B ?F[@sldZddlZddlZddlZddlZddlmZmZGdddejZ ddZ dd Z Gd d d ej Z dS) zCExtensions to allow HTTPS requests with SSL certificate validation.N)six http_clientc@s eZdZdZddZddZdS)InvalidCertificateExceptionz?Raised when a certificate is provided with an invalid hostname.cCs"tj|||_||_||_dS)zConstructor. Args: host: The hostname the connection was made to. cert: The SSL certificate (as a dictionary) the host returned. N)r HTTPException__init__hostcertreason)selfrrr r 4lib/python3.7/site-packages/boto/https_connection.pyr"s z$InvalidCertificateException.__init__cCsd|j|j|jfS)Nz0Host %s returned an invalid certificate (%s): %s)rr r)r r r r __str__.sz#InvalidCertificateException.__str__N)__name__ __module__ __qualname____doc__rr r r r r rs rcCs0d|krdd|dDSdd|dDSdS)zReturns a list of valid host globs for an SSL certificate. Args: cert: A dictionary representing an SSL certificate. Returns: list: A list of valid host globs. ZsubjectAltNamecSs$g|]}|ddkr|dqS)rZdns)lower).0xr r r <sz(GetValidHostsForCert..cSs,g|]$}|dddkr|ddqS)rZ commonnamer)r)rrr r r r>sZsubjectNr )rr r r GetValidHostsForCert3srcCsXt|}tjd||x:|D]2}|dddd}td|f|tjrdSqWdS) aValidates that a given hostname is valid for an SSL certificate. Args: cert: A dictionary representing an SSL certificate. hostname: The hostname to test. Returns: bool: Whether or not the hostname is valid for this certificate. z@validating server certificate: hostname=%s, certificate hosts=%s.z\.*z[^.]*z^%s$TF)rbotologdebugreplaceresearchI)rhostnameZhostsrZhost_rer r r ValidateCertificateHostnameBs  r"c@s2eZdZdZejZeddddfddZddZdS)CertValidatingHTTPSConnectionzDAn HTTPConnection that connects over SSL and validates certificates.NcKs>tjr||d<tjj|f||d|||_||_||_dS)a*Constructor. Args: host: The hostname. Can be in 'host:port' form. port: The port. Defaults to 443. key_file: A file containing the client's private key cert_file: A file containing the client's certificates ca_certs: A file contianing a set of concatenated certificate authority certs for validating the server against. strict: When true, causes BadStatusLine to be raised if the status line can't be parsed as a valid HTTP/1.0 or 1.1 status line. strict)rportN)rZPY2rHTTPConnectionrkey_file cert_fileca_certs)r rr%r'r(r)r$kwargsr r r r[s z&CertValidatingHTTPSConnection.__init__cCst|dr"t|j|jf|j}nt|j|jf}d}|jrN|d|j7}n|d7}tj |t j ||j |j t j|jd|_|j}|jddd}t||st||d|d S) z(Connect to a host on a given (SSL) port.timeoutzwrapping ssl socket; zCA certificate file=%szusing system provided SSL certs)ZkeyfileZcertfileZ cert_reqsr):rz/remote hostname "%s" does not match certificateN)hasattrsocketZcreate_connectionrr%r+r)rrrsslZ wrap_socketr'r(Z CERT_REQUIREDsockZ getpeercertsplitr"r)r r0msgrr!r r r connectts&      z%CertValidatingHTTPSConnection.connect) rrrrrZ HTTPS_PORTZ default_portrr3r r r r r#Vs r#)rrr.r/rZ boto.compatrrrrrr"r&r#r r r r s