def side_effect(cls):
raise x509.ExtensionNotFound('mocked',
x509.SubjectKeyIdentifier.oid)
def test_revoke_resiliency(self, mock_ocsp_response, mock_post, mock_check):
# Server return an invalid HTTP response
mock_ocsp_response.return_value = _construct_mock_ocsp_response(
ocsp_lib.OCSPCertStatus.UNKNOWN, ocsp_lib.OCSPResponseStatus.SUCCESSFUL)
mock_post.return_value = mock.Mock(status_code=400)
revoked = self.checker.ocsp_revoked(self.cert_path, self.chain_path)
self.assertFalse(revoked)
# OCSP response in invalid
mock_ocsp_response.return_value = _construct_mock_ocsp_response(
ocsp_lib.OCSPCertStatus.UNKNOWN, ocsp_lib.OCSPResponseStatus.UNAUTHORIZED)
mock_post.return_value = mock.Mock(status_code=200)
revoked = self.checker.ocsp_revoked(self.cert_path, self.chain_path)
self.assertFalse(revoked)
# OCSP response is valid, but certificate status is unknown
mock_ocsp_response.return_value = _construct_mock_ocsp_response(
ocsp_lib.OCSPCertStatus.UNKNOWN, ocsp_lib.OCSPResponseStatus.SUCCESSFUL)
mock_post.return_value = mock.Mock(status_code=200)
revoked = self.checker.ocsp_revoked(self.cert_path, self.chain_path)
self.assertFalse(revoked)
# The OCSP response says that the certificate is revoked, but certificate
# does not contain the OCSP extension.
mock_ocsp_response.return_value = _construct_mock_ocsp_response(
ocsp_lib.OCSPCertStatus.UNKNOWN, ocsp_lib.OCSPResponseStatus.SUCCESSFUL)
mock_post.return_value = mock.Mock(status_code=200)
with mock.patch('cryptography.x509.Extensions.get_extension_for_class',
side_effect=x509.ExtensionNotFound(
'Not found', x509.AuthorityInformationAccessOID.OCSP)):
revoked = self.checker.ocsp_revoked(self.cert_path, self.chain_path)
self.assertFalse(revoked)
# Valid response, OCSP extension is present,
# but OCSP response uses an unsupported signature.
mock_ocsp_response.return_value = _construct_mock_ocsp_response(
ocsp_lib.OCSPCertStatus.REVOKED, ocsp_lib.OCSPResponseStatus.SUCCESSFUL)
mock_post.return_value = mock.Mock(status_code=200)
mock_check.side_effect = UnsupportedAlgorithm('foo')
revoked = self.checker.ocsp_revoked(self.cert_path, self.chain_path)
self.assertFalse(revoked)
# And now, the signature itself is invalid.
mock_ocsp_response.return_value = _construct_mock_ocsp_response(
ocsp_lib.OCSPCertStatus.REVOKED, ocsp_lib.OCSPResponseStatus.SUCCESSFUL)
mock_post.return_value = mock.Mock(status_code=200)
mock_check.side_effect = InvalidSignature('foo')
revoked = self.checker.ocsp_revoked(self.cert_path, self.chain_path)
self.assertFalse(revoked)
# Finally, assertion error on OCSP response validity
mock_ocsp_response.return_value = _construct_mock_ocsp_response(
ocsp_lib.OCSPCertStatus.REVOKED, ocsp_lib.OCSPResponseStatus.SUCCESSFUL)
mock_post.return_value = mock.Mock(status_code=200)
mock_check.side_effect = AssertionError('foo')
revoked = self.checker.ocsp_revoked(self.cert_path, self.chain_path)
self.assertFalse(revoked)
def side_effect(cls):
raise x509.ExtensionNotFound('mocked',
x509.AuthorityKeyIdentifier.oid)
def test_revoke_resiliency(self):
# Server return an invalid HTTP response
with _ocsp_mock(ocsp_lib.OCSPCertStatus.UNKNOWN,
ocsp_lib.OCSPResponseStatus.SUCCESSFUL,
http_status_code=400):
revoked = self.checker.ocsp_revoked(self.cert_obj)
self.assertIs(revoked, False)
# OCSP response in invalid
with _ocsp_mock(ocsp_lib.OCSPCertStatus.UNKNOWN,
ocsp_lib.OCSPResponseStatus.UNAUTHORIZED):
revoked = self.checker.ocsp_revoked(self.cert_obj)
self.assertIs(revoked, False)
# OCSP response is valid, but certificate status is unknown
with _ocsp_mock(ocsp_lib.OCSPCertStatus.UNKNOWN,
ocsp_lib.OCSPResponseStatus.SUCCESSFUL):
revoked = self.checker.ocsp_revoked(self.cert_obj)
self.assertIs(revoked, False)
