
Commit b7013da

smtakedaankit-bhatnagar167
authored andcommitted
SNOW-61795: SNOW-64859: Internal change for future improvements
1 parent e06c451 commit b7013da

10 files changed

+866
-107
lines changed


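--- a/errorcode.py
+++ b/errorcode.py
@@ -67,6 +67,8 @@
 ER_INVALID_OCSP_RESPONSE = 254007
 ER_CA_CERTIFICATE_NOT_FOUND = 254008
 ER_SERVER_CERTIFICATE_UNKNOWN = 254009
+ER_INVALID_OCSP_RESPONSE_CODE = 254010
+ER_INVALID_SSD = 254011
 
 # converter
 ER_NOT_SUPPORT_DATA_TYPE = 255001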

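--- a/ocsp_asn1crypto.py
+++ b/ocsp_asn1crypto.py
@@ -17,10 +17,12 @@
 from asn1crypto.x509 import Certificate
 
 from snowflake.connector.errorcode import (
-    ER_INVALID_OCSP_RESPONSE)
+    ER_INVALID_OCSP_RESPONSE,
+    ER_INVALID_OCSP_RESPONSE_CODE)
 from snowflake.connector.errors import OperationalError
 from snowflake.connector.ocsp_snowflake import SnowflakeOCSP
 from collections import OrderedDict
+from snowflake.connector.ssd_internal_keys import ret_wildcard_hkey
 
 logger = getLogger(__name__)
 
@@ -37,8 +39,11 @@ class SnowflakeOCSPAsn1Crypto(SnowflakeOCSP):
         'sha512': SHA512,
     }
 
+    WILDCARD_CERTID = None
+
     def __init__(self, **kwargs):
         super(SnowflakeOCSPAsn1Crypto, self).__init__(**kwargs)
+        self.WILDCARD_CERTID = self.encode_cert_id_key(ret_wildcard_hkey())
 
     def encode_cert_id_key(self, hkey):
         issuer_name_hash, issuer_key_hash, serial_number = hkey
@@ -138,20 +143,20 @@ def extract_revoked_status(self, single_response):
         return revocation_time, revocation_reason
 
     def is_valid_time(self, cert_id, ocsp_response):
-        try:
-            res = OCSPResponse.load(ocsp_response)
+        res = OCSPResponse.load(ocsp_response)
 
-            if res['response_status'].native != 'successful':
-                raise OperationalError(
-                    msg="Invalid Status: {0}".format(res['response_status'].native),
-                    errno=ER_INVALID_OCSP_RESPONSE)
+        if res['response_status'].native != 'successful':
+            raise OperationalError(
+                msg="Invalid Status: {0}".format(res['response_status'].native),
+                errno=ER_INVALID_OCSP_RESPONSE)
 
-            basic_ocsp_response = res.basic_ocsp_response
-            tbs_response_data = basic_ocsp_response['tbs_response_data']
+        basic_ocsp_response = res.basic_ocsp_response
+        tbs_response_data = basic_ocsp_response['tbs_response_data']
 
-            single_response = tbs_response_data['responses'][0]
-            cert_status = single_response['cert_status'].name
+        single_response = tbs_response_data['responses'][0]
+        cert_status = single_response['cert_status'].name
 
+        try:
             if cert_status == 'good':
                 self._process_good_status(single_response, cert_id, ocsp_response)
         except Exception as ex:
@@ -161,8 +166,13 @@ def is_valid_time(self, cert_id, ocsp_response):
         return True
 
     def process_ocsp_response(self, issuer, cert_id, ocsp_response):
-        res = OCSPResponse.load(ocsp_response)
-
+        try:
+            res = OCSPResponse.load(ocsp_response)
+        except Exception:
+            raise OperationalError(
+                msg='Invalid OCSP Response',
+                errno=ER_INVALID_OCSP_RESPONSE
+            )
         if res['response_status'].native != 'successful':
             raise OperationalError(
                 msg="Invalid Status: {0}".format(res['response_status'].native),
@@ -210,7 +220,7 @@ def process_ocsp_response(self, issuer, cert_id, ocsp_response):
             raise OperationalError(
                 msg="Unknown revocation status was returned. OCSP response "
                     "may be malformed: {0}".format(cert_status),
-                errno=ER_INVALID_OCSP_RESPONSE
+                errno=ER_INVALID_OCSP_RESPONSE_CODE
             )
 
     def verify_signature(self, signature_algorithm, signature, cert, data):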
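Review bot: In `is_valid_time` the `OCSPResponse.load(ocsp_response)` call and the field walk down to `cert_status` are moved out of the `try`, so an undecodable or truncated response now escapes as a raw asn1crypto exception, whereas the `process_ocsp_response` hunk in the same file wraps the identical `load` call and converts failure into `OperationalError(errno=ER_INVALID_OCSP_RESPONSE)`; `ocsp_pyasn1.py`'s `is_valid_time` has the same shape. Whatever the `except Exception as ex:` handler does (its body continues outside the hunk) used to cover the parse step too, so callers that relied on a single exception type for bad input should get the same guard here. The new `except Exception:` in `process_ocsp_response` also drops the decoder's own message; binding it and logging at debug level keeps the diagnostic without changing the raised error. A short docstring on `is_valid_time` stating that it raises `OperationalError` for a non-successful status would also help, since the method's return contract is otherwise only visible from the `return True` in the next hunk.
```python
    def is_valid_time(self, cert_id, ocsp_response):
        try:
            res = OCSPResponse.load(ocsp_response)
        except Exception as ex:
            logger.debug('OCSP response decode failed: %s', ex)
            raise OperationalError(
                msg='Invalid OCSP Response',
                errno=ER_INVALID_OCSP_RESPONSE)
        # … unchanged: status check, response walk, try/except around _process_good_status …
```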

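--- a/ocsp_pyasn1.py
+++ b/ocsp_pyasn1.py
@@ -27,7 +27,7 @@
 
 from snowflake.connector.ocsp_snowflake import SnowflakeOCSP
 from .compat import (PY2)
-from .errorcode import (ER_INVALID_OCSP_RESPONSE)
+from .errorcode import (ER_INVALID_OCSP_RESPONSE, ER_INVALID_OCSP_RESPONSE_CODE)
 from .errors import (OperationalError)
 from .rfc6960 import (
     OCSPRequest,
@@ -39,6 +39,8 @@
     BasicOCSPResponse,
     Version)
 
+from snowflake.connector.ssd_internal_keys import ret_wildcard_hkey
+
 logger = getLogger(__name__)
 
 
@@ -63,6 +65,8 @@ class SnowflakeOCSPPyasn1(SnowflakeOCSP):
         sha512WithRSAEncryption: SHA512,
     }
 
+    WILDCARD_CERTID = None
+
     @staticmethod
     def _get_pyasn1_version():
         with SnowflakeOCSPPyasn1.PYASN1_VERSION_LOCK:
@@ -78,6 +82,7 @@ def _get_pyasn1_version():
 
     def __init__(self, **kwargs):
         super(SnowflakeOCSPPyasn1, self).__init__(**kwargs)
+        self.WILDCARD_CERTID = self.encode_cert_id_key(ret_wildcard_hkey())
 
     def encode_cert_id_key(self, hkey):
         issuer_name_hash, issuer_key_hash, serial_number = hkey
@@ -350,26 +355,26 @@ def _convert_generalized_time_to_datetime(self, gentime):
         return datetime.strptime(str(gentime), '%Y%m%d%H%M%SZ')
 
     def is_valid_time(self, cert_id, ocsp_response):
-        try:
-            res = der_decoder.decode(ocsp_response, OCSPResponse())[0]
+        res = der_decoder.decode(ocsp_response, OCSPResponse())[0]
 
-            if res.getComponentByName('responseStatus') != OCSPResponseStatus(
-                    'successful'):
-                raise OperationalError(
-                    msg="Invalid Status: {0}".format(
-                        res.getComponentByName('response_status')),
-                    errno=ER_INVALID_OCSP_RESPONSE)
+        if res.getComponentByName('responseStatus') != OCSPResponseStatus(
+                'successful'):
+            raise OperationalError(
+                msg="Invalid Status: {0}".format(
+                    res.getComponentByName('response_status')),
+                errno=ER_INVALID_OCSP_RESPONSE)
 
-            response_bytes = res.getComponentByName('responseBytes')
-            basic_ocsp_response = der_decoder.decode(
-                response_bytes.getComponentByName('response'),
-                BasicOCSPResponse())[0]
+        response_bytes = res.getComponentByName('responseBytes')
+        basic_ocsp_response = der_decoder.decode(
+            response_bytes.getComponentByName('response'),
+            BasicOCSPResponse())[0]
 
-            tbs_response_data = basic_ocsp_response.getComponentByName(
-                'tbsResponseData')
+        tbs_response_data = basic_ocsp_response.getComponentByName(
+            'tbsResponseData')
 
-            single_response = tbs_response_data.getComponentByName('responses')[0]
-            cert_status = single_response.getComponentByName('certStatus')
+        single_response = tbs_response_data.getComponentByName('responses')[0]
+        cert_status = single_response.getComponentByName('certStatus')
+        try:
             if cert_status.getName() == 'good':
                 self._process_good_status(single_response, cert_id, ocsp_response)
         except Exception as ex:
@@ -379,7 +384,13 @@ def is_valid_time(self, cert_id, ocsp_response):
         return True
 
     def process_ocsp_response(self, issuer, cert_id, ocsp_response):
-        res = der_decoder.decode(ocsp_response, OCSPResponse())[0]
+        try:
+            res = der_decoder.decode(ocsp_response, OCSPResponse())[0]
+        except Exception:
+            raise OperationalError(
+                msg='Invalid OCSP Response',
+                errno=ER_INVALID_OCSP_RESPONSE
+            )
 
         if res.getComponentByName('responseStatus') != OCSPResponseStatus(
                 'successful'):
@@ -435,7 +446,7 @@ def process_ocsp_response(self, issuer, cert_id, ocsp_response):
             raise OperationalError(
                 msg="Unknown revocation status was returned. OCSP response "
                     "may be malformed: {0}".format(cert_status),
-                errno=ER_INVALID_OCSP_RESPONSE
+                errno=ER_INVALID_OCSP_RESPONSE_CODE
             )
 
     def verify_signature(self, signature_algorithm, signature, cert, data):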
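Review bot: The error path of `is_valid_time` reads `res.getComponentByName('response_status')` on new line 364 while the check two lines above, and the same check in `process_ocsp_response` further down, use `'responseStatus'`; pyasn1 rejects unknown component names, so a non-successful status would surface as a pyasn1 error rather than the intended `OperationalError` with `ER_INVALID_OCSP_RESPONSE`. The moved line should read `res.getComponentByName('responseStatus')),`. Before this commit the whole body sat inside the `try`, so the `except Exception as ex:` handler (whose body is outside the hunk) applied to that failure as well; now the status check runs before the `try` and nothing in the method catches it. The parse-guard inconsistency with `process_ocsp_response` is the same as in `ocsp_asn1crypto.py` and is raised there.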
