[Compiled Python bytecode (.pyc) of /usr/lib64/python3.9/ssl.py; only the embedded docstrings are recoverable from the binary. They are reproduced below.]

Module docstring:

This module provides some more Pythonic support for SSL.

Object types:

  SSLSocket -- subtype of socket.socket which does SSL over the socket

Exceptions:

  SSLError -- exception raised for I/O errors

Functions:

  cert_time_to_seconds -- convert time string used for certificate
                          notBefore and notAfter functions to integer
                          seconds past the Epoch (the time values
                          returned from time.time())

  get_server_certificate (addr, ssl_version, ca_certs, timeout) -- Retrieve the
                          certificate from the server at the specified
                          address and return it as a PEM-encoded string

Integer constants:

SSL_ERROR_ZERO_RETURN
SSL_ERROR_WANT_READ
SSL_ERROR_WANT_WRITE
SSL_ERROR_WANT_X509_LOOKUP
SSL_ERROR_SYSCALL
SSL_ERROR_SSL
SSL_ERROR_WANT_CONNECT
SSL_ERROR_EOF
SSL_ERROR_INVALID_ERROR_CODE

The following group define certificate requirements that one side is
allowing/requiring from the other side:

CERT_NONE - no certificates from the other side are required (or will
            be looked at if provided)
CERT_OPTIONAL - certificates are not required, but if provided will be
                validated, and if validation fails, the connection will
                also fail
CERT_REQUIRED - certificates are required, and will be validated, and
                if validation fails, the connection will also fail

The following constants identify various SSL protocol variants:

PROTOCOL_SSLv2
PROTOCOL_SSLv3
PROTOCOL_SSLv23
PROTOCOL_TLS
PROTOCOL_TLS_CLIENT
PROTOCOL_TLS_SERVER
PROTOCOL_TLSv1
PROTOCOL_TLSv1_1
PROTOCOL_TLSv1_2

The following constants identify various SSL alert message descriptions as per
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6

ALERT_DESCRIPTION_CLOSE_NOTIFY
ALERT_DESCRIPTION_UNEXPECTED_MESSAGE
ALERT_DESCRIPTION_BAD_RECORD_MAC
ALERT_DESCRIPTION_RECORD_OVERFLOW
ALERT_DESCRIPTION_DECOMPRESSION_FAILURE
ALERT_DESCRIPTION_HANDSHAKE_FAILURE
ALERT_DESCRIPTION_BAD_CERTIFICATE
ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE
ALERT_DESCRIPTION_CERTIFICATE_REVOKED
ALERT_DESCRIPTION_CERTIFICATE_EXPIRED
ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN
ALERT_DESCRIPTION_ILLEGAL_PARAMETER
ALERT_DESCRIPTION_UNKNOWN_CA
ALERT_DESCRIPTION_ACCESS_DENIED
ALERT_DESCRIPTION_DECODE_ERROR
ALERT_DESCRIPTION_DECRYPT_ERROR
ALERT_DESCRIPTION_PROTOCOL_VERSION
ALERT_DESCRIPTION_INSUFFICIENT_SECURITY
ALERT_DESCRIPTION_INTERNAL_ERROR
ALERT_DESCRIPTION_USER_CANCELLED
ALERT_DESCRIPTION_NO_RENEGOTIATION
ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION
ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE
ALERT_DESCRIPTION_UNRECOGNIZED_NAME
ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE
ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE
ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY

Class docstrings:

_TLSContentType: Content types (record layer). See RFC 8446, section B.1

_TLSAlertType: Alert types for TLSContentType.ALERT messages. See RFC 8466, section B.2

_TLSMessageType: Message types (handshake protocol). See RFC 8446, section B.3

SSLSocket: This class implements a subtype of socket.socket that wraps the underlying OS socket in an SSL context when necessary, and provides read and write methods over that channel.

Function and method docstrings:

create_default_context: Create a SSLContext object with default settings. NOTE: The protocol and settings may change anytime without prior deprecation. The values represent a fair balance between maximum compatibility and security.

_sslcopydoc: Copy docstring from SSLObject to SSLSocket

SSLSocket.read: Read up to LEN bytes and return them. Return zero-length string on EOF.

SSLSocket.write: Write DATA to the underlying SSL channel. Returns number of bytes of DATA actually transmitted.

SSLSocket.sendfile: Send a file, possibly by using os.sendfile() if this is a clear-text socket. Return the total number of bytes sent.

SSLSocket.connect: Connects to remote ADDR, and then wraps the connection in an SSL channel.

SSLSocket.accept: Accepts a new connection from a remote client, and returns a tuple containing that new connection wrapped with a server-side SSL channel, and the address of the remote client.

cert_time_to_seconds: Return the time in seconds since the Epoch, given the timestring representing the "notBefore" or "notAfter" date from a certificate in ``"%b %d %H:%M:%S %Y %Z"`` strptime format (C locale). "notBefore" or "notAfter" dates must use UTC (RFC 5280). Month is one of: Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec. UTC should be specified as GMT (see ASN1_TIME_print())

DER_cert_to_PEM_cert: Takes a certificate in binary DER format and returns the PEM version of it as a string.

PEM_cert_to_DER_cert: Takes a certificate in ASCII PEM format and returns the DER-encoded version of it as a byte sequence

get_server_certificate: Retrieve the certificate from the server at the specified address, and return it as a PEM-encoded string. If 'ca_certs' is specified, validate the server cert against it. If 'ssl_version' is specified, use it in the connection attempt.