Move ssl_match_hostname to urllib3.utils

7 files changed, 14 insertions, 27 deletions

diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
index c1feaba2..b82fe71e 100644
--- a/src/urllib3/connection.py
+++ b/src/urllib3/connection.py
@@ -47,7 +47,6 @@ from .exceptions import (
     NewConnectionError,
     SystemTimeWarning,
 )
-from .packages.ssl_match_hostname import CertificateError, match_hostname
 from .util import SKIP_HEADER, SKIPPABLE_HEADERS, connection, ssl_
 from .util.ssl_ import (
     PeerCertRetType,
@@ -57,6 +56,7 @@ from .util.ssl_ import (
     resolve_ssl_version,
     ssl_wrap_socket,
 )
+from .util.ssl_match_hostname import CertificateError, match_hostname
 
 # Not a no-op, we're adding this to the namespace so it can be imported.
 ConnectionError = ConnectionError
diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
index 0fd18383..e1406531 100644
--- a/src/urllib3/connectionpool.py
+++ b/src/urllib3/connectionpool.py
@@ -32,7 +32,6 @@ from .exceptions import (
     SSLError,
     TimeoutError,
 )
-from .packages.ssl_match_hostname import CertificateError
 from .request import RequestMethods
 from .response import BaseHTTPResponse, HTTPResponse
 from .util.connection import is_connection_dropped
@@ -40,6 +39,7 @@ from .util.proxy import connection_requires_http_tunnel
 from .util.request import set_file_position
 from .util.response import assert_header_parsing
 from .util.retry import Retry
+from .util.ssl_match_hostname import CertificateError
 from .util.timeout import Timeout
 from .util.url import Url, _encode_target
 from .util.url import _normalize_host as normalize_host
diff --git a/src/urllib3/packages/__init__.py b/src/urllib3/packages/__init__.py
deleted file mode 100644
index a055732e..00000000
--- a/src/urllib3/packages/__init__.py
+++ /dev/null
@@ -1,3 +0,0 @@
-from . import ssl_match_hostname
-
-__all__ = ("ssl_match_hostname",)
diff --git a/src/urllib3/packages/__init__.pyi b/src/urllib3/packages/__init__.pyi
deleted file mode 100644
index e69de29b..00000000
--- a/src/urllib3/packages/__init__.pyi
+++ /dev/null
diff --git a/src/urllib3/packages/ssl_match_hostname/__init__.py b/src/urllib3/packages/ssl_match_hostname/__init__.py
deleted file mode 100644
index 4447ddfb..00000000
--- a/src/urllib3/packages/ssl_match_hostname/__init__.py
+++ /dev/null
@@ -1,3 +0,0 @@
-from ._implementation import CertificateError, match_hostname
-
-__all__ = ("CertificateError", "match_hostname")
diff --git a/src/urllib3/packages/ssl_match_hostname/_implementation.pyi b/src/urllib3/packages/ssl_match_hostname/_implementation.pyi
deleted file mode 100644
index ed472ba0..00000000
--- a/src/urllib3/packages/ssl_match_hostname/_implementation.pyi
+++ /dev/null
@@ -1,11 +0,0 @@
-from typing import Dict, Tuple, Union
-
-# https://github.com/python/typeshed/blob/master/stdlib/2and3/ssl.pyi
-_PCTRTT = Tuple[Tuple[str, str], ...]
-_PCTRTTT = Tuple[_PCTRTT, ...]
-_PeerCertRetDictType = Dict[str, Union[str, _PCTRTTT, _PCTRTT]]
-_PeerCertRetType = Union[_PeerCertRetDictType, bytes, None]
-
-class CertificateError(ValueError): ...
-
-def match_hostname(cert: _PeerCertRetType, hostname: str) -> None: ...
diff --git a/src/urllib3/packages/ssl_match_hostname/_implementation.py b/src/urllib3/util/ssl_match_hostname.py
index c2332ed3..9f68ac54 100644
--- a/src/urllib3/packages/ssl_match_hostname/_implementation.py
+++ b/src/urllib3/util/ssl_match_hostname.py
@@ -5,7 +5,9 @@
 
 import ipaddress
 import re
-import sys
+from typing import Any, Match, Optional, Union
+
+from .ssl_ import PeerCertRetType
 
 __version__ = "3.5.0.1"
 
@@ -14,7 +16,9 @@ class CertificateError(ValueError):
     pass
 
 
-def _dnsname_match(dn, hostname, max_wildcards=1):
+def _dnsname_match(
+    dn: Any, hostname: str, max_wildcards: int = 1
+) -> Union[Optional[Match[str]], bool]:
     """Matching according to RFC 6125, section 6.4.3
 
     http://tools.ietf.org/html/rfc6125#section-6.4.3
@@ -41,7 +45,7 @@ def _dnsname_match(dn, hostname, max_wildcards=1):
 
     # speed up common case w/o wildcards
     if not wildcards:
-        return dn.lower() == hostname.lower()
+        return bool(dn.lower() == hostname.lower())
 
     # RFC 6125, section 6.4.3, subitem 1.
     # The client SHOULD NOT attempt to match a presented identifier in which
@@ -68,7 +72,7 @@ def _dnsname_match(dn, hostname, max_wildcards=1):
     return pat.match(hostname)
 
 
-def _ipaddress_match(ipname, host_ip):
+def _ipaddress_match(ipname: Any, host_ip: str) -> bool:
     """Exact matching of IP addresses.
 
     RFC 6125 explicitly doesn't define an algorithm for this
@@ -77,10 +81,10 @@ def _ipaddress_match(ipname, host_ip):
     # OpenSSL may add a trailing newline to a subjectAltName's IP address
     # Divergence from upstream: ipaddress can't handle byte str
     ip = ipaddress.ip_address(ipname.rstrip())
-    return ip == host_ip
+    return bool(ip == host_ip)
 
 
-def match_hostname(cert, hostname):
+def match_hostname(cert: PeerCertRetType, hostname: str) -> None:
     """Verify that *cert* (in decoded format as returned by
     SSLSocket.getpeercert()) matches the *hostname*.  RFC 2818 and RFC 6125
     rules are followed, but IP addresses are not accepted for *hostname*.
@@ -101,8 +105,8 @@ def match_hostname(cert, hostname):
         # Not an IP address (common case)
         host_ip = None
     dnsnames = []
-    san = cert.get("subjectAltName", ())
-    for key, value in san:
+    san = cert.get("subjectAltName", ())  # type: ignore
+    for key, value in san:  # type: ignore
         if key == "DNS":
             if host_ip is None and _dnsname_match(value, hostname):
                 return