ai_v/venv/Lib/site-packages/redis/ocsp.py

import base64
import datetime
import ssl
from urllib.parse import urljoin, urlparse

import cryptography.hazmat.primitives.hashes
import requests
from cryptography import hazmat, x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat import backends
from cryptography.hazmat.primitives.asymmetric.dsa import DSAPublicKey
from cryptography.hazmat.primitives.asymmetric.ec import ECDSA, EllipticCurvePublicKey
from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
from cryptography.hazmat.primitives.hashes import SHA1, Hash
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
from cryptography.x509 import ocsp

from redis.exceptions import AuthorizationError, ConnectionError


def _verify_response(issuer_cert, ocsp_response):
    pubkey = issuer_cert.public_key()
    try:
        if isinstance(pubkey, RSAPublicKey):
            pubkey.verify(
                ocsp_response.signature,
                ocsp_response.tbs_response_bytes,
                PKCS1v15(),
                ocsp_response.signature_hash_algorithm,
            )
        elif isinstance(pubkey, DSAPublicKey):
            pubkey.verify(
                ocsp_response.signature,
                ocsp_response.tbs_response_bytes,
                ocsp_response.signature_hash_algorithm,
            )
        elif isinstance(pubkey, EllipticCurvePublicKey):
            pubkey.verify(
                ocsp_response.signature,
                ocsp_response.tbs_response_bytes,
                ECDSA(ocsp_response.signature_hash_algorithm),
            )
        else:
            pubkey.verify(ocsp_response.signature, ocsp_response.tbs_response_bytes)
    except InvalidSignature:
        raise ConnectionError("failed to valid ocsp response")


def _check_certificate(issuer_cert, ocsp_bytes, validate=True):
    """A wrapper the return the validity of a known ocsp certificate"""

    ocsp_response = ocsp.load_der_ocsp_response(ocsp_bytes)

    if ocsp_response.response_status == ocsp.OCSPResponseStatus.UNAUTHORIZED:
        raise AuthorizationError("you are not authorized to view this ocsp certificate")
    if ocsp_response.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL:
        if ocsp_response.certificate_status != ocsp.OCSPCertStatus.GOOD:
            raise ConnectionError(
                f"Received an {str(ocsp_response.certificate_status).split('.')[1]} "
                "ocsp certificate status"
            )
    else:
        raise ConnectionError(
            "failed to retrieve a successful response from the ocsp responder"
        )

    if ocsp_response.this_update >= datetime.datetime.now():
        raise ConnectionError("ocsp certificate was issued in the future")

    if (
        ocsp_response.next_update
        and ocsp_response.next_update < datetime.datetime.now()
    ):
        raise ConnectionError("ocsp certificate has invalid update - in the past")

    responder_name = ocsp_response.responder_name
    issuer_hash = ocsp_response.issuer_key_hash
    responder_hash = ocsp_response.responder_key_hash

    cert_to_validate = issuer_cert
    if (
        responder_name is not None
        and responder_name == issuer_cert.subject
        or responder_hash == issuer_hash
    ):
        cert_to_validate = issuer_cert
    else:
        certs = ocsp_response.certificates
        responder_certs = _get_certificates(
            certs, issuer_cert, responder_name, responder_hash
        )

        try:
            responder_cert = responder_certs[0]
        except IndexError:
            raise ConnectionError("no certificates found for the responder")

        ext = responder_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
        if ext is None or x509.oid.ExtendedKeyUsageOID.OCSP_SIGNING not in ext.value:
            raise ConnectionError("delegate not autorized for ocsp signing")
        cert_to_validate = responder_cert

    if validate:
        _verify_response(cert_to_validate, ocsp_response)
    return True


def _get_certificates(certs, issuer_cert, responder_name, responder_hash):
    if responder_name is None:
        certificates = [
            c
            for c in certs
            if _get_pubkey_hash(c) == responder_hash and c.issuer == issuer_cert.subject
        ]
    else:
        certificates = [
            c
            for c in certs
            if c.subject == responder_name and c.issuer == issuer_cert.subject
        ]

    return certificates


def _get_pubkey_hash(certificate):
    pubkey = certificate.public_key()