# The OCSP response says that the certificate is revoked, but certificate
# does not contain the OCSP extension.
with _ocsp_mock(ocsp_lib.OCSPCertStatus.REVOKED,
ocsp_lib.OCSPResponseStatus.SUCCESSFUL):
with mock.patch(
'cryptography.x509.Extensions.get_extension_for_class',
side_effect=x509.ExtensionNotFound(
'Not found', x509.AuthorityInformationAccessOID.OCSP)):
revoked = self.checker.ocsp_revoked(self.cert_obj)
self.assertIs(revoked, False)
# OCSP response uses an unsupported signature.
with _ocsp_mock(
ocsp_lib.OCSPCertStatus.REVOKED,
ocsp_lib.OCSPResponseStatus.SUCCESSFUL,
check_signature_side_effect=UnsupportedAlgorithm('foo')):
revoked = self.checker.ocsp_revoked(self.cert_obj)
self.assertIs(revoked, False)
# OSCP signature response is invalid.
with _ocsp_mock(ocsp_lib.OCSPCertStatus.REVOKED,
ocsp_lib.OCSPResponseStatus.SUCCESSFUL,
check_signature_side_effect=InvalidSignature('foo')):
revoked = self.checker.ocsp_revoked(self.cert_obj)
self.assertIs(revoked, False)
# Assertion error on OCSP response validity
with _ocsp_mock(ocsp_lib.OCSPCertStatus.REVOKED,
ocsp_lib.OCSPResponseStatus.SUCCESSFUL,
check_signature_side_effect=AssertionError('foo')):
revoked = self.checker.ocsp_revoked(self.cert_obj)
self.assertIs(revoked, False)
# No responder cert in OCSP response
with _ocsp_mock(ocsp_lib.OCSPCertStatus.REVOKED,
ocsp_lib.OCSPResponseStatus.SUCCESSFUL) as mocks:
mocks['mock_response'].return_value.certificates = []
revoked = self.checker.ocsp_revoked(self.cert_obj)
self.assertIs(revoked, False)
# Responder cert is not signed by certificate issuer
with _ocsp_mock(ocsp_lib.OCSPCertStatus.REVOKED,
ocsp_lib.OCSPResponseStatus.SUCCESSFUL) as mocks:
cert = mocks['mock_response'].return_value.certificates[0]
mocks['mock_response'].return_value.certificates[0] = mock.Mock(
issuer='fake', subject=cert.subject)
revoked = self.checker.ocsp_revoked(self.cert_obj)
self.assertIs(revoked, False)
with _ocsp_mock(ocsp_lib.OCSPCertStatus.REVOKED,
ocsp_lib.OCSPResponseStatus.SUCCESSFUL):
# This mock is necessary to avoid the first call contained in _determine_ocsp_server
# of the method cryptography.x509.Extensions.get_extension_for_class.
with mock.patch(
'certbot.ocsp._determine_ocsp_server') as mock_server:
mock_server.return_value = ('https://example.com',
'example.com')
with mock.patch(
'cryptography.x509.Extensions.get_extension_for_class',
side_effect=x509.ExtensionNotFound(
'Not found',
x509.AuthorityInformationAccessOID.OCSP)):
revoked = self.checker.ocsp_revoked(self.cert_obj)
self.assertIs(revoked, False)
