def validate_and_extract_assertion(token, key):
# type (str, str) -> JSONDict
"""Decode a web token into a assertion dictionary.
This attempts to rectify both ecdsa and openssl generated
signatures. We use the built-in cryptography library since it wraps
libssl and is faster than the python only approach.
:param token: VAPID auth token
:type token: str
:param key: bitarray containing public key
:type key: str or bitarray
:return dict of the VAPID claims
:raise InvalidSignature
"""
# convert the signature if needed.
try:
sig_material, signature = VerifyJWT.extract_signature(token)
pkey = ec.EllipticCurvePublicKey.from_encoded_point(
ec.SECP256R1(),
key
)
# cffi issue #320: public_key & verify allocate approx.
if _JWT_MEMORY_PRESSURE: # pragma: nocover
add_memory_pressure(_JWT_MEMORY_PRESSURE)
# NOTE: verify() will take any string as the signature. It appears
# to be doing lazy verification and matching strings rather than
# comparing content values. If the signatures start failing for
# some unknown reason in the future, decode the signature and
# make sure it matches how we're reconstructing it.
# This will raise an InvalidSignature exception if failure.
# It will be captured externally.
pkey.verify(
signature,
sig_material.encode('utf8'),
ec.ECDSA(hashes.SHA256()))
return VerifyJWT.extract_assertion(sig_material)
except InvalidSignature:
raise
except (ValueError, TypeError, binascii.Error, PyAsn1Error):
raise InvalidSignature()
except Exception: # pragma: no cover
Logger().failure("Unexpected error processing JWT")
raise InvalidSignature()
def decode(token, key):
"""Decode a web token into an assertion dictionary
This attempts to rectify both ecdsa and openssl generated signatures.
:param token: VAPID auth token
:type token: str
:param key: bitarray containing the public key
:type key: str
:return dict of the VAPID claims
:raise InvalidSignature
"""
try:
sig_material, signature = extract_signature(token)
dkey = b64urldecode(key.encode('utf8'))
pkey = ec.EllipticCurvePublicNumbers.from_encoded_point(
ec.SECP256R1(),
dkey,
).public_key(default_backend())
pkey.verify(signature, sig_material, ec.ECDSA(hashes.SHA256()))
return json.loads(
b64urldecode(sig_material.split(b'.')[1]).decode('utf8'))
except InvalidSignature:
raise
except (ValueError, TypeError, binascii.Error):
raise InvalidSignature()
def verify_signature(self, key_url: str, signature: bytes):
"""
Use the public key (found either by fetching it online or pulling it
from the local cache to verify the signature against the image data.
This method returns the domain of the verified server on success, and
raises an InvalidSignature on failure.
:param key_url: The URL for the public key we'll use to verify the file
:param signature: The signature found in the file
"""
try:
self._get_public_key(key_url).verify(
binascii.unhexlify(signature),
self.get_raw_data(),
padding.PSS(
mgf=padding.MGF1(hashes.SHA256()),
salt_length=padding.PSS.MAX_LENGTH
),
hashes.SHA256()
)
except (InvalidSignature, binascii.Error):
self.logger.error("Bad signature")
raise InvalidSignature()
return re.sub(r":.*", "", urllib.parse.urlparse(key_url).netloc)
def verify_signature(self, key_url, signature):
block_size = 16 * 1024
chosen_hash = hashes.SHA512()
hasher = hashes.Hash(chosen_hash, default_backend())
raw = self.get_raw_data()
buffer = raw.read(block_size)
while len(buffer) > 0:
hasher.update(buffer)
buffer = raw.read(block_size)
try:
self._get_public_key(key_url).verify(
binascii.unhexlify(signature),
hasher.finalize(),
padding.PSS(
mgf=padding.MGF1(hashes.SHA512()),
salt_length=padding.PSS.MAX_LENGTH
),
utils.Prehashed(chosen_hash)
)
except (InvalidSignature, binascii.Error):
self.logger.error("Bad signature")
raise InvalidSignature()
return re.sub(r":.*", "", urllib.parse.urlparse(key_url).netloc)
def decrypt(self, k, a, iv, e, t):
""" Decrypt according to the selected encryption and hashing
functions.
