o \q@sdZddlmZmZmZddlZddlmZmZm Z m Z m Z m Z m Z ddlmZddlmZddlmZdd lmZmZmZmZmZmZmZmZdd lmZd gZd d Z d dZ!e dZ"ddZ#dS)zL `cryptography.x509 `_-specific code. )absolute_importdivisionprint_functionN)DNSName ExtensionOID IPAddressNameOIDObjectIdentifier OtherNameUniformResourceIdentifier)ExtensionNotFound)decode) IA5String)DNS_IDCertificateError DNSPattern IPAddress_IDIPAddressPattern SRVPattern URIPatternverify_service_identity)SubjectAltNameWarningverify_certificate_hostnamecCtt|t|ggddS)a Verify whether *certificate* is valid for *hostname*. .. note:: Nothing is verified about the *authority* of the certificate; the caller must verify that the certificate chains to an appropriate trust root themselves. :param cryptography.x509.Certificate certificate: A cryptography X509 certificate object. :param unicode hostname: The hostname that *certificate* should be valid for. :raises service_identity.VerificationError: If *certificate* is not valid for *hostname*. :raises service_identity.CertificateError: If *certificate* contains invalid/unexpected data. :returns: ``None``  cert_patternsobligatory_ids optional_idsN)r extract_idsr) certificatehostnamer"?/usr/lib/python3/dist-packages/service_identity/cryptography.pyr&s  cCr)a Verify whether *certificate* is valid for *ip_address*. .. note:: Nothing is verified about the *authority* of the certificate; the caller must verify that the certificate chains to an appropriate trust root themselves. :param cryptography.x509.Certificate certificate: A cryptography X509 certificate object. :param unicode ip_address: The IP address that *connection* should be valid for. Can be an IPv4 or IPv6 address. :raises service_identity.VerificationError: If *certificate* is not valid for *ip_address*. :raises service_identity.CertificateError: If *certificate* contains invalid/unexpected data. :returns: ``None`` .. versionadded:: 18.1.0 rN)rrr)r ip_addressr"r"r#verify_certificate_ip_addressAs  r%z1.3.6.1.5.5.7.8.7cCsg}z |jtj}Wn tyYnSw|dd|jtD|dd|jt D|dd|jt D|jt D]!}|j t krft|j\}}t|trb|t|qEtdqE|sdd|jtjD}tt|d}dd|D}td |t|S) a Extract all valid IDs from a certificate for service verification. If *cert* doesn't contain any identifiers, the ``CN``s are used as DNS-IDs as fallback. :param cryptography.x509.Certificate cert: The certificate to be dissected. :return: List of IDs. cSg|] }t|dqSzutf-8rencode).0namer"r"r# u zextract_ids..cSr&r')rr))r*urir"r"r#r,{r-cSsg|]}t|qSr")r)r*ipr"r"r#r,szUnexpected certificate content.cSsg|]}|jqSr")valuer*nr"r"r#r,ss cSr&r'r(r1r"r"r#r,szCertificate with CN {!r} has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818.) extensionsget_extension_for_oidrSUBJECT_ALTERNATIVE_NAMEr extendr0get_values_for_typerr rr type_id ID_ON_DNS_SRVr isinstancerappendrasOctetsrsubjectget_attributes_for_oidr COMMON_NAMEnextiterwarningswarnformatr)certidsextothersrv_cnscnr"r"r#rasX       r)$__doc__ __future__rrrrBcryptography.x509rrrrr r r cryptography.x509.extensionsr pyasn1.codec.der.decoderr pyasn1.type.charr_commonrrrrrrrr exceptionsr__all__rr%r9rr"r"r"r#s$  (