§ LÜd\?ãóP—dZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddlZddlm Z mZmZmZmZmZmZmZmZmZejdej¦«Zdd„Zd?d„Zd@d„Z dAdBd„ZdCd"„Z dDd&„Z!dDd'„Z"dEd)„Z#dFd/„Z$dGd1„Z%d2d3d4d5d6d7œZ&dHd9„Z'Gd:„d;¦«Z(dS)Ia¦ Low-level helpers for the SecureTransport bindings. These are Python functions that are not directly related to the high-level APIs but are necessary to get them to work. They include a whole bunch of low-level CoreFoundation messing about and memory management. The concerns in this module are almost entirely about trying to avoid memory leaks and providing appropriate and useful assistance to the higher-level code. é)ÚannotationsNé) ÚCFArrayÚCFConstÚCFDataÚCFDictionaryÚCFMutableArrayÚCFStringÚ CFTypeRefÚCoreFoundationÚSecKeychainRefÚSecuritys;-----BEGIN CERTIFICATE----- (.*?) -----END CERTIFICATE-----Ú bytestringÚbytesÚreturnrcó\—tjtj|t|¦«¦«S)zv Given a bytestring, create a CFData object from it. This CFData object must be CFReleased by the caller. )rÚCFDataCreateÚkCFAllocatorDefaultÚlen)rs úPF:\djangOuth\env\Lib\site-packages\urllib3/contrib/_securetransport/low_level.pyÚ_cf_data_from_bytesr)s)€õ Ô&ÝÔ*¨J½¸J¹¼ñôðóÚtuplesú#list[tuple[typing.Any, typing.Any]]rcó—t|¦«}d„|D¦«}d„|D¦«}tj|z|Ž}tj|z|Ž}tjtj|||tjtj¦«S)zK Given a list of Python tuples, create an associated CFDictionary. c3ó&K—|]}|dV—Œ dS)rN©©Ú.0Úts rú z-_cf_dictionary_from_tuples..<s&èè€Ð!Ð!QˆAˆaŒDÐ!Ð!Ð!Ð!Ð!Ð!rc3ó&K—|]}|dV—Œ dS)rNrrs rr!z-_cf_dictionary_from_tuples..=s&èè€Ð #Ð #qˆaŒdÐ #Ð #Ð #Ð #Ð #Ð #r)rrrÚCFDictionaryCreaterÚkCFTypeDictionaryKeyCallBacksÚkCFTypeDictionaryValueCallBacks)rÚdictionary_sizeÚkeysÚvaluesÚcf_keysÚ cf_valuess rÚ_cf_dictionary_from_tuplesr+3s‹€õ˜&‘k”k€Oð"Ð!˜&Ð!Ñ!Ô!€DØ #Ð #˜FÐ #Ñ #Ô #€FÝÔ'¨/Ñ9¸DÐA€GÝÔ)¨OÑ;¸fÐE€IåÔ,ÝÔ*ØØØÝÔ4ÝÔ6ñ ôðrÚpy_bstrr có‚—tj|¦«}tjtj|t j¦«}|S)zi Given a Python binary data, create a CFString. The string must be CFReleased by the caller. )ÚctypesÚc_char_prÚCFStringCreateWithCStringrrÚkCFStringEncodingUTF8)r,Úc_strÚcf_strs rÚ_cfstrr4Ks;€õ ŒO˜GÑ$Ô$€EÝ Ô 5ÝÔ*Ø