File Explorer

/proc/thread-self/root/proc/thread-self/root/proc/1/cwd/usr/lib64/python3.9
This explorer reads the filesystem of the server it runs on, so /workspace/user isn't present here. Browsing and the terminal still work against this server's own disk from /.
30 dirs
174 files
ssl.py51.4 KB · 1526 lines
1# Wrapper module for _ssl, providing some additional facilities2# implemented in Python.  Written by Bill Janssen.3 4"""This module provides some more Pythonic support for SSL.5 6Object types:7 8  SSLSocket -- subtype of socket.socket which does SSL over the socket9 10Exceptions:11 12  SSLError -- exception raised for I/O errors13 14Functions:15 16  cert_time_to_seconds -- convert time string used for certificate17                          notBefore and notAfter functions to integer18                          seconds past the Epoch (the time values19                          returned from time.time())20 21  get_server_certificate (addr, ssl_version, ca_certs, timeout) -- Retrieve the22                          certificate from the server at the specified23                          address and return it as a PEM-encoded string24 25 26Integer constants:27 28SSL_ERROR_ZERO_RETURN29SSL_ERROR_WANT_READ30SSL_ERROR_WANT_WRITE31SSL_ERROR_WANT_X509_LOOKUP32SSL_ERROR_SYSCALL33SSL_ERROR_SSL34SSL_ERROR_WANT_CONNECT35 36SSL_ERROR_EOF37SSL_ERROR_INVALID_ERROR_CODE38 39The following group define certificate requirements that one side is40allowing/requiring from the other side:41 42CERT_NONE - no certificates from the other side are required (or will43            be looked at if provided)44CERT_OPTIONAL - certificates are not required, but if provided will be45                validated, and if validation fails, the connection will46                also fail47CERT_REQUIRED - certificates are required, and will be validated, and48                if validation fails, the connection will also fail49 50The following constants identify various SSL protocol variants:51 52PROTOCOL_SSLv253PROTOCOL_SSLv354PROTOCOL_SSLv2355PROTOCOL_TLS56PROTOCOL_TLS_CLIENT57PROTOCOL_TLS_SERVER58PROTOCOL_TLSv159PROTOCOL_TLSv1_160PROTOCOL_TLSv1_261 62The following constants identify various SSL alert message descriptions as per63http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-664 65ALERT_DESCRIPTION_CLOSE_NOTIFY66ALERT_DESCRIPTION_UNEXPECTED_MESSAGE67ALERT_DESCRIPTION_BAD_RECORD_MAC68ALERT_DESCRIPTION_RECORD_OVERFLOW69ALERT_DESCRIPTION_DECOMPRESSION_FAILURE70ALERT_DESCRIPTION_HANDSHAKE_FAILURE71ALERT_DESCRIPTION_BAD_CERTIFICATE72ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE73ALERT_DESCRIPTION_CERTIFICATE_REVOKED74ALERT_DESCRIPTION_CERTIFICATE_EXPIRED75ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN76ALERT_DESCRIPTION_ILLEGAL_PARAMETER77ALERT_DESCRIPTION_UNKNOWN_CA78ALERT_DESCRIPTION_ACCESS_DENIED79ALERT_DESCRIPTION_DECODE_ERROR80ALERT_DESCRIPTION_DECRYPT_ERROR81ALERT_DESCRIPTION_PROTOCOL_VERSION82ALERT_DESCRIPTION_INSUFFICIENT_SECURITY83ALERT_DESCRIPTION_INTERNAL_ERROR84ALERT_DESCRIPTION_USER_CANCELLED85ALERT_DESCRIPTION_NO_RENEGOTIATION86ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION87ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE88ALERT_DESCRIPTION_UNRECOGNIZED_NAME89ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE90ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE91ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY92"""93 94import sys95import os96from collections import namedtuple97from enum import Enum as _Enum, IntEnum as _IntEnum, IntFlag as _IntFlag98 99import _ssl             # if we can't import it, let the error propagate100 101from _ssl import OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_INFO, OPENSSL_VERSION102from _ssl import _SSLContext, MemoryBIO, SSLSession103from _ssl import (104    SSLError, SSLZeroReturnError, SSLWantReadError, SSLWantWriteError,105    SSLSyscallError, SSLEOFError, SSLCertVerificationError106    )107from _ssl import txt2obj as _txt2obj, nid2obj as _nid2obj108from _ssl import RAND_status, RAND_add, RAND_bytes, RAND_pseudo_bytes109try:110    from _ssl import RAND_egd111except ImportError:112    # LibreSSL does not provide RAND_egd113    pass114 115 116from _ssl import (117    HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_SSLv2, HAS_SSLv3, HAS_TLSv1,118    HAS_TLSv1_1, HAS_TLSv1_2, HAS_TLSv1_3119)120from _ssl import _DEFAULT_CIPHERS, _OPENSSL_API_VERSION121 122 123_IntEnum._convert_(124    '_SSLMethod', __name__,125    lambda name: name.startswith('PROTOCOL_') and name != 'PROTOCOL_SSLv23',126    source=_ssl)127 128_IntFlag._convert_(129    'Options', __name__,130    lambda name: name.startswith('OP_'),131    source=_ssl)132 133_IntEnum._convert_(134    'AlertDescription', __name__,135    lambda name: name.startswith('ALERT_DESCRIPTION_'),136    source=_ssl)137 138_IntEnum._convert_(139    'SSLErrorNumber', __name__,140    lambda name: name.startswith('SSL_ERROR_'),141    source=_ssl)142 143_IntFlag._convert_(144    'VerifyFlags', __name__,145    lambda name: name.startswith('VERIFY_'),146    source=_ssl)147 148_IntEnum._convert_(149    'VerifyMode', __name__,150    lambda name: name.startswith('CERT_'),151    source=_ssl)152 153PROTOCOL_SSLv23 = _SSLMethod.PROTOCOL_SSLv23 = _SSLMethod.PROTOCOL_TLS154_PROTOCOL_NAMES = {value: name for name, value in _SSLMethod.__members__.items()}155 156_SSLv2_IF_EXISTS = getattr(_SSLMethod, 'PROTOCOL_SSLv2', None)157 158 159class TLSVersion(_IntEnum):160    MINIMUM_SUPPORTED = _ssl.PROTO_MINIMUM_SUPPORTED161    SSLv3 = _ssl.PROTO_SSLv3162    TLSv1 = _ssl.PROTO_TLSv1163    TLSv1_1 = _ssl.PROTO_TLSv1_1164    TLSv1_2 = _ssl.PROTO_TLSv1_2165    TLSv1_3 = _ssl.PROTO_TLSv1_3166    MAXIMUM_SUPPORTED = _ssl.PROTO_MAXIMUM_SUPPORTED167 168 169class _TLSContentType(_IntEnum):170    """Content types (record layer)171 172    See RFC 8446, section B.1173    """174    CHANGE_CIPHER_SPEC = 20175    ALERT = 21176    HANDSHAKE = 22177    APPLICATION_DATA = 23178    # pseudo content types179    HEADER = 0x100180    INNER_CONTENT_TYPE = 0x101181 182 183class _TLSAlertType(_IntEnum):184    """Alert types for TLSContentType.ALERT messages185 186    See RFC 8466, section B.2187    """188    CLOSE_NOTIFY = 0189    UNEXPECTED_MESSAGE = 10190    BAD_RECORD_MAC = 20191    DECRYPTION_FAILED = 21192    RECORD_OVERFLOW = 22193    DECOMPRESSION_FAILURE = 30194    HANDSHAKE_FAILURE = 40195    NO_CERTIFICATE = 41196    BAD_CERTIFICATE = 42197    UNSUPPORTED_CERTIFICATE = 43198    CERTIFICATE_REVOKED = 44199    CERTIFICATE_EXPIRED = 45200    CERTIFICATE_UNKNOWN = 46201    ILLEGAL_PARAMETER = 47202    UNKNOWN_CA = 48203    ACCESS_DENIED = 49204    DECODE_ERROR = 50205    DECRYPT_ERROR = 51206    EXPORT_RESTRICTION = 60207    PROTOCOL_VERSION = 70208    INSUFFICIENT_SECURITY = 71209    INTERNAL_ERROR = 80210    INAPPROPRIATE_FALLBACK = 86211    USER_CANCELED = 90212    NO_RENEGOTIATION = 100213    MISSING_EXTENSION = 109214    UNSUPPORTED_EXTENSION = 110215    CERTIFICATE_UNOBTAINABLE = 111216    UNRECOGNIZED_NAME = 112217    BAD_CERTIFICATE_STATUS_RESPONSE = 113218    BAD_CERTIFICATE_HASH_VALUE = 