o `f,@sddlZddlZddlZddlmZmZddlZddlZddlm Z m Z ddl m Z ddl mZddlmZddlmZmZddlmZdd lmZdd lmZmZdd lmZmZdd lmZdd lm Z m!Z!ddZ"dddZ#ddZ$ddZ%dddZ&GdddZ'dS)N)urljoinurlparse)hazmatx509)InvalidSignature)backends) DSAPublicKey)ECDSAEllipticCurvePublicKey)PKCS1v15) RSAPublicKey)SHA1Hash)Encoding PublicFormat)ocsp)AuthorizationErrorConnectionErrorcCs|}zEt|tr||j|jt|jWdSt|tr+||j|j|jWdSt|t r?||j|jt |jWdS||j|jWdSt yTt dw)Nzfailed to valid ocsp response) public_key isinstancer verify signaturetbs_response_bytesr signature_hash_algorithmrr r rr) issuer_cert ocsp_responsepubkeyrC/home/ubuntu/webapp/venv/lib/python3.10/site-packages/redis/ocsp.py_verify_responses2     rTc CsNt|}|jtjjkrtd|jtjjkr/|jtjj kr.t dt |j dddnt d|j tjkr?t d|jrN|jtjkrNt d|j}|j}|j}|}|d urb||jksf||kri|}n5|j}t||||} z| d } Wn tyt d w| jtj} | d ustjjj| jvrt d | }|rt ||d S)z=A wrapper the return the validity of a known ocsp certificatez4you are not authorized to view this ocsp certificatez Received an .z ocsp certificate statusz@failed to retrieve a successful response from the ocsp responderz)ocsp certificate was issued in the futurez1ocsp certificate has invalid update - in the pastNrz'no certificates found for the responderz'delegate not autorized for ocsp signingT)!rload_der_ocsp_responseresponse_statusOCSPResponseStatus UNAUTHORIZEDr SUCCESSFULcertificate_statusOCSPCertStatusGOODrstrsplit this_updatedatetimenow next_updateresponder_nameissuer_key_hashresponder_key_hashsubject certificates_get_certificates IndexError extensionsget_extension_for_classrExtendedKeyUsageoidExtendedKeyUsageOID OCSP_SIGNINGvaluer) r ocsp_bytesvalidaterr0 issuer_hashresponder_hashcert_to_validatecertsresponder_certsresponder_certextrrr_check_certificate1sT     rGcs8durfdd|D}|Sfdd|D}|S)Ncs(g|]}t|kr|jjkr|qSr)_get_pubkey_hashissuerr3.0c)rrArr ns z%_get_certificates..cs&g|]}|jkr|jjkr|qSr)r3rIrJ)rr0rrrMts r)rCrr0rAr4r)rrAr0rr5ls  r5cCst|}t|tr|tjtj}nt|tr |tj tj }n|tjtj }t t td}|||S)N)backend)rrr public_bytesrDERrPKCS1r X962UncompressedPointSubjectPublicKeyInforr rdefault_backendupdatefinalize) certificaterhsha1rrrrH}s   rHcCs|dvrtdd}|}|D]}|}|j|jkr$|}nq|dur-td|dur>t|}||kr>tdt||S)zAn implementation of a function for set_ocsp_client_callback in PyOpenSSL. This function validates that the provide ocsp_bytes response is valid, and matches the expected, stapled responses. )Nzno ocsp response presentNz2no matching issuer cert found in certificate chainz/received and expected certificates do not match) rget_peer_certificateto_cryptographyget_peer_cert_chainr3rIrload_pem_x509_certificaterG)conr>expectedr peer_certrLcerterrrocsp_staple_verifiers"     rec@sReZdZdZdddZddZddZd d Zd d Zd dZ ddZ ddZ dS) OCSPVerifieraA class to verify ssl sockets for RFC6960/RFC6961. This can be used when using direct validation of OCSP responses and certificate revocations. @see https://datatracker.ietf.org/doc/html/rfc6960 @see https://datatracker.ietf.org/doc/html/rfc6961 NcCs||_||_||_||_dSN)SOCKHOSTPORTCA_CERTS)selfsockhostportca_certsrrr__init__s zOCSPVerifier.