%PDF- %PDF-
Mini Shell

Mini Shell

Direktori : /lib/python3/dist-packages/twisted/internet/__pycache__/
Upload File :
Create Path :
Current File : //lib/python3/dist-packages/twisted/internet/__pycache__/_sslverify.cpython-312.pyc

�

Ϫ�f���$�ddlmZddlZddlmZddlmZddlmZddl	m
Z
ddlmZm
Z
ddlmZmZdd	lmZddlZdd
lmZmZmZmZddlmZddlmZmZdd
lm Z ddl!m"Z"m#Z#ddl$m%Z%m&Z&m'Z'm(Z(ddl)m*Z*m+Z+ddl,m-Z-ddl.m/Z/m0Z0ddl1m2Z2ddl3m4Z4ddl5m6Z6Gd�de�Z7e7jpejre7jtejve7jxejze7j|ej~e7j�eAedd�iZBd�ZCGd�deD�ZEd�ZFd�ZGd�ZHd �ZIeI�\ZJZKZLGd!�d"e�ZMeMj�eMj�zeM_Od#�ZPd$d$d%d%d&d&d'd'd(d(d)d)d*d+�
ZQGd,�d-e
eReSf�ZTeTZUGd.�d/�ZVd0�ZWGd1�d2eV�ZXGd3�d4eV�ZYGd5�d6eX�ZZGd7�d8�Z[Gd9�d:e[�Z\Gd;�d<e�Z]e
e]�Gd=�d>��Z^d?�Z_e
e]�Gd@�dA��Z`dB�ZadC�Zbe
e'�GdD�dE��Zc			d_ddF�dG�Zde
e(�GdH�dI��Zee0edJdKdd�dL�eej��ee_fe0edJdKdd�dL�eej��ee_ge
e&�ej�dMdM�N�GdO�dP���ZiedQ�R�dS��ZjedT�R�dU��Zke
e%�GdV�dW��Zlelj�dX�ZndYZoGdZ�d[�ZpGd\�d]�Zqd^�Zry)`�)�annotationsN)�hexlify)�	lru_cache��md5)�Dict)�	Interface�implementer)�SSL�crypto)�lib)�FlagConstant�Flags�
NamedConstant�Names)�Version)�isIPAddress�
isIPv6Address)�Deferred)�CertificateError�VerifyError)�IAcceptableCiphers�ICipher�IOpenSSLClientConnectionCreator�IOpenSSLContextFactory)�log�util)�nativeString)�_mutuallyExclusiveArguments�
deprecated)�Failure)�secureRandom�)�
_idnaBytesc�V�eZdZdZe�Ze�Ze�Ze�Ze�Z	y)�
TLSVersionzD
    TLS versions that we can negotiate with the client/server.
    N)
�__name__�
__module__�__qualname__�__doc__r�SSLv3�TLSv1_0�TLSv1_1�TLSv1_2�TLSv1_3���=/usr/lib/python3/dist-packages/twisted/internet/_sslverify.pyr&r&'s,���
�O�E��o�G��o�G��o�G��o�Gr1r&�
OP_NO_TLSv1_3c��ttj��}|d|j|�D�cgc]}|��}}|r1|j	||j|�dD�cgc]}|��c}�|Scc}wcc}w)a�
    Given a pair of L{TLSVersion} constants, figure out what versions we want
    to disable (as OpenSSL is an exclusion based API).

    @param oldest: The oldest L{TLSVersion} we want to allow.
    @type oldest: L{TLSVersion} constant

    @param newest: The newest L{TLSVersion} we want to allow, or L{None} for no
        upper limit.
    @type newest: L{TLSVersion} constant or L{None}

    @return: The versions we want to disable.
    @rtype: L{list} of L{TLSVersion} constants.
    N)�listr&�
iterconstants�index�extend)�oldest�newest�versions�x�excludedVersionss     r2�_getExcludedTLSProtocolsr>?s{���J�,�,�.�/�H�#+�,D�h�n�n�V�.D�#E�F�a��F��F�
����H�X�^�^�F�5K�5M�,N� O�q�� O�P����G��!Ps�	A4�"	A9c��eZdZdZy)�SimpleVerificationErrorz/
    Not a very useful verification error.
    N)r'r(r)r*r0r1r2r@r@Ws��r1r@c��|j�j�j}||k7r#tt	|�dzt	|�z��y)a�
    Check only the common name in the certificate presented by the peer and
    only for an exact match.

    This is to provide I{something} in the way of hostname verification to
    users who haven't installed C{service_identity}. This check is overly
    strict, relies on a deprecated TLS feature (you're supposed to ignore the
    commonName if the subjectAlternativeName extensions are present, I
    believe), and lots of valid certificates will fail.

    @param connection: the OpenSSL connection to verify.
    @type connection: L{OpenSSL.SSL.Connection}

    @param hostname: The hostname expected by the user.
    @type hostname: L{unicode}

    @raise twisted.internet.ssl.VerificationError: if the common name and
        hostname don't match.
    z!=N)�get_peer_certificate�get_subject�
commonNamer@�repr)�
connection�hostnamerDs   r2�simpleVerifyHostnamerH]sL��(�0�0�2�>�>�@�K�K�J��X��%�d�:�&6��&=��X��&N�O�O�r1c��td��)a5
    Always fails validation of IP addresses

    @param connection: the OpenSSL connection to verify.
    @type connection: L{OpenSSL.SSL.Connection}

    @param hostname: The hostname expected by the user.
    @type hostname: L{unicode}

    @raise twisted.internet.ssl.VerificationError: Always raised
    z&Cannot verify certificate IP addresses)r@)rFrGs  r2�simpleVerifyIPAddressrJvs��"�"J�
K�Kr1c�L�d�|jd�ddD�\}}||fdk\S)z�
    Check pyOpenSSL version string whether we can use it for host verification.

    @param version: A pyOpenSSL version string.
    @type version: L{str}

    @rtype: L{bool}
    c3�2K�|]}t|����y�w�N)�int)�.0�parts  r2�	<genexpr>z#_usablePyOpenSSL.<locals>.<genexpr>�s����A�$�C��I�A����.N�)r�)�split)�version�major�minors   r2�_usablePyOpenSSLrZ�s2��B�'�-�-��*<�R�a�*@�A�L�E�5��5�>�W�$�$r1c���d}	ddlm}ddlm}m}|||fS#t
$r9}t
jdt|�zdz|ztdd��Yd	}~nd	}~wwxYwtttfS)
a
    Determine if C{service_identity} is installed. If so, use it. If not, use
    simplistic and incorrect checking as implemented in
    L{simpleVerifyHostname}.

    @return: 2-tuple of (C{verify_hostname}, C{VerificationError})
    @rtype: L{tuple}
    z�Without the service_identity module, Twisted can perform only rudimentary TLS client hostname verification.  Many valid certificate/hostname mappings may be rejected.r)�VerificationError)�verify_hostname�verify_ip_addresszHYou do not have a working installation of the service_identity module: 'z�'.  Please install it from <https://pypi.python.org/pypi/service_identity> and make sure all of its dependencies are satisfied.  �)�category�filename�linenoN)
�service_identityr\�service_identity.pyopensslr]r^�ImportError�warnings�
warn_explicit�str�UserWarningrHrJr@)�
whatsWrongr\r]r^�es     r2�_selectVerifyImplementationrl�s���	9��
�6�Q�� 1�3D�D�D���
����
)�+.�q�6�
2�5<�
<�?I�	
I�!���
	
�
	
��
�� �!6�8O�O�Os��	A�/A�Ac�0�eZdZdZed�Zed�Zy)�ProtocolNegotiationSupporta�
    L{ProtocolNegotiationSupport} defines flags which are used to indicate the
    level of NPN/ALPN support provided by the TLS backend.

    @cvar NOSUPPORT: There is no support for NPN or ALPN. This is exclusive
        with both L{NPN} and L{ALPN}.
    @cvar NPN: The implementation supports Next Protocol Negotiation.
    @cvar ALPN: The implementation supports Application Layer Protocol
        Negotiation.
    r#rTN)r'r(r)r*r�NPN�ALPNr0r1r2rnrn�s��	��v�
�C����Dr1rnc�Z�tj}tjtj�}	|jd��|tjz}	|jd��|tjz}|S#ttf$rY�9wxYw#ttf$rY|SwxYw)ay
    Checks whether your versions of PyOpenSSL and OpenSSL are recent enough to
    support protocol negotiation, and if they are, what kind of protocol
    negotiation is supported.

    @return: A combination of flags from L{ProtocolNegotiationSupport} that
        indicate which mechanisms for protocol negotiation are supported.
    @rtype: L{constantly.FlagConstant}
    c��yrMr0��cs r2�<lambda>z/protocolNegotiationMechanisms.<locals>.<lambda>���r1c��yrMr0rss r2ruz/protocolNegotiationMechanisms.<locals>.<lambda>�rvr1)rn�	NOSUPPORTr�Context�
SSLv23_METHOD�set_npn_advertise_callbackro�AttributeError�NotImplementedError�set_alpn_select_callbackrp)�support�ctxs  r2�protocolNegotiationMechanismsr��s���)�2�2�G�

�+�+�c�'�'�
(�C�2��&�&�~�6�	�-�1�1�1��3��$�$�^�4�	�-�2�2�2���N��
�/�0�
��
��
�/�0�
���N�
�s#�B�B�B�B�B*�)B*rD�organizationName�organizationalUnitName�localityName�stateOrProvinceName�countryName�emailAddress)
�CNrD�Or��OUr��Lr��STr��Cr�r�c�@�eZdZdZdZd�Zd�Zd�Zdd�Zd�Z	d�Z
d	�Zy
)�DistinguishedNameag
    Identify and describe an entity.

