WwgXddlZddlmZddlmZddlmZmZmZddlm Z m Z m Z ddl m Z ddlmZddlmZdd lmZdd lmZmZmZdd lmZdd lmZmZmZmZmZm Z dd l!m"Z"ddl#m$Z$m%Z%m&Z&ddl'm(Z(m)Z)m*Z*ddl+m,Z,ddl-m.Z.m/Z/ddl0m1Z1ddl2m3Z3m4Z4m5Z5dZ6de jndede"fdZ8de jndedede"def dZ9de jnfdZ:eGdde,Z;dee jne jxfded e.d!e;d"e=f d#Z>d e.d$e(d!e;d"ee jnfd%Z?de jnded&e=d"ee=fd'Z@de jnded(e"d e.ded&e=d!e;ded"e=fd)ZAd e.ded*eed"e=fd+ZBd,ed e.d!e;d"e=fd-ZCdee jne jxfded e.d$e(d!e;d"ee jnf d.ZDdee jne jxfded/e"d e.ded!e;ded"e=fd0ZE d:dee jne jxfd/e"dedeefd1ZFed23Gd4d5ZGed23Gd6d7ZH d:dee jne jxfd/e"d8e1d*edeed"eHf d9ZIy);N) dataclass)datetime)ListOptionalUnion)cmscrlx509) CRLReason) PublicKeyInfo)InvalidSignature) ValProcState) AuthorityAuthorityWithCert TrustAnchor)ValidationContext)OCSPNoMatchesErrorOCSPValidationError OCSPValidationIndeterminateErrorPathValidationErrorPSSParameterMismatch RevokedError)ValidationPath)CertRevTrustPolicyRevocationCheckingPolicyRevocationCheckingRule)CertificateCollectionLayeredCertificateStoreSimpleCertificateStore)Errors) OCSPContainerRevinfoUsabilityRating)RevinfoManager)ConsListextract_ac_issuer_dir_name validate_sigzXUnable to verify OCSP response since response signing certificate could not be validatedresponder_certissueree_pathct|tr|j|j|}|St t |g|}|S)N trust_anchorintermleaf) isinstancertruncate_to_and_append certificaterr)r'r(r)responder_chains b/var/www/horilla/myenv/lib/python3.12/site-packages/pyhanko_certvalidator/revinfo/validate_ocsp.py_delegated_ocsp_response_pathr47sR&+,!88     )$V,Rn  validation_context proc_statecK|j|r-tjd|jjz|ddlm}|jddz}|jtttjtj}tt|gd ||j|j |j" }t%t|g| } t'|j(j+| | } ||| | d{t1|||} |j3|| yt1|||} t'|j(j+| | } ||| | d{y7l#t$r} t-t.| d} ~ wwxYw7(#t$r} t-t.| d} ~ wwxYww)NzVRecursion detected in OCSP responder authorisation check for responder certificate %s.r)intl_validate_pathT) never_defz OCSP responder)ee_certificate_ruleintermediate_ca_cert_rule)revocation_checking_policyF) trust_rootsallow_fetchingrevinfo_policymomentalgorithm_usage_policytime_tolerancer+)cert_path_stackee_name_override)pathr7)check_path_verif_recursionr from_statesubjecthuman_friendlypyhanko_certvalidator.validater9 describe_certocsp_no_check_valuerrrNO_CHECKrrrAalgorithm_policyrCrrrDconsrOCSP_PROVENANCE_ERRr4record_validation)r'r(r6r)r7r9ocsp_ee_name_overrider@vcocsp_trunc_pathocsp_trunc_proc_stateer2ocsp_proc_states r3#_validate_delegated_ocsp_provenancerYEs,,^<",, (*8*@*@*O*O P   B   4 03DD))5,'?$:$C$C*@*I*I( $V,- )%,,#5#F#F-<<  )$V,Rn !-&66;;OL2!  