Server: Apache/2.4.52 (Ubuntu)
System: Linux spn-python 5.15.0-89-generic #99-Ubuntu SMP Mon Oct 30 20:42:41 UTC 2023 x86_64
User: arjun (1000)
PHP: 8.1.2-1ubuntu2.20
Disabled: NONE
File: //snap/certbot/5057/lib/python3.12/site-packages/certbot/__pycache__/ocsp.cpython-312.pyc