o RDiD@slddlmZddlZddlmZmZddlmZddlmZm Z ddl m Z ddl m Z ddlmZdd lmZmZdd lmZmZmZmZmZmZmZmZdd lmZdd lmZdd l m!Z!ddl"m#Z#m$Z$ddl%m&Z&m'Z'ddl(m)Z)ddl*m+Z+m,Z,ddl-m.Z.ddl/m0Z0ddl1m2Z2m3Z3m4Z4m5Z5m6Z6m7Z7ddl8m9Z9ddl:m;Z;mGddde;Z?dS)) annotationsN) b64decode b64encode) OrderedDict)datetimetimezone) getLogger)getenv)DigestAlgorithm)Integer OctetString)CertId OCSPRequest OCSPResponseRequestRequestsSingleResponse TBSRequestVersion) Certificate)InvalidSignature)default_backend)hashes serialization)paddingutils) DSAPublicKey)ECDSAEllipticCurvePublicKey) RSAPublicKey) Connection)&ER_OCSP_RESPONSE_ATTACHED_CERT_EXPIRED&ER_OCSP_RESPONSE_ATTACHED_CERT_INVALID$ER_OCSP_RESPONSE_CERT_STATUS_INVALID"ER_OCSP_RESPONSE_INVALID_SIGNATUREER_OCSP_RESPONSE_LOAD_FAILURE$ER_OCSP_RESPONSE_STATUS_UNSUCCESSFUL)RevocationCheckError) SnowflakeOCSPgenerate_cache_keycseZdZdZejejejdZddZ d>d d Z d d Z d dZ d?d@ddZ dAddZddZddZddZdBd"d#Zd$d%ZdCfd*d+ Z dDd-d.Zd/d0Zd1d2ZdEd6d7ZdFd:d;ZdGdReads a certificate file including certificates in PEM format.Nzreading certificate bundle: %srbr)pemT)multiple CERTIFICATE) r(ROOT_CERTIFICATES_DICTloggerdebugopen asn1cryptorLunarmorreadrr7subjectr+) r8ca_bundle_filestorage all_certsrL pem_certs type_name_ der_bytescrtr;r;r<read_cert_bundleSs     "z(SnowflakeOCSPAsn1Crypto.read_cert_bundleissuerrrVtuple[CertId, OCSPRequest]cCs^ttdddt|jjt|jj|jd}tdtt dt t d|igdi}||fS) zCreates CertId and OCSPRequest.r.Nr/r2 tbs_requestrreq_cert)version request_list) r r r r`r. public_keyr6rrrrr)r8r`rVr: ocsp_requestr;r;r<create_ocsp_requestbs0   z+SnowflakeOCSPAsn1Crypto.create_ocsp_requestcCs|j}|r |d}|Sd}|S)Nr) ocsp_urls)r8certurlsocsp_urlr;r;r<extract_ocsp_urls  z(SnowflakeOCSPAsn1Crypto.extract_ocsp_urlcCs|Sr@)rG)r8rgr;r;r<decode_ocsp_requestrBz+SnowflakeOCSPAsn1Crypto.decode_ocsp_requestcCs||}t|d}|SrE)rnrrH)r8rgdatab64datar;r;r<decode_ocsp_request_b64s z/SnowflakeOCSPAsn1Crypto.decode_ocsp_request_b64single_responsertuple[datetime, datetime]cCs|dj}|dj}||fS)zExtracts GOOD status. this_update next_updatenative)r8rrthis_update_nativenext_update_nativer;r;r<extract_good_statuss  z+SnowflakeOCSPAsn1Crypto.extract_good_statuscCs$|d}|jd}|jd}||fS)zExtracts REVOKED status. cert_statusrevocation_timerevocation_reasonrv)r8rr revoked_infor|r}r;r;r<extract_revoked_statuss  z.SnowflakeOCSPAsn1Crypto.extract_revoked_statuscur_timer ocsp_certtuple[bool, str | None]csT|dddj}|dddj}||ks||kr(d|||tj}d|fSdS)Ntbs_certificatevalidity not_before not_afterzCertificate attached to OCSP response is invalid. OCSP response current time - {} certificate not before time - {} certificate not after time - {}. Consider running curl -o ocsp.der {}F)TN)rwformatsuperdebug_ocsp_failure_url)r8rr val_startval_end debug_msg __class__r;r<check_cert_time_validitys z0SnowflakeOCSPAsn1Crypto.check_cert_time_validityboolc Cs t|}|djdkrtd|djtd|j}|djrK|dd}td|dd d jt t j } | ||\}}|sKt|d S|d } | d d} | dj} z| dkri|| ||WdSWdSty} z td| WYd} ~ d Sd} ~ ww)Nresponse_status successfulInvalid Status: {}msgerrnocertsrzOVerifying the attached certificate is signed by the issuer. Valid Not After: %srrrFtbs_response_data responsesr{goodz#Failed to validate ocsp response %sT)rr7rwr'rr&basic_ocsp_responserPrQrnowrutcrname_process_good_status Exception) r8r: ocsp_responseresrrr cert_validrrrrr{exr;r;r< is_valid_timesB         z%SnowflakeOCSPAsn1Crypto.is_valid_timec Cszt|}|jdurtd}|durtdtdWn ty'tdtdw|djdkr;td|djt d|j }|d jrt d |d d }t d t d |dddjt tj}z ||j|j||dWnty} zt| jtdd} ~ ww|||\} } | st| tdnt d|}|d} t dz||dj|dj|| Wnty} zt| jtdd} ~ ww| dd } | dj}|jdurtd}|dkrd}n |dkrd}n|dkrd}z5|dkr|| ||WdS|dkr|| |WdS|dkr!