B$5J  8 FG  ,,^_M7 FG '&66;;OL2  B$"$*  1 # B%&9: A B*  # B%&9: A BssDGF F !F%AG9F2F0F2 G F F-F((F--G0F22 G;G  GGcB|j}|duxrd|jvS)N ocsp_signing)extended_key_usage_valuenative)r'extended_key_usages r3 _ocsp_allowedr_s/'@@$& 8 077 7r5ceZdZUdZeed<y) _OCSPErrsrmismatch_failuresN)__name__ __module__ __qualname__rbint__annotations__r5r3raras sr5racert ocsp_responseerrsreturnc|j}||xjdz c_y|d}|ddj}t|tj }|r#t |j|}|j} n)t|} t | |}|ddj} t |j|} |dj| k7} |d j|k7} |dj| k7}| s|r| r|xjdz c_y| r|jd |y|r|jd |y| r|jd |yy )NFcert_idhash_algorithm algorithmac_info serial_numberissuer_key_hashissuer_name_hashz-OCSP response issuer name hash does not matchz6OCSP response certificate serial number does not matchz,OCSP response issuer key hash does not matchT) extract_single_responserbr]r/r Certificategetattrr(rsr% public_keyappend)rir(rjrk cert_responseresponse_cert_idissuer_hash_algois_pkccert_issuer_name_hashcert_serial_numberiss_namecert_issuer_key_hashkey_hash_mismatch name_mismatchserial_mismatchs r3_match_ocsp_certidrs "99;M !#$Y/'(89+FMM d.. /F ' 5E F!//-d3 '2B C!)__=DD"6#4#46FG *+226JJ +,337LL )004FF .? !# ;]  D   :M  r5 cert_storecd|j}|J|dr#ttj|d|g}|d}|djdk(r!|dj }|j |}n'|j|dj}|r|dnd}|s|jd||S)Ncertstbs_response_data responder_idby_keyrzVUnable to verify OCSP response since response signing certificate could not be located) extract_basic_ocsp_responserr from_certsnamer]retrieve_by_key_identifierretrieve_by_namechosenrz)rjrrkresponse tbs_responsekey_identifierr'candidate_responder_certss r3_identify_responder_certrs88:H   , # . .x/@ A: N /0LN#((H4%n5<<#>>~N$.$?$?  ( / /% !-F %a (4    /  r5r~ct|trP|jj|jk(r-|j}t |d}t |d}||k(St |r|syy)z This function checks OCSP conditions that don't require path validation to pass. If ``None`` is returned, path validation is necessary to proceed. signature_valueFN)r/rr1 issuer_serialbytesr_)r'r(r~ issuer_cert issuer_sig responder_sigs r3_precheck_ocsp_responder_authr ss 6,-    , ,0L0L L(( ;'89: n->?@ ]**> *& r5 cert_pathcKt|||}||} n t|||||d{d} | s|jd|| S7#t$r+} |j| jd|d} Yd} ~ Gd} ~ wwxYww)N)r'r(r6r)r7TrFzWUnable to verify OCSP response since response was signed by an unauthorized certificate)rrYrrzargs) r'r(rrjr6r~rkr7 simple_checkauth_okrWs r3_check_ocsp_authorisationr0s1PL 5-#5!%   G   4  N# #  KKq = 1G s=A?AAAA?A A<!A72A?7A<<A? control_timec&|j}|y|dj}|dk(ry|dk(rd|dj}|d}|jt j d}|dj}|||krt j||d | y) NF cert_statusgoodTrevokedrevocation_reason unspecifiedrevocation_timez OCSP response)reason revocation_dt revinfo_typer7)rvrrr]r r rformat)rjr7rr{statusrevocation_inforrs r3_check_ocsp_statusrUs "99;M= ) . .F  ' 6==+,?@ == ]]=1F"12C"D"K"K  =L#@%%+,%   r5 responder_keyc|j}|y|d} t|dj|j|d||ddy#t$r|j d|Yyt $r|j d |YywxYw) NFr signaturesignature_algorithm parameters)r signed_datasigned_digest_algorithmpublic_key_inforTz\The signature parameters on the OCSP response do not match the constraints on the public keyz(Unable to verify OCSP response signature)rr&r]dumprrzr )rrjrkrrs r3_verify_ocsp_signaturerts88:H/0LO{+22$))+$,-B$C) 56|D      0    O > N