| Server IP : 209.38.156.173 / Your IP : 216.73.216.122 [ Web Server : Apache/2.4.52 (Ubuntu) System : Linux lakekumayuhotel 5.15.0-136-generic #147-Ubuntu SMP Sat Mar 15 15:53:30 UTC 2025 x86_64 User : root ( 0) PHP Version : 8.1.2-1ubuntu2.22 Disable Function : NONE Domains : 2 Domains MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : OFF | Sudo : ON | Pkexec : ON Directory : /proc/thread-self/root/usr/lib/python3/dist-packages/certbot/__pycache__/ |
Upload File : |
o
����6��aM:�������������������
���@���s���d�Z�ddlmZ�ddlmZ�ddlZddlZddlZddlmZ�ddlmZ�ddlm Z �ddl
m
Z
�dd l
m
Z
�dd
l
mZ�dd
lmZ�dd
lmZ�dd
lmZ�ddlZddlZddlmZ�ddlmZ�ddlmZ�ddlmZ�ddl
m
Z
�zddl
m Z �e e j!d��W�n
�e"e#fy����dZ Y�nw�e�$e%�Z&G�dd��d�Z'de(de ee(�ee(�f�fdd�Z)de(de(d
e(d
e*de+f
d
d �Z,d d!��Z-d"d#��Z.d$d%��Z/dS�)&z*Tools for checking certificate revocation.�����)�datetime)� timedeltaN)�PIPE)�Optional)�Tuple)�x509)�InvalidSignature)�UnsupportedAlgorithm)�default_backend)�hashes)�
serialization)�
crypto_util)�errors)�util)�getenv)�
RenewableCert)�ocsp�signature_hash_algorithmc����������������
���@���sj���e�Zd�ZdZddd�Zdedefdd�Zdd
ed
ed
e defd
d�Z
d
ed
ededed
e def
dd�Z
dS�)�RevocationCheckerzEThis class figures out OCSP checking on this system, and performs it.Fc�����������������C���s~���d|�_�|pt
�|�_|�jr=t�d�st�d��d|�_�d�S�tjg�d�t t ddt�
��d�}d|j
v�r6dd ��|�_
d�S�d
d ��|�_
d�S�d�S�)
NF�opensslz-openssl not installed, can't check revocationT)r���r����-header�var�val)�stdout�stderr�universal_newlines�check�envz Missing =c�����������������S���s
���d|��gS�)NzHost=����hostr
���r
����./usr/lib/python3/dist-packages/certbot/ocsp.py�<lambda>8���s���
�z,RevocationChecker.__init__.<locals>.<lambda>c�����������������S���s���d|�gS�)N�Hostr
���r ���r
���r
���r!���r"���:���s����)
�brokenr����use_openssl_binaryr����
exe_exists�logger�info�
subprocess�runr����
env_no_snap_for_external_callsr���� host_args)�self�
enforce_openssl_binary_usage�test_host_formatr
���r
���r!����__init__)���s
���
�
�zRevocationChecker.__init__�cert�returnc�����������������C���s���|���|j|j�S�)a ��Get revoked status for a particular cert version.
.. todo:: Make this a non-blocking call
:param `.interfaces.RenewableCert` cert: Certificate object
:returns: True if revoked; False if valid or the check failed or cert is expired.
:rtype: bool
)�ocsp_revoked_by_paths� cert_path�
chain_path)r-���r1���r
���r
���r!����
ocsp_revoked<���s���
z
RevocationChecker.ocsp_revoked�
���r4���r5����timeoutc�����������������C���sj���|�j�rdS�tj�t����}t�|�|krdS�t|�\}}|r |s"dS�|�j r.|��
|||||�S�t
||||�S�)aE��Performs the OCSP revocation check
:param str cert_path: Certificate filepath
:param str chain_path: Certificate chain
:param int timeout: Timeout (in seconds) for the OCSP query
:returns: True if revoked; False if valid or the check failed or cert is expired.
