From 557774d3e6de714ce4c2f642c7d8aa3ad2577d0d Mon Sep 17 00:00:00 2001
From: Mark Keller
Date: Mon, 25 Nov 2024 13:30:41 -0800
Subject: [PATCH] SNOW-1820480 making OCSP validation code more resillient (#2107)

---
 DESCRIPTION.md                             |  1 +
 src/snowflake/connector/ocsp_asn1crypto.py | 18 +++++++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/DESCRIPTION.md b/DESCRIPTION.md
index 9513fa71f..f20039dd4 100644
--- a/DESCRIPTION.md
+++ b/DESCRIPTION.md
@@ -11,6 +11,7 @@ Source code is also available at: https://github.com/snowflakedb/snowflake-conne
 - v3.12.4(TBD)
   - Fixed a bug where multipart uploads to Azure would be missing their MD5 hashes.
   - Fixed a bug where OpenTelemetry header injection would sometimes cause Exceptions to be thrown.
+  - Fixed a bug where OCSP checks would throw TypeError and make mainly GCP blob storage unreachable.
 
 - v3.12.3(October 25,2024)
   - Improved the error message for SSL-related issues to provide clearer guidance when an SSL error occurs.
diff --git a/src/snowflake/connector/ocsp_asn1crypto.py b/src/snowflake/connector/ocsp_asn1crypto.py
index 8fc21302b..e7dbbf9e7 100644
--- a/src/snowflake/connector/ocsp_asn1crypto.py
+++ b/src/snowflake/connector/ocsp_asn1crypto.py
@@ -5,6 +5,7 @@
 
 from __future__ import annotations
 
+import typing
 from base64 import b64decode, b64encode
 from collections import OrderedDict
 from datetime import datetime, timezone
@@ -28,6 +29,9 @@
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import padding, utils
+from cryptography.hazmat.primitives.asymmetric.dsa import DSAPublicKey
+from cryptography.hazmat.primitives.asymmetric.ec import ECDSA, EllipticCurvePublicKey
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
 from OpenSSL.SSL import Connection
 
 from snowflake.connector.errorcode import (
@@ -368,9 +372,21 @@ def verify_signature(self, signature_algorithm, signature, cert, data):
         hasher = hashes.Hash(chosen_hash, backend)
         hasher.update(data.dump())
         digest = hasher.finalize()
+        additional_kwargs: dict[str, typing.Any] = dict()
+        if isinstance(public_key, RSAPublicKey):
+            additional_kwargs["padding"] = padding.PKCS1v15()
+            additional_kwargs["algorithm"] = utils.Prehashed(chosen_hash)
+        elif isinstance(public_key, DSAPublicKey):
+            additional_kwargs["algorithm"] = utils.Prehashed(chosen_hash)
+        elif isinstance(public_key, EllipticCurvePublicKey):
+            additional_kwargs["signature_algorithm"] = ECDSA(
+                utils.Prehashed(chosen_hash)
+            )
         try:
             public_key.verify(
-                signature, digest, padding.PKCS1v15(), utils.Prehashed(chosen_hash)
+                signature,
+                digest,
+                **additional_kwargs,
             )
         except InvalidSignature:
             raise RevocationCheckError(msg="Failed to verify the signature")
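Review bot: The isinstance chain has no `else`, so a key type outside RSA/DSA/EC (an Ed25519 or Ed448 responder key, for instance) leaves additional_kwargs empty and falls through to `public_key.verify(signature, digest)`; whether that raises TypeError, raises InvalidSignature, or checks the prehashed digest against a signature over the raw message then depends on the key class rather than on this code. An explicit `else: raise RevocationCheckError(msg=f"Unsupported OCSP signing key type: {type(public_key).__name__}")` before the `try` keeps the failure mode deterministic, which is the intent of the commit. Minor style points: `dict()` can be the literal `{}`, and `utils.Prehashed(chosen_hash)` is built in every branch and could be bound once above the chain. The lines that derive `public_key` and `chosen_hash` are before the hunk, so it is not visible here whether an unsupported signature algorithm is already rejected earlier in verify_signature.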