    # https://stackoverflow.com/a/46309453/600498
    if isinstance(pubkey, RSAPublicKey):
        h = pubkey.public_bytes(Encoding.DER, PublicFormat.PKCS1)
    elif isinstance(pubkey, EllipticCurvePublicKey):
        h = pubkey.public_bytes(Encoding.X962, PublicFormat.UncompressedPoint)
    else:
        h = pubkey.public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)

    sha1 = Hash(SHA1(), backend=backends.default_backend())
    sha1.update(h)
    return sha1.finalize()


def ocsp_staple_verifier(con, ocsp_bytes, expected=None):
    """An implementation of a function for set_ocsp_client_callback in PyOpenSSL.

    This function validates that the provide ocsp_bytes response is valid,
    and matches the expected, stapled responses.
    """
    if ocsp_bytes in [b"", None]:
        raise ConnectionError("no ocsp response present")

    issuer_cert = None
    peer_cert = con.get_peer_certificate().to_cryptography()
    for c in con.get_peer_cert_chain():
        cert = c.to_cryptography()
        if cert.subject == peer_cert.issuer:
            issuer_cert = cert
            break

    if issuer_cert is None:
        raise ConnectionError("no matching issuer cert found in certificate chain")

    if expected is not None:
        e = x509.load_pem_x509_certificate(expected)
        if peer_cert != e:
            raise ConnectionError("received and expected certificates do not match")

    return _check_certificate(issuer_cert, ocsp_bytes)


class OCSPVerifier:
    """A class to verify ssl sockets for RFC6960/RFC6961. This can be used
    when using direct validation of OCSP responses and certificate revocations.

    @see https://datatracker.ietf.org/doc/html/rfc6960
    @see https://datatracker.ietf.org/doc/html/rfc6961
    """

    def __init__(self, sock, host, port, ca_certs=None):
        self.SOCK = sock
        self.HOST = host
        self.PORT = port
        self.CA_CERTS = ca_certs

    def _bin2ascii(self, der):
        """Convert SSL certificates in a binary (DER) format to ASCII PEM."""

        pem = ssl.DER_cert_to_PEM_cert(der)
        cert = x509.load_pem_x509_certificate(pem.encode(), backends.default_backend())
        return cert

    def components_from_socket(self):
        """This function returns the certificate, primary issuer, and primary ocsp
        server in the chain for a socket already wrapped with ssl.
        """

        # convert the binary certifcate to text
        der = self.SOCK.getpeercert(True)
        if der is False:
            raise ConnectionError("no certificate found for ssl peer")
        cert = self._bin2ascii(der)
        return self._certificate_components(cert)

    def _certificate_components(self, cert):
        """Given an SSL certificate, retract the useful components for
        validating the certificate status with an OCSP server.

        Args:
            cert ([bytes]): A PEM encoded ssl certificate
        """

        try:
            aia = cert.extensions.get_extension_for_oid(
                x509.oid.ExtensionOID.AUTHORITY_INFORMATION_ACCESS
            ).value
        except cryptography.x509.extensions.ExtensionNotFound:
            raise ConnectionError("No AIA information present in ssl certificate")

        # fetch certificate issuers
        issuers = [
            i
            for i in aia
            if i.access_method == x509.oid.AuthorityInformationAccessOID.CA_ISSUERS
        ]
        try:
            issuer = issuers[0].access_location.value
        except IndexError:
            issuer = None

        # now, the series of ocsp server entries
        ocsps = [
            i
            for i in aia
            if i.access_method == x509.oid.AuthorityInformationAccessOID.OCSP
        ]

        try:
            ocsp = ocsps[0].access_location.value
        except IndexError:
            raise ConnectionError("no ocsp servers in certificate")

        return cert, issuer, ocsp

    def components_from_direct_connection(self):
        """Return the certificate, primary issuer, and primary ocsp server
        from the host defined by the socket. This is useful in cases where
        different certificates are occasionally presented.
        """

        pem = ssl.get_server_certificate((self.HOST, self.PORT), ca_certs=self.CA_CERTS)
        cert = x509.load_pem_x509_certificate(pem.encode(), backends.default_backend())
        return self._certificate_components(cert)

    def build_certificate_url(self, server, cert, issuer_cert):
        """Return the complete url to the ocsp"""
        orb = ocsp.OCSPRequestBuilder()

