maojian
/
CnOCRService
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
图片解析应用
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1 Commit
1 Branch
0 Tags
49 MiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
CnOCRService/Lib/site-packages/redis/ocsp.py

307 lines
11 KiB
Raw Permalink Normal View History

图片解析应用
7 months ago
  1. import base64
  2. import datetime
  3. import ssl
  4. from urllib.parse import urljoin, urlparse
  6. import cryptography.hazmat.primitives.hashes
  7. import requests
  8. from cryptography import hazmat, x509
  9. from cryptography.exceptions import InvalidSignature
  10. from cryptography.hazmat import backends
  11. from cryptography.hazmat.primitives.asymmetric.dsa import DSAPublicKey
  12. from cryptography.hazmat.primitives.asymmetric.ec import ECDSA, EllipticCurvePublicKey
  13. from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
  14. from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
  15. from cryptography.hazmat.primitives.hashes import SHA1, Hash
  16. from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
  17. from cryptography.x509 import ocsp
  18. from redis.exceptions import AuthorizationError, ConnectionError
  21. def _verify_response(issuer_cert, ocsp_response):
  22. pubkey = issuer_cert.public_key()
  23. try:
  24. if isinstance(pubkey, RSAPublicKey):
  25. pubkey.verify(
  26. ocsp_response.signature,
  27. ocsp_response.tbs_response_bytes,
  28. PKCS1v15(),
  29. ocsp_response.signature_hash_algorithm,
  30. )
  31. elif isinstance(pubkey, DSAPublicKey):
  32. pubkey.verify(
  33. ocsp_response.signature,
  34. ocsp_response.tbs_response_bytes,
  35. ocsp_response.signature_hash_algorithm,
  36. )
  37. elif isinstance(pubkey, EllipticCurvePublicKey):
  38. pubkey.verify(
  39. ocsp_response.signature,
  40. ocsp_response.tbs_response_bytes,
  41. ECDSA(ocsp_response.signature_hash_algorithm),
  42. )
  43. else:
  44. pubkey.verify(ocsp_response.signature, ocsp_response.tbs_response_bytes)
  45. except InvalidSignature:
  46. raise ConnectionError("failed to valid ocsp response")
  49. def _check_certificate(issuer_cert, ocsp_bytes, validate=True):
  50. """A wrapper the return the validity of a known ocsp certificate"""
  52. ocsp_response = ocsp.load_der_ocsp_response(ocsp_bytes)
  54. if ocsp_response.response_status == ocsp.OCSPResponseStatus.UNAUTHORIZED:
  55. raise AuthorizationError("you are not authorized to view this ocsp certificate")
  56. if ocsp_response.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL:
  57. if ocsp_response.certificate_status != ocsp.OCSPCertStatus.GOOD:
  58. raise ConnectionError(
  59. f'Received an {str(ocsp_response.certificate_status).split(".")[1]} '
  60. "ocsp certificate status"
  61. )
  62. else:
  63. raise ConnectionError(
  64. "failed to retrieve a successful response from the ocsp responder"
  65. )
  67. if ocsp_response.this_update >= datetime.datetime.now():
  68. raise ConnectionError("ocsp certificate was issued in the future")
  70. if (
  71. ocsp_response.next_update
  72. and ocsp_response.next_update < datetime.datetime.now()
  73. ):
  74. raise ConnectionError("ocsp certificate has invalid update - in the past")
  76. responder_name = ocsp_response.responder_name
  77. issuer_hash = ocsp_response.issuer_key_hash
  78. responder_hash = ocsp_response.responder_key_hash
  80. cert_to_validate = issuer_cert
  81. if (
  82. responder_name is not None
  83. and responder_name == issuer_cert.subject
  84. or responder_hash == issuer_hash
  85. ):
  86. cert_to_validate = issuer_cert
  87. else:
  88. certs = ocsp_response.certificates
  89. responder_certs = _get_certificates(
  90. certs, issuer_cert, responder_name, responder_hash
  91. )
  93. try:
  94. responder_cert = responder_certs[0]
  95. except IndexError:
  96. raise ConnectionError("no certificates found for the responder")
  98. ext = responder_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
  99. if ext is None or x509.oid.ExtendedKeyUsageOID.OCSP_SIGNING not in ext.value:
  100. raise ConnectionError("delegate not autorized for ocsp signing")
  101. cert_to_validate = responder_cert
  103. if validate:
  104. _verify_response(cert_to_validate, ocsp_response)
  105. return True
  108. def _get_certificates(certs, issuer_cert, responder_name, responder_hash):
  109. if responder_name is None:
  110. certificates = [
  111. c
  112. for c in certs
  113. if _get_pubkey_hash(c) == responder_hash and c.issuer == issuer_cert.subject
  114. ]
  115. else:
  116. certificates = [
  117. c
  118. for c in certs
  119. if c.subject == responder_name and c.issuer == issuer_cert.subject
  120. ]
  122. return certificates
  125. def _get_pubkey_hash(certificate):
  126. pubkey = certificate.public_key()
  128. # https://stackoverflow.com/a/46309453/600498
  129. if isinstance(pubkey, RSAPublicKey):
  130. h = pubkey.public_bytes(Encoding.DER, PublicFormat.PKCS1)
  131. elif isinstance(pubkey, EllipticCurvePublicKey):
  132. h = pubkey.public_bytes(Encoding.X962, PublicFormat.UncompressedPoint)
  133. else:
  134. h = pubkey.public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
  136. sha1 = Hash(SHA1(), backend=backends.default_backend())
  137. sha1.update(h)
  138. return sha1.finalize()
  141. def ocsp_staple_verifier(con, ocsp_bytes, expected=None):
  142. """An implementation of a function for set_ocsp_client_callback in PyOpenSSL.
  144. This function validates that the provide ocsp_bytes response is valid,
  145. and matches the expected, stapled responses.
  146. """
  147. if ocsp_bytes in [b"", None]:
  148. raise ConnectionError("no ocsp response present")
  150. issuer_cert = None
  151. peer_cert = con.get_peer_certificate().to_cryptography()
  152. for c in con.get_peer_cert_chain():
  153. cert = c.to_cryptography()
  154. if cert.subject == peer_cert.issuer:
  155. issuer_cert = cert
  156. break
  158. if issuer_cert is None:
  159. raise ConnectionError("no matching issuer cert found in certificate chain")
  161. if expected is not None:
  162. e = x509.load_pem_x509_certificate(expected)
  163. if peer_cert != e:
  164. raise ConnectionError("received and expected certificates do not match")
  166. return _check_certificate(issuer_cert, ocsp_bytes)
  169. class OCSPVerifier:
  170. """A class to verify ssl sockets for RFC6960/RFC6961. This can be used
  171. when using direct validation of OCSP responses and certificate revocations.
  173. @see https://datatracker.ietf.org/doc/html/rfc6960
  174. @see https://datatracker.ietf.org/doc/html/rfc6961
  175. """
  177. def __init__(self, sock, host, port, ca_certs=None):
  178. self.SOCK = sock
  179. self.HOST = host
  180. self.PORT = port
  181. self.CA_CERTS = ca_certs
  183. def _bin2ascii(self, der):
  184. """Convert SSL certificates in a binary (DER) format to ASCII PEM."""
  186. pem = ssl.DER_cert_to_PEM_cert(der)
  187. cert = x509.load_pem_x509_certificate(pem.encode(), backends.default_backend())
  188. return cert
  190. def components_from_socket(self):
  191. """This function returns the certificate, primary issuer, and primary ocsp
  192. server in the chain for a socket already wrapped with ssl.
  193. """
  195. # convert the binary certifcate to text
  196. der = self.SOCK.getpeercert(True)
  197. if der is False:
  198. raise ConnectionError("no certificate found for ssl peer")
  199. cert = self._bin2ascii(der)
  200. return self._certificate_components(cert)
  202. def _certificate_components(self, cert):
  203. """Given an SSL certificate, retract the useful components for
  204. validating the certificate status with an OCSP server.
