Pf,ddlZddlZddlZddlmZmZddlZddlZddlm Z m Z ddl m Z ddl mZddlmZddlmZmZddlmZdd lmZdd lmZmZdd lmZmZdd lmZdd lm Z m!Z!dZ"ddZ#dZ$dZ%ddZ&GddZ'dS)N)urljoinurlparse)hazmatx509)InvalidSignature)backends) DSAPublicKey)ECDSAEllipticCurvePublicKey)PKCS1v15) RSAPublicKey)SHA1Hash)Encoding PublicFormat)ocsp)AuthorizationErrorConnectionErrorcL|} t|tr5||j|jt |jdSt|tr(||j|j|jdSt|tr5||j|jt|jdS||j|jdS#t$rtdwxYw)Nzfailed to valid ocsp response) public_key isinstancer verify signaturetbs_response_bytesr signature_hash_algorithmr r r rr) issuer_cert ocsp_responsepubkeys >>?sAD ;D AD ' D D#Tctj|}|jtjjkrt d|jtjjkrY|jtjj kr>tdt|j dddntd|j tjkrtd|jr6|jtjkrtd|j}|j}|j}|}| ||jks||kr|}n|j}t-||||} | d } n#t.$rtd wxYw| jt4j} | t4jjj| jvrtd | }|rtA||d S)z=A wrapper the return the validity of a known ocsp certificatez4you are not authorized to view this ocsp certificatez Received an .z ocsp certificate statusz@failed to retrieve a successful response from the ocsp responderz)ocsp certificate was issued in the futurez1ocsp certificate has invalid update - in the pastNrz'no certificates found for the responderz'delegate not autorized for ocsp signingT)!rload_der_ocsp_responseresponse_statusOCSPResponseStatus UNAUTHORIZEDr SUCCESSFULcertificate_statusOCSPCertStatusGOODrstrsplit this_updatedatetimenow next_updateresponder_nameissuer_key_hashresponder_key_hashsubject certificates_get_certificates IndexError extensionsget_extension_for_classrExtendedKeyUsageoidExtendedKeyUsageOID OCSP_SIGNINGvaluer ) r ocsp_bytesvalidaterr2 issuer_hashresponder_hashcert_to_validatecertsresponder_certsresponder_certexts r_check_certificaterI1s8/ ;;M$(?(LLL !WXXX$(?(JJJ  +t/B/G G G!*s=#CDDJJ3OOPQR***  H  N    H$5$9$9$;$;;;IJJJ !S  %(9(=(=(?(? ? ?QRRR"1N/K"5N"" k1 1 1 [ ( (&*+ ;   M,Q/NN M M M!"KLL L M'??@UVV ;$(6C39TT!"KLL L):)=999 4s :FFcNfd|D}nfd|D}|S)NcZg|]'}t|k|jjk%|(S)_get_pubkey_hashissuerr5).0crrCs r z%_get_certificates..nsE   ""n44[EX9X9X 9X9X9XcJg|]}|jk |jjk| SrL)r5rN)rOrPrr2s rrQz%_get_certificates..ts?   yN**qx;;N/N/N /N/N/NrRrL)rErr2rCr6s ``` rr7r7lso                rRc,|}t|tr+|tjt j}njt|tr+|tj t j }n*|tjt j }tttj}|||S)N)backend)rrr public_bytesrDERrPKCS1r X962UncompressedPointSubjectPublicKeyInforrrdefault_backendupdatefinalize) certificaterhsha1s rrMrM}s  # # % %F&,''Q    l.@ A A F2 3 3Q    |/M N N    l.O P P  8 : : ; ; ;DKKNNN ==??rRc|dvrtdd}|}|D]*}|}|j|jkr|}n+|td|)t j|}||krtdt||S)zAn implementation of a function for set_ocsp_client_callback in PyOpenSSL. This function validates that the provide ocsp_bytes response is valid, and matches the expected, stapled responses. )rRNzno ocsp response presentNz2no matching issuer cert found in certificate chainz/received and expected certificates do not match) rget_peer_certificateto_cryptographyget_peer_cert_chainr5rNrload_pem_x509_certificaterI)conr@expectedr peer_certrPcertes rocsp_staple_verifierrls [  8999K((**::<>!"STT T k: 6 66rRcDeZdZdZd dZdZdZdZdZdZ d Z d Z dS) OCSPVerifieraA class to verify ssl sockets for RFC6960/RFC6961. This can be used when using direct validation of OCSP responses and certificate revocations. @see https://datatracker.ietf.org/doc/html/rfc6960 @see https://datatracker.ietf.org/doc/html/rfc6961 Nc>||_||_||_||_dSN)SOCKHOSTPORTCA_CERTS)selfsockhostportca_certss r__init__zOCSPVerifier.__init__s"     rRctj|}tj|t j}|S)z?Convert SSL certificates in a binary (DER) format to ASCII PEM.)sslDER_cert_to_PEM_certrrfencoderr\)ruderpemrjs r _bin2asciizOCSPVerifier._bin2asciis<&s++-cjjllH.s7   $("H"SSS SSSrRrNcPg|]#}|jtjjjk!|$SrL)rrr<rOCSPrs rrQz8OCSPVerifier._certificate_components..s7   $("H"MMM MMMrRzno ocsp servers in certificate) r9get_extension_for_oidrr< ExtensionOIDAUTHORITY_INFORMATION_ACCESSr? cryptographyExtensionNotFoundraccess_locationr8)rurjaiaissuersrNocspsrs rrz$OCSPVerifier._certificate_componentss5 S/77%B C += S S S!"QRR R S       QZ/5FF   FFF        D8+1DD D D D!"BCC C DVT!!s'36)A/B BB!B44Cctj|j|jf|j}t j|tj }| |S)zReturn the certificate, primary issuer, and primary ocsp server from the host defined by the socket. This is useful in cases where different certificates are occasionally presented. )ry) r|get_server_certificaterrrsrtrrfr~rr\r)rurrjs r!components_from_direct_connectionz.OCSPVerifier.components_from_direct_connections[ ($)TY)?$-XXX-cjjllHrs  ********,,,,%%%%%%%%444444((((((FFFFFFVVVVVVVVFFFFFFFFFFFF<<<<<<<<OOOOOOOO""""""@@@@@@@@???88888v"    77778JIJIJIJIJIJIJIJIJIJIrR