PYTHON-2147 Use verified peer cert chain in OCSP when available (#877)

(cherry picked from commit 7a8f6b3442)
2022-02-16 17:11:12 -08:00 · 2022-02-16 17:11:12 -08:00 · cbae04f13c
commit cbae04f13c
parent 22e84f081d
2 changed files with 11 additions and 3 deletions
--- a/pymongo/ocsp_support.py
+++ b/pymongo/ocsp_support.py
@ -275,12 +275,18 @@ def _ocsp_callback(conn, ocsp_bytes, user_data):
        _LOGGER.debug("No peer cert?")
        return 0
    cert = cert.to_cryptography()
-    chain = conn.get_peer_cert_chain()
+    # Use the verified chain when available (pyopenssl>=20.0).
+    if hasattr(conn, "get_verified_chain"):
+        chain = conn.get_verified_chain()
+        trusted_ca_certs = None
+    else:
+        chain = conn.get_peer_cert_chain()
+        trusted_ca_certs = user_data.trusted_ca_certs
    if not chain:
        _LOGGER.debug("No peer cert chain?")
        return 0
    chain = [cer.to_cryptography() for cer in chain]
-    issuer = _get_issuer_cert(cert, chain, user_data.trusted_ca_certs)
+    issuer = _get_issuer_cert(cert, chain, trusted_ca_certs)
    must_staple = False
    # https://tools.ietf.org/html/rfc7633#section-4.2.3.1
    ext = _get_extension(cert, _TLSFeature)
--- a/pymongo/pyopenssl_context.py
+++ b/pymongo/pyopenssl_context.py
@ -274,7 +274,9 @@ class SSLContext(object):
        ssl.CERT_NONE.
        """
        self._ctx.load_verify_locations(cafile, capath)
-        self._callback_data.trusted_ca_certs = _load_trusted_ca_certs(cafile)
+        # Manually load the CA certs when get_verified_chain is not available (pyopenssl<20).
+        if not hasattr(_SSL.Connection, "get_verified_chain"):
+            self._callback_data.trusted_ca_certs = _load_trusted_ca_certs(cafile)

    def _load_certifi(self):
        """Attempt to load CA certs from certifi."""