o

����S�b�;����������������������@���s���d�Z�ddlZddlZddlmZ�ddlmZ	�ddl
mZ�ddl
mZ�ddlmZ�ddlmZ�dd	lmZ�dd
lmZ�ddlmZ�ddlmZ�dd
l m!Z"�ddl m#Z$�ddl%m&Z'�ddl%m(Z)�ddl%m*Z+�ddl%m,Z-�ddl%m.Z/�ddl%m0Z1�ddl2m3Z4�ddl2m5Z6�ddl2m7Z8�ddl2m9Z:�ddl;m<Z=�ddl;m>Z?�ddl@mAZB�ddlCmDZE�ddlFmGZG�e�HeI�ZJe�KdejL�ZMdd ��ZNd!d"��ZOd#d$��ZPd%d&��ZQd'd(��ZRd)d*��ZSd+d,��ZTd-d.��ZUd/d0��ZVd1d2��ZWd3d4��ZXd5d6��ZYdS�)7z4Support for requesting and verifying OCSP responses.�����N)�datetime)�InvalidSignature)�default_backend)�DSAPublicKey)�ECDSA)�EllipticCurvePublicKey)�PKCS1v15)�RSAPublicKey)�SHA1)�Hash)�Encoding)�PublicFormat)�AuthorityInformationAccess)�ExtendedKeyUsage)�ExtensionNotFound)�
TLSFeature)�TLSFeatureType)�load_pem_x509_certificate)�OCSPCertStatus)�OCSPRequestBuilder)�OCSPResponseStatus)�load_der_ocsp_response)�AuthorityInformationAccessOID)�ExtendedKeyUsageOID)�post)�RequestException)�_csots9���-----BEGIN CERTIFICATE[^
]+.+?-----END CERTIFICATE[^
]+c�����������������C���sb���t�|�d��}|���}W�d����n1�sw���Y��g�}t��}t�t|�D�]
}|�t||���q$|S�)z0Parse the tlsCAFile into a list of certificates.�rbN)�open�read�_default_backend�_re�findall�_CERT_REGEX�append�_load_pem_x509_certificate)�cafile�f�data�trusted_ca_certs�backendZ	cert_data��r+����;/tmp/pip-target-onvjaxws/lib/python/pymongo/ocsp_support.py�_load_trusted_ca_certsA���s���
�r-���c�����������������C���sF���|�j�}|D�]}|j|kr|��S�q|r!|D�]}|j|kr |��S�qd�S��N)�issuer�subject)�cert�chainr)���Zissuer_name�	candidater+���r+���r,����_get_issuer_certN���s���
�
�r4���c�����������������C���s����z:t�|�t�r|��||t��|��W�dS�t�|�t�r!|��|||��W�dS�t�|�t�r2|��||t|���W�dS�|��||��W�dS��tyD���Y�dS�w�)Nr�������)�
isinstance�
_RSAPublicKey�verify�	_PKCS1v15�
_DSAPublicKey�_EllipticCurvePublicKey�_ECDSA�_InvalidSignature)�key�	signature�	algorithmr(���r+���r+���r,����_verify_signature_���s���
	
�
����rA���c�����������������C���s$���z|�j��|�W�S��ty���Y�d�S�w�r.���)�
extensionsZget_extension_for_class�_ExtensionNotFound)r1����klassr+���r+���r,����_get_extensionp���s
����rE���c�����������������C���sr���|�����}t|t�r|�tjtj�}nt|t�r |�tj	tj
�}n|�tjtj�}tt
��t��d�}|�|��|���S�)N)r*���)�
public_keyr6���r7����public_bytes�	_Encoding�DER�
_PublicFormatZPKCS1r;���ZX962ZUncompressedPointZSubjectPublicKeyInfo�_Hash�_SHA1r ����update�finalize)r1���rF���Zpbytes�digestr+���r+���r,����_public_key_hashw���s���


rP���c���������������������������fdd�|�D��S�)Nc��������������������s(���g�|�]}t�|��kr|j��jkr|�qS�r+���)rP���r/���r0�����.0r1����r/����responder_key_hashr+���r,����
<listcomp>����s����
�
��z*_get_certs_by_key_hash.<locals>.<listcomp>r+���)�certificatesr/���rU���r+���rT���r,����_get_certs_by_key_hash���������rX���c��������������������rQ���)Nc��������������������s&���g�|�]}|j��kr|j��j�kr|�qS�r+���)r0���r/���rR����r/����responder_namer+���r,���rV�������s�����
��z&_get_certs_by_name.<locals>.<listcomp>r+���)rW���r/���r[���r+���rZ���r,����_get_certs_by_name����rY���r\���c�����������
������C���s��|j�}|j}|j}|d�ur||�jks||krt�d��|�}nXt�d��|j}|j�d�ur7t||�|�}t�d��nt||�|�}t�d��|sKt�d��dS�|d�}t	|t
�}|r\tj|j
vrct�d��dS�t|����|j|j|j�svt�d��dS�t|���|j|j|j�}	|	s�t�d	��|	S�)
NzResponder is issuerzResponder is a delegatezUsing responder namezUsing key hashz%No matching or valid responder certs.r���z(Delegate not authorized for OCSP signingz&Delegate signature verification failedz&Response signature verification failed)r[���rU���Zissuer_key_hashr0����_LOGGER�debugrW���r\���rX���rE����_ExtendedKeyUsage�_ExtendedKeyUsageOIDZOCSP_SIGNING�valuerA���rF���r?���Zsignature_hash_algorithmZtbs_certificate_bytesZtbs_response_bytes)
r/����response�nameZ	rkey_hashZ	ikey_hashZresponder_cert�certsZresponder_certs�ext�retr+���r+���r,����_verify_response_signature����sL���






�
�
rg���c�����������������C���s���t���}|�|�|t���}|���S�r.���)�_OCSPRequestBuilderZadd_certificaterL����build)r1���r/���Zbuilderr+���r+���r,����_build_ocsp_request����s���rj���c�����������������C���s^���t��d��t|�|�}|sdS�t���}|j|krt��d��dS�|jr-|j|k�r-t��d��dS�dS�)NzVerifying responser���zthisUpdate is in the futureznextUpdate is in the pastr5���)r]���r^���rg����	_datetime�utcnowZthis_updateZnext_update)r/���rb����res�nowr+���r+���r,����_verify_response����s���




ro���c�����������	���
���C���s$��t�|�|�}z||�}t�d��W�|S��ty����tt�d�d�}zt||�t	j
�ddi|d�}W�n�tyJ�}�zt�d|��W�Y�d�}~Y�d�S�d�}~ww�|jdkrZt�d	|j��Y�d�S�t
|j�}t�d
|j��|jtjkroY�d�S�|j|jkr}t�d��Y�d�S�t||�s�Y�d�S�t�d��|||<�Y�|S�w�)
NzUsing cached OCSP response.����g����MbP?zContent-Typezapplication/ocsp-request)r(����headers�timeoutzHTTP request failed: %s�����zHTTP request returned %d�OCSP response status: %rz-Response serial number does not match requestzCaching OCSP response.)rj���r]���r^����KeyError�maxr���Zclamp_remaining�_postrG���rH���rI����_RequestException�status_code�_load_der_ocsp_response�content�response_status�_OCSPResponseStatus�
SUCCESSFULZ
serial_numberro���)	r1���r/����uri�ocsp_response_cacheZocsp_requestZ
ocsp_responserr���rb����excr+���r+���r,����_get_ocsp_response����sF���
$�

���





�r����c�����������������C���sN��|�����}|du�rt�d��dS�|���}t|�d�r|����}d}n|����}|j}|s/t�d��dS�dd��|D��}t|||�}d}t	|t
�}|dur[|jD�]}	|	tj
krZt�d	��d
}�nqJ|j}
|dkr�t�d��|rpt�d
��dS�|jszt�d��dS�t	|t�}|du�r�t�d��dS�dd��|jD��}|s�t�d��dS�|du�r�t�d��dS�t�d��|D�]-}t�d|��t||||
�}
|
du�r�q�t�d|
j��|
jtjkr��dS�|
jtjkr��dS�q�t�d��dS�t�d��|du�r�t�d��dS�t|�}
t�d|
j��|
jtjk�rdS�t||
��sdS�|
|
t||�<�t�d|
j��|
jtjk�r%dS�dS�)zCCallback for use with OpenSSL.SSL.Context.set_ocsp_client_callback.Nz
No peer cert?r����get_verified_chainzNo peer cert chain?c�����������������S���s���g�|�]}|�����qS�r+���)�to_cryptography)rS���Zcerr+���r+���r,���rV���&��s����z"_ocsp_callback.<locals>.<listcomp>Fz!Peer presented a must-staple certT�����z$Peer did not staple an OCSP responsez5Must-staple cert with no stapled response, hard fail.z.OCSP endpoint checking is disabled, soft fail.r5���z*No authority access information, soft failc�����������������S���s ���g�|�]}|j�tjkr|jj�qS�r+���)Z
access_method�_AuthorityInformationAccessOIDZOCSPZaccess_locationra���)rS���Zdescr+���r+���r,���rV���C��s����
��zNo OCSP URI, soft failzNo issuer cert?zRequesting OCSP dataz	Trying %szOCSP cert status: %rz)No definitive OCSP cert status, soft failzPeer stapled an OCSP responsert���)Zget_peer_certificater]���r^���r�����hasattrr����Zget_peer_cert_chainr)���r4���rE����_TLSFeaturera����_TLSFeatureTypeZstatus_requestr����Zcheck_ocsp_endpoint�_AuthorityInformationAccessr����Zcertificate_status�_OCSPCertStatusZGOODZREVOKEDrz���r|���r}���r~���ro���rj���)�connZ
ocsp_bytes�	user_datar1���r2���r)���r/���Zmust_staplere����featurer�����urisr���rb���r+���r+���r,����_ocsp_callback��s����






�




�


�


r����)Z�__doc__�loggingZ_logging�rer!���r���rk���Zcryptography.exceptionsr���r=���Zcryptography.hazmat.backendsr���r ���Z-cryptography.hazmat.primitives.asymmetric.dsar���r:���Z,cryptography.hazmat.primitives.asymmetric.ecr���r<���r���r;���Z1cryptography.hazmat.primitives.asymmetric.paddingr���r9���Z-cryptography.hazmat.primitives.asymmetric.rsar	���r7���Z%cryptography.hazmat.primitives.hashesr
���rL���r���rK���Z,cryptography.hazmat.primitives.serializationr���rH���r
���rJ���Zcryptography.x509r���r����r���r_���r���rC���r���r����r���r����r���r%���Zcryptography.x509.ocspr���r����r���rh���r���r}���r���rz���Zcryptography.x509.oidr���r����r���r`����requestsr���rw���Zrequests.exceptionsr���rx���Zpymongor����	getLogger�__name__r]����compile�DOTALLr#���r-���r4���rA���rE���rP���rX���r\���rg���rj���ro���r����r����r+���r+���r+���r,����<module>���s\���
�
6+