U dsE@sbdZddlmZddlZddlZddlmZddlm Z ddl m Z m Z m Z mZmZmZddlmZddlmZdd lmZdd lmZdd lmZdd lm Z!dd l"m#Z$ddl%m&Z'ddl(m)Z*ddl+m,Z-ddl+m.Z/ddl0m1Z2ddl0m3Z4ddl5m6Z7ddl5m8Z9ddl5m:Z;ddl5mZ?ddl5m@ZAddlBmCZDddlBmEZFddlBmGZHddlBmIZJddlKmLZMddlKmNZOdd lPmQZRdd!lSmTZUdd"lVmWZWe rbdd#lXmYZYmZZZm[Z[m\Z\m]Z]m^Z^m_Z_dd$l`maZadd%l+mbZbdd&l5mcZcmdZddd'lemfZfmgZgdd(lBmhZhmiZidd)ljmkZkdd*llmmZmdd+lnmoZoeeYje]j#eZje\jpe[jqe_j)e^j&fZresetZuevd,ejwZxd-d.d/d0d1Zyd2d3d4d5d6d7d8Zzd9d:d;d:dd?Z{d2d@dAdBdCdDZ|d2d:dEdFdGZ}d3d2dHd.dIdJdKZ~d3d2dLd.dMdNdOZd2dPdt|trX|||t|n t|ttfrlWdS|||Wnt k rYdSXdS)Nr) isinstance _RSAPublicKeyverify _PKCS1v15 _DSAPublicKey_EllipticCurvePublicKey_ECDSA_X25519PublicKey_X448PublicKey_InvalidSignature)rVrWrXrFrIrIrJ_verify_signatures    rdzType[ExtensionTypeVar]z%Optional[Extension[ExtensionTypeVar]])rLklassr;cCs*z|j|WStk r$YdSXdSrN) extensionsZget_extension_for_class_ExtensionNotFound)rLrerIrIrJ_get_extensionsrh)rLr;cCsr|}t|tr$|tjtj}n,t|tr@|tj tj }n|tjtj }t t td}|||S)N)rH) public_keyrZr[ public_bytes _EncodingDER _PublicFormatZPKCS1r_ZX962ZUncompressedPointZSubjectPublicKeyInfo_Hash_SHA1r?updatefinalize)rLriZpbytesdigestrIrIrJ_public_key_hashs   rszOptional[bytes]) certificatesrOresponder_key_hashr;csfdd|DS)Ncs(g|] }t|kr|jjkr|qSrI)rsrOrP.0rLrOrurIrJ s z*_get_certs_by_key_hash..rI)rtrOrurIrxrJ_get_certs_by_key_hashs rzzOptional[Name])rtrOresponder_namer;csfdd|DS)Ncs&g|]}|jkr|jjkr|qSrI)rPrOrvrOr{rIrJrys z&_get_certs_by_name..rI)rtrOr{rIr|rJ_get_certs_by_names r}r5)rOresponser;c Cs|j}|j}|j}|dk r$||jks,||kr          rr6zOptional[_CallbackData]bool)conn ocsp_bytes user_datar;cCsj|st|}|dkr&tddS|}t|drF|}d}n|}|j}|sftddSdd|D}t |||}d} t |t } | dk r| j D] } | t jkrtdd } qq|j} |d krtd | rtd dS|jstd d St |t} | dkr tdd Sdd| j D}|sDtdd S|dkr\tddStd|D]d}td|t|||| }|dkrqjtd|j|jtjkrd S|jtjkrjdSqjtdd Std|dkrtddSt|}td|j|jtjkr(dSt||s8dS|| t||<td|j|jtjkrfdSd S)zCCallback for use with OpenSSL.SSL.Context.set_ocsp_client_callback.Nz No peer cert?Fget_verified_chainzNo peer cert chain?cSsg|] }|qSrI)to_cryptography)rwZcerrIrIrJrybsz"_ocsp_callback..z!Peer presented a must-staple certTz$Peer did not staple an OCSP responsez5Must-staple cert with no stapled response, hard fail.z.OCSP endpoint checking is disabled, soft fail.z*No authority access information, soft failcSs g|]}|jtjkr|jjqSrI)Z access_method_AuthorityInformationAccessOIDZOCSPZaccess_locationr)rwdescrIrIrJrys zNo OCSP URI, soft failzNo issuer cert?zRequesting OCSP dataz Trying %szOCSP cert status: %rz)No definitive OCSP cert status, soft failzPeer stapled an OCSP responser)AssertionErrorZget_peer_certificaterrrhasattrrZget_peer_cert_chainrGrRrh _TLSFeaturer_TLSFeatureTypeZstatus_requestrZcheck_ocsp_endpoint_AuthorityInformationAccessrZcertificate_status_OCSPCertStatusZGOODZREVOKEDrrrrrr)rrrZpycertrLZpychainrGrMrOZ must_stapleZext_tlsZfeaturerZext_aiaurisrr~rIrIrJ_ocsp_callbackOs                           r)__doc__ __future__rloggingZ_loggingrer@rrrtypingrrrrr r Zcryptography.exceptionsr rcZcryptography.hazmat.backendsr r?Z-cryptography.hazmat.primitives.asymmetric.dsar r^Z,cryptography.hazmat.primitives.asymmetric.ecrr`rr_Z1cryptography.hazmat.primitives.asymmetric.paddingrr]Z-cryptography.hazmat.primitives.asymmetric.rsarr[Z.cryptography.hazmat.primitives.asymmetric.x448rrbZ0cryptography.hazmat.primitives.asymmetric.x25519rraZ%cryptography.hazmat.primitives.hashesrrorrnZ,cryptography.hazmat.primitives.serializationrrkrrmZcryptography.x509rrrrrrgrrrrrrDZcryptography.x509.ocsprrrrr rr!rZcryptography.x509.oidr"rr#rrequestsr$rZrequests.exceptionsr%rZpymongor&Z)cryptography.hazmat.primitives.asymmetricr'r(r)r*r+r,r-Z/cryptography.hazmat.primitives.asymmetric.utilsr.r/r0r1Zcryptography.x509.extensionsr2r3r4r5Z OpenSSL.SSLr6Zpymongo.ocsp_cacher7Zpymongo.pyopenssl_contextr8ZEd25519PublicKeyZEd448PublicKeyrS getLogger__name__rcompileDOTALLrBrKrRrdrhrsrzr}rrrrrrIrIrIrJs                                $          6-