U cZ @sddlZddlmZmZddlmZddlmZmZmZddl m Z m Z m Z ddl mZddlmZddlmZdd lmZdd lmZmZmZdd lmZdd lmZmZmZmZm Z m!Z!dd l"m#Z#ddl$m%Z%m&Z&m'Z'ddl(m)Z)m*Z*m+Z+ddl,m-Z-m.Z.ddl/m0Z0ddl1m2Z2m3Z3m4Z4dZ5e j6ee#dddZ7e j6eee#edddZ8e j6dddZ9eGdddZ:ee j6e j;fee-e:ee j6eed?d?ZGdDee j6e j;fe#e0eeeeGd@dAdBZHdS)EN) dataclassfield)datetime)ListOptionalUnion)cmscrlx509) CRLReason) PublicKeyInfo)InvalidSignature) ValProcState) AuthorityAuthorityWithCert TrustAnchor)ValidationContext)OCSPNoMatchesErrorOCSPValidationError OCSPValidationIndeterminateErrorPathValidationErrorPSSParameterMismatch RevokedError)ValidationPath)CertRevTrustPolicyRevocationCheckingPolicyRevocationCheckingRule)CertificateCollectionLayeredCertificateStoreSimpleCertificateStore) OCSPContainerRevinfoUsabilityRating)RevinfoManager)ConsListextract_ac_issuer_dir_name validate_sigzXUnable to verify OCSP response since response signing certificate could not be validated)responder_certissueree_pathcCs0t|tr||j|}ntt|g|d}|S)NZ trust_anchorZintermZleaf) isinstancerZtruncate_to_and_append certificaterr)r&r'r(responder_chainr-O/tmp/pip-unpacked-wheel-rwcmptg8/pyhanko_certvalidator/revinfo/validate_ocsp.py_delegated_ocsp_response_path6s r/r&r'validation_contextr( proc_statec sn||rtd|jj|ddlm}|jddd}|jdk rt t t j t j dd}t t|gd ||j|j|jd }tt|g|d } t|j| |d } z||| | d IdHWn,tk r} ztt| W5d} ~ XYnXt|||} ||| nht|||} t|j| |d } z||| | d IdHWn.tk rh} ztt| W5d} ~ XYnXdS)NzVRecursion detected in OCSP responder authorisation check for responder certificate %s.r)intl_validate_pathT)Z never_defz OCSP responder)Zee_certificate_ruleZintermediate_ca_cert_rule)Zrevocation_checking_policyF)Z trust_rootsZallow_fetchingrevinfo_policymomentZalgorithm_usage_policytime_tolerancer))cert_path_stackZee_name_override)pathr2)Zcheck_path_verif_recursionrZ from_statesubjectZhuman_friendlyZpyhanko_certvalidator.validater3 describe_certZocsp_no_check_valuerrrZNO_CHECKrrr5Zalgorithm_policyr6rrr7ZconsrOCSP_PROVENANCE_ERRr/Zrecord_validation)r&r'r1r(r2r3Zocsp_ee_name_overrider4ZvcZocsp_trunc_pathZocsp_trunc_proc_stateer,Zocsp_proc_stater-r-r.#_validate_delegated_ocsp_provenanceEs      r=)r&cCs|j}|dk od|jkS)NZ ocsp_signing)Zextended_key_usage_valuenative)r&Zextended_key_usager-r-r. _ocsp_allowedsr?c@s,eZdZUeedZeed<dZeed<dS) _OCSPErrs)default_factoryfailuresrmismatch_failuresN) __name__ __module__ __qualname__rlistrB__annotations__rCintr-r-r-r.r@s r@)certr' ocsp_responseerrsreturncCs |}|dkr"|jd7_dS|d}|ddj}t|tj}|r\t|j|}|j} n t |} t| |}|ddj} t|j |} |dj| k} |d j|k} |dj| k}| s|r| r|jd7_dS| r|j d |fdS|r|j d |fdS| r|j d |fdSd S)NFZcert_idZhash_algorithm algorithmZac_info serial_numberZissuer_key_hashZissuer_name_hashz-OCSP response issuer name hash does not matchz6OCSP response certificate serial number does not matchz,OCSP response issuer key hash does not matchT) extract_single_responserCr>r*r Certificategetattrr'rPr$ public_keyrBappend)rJr'rKrL cert_responseZresponse_cert_idZissuer_hash_algois_pkcZcert_issuer_name_hashZcert_serial_numberZiss_nameZcert_issuer_key_hashZkey_hash_mismatchZ name_mismatchZserial_mismatchr-r-r._match_ocsp_certidsR        rX)rK cert_storerLrMcCs|}|dk st|dr2tt|d|g}|d}|djdkr^|dj}||}n ||dj }|rz|dnd}|s|j d|f|S)Ncertstbs_response_dataZ responder_idby_keyrzVUnable to verify OCSP response since response signing certificate could not be located) extract_basic_ocsp_responseAssertionErrorrrZ from_certsnamer>Zretrieve_by_key_identifierZretrieve_by_namechosenrBrU)rKrYrLresponse tbs_responseZkey_identifierr&Zcandidate_responder_certsr-r-r._identify_responder_certs,    rc)r&r'rWrMcCsRt|tr>|jj|jkr>|j}t|d}t|d}||kSt|rJ|sNdSdS)z This function checks OCSP conditions that don't require path validation to pass. If ``None`` is returned, path validation is necessary to proceed. Zsignature_valueFN)r*rr+Z issuer_serialbytesr?)r&r'rWZ issuer_certZ issuer_sigZ responder_sigr-r-r._precheck_ocsp_responder_auths    re) r&r' cert_pathrKr1rWrLr2rMc st|||}|dk r|} n^z t|||||dIdHd} Wn<tk rv} z|j| jd|fd} W5d} ~ XYnX| s|jd|f| S)Nr0TrFzWUnable to verify OCSP response since response was signed by an unauthorized certificate)rer=rrBrUargs) r&r'rfrKr1rWrLr2Z simple_checkZauth_okr<r-r-r._check_ocsp_authorisation7s,  rh)rKr2 control_timerMcCs|}|dkrdS|dj}|dkr*dS|dkr|dj}|d}|jdkrXtd}|dj}|dksr||krtj||d |d dS) NFZ cert_statusZgoodTZrevokedZrevocation_reason unspecifiedZrevocation_timez OCSP response)reason revocation_dtZ revinfo_typer2)rQr_r`r>r r rformat)rKr2rirVstatusZrevocation_inforkrlr-r-r._check_ocsp_status_s(     ro) responder_keyrKrLrMcCs|}|dkrdS|dj}|dj}|d}z,t|dj|||||dddWdStk r|jd|fYn$t k r|jd |fYnXdS) NFZsignature_algorithmr[ signature parameters)rqZ signed_dataZpublic_key_infoZsig_algo hash_algorrTz\The signature parameters on the OCSP response do not match the constraints on the public keyz(Unable to verify OCSP response signature) r]signature_algorsr%r>dumprrBrUr )rprKrLrartrsrbr-r-r._verify_ocsp_signature~s6    rv)rJr'rKrYrLrMcCsJt||||d}|sdSt|||d}|s.dSt|j||d}|sFdS|S)N)r'rKrL)rYrL)rprKrL)rXrcrvrT)rJr'rKrYrLmatchedr&Z signature_okr-r-r._assess_ocsp_relevances.rx)rJr'r8rKr1rLr2rMc st||||j|d}|dkr dS|j|j|jd}|j} | tjkrz| tjkrRd} n| tj krbd} nd} |j | |fdSt |||||t |tj||dIdH} | sdS|j} | jr| jnd} t||| S)NrJr'rKrYrLF)policy timing_paramsz"OCSP response is not recent enoughzOCSP response is too recentz0OCSP response freshness could not be established)r'rfrKr1rWrLr2)rxcertificate_registryZ usable_atr4r{ratingr!OKZSTALEZTOO_NEWrBrUrhr*r rRZpoint_in_time_validationZvalidation_timero)rJr'r8rKr1rLr2r&Zfreshness_resultr}msgZ authorisedZtimingrir-r-r._handle_single_ocsp_respsL      r)rJr8r1r2c s|ptt|d}|}z||}Wn"tk rLtd|YnXt}|j ||IdH}|D]v}z,t |||||||dIdH} | rWdSWqlt k r} z&d} t j | | d|j| |fW5d} ~ XYqlXql|jt|krtd|dtd |d |jdS) aa Verifies an OCSP response, checking to make sure the certificate has not been revoked. Fulfills the requirements of https://tools.ietf.org/html/rfc6960#section-3.2. :param cert: An asn1cyrpto.x509.Certificate object or an asn1crypto.cms.AttributeCertificateV2 object to verify the OCSP response for :param path: A