    Distinguished names are used to provide a minimal amount of identifying
    information about a certificate issuer or subject.  They are commonly
    created with one or more of the following fields::

        commonName (CN)
        organizationName (O)
        organizationalUnitName (OU)
        localityName (L)
        stateOrProvinceName (ST)
        countryName (C)
        emailAddress

    A L{DistinguishedName} should be constructed using keyword arguments whose
    keys can be any of the field names above (as a native string), and the
    values are either Unicode text which is encodable to ASCII, or L{bytes}
    limited to the ASCII subset. Any fields passed to the constructor will be
    set as attributes, accessible using both their extended name and their
    shortened acronym. The attribute values will be the ASCII-encoded
    bytes. For example::

        >>> dn = DistinguishedName(commonName=b'www.example.com',
        ...                        C='US')
        >>> dn.C
        b'US'
        >>> dn.countryName
        b'US'
        >>> hasattr(dn, "organizationName")
        False

    L{DistinguishedName} instances can also be used as dictionaries; the keys
    are extended name of the fields::

        >>> dn.keys()
        ['countryName', 'commonName']
        >>> dn['countryName']
        b'US'

    r0c�N�|j�D]\}}t|||��yrM)�items�setattr)�self�kw�k�vs    r2�__init__zDistinguishedName.__init__/s'���H�H�J�	 �D�A�q��D�!�Q��	 r1c�T�tD]}t||d�}|��t|||��!yrM)�
_x509names�getattrr�)r��x509name�name�values    r2�	_copyFromzDistinguishedName._copyFrom3s1���	+�D��H�d�D�1�E�� ���d�E�*�	+r1c�`�|j�D]\}}t||t|���yrM)r�r�r)r�r�r�r�s    r2�	_copyIntozDistinguishedName._copyInto9s+���J�J�L�	2�D�A�q��H�a��a��1�	2r1c�8�dtj|�ddzS)Nz<DN %s>r#���)�dict�__repr__�r�s r2r�zDistinguishedName.__repr__=s���D�M�M�$�/��"�5�6�6r1c�L�	|t|S#t$rt|��wxYwrM)r��KeyErrorr|)r��attrs  r2�__getattr__zDistinguishedName.__getattr__@s1��	'��
�4�(�)�)���	'� ��&�&�	'�s��#c��|tvrt|�d���t|}t|t�s|j	d�}|||<y)Nz' is not a valid OpenSSL X509 name field�ascii)r�r|�
isinstance�bytes�encode)r�r�r��realAttrs    r2�__setattr__zDistinguishedName.__setattr__FsH���z�!� �D�6�)P�!Q�R�R��d�#���%��'��L�L��)�E���X�r1c�|�g}d}d�}t|t��D]X}tj|�}t	t|�|�}t
||d�}|��=|j|t|�f��Z|dz
}t|�D]"\}\}}|j|�dz|z||<�$dj|�S)zh
        Return a multi-line, human-readable representation of this DN.

        @rtype: L{str}
        rc�4�t|j��SrM)�set�values)�mappings r2�uniqueValuesz/DistinguishedName.inspect.<locals>.uniqueValuesWs���w�~�~�'�(�(r1NrTz: �
)�sortedr�r�nameToLabel�max�lenr��appendr�	enumerate�rjust�join)	r��l�lablenr�r��labelr��n�attribs	         r2�inspectzDistinguishedName.inspectNs���
����	)���Z�0�1�	3�A��$�$�Q�'�E���U��V�,�F���a��&�A��}����%��a��1�2�	3�	�!���"+�A�,�	7��A���v��;�;�v�&��-��6�A�a�D�	7��y�y��|�r1N��returnrh)r'r(r)r*�	__slots__r�r�r�r�r�r�r�r0r1r2r�r�s2��(�T�I� �+�2�7�'��r1r�c�(�eZdZdZd�Zd�Zd�Zd�Zy)�CertBasez�
    Base class for public (certificate only) and private (certificate + key
    pair) certificates.

    @ivar original: The underlying OpenSSL certificate object.
    @type original: L{OpenSSL.crypto.X509}
    c��||_yrM��original)r�r�s  r2r�zCertBase.__init__rs	�� ��
r1c�t�t�}|jt|jd|z���|S)N�get_)r�r�r�r�)r��suffix�dns   r2�	_copyNamezCertBase._copyNameus0��
�
 ��
���<�W�T�]�]�F�V�O�<�>�?��	r1c�$�|jd�S)z�
        Retrieve the subject of this certificate.

        @return: A copy of the subject of this certificate.
        @rtype: L{DistinguishedName}
        �subject�r�r�s r2�
getSubjectzCertBase.getSubjectzs���~�~�i�(�(r1c�J�|turt|jg�StS)aM
        Convert this L{CertBase} into a provider of the given interface.

        @param interface: The interface to conform to.
        @type interface: L{zope.interface.interfaces.IInterface}

        @return: an L{IOpenSSLTrustRoot} provider or L{NotImplemented}
        @rtype: L{IOpenSSLTrustRoot} or L{NotImplemented}
        )�IOpenSSLTrustRoot�OpenSSLCertificateAuthoritiesr��NotImplemented)r��	interfaces  r2�__conform__zCertBase.__conform__�s$���)�)�0�$�-�-��A�A��r1N)r'r(r)r*r�r�r�r�r0r1r2r�r�is���!��
)�r1r�c���t|j�d|�d�d�}|�tdj||���|�}|�tdj||���||�S)a
    (private) Helper for L{Certificate.peerFromTransport} and
    L{Certificate.hostFromTransport} which checks for incompatible handle types
    and null certificates and raises the appropriate exception or returns the
    appropriate certificate object.
    r��_certificateNz2non-TLS transport {!r} did not have {} certificatez.TLS transport {!r} did not have {} certificate)r��	getHandler�format)�Class�	transport�
methodName�method�certs     r2�_handleattrhelperr��s����Y�(�(�*�d�:�,�l�,K�T�
R�F�
�~��@�G�G��:�
�
�	
�
�8�D��|��<�C�C��:�
�
�	
�
��;�r1c���eZdZdZdd�Zdd�Zeejdfd��Z	e	Z
d�Zed��Zed��Z
ed	��Zd
�Zejfdd�Zd�Zdd
�Zd�Zd�Zd�Zd�Zy)�Certificatez
    An x509 certificate.
    c��dj|jj|j�j|j�j�S)Nz<{} Subject={} Issuer={}>)r��	__class__r'r�rD�	getIssuerr�s r2r�zCertificate.__repr__�sB��*�1�1��N�N�#�#��O�O��(�(��N�N��'�'�
�	
r1c�p�t|t�r!|j�|j�k(StSrM)r�r��dumpr�)r��others  r2�__eq__zCertificate.__eq__�s)���e�[�)��9�9�;�%�*�*�,�.�.��r1r0c�<�|tj||�g|���S)zc
        Load a certificate from an ASN.1- or PEM-format string.

        @rtype: C{Class}
        )r�load_certificate)r��requestDatar��argss    r2�loadzCertificate.load�s!���V�,�,�V�[�A�I�D�I�Ir1c�@�|jtj�S)z\
        Dump this certificate to a PEM-format data string.

        @rtype: L{str}
        )r�r�FILETYPE_PEMr�s r2�dumpPEMzCertificate.dumpPEM�s���y�y��,�,�-�-r1c�B�|j|tj�S)z]
        Load a certificate from a PEM-format data string.

        @rtype: C{Class}
        )r�rr��r��datas  r2�loadPEMzCertificate.loadPEM�s���z�z�$�� 3� 3�4�4r1c��t||d�S)a	
        Get the certificate for the remote end of the given transport.

        @param transport: an L{ISystemHandle} provider

        @rtype: C{Class}

        @raise CertificateError: if the given transport does not have a peer
            certificate.
        �peer�r��r�r�s  r2�peerFromTransportzCertificate.peerFromTransport����!��	�6�:�:r1c��t||d�S)a
        Get the certificate for the local end of the given transport.

        @param transport: an L{ISystemHandle} provider; the transport we will

        @rtype: C{Class}

        @raise CertificateError: if the given transport does not have a host
            certificate.
        �hostr�r�s  r2�hostFromTransportzCertificate.hostFromTransport�rr1c�H�t|jj��S)zX
        Get the public key for this certificate.

        @rtype: L{PublicKey}
        )�	PublicKeyr��
get_pubkeyr�s r2�getPublicKeyzCertificate.getPublicKey�s������1�1�3�4�4r1c�B�tj||j�SrM)r�dump_certificater��r�r�s  r2r�zCertificate.dump�s���&�&�v�t�}�}�=�=r1c�6�|jj�S)zY
        Retrieve the serial number of this certificate.

