bioproject_to_srr_2: urllib3/util/ssl

comparison urllib3/util/ssl_.py @ 7:5eb2d5e3bf22

planemo upload for repository https://toolrepo.galaxytrakr.org/view/jpayne/bioproject_to_srr_2/556cac4fb538

author	jpayne
date	Sun, 05 May 2024 23:32:17 -0400
parents
children

comparison

equal deleted inserted replaced

-:b2745907b1eb
+:5eb2d5e3bf22
+from __future__ import annotations
+import hmac
+import os
+import socket
+import sys
+import typing
+import warnings
+from binascii import unhexlify
+from hashlib import md5, sha1, sha256
+from ..exceptions import ProxySchemeUnsupported, SSLError
+from .url import _BRACELESS_IPV6_ADDRZ_RE, _IPV4_RE
+SSLContext = None
+SSLTransport = None
+HAS_NEVER_CHECK_COMMON_NAME = False
+IS_PYOPENSSL = False
+ALPN_PROTOCOLS = ["http/1.1"]
+_TYPE_VERSION_INFO = typing.Tuple[int, int, int, str, int]
+# Maps the length of a digest to a possible hash function producing this digest
+HASHFUNC_MAP = {32: md5, 40: sha1, 64: sha256}
+def _is_bpo_43522_fixed(
+implementation_name: str,
+version_info: _TYPE_VERSION_INFO,
+pypy_version_info: _TYPE_VERSION_INFO | None,
+) -> bool:
+"""Return True for CPython 3.8.9+, 3.9.3+ or 3.10+ and PyPy 7.3.8+ where
+setting SSLContext.hostname_checks_common_name to False works.
+Outside of CPython and PyPy we don't know which implementations work
+or not so we conservatively use our hostname matching as we know that works
+on all implementations.
+https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
+https://foss.heptapod.net/pypy/pypy/-/issues/3539
+"""
+if implementation_name == "pypy":
+# https://foss.heptapod.net/pypy/pypy/-/issues/3129
+return pypy_version_info >= (7, 3, 8)  # type: ignore[operator]
+elif implementation_name == "cpython":
+major_minor = version_info[:2]
+micro = version_info[2]
+return (
+(major_minor == (3, 8) and micro >= 9)
+or (major_minor == (3, 9) and micro >= 3)
+or major_minor >= (3, 10)
+)
+else:  # Defensive:
+return False
+def _is_has_never_check_common_name_reliable(
+openssl_version: str,
+openssl_version_number: int,
+implementation_name: str,
+version_info: _TYPE_VERSION_INFO,
+pypy_version_info: _TYPE_VERSION_INFO | None,
+) -> bool:
+# As of May 2023, all released versions of LibreSSL fail to reject certificates with
+# only common names, see https://github.com/urllib3/urllib3/pull/3024
+is_openssl = openssl_version.startswith("OpenSSL ")
+# Before fixing OpenSSL issue #14579, the SSL_new() API was not copying hostflags
+# like X509_CHECK_FLAG_NEVER_CHECK_SUBJECT, which tripped up CPython.
+# https://github.com/openssl/openssl/issues/14579
+# This was released in OpenSSL 1.1.1l+ (>=0x101010cf)
+is_openssl_issue_14579_fixed = openssl_version_number >= 0x101010CF
+return is_openssl and (
+is_openssl_issue_14579_fixed
+or _is_bpo_43522_fixed(implementation_name, version_info, pypy_version_info)
+)
+if typing.TYPE_CHECKING:
+from ssl import VerifyMode
+from typing import Literal, TypedDict
+from .ssltransport import SSLTransport as SSLTransportType
+class _TYPE_PEER_CERT_RET_DICT(TypedDict, total=False):
+subjectAltName: tuple[tuple[str, str], ...]
+subject: tuple[tuple[tuple[str, str], ...], ...]
+serialNumber: str
+# Mapping from 'ssl.PROTOCOL_TLSX' to 'TLSVersion.X'
+_SSL_VERSION_TO_TLS_VERSION: dict[int, int] = {}
+try:  # Do we have ssl at all?