114219    UNKNOWN_PSK_IDENTITY = 115220    CERTIFICATE_REQUIRED = 116221    NO_APPLICATION_PROTOCOL = 120222 223 224class _TLSMessageType(_IntEnum):225    """Message types (handshake protocol)226 227    See RFC 8446, section B.3228    """229    HELLO_REQUEST = 0230    CLIENT_HELLO = 1231    SERVER_HELLO = 2232    HELLO_VERIFY_REQUEST = 3233    NEWSESSION_TICKET = 4234    END_OF_EARLY_DATA = 5235    HELLO_RETRY_REQUEST = 6236    ENCRYPTED_EXTENSIONS = 8237    CERTIFICATE = 11238    SERVER_KEY_EXCHANGE = 12239    CERTIFICATE_REQUEST = 13240    SERVER_DONE = 14241    CERTIFICATE_VERIFY = 15242    CLIENT_KEY_EXCHANGE = 16243    FINISHED = 20244    CERTIFICATE_URL = 21245    CERTIFICATE_STATUS = 22246    SUPPLEMENTAL_DATA = 23247    KEY_UPDATE = 24248    NEXT_PROTO = 67249    MESSAGE_HASH = 254250    CHANGE_CIPHER_SPEC = 0x0101251 252 253if sys.platform == "win32":254    from _ssl import enum_certificates, enum_crls255 256from socket import socket, SOCK_STREAM, create_connection257from socket import SOL_SOCKET, SO_TYPE258import socket as _socket259import base64        # for DER-to-PEM translation260import errno261import warnings262 263 264socket_error = OSError  # keep that public name in module namespace265 266CHANNEL_BINDING_TYPES = ['tls-unique']267 268HAS_NEVER_CHECK_COMMON_NAME = hasattr(_ssl, 'HOSTFLAG_NEVER_CHECK_SUBJECT')269 270 271_RESTRICTED_SERVER_CIPHERS = _DEFAULT_CIPHERS272 273CertificateError = SSLCertVerificationError274 275 276def _dnsname_match(dn, hostname):277    """Matching according to RFC 6125, section 6.4.3278 279    - Hostnames are compared lower case.280    - For IDNA, both dn and hostname must be encoded as IDN A-label (ACE).281    - Partial wildcards like 'www*.example.org', multiple wildcards, sole282      wildcard or wildcards in labels other then the left-most label are not283      supported and a CertificateError is raised.284    - A wildcard must match at least one character.285    """286    if not dn:287        return False288 289    wildcards = dn.count('*')290    # speed up common case w/o wildcards291    if not wildcards:292        return dn.lower() == hostname.lower()293 294    if wildcards > 1:295        raise CertificateError(296            "too many wildcards in certificate DNS name: {!r}.".format(dn))297 298    dn_leftmost, sep, dn_remainder = dn.partition('.')299 300    if '*' in dn_remainder:301        # Only match wildcard in leftmost segment.302        raise CertificateError(303            "wildcard can only be present in the leftmost label: "304            "{!r}.".format(dn))305 306    if not sep:307        # no right side308        raise CertificateError(309            "sole wildcard without additional labels are not support: "310            "{!r}.".format(dn))311 312    if dn_leftmost != '*':313        # no partial wildcard matching314        raise CertificateError(315            "partial wildcards in leftmost label are not supported: "316            "{!r}.".format(dn))317 318    hostname_leftmost, sep, hostname_remainder = hostname.partition('.')319    if not hostname_leftmost or not sep:320        # wildcard must match at least one char321        return False322    return dn_remainder.lower() == hostname_remainder.lower()323 324 325def _inet_paton(ipname):326    """Try to convert an IP address to packed binary form327 328    Supports IPv4 addresses on all platforms and IPv6 on platforms with IPv6329    support.330    """331    # inet_aton() also accepts strings like '1', '127.1', some also trailing332    # data like '127.0.0.1 whatever'.333    try:334        addr = _socket.inet_aton(ipname)335    except OSError:336        # not an IPv4 address337        pass338    else:339        if _socket.inet_ntoa(addr) == ipname:340            # only accept injective ipnames341            return addr342        else:343            # refuse for short IPv4 notation and additional trailing data344            raise ValueError(345                "{!r} is not a quad-dotted IPv4 address.".format(ipname)346            )347 348    try:349        return _socket.inet_pton(_socket.AF_INET6, ipname)350    except OSError:351        raise ValueError("{!r} is neither an IPv4 nor an IP6 "352                         "address.".format(ipname))353    except AttributeError:354        # AF_INET6 not available355        pass356 357    raise ValueError("{!r} is not an IPv4 address.".format(ipname))358 359 360def _ipaddress_match(cert_ipaddress, host_ip):361    """Exact matching of IP addresses.362 363    RFC 6125 explicitly doesn't define an algorithm for this364    (section 1.7.2 - "Out of Scope").365    """366    # OpenSSL may add a trailing newline to a subjectAltName's IP address,367    # commonly woth IPv6 addresses. Strip off trailing \n.368    ip = _inet_paton(cert_ipaddress.rstrip())369    return ip == host_ip370 371 372def match_hostname(cert, hostname):373    """Verify that *cert* (in decoded format as returned by374    SSLSocket.getpeercert()) matches the *hostname*.  RFC 2818 and RFC 6125375    rules are followed.376 377    The function matches IP addresses rather than dNSNames if hostname is a378    valid ipaddress string. IPv4 addresses are supported on all platforms.379    IPv6 addresses are supported on platforms with IPv6 support (AF_INET6380    and inet_pton).381 382    CertificateError is raised on failure. On success, the function383    returns nothing.384    """385    if not cert:386        raise ValueError("empty or no certificate, match_hostname needs a "387                         "SSL socket or SSL context with either "388                         "CERT_OPTIONAL or CERT_REQUIRED")389    try:390        host_ip = _inet_paton(hostname)391    except ValueError:392        # Not an IP address (common case)393        host_ip = None394    dnsnames = []395    san = cert.get('subjectAltName', ())396    for key, value in san:397        if key == 'DNS':398            if host_ip is None and _dnsname_match(value, hostname):399                return400            dnsnames.append(value)401        elif key == 'IP Address':402            if host_ip is not None and _ipaddress_match(value, host_ip):403                return404            dnsnames.append(value)405    if not dnsnames:406        # The subject is only checked when there is no dNSName entry407        # in subjectAltName408        for sub in cert.get('subject', ()):409            for key, value in sub:410                # XXX according to RFC 2818, the most specific Common Name411                # must be used.412                if key == 'commonName':413                    if _dnsname_match(value, hostname):414                        return415                    dnsnames.append(value)416    if len(dnsnames) > 1:417        raise CertificateError("hostname %r "418            "doesn't match either of %s"419            % (hostname, ', '.join(map(repr, dnsnames))))420    elif len(dnsnames) == 1:421        raise CertificateError("hostname %r "422            "doesn't match %r"423            % (hostname, dnsnames[0]))424    else:425        raise CertificateError("no appropriate commonName or "426            "subjectAltName fields were found")427 428 429DefaultVerifyPaths = namedtuple("DefaultVerifyPaths",430    "cafile capath openssl_cafile_env openssl_cafile openssl_capath_env "431    "openssl_capath")432 433def get_default_verify_paths():434    """Return paths to default cafile and capath.435    """436    parts = _ssl.get_default_verify_paths()437 438    # environment vars shadow paths439    cafile = os.environ.get(parts[0], parts[1])440    capath = os.environ.get(parts[2], parts[3])441 442    return DefaultVerifyPaths(cafile if os.path.isfile(cafile) else None,443                              capath if os.path.isdir(capath) else None,444                              *parts)445 446 447class _ASN1Object(namedtuple("_ASN1Object", "nid shortname longname oid")):448    """ASN.1 object identifier lookup449    """450    __slots__ = ()451 452    def __new__(cls, oid):453        return super().