
Current File : //lib/python3.6/site-packages/certbot/__pycache__/ocsp.cpython-36.pyc

3

گa�:�@s�dZddlmZddlmZddlZddlZddlZddlmZddlmZddlm	Z	ddl
mZdd	lm
Z
dd
lmZddlmZddlmZdd
lmZddlmZddlZddlZddlmZddlmZddlmZddlmZddlmZej e!�Z"Gdd�d�Z#e$e	ee$ee$fd�dd�Z%e$e$e$e&e'd�dd�Z(ddej)e$dd�dd �Z*dej)e$dd!�d"d#�Z+e$e$e$e'd$�d%d&�Z,dS)'z*Tools for checking certificate revocation.�)�datetime)�	timedeltaN)�PIPE)�Optional)�Tuple)�x509)�InvalidSignature)�UnsupportedAlgorithm)�default_backend)�hashes)�
serialization)�ocsp)�crypto_util)�errors)�util)�getenv)�
RenewableCertc@s`eZdZdZdedd�dd�Zeed�dd	�Zdeee	ed�dd
�Z
eeeee	ed�dd�ZdS)�RevocationCheckerzEThis class figures out OCSP checking on this system, and performs it.FN)�enforce_openssl_binary_usage�returncCsxd|_||_|jrttjd�s0tjd�d|_dStjdddddgttddtj	�d	�}d
|j
krjdd�|_n
d
d�|_dS)NF�opensslz-openssl not installed, can't check revocationTr
z-header�var�val)�stdout�stderrZuniversal_newlinesZcheck�envz	Missing =cSs
d|gS)NzHost=�)�hostrr�/usr/lib/python3.6/ocsp.py�<lambda>1sz,RevocationChecker.__init__.<locals>.<lambda>cSsd|gS)NZHostr)rrrrr3s)�broken�use_openssl_binaryrZ
exe_exists�logger�info�
subprocessZrunrZenv_no_snap_for_external_callsr�	host_args)�selfrZtest_host_formatrrr�__init__"s


zRevocationChecker.__init__)�certrcCs|j|j|j�S)a Get revoked status for a particular cert version.

        .. todo:: Make this a non-blocking call

        :param `.interfaces.RenewableCert` cert: Certificate object
        :returns: True if revoked; False if valid or the check failed or cert is expired.
        :rtype: bool

        )�ocsp_revoked_by_paths�	cert_path�
chain_path)r&r(rrr�ocsp_revoked5s
zRevocationChecker.ocsp_revoked�
)r*r+�timeoutrcCsn|jr
dStjjtj��}tj|�|kr,dSt|�\}}|sD|rHdS|j	r`|j
|||||�St||||�S)aEPerforms the OCSP revocation check

        :param str cert_path: Certificate filepath
        :param str chain_path: Certificate chain
        :param int timeout: Timeout (in seconds) for the OCSP query

        :returns: True if revoked; False if valid or the check failed or cert is expired.
        :rtype: bool

        F)r �pytzZUTCZfromutcr�utcnowrZnotAfter�_determine_ocsp_serverr!�_check_ocsp_openssl_bin�_check_ocsp_cryptography)r&r*r+r.�now�urlrrrrr)Asz'RevocationChecker.ocsp_revoked_by_paths)r*r+rr5r.rc
Cstd�}td�}d}|dk	s$|dk	r4|dk	r0|n|}|dkrFd|g}	n&|jd�r`|td�d�}d|d|g}	ddd	d
|d|d|d
|ddt|�dg|j|�|	}
tjd|�tjdj|
��ytj	|
tjd�\}}Wn"t
jk
r�tjd|�dSXt
|||�S)NZ
http_proxyZ
HTTP_PROXYz-urlzhttp://z-hostz-pathrr
z	-no_noncez-issuerz-certz-CAfilez
-verify_otherz-trust_otherz-timeoutz-headerzQuerying OCSP for %s� )�logz*OCSP check failed for %s (are we offline?)F)r�
startswith�len�strr%r"�debug�joinrZ
run_scriptrZSubprocessErrorr#�_translate_ocsp_query)
r&r*r+rr5r.Zenv_http_proxyZenv_HTTP_PROXYZ
proxy_hostZurl_opts�cmd�output�errrrrr2^s&


4z)RevocationChecker._check_ocsp_openssl_bin)F)r-)�__name__�
__module__�__qualname__�__doc__�boolr'rr,r:�intr)r2rrrrrsr)r*rcs�t|d��}tj|j�t��}WdQRXy:|jjtj�}tjj	��fdd�|j
D�}|djj
}Wn&tjt
fk
r�tjd|�dSX|j�}|jd�djd	�}|r�||fStjd
||�dS)
z�Extract the OCSP server host from a certificate.

    :param str cert_path: Path to the cert we're checking OCSP for
    :rtype tuple:
    :returns: (OCSP server URL or None, OCSP server host or None)

