o vhX@s\ddlZddlmZddlmZddlmZmZmZddlm Z m Z m Z ddl m Z ddlmZddlmZdd lmZdd lmZmZmZdd lmZdd lmZmZmZmZmZm Z dd l!m"Z"ddl#m$Z$m%Z%m&Z&ddl'm(Z(m)Z)m*Z*ddl+m,Z,ddl-m.Z.m/Z/ddl0m1Z1ddl2m3Z3m4Z4m5Z5dZ6de j7dede"fddZ8de j7dedede"def ddZ9de j7fddZ:eGd d!d!e,Z;d"ee j7e jd#e.d(e(d$e;d%ee j7fd)d*Z?de j7ded+e=d%ee=fd,d-Z@de j7ded.e"d#e.ded+e=d$e;ded%e=fd/d0ZAd#e.ded1eed%e=fd2d3ZBd4ed#e.d$e;d%e=fd5d6ZCd"ee j7e jd?Gd@dAdAZGed>d?GdBdCdCZH dGd"ee j7e jalgorithm_policyr@rr rAconsrOCSP_PROVENANCE_ERRr3record_validation)r&r'r4r(r5r6ocsp_ee_name_overrider=vcocsp_trunc_pathocsp_trunc_proc_stateer0ocsp_proc_stater1r1r2#_validate_delegated_ocsp_provenanceDs|        rVcCs|j}|duo d|jvS)N ocsp_signing)extended_key_usage_valuenative)r&extended_key_usager1r1r2 _ocsp_allowedsr[c@seZdZUdZeed<dS) _OCSPErrsrmismatch_failuresN)__name__ __module__ __qualname__r]int__annotations__r1r1r1r2r\s r\cert ocsp_responseerrsreturncCs|}|dur|jd7_dS|d}|ddj}t|tj}|r.t|j|}|j} nt |} t| |}|ddj} t|j |} |dj| k} |d j|k} |dj| k}| s]|rh| rh|jd7_dS| rr| d |dS|r|| d |dS| r| d |dSd S)NFcert_idhash_algorithm algorithmac_info serial_numberissuer_key_hashissuer_name_hashz-OCSP response issuer name hash does not matchz6OCSP response certificate serial number does not matchz,OCSP response issuer key hash does not matchT) extract_single_responser]rYr-r Certificategetattrr'rlr$ public_keyappend)rcr'rdre cert_responseresponse_cert_idissuer_hash_algois_pkccert_issuer_name_hashcert_serial_numberiss_namecert_issuer_key_hashkey_hash_mismatch name_mismatchserial_mismatchr1r1r2_match_ocsp_certidsP        r cert_storecCs|}|dus J|drtt|d|g}|d}|djdkr/|dj}||}n||dj}|r=|dnd}|sG| d||S)Ncertstbs_response_data responder_idby_keyrzVUnable to verify OCSP response since response signing certificate could not be located) extract_basic_ocsp_responserr from_certsnamerYretrieve_by_key_identifierretrieve_by_namechosenrs)rdrreresponse tbs_responsekey_identifierr&candidate_responder_certsr1r1r2_identify_responder_certs*   rrwcCsRt|tr|jj|jkr|j}t|d}t|d}||kSt|r%|s'dSdS)z This function checks OCSP conditions that don't require path validation to pass. If ``None`` is returned, path validation is necessary to proceed. signature_valueFN)r-rr/ issuer_serialbytesr[)r&r'rw issuer_cert issuer_sig responder_sigr1r1r2_precheck_ocsp_responder_auth s   r cert_pathc st|||}|dur|} n.zt|||||dIdHd} Wnty;} z|| jd|d} WYd} ~ nd} ~ ww| sD|d|| S)N)r&r'r4r(r5TrFzWUnable to verify OCSP response since response was signed by an unauthorized certificate)rrVrrsargs) r&r'rrdr4rwrer5 simple_checkauth_okrTr1r1r2_check_ocsp_authorisation/s0  r control_timecCs|}|dur dS|dj}|dkrdS|dkrB|dj}|d}|jdur,td}|dj}|dus9||krBtj||d |d dS) NF cert_statusgoodTrevokedrevocation_reason unspecifiedrevocation_timez OCSP response)reason revocation_dt revinfo_typer5)rorrrYrr rformat)rdr5rrtstatusrevocation_inforrr1r1r2_check_ocsp_statusTs(     r responder_keycCs|}|dur dS|d}zt|dj||d||dddWdSty5|d|YdStyD|d |YdSw) NFr signaturesignature_algorithm parameters)r signed_datasigned_digest_algorithmpublic_key_inforTz\The signature parameters on the OCSP response do not match the constraints on the public keyz(Unable to verify OCSP response signature)rr%rYdumprrsr )rrdrerrr1r1r2_verify_ocsp_signaturess.   