U ]Q3 @sDdZddlZddlZddlmZmZddlmZmZzddlm Z e e j dWne e fk rldZ YnXddlmZddlmZdd lmZdd lmZdd lmZmZddlZddlZdd lmZmZdd lmZddlmZddl m!Z!ddlm"Z"e#e$Z%Gddde&Z'ddZ(ddZ)ddZ*ddZ+ddZ,dS)z*Tools for checking certificate revocation.N)datetime timedelta)PopenPIPE)ocspsignature_hash_algorithm)x509)default_backend) serialization)hashes)UnsupportedAlgorithmInvalidSignature)OptionalTuple) crypto_util)errors) RenewableCert)utilc@s*eZdZdZd ddZddZddZd S) RevocationCheckerzEThis class figures out OCSP checking on this system, and performs it.FcCs~d|_|pt |_|jrztds6tdd|_dStdddddgttdd }| \}}d |krpd d |_ n d d |_ dS)NFopensslz-openssl not installed, can't check revocationTr-headervarval)stdoutstderrZuniversal_newlinesz Missing =cSs d|gS)NzHost=hostrr./usr/lib/python3/dist-packages/certbot/ocsp.py1z,RevocationChecker.__init__..cSsd|gS)NZHostrrrrrr3r ) brokenruse_openssl_binaryrZ exe_existsloggerinforrZ communicate host_args)selfZenforce_openssl_binary_usageZtest_host_formatZ_outerrrrr__init__"s      zRevocationChecker.__init__cCsp|j|j}}|jrdStjt}|j|kr6dSt |\}}|rJ|sNdS|j rd| ||||St |||S)aGet revoked status for a particular cert version. .. todo:: Make this a non-blocking call :param `.storage.RenewableCert` cert: Certificate object :returns: True if revoked; False if valid or the check failed or cert is expired. :rtype: bool F) certchainr!pytzZUTCZfromutcrutcnowZ target_expiry_determine_ocsp_serverr"_check_ocsp_openssl_bin_check_ocsp_cryptography)r&r) cert_path chain_pathnowurlrrrr ocsp_revoked5s   zRevocationChecker.ocsp_revokedcCsdddd|d|d|d|d|d d g||}td |td |ztj|tjd \}}Wn$tjk rtd|YdSXt |||S)Nrrz -no_noncez-issuerz-certz-urlz-CAfilez -verify_otherz -trust_otherrzQuerying OCSP for %s )log*OCSP check failed for %s (are we offline?)F) r%r#debugjoinrZ run_scriptrZSubprocessErrorr$_translate_ocsp_query)r&r0r1rr3cmdoutputr'rrrr.Ts2  z)RevocationChecker._check_ocsp_openssl_binN)F)__name__ __module__ __qualname____doc__r(r4r.rrrrrs rc st|d}t|t}W5QRXz:|jtj}tjj fdd|j D}|dj j }Wn(tj t fk rtd|YdSX|}|ddd }|r||fStd ||dS) zExtract the OCSP server host from a certificate. :param str cert_path: Path to the cert we're checking OCSP for :rtype tuple: :returns: (OCSP server URL or None, OCSP server host or None) rbcsg|]}|jkr|qSr)Z access_method).0Z descriptionZocsp_oidrr xs z*_determine_ocsp_server..rzCannot extract OCSP URI from %s)NNz:///z4Cannot process OCSP host from URL (%s) in cert at %s)openrload_pem_x509_certificatereadr extensionsget_extension_for_classZAuthorityInformationAccessZAuthorityInformationAccessOIDZOCSPvalueZaccess_locationExtensionNotFound IndexErrorr#r$rstrip partition)r0 file_handlerr) extensionZ descriptionsr3rrrCrr-js  r-c Cst|d}t|t}W5QRXt|d}t|t}W5QRXt}|||t }| }| t j j}ztj||ddid} Wn*tjjk rtjd|ddYdSX| jd krtd || jdSt| j} | jtjjkrtd || jdSzt| |||Wntk rV} ztt| W5d} ~ XYntj k r} ztt| W5d} ~ XYntt!k rtd |YnTt"k r} ztd |t| W5d} ~ XYn Xt#d|| j$| j$tj%j&kSdS)NrAz Content-Typezapplication/ocsp-request)dataZheadersr7T)exc_infoFz*OCSP check failed for %s (HTTP status: %d)z'Invalid OCSP response status for %s: %sz)Invalid signature on OCSP response for %sz!Invalid OCSP response for %s: %s.z%OCSP certificate status for %s is: %s)'rGrrHrIr rZOCSPRequestBuilderZadd_certificater ZSHA1ZbuildZ public_bytesr ZEncodingZDERrequestsZpost exceptionsZRequestExceptionr#r$Z status_codeZload_der_ocsp_responseZcontentZresponse_statusZOCSPResponseStatusZ SUCCESSFULerror_check_ocsp_responser strrErrorr AssertionErrorr8Zcertificate_statusZOCSPCertStatusZREVOKED) r0r1r3rQissuerr)ZbuilderZrequestZrequest_binaryZresponse response_ocsperXrrrr/sR     $r/cCs|j|jkrtdt|||t|jt|jrJ|j|jksJ|j|jkrRtdt }|j shtd|j |t ddkrtd|j r|j |t ddkrtddS) z4Verify that the OCSP is valid for serveral criteriaszMthe certificate in response does not correspond to the certificate in requestz.z0no matching responder certificate could be foundrz?responder certificate is not signed by the certificate's issuerFz   rac sd}fdd|D}fdd|D\}}}|r<|dnd}d|ksT|rP|sT|rrtd td |d S|r~|s~d S|r|d}|rtd |d Std|d SdS)z7Parse openssl's weird output to work out what it means.)goodrevokedunknowncsg|]}d|qS)z{0}: (WARNING.*)?{1})format)rBs)r0rrrDsz)_translate_ocsp_query..c3s |]}tj|tjdVqdS))flagsN)researchDOTALL)rBp) ocsp_outputrr sz(_translate_ocsp_query..NzResponse verify OKz#Revocation status for %s is unknownzUncertain output: %s stderr: %sFzOCSP revocation warning: %sTz2Unable to properly parse OCSP output: %s stderr:%s)groupr#r$r8warning) r0rrZ ocsp_errorsZstatesZpatternsrhrirjrvr)r0rrrr: s(   r:)-r@Zloggingrnrr subprocessrrZcryptography.x509rgetattrZ OCSPResponse ImportErrorAttributeErrorZ cryptographyrZcryptography.hazmat.backendsr Zcryptography.hazmat.primitivesr r Zcryptography.exceptionsr r r+rVZacme.magic_typingrrZcertbotrrZcertbot.storagerrZ getLoggerr=r#objectrr-r/rYrar:rrrrs8           K1"1