+import ssl
+from ssl import (  # type: ignore[assignment]
+CERT_REQUIRED,
+HAS_NEVER_CHECK_COMMON_NAME,
+OP_NO_COMPRESSION,
+OP_NO_TICKET,
+OPENSSL_VERSION,
+OPENSSL_VERSION_NUMBER,
+PROTOCOL_TLS,
+PROTOCOL_TLS_CLIENT,
+OP_NO_SSLv2,
+OP_NO_SSLv3,
+SSLContext,
+TLSVersion,
+)
+PROTOCOL_SSLv23 = PROTOCOL_TLS
+# Setting SSLContext.hostname_checks_common_name = False didn't work before CPython
+# 3.8.9, 3.9.3, and 3.10 (but OK on PyPy) or OpenSSL 1.1.1l+
+if HAS_NEVER_CHECK_COMMON_NAME and not _is_has_never_check_common_name_reliable(
+OPENSSL_VERSION,
+OPENSSL_VERSION_NUMBER,
+sys.implementation.name,
+sys.version_info,
+sys.pypy_version_info if sys.implementation.name == "pypy" else None,  # type: ignore[attr-defined]
+):
+HAS_NEVER_CHECK_COMMON_NAME = False
+# Need to be careful here in case old TLS versions get
+# removed in future 'ssl' module implementations.
+for attr in ("TLSv1", "TLSv1_1", "TLSv1_2"):
+try:
+_SSL_VERSION_TO_TLS_VERSION[getattr(ssl, f"PROTOCOL_{attr}")] = getattr(
+TLSVersion, attr
+)
+except AttributeError:  # Defensive:
+continue
+from .ssltransport import SSLTransport  # type: ignore[assignment]
+except ImportError:
+OP_NO_COMPRESSION = 0x20000  # type: ignore[assignment]
+OP_NO_TICKET = 0x4000  # type: ignore[assignment]
+OP_NO_SSLv2 = 0x1000000  # type: ignore[assignment]
+OP_NO_SSLv3 = 0x2000000  # type: ignore[assignment]
+PROTOCOL_SSLv23 = PROTOCOL_TLS = 2  # type: ignore[assignment]
+PROTOCOL_TLS_CLIENT = 16  # type: ignore[assignment]
+_TYPE_PEER_CERT_RET = typing.Union["_TYPE_PEER_CERT_RET_DICT", bytes, None]
+def assert_fingerprint(cert: bytes | None, fingerprint: str) -> None:
+"""
+Checks if given fingerprint matches the supplied certificate.
+:param cert:
+Certificate as bytes object.
+:param fingerprint:
+Fingerprint as string of hexdigits, can be interspersed by colons.
+"""
+if cert is None:
+raise SSLError("No certificate for the peer.")
+fingerprint = fingerprint.replace(":", "").lower()
+digest_length = len(fingerprint)
+hashfunc = HASHFUNC_MAP.get(digest_length)
+if not hashfunc:
+raise SSLError(f"Fingerprint of invalid length: {fingerprint}")
+# We need encode() here for py32; works on py2 and p33.
+fingerprint_bytes = unhexlify(fingerprint.encode())
+cert_digest = hashfunc(cert).digest()
+if not hmac.compare_digest(cert_digest, fingerprint_bytes):
+raise SSLError(
+f'Fingerprints did not match. Expected "{fingerprint}", got "{cert_digest.hex()}"'
+)
+def resolve_cert_reqs(candidate: None | int | str) -> VerifyMode:
+"""
+Resolves the argument to a numeric constant, which can be passed to
+the wrap_socket function/method from the ssl module.
+Defaults to :data:`ssl.CERT_REQUIRED`.
+If given a string it is assumed to be the name of the constant in the
+:mod:`ssl` module or its abbreviation.
+(So you can specify `REQUIRED` instead of `CERT_REQUIRED`.
+If it's neither `None` nor a string we assume it is already the numeric
+constant which can directly be passed to wrap_socket.
