SNOW-2067577 OCSP: stop certificates chain traversal as soon as a trusted one met (#2299)

Author: sfc-gh-mmishchenko

DESCRIPTION.md

@@ -8,6 +8,30 @@ Source code is also available at: https://github.com/snowflakedb/snowflake-conne
 
 # Release Notes
 - v3.13.3(TBD)
+- v3.15(TBD)
+  - Bumped up min boto and botocore version to 1.24
+  - OCSP: terminate certificates chain traversal if a trusted certificate already reached
+
+- v3.14.1(April 21, 2025)
+  - Added support for Python 3.13.
+    - NOTE: Windows 64 support is still experimental and should not yet be used for production environments.
+  - Dropped support for Python 3.8.
+  - Added basic decimal floating-point type support.
+  - Added experimental authentication methods.
+  - Added support of GCS regional endpoints.
+  - Added support of GCS virtual urls. See more: https://cloud.google.com/storage/docs/request-endpoints#xml-api
+  - Added `client_fetch_threads` experimental parameter to better utilize threads for fetching query results.
+  - Added `check_arrow_conversion_error_on_every_column` connection property that can be set to `False` to restore previous behaviour in which driver will ignore errors until it occurs in the last column. This flag's purpose is to unblock workflows that may be impacted by the bugfix and will be removed in later releases.
+  - Lowered log levels from info to debug for some of the messages to make the output easier to follow.
+  - Allowed the connector to inherit a UUID4 generated upstream, provided in statement parameters (field: `requestId`), rather than automatically generate a UUID4 to use for the HTTP Request ID.
+  - Improved logging in urllib3, boto3, botocore - assured data masking even after migration to the external owned library in the future.
+  - Improved error message for client-side query cancellations due to timeouts.
+  - Improved security and robustness for the temporary credentials cache storage.
+  - Fixed a bug that caused driver to fail silently on `TO_DATE` arrow to python conversion when invalid date was followed by the correct one.
+  - Fixed expired S3 credentials update and increment retry when expired credentials are found.
+  - Deprecated `insecure_mode` connection property and replaced it with `disable_ocsp_checks` with the same behavior as the former property.
+
+- v3.14.0(March 03, 2025)
   - Bumped pyOpenSSL dependency upper boundary from <25.0.0 to <26.0.0.
   - Removed the workaround for a Python 2.7 bug.
   - Added a <19.0.0 pin to pyarrow as a workaround to a bug affecting Azure Batch.

src/snowflake/connector/ocsp_asn1crypto.py

@@ -398,15 +398,22 @@ def extract_certificate_chain(
         from OpenSSL.crypto import FILETYPE_ASN1, dump_certificate
 
         cert_map = OrderedDict()
-        logger.debug("# of certificates: %s", len(connection.get_peer_cert_chain()))
-
-        for cert_openssl in connection.get_peer_cert_chain():
+        cert_chain = connection.get_peer_cert_chain()
+        logger.debug("# of certificates: %s", len(cert_chain))
+        self._lazy_read_ca_bundle()
+        for cert_openssl in cert_chain:
             cert_der = dump_certificate(FILETYPE_ASN1, cert_openssl)
             cert = Certificate.load(cert_der)
             logger.debug(
                 "subject: %s, issuer: %s", cert.subject.native, cert.issuer.native
             )
             cert_map[cert.subject.sha256] = cert
+            if cert.issuer.sha256 in SnowflakeOCSP.ROOT_CERTIFICATES_DICT:
+                logger.debug(
+                    "A trusted root certificate found: %s, stopping chain traversal here",
+                    cert.subject.native,
+                )
+                break
 
         return self.create_pair_issuer_subject(cert_map)
 

src/snowflake/connector/tool/dump_ocsp_response.py

@@ -5,38 +5,55 @@
 
 from __future__ import annotations
 
+import logging
+import sys
 import time
-from os import path
+from argparse import ArgumentParser, Namespace
 from time import gmtime, strftime
 
 from asn1crypto import ocsp as asn1crypto_ocsp
 
 from snowflake.connector.compat import urlsplit
 from snowflake.connector.ocsp_asn1crypto import SnowflakeOCSPAsn1Crypto as SFOCSP
+from snowflake.connector.ocsp_snowflake import OCSPTelemetryData
 from snowflake.connector.ssl_wrap_socket import _openssl_connect
 
 
+def _parse_args() -> Namespace:
+    parser = ArgumentParser(
+        prog="dump_ocsp_response",
+        description="Dump OCSP Response for the URLs (an internal tool).",
+    )
+    parser.add_argument(
+        "-o",
+        "--output-file",
+        required=False,
+        help="Dump output file",
+        type=str,
+        default=None,
+    )
+    parser.add_argument(
+        "--log-level",
+        required=False,
+        help="Log level",
+        choices=["DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"],
+    )
+    parser.add_argument("--log-file", required=False, help="Log file", default=None)
+    parser.add_argument("urls", nargs="+", help="URLs to dump OCSP Response for")
+    return parser.parse_args()
+
+
 def main() -> None:
     """Internal Tool: OCSP response dumper."""
-
-    def help() -> None:
-        print("Dump OCSP Response for the URL. ")
-        print(
-            """
-Usage: {} <url> [<url> ...]
-""".format(
-                path.basename(sys.argv[0])
+    args = _parse_args()
+    if args.log_level:
+        if args.log_file:
+            logging.basicConfig(
+                filename=args.log_file, level=getattr(logging, args.log_level.upper())
             )
-        )
-        sys.exit(2)
-
-    import sys
-
-    if len(sys.argv) < 2:
-        help()
-
-    urls = sys.argv[1:]
-    dump_ocsp_response(urls, output_filename=None)
+        else:
+            logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)
+    dump_ocsp_response(args.urls, output_filename=args.output_file)
 
 
 def dump_good_status(current_time, single_response) -> None:
@@ -91,7 +108,7 @@ def dump_ocsp_response(urls, output_filename):
         for issuer, subject in cert_data:
             _, _ = ocsp.create_ocsp_request(issuer, subject)
             _, _, _, cert_id, ocsp_response_der = ocsp.validate_by_direct_connection(
-                issuer, subject
+                issuer, subject, OCSPTelemetryData()
             )
             ocsp_response = asn1crypto_ocsp.OCSPResponse.load(ocsp_response_der)
             print("------------------------------------------------------------")
@@ -119,7 +136,7 @@ def dump_ocsp_response(urls, output_filename):
 
         if output_filename:
             SFOCSP.OCSP_CACHE.write_ocsp_response_cache_file(ocsp, output_filename)
-    return SFOCSP.OCSP_CACHE.CACHE
+    return SFOCSP.OCSP_CACHE
 
 
 if __name__ == "__main__":

tox.ini

@@ -84,6 +84,7 @@ deps =
     pytest-timeout
     pytest-xdist
     mock
+    certifi<2025.4.26
 skip_install = True
 setenv = {[testenv]setenv}
 passenv = {[testenv]passenv}