        @rtype: L{int}
        )r��get_serial_numberr�s r2�serialNumberzCertificate.serialNumbers���}�}�.�.�0�0r1c�8�|jj|�S)a
        Return a digest hash of this certificate using the specified hash
        algorithm.

        @param method: One of C{'md5'} or C{'sha'}.

        @return: The digest of the object, formatted as b":"-delimited hex
            pairs
        @rtype: L{bytes}
        )r��digest)r�r�s  r2rzCertificate.digests���}�}�#�#�F�+�+r1c��djd|j�j�d|j�j�d|j	�zdt|j
��zg�S)Nr�zCertificate For Subject:z
Issuer:z
Serial Number: %dz
Digest: %s)r�r�r�r�rrrr�s r2�_inspectzCertificate._inspectsh���y�y�*����!�)�)�+����� �(�(�*�%��(9�(9�(;�;��|�D�K�K�M�:�:�

�	
�		
r1c�|�dj|j�|j�j�f�S)z�
        Return a multi-line, human-readable representation of this
        Certificate, including information about the subject, issuer, and
        public key.
        r�)r�rrr�r�s r2r�zCertificate.inspect!s0���y�y�$�-�-�/�4�+<�+<�+>�+F�+F�+H�I�J�Jr1c�$�|jd�S)z�
        Retrieve the issuer of this certificate.

        @rtype: L{DistinguishedName}
        @return: A copy of the issuer of this certificate.
        �issuerr�r�s r2r�zCertificate.getIssuer)s���~�~�h�'�'r1c��td��)Nz'Possible, but doubtful we need this yet)r})r��authoritiess  r2�optionszCertificate.options2s��!�"K�L�Lr1Nr�)r��objectr��bool)r�rNr�r�r)r'r(r)r*r�r��classmethodr�
FILETYPE_ASN1r��_loadr�r�rrrr�rrrr�r�rr0r1r2r�r��s����
��
�(.�(<�(<�2�J��J�
�E�.��5��5��;��;��;��;�5�"(�!5�!5�>�1�,�

�K�(�Mr1r�c�V�eZdZdZeejfd��Zejfd�Zy)�CertificateRequestz�
    An x509 certificate request.

    Certificate requests are given to certificate authorities to be signed and
    returned resulting in an actual certificate.
    c���tj||�}t�}|j|j	��|j|j
��std|�d���||�S)NzCan't verify that request for z is self-signed.)r�load_certificate_requestr�r�rC�verifyrr)r�r��
requestFormat�reqr�s     r2r�zCertificateRequest.load>sb���-�-�m�[�I��
�
 ��
���S�_�_�&�'��z�z�#�.�.�*�+�� >�r�f�DT�U�V�V��S�z�r1c�B�tj||j�SrM)r�dump_certificate_requestr�rs  r2r�zCertificateRequest.dumpGs���.�.�v�t�}�}�E�Er1N)	r'r(r)r*rrrr�r�r0r1r2rr6s5����/5�/C�/C����!�.�.�Fr1rc��eZdZdZdd�Zd�Zejfd�Ze	ejfd��Z
d�Zd�Ze	d��Z
e	d	��Zd
�Zejdfd�Zejejfd
�Z		dd�Zy)�PrivateCertificatez.
    An x509 certificate and private key.
    c�^�tj|�dzt|j�zS)Nz with )r�r�rE�
privateKeyr�s r2r�zPrivateCertificate.__repr__Ps&���#�#�D�)�H�4�t�D�O�O�7L�L�Lr1c�h�|j|j��std��||_|S)Nz1Certificate public and private keys do not match.)�matchesrrr*)r�r*s  r2�_setPrivateKeyz!PrivateCertificate._setPrivateKeySs1���!�!�$�"3�"3�"5�6��Q�R�R�$����r1c�<�|j||j|�S)z}
        Create a new L{PrivateCertificate} from the given certificate data and
        this instance's private key.
        )r�r*�r��newCertDatar�s   r2�newCertificatez!PrivateCertificate.newCertificateYs��
�y�y��d�o�o�v�>�>r1c�D�|j||�j|�SrM)rr-)r�r�r*r�s    r2r�zPrivateCertificate.load`s���{�{�4��(�7�7�
�C�Cr1c�~�djtj|�|jj	�g�S)Nr�)r�r�rr*r�r�s r2r�zPrivateCertificate.inspectds.���y�y�+�.�.�t�4�d�o�o�6M�6M�6O�P�Q�Qr1c��|jtj�|jjtj�zS)zi
        Dump both public and private parts of a private certificate to
        PEM-format data.
        )r�rr�r*r�s r2r�zPrivateCertificate.dumpPEMgs:��
�y�y��,�,�-����0D�0D����1
�
�	
r1c��|j|tj|tj�tj�S)zv
        Load both private and public parts of a private certificate from a
        chunk of PEM-format data.
        )r��KeyPairrr�r�s  r2r�zPrivateCertificate.loadPEMps3���z�z��'�,�,�t�V�%8�%8�9�6�;N�;N�
�	
r1c�H�||j�}|j|�SrM)r�r-)r��certificateInstancer*�privcerts    r2�fromCertificateAndKeyPairz,PrivateCertificate.fromCertificateAndKeyPairzs$���,�5�5�6���&�&�z�2�2r1c
���t|jj|j��}|r<|jtt	|D�cgc]}|j��c}����tdi|��Scc}w)a$
        Create a context factory using this L{PrivateCertificate}'s certificate
        and private key.

        @param authorities: A list of L{Certificate} object

        @return: A context factory.
        @rtype: L{CertificateOptions <twisted.internet.ssl.CertificateOptions>}
        �r*�certificate)�	trustRootr0)r�r*r��updater��OpenSSLCertificateOptions)r�rr�auths    r2rzPrivateCertificate.optionsse���$�/�/�":�":��
�
�V����N�N��;�3>�?�4����?���
�)�3�7�3�3��	@s�A5�sha256c�X�|jj|j�||�SrM)r*�certificateRequestr�)r�r��digestAlgorithms   r2rDz%PrivateCertificate.certificateRequest�s'�����1�1��O�O��v��
�	
r1c�b�|j�}|jj||||||�SrM)r�r*�signCertificateRequest)r�r��verifyDNCallbackrr#�certificateFormatrs       r2rGz)PrivateCertificate.signCertificateRequest�s9�����"�����5�5�������

�	
r1c�\�|jj|j�||||�SrM)r*�signRequestObjectr�)r�rDr�secondsToExpiryrEs     r2rKz$PrivateCertificate.signRequestObject�s1�����0�0��O�O������
�	
r1Nr���3�rB)r'r(r)r*r�r-rrr1rr�r�r�r�r:rrDrGrKr0r1r2r(r(Ks����M��28�1E�1E�?��-3�-A�-A�D��D�R�
��
��
��3��3�4�*)/�(<�(<�h�
��*�*� �.�.�

�,+� �

r1r(c�0�eZdZdZd�Zd�Zdd�Zd�Zd�Zy)	ran
    A L{PublicKey} is a representation of the public part of a key pair.

    You can't do a whole lot with it aside from comparing it to other
    L{PublicKey} objects.

    @note: If constructing a L{PublicKey} manually, be sure to pass only a
        L{OpenSSL.crypto.PKey} that does not contain a private key!

    @ivar original: The original private key.
    c��||_y)zv
        @param osslpkey: The underlying pyOpenSSL key object.
        @type osslpkey: L{OpenSSL.crypto.PKey}
        Nr�)r��osslpkeys  r2r�zPublicKey.__init__�s��
!��
r1c�D�|j�|j�k(S)a
        Does this L{PublicKey} contain the same value as another L{PublicKey}?

        @param otherKey: The key to compare C{self} to.
        @type otherKey: L{PublicKey}

        @return: L{True} if these keys match, L{False} if not.
        @rtype: L{bool}
        ��keyHash)r��otherKeys  r2r,zPublicKey.matches�s���|�|�~��!1�!1�!3�3�3r1c�X�d|jj�d|j��d�S)N�<� �>)r�r'rTr�s r2r�zPublicKey.__repr__�s)���4�>�>�*�*�+�1�T�\�\�^�,<�A�>�>r1c��tjtj|j�}t	�}|j|�|j
�S)at
        Compute a hash of the underlying PKey object.

        The purpose of this method is to allow you to determine if two
        certificates share the same public key; it is not really useful for
        anything else.

        In versions of Twisted prior to 15.0, C{keyHash} used a technique
        involving certificate requests for computing the hash that was not
        stable in the face of changes to the underlying OpenSSL library.

