import sys

from _typeshed import ReadableBuffer, StrOrBytesPath

from collections.abc import Callable

from ssl import (

SSLCertVerificationError as SSLCertVerificationError,

SSLContext,

SSLEOFError as SSLEOFError,

SSLError as SSLError,

SSLObject,

SSLSyscallError as SSLSyscallError,

SSLWantReadError as SSLWantReadError,

SSLWantWriteError as SSLWantWriteError,

SSLZeroReturnError as SSLZeroReturnError,

)

from typing import Any, ClassVar, Final, Literal, TypedDict, final, overload, type_check_only

from typing_extensions import NotRequired, Self, TypeAlias, deprecated, disjoint_base

_PasswordType: TypeAlias = Callable[[], str | bytes | bytearray] | str | bytes | bytearray

_PCTRTT: TypeAlias = tuple[tuple[str, str], ...]

_PCTRTTT: TypeAlias = tuple[_PCTRTT, ...]

_PeerCertRetDictType: TypeAlias = dict[str, str | _PCTRTTT | _PCTRTT]

@type_check_only

class _Cipher(TypedDict):

aead: bool

alg_bits: int

auth: str

description: str

digest: str | None

id: int

kea: str

name: str

protocol: str

strength_bits: int

symmetric: str

@type_check_only

class _CertInfo(TypedDict):

subject: tuple[tuple[tuple[str, str], ...], ...]

issuer: tuple[tuple[tuple[str, str], ...], ...]

version: int

serialNumber: str

notBefore: str

notAfter: str

subjectAltName: NotRequired[tuple[tuple[str, str], ...] | None]

OCSP: NotRequired[tuple[str, ...] | None]

caIssuers: NotRequired[tuple[str, ...] | None]

crlDistributionPoints: NotRequired[tuple[str, ...] | None]

def RAND_add(string: str | ReadableBuffer, entropy: float, /) -> None: ...

def RAND_bytes(n: int, /) -> bytes: ...

if sys.version_info < (3, 12):

@deprecated("Deprecated since Python 3.6; removed in Python 3.12. Use `ssl.RAND_bytes()` instead.")

def RAND_pseudo_bytes(n: int, /) -> tuple[bytes, bool]: ...

if sys.version_info < (3, 10):

@deprecated("Unsupported by OpenSSL since 1.1.1; removed in Python 3.10.")

def RAND_egd(path: str) -> None: ...

def RAND_status() -> bool: ...

def get_default_verify_paths() -> tuple[str, str, str, str]: ...

if sys.platform == "win32":

_EnumRetType: TypeAlias = list[tuple[bytes, str, set[str] | bool]]

def enum_certificates(store_name: str) -> _EnumRetType: ...

def enum_crls(store_name: str) -> _EnumRetType: ...

def txt2obj(txt: str, name: bool = False) -> tuple[int, str, str, str]: ...

def nid2obj(nid: int, /) -> tuple[int, str, str, str]: ...

@disjoint_base

class _SSLContext:

check_hostname: bool

keylog_filename: str | None

maximum_version: int

minimum_version: int

num_tickets: int

options: int

post_handshake_auth: bool

protocol: int

if sys.version_info >= (3, 10):

security_level: int

sni_callback: Callable[[SSLObject, str, SSLContext], None | int] | None

verify_flags: int

verify_mode: int

def __new__(cls, protocol: int, /) -> Self: ...

def cert_store_stats(self) -> dict[str, int]: ...

@overload

def get_ca_certs(self, binary_form: Literal[False] = False) -> list[_PeerCertRetDictType]: ...

@overload

def get_ca_certs(self, binary_form: Literal[True]) -> list[bytes]: ...

@overload

def get_ca_certs(self, binary_form: bool = False) -> Any: ...

def get_ciphers(self) -> list[_Cipher]: ...

def load_cert_chain(

self, certfile: StrOrBytesPath, keyfile: StrOrBytesPath | None = None, password: _PasswordType | None = None

) -> None: ...

def load_dh_params(self, path: str, /) -> None: ...

def load_verify_locations(

self,

cafile: StrOrBytesPath | None = None,

capath: StrOrBytesPath | None = None,

cadata: str | ReadableBuffer | None = None,

) -> None: ...

def session_stats(self) -> dict[str, int]: ...

def set_ciphers(self, cipherlist: str, /) -> None: ...

def set_default_verify_paths(self) -> None: ...

def set_ecdh_curve(self, name: str, /) -> None: ...

if sys.version_info >= (3, 13):

def set_psk_client_callback(self, callback: Callable[[str | None], tuple[str | None, bytes]] | None) -> None: ...

def set_psk_server_callback(

self, callback: Callable[[str | None], bytes] | None, identity_hint: str | None = None

) -> None: ...

