ó Á£ô_c@sàdZddlmZddlmZddlZddlZddlmZddlmZddlm Z ddl m Z dd l m Z dd l mZdd lmZdd lmZddlZddlZdd lmZddlmZddlmZddlmZddlmZddlmZddlmZy$ddlm Z e!e j"dƒWne#e$fk r‰dZ nXej&e'ƒZ(de)fd„ƒYZ*d„Z+d„Z,d„Z-d„Z.d„Z/dS(s*Tools for checking certificate revocation.iÿÿÿÿ(tdatetime(t timedeltaN(tPIPE(tPopen(tx509(tInvalidSignature(tUnsupportedAlgorithm(tdefault_backend(thashes(t serialization(tOptional(tTuple(t crypto_util(terrors(tutil(tgetenv(t RenewableCert(tocsptsignature_hash_algorithmtRevocationCheckercBs8eZdZed„Zd„Zdd„Zd„ZRS(sEThis class figures out OCSP checking on this system, and performs it.c CsÄt|_|pt |_|jrÀtjdƒsKtjdƒt|_dSt dddddgdt dt d td tj ƒƒ}|j ƒ\}}d |kr±d „|_ qÀd „|_ ndS(Ntopenssls-openssl not installed, can't check revocationRs-headertvartvaltstdouttstderrtuniversal_newlinestenvs Missing =cSs d|gS(NsHost=((thost((s0/usr/lib/python2.7/site-packages/certbot/ocsp.pyt:scSs d|gS(NtHost((R((s0/usr/lib/python2.7/site-packages/certbot/ocsp.pyR<s(tFalsetbrokenRtuse_openssl_binaryRt exe_existstloggertinfotTrueRRtenv_no_snap_for_external_callst communicatet host_args(tselftenforce_openssl_binary_usagettest_host_formatt_outterr((s0/usr/lib/python2.7/site-packages/certbot/ocsp.pyt__init__*s     cCs|j|j|jƒS(s Get revoked status for a particular cert version. .. todo:: Make this a non-blocking call :param `.interfaces.RenewableCert` cert: Certificate object :returns: True if revoked; False if valid or the check failed or cert is expired. :rtype: bool (tocsp_revoked_by_pathst cert_patht chain_path(R(tcert((s0/usr/lib/python2.7/site-packages/certbot/ocsp.pyt ocsp_revoked>s i cCs—|jr tStjjtjƒƒ}tj|ƒ|kr>tSt |ƒ\}}| s^| rbtS|j r„|j |||||ƒSt ||||ƒS(sEPerforms the OCSP revocation check :param str cert_path: Certificate filepath :param str chain_path: Certificate chain :param int timeout: Timeout (in seconds) for the OCSP query :returns: True if revoked; False if valid or the check failed or cert is expired. :rtype: bool ( RRtpytztUTCtfromutcRtutcnowR tnotAftert_determine_ocsp_serverR t_check_ocsp_openssl_bint_check_ocsp_cryptography(R(R/R0ttimeouttnowturlR((s0/usr/lib/python2.7/site-packages/certbot/ocsp.pyR.Ks  c Csjtdƒ}tdƒ}d}|dk s6|dk rQ|dk rH|n|}n|dkrld|g} n4|jdƒrŽ|tdƒ}nd|d|g} ddd d |d |d |d |ddt|ƒdg|j|ƒ| } tjd|ƒtjdj| ƒƒy"t j | dtjƒ\} } Wn%t j k rYtj d|ƒtSXt|| | ƒS(Nt http_proxyt HTTP_PROXYs-urlshttp://s-hosts-pathRRs -no_nonces-issuers-certs-CAfiles -verify_others -trust_others-timeouts-headersQuerying OCSP for %st tlogs*OCSP check failed for %s (are we offline?)(RtNonet startswithtlentstrR'R"tdebugtjoinRt run_scriptR tSubprocessErrorR#Rt_translate_ocsp_query( R(R/R0RR=R;tenv_http_proxytenv_HTTP_PROXYt proxy_hostturl_optstcmdtoutputR,((s0/usr/lib/python2.7/site-packages/certbot/ocsp.pyR9is&    J"(t__name__t __module__t__doc__RR-R2R.R9(((s0/usr/lib/python2.7/site-packages/certbot/ocsp.pyR's   c Cst|dƒ"}tj|jƒtƒƒ}WdQXy`|jjtjƒ}tjj }g|j D]}|j |kra|^qa}|dj j }Wn+tj tfk rÀtjd|ƒd SX|jƒ}|jdƒdjdƒ}|rù||fStjd||ƒd S( sÎExtract the OCSP server host from a certificate. :param str cert_path: Path to the cert we're checking OCSP for :rtype tuple: :returns: (OCSP server URL or None, OCSP server host or None) trbNisCannot extract OCSP URI from %ss://it/s;Cannot process OCSP host from URL (%s) in certificate at %s(NN(NN(topenRtload_pem_x509_certificatetreadRt extensionstget_extension_for_classtAuthorityInformationAccesstAuthorityInformationAccessOIDtOCSPtvaluet access_methodtaccess_locationtExtensionNotFoundt IndexErrorR"R#RBtrstript partition( R/t file_handlerR1t extensiontocsp_oidt descriptiont descriptionsR=R((s0/usr/lib/python2.7/site-packages/certbot/ocsp.pyR8s" !   