HOME


Mini Shell 1.0
DIR: /snap/certbot/current/lib64/python3.12/site-packages/certbot/__pycache__/
Upload File :
Current File : //snap/certbot/current/lib64/python3.12/site-packages/certbot/__pycache__/ocsp.cpython-312.pyc
�


N�g�:�
���dZddlmZddlmZddlZddlZddlZddlmZddlmZddlm	Z	ddl
mZdd	lm
Z
dd
lmZddlmZddlmZdd
lmZddlmZddlZddlZddlmZddlmZddlmZddlmZddlmZej@e!�Z"Gd�d�Z#de$de	ee$ee$ffd�Z%de$de$de$de&de'f
d�Z(dddd d!ejRde$ddf
d"�Z*ddd!ejRde$ddfd#�Z+de$d$e$d%e$de'fd&�Z,y)'z*Tools for checking certificate revocation.�)�datetime)�	timedeltaN)�PIPE)�Optional)�Tuple)�x509)�InvalidSignature)�UnsupportedAlgorithm)�default_backend)�hashes)�
serialization)�ocsp)�crypto_util)�errors)�util)�getenv)�
RenewableCertc�l�eZdZdZddeddfd�Zdedefd�Zdded	ed
e	defd�Z
ded	eded
ed
e	defd�Zy)�RevocationCheckerzEThis class figures out OCSP checking on this system, and performs it.�enforce_openssl_binary_usage�returnNc	�J�d|_||_|jr�tjd�stjd�d|_yt
jgd�ttddtj���}d|jvr	d�|_yd	�|_yy)
NF�opensslz-openssl not installed, can't check revocationT)rr�-header�var�val)�stdout�stderr�universal_newlines�check�envz	Missing =c��d|zgS)NzHost=���hosts �|/build/snapcraft-certbot-2c33630aaf29c47357e5a1683f659d3d/parts/certbot/install/lib/python3.12/site-packages/certbot/ocsp.py�<lambda>z,RevocationChecker.__init__.<locals>.<lambda>0s
��w��~�.>��c�
�d|gS)N�Hostr#r$s r&r'z,RevocationChecker.__init__.<locals>.<lambda>2s
��v�t�n�r()�broken�use_openssl_binaryr�
exe_exists�logger�info�
subprocess�runr�env_no_snap_for_external_callsr�	host_args)�selfr�test_host_formats   r&�__init__zRevocationChecker.__init__!s������">����"�"��?�?�9�-����K�L�"���� *�~�~�.Z�,0��RV�+0�d�6Y�6Y�6[� ]���.�5�5�5�!>���!<���#r(�certc�N�|j|j|j�S)a Get revoked status for a particular cert version.

        .. todo:: Make this a non-blocking call

        :param `.interfaces.RenewableCert` cert: Certificate object
        :returns: True if revoked; False if valid or the check failed or cert is expired.
        :rtype: bool

        )�ocsp_revoked_by_paths�	cert_path�
chain_path)r4r7s  r&�ocsp_revokedzRevocationChecker.ocsp_revoked4s���)�)�$�.�.�$�/�/�J�Jr(r:r;�timeoutc��|jrytjtj�}tj|�|kryt|�\}}|r|sy|jr|j|||||�St||||�S)aEPerforms the OCSP revocation check

        :param str cert_path: Certificate filepath
        :param str chain_path: Certificate chain
        :param int timeout: Timeout (in seconds) for the OCSP query

        :returns: True if revoked; False if valid or the check failed or cert is expired.
        :rtype: bool

