U ~fh{F@sndZddlmZddlZddlZddlmZddlm Z ddl m Z m Z m Z mZmZddlmZddlmZdd lmZdd lmZdd lmZdd lmZ dd l!m"Z#ddl$m%Z&ddl'm(Z)ddl*m+Z,ddl*m-Z.ddl/m0Z1ddl/m2Z3ddl4m5Z6ddl4m7Z8ddl4m9Z:ddl4m;Z<ddl4m=Z>ddl4m?Z@ddlAmBZCddlAmDZEddlAmFZGddlAmHZIddlJmKZLddlJmMZNdd lOmPZQdd!lRmSZTdd"lUmVZVdd#lWmXZXmYZYe rndd$lZm[Z[m\Z\m]Z]m^Z^m_Z_m`Z`maZadd%lbmcZcdd&l*mdZddd'l4meZemfZfdd(lgmhZhmiZidd)lAmjZjmkZkdd*llmmZmdd+lWmnZndd,lompZpee[je_j"e\je^jqe]jreaj(e`j%fZseteuZvewd-ejxZyd.d/d0d1d2Zzd3d4d5d6d7d8d9Z{d:d;dd?d@Z|d3dAdBdCdDdEZ}d3d;dFdGdHZ~d4d3dId/dJdKdLZd4d3dMd/dNdOdPZd3dQd=dRdSdTZd3d3dUdVdWdXZd3dQd=dRdYdZZd3d3d[d\d]d^d_d`Zdad;dbdcdddedfZdS)gz4Support for requesting and verifying OCSP responses.) annotationsN)datetime)timezone) TYPE_CHECKINGIterableOptionalTypeUnion)InvalidSignature)default_backend) DSAPublicKey)ECDSA)EllipticCurvePublicKey)PKCS1v15) RSAPublicKey) X448PublicKey)X25519PublicKey)SHA1)Hash)Encoding) PublicFormat)AuthorityInformationAccess)ExtendedKeyUsage)ExtensionNotFound) TLSFeature)TLSFeatureType)load_pem_x509_certificate)OCSPCertStatus)OCSPRequestBuilder)OCSPResponseStatus)load_der_ocsp_response)AuthorityInformationAccessOID)ExtendedKeyUsageOID)post)RequestException)_csot) _next_update _this_update)dsaeced448ed25519rsax448x25519) Prehashed) HashAlgorithm) CertificateName) ExtensionExtensionTypeVar) OCSPRequest OCSPResponse) Connection) _OCSPCache) _CallbackDatas9-----BEGIN CERTIFICATE[^ ]+.+?-----END CERTIFICATE[^ ]+strzlist[Certificate])cafilereturnc CsNt|d}|}W5QRXg}t}tt|D]}|t||q4|S)z0Parse the tlsCAFile into a list of certificates.rb)openread_default_backend_refindall _CERT_REGEXappend_load_pem_x509_certificate)r;fdatatrusted_ca_certsbackendZ cert_datarJ8/tmp/pip-unpacked-wheel-36gvocj8/pymongo/ocsp_support.py_load_trusted_ca_certsis rLr1zIterable[Certificate]zOptional[list[Certificate]]zOptional[Certificate])certchainrHr<cCsF|j}|D]}|j|kr |Sq |rB|D]}|j|kr*|Sq*dSN)issuersubject)rMrNrHZ issuer_name candidaterJrJrK_get_issuer_certvs    rSCertificateIssuerPublicKeyTypesbytesz%Union[Prehashed, HashAlgorithm, None]int)key signature algorithmrGr<cCszzt|tr |||t|nXt|tr:||||n>t|trX|||t|n t|ttfrlWdS|||Wnt k rYdSXdS)Nr) isinstance _RSAPublicKeyverify _PKCS1v15 _DSAPublicKey_EllipticCurvePublicKey_ECDSA_X25519PublicKey_X448PublicKey_InvalidSignature)rWrXrYrGrJrJrK_verify_signatures    rezType[ExtensionTypeVar]z%Optional[Extension[ExtensionTypeVar]])rMklassr<cCs*z|j|WStk r$YdSXdSrO) extensionsZget_extension_for_class_ExtensionNotFound)rMrfrJrJrK_get_extensionsri)rMr<cCsr|}t|tr$|tjtj}n,t|tr@|tj tj }n|tjtj }t t td}|||S)N)rI) public_keyr[r\ public_bytes _EncodingDER _PublicFormatZPKCS1r`ZX962ZUncompressedPointZSubjectPublicKeyInfo_Hash_SHA1r@updatefinalize)rMrjZpbytesdigestrJrJrK_public_key_hashs   