ÝÔ%ñô€Fð €MrÚlstúlist[bytes]r cóø—d} tjtjdtjtj¦«¦«}|st d¦«‚|D]e}t|¦«}|st d¦«‚ tj||¦«tj |¦«ŒM#tj |¦«wxYwn@#t$r3}|rtj |¦«tjd|›¦«d‚d}~wwxYw|S)zª Given a list of Python binary data, create an associated CFMutableArray. The array must be CFReleased by the caller. Raises an ssl.SSLError on failure. NrúUnable to allocate memory!zUnable to allocate array: ) rÚCFArrayCreateMutablerr.ÚbyrefÚkCFTypeArrayCallBacksÚMemoryErrorr4ÚCFArrayAppendValueÚ CFReleaseÚ BaseExceptionÚsslÚSSLError)r5Úcf_arrÚitemr3Úes rÚ_create_cfstring_arrayrEYs-€ð€FðGÝÔ4ÝÔ.Ø ÝŒLÔ=Ñ>Ô>ñ ô ˆð ð <ÝÐ:Ñ;Ô;Ð;Øð 1ð 1ˆDÝ˜D‘\”\ˆFØð @Ý!Ð">Ñ?Ô?Ð?ð 1ÝÔ1°&¸&ÑAÔAÐAåÔ(¨Ñ0Ô0Ð0Ð0ø•Ô(¨Ñ0Ô0Ð0Ð0øøøð 1øõðGðGðGØð -ÝÔ$ VÑ,Ô,Ð,ÝŒlÐ;¸Ð;Ð;Ñ<Ô<À$ÐFøøøøðGøøøð€Ms0„A1B:Á6B ÂB:Â B6Â6B:Â: C7Ã.C2Ã2C7Úvalueú str | Nonecór—tj|tjtj¦«¦«}t j|tj¦«}|€Mtjd¦«}t j ||dtj¦«}|std¦«‚|j}|| d¦«}|S)z¨ Creates a Unicode string from a CFString object. Used entirely for error reporting. Yes, it annoys me quite a lot that this function is this complex. Niz'Error copying C string from CFStringRefúutf-8) r.ÚcastÚPOINTERÚc_void_prÚCFStringGetCStringPtrrr1Úcreate_string_bufferÚCFStringGetCStringÚOSErrorrFÚdecode)rFÚvalue_as_void_pÚstringÚbufferÚresults rÚ_cf_string_to_unicoderVxs€õ”k %¬½¼Ñ)HÔ)HÑIÔI€Oå Ô 1ØÔ6ñô€Fð€~ÝÔ,¨TÑ2Ô2ˆÝÔ2Ø˜V T7Ô+Hñ ô ˆðð EÝÐCÑDÔDÐDØ”ˆØ ÐØ—’˜wÑ'Ô'ˆØ€MrÚerrorÚintÚexception_classútype[BaseException] | NoneÚNonecóÎ—|dkrdStj|d¦«}t|¦«}tj|¦«||dkrd|›}|€t j}||¦«‚)z[ Checks the return code and throws an exception if there is an error to report rNÚz OSStatus )rÚSecCopyErrorMessageStringrVrr>r@rA)rWrYÚcf_error_stringÚoutputs rÚ_assert_no_errorra‘sy€ð ‚z€zØˆåÔ8¸ÀÑEÔE€OÝ " ?Ñ 3Ô 3€FÝÔ˜_Ñ-Ô-Ð-à €~˜ 2š˜Ø$˜UÐ$Ð$ˆàÐÝœ,ˆà ˆ/˜&Ñ !Ô !Ð!rÚ pem_bundlercóÌ—| dd¦«}d„t |¦«D¦«}|stjd¦«‚tjt jdtj t j ¦«¦«}|stjd¦«‚ |D]™}t|¦«}|stjd¦«‚tj t j|¦«}tj|¦«|stjd¦«‚tj||¦«tj|¦«Œšn##t $rtj|¦«‚wxYw|S)z‚ Given a bundle of certs in PEM format, turns them into a CFArray of certs that can be used to validate a cert chain. s ó có\—g|])}tj| d¦«¦«‘Œ*S)r)Úbase64Ú b64decodeÚgroup)rÚmatchs rú z(_cert_array_from_pem..