:rtype: bool
F)
r$����pytz�UTC�fromutcr����utcnowr
����notAfter�_determine_ocsp_serverr%����_check_ocsp_openssl_bin�_check_ocsp_cryptography)r-���r4���r5���r8����now�urlr ���r
���r
���r!���r3���H���s���
z'RevocationChecker.ocsp_revoked_by_pathsr ���rB���c�����������
������C���s��t�d�}t�d�}d�}|d�us|d�ur|d�ur|n|}|d�u�r#d|g} n|�d�r0|td�d���}d|d|g} ddd d
|d
|d
|d
|ddt|�dg|��|��| �}
t�d|��t�d�|
���z
tj |
tjd�\}
}
W�n�t
j
y{���t�
d|��Y�dS�w�t
||
|
�S�)N�
http_proxy�
HTTP_PROXYz-urlzhttp://z-hostz-pathr���r���z -no_noncez-issuerz-certz-CAfilez
-verify_otherz
-trust_otherz-timeoutr���zQuerying OCSP for %s� )�log�*OCSP check failed for %s (are we offline?)F)r����
startswith�len�strr,���r'����debug�joinr����
run_scriptr����SubprocessErrorr(����_translate_ocsp_query)
r-���r4���r5���r ���rB���r8����env_http_proxy�env_HTTP_PROXY�
proxy_host�url_opts�cmd�output�errr
���r
���r!���r?���e���sB���
���
�
z)RevocationChecker._check_ocsp_openssl_binN)F)r7���)
�__name__�
__module__�
__qualname__�__doc__r0���r����boolr6���rJ����intr3���r?���r
���r
���r
���r!���r���&���s
����
����r���r4���r2���c�������������� ������s����t�|�d��}t�|���t���}W�d����n1�sw���Y��z
|j�tj�}tjj ����fdd�|j
D��}|d�j
j
}W�n�tj
t
fyN���t�d|���Y�dS�w�|���}|�d�d ��d
�}|rc||fS�t�d
||���dS�)
z�Extract the OCSP server host from a certificate.
:param str cert_path: Path to the cert we're checking OCSP for
:rtype tuple:
:returns: (OCSP server URL or None, OCSP server host or None)
�rbNc��������������������s���g�|�] }|j���kr|�qS�r
���)�
access_method)�.0�
description��ocsp_oidr
���r!����
<listcomp>����s����
�z*_determine_ocsp_server.<locals>.<listcomp>r���z Cannot extract OCSP URI from %s)NNz://�����/z;Cannot process OCSP host from URL (%s) in certificate at %s)�openr����load_pem_x509_certificate�readr
����
extensions�get_extension_for_class�AuthorityInformationAccess�
AuthorityInformationAccessOID�OCSP�value�access_location�ExtensionNotFound�
IndexErrorr'���r(����rstrip� partition)r4����
file_handlerr1���� extension�
descriptionsrB���r ���r
���ra���r!���r>�������s$���
�
�r>���r5���rB���r8���c��������������
���C���s(��t�|d��}t�|���t���}W�d�����n1�sw���Y��t�|�d��}t�|���t���}W�d�����n1�s7w���Y��t���}|�||t� ���}|�
��}|�
t
j
j�} z
tj|| ddi|d�}
W�n�tjjyu���tjd|�dd��Y�dS�w�|
jd kr�t�d
|�|
j��dS�t�|
j�}
|
jtjjkr�t�d
|�|
j��dS�z t
|
|||���W�n_�t
y��}
�zt�t
|
���W�Y�d�}
~
dS�d�}
~
w�t j y��}
�zt�t
|
���W�Y�d�}
~
dS�d�}
~
w�t!y����t�d
|���Y�dS��t"�y�}
�zt�d
|�t
|
���W�Y�d�}
~
dS�d�}
~
ww�t�#d|�|
j$��|
j$tj%j&kS�)Nr]���z
Content-Typezapplication/ocsp-request)�data�headersr8���rG���T)�exc_infoF�����z*OCSP check failed for %s (HTTP status: %d)z'Invalid OCSP response status for %s: %sz)Invalid signature on OCSP response for %sz!Invalid OCSP response for %s: %s.z%OCSP certificate status for %s is: %s)'rf���r���rg���rh���r
���r����OCSPRequestBuilder�add_certificater
����SHA1�build�
public_bytesr
����Encoding�DER�requests�post�
exceptions�RequestExceptionr'���r(����
status_code�load_der_ocsp_response�content�response_status�OCSPResponseStatus�
SUCCESSFUL�warning�_check_ocsp_responser ���rJ���r����Errorr����AssertionErrorrK����certificate_status�OCSPCertStatus�REVOKED)r4���r5���rB���r8���rt����issuerr1����builder�request�request_binary�response�
response_ocsp�e�errorr
���r
���r!���r@�������sd���
�
�
��
�
��
�
� �
���r@���c�����������������C���s����|�j�|j�kr
td��t|�||��t|�jt|j��r%|�j|jks%|�j|jkr)td��t� ��}|�j
s4td��|�j
|t
dd��krBtd��|�j
rS|�j
|t
dd��k�rUtd��dS�dS�) z2Verify that the OCSP is valid for several criteriazMthe certificate in response does not correspond to the certificate in requestz<the issuer does not correspond to issuer of the certificate.z
param thisUpdate is not set.����)�minutesz"param thisUpdate is in the future.z param nextUpdate is in the past.N)
�
serial_numberr�����
_check_ocsp_response_signature�
isinstance�hash_algorithm�type�issuer_key_hash�issuer_name_hashr���r<����
this_updater����
next_update)r�����
request_ocsp�
issuer_certr4���rA���r
���r
���r!���r��������s"���
�
�
�r����c�������������� ������s
��dd�����j�|jks�j��|�krt�d|��|}nZt�d|�����fdd��jD��}|s1td��|d�}|j|jkr?td ��z|j� t
j
�}t
j
j
j|jv�}W�n�t
jtfy^���d
}Y�nw�|setd
��|j}t�|���|j|j|���j}t�|����j�j|��d
S�)
zIVerify an OCSP response signature against certificate issuer or responderc�����������������S���s���t�j�|�����jS�)N)r����SubjectKeyIdentifier�from_public_key�
public_key�digest)r1���r
���r
���r!���� _key_hash����s���z1_check_ocsp_response_signature.<locals>._key_hashzGOCSP response for certificate %s is signed by the certificate's issuer.zGOCSP response for certificate %s is delegated to an external responder.c��������������������s*���g�|�]}�j�|jks�j��|�kr|�qS�r
���)�responder_name�subject�responder_key_hash)r_���r1����r����r����r
���r!���rc���
��s
����
�
�z2_check_ocsp_response_signature.<locals>.<listcomp>z0no matching responder certificate could be foundr���z?responder certificate is not signed by the certificate's issuerFz<responder is not authorized by issuer to sign OCSP responsesN)r����r����r����r'���rK����
certificatesr����r����ri���rj���r����ExtendedKeyUsage�oid�ExtendedKeyUsageOID�
OCSP_SIGNINGrn���rp���rq���r���r
����verify_signed_payloadr����� signature�tbs_certificate_bytes�tbs_response_bytes)r����r����r4����responder_cert�responder_certsru����delegate_authorized�
chosen_hashr
���r����r!���r��������sB���
���
���r����c����������� ���������s����d}��fdd�|D��}�fdd�|D��\}}}|r
|��d�nd}d|vs*|r(|s*|r9t�d ����t�d
�|��d
S�|r?|s?d
S�|rP|��d�}|rNt�d
|��d
S�t�d�|��d
S�)z7Parse openssl's weird output to work out what it means.)�good�revoked�unknownc��������������������s���g�|�]}d�����|��qS�)z{0}: (WARNING.*)?{1})�format)r_����s)r4���r
���r!���rc���6��s����z)_translate_ocsp_query.<locals>.<listcomp>c�����������������3���s"�����|�]
}t�j|��t�jd��V��qdS�))�flagsN)�re�search�DOTALL)r_����p)�
ocsp_outputr
���r!���� <genexpr>7��s���� �z(_translate_ocsp_query.<locals>.<genexpr>����NzResponse verify OKz#Revocation status for %s is unknownz Uncertain output:
%s
stderr:
%sFzOCSP revocation warning: %sTz2Unable to properly parse OCSP output: %s
stderr:%s)�groupr'���r(���rK���r����) r4���r�����
ocsp_errors�states�patternsr����r����r����r����r
���)r4���r����r!���rO���2��s&���
�rO���)0rZ���r���r����loggingr����r)���r����typingr���r����
cryptographyr����cryptography.exceptionsr���r ����
cryptography.hazmat.backendsr
����
cryptography.hazmat.primitivesr
���r
���r9���r�����certbotr
���r���r����certbot.compat.osr����certbot.interfacesr����cryptography.x509r����getattr�
OCSPResponse�
ImportError�AttributeError� getLoggerrW���r'���r���rJ���r>���r\���r[���r@���r����r����rO���r
���r
���r
���r!����<module>���sF����
�
"e
1"
6