+"""
+if candidate is None:
+return CERT_REQUIRED
+if isinstance(candidate, str):
+res = getattr(ssl, candidate, None)
+if res is None:
+res = getattr(ssl, "CERT_" + candidate)
+return res  # type: ignore[no-any-return]
+return candidate  # type: ignore[return-value]
+def resolve_ssl_version(candidate: None | int | str) -> int:
+"""
+like resolve_cert_reqs
+"""
+if candidate is None:
+return PROTOCOL_TLS
+if isinstance(candidate, str):
+res = getattr(ssl, candidate, None)
+if res is None:
+res = getattr(ssl, "PROTOCOL_" + candidate)
+return typing.cast(int, res)
+return candidate
+def create_urllib3_context(
+ssl_version: int | None = None,
+cert_reqs: int | None = None,
+options: int | None = None,
+ciphers: str | None = None,
+ssl_minimum_version: int | None = None,
+ssl_maximum_version: int | None = None,
+) -> ssl.SSLContext:
+"""Creates and configures an :class:`ssl.SSLContext` instance for use with urllib3.
+:param ssl_version:
+The desired protocol version to use. This will default to
+PROTOCOL_SSLv23 which will negotiate the highest protocol that both
+the server and your installation of OpenSSL support.
+This parameter is deprecated instead use 'ssl_minimum_version'.
+:param ssl_minimum_version:
+The minimum version of TLS to be used. Use the 'ssl.TLSVersion' enum for specifying the value.
+:param ssl_maximum_version:
+The maximum version of TLS to be used. Use the 'ssl.TLSVersion' enum for specifying the value.
+Not recommended to set to anything other than 'ssl.TLSVersion.MAXIMUM_SUPPORTED' which is the
+default value.
+:param cert_reqs:
+Whether to require the certificate verification. This defaults to
+``ssl.CERT_REQUIRED``.
+:param options:
+Specific OpenSSL options. These default to ``ssl.OP_NO_SSLv2``,
+``ssl.OP_NO_SSLv3``, ``ssl.OP_NO_COMPRESSION``, and ``ssl.OP_NO_TICKET``.
+:param ciphers:
+Which cipher suites to allow the server to select. Defaults to either system configured
+ciphers if OpenSSL 1.1.1+, otherwise uses a secure default set of ciphers.
+:returns:
+Constructed SSLContext object with specified options
+:rtype: SSLContext
+"""
+if SSLContext is None:
+raise TypeError("Can't create an SSLContext object without an ssl module")
+# This means 'ssl_version' was specified as an exact value.
+if ssl_version not in (None, PROTOCOL_TLS, PROTOCOL_TLS_CLIENT):
+# Disallow setting 'ssl_version' and 'ssl_minimum|maximum_version'
+# to avoid conflicts.
+if ssl_minimum_version is not None or ssl_maximum_version is not None:
+raise ValueError(
+"Can't specify both 'ssl_version' and either "
+"'ssl_minimum_version' or 'ssl_maximum_version'"
+)
+# 'ssl_version' is deprecated and will be removed in the future.
+else:
+# Use 'ssl_minimum_version' and 'ssl_maximum_version' instead.
+ssl_minimum_version = _SSL_VERSION_TO_TLS_VERSION.get(
+ssl_version, TLSVersion.MINIMUM_SUPPORTED
+)
+ssl_maximum_version = _SSL_VERSION_TO_TLS_VERSION.get(
+ssl_version, TLSVersion.MAXIMUM_SUPPORTED
+)
+# This warning message is pushing users to use 'ssl_minimum_version'
+# instead of both min/max. Best practice is to only set the minimum version and
+# keep the maximum version to be it's default value: 'TLSVersion.MAXIMUM_SUPPORTED'
+warnings.warn(
+"'ssl_version' option is deprecated and will be "
+"removed in urllib3 v2.1.0. Instead use 'ssl_minimum_version'",
+category=DeprecationWarning,
+stacklevel=2,
+)
+# PROTOCOL_TLS is deprecated in Python 3.10 so we always use PROTOCOL_TLS_CLIENT
+context = SSLContext(PROTOCOL_TLS_CLIENT)
+if ssl_minimum_version is not None:
+context.minimum_version = ssl_minimum_version
+else:  # Python <3.10 defaults to 'MINIMUM_SUPPORTED' so explicitly set TLSv1.2 here
+context.minimum_version = TLSVersion.TLSv1_2
+if ssl_maximum_version is not None:
+context.maximum_version = ssl_maximum_version
+# Unless we're given ciphers defer to either system ciphers in
+# the case of OpenSSL 1.1.1+ or use our own secure default ciphers.