__new__(cls, *_txt2obj(oid, name=False))454 455    @classmethod456    def fromnid(cls, nid):457        """Create _ASN1Object from OpenSSL numeric ID458        """459        return super().__new__(cls, *_nid2obj(nid))460 461    @classmethod462    def fromname(cls, name):463        """Create _ASN1Object from short name, long name or OID464        """465        return super().__new__(cls, *_txt2obj(name, name=True))466 467 468class Purpose(_ASN1Object, _Enum):469    """SSLContext purpose flags with X509v3 Extended Key Usage objects470    """471    SERVER_AUTH = '1.3.6.1.5.5.7.3.1'472    CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'473 474 475class SSLContext(_SSLContext):476    """An SSLContext holds various SSL-related configuration options and477    data, such as certificates and possibly a private key."""478    _windows_cert_stores = ("CA", "ROOT")479 480    sslsocket_class = None  # SSLSocket is assigned later.481    sslobject_class = None  # SSLObject is assigned later.482 483    def __new__(cls, protocol=PROTOCOL_TLS, *args, **kwargs):484        self = _SSLContext.__new__(cls, protocol)485        return self486 487    def _encode_hostname(self, hostname):488        if hostname is None:489            return None490        elif isinstance(hostname, str):491            return hostname.encode('idna').decode('ascii')492        else:493            return hostname.decode('ascii')494 495    def wrap_socket(self, sock, server_side=False,496                    do_handshake_on_connect=True,497                    suppress_ragged_eofs=True,498                    server_hostname=None, session=None):499        # SSLSocket class handles server_hostname encoding before it calls500        # ctx._wrap_socket()501        return self.sslsocket_class._create(502            sock=sock,503            server_side=server_side,504            do_handshake_on_connect=do_handshake_on_connect,505            suppress_ragged_eofs=suppress_ragged_eofs,506            server_hostname=server_hostname,507            context=self,508            session=session509        )510 511    def wrap_bio(self, incoming, outgoing, server_side=False,512                 server_hostname=None, session=None):513        # Need to encode server_hostname here because _wrap_bio() can only514        # handle ASCII str.515        return self.sslobject_class._create(516            incoming, outgoing, server_side=server_side,517            server_hostname=self._encode_hostname(server_hostname),518            session=session, context=self,519        )520 521    def set_npn_protocols(self, npn_protocols):522        protos = bytearray()523        if not npn_protocols:524            raise SSLError('NPN protocols must not be empty')525        for protocol in npn_protocols:526            b = bytes(protocol, 'ascii')527            if len(b) == 0 or len(b) > 255:528                raise SSLError('NPN protocols must be 1 to 255 in length')529            protos.append(len(b))530            protos.extend(b)531 532        self._set_npn_protocols(protos)533 534    def set_servername_callback(self, server_name_callback):535        if server_name_callback is None:536            self.sni_callback = None537        else:538            if not callable(server_name_callback):539                raise TypeError("not a callable object")540 541            def shim_cb(sslobj, servername, sslctx):542                servername = self._encode_hostname(servername)543                return server_name_callback(sslobj, servername, sslctx)544 545            self.sni_callback = shim_cb546 547    def set_alpn_protocols(self, alpn_protocols):548        protos = bytearray()549        for protocol in alpn_protocols:550            b = bytes(protocol, 'ascii')551            if len(b) == 0 or len(b) > 255:552                raise SSLError('ALPN protocols must be 1 to 255 in length')553            protos.append(len(b))554            protos.extend(b)555 556        self._set_alpn_protocols(protos)557 558    def _load_windows_store_certs(self, storename, purpose):559        certs = bytearray()560        try:561            for cert, encoding, trust in enum_certificates(storename):562                # CA certs are never PKCS#7 encoded563                if encoding == "x509_asn":564                    if trust is True or purpose.oid in trust:565                        certs.extend(cert)566        except PermissionError:567            warnings.warn("unable to enumerate Windows certificate store")568        if certs:569            self.load_verify_locations(cadata=certs)570        return certs571 572    def load_default_certs(self, purpose=Purpose.SERVER_AUTH):573        if not isinstance(purpose, _ASN1Object):574            raise TypeError(purpose)575        if sys.platform == "win32":576            for storename in self._windows_cert_stores:577                self._load_windows_store_certs(storename, purpose)578        self.set_default_verify_paths()579 580    if hasattr(_SSLContext, 'minimum_version'):581        @property582        def minimum_version(self):583            return TLSVersion(super().minimum_version)584 585        @minimum_version.setter586        def minimum_version(self, value):587            if value == TLSVersion.SSLv3:588                self.options &= ~Options.OP_NO_SSLv3589            super(SSLContext, SSLContext).minimum_version.__set__(self, value)590 591        @property592        def maximum_version(self):593            return TLSVersion(super().maximum_version)594 595        @maximum_version.setter596        def maximum_version(self, value):597            super(SSLContext, SSLContext).maximum_version.__set__(self, value)598 599    @property600    def options(self):601        return Options(super().options)602 603    @options.setter604    def options(self, value):605        super(SSLContext, SSLContext).options.