catocli 1.0.5__py3-none-any.whl → 1.0.6__py3-none-any.whl

build/lib/vendor/urllib3/util/ssl_.py

@@ -1,513 +0,0 @@
-from __future__ import annotations
-
-import hashlib
-import hmac
-import os
-import socket
-import sys
-import typing
-import warnings
-from binascii import unhexlify
-
-from ..exceptions import ProxySchemeUnsupported, SSLError
-from .url import _BRACELESS_IPV6_ADDRZ_RE, _IPV4_RE
-
-SSLContext = None
-SSLTransport = None
-HAS_NEVER_CHECK_COMMON_NAME = False
-IS_PYOPENSSL = False
-ALPN_PROTOCOLS = ["http/1.1"]
-
-_TYPE_VERSION_INFO = typing.Tuple[int, int, int, str, int]
-
-# Maps the length of a digest to a possible hash function producing this digest
-HASHFUNC_MAP = {
-    length: getattr(hashlib, algorithm, None)
-    for length, algorithm in ((32, "md5"), (40, "sha1"), (64, "sha256"))
-}
-
-
-def _is_bpo_43522_fixed(
-    implementation_name: str,
-    version_info: _TYPE_VERSION_INFO,
-    pypy_version_info: _TYPE_VERSION_INFO | None,
-) -> bool:
-    """Return True for CPython 3.8.9+, 3.9.3+ or 3.10+ and PyPy 7.3.8+ where
-    setting SSLContext.hostname_checks_common_name to False works.
-
-    Outside of CPython and PyPy we don't know which implementations work
-    or not so we conservatively use our hostname matching as we know that works
-    on all implementations.
-
-    https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
-    https://foss.heptapod.net/pypy/pypy/-/issues/3539
-    """
-    if implementation_name == "pypy":
-        # https://foss.heptapod.net/pypy/pypy/-/issues/3129
-        return pypy_version_info >= (7, 3, 8)  # type: ignore[operator]
-    elif implementation_name == "cpython":
-        major_minor = version_info[:2]
-        micro = version_info[2]
-        return (
-            (major_minor == (3, 8) and micro >= 9)
-            or (major_minor == (3, 9) and micro >= 3)
-            or major_minor >= (3, 10)
-        )
-    else:  # Defensive:
-        return False
-
-
-def _is_has_never_check_common_name_reliable(
-    openssl_version: str,
-    openssl_version_number: int,
-    implementation_name: str,
-    version_info: _TYPE_VERSION_INFO,
-    pypy_version_info: _TYPE_VERSION_INFO | None,
-) -> bool:
-    # As of May 2023, all released versions of LibreSSL fail to reject certificates with
-    # only common names, see https://github.com/urllib3/urllib3/pull/3024
-    is_openssl = openssl_version.startswith("OpenSSL ")
-    # Before fixing OpenSSL issue #14579, the SSL_new() API was not copying hostflags
-    # like X509_CHECK_FLAG_NEVER_CHECK_SUBJECT, which tripped up CPython.
-    # https://github.com/openssl/openssl/issues/14579
-    # This was released in OpenSSL 1.1.1l+ (>=0x101010cf)
-    is_openssl_issue_14579_fixed = openssl_version_number >= 0x101010CF
-
-    return is_openssl and (
-        is_openssl_issue_14579_fixed
-        or _is_bpo_43522_fixed(implementation_name, version_info, pypy_version_info)
-    )
-
-
-if typing.TYPE_CHECKING:
-    from ssl import VerifyMode
-    from typing import TypedDict
-
-    from .ssltransport import SSLTransport as SSLTransportType
-
-    class _TYPE_PEER_CERT_RET_DICT(TypedDict, total=False):
-        subjectAltName: tuple[tuple[str, str], ...]
-        subject: tuple[tuple[tuple[str, str], ...], ...]
-        serialNumber: str
-
-
-# Mapping from 'ssl.PROTOCOL_TLSX' to 'TLSVersion.X'
-_SSL_VERSION_TO_TLS_VERSION: dict[int, int] = {}
-
-try:  # Do we have ssl at all?
