o NK&h@sddlmZddlZddlZddlmZddlmZmZm Z ddl m Z gdZ dddej jfd6ddZd7ddZd8ddZd9ddZd:d!d"Zd;d'd(Zd) annotationsN)Iterable)AnyOptionalUnion)logger)zECDHE-ECDSA-CHACHA20-POLY1305zECDHE-ECDSA-AES256-GCM-SHA384zECDHE-ECDSA-AES128-GCM-SHA256zECDHE-RSA-CHACHA20-POLY1305zECDHE-RSA-AES256-GCM-SHA384zECDHE-RSA-AES128-GCM-SHA256certfile Optional[str]keyfilepasswordpurpose ssl.Purposereturnssl.SSLContextcCs^tj|d}tjj|_|dt|dg|tj j ur"t |_ |r-|r-| ||||S)z>Create a context with secure crypto and HTTP/1.1 in protocols.)r :zhttp/1.1)sslcreate_default_context TLSVersionTLSv1_2minimum_version set_ciphersjoin CIPHERS_TLS12set_alpn_protocolsPurpose CLIENT_AUTHserver_name_callback sni_callbackload_cert_chain)rr r r contextr I/var/www/html/venv/lib/python3.10/site-packages/sanic/http/tls/context.pycreate_contexts    r"ctxdef&Union[None, ssl.SSLContext, dict, str]Optional[ssl.SSLContext]cCsV|dus t|tjr |St|trt|St|tr!tdi|Stdt|d)z:Convert an ssl argument shorthand to an SSLContext object.NzInvalid ssl argument z8. Expecting a list of certdirs, a dict or an SSLContext.r ) isinstancer SSLContextstr load_cert_dirdict CertSimple ValueErrortype)r#r r r!shorthand_to_ctx*s  r.ssldef3Union[None, ssl.SSLContext, dict, str, list, tuple]cCs$t|ttfrttt|St|S)zBProcess app.run ssl argument from easy formats to full SSLContext.)r&listtuple CertSelectormapr.)r/r r r!process_to_context:s r5pr(cCsztj|rtd|dtj|d}tj|d}t|tjs*td|t|tjs8td|t||S)Nz Certificate folder expected but z is a file.z privkey.pemz fullchain.pemz+Certificate not found or permission denied )ospathisfiler,raccessR_OKr+)r6r rr r r!r)Es  r)selfr3 server_namecCsP|s |jr|jStd|jD] }t||r|Sq|jr!|jStd|)zFind the first certificate that matches the given SNI. :raises ssl.CertificateError: No matching certificate found. :return: A matching ssl.SSLContext object if found.z4The client provided no SNI to match for certificate.z'No certificate found matching hostname )sanic_fallbackr, sanic_selectmatch_hostname)r<r=ctxr r r! find_certUs  rBrA#Union[ssl.SSLContext, CertSelector]hostnameboolcCsjtt|didg}|}|D] }|dr+|ddd|ddkr*d Sq||kr2d Sqd S) z:Match names from CertSelector against a received hostname.sanicnamesz*..NTF)r*getattrgetlower startswithsplit)rArDrGnamer r r!r@hs r@sslobj ssl.SSLObject Optional[int]c CsZt|||z t|||_WdSty,}ztd|tjWYd}~Sd}~ww)z&Select a certificate matching the SNI.zRejecting TLS connection: N)rrBrr,rwarningr#ALERT_DESCRIPTION_UNRECOGNIZED_NAME)rRr=rAer r r!selector_sni_callbackys rXNonecCs ||_dS)z3Store the received SNI as sslobj.sanic_server_name.N)sanic_server_name)rRr=rAr r r!rs rc@s$eZdZUded<edddZdS) SanicSSLContextzdict[str, os.PathLike]rFrrcCs ||_|SN __class__)clsrr r r!create_from_ssl_contextsz'SanicSSLContext.create_from_ssl_contextN)rr)__name__ __module__ __qualname____annotations__ classmethodr`r r r r!r[s r[c@s*eZdZUdZded<ddZddZdS) r+z9A wrapper for creating SSLContext with a sanic attribute.zdict[str, Any]rFc Ks|ddp|}|d<|ddp|}|d<|dd}|r"|s&tdi}d|vrFtj|}dd |d D|d<d d |d D}t|||}||_i|||_|S)N certificatecertr keyr z*SSL dict needs filenames for cert and key.rGcSsg|] \}}|dvr|qS))DNSz IP Addressr ).0trQr r r! s z&CertSimple.__new__..subjectAltNamecSs i|] }|D]\}}||qqSr r )rjitemkvr r r! s z&CertSimple.__new__..subject) poprMr,r_ssl_test_decode_certr"r^rF) r_rgrhkwrr r rrr<r r r!__new__s     zCertSimple.__new__cKsdSr\r )r<rgrhrvr r r!__init__szCertSimple.__init__N)rarbrc__doc__rdrwrxr r r r!r+s  r+cs.eZdZdZfddZdfdd ZZS) r3a$Automatically select SSL certificate based on the hostname that the client is trying to access, via SSL SNI. Paths to certificate folders with privkey.pem and fullchain.pem in them should be provided, and will be matched in the order given whenever there is a new connection. cs t|Sr\)superrw)r_ctxsr]r r!rws zCertSelector.__new__r{"Iterable[Optional[ssl.SSLContext]]cstt|_g|_d|_g}t|D]$\}}|sqtt|di dg}||7}|j ||dkr8||_q|s?t dt dd|dS)NrFrGrz3No certificates with SubjectAlternativeNames found.zCertificate vhosts: z, )rzrxrXrr?r> enumerater*rLrMappendr,rinfor)r<r{ all_namesirArGr]r r!rxs&  zCertSelector.__init__)r{r|)rarbrcryrwrx __classcell__r r r]r!r3s ) rr r r r r r r rr)r#r$rr%)r/r0rr%)r6r(rr)r<r3r=r()rArCrDr(rrE)rRrSr=r(rAr3rrT)rRrSr=r(rArrrY) __future__rr7rcollections.abcrtypingrrr sanic.logrrrrr"r.r5r)rBr@rXrr'r[r+r3r r r r!s,