U

��\q�@s�dZd
dl
mZmZmZ
d
dlZd
dlmZmZm	Z	m
Z
mZmZm
Z

d
dlmZ
d
dlmZ
d
dlmZ
dd	lmZmZmZmZmZmZmZmZ
dd
lmZ
dg
Zdd�Z d
d�Z!ed�
Z"dd�Z#dS)zL
`cryptography.x509 <https://github.com/pyca/cryptography>`_-specific code.
�)�absolute_import�division�print_functionN)�DNSName�ExtensionOID�	IPAddress�NameOID�ObjectIdentifier�	OtherName�UniformResourceIdentifier)
�ExtensionNotFound)
�decode)
�	IA5String�
)�DNS_ID�CertificateError�
DNSPattern�IPAddress_ID�IPAddressPattern�
SRVPattern�
URIPattern�verify_service_identity)
�SubjectAltNameWarning�verify_certificate_hostnamecCstt
|�
t|
�
g
gd
�
dS)a�
    Verify whether *certificate* is valid for *hostname*.

    .. note:: Nothing is verified about the *authority* of the certificate;
       the caller must verify that the certificate chains to an appropriate
       trust root themselves.

    :param cryptography.x509.Certificate certificate: A cryptography X509
        certificate object.
    :param unicode hostname: The hostname that *certificate* should be valid
        for.

    :raises service_identity.VerificationError: If *certificate* is not valid
        for *hostname*.
    :raises service_identity.CertificateError: If *certificate* contains
        invalid/unexpected data.

    :returns: ``None``
    �Z
cert_patternsZobligatory_idsZoptional_idsN)r�extract_idsr)�certificateZhostname�r�?/usr/lib/python3/dist-packages/service_identity/cryptography.pyr&s



�cCstt
|�
t|
�
g
gd
�
dS)a�
    Verify whether *certificate* is valid for *ip_address*.

    .. note:: Nothing is verified about the *authority* of the certificate;
       the caller must verify that the certificate chains to an appropriate
       trust root themselves.

    :param cryptography.x509.Certificate certificate: A cryptography X509
        certificate object.
    :param unicode ip_address: The IP address that *connection* should be valid
        for.  Can be an IPv4 or IPv6 address.

    :raises service_identity.VerificationError: If *certificate* is not valid
        for *ip_address*.
    :raises service_identity.CertificateError: If *certificate* contains
        invalid/unexpected data.

    :returns: ``None``

    .. versionadded:: 18.1.0
    rN)rrr)rZ
ip_addressrrr�verify_certificate_ip_addressAs



�rz1.3.6.1.5.5.7.8.7c
Cs 
g}
z|j�
tj�
}Wntk
r*


Yn�X|
�d
d�|j�t�
D�
�

|
�dd�|j�t	�
D�
�

|
�dd�|j�t
�
D�
�

|j�t�
D]B}|jt
kr�t|j�
\}}t|t�r�|
�t|���
�

q�td�
�
q�|
�
sdd�|j�tj�
D�
}tt|�
d�}dd�|D�
}
t�d	�|�
t�
|
S)
a

    Extract all valid IDs from a certificate for service verification.

    If *cert* doesn't contain any identifiers, the ``CN``s are used as DNS-IDs
    as fallback.

    :param cryptography.x509.Certificate cert: The certificate to be dissected.

    :return: List of IDs.
    c
Ssg|]}
t|
�
d�
�
�qS�
zutf-8�r�encode)�.0�namerrr�
<listcomp>us�zextract_ids.<locals>.<listcomp>c
Ssg|]}
t|
�
d�
�
�qSr )rr")r#Zurirrrr%{s�c
Ssg|]}
t|
�
�qSr)
r)r#Ziprrrr%�s�zUnexpected certificate content.c
Ssg|]
}
|
j�qSr)
�value�r#�
nrrrr%�s�s<not given>c
Ssg|]}
t|
�
d�
�
�qSr r!r'rrrr%�sz�Certificate with CN {!r} has no `subjectAltName`, falling back to check for a `commonName` for now.  This feature is being removed by major browsers and deprecated by RFC 2818.)�
extensionsZget_extension_for_oidrZSUBJECT_ALTERNATIVE_NAMEr�extendr&Zget_values_for_typerrrr
Ztype_id�
ID_ON_DNS_SRVr
�
isinstancer�appendrZasOctetsrZsubjectZget_attributes_for_oidrZCOMMON_NAME�next�iter�warnings�warn�formatr)ZcertZidsZext�otherZsrv�
_ZcnsZcnrrrrasV


�


��

���

��






�


��r)$�__doc__Z
__future__rrrr0Zcryptography.x509rrrrr	r
rZcryptography.x509.extensionsrZpyasn1.codec.der.decoderr
Zpyasn1.type.charrZ_commonrrrrrrrr�
exceptionsr�__all__rrr+rrrrr�<module>
s$	

(