|
Server : Apache/2.4.41 (Ubuntu) System : Linux vmi1525618.contaboserver.net 5.4.0-105-generic #119-Ubuntu SMP Mon Mar 7 18:49:24 UTC 2022 x86_64 User : www-data ( 33) PHP Version : 8.2.12 Disable Function : NONE Directory : /lib/python3/dist-packages/certbot/__pycache__/ |
Upload File : |
U
�����]Q3������������������� ���@���sD��d�Z�ddlZddlZddlmZmZ�ddlmZmZ�z
ddlm Z �e
e j
d��W�n
�e
e
fk
rl���dZ Y�nX�ddlmZ�ddlmZ�dd lmZ�dd
lmZ�dd
lmZmZ�ddlZddlZdd
lmZm
Z
�dd
l
m
Z
�ddl
m Z �ddl m!Z!�ddl
m"Z"�e�#e$�Z%G�dd��de&�Z'dd��Z(dd��Z)dd��Z*dd��Z+dd
��Z,dS�)
z*Tools for checking certificate revocation.�����N)�datetime� timedelta)�Popen�PIPE)�ocsp�signature_hash_algorithm)�x509)�default_backend)�
serialization)�hashes)�UnsupportedAlgorithm�InvalidSignature)�Optional�Tuple)�
crypto_util)�errors)�
RenewableCert)�utilc�������������������@���s*���e�Zd�ZdZd
dd�Zdd��Zdd��Zd S�)
�RevocationCheckerzEThis class figures out OCSP checking on this system, and performs it.Fc�����������������C���s~���d|�_�|pt
�|�_|�jrzt�d�s6t�d��d|�_�d�S�tdddddgttdd �}|� ��\}}d
|krpd
d
��|�_
n
d
d
��|�_
d�S�)NF�opensslz-openssl not installed, can't check revocationTr����-header�var�val)�stdout�stderrZuniversal_newlinesz Missing =c�����������������S���s
���d|��gS�)NzHost=����hostr���r����./usr/lib/python3/dist-packages/certbot/ocsp.py�<lambda>1��������z,RevocationChecker.__init__.<locals>.<lambda>c�����������������S���s���d|�gS�)NZHostr���r
���r���r���r
���r ���3���r ���)
�brokenr����use_openssl_binaryr���Z
exe_exists�logger�infor���r���Z
communicate� host_args)�selfZ
enforce_openssl_binary_usageZtest_host_formatZ_out�errr���r���r
����__init__"���s ����
���
zRevocationChecker.__init__c�����������������C���sp���|j�|j�}}|�jrdS�tj�t����}|j|kr6dS�t |�\}}|rJ|sNdS�|�j
rd|��
||||�S�t
|||�S�)a
��Get revoked status for a particular cert version.
.. todo:: Make this a non-blocking call
:param `.storage.RenewableCert` cert: Certificate object
:returns: True if revoked; False if valid or the check failed or cert is expired.
:rtype: bool
F)
�cert�chainr!����pytzZUTCZfromutcr����utcnowZ
target_expiry�_determine_ocsp_serverr"����_check_ocsp_openssl_bin�_check_ocsp_cryptography)r&���r)���� cert_path�
chain_path�now�urlr
���r���r���r
����
ocsp_revoked5���s����
z
RevocationChecker.ocsp_revokedc�����������������C���s����dddd|d|d|d|d|d d
g|���|��}t�d
|��t�d
�|���ztj|tjd
�\}}W�n$�tjk
r����t�d|��Y�dS�X�t |||�S�)Nr���r���z -no_noncez-issuerz-certz-urlz-CAfilez
-verify_otherz
-trust_otherr���zQuerying OCSP for %s� )�log�*OCSP check failed for %s (are we offline?)F)
r%���r#����debug�joinr���Z
run_scriptr���ZSubprocessErrorr$����_translate_ocsp_query)r&���r0���r1���r
���r3����cmd�outputr'���r���r���r
���r.���T���s2�����������
z)RevocationChecker._check_ocsp_openssl_binN)F)�__name__�
__module__�
__qualname__�__doc__r(���r4���r.���r���r���r���r
���r��� ���s���
r���c�������������� ������s����t�|�d��}t�|���t���}W�5�Q�R�X�z:|j�tj�}tjj ����fdd�|j
D��}|d�j
j
}W�n(�tj
t
fk
r����t�d|���Y�dS�X�|���}|�d�d��d �}|r�||fS�t�d
||���dS�)
z�Extract the OCSP server host from a certificate.