:param k: Encryption key (optional)
:param a: Additional Authenticated Data
:param iv: Initialization Vector
:param e: Ciphertext
:param t: Authentication Tag
Returns plaintext or raises an error
"""
hkey = k[:_inbytes(self.keysize)]
dkey = k[_inbytes(self.keysize):]
# verify mac
if not constant_time.bytes_eq(t, self._mac(hkey, a, iv, e)):
raise InvalidSignature('Failed to verify MAC')
# decrypt
cipher = Cipher(algorithms.AES(dkey), modes.CBC(iv),
backend=self.backend)
decryptor = cipher.decryptor()
d = decryptor.update(e) + decryptor.finalize()
unpadder = PKCS7(self.blocksize).unpadder()
return unpadder.update(d) + unpadder.finalize()
def validate(ticket):
try:
utils.verify_signature(ticket.get_unique_repr(), ticket.signature,
ticket.node.public_key)
except InvalidSignature:
ticket.errors = "Invalid ballot claim ticket signature"
raise InvalidSignature(ticket.errors)
def test_invalid_encryption_jwt(self, mock_jwt):
schema = self._make_fut()
schema.context['conf'].use_cryptography = True
# use a deeply superclassed error to make sure that it gets picked up.
mock_jwt.side_effect = InvalidSignature("invalid signature")
header = {"typ": "JWT", "alg": "ES256"}
payload = {
"aud": "https://push.example.com",
"exp": int(time.time()) + 86400,
"sub": "mailto:[email protected]"
}
token, crypto_key = self._gen_jwt(header, payload)
self.fernet_mock.decrypt.return_value = ('a'*32) + \
sha256(utils.base64url_decode(crypto_key)).digest()
auth = "Bearer %s" % token
ckey = 'keyid="a1"; dh="foo";p256ecdsa="%s"' % crypto_key
info = self._make_test_data(body="asdfasdfasdfasdf",
path_kwargs=dict(
api_ver="v2",
token="asdfasdf",
),
headers={
"content-encoding": "aesgcm",
"encryption": "salt=stuff",
"authorization": auth,
"crypto-key": ckey
})
with pytest.raises(InvalidRequest) as cm:
schema.load(info)
assert cm.value.status_code == 401
assert cm.value.errno == 109
def verify_signature(self, payload):
public_cert, signature, signed_data = self._disect_receipt(payload)
try:
verify(
cert=public_cert,
signature=signature,
data=signed_data,
digest='sha1',
)
except crypto.Error:
raise InvalidSignature("invalid signature")
def decode(token, key):
# type (str, str) -> dict()
"""Decode a web token into a assertion dictionary.
This attempts to rectify both ecdsa and openssl generated
signatures. We use the built-in cryptography library since it wraps
libssl and is faster than the python only approach.
:param token: VAPID auth token
:type token: str
:param key: bitarray containing public key
:type key: str or bitarray
:return dict of the VAPID claims
:raise InvalidSignature
"""
# convert the signature if needed.
try:
sig_material, signature = VerifyJWT.extract_signature(token)
pkey = ec.EllipticCurvePublicNumbers.from_encoded_point(
ec.SECP256R1(), key).public_key(default_backend())
# NOTE: verify() will take any string as the signature. It appears
# to be doing lazy verification and matching strings rather than
# comparing content values. If the signatures start failing for
# some unknown reason in the future, decode the signature and
# make sure it matches how we're reconstructing it.
# This will raise an InvalidSignature exception if failure.
# It will be captured externally.
pkey.verify(signature, sig_material.encode('utf8'),
ec.ECDSA(hashes.SHA256()))
return json.loads(
base64.urlsafe_b64decode(
repad(sig_material.split('.')[1]).encode('utf8')))
except (ValueError, TypeError, binascii.Error, PyAsn1Error):
raise InvalidSignature()
except Exception: # pragma: no cover
Logger().failure("Unexpected error processing JWT")
raise InvalidSignature()
def validate_transaction(transaction):
"""Validates a transaction's signature and returns whether its content matches the signature. Note that this validation
may not be enough for a transaction; the content for a specific transaction may need further validation. Use this method
as a first-step verification of any transaction.
Args:
transaction transaction to be validated
"""
try:
utils.verify_signature(
transaction.get_unique_repr(**transaction.signature_kwargs),
transaction.signature, transaction.node.public_key)
except InvalidSignature as e:
public_key = transaction.node.public_key
raise InvalidSignature(
'Invalid signature by public key: {}'.format(hash(public_key)))
def extract_signature(auth):
"""Extracts the payload and signature from a JWT, converting from RFC7518
to RFC 3279
:param auth: A JWT Authorization Token.
