o ;h,@sddlZddlZddlZddlmZmZddlZddlZddlm Z m Z ddl m Z ddl mZddlmZddlmZmZddlmZdd lmZdd lmZmZdd lmZmZdd lmZdd lm Z m!Z!ddZ"dddZ#ddZ$ddZ%dddZ&GdddZ'dS)N)urljoinurlparse)hazmatx509)InvalidSignature)backends) DSAPublicKey)ECDSAEllipticCurvePublicKey)PKCS1v15) RSAPublicKey)SHA1Hash)Encoding PublicFormat)ocsp)AuthorizationErrorConnectionErrorcCs|}zEt|tr||j|jt|jWdSt|tr+||j|j|jWdSt|t r?||j|jt |jWdS||j|jWdSt yTt dw)Nzfailed to valid ocsp response) public_key isinstancer verify signatureZtbs_response_bytesr Zsignature_hash_algorithmrr r rr) issuer_cert ocsp_responsepubkeyr=/var/www/html/venv/lib/python3.10/site-packages/redis/ocsp.py_verify_responses2     rTc CsNt|}|jtjjkrtd|jtjjkr/|jtjj kr.t dt |j dddnt d|j tjkr?t d|jrN|jtjkrNt d|j}|j}|j}|}|d urb||jksf||kri|}n5|j}t||||} z| d } Wn tyt d w| jtj} | d ustjjj| jvrt d | }|rt ||d S)z=A wrapper the return the validity of a known ocsp certificatez4you are not authorized to view this ocsp certificatez Received an .z ocsp certificate statusz@failed to retrieve a successful response from the ocsp responderz)ocsp certificate was issued in the futurez1ocsp certificate has invalid update - in the pastNrz'no certificates found for the responderz'delegate not autorized for ocsp signingT)!rZload_der_ocsp_responseZresponse_statusZOCSPResponseStatus UNAUTHORIZEDrZ SUCCESSFULZcertificate_statusZOCSPCertStatusZGOODrstrsplitZ this_updatedatetimenowZ next_updateresponder_nameZissuer_key_hashZresponder_key_hashsubject certificates_get_certificates IndexError extensionsZget_extension_for_classrZExtendedKeyUsageoidZExtendedKeyUsageOIDZ OCSP_SIGNINGvaluer) r ocsp_bytesvalidaterr%Z issuer_hashresponder_hashZcert_to_validatecertsZresponder_certsZresponder_certextrrr_check_certificate2sT     r2cs8durfdd|D}|Sfdd|D}|S)Ncs(g|]}t|kr|jjkr|qSr)_get_pubkey_hashissuerr&.0c)rr/rr os z%_get_certificates..cs&g|]}|jkr|jjkr|qSr)r&r4r5)rr%rrr8us r)r0rr%r/r'r)rr/r%rr(ms  r(cCst|}t|tr|tjtj}nt|tr |tj tj }n|tjtj }t t td}|||S)N)backend)rrr public_bytesrDERrZPKCS1r ZX962ZUncompressedPointZSubjectPublicKeyInforr rdefault_backendupdatefinalize)Z certificaterhsha1rrrr3~s   r3cCs|dvrtdd}|}|D]}|}|j|jkr$|}nq|dur-td|dur>t|}||kr>tdt||S)zAn implementation of a function for set_ocsp_client_callback in PyOpenSSL. This function validates that the provide ocsp_bytes response is valid, and matches the expected, stapled responses. )Nzno ocsp response presentNz2no matching issuer cert found in certificate chainz/received and expected certificates do not match) rZget_peer_certificateZto_cryptographyZget_peer_cert_chainr&r4rload_pem_x509_certificater2)conr-expectedrZ peer_certr7certerrrocsp_staple_verifiers"     rGc@sReZdZdZdddZddZddZd d Zd d Zd dZ ddZ ddZ dS) OCSPVerifieraA class to verify ssl sockets for RFC6960/RFC6961. This can be used when using direct validation of OCSP responses and certificate revocations. @see https://datatracker.ietf.org/doc/html/rfc6960 @see https://datatracker.ietf.org/doc/html/rfc6961 NcCs||_||_||_||_dSN)SOCKHOSTPORTCA_CERTS)selfsockhostportca_certsrrr__init__s zOCSPVerifier.