CasperSecurity

Current Path : /lib/python3/dist-packages/certbot/__pycache__/
Upload File :
Current File : //lib/python3/dist-packages/certbot/__pycache__/ocsp.cpython-310.pyc

o

6��aM:�
@s�dZddlmZddlmZddlZddlZddlZddlmZddlmZddlm	Z	ddl
mZdd	lm
Z
dd
lmZddlmZddlmZdd
lmZddlZddlZddlmZddlmZddlmZddlmZddlmZzddlmZe ej!d�Wn
e"e#fy�dZYnwe�$e%�Z&Gdd�d�Z'de(de	ee(ee(ffdd�Z)de(de(de(de*de+f
dd�Z,d d!�Z-d"d#�Z.d$d%�Z/dS)&z*Tools for checking certificate revocation.�)�datetime)�	timedeltaN)�PIPE)�Optional)�Tuple)�x509)�InvalidSignature)�UnsupportedAlgorithm)�default_backend)�hashes)�
serialization)�crypto_util)�errors)�util)�getenv)�
RenewableCert)�ocsp�signature_hash_algorithmc@sjeZdZdZddd�Zdedefdd�Zdd
edede	defd
d�Z
d
edededede	defdd�ZdS)�RevocationCheckerzEThis class figures out OCSP checking on this system, and performs it.FcCs~d|_|pt|_|jr=t�d�st�d�d|_dStjgd�t	t	ddt�
�d�}d|jvr6dd	�|_dSd
d	�|_dSdS)NF�opensslz-openssl not installed, can't check revocationT)rr�-header�var�val)�stdout�stderr�universal_newlines�check�envz	Missing =cSs
d|gS)NzHost=���hostrr�./usr/lib/python3/dist-packages/certbot/ocsp.py�<lambda>8s
z,RevocationChecker.__init__.<locals>.<lambda>cSsd|gS)N�Hostrrrrr!r":s)
�brokenr�use_openssl_binaryr�
exe_exists�logger�info�
subprocess�runr�env_no_snap_for_external_callsr�	host_args)�self�enforce_openssl_binary_usage�test_host_formatrrr!�__init__)s


�
�zRevocationChecker.__init__�cert�returncCs|�|j|j�S)a Get revoked status for a particular cert version.

        .. todo:: Make this a non-blocking call

        :param `.interfaces.RenewableCert` cert: Certificate object
        :returns: True if revoked; False if valid or the check failed or cert is expired.
        :rtype: bool

        )�ocsp_revoked_by_paths�	cert_path�
chain_path)r-r1rrr!�ocsp_revoked<s
zRevocationChecker.ocsp_revoked�
r4r5�timeoutcCsj|jrdStj�t���}t�|�|krdSt|�\}}|r |s"dS|j	r.|�
|||||�St||||�S)aEPerforms the OCSP revocation check

        :param str cert_path: Certificate filepath
        :param str chain_path: Certificate chain
        :param int timeout: Timeout (in seconds) for the OCSP query

        :returns: True if revoked; False if valid or the check failed or cert is expired.
        :rtype: bool

        F)r$�pytz�UTC�fromutcr�utcnowr
�notAfter�_determine_ocsp_serverr%�_check_ocsp_openssl_bin�_check_ocsp_cryptography)r-r4r5r8�now�urlr rrr!r3Hsz'RevocationChecker.ocsp_revoked_by_pathsr rBc
Cstd�}td�}d}|dus|dur|dur|n|}|dur#d|g}	n|�d�r0|td�d�}d|d|g}	ddd	d
|d|d|d
|ddt|�dg|�|�|	}
t�d|�t�d�|
��ztj	|
tjd�\}}Wnt
jy{t�d|�YdSwt
|||�S)N�
http_proxy�
HTTP_PROXYz-urlzhttp://z-hostz-pathrrz	-no_noncez-issuerz-certz-CAfilez
-verify_otherz-trust_otherz-timeoutrzQuerying OCSP for %s� )�log�*OCSP check failed for %s (are we offline?)F)r�
startswith�len�strr,r'�debug�joinr�
run_scriptr�SubprocessErrorr(�_translate_ocsp_query)
r-r4r5r rBr8�env_http_proxy�env_HTTP_PROXY�
proxy_host�url_opts�cmd�output�errrrr!r?esB

���	�z)RevocationChecker._check_ocsp_openssl_binN)F)r7)�__name__�
__module__�__qualname__�__doc__r0r�boolr6rJ�intr3r?rrrr!r&s

����rr4r2c	s�t|d��}t�|��t��}Wd�n1swYz|j�tj�}tjj	��fdd�|j
D�}|djj
}Wntjt
fyNt�d|�YdSw|��}|�d�d	�d
�}|rc||fSt�d||�dS)z�Extract the OCSP server host from a certificate.

    :param str cert_path: Path to the cert we're checking OCSP for
    :rtype tuple:
    :returns: (OCSP server URL or None, OCSP server host or None)

