[Compiled Python bytecode dump (CPython 3.12 .pyc) of /var/lib/jenkins/workspace/mettalog/venv/lib/python3.12/site-packages/redis/ocsp.py; the source code itself is not recoverable from this page. Only the following names, docstrings and message strings survive in the dump, reproduced verbatim.]

Module imports visible in the dump: ssl, datetime, urllib.parse (urljoin, urlparse), cryptography (x509, hazmat backends, InvalidSignature, DSAPublicKey, ECDSA, EllipticCurvePublicKey, PKCS1v15, RSAPublicKey, SHA1, Hash, Encoding, PublicFormat, ocsp), redis exceptions (AuthorizationError, ConnectionError).

Functions and class visible in the dump:

_verify_response(issuer_cert, ocsp_response)
  Error string: "failed to valid ocsp response"

_check_certificate(issuer_cert, ocsp_bytes, validate)
  Docstring: "A wrapper the return the validity of a known ocsp certificate"
  Error strings: "you are not authorized to view this ocsp certificate"; "Received an ... ocsp certificate status"; "failed to retrieve a successful response from the ocsp responder"; "ocsp certificate was issued in the future"; "ocsp certificate has invalid update - in the past"; "no certificates found for the responder"; "delegate not autorized for ocsp signing"

_get_certificates(certs, issuer_cert, responder_name, issuer_hash)

_get_pubkey_hash(certificate)

ocsp_staple_verifier(con, ocsp_bytes, expected)
  Docstring: "An implementation of a function for set_ocsp_client_callback in PyOpenSSL. This function validates that the provide ocsp_bytes response is valid, and matches the expected, stapled responses."
  Error strings: "no ocsp response present"; "no matching issuer cert found in certificate chain"; "received and expected certificates do not match"

class OCSPVerifier
  Docstring: "A class to verify ssl sockets for RFC6960/RFC6961. This can be used when using direct validation of OCSP responses and certificate revocations. @see https://datatracker.ietf.org/doc/html/rfc6960 @see https://datatracker.ietf.org/doc/html/rfc6961"
  __init__(self, sock, host, port, ca_certs)
  _bin2ascii(self, der)
    Docstring: "Convert SSL certificates in a binary (DER) format to ASCII PEM."