+if ciphers:
+context.set_ciphers(ciphers)
+# Setting the default here, as we may have no ssl module on import
+cert_reqs = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs
+if options is None:
+options = 0
+# SSLv2 is easily broken and is considered harmful and dangerous
+options |= OP_NO_SSLv2
+# SSLv3 has several problems and is now dangerous
+options |= OP_NO_SSLv3
+# Disable compression to prevent CRIME attacks for OpenSSL 1.0+
+# (issue #309)
+options |= OP_NO_COMPRESSION
+# TLSv1.2 only. Unless set explicitly, do not request tickets.
+# This may save some bandwidth on wire, and although the ticket is encrypted,
+# there is a risk associated with it being on wire,
+# if the server is not rotating its ticketing keys properly.
+options |= OP_NO_TICKET
+context.options |= options
+# Enable post-handshake authentication for TLS 1.3, see GH #1634. PHA is
+# necessary for conditional client cert authentication with TLS 1.3.
+# The attribute is None for OpenSSL <= 1.1.0 or does not exist when using
+# an SSLContext created by pyOpenSSL.
+if getattr(context, "post_handshake_auth", None) is not None:
+context.post_handshake_auth = True
+# The order of the below lines setting verify_mode and check_hostname
+# matter due to safe-guards SSLContext has to prevent an SSLContext with
+# check_hostname=True, verify_mode=NONE/OPTIONAL.
+# We always set 'check_hostname=False' for pyOpenSSL so we rely on our own
+# 'ssl.match_hostname()' implementation.
+if cert_reqs == ssl.CERT_REQUIRED and not IS_PYOPENSSL:
+context.verify_mode = cert_reqs
+context.check_hostname = True
+else:
+context.check_hostname = False
+context.verify_mode = cert_reqs
+try:
+context.hostname_checks_common_name = False
+except AttributeError:  # Defensive: for CPython < 3.8.9 and 3.9.3; for PyPy < 7.3.8
+pass
+# Enable logging of TLS session keys via defacto standard environment variable
+# 'SSLKEYLOGFILE', if the feature is available (Python 3.8+). Skip empty values.
+if hasattr(context, "keylog_filename"):
+sslkeylogfile = os.environ.get("SSLKEYLOGFILE")
+if sslkeylogfile:
+context.keylog_filename = sslkeylogfile
+return context
+@typing.overload
+def ssl_wrap_socket(
+sock: socket.socket,
+keyfile: str | None = ...,
+certfile: str | None = ...,
+cert_reqs: int | None = ...,
+ca_certs: str | None = ...,
+server_hostname: str | None = ...,
+ssl_version: int | None = ...,
+ciphers: str | None = ...,
+ssl_context: ssl.SSLContext | None = ...,
+ca_cert_dir: str | None = ...,
+key_password: str | None = ...,
+ca_cert_data: None | str | bytes = ...,
+tls_in_tls: Literal[False] = ...,
+) -> ssl.SSLSocket:
+...
+@typing.overload
+def ssl_wrap_socket(
+sock: socket.socket,
+keyfile: str | None = ...,
+certfile: str | None = ...,
+cert_reqs: int | None = ...,
+ca_certs: str | None = ...,
+server_hostname: str | None = ...,
+ssl_version: int | None = ...,
+ciphers: str | None = ...,
+ssl_context: ssl.SSLContext | None = ...,
+ca_cert_dir: str | None = ...,
+key_password: str | None = ...,
+ca_cert_data: None | str | bytes = ...,
+tls_in_tls: bool = ...,
+) -> ssl.SSLSocket | SSLTransportType:
+...
+def ssl_wrap_socket(
+sock: socket.socket,
+keyfile: str | None = None,
+certfile: str | None = None,
+cert_reqs: int | None = None,
+ca_certs: str | None = None,
+server_hostname: str | None = None,
+ssl_version: int | None = None,
+ciphers: str | None = None,
+ssl_context: ssl.SSLContext | None = None,
+ca_cert_dir: str | None = None,
+key_password: str | None = None,
+ca_cert_data: None | str | bytes = None,
+tls_in_tls: bool = False,
+) -> ssl.SSLSocket | SSLTransportType:
+"""
+All arguments except for server_hostname, ssl_context, tls_in_tls, ca_cert_data and
+ca_cert_dir have the same meaning as they do when using
+:func:`ssl.create_default_context`, :meth:`ssl.SSLContext.load_cert_chain`,
+:meth:`ssl.SSLContext.set_ciphers` and :meth:`ssl.SSLContext.wrap_socket`.