||WdSd|} t| tdtyG}zd|j|j} t| |jdd}~ww)N$SF_TEST_OCSP_FORCE_BAD_OCSP_RESPONSEz Force fail)rzInvalid OCSP Responserrrrrz.Certificate is attached in Basic OCSP Responserz:Verifying the attached certificate is signed by the issuerzValid Not After: %srrrzNCertificate is NOT attached in Basic OCSP Response. Using issuer's certificaterz4Verifying the OCSP response is signed by the issuer.signature_algorithm signaturerr{SF_TEST_OCSP_CERT_STATUSrevokedunknownrzJUnknown revocation status was returned.OCSP response may be malformed: {}.z'{} Consider running curl -o ocsp.der {}) rr7 test_moder r'r%rrwrr&rrPrQrrrrverify_signature hash_algorrr"rr!r$rr_process_revoked_status_process_unknown_statusr#rr)r8r`r:rrocsp_load_failurerrrrcerrrrrr{test_cert_statusop_err;r;r<process_ocsp_responses              z-SnowflakeOCSPAsn1Crypto.process_ocsp_responsec Cst}tj|jtd}|tjvrtj|}nt}t ||}| || } t } t |trEt| d<t|| d<nt |trRt|| d<nt |tr`tt|| d<z |j|| fi| WdStyytddw)N)backendrr0rzFailed to verify the signaturer)rrload_der_public_keyrfrGr*#SIGNATURE_ALGORITHM_TO_DIGEST_CLASSrSHA1Hashupdatefinalizedict isinstancerrPKCS1v15r Prehashedrrrverifyrr') r8rrrjrorrf chosen_hashhasherdigestadditional_kwargsr;r;r<rasD        z(SnowflakeOCSPAsn1Crypto.verify_signature connectionr %list[tuple[Certificate, Certificate]]c Csddlm}m}t}|}tdt|||D].}|||}t |}td|j j |j j |||j j<|j jtjvrKtd|j j nq||S)zHGets certificate chain and extract the key info from OpenSSL connection.r) FILETYPE_ASN1dump_certificatez# of certificates: %szsubject: %s, issuer: %szCA trusted root certificate found: %s, stopping chain traversal here)OpenSSL.cryptorrrget_peer_cert_chainrPrQlen_lazy_read_ca_bundlerr7rVrwr`r+r(rOcreate_pair_issuer_subject) r8rrrcert_map cert_chain cert_opensslcert_derrjr;r;r<extract_certificate_chains(    z1SnowflakeOCSPAsn1Crypto.extract_certificate_chainrrcCsg}|D]?}||}|js|jr|jsq|jj}||vr8|td|jj|t j vr2t ddt j |}n||}| ||fq|S)z1Creates pairs of issuer and subject certificates.znot found issuer_der: %szCA certificate is NOT found in the root certificate list. Make sure you use the latest Python Connector package and the URL is valid.r) ocsp_no_check_valuecarir`r+rrPrQrwr(rOr'append)r8rissuer_subject subject_derrV issuer_hashr`r;r;r<rs"  z2SnowflakeOCSPAsn1Crypto.create_pair_issuer_subjectcCs|jjSr@)rVrw)r8rVr;r;r< subject_namerBz$SnowflakeOCSPAsn1Crypto.subject_name)r:r r>r?r@)r>rJ)r`rrVrr>ra)rrrr>rs)rrrrr>r)r>r)rr r>r)rrr>r)rVrr>r)__name__ __module__ __qualname____doc__rSHA256SHA384SHA512rr=rArDrIr_rhrmrnrqrzrrrrrrrr __classcell__r;r;rr<r*/s2   $   2n % r*)@ __future__rtypingbase64rr collectionsrrrloggingrosr asn1crypto.algosr asn1crypto.corer r asn1crypto.ocspr rrrrrrrasn1crypto.x509rcryptography.exceptionsrcryptography.hazmat.backendsrcryptography.hazmat.primitivesrr)cryptography.hazmat.primitives.asymmetricrr-cryptography.hazmat.primitives.asymmetric.dsar,cryptography.hazmat.primitives.asymmetric.ecrr-cryptography.hazmat.primitives.asymmetric.rsar OpenSSL.SSLr snowflake.connector.errorcoder!r"r#r$r%r&snowflake.connector.errorsr'"snowflake.connector.ocsp_snowflaker(r)rrPr*r;r;r;r<s0     (