°s:€ðððØ-2Ô˜Ÿš Q™œÑ(Ô(ðððrzNo root certificates specifiedrr8zUnable to build cert object!)ÚreplaceÚ _PEM_CERTS_REÚfinditerr@rArr9rr.r:r;rrÚSecCertificateCreateWithDatar>r=Ú Exception)rbÚ der_certsÚ cert_arrayÚ der_bytesÚcertdataÚcerts rÚ_cert_array_from_pemru¨s€ð×#Ò# G¨UÑ3Ô3€JððÝ6C×6LÒ6LÈZÑ6XÔ6Xðñô€Iðð=ÝŒlÐ;Ñ<Ô<Ð<åÔ4ÝÔ*Ø ÝŒ•^Ô9Ñ:Ô:ñô€Jð ð9ÝŒlÐ7Ñ8Ô8Ð8ðØ"ð +ð +ˆIÝ*¨9Ñ5Ô5ˆHØð AÝ”lÐ#?Ñ@Ô@Ð@ÝÔ8ÝÔ2°HñôˆDõ Ô$ XÑ.Ô.Ð.Øð CÝ”lÐ#AÑBÔBÐBåÔ-¨j¸$Ñ?Ô?Ð?ÝÔ$ TÑ*Ô*Ð*Ð*ð +øõðððõ Ô Ñ,Ô,Ð,Ø ðøøøðÐs Â$BEÅ E!rCrÚboolcóX—tj¦«}tj|¦«|kS)z= Returns True if a given CFTypeRef is a certificate. )rÚSecCertificateGetTypeIDrÚCFGetTypeID©rCÚexpecteds rÚ_is_certr|Ös(€õÔ/Ñ1Ô1€HÝÔ% dÑ+Ô+¨xÒ7Ð7rcóX—tj¦«}tj|¦«|kS)z; Returns True if a given CFTypeRef is an identity. )rÚSecIdentityGetTypeIDrryrzs rÚ_is_identityrÞs(€õÔ,Ñ.Ô.€HÝÔ% dÑ+Ô+¨xÒ7Ð7rútuple[SecKeychainRef, str]c ó—tjd¦«}tj|dd…¦« d¦«}tj|dd…¦«}tj¦«}tj ||¦« d¦«}tj¦«}tj|t|¦«|ddtj|¦«¦«}t!|¦«||fS)a³ This function creates a temporary Mac keychain that we can use to work with credentials. This keychain uses a one-time password and a temporary file to store the data. We expect to have one keychain per socket. The returned SecKeychainRef must be freed by the caller, including calling SecKeychainDelete. Returns a tuple of the SecKeychainRef and the path to the temporary directory that contains it. é(NérIF)ÚosÚurandomrfÚ b16encoderQÚtempfileÚmkdtempÚpathÚjoinÚencoderr ÚSecKeychainCreaterr.r:ra)Úrandom_bytesÚfilenameÚpasswordÚ tempdirectoryÚ keychain_pathÚkeychainÚstatuss rÚ_temporary_keychainr”æsÞ€õ"”:˜b‘>”>€LÝÔ ¨R¨a¨RÔ 0Ñ1Ô1×8Ò8¸ÑAÔA€HÝÔ ¨Q¨R¨RÔ 0Ñ1Ô1€HÝÔ$Ñ&Ô&€Må”G—L’L °Ñ9Ô9×@Ò@ÀÑIÔI€MõÔ&Ñ(Ô(€HÝ Ô 'Ø•s˜8‘}”} h°°t½V¼\È(Ñ=SÔ=Sñô€FõVÑÔÐð]Ð"Ð"rr’r r‰Ústrú'tuple[list[CFTypeRef], list[CFTypeRef]]cóÔ—g}g}d}t|d¦«5}| ¦«}ddd¦«n#1swxYwY tjtj|t|¦«¦«}tj¦«}tj|ddddd|tj |¦«¦«}t|¦«tj|¦«} t| ¦«D]§} tj|| ¦«}tj|tj¦«}t#|¦«r*tj|¦«| |¦«Œot)|¦«r)tj|¦«| |¦«Œ¨ |rtj|¦«tj|¦«n/#|rtj|¦«tj|¦«wxYw||fS)zÊ Given a single file, loads all the trust objects