:type auth: str
:return tuple containing the signature material and signature
"""
payload, asig = auth.encode('utf8').rsplit(b'.', 1)
sig = b64urldecode(asig)
if len(sig) != 64:
raise InvalidSignature()
encoded = utils.encode_dss_signature(s=int(binascii.hexlify(sig[32:]), 16),
r=int(binascii.hexlify(sig[:32]), 16))
return payload, encoded
def decrypt_and_verify(destination_private_key, sender_public_key, ciphertext, output_plaintext_file):
print 'starting decryption'
out = open(output_plaintext_file, 'w+')
try:
destination_key_length = (destination_private_key.key_size)/8
# Ciphertext format: encrypted_key + iv + ciphertext
encrypted_key = ciphertext[:destination_key_length]
iv = ciphertext[destination_key_length:destination_key_length+AES_IV_SIZE]
cipher_text = ciphertext[destination_key_length+AES_IV_SIZE:]
# Fetch AES key by decrypting using RSA
aes_key = rsa_decrypt(destination_private_key, encrypted_key)
print 'decrypting...'
# Decrypt ciphertext using AES to obtain digest and plaintext
cipher = Cipher(algorithms.AES(aes_key), modes.CTR(iv), backend=default_backend())
decryptor = cipher.decryptor()
decrypted_text = decryptor.update(cipher_text) + decryptor.finalize()
sender_key_length = (sender_public_key.key_size)/8
signed_digest = decrypted_text[:sender_key_length]
decrypted_text = decrypted_text[sender_key_length:]
# Generate an HMAC of decrypted text and verify it using sender's public key.
# Throw an exception if verification fails.
digest = generate_hmac(aes_key, decrypted_text)
verify_signature(sender_public_key, signed_digest, digest)
print 'writing decrypted text to file...'
# Write decrypted text to output file.
out.write(decrypted_text)
print 'successfully stored decrypted text at location: ', output_plaintext_file
out.close()
except InvalidSignature, e:
raise InvalidSignature('Invalid signature')
def _verifyidtoken(token):
# Open file containing Firebase's certificates
with open('esloq/firebase_certs.txt', 'r') as f:
data = f.read()
certs = eval(data)
with open('esloq/tests/cert.pem', 'r') as f:
test_cert = f.read()
certs["0"] = test_cert
jwt_header = jwt.get_unverified_header(token)
# Try to extract certificate, if it is not present, download the new certificates.
try:
certs[jwt_header["kid"]]
except KeyError:
url = "https://www.googleapis.com/robot/v1/metadata/x509/[email protected]"
with urllib.request.urlopen(url) as response:
html = response.read()
with open('esloq/firebase_certs.txt', 'wb') as f:
f.write(html)
certs = eval(html)
certificate_text = bytes(certs[jwt_header["kid"]], "ASCII")
public_key = load_pem_x509_certificate(certificate_text,
default_backend()).public_key()
try:
verified_jwt = jwt.decode(
token,
public_key,
audience='decoded-totem-95010',
issuer='https://securetoken.google.com/decoded-totem-95010',
algorithm='RS256',
leeway=10)
return verified_jwt
except:
raise InvalidSignature("Invalid authorization token.")
def test_verify(self, *args):
with patch(
'cryptography.hazmat.primitives.serialization.load_pem_public_key'
) as load_public_key_mock:
mock_message = {}
mock_signature = 'some-value'
mock_public_key = 'some-value'
verified = Crypt.verify(mock_message, mock_signature,
mock_public_key)
load_public_key_mock.assert_called()
args[0].assert_called_with(mock_message)
args[1].assert_called()
expect(verified).to(be_true)
with patch(
'cryptography.hazmat.primitives.serialization.load_pem_public_key'
) as load_public_key_mock:
load_public_key_mock.side_effect = InvalidSignature()
mock_message = {}
mock_signature = 'some-value'
mock_public_key = 'some-value'
verified = Crypt.verify(mock_message, mock_signature,
mock_public_key)
expect(verified).to(be_false)
def verify(self, signature):
if isinstance(signature, six.text_type):
raise TypeError("Unicode-objects must be encoded before verifying")
digest = self.finalize()
if not constant_time.bytes_eq(digest, signature):
raise InvalidSignature("Signature did not match digest.")