-    import ssl
-    from ssl import (  # type: ignore[assignment]
-        CERT_REQUIRED,
-        HAS_NEVER_CHECK_COMMON_NAME,
-        OP_NO_COMPRESSION,
-        OP_NO_TICKET,
-        OPENSSL_VERSION,
-        OPENSSL_VERSION_NUMBER,
-        PROTOCOL_TLS,
-        PROTOCOL_TLS_CLIENT,
-        OP_NO_SSLv2,
-        OP_NO_SSLv3,
-        SSLContext,
-        TLSVersion,
-    )
-
-    PROTOCOL_SSLv23 = PROTOCOL_TLS
-
-    # Setting SSLContext.hostname_checks_common_name = False didn't work before CPython
-    # 3.8.9, 3.9.3, and 3.10 (but OK on PyPy) or OpenSSL 1.1.1l+
-    if HAS_NEVER_CHECK_COMMON_NAME and not _is_has_never_check_common_name_reliable(
-        OPENSSL_VERSION,
-        OPENSSL_VERSION_NUMBER,
-        sys.implementation.name,
-        sys.version_info,
-        sys.pypy_version_info if sys.implementation.name == "pypy" else None,  # type: ignore[attr-defined]
-    ):
-        HAS_NEVER_CHECK_COMMON_NAME = False
-
-    # Need to be careful here in case old TLS versions get
-    # removed in future 'ssl' module implementations.
-    for attr in ("TLSv1", "TLSv1_1", "TLSv1_2"):
-        try:
-            _SSL_VERSION_TO_TLS_VERSION[getattr(ssl, f"PROTOCOL_{attr}")] = getattr(
-                TLSVersion, attr
-            )
-        except AttributeError:  # Defensive:
-            continue
-
-    from .ssltransport import SSLTransport  # type: ignore[assignment]
-except ImportError:
-    OP_NO_COMPRESSION = 0x20000  # type: ignore[assignment]
-    OP_NO_TICKET = 0x4000  # type: ignore[assignment]
-    OP_NO_SSLv2 = 0x1000000  # type: ignore[assignment]
-    OP_NO_SSLv3 = 0x2000000  # type: ignore[assignment]
-    PROTOCOL_SSLv23 = PROTOCOL_TLS = 2  # type: ignore[assignment]
-    PROTOCOL_TLS_CLIENT = 16  # type: ignore[assignment]
-
-
-_TYPE_PEER_CERT_RET = typing.Union["_TYPE_PEER_CERT_RET_DICT", bytes, None]
-
-
-def assert_fingerprint(cert: bytes | None, fingerprint: str) -> None:
-    """
-    Checks if given fingerprint matches the supplied certificate.
-
-    :param cert:
-        Certificate as bytes object.
-    :param fingerprint:
-        Fingerprint as string of hexdigits, can be interspersed by colons.
-    """
-
-    if cert is None:
-        raise SSLError("No certificate for the peer.")
-
-    fingerprint = fingerprint.replace(":", "").lower()
-    digest_length = len(fingerprint)
-    if digest_length not in HASHFUNC_MAP:
-        raise SSLError(f"Fingerprint of invalid length: {fingerprint}")
-    hashfunc = HASHFUNC_MAP.get(digest_length)
-    if hashfunc is None:
-        raise SSLError(
-            f"Hash function implementation unavailable for fingerprint length: {digest_length}"
-        )
-
-    # We need encode() here for py32; works on py2 and p33.
-    fingerprint_bytes = unhexlify(fingerprint.encode())
-
-    cert_digest = hashfunc(cert).digest()
-
-    if not hmac.compare_digest(cert_digest, fingerprint_bytes):
-        raise SSLError(
-            f'Fingerprints did not match. Expected "{fingerprint}", got "{cert_digest.hex()}"'
-        )
-
-
-def resolve_cert_reqs(candidate: None | int | str) -> VerifyMode:
-    """
-    Resolves the argument to a numeric constant, which can be passed to
-    the wrap_socket function/method from the ssl module.