    �rbNcsg|]	}|j�kr|�qSr)�
access_method)�.0�description��ocsp_oidrr!�
<listcomp>�s
�z*_determine_ocsp_server.<locals>.<listcomp>rzCannot extract OCSP URI from %s)NNz://��/z;Cannot process OCSP host from URL (%s) in certificate at %s)�openr�load_pem_x509_certificate�readr
�
extensions�get_extension_for_class�AuthorityInformationAccess�AuthorityInformationAccessOID�OCSP�value�access_location�ExtensionNotFound�
IndexErrorr'r(�rstrip�	partition)r4�file_handlerr1�	extension�descriptionsrBr rrar!r>�s$��r>r5rBr8c
Cs(t|d��}t�|��t��}Wd�n1swYt|d��}t�|��t��}Wd�n1s7wYt��}|�||t�	��}|�
�}|�tj
j�}	z
tj||	ddi|d�}
Wntjjyutjd|dd�YdSw|
jd	kr�t�d
||
j�dSt�|
j�}|jtjjkr�t�d||j�dSz	t||||�Wn_ty�}zt�t|��WYd}~dSd}~wtj y�}zt�t|��WYd}~dSd}~wt!y�t�d|�YdSt"�y}
zt�d
|t|
��WYd}
~
dSd}
~
wwt�#d||j$�|j$tj%j&kS)Nr]zContent-Typezapplication/ocsp-request)�data�headersr8rGT)�exc_infoF��z*OCSP check failed for %s (HTTP status: %d)z'Invalid OCSP response status for %s: %sz)Invalid signature on OCSP response for %sz!Invalid OCSP response for %s: %s.z%OCSP certificate status for %s is: %s)'rfrrgrhr
r�OCSPRequestBuilder�add_certificater�SHA1�build�public_bytesr�Encoding�DER�requests�post�
exceptions�RequestExceptionr'r(�status_code�load_der_ocsp_response�content�response_status�OCSPResponseStatus�
SUCCESSFUL�warning�_check_ocsp_responser	rJr�Errorr�AssertionErrorrK�certificate_status�OCSPCertStatus�REVOKED)r4r5rBr8rt�issuerr1�builder�request�request_binary�response�
response_ocsp�e�errorrrr!r@�sd��
��
�
����	����r@cCs�|j|jkr
td��t|||�t|jt|j��r%|j|jks%|j|jkr)td��t�	�}|j
s4td��|j
|tdd�krBtd��|jrS|j|tdd�krUtd��dSdS)	z2Verify that the OCSP is valid for several criteriazMthe certificate in response does not correspond to the certificate in requestz<the issuer does not correspond to issuer of the certificate.zparam thisUpdate is not set.�)�minutesz"param thisUpdate is in the future.z param nextUpdate is in the past.N)
�
serial_numberr��_check_ocsp_response_signature�
isinstance�hash_algorithm�type�issuer_key_hash�issuer_name_hashrr<�this_updater�next_update)r��request_ocsp�issuer_certr4rArrr!r��s�r�c	s
dd���j|jks�j�|�krt�d|�|}nZt�d|���fdd��jD�}|s1td��|d}|j|jkr?td	��z|j�	t
j�}t
jj
j|jv}Wnt
jtfy^d
}Ynw|setd��|j}t�|��|j|j|��j}t�|���j�j|�dS)
zIVerify an OCSP response signature against certificate issuer or respondercSstj�|���jS)N)r�SubjectKeyIdentifier�from_public_key�
public_key�digest)r1rrr!�	_key_hash�sz1_check_ocsp_response_signature.<locals>._key_hashzGOCSP response for certificate %s is signed by the certificate's issuer.zGOCSP response for certificate %s is delegated to an external responder.cs*g|]}�j|jks�j�|�kr|�qSr)�responder_name�subject�responder_key_hash)r_r1�r�r�rr!rcs
�z2_check_ocsp_response_signature.<locals>.<listcomp>z0no matching responder certificate could be foundrz?responder certificate is not signed by the certificate's issuerFz<responder is not authorized by issuer to sign OCSP responsesN)r�r�r�r'rK�certificatesr�r�rirjr�ExtendedKeyUsage�oid�ExtendedKeyUsageOID�OCSP_SIGNINGrnrprqrr
�verify_signed_payloadr��	signature�tbs_certificate_bytes�tbs_response_bytes)r�r�r4�responder_cert�responder_certsru�delegate_authorized�chosen_hashrr�r!r��s@�����r�c	s�d}�fdd�|D�}�fdd�|D�\}}}|r|�d�nd}d|vs*|r(|s*|r9t�d	��t�d
�|�dS|r?|s?dS|rP|�d�}|rNt�d|�d
St�d�|�dS)z7Parse openssl's weird output to work out what it means.)�good�revoked�unknowncsg|]}d��|��qS)z{0}: (WARNING.*)?{1})�format)r_�s)r4rr!rc6sz)_translate_ocsp_query.<locals>.<listcomp>c3s"�|]}tj|�tjd�VqdS))�flagsN)�re�search�DOTALL)r_�p)�ocsp_outputrr!�	<genexpr>7s� z(_translate_ocsp_query.<locals>.<genexpr>�NzResponse verify OKz#Revocation status for %s is unknownzUncertain output:
%s
stderr:
%sFzOCSP revocation warning: %sTz2Unable to properly parse OCSP output: %s
stderr:%s)�groupr'r(rKr�)	r4r��ocsp_errors�states�patternsr�r�r�r�r)r4r�r!rO2s&
�rO)0rZrr�loggingr�r)r�typingrr�cryptographyr�cryptography.exceptionsrr	�cryptography.hazmat.backendsr
�cryptography.hazmat.primitivesrrr9r��certbotr
rr�certbot.compat.osr�certbot.interfacesr�cryptography.x509r�getattr�OCSPResponse�ImportError�AttributeError�	getLoggerrWr'rrJr>r\r[r@r�r�rOrrrr!�<module>sF�
"e1"6
Hacker Blog, Shell İndir, Sql İnjection, XSS Attacks, LFI Attacks, Social Hacking, Exploit Bot, Proxy Tools, Web Shell, PHP Shell, Alfa Shell İndir, Hacking Training Set, DDoS Script, Denial Of Service, Botnet, RFI Attacks, Encryption
Telegram @BIBIL_0DAY