        @return: Return a 32-character hexadecimal string uniquely identifying
            this public key, I{for this version of Twisted}.
        @rtype: native L{str}
        )r�dump_publickeyrr�rr?�	hexdigest)r��raw�hs   r2rTzPublicKey.keyHash�s>�� �#�#�F�$8�$8�$�-�-�H���E��	����
��{�{�}�r1c�(�d|j���S)NzPublic Key with Hash: rSr�s r2r�zPublicKey.inspect�s��'�����'7�8�8r1Nr�)	r'r(r)r*r�r,r�rTr�r0r1r2rr�s ��
�!�
4�?��*9r1rc�r�eZdZeej
fd��Zej
fd�Zee	dddd�d�d��Z
ee	dddd�d�d��Zd	�Zeejd
fd��Zej
fd�Zdd�Zej
d
fd�Zej
ej
dd
fd�Z		dd�Zd�Zy)r6c�:�|tj||��SrM)r�load_privatekey)r�r�r�s   r2r�zKeyPair.load�s���V�+�+�F�D�9�:�:r1c�B�tj||j�SrM)r�dump_privatekeyr�rs  r2r�zKeyPair.dump�s���%�%�f�d�m�m�<�<r1�Twisted�r�a real persistence systemc�"�|j�SrM)r�r�s r2�__getstate__zKeyPair.__getstate__�s���y�y�{�r1c�j�|jtjtj|��yrM)r�rrbr�r��states  r2�__setstate__zKeyPair.__setstate__s!���
�
�f�,�,�V�-A�-A�5�I�Jr1c���|jj�}|tjk(rd}n|tjk(rd}nd}|jj�||j
�f}d|zS)N�RSA�DSAz(Unknown Type!)z %s-bit %s Key Pair with Hash: %s)r��typer�TYPE_RSA�TYPE_DSA�bitsrT)r��t�tsr�s    r2r�zKeyPair.inspectse���M�M��� ��������B�
�&�/�/�
!��B�"�B�
�]�]�
�
�
!�2�t�|�|�~�6��1�A�5�5r1ic�^�tj�}|j||�||�SrM)r�PKey�generate_key)r��kind�size�pkeys    r2�generatezKeyPair.generates'���{�{�}�����$��%��T�{�r1c�0�tj|||�SrM)r(r�r/s   r2r1zKeyPair.newCertificates��!�&�&�{�D�&�A�Ar1rBc���tj�}|j|j�|j	|j��|j
|j|�t|�SrM)r�X509Req�
set_pubkeyr�r�rC�signr)r��distinguishedNamerEr$s    r2�
requestObjectzKeyPair.requestObjectsP���n�n������t�}�}�%��#�#�C�O�O�$5�6��������0�!�#�&�&r1c�D�|j||�j|�S)z�
        Create a certificate request signed with this key.

        @return: a string, formatted according to the 'format' argument.
        )r�r�)r�r�r�rEs    r2rDzKeyPair.certificateRequest"s#���!�!�"3�_�E�J�J�6�R�Rr1rNc		������������tj||���j�����}	���������f	d�}
t|	t�r|	j|
�S|
|	�S)a&
        Given a blob of certificate request data and a certificate authority's
        DistinguishedName, return a blob of signed certificate data.

        If verifyDNCallback returns a Deferred, I will return a Deferred which
        fires the data when that Deferred has completed.
        c��	�|stdj�	�����j������j��S)Nz)DN callback {!r} rejected request DN {!r})rr�rKr�)
r�rIrEr��hlreq�issuerDistinguishedNamerLr�rrHs
 ���������r2�verifiedz0KeyPair.signCertificateRequest.<locals>.verifiedCsW����!�?�F�F�(�"����
�)�)�'�������d�$�%�

&r1)rr�r�r�r�addCallback)
r�r�r�rHrr#rIrLrE�vvalr�r�r�s
`` `` ```  @@r2rGzKeyPair.signCertificateRequest,sa����$#�'�'��]�C��
�
�
�
����#��
	&�
	&��d�H�%��#�#�H�-�-��D�>�!r1c��|j}tj�}|j|j	��|j|j
��|j|j��|jd�|j|�|j|�|j|j|�t|�S)zW
        Sign a CertificateRequest instance, returning a Certificate instance.
        r)r�r�X509r��
get_issuer�set_subjectrCr�r�gmtime_adj_notBefore�gmtime_adj_notAfter�set_serial_numberr�r�)r�r�r�rrLrEr$r�s        r2rKzKeyPair.signRequestObjectWs����$�$���{�{�}���)�)�$�/�/�*;�<�������*�+�������(�)��!�!�!�$�� � ��1����|�,��	�	�$�-�-��1��4� � r1c��tdi|��}tj|j||j	|�|�|�S)Nr0)�DNr(r:rKr�)r�rr�r�s    r2�selfSignedCertzKeyPair.selfSignedCertms?��
�X�"�X��!�;�;��"�"�2�t�'9�'9�"�'=�|�L�d�
�	
r1N)rBrM)r'r(r)rrrr�r�r rrirmr�rrr}r1r�rDrGrKr�r0r1r2r6r6�s����!'�!5�!5�;��;�!�.�.�=���	�2�q�!�,�.I�J��K����	�2�q�!�,�.I�J�K�K�K�	6��#�_�_�4����
28�1E�1E�B�'�)/�(<�(<�h�S� �*�*� �.�.�*� �)"�`+� �
!�,
r1r6c��eZdZdZd�Zy)r�z�
    Trust settings for an OpenSSL context.

    Note that this interface's methods are private, so things outside of
    Twisted shouldn't implement it.
    c��y)aI
        Add certificate-authority certificates to an SSL context whose
        connections should trust those authorities.

        @param context: An SSL context for a connection which should be
            verified by some certificate authority.
        @type context: L{OpenSSL.SSL.Context}

        @return: L{None}
        Nr0)�contexts r2�_addCACertsToContextz&IOpenSSLTrustRoot._addCACertsToContext|rvr1N�r'r(r)r*r�r0r1r2r�r�ts���
r1r�c��eZdZdZd�Zd�Zy)r�zy
    Trust an explicitly specified set of certificates, represented by a list of
    L{OpenSSL.crypto.X509} objects.
    c��||_y)z�
        @param caCerts: The certificate authorities to trust when using this
            object as a C{trustRoot} for L{OpenSSLCertificateOptions}.
        @type caCerts: L{list} of L{OpenSSL.crypto.X509}
        N)�_caCerts)r��caCertss  r2r�z&OpenSSLCertificateAuthorities.__init__�s�� ��
r1c�h�|j�}|jD]}|j|��yrM)�get_cert_storer��add_cert)r�r��storer�s    r2r�z2OpenSSLCertificateAuthorities._addCACertsToContext�s/���&�&�(���M�M�	!�D��N�N�4� �	!r1N)r'r(r)r*r�r�r0r1r2r�r��s���
 �!r1r�c��g}|D];}t|t�r
|j}ntd��|j	|��=t|�S)a
    Builds an object that trusts multiple root L{Certificate}s.

    When passed to L{optionsForClientTLS}, connections using those options will
    reject any server certificate not signed by at least one of the
    certificates in the `certificates` list.

    @since: 16.0

    @param certificates: All certificates which will be trusted.
    @type certificates: C{iterable} of L{CertBase}

    @rtype: L{IOpenSSLTrustRoot}
    @return: an object suitable for use as the trustRoot= keyword argument to
        L{optionsForClientTLS}
    zBcertificates items must be twisted.internet.ssl.CertBase instances)r�r�r��	TypeErrorr�r�)�certificates�certsr�s   r2�trustRootFromCertificatesr��sV��$
�E�����d�H�%��=�=�D��W��
�	���T���)��/�/r1c��eZdZdZd�Zy)�OpenSSLDefaultPathsz�
    Trust the set of default verify paths that OpenSSL was built with, as
    specified by U{SSL_CTX_set_default_verify_paths
    <https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_load_verify_locations.html>}.
    c�$�|j�yrM)�set_default_verify_paths)r�r�s  r2r�z(OpenSSLDefaultPaths._addCACertsToContext�s���(�(�*r1Nr�r0r1r2r�r��s���+r1r�c��t�S)aD

    Attempt to discover a set of trusted certificate authority certificates
    (or, in other words: trust roots, or root certificates) whose trust is
    managed and updated by tools outside of Twisted.

    If you are writing any client-side TLS code with Twisted, you should use
    this as the C{trustRoot} argument to L{CertificateOptions
    <twisted.internet.ssl.CertificateOptions>}.

    The result of this function should be like the up-to-date list of
    certificates in a web browser.  When developing code that uses
    C{platformTrust}, you can think of it that way.  However, the choice of
    which certificate authorities to trust is never Twisted's responsibility.
    Unless you're writing a very unusual application or library, it's not your
    code's responsibility either.  The user may use platform-specific tools for
    defining which server certificates should be trusted by programs using TLS.
    The purpose of using this API is to respect that decision as much as
    possible.

    This should be a set of trust settings most appropriate for I{client} TLS
    connections; i.e. those which need to verify a server's authenticity.  You
    should probably use this by default for any client TLS connection that you
    create.  For servers, however, client certificates are typically not
    verified; or, if they are, their verification will depend on a custom,
    application-specific certificate authority.

    @since: 14.0

    @note: Currently, L{platformTrust} depends entirely upon your OpenSSL build
        supporting a set of "L{default verify paths <OpenSSLDefaultPaths>}"
        which correspond to certificate authority trust roots.  Unfortunately,
        whether this is true of your system is both outside of Twisted's
        control and difficult (if not impossible) for Twisted to detect
        automatically.

        Nevertheless, this ought to work as desired by default on:

            - Ubuntu Linux machines with the U{ca-certificates
              <https://launchpad.net/ubuntu/+source/ca-certificates>} package
              installed,

            - macOS when using the system-installed version of OpenSSL (i.e.
              I{not} one installed via MacPorts or Homebrew),

            - any build of OpenSSL which has had certificate authority
              certificates installed into its default verify paths (by default,
              C{/usr/local/ssl/certs} if you've built your own OpenSSL), or

            - any process where the C{SSL_CERT_FILE} environment variable is
              set to the path of a file containing your desired CA certificates
              bundle.

