U ~fhlJ@sdZddlmZddlZddlZddlZddlZ ddl Z ddl m ZddlmZddlmZmZmZmZmZmZddlmZddlZddlmZddlmZ dd l!m"Z#dd l!m$Z$dd l%m&Z&dd l'm(Z(m)Z)dd l*m+Z,ddl*m-Z-ddl.m/Z/erddlm0Z0edZ1zddl2Z2dZ3Wne4k r8dZ3YnXej5Z6ej7Z7ej8Z8ej9Z9e:eddZ;dZZ?ej@ejAejBejCejDejCejEBiZFddeFGDZHdddddZIejJejKejLfZMejJZNejKZOejLZPdddddZQGd d!d!ejRZSGd"d#d#ZTGd$d%d%ZUdS)&zMA CPython compatible SSLContext implementation wrapping PyOpenSSL's context. ) annotationsN)EINTR) ip_address) TYPE_CHECKINGAnyCallableOptionalTypeVarUnion)SSL)crypto)ConfigurationError)_CertificateError) _OCSPCache)_load_trusted_ca_certs_ocsp_callback) SocketChecker)_errno_from_exception)validate_boolean) VerifyMode_TTFOP_NO_RENEGOTIATIONcCsi|]\}}||qSr).0keyvaluerr=/tmp/pip-unpacked-wheel-36gvocj8/pymongo/pyopenssl_context.py Msrrbool)addressreturnc Cs.zt|WdSttfk r(YdSXdS)NTF) _ip_address ValueError UnicodeError)rrrr_is_ip_addressRs r$ BaseException)excr cCs |jdkS)zstartr&Z want_readZ want_writerrr_callrs,       z_sslConn._callNone)r(r7r cs|jtjf||Sr.)rFr1 do_handshake)r3r(r7r4rrrHsz_sslConn.do_handshakebytesc s\z|jtjf||WStjk rV}z|jrDt|rDWY dSW5d}~XYnXdS)N)rFr1recvrA SysCallErrorr-r)r3r(r7r&r4rrrKs  z _sslConn.recvintc s\z|jtjf||WStjk rV}z|jrDt|rDWY dSW5d}~XYnXdSNr)rFr1 recv_intorArLr-r)rMr4rrrPs  z_sslConn.recv_intor)bufflagsr c st|}t|}d}||krz|tj||d|}Wn8tk rr}zt|tkr`WYqW5d}~XYnX|dkrtd||7}qdS)Nrzconnection closed) memoryviewlenrFr1sendOSErrorr_EINTR)r3rQrRview total_length total_sentsentr&r4rrsendalls z_sslConn.sendall)r) __name__ __module__ __qualname__r2rFrHrKrPr\ __classcell__rrr4rr*js   r*c@seZdZdZddddZdS) _CallbackDataz0Data class which is passed to the OCSP callback.rGr cCsd|_d|_t|_dSr.)trusted_ca_certscheck_ocsp_endpointrZocsp_response_cacher3rrrr2sz_CallbackData.__init__N)r]r^r___doc__r2rrrrrasrac @speZdZdZdZddddZedddd Zd dd d Zd d dddZ eee Z ddddZ dd dddZ ee e Z ddddZdd dddZeeeZd dddZdd dddZeeeZd>d!d"d#d d$d%d&Zd?d#d#d d'd(d)Zd dd*d+Zd,d d-d.d/Zd dd0d1Zd dd2d3Zd@d6dddd#d7d8d9d:d;ZdAd6dddd#d7d8d9d._cbN)riZ set_verify _VERIFY_MAP)r3rrvrrrZ__set_verify_modeszSSLContext.__set_verify_modercCs|jSr.)rkrerrrZ__get_check_hostnameszSSLContext.__get_check_hostnamercCstd|||_dS)Ncheck_hostname)rrkr3rrrrZ__set_check_hostnames zSSLContext.__set_check_hostnamezOptional[bool]cCs|jjSr.)rjrdrerrrZ__get_check_ocsp_endpointsz$SSLContext.__get_check_ocsp_endpointcCstd|||j_dS)NZ check_ocsp)rrjrdryrrrZ__set_check_ocsp_endpoints z$SSLContext.__set_check_ocsp_endpointcCs |jdSrO)ri set_optionsrerrrZ __get_options szSSLContext.__get_optionscCs|jt|dSr.)rirzrNryrrrZ __set_optionsszSSLContext.__set_optionsNzUnion[str, bytes]zUnion[str, bytes, None]z Optional[str])certfilekeyfilepasswordr csRr(dddddfdd }|j||j||j|p@||jdS) aLoad a private key and the corresponding certificate. The certfile string must be the path to a single file in PEM format containing the certificate as well as any number of CA certificates needed to establish the certificate's authenticity. The keyfile string, if present, must point to a file containing the private key. Otherwise the private key will be taken from certfile as well. rNrzOptional[bytes]rI) _max_length _prompt_twice _user_datar csdk s tdS)Nzutf-8)AssertionErrorencode)r~rrr}rr_pwcb*s z)SSLContext.load_cert_chain.._pwcbN)riZ set_passwd_cbZuse_certificate_chain_fileZuse_privatekey_fileZcheck_privatekey)r3r{r|r}rrrrload_cert_chains   zSSLContext.load_cert_chain)cafilecapathr cCs6|j||ttjds2|dk s&tt||j_dS)zLoad a set of "certification authority"(CA) certificates used to validate other peers' certificates when `~verify_mode` is other than ssl.CERT_NONE. Zget_verified_chainN) riload_verify_locationshasattrrA Connectionrrrjrc)r3rrrrrr6s  z SSLContext.load_verify_locationscCs tr|tntddS)z&Attempt to load CA certs from certifi.ztlsAllowInvalidCertificates is False but no system CA certificates could be loaded. Please install the certifi package, or provide a path to a CA file using the tlsCAFile optionN) _HAVE_CERTIFIrcertifiwhere_ConfigurationErrorrerrr _load_certifiCs zSSLContext._load_certifistr)storer cCsj|j}|dk sttjjj}t|D]:\}}}|dkr*|dksL||kr*|t j t |q*dS)z2Attempt to load CA certs from Windows trust store.Nx509_asnT)riZget_cert_storer _stdlibsslPurpose SERVER_AUTHoidenum_certificatesZadd_cert_cryptoZX509Zfrom_cryptographyx509Zload_der_x509_certificate)r3rZ cert_storercertencodingtrustrrr_load_wincertsOs   zSSLContext._load_wincertscCsbtjdkrBzdD]}||qWqTtk r>|YqTXntjdkrT||jdS)z7A PyOpenSSL version of load_default_certs from CPython.win32)CAROOTdarwinN)_sysplatformrPermissionErrorrriset_default_verify_paths)r3 storenamerrrload_default_certs\s  zSSLContext.load_default_certscCs|jdS)zmSpecify that the platform provided CA certificates are to be used for verification purposes. N)rirrerrrrlsz#SSLContext.set_default_verify_pathsFTz_socket.socketzOptional[_SSL.Session]r*)r, server_sidedo_handshake_on_connectr-server_hostnamesessionr c st|j||}t}|r$|||dkr6|nD|rRt|sR||d|j t j krr| d|j IdH||r| d|jIdH|jr|dk rddlm} z&t|r| ||n | ||Wn:tjtjfk r} ztt| dW5d} ~ XYnX|SzZWrap an existing Python socket connection and return a TLS socket object. TidnaNr) pyopenssl)r*riasyncioZget_running_loop set_sessionset_accept_stater$set_tlsext_host_namer verify_moder CERT_NONEZrun_in_executor request_ocspset_connect_staterHrxservice_identityrverify_ip_addressverify_hostnameSICertificateErrorSIVerificationErrorrr) r3r,rrr-rrssl_connZlooprr&rrr a_wrap_socketts2       zSSLContext.a_wrap_socketc Cst|j||}|r|||dkr.|n8|rJt|sJ||d|jtj kr^| | |r| |j r|dk rddlm}z&t|r|||n |||Wn8tjtjfk r} ztt| dW5d} ~ XYnX|Sr)r*rirrr$rrrrrrrrHrxrrrrrrrr) r3r,rrr-rrrrr&rrr wrap_sockets0       zSSLContext.wrap_socket)NN)NN)FTTNN)FTTNN)r]r^r_rf __slots__r2propertyrlZ_SSLContext__get_verify_modeZ_SSLContext__set_verify_moderZ_SSLContext__get_check_hostnameZ_SSLContext__set_check_hostnamerxZ$_SSLContext__get_check_ocsp_endpointZ$_SSLContext__set_check_ocsp_endpointrdZ_SSLContext__get_optionsZ_SSLContext__set_optionsoptionsrrrrrrrrrrrrrgsN         7rg)Vrf __future__rrsocketr=sslrsysrtimer9errnorrW ipaddressrr!typingrrrrr r Zcryptography.x509rrZOpenSSLr rAr rZpymongo.errorsr rrZpymongo.ocsp_cacherZpymongo.ocsp_supportrrZpymongo.socket_checkerrr/rZpymongo.write_concernrrrrr ImportErrorZ SSLv23_METHODPROTOCOL_SSLv23 OP_NO_SSLv2 OP_NO_SSLv3OP_NO_COMPRESSIONgetattrrHAS_SNI IS_PYOPENSSLErrorr?rZ VERIFY_NONE CERT_OPTIONALZ VERIFY_PEER CERT_REQUIREDZVERIFY_FAIL_IF_NO_PEER_CERTrwitemsrpr$rBrCZWantX509LookupErrorr;ZBLOCKING_IO_READ_ERRORZBLOCKING_IO_WRITE_ERRORZBLOCKING_IO_LOOKUP_ERRORr)rr*rargrrrrsj                  M