-    Defaults to :data:`ssl.CERT_REQUIRED`.
-    If given a string it is assumed to be the name of the constant in the
-    :mod:`ssl` module or its abbreviation.
-    (So you can specify `REQUIRED` instead of `CERT_REQUIRED`.
-    If it's neither `None` nor a string we assume it is already the numeric
-    constant which can directly be passed to wrap_socket.
-    """
-    if candidate is None:
-        return CERT_REQUIRED
-
-    if isinstance(candidate, str):
-        res = getattr(ssl, candidate, None)
-        if res is None:
-            res = getattr(ssl, "CERT_" + candidate)
-        return res  # type: ignore[no-any-return]
-
-    return candidate  # type: ignore[return-value]
-
-
-def resolve_ssl_version(candidate: None | int | str) -> int:
-    """
-    like resolve_cert_reqs
-    """
-    if candidate is None:
-        return PROTOCOL_TLS
-
-    if isinstance(candidate, str):
-        res = getattr(ssl, candidate, None)
-        if res is None:
-            res = getattr(ssl, "PROTOCOL_" + candidate)
-        return typing.cast(int, res)
-
-    return candidate
-
-
-def create_urllib3_context(
-    ssl_version: int | None = None,
-    cert_reqs: int | None = None,
-    options: int | None = None,
-    ciphers: str | None = None,
-    ssl_minimum_version: int | None = None,
-    ssl_maximum_version: int | None = None,
-) -> ssl.SSLContext:
-    """Creates and configures an :class:`ssl.SSLContext` instance for use with urllib3.
-
-    :param ssl_version:
-        The desired protocol version to use. This will default to
-        PROTOCOL_SSLv23 which will negotiate the highest protocol that both
-        the server and your installation of OpenSSL support.
-
-        This parameter is deprecated instead use 'ssl_minimum_version'.
-    :param ssl_minimum_version:
-        The minimum version of TLS to be used. Use the 'ssl.TLSVersion' enum for specifying the value.
-    :param ssl_maximum_version:
-        The maximum version of TLS to be used. Use the 'ssl.TLSVersion' enum for specifying the value.
-        Not recommended to set to anything other than 'ssl.TLSVersion.MAXIMUM_SUPPORTED' which is the
-        default value.
-    :param cert_reqs:
-        Whether to require the certificate verification. This defaults to
-        ``ssl.CERT_REQUIRED``.
-    :param options:
-        Specific OpenSSL options. These default to ``ssl.OP_NO_SSLv2``,
-        ``ssl.OP_NO_SSLv3``, ``ssl.OP_NO_COMPRESSION``, and ``ssl.OP_NO_TICKET``.
-    :param ciphers:
-        Which cipher suites to allow the server to select. Defaults to either system configured
-        ciphers if OpenSSL 1.1.1+, otherwise uses a secure default set of ciphers.
-    :returns:
-        Constructed SSLContext object with specified options
-    :rtype: SSLContext
-    """
-    if SSLContext is None:
-        raise TypeError("Can't create an SSLContext object without an ssl module")
-
-    # This means 'ssl_version' was specified as an exact value.
-    if ssl_version not in (None, PROTOCOL_TLS, PROTOCOL_TLS_CLIENT):
-        # Disallow setting 'ssl_version' and 'ssl_minimum|maximum_version'
-        # to avoid conflicts.
-        if ssl_minimum_version is not None or ssl_maximum_version is not None:
-            raise ValueError(
-                "Can't specify both 'ssl_version' and either "
-                "'ssl_minimum_version' or 'ssl_maximum_version'"
-            )
-
-        # 'ssl_version' is deprecated and will be removed in the future.
-        else:
-            # Use 'ssl_minimum_version' and 'ssl_maximum_version' instead.
-            ssl_minimum_version = _SSL_VERSION_TO_TLS_VERSION.get(
-                ssl_version, TLSVersion.MINIMUM_SUPPORTED
-            )
-            ssl_maximum_version = _SSL_VERSION_TO_TLS_VERSION.get(
-                ssl_version, TLSVersion.MAXIMUM_SUPPORTED
-            )
-
-            # This warning message is pushing users to use 'ssl_minimum_version'
-            # instead of both min/max. Best practice is to only set the minimum version and
-            # keep the maximum version to be it's default value: 'TLSVersion.MAXIMUM_SUPPORTED'
-            warnings.warn(
-                "'ssl_version' option is deprecated and will be "
-                "removed in urllib3 v2.1.0. Instead use 'ssl_minimum_version'",
-                category=DeprecationWarning,
-                stacklevel=2,
-            )
-
-    # PROTOCOL_TLS is deprecated in Python 3.10 so we always use PROTOCOL_TLS_CLIENT
-    context = SSLContext(PROTOCOL_TLS_CLIENT)
-
-    if ssl_minimum_version is not None:
-        context.minimum_version = ssl_minimum_version
-    else:  # Python <3.10 defaults to 'MINIMUM_SUPPORTED' so explicitly set TLSv1.2 here
-        context.minimum_version = TLSVersion.TLSv1_2
-
-    if ssl_maximum_version is not None:
-        context.maximum_version = ssl_maximum_version
-
-    # Unless we're given ciphers defer to either system ciphers in
-    # the case of OpenSSL 1.1.1+ or use our own secure default ciphers.
-    if ciphers:
-        context.set_ciphers(ciphers)
-
-    # Setting the default here, as we may have no ssl module on import
-    cert_reqs = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs
-
-    if options is None:
-        options = 0
-        # SSLv2 is easily broken and is considered harmful and dangerous
-        options |= OP_NO_SSLv2
-        # SSLv3 has several problems and is now dangerous
-        options |= OP_NO_SSLv3
-        # Disable compression to prevent CRIME attacks for OpenSSL 1.0+
-        # (issue #309)
-        options |= OP_NO_COMPRESSION
-        # TLSv1.2 only. Unless set explicitly, do not request tickets.
-        # This may save some bandwidth on wire, and although the ticket is encrypted,
-        # there is a risk associated with it being on wire,
-        # if the server is not rotating its ticketing keys properly.
-        options |= OP_NO_TICKET
-
-    context.options |= options
-
-    # Enable post-handshake authentication for TLS 1.3, see GH #1634. PHA is
-    # necessary for conditional client cert authentication with TLS 1.3.
-    # The attribute is None for OpenSSL <= 1.1.0 or does not exist when using
-    # an SSLContext created by pyOpenSSL.
-    if getattr(context, "post_handshake_auth", None) is not None:
-        context.post_handshake_auth = True
-
-    # The order of the below lines setting verify_mode and check_hostname
-    # matter due to safe-guards SSLContext has to prevent an SSLContext with
-    # check_hostname=True, verify_mode=NONE/OPTIONAL.
-    # We always set 'check_hostname=False' for pyOpenSSL so we rely on our own
-    # 'ssl.match_hostname()' implementation.
-    if cert_reqs == ssl.CERT_REQUIRED and not IS_PYOPENSSL:
-        context.verify_mode = cert_reqs
-        context.check_hostname = True
-    else:
-        context.check_hostname = False
-        context.verify_mode = cert_reqs
-
-    try:
-        context.hostname_checks_common_name = False
-    except AttributeError:  # Defensive: for CPython < 3.8.9 and 3.9.3; for PyPy < 7.3.8
-        pass
-
-    # Enable logging of TLS session keys via defacto standard environment variable
-    # 'SSLKEYLOGFILE', if the feature is available (Python 3.8+). Skip empty values.
