U g,@sddlZddlZddlZddlmZmZddlZddlZddlm Z m Z ddl m Z ddl mZddlmZddlmZmZddlmZdd lmZdd lmZmZdd lmZmZdd lmZdd lm Z m!Z!ddZ"dddZ#ddZ$ddZ%dddZ&GdddZ'dS)N)urljoinurlparse)hazmatx509)InvalidSignature)backends) DSAPublicKey)ECDSAEllipticCurvePublicKey)PKCS1v15) RSAPublicKey)SHA1Hash)Encoding PublicFormat)ocsp)AuthorizationErrorConnectionErrorcCs|}z|t|tr.||j|jt|jnTt|trN||j|j|jn4t|t rr||j|jt |jn||j|jWnt k rt dYnXdS)Nzfailed to valid ocsp response) public_key isinstancer verify signaturetbs_response_bytesr signature_hash_algorithmrr r rr) issuer_cert ocsp_responsepubkeyr./tmp/pip-unpacked-wheel-f3sx1i9r/redis/ocsp.py_verify_responses0   rTc Cs\t|}|jtjjkr td|jtjjkr^|jtjj krft dt |j dddnt d|j tjkr~t d|jr|jtjkrt d|j}|j}|j}|}|d k r||jks||kr|}nv|j}t||||} z | d } Wntk rt d YnX| jtj} | d ksns z%_get_certificates..cs&g|]}|jkr|jjkr|qSr)r/rArB)rr,rrrEts r)r=rr,r<r0r)rr<r,rr1ls  r1cCst|}t|tr$|tjtj}n,t|tr@|tj tj }n|tjtj }t t td}|||S)N)backend)rrr public_bytesrDERrPKCS1r X962UncompressedPointSubjectPublicKeyInforr rdefault_backendupdatefinalize) certificaterhsha1rrrr@}s   r@cCs|dkrtdd}|}|D] }|}|j|jkr(|}qJq(|dkrZtd|dk r|t|}||kr|tdt||S)zAn implementation of a function for set_ocsp_client_callback in PyOpenSSL. This function validates that the provide ocsp_bytes response is valid, and matches the expected, stapled responses. )Nzno ocsp response presentNz2no matching issuer cert found in certificate chainz/received and expected certificates do not match) rget_peer_certificateto_cryptographyget_peer_cert_chainr/rArload_pem_x509_certificater?)conr:expectedrZ peer_certrDcerterrrocsp_staple_verifiers     r\c@sReZdZdZdddZddZddZd d Zd d Zd dZ ddZ ddZ dS) OCSPVerifieraA class to verify ssl sockets for RFC6960/RFC6961. This can be used when using direct validation of OCSP responses and certificate revocations. @see https://datatracker.ietf.org/doc/html/rfc6960 @see https://datatracker.ietf.org/doc/html/rfc6961 NcCs||_||_||_||_dS)N)SOCKHOSTPORTCA_CERTS)selfsockhostportca_certsrrr__init__szOCSPVerifier.__init__cCs"t|}t|t}|S)z?Convert SSL certificates in a binary (DER) format to ASCII PEM.)sslDER_cert_to_PEM_certrrWencoderrM)rbderpemrZrrr _bin2asciis zOCSPVerifier._bin2asciicCs0|jd}|dkrtd||}||S)zThis function returns the certificate, primary issuer, and primary ocsp server in the chain for a socket already wrapped with ssl. TFz!no certificate found for ssl peer)r^ getpeercertrrm_certificate_components)rbrkrZrrrcomponents_from_sockets   z#OCSPVerifier.components_from_socketcCsz|jtjjjj}Wn"tjjjk r:t dYnXdd|D}z|dj j}Wnt k rrd}YnXdd|D}z|dj j}Wnt k rt dYnX|||fS)zGiven an SSL certificate, retract the useful components for validating the certificate status with an OCSP server. Args: cert ([bytes]): A PEM encoded ssl certificate z-No AIA information present in ssl certificatecSs g|]}|jtjjjkr|qSr) access_methodrr6AuthorityInformationAccessOID CA_ISSUERSrCirrrrEsz8OCSPVerifier._certificate_components..rNcSs g|]}|jtjjjkr|qSr)rqrr6rrOCSPrtrrrrEszno ocsp servers in certificate) r3get_extension_for_oidrr6 ExtensionOIDAUTHORITY_INFORMATION_ACCESSr9 cryptographyExtensionNotFoundraccess_locationr2)rbrZZaiaZissuersrAZocspsrrrrros*  z$OCSPVerifier._certificate_componentscCs6tj|j|jf|jd}t|t }| |S)zReturn the certificate, primary issuer, and primary ocsp server from the host defined by the socket. This is useful in cases where different certificates are occasionally presented. )rf) rhget_server_certificater_r`rarrWrjrrMro)rbrlrZrrr!components_from_direct_connectionsz.OCSPVerifier.components_from_direct_connectioncCsTt}|||tjjj}|}t | tjj j j}t||d}|S)z#Return the complete url to the ocspascii)rZOCSPRequestBuilderZadd_certificaterzr primitiveshashesSHA256buildbase64 b64encoderG serializationrrHrdecode)rbserverrZrZorbrequestpathurlrrrbuild_certificate_urls z"OCSPVerifier.build_certificate_urlc Cspt|}|jstd|j}||}||||}t|jdd}tj||d}|jsbtdt ||jdS)z3Checks the validity of an ocsp server for an issuerz"failed to fetch issuer certificatezapplication/ocsp-request)Hostz Content-Type)headersz failed to fetch ocsp certificateT) requestsgetokrcontentrmrrnetlocr?) rbrrZ issuer_urlrrkrZocsp_urlheaderrrrcheck_certificate s  zOCSPVerifier.check_certificatecCstz.|\}}}|dkr td||||WStk rn|\}}}|dkr\td||||YSXdS)aDReturns the validity of the certificate wrapping our socket. This first retrieves for validate the certificate, issuer_url, and ocsp_server for certificate validate. Then retrieves the issuer certificate from the issuer_url, and finally checks the validity of OCSP revocation status. Nz%no issuers found in certificate chain)rprrrr~)rbrZrZ ocsp_serverrrris_valid!s zOCSPVerifier.is_valid)N) __name__ __module__ __qualname____doc__rgrmrpror~rrrrrrrr]s  ( r])T)N)(rr)rh urllib.parserr%cryptography.hazmat.primitives.hashesrzrrrcryptography.exceptionsrZcryptography.hazmatrZ-cryptography.hazmat.primitives.asymmetric.dsarZ,cryptography.hazmat.primitives.asymmetric.ecr r Z1cryptography.hazmat.primitives.asymmetric.paddingr Z-cryptography.hazmat.primitives.asymmetric.rsar r r,cryptography.hazmat.primitives.serializationrrcryptography.x509rZredis.exceptionsrrrr?r1r@r\r]rrrrs,       ;