rtzOptional[bytes]) certificatesrPresponder_key_hashr<csfdd|DS)Ncs(g|] }t|kr|jjkr|qSrJ)rtrPrQ.0rMrPrvrJrK s z*_get_certs_by_key_hash..rJ)rurPrvrJryrK_get_certs_by_key_hashs r{zOptional[Name])rurPresponder_namer<csfdd|DS)Ncs&g|]}|jkr|jjkr|qSrJ)rQrPrwrPr|rJrKrzs z&_get_certs_by_name..rJ)rurPr|rJr}rK_get_certs_by_names r~r6)rPresponser<c Cs|j}|j}|j}|dk r$||jks,||kr          rr7zOptional[_CallbackData]bool)conn ocsp_bytes user_datar<cCsj|st|}|dkr&tddS|}t|drF|}d}n|}|j}|sftddSdd|D}t |||}d} t |t } | dk r| j D] } | t jkrtdd } qq|j} |d krtd | rtd dS|jstd d St |t} | dkr tdd Sdd| j D}|sDtdd S|dkr\tddStd|D]d}td|t|||| }|dkrqjtd|j|jtjkrd S|jtjkrjdSqjtdd Std|dkrtddSt|}td|j|jtjkr(dSt||s8dS|| t||<td|j|jtjkrfdSd S)zCCallback for use with OpenSSL.SSL.Context.set_ocsp_client_callback.Nz No peer cert?Fget_verified_chainzNo peer cert chain?cSsg|] }|qSrJ)to_cryptography)rxZcerrJrJrKrzhsz"_ocsp_callback..z!Peer presented a must-staple certTz$Peer did not staple an OCSP responsez5Must-staple cert with no stapled response, hard fail.z.OCSP endpoint checking is disabled, soft fail.z*No authority access information, soft failcSs g|]}|jtjkr|jjqSrJ)Z access_method_AuthorityInformationAccessOIDZOCSPZaccess_locationr)rxdescrJrJrKrzs zNo OCSP URI, soft failzNo issuer cert?zRequesting OCSP dataz Trying %szOCSP cert status: %rz)No definitive OCSP cert status, soft failzPeer stapled an OCSP responser)AssertionErrorZget_peer_certificaterrrhasattrrZget_peer_cert_chainrHrSri _TLSFeaturer_TLSFeatureTypeZstatus_requestrZcheck_ocsp_endpoint_AuthorityInformationAccessrZcertificate_status_OCSPCertStatusZGOODZREVOKEDrrrrrr)rrrZpycertrMZpychainrHrNrPZ must_stapleZext_tlsZfeaturerZext_aiaurisrrrJrJrK_ocsp_callbackUs                           r)__doc__ __future__rloggingZ_loggingrerArrrtypingrrrrr Zcryptography.exceptionsr rdZcryptography.hazmat.backendsr r@Z-cryptography.hazmat.primitives.asymmetric.dsar r_Z,cryptography.hazmat.primitives.asymmetric.ecr rarr`Z1cryptography.hazmat.primitives.asymmetric.paddingrr^Z-cryptography.hazmat.primitives.asymmetric.rsarr\Z.cryptography.hazmat.primitives.asymmetric.x448rrcZ0cryptography.hazmat.primitives.asymmetric.x25519rrbZ%cryptography.hazmat.primitives.hashesrrprroZ,cryptography.hazmat.primitives.serializationrrlrrnZcryptography.x509rrrrrrhrrrrrrEZcryptography.x509.ocsprrrrrrr rZcryptography.x509.oidr!rr"rrequestsr#rZrequests.exceptionsr$rZpymongor%Zpymongo.ocsp_cacher&r'Z)cryptography.hazmat.primitives.asymmetricr(r)r*r+r,r-r.Z/cryptography.hazmat.primitives.asymmetric.utilsr/r0r1r2Zcryptography.x509.extensionsr3r4r5r6Z OpenSSL.SSLr7r8Zpymongo.pyopenssl_contextr9ZEd25519PublicKeyZEd448PublicKeyrT getLogger__name__rcompileDOTALLrCrLrSrerirtr{r~rrrrrrJrJrJrKs                               $          6-