[Compiled Python bytecode (.pyc) of pymongo/ocsp_support.py, built from /tmp/pip-target-onvjaxws/lib/python/pymongo/ocsp_support.py; the binary body is not recoverable as text. Readable strings in the dump: module docstring "Support for requesting and verifying OCSP responses."; imports from cryptography (hazmat backends, DSA/EC/RSA public keys, PKCS1v15, ECDSA, SHA1, serialization, x509 and x509.ocsp, x509.oid), requests (post, RequestException) and pymongo._csot; a module-level regex matching PEM "BEGIN CERTIFICATE ... END CERTIFICATE" blocks; and the helper functions _load_trusted_ca_certs ("Parse the tlsCAFile into a list of certificates."), _get_issuer_cert, _verify_signature, _get_extension, _public_key_hash, _get_certs_by_key_hash, _get_certs_by_name, _verify_response_signature, _build_ocsp_request, _verify_response, _get_ocsp_response and _ocsp_callback ("Callback for use with OpenSSL.SSL.Context.set_ocsp_client_callback."). Log strings present include "Responder is issuer", "Responder is a delegate", "Delegate not authorized for OCSP signing", "thisUpdate is in the future", "nextUpdate is in the past", "Peer presented a must-staple cert", "Must-staple cert with no stapled response, hard fail.", "OCSP endpoint checking is disabled, soft fail.", "No OCSP URI, soft fail", "No definitive OCSP cert status, soft fail" and "Caching OCSP response.".]