  206. Args:
  207. cert ([bytes]): A PEM encoded ssl certificate
  208. """
  210. try:
  211. aia = cert.extensions.get_extension_for_oid(
  212. x509.oid.ExtensionOID.AUTHORITY_INFORMATION_ACCESS
  213. ).value
  214. except cryptography.x509.extensions.ExtensionNotFound:
  215. raise ConnectionError("No AIA information present in ssl certificate")
  217. # fetch certificate issuers
  218. issuers = [
  219. i
  220. for i in aia
  221. if i.access_method == x509.oid.AuthorityInformationAccessOID.CA_ISSUERS
  222. ]
  223. try:
  224. issuer = issuers[0].access_location.value
  225. except IndexError:
  226. issuer = None
  228. # now, the series of ocsp server entries
  229. ocsps = [
  230. i
  231. for i in aia
  232. if i.access_method == x509.oid.AuthorityInformationAccessOID.OCSP
  233. ]
  235. try:
  236. ocsp = ocsps[0].access_location.value
  237. except IndexError:
  238. raise ConnectionError("no ocsp servers in certificate")
  240. return cert, issuer, ocsp
  242. def components_from_direct_connection(self):
  243. """Return the certificate, primary issuer, and primary ocsp server
  244. from the host defined by the socket. This is useful in cases where
  245. different certificates are occasionally presented.
  246. """
  248. pem = ssl.get_server_certificate((self.HOST, self.PORT), ca_certs=self.CA_CERTS)
  249. cert = x509.load_pem_x509_certificate(pem.encode(), backends.default_backend())
  250. return self._certificate_components(cert)
  252. def build_certificate_url(self, server, cert, issuer_cert):
  253. """Return the complete url to the ocsp"""
  254. orb = ocsp.OCSPRequestBuilder()
  256. # add_certificate returns an initialized OCSPRequestBuilder
  257. orb = orb.add_certificate(
  258. cert, issuer_cert, cryptography.hazmat.primitives.hashes.SHA256()
  259. )
  260. request = orb.build()
  262. path = base64.b64encode(
  263. request.public_bytes(hazmat.primitives.serialization.Encoding.DER)
  264. )
  265. url = urljoin(server, path.decode("ascii"))
  266. return url
  268. def check_certificate(self, server, cert, issuer_url):
  269. """Checks the validity of an ocsp server for an issuer"""
  271. r = requests.get(issuer_url)
  272. if not r.ok:
  273. raise ConnectionError("failed to fetch issuer certificate")
  274. der = r.content
  275. issuer_cert = self._bin2ascii(der)
  277. ocsp_url = self.build_certificate_url(server, cert, issuer_cert)
  279. # HTTP 1.1 mandates the addition of the Host header in ocsp responses
  280. header = {
  281. "Host": urlparse(ocsp_url).netloc,
  282. "Content-Type": "application/ocsp-request",
  283. }
  284. r = requests.get(ocsp_url, headers=header)
  285. if not r.ok:
  286. raise ConnectionError("failed to fetch ocsp certificate")
  287. return _check_certificate(issuer_cert, r.content, True)
  289. def is_valid(self):
  290. """Returns the validity of the certificate wrapping our socket.
  291. This first retrieves for validate the certificate, issuer_url,
  292. and ocsp_server for certificate validate. Then retrieves the
  293. issuer certificate from the issuer_url, and finally checks
  294. the validity of OCSP revocation status.
  295. """
  297. # validate the certificate
  298. try:
  299. cert, issuer_url, ocsp_server = self.components_from_socket()
  300. if issuer_url is None:
  301. raise ConnectionError("no issuers found in certificate chain")
  302. return self.check_certificate(ocsp_server, cert, issuer_url)
  303. except AuthorizationError:
  304. cert, issuer_url, ocsp_server = self.components_from_direct_connection()
  305. if issuer_url is None:
  306. raise ConnectionError("no issuers found in certificate chain")
  307. return self.check_certificate(ocsp_server, cert, issuer_url)