__init__cCs"t|}t|t}|S)z?Convert SSL certificates in a binary (DER) format to ASCII PEM.)sslDER_cert_to_PEM_certrrBencoderr<)rNderpemrErrr _bin2asciis zOCSPVerifier._bin2asciicCs0|jd}|durtd||}||S)zThis function returns the certificate, primary issuer, and primary ocsp server in the chain for a socket already wrapped with ssl. TFz!no certificate found for ssl peer)rJ getpeercertrrY_certificate_components)rNrWrErrrcomponents_from_sockets   z#OCSPVerifier.components_from_socketcCsz |jtjjjj}Wntjjjyt dwdd|D}z|dj j}Wn t y5d}Ynwdd|D}z|dj j}Wn t yPt dw|||fS)zGiven an SSL certificate, retract the useful components for validating the certificate status with an OCSP server. Args: cert ([bytes]): A PEM encoded ssl certificate z-No AIA information present in ssl certificatecS g|] }|jtjjjkr|qSr) access_methodrr+AuthorityInformationAccessOIDZ CA_ISSUERSr6irrrr8 z8OCSPVerifier._certificate_components..rNcSr]r)r^rr+r_ZOCSPr`rrrr8rbzno ocsp servers in certificate) r*Zget_extension_for_oidrr+Z ExtensionOIDZAUTHORITY_INFORMATION_ACCESSr, cryptographyZExtensionNotFoundrZaccess_locationr))rNrEZaiaZissuersr4Zocspsrrrrr[s4   z$OCSPVerifier._certificate_componentscCs6tj|j|jf|jd}t|t }| |S)zReturn the certificate, primary issuer, and primary ocsp server from the host defined by the socket. This is useful in cases where different certificates are occasionally presented. )rR) rTget_server_certificaterKrLrMrrBrVrr<r[)rNrXrErrr!components_from_direct_connections z.OCSPVerifier.components_from_direct_connectioncCsTt}|||tjjj}|}t | tjj j j}t||d}|S)z#Return the complete url to the ocspascii)rZOCSPRequestBuilderZadd_certificatercrZ primitiveshashesSHA256buildbase64 b64encoder:Z serializationrr;rdecode)rNserverrErZorbrequestpathurlrrrbuild_certificate_urlsz"OCSPVerifier.build_certificate_urlc Cspt|}|js td|j}||}||||}t|jdd}tj||d}|js1tdt ||jdS)z3Checks the validity of an ocsp server for an issuerz"failed to fetch issuer certificatezapplication/ocsp-request)Hostz Content-Type)headersz failed to fetch ocsp certificateT) requestsgetokrcontentrYrqrnetlocr2) rNrmrE issuer_urlrrWrZocsp_urlheaderrrrcheck_certificate s  zOCSPVerifier.check_certificatecCsnz|\}}}|durtd||||WSty6|\}}}|dur-td||||YSw)aDReturns the validity of the certificate wrapping our socket. This first retrieves for validate the certificate, issuer_url, and ocsp_server for certificate validate. Then retrieves the issuer certificate from the issuer_url, and finally checks the validity of OCSP revocation status. Nz%no issuers found in certificate chain)r\rr|rre)rNrEryZ ocsp_serverrrris_valid"s  zOCSPVerifier.is_validrI) __name__ __module__ __qualname____doc__rSrYr\r[rerqr|r}rrrrrHs  (  rH)TrI)(rjr#rT urllib.parserrZ%cryptography.hazmat.primitives.hashesrcrtrrZcryptography.exceptionsrZcryptography.hazmatrZ-cryptography.hazmat.primitives.asymmetric.dsarZ,cryptography.hazmat.primitives.asymmetric.ecr r Z1cryptography.hazmat.primitives.asymmetric.paddingr Z-cryptography.hazmat.primitives.asymmetric.rsar r rZ,cryptography.hazmat.primitives.serializationrrZcryptography.x509rZredis.exceptionsrrrr2r(r3rGrHrrrrs.       ;