uhUc@sdZdZdZdZdZdZdZddlZddlZej e Z y*dd l m Z dd lmZeZWn8ek rZeZd ZddlZejenXd efd YZdS(sAndg_httpsclient - module containing SSL peer verification class. sP J Kershaw (STFC)s09/12/11s2(C) 2012 Science and Technology Facilities Councils-BSD - see LICENSE file in top-level directorysPhilip.Kershaw@stfc.ac.uks$Id$iN(tSubjectAltName(tdecodersPSubjectAltName support is disabled - check pyasn1 package installation to enabletServerSSLCertVerificationcBs1eZdZi dd6dd6dd6dd6d d 6d d 6d d6dd6dd6dd6ZdZddjeejeejZ e j e Z d(Z d)d)edZdZdZedZdZd Zed!ed"ed#d$Zd%Zd&Zed!ed"ed#d'ZRS(*syCheck server identity. If hostname doesn't match, allow match of host's Distinguished Name against server DN settingtCNt commonNametOUtorganisationalUnitNametOt organisationtCt countryNamet EMAILADDRESSt emailAddresstLt localityNametSTtstateOrProvinceNametSTREETt streetAddresstDCtdomainComponenttUIDtuseridtsubjectAltNames/(%s)=t|t __hostnamet__certDNt__subj_alt_name_matchcCsd|_d|_|dk r*||_n|dk rB||_n|rstsgtjdt|_ qt |_ ntj dt|_ dS(sOverride parent class __init__ to enable setting of certDN setting @type certDN: string @param certDN: Set the expected Distinguished Name of the server to avoid errors matching hostnames. This is useful where the hostname is not fully qualified @type hostname: string @param hostname: hostname to match against peer certificate subjectAltNames or subject common name @type subj_alt_name_match: bool @param subj_alt_name_match: flag to enable/disable matching of hostname against peer certificate subjectAltNames. Nb. A setting of True will be ignored if the pyasn1 package is not installed sdOverriding "subj_alt_name_match" keyword setting: peer verification with subjectAltNames is disableds9Disabling peer verification with subject subjectAltNames!N( tNonet"_ServerSSLCertVerification__certDNt$_ServerSSLCertVerification__hostnametcertDNthostnametSUBJ_ALT_NAME_SUPPORTtlogtwarningtFalset/_ServerSSLCertVerification__subj_alt_name_matchtTruetdebug(tselfRR tsubj_alt_name_match((sI/usr/lib/python2.7/dist-packages/ndg/httpsclient/ssl_peer_verification.pyt__init__2s          c Cs|jr&tjd|jtS|dkr|j}|j}|j|jdkr|j dkrtjdtS|j r|j |}|j |kr|Sn|j |j kr|Stjd|j |j tSq||jkr|Stjd||jtSn|SdS(s Verify server certificate @type connection: OpenSSL.SSL.Connection @param connection: SSL connection object @type peerCert: basestring @param peerCert: server host certificate as OpenSSL.crypto.X509 instance @type errorStatus: int @param errorStatus: error status passed from caller. This is the value returned by the OpenSSL C function X509_STORE_CTX_get_error(). Look-up x509_vfy.h in the OpenSSL source to get the meanings of the different codes. PyOpenSSL doesn't help you! @type errorDepth: int @param errorDepth: a non-negative integer representing where in the certificate chain the error occurred. If it is zero it occured in the end entity certificate, one if it is the certificate which signed the end entity certificate and so on. @type preverifyOK: int @param preverifyOK: the error status - 0 = Error, 1 = OK of the current SSL context irrespective of any verification checks done here. If this function yields an OK status, it should enforce the preverifyOK value so that any error set upstream overrides and is honoured. @rtype: int @return: status code - 0/False = Error, 1/True = OK s4Certificate %r in peer certificate chain has expiredis?No "hostname" or "certDN" set to check peer certificate againsts7Peer certificate CN %r doesn't match the expected CN %rs7Peer certificate DN %r doesn't match the expected DN %rN( t has_expiredR"terrort get_subjectR$tget_componentstsortRRR R%t_get_subj_alt_nameR( R(t connectiontpeerCertt errorStatust errorDeptht preverifyOKt peerCertSubjt peerCertDNt dns_names((sI/usr/lib/python2.7/dist-packages/ndg/httpsclient/ssl_peer_verification.pyt__call__Ws8             csfd}|S(Ncsj|||||S(N(R9(R1R2R3R4R5(R((sI/usr/lib/python2.7/dist-packages/ndg/httpsclient/ssl_peer_verification.pytverify_server_certs((R(R:((R(sI/usr/lib/python2.7/dist-packages/ndg/httpsclient/ssl_peer_verification.pytget_verify_server_cert_funcsc Csg}t}xt|jD]}|j|}|j}||jkr"|j}tj|d|}xh|D]]} t | trzxEtt | D].} | j | } |j t | jqWqzqzWq"q"W|S(sExtract subjectAltName DNS name settings from certificate extensions @param peer_cert: peer certificate in SSL connection. subjectAltName settings if any will be extracted from this @type peer_cert: OpenSSL.crypto.X509 tasn1Spec(Rtrangetget_extension_countt get_extensiontget_short_nametSUBJ_ALT_NAME_EXT_NAMEtget_datat der_decodertdecodet isinstancetlentgetComponentByPositiontappendtstrt getComponent( tclst peer_certtdns_namet general_namestitexttext_nametext_datt decoded_dattnametentryt component((sI/usr/lib/python2.7/dist-packages/ndg/httpsclient/ssl_peer_verification.pyR0s       +cCs|jS(N(R(R(((sI/usr/lib/python2.7/dist-packages/ndg/httpsclient/ssl_peer_verification.pyt _getCertDNscCst|tr|jd}|jjj|}t|dkrXtd|ntt |ddd|ddd|_ |j j nYt|tsx/|D]'}t|dkstdqqW||_ n tddS(Nt"isError parsing DN string: "%s"isSExpecting list of two element DN field, DN field value pairs for "certDN" attributes4Expecting list or string type for "certDN" attribute( RERItstript __class__t PARSER_REtsplitRFt TypeErrortlisttzipRR/(R(tvalRtdnFieldsRO((sI/usr/lib/python2.7/dist-packages/ndg/httpsclient/ssl_peer_verification.pyt _setCertDNs2  tfgettfsettdocs)Distinguished Name for Server CertificatecCs|jS(N(R(R(((sI/usr/lib/python2.7/dist-packages/ndg/httpsclient/ssl_peer_verification.pyt _getHostnamescCs+t|tstdn||_dS(Ns,Expecting string type for hostname attribute(RERIR]R(R(R`((sI/usr/lib/python2.7/dist-packages/ndg/httpsclient/ssl_peer_verification.pyt _setHostnamesshostname of server(s __hostnames__certDNs__subj_alt_name_matchN(t__name__t __module__t__doc__tDN_LUTRAtjoinR^tkeystvaluest PARSER_RE_STRtretcompileR[t __slots__RR&R*R9R;t classmethodR0RWRbtpropertyRRfRgR (((sI/usr/lib/python2.7/dist-packages/ndg/httpsclient/ssl_peer_verification.pyRs> % I        (Rjt __author__t__date__t __copyright__t __license__t __contact__t __revision__Rptloggingt getLoggerRhR"tndg.httpsclient.subj_alt_nameRtpyasn1.codec.derRRCR&R!t ImportErrorteR$tSUBJ_ALT_NAME_SUPPORT_MSGtwarningstwarntobjectR(((sI/usr/lib/python2.7/dist-packages/ndg/httpsclient/ssl_peer_verification.pyts&