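def download_ocsp_response_cache(url):
    """
    Downloads OCSP response cache from Snowflake.

    Fetches the JSON document at ``url`` and decodes it into a fresh dict via
    ``_decode_ocsp_response_cache``.  Every failure mode (transport error,
    non-200 status, undecodable JSON or base64) is logged at debug level and
    the function still returns normally, so callers degrade to asking the
    OCSP responder directly.  If decoding raises part-way the dict may be
    left partially populated and is returned as-is.

    :param url: cache-server URL to fetch; HTTPS certificates are verified.
    :return: dict filled by ``_decode_ocsp_response_cache``; empty on failure.
    """
    logger = getLogger(__name__)
    ocsp_validation_cache = {}
    import binascii  # only needed for binascii.Error in the except clause
    try:
        with requests.Session() as session:
            # Transport-level retries (connection failures); HTTP status
            # codes are handled explicitly below.
            session.mount('http://', HTTPAdapter(max_retries=5))
            session.mount('https://', HTTPAdapter(max_retries=5))

            response = session.request(
                method=u'get',
                url=url,
                timeout=10,  # socket timeout so a stalled server cannot hang us
                verify=True,  # TLS certificate verification for HTTPS
            )
        if response.status_code == OK:
            try:
                _decode_ocsp_response_cache(response.json(),
                                            ocsp_validation_cache)
            except (ValueError, binascii.Error) as err:
                # ValueError: JSON decode failure; binascii.Error: bad base64
                # inside the cache entries.  Fixed the missing space in the
                # message ("It will" / "validate").
                logger.debug(
                    'Failed to convert OCSP cache server response to '
                    'JSON. The cache was corrupted. No worry. It will '
                    'validate with OCSP server: %s', err)
        else:
            logger.debug("Failed to get OCSP response cache from %s: %s", url,
                         response.status_code)
    except Exception as e:
        # Deliberately best-effort: the cache is an optimisation, so any
        # failure is swallowed (logged) rather than propagated.
        logger.debug("Failed to get OCSP response cache from %s: %s", url, e)
    return ocsp_validation_cache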
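def execute_ocsp_request(ocsp_uri, cert_id, proxies=None, do_retry=True):
    """
    Executes OCSP request for the given cert id

    Builds an unsigned, nonce-less OCSPRequest holding a single ``Request``
    for ``cert_id``, DER-encodes it and POSTs it to ``ocsp_uri`` with
    ``Content-Type: application/ocsp-request``.

    :param ocsp_uri: OCSP responder URL.
    :param cert_id: value assigned to ``Request['reqCert']`` (the CertID
        structure accepted by ``Request``).
    :param proxies: optional ``requests``-style proxies mapping.
    :param do_retry: when True, non-200 answers are retried up to 100 times
        with exponential back-off capped at 16 seconds; when False, the
        request is sent exactly once.
    :return: raw response body (bytes).  If every attempt fails, the body
        of the *last* non-200 response is returned unchanged; callers must
        parse/validate it rather than assume it is an OCSPResponse.
    """
    logger = getLogger(__name__)
    request = Request()
    request['reqCert'] = cert_id

    request_list = univ.SequenceOf(componentType=Request())
    request_list[0] = request

    tbs_request = TBSRequest()
    tbs_request['requestList'] = request_list
    # version carries an explicit context tag [0] in the OCSP ASN.1 module.
    tbs_request['version'] = Version(0).subtype(
        explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))

    ocsp_request = OCSPRequest()
    ocsp_request['tbsRequest'] = tbs_request

    # no signature for the client
    # no nonce is set, because not all OCSP responders implement it yet
    # NOTE(review): without a nonce the response is not bound to this
    # request, so freshness has to come from the response's own validity
    # window -- confirm the caller checks it.

    # transform objects into data in requests
    data = der_encoder.encode(ocsp_request)
    parsed_url = urlsplit(ocsp_uri)

    max_retry = 100 if do_retry else 1
    # NOTE: This retry is to retry getting HTTP 200.
    headers = {
        'Content-Type': 'application/ocsp-request',
        'Content-Length': '{0}'.format(len(data)),
        'Host': parsed_url.hostname,
    }
    logger.debug('url: %s, headers: %s, proxies: %s', ocsp_uri, headers,
                 proxies)
    with requests.Session() as session:
        # Transport-level retries (connection failures) are independent of
        # the HTTP-status retry loop below.
        session.mount('http://', HTTPAdapter(max_retries=5))
        session.mount('https://', HTTPAdapter(max_retries=5))
        for attempt in range(max_retry):
            response = session.post(ocsp_uri,
                                    headers=headers,
                                    proxies=proxies,
                                    data=data,
                                    timeout=60)
            if response.status_code == OK:
                logger.debug("OCSP response was successfully returned")
                break
            if attempt + 1 < max_retry:
                # Exponential back-off capped at 16s.  Only sleep when another
                # attempt follows; the original slept after the final failed
                # attempt too, which just delayed the error by up to 16s.
                wait_time = min(2 ** attempt, 16)
                logger.debug("OCSP server returned %s. Retrying in %s(s)",
                             response.status_code, wait_time)
                time.sleep(wait_time)
        else:
            logger.error("Failed to get OCSP response after %s attempt.",
                         max_retry)
    return response.content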
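def execute_ocsp_request(ocsp_uri, cert_id, proxies=None, do_retry=True):
    """
    Executes OCSP request for the given cert id

    Builds an unsigned, nonce-less OCSPRequest holding a single ``Request``
    for ``cert_id``, DER-encodes and base64-encodes it, and fetches it with
    an HTTP GET.  The target is either
    ``SF_OCSP_RESPONSE_CACHE_SERVER_RETRY_URL_PATTERN`` formatted with the
    responder hostname and the base64 payload (when that module-level
    setting is truthy) or ``<ocsp_uri>/<base64 payload>``.

    :param ocsp_uri: OCSP responder URL.
    :param cert_id: value assigned to ``Request['reqCert']`` (the CertID
        structure accepted by ``Request``).
    :param proxies: optional ``requests``-style proxies mapping.
    :param do_retry: when True, non-200 answers are retried up to 100 times
        with exponential back-off capped at 16 seconds; when False, the
        request is sent exactly once.
    :return: raw response body (bytes).  If every attempt fails, the body
        of the *last* non-200 response is returned unchanged; callers must
        parse/validate it rather than assume it is an OCSPResponse.
    """
    # The module-level pattern is only read here, so no ``global`` statement
    # is needed.
    logger = getLogger(__name__)
    request = Request()
    request['reqCert'] = cert_id

    request_list = univ.SequenceOf(componentType=Request())
    request_list[0] = request

    tbs_request = TBSRequest()
    tbs_request['requestList'] = request_list
    # version carries an explicit context tag [0] in the OCSP ASN.1 module.
    tbs_request['version'] = Version(0).subtype(
        explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))

    ocsp_request = OCSPRequest()
    ocsp_request['tbsRequest'] = tbs_request

    # no signature for the client
    # no nonce is set, because not all OCSP responders implement it yet
    # NOTE(review): without a nonce the response is not bound to this
    # request, so freshness has to come from the response's own validity
    # window -- confirm the caller checks it.

    # transform objects into data in requests
    data = der_encoder.encode(ocsp_request)
    b64data = b64encode(data).decode('ascii')
    # NOTE(review): standard base64 may contain '+', '/' and '=' which are
    # placed into the URL path unescaped here; confirm the responder / cache
    # server accepts that, or percent-encode the payload.

    if SF_OCSP_RESPONSE_CACHE_SERVER_RETRY_URL_PATTERN:
        parsed_url = urlsplit(ocsp_uri)
        target_url = SF_OCSP_RESPONSE_CACHE_SERVER_RETRY_URL_PATTERN.format(
            parsed_url.hostname, b64data)
    else:
        target_url = u"{0}/{1}".format(ocsp_uri, b64data)

    max_retry = 100 if do_retry else 1
    # NOTE: This retry is to retry getting HTTP 200.
    logger.debug('url: %s, proxies: %s', target_url, proxies)
    with requests.Session() as session:
        # Transport-level retries (connection failures) are independent of
        # the HTTP-status retry loop below.
        session.mount('http://', HTTPAdapter(max_retries=5))
        session.mount('https://', HTTPAdapter(max_retries=5))
        for attempt in range(max_retry):
            response = session.get(target_url, proxies=proxies, timeout=60)
            if response.status_code == OK:
                logger.debug("OCSP response was successfully returned")
                break
            if attempt + 1 < max_retry:
                # Exponential back-off capped at 16s.  Only sleep when another
                # attempt follows; the original slept after the final failed
                # attempt too, which just delayed the error by up to 16s.
                wait_time = min(2 ** attempt, 16)
                logger.debug("OCSP server returned %s. Retrying in %s(s)",
                             response.status_code, wait_time)
                time.sleep(wait_time)
        else:
            logger.error("Failed to get OCSP response after %s attempt.",
                         max_retry)
    return response.content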
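 def get_session(self):
     """
     Return the cached ``requests.Session``, creating it on first call.

     The session is built from ``self._session_kwargs``, gets a bearer
     ``Authorization`` header from ``self.get_oauth2_token()`` and mounts one
     ``HTTPAdapter(max_retries=self.retry_policy)`` for both schemes.  Since
     the header is stored on the session, every request sent through it
     carries the token; the token is obtained once, at creation, and is not
     refreshed here.

     Fix: ``self._session`` is only assigned once the session is fully
     configured.  Previously it was stored *before* the token lookup, so a
     failing ``get_oauth2_token()`` left a half-built session (no
     Authorization header, no retry adapters) that later calls returned.

     :return: the shared, configured ``requests.Session``.
     """
     if self._session is not None:
         return self._session

     session = requests.Session(**self._session_kwargs)
     # Same call order as before: session first, then the token lookup.
     bearer = "Bearer " + self.get_oauth2_token()
     session.headers.update(Authorization=bearer)
     adapter = HTTPAdapter(max_retries=self.retry_policy)
     for scheme in ('http://', 'https://'):
         session.mount(scheme, adapter)

     self._session = session
     return session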
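def download_ocsp_response_cache(url):
    """
    Downloads OCSP response cache from Snowflake.

    Fetches the JSON document at ``url`` and feeds it to
    ``_decode_ocsp_response_cache`` together with the module-level
    ``OCSP_VALIDATION_CACHE``.  A non-200 status or an undecodable body is
    logged at info level (the cache may be left partially populated if
    decoding fails part-way); exceptions raised by ``requests`` itself
    propagate to the caller.

    :param url: cache-server URL to fetch.
    """
    import binascii  # only needed for binascii.Error in the except clause
    logger = getLogger(__name__)
    with requests.Session() as session:
        session.mount('http://', HTTPAdapter(max_retries=5))
        session.mount('https://', HTTPAdapter(max_retries=5))
        # Bounded socket timeout, matching the other cache download path in
        # this file; without it a stalled cache server blocks the caller
        # indefinitely.
        response = session.get(url, timeout=10)
    if response.status_code == OK:
        try:
            _decode_ocsp_response_cache(response.json(), OCSP_VALIDATION_CACHE)
        except (ValueError, binascii.Error) as err:
            # ValueError: JSON decode failure; binascii.Error: bad base64 in
            # the cache entries.  Fixed the missing space ("It will" /
            # "validate") in the message.
            logger.info(
                'Failed to convert OCSP cache server response to '
                'JSON. The cache was corrupted. No worry. It will '
                'validate with OCSP server: %s', err)
    else:
        logger.info("Failed to get OCSP response cache from %s: %s", url,
                    response.status_code)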
 def make_requests_session(self):
     """
     Create a fresh ``requests.Session`` with retrying adapters.

     A separate ``HTTPAdapter(max_retries=REQUESTS_RETRY)`` is mounted for
     ``http://`` and ``https://``.  A private ``_reuse_count`` attribute
     (an ``itertools.count()``) is attached to the session; this method only
     creates the counter and never advances it.

     :return: the newly configured ``requests.Session``.
     """
     session = requests.Session()
     for scheme in (u'http://', u'https://'):
         session.mount(scheme, HTTPAdapter(max_retries=REQUESTS_RETRY))
     session._reuse_count = itertools.count()
     return session