        Hopefully soon, this API will be updated to use more sophisticated
        trust-root discovery mechanisms.  Until then, you can follow tickets in
        the Twisted tracker for progress on this implementation on U{Microsoft
        Windows <https://twistedmatrix.com/trac/ticket/6371>}, U{macOS
        <https://twistedmatrix.com/trac/ticket/6372>}, and U{a fallback for
        other platforms which do not have native trust management tools
        <https://twistedmatrix.com/trac/ticket/6934>}.

    @return: an appropriate trust settings object for your platform.
    @rtype: L{IOpenSSLTrustRoot}

    @raise NotImplementedError: if this platform is not yet supported by
        Twisted.  At present, only OpenSSL is supported.
    )r�r0r1r2�
platformTrustr��s��F� � r1c����fd�}|S)a-
    Wrap up an C{info_callback} for pyOpenSSL so that if something goes wrong
    the error is immediately logged and the connection is dropped if possible.

    This wrapper exists because some versions of pyOpenSSL don't handle errors
    from callbacks at I{all}, and those which do write tracebacks directly to
    stderr rather than to a supplied logging system.  This reports unexpected
    errors to the Twisted logging system.

    Also, this terminates the connection immediately if possible because if
    you've got bugs in your verification logic it's much safer to just give up.

    @param wrapped: A valid C{info_callback} for pyOpenSSL.
    @type wrapped: L{callable}

    @return: A valid C{info_callback} for pyOpenSSL that handles any errors in
        C{wrapped}.
    @rtype: L{callable}
    c���	�|||�S#t$rBt�}tj|d�|j	�j|�YywxYw)NzError during info_callback)�
BaseExceptionr!r�err�get_app_data�failVerification)rF�where�ret�f�wrappeds    �r2�infoCallbackz%_tolerateErrors.<locals>.infoCallback$sS���	:��:�u�c�2�2���	:��	�A��G�G�A�3�4��#�#�%�6�6�q�9�	:�s�	
�AA�Ar0)r�r�s` r2�_tolerateErrorsr�s���*:��r1c�"�eZdZdZd�Zd�Zd�Zy)�ClientTLSOptionsa
    Client creator for TLS.

    Private implementation type (not exposed to applications) for public
    L{optionsForClientTLS} API.

    @ivar _ctx: The context to use for new connections.
    @type _ctx: L{OpenSSL.SSL.Context}

    @ivar _hostname: The hostname to verify, as specified by the application,
        as some human-readable text.
    @type _hostname: L{unicode}

    @ivar _hostnameBytes: The hostname to verify, decoded into IDNA-encoded
        bytes.  This is passed to APIs which think that hostnames are bytes,
        such as OpenSSL's SNI implementation.
    @type _hostnameBytes: L{bytes}

    @ivar _hostnameASCII: The hostname, as transcoded into IDNA ASCII-range
        unicode code points.  This is pre-transcoded because the
        C{service_identity} package is rather strict about requiring the
        C{idna} package from PyPI for internationalized domain names, rather
        than working with Python's built-in (but sometimes broken) IDNA
        encoding.  ASCII values, however, will always work.
    @type _hostnameASCII: L{unicode}

    @ivar _hostnameIsDnsName: Whether or not the C{_hostname} is a DNSName.
        Will be L{False} if C{_hostname} is an IP address or L{True} if
        C{_hostname} is a DNSName
    @type _hostnameIsDnsName: L{bool}
    c�>�||_||_t|�st|�r|j	d�|_d|_nt|�|_d|_|j
jd�|_	|jt|j��y)a
        Initialize L{ClientTLSOptions}.

        @param hostname: The hostname to verify as input by a human.
        @type hostname: L{unicode}

        @param ctx: an L{OpenSSL.SSL.Context} to use for new connections.
        @type ctx: L{OpenSSL.SSL.Context}.
        r�FTN)
�_ctx�	_hostnamerrr��_hostnameBytes�_hostnameIsDnsNamer$�decode�_hostnameASCII�set_info_callbackr��_identityVerifyingInfoCallback)r�rGr�s   r2r�zClientTLSOptions.__init__Qs�����	�!����x� �M�(�$;�"*�/�/�'�":�D��&+�D�#�",�X�"6�D��&*�D�#�"�1�1�8�8��A������o�d�.Q�.Q�R�Sr1c�l�|j}tj|d�}|j|�|S)ap
        Create a TLS connection for a client.

        @note: This will call C{set_app_data} on its connection.  If you're
            delegating to this implementation of this method, don't ever call
            C{set_app_data} or C{set_info_callback} on the returned connection,
            or you'll break the implementation of various features of this
            class.

        @param tlsProtocol: the TLS protocol initiating the connection.
        @type tlsProtocol: L{twisted.protocols.tls.TLSMemoryBIOProtocol}

        @return: the configured client connection.
        @rtype: L{OpenSSL.SSL.Connection}
        N)r�r�
Connection�set_app_data)r��tlsProtocolr�rFs    r2�clientConnectionForTLSz'ClientTLSOptions.clientConnectionForTLShs1�� �)�)���^�^�G�T�2�
�����,��r1c��|tjzr(|jr|j|j�y|tj
zr;	|jrt
||j�yt||j�yy#t$r.t�}|j�}|j|�YywxYw)a
        U{info_callback
        <http://pythonhosted.org/pyOpenSSL/api/ssl.html#OpenSSL.SSL.Context.set_info_callback>
        } for pyOpenSSL that verifies the hostname in the presented certificate
        matches the one passed to this L{ClientTLSOptions}.

        @param connection: the connection which is handshaking.
        @type connection: L{OpenSSL.SSL.Connection}

        @param where: flags indicating progress through a TLS handshake.
        @type where: L{int}

        @param ret: ignored
        @type ret: ignored
        N)
r�SSL_CB_HANDSHAKE_STARTr��set_tlsext_host_namer��SSL_CB_HANDSHAKE_DONE�verifyHostnamer��verifyIPAddressr\r!r�r�)r�rFr�r�r�r�s      r2r�z/ClientTLSOptions._identityVerifyingInfoCallback}s���$�3�-�-�-�$�2I�2I��+�+�D�,?�,?�@�
�S�.�.�
.�
.��*�*�"�:�t�/B�/B�C�#�J��0C�0C�D�/��%�
.��I��&�3�3�5�	��*�*�1�-�
.�s�"B�3B�4C�CN)r'r(r)r*r�r�r�r0r1r2r�r�/s���@T�.�*.r1r�)�extraCertificateOptionsc�<�|�i}|�
t�}t|t�s"td|jj
z��|r1|j
|jj|j��td||d�|��}t||j��S)a�	
    Create a L{client connection creator <IOpenSSLClientConnectionCreator>} for
    use with APIs such as L{SSL4ClientEndpoint
    <twisted.internet.endpoints.SSL4ClientEndpoint>}, L{connectSSL
    <twisted.internet.interfaces.IReactorSSL.connectSSL>}, and L{startTLS
    <twisted.internet.interfaces.ITLSTransport.startTLS>}.

    @since: 14.0

    @param hostname: The expected name of the remote host. This serves two
        purposes: first, and most importantly, it verifies that the certificate
        received from the server correctly identifies the specified hostname.
        The second purpose is to use the U{Server Name Indication extension
        <https://en.wikipedia.org/wiki/Server_Name_Indication>} to indicate to
        the server which certificate should be used.
    @type hostname: L{unicode}

    @param trustRoot: Specification of trust requirements of peers. This may be
        a L{Certificate} or the result of L{platformTrust}. By default it is
        L{platformTrust} and you probably shouldn't adjust it unless you really
        know what you're doing. Be aware that clients using this interface
        I{must} verify the server; you cannot explicitly pass L{None} since
        that just means to use L{platformTrust}.
    @type trustRoot: L{IOpenSSLTrustRoot}

    @param clientCertificate: The certificate and private key that the client
        will use to authenticate to the server. If unspecified, the client will
        not authenticate.
    @type clientCertificate: L{PrivateCertificate}

    @param acceptableProtocols: The protocols this peer is willing to speak
        after the TLS negotiation has completed, advertised over both ALPN and
        NPN. If this argument is specified, and no overlap can be found with
        the other peer, the connection will fail to be established. If the
        remote peer does not offer NPN or ALPN, the connection will be
        established, but no protocol wil be negotiated. Protocols earlier in
        the list are preferred over those later in the list.
    @type acceptableProtocols: L{list} of L{bytes}

    @param extraCertificateOptions: A dictionary of additional keyword arguments
        to be presented to L{CertificateOptions}. Please avoid using this unless
        you absolutely need to; any time you need to pass an option here that is
        a bug in this interface.
    @type extraCertificateOptions: L{dict}

    @return: A client connection creator.
    @rtype: L{IOpenSSLClientConnectionCreator}
    z6optionsForClientTLS requires text for host names, not r<)r>�acceptableProtocolsr0)r�r�rhr�r�r'r?r*r�r@r��
getContext)rGr>�clientCertificater�r��certificateOptionss      r2�optionsForClientTLSr��s���p�&�"$����!�O�	��h��$��D�� � �)�)�
*�
�	
���&�&�(�3�3�<�<�)�2�2�	'�	
�3���/��"���
�H�&8�&C�&C�&E�F�Fr1c
���eZdZdZej
ZdZee	jZe	jZ
eddgddgddgddgdd	gd	dgdd
gg�																				dd��Zd�Zd
�Zd�Zd�Zy)r@a�
    A L{CertificateOptions <twisted.internet.ssl.CertificateOptions>} specifies
    the security properties for a client or server TLS connection used with
    OpenSSL.