__init__cCs"t|}t|t}|S)z?Convert SSL certificates in a binary (DER) format to ASCII PEM.)sslDER_cert_to_PEM_certrr_encoderrU)rlderpemrcrrr _bin2asciis zOCSPVerifier._bin2asciicCs0|jd}|durtd||}||S)zThis function returns the certificate, primary issuer, and primary ocsp server in the chain for a socket already wrapped with ssl. TFz!no certificate found for ssl peer)rh getpeercertrrw_certificate_components)rlrurcrrrcomponents_from_sockets   z#OCSPVerifier.components_from_socketcCsz |jtjjjj}Wntjjjyt dwdd|D}z|dj j}Wn t y5d}Ynwdd|D}z|dj j}Wn t yPt dw|||fS)zGiven an SSL certificate, retract the useful components for validating the certificate status with an OCSP server. Args: cert ([bytes]): A PEM encoded ssl certificate z-No AIA information present in ssl certificatecS g|] }|jtjjjkr|qSr) access_methodrr:AuthorityInformationAccessOID CA_ISSUERSrKirrrrM z8OCSPVerifier._certificate_components..rNcSr{r)r|rr:r}OCSPrrrrrMrzno ocsp servers in certificate) r7get_extension_for_oidrr: ExtensionOIDAUTHORITY_INFORMATION_ACCESSr= cryptographyExtensionNotFoundraccess_locationr6)rlrcaiaissuersrIocspsrrrrrys4   z$OCSPVerifier._certificate_componentscCs6tj|j|jf|jd}t|t }| |S)zReturn the certificate, primary issuer, and primary ocsp server from the host defined by the socket. This is useful in cases where different certificates are occasionally presented. )rp) rrget_server_certificaterirjrkrr_rtrrUry)rlrvrcrrr!components_from_direct_connections z.OCSPVerifier.components_from_direct_connectioncCsTt}|||tjjj}|}t | tjj j j}t||d}|S)z#Return the complete url to the ocspascii)rOCSPRequestBuilderadd_certificaterr primitiveshashesSHA256buildbase64 b64encoderO serializationrrPrdecode)rlserverrcrorbrequestpathurlrrrbuild_certificate_urlsz"OCSPVerifier.build_certificate_urlc Cspt|}|js td|j}||}||||}t|jdd}tj||d}|js1tdt ||jdS)z3Checks the validity of an ocsp server for an issuerz"failed to fetch issuer certificatezapplication/ocsp-request)Hostz Content-Type)headersz failed to fetch ocsp certificateT) requestsgetokrcontentrwrrnetlocrG) rlrrc issuer_urlrrurocsp_urlheaderrrrcheck_certificate s  zOCSPVerifier.check_certificatecCsnz|\}}}|durtd||||WSty6|\}}}|dur-td||||YSw)aDReturns the validity of the certificate wrapping our socket. This first retrieves for validate the certificate, issuer_url, and ocsp_server for certificate validate. Then retrieves the issuer certificate from the issuer_url, and finally checks the validity of OCSP revocation status. Nz%no issuers found in certificate chain)rzrrrr)rlrcr ocsp_serverrrris_valid!s  zOCSPVerifier.is_validrg) __name__ __module__ __qualname____doc__rqrwrzryrrrrrrrrrfs  (  rf)Trg)(rr-rr urllib.parserr%cryptography.hazmat.primitives.hashesrrrrcryptography.exceptionsrcryptography.hazmatr-cryptography.hazmat.primitives.asymmetric.dsar,cryptography.hazmat.primitives.asymmetric.ecr r 1cryptography.hazmat.primitives.asymmetric.paddingr -cryptography.hazmat.primitives.asymmetric.rsar r r,cryptography.hazmat.primitives.serializationrrcryptography.x509rredis.exceptionsrrrrGr5rHrerfrrrrs.       ;