@final

class MemoryBIO:

eof: bool

pending: int

def __new__(self) -> Self: ...

def read(self, size: int = -1, /) -> bytes: ...

def write(self, b: ReadableBuffer, /) -> int: ...

def write_eof(self) -> None: ...

@final

class SSLSession:

__hash__: ClassVar[None] # type: ignore[assignment]

@property

def has_ticket(self) -> bool: ...

@property

def id(self) -> bytes: ...

@property

def ticket_lifetime_hint(self) -> int: ...

@property

def time(self) -> int: ...

@property

def timeout(self) -> int: ...

# _ssl.Certificate is weird: it can't be instantiated or subclassed.

# Instances can only be created via methods of the private _ssl._SSLSocket class,

# for which the relevant method signatures are:

#

# class _SSLSocket:

# def get_unverified_chain(self) -> list[Certificate] | None: ...

# def get_verified_chain(self) -> list[Certificate] | None: ...

#

# You can find a _ssl._SSLSocket object as the _sslobj attribute of a ssl.SSLSocket object

if sys.version_info >= (3, 10):

@final

class Certificate:

def get_info(self) -> _CertInfo: ...

@overload

def public_bytes(self) -> str: ...

@overload

def public_bytes(self, format: Literal[1] = 1, /) -> str: ... # ENCODING_PEM

@overload

def public_bytes(self, format: Literal[2], /) -> bytes: ... # ENCODING_DER

@overload

def public_bytes(self, format: int, /) -> str | bytes: ...

if sys.version_info < (3, 12):

err_codes_to_names: dict[tuple[int, int], str]

err_names_to_codes: dict[str, tuple[int, int]]

lib_codes_to_names: dict[int, str]

_DEFAULT_CIPHERS: Final[str]

# SSL error numbers

SSL_ERROR_ZERO_RETURN: Final = 6

SSL_ERROR_WANT_READ: Final = 2

SSL_ERROR_WANT_WRITE: Final = 3

SSL_ERROR_WANT_X509_LOOKUP: Final = 4

SSL_ERROR_SYSCALL: Final = 5

SSL_ERROR_SSL: Final = 1

SSL_ERROR_WANT_CONNECT: Final = 7

SSL_ERROR_EOF: Final = 8

SSL_ERROR_INVALID_ERROR_CODE: Final = 10

# verify modes

CERT_NONE: Final = 0

CERT_OPTIONAL: Final = 1

CERT_REQUIRED: Final = 2

# verify flags

VERIFY_DEFAULT: Final = 0

VERIFY_CRL_CHECK_LEAF: Final = 0x04

VERIFY_CRL_CHECK_CHAIN: Final = 0x0C

VERIFY_X509_STRICT: Final = 0x20

VERIFY_X509_TRUSTED_FIRST: Final = 0x8000

if sys.version_info >= (3, 10):