-    if hasattr(context, "keylog_filename"):
-        sslkeylogfile = os.environ.get("SSLKEYLOGFILE")
-        if sslkeylogfile:
-            context.keylog_filename = sslkeylogfile
-
-    return context
-
-
-@typing.overload
-def ssl_wrap_socket(
-    sock: socket.socket,
-    keyfile: str | None = ...,
-    certfile: str | None = ...,
-    cert_reqs: int | None = ...,
-    ca_certs: str | None = ...,
-    server_hostname: str | None = ...,
-    ssl_version: int | None = ...,
-    ciphers: str | None = ...,
-    ssl_context: ssl.SSLContext | None = ...,
-    ca_cert_dir: str | None = ...,
-    key_password: str | None = ...,
-    ca_cert_data: None | str | bytes = ...,
-    tls_in_tls: typing.Literal[False] = ...,
-) -> ssl.SSLSocket:
-    ...
-
-
-@typing.overload
-def ssl_wrap_socket(
-    sock: socket.socket,
-    keyfile: str | None = ...,
-    certfile: str | None = ...,
-    cert_reqs: int | None = ...,
-    ca_certs: str | None = ...,
-    server_hostname: str | None = ...,
-    ssl_version: int | None = ...,
-    ciphers: str | None = ...,
-    ssl_context: ssl.SSLContext | None = ...,
-    ca_cert_dir: str | None = ...,
-    key_password: str | None = ...,
-    ca_cert_data: None | str | bytes = ...,
-    tls_in_tls: bool = ...,
-) -> ssl.SSLSocket | SSLTransportType:
-    ...
-
-
-def ssl_wrap_socket(
-    sock: socket.socket,
-    keyfile: str | None = None,
-    certfile: str | None = None,
-    cert_reqs: int | None = None,
-    ca_certs: str | None = None,
-    server_hostname: str | None = None,
-    ssl_version: int | None = None,
-    ciphers: str | None = None,
-    ssl_context: ssl.SSLContext | None = None,
-    ca_cert_dir: str | None = None,
-    key_password: str | None = None,
-    ca_cert_data: None | str | bytes = None,
-    tls_in_tls: bool = False,
-) -> ssl.SSLSocket | SSLTransportType:
-    """
-    All arguments except for server_hostname, ssl_context, tls_in_tls, ca_cert_data and
-    ca_cert_dir have the same meaning as they do when using
-    :func:`ssl.create_default_context`, :meth:`ssl.SSLContext.load_cert_chain`,
-    :meth:`ssl.SSLContext.set_ciphers` and :meth:`ssl.SSLContext.wrap_socket`.
-
-    :param server_hostname:
-        When SNI is supported, the expected hostname of the certificate
-    :param ssl_context:
-        A pre-made :class:`SSLContext` object. If none is provided, one will
-        be created using :func:`create_urllib3_context`.
-    :param ciphers:
-        A string of ciphers we wish the client to support.
-    :param ca_cert_dir:
-        A directory containing CA certificates in multiple separate files, as
-        supported by OpenSSL's -CApath flag or the capath argument to
-        SSLContext.load_verify_locations().
-    :param key_password:
-        Optional password if the keyfile is encrypted.
-    :param ca_cert_data:
-        Optional string containing CA certificates in PEM format suitable for
-        passing as the cadata parameter to SSLContext.load_verify_locations()
-    :param tls_in_tls:
-        Use SSLTransport to wrap the existing socket.
-    """
-    context = ssl_context
-    if context is None:
-        # Note: This branch of code and all the variables in it are only used in tests.
-        # We should consider deprecating and removing this code.
-        context = create_urllib3_context(ssl_version, cert_reqs, ciphers=ciphers)
-
-    if ca_certs or ca_cert_dir or ca_cert_data:
-        try:
-            context.load_verify_locations(ca_certs, ca_cert_dir, ca_cert_data)
-        except OSError as e:
-            raise SSLError(e) from e
-
-    elif ssl_context is None and hasattr(context, "load_default_certs"):
-        # try to load OS default certs; works well on Windows.
-        context.load_default_certs()
-
-    # Attempt to detect if we get the goofy behavior of the
-    # keyfile being encrypted and OpenSSL asking for the
-    # passphrase via the terminal and instead error out.
