o tl~i\?@s>dZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl m Z mZmZmZmZmZmZmZmZmZedejZdId d ZdJddZdKddZdLddZdMddZ dNdOd$d%ZdPd(d)Z dQd-d.Z!dQd/d0Z"dRd2d3Z#dSd9d:Z$dTdd?d@dAdBdCZ&dUdEdFZ'GdGdHdHZ(dS)Va Low-level helpers for the SecureTransport bindings. These are Python functions that are not directly related to the high-level APIs but are necessary to get them to work. They include a whole bunch of low-level CoreFoundation messing about and memory management. The concerns in this module are almost entirely about trying to avoid memory leaks and providing appropriate and useful assistance to the higher-level code. ) annotationsN) CFArrayCFConstCFData CFDictionaryCFMutableArrayCFString CFTypeRefCoreFoundationSecKeychainRefSecuritys;-----BEGIN CERTIFICATE----- (.*?) -----END CERTIFICATE----- bytestringbytesreturnrcCsttj|t|S)zv Given a bytestring, create a CFData object from it. This CFData object must be CFReleased by the caller. )r CFDataCreatekCFAllocatorDefaultlen)rrq/var/www/newdalilibackend/backend/venv/lib/python3.10/site-packages/urllib3/contrib/_securetransport/low_level.py_cf_data_from_bytes)s rtuples#list[tuple[typing.Any, typing.Any]]rcCsZt|}dd|D}dd|D}tj||}tj||}ttj|||tjtjS)zK Given a list of Python tuples, create an associated CFDictionary. cs|]}|dVqdS)rNr.0trrr <z-_cf_dictionary_from_tuples..csr)rNrrrrrr=r)rr r CFDictionaryCreaterkCFTypeDictionaryKeyCallBackskCFTypeDictionaryValueCallBacks)rdictionary_sizekeysvaluescf_keys cf_valuesrrr_cf_dictionary_from_tuples3sr'py_bstrr cCs t|}ttj|tj}|S)zi Given a Python binary data, create a CFString. The string must be CFReleased by the caller. )ctypesc_char_pr CFStringCreateWithCStringrrkCFStringEncodingUTF8)r(c_strcf_strrrr_cfstrKs r/lst list[bytes]rc Csd}z7ttjdttj}|std|D]}t|}|s#tdz t||Wt |qt |wW|St yU}z|rHt |t d|dd}~ww)z Given a list of Python binary data, create an associated CFMutableArray. The array must be CFReleased by the caller. Raises an ssl.SSLError on failure. NrUnable to allocate memory!zUnable to allocate array: ) r CFArrayCreateMutablerr)byrefkCFTypeArrayCallBacks MemoryErrorr/CFArrayAppendValue CFRelease BaseExceptionsslSSLError)r0cf_arritemr.errr_create_cfstring_arrayYs0   r?value str | NonecCsnt|ttj}t|tj}|dur,td}t ||dtj}|s)t d|j }|dur5| d}|S)z Creates a Unicode string from a CFString object. Used entirely for error reporting. Yes, it annoys me quite a lot that this function is this complex. Niz'Error copying C string from CFStringRefutf-8) r)castPOINTERc_void_pr CFStringGetCStringPtrrr,create_string_bufferCFStringGetCStringOSErrorr@decode)r@value_as_void_pstringbufferresultrrr_cf_string_to_unicodexs   rOerrorintexception_classtype[BaseException] | NoneNonecCsZ|dkrdSt|d}t|}t||dus|dkr"d|}|dur)tj}||)z[ Checks the return code and throws an exception if there is an error to report rNz OSStatus )r SecCopyErrorMessageStringrOr r8r:r;)rPrRcf_error_stringoutputrrr_assert_no_errors   rY pem_bundlercCs|dd}ddt|D}|stdttjdt tj }|s*tdz1|D]+}t |}|s:tdt tj|}t||sMtdt||t|q-W|Styht|w) z Given a bundle of certs in PEM format, turns them into a CFArray of certs that can be used to validate a cert chain. s  cSsg|] }t|dqS)r)base64 b64decodegroup)rmatchrrr sz(_cert_array_from_pem..zNo root certificates specifiedrr2zUnable to build cert object!)replace _PEM_CERTS_REfinditerr:r;r r3rr)r4r5rr SecCertificateCreateWithDatar8r7 Exception)rZ der_certs cert_array der_bytescertdatacertrrr_cert_array_from_pems@          rkr=r boolcCt}t||kS)z= Returns True if a given CFTypeRef is a certificate. )r SecCertificateGetTypeIDr CFGetTypeIDr=expectedrrr_is_certrrcCrm)z; Returns True