o h|F@sdZddlmZddlZddlZddlmZddlm Z ddl m Z m Z m Z mZmZddlmZddlmZdd lmZdd lmZdd lmZdd lmZ dd l!m"Z#ddl$m%Z&ddl'm(Z)ddl*m+Z,ddl*m-Z.ddl/m0Z1ddl/m2Z3ddl4m5Z6ddl4m7Z8ddl4m9Z:ddl4m;Z<ddl4m=Z>ddl4m?Z@ddlAmBZCddlAmDZEddlAmFZGddlAmHZIddlJmKZLddlJmMZNdd lOmPZQdd!lRmSZTdd"lUmVZVdd#lWmXZXmYZYe r7dd$lZm[Z[m\Z\m]Z]m^Z^m_Z_m`Z`maZadd%lbmcZcdd&l*mdZddd'l4meZemfZfdd(lgmhZhmiZidd)lAmjZjmkZkdd*llmmZmdd+lWmnZndd,lompZpee[je_j"e\je^jqe]jreaj(e`j%fZseteuZvewd-ejxZydpd2d3Zzdqd;d<Z{drdEdFZ|dsdJdKZ}dtdLdMZ~dudRdSZdvdVdWZdwdZd[Zdxd]d^Zdwd_d`ZdydfdgZdzdndoZdS){z4Support for requesting and verifying OCSP responses.) annotationsN)datetime)timezone) TYPE_CHECKINGIterableOptionalTypeUnion)InvalidSignature)default_backend) DSAPublicKey)ECDSA)EllipticCurvePublicKey)PKCS1v15) RSAPublicKey) X448PublicKey)X25519PublicKey)SHA1)Hash)Encoding) PublicFormat)AuthorityInformationAccess)ExtendedKeyUsage)ExtensionNotFound) TLSFeature)TLSFeatureType)load_pem_x509_certificate)OCSPCertStatus)OCSPRequestBuilder)OCSPResponseStatus)load_der_ocsp_response)AuthorityInformationAccessOID)ExtendedKeyUsageOID)post)RequestException)_csot) _next_update _this_update)dsaeced448ed25519rsax448x25519) Prehashed) HashAlgorithm) CertificateName) ExtensionExtensionTypeVar) OCSPRequest OCSPResponse) Connection) _OCSPCache) _CallbackDatas9-----BEGIN CERTIFICATE[^ ]+.+?-----END CERTIFICATE[^ ]+cafilestrreturnlist[Certificate]cCsbt|d }|}Wdn1swYg}t}tt|D] }|t||q$|S)z0Parse the tlsCAFile into a list of certificates.rbN)openread_default_backend_refindall _CERT_REGEXappend_load_pem_x509_certificate)r:fdatatrusted_ca_certsbackendZ cert_datarKG/var/www/html/venv/lib/python3.10/site-packages/pymongo/ocsp_support.py_load_trusted_ca_certsis  rMcertr1chainIterable[Certificate]rIOptional[list[Certificate]]Optional[Certificate]cCsF|j}|D] }|j|kr|Sq|r!|D] }|j|kr |SqdSN)issuersubject)rNrOrIZ issuer_name candidaterKrKrL_get_issuer_certvs  rWkeyCertificateIssuerPublicKeyTypes signaturebytes algorithm%Union[Prehashed, HashAlgorithm, None]rHintcCszDt|tr|||t|WdSt|tr!||||WdSt|tr2|||t|WdSt|ttfrs z*_get_certs_by_key_hash..rK)r|rTr}rKrrL_get_certs_by_key_hash rresponder_nameOptional[Name]cr)Ncs&g|]}|jkr|jjkr|qSrK)rUrTrrTrrKrLrs z&_get_certs_by_name..rK)r|rTrrKrrL_get_certs_by_namerrresponser6c Cs|j}|j}|j}|dur||jks||krtd|}nXtd|j}|jdur7t|||}tdn t|||}td|sKtddS|d}t |t }|r\t j |j vrctddSt||j|j|jsvtddSt||j|j|j} | std | S) NzResponder is issuerzResponder is a delegatezUsing responder namezUsing key hashz%No matching or valid responder certs.rz(Delegate not authorized for OCSP signingz&Delegate signature verification failedz&Response signature verification failed)rr}Zissuer_key_hashrU_LOGGERdebugr|rrrp_ExtendedKeyUsage_ExtendedKeyUsageOIDZ OCSP_SIGNINGvaluerjrqrZZsignature_hash_algorithmZtbs_certificate_bytesZtbs_response_bytes) rTrnameZ rkey_hashZ ikey_hashZresponder_certcertsZresponder_certsextretrKrKrL_verify_response_signaturesL            rr5cCst}|||t}|SrS)_OCSPRequestBuilderZadd_certificaterwbuild)rNrTbuilderrKrKrL_build_ocsp_requestsrcCstdt||}|sdSt|}tjtjd}|r&|jdur&|j dd}|r3||kr3tddSt |}|rD||krDtddSdS)NzVerifying responser)tz)tzinfozthisUpdate is in the futureznextUpdate is in the pastr_) rrrr' _datetimenowrutcrreplacer&)rTrresZ this_updaterZ next_updaterKrKrL_verify_responses       ruriUnion[str, bytes]ocsp_response_cacher8Optional[OCSPResponse]c Cs$t||}z ||}tdW|Styttdd}zt||t j ddi|d}Wnt yJ}ztd|WYd}~YdSd}~ww|j dkrZtd |j YdSt |j}td |j|jtjkroYdS|j|jkr}td YdSt||sYdStd |||<Y|Sw) NzUsing cached OCSP response.gMbP?z Content-Typezapplication/ocsp-request)rHheaderstimeoutzHTTP request failed: %szHTTP request returned %dOCSP response status: %rz-Response serial number does not match requestzCaching OCSP response.)rrrKeyErrormaxr%Zclamp_remaining_postrrrsrt_RequestException status_code_load_der_ocsp_responsecontentresponse_status_OCSPResponseStatus SUCCESSFULZ serial_numberr) rNrTrrZ ocsp_requestZ ocsp_responserrexcrKrKrL_get_ocsp_response(sF  $            rconnr7 ocsp_bytes user_dataOptional[_CallbackData]boolcCsV|sJ|}|durtddS|}t|dr#|}d}n|}|j}|s3tddSdd|D}t|||}d} t |t } | dur_| j D]} | t j kr^tdd } nqN|j} |d krtd | rttd dS|js~td d St |t} | durtdd Sdd| j D}|stdd S|durtddStd|D]-}td|t|||| }|durqtd|j|jtjkrd S|jtjkrdSqtdd Std|durtddSt|}td|j|jtjkr dSt||sdS|| t||<td|j|jtjkr)dSd S)zCCallback for use with OpenSSL.SSL.Context.set_ocsp_client_callback.Nz No peer cert?Fget_verified_chainzNo peer cert chain?cSsg|]}|qSrK)to_cryptography)rZcerrKrKrLrhsz"_ocsp_callback..z!Peer presented a must-staple certTz$Peer did not staple an OCSP responsez5Must-staple cert with no stapled response, hard fail.z.OCSP endpoint checking is disabled, soft fail.z*No authority access information, soft failcSs g|] }|jtjkr|jjqSrK)Z access_method_AuthorityInformationAccessOIDZOCSPZaccess_locationr)rZdescrKrKrLrs  zNo OCSP URI, soft failzNo issuer cert?zRequesting OCSP dataz Trying %szOCSP cert status: %rz)No definitive OCSP cert status, soft failzPeer stapled an OCSP responser)Zget_peer_certificaterrrhasattrrZget_peer_cert_chainrIrWrp _TLSFeaturer_TLSFeatureTypeZstatus_requestrZcheck_ocsp_endpoint_AuthorityInformationAccessrZcertificate_status_OCSPCertStatusZGOODZREVOKEDrrrrrr)rrrZpycertrNZpychainrIrOrTZ must_stapleZext_tlsfeaturerZext_aiaurisrrrKrKrL_ocsp_callbackUs                       r)r:r;r<r=)rNr1rOrPrIrQr<rR) rXrYrZr[r\r]rHr[r<r^)rNr1rkrlr<rm)rNr1r<r[)r|rPrTr1r}r~r<r=)r|rPrTr1rrr<r=)rTr1rr6r<r^)rNr1rTr1r<r5) rNr1rTr1rrrr8r<r)rr7rr[rrr<r)__doc__ __future__rloggingZ_loggingrerBrrrtypingrrrrr Zcryptography.exceptionsr riZcryptography.hazmat.backendsr rAZ-cryptography.hazmat.primitives.asymmetric.dsar rdZ,cryptography.hazmat.primitives.asymmetric.ecr rfrreZ1cryptography.hazmat.primitives.asymmetric.paddingrrcZ-cryptography.hazmat.primitives.asymmetric.rsarraZ.cryptography.hazmat.primitives.asymmetric.x448rrhZ0cryptography.hazmat.primitives.asymmetric.x25519rrgZ%cryptography.hazmat.primitives.hashesrrwrrvZ,cryptography.hazmat.primitives.serializationrrsrruZcryptography.x509rrrrrrorrrrrrFZcryptography.x509.ocsprrrrrrr rZcryptography.x509.oidr!rr"rrequestsr#rZrequests.exceptionsr$rZpymongor%Zpymongo.ocsp_cacher&r'Z)cryptography.hazmat.primitives.asymmetricr(r)r*r+r,r-r.Z/cryptography.hazmat.primitives.asymmetric.utilsr/r0r1r2Zcryptography.x509.extensionsr3r4r5r6Z OpenSSL.SSLr7r8Zpymongo.pyopenssl_contextr9ZEd25519PublicKeyZEd448PublicKeyrY getLogger__name__rcompileDOTALLrDrMrWrjrpr{rrrrrrrrKrKrKrLs                               $          6  -