File: //var/opt/nydus/ops/oscrypto/__pycache__/trust_list.cpython-39.pyc
a
�����,�h�4������������������� ���@���sZ���d�d�l�m�Z�m�Z�m�Z�m�Z���d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l Z d�d�l
m�Z�m�Z���d�d�l
m�Z���d�d�l�m�Z���e�j�d�k�r�d�d�l�m�Z�m�Z���n,e�j�d k�r�d�d�l�m�Z�m�Z���n�d�d�l�m�Z�m�Z���g�d
��Z�e ����Z�e ����Z�d�d�d���Z�e�d�g���e�d
g���e�d�g���e�d�g���e�d�d�g���e�d�d�g���e�g�d�����d���Z�d%d�d���Z�d&d�d���Z�d'd�d���Z d(d�d���Z!d�d ��Z"d!d"��Z#d#d$��Z$d�S�))�����)���unicode_literals��division��absolute_import��print_functionN�����)���armor��Certificate)���pretty_message)���CACertsError��win32)���extract_from_system��system_path��darwin)���clear_cache��get_list��get_path)���last_update��certsz�1.3.6.1.5.5.7.3.4z�1.3.6.1.5.5.7.3.3z�1.3.6.1.5.5.7.3.8��1.3.6.1.5.5.7.3.1z�1.3.6.1.5.5.7.3.2z�1.3.6.1.5.5.7.3.13z�1.3.6.1.5.5.7.3.14)�z�1.3.6.1.5.5.7.3.5z�1.3.6.1.5.5.7.3.6z�1.3.6.1.5.5.7.3.7z�1.3.6.1.5.5.7.3.17)�z�1.2.840.113635.100.1.8z�1.2.840.113635.100.1.16z�1.2.840.113635.100.1.20z�1.3.6.1.4.1.311.10.3.2��1.2.840.113635.100.1.3z�1.2.840.113635.100.1.9z�1.2.840.113635.100.1.11�����c������������
��� ���C���s����t�|���\�}�}�|���r�t�|�|�����r�t���}�d�}�d�}�d�}�t����d��t�|�|�����r�t�|�d������*} t�|�d���D���]�\�}
}�}�t�j�d�k�r�|�|�k�r�|�|�v�r�|�|�v�r�|�r\|�t�� |
��d�����q\|�|�k�r�|�|�v�s�|�|�v�r�|�r\|�t�� |
��d�����q\ntt�j�d k���rD|�|�k���r�|�|�v���r�|�|�v���r�|�r\|�t�� |
��d�����q\|�|�k���rD|�|�v���s.|�|�v���rD|�r\|�t�� |
��d�����q\|���rZ|�t�� |
��d
����| �
t�d�|
������q\W�d
��������n�1���s�0�������Y���W�d
��������n�1���s�0�������Y���|���s�t�d�����|�S�)
a����
Get the filesystem path to a file that contains OpenSSL-compatible CA certs.
On OS X and Windows, there are extracted from the system certificate store
and cached in a file on the filesystem. This path should not be writable
by other users, otherwise they could inject CA certs into the trust list.
:param temp_dir:
The temporary directory to cache the CA certs in on OS X and Windows.
Needs to have secure permissions so other users can not modify the
contents.
:param cache_length:
The number of hours to cache the CA certs on OS X and Windows
:param cert_callback:
A callback that is called once for each certificate in the trust store.
It should accept two parameters: an asn1crypto.x509.Certificate object,
and a reason. The reason will be None if the certificate is being
exported, otherwise it will be a unicode string of the reason it won't.
This is only called on Windows and OS X when passed to this function.
:raises:
oscrypto.errors.CACertsError - when an error occurs exporting/locating certs
:return:
The full filesystem path to a CA certs file
z�2.5.29.37.0r����r������wbTr����z�implicitly distrusted for TLSz�explicitly distrusted for TLSr����N��CERTIFICATEz�No CA certs found)
��_ca_path��_cached_path_needs_update��set� path_lock��openr������sys��platformr������load��writer����r
���)
��temp_dir��cache_length�
cert_callback��ca_path��tempZ empty_setZ�any_purposeZ apple_sslZ�win_server_auth��f��cert�
trust_oids��reject_oids��r+����D/opt/nydus/tmp/pip-target-wkfpz8uv/lib/python/oscrypto/trust_list.pyr����A���sT�������������������������
�������������������������������������������������������R�����r����Tc��������������������C���s����t�|���s�t��n��t�|���slg�}�t�|���D�]4\�}�}�}�|�r@t�|���}�t�|���}�|���t���|���|�|�f�����q"|�t�d�<�t�����t�d�<�W�d���������n�1�s�0�������Y���t t�d�����S�)�af���
Retrieves (and caches in memory) the list of CA certs from the OS. Includes
trust information from the OS - purposes the certificate should be trusted
or rejected for.