if a given CFTypeRef is an identity. )r SecIdentityGetTypeIDr rorprrr _is_identityrsrutuple[SecKeychainRef, str]c Cstd}t|ddd}t|dd}t}tj|| d}t }t |t ||ddt|}t|||fS)a This function creates a temporary Mac keychain that we can use to work with credentials. This keychain uses a one-time password and a temporary file to store the data. We expect to have one keychain per socket. The returned SecKeychainRef must be freed by the caller, including calling SecKeychainDelete. Returns a tuple of the SecKeychainRef and the path to the temporary directory that contains it. (NrBF)osurandomr\ b16encoderJtempfilemkdtemppathjoinencoder r SecKeychainCreaterr)r4rY) random_bytesfilenamepassword tempdirectory keychain_pathkeychainstatusrrr_temporary_keychains rrr r~str'tuple[list[CFTypeRef], list[CFTypeRef]]c Cs*g}g}d}t|d }|}Wdn1swYzhttj|t|}t}t|ddddd|t |}t |t |} t | D],} t|| } t | tj} t| rht| || qJt| rvt| || qJW|rt|t|||fS|rt|t|w)z Given a single file, loads all the trust objects from it into arrays and the keychain. Returns a tuple of lists: the first list is a list of identities, the second a list of certs. Nrbr)openreadr rrr CFArrayRefr SecItemImportr)r4rYCFArrayGetCountrangeCFArrayGetValueAtIndexrCr rrCFRetainappendrur8) rr~ certificates identities result_arrayf raw_filedatafiledatarN result_countindexr=rrr_load_items_from_file sR               rpathsc Gsg}g}dd|D}ze|D]}t||\}}||||q|sEt}t||dt|} t| ||t | dt t j dtt j} t||D]} t | | qW| Wt||D]} t | qhSt||D]} t | qww)z Load certificates and maybe keys from a number of files. Has the end goal of returning a CFArray containing one SecIdentityRef, and then zero or more SecCertificateRef objects, suitable for use as a client certificate trust chain. css|]}|r|VqdSNr)rr~rrrrfrz*_load_client_cert_chain..r)rextendr SecIdentityRef SecIdentityCreateWithCertificater)r4rYrr r8popr3rr5 itertoolschainr7) rrrrfiltered_paths file_pathnew_identities new_certs new_identityr trust_chainr=objrrr_load_client_cert_chainBs:       r)r)r)rr)rr)rr)SSLv2SSLv3TLSv1zTLSv1.1zTLSv1.2versionc CsHt|\}}d}d}td||}t|}d}td|||||}|S)z6 Builds a TLS alert record for an unknown CA. r0z>BBz>BBBH)TLS_PROTOCOL_VERSIONSstructpackr) rver_majver_minseverity_fataldescription_unknown_camsgmsg_lenrecord_type_alertrecordrrr_build_tls_unknown_ca_alerts rc@seZdZdZdZdZdZdZdZdZ dZ d Z dZ dZ dZdZdZd ZdZd Zd ZdZd ZdZdZdZdZdZdZdZdZdZdZ dZ!dZ"dZ#dZ$dZ%dZ&dZ'dZ(d Z)d!Z*d"Z+d#S)$ SecurityConstzU A class object that acts as essentially a namespace for Security constants. rrrrx iriiiiiiiiiiiiiiiiiii iQi,iRN),__name__ __module__ __qualname____doc__"kSSLSessionOptionBreakOnServerAuth kSSLProtocol2 kSSLProtocol3 kTLSProtocol1kTLSProtocol11kTLSProtocol12kTLSProtocol13kTLSProtocolMaxSupportedkSSLClientSidekSSLStreamTypekSecFormatPEMSequencekSecTrustResultInvalidkSecTrustResultProceedkSecTrustResultDenykSecTrustResultUnspecified&kSecTrustResultRecoverableTrustFailure kSecTrustResultFatalTrustFailurekSecTrustResultOtherErrorerrSSLProtocolerrSSLWouldBlockerrSSLClosedGracefulerrSSLClosedNoNotifyerrSSLClosedAborterrSSLXCertChainInvalid errSSLCryptoerrSSLInternalerrSSLCertExpirederrSSLCertNotYetValiderrSSLUnknownRootCerterrSSLNoRootCerterrSSLHostNameMismatcherrSSLPeerHandshakeFailerrSSLPeerUserCancellederrSSLWeakPeerEphemeralDHKeyerrSSLServerAuthCompletederrSSLRecordOverflowerrSecVerifyFailederrSecNoTrustSettingserrSecItemNotFounderrSecInvalidTrustSettingsrrrrrsTr)rrrr)rrrr)r(rrr )r0r1rr)r@r rrAr)rPrQrRrSrrT)rZrrr)r=r rrl)rrv)rr r~rrr)rr rrArr)rrrr))r __future__rr\r)rryrer:rr|typingbindingsrrrrrr r r r r compileDOTALLrbrr'r/r?rOrYrkrrrurrrrrrrrrrsH 0      .   # 9L