From 3313a20f1bb80356863d5224ed5070d79cedb30e Mon Sep 17 00:00:00 2001
From: Mark Keller
Date: Fri, 22 Nov 2024 17:10:46 -0800
Subject: [PATCH 1/2] making OCSP validation code more resilient

---
 src/snowflake/connector/ocsp_asn1crypto.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/snowflake/connector/ocsp_asn1crypto.py b/src/snowflake/connector/ocsp_asn1crypto.py
index 8fc21302b..e7dbbf9e7 100644
--- a/src/snowflake/connector/ocsp_asn1crypto.py
+++ b/src/snowflake/connector/ocsp_asn1crypto.py
@@ -5,6 +5,7 @@
 
 from __future__ import annotations
 
+import typing
 from base64 import b64decode, b64encode
 from collections import OrderedDict
 from datetime import datetime, timezone
@@ -28,6 +29,9 @@
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import padding, utils
+from cryptography.hazmat.primitives.asymmetric.dsa import DSAPublicKey
+from cryptography.hazmat.primitives.asymmetric.ec import ECDSA, EllipticCurvePublicKey
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
 from OpenSSL.SSL import Connection
 from snowflake.connector.errorcode import (
@@ -368,9 +372,21 @@ def verify_signature(self, signature_algorithm, signature, cert, data):
         hasher = hashes.Hash(chosen_hash, backend)
         hasher.update(data.dump())
         digest = hasher.finalize()
+        additional_kwargs: dict[str, typing.Any] = dict()
+        if isinstance(public_key, RSAPublicKey):
+            additional_kwargs["padding"] = padding.PKCS1v15()
+            additional_kwargs["algorithm"] = utils.Prehashed(chosen_hash)
+        elif isinstance(public_key, DSAPublicKey):
+            additional_kwargs["algorithm"] = utils.Prehashed(chosen_hash)
+        elif isinstance(public_key, EllipticCurvePublicKey):
+            additional_kwargs["signature_algorithm"] = ECDSA(
+                utils.Prehashed(chosen_hash)
+            )
         try:
             public_key.verify(
-                signature, digest, padding.PKCS1v15(), utils.Prehashed(chosen_hash)
+                signature,
+                digest,
+                **additional_kwargs,
             )
         except InvalidSignature:
             raise RevocationCheckError(msg="Failed to verify the signature")
From cfc6c09929f0ec59d5f4783a5beb8f51b0003fe6 Mon Sep 17 00:00:00 2001
From: Mark Keller
Date: Mon, 25 Nov 2024 10:37:35 -0800
Subject: [PATCH 2/2] adding changelog

---
 DESCRIPTION.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/DESCRIPTION.md b/DESCRIPTION.md
index 9513fa71f..f20039dd4 100644
--- a/DESCRIPTION.md
+++ b/DESCRIPTION.md
@@ -11,6 +11,7 @@ Source code is also available at: https://github.com/snowflakedb/snowflake-conne
 - v3.12.4(TBD)
   - Fixed a bug where multipart uploads to Azure would be missing their MD5 hashes.
   - Fixed a bug where OpenTelemetry header injection would sometimes cause Exceptions to be thrown.
+  - Fixed a bug where OCSP checks would throw TypeError and make mainly GCP blob storage unreachable.
 - v3.12.3(October 25,2024)
   - Improved the error message for SSL-related issues to provide clearer guidance when an SSL error occurs.
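Review bot: The key-type dispatch added before the `try` has no fallthrough: a public key that is not RSA, DSA or EC leaves `additional_kwargs` empty, so `public_key.verify(signature, digest)` is called with an argument list that matches none of the dispatched key types and the TypeError this commit sets out to remove can still escape to the caller (an Ed25519 key, which takes no extra arguments, would instead be handed the digest rather than the data and fail as a plain InvalidSignature). I would close the chain with an explicit branch, `else: raise RevocationCheckError(msg=f"Unsupported OCSP signing key type: {type(public_key).__name__}")`, so an unsupported responder key surfaces as a revocation-check failure rather than as an unrelated exception. `public_key` and `chosen_hash` are bound before this hunk and verify_signature starts outside it, so whether `public_key` is always a `cryptography` key object cannot be confirmed from here. As a style point, `dict()` on the first added line would conventionally be `{}`.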