__set__(self, value)606 607    if hasattr(_ssl, 'HOSTFLAG_NEVER_CHECK_SUBJECT'):608        @property609        def hostname_checks_common_name(self):610            ncs = self._host_flags & _ssl.HOSTFLAG_NEVER_CHECK_SUBJECT611            return ncs != _ssl.HOSTFLAG_NEVER_CHECK_SUBJECT612 613        @hostname_checks_common_name.setter614        def hostname_checks_common_name(self, value):615            if value:616                self._host_flags &= ~_ssl.HOSTFLAG_NEVER_CHECK_SUBJECT617            else:618                self._host_flags |= _ssl.HOSTFLAG_NEVER_CHECK_SUBJECT619    else:620        @property621        def hostname_checks_common_name(self):622            return True623 624    @property625    def _msg_callback(self):626        """TLS message callback627 628        The message callback provides a debugging hook to analyze TLS629        connections. The callback is called for any TLS protocol message630        (header, handshake, alert, and more), but not for application data.631        Due to technical  limitations, the callback can't be used to filter632        traffic or to abort a connection. Any exception raised in the633        callback is delayed until the handshake, read, or write operation634        has been performed.635 636        def msg_cb(conn, direction, version, content_type, msg_type, data):637            pass638 639        conn640            :class:`SSLSocket` or :class:`SSLObject` instance641        direction642            ``read`` or ``write``643        version644            :class:`TLSVersion` enum member or int for unknown version. For a645            frame header, it's the header version.646        content_type647            :class:`_TLSContentType` enum member or int for unsupported648            content type.649        msg_type650            Either a :class:`_TLSContentType` enum number for a header651            message, a :class:`_TLSAlertType` enum member for an alert652            message, a :class:`_TLSMessageType` enum member for other653            messages, or int for unsupported message types.654        data655            Raw, decrypted message content as bytes656        """657        inner = super()._msg_callback658        if inner is not None:659            return inner.user_function660        else:661            return None662 663    @_msg_callback.setter664    def _msg_callback(self, callback):665        if callback is None:666            super(SSLContext, SSLContext)._msg_callback.__set__(self, None)667            return668 669        if not hasattr(callback, '__call__'):670            raise TypeError(f"{callback} is not callable.")671 672        def inner(conn, direction, version, content_type, msg_type, data):673            try:674                version = TLSVersion(version)675            except ValueError:676                pass677 678            try:679                content_type = _TLSContentType(content_type)680            except ValueError:681                pass682 683            if content_type == _TLSContentType.HEADER:684                msg_enum = _TLSContentType685            elif content_type == _TLSContentType.ALERT:686                msg_enum = _TLSAlertType687            else:688                msg_enum = _TLSMessageType689            try:690                msg_type = msg_enum(msg_type)691            except ValueError:692                pass693 694            return callback(conn, direction, version,695                            content_type, msg_type, data)696 697        inner.user_function = callback698 699        super(SSLContext, SSLContext)._msg_callback.__set__(self, inner)700 701    @property702    def protocol(self):703        return _SSLMethod(super().protocol)704 705    @property706    def verify_flags(self):707        return VerifyFlags(super().verify_flags)708 709    @verify_flags.setter710    def verify_flags(self, value):711        super(SSLContext, SSLContext).verify_flags.__set__(self, value)712 713    @property714    def verify_mode(self):715        value = super().verify_mode716        try:717            return VerifyMode(value)718        except ValueError:719            return value720 721    @verify_mode.setter722    def verify_mode(self, value):723        super(SSLContext, SSLContext).verify_mode.__set__(self, value)724 725 726def create_default_context(purpose=Purpose.SERVER_AUTH, *, cafile=None,727                           capath=None, cadata=None):728    """Create a SSLContext object with default settings.729 730    NOTE: The protocol and settings may change anytime without prior731          deprecation. The values represent a fair balance between maximum732          compatibility and security.733    """734    if not isinstance(purpose, _ASN1Object):735        raise TypeError(purpose)736 737    # SSLContext sets OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION,738    # OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE and OP_SINGLE_ECDH_USE739    # by default.740    context = SSLContext(PROTOCOL_TLS)741 742    if purpose == Purpose.SERVER_AUTH:743        # verify certs and host name in client mode744        context.verify_mode = CERT_REQUIRED745        context.check_hostname = True746 747    if cafile or capath or cadata:748        context.load_verify_locations(cafile, capath, cadata)749    elif context.verify_mode != CERT_NONE:750        # no explicit cafile, capath or cadata but the verify mode is751        # CERT_OPTIONAL or CERT_REQUIRED. Let's try to load default system752        # root CA certificates for the given purpose. This may fail silently.753        context.load_default_certs(purpose)754    # OpenSSL 1.1.1 keylog file755    if hasattr(context, 'keylog_filename'):756        keylogfile = os.environ.get('SSLKEYLOGFILE')757        if keylogfile and not sys.flags.ignore_environment:758            context.keylog_filename = keylogfile759    return context760 761def _create_unverified_context(protocol=PROTOCOL_TLS, *, cert_reqs=CERT_NONE,762                           check_hostname=False, purpose=Purpose.SERVER_AUTH,763                           certfile=None, keyfile=None,764                           cafile=None, capath=None, cadata=None):765    """Create a SSLContext object for Python stdlib modules766 767    All Python stdlib modules shall use this function to create SSLContext768    objects in order to keep common settings in one place. The configuration769    is less restrict than create_default_context()'s to increase backward770    compatibility.771    """772    if not isinstance(purpose, _ASN1Object):773        raise TypeError(purpose)774 775    # SSLContext sets OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION,776    # OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE and OP_SINGLE_ECDH_USE777    # by default.778    context = SSLContext(protocol)779 780    if not check_hostname:781        context.check_hostname = False782    if cert_reqs is not None:783        context.verify_mode = cert_reqs784    if check_hostname:785        context.check_hostname = True786 787    if keyfile and not certfile:788        raise ValueError("certfile must be specified")789    if certfile or keyfile:790        context.load_cert_chain(certfile, keyfile)791 792    # load CA root certs793    if cafile or capath or cadata:794        context.load_verify_locations(cafile, capath, cadata)795    elif context.verify_mode != CERT_NONE:796        # no explicit cafile, capath or cadata but the verify mode