from it into arrays and the keychain. Returns a tuple of lists: the first list is a list of identities, the second a list of certs. NÚrbr)ÚopenÚreadrrrrÚ CFArrayRefrÚ SecItemImportr.r:raÚCFArrayGetCountÚrangeÚCFArrayGetValueAtIndexrJrr|ÚCFRetainÚappendrr>)r’r‰ÚcertificatesÚ identitiesÚresult_arrayÚfÚraw_filedataÚfiledatarUÚresult_countÚindexrCs rÚ_load_items_from_filerª s,€ð€LØ€JØ€Lå ˆdDÑ Ô ð ˜QØ—v’v‘x”xˆð ð ð ñ ô ð ð ð ð ð ð øøøð ð ð ð ð$+Ý!Ô.ÝÔ.°½cÀ,Ñ>OÔ>Oñ ô ˆõ&Ô0Ñ2Ô2ˆÝÔ'ØØØØØ ØØÝŒL˜Ñ&Ô&ñ ô ˆõ ˜Ñ Ô Ð õ&Ô5°lÑCÔCˆÝ˜<Ñ(Ô(ð (ð (ˆEÝ!Ô8¸ÀuÑMÔMˆDÝ”;˜t¥^Ô%=Ñ>Ô>ˆDå˜‰~Œ~ð (ÝÔ'¨Ñ-Ô-Ð-Ø×#Ò# DÑ)Ô)Ð)Ð)Ý˜dÑ#Ô#ð (ÝÔ'¨Ñ-Ô-Ð-Ø×!Ò! $Ñ'Ô'Ð'øð (ðð 3ÝÔ$ \Ñ2Ô2Ð2åÔ Ñ*Ô*Ð*Ð*øðð 3ÝÔ$ \Ñ2Ô2Ð2åÔ Ñ*Ô*Ð*Ð*øøøà˜Ð%Ð%s—8¸<¿<ÁEF7Æ7,G#ÚpathscóT—g}g}d„|D¦«} |D]?}t||¦«\}}| |¦«| |¦«Œ@|sŒtj¦«}tj||dtj|¦«¦«} t| ¦«| |¦«tj | d¦«¦«tjtj dtjtj¦«¦«} tj||¦«D]}tj| |¦«Œ| tj||¦«D]}tj |¦«ŒS#tj||¦«D]}tj |¦«ŒwxYw)zü Load certificates and maybe keys from a number of files. Has the end goal of returning a CFArray containing one SecIdentityRef, and then zero or more SecCertificateRef objects, suitable for use as a client certificate trust chain. c3óK—|]}|¯|V—Œ dS©Nr)rr‰s rr!z*_load_client_cert_chain..fs'èè€Ð5Ð5˜t°Ð5dÐ5Ð5Ð5Ð5Ð5Ð5rr)rªÚextendrÚSecIdentityRefÚ SecIdentityCreateWithCertificater.r:rar¡rr>Úpopr9rr;Ú itertoolsÚchainr=) r’r«r¢r£Úfiltered_pathsÚ file_pathÚnew_identitiesÚ new_certsÚnew_identityr“Útrust_chainrCÚobjs rÚ_load_client_cert_chainr¼BsÍ€ð@€LØ€Jð6Ð5 uÐ5Ñ5Ô5€Nð"*Ø'ð +ð +ˆIÝ(=¸hÈ Ñ(RÔ(RÑ%ˆN˜IØ×Ò˜nÑ-Ô-Ð-Ø×Ò Ñ*Ô*Ð*Ð*ðð :Ý#Ô2Ñ4Ô4ˆLÝÔ>Ø˜, qœ/6¬<¸Ñ+EÔ+EñôˆFõ ˜VÑ$Ô$Ð$Ø×Ò˜lÑ+Ô+Ð+õ Ô$ \×%5Ò%5°aÑ%8Ô%8Ñ9Ô9Ð9õ%Ô9ÝÔ.Ø ÝŒLÔ=Ñ>Ô>ñ ô ˆõ ”O J°Ñ=Ô=ð Að AˆDõ Ô-¨k¸4Ñ@Ô@Ð@Ð@àå”? :¨|Ñ<Ô<ð *ð *ˆCÝÔ$ SÑ)Ô)Ð)Ð)ð *ø•9”? :¨|Ñ<Ô<ð *ð *ˆCÝÔ$ SÑ)Ô)Ð)Ð)ð *øøøs’D:E9Å9.F')ré)ér)r¾r)r¾r½)r¾r¾)ÚSSLv2ÚSSLv3ÚTLSv1zTLSv1.1zTLSv1.2Úversioncó²—t|\}}d}d}tjd||¦«}t|¦«}d}tjd||||¦«|z}|S)z6 Builds a TLS alert record for an unknown CA. r½é0z>BBéz>BBBH)ÚTLS_PROTOCOL_VERSIONSÚstructÚpackr) rÂÚver_majÚver_minÚseverity_fatalÚdescription_unknown_caÚmsgÚmsg_lenÚrecord_type_alertÚrecords rÚ_build_tls_unknown_ca_alertrÑ–sf€õ-¨WÔ5Ñ€GˆWØ€NØ!