Os4AB ,B B ct||||}|syt|||}|syt|j||}|sy|S)N)r(rjrk)rrk)rrjrk)rrrry)rir(rjrrkmatchedr' signature_oks r3_assess_ocsp_relevancers_! V=tG -*4N )$//# L  r5rFc bKt||||j|}|y|j|j|j}|j } | t jk7r^| t jk(rd} |j|jn| t jk(rd} nd} |j| |dyt|||||t|tj || d{} | sy|j} | j"r | j$nd} t'||| S7:w) Nrir(rjrrkF)policy timing_paramsz"OCSP response is not recent enoughzOCSP response is too recentz0OCSP response freshness could not be establishedT)is_freshness_failure)r(rrjr6r~rkr7)rcertificate_registry usable_atr@rratingr"OKSTALE update_stalelast_usable_atTOO_NEWrzrr/r rwpoint_in_time_validationvalidation_timer)rir(rFrjr6rkr7r'freshness_resultrmsg authorisedtimingrs r3_handle_single_ocsp_resprsD, #%::  N$..!00(66/ $ $F '*** +11 16C   .== > -55 5/CDC CT B1#-$ 0 01   J   - -F"("A"At mZ FF# sC0D/2D-3;D/c K|xsttj|}|j} |j |}t}|jj||d{}|D]!} t|||||||d{} | ry#|jt!|k(rt d|dt#d |d |j$|j&r|j( d #t $rt d|jwxYw77#t$r5} d} tj| | |j| |Yd} ~ d} ~ wwxYww) aa Verifies an OCSP response, checking to make sure the certificate has not been revoked. Fulfills the requirements of https://tools.ietf.org/html/rfc6960#section-3.2. :param cert: An asn1cyrpto.x509.Certificate object or an asn1crypto.cms.AttributeCertificateV2 object to verify the OCSP response for :param path: A pyhanko_certvalidator.path.ValidationPath object of the cert's validation path, or in the case of an AC, the AA's validation path. :param validation_context: A pyhanko_certvalidator.context.ValidationContext object to use for caching validation information :param proc_state: Internal state for error reporting and policy application decisions. :raises: pyhanko_certvalidator.errors.OCSPNoMatchesError - when none of the OCSP responses match the certificate pyhanko_certvalidator.errors.OCSPValidationIndeterminateError - when the OCSP response could not be verified pyhanko_certvalidator.errors.RevokedError - when the OCSP response indicates the certificate has been revoked rDz6Could not determine issuer certificate for %s in path.N)rir(rFrjr6rkr78Generic processing error while validating OCSP response.exc_infoz"No OCSP responses were issued for .zUnable to determine if z@ is revoked due to insufficient information from OCSP responses.)failures suspect_stale)rr$singrLfind_issuing_authority LookupErrorrrarevinfo_managerasync_retrieve_ocspsr ValueErrorloggingdebugrzrblenrrfreshness_failures_onlystale_last_usable_at) rirFr6r7cert_description cert_issuerrkocsp_responsesrj ocsp_goodrWrs r3verify_ocsp_responsersBP|HMM$rs4!((%%$)45 <6  =A) $$ .7 BP UB$$UB UB*UB UB  UBp$"2"2  :   #"<"<< =: :!:  :  :z" "%" "d "J!$$!.7!AE! d^!H"$$" ""! " * "  " "" "J 8$ > 1>FO :   #"<"<< = !&    d :5G   #"<"<< =5G 5G 5G! 5G * 5G  5G5G 5Gx*. R   #"<"<< =R R*R& Rj $  $,*. L   #"<"<< =L L$L L & L  Lr5