SNOW-1348650: implement ocsp validation (#2025)

Author: sfc-gh-aling

ci/test_fips.sh

@@ -21,6 +21,6 @@ python -c  "from cryptography.hazmat.backends.openssl import backend;print('Cryp
 pip freeze
 
 cd $CONNECTOR_DIR
-pytest -vvv --cov=snowflake.connector --cov-report=xml:coverage.xml test
+pytest -vvv --cov=snowflake.connector --cov-report=xml:coverage.xml test --ignore=test/integ/aio --ignore=test/unit/aio
 
 deactivate

src/snowflake/connector/aio/_network.py

@@ -81,6 +81,7 @@
     SQLSTATE_CONNECTION_WAS_NOT_ESTABLISHED,
 )
 from ..time_util import TimeoutBackoffCtx, get_time_millis
+from ._ssl_connector import SnowflakeSSLConnector
 
 if TYPE_CHECKING:
     from snowflake.connector.aio import SnowflakeConnection
@@ -816,7 +817,9 @@ async def _request_exec(
             raise err
 
     def make_requests_session(self) -> aiohttp.ClientSession:
-        s = aiohttp.ClientSession()
+        s = aiohttp.ClientSession(
+            connector=SnowflakeSSLConnector(snowflake_ocsp_mode=self._ocsp_mode)
+        )
         # TODO: sync feature parity, proxy support
         # s.mount("http://", ProxySupportAdapter(max_retries=REQUESTS_RETRY))
         # s.mount("https://", ProxySupportAdapter(max_retries=REQUESTS_RETRY))

src/snowflake/connector/aio/_ocsp_asn1crypto.py

@@ -0,0 +1,49 @@
+#
+# Copyright (c) 2012-2023 Snowflake Computing Inc. All rights reserved.
+#
+
+from __future__ import annotations
+
+import ssl
+from collections import OrderedDict
+from logging import getLogger
+
+from aiohttp.client_proto import ResponseHandler
+from asn1crypto.x509 import Certificate
+
+from ..ocsp_asn1crypto import SnowflakeOCSPAsn1Crypto as SnowflakeOCSPAsn1CryptoSync
+from ._ocsp_snowflake import SnowflakeOCSP
+
+logger = getLogger(__name__)
+
+
+class SnowflakeOCSPAsn1Crypto(SnowflakeOCSP, SnowflakeOCSPAsn1CryptoSync):
+
+    def extract_certificate_chain(self, connection: ResponseHandler):
+        ssl_object = connection.transport.get_extra_info("ssl_object")
+        if not ssl_object:
+            raise RuntimeError(
+                "Unable to get the SSL object from the asyncio transport to perform OCSP validation."
+                "Please open an issue on the Snowflake Python Connector GitHub repository "
+                "and provide your execution environment"
+                " details: https://github.com/snowflakedb/snowflake-connector-python/issues/new/choose."
+                "As a workaround, you can create the connection with `insecure_mode=True` to skip OCSP Validation."
+            )
+
+        cert_map = OrderedDict()
+        # in Python 3.10, get_unverified_chain was introduced as a
+        # private method: https://github.com/python/cpython/pull/25467
+        # which returns all the peer certs in the chain.
+        # Python 3.13 will have the method get_unverified_chain publicly available on ssl.SSLSocket class
+        # https://docs.python.org/pl/3.13/library/ssl.html#ssl.SSLSocket.get_unverified_chain
+        unverified_chain = ssl_object._sslobj.get_unverified_chain()
+        logger.debug("# of certificates: %s", len(unverified_chain))
+
+        for cert in unverified_chain:
+            cert = Certificate.load(ssl.PEM_cert_to_DER_cert(cert.public_bytes()))
+            logger.debug(
+                "subject: %s, issuer: %s", cert.subject.native, cert.issuer.native
+            )
+            cert_map[cert.subject.sha256] = cert
+
+        return self.create_pair_issuer_subject(cert_map)