        # add_certificate returns an initialized OCSPRequestBuilder
        orb = orb.add_certificate(
            cert, issuer_cert, cryptography.hazmat.primitives.hashes.SHA256()
        )
        request = orb.build()

        path = base64.b64encode(
            request.public_bytes(hazmat.primitives.serialization.Encoding.DER)
        )
        url = urljoin(server, path.decode("ascii"))
        return url

    def check_certificate(self, server, cert, issuer_url):
        """Checks the validity of an ocsp server for an issuer"""

        r = requests.get(issuer_url)
        if not r.ok:
            raise ConnectionError("failed to fetch issuer certificate")
        der = r.content
        issuer_cert = self._bin2ascii(der)

        ocsp_url = self.build_certificate_url(server, cert, issuer_cert)

        # HTTP 1.1 mandates the addition of the Host header in ocsp responses
        header = {
            "Host": urlparse(ocsp_url).netloc,
            "Content-Type": "application/ocsp-request",
        }
        r = requests.get(ocsp_url, headers=header)
        if not r.ok:
            raise ConnectionError("failed to fetch ocsp certificate")
        return _check_certificate(issuer_cert, r.content, True)

    def is_valid(self):
        """Returns the validity of the certificate wrapping our socket.
        This first retrieves for validate the certificate, issuer_url,
        and ocsp_server for certificate validate. Then retrieves the
        issuer certificate from the issuer_url, and finally checks
        the validity of OCSP revocation status.
        """

        # validate the certificate
        try:
            cert, issuer_url, ocsp_server = self.components_from_socket()
            if issuer_url is None:
                raise ConnectionError("no issuers found in certificate chain")
            return self.check_certificate(ocsp_server, cert, issuer_url)
        except AuthorizationError:
            cert, issuer_url, ocsp_server = self.components_from_direct_connection()
            if issuer_url is None:
                raise ConnectionError("no issuers found in certificate chain")
            return self.check_certificate(ocsp_server, cert, issuer_url)
feat(api): 实现图像生成及后台同步功能 - 新增图像生成接口，支持试用、积分和自定义API Key模式 - 实现生成图片结果异步上传至MinIO存储，带重试机制 - 优化积分预扣除和异常退还逻辑，保障用户积分准确 - 添加获取生成历史记录接口，支持时间范围和分页 - 提供本地字典配置接口，支持模型、比例、提示模板和尺寸 - 实现图片批量上传接口，支持S3兼容对象存储 feat(admin): 增加管理员角色管理与权限分配接口 - 实现角色列表查询、角色创建、更新及删除功能 - 增加权限列表查询接口 - 实现用户角色分配接口，便于统一管理用户权限 - 增加系统字典增删查改接口，支持分类过滤和排序 - 权限控制全面覆盖管理接口，保证安全访问 feat(auth): 完善用户登录注册及权限相关接口与页面 - 实现手机号验证码发送及校验功能，保障注册安全 - 支持手机号注册、登录及退出接口，集成日志记录 - 增加修改密码功能，验证原密码后更新 - 提供动态导航菜单接口，基于权限展示不同菜单 - 实现管理界面路由及日志、角色、字典管理页面访问权限控制 - 添加系统日志查询接口，支持关键词和等级筛选 feat(app): 初始化Flask应用并配置蓝图与数据库 - 创建应用程序工厂，加载配置，初始化数据库和Redis客户端 - 注册认证、API及管理员蓝图，整合路由 - 根路由渲染主页模板 - 应用上下文中自动创建数据库表，保证运行环境准备完毕 feat(database): 提供数据库创建与迁移支持脚本 - 新增数据库创建脚本，支持自动检测是否已存在 - 添加数据库表初始化脚本，支持创建和删除所有表 - 实现RBAC权限初始化，包含基础权限和角色创建 - 新增字段手动修复脚本，添加用户API Key和积分字段 - 强制迁移脚本支持清理连接和修复表结构，初始化默认数据及角色分配 feat(config): 新增系统配置参数 - 配置数据库、Redis、Session和MinIO相关参数 - 添加AI接口地址及试用Key配置 - 集成阿里云短信服务配置及开发模式相关参数 feat(extensions): 初始化数据库、Redis和MinIO客户端 - 创建全局SQLAlchemy数据库实例和Redis客户端 - 配置基于boto3的MinIO兼容S3客户端 chore(logs): 添加示例系统日志文件 - 记录用户请求、验证码发送成功与失败的日志信息 2026-01-12 00:53:31 +08:00			`import base64`
			`import datetime`
			`import ssl`
			`from urllib.parse import urljoin, urlparse`