def verify(self, signature):
digest = self.finalize()
if not constant_time.bytes_eq(digest, signature):
raise InvalidSignature("Signature did not match digest.")
def verify(self, tag):
mac = self.finalize()
if not constant_time.bytes_eqa(mac, tag):
raise InvalidSignature("Value did not match computed tag.")
def verify(self, signature):
if not isinstance(signature, bytes):
raise TypeError("signature must be bytes.")
digest = self.finalize()
if not constant_time.bytes_eq(digest, signature):
raise InvalidSignature("Signature did not match digest.")
def verify(self, *args, **kwargs):
raise InvalidSignature()
def verify_signature(self, packed_message: bytes, key: Key,
signature: bytes, operation: TagOperation):
if not self.crypto.is_valid_signature(key, packed_message, signature):
raise InvalidSignature(f'Invalid signature for {operation}')
def test_revoke_resiliency(self, mock_ocsp_response, mock_post, mock_check):
# Server return an invalid HTTP response
mock_ocsp_response.return_value = _construct_mock_ocsp_response(
ocsp_lib.OCSPCertStatus.UNKNOWN, ocsp_lib.OCSPResponseStatus.SUCCESSFUL)
mock_post.return_value = mock.Mock(status_code=400)
revoked = self.checker.ocsp_revoked(self.cert_path, self.chain_path)
self.assertFalse(revoked)
# OCSP response in invalid
mock_ocsp_response.return_value = _construct_mock_ocsp_response(
ocsp_lib.OCSPCertStatus.UNKNOWN, ocsp_lib.OCSPResponseStatus.UNAUTHORIZED)
mock_post.return_value = mock.Mock(status_code=200)
revoked = self.checker.ocsp_revoked(self.cert_path, self.chain_path)
self.assertFalse(revoked)
# OCSP response is valid, but certificate status is unknown
mock_ocsp_response.return_value = _construct_mock_ocsp_response(
ocsp_lib.OCSPCertStatus.UNKNOWN, ocsp_lib.OCSPResponseStatus.SUCCESSFUL)
mock_post.return_value = mock.Mock(status_code=200)
revoked = self.checker.ocsp_revoked(self.cert_path, self.chain_path)
self.assertFalse(revoked)
# The OCSP response says that the certificate is revoked, but certificate
# does not contain the OCSP extension.
mock_ocsp_response.return_value = _construct_mock_ocsp_response(
ocsp_lib.OCSPCertStatus.UNKNOWN, ocsp_lib.OCSPResponseStatus.SUCCESSFUL)
mock_post.return_value = mock.Mock(status_code=200)
with mock.patch('cryptography.x509.Extensions.get_extension_for_class',
side_effect=x509.ExtensionNotFound(
'Not found', x509.AuthorityInformationAccessOID.OCSP)):
revoked = self.checker.ocsp_revoked(self.cert_path, self.chain_path)
self.assertFalse(revoked)
# Valid response, OCSP extension is present,
# but OCSP response uses an unsupported signature.
mock_ocsp_response.return_value = _construct_mock_ocsp_response(
ocsp_lib.OCSPCertStatus.REVOKED, ocsp_lib.OCSPResponseStatus.SUCCESSFUL)
mock_post.return_value = mock.Mock(status_code=200)
mock_check.side_effect = UnsupportedAlgorithm('foo')
revoked = self.checker.ocsp_revoked(self.cert_path, self.chain_path)
self.assertFalse(revoked)
# And now, the signature itself is invalid.
mock_ocsp_response.return_value = _construct_mock_ocsp_response(
ocsp_lib.OCSPCertStatus.REVOKED, ocsp_lib.OCSPResponseStatus.SUCCESSFUL)
mock_post.return_value = mock.Mock(status_code=200)
mock_check.side_effect = InvalidSignature('foo')
revoked = self.checker.ocsp_revoked(self.cert_path, self.chain_path)
self.assertFalse(revoked)
# Finally, assertion error on OCSP response validity
mock_ocsp_response.return_value = _construct_mock_ocsp_response(
ocsp_lib.OCSPCertStatus.REVOKED, ocsp_lib.OCSPResponseStatus.SUCCESSFUL)
mock_post.return_value = mock.Mock(status_code=200)
mock_check.side_effect = AssertionError('foo')
revoked = self.checker.ocsp_revoked(self.cert_path, self.chain_path)
self.assertFalse(revoked)
def verify(self, signature: bytes, data: bytes) -> None:
try:
self._key.verify(data, signature)
except BadSignatureError as e:
raise InvalidSignature(str(e))
def verify(self, key, payload, signature):
raise InvalidSignature('The "none" signature cannot be verified')
