S9i\?tdZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl m Z mZmZmZmZmZmZmZmZmZej.dej0ZddZ ddZdd Zdd Zd d Z d! d"d Zd#d Z d$dZ!d$dZ"d%dZ# d&dZ$d'dZ%ddddddZ&d(dZ'GddZ(y))a Low-level helpers for the SecureTransport bindings. These are Python functions that are not directly related to the high-level APIs but are necessary to get them to work. They include a whole bunch of low-level CoreFoundation messing about and memory management. The concerns in this module are almost entirely about trying to avoid memory leaks and providing appropriate and useful assistance to the higher-level code. ) annotationsN) CFArrayCFConstCFData CFDictionaryCFMutableArrayCFString CFTypeRefCoreFoundationSecKeychainRefSecuritys;-----BEGIN CERTIFICATE----- (.*?) -----END CERTIFICATE-----c^tjtj|t|S)zv Given a bytestring, create a CFData object from it. This CFData object must be CFReleased by the caller. )r CFDataCreatekCFAllocatorDefaultlen) bytestrings L/usr/lib/python3/dist-packages/urllib3/contrib/_securetransport/low_level.py_cf_data_from_bytesr)s(  & &**JJ ct|}d|D}d|D}tj|z|}tj|z|}tjtj|||tj tj S)zK Given a list of Python tuples, create an associated CFDictionary. c3&K|] }|d yw)rN.0ts r z-_cf_dictionary_from_tuples..<s !QAaD !c3&K|] }|d yw)rNrrs rrz-_cf_dictionary_from_tuples..=s #qad #r)rr r CFDictionaryCreaterkCFTypeDictionaryKeyCallBackskCFTypeDictionaryValueCallBacks)tuplesdictionary_sizekeysvaluescf_keys cf_valuess r_cf_dictionary_from_tuplesr)3s &kO "& !D #F #F''/9DAG))O;fEI  , ,**4466  rctj|}tjtj|t j }|S)zi Given a Python binary data, create a CFString. The string must be CFReleased by the caller. )ctypesc_char_pr CFStringCreateWithCStringrrkCFStringEncodingUTF8)py_bstrc_strcf_strs r_cfstrr2Ks> OOG $E  5 5** %%F Mrcd} tjtjdtjtj }|s t d|D]F}t|}|s t d tj||tj|H |S#tj|wxYw#t$r5}|rtj|tjd|dd}~wwxYw)z Given a list of Python binary data, create an associated CFMutableArray. The array must be CFReleased by the caller. Raises an ssl.SSLError on failure. NrUnable to allocate memory!zUnable to allocate array: ) r CFArrayCreateMutablerr+byrefkCFTypeArrayCallBacks MemoryErrorr2CFArrayAppendValue CFRelease BaseExceptionsslSSLError)lstcf_arritemr1es r_create_cfstring_arrayrBYsFG44  . . LL== >  :; ; 1DD\F!">?? 111&&A((0 1 M ((0 G   $ $V ,ll7s;<$FGs0A0B?5B% B?%B<<B?? C=0C88C=ctj|tjtj}t j |t j}|Ttjd}t j||dt j}|s td|j}||jd}|S)z Creates a Unicode string from a CFString object. Used entirely for error reporting. Yes, it annoys me quite a lot that this function is this complex. iz'Error copying C string from CFStringRefutf-8) r+castPOINTERc_void_pr CFStringGetCStringPtrrr.create_string_bufferCFStringGetCStringOSErrorvaluedecode)rLvalue_as_void_pstringbufferresults r_cf_string_to_unicoderRxskk%)HIO  1 166F~,,T222 VT7+H+H CD D w' Mrc|dk(rytj|d}t|}tj|||dk(rd|}|t j }||)z[ Checks the return code and throws an exception if there is an error to report rNz OSStatus )rSecCopyErrorMessageStringrRr r:r<r=)errorexception_classcf_error_stringoutputs r_assert_no_errorrZsi z88EO "? 3F_- ~2UG$,, & !!rc6|jdd}tj|Dcgc]&}tj|j d(}}|st jdtjtjdtjtj}|st jd |D]}t|}|st jdtj tj|}tj"||st jdtj$||tj"| |Scc}w#t&$rtj"|wxYw)z Given a bundle of certs in PEM format, turns them into a CFArray of certs that can be used to validate a cert chain. s  rzNo root certificates specifiedrr4zUnable to build cert object!)replace _PEM_CERTS_REfinditerbase64 b64decodegroupr<r=r r5rr+r6r7rrSecCertificateCreateWithDatar:r9 Exception) pem_bundlematch der_certs cert_array der_bytescertdatacerts r_cert_array_from_pemrlsh ##GU3J7D6L6LZ6X-2Q(I ll;<<44**  ^99:J ll788" +I*95Hll#?@@8822HD  $ $X .ll#ABB  - -j$ ?  $ $T * +( G8    , s+E3 B$E88 FcZtj}tj||k(S)z= Returns True if a given CFTypeRef is a certificate. )rSecCertificateGetTypeIDr CFGetTypeIDr@expecteds r_is_certrrs(//1H  % %d +x 77rcZtj}tj||k(S)z; Returns True if a given CFTypeRef is an identity. )rSecIdentityGetTypeIDr rorps r _is_identityrus(,,.H  % %d +x 77rc tjd}tj|ddj d}tj|dd}t j }tjj||jd}tj}tj|t||ddtj|}t!