Trust information is encoded via object identifiers (OIDs) that are sourced
from various RFCs and vendors (Apple and Microsoft). This trust information
augments what is in the certificate itself. Any OID that is in the set of
trusted purposes indicates the certificate has been explicitly trusted for
a purpose beyond the extended key purpose extension. Any OID in the reject
set is a purpose that the certificate should not be trusted for, even if
present in the extended key purpose extension.
*A list of common trust OIDs can be found as part of the `KeyPurposeId()`
class in the `asn1crypto.x509` module of the `asn1crypto` package.*
:param cache_length:
The number of hours to cache the CA certs in memory before they are
refreshed
:param map_vendor_oids:
A bool indicating if the following mapping of OIDs should happen for
trust information from the OS trust list:
- 1.2.840.113635.100.1.3 (apple_ssl) -> 1.3.6.1.5.5.7.3.1 (server_auth)
- 1.2.840.113635.100.1.3 (apple_ssl) -> 1.3.6.1.5.5.7.3.2 (client_auth)
- 1.2.840.113635.100.1.8 (apple_smime) -> 1.3.6.1.5.5.7.3.4 (email_protection)
- 1.2.840.113635.100.1.9 (apple_eap) -> 1.3.6.1.5.5.7.3.13 (eap_over_ppp)
- 1.2.840.113635.100.1.9 (apple_eap) -> 1.3.6.1.5.5.7.3.14 (eap_over_lan)
- 1.2.840.113635.100.1.11 (apple_ipsec) -> 1.3.6.1.5.5.7.3.5 (ipsec_end_system)
- 1.2.840.113635.100.1.11 (apple_ipsec) -> 1.3.6.1.5.5.7.3.6 (ipsec_tunnel)
- 1.2.840.113635.100.1.11 (apple_ipsec) -> 1.3.6.1.5.5.7.3.7 (ipsec_user)
- 1.2.840.113635.100.1.11 (apple_ipsec) -> 1.3.6.1.5.5.7.3.17 (ipsec_ike)
- 1.2.840.113635.100.1.16 (apple_code_signing) -> 1.3.6.1.5.5.7.3.3 (code_signing)
- 1.2.840.113635.100.1.20 (apple_time_stamping) -> 1.3.6.1.5.5.7.3.8 (time_stamping)
- 1.3.6.1.4.1.311.10.3.2 (microsoft_time_stamp_signing) -> 1.3.6.1.5.5.7.3.8 (time_stamping)
:param cert_callback:
A callback that is called once for each certificate in the trust store.
It should accept two parameters: an asn1crypto.x509.Certificate object,
and a reason. The reason will be None if the certificate is being
exported, otherwise it will be a unicode string of the reason it won't.
:raises:
oscrypto.errors.CACertsError - when an error occurs exporting/locating certs
:return:
A (copied) list of 3-element tuples containing CA certs from the OS
trust ilst:
- 0: an asn1crypto.x509.Certificate object
- 1: a set of unicode strings of OIDs of trusted purposes
- 2: a set of unicode strings of OIDs of rejected purposes
r����r����N)
��_in_memory_up_to_date��memory_lockr����� _map_oids��appendr����r �����_module_values��time��list)�r#���Z�map_vendor_oidsr$���r����Z
cert_bytesr)���r*���r+���r+���r,���r��������s�����6��������������������*�r����c��������������������C���s����t�� ��d�t�d�<�d�t�d�<�W�d���������n�1�s*0�������Y���t�|���\�}�}�|�r~t��&��t�j���|���r`t���|�����W�d���������n�1�st0�������Y���d�S�)�a����
Clears any cached info that was exported from the OS trust store. This will
ensure the latest changes are returned from calls to get_list() and
get_path(), but at the expense of re-exporting and parsing all certificates.
:param temp_dir:
The temporary directory to cache the CA certs in on OS X and Windows.
Needs to have secure permissions so other users can not modify the
contents. Must be the same value passed to get_path().