:param str cert_path: Path to the cert we're checking OCSP for
:rtype tuple:
:returns: (OCSP server URL or None, OCSP server host or None)
�rbc��������������������s���g�|�]}|j���kr|�qS�r���)Z
access_method)�.0Z
description�Zocsp_oidr���r
����
<listcomp>x���s����
�z*_determine_ocsp_server.<locals>.<listcomp>r���z Cannot extract OCSP URI from %s)NNz://�����/z4Cannot process OCSP host from URL (%s) in cert at %s)�openr����load_pem_x509_certificate�readr ����
extensions�get_extension_for_classZAuthorityInformationAccessZ
AuthorityInformationAccessOIDZOCSP�valueZaccess_location�ExtensionNotFound�
IndexErrorr#���r$����rstrip� partition)r0����
file_handlerr)���� extensionZ
descriptionsr3���r
���r���rC���r
���r-���j���s ����
r-���c�����������
���
���C���s���t�|d��}t�|���t���}W�5�Q�R�X�t�|�d��}t�|���t���}W�5�Q�R�X�t���}|�||t� ���}|�
��}|�
t
j
j�}ztj||ddid�} W�n*�tjjk
r����tjd|�dd��Y�dS�X�| jd kr�t�d
|�| j��dS�t�| j�}
|
jtjjk�rt�d
|�|
j��dS�zt
|
|||���W�n��t
k
�rV�}
�zt�t
|
���W�5�d�}
~
X�Y�n��t j k
�r��}
�zt�t
|
���W�5�d�}
~
X�Y�nt�t!k
�r����t�d
|���Y�nT�t"k
�r��}
�zt�d
|�t
|
���W�5�d�}
~
X�Y�n X�t�#d|�|
j$��|
j$tj%j&kS�dS�)NrA���z
Content-Typezapplication/ocsp-request)�dataZheadersr7���T)�exc_infoF�����z*OCSP check failed for %s (HTTP status: %d)z'Invalid OCSP response status for %s: %sz)Invalid signature on OCSP response for %sz!Invalid OCSP response for %s: %s.z%OCSP certificate status for %s is: %s)'rG���r���rH���rI���r ���r���ZOCSPRequestBuilderZadd_certificater
���ZSHA1ZbuildZ
public_bytesr
���ZEncodingZDER�requestsZpost�
exceptionsZRequestExceptionr#���r$���Z
status_codeZload_der_ocsp_responseZcontentZresponse_statusZOCSPResponseStatusZ
SUCCESSFUL�error�_check_ocsp_responser
����strr����Errorr
����AssertionErrorr8���Zcertificate_statusZOCSPCertStatusZREVOKED)
r0���r1���r3���rQ����issuerr)���ZbuilderZrequestZrequest_binaryZresponse�
response_ocsp�erX���r���r���r
���r/�������sR����
�
��
$��r/���c�����������������C���s����|�j�|j�krtd��t|�||��t|�jt|j��rJ|�j|jksJ|�j|jkrRtd��t� ��}|�j
shtd��|�j
|t
dd��kr�td��|�j
r�|�j
|t
dd��k�r�td��dS�) z4Verify that the OCSP is valid for serveral criteriaszMthe certificate in response does not correspond to the certificate in requestz<the issuer does not correspond to issuer of the certificate.z
param thisUpdate is not set.����)Zminutesz"param thisUpdate is in the future.z param nextUpdate is in the past.N)
Z
serial_numberr\����
_check_ocsp_response_signature�
isinstanceZhash_algorithm�typeZissuer_key_hashZissuer_name_hashr���r,���Z
this_updater���Z
next_update)r^���Z
request_ocsp�
issuer_certr0���r2���r���r���r
���rY�������s ����
�
�
rY���c�������������� ������s������j�|jkr
t�d|��|}n�t�d|����fdd���jD��}|sJtd��|d�}|j|jkrftd��z"|j�t j
�}t j
j
j
|jk}W�n
�t jtfk
r����d}Y�nX�|s�td ��|j}t�|���|j|j|����j}t�|�����j��j|��d
S�)
zIVerify an OCSP response signature against certificate issuer or responderzGOCSP response for certificate %s is signed by the certificate's issuer.zGOCSP response for certificate %s is delegated to an external responder.c��������������������s
���g�|�]}|j���jkr|�qS�r���)�subject�responder_name)rB���r)����r^���r���r
���rD�������s����
�z2_check_ocsp_response_signature.<locals>.<listcomp>z0no matching responder certificate could be foundr���z?responder certificate is not signed by the certificate's issuerFz<responder is not authorized by issuer to sign OCSP responsesN)rf���re���r#���r8���Z
certificatesr\���r]���rJ���rK���r���ZExtendedKeyUsageZoidZExtendedKeyUsageOIDZ
OCSP_SIGNINGrL���rM���rN���r���r���Zverify_signed_payloadZ
public_keyZ signatureZtbs_certificate_bytesZtbs_response_bytes)r^���rd���r0���Zresponder_certZresponder_certsrR���Zdelegate_authorizedZ
chosen_hashr���rg���r
���ra�������s>����
��
����ra���c����������� ���������s����d}��fdd�|D��}�fdd�|D��\}}}|r<|��d�nd}d|ksT|rP|sT|rrt�d ����t�d
�|��d
S�|r~|s~d
S�|r�|��d�}|r�t�d
|��d
S�t�d�|��d
S�dS�)z7Parse openssl's weird output to work out what it means.)�good�revoked�unknownc��������������������s���g�|�]}d�����|��qS�)z{0}: (WARNING.*)?{1})�format)rB����s)r0���r���r
���rD�����s�����z)_translate_ocsp_query.<locals>.<listcomp>c�����������������3���s ���|�]}t�j|��t�jd��V��qdS�))�flagsN)�re�search�DOTALL)rB����p)�
ocsp_outputr���r
���� <genexpr>��s�����z(_translate_ocsp_query.<locals>.<genexpr>����NzResponse verify OKz#Revocation status for %s is unknownz Uncertain output:
%s
stderr:
%sFzOCSP revocation warning: %sTz2Unable to properly parse OCSP output: %s
stderr:%s)�groupr#���r$���r8����warning) r0���rr���Z
ocsp_errorsZstatesZpatternsrh���ri���rj���rv���r���)r0���rr���r
���r:���
��s(����
��r:���)-r@���Zloggingrn���r���r����
subprocessr���r���Zcryptography.x509r����getattrZ
OCSPResponse�
ImportError�AttributeErrorZ
cryptographyr���Z
cryptography.hazmat.backendsr ���Z
cryptography.hazmat.primitivesr
���r
���Zcryptography.exceptionsr
���r
���r+���rV���Zacme.magic_typingr���r���Zcertbotr���r���Zcertbot.storager���r���Z getLoggerr=���r#����objectr���r-���r/���rY���ra���r:���r���r���r���r
����<module>���s8���
K 1"1