-    if keyfile and key_password is None and _is_key_file_encrypted(keyfile):
-        raise SSLError("Client private key is encrypted, password is required")
-
-    if certfile:
-        if key_password is None:
-            context.load_cert_chain(certfile, keyfile)
-        else:
-            context.load_cert_chain(certfile, keyfile, key_password)
-
-    context.set_alpn_protocols(ALPN_PROTOCOLS)
-
-    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
-    return ssl_sock
-
-
-def is_ipaddress(hostname: str | bytes) -> bool:
-    """Detects whether the hostname given is an IPv4 or IPv6 address.
-    Also detects IPv6 addresses with Zone IDs.
-
-    :param str hostname: Hostname to examine.
-    :return: True if the hostname is an IP address, False otherwise.
-    """
-    if isinstance(hostname, bytes):
-        # IDN A-label bytes are ASCII compatible.
-        hostname = hostname.decode("ascii")
-    return bool(_IPV4_RE.match(hostname) or _BRACELESS_IPV6_ADDRZ_RE.match(hostname))
-
-
-def _is_key_file_encrypted(key_file: str) -> bool:
-    """Detects if a key file is encrypted or not."""
-    with open(key_file) as f:
-        for line in f:
-            # Look for Proc-Type: 4,ENCRYPTED
-            if "ENCRYPTED" in line:
-                return True
-
-    return False
-
-
-def _ssl_wrap_socket_impl(
-    sock: socket.socket,
-    ssl_context: ssl.SSLContext,
-    tls_in_tls: bool,
-    server_hostname: str | None = None,
-) -> ssl.SSLSocket | SSLTransportType:
-    if tls_in_tls:
-        if not SSLTransport:
-            # Import error, ssl is not available.
-            raise ProxySchemeUnsupported(
-                "TLS in TLS requires support for the 'ssl' module"
-            )
-
-        SSLTransport._validate_ssl_context_for_tls_in_tls(ssl_context)
-        return SSLTransport(sock, ssl_context, server_hostname)
-
-    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)

build/lib/vendor/urllib3/util/ssl_match_hostname.py

@@ -1,159 +0,0 @@
-"""The match_hostname() function from Python 3.5, essential when using SSL."""
-
-# Note: This file is under the PSF license as the code comes from the python
-# stdlib.   http://docs.python.org/3/license.html
-# It is modified to remove commonName support.
-
-from __future__ import annotations
-
-import ipaddress
-import re
-import typing
-from ipaddress import IPv4Address, IPv6Address
-
-if typing.TYPE_CHECKING:
-    from .ssl_ import _TYPE_PEER_CERT_RET_DICT
-
-__version__ = "3.5.0.1"
-
-
-class CertificateError(ValueError):
-    pass
-
-
-def _dnsname_match(
-    dn: typing.Any, hostname: str, max_wildcards: int = 1
-) -> typing.Match[str] | None | bool:
-    """Matching according to RFC 6125, section 6.4.3
-
-    http://tools.ietf.org/html/rfc6125#section-6.4.3
-    """
-    pats = []
-    if not dn:
-        return False
-
-    # Ported from python3-syntax:
-    # leftmost, *remainder = dn.split(r'.')
-    parts = dn.split(r".")
-    leftmost = parts[0]
-    remainder = parts[1:]
-
-    wildcards = leftmost.count("*")
-    if wildcards > max_wildcards:
-        # Issue #17980: avoid denials of service by refusing more
-        # than one wildcard per fragment.  A survey of established
-        # policy among SSL implementations showed it to be a
-        # reasonable choice.
-        raise CertificateError(
-            "too many wildcards in certificate DNS name: " + repr(dn)
-        )
-
-    # speed up common case w/o wildcards
-    if not wildcards:
-        return bool(dn.lower() == hostname.lower())
-
-    # RFC 6125, section 6.4.3, subitem 1.
-    # The client SHOULD NOT attempt to match a presented identifier in which
-    # the wildcard character comprises a label other than the left-most label.
-    if leftmost == "*":
-        # When '*' is a fragment by itself, it matches a non-empty dotless
-        # fragment.
-        pats.append("[^.]+")
-    elif leftmost.startswith("xn--") or hostname.startswith("xn--"):
-        # RFC 6125, section 6.4.3, subitem 3.
