Compiled module: /usr/lib/python2.6/vendor-packages/M2Crypto/SSL/Checker.py

Module docstring:

    SSL peer certificate checking routines

    Copyright (c) 2004-2007 Open Source Applications Foundation.
    All rights reserved.

    Copyright 2008 Heikki Toivonen. All rights reserved.

Exported names (__all__): SSLVerificationError, NoCertificate, WrongCertificate, WrongHost, Checker

WrongHost.__init__ docstring:

    This exception will be raised if the certificate returned by the
    peer was issued for a different host than we tried to connect to.
    This could be due to a server misconfiguration or an active attack.

    @param expectedHost: The name of the host we expected to find in the
                         certificate.
    @param actualHost:   The name of the host we actually found in the
                         certificate.
    @param fieldName:    The field name where we noticed the error. This
                         should be either 'commonName' or 'subjectAltName'.

Message strings in the module:

    Unknown fieldName, should be either commonName or subjectAltName
    Peer certificate %s does not match host, expected %s, got %s
    peer did not return certificate
    unsupported digest "%s"
    peer certificate fingerprint length does not match
    peer certificate fingerprint does not match
    no commonName in peer certificate

Checker.numericIpMatch pattern: ^[0-9]+(\.[0-9]+)*$

Checker._splitSubjectAltName docstring (doctests):

    >>> check = Checker()
    >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:my.example.com')
    True
    >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:*.example.com')
    True
    >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:m*.example.com')
    True
    >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:m*ample.com')
    False
    >>> check.useSubjectAltNameOnly
    True
    >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:m*ample.com, othername:')
    False
    >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:m*ample.com, DNS:my.example.org')
    False
    >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:m*ample.com, DNS:my.example.com')
    True
    >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:my.example.com, DNS:my.example.org')
    True
    >>> check.useSubjectAltNameOnly
    True
    >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='')
    False
    >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='othername:')
    False
    >>> check.useSubjectAltNameOnly
    False

Checker._match docstring (doctests):

    >>> check = Checker()
    >>> check._match(host='my.example.com', certHost='my.example.com')
    True
    >>> check._match(host='my.example.com', certHost='*.example.com')
    True
    >>> check._match(host='my.example.com', certHost='m*.example.com')
    True
    >>> check._match(host='my.example.com', certHost='m*.EXAMPLE.com')
    True
    >>> check._match(host='my.example.com', certHost='m*ample.com')
    False
    >>> check._match(host='my.example.com', certHost='*.*.com')
    False
    >>> check._match(host='1.2.3.4', certHost='1.2.3.4')
    True
    >>> check._match(host='1.2.3.4', certHost='*.2.3.4')
    False
    >>> check._match(host='1234', certHost='1234')
    True