o

����S�b�;����������������������@���s�
��d�Z�d
dl
Zd
dlZd
dlmZ
�d
dlmZ	
�d
dl
mZ
�d
dl
mZ
�d
dlmZ
�d
dlmZ
�d
d	lmZ
�d
d
lmZ
�d
dlmZ
�d
dlmZ
�d
d
l m!Z"
�d
dl m#Z$
�d
dl%m&Z'
�d
dl%m(Z)
�d
dl%m*Z+
�d
dl%m,Z-
�d
dl%m.Z/
�d
dl%m0Z1
�d
dl2m3Z4
�d
dl2m5Z6
�d
dl2m7Z8
�d
dl2m9Z:
�d
dl;m<Z=
�d
dl;m>Z?
�d
dl@mAZB
�d
dlCmDZE
�d
dlFmGZG
�e�HeI�
ZJe�KdejL�ZMdd ��ZNd!d"��ZOd#d$��ZPd%d&��ZQd'd(��ZRd)d*��ZSd+d,��ZTd-d.��ZUd/d0��ZVd1d2��ZWd3d4��ZXd5d6��ZYdS�)7z4Support for requesting and verifying OCSP responses.�����N)
�datetime)
�InvalidSignature)
�default_backend)
�DSAPublicKey)
�ECDSA)
�EllipticCurvePublicKey)
�PKCS1v15)
�RSAPublicKey)
�SHA1)
�Hash)
�Encoding)
�PublicFormat)
�AuthorityInformationAccess)
�ExtendedKeyUsage)
�ExtensionNotFound)
�
TLSFeature)
�TLSFeatureType)
�load_pem_x509_certificate)
�OCSPCertStatus)
�OCSPRequestBuilder)
�OCSPResponseStatus)
�load_der_ocsp_response)
�AuthorityInformationAccessOID)
�ExtendedKeyUsageOID)
�post)
�RequestException)
�_csots9���-----BEGIN CERTIFICATE[^
]+.+?-----END CERTIFICATE[^
]+c
�����������������C���sb���t�|�d
��}
|
�
��}W�d���
�n1�sw

�
�
�Y�
�g�}t��}t�t|�D�]
}|�t||��

�q$|S�)z0Parse the tlsCAFile into a list of certificates.�rbN)�open�read�_default_backend�_re�findall�_CERT_REGEX�append�_load_pem_x509_certificate)�cafile�
f�data�trusted_ca_certs�backendZ	cert_data��r+����;/tmp/pip-target-onvjaxws/lib/python/pymongo/ocsp_support.py�_load_trusted_ca_certsA���s���

�



r-���c�����������������C���sF���|�j�}|
D�]}|j
|kr|�
�S�q|r!|D�]}|j
|kr |�
�S�qd�S��
N)�issuer�subject)�cert�chainr)���Zissuer_name�	candidater+���r+���r,����_get_issuer_certN���s���




�



�r4���c�����������������C���s����z:t�|�t
�r|��|
|t��|�
�W�dS�t�|�t�r!|��|
||�
�W�dS�t�|�t�r2|��|
|t|�
�
�W�dS�|��|
|�
�W�dS��tyD
�
�
�Y�d
S�w�)Nr
����
���)�
isinstance�
_RSAPublicKey�verify�	_PKCS1v15�
_DSAPublicKey�_EllipticCurvePublicKey�_ECDSA�_InvalidSignature)�key�	signature�	algorithmr(���r+���r+���r,����_verify_signature_���s���


	
�

�
��
�rA���c�����������������C���s$���z|�j��
|
�
W�S��ty
�
�
�Y�d�S�w�r.���)�
extensionsZget_extension_for_class�_ExtensionNotFound)r1����klassr+���r+���r,����_get_extensionp���s
���



�rE���c
�����������������C���sr���|�����}
t
|
t�r|
�tjtj�}nt
|
t�r |
�tj	tj
�}n|
�tjtj�}tt
��t��d
�}|�|�

�|���S�)N)
r*���)�
public_keyr6���r7����public_bytes�	_Encoding�DER�
_PublicFormatZPKCS1r;���ZX962ZUncompressedPointZSubjectPublicKeyInfo�_Hash�_SHA1r ����update�finalize)r1���rF���Zpbytes�digestr+���r+���r,����_public_key_hashw���s���









rP���c���������������������������
fd
d�|�D��
S�)Nc
��������������������s(���g�|�]}
t�|
�
�
kr|
j
��jkr|
�qS�r+���)rP���r/���r0�����.0r1����r/����responder_key_hashr+���r,����
<listcomp>����s����

�
�
�z*_get_certs_by_key_hash.<locals>.<listcomp>r+���)�certificatesr/���rU���r+���rT���r,����_get_certs_by_key_hash��������
�rX���c��������������������rQ���)Nc
��������������������s&���g�|�]}
|
j��
kr|
j
��j�kr|
�qS�r+���)r0���r/���rR����r/����responder_namer+���r,���rV�������s����
�
�
�z&_get_certs_by_name.<locals>.<listcomp>r+���)rW���r/���r[���r+���rZ���r,����_get_certs_by_name����rY���r\���c�����������
������C���s
��|
j�}|
j
}|
j}|d�u
r||�jks||krt�d
�

�|�}nXt�d�

�|
j}|
j�d�u
r7t||�|�}t�d�

�nt||�|�}t�d�

�|sKt�d�

�dS�|d�}t	|t
�}|r\tj|j
v
rct�d�

�dS�t|����|j|j|j�svt�d�

�dS�t|���|
j|
j|
j�}	|	s�t�d	�

�|	S�)
NzResponder is issuerzResponder is a delegatezUsing responder namezUsing key hashz%No matching or valid responder certs.r
���z(Delegate not authorized for OCSP signingz&Delegate signature verification failedz&Response signature verification failed)r[���rU���Zissuer_key_hashr0����_LOGGER�debugrW���r\���rX���rE����_ExtendedKeyUsage�_ExtendedKeyUsageOIDZOCSP_SIGNING�valuerA���rF���r?���Zsignature_hash_algorithmZtbs_certificate_bytesZtbs_response_bytes)
r/����response�nameZ	rkey_hashZ	ikey_hashZresponder_cert�certsZresponder_certs�ext�retr+���r+���r,����_verify_response_signature����sL���

























�





�


rg���c�����������������C���s���t���}|�
|�|
t���}|���S�r.���)�_OCSPRequestBuilderZadd_certificaterL����build)r1���r/���Zbuilderr+���r+���r,����_build_ocsp_request����s���

rj���c�����������������C���s^���t��
d
�

�t|�|
�}|sdS�t���}|
j|krt��
d�

�dS�|
jr-|
j|k�r-t��
d�

�dS�dS�)NzVerifying responser
���zthisUpdate is in the futureznextUpdate is in the pastr5���)r]���r^���rg����	_datetime�utcnowZthis_updateZnext_update)r/���rb����res�nowr+���r+���r,����_verify_response����s���












ro���c�����������	���
���C���s$
��t�|�|
�}z||�}t
�d
�

�W�|S��ty�
�
�
�tt�d�
d�}zt||�t	j
�
ddi
|d�}W�n�tyJ
�}
�zt
�d|�
�W�Y�d�}~Y�d�S�d�}~w
w�|jdkrZt
�d	|j�
�Y�d�S�t
|j�
}t
�d
|j�
�|jtjkroY�d�S�|j|jkr}t
�d�

�Y�d�S�t|
|�s�Y�d�S�t
�d�

�|||<�Y�|S�w�)
NzUsing cached OCSP response.����g����MbP?zContent-Typezapplication/ocsp-request)r(����headers�timeoutzHTTP request failed: %s�����zHTTP request returned %d�OCSP response status: %rz-Response serial number does not match requestzCaching OCSP response.)rj���r]���r^����KeyError�maxr���Zclamp_remaining�_postrG���rH���rI����_RequestException�status_code�_load_der_ocsp_response�content�response_status�_OCSPResponseStatus�
SUCCESSFULZ
serial_numberro���)	r1���r/����uri�ocsp_response_cacheZocsp_requestZ
ocsp_responserr���rb����excr+���r+���r,����_get_ocsp_response����sF���




$�







�

��
















�r����c�����������������C���sN��|�����}|d
u�rt
�d�

�dS�|���}t|�d�r|����}d
}n|����}|j}|s/t
�d�

�dS�dd��|D��
}t|||�}d}t	|t
�}|d
u
r[|jD�]}	|	tj
krZt
�d	�

�d
}
�n
qJ|j}
|
dkr�t
�d�

�|rpt
�d
�

�dS�|jszt
�d�

�dS�t	|t�}|d
u�r�t
�d�

�dS�dd��|jD��
}|s�t
�d�

�dS�|d
u�r�t
�d�

�dS�t
�d�

�|D�]-}t
�d|�
�t||||
�}
|
d
u�r�q�t
�d|
j�
�|
jtjkr�
�dS�|
jtjkr�
�dS�q�t
�d�

�dS�t
�d�

�|d
u�r�t
�d�

�dS�t|
�
}
t
�d|
j�
�|
jtjk�
rdS�t||
��
sdS�|
|
t||�<�t
�d|
j�
�|
jtjk�
r%dS�dS�)zCCallback for use with OpenSSL.SSL.Context.set_ocsp_client_callback.Nz
No peer cert?r
����get_verified_chainzNo peer cert chain?c
�����������������S���s���g�|�]}
|
�����qS�r+���)
�to_cryptography)rS���Zcerr+���r+���r,���rV���&
��s����z"_ocsp_callback.<locals>.<listcomp>Fz!Peer presented a must-staple certT�����z$Peer did not staple an OCSP responsez5Must-staple cert with no stapled response, hard fail.z.OCSP endpoint checking is disabled, soft fail.r5���z*No authority access information, soft failc
�����������������S���s ���g�|�]}
|
j�t
jkr|
jj�qS�r+���)Z
access_method�_AuthorityInformationAccessOIDZOCSPZaccess_locationra���)rS���Zdescr+���r+���r,���rV���C
��s����

�
�zNo OCSP URI, soft failzNo issuer cert?zRequesting OCSP dataz	Trying %szOCSP cert status: %rz)No definitive OCSP cert status, soft failzPeer stapled an OCSP responsert���)Zget_peer_certificater]���r^���r�����hasattrr����Zget_peer_cert_chainr)���r4���rE����_TLSFeaturera����_TLSFeatureTypeZstatus_requestr����Zcheck_ocsp_endpoint�_AuthorityInformationAccessr����Zcertificate_status�_OCSPCertStatusZGOODZREVOKEDrz���r|���r}���r~���ro���rj���)�connZ
ocsp_bytes�	user_datar1���r2���r)���r/���Zmust_staplere����featurer�����urisr���rb���r+���r+���r,����_ocsp_callback
��s����

























�













�















�















r����)Z�__doc__�loggingZ_logging�rer!���r���rk���Zcryptography.exceptionsr���r=���Zcryptography.hazmat.backendsr���r ���Z-cryptography.hazmat.primitives.asymmetric.dsar���r:���Z,cryptography.hazmat.primitives.asymmetric.ecr���r<���r���r;���Z1cryptography.hazmat.primitives.asymmetric.paddingr���r9���Z-cryptography.hazmat.primitives.asymmetric.rsar	���r7���Z%cryptography.hazmat.primitives.hashesr
���rL���r���rK���Z,cryptography.hazmat.primitives.serializationr���rH���r
���rJ���Zcryptography.x509r���r����r���r_���r���rC���r���r����r���r����r���r%���Zcryptography.x509.ocspr���r����r���rh���r���r}���r���rz���Zcryptography.x509.oidr���r����r���r`����requestsr���rw���Zrequests.exceptionsr���rx���Zpymongor����	getLogger�__name__r]����compile�DOTALLr#���r-���r4���rA���rE���rP���rX���r\���rg���rj���ro���r����r����r+���r+���r+���r,����<module>
���s\���

























�
6+