        F)r+r�now�pytz�UTCr�notAfter�_determine_ocsp_serverr,�_check_ocsp_openssl_bin�_check_ocsp_cryptography)r4r:r;r=r?�urlr%s       r&r9z'RevocationChecker.ocsp_revoked_by_paths@s����;�;��
�l�l�4�8�8�$�����	�*�c�1��*�9�5�	��T��3���"�"��/�/�	�:�t�S�RY�Z�Z�'�	�:�s�G�L�Lr(r%rFc�:�td�}td�}d}|�|�|�|n|}|�d|g}	n%|jd�r|td�d}d|d|g}	ddd	d
|d|d|d
|ddt|�dg|j	|�z|	z}
t
j
d|�t
j
dj|
��	tj|
t
j��\}}t|||�S#tj$rt
jd|�YywxYw)N�
http_proxy�
HTTP_PROXYz-urlzhttp://z-hostz-pathrrz	-no_noncez-issuerz-certz-CAfilez
-verify_otherz-trust_otherz-timeoutrzQuerying OCSP for %s� )�log�*OCSP check failed for %s (are we offline?)F)r�
startswith�len�strr3r.�debug�joinr�
run_scriptr�SubprocessErrorr/�_translate_ocsp_query)
r4r:r;r%rFr=�env_http_proxy�env_HTTP_PROXY�
proxy_host�url_opts�cmd�output�errs
             r&rDz)RevocationChecker._check_ocsp_openssl_bin]s:�� ��-����-���
��%��)C�+9�+E��>�J�����}�H��$�$�Y�/�'��I���8�
���W�c�:�H��&���*��	��*��
���3�w�<���!�N�N�4�0�1�4<�<��	���+�Y�7����S�X�X�c�]�#�	��/�/�#�6�<�<�@�K�F�C�%�Y���<�<���%�%�	��K�K�D�i�P��	�s�9(C.�.)D�D)F)�
)�__name__�
__module__�__qualname__�__doc__�boolr6rr<rO�intr9rDr#r(r&rrs���O�=�T�=�d�=�&
K��
K�4�
K�M�s�M��M�c�M�[_�M�:#=��#=�#�#=�&)�#=�03�#=�>A�#=�FJ�#=r(rr:rc��t|d�5}tj|j�t	��}ddd�	j
j
tj�}tjj}|jD�cgc]}|j|k(r|��}}|djj}|j#�}|j%d�dj#d�}|r||fStj!d	||�y#1swY��xYwcc}w#tjtf$rtj!d|�YywxYw)
z�Extract the OCSP server host from a certificate.

    :param str cert_path: Path to the cert we're checking OCSP for
    :rtype tuple:
    :returns: (OCSP server URL or None, OCSP server host or None)