### Task 1 ###
# If a server signs a message with its private key, we can verify with its public key.
# First choose a message and have the server sign it:
message = b"Insert your verification message here"
signed_message = server.sign_document(message)
# To sign the message, the server will encrypt a hash of it using its private key, we can repeat this process
# and verify it with the public key
try:
# Verify the signed message using public_key.verify()
# Documentation here: https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#verification
# For padding, use PSS with MGF1-SHA256 as per the documentation
# Verify will raise an exception if the signature fails. Replace this line with a verification:
raise InvalidSignature("We've not implemented verification yet!")
print("The server successfully signed the message.")
except InvalidSignature:
print("The server failed our signature verification!")
### Task 2 ###
# Encrypt a message using the server's public key, so that only the server can read it
# Documentation here: https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#encryption
# For padding, use OAEP with MGF1-SHA256 as per the documentation
message = b"Insert your secret message here"
ciphertext = None
print("The encrypted message is:", ciphertext)
# Submit the ciphertext to the server, which will attempt to output the decrypted version.
def verify_from(
self,
stranger: 'Character',
message_kit: Union[UmbralMessageKit, bytes],
signature: Signature = None,
decrypt=False,
label=None,
) -> bytes:
"""
Inverse of encrypt_for.
:param stranger: A Character instance representing
the actor whom the sender claims to be. We check the public key
owned by this Character instance to verify.
:param message_kit: the message to be (perhaps decrypted and) verified.
:param signature: The signature to check.
:param decrypt: Whether or not to decrypt the messages.
:param label: A label used for decrypting messages encrypted under its associated policy encrypting key
:return: Whether or not the signature is valid, the decrypted plaintext or NO_DECRYPTION_PERFORMED
"""
#
# Optional Sanity Check
#
# In the spirit of duck-typing, we want to accept a message kit object, or bytes
# If the higher-order object MessageKit is passed, we can perform an additional
# eager sanity check before performing decryption.
with contextlib.suppress(AttributeError):
sender_verifying_key = stranger.stamp.as_umbral_pubkey()
if message_kit.sender_verifying_key:
if not message_kit.sender_verifying_key == sender_verifying_key:
raise ValueError(
"This MessageKit doesn't appear to have come from {}".
format(stranger))
#
# Decrypt
#
signature_from_kit = None
if decrypt:
# We are decrypting the message; let's do that first and see what the sig header says.
cleartext_with_sig_header = self.decrypt(message_kit=message_kit,
label=label)
sig_header, cleartext = default_constant_splitter(
cleartext_with_sig_header, return_remainder=True)
if sig_header == SIGNATURE_IS_ON_CIPHERTEXT:
# The ciphertext is what is signed - note that for later.
message = message_kit.ciphertext
if not signature:
raise ValueError(
"Can't check a signature on the ciphertext if don't provide one."
)
elif sig_header == SIGNATURE_TO_FOLLOW:
# The signature follows in this cleartext - split it off.
signature_from_kit, cleartext = signature_splitter(
cleartext, return_remainder=True)
message = cleartext
else:
# Not decrypting - the message is the object passed in as a message kit. Cast it.
message = bytes(message_kit)
cleartext = NO_DECRYPTION_PERFORMED
#
# Verify Signature
#
if signature and signature_from_kit:
if signature != signature_from_kit:
raise ValueError(
"The MessageKit has a Signature, but it's not the same one you provided. Something's up."
