Mercurial > repos > guerler > hhblits

comparison lib/python3.8/site-packages/setuptools/ssl_support.py @ 1:64071f2a4cf0 draft default tip

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Deleted selected files
author guerler
date Mon, 27 Jul 2020 03:55:49 -0400
parents 9e54283cc701
children
comparison
equal deleted inserted replaced
0:9e54283cc701 1:64071f2a4cf0
1 import os
2 import socket
3 import atexit
4 import re
5 import functools
6
7 from setuptools.extern.six.moves import urllib, http_client, map, filter
8
9 from pkg_resources import ResolutionError, ExtractionError
10
11 try:
12 import ssl
13 except ImportError:
14 ssl = None
15
16 __all__ = [
17 'VerifyingHTTPSHandler', 'find_ca_bundle', 'is_available', 'cert_paths',
18 'opener_for'
19 ]
20
21 cert_paths = """
22 /etc/pki/tls/certs/ca-bundle.crt
23 /etc/ssl/certs/ca-certificates.crt
24 /usr/share/ssl/certs/ca-bundle.crt
25 /usr/local/share/certs/ca-root.crt
26 /etc/ssl/cert.pem
27 /System/Library/OpenSSL/certs/cert.pem
28 /usr/local/share/certs/ca-root-nss.crt
29 /etc/ssl/ca-bundle.pem
30 """.strip().split()
31
32 try:
33 HTTPSHandler = urllib.request.HTTPSHandler
34 HTTPSConnection = http_client.HTTPSConnection
35 except AttributeError:
36 HTTPSHandler = HTTPSConnection = object
37
38 is_available = ssl is not None and object not in (
39 HTTPSHandler, HTTPSConnection)
40
41
42 try:
43 from ssl import CertificateError, match_hostname
44 except ImportError:
45 try:
46 from backports.ssl_match_hostname import CertificateError
47 from backports.ssl_match_hostname import match_hostname
48 except ImportError:
49 CertificateError = None
50 match_hostname = None
51
52 if not CertificateError:
53
54 class CertificateError(ValueError):
55 pass
56
57
58 if not match_hostname:
59
60 def _dnsname_match(dn, hostname, max_wildcards=1):
61 """Matching according to RFC 6125, section 6.4.3
62
63 https://tools.ietf.org/html/rfc6125#section-6.4.3
64 """
65 pats = []
66 if not dn:
67 return False
68
69 # Ported from python3-syntax:
70 # leftmost, *remainder = dn.split(r'.')
71 parts = dn.split(r'.')
72 leftmost = parts[0]
73 remainder = parts[1:]
74
75 wildcards = leftmost.count('*')
76 if wildcards > max_wildcards:
77 # Issue #17980: avoid denials of service by refusing more
78 # than one wildcard per fragment. A survey of established
79 # policy among SSL implementations showed it to be a
80 # reasonable choice.
81 raise CertificateError(
82 "too many wildcards in certificate DNS name: " + repr(dn))
83
84 # speed up common case w/o wildcards
85 if not wildcards:
86 return dn.lower() == hostname.lower()
87
88 # RFC 6125, section 6.4.3, subitem 1.
89 # The client SHOULD NOT attempt to match a
90 # presented identifier in which the wildcard
91 # character comprises a label other than the
92 # left-most label.
93 if leftmost == '*':
94 # When '*' is a fragment by itself, it matches a non-empty dotless
95 # fragment.
96 pats.append('[^.]+')
97 elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
98 # RFC 6125, section 6.4.3, subitem 3.
99 # The client SHOULD NOT attempt to match a presented identifier
100 # where the wildcard character is embedded within an A-label or
101 # U-label of an internationalized domain name.
102 pats.append(re.escape(leftmost))
103 else:
104 # Otherwise, '*' matches any dotless string, e.g. www*
105 pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
106
107 # add the remaining fragments, ignore any wildcards
108 for frag in remainder:
109 pats.append(re.escape(frag))
110
111 pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
112 return pat.match(hostname)
113
114 def match_hostname(cert, hostname):
115 """Verify that *cert* (in decoded format as returned by
116 SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125
117 rules are followed, but IP addresses are not accepted for *hostname*.
118
119 CertificateError is raised on failure. On success, the function
120 returns nothing.