    �rbNrzCannot extract OCSP URI from %s)NNz://��/z;Cannot process OCSP host from URL (%s) in certificate at %s)�openr�load_pem_x509_certificate�readr�
extensions�get_extension_for_class�AuthorityInformationAccess�AuthorityInformationAccessOID�OCSP�value�
access_method�access_location�ExtensionNotFound�
IndexErrorr.r/�rstrip�	partition)	r:�file_handlerr7�	extension�ocsp_oid�description�descriptionsrFr%s	         r&rCrC�s?��
�i��	�V�,��-�-�l�.?�.?�.A�?�CT�U��V�	��O�O�;�;�D�<[�<[�\�	��5�5�:�:��7@���B��&�4�4��@�$�B��B��1�o�-�-�3�3��
�*�*�,�C��=�=����"�)�)�#�.�D���D�y��
�K�K�M�s�T]�^��'V�V��
B��
�"�"�J�/�����5�y�A���s0�-D�AD)�D$�,D)�D!�$D)�)/E�Er;rFr=c�(�t|d�5}tj|j�t	��}ddd�t|d�5}tj|j�t	��}ddd�tj�}|jtj��}|j�}|jtjj�}		tj ||	ddi|��}
|
j*d	k7r"t&j)d
||
j*�ytj,|
j.�}|j0t
j2j4k7r"t&j7d||j0�y	t9||||�t&j;d||j<�|j<t
j>j@k(S#1swY���xYw#1swY���xYw#tj"j$$rt&j)d|d��YywxYw#tB$r(}t&j7tE|��Yd}~yd}~wtFjH$r(}t&j7tE|��Yd}~yd}~wtJ$rt&j7d
|�YytL$r*}
t&j7d|tE|
��Yd}
~
yd}
~
wwxYw)NrdzContent-Typezapplication/ocsp-request)�data�headersr=rLT)�exc_infoF��z*OCSP check failed for %s (HTTP status: %d)z'Invalid OCSP response status for %s: %sz%OCSP certificate status for %s is: %sz)Invalid signature on OCSP response for %sz!Invalid OCSP response for %s: %s.)'rgrrhrirr�OCSPRequestBuilder�add_certificater�SHA1�build�public_bytesr
�Encoding�DER�requests�post�
exceptions�RequestExceptionr.r/�status_code�load_der_ocsp_response�content�response_status�OCSPResponseStatus�
SUCCESSFUL�warning�_check_ocsp_responserP�certificate_status�OCSPCertStatus�REVOKEDr
rOr�Errorr	�AssertionError)r:r;rFr=rv�issuerr7�builder�request�request_binary�response�
response_ocsp�e�errors              r&rErE�s���	
�j�$�	�X�<��/�/��0A�0A�0C�_�EV�W��X�	
�i��	�V�,��-�-�l�.?�.?�.A�?�CT�U��V��%�%�'�G��%�%�d�F�F�K�K�M�B�G��m�m�o�G��)�)�-�*@�*@�*D�*D�E�N���=�=��>�*8�:T�)U�)0�2�����s�"����@�)�X�Ma�Ma�b���/�/��0@�0@�A�M��$�$��(?�(?�(J�(J�J����@��
� =� =�	?��O��]�G�V�Y�G�	���<��
� @� @�	B��/�/�4�3F�3F�3N�3N�N�N�UX�X��V�V�����/�/�����@�)�VZ��[����$ �����s�1�v������<�<�����s�1�v������O����B�I�N���S����:�I�s�5�z�R�R���S�s_�-H�-H�6H�+I�H�H�5I�I�	L�J�L�J;�;"L�L�' L�Lr�zocsp.OCSPResponse�request_ocspzocsp.OCSPRequest�issuer_certc�\�|j|jk7rtd��t|||�t|jt|j��r2|j|jk7s|j|jk7rtd��tjtj�}|jstd��|j|td��zkDrtd��|jr(|j|td��z
krtd��yy)	z2Verify that the OCSP is valid for several criteriazMthe certificate in response does not correspond to the certificate in requestz<the issuer does not correspond to issuer of the certificate.zparam thisUpdate is not set.�)�minutesz"param thisUpdate is in the future.z param nextUpdate is in the past.N)�
serial_numberr��_check_ocsp_response_signature�
isinstance�hash_algorithm�type�issuer_key_hash�issuer_name_hashrr?r@rA�this_update_utcr�next_update_utc)r�r�r�r:r?s     r&r�r��s���"�"�l�&@�&@�@��=�>�	>�#�=�+�y�I�
�}�3�3�T�,�:U�:U�5V�W��,�,��0L�0L�L��-�-��1N�1N�N��[�\�\��,�,�t�x�x�
 �C��(�(��;�<�<��$�$�s�Y�q�-A�'A�A��A�B�B��$�$��)F�)F��y�ab�Oc�Ic�)c��?�@�@�*d�$r(c�B�dtjdtfd�}|j|jk(s|j
||�k(rtjd|�|}�nDtjd|�|jD�cgc]2}|j|jk(s|j
||�k(r|��4}}|std��|d}|j|jk7rtd��	|jjtj�}tjjj |j"v}|std
��|j(}	|	sJ�t+j,|j/�|j0|j2|	�|j(}
|
std��t+j,|j/�|j0|j4|
�ycc}w#tj$t&f$rd	}Y��wxYw)
zIVerify an OCSP response signature against certificate issuer or responderr7rc�p�tjj|j��jS)N)r�SubjectKeyIdentifier�from_public_key�
public_key�digest)r7s r&�	_key_hashz1_check_ocsp_response_signature.<locals>._key_hash�s&���(�(�8�8����9J�K�R�R�Rr(zGOCSP response for certificate %s is signed by the certificate's issuer.zGOCSP response for certificate %s is delegated to an external responder.z0no matching responder certificate could be foundrz?responder certificate is not signed by the certificate's issuerFz<responder is not authorized by issuer to sign OCSP responsesz#no signature hash algorithm definedN)r�Certificate�bytes�responder_name�subject�responder_key_hashr.rP�certificatesr�r�rjrk�ExtendedKeyUsage�oid�ExtendedKeyUsageOID�OCSP_SIGNINGrorrrs�signature_hash_algorithmr�verify_signed_payloadr��	signature�tbs_certificate_bytes�tbs_response_bytes)r�r�r:r��responder_certr7�responder_certsrw�delegate_authorized�chosen_cert_hash�chosen_response_hashs           r&r�r��s��S��(�(�S�U�S�	�$�$��(;�(;�;��/�/�9�[�3I�I����_��	 �$��	���^��	 �-:�,F�,F�S�D�+�:�:�d�l�l�J�+�>�>�)�D�/�Q� �S��S�� �!S�T�T�
)��+��� � �K�$7�$7�7� �"@�A�
A�	(�&�1�1�I�I�$�J_�J_�`�I�"&�(�(�">�">�"K�"K�y���"^��#� �!_�`�`�*�B�B�����	�)�)�+�*@�*@�*B�N�D\�D\�*8�*N�*N�P`�	b�)�A�A�� ��B�C�C��%�%�n�&?�&?�&A�=�CZ�CZ�&3�&F�&F�H\�^��KS��$�&�&�
�3�	(�"'��	(�s�7G;�7AH�H�H�ocsp_output�ocsp_errorsc���d}|D�cgc]}dj||���}}�fd�|D�\}}}|r|jd�nd}	d|vs|r|	s|r.tjd|�tj	d�|�y	|r|	sy	|r*|jd�}	|	rtjd
|	�ytjd�|�y	cc}w)
z7Parse openssl's weird output to work out what it means.)�good�revoked�unknownz{0}: (WARNING.*)?{1}c3�j�K�|]*}tj|�tj�����,y�w))�flagsN)�re�search�DOTALL)�.0�pr�s  �r&�	<genexpr>z(_translate_ocsp_query.<locals>.<genexpr>5s%�����[�Q�b�i�i��;�b�i�i�H�H�[�s�03�NzResponse verify OKz#Revocation status for %s is unknownzUncertain output:
%s
stderr:
%sFzOCSP revocation warning: %sTz2Unable to properly parse OCSP output: %s
stderr:%s)�format�groupr.r/rPr�)
r:r�r��states�s�patternsr�r�r�r�s
 `        r&rTrT0s����,�F�FL�M��'�.�.�y�!�<�M�H�M�[�RZ�[��D�'�7�#�d�j�j��m��G��K�/�T�g�'����9�9�E����9�;��T��	
�g��	��-�-��"����K�K�5�w�?�����L�"�K�	1���'Ns�C)-r`rr�loggingr�r0r�typingrr�cryptographyr�cryptography.exceptionsr	r
�cryptography.hazmat.backendsr�cryptography.hazmat.primitivesrr
�cryptography.x509rr@r��certbotrrr�certbot.compat.osr�certbot.interfacesr�	getLoggerr]r.rrOrCrbrarEr�r�r�rTr#r(r&�<module>r�sF��0����	������4�8�8�1�8�"������$�,�	��	�	�8�	$��b=�b=�J�c��e�H�S�M�8�C�=�4P�.Q��<.��.��.�3�.�QT�.�Y]�.�b!A�(;�!A�K]�!A�&*�&6�&6�!A�CF�!A�KO�!A�H7^�2E�7^�04�0@�0@�7^�MP�7^�UY�7^�t�S��s����QU�r(