is797        # CERT_OPTIONAL or CERT_REQUIRED. Let's try to load default system798        # root CA certificates for the given purpose. This may fail silently.799        context.load_default_certs(purpose)800    # OpenSSL 1.1.1 keylog file801    if hasattr(context, 'keylog_filename'):802        keylogfile = os.environ.get('SSLKEYLOGFILE')803        if keylogfile and not sys.flags.ignore_environment:804            context.keylog_filename = keylogfile805    return context806 807# Used by http.client if no context is explicitly passed.808_create_default_https_context = create_default_context809 810 811# Backwards compatibility alias, even though it's not a public name.812_create_stdlib_context = _create_unverified_context813 814 815class SSLObject:816    """This class implements an interface on top of a low-level SSL object as817    implemented by OpenSSL. This object captures the state of an SSL connection818    but does not provide any network IO itself. IO needs to be performed819    through separate "BIO" objects which are OpenSSL's IO abstraction layer.820 821    This class does not have a public constructor. Instances are returned by822    ``SSLContext.wrap_bio``. This class is typically used by framework authors823    that want to implement asynchronous IO for SSL through memory buffers.824 825    When compared to ``SSLSocket``, this object lacks the following features:826 827     * Any form of network IO, including methods such as ``recv`` and ``send``.828     * The ``do_handshake_on_connect`` and ``suppress_ragged_eofs`` machinery.829    """830    def __init__(self, *args, **kwargs):831        raise TypeError(832            f"{self.__class__.__name__} does not have a public "833            f"constructor. Instances are returned by SSLContext.wrap_bio()."834        )835 836    @classmethod837    def _create(cls, incoming, outgoing, server_side=False,838                 server_hostname=None, session=None, context=None):839        self = cls.__new__(cls)840        sslobj = context._wrap_bio(841            incoming, outgoing, server_side=server_side,842            server_hostname=server_hostname,843            owner=self, session=session844        )845        self._sslobj = sslobj846        return self847 848    @property849    def context(self):850        """The SSLContext that is currently in use."""851        return self._sslobj.context852 853    @context.setter854    def context(self, ctx):855        self._sslobj.context = ctx856 857    @property858    def session(self):859        """The SSLSession for client socket."""860        return self._sslobj.session861 862    @session.setter863    def session(self, session):864        self._sslobj.session = session865 866    @property867    def session_reused(self):868        """Was the client session reused during handshake"""869        return self._sslobj.session_reused870 871    @property872    def server_side(self):873        """Whether this is a server-side socket."""874        return self._sslobj.server_side875 876    @property877    def server_hostname(self):878        """The currently set server hostname (for SNI), or ``None`` if no879        server hostname is set."""880        return self._sslobj.server_hostname881 882    def read(self, len=1024, buffer=None):883        """Read up to 'len' bytes from the SSL object and return them.884 885        If 'buffer' is provided, read into this buffer and return the number of886        bytes read.887        """888        if buffer is not None:889            v = self._sslobj.read(len, buffer)890        else:891            v = self._sslobj.read(len)892        return v893 894    def write(self, data):895        """Write 'data' to the SSL object and return the number of bytes896        written.897 898        The 'data' argument must support the buffer interface.899        """900        return self._sslobj.write(data)901 902    def getpeercert(self, binary_form=False):903        """Returns a formatted version of the data in the certificate provided904        by the other end of the SSL channel.905 906        Return None if no certificate was provided, {} if a certificate was907        provided, but not validated.908        """909        return self._sslobj.getpeercert(binary_form)910 911    def selected_npn_protocol(self):912        """Return the currently selected NPN protocol as a string, or ``None``913        if a next protocol was not negotiated or if NPN is not supported by one914        of the peers."""915        if _ssl.HAS_NPN:916            return self._sslobj.selected_npn_protocol()917 918    def selected_alpn_protocol(self):919        """Return the currently selected ALPN protocol as a string, or ``None``920        if a next protocol was not negotiated or if ALPN is not supported by one921        of the peers."""922        if _ssl.HAS_ALPN:923            return self._sslobj.selected_alpn_protocol()924 925    def cipher(self):926        """Return the currently selected cipher as a 3-tuple ``(name,927        ssl_version, secret_bits)``."""928        return self._sslobj.cipher()929 930    def shared_ciphers(self):931        """Return a list of ciphers shared by the client during the handshake or932        None if this is not a valid server connection.933        """934        return self._sslobj.shared_ciphers()935 936    def compression(self):937        """Return the current compression algorithm in use, or ``None`` if938        compression was not negotiated or not supported by one of the peers."""939        return self._sslobj.compression()940 941    def pending(self):942        """Return the number of bytes that can be read immediately."""943        return self._sslobj.pending()944 945    def do_handshake(self):946        """Start the SSL/TLS handshake."""947        self._sslobj.do_handshake()948 949    def unwrap(self):950        """Start the SSL shutdown handshake."""951        return self._sslobj.shutdown()952 953    def get_channel_binding(self, cb_type="tls-unique"):954        """Get channel binding data for current connection.  Raise ValueError955        if the requested `cb_type` is not supported.  Return bytes of the data956        or None if the data is not available (e.g. before the handshake)."""957        return self._sslobj.get_channel_binding(cb_type)958 959    def version(self):960        """Return a string identifying the protocol version used by the961        current SSL channel. """962        return self._sslobj.version()963 964    def verify_client_post_handshake(self):965        return self._sslobj.verify_client_post_handshake()966 967 968def _sslcopydoc(func):969    """Copy docstring from SSLObject to SSLSocket"""970    func.__doc__ = getattr(SSLObject, func.__name__).__doc__971    return func972 973 974class SSLSocket(socket):975    """This class implements a subtype of socket.socket that wraps976    the underlying OS socket in an SSL context when necessary, and977    provides read and write methods over that channel. """978 979    def __init__(self, *args, **kwargs):980        raise TypeError(981            f"{self.__class__.