o c~@srdZddlZddlZzddlZWn eydZYnwdZGdddeZdddZd d Z d d Z d dZ dS)zJThe match_hostname() function from Python 3.3.3, essential when using SSL.Nz3.5.0.1c@s eZdZdS)CertificateErrorN)__name__ __module__ __qualname__rrL/opt/certbot/lib/python3.10/site-packages/urllib3/util/ssl_match_hostname.pyrsrc Csg}|sdS|d}|d}|dd}|d}||kr&tdt||s0||kS|dkr:|dn|d sD|d rM|t|n |t| d d |D] }|t|q[t d d |dtj } | |S)zhMatching according to RFC 6125, section 6.4.3 http://tools.ietf.org/html/rfc6125#section-6.4.3 F.rrN*z,too many wildcards in certificate DNS name: z[^.]+zxn--z\*z[^.]*z\Az\.z\Z)splitcountrreprlowerappend startswithreescapereplacecompilejoin IGNORECASEmatch) dnhostname max_wildcardspatspartsleftmost remainder wildcardsfragpatrrr_dnsname_matchs,      r"cCs&t|trtjdkrt|ddd}|S)N)asciistrict)encodingerrors) isinstancestrsys version_infounicode)objrrr _to_unicodeOsr.cCstt|}||kS)zExact matching of IP addresses. RFC 6125 explicitly doesn't define an algorithm for this (section 1.7.2 - "Out of Scope"). ) ipaddress ip_addressr.rstrip)ipnamehost_ipiprrr_ipaddress_matchVsr5c Csf|stdz tt|}Wnttfyd}Ynty,tdur)d}nYnwg}|dd}|D]/\}}|dkrQ|durKt||rKdS||q7|dkrf|durat ||radS||q7|s|ddD]}|D]\}}|dkrt||rdS||qsqot |d krt d |d t t|ft |d krt d ||d ft d)a)Verify that *cert* (in decoded format as returned by SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125 rules are followed, but IP addresses are not accepted for *hostname*. CertificateError is raised on failure. On success, the function returns nothing. ztempty or no certificate, match_hostname needs a SSL socket or SSL context with either CERT_OPTIONAL or CERT_REQUIREDNsubjectAltNamerDNSz IP Addresssubject commonNamerz&hostname %r doesn't match either of %sz, zhostname %r doesn't match %rrz=no appropriate commonName or subjectAltName fields were found) ValueErrorr/r0r. UnicodeErrorAttributeErrorgetr"rr5lenrrmapr )certrr3dnsnamessankeyvaluesubrrrmatch_hostnamebs\          rF)r) __doc__rr*r/ ImportError __version__r:rr"r.r5rFrrrrs   6