAr=rBrrrr>szVerifyingHTTPSConn.__init__c Cstj|j|jft|dd}t|drat|ddra||_|jntj |dtj d|j |_yt |jj |jWn5tk r|jjtj|jjYnXdS)Nsource_address_tunnel _tunnel_host cert_reqsca_certs)socketcreate_connectionrAportgetattrhasattrsockrIssl wrap_socket CERT_REQUIREDr=r getpeercertr shutdown SHUT_RDWRclose)r?rRrrrconnects$!    zVerifyingHTTPSConn.connectN)rrrrGr>rZrrrrr@s  r@cCstjt|ptjS)z@Get a urlopen() replacement that uses ca_bundle for verification)r build_openerrropen)r=rrrr sc sxtdk rtjSyddlmWntk r?dSYnXGfddd}|dddgatjS)Nr)CertFilecs(eZdZfffddZdS)z$get_win_certfile..MyCertFilecsLj|x|D]}|j|qW|j|tj|jdS)N)r>ZaddstoreZaddcertsatexitregisterrY)r?storescertsstore)r]rrr>s    z-get_win_certfile..MyCertFile.__init__N)rrrr>r)r]rr MyCertFiles rcr`CAROOT) _wincertsnameZ wincertstorer] ImportError)rcr)r]rget_win_certfiles   ric CswtjdkrtSx$tD]}tjj|r|SqWytjddSWntt t fk rrdSYnXdS)z*Return an existing CA bundle path, or NonentZcertifiz cacert.pemN) osrgrirpathisfile pkg_resourcesresource_filenamerhrr)Z cert_pathrrrrs )"rkrMr^rrnrrZsetuptools.compatrrSrh__all__striprrobjectr r whatwheremoduleexecrr rZbackports.ssl_match_hostnamer3r.rr@r rfrirrrrrsV               4)