示例#1
    def test_invalid_add_response(self):
        """Every malformed argument to ``OCSPResponseBuilder.add_response`` is rejected.

        Wrong types for the certificate, issuer, timestamps, status or
        revocation reason raise ``TypeError``.  A value that is not a hash
        algorithm, a revocation time or reason attached to a ``GOOD``
        response, and a revocation time roughly a century in the past raise
        ``ValueError``.  A ``REVOKED`` response without a revocation time
        raises ``TypeError``.
        """
        cert, issuer = _cert_and_issuer()
        now = datetime.datetime.utcnow()
        reason = x509.ReasonFlags.cessation_of_operation
        sha256 = hashes.SHA256()
        good = ocsp.OCSPCertStatus.GOOD
        revoked = ocsp.OCSPCertStatus.REVOKED
        long_ago = now - datetime.timedelta(days=36500)
        builder = ocsp.OCSPResponseBuilder()

        # (expected exception, positional arguments) -- one bad argument per
        # case, walking the parameter list from left to right, then the
        # status-dependent combinations of revocation time and reason.
        cases = [
            (TypeError, ("bad", issuer, sha256, good, now, now, None, None)),
            (TypeError, (cert, "bad", sha256, good, now, now, None, None)),
            (ValueError, (cert, issuer, "notahash", good, now, now, None, None)),
            (TypeError, (cert, issuer, sha256, good, "bad", now, None, None)),
            (TypeError, (cert, issuer, sha256, good, now, "bad", None, None)),
            (TypeError, (cert, issuer, sha256, 0, now, now, None, None)),
            (ValueError, (cert, issuer, sha256, good, now, now, now, None)),
            (ValueError, (cert, issuer, sha256, good, now, now, None, reason)),
            (TypeError, (cert, issuer, sha256, revoked, now, now, None, reason)),
            (TypeError, (cert, issuer, sha256, revoked, now, now, now, 0)),
            (ValueError, (cert, issuer, sha256, revoked, now, now, long_ago, None)),
        ]
        for expected_exc, args in cases:
            with pytest.raises(expected_exc):
                builder.add_response(*args)  # type:ignore[arg-type]
示例#2
 def test_invalid_extension(self):
     """A value that is not an extension object makes ``add_extension`` raise ``TypeError``."""
     builder = ocsp.OCSPResponseBuilder()
     bogus_extension = "notanextension"
     with pytest.raises(TypeError):
         builder.add_extension(bogus_extension, True)
示例#3
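    def process_ocsp_request(self, data):
        """Answer a DER-encoded OCSP request with a signed OCSP response.

        Args:
            data: Raw DER bytes of the OCSP request as received from the client.

        Returns:
            The value of ``self.http_response`` for the DER-encoded signed
            response, or the value of ``self.malformed_request()`` /
            ``self.fail()`` when the request cannot be answered.

        Behaviour worth knowing when operating this responder: a request that
        does not parse, or that carries a critical extension other than the
        nonce, is answered as malformed; a certificate or CA that cannot be
        found is answered with ``self.fail()`` rather than an ``UNKNOWN``
        status; the requester's nonce (if any) is echoed back with the same
        criticality it was sent with.
        """
        try:
            ocsp_req = ocsp.load_der_ocsp_request(data)  # NOQA
        except Exception as e:
            # Anything that does not parse is answered as malformedRequest;
            # the parser error is logged server-side only.
            log.exception(e)
            return self.malformed_request()

        # Fail if there are any critical extensions that we do not understand
        for ext in ocsp_req.extensions:
            if ext.critical and not isinstance(ext.value, OCSPNonce):  # pragma: no cover
                # It seems impossible to get cryptography to create such a request, so it's not tested
                return self.malformed_request()

        # Get CA and certificate
        try:
            ca = self.get_ca()
        except CertificateAuthority.DoesNotExist:
            log.error('%s: Certificate Authority could not be found.', self.ca)
            return self.fail()

        # The request identifies the certificate by serial number only; the
        # lookup is scoped to the CA resolved above.
        try:
            cert = self.get_cert(ca, int_to_hex(ocsp_req.serial_number))
        except Certificate.DoesNotExist:
            log.warning('OCSP request for unknown cert received.')
            return self.fail()
        except CertificateAuthority.DoesNotExist:
            log.warning('OCSP request for unknown CA received.')
            return self.fail()

        # get key/cert for OCSP responder
        try:
            responder_key = self.get_responder_key()
            responder_cert = self.get_responder_cert()
        except Exception:
            log.error('Could not read responder key/cert.')
            return self.fail()

        # get the certificate status
        if cert.revoked:
            status = ocsp.OCSPCertStatus.REVOKED
        else:
            status = ocsp.OCSPCertStatus.GOOD

        # Read the clock once so thisUpdate and nextUpdate are derived from
        # the same instant instead of two separate reads.
        now = datetime.utcnow()
        expires = now + timedelta(seconds=self.expires)
        builder = ocsp.OCSPResponseBuilder()
        # ``algorithm`` selects the hash used for the CertID issuer name/key
        # hashes (SHA-1 as in the RFC 5019 profile); it is not the signature
        # hash -- the response is signed with SHA-256 below.
        builder = builder.add_response(
            cert=cert.x509,
            issuer=ca.x509,
            algorithm=hashes.SHA1(),
            cert_status=status,
            this_update=now,
            next_update=expires,
            revocation_time=cert.get_revocation_time(),
            revocation_reason=cert.get_revocation_reason()).responder_id(
                ocsp.OCSPResponderEncoding.HASH, responder_cert)

        # Add the responder cert to the response, necessary because we (so far) always use delegate
        # certificates
        builder = builder.certificates([responder_cert])

        # Add OCSP nonce if present
        try:
            nonce = ocsp_req.extensions.get_extension_for_class(OCSPNonce)
            builder = builder.add_extension(nonce.value,
                                            critical=nonce.critical)
        except ExtensionNotFound:
            # No nonce in the request: nothing to echo back.
            pass

        response = builder.sign(responder_key, hashes.SHA256())
        return self.http_response(response.public_bytes(Encoding.DER))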