Spade
Mini Shell
| Directory:~$ /proc/self/root/usr/lib/python2.7/site-packages/ndg/httpsclient/ |
ndg_httpsclient - module containing SSL peer verification class.

P J Kershaw (STFC)
09/12/11
(C) 2012 Science and Technology Facilities Council
BSD - see LICENSE file in top-level directory
Philip.Kershaw@stfc.ac.uk
$Id$

SubjectAltName support is disabled - check pyasn1 package installation to enable

ServerSSLCertVerification

Check server identity. If hostname doesn't match, allow match of host's Distinguished Name against server DN setting

CN            commonName
OU            organisationalUnitName
O             organisation
C             countryName
EMAILADDRESS  emailAddress
L             localityName
ST            stateOrProvinceName
STREET        streetAddress
DC            domainComponent
UID           userid

__init__

Override parent class __init__ to enable setting of certDN setting

@type certDN: string
@param certDN: Set the expected Distinguished Name of the server to avoid errors matching hostnames. This is useful where the hostname is not fully qualified
@type hostname: string
@param hostname: hostname to match against peer certificate subjectAltNames or subject common name
@type subj_alt_name_match: bool
@param subj_alt_name_match: flag to enable/disable matching of hostname against peer certificate subjectAltNames. Nb. A setting of True will be ignored if the pyasn1 package is not installed

Overriding "subj_alt_name_match" keyword setting: peer verification with subjectAltNames is disabled
Disabling peer verification with subject subjectAltNames!

__call__

Verify server certificate

@type connection: OpenSSL.SSL.Connection
@param connection: SSL connection object
@type peerCert: basestring
@param peerCert: server host certificate as OpenSSL.crypto.X509 instance
@type errorStatus: int
@param errorStatus: error status passed from caller. This is the value returned by the OpenSSL C function X509_STORE_CTX_get_error(). Look-up x509_vfy.h in the OpenSSL source to get the meanings of the different codes. PyOpenSSL doesn't help you!
@type errorDepth: int
@param errorDepth: a non-negative integer representing where in the certificate chain the error occurred. If it is zero it occurred in the end entity certificate, one if it is the certificate which signed the end entity certificate and so on.
@type preverifyOK: int
@param preverifyOK: the error status - 0 = Error, 1 = OK of the current SSL context irrespective of any verification checks done here. If this function yields an OK status, it should enforce the preverifyOK value so that any error set upstream overrides and is honoured.
@rtype: int
@return: status code - 0/False = Error, 1/True = OK

Certificate %r in peer certificate chain has expired
No "hostname" or "certDN" set to check peer certificate against
Peer certificate CN %r doesn't match the expected CN %r
Peer certificate DN %r doesn't match the expected DN %r

_get_subj_alt_name

Extract subjectAltName DNS name settings from certificate extensions

@param peer_cert: peer certificate in SSL connection. subjectAltName settings if any will be extracted from this
@type peer_cert: OpenSSL.crypto.X509

_getCertDN / _setCertDN

Error parsing DN string: "%s"
Expecting list of two element DN field, DN field value pairs for "certDN" attribute
Expecting list or string type for "certDN" attribute

certDN: Distinguished Name for Server Certificate

_getHostname / _setHostname

Expecting string type for hostname attribute

hostname: hostname of server