    @ivar _options: Any option flags to set on the L{OpenSSL.SSL.Context}
        object that will be created.
    @type _options: L{int}

    @ivar _cipherString: An OpenSSL-specific cipher string.
    @type _cipherString: L{unicode}

    @ivar _defaultMinimumTLSVersion: The default TLS version that will be
        negotiated.  This should be a "safe default", with wide client and
        server support, vs an optimally secure one that excludes a large number
        of users.  As of May 2022, TLSv1.2 is that safe default.
    @type _defaultMinimumTLSVersion: L{TLSVersion} constant
    Nr>�requireCertificater"r�r��insecurelyLowerMinimumTo�raiseMinimumTo�lowerMaximumSecurityToc
��|du|duk7rtd��||_||_tjtj
ztjz|_tj|_	|��tj|_|r#|r||kDrtd��||jkDr|}|�|j}|r||kDr|}|r||kDrtd��t||�}|D]}|xjt|zc_� n#tj dt"d��||_|r
|std��||_|
�d||fvrtd	��|
�|
|_ng|_||_||_||_||_|	|_|	r4|xjtj2tj4zzc_|
|_||_|r#|xjtj:zc_||_|s#|xjtj>zc_||_ tCtjDtFtH�
�|_%|�tL}djOd�|jQtSd
|j|j��D��|_*|jTdk(rtd��|�|j$r%tW|�}nd|_d|_tY|�}||_-|�t]�st_d��||_0y)a�
        Create an OpenSSL context SSL connection context factory.

        @param privateKey: A PKey object holding the private key.

        @param certificate: An X509 object holding the certificate.

        @param method: Deprecated, use a combination of
            C{insecurelyLowerMinimumTo}, C{raiseMinimumTo}, or
            C{lowerMaximumSecurityTo} instead.  The SSL protocol to use, one of
            C{TLS_METHOD}, C{TLSv1_2_METHOD}, or C{TLSv1_2_METHOD} (or any
            future method constants provided by pyOpenSSL).  By default, a
            setting will be used which allows TLSv1.2 and TLSv1.3.  Can not be
            used with C{insecurelyLowerMinimumTo}, C{raiseMinimumTo}, or
            C{lowerMaximumSecurityTo}.

        @param verify: Please use a C{trustRoot} keyword argument instead,
            since it provides the same functionality in a less error-prone way.
            By default this is L{False}.

            If L{True}, verify certificates received from the peer and fail the
            handshake if verification fails.  Otherwise, allow anonymous
            sessions and sessions with certificates which fail validation.

        @param caCerts: Please use a C{trustRoot} keyword argument instead,
            since it provides the same functionality in a less error-prone way.

            List of certificate authority certificate objects to use to verify
            the peer's certificate.  Only used if verify is L{True} and will be
            ignored otherwise.  Since verify is L{False} by default, this is
            L{None} by default.

        @type caCerts: L{list} of L{OpenSSL.crypto.X509}

        @param verifyDepth: Depth in certificate chain down to which to verify.
            If unspecified, use the underlying default (9).

        @param requireCertificate: Please use a C{trustRoot} keyword argument
            instead, since it provides the same functionality in a less
            error-prone way.

            If L{True}, do not allow anonymous sessions; defaults to L{True}.

        @param verifyOnce: If True, do not re-verify the certificate on session
            resumption.

        @param enableSingleUseKeys: If L{True}, generate a new key whenever
            ephemeral DH and ECDH parameters are used to prevent small subgroup
            attacks and to ensure perfect forward secrecy.

        @param enableSessions: This allows a shortened handshake to be used
            when a known client reconnects to the same process.  If True,
            enable OpenSSL's session caching.  Note that session caching only
            works on a single Twisted node at once.  Also, it is currently
            somewhat risky due to U{a crashing bug when using OpenSSL 1.1.1
            <https://twistedmatrix.com/trac/ticket/9764>}.

        @param fixBrokenPeers: If True, enable various non-spec protocol fixes
            for broken SSL implementations.  This should be entirely safe,
            according to the OpenSSL documentation, but YMMV.  This option is
            now off by default, because it causes problems with connections
            between peers using OpenSSL 0.9.8a.

        @param enableSessionTickets: If L{True}, enable session ticket
            extension for session resumption per RFC 5077.  Note there is no
            support for controlling session tickets.  This option is off by
            default, as some server implementations don't correctly process
            incoming empty session ticket extensions in the hello.

        @param extraCertChain: List of certificates that I{complete} your
            verification chain if the certificate authority that signed your
            C{certificate} isn't widely supported.  Do I{not} add
            C{certificate} to it.
        @type extraCertChain: C{list} of L{OpenSSL.crypto.X509}

        @param acceptableCiphers: Ciphers that are acceptable for connections.
            Uses a secure default if left L{None}.
        @type acceptableCiphers: L{IAcceptableCiphers}

        @param dhParameters: Key generation parameters that are required for
            Diffie-Hellman key exchange.  If this argument is left L{None},
            C{EDH} ciphers are I{disabled} regardless of C{acceptableCiphers}.
        @type dhParameters: L{DiffieHellmanParameters
            <twisted.internet.ssl.DiffieHellmanParameters>}

        @param trustRoot: Specification of trust requirements of peers.  If
            this argument is specified, the peer is verified.  It requires a
            certificate, and that certificate must be signed by one of the
            certificate authorities specified by this object.

            Note that since this option specifies the same information as
            C{caCerts}, C{verify}, and C{requireCertificate}, specifying any of
            those options in combination with this one will raise a
            L{TypeError}.

        @type trustRoot: L{IOpenSSLTrustRoot}

        @param acceptableProtocols: The protocols this peer is willing to speak
            after the TLS negotiation has completed, advertised over both ALPN
            and NPN.  If this argument is specified, and no overlap can be
            found with the other peer, the connection will fail to be
            established.  If the remote peer does not offer NPN or ALPN, the
            connection will be established, but no protocol wil be negotiated.
            Protocols earlier in the list are preferred over those later in the
            list.
        @type acceptableProtocols: L{list} of L{bytes}

        @param raiseMinimumTo: The minimum TLS version that you want to use, or
            Twisted's default if it is higher.  Use this if you want to make
            your client/server more secure than Twisted's default, but will
            accept Twisted's default instead if it moves higher than this
            value.  You probably want to use this over
            C{insecurelyLowerMinimumTo}.
        @type raiseMinimumTo: L{TLSVersion} constant

        @param insecurelyLowerMinimumTo: The minimum TLS version to use,
            possibly lower than Twisted's default.  If not specified, it is a
            generally considered safe default (TLSv1.0).  If you want to raise
            your minimum TLS version to above that of this default, use
            C{raiseMinimumTo}.  DO NOT use this argument unless you are
            absolutely sure this is what you want.
        @type insecurelyLowerMinimumTo: L{TLSVersion} constant

        @param lowerMaximumSecurityTo: The maximum TLS version to use.  If not
            specified, it is the most recent your OpenSSL supports.  You only
            want to set this if the peer that you are communicating with has
            problems with more recent TLS versions, it lowers your security
            when communicating with newer peers.  DO NOT use this argument
            unless you are absolutely sure this is what you want.
        @type lowerMaximumSecurityTo: L{TLSVersion} constant

        @raise ValueError: when C{privateKey} or C{certificate} are set without
            setting the respective other.
        @raise ValueError: when C{verify} is L{True} but C{caCerts} doesn't
            specify any CA certificates.
        @raise ValueError: when C{extraCertChain} is passed without specifying
            C{privateKey} or C{certificate}.
        @raise ValueError: when C{acceptableCiphers} doesn't yield any usable
            ciphers for the current platform.

        @raise TypeError: if C{trustRoot} is passed in combination with
            C{caCert}, C{verify}, or C{requireCertificate}.  Please prefer
            C{trustRoot} in new code, as its semantics are less tricky.
        @raise TypeError: if C{method} is passed in combination with
            C{tlsProtocols}.  Please prefer the more explicit C{tlsProtocols}
            in new code.