)
signature_to_use = signature or signature_from_kit
if signature_to_use:
is_valid = signature_to_use.verify(
message,
sender_verifying_key) # FIXME: Message is undefined here
if not is_valid:
raise InvalidSignature(
"Signature for message isn't valid: {}".format(
signature_to_use))
else:
raise InvalidSignature(
"No signature provided -- signature presumed invalid.")
return cleartext
def verify(self, key, payload, signature):
if key.key_type != 'oct' or key.get_op_key() != '':
raise InvalidSignature('The "none" signature cannot be verified')
def test_revoke_resiliency(self):
# Server return an invalid HTTP response
with _ocsp_mock(ocsp_lib.OCSPCertStatus.UNKNOWN,
ocsp_lib.OCSPResponseStatus.SUCCESSFUL,
http_status_code=400):
revoked = self.checker.ocsp_revoked(self.cert_obj)
self.assertIs(revoked, False)
# OCSP response in invalid
with _ocsp_mock(ocsp_lib.OCSPCertStatus.UNKNOWN,
ocsp_lib.OCSPResponseStatus.UNAUTHORIZED):
revoked = self.checker.ocsp_revoked(self.cert_obj)
self.assertIs(revoked, False)
# OCSP response is valid, but certificate status is unknown
with _ocsp_mock(ocsp_lib.OCSPCertStatus.UNKNOWN,
ocsp_lib.OCSPResponseStatus.SUCCESSFUL):
revoked = self.checker.ocsp_revoked(self.cert_obj)
self.assertIs(revoked, False)
# The OCSP response says that the certificate is revoked, but certificate
# does not contain the OCSP extension.
with _ocsp_mock(ocsp_lib.OCSPCertStatus.REVOKED,
ocsp_lib.OCSPResponseStatus.SUCCESSFUL):
with mock.patch(
'cryptography.x509.Extensions.get_extension_for_class',
side_effect=x509.ExtensionNotFound(
'Not found', x509.AuthorityInformationAccessOID.OCSP)):
revoked = self.checker.ocsp_revoked(self.cert_obj)
self.assertIs(revoked, False)
# OCSP response uses an unsupported signature.
with _ocsp_mock(
ocsp_lib.OCSPCertStatus.REVOKED,
ocsp_lib.OCSPResponseStatus.SUCCESSFUL,
check_signature_side_effect=UnsupportedAlgorithm('foo')):
revoked = self.checker.ocsp_revoked(self.cert_obj)
self.assertIs(revoked, False)
# OSCP signature response is invalid.
with _ocsp_mock(ocsp_lib.OCSPCertStatus.REVOKED,
ocsp_lib.OCSPResponseStatus.SUCCESSFUL,
check_signature_side_effect=InvalidSignature('foo')):
revoked = self.checker.ocsp_revoked(self.cert_obj)
self.assertIs(revoked, False)
# Assertion error on OCSP response validity
with _ocsp_mock(ocsp_lib.OCSPCertStatus.REVOKED,
ocsp_lib.OCSPResponseStatus.SUCCESSFUL,
check_signature_side_effect=AssertionError('foo')):
revoked = self.checker.ocsp_revoked(self.cert_obj)
self.assertIs(revoked, False)
# No responder cert in OCSP response
with _ocsp_mock(ocsp_lib.OCSPCertStatus.REVOKED,
ocsp_lib.OCSPResponseStatus.SUCCESSFUL) as mocks:
mocks['mock_response'].return_value.certificates = []
revoked = self.checker.ocsp_revoked(self.cert_obj)
self.assertIs(revoked, False)
# Responder cert is not signed by certificate issuer
with _ocsp_mock(ocsp_lib.OCSPCertStatus.REVOKED,
ocsp_lib.OCSPResponseStatus.SUCCESSFUL) as mocks:
cert = mocks['mock_response'].return_value.certificates[0]
mocks['mock_response'].return_value.certificates[0] = mock.Mock(
issuer='fake', subject=cert.subject)
revoked = self.checker.ocsp_revoked(self.cert_obj)
self.assertIs(revoked, False)
with _ocsp_mock(ocsp_lib.OCSPCertStatus.REVOKED,
ocsp_lib.OCSPResponseStatus.SUCCESSFUL):
# This mock is necessary to avoid the first call contained in _determine_ocsp_server
# of the method cryptography.x509.Extensions.get_extension_for_class.
with mock.patch(
'certbot.ocsp._determine_ocsp_server') as mock_server:
mock_server.return_value = ('https://example.com',
'example.com')
with mock.patch(
'cryptography.x509.Extensions.get_extension_for_class',
side_effect=x509.ExtensionNotFound(
'Not found',
x509.AuthorityInformationAccessOID.OCSP)):
revoked = self.checker.ocsp_revoked(self.cert_obj)
self.assertIs(revoked, False)