Nr����r����)�r.���r1���r����r������os��path��exists��remove)�r"���r%���r&���r+���r+���r,���r��������s����������&���������r����c��������������������C���sV���t���}�|�d�u�rN|�d�u�r�t�����}�t�j���|���s8t�t�d�|�������t�j���|�d���}�|�d�f�S�|�d�f�S�)�a����
Returns the file path to the CA certs file
:param temp_dir:
The temporary directory to cache the CA certs in on OS X and Windows.
Needs to have secure permissions so other users can not modify the
contents.
:return:
A 2-element tuple:
- 0: A unicode string of the file path
- 1: A bool if the file is a temporary file
NzR
The temp dir specified, "%s", is not a directory
z�oscrypto-ca-bundle.crtTF) r
�����tempfile�
gettempdirr4���r5�����isdirr
���r �����join)�r"���r%���r+���r+���r,���r��������s����������������������������r����c��������������������C���s,���t���}�|�D�]�}�|�t�v�r
|�t�|���O�}�q
|�|�B�S�)�a����
Takes a set of unicode string OIDs and converts vendor-specific OIDs into
generics OIDs from RFCs.
- 1.2.840.113635.100.1.3 (apple_ssl) -> 1.3.6.1.5.5.7.3.1 (server_auth)
- 1.2.840.113635.100.1.3 (apple_ssl) -> 1.3.6.1.5.5.7.3.2 (client_auth)
- 1.2.840.113635.100.1.8 (apple_smime) -> 1.3.6.1.5.5.7.3.4 (email_protection)
- 1.2.840.113635.100.1.9 (apple_eap) -> 1.3.6.1.5.5.7.3.13 (eap_over_ppp)
- 1.2.840.113635.100.1.9 (apple_eap) -> 1.3.6.1.5.5.7.3.14 (eap_over_lan)
- 1.2.840.113635.100.1.11 (apple_ipsec) -> 1.3.6.1.5.5.7.3.5 (ipsec_end_system)
- 1.2.840.113635.100.1.11 (apple_ipsec) -> 1.3.6.1.5.5.7.3.6 (ipsec_tunnel)
- 1.2.840.113635.100.1.11 (apple_ipsec) -> 1.3.6.1.5.5.7.3.7 (ipsec_user)
- 1.2.840.113635.100.1.11 (apple_ipsec) -> 1.3.6.1.5.5.7.3.17 (ipsec_ike)
- 1.2.840.113635.100.1.16 (apple_code_signing) -> 1.3.6.1.5.5.7.3.3 (code_signing)
- 1.2.840.113635.100.1.20 (apple_time_stamping) -> 1.3.6.1.5.5.7.3.8 (time_stamping)
- 1.3.6.1.4.1.311.10.3.2 (microsoft_time_stamp_signing) -> 1.3.6.1.5.5.7.3.8 (time_stamping)
:param oids:
A set of unicode strings
:return:
The original set of OIDs with any mapped OIDs added
)�r������_oid_map)�Z�oidsZ�new_oids��oidr+���r+���r,���r/���
���s
�������������r/���c��������������������C���sN���t�j���|���}�|�s�d�S�t���|���}�|�j�t�����|�d���d�����k�r<d�S�|�j�d�k�rJd�S�d�S�)�a_���
Checks to see if a cache file needs to be refreshed
:param ca_path:
A unicode string of the path to the cache file
:param cache_length:
An integer representing the number of hours the cache is valid for
:return:
A boolean - True if the cache needs to be updated, False if the file
is up-to-date
T�<���r����F)�r4���r5���r6�����stat��st_mtimer2�����st_size)�r%���r#���r6�����statsr+���r+���r,���r����-���s������������
�����
���r����c��������������������C���s,���t�d���o*t�d���o*t�d���t�����|�d���d�����k�S�)�a����
Checks to see if the in-memory cache of certificates is fresh
:param cache_length:
An integer representing the number of hours the cache is valid for
:return:
A boolean - True if the cache is up-to-date, False if it needs to be
refreshed
r����r����r>���)�r1���r2���)�r#���r+���r+���r,���r-���K���s
����
��������r-���)�Nr����N)�r����TN)�N)�N)%�
__future__r����r����r����r����r4���r2���r����r8���� threadingZ�_asn1r����r������_errorsr �����errorsr
���r����Z�_win.trust_listr����r
���Z�_mac.trust_listZ�_linux_bsd.trust_list��__all__��Lockr����r.���r1���r����r<���r����r����r����r����r/���r����r-���r+���r+���r+���r,�����<module>����sP���������������������
���
�����������������������������������������
���
L
E
�
$� ��