        @raises NotImplementedError: If acceptableProtocols were provided but
            no negotiation mechanism is available.
        Nz5Specify neither or both of privateKey and certificatez<raiseMinimumTo needs to be lower than lowerMaximumSecurityTozFinsecurelyLowerMinimumTo needs to be lower than lowerMaximumSecurityToz�Passing method to twisted.internet.ssl.CertificateOptions was deprecated in Twisted 17.1.0. Please use a combination of insecurelyLowerMinimumTo, raiseMinimumTo, and lowerMaximumSecurityTo instead, as Twisted will correctly configure the method.�)�
stacklevelzZSpecify client CA certificate information if and only if enabling certificate verificationzZA private key and a certificate are required when adding a supplemental certificate chain.)�
openSSLlib�
openSSLcrypto�:c3�4K�|]}|j���y�wrM)�fullName)rOrts  r2rQz5OpenSSLCertificateOptions.__init__.<locals>.<genexpr>2s����&
��
�J�J�&
�s��ALLr_zGSupplied IAcceptableCiphers yielded no usable ciphers on this platform.Tz5No support for protocol negotiation on this platform.)1�
ValueErrorr*r=r�OP_NO_SSLv2�OP_NO_COMPRESSION�OP_CIPHER_SERVER_PREFERENCE�_options�MODE_RELEASE_BUFFERS�_mode�
TLS_METHODr��_defaultMinimumTLSVersionr>�_tlsDisableFlagsrf�warn�DeprecationWarningr"�extraCertChainr��verifyDepthr��
verifyOnce�enableSingleUseKeys�OP_SINGLE_DH_USE�OP_SINGLE_ECDH_USE�enableSessions�fixBrokenPeers�OP_ALL�enableSessionTickets�OP_NO_TICKET�dhParameters�!_ChooseDiffieHellmanEllipticCurve�OPENSSL_VERSION_NUMBER�pyOpenSSLlibr�
_ecChooser�defaultCiphersr��
selectCiphers�_expandCipherString�
_cipherStringr�r�r>r�r}�_acceptableProtocols)r�r*r=r�r"r�r�r�r�r�r�r�r�r��acceptableCiphersr�r>r�r�r�r�r=rWs                       r2r�z"OpenSSLCertificateOptions.__init__s'��r
�$��K�4�$7�8��T�U�U�$���&���
�O�O�c�3�3�3�c�6U�6U�U�	
�
��-�-��
��>��.�.�D�K��)�n�?U�.U�$�1���
"�D�$B�$B�B�/=�,�'�/�+/�+I�+I�(�
+�0�3I�I�/E�,�'�,�/E�E� �-���
 8�(�*@� ��,�
;���
�
�!1�'�!:�:�
�
;�
�M�M�,�#��

�!�D�K��'��=��
�����%�$�:�{�2K�*K��@��
��%�"0�D��"$�D�����&���"4���$���#6�� ���M�M�S�1�1�C�4J�4J�J�J�M�,���,�����M�M�S�Z�Z�'�M�$8��!�#��M�M�S�-�-�-�M�(���;��&�&�#� �
����$� .�� �X�X�&
�&�4�4�#�E�4�;�;��
�
�F��&
�
�������#��$��
�
���{�{�9�'�B�	��D�K�&*�D�#�)�)�4�I�"����*�3P�3R�%�G��
�%8��!r1c�b�|jj�}	|d=|S#t$rY|SwxYw)N�_context)�__dict__�copyr�)r��ds  r2riz&OpenSSLCertificateOptions.__getstate__Ns@���M�M��� ��	��*�
�����	����	�s�!�	.�.c��||_yrM)r
rks  r2rmz&OpenSSLCertificateOptions.__setstate__Vs	����
r1c�\�|j�|j�|_|jS)z:
        Return an L{OpenSSL.SSL.Context} object.
        )r	�_makeContextr�s r2r�z$OpenSSLCertificateOptions.getContextYs(���=�=� � �-�-�/�D�M��}�}�r1c�F�|j|j�}|j|j�|j	|j
�|j�t|j�h|j|j�|j|j�|jD]}|j|��|j�tj}|jritj }|j"r|tj$z}|j&r|tj(z}|j*j-|�|j/|�|j0�|j3|j0�t5t7d��}|j9|�|j:r |j=tj>�n|j=tj@�|jBr/|jE|jBjFjH�|jK|jLjOd��|jPjS|�|jTrtW||jT�|S)N�r�),�_contextFactoryr��set_optionsr��set_moder�r=r*�use_certificate�use_privatekeyr��add_extra_chain_cert�check_privatekeyr�VERIFY_NONEr"�VERIFY_PEERr��VERIFY_FAIL_IF_NO_PEER_CERTr��VERIFY_CLIENT_ONCEr>r��
set_verifyr��set_verify_depthrr"�set_session_idr��set_session_cache_mode�SESS_CACHE_SERVER�SESS_CACHE_OFFr��load_tmp_dh�_dhFile�path�set_cipher_listrr�r�configureECDHCurver�_setAcceptableProtocols)r�r��	extraCert�verifyFlags�sessionIDContexts     r2rz&OpenSSLCertificateOptions._makeContextas����"�"�4�;�;�/������
�
�&����T�Z�Z� ����'�D�O�O�,G����� 0� 0�1����t���/�!�0�0�
4�	��(�(��3�
4�
� � �"��o�o���;�;��/�/�K��&�&��s�>�>�>������s�5�5�5���N�N�/�/��4����{�#����'�� � ��!1�!1�2�#�<��?�3��	���+�,�����&�&�s�'<�'<�=��&�&�s�'9�'9�:�����O�O�D�-�-�5�5�:�:�;����D�.�.�5�5�g�>�?����*�*�3�/��$�$�
$�C��)B�)B�C��
r1)NNNFN�	TTTFFFNNNNNNNN)r'r(r)r*rryrr	r�r&r/�_OP_NO_TLSv1_3r.r�rr�rirmr�rr0r1r2r@r@�s����(�k�k�O��H�%�j�&8�&8�9�N� *� 2� 2�� �
�.�/�
�(�#�
�)�$�
�1�2�
�'�(�
�9�:�
�/�0�	
�
��������� ���"����� ��!%�#�+y8�
�y8�v	���8r1r@rerfrgT)�frozen�auto_attribsc��eZdZUdZded<y)�
OpenSSLCipherz�
    A representation of an OpenSSL cipher.

    @ivar fullName: The full name of the cipher. For example
        C{u"ECDHE-RSA-AES256-GCM-SHA384"}.
    @type fullName: L{unicode}
    rhr�N)r'r(r)r*�__annotations__r0r1r2r1r1�s����Mr1r1� )�maxsizec��tj|�}|j|�	|j|j	d��tj|d�}|j�}t|dt�rtd�|D��Std�|D��S#tj
$rK}|jdst�cYd}~S|jddddk(rt�cYd}~S�d}~wwxYw)af
    Expand C{cipherString} according to C{method} and C{options} to a tuple of
    explicit ciphers that are supported by the current platform.

    @param cipherString: An OpenSSL cipher string to expand.
    @type cipherString: L{unicode}

    @param method: An OpenSSL method like C{SSL.TLS_METHOD} used for
        determining the effective ciphers.

    @param options: OpenSSL options like C{SSL.OP_NO_SSLv3} ORed together.
    @type options: L{int}

    @return: The effective list of explicit ciphers that results from the
        arguments on the current platform.
    @rtype: L{tuple} of L{ICipher}
    r�rNrTzno cipher matchc3�2K�|]}t|����y�wrM)r1�rO�ciphers  r2rQz&_expandCipherString.<locals>.<genexpr>�s����A�v�]�6�*�A�rRc3�PK�|]}t|jd����� y�w)r�N)r1r�r7s  r2rQz&_expandCipherString.<locals>.<genexpr>�s����Q�v�]�6�=�=��#9�:�Q�s�$&)rryrr&r��Errorr��tupler��get_cipher_listr�rh)�cipherStringr�rr�rk�conn�cipherss       r2rr�s���&�+�+�f�
�C��O�O�G������L�/�/��8�9��>�>�#�t�$�D��"�"�$�G��'�!�*�c�"��A��A�A�A��Q��Q�Q�Q��!�9�9�
�
�v�v�a�y��7�N��6�6�!�9�Q�<��?�/�/��7�N���
�s/� B%�%D�8C>�D�!C>�7D�=C>�>D�c�,��t�fd�|D��S)a�
    Caclulate the acceptable list of ciphers from the ciphers we want and the
    ciphers we have support for.

    @param wantedCiphers: The ciphers we want to use.
    @type wantedCiphers: L{tuple} of L{OpenSSLCipher}

    @param availableCiphers: The ciphers we have available to use.
    @type availableCiphers: L{tuple} of L{OpenSSLCipher}

    @rtype: L{tuple} of L{OpenSSLCipher}
    c3�,�K�|]}|�vs�|���
y�wrMr0)rOr8�availableCipherss  �r2rQz!_selectCiphers.<locals>.<genexpr>�s�����R�F�v�AQ�7Q��R�s�	�)r;)�
wantedCiphersrCs `r2�_selectCiphersrE�s����R�m�R�R�Rr1c�,�eZdZdZd�Zd�Zed��Zy)�OpenSSLAcceptableCipherszN
    A representation of ciphers that are acceptable for TLS connections.
    c�$�t|�|_yrM)r;�_ciphers)r�r?s  r2r�z!OpenSSLAcceptableCiphers.__init__�s
���g���
r1c�@�t|jt|��SrM)rErIr;)r�rCs  r2rz&OpenSSLAcceptableCiphers.selectCiphers�s���d�m�m�U�3C�-D�E�Er1c��|tt|�tjtjtj
z��S)aR
        Create a new instance using an OpenSSL cipher string.

