def side_effect(cls):
    """Raise ``ExtensionNotFound`` no matter which extension class is asked for.

    ``cls`` is ignored; presumably installed as a mock ``side_effect`` so that
    every extension lookup reports the extension as absent. The OID carried by
    the exception is SubjectKeyIdentifier's.
    """
    not_found = x509.ExtensionNotFound('mocked', x509.SubjectKeyIdentifier.oid)
    raise not_found
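def test_revoke_resiliency(self, mock_ocsp_response, mock_post, mock_check):
    """Every failure mode of the OCSP check must report "not revoked".

    Each scenario below ends in ``assertFalse(revoked)``: an HTTP error from
    the responder, a non-SUCCESSFUL OCSP response status, an UNKNOWN
    certificate status, a certificate without the OCSP extension, and a
    signature check that raises. A broken or unverifiable OCSP answer is
    therefore treated as "no evidence of revocation", never as "revoked":
    only a successful, verified response may mark a certificate revoked.

    Args:
        mock_ocsp_response: its ``return_value`` is set per scenario to a
            ``_construct_mock_ocsp_response(...)`` object (presumably what the
            checker parses as the responder's answer).
        mock_post: its ``return_value.status_code`` is set per scenario to
            the HTTP status of the responder's answer.
        mock_check: its ``side_effect`` is set to the exception the signature
            check should raise, in the scenarios that want one.
    """
    cert_path, chain_path = self.cert_path, self.chain_path

    def arm(cert_status, response_status, http_status):
        """Point the response and HTTP mocks at one scenario."""
        mock_ocsp_response.return_value = _construct_mock_ocsp_response(
            cert_status, response_status)
        mock_post.return_value = mock.Mock(status_code=http_status)

    # Responder answers with an HTTP error.
    arm(ocsp_lib.OCSPCertStatus.UNKNOWN,
        ocsp_lib.OCSPResponseStatus.SUCCESSFUL, 400)
    revoked = self.checker.ocsp_revoked(cert_path, chain_path)
    self.assertFalse(revoked)

    # OCSP response status is not SUCCESSFUL.
    arm(ocsp_lib.OCSPCertStatus.UNKNOWN,
        ocsp_lib.OCSPResponseStatus.UNAUTHORIZED, 200)
    revoked = self.checker.ocsp_revoked(cert_path, chain_path)
    self.assertFalse(revoked)

    # Valid response, but the certificate status is UNKNOWN.
    arm(ocsp_lib.OCSPCertStatus.UNKNOWN,
        ocsp_lib.OCSPResponseStatus.SUCCESSFUL, 200)
    revoked = self.checker.ocsp_revoked(cert_path, chain_path)
    self.assertFalse(revoked)

    # Response says REVOKED, but the certificate has no OCSP extension.
    # The status must be REVOKED here (the earlier version of this case used
    # UNKNOWN, which makes assertFalse pass regardless of the extension
    # mock); with REVOKED the assertion really depends on the missing
    # extension being handled.
    arm(ocsp_lib.OCSPCertStatus.REVOKED,
        ocsp_lib.OCSPResponseStatus.SUCCESSFUL, 200)
    with mock.patch('cryptography.x509.Extensions.get_extension_for_class',
                    side_effect=x509.ExtensionNotFound(
                        'Not found', x509.AuthorityInformationAccessOID.OCSP)):
        revoked = self.checker.ocsp_revoked(cert_path, chain_path)
    self.assertFalse(revoked)

    # Valid response with the OCSP extension present, but the response is
    # signed with an algorithm the signature check does not support.
    arm(ocsp_lib.OCSPCertStatus.REVOKED,
        ocsp_lib.OCSPResponseStatus.SUCCESSFUL, 200)
    mock_check.side_effect = UnsupportedAlgorithm('foo')
    revoked = self.checker.ocsp_revoked(cert_path, chain_path)
    self.assertFalse(revoked)

    # Same, but the signature itself does not verify.
    arm(ocsp_lib.OCSPCertStatus.REVOKED,
        ocsp_lib.OCSPResponseStatus.SUCCESSFUL, 200)
    mock_check.side_effect = InvalidSignature('foo')
    revoked = self.checker.ocsp_revoked(cert_path, chain_path)
    self.assertFalse(revoked)

    # Same, but the response validity check fails with an AssertionError.
    arm(ocsp_lib.OCSPCertStatus.REVOKED,
        ocsp_lib.OCSPResponseStatus.SUCCESSFUL, 200)
    mock_check.side_effect = AssertionError('foo')
    revoked = self.checker.ocsp_revoked(cert_path, chain_path)
    self.assertFalse(revoked)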
def side_effect(cls):
    """Raise ``ExtensionNotFound`` no matter which extension class is asked for.

    ``cls`` is ignored; presumably installed as a mock ``side_effect`` so that
    every extension lookup reports the extension as absent. The OID carried by
    the exception is AuthorityKeyIdentifier's.
    """
    not_found = x509.ExtensionNotFound('mocked', x509.AuthorityKeyIdentifier.oid)
    raise not_found
def test_revoke_resiliency(self):
    """Every failure mode of the OCSP check must report ``False`` (not revoked).

    Scenarios: an HTTP error from the responder, a non-SUCCESSFUL response
    status, an UNKNOWN certificate status, a certificate without the OCSP
    extension, a signature check that raises (unsupported algorithm, invalid
    signature, AssertionError), a response carrying no responder
    certificate, a responder certificate whose issuer does not match, and an
    extension lookup failing once the responder URL has already been
    determined. All of them assert ``assertIs(revoked, False)``: an
    unverifiable answer is never treated as a revocation.
    """
    checker, cert_obj = self.checker, self.cert_obj
    revoked_status = ocsp_lib.OCSPCertStatus.REVOKED
    unknown_status = ocsp_lib.OCSPCertStatus.UNKNOWN
    ok_response = ocsp_lib.OCSPResponseStatus.SUCCESSFUL
    unauthorized_response = ocsp_lib.OCSPResponseStatus.UNAUTHORIZED

    # Responder answers with an HTTP error.
    with _ocsp_mock(unknown_status, ok_response, http_status_code=400):
        self.assertIs(checker.ocsp_revoked(cert_obj), False)

    # OCSP response status is not SUCCESSFUL.
    with _ocsp_mock(unknown_status, unauthorized_response):
        self.assertIs(checker.ocsp_revoked(cert_obj), False)

    # Valid response, but the certificate status is UNKNOWN.
    with _ocsp_mock(unknown_status, ok_response):
        self.assertIs(checker.ocsp_revoked(cert_obj), False)

    # Response says REVOKED, but the certificate has no OCSP extension.
    with _ocsp_mock(revoked_status, ok_response), \
            mock.patch('cryptography.x509.Extensions.get_extension_for_class',
                       side_effect=x509.ExtensionNotFound(
                           'Not found',
                           x509.AuthorityInformationAccessOID.OCSP)):
        self.assertIs(checker.ocsp_revoked(cert_obj), False)

    # Response is signed with an algorithm the signature check rejects.
    with _ocsp_mock(revoked_status, ok_response,
                    check_signature_side_effect=UnsupportedAlgorithm('foo')):
        self.assertIs(checker.ocsp_revoked(cert_obj), False)

    # The OCSP response signature does not verify.
    with _ocsp_mock(revoked_status, ok_response,
                    check_signature_side_effect=InvalidSignature('foo')):
        self.assertIs(checker.ocsp_revoked(cert_obj), False)

    # The response validity check fails with an AssertionError.
    with _ocsp_mock(revoked_status, ok_response,
                    check_signature_side_effect=AssertionError('foo')):
        self.assertIs(checker.ocsp_revoked(cert_obj), False)

    # The response carries no responder certificate at all.
    with _ocsp_mock(revoked_status, ok_response) as patches:
        patches['mock_response'].return_value.certificates = []
        self.assertIs(checker.ocsp_revoked(cert_obj), False)

    # The responder certificate's issuer is not the certificate's issuer
    # (subject kept, issuer replaced by a bogus value).
    with _ocsp_mock(revoked_status, ok_response) as patches:
        response = patches['mock_response'].return_value
        original_responder = response.certificates[0]
        response.certificates[0] = mock.Mock(
            issuer='fake', subject=original_responder.subject)
        self.assertIs(checker.ocsp_revoked(cert_obj), False)

    # Extension lookup fails after the responder URL has been determined.
    # _determine_ocsp_server is patched so that the first call to
    # cryptography.x509.Extensions.get_extension_for_class it contains never
    # happens; only the later lookups see the ExtensionNotFound.
    with _ocsp_mock(revoked_status, ok_response), \
            mock.patch('certbot.ocsp._determine_ocsp_server') as mock_server:
        mock_server.return_value = ('https://example.com', 'example.com')
        with mock.patch(
                'cryptography.x509.Extensions.get_extension_for_class',
                side_effect=x509.ExtensionNotFound(
                    'Not found', x509.AuthorityInformationAccessOID.OCSP)):
            self.assertIs(checker.ocsp_revoked(cert_obj), False)