ó ñ1Mc@s×dZdddddgZddlmZmZmZddlZdefd „ƒYZdefd „ƒYZ defd „ƒYZ defd „ƒYZ ddd „ƒYZ e dkrÓddlZejƒndS(s± SSL peer certificate checking routines Copyright (c) 2004-2007 Open Source Applications Foundation. All rights reserved. Copyright 2008 Heikki Toivonen. All rights reserved. tSSLVerificationErrort NoCertificatetWrongCertificatet WrongHosttCheckeriÿÿÿÿ(tutiltEVPtm2NcBseZRS((t__name__t __module__(((s:/usr/lib/python2.7/vendor-packages/M2Crypto/SSL/Checker.pyRscBseZRS((RR (((s:/usr/lib/python2.7/vendor-packages/M2Crypto/SSL/Checker.pyRscBseZRS((RR (((s:/usr/lib/python2.7/vendor-packages/M2Crypto/SSL/Checker.pyRscBseZdd„Zd„ZRS(t commonNamecCsG|dkrtdƒ‚ntj|ƒ||_||_||_dS(sz This exception will be raised if the certificate returned by the peer was issued for a different host than we tried to connect to. This could be due to a server misconfiguration or an active attack. @param expectedHost: The name of the host we expected to find in the certificate. @param actualHost: The name of the host we actually found in the certificate. @param fieldName: The field name where we noticed the error. This should be either 'commonName' or 'subjectAltName'. R tsubjectAltNames@Unknown fieldName, should be either commonName or subjectAltNameN(s commonNamessubjectAltName(t ValueErrorRt__init__t expectedHostt actualHostt fieldName(tselfRRR((s:/usr/lib/python2.7/vendor-packages/M2Crypto/SSL/Checker.pyR s    cCsAd|j|j|jf}t|tƒr=|jdƒ}n|S(Ns<Peer certificate %s does not match host, expected %s, got %stutf8(RRRt isinstancetunicodetencode(Rts((s:/usr/lib/python2.7/vendor-packages/M2Crypto/SSL/Checker.pyt__str__/s (RR R R(((s:/usr/lib/python2.7/vendor-packages/M2Crypto/SSL/Checker.pyRs cBsGeZejdƒZdddd„Zdd„Zd„Zd„Z RS(s^[0-9]+(\.[0-9]+)*$tsha1cCs||_||_||_dS(N(thostt fingerprinttdigest(RRt peerCertHashtpeerCertDigest((s:/usr/lib/python2.7/vendor-packages/M2Crypto/SSL/Checker.pyR ;s  c Cs~|dkrtdƒ‚n|dk r3||_n|jr"|jdkratd|jƒ‚n|jdkr…t|jƒdks©|jdkr¸t|jƒdkr¸tdƒ‚n|jƒ}t j |jƒ}|j |ƒ|j ƒ}t j|ƒt|jdƒkr"td ƒ‚q"n|jrzt}t|_ya|jd ƒjƒ}|j|j|ƒrpt}n*|jrštd |jd |d d ƒ‚nWntk r®nX|szt}d} xt|jƒjtjƒD]Z} t}| jƒjƒ} | s| } n| d| 7} |j|j| ƒrÚt}PqÚqÚW|sMtdƒ‚n|swtd |jd | d dƒ‚qwqzntS(Nspeer did not return certificateRtmd5sunsupported digest "%s"i(i s2peer certificate fingerprint length does not matchis+peer certificate fingerprint does not matchR RRRtt,s!no commonName in peer certificateR (ssha1smd5(tNoneRRRRR tlenRtas_derRt MessageDigesttupdatetfinalRt octx_to_numtinttFalsetuseSubjectAltNameOnlytget_extt get_valuet_splitSubjectAltNametTrueRt LookupErrort get_subjecttget_entries_by_nidRtNID_commonNametget_datatas_textt_match( RtpeerCertRtdertmdRthostValidationPassedR t hasCommonNamet commonNamestentryR ((s:/usr/lib/python2.7/vendor-packages/M2Crypto/SSL/Checker.pyt__call__@s`    $$   !      cCsot|_x_|jdƒD]N}|jƒjƒ}|d dkrt|_|j||dƒrgtSqqWtS(sg >>> check = Checker() >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:my.example.com') True >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:*.example.com') True >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:m*.example.com') True >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:m*ample.com') False >>> check.useSubjectAltNameOnly True >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:m*ample.com, othername:') False >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:m*ample.com, DNS:my.example.org') False >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:m*ample.com, DNS:my.example.com') True >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:my.example.com, DNS:my.example.org') True >>> check.useSubjectAltNameOnly True >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='') False >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='othername:') False >>> check.useSubjectAltNameOnly False R isdns:(R)R*tsplittlowertstripR.R5(RRR tcertHost((s:/usr/lib/python2.7/vendor-packages/M2Crypto/SSL/Checker.pyR-s   cCsÖ|jƒ}|jƒ}||kr(tS|jdƒdkrAtS|jj|ƒsq|jj|jddƒƒrutS|jdƒdkrŽtS|jddƒ}|jddƒ}tj d |ƒj|ƒrÒtStS( s >>> check = Checker() >>> check._match(host='my.example.com', certHost='my.example.com') True >>> check._match(host='my.example.com', certHost='*.example.com') True >>> check._match(host='my.example.com', certHost='m*.example.com') True >>> check._match(host='my.example.com', certHost='m*.EXAMPLE.com') True >>> check._match(host='my.example.com', certHost='m*ample.com') False >>> check._match(host='my.example.com', certHost='*.*.com') False >>> check._match(host='1.2.3.4', certHost='1.2.3.4') True >>> check._match(host='1.2.3.4', certHost='*.2.3.4') False >>> check._match(host='1234', certHost='1234') True t*iRs\iÿÿÿÿt.s\.s[^\.]*s^%s$( R?R.tcountR)tnumericIpMatchtmatchtreplacetfindtretcompile(RRRA((s:/usr/lib/python2.7/vendor-packages/M2Crypto/SSL/Checker.pyR5§s    N( RR RIRJRER!R R=R-R5(((s:/usr/lib/python2.7/vendor-packages/M2Crypto/SSL/Checker.pyR7s  ? (t__main__((t__doc__t__all__tM2CryptoRRRRIt ExceptionRRRRRRtdoctestttestmod(((s:/usr/lib/python2.7/vendor-packages/M2Crypto/SSL/Checker.pyts   §