+:param server_hostname:
+When SNI is supported, the expected hostname of the certificate
+:param ssl_context:
+A pre-made :class:`SSLContext` object. If none is provided, one will
+be created using :func:`create_urllib3_context`.
+:param ciphers:
+A string of ciphers we wish the client to support.
+:param ca_cert_dir:
+A directory containing CA certificates in multiple separate files, as
+supported by OpenSSL's -CApath flag or the capath argument to
+SSLContext.load_verify_locations().
+:param key_password:
+Optional password if the keyfile is encrypted.
+:param ca_cert_data:
+Optional string containing CA certificates in PEM format suitable for
+passing as the cadata parameter to SSLContext.load_verify_locations()
+:param tls_in_tls:
+Use SSLTransport to wrap the existing socket.
+"""
+context = ssl_context
+if context is None:
+# Note: This branch of code and all the variables in it are only used in tests.
+# We should consider deprecating and removing this code.
+context = create_urllib3_context(ssl_version, cert_reqs, ciphers=ciphers)
+if ca_certs or ca_cert_dir or ca_cert_data:
+try:
+context.load_verify_locations(ca_certs, ca_cert_dir, ca_cert_data)
+except OSError as e:
+raise SSLError(e) from e
+elif ssl_context is None and hasattr(context, "load_default_certs"):
+# try to load OS default certs; works well on Windows.
+context.load_default_certs()
+# Attempt to detect if we get the goofy behavior of the
+# keyfile being encrypted and OpenSSL asking for the
+# passphrase via the terminal and instead error out.
+if keyfile and key_password is None and _is_key_file_encrypted(keyfile):
+raise SSLError("Client private key is encrypted, password is required")
+if certfile:
+if key_password is None:
+context.load_cert_chain(certfile, keyfile)
+else:
+context.load_cert_chain(certfile, keyfile, key_password)
+try:
+context.set_alpn_protocols(ALPN_PROTOCOLS)
+except NotImplementedError:  # Defensive: in CI, we always have set_alpn_protocols
+pass
+ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
+return ssl_sock
+def is_ipaddress(hostname: str | bytes) -> bool:
+"""Detects whether the hostname given is an IPv4 or IPv6 address.
+Also detects IPv6 addresses with Zone IDs.
+:param str hostname: Hostname to examine.
+:return: True if the hostname is an IP address, False otherwise.
+"""
+if isinstance(hostname, bytes):
+# IDN A-label bytes are ASCII compatible.
+hostname = hostname.decode("ascii")
+return bool(_IPV4_RE.match(hostname) or _BRACELESS_IPV6_ADDRZ_RE.match(hostname))
+def _is_key_file_encrypted(key_file: str) -> bool:
+"""Detects if a key file is encrypted or not."""
+with open(key_file) as f:
+for line in f:
+# Look for Proc-Type: 4,ENCRYPTED
+if "ENCRYPTED" in line:
+return True
+return False
+def _ssl_wrap_socket_impl(
+sock: socket.socket,
+ssl_context: ssl.SSLContext,
+tls_in_tls: bool,
+server_hostname: str | None = None,
+) -> ssl.SSLSocket | SSLTransportType:
+if tls_in_tls:
+if not SSLTransport:
+# Import error, ssl is not available.
+raise ProxySchemeUnsupported(
+"TLS in TLS requires support for the 'ssl' module"
+)
+SSLTransport._validate_ssl_context_for_tls_in_tls(ssl_context)
+return SSLTransport(sock, ssl_context, server_hostname)
+return ssl_context.wrap_socket(sock, server_hostname=server_hostname)

Mercurial > repos > jpayne > bioproject_to_srr_2

comparison urllib3/util/ssl_.py @ 7:5eb2d5e3bf22