VERIFY_ALLOW_PROXY_CERTS: Final = 0x40

VERIFY_X509_PARTIAL_CHAIN: Final = 0x80000

# alert descriptions

ALERT_DESCRIPTION_CLOSE_NOTIFY: Final = 0

ALERT_DESCRIPTION_UNEXPECTED_MESSAGE: Final = 10

ALERT_DESCRIPTION_BAD_RECORD_MAC: Final = 20

ALERT_DESCRIPTION_RECORD_OVERFLOW: Final = 22

ALERT_DESCRIPTION_DECOMPRESSION_FAILURE: Final = 30

ALERT_DESCRIPTION_HANDSHAKE_FAILURE: Final = 40

ALERT_DESCRIPTION_BAD_CERTIFICATE: Final = 42

ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE: Final = 43

ALERT_DESCRIPTION_CERTIFICATE_REVOKED: Final = 44

ALERT_DESCRIPTION_CERTIFICATE_EXPIRED: Final = 45

ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN: Final = 46

ALERT_DESCRIPTION_ILLEGAL_PARAMETER: Final = 47

ALERT_DESCRIPTION_UNKNOWN_CA: Final = 48

ALERT_DESCRIPTION_ACCESS_DENIED: Final = 49

ALERT_DESCRIPTION_DECODE_ERROR: Final = 50

ALERT_DESCRIPTION_DECRYPT_ERROR: Final = 51

ALERT_DESCRIPTION_PROTOCOL_VERSION: Final = 70

ALERT_DESCRIPTION_INSUFFICIENT_SECURITY: Final = 71

ALERT_DESCRIPTION_INTERNAL_ERROR: Final = 80

ALERT_DESCRIPTION_USER_CANCELLED: Final = 90

ALERT_DESCRIPTION_NO_RENEGOTIATION: Final = 100

ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION: Final = 110

ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE: Final = 111

ALERT_DESCRIPTION_UNRECOGNIZED_NAME: Final = 112

ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE: Final = 113

ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE: Final = 114

ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY: Final = 115

# protocol versions

PROTOCOL_SSLv23: Final = 2

PROTOCOL_TLS: Final = 2

PROTOCOL_TLS_CLIENT: Final = 16

PROTOCOL_TLS_SERVER: Final = 17

PROTOCOL_TLSv1: Final = 3

PROTOCOL_TLSv1_1: Final = 4

PROTOCOL_TLSv1_2: Final = 5

# protocol options

OP_ALL: Final[int]

OP_NO_SSLv2: Final = 0x0

OP_NO_SSLv3: Final = 0x2000000

OP_NO_TLSv1: Final = 0x4000000

OP_NO_TLSv1_1: Final = 0x10000000

OP_NO_TLSv1_2: Final = 0x8000000

OP_NO_TLSv1_3: Final = 0x20000000

OP_CIPHER_SERVER_PREFERENCE: Final = 0x400000

OP_SINGLE_DH_USE: Final = 0x0

OP_NO_TICKET: Final = 0x4000

OP_SINGLE_ECDH_USE: Final = 0x0

OP_NO_COMPRESSION: Final = 0x20000

OP_ENABLE_MIDDLEBOX_COMPAT: Final = 0x100000

OP_NO_RENEGOTIATION: Final = 0x40000000

if sys.version_info >= (3, 11) or sys.platform == "linux":

OP_IGNORE_UNEXPECTED_EOF: Final = 0x80

if sys.version_info >= (3, 12):

OP_LEGACY_SERVER_CONNECT: Final = 0x4

OP_ENABLE_KTLS: Final = 0x8

# host flags

HOSTFLAG_ALWAYS_CHECK_SUBJECT: Final = 0x1

HOSTFLAG_NEVER_CHECK_SUBJECT: Final = 0x20

HOSTFLAG_NO_WILDCARDS: Final = 0x2

HOSTFLAG_NO_PARTIAL_WILDCARDS: Final = 0x4

HOSTFLAG_MULTI_LABEL_WILDCARDS: Final = 0x8

HOSTFLAG_SINGLE_LABEL_SUBDOMAINS: Final = 0x10

if sys.version_info >= (3, 10):

# certificate file types

ENCODING_PEM: Final = 1

ENCODING_DER: Final = 2

# protocol versions

PROTO_MINIMUM_SUPPORTED: Final = -2

PROTO_MAXIMUM_SUPPORTED: Final = -1

PROTO_SSLv3: Final[int]

PROTO_TLSv1: Final[int]

PROTO_TLSv1_1: Final[int]

PROTO_TLSv1_2: Final[int]

PROTO_TLSv1_3: Final[int]

# feature support

HAS_SNI: Final[bool]

HAS_TLS_UNIQUE: Final[bool]

HAS_ECDH: Final[bool]

HAS_NPN: Final[bool]

if sys.version_info >= (3, 13):

HAS_PSK: Final[bool]

HAS_ALPN: Final[bool]

HAS_SSLv2: Final[bool]

HAS_SSLv3: Final[bool]

HAS_TLSv1: Final[bool]

HAS_TLSv1_1: Final[bool]

HAS_TLSv1_2: Final[bool]

HAS_TLSv1_3: Final[bool]

if sys.version_info >= (3, 14):

HAS_PHA: Final[bool]

# version info

OPENSSL_VERSION_NUMBER: Final[int]

OPENSSL_VERSION_INFO: Final[tuple[int, int, int, int, int]]

OPENSSL_VERSION: Final[str]

_OPENSSL_API_VERSION: Final[tuple[int, int, int, int, int]]