			`import cryptography.hazmat.primitives.hashes`
			`import requests`
			`from cryptography import hazmat, x509`
			`from cryptography.exceptions import InvalidSignature`
			`from cryptography.hazmat import backends`
			`from cryptography.hazmat.primitives.asymmetric.dsa import DSAPublicKey`
			`from cryptography.hazmat.primitives.asymmetric.ec import ECDSA, EllipticCurvePublicKey`
			`from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15`
			`from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey`
			`from cryptography.hazmat.primitives.hashes import SHA1, Hash`
			`from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat`
			`from cryptography.x509 import ocsp`

			`from redis.exceptions import AuthorizationError, ConnectionError`


			`def _verify_response(issuer_cert, ocsp_response):`
			`pubkey = issuer_cert.public_key()`
			`try:`
			`if isinstance(pubkey, RSAPublicKey):`
			`pubkey.verify(`
			`ocsp_response.signature,`
			`ocsp_response.tbs_response_bytes,`
			`PKCS1v15(),`
			`ocsp_response.signature_hash_algorithm,`
			`)`
			`elif isinstance(pubkey, DSAPublicKey):`
			`pubkey.verify(`
			`ocsp_response.signature,`
			`ocsp_response.tbs_response_bytes,`
			`ocsp_response.signature_hash_algorithm,`
			`)`
			`elif isinstance(pubkey, EllipticCurvePublicKey):`
			`pubkey.verify(`
			`ocsp_response.signature,`
			`ocsp_response.tbs_response_bytes,`
			`ECDSA(ocsp_response.signature_hash_algorithm),`
			`)`
			`else:`
			`pubkey.verify(ocsp_response.signature, ocsp_response.tbs_response_bytes)`
			`except InvalidSignature:`
			`raise ConnectionError("failed to valid ocsp response")`


			`def _check_certificate(issuer_cert, ocsp_bytes, validate=True):`
			`"""A wrapper the return the validity of a known ocsp certificate"""`

			`ocsp_response = ocsp.load_der_ocsp_response(ocsp_bytes)`

			`if ocsp_response.response_status == ocsp.OCSPResponseStatus.UNAUTHORIZED:`
			`raise AuthorizationError("you are not authorized to view this ocsp certificate")`
			`if ocsp_response.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL:`
			`if ocsp_response.certificate_status != ocsp.OCSPCertStatus.GOOD:`
			`raise ConnectionError(`
			`f"Received an {str(ocsp_response.certificate_status).split('.')[1]} "`
			`"ocsp certificate status"`
			`)`
			`else:`
			`raise ConnectionError(`
			`"failed to retrieve a successful response from the ocsp responder"`
			`)`

			`if ocsp_response.this_update >= datetime.datetime.now():`
			`raise ConnectionError("ocsp certificate was issued in the future")`

			`if (`
			`ocsp_response.next_update`
			`and ocsp_response.next_update < datetime.datetime.now()`
			`):`
			`raise ConnectionError("ocsp certificate has invalid update - in the past")`

			`responder_name = ocsp_response.responder_name`
			`issuer_hash = ocsp_response.issuer_key_hash`
			`responder_hash = ocsp_response.responder_key_hash`

			`cert_to_validate = issuer_cert`
			`if (`
			`responder_name is not None`
			`and responder_name == issuer_cert.subject`
			`or responder_hash == issuer_hash`
			`):`
			`cert_to_validate = issuer_cert`
			`else:`
			`certs = ocsp_response.certificates`
			`responder_certs = _get_certificates(`
			`certs, issuer_cert, responder_name, responder_hash`
			`)`

