ɯeiDzddlmZddlZddlmZmZddlmZddlmZm Z ddl m Z ddl m Z ddlmZdd lmZmZdd lmZmZmZmZmZmZmZmZdd lmZdd lmZdd l m!Z!ddl"m#Z#m$Z$ddl%m&Z&m'Z'ddl(m)Z)ddl*m+Z+m,Z,ddl-m.Z.ddl/m0Z0ddl1m2Z2m3Z3m4Z4m5Z5m6Z6m7Z7ddl8m9Z9ddl:m;Z;mGdde;Z?y)) annotationsN) b64decode b64encode) OrderedDict)datetimetimezone) getLogger)getenv)DigestAlgorithm)Integer OctetString)CertId OCSPRequest OCSPResponseRequestRequestsSingleResponse TBSRequestVersion) Certificate)InvalidSignature)default_backend)hashes serialization)paddingutils) DSAPublicKey)ECDSAEllipticCurvePublicKey) RSAPublicKey) Connection)&ER_OCSP_RESPONSE_ATTACHED_CERT_EXPIRED&ER_OCSP_RESPONSE_ATTACHED_CERT_INVALID$ER_OCSP_RESPONSE_CERT_STATUS_INVALID"ER_OCSP_RESPONSE_INVALID_SIGNATUREER_OCSP_RESPONSE_LOAD_FAILURE$ER_OCSP_RESPONSE_STATUS_UNSUCCESSFUL)RevocationCheckError) SnowflakeOCSPgenerate_cache_keyceZdZdZej ej ejdZdZ ddZ dZ dZ dddZ ddZd Zd Zd Z dd Zd Z dfd Z ddZdZdZ ddZ ddZddZxZS)SnowflakeOCSPAsn1CryptozOCSP checks by asn1crypto.)sha256sha384sha512c|\}}}tj|}tj|}tj|}tt ddd|||d}|S)Nsha1 algorithm parametershash_algorithmissuer_name_hashissuer_key_hash serial_number)r loadr rr )selfhkeyr7r8r9cert_ids e/var/www/html/glpi_dashboard/venv/lib/python3.12/site-packages/snowflake/connector/ocsp_asn1crypto.pyencode_cert_id_keyz*SnowflakeOCSPAsn1Crypto.encode_cert_id_key9sp;?8/=&++,<=%**?; ]3 "1"(=#%5#2!.    ct|SN)r*)r;r=s r>decode_cert_id_keyz*SnowflakeOCSPAsn1Crypto.decode_cert_id_keyJs !'**r@c>tjt|SrB)rr:r)r;cert_id_base64s r>decode_cert_id_base64z-SnowflakeOCSPAsn1Crypto.decode_cert_id_base64Ms{{9^455r@cpt|j|jjdSNascii)rr?dumpdecode)r;r<s r>encode_cert_id_base64z-SnowflakeOCSPAsn1Crypto.encode_cert_id_base64Ps,006;;=>EEgNNr@cd|tj}tjd|t |d5}ddlm}|j|jd}|D]:\}}}|dk(s tj|} | || jj<< dddy#1swYyxYw) z>Reads a certificate file including certificates in PEM format.Nzreading certificate bundle: %srbr)pemT)multiple CERTIFICATE) r)ROOT_CERTIFICATES_DICTloggerdebugopen asn1cryptorOunarmorreadrr:subjectr-) r;ca_bundle_filestorage all_certsrO pem_certs type_name_ der_bytescrts r>read_cert_bundlez(SnowflakeOCSPAsn1Crypto.read_cert_bundleSs ?#::G 5~F .$ ' 69 & INN$4t DI+4 6' 1i -%**95C25GCKK../ 6  6 6 6s6B&,0B&&B/c 8ttdddt|jjt|j j|j d}tdttdttd|igdi}||fS) zCreates CertId and OCSPRequest.r1Nr2r5 tbs_requestrreq_cert)version request_list) rr r issuerr1 public_keyr9rrrrr)r;rhrYr= ocsp_requests r>create_ocsp_requestz+SnowflakeOCSPAsn1Crypto.create_ocsp_requestbs "1"(=#%00C0C$D#.v/@/@/E/E#F!(!6!6    #z#*1:(0 '(2G%&!")    $ $$r@c4|j}|r|d}|Sd}|S)Nr) ocsp_urls)r;certurlsocsp_urls r>extract_ocsp_urlz(SnowflakeOCSPAsn1Crypto.extract_ocsp_urls'~~"47)-r@c"|jSrB)rJ)r;rjs r>decode_ocsp_requestz+SnowflakeOCSPAsn1Crypto.decode_ocsp_requests  ""r@c\|j|}t|jd}|SrH)rsrrK)r;rjdatab64datas r>decode_ocsp_request_b64z/SnowflakeOCSPAsn1Crypto.decode_ocsp_request_b64s+'' 5D/((1r@cF|dj}|dj}||fS)zExtracts GOOD status. this_update next_updatenative)r;single_responsethis_update_nativenext_update_natives r>extract_good_statusz+SnowflakeOCSPAsn1Crypto.extract_good_statuss2-];BB,];BB!