        @param cipherString: An OpenSSL cipher string that describes what
            cipher suites are acceptable.
            See the documentation of U{OpenSSL
            <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS>} or
            U{Apache
            <http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite>}
            for details.
        @type cipherString: L{unicode}

        @return: Instance representing C{cipherString}.
        @rtype: L{twisted.internet.ssl.AcceptableCiphers}
        )rrrr�r��OP_NO_SSLv3)�clsr=s  r2�fromOpenSSLCipherStringz0OpenSSLAcceptableCiphers.fromOpenSSLCipherString�s8��"���\�*�������#�/�/�1�
�
�	
r1N)r'r(r)r*r�rrrNr0r1r2rGrG�s&���'�F��
��
r1rGz�TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS�
prime256v1c�.�eZdZdZd�Zd�Zd�Zd�Zd�Zy)r�a
    Chooses the best elliptic curve for Elliptic Curve Diffie-Hellman
    key exchange, and provides a C{configureECDHCurve} method to set
    the curve, when appropriate, on a new L{OpenSSL.SSL.Context}.

    The C{configureECDHCurve} method will be set to one of the
    following based on the provided OpenSSL version and configuration:

        - L{_configureOpenSSL110}

        - L{_configureOpenSSL102}

        - L{_configureOpenSSL101}

        - L{_configureOpenSSL101NoCurves}.

    @param openSSLVersion: The OpenSSL version number.
    @type openSSLVersion: L{int}

    @see: L{OpenSSL.SSL.OPENSSL_VERSION_NUMBER}

    @param openSSLlib: The OpenSSL C{cffi} library module.
    @param openSSLcrypto: The OpenSSL L{crypto} module.

    @see: L{crypto}
    c��||_||_|dk\r|j|_y|dk\r|j|_y	|jt�|_|j|_y#t$r|j|_YywxYw)Nii )�_openSSLlib�_openSSLcrypto�_configureOpenSSL110r'�_configureOpenSSL102�get_elliptic_curve�_defaultCurveName�_ecCurve�_configureOpenSSL101r��_configureOpenSSL101NoCurves)r��openSSLVersionr�r�s    r2r�z*_ChooseDiffieHellmanEllipticCurve.__init__Hs���%���+����Z�'�&*�&?�&?�D�#�
�z�
)�&*�&?�&?�D�#�
D� -� @� @�AR� S��
�+/�*C�*C��'���
L�+/�*K�*K��'�
L�s�A*�*B�Bc��y)z�
        OpenSSL 1.1.0 Contexts are preconfigured with an optimal set
        of ECDH curves.  This method does nothing.

        @param ctx: L{OpenSSL.SSL.Context}
        Nr0�r�r�s  r2rTz6_ChooseDiffieHellmanEllipticCurve._configureOpenSSL110Yrvr1c�t�|j}	|jj|d�y#t$rYywxYw)a
        Have the context automatically choose elliptic curves for
        ECDH.  Run on OpenSSL 1.0.2 and OpenSSL 1.1.0+, but only has
        an effect on OpenSSL 1.0.2.

        @param ctx: The context which .
        @type ctx: L{OpenSSL.SSL.Context}
        TN)r	rR�SSL_CTX_set_ecdh_autor�)r�r��ctxPtrs   r2rUz6_ChooseDiffieHellmanEllipticCurve._configureOpenSSL102as:������	����2�2�6�4�@���	��	�s�+�	7�7c�Z�	|j|j�y#t$rYywxYw)z�
        Set the default elliptic curve for ECDH on the context.  Only
        run on OpenSSL 1.0.1.

        @param ctx: The context on which to set the ECDH curve.
        @type ctx: L{OpenSSL.SSL.Context}
        N)�set_tmp_ecdhrXr�r]s  r2rYz6_ChooseDiffieHellmanEllipticCurve._configureOpenSSL101ps+��	����T�]�]�+���	��	�s��	*�*c��y)z�
        No elliptic curves are available on OpenSSL 1.0.1. We can't
        set anything, so do nothing.

        @param ctx: The context on which to set the ECDH curve.
        @type ctx: L{OpenSSL.SSL.Context}
        Nr0r]s  r2rZz>_ChooseDiffieHellmanEllipticCurve._configureOpenSSL101NoCurves}rvr1N)	r'r(r)r*r�rTrUrYrZr0r1r2r�r�,s!���6D�"�
��r1r�c�&�eZdZdZd�Zed��Zy)�OpenSSLDiffieHellmanParameterszn
    A representation of key generation parameters that are required for
    Diffie-Hellman key exchange.
    c��||_yrM)r$)r��
parameterss  r2r�z'OpenSSLDiffieHellmanParameters.__init__�s	��!��r1c��||�S)a�
        Load parameters from a file.

        Such a file can be generated using the C{openssl} command line tool as
        following:

        C{openssl dhparam -out dh_param_2048.pem -2 2048}

        Please refer to U{OpenSSL's C{dhparam} documentation
        <http://www.openssl.org/docs/apps/dhparam.html>} for further details.

        @param filePath: A file containing parameters for Diffie-Hellman key
            exchange.
        @type filePath: L{FilePath <twisted.python.filepath.FilePath>}

        @return: An instance that loads its parameters from C{filePath}.
        @rtype: L{DiffieHellmanParameters
            <twisted.internet.ssl.DiffieHellmanParameters>}
        r0)rM�filePaths  r2�fromFilez'OpenSSLDiffieHellmanParameters.fromFile�s��*�8�}�r1N)r'r(r)r*r�rrjr0r1r2rere�s ���
"����r1rec�
���fd�}�syt�}|tjzr'�fd�}|j|�|j	|�|tj
zr#|j
|�|j��yy)a�
    Called to set up the L{OpenSSL.SSL.Context} for doing NPN and/or ALPN
    negotiation.

    @param context: The context which is set up.
    @type context: L{OpenSSL.SSL.Context}

    @param acceptableProtocols: The protocols this peer is willing to speak
        after the TLS negotiation has completed, advertised over both ALPN and
        NPN. If this argument is specified, and no overlap can be found with
        the other peer, the connection will fail to be established. If the
        remote peer does not offer NPN or ALPN, the connection will be
        established, but no protocol wil be negotiated. Protocols earlier in
        the list are preferred over those later in the list.
    @type acceptableProtocols: L{list} of L{bytes}
    c�R��t|�t��z}�D]
}||vs�|cSy)at
        NPN client-side and ALPN server-side callback used to select
        the next protocol. Prefers protocols found earlier in
        C{_acceptableProtocols}.

        @param conn: The context which is set up.
        @type conn: L{OpenSSL.SSL.Connection}

        @param conn: Protocols advertised by the other side.
        @type conn: L{list} of L{bytes}
        r1)r�)r>�	protocols�overlap�pr�s    �r2�protoSelectCallbackz4_setAcceptableProtocols.<locals>.protoSelectCallback�s9����i�.�3�':�#;�;��$�	�A��G�|���	�r1Nc����SrMr0)r>r�s �r2�npnAdvertiseCallbackz5_setAcceptableProtocols.<locals>.npnAdvertiseCallback�s	���&�&r1)r�rnror{�set_npn_select_callbackrpr~�set_alpn_protos)r�r�rp�	supportedrrs `   r2r(r(�s~���$�0��-�/�I��-�1�1�1�	'�	�*�*�+?�@��'�'�(;�<��-�2�2�2��(�(�)<�=���� 3�4�3r1)NNN)s�
__future__rrf�binasciir�	functoolsr�hashlibr�typingr�zope.interfacer	r
�OpenSSLrr�
OpenSSL._utilr
rr��
constantlyrrrr�incrementalr�twisted.internet.abstractrr�twisted.internet.deferr�twisted.internet.errorrr�twisted.internet.interfacesrrrr�twisted.pythonrr�twisted.python.compatr�twisted.python.deprecaterr �twisted.python.failurer!�twisted.python.randbytesr"�_idnar$r&r+rLr,�OP_NO_TLSv1r-�
OP_NO_TLSv1_1r.�
OP_NO_TLSv1_2r/r�r�r>�	Exceptionr@rHrJrZrlr�r�r\rnrorxr�r�rhr�r�r�r�r�r�rr(rr6r�r�r�r�r�r�r�r�r@rirm�sr1rrErGrNrrWr�rer(r0r1r2�<module>r�s���
#������1��-��@�@��@�+�@���%�.�L�*�1��	��	����c�o�o�����������)�)�����)�)������_�d�;�	���0�i��P�2L�
%�"P�J6Q�5R�2���!2�
 ��
 �*�"�"�%?�%C�%C�C��$�
�>��	�*�
"�6�	�"�
�0�	� �"��
�"a��S�%�Z�(�a�H��&�&�R�0IM�(�IM�XF��F�*m
��m
�`99�99�xz
�i�z
�z�	��*
�
��!�!� �!�(0�>
�
��+�+� �+�C!�L�@
�
,�-�j.�j.�.�j.�^���	KG�!�
KG�\
�
#�$�m�m�%�m�`
*���I�r�1�a� �"=�*��(�(�**��&�*���I�r�1�a� �"=�*��(�(�**��&�

�W������t�$�'�	�	�(��	��2��&R��&R�R�3��
S��
S� 
�
� �"
�"
�!�"
�h*�A�A����!��X�X�v��B95r1

Zerion Mini Shell 1.0