    �rbNcsg|]}|j�kr|�qSr)Z
access_method)�.0�description)�ocsp_oidrr�
<listcomp>�sz*_determine_ocsp_server.<locals>.<listcomp>rzCannot extract OCSP URI from %sz://��/z;Cannot process OCSP host from URL (%s) in certificate at %s)NN)NN)�openr�load_pem_x509_certificate�readr
�
extensions�get_extension_for_classZAuthorityInformationAccessZAuthorityInformationAccessOIDZOCSP�valueZaccess_location�ExtensionNotFound�
IndexErrorr"r#�rstrip�	partition)r*�file_handlerr(�	extensionZdescriptionsr5rr)rJrr1�s r1)r*r+r5r.rc'Cst|d��}tj|j�t��}WdQRXt|d��}tj|j�t��}WdQRXtj�}|j||tj	��}|j
�}|jtj
j�}	ytj||	ddi|d�}
Wn(tjjk
r�tjd|dd�dSX|
jd	kr�tjd
||
j�dStj|
j�}|jtjjk�rtjd||j�dSyt||||�Wn�tk
�rV}ztjt|��WYdd}~Xn�tj k
�r�}ztjt|��WYdd}~Xntt!k
�r�tjd|�YnTt"k
�r�}
ztjd
|t|
��WYdd}
~
Xn Xtj#d||j$�|j$tj%j&kSdS)NrGzContent-Typezapplication/ocsp-request)�dataZheadersr.z*OCSP check failed for %s (are we offline?)T)�exc_infoF��z*OCSP check failed for %s (HTTP status: %d)z'Invalid OCSP response status for %s: %sz)Invalid signature on OCSP response for %sz!Invalid OCSP response for %s: %s.z%OCSP certificate status for %s is: %s)'rNrrOrPr
r
ZOCSPRequestBuilderZadd_certificaterZSHA1ZbuildZpublic_bytesrZEncodingZDER�requestsZpost�
exceptionsZRequestExceptionr"r#Zstatus_codeZload_der_ocsp_responseZcontentZresponse_statusZOCSPResponseStatusZ
SUCCESSFUL�warning�_check_ocsp_responser	r:r�Errorr�AssertionErrorr;Zcertificate_statusZOCSPCertStatusZREVOKED)r*r+r5r.rX�issuerr(ZbuilderZrequestZrequest_binaryZresponse�
response_ocsp�e�errorrrrr3�sJ

$
r3zocsp.OCSPResponsezocsp.OCSPRequest)rd�request_ocsp�issuer_certr*rcCs�|j|jkrtd��t|||�t|jt|j��sL|j|jksL|j|jkrTtd��tj	�}|j
sjtd��|j
|tdd�kr�td��|jr�|j|tdd�kr�td��dS)	z2Verify that the OCSP is valid for several criteriazMthe certificate in response does not correspond to the certificate in requestz<the issuer does not correspond to issuer of the certificate.zparam thisUpdate is not set.�)Zminutesz"param thisUpdate is in the future.z param nextUpdate is in the past.N)
Z
serial_numberrb�_check_ocsp_response_signature�
isinstanceZhash_algorithm�typeZissuer_key_hashZissuer_name_hashrr0Zthis_updaterZnext_update)rdrgrhr*r4rrrr`�sr`)rdrhr*rc	
s$tjtd�dd���j|jks,�j�|�kr>tjd|�|}n�tjd|���fdd��jD�}|slt	d��|d	}|j
|jkr�t	d
��y"|jjtj
�}tjjj|jk}Wntjtfk
r�d}YnX|s�t	d��|j}tj|j�|j|j|��j}|�st	d
��tj|j��j�j|�dS)zIVerify an OCSP response signature against certificate issuer or responder)r(rcSstjj|j��jS)N)rZSubjectKeyIdentifierZfrom_public_key�
public_keyZdigest)r(rrr�	_key_hash�sz1_check_ocsp_response_signature.<locals>._key_hashzGOCSP response for certificate %s is signed by the certificate's issuer.zGOCSP response for certificate %s is delegated to an external responder.cs*g|]"}�j|jks"�j�|�kr|�qSr)�responder_name�subject�responder_key_hash)rHr()rnrdrrrKsz2_check_ocsp_response_signature.<locals>.<listcomp>z0no matching responder certificate could be foundrz?responder certificate is not signed by the certificate's issuerFz<responder is not authorized by issuer to sign OCSP responsesz#no signature hash algorithm definedN)r�Certificate�bytesrorprqr"r;ZcertificatesrbrcrQrRZExtendedKeyUsageZoidZExtendedKeyUsageOIDZOCSP_SIGNINGrSrTrUZsignature_hash_algorithmrZverify_signed_payloadrmZ	signatureZtbs_certificate_bytesZtbs_response_bytes)	rdrhr*Zresponder_certZresponder_certsrYZdelegate_authorizedZchosen_cert_hashZchosen_response_hashr)rnrdrrj�s:

rj)r*�ocsp_output�ocsp_errorsrc	s�d}�fdd�|D�}�fdd�|D�\}}}|r<|jd�nd	}d
|ksT|rP|sT|rrtjd��tjd�|�d
S|r�|r�d
S|r�|jd�}|r�tjd|�dStjd�|�d
Sd	S)z7Parse openssl's weird output to work out what it means.�good�revoked�unknowncsg|]}dj�|��qS)z{0}: (WARNING.*)?{1})�format)rH�s)r*rrrK3sz)_translate_ocsp_query.<locals>.<listcomp>c3s |]}tj|�tjd�VqdS))�flagsN)�re�search�DOTALL)rH�p)rtrr�	<genexpr>4sz(_translate_ocsp_query.<locals>.<genexpr>�NzResponse verify OKz#Revocation status for %s is unknownzUncertain output:
%s
stderr:
%sFzOCSP revocation warning: %sTz2Unable to properly parse OCSP output: %s
stderr:%s)rvrwrx)�groupr"r#r;r_)	r*rtruZstatesZpatternsrvrwrxr_r)r*rtrr=/s$

r=)-rDrrZloggingr|r$rZtypingrrZcryptographyrZcryptography.exceptionsrr	Zcryptography.hazmat.backendsr
Zcryptography.hazmat.primitivesrrZcryptography.x509r
r/r]ZcertbotrrrZcertbot.compat.osrZcertbot.interfacesrZ	getLoggerrAr"rr:r1rFrEr3rrr`rjr=rrrr�<module>s>
e 1"8
