HEX
Server: LiteSpeed
System: Linux us-phx-web1284.main-hosting.eu 4.18.0-553.109.1.lve.el8.x86_64 #1 SMP Thu Mar 5 20:23:46 UTC 2026 x86_64
User: u300739242 (300739242)
PHP: 8.2.30
Disabled: system, shell_exec, passthru, mysql_list_dbs, ini_alter, dl, symlink, link, chgrp, leak, popen, apache_child_terminate, virtual, mb_send_mail
File: //opt/alt/python311/lib/python3.11/site-packages/redis/__pycache__/ocsp.cpython-311.pyc