o PJBe\?@s>dZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl m Z mZmZmZmZmZmZmZmZmZedejZdId d ZdJddZdKddZdLddZdMddZ dNdOd$d%ZdPd(d)Z dQd-d.Z!dQd/d0Z"dRd2d3Z#dSd9d:Z$dTdd?d@dAdBdCZ&dUdEdFZ'GdGdHdHZ(dS)Va Low-level helpers for the SecureTransport bindings. These are Python functions that are not directly related to the high-level APIs but are necessary to get them to work. They include a whole bunch of low-level CoreFoundation messing about and memory management. The concerns in this module are almost entirely about trying to avoid memory leaks and providing appropriate and useful assistance to the higher-level code. ) annotationsN) CFArrayCFConstCFData CFDictionaryCFMutableArrayCFString CFTypeRefCoreFoundationSecKeychainRefSecuritys;-----BEGIN CERTIFICATE----- (.*?) -----END CERTIFICATE----- bytestringbytesreturnrcCsttj|t|S)zv Given a bytestring, create a CFData object from it. This CFData object must be CFReleased by the caller. )r CFDataCreatekCFAllocatorDefaultlen)rrk/home/www/facesmatcher.com/frenv/lib/python3.10/site-packages/urllib3/contrib/_securetransport/low_level.py_cf_data_from_bytes)s rtuples#list[tuple[typing.Any, typing.Any]]rcCsZt|}dd|D}dd|D}tj||}tj||}ttj|||tjtjS)zK Given a list of Python tuples, create an associated CFDictionary. cs|]}|dVqdS)rNr.0trrr <z-_cf_dictionary_from_tuples..csr)rNrrrrrr=r)rr r ZCFDictionaryCreaterZkCFTypeDictionaryKeyCallBacksZkCFTypeDictionaryValueCallBacks)rZdictionary_sizekeysvaluesZcf_keysZ cf_valuesrrr_cf_dictionary_from_tuples3sr!py_bstrr cCs t|}ttj|tj}|S)zi Given a Python binary data, create a CFString. The string must be CFReleased by the caller. )ctypesc_char_pr ZCFStringCreateWithCStringrrkCFStringEncodingUTF8)r"Zc_strcf_strrrr_cfstrKs r'lst list[bytes]rc Csd}z7ttjdttj}|std|D]}t|}|s#tdz t||Wt |qt |wW|St yU}z|rHt |t d|dd}~ww)z Given a list of Python binary data, create an associated CFMutableArray. The array must be CFReleased by the caller. Raises an ssl.SSLError on failure. NrUnable to allocate memory!zUnable to allocate array: ) r CFArrayCreateMutablerr#byrefkCFTypeArrayCallBacks MemoryErrorr'CFArrayAppendValue CFRelease BaseExceptionsslSSLError)r(Zcf_arritemr&errr_create_cfstring_arrayYs0   r6value str | NonecCsnt|ttj}t|tj}|dur,td}t ||dtj}|s)t d|j }|dur5| d}|S)z Creates a Unicode string from a CFString object. Used entirely for error reporting. Yes, it annoys me quite a lot that this function is this complex. Niz'Error copying C string from CFStringRefutf-8) r#castZPOINTERZc_void_pr ZCFStringGetCStringPtrrr%Zcreate_string_bufferZCFStringGetCStringOSErrorr7decode)r7Zvalue_as_void_pstringbufferresultrrr_cf_string_to_unicodexs   r@errorintexception_classtype[BaseException] | NoneNonecCsZ|dkrdSt|d}t|}t||dus|dkr"d|}|dur)tj}||)z[ Checks the return code and throws an exception if there is an error to report rNz OSStatus )r ZSecCopyErrorMessageStringr@r r0r2r3)rArCZcf_error_stringoutputrrr_assert_no_errors   rH pem_bundlercCs|dd}ddt|D}|stdttjdt tj }|s*tdz1|D]+}t |}|s:tdt tj|}t||sMtdt||t|q-W|Styht|w) z Given a bundle of certs in PEM format, turns them into a CFArray of certs that can be used to validate a cert chain. s  cSsg|] }t|dqS)r)base64 b64decodegroup)rmatchrrr sz(_cert_array_from_pem..zNo root certificates specifiedrr*zUnable to build cert object!)replace _PEM_CERTS_REfinditerr2r3r r+rr#r,r-rr ZSecCertificateCreateWithDatar0r/ Exception)rIZ der_certsZ cert_arrayZ der_bytesZcertdatacertrrr_cert_array_from_pems@          rUr4r boolcCt}t||kS)z= Returns True if a given CFTypeRef is a certificate. )r ZSecCertificateGetTypeIDr CFGetTypeIDr4expectedrrr_is_certr[cCrW)z; Returns True if a given CFTypeRef is an identity. )r