|||fS)a This function creates a temporary Mac keychain that we can use to work with credentials. This keychain uses a one-time password and a temporary file to store the data. We expect to have one keychain per socket. The returned SecKeychainRef must be freed by the caller, including calling SecKeychainDelete. Returns a tuple of the SecKeychainRef and the path to the temporary directory that contains it. (NrDF)osurandomr` b16encoderMtempfilemkdtemppathjoinencoderr SecKeychainCreaterr+r6rZ) random_bytesfilenamepassword tempdirectory keychain_pathkeychainstatuss r_temporary_keychainrs"::b>L Ra 0188AH QR 01H$$&MGGLL9@@IM&&(H  ' 's8}htV\\(=SFV ] ""rc g}g}d}t|d5}|j}ddd tjtjt |}tj }tj|ddddd|tj|}t|tj|} t| D]} tj|| } tj| tj } t#| r'tj$| |j'| ot)| s{tj$| |j'|  |rtj*|tj*|||fS#1swY{xYw#|rtj*|tj*wxYw)z Given a single file, loads all the trust objects from it into arrays and the keychain. Returns a tuple of lists: the first list is a list of identities, the second a list of certs. Nrbr)openreadr rrr CFArrayRefr SecItemImportr+r6rZCFArrayGetCountrangeCFArrayGetValueAtIndexrEr rrCFRetainappendrur:) rr~ certificates identities result_arrayf raw_filedatafiledatarQ result_countindexr@s r_load_items_from_filer sLJL dD  Qvvx  $+!..  . . c,>O &002 ''       LL &    &55lC <( (E!88uMD;;t^%=%=>D~''-##D)d#''-!!$' (   $ $\ 2  *  %%S  H   $ $\ 2  *sFDF*(F*F'*.GcPg}g}d|D} |D]3}t||\}}|j||j|5|stj}tj||dt j |} t| |j|tj|jdtjtjdt j tj} tj ||D]} tj"| | | tj ||D]} tj| S#tj ||D]} tj| wxYw)z Load certificates and maybe keys from a number of files. Has the end goal of returning a CFArray containing one SecIdentityRef, and then zero or more SecCertificateRef objects, suitable for use as a client certificate trust chain. c3&K|] }|s| ywNr)rr~s rrz*_load_client_cert_chain..fs5td5sr)rextendrSecIdentityRef SecIdentityCreateWithCertificater+r6rZrr r:popr5rr7 itertoolschainr9) rpathsrrfiltered_paths file_pathnew_identities new_certs new_identityr trust_chainr@objs r_load_client_cert_chainrBs|@LJ6u5N"*' +I(=h (R %NI   n -    * +#224L>>,q/6<< +EF V $   l +  $ $\%5%5a%8 9%99  . . LL== > OOJ = AD  - -k4 @ A ??:|< *C  $ $S ) *9??:|< *C  $ $S ) *s D3E332F%)r)r)rr)rr)rr)SSLv2SSLv3TLSv1zTLSv1.1zTLSv1.2ct|\}}d}d}tjd||}t|}d}tjd|||||z}|S)z6 Builds a TLS alert record for an unknown CA. r0z>BBz>BBBH)TLS_PROTOCOL_VERSIONSstructpackr) versionver_majver_minseverity_fataldescription_unknown_camsgmsg_lenrecord_type_alertrecords r_build_tls_unknown_ca_alertrsb-W5GWN! ++e^-C DC#hG [["3Wgw ORU UF MrceZdZdZdZdZdZdZdZdZ dZ d Z dZ dZ dZdZdZd ZdZd Zd ZdZd ZdZdZdZdZdZdZdZdZdZdZ dZ!dZ"dZ#dZ$dZ%dZ&dZ'dZ(d Z)d!Z*d"Z+y#)$ SecurityConstzU A class object that acts as essentially a namespace for Security constants. rrrrx iriiiiiiiiiiiiiiiiiii iQi,iRN),__name__ __module__ __qualname____doc__"kSSLSessionOptionBreakOnServerAuth kSSLProtocol2 kSSLProtocol3 kTLSProtocol1kTLSProtocol11kTLSProtocol12kTLSProtocol13kTLSProtocolMaxSupportedkSSLClientSidekSSLStreamTypekSecFormatPEMSequencekSecTrustResultInvalidkSecTrustResultProceedkSecTrustResultDenykSecTrustResultUnspecified&kSecTrustResultRecoverableTrustFailure kSecTrustResultFatalTrustFailurekSecTrustResultOtherErrorerrSSLProtocolerrSSLWouldBlockerrSSLClosedGracefulerrSSLClosedNoNotifyerrSSLClosedAborterrSSLXCertChainInvalid errSSLCryptoerrSSLInternalerrSSLCertExpirederrSSLCertNotYetValiderrSSLUnknownRootCerterrSSLNoRootCerterrSSLHostNameMismatcherrSSLPeerHandshakeFailerrSSLPeerUserCancellederrSSLWeakPeerEphemeralDHKeyerrSSLServerAuthCompletederrSSLRecordOverflowerrSecVerifyFailederrSecNoTrustSettingserrSecItemNotFounderrSecInvalidTrustSettingsrrrrrs*+&MMMNNN"NN!"-.*'($ !N  #LN!!"###( % "!'rr)rbytesreturnr)r#z#list[tuple[typing.Any, typing.Any]]rr)r/rrr )r>z list[bytes]rr )rLr r str | Noner)rVintrWztype[BaseException] | NonerNone)rerrr)r@r rbool)rztuple[SecKeychainRef, str])rr r~strrz'tuple[list[CFTypeRef], list[CFTypeRef]])rr rrrr)rrrr))r __future__rr`r+rryrer<rr|typingbindingsrrrrr r r r r rcompileDOTALLr^rr)r2rBrRrZrlrrrurrrrrrrrrrs#       Dbii  /0 >4?C" "!;" ".+\88 #F6&6&$'6&,6&rH*X    6(6(r