121 """
122 if not cert:
123 raise ValueError("empty or no certificate")
124 dnsnames = []
125 san = cert.get('subjectAltName', ())
126 for key, value in san:
127 if key == 'DNS':
128 if _dnsname_match(value, hostname):
129 return
130 dnsnames.append(value)
131 if not dnsnames:
132 # The subject is only checked when there is no dNSName entry
133 # in subjectAltName
134 for sub in cert.get('subject', ()):
135 for key, value in sub:
136 # XXX according to RFC 2818, the most specific Common Name
137 # must be used.
138 if key == 'commonName':
139 if _dnsname_match(value, hostname):
140 return
141 dnsnames.append(value)
142 if len(dnsnames) > 1:
143 raise CertificateError(
144 "hostname %r doesn't match either of %s"
145 % (hostname, ', '.join(map(repr, dnsnames))))
146 elif len(dnsnames) == 1:
147 raise CertificateError(
148 "hostname %r doesn't match %r"
149 % (hostname, dnsnames[0]))
150 else:
151 raise CertificateError(
152 "no appropriate commonName or "
153 "subjectAltName fields were found")
154
155
156 class VerifyingHTTPSHandler(HTTPSHandler):
157 """Simple verifying handler: no auth, subclasses, timeouts, etc."""
158
159 def __init__(self, ca_bundle):
160 self.ca_bundle = ca_bundle
161 HTTPSHandler.__init__(self)
162
163 def https_open(self, req):
164 return self.do_open(
165 lambda host, **kw: VerifyingHTTPSConn(host, self.ca_bundle, **kw),
166 req
167 )
168
169
170 class VerifyingHTTPSConn(HTTPSConnection):
171 """Simple verifying connection: no auth, subclasses, timeouts, etc."""
172
173 def __init__(self, host, ca_bundle, **kw):
174 HTTPSConnection.__init__(self, host, **kw)
175 self.ca_bundle = ca_bundle
176
177 def connect(self):
178 sock = socket.create_connection(
179 (self.host, self.port), getattr(self, 'source_address', None)
180 )
181
182 # Handle the socket if a (proxy) tunnel is present
183 if hasattr(self, '_tunnel') and getattr(self, '_tunnel_host', None):
184 self.sock = sock
185 self._tunnel()
186 # http://bugs.python.org/issue7776: Python>=3.4.1 and >=2.7.7
187 # change self.host to mean the proxy server host when tunneling is
188 # being used. Adapt, since we are interested in the destination
189 # host for the match_hostname() comparison.
190 actual_host = self._tunnel_host
191 else:
192 actual_host = self.host
193
194 if hasattr(ssl, 'create_default_context'):
195 ctx = ssl.create_default_context(cafile=self.ca_bundle)
196 self.sock = ctx.wrap_socket(sock, server_hostname=actual_host)
197 else:
198 # This is for python < 2.7.9 and < 3.4?
199 self.sock = ssl.wrap_socket(
200 sock, cert_reqs=ssl.CERT_REQUIRED, ca_certs=self.ca_bundle
201 )
202 try:
203 match_hostname(self.sock.getpeercert(), actual_host)
204 except CertificateError:
205 self.sock.shutdown(socket.SHUT_RDWR)
206 self.sock.close()
207 raise
208
209
210 def opener_for(ca_bundle=None):
211 """Get a urlopen() replacement that uses ca_bundle for verification"""
212 return urllib.request.build_opener(
213 VerifyingHTTPSHandler(ca_bundle or find_ca_bundle())
214 ).open
215
216
217 # from jaraco.functools
218 def once(func):
219 @functools.wraps(func)
220 def wrapper(*args, **kwargs):
221 if not hasattr(func, 'always_returns'):
222 func.always_returns = func(*args, **kwargs)
223 return func.always_returns
224 return wrapper
225
226
227 @once
228 def get_win_certfile():
229 try:
230 import wincertstore
231 except ImportError:
232 return None
233
234 class CertFile(wincertstore.CertFile):
235 def __init__(self):
236 super(CertFile, self).__init__()
237 atexit.register(self.close)
238
239 def close(self):
240 try:
241 super(CertFile, self).close()
242 except OSError:
243 pass
244
245 _wincerts = CertFile()
246 _wincerts.addstore('CA')
247 _wincerts.addstore('ROOT')
248 return _wincerts.name
249
250
251 def find_ca_bundle():
252 """Return an existing CA bundle path, or None"""
253 extant_cert_paths = filter(os.path.isfile, cert_paths)
254 return (
255 get_win_certfile()
256 or next(extant_cert_paths, None)
257 or _certifi_where()
258 )
259
260
261 def _certifi_where():
262 try:
263 return __import__('certifi').where()
264 except (ImportError, ResolutionError, ExtractionError):
265 pass