U d,@sddlZddlZddlZddlmZmZddlZddlZddlm Z m Z ddl m Z ddl mZddlmZddlmZmZddlmZdd lmZdd lmZmZdd lmZmZdd lmZdd lm Z m!Z!ddZ"dddZ#ddZ$ddZ%dddZ&GdddZ'dS)N)urljoinurlparse)hazmatx509)InvalidSignature)backends) DSAPublicKey)ECDSAEllipticCurvePublicKey)PKCS1v15) RSAPublicKey)SHA1Hash)Encoding PublicFormat)ocsp)AuthorizationErrorConnectionErrorcCs|}z|t|tr.||j|jt|jnTt|trN||j|j|jn4t|t rr||j|jt |jn||j|jWnt k rt dYnXdS)Nzfailed to valid ocsp response) public_key isinstancer verify signatureZtbs_response_bytesr Zsignature_hash_algorithmrr r rr) issuer_cert ocsp_responsepubkeyr./tmp/pip-unpacked-wheel-f5h5_hbx/redis/ocsp.py_verify_responses0   rTc Cs\t|}|jtjjkr td|jtjjkr^|jtjj krft dt |j dddnt d|j tjkr~t d|jr|jtjkrt d|j}|j}|j}|}|d k r||jks||kr|}nv|j}t||||} z | d } Wntk rt d YnX| jtj} | d ksos z%_get_certificates..cs&g|]}|jkr|jjkr|qSr)r&r4r5)rr%rrr8us r)r0rr%r/r'r)rr/r%rr(ms  r(cCst|}t|tr$|tjtj}n,t|tr@|tj tj }n|tjtj }t t td}|||S)N)backend)rrr public_bytesrDERrZPKCS1r ZX962ZUncompressedPointZSubjectPublicKeyInforr rdefault_backendupdatefinalize)Z certificaterhsha1rrrr3~s   r3cCs|dkrtdd}|}|D] }|}|j|jkr(|}qJq(|dkrZtd|dk r|t|}||kr|tdt||S)zAn implemention of a function for set_ocsp_client_callback in PyOpenSSL. This function validates that the provide ocsp_bytes response is valid, and matches the expected, stapled responses. )Nzno ocsp response presentNz2no matching issuer cert found in certificate chainz/received and expected certificates do not match) rZget_peer_certificateZto_cryptographyZget_peer_cert_chainr&r4rload_pem_x509_certificater2)conr-expectedrZ peer_certr7certerrrocsp_staple_verifiers     rGc@sReZdZdZdddZddZddZd d Zd d Zd dZ ddZ ddZ dS) OCSPVerifieraA class to verify ssl sockets for RFC6960/RFC6961. This can be used when using direct validation of OCSP responses and certificate revocations. @see https://datatracker.ietf.org/doc/html/rfc6960 @see https://datatracker.ietf.org/doc/html/rfc6961 NcCs||_||_||_||_dS)N)SOCKHOSTPORTCA_CERTS)selfsockhostportca_certsrrr__init__szOCSPVerifier.__init__cCs"t|}t|t}|S)z?Convert SSL certificates in a binary (DER) format to ASCII PEM.)sslDER_cert_to_PEM_certrrBencoderr<)rMderpemrErrr _bin2asciis zOCSPVerifier._bin2asciicCs0|jd}|dkrtd||}||S)zThis function returns the certificate, primary issuer, and primary ocsp server in the chain for a socket already wrapped with ssl. TFz!no certificate found for ssl peer)rI getpeercertrrX_certificate_components)rMrVrErrrcomponents_from_sockets   z#OCSPVerifier.components_from_socketcCsz|jtjjjj}Wn"tjjjk r:t dYnXdd|D}z|dj j}Wnt k rrd}YnXdd|D}z|dj j}Wnt k rt dYnX|||fS)zGiven an SSL certificate, retract the useful components for validating the certificate status with an OCSP server. Args: cert ([bytes]): A PEM encoded ssl certificate z-No AIA information present in ssl certificatecSs g|]}|jtjjjkr|qSr) access_methodrr+AuthorityInformationAccessOIDZ CA_ISSUERSr6irrrr8sz8OCSPVerifier._certificate_components..rNcSs g|]}|jtjjjkr|qSr)r\rr+r]ZOCSPr^rrrr8szno ocsp servers in certificate) r*Zget_extension_for_oidrr+Z ExtensionOIDZAUTHORITY_INFORMATION_ACCESSr, cryptographyZExtensionNotFoundrZaccess_locationr))rMrEZaiaZissuersr4ZocspsrrrrrZs*  z$OCSPVerifier._certificate_componentscCs6tj|j|jf|jd}t|t }| |S)zReturn the certificate, primary issuer, and primary ocsp server from the host defined by the socket. This is useful in cases where different certificates are occasionally presented. )rQ) rSget_server_certificaterJrKrLrrBrUrr<rZ)rMrWrErrr!components_from_direct_connectionsz.OCSPVerifier.components_from_direct_connectioncCsTt}|||tjjj}|}t | tjj j j}t||d}|S)z#Return the complete url to the ocspascii)rZOCSPRequestBuilderZadd_certificater`rZ primitiveshashesSHA256buildbase64 b64encoder:Z serializationrr;rdecode)rMserverrErZorbrequestpathurlrrrbuild_certificate_urls z"OCSPVerifier.build_certificate_urlc Cspt|}|jstd|j}||}||||}t|jdd}tj||d}|jsbtdt ||jdS)z5Checks the validitity of an ocsp server for an issuerz"failed to fetch issuer certificatezapplication/ocsp-request)Hostz Content-Type)headersz failed to fetch ocsp certificateT) requestsgetokrcontentrXrnrnetlocr2) rMrjrE issuer_urlrrVrZocsp_urlheaderrrrcheck_certificate s  zOCSPVerifier.check_certificatecCstz.|\}}}|dkr td||||WStk rn|\}}}|dkr\td||||YSXdS)aDReturns the validity of the certificate wrapping our socket. This first retrieves for validate the certificate, issuer_url, and ocsp_server for certificate validate. Then retrieves the issuer certificate from the issuer_url, and finally checks the valididy of OCSP revocation status. Nz%no issuers found in certificate chain)r[rryrrb)rMrErvZ ocsp_serverrrris_valid"s zOCSPVerifier.is_valid)N) __name__ __module__ __qualname____doc__rRrXr[rZrbrnryrzrrrrrHs  ( rH)T)N)(rgr#rS urllib.parserrZ%cryptography.hazmat.primitives.hashesr`rqrrZcryptography.exceptionsrZcryptography.hazmatrZ-cryptography.hazmat.primitives.asymmetric.dsarZ,cryptography.hazmat.primitives.asymmetric.ecr r Z1cryptography.hazmat.primitives.asymmetric.paddingr Z-cryptography.hazmat.primitives.asymmetric.rsar r rZ,cryptography.hazmat.primitives.serializationrrZcryptography.x509rZredis.exceptionsrrrr2r(r3rGrHrrrrs,       ;