-        # The client SHOULD NOT attempt to match a presented identifier
-        # where the wildcard character is embedded within an A-label or
-        # U-label of an internationalized domain name.
-        pats.append(re.escape(leftmost))
-    else:
-        # Otherwise, '*' matches any dotless string, e.g. www*
-        pats.append(re.escape(leftmost).replace(r"\*", "[^.]*"))
-
-    # add the remaining fragments, ignore any wildcards
-    for frag in remainder:
-        pats.append(re.escape(frag))
-
-    pat = re.compile(r"\A" + r"\.".join(pats) + r"\Z", re.IGNORECASE)
-    return pat.match(hostname)
-
-
-def _ipaddress_match(ipname: str, host_ip: IPv4Address | IPv6Address) -> bool:
-    """Exact matching of IP addresses.
-
-    RFC 9110 section 4.3.5: "A reference identity of IP-ID contains the decoded
-    bytes of the IP address. An IP version 4 address is 4 octets, and an IP
-    version 6 address is 16 octets. [...] A reference identity of type IP-ID
-    matches if the address is identical to an iPAddress value of the
-    subjectAltName extension of the certificate."
-    """
-    # OpenSSL may add a trailing newline to a subjectAltName's IP address
-    # Divergence from upstream: ipaddress can't handle byte str
-    ip = ipaddress.ip_address(ipname.rstrip())
-    return bool(ip.packed == host_ip.packed)
-
-
-def match_hostname(
-    cert: _TYPE_PEER_CERT_RET_DICT | None,
-    hostname: str,
-    hostname_checks_common_name: bool = False,
-) -> None:
-    """Verify that *cert* (in decoded format as returned by
-    SSLSocket.getpeercert()) matches the *hostname*.  RFC 2818 and RFC 6125
-    rules are followed, but IP addresses are not accepted for *hostname*.
-
-    CertificateError is raised on failure. On success, the function
-    returns nothing.
-    """
-    if not cert:
-        raise ValueError(
-            "empty or no certificate, match_hostname needs a "
-            "SSL socket or SSL context with either "
-            "CERT_OPTIONAL or CERT_REQUIRED"
-        )
-    try:
-        # Divergence from upstream: ipaddress can't handle byte str
-        #
-        # The ipaddress module shipped with Python < 3.9 does not support
-        # scoped IPv6 addresses so we unconditionally strip the Zone IDs for
-        # now. Once we drop support for Python 3.9 we can remove this branch.
-        if "%" in hostname:
-            host_ip = ipaddress.ip_address(hostname[: hostname.rfind("%")])
-        else:
-            host_ip = ipaddress.ip_address(hostname)
-
-    except ValueError:
-        # Not an IP address (common case)
-        host_ip = None
-    dnsnames = []
-    san: tuple[tuple[str, str], ...] = cert.get("subjectAltName", ())
-    key: str
-    value: str
-    for key, value in san:
-        if key == "DNS":
-            if host_ip is None and _dnsname_match(value, hostname):
-                return
-            dnsnames.append(value)
-        elif key == "IP Address":
-            if host_ip is not None and _ipaddress_match(value, host_ip):
-                return
-            dnsnames.append(value)
-
-    # We only check 'commonName' if it's enabled and we're not verifying
-    # an IP address. IP addresses aren't valid within 'commonName'.
-    if hostname_checks_common_name and host_ip is None and not dnsnames:
-        for sub in cert.get("subject", ()):
-            for key, value in sub:
-                if key == "commonName":
-                    if _dnsname_match(value, hostname):
-                        return
-                    dnsnames.append(value)
-
-    if len(dnsnames) > 1:
-        raise CertificateError(
-            "hostname %r "
-            "doesn't match either of %s" % (hostname, ", ".join(map(repr, dnsnames)))
-        )
-    elif len(dnsnames) == 1:
-        raise CertificateError(f"hostname {hostname!r} doesn't match {dnsnames[0]!r}")
-    else:
-        raise CertificateError("no appropriate subjectAltName fields were found")