hw8dZddlZddlZddlmZddlmZ ddl m Z ddl mZddlmZmZddlmZdd lmZdd lmZmZdd l m!Z"m#Z$dd l%m&Z'm(Z)m*Z+m,Z-m.Z/m0Z1dd l2m3Z4m5Z6ddl7m8Z9m:Z;mZ?ddl@mAZBddlCmDZEejeGZHejdejZKdZLdZMdZNdZOdZPdZQdZRdZSdZTdZUdZVdZWy)z4Support for requesting and verifying OCSP responses.N)datetime)InvalidSignature)default_backend) DSAPublicKey)ECDSAEllipticCurvePublicKey)PKCS1v15) RSAPublicKey)HashSHA1)Encoding PublicFormat)AuthorityInformationAccessExtendedKeyUsageExtensionNotFoundload_pem_x509_certificate TLSFeatureTLSFeatureType)AuthorityInformationAccessOIDExtendedKeyUsageOID)load_der_ocsp_responseOCSPCertStatusOCSPRequestBuilderOCSPResponseStatus)post)RequestExceptions9-----BEGIN CERTIFICATE[^ ]+.+?-----END CERTIFICATE[^ ]+ct|d5}|j}dddg}t}tjt D]}|j t|||S#1swYQxYw)z0Parse the tlsCAFile into a list of certificates.rbN)openread_default_backend_refindall _CERT_REGEXappend_load_pem_x509_certificate)cafilefdatatrusted_ca_certsbackend cert_datas W/var/www/html/ranktracker/api/venv/lib/python3.12/site-packages/pymongo/ocsp_support.py_load_trusted_ca_certsr.Esx fd qvvx G[[d3<  &y' : << s A..A7c|j}|D]}|j|k(s|cS|r|D]}|j|k(s|cSyN)issuersubject)certchainr* issuer_name candidates r-_get_issuer_certr7Ss[++K    + ) !I  K/   ! cF t|tr|j||t|yt|tr|j|||yt|t r|j||t |y|j|| y#t$rYywxYw)Nr) isinstance _RSAPublicKeyverify _PKCS1v15 _DSAPublicKey_EllipticCurvePublicKey_ECDSA_InvalidSignature)key signature algorithmr)s r-_verify_signaturerFds  c= ) JJy$ Y ? ] + JJy$ 2 4 5 JJy$y(9 :  JJy$ '  s",B#B,BB B B cX |jj|S#t$rYywxYwr0) extensionsget_extension_for_class_ExtensionNotFound)r3klasss r-_get_extensionrLus.66u== s  ))c|j}t|tr/|jtj t j}nmt|tr/|jtjt j}n.|jtj t j}ttt}|j||j!S)N)r+) public_keyr;r< public_bytes _EncodingDER _PublicFormatPKCS1r@X962UncompressedPointSubjectPublicKeyInfo_Hash_SHA1r!updatefinalize)r3rNpbytesdigests r-_public_key_hashr]|s"J *m,(( MM=..0 J 7 8(( NNM;;=(( MM===? 57$4$6 7F MM& ?? r8cz|Dcgc]+}t||k(r|j|jk(r|-c}Scc}wr0)r]r1r2) certificatesr1responder_key_hashr3s r-_get_certs_by_key_hashras@% ' D !%7 7 v~~%  '' 's08c||Dcgc],}|j|k(r|j|jk(r|.c}Scc}wr0)r2r1)r_r1responder_namer3s r-_get_certs_by_namerds>% ' <<> ) v~~%  '' 's19c|j}|j}|j}|||jk(s||k(rtj d|}n#tj d|j }|j#t|||}tj dn"t|||}tj d|stj dy|d}t|t}|rtj|jvrtj dyt|j|j |j"|j$stj dyt|j|j |j"|j&} | stj d | S) NzResponder is issuerzResponder is a delegatezUsing responder namezUsing key hashz%No matching or valid responder certs.rz(Delegate not authorized for OCSP signingz&Delegate signature verification failedz&Response signature verification failed)rcr`issuer_key_hashr2_LOGGERdebugr_rdrarL_ExtendedKeyUsage_ExtendedKeyUsageOID OCSP_SIGNINGvaluerFrNrDsignature_hash_algorithmtbs_certificate_bytestbs_response_bytes) r1responsename rkey_hash ikey_hashresponder_certcertsresponder_certsextrets r-_verify_response_signaturerys  " "D++I((I DFNN2i96L +, /0%%  " " .0EO MM0 14UFINO MM* + MMA B)+^->?*77syyH MMD E !!#((7744 6 MMB C !!