def test_invalid_add_response(self):
    """Every malformed argument combination for ``add_response`` is rejected.

    Each case is a ``(expected exception, positional arguments)`` pair; the
    builder is shared across cases, exactly as in a sequential set of calls.
    """
    cert, issuer = _cert_and_issuer()
    now = datetime.datetime.utcnow()
    reason = x509.ReasonFlags.cessation_of_operation
    builder = ocsp.OCSPResponseBuilder()
    good = ocsp.OCSPCertStatus.GOOD
    revoked = ocsp.OCSPCertStatus.REVOKED
    sha256 = hashes.SHA256()
    long_ago = now - datetime.timedelta(days=36500)

    cases = [
        # wrong types for cert / issuer
        (TypeError, ("bad", issuer, sha256, good, now, now, None, None)),
        (TypeError, (cert, "bad", sha256, good, now, now, None, None)),
        # unsupported hash object
        (ValueError, (cert, issuer, "notahash", good, now, now, None, None)),
        # this_update / next_update must be datetimes
        (TypeError, (cert, issuer, sha256, good, "bad", now, None, None)),
        (TypeError, (cert, issuer, sha256, good, now, "bad", None, None)),
        # cert_status must be an OCSPCertStatus
        (TypeError, (cert, issuer, sha256, 0, now, now, None, None)),
        # GOOD status must not carry revocation time / reason
        (ValueError, (cert, issuer, sha256, good, now, now, now, None)),
        (ValueError, (cert, issuer, sha256, good, now, now, None, reason)),
        # REVOKED status requires a datetime revocation time and a ReasonFlags reason
        (TypeError, (cert, issuer, sha256, revoked, now, now, None, reason)),
        (TypeError, (cert, issuer, sha256, revoked, now, now, now, 0)),
        # revocation time outside the encodable range
        (ValueError, (cert, issuer, sha256, revoked, now, now, long_ago, None)),
    ]

    for expected, args in cases:
        with pytest.raises(expected):
            builder.add_response(*args)  # type: ignore[arg-type]
def test_invalid_extension(self):
    """A plain string is not an extension; ``add_extension`` rejects it with ``TypeError``."""
    bogus_extension = "notanextension"
    builder = ocsp.OCSPResponseBuilder()
    with pytest.raises(TypeError):
        builder.add_extension(bogus_extension, True)
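def process_ocsp_request(self, data):
    """Parse a DER-encoded OCSP request and answer it with a signed OCSP response.

    Args:
        data: raw DER bytes of the OCSP request as received from the client.

    Returns:
        The value of ``self.http_response`` wrapping the DER-encoded response on
        success; ``self.malformed_request()`` when the request cannot be parsed or
        carries an unrecognised critical extension; ``self.fail()`` when the CA,
        the certificate or the responder key/cert cannot be loaded.
    """
    try:
        ocsp_req = ocsp.load_der_ocsp_request(data)  # NOQA
    except Exception as e:
        # The request body is untrusted input; any parse failure is reported as malformed.
        log.exception(e)
        return self.malformed_request()

    # Fail if there are any critical extensions that we do not understand.
    # Silently ignoring an unknown critical extension could produce a response the
    # client interprets differently from what was asked for.
    for ext in ocsp_req.extensions:
        if ext.critical and not isinstance(ext.value, OCSPNonce):  # pragma: no cover
            # It seems impossible to get cryptography to create such a request, so it's not tested
            return self.malformed_request()

    # Get CA and certificate
    try:
        ca = self.get_ca()
    except CertificateAuthority.DoesNotExist:
        log.error('%s: Certificate Authority could not be found.', self.ca)
        return self.fail()

    try:
        cert = self.get_cert(ca, int_to_hex(ocsp_req.serial_number))
    except Certificate.DoesNotExist:
        log.warning('OCSP request for unknown cert received.')
        return self.fail()
    except CertificateAuthority.DoesNotExist:
        log.warning('OCSP request for unknown CA received.')
        return self.fail()

    # get key/cert for OCSP responder
    try:
        responder_key = self.get_responder_key()
        responder_cert = self.get_responder_cert()
    except Exception:
        log.error('Could not read responder key/cert.')
        return self.fail()

    # get the certificate status
    if cert.revoked:
        status = ocsp.OCSPCertStatus.REVOKED
    else:
        status = ocsp.OCSPCertStatus.GOOD

    now = datetime.utcnow()
    # Derive next_update from the same timestamp as this_update so the validity window
    # is exactly ``self.expires`` seconds; two separate utcnow() calls would drift apart.
    expires = now + timedelta(seconds=self.expires)

    builder = ocsp.OCSPResponseBuilder()
    # ``algorithm`` is the digest used for the CertID (issuer name/key), not for the
    # response signature — the signature uses SHA256 in ``builder.sign`` below.
    # NOTE(review): SHA1 is kept here for the CertID; confirm it matches the hash
    # algorithm clients send in their requests so responses can be matched.
    builder = builder.add_response(
        cert=cert.x509,
        issuer=ca.x509,
        algorithm=hashes.SHA1(),
        cert_status=status,
        this_update=now,
        next_update=expires,
        revocation_time=cert.get_revocation_time(),
        revocation_reason=cert.get_revocation_reason(),
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, responder_cert)

    # Add the responder cert to the response, necessary because we (so far) always use delegate
    # certificates
    builder = builder.certificates([responder_cert])

    # Add OCSP nonce if present: echoing it lets the client bind this response to its
    # own request rather than accept a replayed one. A request without a nonce is
    # answered without one.
    try:
        nonce = ocsp_req.extensions.get_extension_for_class(OCSPNonce)
        builder = builder.add_extension(nonce.value, critical=nonce.critical)
    except ExtensionNotFound:
        pass

    response = builder.sign(responder_key, hashes.SHA256())
    return self.http_response(response.public_bytes(Encoding.DER))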