			`try:`
			`responder_cert = responder_certs[0]`
			`except IndexError:`
			`raise ConnectionError("no certificates found for the responder")`

			`ext = responder_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)`
			`if ext is None or x509.oid.ExtendedKeyUsageOID.OCSP_SIGNING not in ext.value:`
			`raise ConnectionError("delegate not autorized for ocsp signing")`
			`cert_to_validate = responder_cert`

			`if validate:`
			`_verify_response(cert_to_validate, ocsp_response)`
			`return True`


			`def _get_certificates(certs, issuer_cert, responder_name, responder_hash):`
			`if responder_name is None:`
			`certificates = [`
			`c`
			`for c in certs`
			`if _get_pubkey_hash(c) == responder_hash and c.issuer == issuer_cert.subject`
			`]`
			`else:`
			`certificates = [`
			`c`
			`for c in certs`
			`if c.subject == responder_name and c.issuer == issuer_cert.subject`
			`]`

			`return certificates`


			`def _get_pubkey_hash(certificate):`
			`pubkey = certificate.public_key()`

			`# https://stackoverflow.com/a/46309453/600498`
			`if isinstance(pubkey, RSAPublicKey):`
			`h = pubkey.public_bytes(Encoding.DER, PublicFormat.PKCS1)`
			`elif isinstance(pubkey, EllipticCurvePublicKey):`
			`h = pubkey.public_bytes(Encoding.X962, PublicFormat.UncompressedPoint)`
			`else:`
			`h = pubkey.public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)`

			`sha1 = Hash(SHA1(), backend=backends.default_backend())`
			`sha1.update(h)`
			`return sha1.finalize()`


			`def ocsp_staple_verifier(con, ocsp_bytes, expected=None):`
			`"""An implementation of a function for set_ocsp_client_callback in PyOpenSSL.`

			`This function validates that the provide ocsp_bytes response is valid,`
			`and matches the expected, stapled responses.`
			`"""`
			`if ocsp_bytes in [b"", None]:`
			`raise ConnectionError("no ocsp response present")`

			`issuer_cert = None`
			`peer_cert = con.get_peer_certificate().to_cryptography()`
			`for c in con.get_peer_cert_chain():`
			`cert = c.to_cryptography()`
			`if cert.subject == peer_cert.issuer:`
			`issuer_cert = cert`
			`break`

			`if issuer_cert is None:`
			`raise ConnectionError("no matching issuer cert found in certificate chain")`

			`if expected is not None:`
			`e = x509.load_pem_x509_certificate(expected)`
			`if peer_cert != e:`
			`raise ConnectionError("received and expected certificates do not match")`

			`return _check_certificate(issuer_cert, ocsp_bytes)`


			`class OCSPVerifier:`
			`"""A class to verify ssl sockets for RFC6960/RFC6961. This can be used`
			`when using direct validation of OCSP responses and certificate revocations.`

			`@see https://datatracker.ietf.org/doc/html/rfc6960`
			`@see https://datatracker.ietf.org/doc/html/rfc6961`
			`"""`

			`def __init__(self, sock, host, port, ca_certs=None):`
			`self.SOCK = sock`
			`self.HOST = host`
			`self.PORT = port`
			`self.CA_CERTS = ca_certs`

			`def _bin2ascii(self, der):`
			`"""Convert SSL certificates in a binary (DER) format to ASCII PEM."""`

			`pem = ssl.DER_cert_to_PEM_cert(der)`
			`cert = x509.load_pem_x509_certificate(pem.encode(), backends.default_backend())`
			`return cert`

			`def components_from_socket(self):`
			`"""This function returns the certificate, primary issuer, and primary ocsp`
			`server in the chain for a socket already wrapped with ssl.`
			`"""`

			`# convert the binary certifcate to text`
			`der = self.SOCK.getpeercert(True)`
			`if der is False:`
			`raise ConnectionError("no certificate found for ssl peer")`
			`cert = self._bin2ascii(der)`
			`return self._certificate_components(cert)`