pyhanko_certvalidator.path.ValidationPath object of the cert's validation path, or in the case of an AC, the AA's validation path. :param validation_context: A pyhanko_certvalidator.context.ValidationContext object to use for caching validation information :param proc_state: Internal state for error reporting and policy application decisions. :raises: pyhanko_certvalidator.errors.OCSPNoMatchesError - when none of the OCSP responses match the certificate pyhanko_certvalidator.errors.OCSPValidationIndeterminateError - when the OCSP response could not be verified pyhanko_certvalidator.errors.RevokedError - when the OCSP response indicates the certificate has been revoked r7z6Could not determine issuer certificate for %s in path.N)rJr'r8rKr1rLr28Generic processing error while validating OCSP response.exc_infoz"No OCSP responses were issued for .zUnable to determine if z@ is revoked due to insufficient information from OCSP responses.)rr#singr:find_issuing_authority LookupErrorrr@revinfo_managerasync_retrieve_ocspsr ValueErrorloggingdebugrBrUrClenr) rJr8r1r2Zcert_descriptionZ cert_issuerrLocsp_responsesrKZ ocsp_goodr<rr-r-r.verify_ocsp_responsesP!   $  rT)frozenc@seZdZUeed<eed<dS)OCSPResponseOfInterestrK prov_pathN)rDrErFr rHrr-r-r-r.rMs rc@s*eZdZUdZeeed<eeed<dS)OCSPCollectionResultzd The result of an OCSP collection operation for AdES point-in-time validation purposes. responses failure_msgsN)rDrErF__doc__rrrHstrr-r-r-r.rSs   r)rJr8rrir2rMc sJ|ptt|d}z||}Wn(tk rJtd|dYnXg}|||IdH}|j}t } |D]} | j } | j } | dksr| |ksr|| |krqrzHt ||| |j | d} | dkrWqrt| ||d}t| |d}||Wqrtk r.}z&d}tj||d | j|| fW5d}~XYqrXqrt|d d | jDd S) a5 Collect potentially relevant OCSP responses with the associated validation paths. Will not perform actual path validation. :param cert: The certificate under scrutiny. :param path: The path currently being evaluated. :param revinfo_manager: The revocation info manager. :param control_time: The control time before which the validation info should have been issued. :param proc_state: The state of any prior validation process. :return: A :class:`.OCSPCollectionResult`. rz+Could not determine issuer certificate for z in path.Nry)r()rKrrrcSsg|] }|dqS)rr-).0fr-r-r. sz9collect_relevant_responses_with_paths..)rr)rr#rrrrr:r poe_managerr@Z issuance_dateZocsp_response_datarxr|r/rrUrrrrBr)rJr8rrir2Zcert_issuer_authZrelevantrrrLZocsp_response_contZissuedZocsp_resp_datar&resultr<rr-r-r.%collect_relevant_responses_with_pathsesh   $r)N)N)IrZ dataclassesrrrtypingrrrZ asn1cryptorr r Zasn1crypto.crlr Zasn1crypto.keysr Zcryptography.exceptionsr Zpyhanko_certvalidator._staterZpyhanko_certvalidator.authorityrrrZpyhanko_certvalidator.contextrZpyhanko_certvalidator.errorsrrrrrrZpyhanko_certvalidator.pathrZ!pyhanko_certvalidator.policy_declrrrZpyhanko_certvalidator.registryrrrZ&pyhanko_certvalidator.revinfo.archivalr r!Z%pyhanko_certvalidator.revinfo.managerr"Zpyhanko_certvalidator.utilr#r$r%r;rRr/r=r?r@ZAttributeCertificateV2boolrXrcrerhrorvrxrrrrrr-r-r-r.s           Y A ( % )  (  < R