PYTHON-2147 Use verified peer cert chain in OCSP when available (#877)

ShaneHarvey · ShaneHarvey · commit cbae04f13c89 · 2022-02-16T17:13:50.000-08:00
(cherry picked from commit 7a8f6b3)
diff --git a/pymongo/ocsp_support.py b/pymongo/ocsp_support.py
@@ -275,12 +275,18 @@ def _ocsp_callback(conn, ocsp_bytes, user_data):
         _LOGGER.debug("No peer cert?")
         return 0
     cert = cert.to_cryptography()
-    chain = conn.get_peer_cert_chain()
+    # Use the verified chain when available (pyopenssl>=20.0).
+    if hasattr(conn, "get_verified_chain"):
+        chain = conn.get_verified_chain()
+        trusted_ca_certs = None
+    else:
+        chain = conn.get_peer_cert_chain()
+        trusted_ca_certs = user_data.trusted_ca_certs
     if not chain:
         _LOGGER.debug("No peer cert chain?")
         return 0
     chain = [cer.to_cryptography() for cer in chain]
-    issuer = _get_issuer_cert(cert, chain, user_data.trusted_ca_certs)
+    issuer = _get_issuer_cert(cert, chain, trusted_ca_certs)
     must_staple = False
     # https://tools.ietf.org/html/rfc7633#section-4.2.3.1
     ext = _get_extension(cert, _TLSFeature)
diff --git a/pymongo/pyopenssl_context.py b/pymongo/pyopenssl_context.py
@@ -274,7 +274,9 @@ def load_verify_locations(self, cafile=None, capath=None):
         ssl.CERT_NONE.
         """
         self._ctx.load_verify_locations(cafile, capath)
-        self._callback_data.trusted_ca_certs = _load_trusted_ca_certs(cafile)
+        # Manually load the CA certs when get_verified_chain is not available (pyopenssl<20).
+        if not hasattr(_SSL.Connection, "get_verified_chain"):
+            self._callback_data.trusted_ca_certs = _load_trusted_ca_certs(cafile)
 
     def _load_certifi(self):
         """Attempt to load CA certs from certifi."""