#555r@cP|d}|jd}|jd}||fS)zExtracts REVOKED status. cert_statusrevocation_timerevocation_reasonr{)r;r} revoked_inforrs r>extract_revoked_statusz.SnowflakeOCSPAsn1Crypto.extract_revoked_statuss;&}5 &--.?@(//0CD 111r@c|dddj}|dddj}||kDs||kr dj|||t| }d|fSy)Ntbs_certificatevalidity not_before not_afterzCertificate attached to OCSP response is invalid. OCSP response current time - {} certificate not before time - {} certificate not after time - {}. Consider running curl -o ocsp.der {}F)TN)r|formatsuperdebug_ocsp_failure_url)r;cur_time ocsp_cert val_startval_end debug_msg __class__s r>check_cert_time_validityz0SnowflakeOCSPAsn1Crypto.check_cert_time_validitys/0<\JQQ -.z:;GNN g I!5LLRFG2 M )# #r@ctj|}|djdk7r-tdj |djt |j }|djr|dd}tjd|dd d jtjtj} |j||\}}|stj|y |d } | d d} | dj} | dk(r|j| ||y#t $r } tjd| Yd} ~ y d} ~ wwxYw)Nresponse_status successfulInvalid Status: {}msgerrnocertsrzOVerifying the attached certificate is signed by the issuer. Valid Not After: %srrrFtbs_response_data responsesrgoodz#Failed to validate ocsp response %sT)rr:r|r(rr'basic_ocsp_responserSrTrnowrutcrname_process_good_status Exception) r;r= ocsp_responseresrrr cert_validrrr}rexs r> is_valid_timez%SnowflakeOCSPAsn1Crypto.is_valid_times\ .  ! ( (L 8&(//4E0F0M0MN:  "55 w ' . .+G4Q7I LL2+,Z8ELL   ||HLL1H %)$A$A(I$V !J  Y'/0CD+K8;%m499  f$))/7MR    LL> C sD(( E1E  Ec tj|}|jtd}|t dt |djdk7r-t dj|djt|j}|d jrtjd |d d }tjd tjd |dddjtjtj } |j#|j$|j&||d|j-||\} } | s(t | t.tjd|}|d} tjd |j#|dj$|dj|| | dd } | dj2}|j"td}|dk(rd}n|dk(rd}n|dk(rd} |dk(r|j5| ||y|dk(r|j7| |y|dk(r|j9|ydj|} t | t:#t $rt dt wxYw#t$r } t | j(t*d} ~ wwxYw#t$r } t | j(t0d} ~ wwxYw#t$rB}dj|j(|j<} t | |j>d}~wwxYw)N$SF_TEST_OCSP_FORCE_BAD_OCSP_RESPONSEz Force fail)rzInvalid OCSP Responserrrrrz.Certificate is attached in Basic OCSP Responserz:Verifying the attached certificate is signed by the issuerzValid Not After: %srrrzNCertificate is NOT attached in Basic OCSP Response. Using issuer's certificaterz4Verifying the OCSP response is signed by the issuer.signature_algorithm signaturerrSF_TEST_OCSP_CERT_STATUSrevokedunknownrzJUnknown revocation status was returned.OCSP response may be malformed: {}.z'{} Consider running curl -o ocsp.der {}) rr: test_moder r(r&rr|rr'rrSrTrrrrverify_signature hash_algorrr#rr"r%rr_process_revoked_status_process_unknown_statusr$rr)r;rhr=rrocsp_load_failurerrrrcerrrr}rtest_cert_statusop_ers r>process_ocsp_responsez-SnowflakeOCSPAsn1Crypto.process_ocsp_responsesk ##M2C~~)$*+Q$R!$0.$,I  ! ( (L 8&(//4E0F0M0MN:  "55 w ' . . LLI J+G4Q7I LLO  LL%+,Z8ELL   ||HLL1H %%''''/0 %)$A$A(I$V !J *!)O LL- I/0CD KL   ! !#$9:DD#K077!  ,K8;%m499 >> %%&@A 9,' !Y.' !V+$  If$))/7MR ),,_gF ),,W5::@&:M+!)My &+3P  H( *'M 8$ &GG#E  >$ IAHH 466I'9EKKH H  Ise?I>,J .KK4-K4K4"K4>J K%KK K1K,,K14 L?==L::L?c0t}tj|jj t}|t j vrt j |}ntj}tj||}|j|j |j} t} t|tr0tj | d<t#j$|| d<nZt|t&rt#j$|| d<n1t|t(r!t+t#j$|| d< |j,|| fi| y#t.$r t1dwxYw)N)backendrr3rzFailed to verify the signaturer)rrload_der_public_keyrirJr,#SIGNATURE_ALGORITHM_TO_DIGEST_CLASSrSHA1Hashupdatefinalizedict isinstancer rPKCS1v15r Prehashedrrrverifyrr() r;rrrnrurri chosen_hashhasherdigestadditional_kwargss r>rz(SnowflakeOCSPAsn1Crypto.verify_signatureas]!#"66 OO "O,=  &JJ K2UU#K !++-K['2 diik""376 j, /+2+;+;+= i (-2__[-I k *  L 1-2__[-I k *  $: ;7< ,8 3 4 M J   $    M&+KL L Ms *E??Fcdddlm}m}t}|j }t j dt||j|D]}|||}tj|}t j d|jj|jj|||jj<|jjtj vst j d|jjn|j#|S)zHGets certificate chain and extract the key info from OpenSSL connection.r) FILETYPE_ASN1dump_certificatez# of certificates: %szsubject: %s, issuer: %szCA trusted root certificate found: %s, stopping chain traversal here)OpenSSL.cryptorrrget_peer_cert_chainrSrTlen_lazy_read_ca_bundlerr:rYr|rhr-r)rRcreate_pair_issuer_subject) r; connectionrrcert_map cert_chain cert_opensslcert_derrns r>extract_certificate_chainz1SnowflakeOCSPAsn1Crypto.extract_certificate_chains C=335  ,c*o> !!#& L' |DH##H-D LL)4<<+>+> @R@R -1HT\\(( ){{!!]%I%II YLL'' ..x88r@cg}|D]}||}|js|jr |js-|jj}||vrl|j t jd|jj|tjvr tdtj|}n||}|j||f|S)z1Creates pairs of issuer and subject certificates.znot found issuer_der: %szCA certificate is NOT found in the root certificate list. Make sure you use the latest Python Connector package and the URL is valid.r) ocsp_no_check_valuecarmrhr-rrSrTr|r)rRr(append)r;rissuer_subject subject_derrY issuer_hashrhs r>rz2SnowflakeOCSPAsn1Crypto.create_pair_issuer_subjects# 5K{+G**gjjARAR!..//K(*))+ 79N9NOm&J&JJ.I '==kJ!+.  ! !67"3 4- 5.r@c.|jjSrB)rYr|)r;rYs r> subject_namez$SnowflakeOCSPAsn1Crypto.subject_names%%%r@)r=rreturnztuple[bytes, bytes, bytes]rB)rNone)rhrrYrrztuple[CertId, OCSPRequest])r}rrztuple[datetime, datetime])rrrrrztuple[bool, str | None])rbool)rr!r%list[tuple[Certificate, Certificate]])rrrr)rYrrr)__name__ __module__ __qualname____doc__rSHA256SHA384SHA512rr?rCrFrLrbrkrqrsrwrrrrrrrrr __classcell__)rs@r>r,r,/s$------+' "+6O 6"%"%"% $ "%H # 6-6 "62 -8 ,0dlI\#MJ9$9 .94# .<&r@r,)@ __future__rtypingbase64rr collectionsrrrloggingr osr asn1crypto.algosr asn1crypto.corer r asn1crypto.ocsprrrrrrrrasn1crypto.x509rcryptography.exceptionsrcryptography.hazmat.backendsrcryptography.hazmat.primitivesrr)cryptography.hazmat.primitives.asymmetricrr-cryptography.hazmat.primitives.asymmetric.dsar,cryptography.hazmat.primitives.asymmetric.ecrr-cryptography.hazmat.primitives.asymmetric.rsar OpenSSL.SSLr!snowflake.connector.errorcoder"r#r$r%r&r'snowflake.connector.errorsr("snowflake.connector.ocsp_snowflaker)r*rrSr,r@r>rsv" '#',0   (48@DFVF"<P 8 P&mP&r@