oscrypto/trust_list.py (compiled module: the docstrings, names and string constants below are what survived extraction; function bodies are summarised from those constants)

Source path recorded in the bytecode: /opt/nydus/tmp/pip-target-53d1vnqk/lib/python/oscrypto/trust_list.py

Imports: os, sys, time, tempfile, threading; armor and Certificate (from oscrypto._asn1, i.e. asn1crypto); pretty_message (oscrypto._errors); CACertsError (oscrypto.errors). The platform back end is chosen at import time on sys.platform:

    'win32'   -> oscrypto._win.trust_list
    'darwin'  -> oscrypto._mac.trust_list
    otherwise -> oscrypto._linux_bsd.trust_list

Each back end supplies extract_from_system() and system_path().

__all__ = ['clear_cache', 'get_list', 'get_path']

Module state: path_lock and memory_lock (threading.Lock()), and _module_values = {'last_update': None, 'certs': None}.

_oid_map (vendor purpose OID -> list of generic RFC purpose OIDs):

    '1.2.840.113635.100.1.8'  -> ['1.3.6.1.5.5.7.3.4']
    '1.2.840.113635.100.1.16' -> ['1.3.6.1.5.5.7.3.3']
    '1.2.840.113635.100.1.20' -> ['1.3.6.1.5.5.7.3.8']
    '1.3.6.1.4.1.311.10.3.2'  -> ['1.3.6.1.5.5.7.3.8']
    '1.2.840.113635.100.1.3'  -> ['1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2']
    '1.2.840.113635.100.1.9'  -> ['1.3.6.1.5.5.7.3.13', '1.3.6.1.5.5.7.3.14']
    '1.2.840.113635.100.1.11' -> ['1.3.6.1.5.5.7.3.5', '1.3.6.1.5.5.7.3.6', '1.3.6.1.5.5.7.3.7', '1.3.6.1.5.5.7.3.17']


get_path(temp_dir, cache_length, cert_callback)

    Get the filesystem path to a file that contains OpenSSL-compatible CA
    certs.

    On OS X and Windows, they are extracted from the system certificate store
    and cached in a file on the filesystem. This path should not be writable
    by other users, otherwise they could inject CA certs into the trust list.

    :param temp_dir:
        The temporary directory to cache the CA certs in on OS X and Windows.
        Needs to have secure permissions so other users can not modify the
        contents.

    :param cache_length:
        The number of hours to cache the CA certs on OS X and Windows

    :param cert_callback:
        A callback that is called once for each certificate in the trust
        store. It should accept two parameters: an asn1crypto.x509.Certificate
        object, and a reason. The reason will be None if the certificate is
        being exported, otherwise it will be a unicode string of the reason it
        won't. This is only called on Windows and OS X when passed to this
        function.

    :raises:
        oscrypto.errors.CACertsError - when an error occurs exporting/locating
        certs

    :return:
        The full filesystem path to a CA certs file

    Behaviour recovered from the constants in the compiled body: the path comes
    from _ca_path(temp_dir); when it is a temporary file and
    _cached_path_needs_update(ca_path, cache_length) is true, the file is
    rewritten under path_lock, opened with mode 'wb'. Locals named any_purpose
    ('2.5.29.37.0', the anyExtendedKeyUsage OID), apple_ssl
    ('1.2.840.113635.100.1.3') and win_server_auth ('1.3.6.1.5.5.7.3.1') are
    compared against each certificate's trust and reject OID sets on 'darwin'
    and 'win32'; a certificate can be reported to cert_callback as
    'implicitly distrusted for TLS' or 'explicitly distrusted for TLS' and is
    then not written. Each remaining certificate is written PEM-armored with the
    label 'CERTIFICATE'. If nothing was written, CACertsError('No CA certs
    found') is raised.


get_list(cache_length, map_vendor_oids, cert_callback)

    Retrieves (and caches in memory) the list of CA certs from the OS. Includes
    trust information from the OS - purposes the certificate should be trusted
    or rejected for.

    Trust information is encoded via object identifiers (OIDs) that are sourced
    from various RFCs and vendors (Apple and Microsoft). This trust information
    augments what is in the certificate itself. Any OID that is in the set of
    trusted purposes indicates the certificate has been explicitly trusted for
    a purpose beyond the extended key purpose extension. Any OID in the reject
    set is a purpose that the certificate should not be trusted for, even if
    present in the extended key purpose extension.

    *A list of common trust OIDs can be found as part of the `KeyPurposeId()`
    class in the `asn1crypto.x509` module of the `asn1crypto` package.*

    :param cache_length:
        The number of hours to cache the CA certs in memory before they are
        refreshed

    :param map_vendor_oids:
        A bool indicating if the following mapping of OIDs should happen for
        trust information from the OS trust list:

        - 1.2.840.113635.100.1.3 (apple_ssl) -> 1.3.6.1.5.5.7.3.1 (server_auth)
        - 1.2.840.113635.100.1.3 (apple_ssl) -> 1.3.6.1.5.5.7.3.2 (client_auth)
        - 1.2.840.113635.100.1.8 (apple_smime) -> 1.3.6.1.5.5.7.3.4 (email_protection)
        - 1.2.840.113635.100.1.9 (apple_eap) -> 1.3.6.1.5.5.7.3.13 (eap_over_ppp)
        - 1.2.840.113635.100.1.9 (apple_eap) -> 1.3.6.1.5.5.7.3.14 (eap_over_lan)
        - 1.2.840.113635.100.1.11 (apple_ipsec) -> 1.3.6.1.5.5.7.3.5 (ipsec_end_system)
        - 1.2.840.113635.100.1.11 (apple_ipsec) -> 1.3.6.1.5.5.7.3.6 (ipsec_tunnel)
        - 1.2.840.113635.100.1.11 (apple_ipsec) -> 1.3.6.1.5.5.7.3.7 (ipsec_user)
        - 1.2.840.113635.100.1.11 (apple_ipsec) -> 1.3.6.1.5.5.7.3.17 (ipsec_ike)
        - 1.2.840.113635.100.1.16 (apple_code_signing) -> 1.3.6.1.5.5.7.3.3 (code_signing)
        - 1.2.840.113635.100.1.20 (apple_time_stamping) -> 1.3.6.1.5.5.7.3.8 (time_stamping)
        - 1.3.6.1.4.1.311.10.3.2 (microsoft_time_stamp_signing) -> 1.3.6.1.5.5.7.3.8 (time_stamping)

    :param cert_callback:
        A callback that is called once for each certificate in the trust
        store. It should accept two parameters: an asn1crypto.x509.Certificate
        object, and a reason. The reason will be None if the certificate is
        being exported, otherwise it will be a unicode string of the reason it
        won't.

    :raises:
        oscrypto.errors.CACertsError - when an error occurs exporting/locating
        certs

    :return:
        A (copied) list of 3-element tuples containing CA certs from the OS
        trust list:

        - 0: an asn1crypto.x509.Certificate object
        - 1: a set of unicode strings of OIDs of trusted purposes
        - 2: a set of unicode strings of OIDs of rejected purposes

    Behaviour recovered from the compiled body: when
    _in_memory_up_to_date(cache_length) is false, the list is rebuilt under
    memory_lock from extract_from_system(cert_callback); when map_vendor_oids
    is set, both the trust and reject sets pass through _map_oids() before the
    (Certificate.load(cert_bytes), trust_oids, reject_oids) tuple is appended.
    The result is stored in _module_values['certs'] with
    _module_values['last_update'] = time.time(), and a copy (list(...)) is
    returned.


clear_cache(temp_dir)

    Clears any cached info that was exported from the OS trust store. This will
    ensure the latest changes are returned from calls to get_list() and
    get_path(), but at the expense of re-exporting and parsing all
    certificates.

    :param temp_dir:
        The temporary directory to cache the CA certs in on OS X and Windows.
        Needs to have secure permissions so other users can not modify the
        contents. Must be the same value passed to get_path().

    Behaviour recovered from the compiled body: under memory_lock both
    _module_values['last_update'] and _module_values['certs'] are reset to
    None; then, if _ca_path(temp_dir) reports a temporary file, it is removed
    under path_lock when os.path.exists() says it is present.


_ca_path(temp_dir)

    Returns the file path to the CA certs file

    :param temp_dir:
        The temporary directory to cache the CA certs in on OS X and Windows.
        Needs to have secure permissions so other users can not modify the
        contents.

    :return:
        A 2-element tuple:
         - 0: A unicode string of the file path
         - 1: A bool if the file is a temporary file

    Behaviour recovered from the compiled body: system_path() is tried first;
    when it returns None, temp_dir defaults to tempfile.gettempdir(), must be a
    directory (otherwise CACertsError with the message 'The temp dir specified,
    "%s", is not a directory'), and the path becomes
    os.path.join(temp_dir, 'oscrypto-ca-bundle.crt') flagged True; a system path
    is returned flagged False.


_map_oids(oids)

    Takes a set of unicode string OIDs and converts vendor-specific OIDs into
    generic OIDs from RFCs.

    - 1.2.840.113635.100.1.3 (apple_ssl) -> 1.3.6.1.5.5.7.3.1 (server_auth)
    - 1.2.840.113635.100.1.3 (apple_ssl) -> 1.3.6.1.5.5.7.3.2 (client_auth)
    - 1.2.840.113635.100.1.8 (apple_smime) -> 1.3.6.1.5.5.7.3.4 (email_protection)
    - 1.2.840.113635.100.1.9 (apple_eap) -> 1.3.6.1.5.5.7.3.13 (eap_over_ppp)
    - 1.2.840.113635.100.1.9 (apple_eap) -> 1.3.6.1.5.5.7.3.14 (eap_over_lan)
    - 1.2.840.113635.100.1.11 (apple_ipsec) -> 1.3.6.1.5.5.7.3.5 (ipsec_end_system)
    - 1.2.840.113635.100.1.11 (apple_ipsec) -> 1.3.6.1.5.5.7.3.6 (ipsec_tunnel)
    - 1.2.840.113635.100.1.11 (apple_ipsec) -> 1.3.6.1.5.5.7.3.7 (ipsec_user)
    - 1.2.840.113635.100.1.11 (apple_ipsec) -> 1.3.6.1.5.5.7.3.17 (ipsec_ike)
    - 1.2.840.113635.100.1.16 (apple_code_signing) -> 1.3.6.1.5.5.7.3.3 (code_signing)
    - 1.2.840.113635.100.1.20 (apple_time_stamping) -> 1.3.6.1.5.5.7.3.8 (time_stamping)
    - 1.3.6.1.4.1.311.10.3.2 (microsoft_time_stamp_signing) -> 1.3.6.1.5.5.7.3.8 (time_stamping)

    :param oids:
        A set of unicode strings

    :return:
        The original set of OIDs with any mapped OIDs added

    Behaviour recovered from the compiled body: a new set is built from
    _oid_map[oid] for every oid present in _oid_map, and the union of the
    input set with that new set is returned.


_cached_path_needs_update(ca_path, cache_length) and _in_memory_up_to_date(cache_length)

    Docstrings not recovered. From the names and the calls visible in the
    bytecode (os.path.exists, os.stat, time.time, _module_values['last_update']
    and ['certs']) they decide whether the on-disk bundle, respectively the
    in-memory list, is missing or older than cache_length hours.
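The two decisions the docstrings describe, the vendor-to-generic OID mapping of get_list()/_map_oids() and the per-platform TLS trust filter whose constants ('2.5.29.37.0', apple_ssl, win_server_auth, the two "distrusted for TLS" reasons) appear in get_path(), are shown below as an added, stand-alone example. It is not oscrypto's own code: the constants and the _oid_map contents are taken from the page, but the exact filtering rule in tls_trust_decision() is an assumption modelled on those constants, the sample trust entries are constructed (labels stand in for DER bytes), and bundle_permissions_ok() is an added POSIX check for the docstring's caveat that the cached bundle must not be writable by other users.

```python
import os
import stat
import tempfile

# Constants taken from the page; the names follow the module's locals.
ANY_PURPOSE = '2.5.29.37.0'            # anyExtendedKeyUsage
APPLE_SSL = '1.2.840.113635.100.1.3'   # Apple trust-setting purpose for SSL
WIN_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'  # id-kp-serverAuth, checked on Windows

# Vendor purpose OID -> generic RFC purpose OIDs (contents of the page's _oid_map).
OID_MAP = {
    '1.2.840.113635.100.1.8': ['1.3.6.1.5.5.7.3.4'],
    '1.2.840.113635.100.1.16': ['1.3.6.1.5.5.7.3.3'],
    '1.2.840.113635.100.1.20': ['1.3.6.1.5.5.7.3.8'],
    '1.3.6.1.4.1.311.10.3.2': ['1.3.6.1.5.5.7.3.8'],
    '1.2.840.113635.100.1.3': ['1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'],
    '1.2.840.113635.100.1.9': ['1.3.6.1.5.5.7.3.13', '1.3.6.1.5.5.7.3.14'],
    '1.2.840.113635.100.1.11': ['1.3.6.1.5.5.7.3.5', '1.3.6.1.5.5.7.3.6',
                                '1.3.6.1.5.5.7.3.7', '1.3.6.1.5.5.7.3.17'],
}


def map_vendor_oids(oids):
    """Return a new set: the input OIDs plus the generic OIDs each vendor OID maps to."""
    mapped = set()
    for oid in oids:
        mapped.update(OID_MAP.get(oid, ()))
    return set(oids) | mapped


def tls_trust_decision(platform, trust_oids, reject_oids):
    """Decide whether a root with these OS trust settings belongs in a TLS bundle.

    Returns None when the certificate should be exported, otherwise the reason
    string a cert_callback would receive. The rule is an assumption modelled on
    the page's constants:
      - only 'darwin' and 'win32' carry per-purpose trust settings; elsewhere export
      - a non-empty trust set naming neither any-purpose nor the platform's SSL
        purpose OID is 'implicitly distrusted for TLS'
      - a reject set naming the SSL purpose or any-purpose is 'explicitly
        distrusted for TLS'
    The raw platform OID is checked, not the mapped generic one.
    """
    if platform == 'darwin':
        ssl_oid = APPLE_SSL
    elif platform == 'win32':
        ssl_oid = WIN_SERVER_AUTH
    else:
        return None
    if trust_oids and ANY_PURPOSE not in trust_oids and ssl_oid not in trust_oids:
        return 'implicitly distrusted for TLS'
    if reject_oids and (ssl_oid in reject_oids or ANY_PURPOSE in reject_oids):
        return 'explicitly distrusted for TLS'
    return None


def filter_for_tls(platform, entries):
    """Split (label, trust_oids, reject_oids) entries into exported labels and
    (label, reason) pairs for the ones a TLS bundle must leave out."""
    exported, skipped = [], []
    for label, trust_oids, reject_oids in entries:
        reason = tls_trust_decision(platform, trust_oids, reject_oids)
        if reason is None:
            exported.append(label)
        else:
            skipped.append((label, reason))
    return exported, skipped


def bundle_permissions_ok(path):
    """POSIX check for the docstring's caveat: a cached bundle writable by other
    users lets them inject a CA. Require no group/other write bit and our own uid."""
    st = os.stat(path)
    if stat.S_IMODE(st.st_mode) & 0o022:
        return False
    if hasattr(os, 'getuid') and st.st_uid != os.getuid():
        return False
    return True


def demo_permission_check():
    """Create an empty bundle in a private temp dir with a safe, then an unsafe, mode."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, 'oscrypto-ca-bundle.crt')
        with open(path, 'wb'):
            pass
        os.chmod(path, 0o600)
        safe = bundle_permissions_ok(path)
        os.chmod(path, 0o666)
        unsafe = bundle_permissions_ok(path)
    return safe, unsafe


# Constructed trust-store entries (labels stand in for DER bytes; not real data).
SAMPLE_TRUST_ENTRIES = [
    ('root-no-explicit-settings', set(), set()),
    ('root-any-purpose', {ANY_PURPOSE}, set()),
    ('root-apple-ssl-only', {APPLE_SSL}, set()),
    ('root-smime-only', {'1.2.840.113635.100.1.8'}, set()),
    ('root-ssl-rejected', set(), {APPLE_SSL}),
    ('root-win-server-auth', {WIN_SERVER_AUTH}, set()),
]


if __name__ == '__main__':
    for plat in ('darwin', 'win32'):
        exported, skipped = filter_for_tls(plat, SAMPLE_TRUST_ENTRIES)
        print(plat, 'exported:', exported)
        for label, reason in skipped:
            print(plat, 'skipped:', label, '-', reason)
    print('permission check (safe, unsafe):', demo_permission_check())
```

Running the sample on 'darwin' versus 'win32' shows why the filter checks the raw platform OID: a root trusted only via the Apple SSL purpose is exported on macOS but implicitly distrusted on Windows, and a root whose reject set names only the Apple purpose still passes the Windows check, since Windows looks for the generic serverAuth OID. The mapping step in get_list() happens after extraction and does not influence which roots land in the on-disk bundle.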