__name__} does not have a public "982            f"constructor. Instances are returned by "983            f"SSLContext.wrap_socket()."984        )985 986    @classmethod987    def _create(cls, sock, server_side=False, do_handshake_on_connect=True,988                suppress_ragged_eofs=True, server_hostname=None,989                context=None, session=None):990        if sock.getsockopt(SOL_SOCKET, SO_TYPE) != SOCK_STREAM:991            raise NotImplementedError("only stream sockets are supported")992        if server_side:993            if server_hostname:994                raise ValueError("server_hostname can only be specified "995                                 "in client mode")996            if session is not None:997                raise ValueError("session can only be specified in "998                                 "client mode")999        if context.check_hostname and not server_hostname:1000            raise ValueError("check_hostname requires server_hostname")1001 1002        kwargs = dict(1003            family=sock.family, type=sock.type, proto=sock.proto,1004            fileno=sock.fileno()1005        )1006        self = cls.__new__(cls, **kwargs)1007        super(SSLSocket, self).__init__(**kwargs)1008        sock_timeout = sock.gettimeout()1009        sock.detach()1010 1011        self._context = context1012        self._session = session1013        self._closed = False1014        self._sslobj = None1015        self.server_side = server_side1016        self.server_hostname = context._encode_hostname(server_hostname)1017        self.do_handshake_on_connect = do_handshake_on_connect1018        self.suppress_ragged_eofs = suppress_ragged_eofs1019 1020        # See if we are connected1021        try:1022            self.getpeername()1023        except OSError as e:1024            if e.errno != errno.ENOTCONN:1025                raise1026            connected = False1027            blocking = self.getblocking()1028            self.setblocking(False)1029            try:1030                # We are not connected so this is not supposed to block, but1031                # testing revealed otherwise on macOS and Windows so we do1032                # the non-blocking dance regardless. Our raise when any data1033                # is found means consuming the data is harmless.1034                notconn_pre_handshake_data = self.recv(1)1035            except OSError as e:1036                # EINVAL occurs for recv(1) on non-connected on unix sockets.1037                if e.errno not in (errno.ENOTCONN, errno.EINVAL):1038                    raise1039                notconn_pre_handshake_data = b''1040            self.setblocking(blocking)1041            if notconn_pre_handshake_data:1042                # This prevents pending data sent to the socket before it was1043                # closed from escaping to the caller who could otherwise1044                # presume it came through a successful TLS connection.1045                reason = "Closed before TLS handshake with data in recv buffer."1046                notconn_pre_handshake_data_error = SSLError(e.errno, reason)1047                # Add the SSLError attributes that _ssl.c always adds.1048                notconn_pre_handshake_data_error.reason = reason1049                notconn_pre_handshake_data_error.library = None1050                try:1051                    self.close()1052                except OSError:1053                    pass1054                try:1055                    raise notconn_pre_handshake_data_error1056                finally:1057                    # Explicitly break the reference cycle.1058                    notconn_pre_handshake_data_error = None1059        else:1060            connected = True1061 1062        self.settimeout(sock_timeout)  # Must come after setblocking() calls.1063        self._connected = connected1064        if connected:1065            # create the SSL object1066            try:1067                self._sslobj = self._context._wrap_socket(1068                    self, server_side, self.server_hostname,1069                    owner=self, session=self._session,1070                )1071                if do_handshake_on_connect:1072                    timeout = self.gettimeout()1073                    if timeout == 0.0:1074                        # non-blocking1075                        raise ValueError("do_handshake_on_connect should not be specified for non-blocking sockets")1076                    self.do_handshake()1077            except (OSError, ValueError):1078                self.close()1079                raise1080        return self1081 1082    @property1083    @_sslcopydoc1084    def context(self):1085        return self._context1086 1087    @context.setter1088    def context(self, ctx):1089        self._context = ctx1090        self._sslobj.context = ctx1091 1092    @property1093    @_sslcopydoc1094    def session(self):1095        if self._sslobj is not None:1096            return self._sslobj.session1097 1098    @session.setter1099    def session(self, session):1100        self._session = session1101        if self._sslobj is not None:1102            self._sslobj.session = session1103 1104    @property1105    @_sslcopydoc1106    def session_reused(self):1107        if self._sslobj is not None:1108            return self._sslobj.session_reused1109 1110    def dup(self):1111        raise NotImplementedError("Can't dup() %s instances" %1112                                  self.__class__.__name__)1113 1114    def _checkClosed(self, msg=None):1115        # raise an exception here if you wish to check for spurious closes1116        pass1117 1118    def _check_connected(self):1119        if not self._connected:1120            # getpeername() will raise ENOTCONN if the socket is really1121            # not connected; note that we can be connected even without1122            # _connected being set, e.g. if connect() first returned1123            # EAGAIN.1124            self.getpeername()1125 1126    def read(self, len=1024, buffer=None):1127        """Read up to LEN bytes and return them.1128        Return zero-length string on EOF."""1129 1130        self._checkClosed()1131        if self._sslobj is None:1132            raise ValueError("Read on closed or unwrapped SSL socket.")1133        try:1134            if buffer is not None:1135                return self._sslobj.read(len, buffer)1136            else:1137                return self._sslobj.read(len)1138        except SSLError as x:1139            if x.args[0] == SSL_ERROR_EOF and self.suppress_ragged_eofs:1140                if buffer is not None:1141                    return 01142                else:1143                    return b''1144            else:1145                raise1146 1147    def write(self, data):1148        """Write DATA to the underlying SSL channel.  