c CsUt|dƒ"}tj|jƒtƒƒ}WdQXt|dƒ"}tj|jƒtƒƒ}WdQXtjƒ}|j||tj ƒƒ}|j ƒ}|j t j jƒ} y,tj|d| didd6d|ƒ} Wn.tjjk r tjd|dtƒtSX| jd kr4tjd || jƒtStj| jƒ} | jtjjkrutjd || jƒtSyt| |||ƒWn™tk r´} tjt | ƒƒnt!j"k rÜ} tjt | ƒƒnut#k rütjd |ƒnUt$k r'} tjd |t | ƒƒn*Xtj%d|| j&ƒ| j&tj'j(kStS(NRTtdatatheaderssapplication/ocsp-requests Content-TypeR;s*OCSP check failed for %s (are we offline?)texc_infoiÈs*OCSP check failed for %s (HTTP status: %d)s'Invalid OCSP response status for %s: %ss)Invalid signature on OCSP response for %ss!Invalid OCSP response for %s: %s.s%OCSP certificate status for %s is: %s()RVRRWRXRRtOCSPRequestBuildertadd_certificateRtSHA1tbuildt public_bytesR tEncodingtDERtrequeststpostt exceptionstRequestExceptionR"R#R$Rt status_codetload_der_ocsp_responsetcontenttresponse_statustOCSPResponseStatust SUCCESSFULterrort_check_ocsp_responseRRER tErrorRtAssertionErrorRFtcertificate_statustOCSPCertStatustREVOKED(R/R0R=R;RetissuerR1tbuildertrequesttrequest_binarytresponset response_ocspteR~((s0/usr/lib/python2.7/site-packages/certbot/ocsp.pyR:®sJ!!         cCs|j|jkr!tdƒ‚nt|||ƒt|jt|jƒƒ sq|j|jksq|j|jkr€tdƒ‚ntj ƒ}|j s¤tdƒ‚n|j |t ddƒkrÏtdƒ‚n|j r|j |t ddƒkrtdƒ‚ndS( s2Verify that the OCSP is valid for several criteriasMthe certificate in response does not correspond to the certificate in requests<the issuer does not correspond to issuer of the certificate.sparam thisUpdate is not set.tminutesis"param thisUpdate is in the future.s param nextUpdate is in the past.N( t serial_numberRt_check_ocsp_response_signaturet isinstancethash_algorithmttypetissuer_key_hashtissuer_name_hashRR6t this_updateRt next_update(RŠt request_ocspt issuer_certR/R<((s0/usr/lib/python2.7/site-packages/certbot/ocsp.pyRàs  %c CsŸd„}|j|jks0|j||ƒkrItjd|ƒ|}n'tjd|ƒg|jD]3}|j|jks|j||ƒkrc|^qc}|s±tdƒ‚n|d}|j|jkrÜtdƒ‚ny1|jj t j ƒ}t j j j|jk}Wn t jtfk r/t}nX|sEtdƒ‚n|j} tj|jƒ|j|j| ƒ|j} tj|jƒ|j|j| ƒdS( sIVerify an OCSP response signature against certificate issuer or respondercSstjj|jƒƒjS(N(RtSubjectKeyIdentifiertfrom_public_keyt public_keytdigest(R1((s0/usr/lib/python2.7/site-packages/certbot/ocsp.pyt _key_hashssGOCSP response for certificate %s is signed by the certificate's issuer.sGOCSP response for certificate %s is delegated to an external responder.s0no matching responder certificate could be foundis?responder certificate is not signed by the certificate's issuers<responder is not authorized by issuer to sign OCSP responsesN(tresponder_nametsubjecttresponder_key_hashR"RFt certificatesRR…RYRZRtExtendedKeyUsagetoidtExtendedKeyUsageOIDt OCSP_SIGNINGR^RaRbRRR tverify_signed_payloadRšt signaturettbs_certificate_bytesttbs_response_bytes( RŠR—R/Rœtresponder_certR1tresponder_certsRftdelegate_authorizedt chosen_hash((s0/usr/lib/python2.7/site-packages/certbot/ocsp.pyRŽs:    !     c sd }g|D]}dj||ƒ^q }‡fd†|Dƒ\}}}|r_|jdƒnd } d|ksƒ|r}| sƒ|rªtjd|ƒtjd ˆ|ƒtS|r»| r»tS|rí|jdƒ} | rétjd | ƒntStjd ˆ|ƒtSd S(s7Parse openssl's weird output to work out what it means.tgoodtrevokedtunknowns{0}: (WARNING.*)?{1}c3s*|] }tj|ˆdtjƒVqdS(tflagsN(tretsearchtDOTALL(t.0tp(t ocsp_output(s0/usr/lib/python2.7/site-packages/certbot/ocsp.pys =sisResponse verify OKs#Revocation status for %s is unknownsUncertain output: %s stderr: %ssOCSP revocation warning: %ss2Unable to properly parse OCSP output: %s stderr:%sN(sgoodsrevokedsunknown( tformattgroupRBR"R#RFRR$twarning( R/R¶t ocsp_errorststateststpatternsR­R®R¯R¹((R¶s0/usr/lib/python2.7/site-packages/certbot/ocsp.pyRJ8s$%   (0RSRRtloggingR±t subprocessRRt cryptographyRtcryptography.exceptionsRRtcryptography.hazmat.backendsRtcryptography.hazmat.primitivesRR R3Rttacme.magic_typingR R tcertbotR R Rtcertbot.compat.osRtcertbot.interfacesRtcryptography.x509Rtgetattrt OCSPResponset ImportErrortAttributeErrorRBt getLoggerRQR"tobjectRR8R:RRŽRJ(((s0/usr/lib/python2.7/site-packages/certbot/ocsp.pytsB     h  2 " 6