rcCsJt||||d}|s dSt|||d}|sdSt|j||d}|s#dS|S)N)r'rdre)rre)rrdre)rrrrr)rcr'rdrrematchedr& signature_okr1r1r2_assess_ocsp_relevances$rrCc st||||j|d}|durdS|j|j|jd}|j} | tjkrD| tjkr0d} | |j n | tj kr8d} nd} |j | |dddSt |||||t|tj||d IdH} | s[dS|j} | jrd| jnd} t||| S) Nrcr'rdrreF)policy timing_paramsz"OCSP response is not recent enoughzOCSP response is too recentz0OCSP response freshness could not be establishedT)is_freshness_failure)r'rrdr4rwrer5)rcertificate_registry usable_atr=rratingr!OKSTALE update_stalelast_usable_atTOO_NEWrsrr-r rppoint_in_time_validationvalidation_timer)rcr'rCrdr4rer5r&freshness_resultrmsg authorisedtimingrr1r1r2_handle_single_ocsp_respsP        rc s"|p tt|d}|}z||}Wnty$td|wt}|j ||IdH}|D]9}zt |||||||dIdH} | rKWdSWq4t ym} zd} t j | | d|| |WYd} ~ q4d} ~ ww|jt|kr}td|dtd |d |j|jr|jd dd ) aa Verifies an OCSP response, checking to make sure the certificate has not been revoked. Fulfills the requirements of https://tools.ietf.org/html/rfc6960#section-3.2. :param cert: An asn1cyrpto.x509.Certificate object or an asn1crypto.cms.AttributeCertificateV2 object to verify the OCSP response for :param path: A pyhanko_certvalidator.path.ValidationPath object of the cert's validation path, or in the case of an AC, the AA's validation path. :param validation_context: A pyhanko_certvalidator.context.ValidationContext object to use for caching validation information :param proc_state: Internal state for error reporting and policy application decisions. :raises: pyhanko_certvalidator.errors.OCSPNoMatchesError - when none of the OCSP responses match the certificate pyhanko_certvalidator.errors.OCSPValidationIndeterminateError - when the OCSP response could not be verified pyhanko_certvalidator.errors.RevokedError - when the OCSP response indicates the certificate has been revoked rAz6Could not determine issuer certificate for %s in path.N)rcr'rCrdr4rer58Generic processing error while validating OCSP response.exc_infoz"No OCSP responses were issued for .zUnable to determine if z@ is revoked due to insufficient information from OCSP responses.)failures suspect_stale)r r#singrIfind_issuing_authority LookupErrorrr\revinfo_managerasync_retrieve_ocspsr ValueErrorloggingdebugrsr]lenrrfreshness_failures_onlystale_last_usable_at) rcrCr4r5cert_description cert_issuerreocsp_responsesrd ocsp_goodrTrr1r1r2verify_ocsp_responses^!      rT)frozenc@seZdZUeed<eed<dS)OCSPResponseOfInterestrd prov_pathN)r^r_r`r rbrr1r1r1r2r:s  rc@s,eZdZUdZeeed< eeed<dS)OCSPCollectionResultzd The result of an OCSP collection operation for AdES point-in-time validation purposes. responses failure_msgsN)r^r_r`__doc__rrrbstrr1r1r1r2r@s   rrc s:|p tt|d}z||}Wnty#td|dwg}|||IdH}|j}t } |D]Y} | j } | dusJ| |ksJ|| |krKq7z$t ||| |j | d} | dur\Wq7t | ||d}t| |d} || Wq7ty}zd}tj||d | || WYd}~q7d}~wwt|d d | jDd S) a5 Collect potentially relevant OCSP responses with the associated validation paths. Will not perform actual path validation. :param cert: The certificate under scrutiny. :param path: The path currently being evaluated. :param revinfo_manager: The revocation info manager. :param control_time: The control time before which the validation info should have been issued. :param proc_state: The state of any prior validation process. :return: A :class:`.OCSPCollectionResult`. rz+Could not determine issuer certificate for z in path.Nr)r()rdrrrcSsg|]}|dqS)rr1).0fr1r1r2 sz9collect_relevant_responses_with_paths..)rr)r r#rrrrrIr poe_managerr\ issuance_daterrr3rrsrrrrr)rcrCrrr5cert_issuer_authrelevantrrreocsp_response_contissuedr&resultrTrr1r1r2%collect_relevant_responses_with_pathsRsd   r)N)Jr dataclassesrrtypingrrr asn1cryptorrr asn1crypto.crlr asn1crypto.keysr cryptography.exceptionsr pyhanko_certvalidator._stater pyhanko_certvalidator.authorityrrrpyhanko_certvalidator.contextrpyhanko_certvalidator.errorsrrrrrrpyhanko_certvalidator.pathr!pyhanko_certvalidator.policy_declrrrpyhanko_certvalidator.registryrrr)pyhanko_certvalidator.revinfo._err_gatherr&pyhanko_certvalidator.revinfo.archivalr r!%pyhanko_certvalidator.revinfo.managerr"pyhanko_certvalidator.utilr#r$r%rNrpr3rVr[r\AttributeCertificateV2boolrrrrrrrrrrrrr1r1r1r2sL             X = % $ %    < U