Returns1149        number of bytes of DATA actually transmitted."""1150 1151        self._checkClosed()1152        if self._sslobj is None:1153            raise ValueError("Write on closed or unwrapped SSL socket.")1154        return self._sslobj.write(data)1155 1156    @_sslcopydoc1157    def getpeercert(self, binary_form=False):1158        self._checkClosed()1159        self._check_connected()1160        return self._sslobj.getpeercert(binary_form)1161 1162    @_sslcopydoc1163    def selected_npn_protocol(self):1164        self._checkClosed()1165        if self._sslobj is None or not _ssl.HAS_NPN:1166            return None1167        else:1168            return self._sslobj.selected_npn_protocol()1169 1170    @_sslcopydoc1171    def selected_alpn_protocol(self):1172        self._checkClosed()1173        if self._sslobj is None or not _ssl.HAS_ALPN:1174            return None1175        else:1176            return self._sslobj.selected_alpn_protocol()1177 1178    @_sslcopydoc1179    def cipher(self):1180        self._checkClosed()1181        if self._sslobj is None:1182            return None1183        else:1184            return self._sslobj.cipher()1185 1186    @_sslcopydoc1187    def shared_ciphers(self):1188        self._checkClosed()1189        if self._sslobj is None:1190            return None1191        else:1192            return self._sslobj.shared_ciphers()1193 1194    @_sslcopydoc1195    def compression(self):1196        self._checkClosed()1197        if self._sslobj is None:1198            return None1199        else:1200            return self._sslobj.compression()1201 1202    def send(self, data, flags=0):1203        self._checkClosed()1204        if self._sslobj is not None:1205            if flags != 0:1206                raise ValueError(1207                    "non-zero flags not allowed in calls to send() on %s" %1208                    self.__class__)1209            return self._sslobj.write(data)1210        else:1211            return super().send(data, flags)1212 1213    def sendto(self, data, flags_or_addr, addr=None):1214        self._checkClosed()1215        if self._sslobj is not None:1216            raise ValueError("sendto not allowed on instances of %s" %1217                             self.__class__)1218        elif addr is None:1219            return super().sendto(data, flags_or_addr)1220        else:1221            return super().sendto(data, flags_or_addr, addr)1222 1223    def sendmsg(self, *args, **kwargs):1224        # Ensure programs don't send data unencrypted if they try to1225        # use this method.1226        raise NotImplementedError("sendmsg not allowed on instances of %s" %1227                                  self.__class__)1228 1229    def sendall(self, data, flags=0):1230        self._checkClosed()1231        if self._sslobj is not None:1232            if flags != 0:1233                raise ValueError(1234                    "non-zero flags not allowed in calls to sendall() on %s" %1235                    self.__class__)1236            count = 01237            with memoryview(data) as view, view.cast("B") as byte_view:1238                amount = len(byte_view)1239                while count < amount:1240                    v = self.send(byte_view[count:])1241                    count += v1242        else:1243            return super().sendall(data, flags)1244 1245    def sendfile(self, file, offset=0, count=None):1246        """Send a file, possibly by using os.sendfile() if this is a1247        clear-text socket.  Return the total number of bytes sent.1248        """1249        if self._sslobj is not None:1250            return self._sendfile_use_send(file, offset, count)1251        else:1252            # os.sendfile() works with plain sockets only1253            return super().sendfile(file, offset, count)1254 1255    def recv(self, buflen=1024, flags=0):1256        self._checkClosed()1257        if self._sslobj is not None:1258            if flags != 0:1259                raise ValueError(1260                    "non-zero flags not allowed in calls to recv() on %s" %1261                    self.__class__)1262            return self.read(buflen)1263        else:1264            return super().recv(buflen, flags)1265 1266    def recv_into(self, buffer, nbytes=None, flags=0):1267        self._checkClosed()1268        if buffer and (nbytes is None):1269            nbytes = len(buffer)1270        elif nbytes is None:1271            nbytes = 10241272        if self._sslobj is not None:1273            if flags != 0:1274                raise ValueError(1275                  "non-zero flags not allowed in calls to recv_into() on %s" %1276                  self.__class__)1277            return self.read(nbytes, buffer)1278        else:1279            return super().recv_into(buffer, nbytes, flags)1280 1281    def recvfrom(self, buflen=1024, flags=0):1282        self._checkClosed()1283        if self._sslobj is not None:1284            raise ValueError("recvfrom not allowed on instances of %s" %1285                             self.__class__)1286        else:1287            return super().recvfrom(buflen, flags)1288 1289    def recvfrom_into(self, buffer, nbytes=None, flags=0):1290        self._checkClosed()1291        if self._sslobj is not None:1292            raise ValueError("recvfrom_into not allowed on instances of %s" %1293                             self.__class__)1294        else:1295            return super().recvfrom_into(buffer, nbytes, flags)1296 1297    def recvmsg(self, *args, **kwargs):1298        raise NotImplementedError("recvmsg not allowed on instances of %s" %1299                                  self.__class__)1300 1301    def recvmsg_into(self, *args, **kwargs):1302        raise NotImplementedError("recvmsg_into not allowed on instances of "1303                                  "%s" % self.__class__)1304 1305    @_sslcopydoc1306    def pending(self):1307        self._checkClosed()1308        if self._sslobj is not None:1309            return self._sslobj.pending()1310        else:1311            return 01312 1313    def shutdown(self, how):1314        self._checkClosed()1315        self._sslobj = None1316        super().shutdown(how)1317 1318    @_sslcopydoc1319    def unwrap(self):1320        if self._sslobj:1321            s = self._sslobj.shutdown()1322            self._sslobj = None1323            return s1324        else:1325            raise ValueError("No SSL wrapper around " + str(self))1326 1327    @_sslcopydoc1328    def verify_client_post_handshake(self):1329        if self._sslobj:1330            return self._sslobj.verify_client_post_handshake()1331        else:1332            raise ValueError("No SSL wrapper around " + str(self))1333 1334    def _real_close(self):1335        self._sslobj = None1336        super()._real_close()1337 1338    @_sslcopydoc1339    def do_handshake(self, block=False):1340        self._check_connected()1341        timeout = self.gettimeout()1342        try:1343            if timeout == 0.0 and block:1344                self.settimeout(None)1345            self._sslobj.do_handshake()1346        finally:1347            self.settimeout(timeout)1348 1349    def _real_connect(self, addr, connect_ex):1350        if self.server_side:1351            raise ValueError("can't connect in server-side mode")1352        # Here we assume that the socket is client-side, and not1353        # connected at the time of the call.  