U c( @sdZddlZddlZddlZddlmZmZddlmZm Z m Z m Z m Z m Z ddlmZddlmZddlmZd d d d d dddddddg ZeeZeddddgZedddgZedddgZeddgZeeeeeddd Z eeddd Z!ee j"e j#fee j$d!d"d#Z%e j"eeed$d%d Z&ee j'ed&d'd Z(d(d Z)d)d*Z*d+d Z+d,d-Z,d.dZ-ee j"e j#fd/d0dZ.d1dZ/dS)2zd Internal backend-agnostic utilities to help process fetched certificates, CRLs and OCSP responses. N)OptionalUnion)algoscmscoreocsppemx509)errors) Authority)get_ac_extension_valueunpack_cert_contentformat_ocsp_requestprocess_ocsp_response_dataqueue_fetch_taskcrl_job_results_as_completedocsp_job_get_earliestcomplete_certificate_fetch_jobsgather_aia_issuer_urls$ACCEPTABLE_STRICT_CERT_CONTENT_TYPESACCEPTABLE_CERT_PEM_ALIASESACCEPTABLE_PKCS7_DER_ALIASESACCEPTABLE_CERT_DER_ALIASESzapplication/pkix-certzapplication/pkcs7-mimezapplication/x-x509-ca-certz application/x-pkcs7-certificateszapplication/x-pem-filez text/plainzapplication/octet-stream) response_data content_typeurl permit_pemccs|dks|tkrDt|sD|dkr4td|dtj|Vn|tkr^t ||EdHnp|r|t krt|rtj |ddD]2\}}}|dkrt ||EdHqtj|Vqnt d|d|ddS) Nz)Response to certificate fetch request to zb did not include a content type, assuming response body is a single DER-encoded X.509 certificate.T)multipleZPKCS7z-Expected PEM data when extracting certs from z payload. Source URL: .) rrdetectloggerwarningr Certificateloadr_unpack_der_pkcs7rZunarmor ValueError)rrrr type_name_datar*O/tmp/pip-unpacked-wheel-rwcmptg8/pyhanko_certvalidator/fetchers/common_utils.pyrDs,   ) pkcs7_data pkcs7_urlccsptj|}|dj}|dkr4td|d|d|d}t|dtjrl|dD]}|jdkrT|jVqTdS) Nr signed_dataziExpected CMS SignedData when extracting certs from application/pkcs7-mime payload, but content type was 'z'. Source URL: rcontentZ certificatesZ certificate) rZ ContentInfor$nativer& isinstanceZCertificateSetnameZchosen)r,r-Z content_infoZcms_ctr.Z cert_choicer*r*r+r%gs    r%)cert authorityreturncCsXt|tjr|j}n|ddj}t|j|}tt d|i|t|j ||d}|S)NZac_info serial_number algorithm)Zhash_algorithmZissuer_name_hashZissuer_key_hashr6) r1r r#r6r0getattrr2rCertIdrZDigestAlgorithmZ public_key)r3r4certid_hash_algor6Z iss_name_hashcert_idr*r*r+ get_certidws    r<)r3r4r:request_noncesc Csrt|||d}td|i}tdt|gi}|rdtddtt dd}t |g|d<t d |iS) N)r:Zreq_certZ request_listnonceF)Zextn_idcriticalZ extn_valueZrequest_extensions tbs_request) r<rRequestZ TBSRequestZRequestsZTBSRequestExtensionrZ OctetStringosurandomZTBSRequestExtensions OCSPRequest)r3r4r:r=r;requestrAZnonce_extensionr*r*r+rs, )r ocsp_requestocsp_urlcCsztj|}Wntk r.tdYnX|dj}|dkrTtd||f|j}|r~|j}|r~|j|jkr~td|S)Nz)Failed to parse response from OCSP serverZresponse_statusZ successfulz5OCSP server at %s returned an error. Status was '%s'.zQUnable to verify OCSP response since the request and response nonces do not match) rZ OCSPResponser$r&r OCSPFetchErrorr0ZOCSPValidationErrorZ nonce_value)rrGrHZ ocsp_responsestatusZ request_nonceZresponse_noncer*r*r+rs& c sXz(||}tdt|dt|WStk r<YnXzP||}tdt|d|IdHtdt|dt||WStk rRtdt|dt||<}z|IdH}WnBtk r}z"td t|d ||}W5d}~XYnX|||<td t|d ||=| t|YSXdS) NzResult for fetch job with tag z was available in cache.zWaiting for fetch job with tag z to return...z,Received completion signal for job with tag rz Starting new fetch job with tag z...zNew fetch job with tag z threw an exception: z returned.) r!debugrepr_return_or_raiseKeyErrorwaitasyncioEvent Exceptionset)resultsZ running_jobstagZ async_funresultZ wait_eventer*r*r+rs> cCst|tr||SN)r1rR)rVr*r*r+rMs rMc Csnd}d}tt|D]B}z|IdH}|VWqtjk rV}z|}W5d}~XYqXq|dk rj|sj|dS)NF)rP as_completedlistr Z CRLFetchError)jobslast_eZat_least_one_successZcrl_jobZ fetched_crlrWr*r*r+rs   cs<tj|}|z|IdHWntjk r6YnXdSrX)rPZgathercancelZCancelledError)Z pending_taskspendingr*r*r+ cancel_alls  r_c sdd|D}d}}|r~tj|tjdIdH\}}|D]B}z|IdH}WqWq8tjk rx}z|}W5d}~XYq8Xq8q|dk rt|IdH|S|ptddS)NcSsg|]}t|qSr*)rPZ create_task).0coror*r*r+ sz)ocsp_job_get_earliest..)Z return_whenzNo OCSP results)rPrOZFIRST_COMPLETEDr rIr_)r[queueZ ocsp_respr\doneZocsp_jobrWr*r*r+rs"  )r3ccspt|tjr|j}n t|d}|dkr*dS|D]<}|djdkr.|d}|jdkrTq.|j}|dr.|Vq.dS)NZauthority_information_accessZ access_methodZ ca_issuersZaccess_locationZuniform_resource_identifierhttp)r1r r#Z"authority_information_access_valuer r0r2 startswith)r3Z aia_valueentrylocationrr*r*r+r/s    c Csrt|D]b}z|IdH}Wn>tjk rZ}ztd|dWYq W5d}~XYnX|D] }|Vq`q dS)Nz8Error during certificate fetch job, skipping... (Error: ))rPrYr ZCertificateFetchErrorr!r")Z fetch_jobsZ fetch_jobZ certs_fetchedrWr3r*r*r+rBs )0__doc__rPloggingrCtypingrrZ asn1cryptorrrrrr r r4r utilr __all__ getLogger__name__r! frozensetrrrrbytesstrboolrr%r#ZAttributeCertificateV2r9r<rrErrrMrr_rrrr*r*r*r+s         #  $ ,