ÐÝ Œ+e˜^Ð-CÑ DÔ D€CÝ#‰hŒh€GØÐÝ Œ[˜Ð"3°W¸gÀwÑ OÔ OÐRUÑ U€FØ€Mrcó²—eZdZdZdZdZdZdZdZdZ dZ d ZdZdZ dZdZdZd ZdZdZdZdZd ZdZdZdZdZdZdZdZdZdZdZ dZ!dZ"dZ#dZ$dZ%dZ&dZ'dZ(d Z)d!Z*d"Z+d#S)$Ú SecurityConstzU A class object that acts as essentially a namespace for Security constants. rrr½éérƒé içr¾ééi¸ÙÿÿiµÙÿÿi³Ùÿÿi¨Ùÿÿi²Ùÿÿi±Ùÿÿi¯Ùÿÿi®ÙÿÿiªÙÿÿi©Ùÿÿi¬Ùÿÿi«ÙÿÿiÙÿÿi Ùÿÿi‘Ùÿÿi†ÙÿÿiÙÿÿi‰Ùÿÿi ÷þÿiQÿÿi,ÿÿiRÿÿN),Ú__name__Ú __module__Ú__qualname__Ú__doc__Ú"kSSLSessionOptionBreakOnServerAuthÚ kSSLProtocol2Ú kSSLProtocol3Ú kTLSProtocol1ÚkTLSProtocol11ÚkTLSProtocol12ÚkTLSProtocol13ÚkTLSProtocolMaxSupportedÚkSSLClientSideÚkSSLStreamTypeÚkSecFormatPEMSequenceÚkSecTrustResultInvalidÚkSecTrustResultProceedÚkSecTrustResultDenyÚkSecTrustResultUnspecifiedÚ&kSecTrustResultRecoverableTrustFailureÚ kSecTrustResultFatalTrustFailureÚkSecTrustResultOtherErrorÚerrSSLProtocolÚerrSSLWouldBlockÚerrSSLClosedGracefulÚerrSSLClosedNoNotifyÚerrSSLClosedAbortÚerrSSLXCertChainInvalidÚerrSSLCryptoÚerrSSLInternalÚerrSSLCertExpiredÚerrSSLCertNotYetValidÚerrSSLUnknownRootCertÚerrSSLNoRootCertÚerrSSLHostNameMismatchÚerrSSLPeerHandshakeFailÚerrSSLPeerUserCancelledÚerrSSLWeakPeerEphemeralDHKeyÚerrSSLServerAuthCompletedÚerrSSLRecordOverflowÚerrSecVerifyFailedÚerrSecNoTrustSettingsÚerrSecItemNotFoundÚerrSecInvalidTrustSettingsrrrrÓrÓ¤s€€€€€ððð*+Ð&à€MØ€MØ€MØ€NØ€Nà€NØ"Ðà€NØ€NàÐàÐØÐðÐØ!"ÐØ-.Ð*Ø'(Ð$Ø !Ðà€NØÐØ ÐØ ÐØÐà#ÐØ€LØ€NØÐØ!ÐØ!ÐØÐØ"ÐØ#ÐØ#ÐØ#(Ð Ø %ÐØ ÐàÐØ"ÐØÐØ!'ÐÐÐrrÓ)rrrr)rrrr)r,rrr )r5r6rr )rFr rrGr®)rWrXrYrZrr[)rbrrr)rCrrrv)rr€)r’r r‰r•rr–)r’r r«rGrr)rÂr•rr))rÜÚ __future__rrfr.r³r„Úrer@rÇr‡ÚtypingÚbindingsrrrrr r rrr rÚcompileÚDOTALLrlrr+r4rErVrarur|rr”rªr¼rÆrÑrÓrrrúrsrðððð#Ð"Ð"Ð"Ð"Ð"à € € € Ø € € € ØÐÐÐØ € € € Ø € € € Ø € € € Ø € € € Ø€€€Ø € € € ððððððððððððððððððððððððð” ØDÀbÄiñô€ ð ðððððððð0ðððððððð>ðððð4?Cð"ð"ð"ð"ð"ð.+ð+ð+ð+ð\8ð8ð8ð8ð8ð8ð8ð8ð #ð #ð #ð #ðF6&ð6&ð6&ð6&ðrH*ðH*ðH*ðH*ðXØ Ø ØØððÐððððð6(ð6(ð6(ð6(ð6(ñ6(ô6(ð6(ð6(ð6(r