#))##  %C  >? Jr8clt}|j||t}|jSr0)_OCSPRequestBuilderadd_certificaterXbuild)r3r1builders r-_build_ocsp_requestrs,!#G%%dFEG t ||j t jddid}n-#t$r!}tjd|Yd}~Yyd}~wwxYw|jdk7r"tjd|jYyt|j}tjd |j|jtjk7rYy|j|jk7rtjd Yyt!||sYytjd |||<Y|SwxYw) NzUsing cached OCSP response.z Content-Typezapplication/ocsp-request)r)headerstimeoutzHTTP request failed: %szHTTP request returned %dOCSP response status: %rz-Response serial number does not match requestzCaching OCSP response.)rrgrhKeyError_postrOrPrQ_RequestException status_code_load_der_ocsp_responsecontentresponse_status_OCSPResponseStatus SUCCESSFUL serial_numberr)r3r1uriocsp_response_cache ocsp_request ocsp_responserpexcs r-_get_ocsp_responsersQ&tV4L :+L9  34@ ? : !..y}}=')CD H !  MM3S 9    3 & MM4h6J6J K/0@0@A  & (E(E G  ( (,?,J,J J  & &,*D*D D MMI J 6 ./,9L) ?:sQ* E2.A$#E2$ B-B E2 B2E2AE2.E2 E2E21E2c|j}|tjdy|j}|j }|stjdy|Dcgc]}|j}}t |||j }d}t|t}|=|jD].} | tjk(stjdd}n|j} |dk(rtjd|rtjd y|jstjd y t|t}|tjd y |jD cgc]5} | jt j"k(r| j$j7} } | stjd y |tjdytjd| D]} tjd| t'||| | }|*tjd|j(|j(t*j,k(ry |j(t*j.k(sytjdy tjd|tjdyt1|}tjd|j2|j2t4j6k7ryt9||sy|| t;||<tjd|j(|j(t*j.k(ryy cc}wcc} w)zCCallback for use with OpenSSL.SSL.Context.set_ocsp_client_callback.z No peer cert?rzNo peer cert chain?Fz!Peer presented a must-staple certTr8z$Peer did not staple an OCSP responsez5Must-staple cert with no stapled response, hard fail.z.OCSP endpoint checking is disabled, soft fail.r:z*No authority access information, soft failzNo OCSP URI, soft failzNo issuer cert?zRequesting OCSP dataz Trying %szOCSP cert status: %rz)No definitive OCSP cert status, soft failzPeer stapled an OCSP responser)get_peer_certificatergrhto_cryptographyget_peer_cert_chainr7r*rL _TLSFeaturerl_TLSFeatureTypestatus_requestrcheck_ocsp_endpoint_AuthorityInformationAccess access_method_AuthorityInformationAccessOIDOCSPaccess_locationrcertificate_status_OCSPCertStatusGOODREVOKEDrrrrrr)conn ocsp_bytes user_datar3r4cerr1 must_staplerwfeaturerdescurisrrps r-_ocsp_callbackrs   $ $ &D | o&    !D  $ $ &E  +,.3 4sS " 4E 4 dE9+E+E FFK { +C yy G/888 AB"    $77S <=  MMQ R,, MMJ KT#>? ; MMF GIIN%%)G)L)LL$$**NN MM2 3 > MM+ , ,- C MM+s +)fc#68H MM0(2M2M N**o.B.BB**o.E.EE   AB MM12 ~ '(&z2H MM"H$<$<>#6#A#AA FH -=E+D&9: MM((*E*EF""o&=&== ] 5:Ns %M1=:M6)X__doc__logging_loggingrer"rrcryptography.exceptionsrrBcryptography.hazmat.backendsrr!-cryptography.hazmat.primitives.asymmetric.dsarr?,cryptography.hazmat.primitives.asymmetric.ecrrArr@1cryptography.hazmat.primitives.asymmetric.paddingr r>-cryptography.hazmat.primitives.asymmetric.rsar r<%cryptography.hazmat.primitives.hashesr rWr rX,cryptography.hazmat.primitives.serializationr rPrrRcryptography.x509rrrrirrJrr&rrrrcryptography.x509.oidrrrrjcryptography.x509.ocsprrrrrr{rrrequestsrrrequests.exceptionsrr getLogger__name__rgcompileDOTALLr$r.r7rFrLr]rardryrrrrr8r-rs;*IL#7##''1// #E (  X &ckkDJJ " "(''1h *$NY r8