			`def _certificate_components(self, cert):`
			`"""Given an SSL certificate, retract the useful components for`
			`validating the certificate status with an OCSP server.`

			`Args:`
			`cert ([bytes]): A PEM encoded ssl certificate`
			`"""`

			`try:`
			`aia = cert.extensions.get_extension_for_oid(`
			`x509.oid.ExtensionOID.AUTHORITY_INFORMATION_ACCESS`
			`).value`
			`except cryptography.x509.extensions.ExtensionNotFound:`
			`raise ConnectionError("No AIA information present in ssl certificate")`

			`# fetch certificate issuers`
			`issuers = [`
			`i`
			`for i in aia`
			`if i.access_method == x509.oid.AuthorityInformationAccessOID.CA_ISSUERS`
			`]`
			`try:`
			`issuer = issuers[0].access_location.value`
			`except IndexError:`
			`issuer = None`

			`# now, the series of ocsp server entries`
			`ocsps = [`
			`i`
			`for i in aia`
			`if i.access_method == x509.oid.AuthorityInformationAccessOID.OCSP`
			`]`

			`try:`
			`ocsp = ocsps[0].access_location.value`
			`except IndexError:`
			`raise ConnectionError("no ocsp servers in certificate")`

			`return cert, issuer, ocsp`

			`def components_from_direct_connection(self):`
			`"""Return the certificate, primary issuer, and primary ocsp server`
			`from the host defined by the socket. This is useful in cases where`
			`different certificates are occasionally presented.`
			`"""`

			`pem = ssl.get_server_certificate((self.HOST, self.PORT), ca_certs=self.CA_CERTS)`
			`cert = x509.load_pem_x509_certificate(pem.encode(), backends.default_backend())`
			`return self._certificate_components(cert)`

			`def build_certificate_url(self, server, cert, issuer_cert):`
			`"""Return the complete url to the ocsp"""`
			`orb = ocsp.OCSPRequestBuilder()`

			`# add_certificate returns an initialized OCSPRequestBuilder`
			`orb = orb.add_certificate(`
			`cert, issuer_cert, cryptography.hazmat.primitives.hashes.SHA256()`
			`)`
			`request = orb.build()`

			`path = base64.b64encode(`
			`request.public_bytes(hazmat.primitives.serialization.Encoding.DER)`
			`)`
			`url = urljoin(server, path.decode("ascii"))`
			`return url`

			`def check_certificate(self, server, cert, issuer_url):`
			`"""Checks the validity of an ocsp server for an issuer"""`

			`r = requests.get(issuer_url)`
			`if not r.ok:`
			`raise ConnectionError("failed to fetch issuer certificate")`
			`der = r.content`
			`issuer_cert = self._bin2ascii(der)`

			`ocsp_url = self.build_certificate_url(server, cert, issuer_cert)`

			`# HTTP 1.1 mandates the addition of the Host header in ocsp responses`
			`header = {`
			`"Host": urlparse(ocsp_url).netloc,`
			`"Content-Type": "application/ocsp-request",`
			`}`
			`r = requests.get(ocsp_url, headers=header)`
			`if not r.ok:`
			`raise ConnectionError("failed to fetch ocsp certificate")`
			`return _check_certificate(issuer_cert, r.content, True)`

			`def is_valid(self):`
			`"""Returns the validity of the certificate wrapping our socket.`
			`This first retrieves for validate the certificate, issuer_url,`
			`and ocsp_server for certificate validate. Then retrieves the`
			`issuer certificate from the issuer_url, and finally checks`
			`the validity of OCSP revocation status.`
			`"""`

			`# validate the certificate`
			`try:`
			`cert, issuer_url, ocsp_server = self.components_from_socket()`
			`if issuer_url is None:`
			`raise ConnectionError("no issuers found in certificate chain")`
			`return self.check_certificate(ocsp_server, cert, issuer_url)`
			`except AuthorizationError:`
			`cert, issuer_url, ocsp_server = self.components_from_direct_connection()`
			`if issuer_url is None:`
			`raise ConnectionError("no issuers found in certificate chain")`
			`return self.check_certificate(ocsp_server, cert, issuer_url)`