ZSecIdentityGetTypeIDr rXrYrrr _is_identityr\r]tuple[SecKeychainRef, str]c Cstd}t|ddd}t|dd}t}tj|| d}t }t |t ||ddt|}t|||fS)a This function creates a temporary Mac keychain that we can use to work with credentials. This keychain uses a one-time password and a temporary file to store the data. We expect to have one keychain per socket. The returned SecKeychainRef must be freed by the caller, including calling SecKeychainDelete. Returns a tuple of the SecKeychainRef and the path to the temporary directory that contains it. (Nr9F)osurandomrK b16encoder<tempfilemkdtemppathjoinencoder r ZSecKeychainCreaterr#r,rH)Z random_bytesfilenamepasswordZ tempdirectoryZ keychain_pathkeychainstatusrrr_temporary_keychains rmrkr rfstr'tuple[list[CFTypeRef], list[CFTypeRef]]c Cs*g}g}d}t|d }|}Wdn1swYzhttj|t|}t}t|ddddd|t |}t |t |} t | D],} t|| } t | tj} t| rht| || qJt| rvt| || qJW|rt|t|||fS|rt|t|w)z Given a single file, loads all the trust objects from it into arrays and the keychain. Returns a tuple of lists: the first list is a list of identities, the second a list of certs. Nrbr)openreadr rrrZ CFArrayRefr Z SecItemImportr#r,rHZCFArrayGetCountrangeZCFArrayGetValueAtIndexr:r r[ZCFRetainappendr]r0) rkrf certificates identitiesZ result_arrayfZ raw_filedataZfiledatar?Z result_countindexr4rrr_load_items_from_file sR               rypathsc Gsg}g}dd|D}ze|D]}t||\}}||||q|sEt}t||dt|} t| ||t | dt t j dtt j} t||D]} t | | qW| Wt||D]} t | qhSt||D]} t | qww)z Load certificates and maybe keys from a number of files. Has the end goal of returning a CFArray containing one SecIdentityRef, and then zero or more SecCertificateRef objects, suitable for use as a client certificate trust chain. css|]}|r|VqdSNr)rrfrrrrfrz*_load_client_cert_chain..r)ryextendr ZSecIdentityRefZ SecIdentityCreateWithCertificater#r,rHrtr r0popr+rr- itertoolschainr/) rkrzrurvZfiltered_paths file_pathZnew_identitiesZ new_certsZ new_identityrlZ trust_chainr4objrrr_load_client_cert_chainBs:       r)r)r)rr)rr)rr)ZSSLv2SSLv3TLSv1zTLSv1.1zTLSv1.2versionc CsHt|\}}d}d}td||}t|}d}td|||||}|S)z6 Builds a TLS alert record for an unknown CA. r0z>BBz>BBBH)TLS_PROTOCOL_VERSIONSstructpackr) rZver_majZver_minZseverity_fatalZdescription_unknown_camsgZmsg_lenZrecord_type_alertrecordrrr_build_tls_unknown_ca_alerts rc@seZdZdZdZdZdZdZdZdZ dZ d Z dZ dZ dZdZdZd ZdZd Zd ZdZd ZdZdZdZdZdZdZdZdZdZdZ dZ!dZ"dZ#dZ$dZ%dZ&dZ'dZ(d Z)d!Z*d"Z+d#S)$ SecurityConstzU A class object that acts as essentially a namespace for Security constants. rrrr` iriiiiiiiiiiiiiiiiiii iQi,iRN),__name__ __module__ __qualname____doc__Z"kSSLSessionOptionBreakOnServerAuthZ kSSLProtocol2Z kSSLProtocol3Z kTLSProtocol1ZkTLSProtocol11ZkTLSProtocol12ZkTLSProtocol13ZkTLSProtocolMaxSupportedZkSSLClientSideZkSSLStreamTypeZkSecFormatPEMSequenceZkSecTrustResultInvalidZkSecTrustResultProceedZkSecTrustResultDenyZkSecTrustResultUnspecifiedZ&kSecTrustResultRecoverableTrustFailureZ kSecTrustResultFatalTrustFailureZkSecTrustResultOtherErrorZerrSSLProtocolZerrSSLWouldBlockZerrSSLClosedGracefulZerrSSLClosedNoNotifyZerrSSLClosedAbortZerrSSLXCertChainInvalidZ errSSLCryptoZerrSSLInternalZerrSSLCertExpiredZerrSSLCertNotYetValidZerrSSLUnknownRootCertZerrSSLNoRootCertZerrSSLHostNameMismatchZerrSSLPeerHandshakeFailZerrSSLPeerUserCancelledZerrSSLWeakPeerEphemeralDHKeyZerrSSLServerAuthCompletedZerrSSLRecordOverflowZerrSecVerifyFailedZerrSecNoTrustSettingsZerrSecItemNotFoundZerrSecInvalidTrustSettingsrrrrrsTr)rrrr)rrrr)r"rrr )r(r)rr)r7r rr8r{)rArBrCrDrrE)rIrrr)r4r rrV)rr^)rkr rfrnrro)rkr rzr8rr)rrnrr))r __future__rrKr#r~rarer2rrdtypingZbindingsrrrrrr r r r r compileDOTALLrQrr!r'r6r@rHrUr[r]rmryrrrrrrrrsH 0      .   # 9L