Source form of the compiled module `/usr/lib/python3/dist-packages/boto/https_connection.py` (boto), reconstructed from its docstrings, names and constants:

```python
"""Extensions to allow HTTPS requests with SSL certificate validation."""

import re
import socket
import ssl

import boto
from boto.compat import six, http_client


class InvalidCertificateException(http_client.HTTPException):
    """Raised when a certificate is provided with an invalid hostname."""

    def __init__(self, host, cert, reason):
        """Constructor.

        Args:
          host: The hostname the connection was made to.
          cert: The SSL certificate (as a dictionary) the host returned.
          reason: Text describing why the certificate was rejected.
        """
        http_client.HTTPException.__init__(self)
        self.host = host
        self.cert = cert
        self.reason = reason

    def __str__(self):
        return ('Host %s returned an invalid certificate (%s): %s' %
                (self.host, self.reason, self.cert))


def GetValidHostsForCert(cert):
    """Returns a list of valid host globs for an SSL certificate.

    Args:
      cert: A dictionary representing an SSL certificate, in the shape
        returned by ssl.SSLSocket.getpeercert().
    Returns:
      list: A list of valid host globs.

    When the certificate carries a subjectAltName extension only its DNS
    entries count and the subject commonName is ignored entirely; IP-address
    and e-mail SAN entries are never considered.
    """
    if 'subjectAltName' in cert:
        return [x[1] for x in cert['subjectAltName'] if x[0].lower() == 'dns']
    return [x[0][1] for x in cert['subject']
            if x[0][0].lower() == 'commonname']


def ValidateCertificateHostname(cert, hostname):
    """Validates that a given hostname is valid for an SSL certificate.

    Args:
      cert: A dictionary representing an SSL certificate.
      hostname: The hostname to test.
    Returns:
      bool: Whether or not the hostname is valid for this certificate.
    """
    hosts = GetValidHostsForCert(cert)
    boto.log.debug(
        "validating server certificate: hostname=%s, certificate hosts=%s",
        hostname, hosts)
    for host in hosts:
        # Escape every regex metacharacter in the certificate name so that a
        # name containing one cannot alter the pattern or raise re.error, then
        # turn each '*' into a match for at most one DNS label. Note that this
        # accepts a wildcard anywhere in the name (e.g. 'f*.example.com' or a
        # bare '*.com'), which is looser than RFC 6125 requires.
        host_re = re.escape(host).replace(r'\*', '[^.]*')
        if re.search('^%s$' % (host_re,), hostname, re.I):
            return True
    return False


class CertValidatingHTTPSConnection(http_client.HTTPConnection):
    """An HTTPConnection that connects over SSL and validates certificates."""

    default_port = http_client.HTTPS_PORT

    def __init__(self, host, port=default_port, key_file=None, cert_file=None,
                 ca_certs=None, strict=None, **kwargs):
        """Constructor.

        Args:
          host: The hostname. Can be in 'host:port' form.
          port: The port. Defaults to 443.
          key_file: A file containing the client's private key.
          cert_file: A file containing the client's certificates.
          ca_certs: A file containing a set of concatenated certificate
            authority certs for validating the server against.
          strict: When true, causes BadStatusLine to be raised if the status
            line can't be parsed as a valid HTTP/1.0 or 1.1 status line.
            Only honoured on Python 2; Python 3 removed the parameter.
        """
        if six.PY2:
            # Python 3 dropped 'strict', so only pass it through on Python 2.
            kwargs['strict'] = strict
        http_client.HTTPConnection.__init__(self, host, port=port, **kwargs)
        self.key_file = key_file
        self.cert_file = cert_file
        self.ca_certs = ca_certs

    def connect(self):
        """Connect to a host on a given (SSL) port."""
        if hasattr(self, 'timeout'):
            sock = socket.create_connection((self.host, self.port),
                                            self.timeout)
        else:
            sock = socket.create_connection((self.host, self.port))
        msg = 'wrapping ssl socket; '
        if self.ca_certs:
            msg += 'CA certificate file=%s' % self.ca_certs
        else:
            msg += 'using system provided SSL certs'
        boto.log.debug(msg)
        # CERT_REQUIRED makes the handshake fail unless the server's chain
        # validates against ca_certs. ssl.wrap_socket() does not load the
        # system CA store on its own (that needs SSLContext.load_default_certs),
        # so an explicit ca_certs bundle is needed for verification to succeed;
        # ssl.wrap_socket() itself was removed in Python 3.12, where an
        # SSLContext with load_verify_locations()/load_cert_chain() replaces it.
        self.sock = ssl.wrap_socket(sock, keyfile=self.key_file,
                                    certfile=self.cert_file,
                                    cert_reqs=ssl.CERT_REQUIRED,
                                    ca_certs=self.ca_certs)
        cert = self.sock.getpeercert()
        # HTTPConnection already separates a ':port' suffix from self.host;
        # the split only matters for callers that assign 'host:port' directly.
        hostname = self.host.split(':', 1)[0]
        if not ValidateCertificateHostname(cert, hostname):
            raise InvalidCertificateException(
                hostname, cert,
                'remote hostname "%s" does not match certificate' % hostname)
```
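The two rules boto's `GetValidHostsForCert` and `ValidateCertificateHostname` apply (DNS SANs take precedence over the commonName, and each `*` matches at most one DNS label) are easiest to see against concrete certificate dictionaries. The block below is an added example, not boto's own code: it re-implements those two rules in self-contained form so it runs without boto, and places a stricter RFC 6125-style checker beside them to show exactly where the permissive wildcard handling diverges. The certificate dictionaries are constructed, in the shape `ssl.SSLSocket.getpeercert()` returns; `strict_match` and its rule set are this example's assumption of what a hardened client would do.

```python
import re

# Constructed certificate dictionaries, in the shape ssl.SSLSocket.getpeercert()
# returns: 'subject' is a tuple of RDNs (each a tuple of (type, value) pairs),
# 'subjectAltName' is a flat tuple of (type, value) pairs.
CERT_WITH_SAN = {
    "subject": ((("commonName", "legacy.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "*.api.example.com"),
                       ("IP Address", "192.0.2.10")),
}
CERT_CN_ONLY = {
    "subject": ((("countryName", "US"),), (("commonName", "*.example.net"),)),
}
# Names no public CA should issue, included to show how each matcher treats them.
CERT_LAX = {
    "subjectAltName": (("DNS", "*.com"), ("DNS", "f*.example.org")),
}


def cert_hosts(cert):
    """Selection rule of boto's GetValidHostsForCert: DNS SAN entries win, and
    the commonName is consulted only when the cert has no subjectAltName."""
    if "subjectAltName" in cert:
        return [v for t, v in cert["subjectAltName"] if t.lower() == "dns"]
    return [v for rdn in cert["subject"] for t, v in rdn
            if t.lower() == "commonname"]


def boto_match(cert, hostname):
    """Wildcard rule of boto's ValidateCertificateHostname: every '*' becomes
    '[^.]*', so it spans at most one DNS label, compared case-insensitively."""
    for host in cert_hosts(cert):
        pattern = re.escape(host).replace(r"\*", "[^.]*")
        if re.fullmatch(pattern, hostname, re.IGNORECASE):
            return True
    return False


def strict_match(cert, hostname):
    """Hardened variant (an assumption of this example, not boto code) after
    RFC 6125 section 6.4.3: a wildcard must be the entire left-most label and
    be followed by at least two more labels; a bare '*' or a partial-label
    wildcard such as 'f*' never matches anything."""
    want = hostname.lower().rstrip(".").split(".")
    for host in cert_hosts(cert):
        labels = host.lower().rstrip(".").split(".")
        if "*" not in host:
            if labels == want:
                return True
            continue
        if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
            continue  # rejects '*', '*.com', 'f*.example.org', 'a.*.example.org'
        if len(want) == len(labels) and want[0] and want[1:] == labels[1:]:
            return True
    return False


if __name__ == "__main__":
    for cert, name in [(CERT_WITH_SAN, "legacy.example.com"),
                       (CERT_WITH_SAN, "v1.api.example.com"),
                       (CERT_WITH_SAN, "a.b.api.example.com"),
                       (CERT_LAX, "example.com"),
                       (CERT_LAX, "foo.example.org")]:
        print("%-22s boto=%-5s strict=%s" % (
            name, boto_match(cert, name), strict_match(cert, name)))
```

Two behaviours are worth noting when reading the results. First, `legacy.example.com` is rejected even though it is the certificate's commonName, because the SAN extension is present and the CN is then ignored; a client that fell back to the CN here would accept names the CA never vouched for. Second, both matchers agree on the well-formed `*.api.example.com`, but only `boto_match` accepts `example.com` against `*.com` and `foo.example.org` against `f*.example.org`; in `connect()` this check runs after the handshake has already enforced `CERT_REQUIRED`, so its permissiveness only matters for names a trusted CA actually signed.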