We connect it, then wrap it.1354        if self._connected or self._sslobj is not None:1355            raise ValueError("attempt to connect already-connected SSLSocket!")1356        self._sslobj = self.context._wrap_socket(1357            self, False, self.server_hostname,1358            owner=self, session=self._session1359        )1360        try:1361            if connect_ex:1362                rc = super().connect_ex(addr)1363            else:1364                rc = None1365                super().connect(addr)1366            if not rc:1367                self._connected = True1368                if self.do_handshake_on_connect:1369                    self.do_handshake()1370            return rc1371        except (OSError, ValueError):1372            self._sslobj = None1373            raise1374 1375    def connect(self, addr):1376        """Connects to remote ADDR, and then wraps the connection in1377        an SSL channel."""1378        self._real_connect(addr, False)1379 1380    def connect_ex(self, addr):1381        """Connects to remote ADDR, and then wraps the connection in1382        an SSL channel."""1383        return self._real_connect(addr, True)1384 1385    def accept(self):1386        """Accepts a new connection from a remote client, and returns1387        a tuple containing that new connection wrapped with a server-side1388        SSL channel, and the address of the remote client."""1389 1390        newsock, addr = super().accept()1391        newsock = self.context.wrap_socket(newsock,1392                    do_handshake_on_connect=self.do_handshake_on_connect,1393                    suppress_ragged_eofs=self.suppress_ragged_eofs,1394                    server_side=True)1395        return newsock, addr1396 1397    @_sslcopydoc1398    def get_channel_binding(self, cb_type="tls-unique"):1399        if self._sslobj is not None:1400            return self._sslobj.get_channel_binding(cb_type)1401        else:1402            if cb_type not in CHANNEL_BINDING_TYPES:1403                raise ValueError(1404                    "{0} channel binding type not implemented".format(cb_type)1405                )1406            return None1407 1408    @_sslcopydoc1409    def version(self):1410        if self._sslobj is not None:1411            return self._sslobj.version()1412        else:1413            return None1414 1415 1416# Python does not support forward declaration of types.1417SSLContext.sslsocket_class = SSLSocket1418SSLContext.sslobject_class = SSLObject1419 1420 1421def wrap_socket(sock, keyfile=None, certfile=None,1422                server_side=False, cert_reqs=CERT_NONE,1423                ssl_version=PROTOCOL_TLS, ca_certs=None,1424                do_handshake_on_connect=True,1425                suppress_ragged_eofs=True,1426                ciphers=None):1427 1428    if server_side and not certfile:1429        raise ValueError("certfile must be specified for server-side "1430                         "operations")1431    if keyfile and not certfile:1432        raise ValueError("certfile must be specified")1433    context = SSLContext(ssl_version)1434    context.verify_mode = cert_reqs1435    if ca_certs:1436        context.load_verify_locations(ca_certs)1437    if certfile:1438        context.load_cert_chain(certfile, keyfile)1439    if ciphers:1440        context.set_ciphers(ciphers)1441    return context.wrap_socket(1442        sock=sock, server_side=server_side,1443        do_handshake_on_connect=do_handshake_on_connect,1444        suppress_ragged_eofs=suppress_ragged_eofs1445    )1446 1447# some utility functions1448 1449def cert_time_to_seconds(cert_time):1450    """Return the time in seconds since the Epoch, given the timestring1451    representing the "notBefore" or "notAfter" date from a certificate1452    in ``"%b %d %H:%M:%S %Y %Z"`` strptime format (C locale).1453 1454    "notBefore" or "notAfter" dates must use UTC (RFC 5280).1455 1456    Month is one of: Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec1457    UTC should be specified as GMT (see ASN1_TIME_print())1458    """1459    from time import strptime1460    from calendar import timegm1461 1462    months = (1463        "Jan","Feb","Mar","Apr","May","Jun",1464        "Jul","Aug","Sep","Oct","Nov","Dec"1465    )1466    time_format = ' %d %H:%M:%S %Y GMT' # NOTE: no month, fixed GMT1467    try:1468        month_number = months.index(cert_time[:3].title()) + 11469    except ValueError:1470        raise ValueError('time data %r does not match '1471                         'format "%%b%s"' % (cert_time, time_format))1472    else:1473        # found valid month1474        tt = strptime(cert_time[3:], time_format)1475        # return an integer, the previous mktime()-based implementation1476        # returned a float (fractional seconds are always zero here).1477        return timegm((tt[0], month_number) + tt[2:6])1478 1479PEM_HEADER = "-----BEGIN CERTIFICATE-----"1480PEM_FOOTER = "-----END CERTIFICATE-----"1481 1482def DER_cert_to_PEM_cert(der_cert_bytes):1483    """Takes a certificate in binary DER format and returns the1484    PEM version of it as a string."""1485 1486    f = str(base64.standard_b64encode(der_cert_bytes), 'ASCII', 'strict')1487    ss = [PEM_HEADER]1488    ss += [f[i:i+64] for i in range(0, len(f), 64)]1489    ss.append(PEM_FOOTER + '\n')1490    return '\n'.join(ss)1491 1492def PEM_cert_to_DER_cert(pem_cert_string):1493    """Takes a certificate in ASCII PEM format and returns the1494    DER-encoded version of it as a byte sequence"""1495 1496    if not pem_cert_string.startswith(PEM_HEADER):1497        raise ValueError("Invalid PEM encoding; must start with %s"1498                         % PEM_HEADER)1499    if not pem_cert_string.strip().endswith(PEM_FOOTER):1500        raise ValueError("Invalid PEM encoding; must end with %s"1501                         % PEM_FOOTER)1502    d = pem_cert_string.strip()[len(PEM_HEADER):-len(PEM_FOOTER)]1503    return base64.decodebytes(d.encode('ASCII', 'strict'))1504 1505def get_server_certificate(addr, ssl_version=PROTOCOL_TLS, ca_certs=None):1506    """Retrieve the certificate from the server at the specified address,1507    and return it as a PEM-encoded string.1508    If 'ca_certs' is specified, validate the server cert against it.1509    If 'ssl_version' is specified, use it in the connection attempt."""1510 1511    host, port = addr1512    if ca_certs is not None:1513        cert_reqs = CERT_REQUIRED1514    else:1515        cert_reqs = CERT_NONE1516    context = _create_stdlib_context(ssl_version,1517                                     cert_reqs=cert_reqs,1518                                     cafile=ca_certs)1519    with  create_connection(addr) as sock:1520        with context.wrap_socket(sock) as sslsock:1521            dercert = sslsock.getpeercert(True)1522    return DER_cert_to_PEM_cert(dercert)1523 1524def get_protocol_name(protocol_code):1525    return _PROTOCOL_NAMES.get(protocol_code, '<unknown>')1526