示例#1
def test_verify_crl_unreachable(cert_builder, private_key):
    """Verification must fail when the CRL distribution point cannot be fetched.

    Builds a certificate whose only CRL distribution point is an HTTP URI
    under ``invalid.example.org`` and expects ``crl_verify`` to raise with a
    message containing "Unable to retrieve CRL:" instead of accepting a
    certificate whose revocation status could not be checked.
    """
    unreachable_uri = 'http://invalid.example.org/crl/foobar.crl'
    distribution_point = x509.DistributionPoint(
        [UniformResourceIdentifier(unreachable_uri)],
        relative_name=None,
        reasons=None,
        crl_issuer=None,
    )
    crl_extension = x509.CRLDistributionPoints([distribution_point])
    builder = cert_builder.add_extension(crl_extension, critical=False)
    cert = builder.sign(private_key, hashes.SHA256(), default_backend())

    with mktempfile() as cert_tmp:
        # The PEM file is written and closed before verification starts.
        with open(cert_tmp, 'wb') as pem_file:
            pem_file.write(cert.public_bytes(serialization.Encoding.PEM))

        # The expected type is the broad Exception, so the message pattern is
        # what ties this assertion to the CRL retrieval failure.
        # NOTE(review): whether this does a real network lookup depends on
        # crl_verify, which is not shown here -- confirm.
        with pytest.raises(Exception, match="Unable to retrieve CRL:"):
            crl_verify(cert_tmp)
示例#2
def test_verify_crl_unreachable(cert_builder, private_key):
    """An unfetchable CRL distribution point must surface as an error.

    The certificate under test carries a single HTTP CRL distribution point
    under ``invalid.example.org``. ``crl_verify`` receives both the
    certificate object and the path of its PEM file, and is expected to
    raise with "Unable to retrieve CRL:" in the message.
    """
    dead_crl_url = 'http://invalid.example.org/crl/foobar.crl'
    uri_names = [UniformResourceIdentifier(dead_crl_url)]
    dp = x509.DistributionPoint(uri_names, relative_name=None,
                                reasons=None, crl_issuer=None)
    with_crl_ext = cert_builder.add_extension(
        x509.CRLDistributionPoints([dp]), critical=False)
    cert = with_crl_ext.sign(private_key, hashes.SHA256(), default_backend())

    with mktempfile() as cert_tmp:
        # Write the PEM encoding and close the file before verifying.
        with open(cert_tmp, 'wb') as out:
            out.write(cert.public_bytes(serialization.Encoding.PEM))

        # Exception is a broad type; the match pattern is what makes the
        # check specific to the "could not fetch the CRL" failure.
        with pytest.raises(Exception, match="Unable to retrieve CRL:"):
            crl_verify(cert, cert_tmp)
示例#3
def test_verify_crl_unknown_scheme(cert_builder, private_key):
    """Distribution point URIs with an unknown scheme are skipped, not errors.

    The certificate carries a single ``ldap://`` CRL distribution point and
    ``crl_verify`` must return without raising.
    """
    ldap_crl_uri = 'ldap://ldap.example.org/cn=Example%20Certificate%20Authority?certificateRevocationList;binary'
    distribution_point = x509.DistributionPoint(
        [UniformResourceIdentifier(ldap_crl_uri)],
        relative_name=None,
        reasons=None,
        crl_issuer=None,
    )
    crl_extension = x509.CRLDistributionPoints([distribution_point])
    builder = cert_builder.add_extension(crl_extension, critical=False)
    cert = builder.sign(private_key, hashes.SHA256(), default_backend())

    with mktempfile() as cert_tmp:
        # The PEM file is written and closed before verification starts.
        with open(cert_tmp, 'wb') as pem_file:
            pem_file.write(cert.public_bytes(serialization.Encoding.PEM))

        # Must not raise an exception.
        # NOTE(review): the ldap:// URI is the only distribution point, so a
        # clean return presumably means no CRL was consulted for this
        # certificate -- confirm that skipping the check is intended.
        crl_verify(cert_tmp)
示例#4
def test_verify_crl_unknown_scheme(cert_builder, private_key):
    """A CRL distribution point with an unknown URI scheme must be ignored.

    The only distribution point on the certificate is an ``ldap://`` URI.
    ``crl_verify`` is called with the certificate object and the path of its
    PEM file and is expected to complete without raising.
    """
    ldap_crl_uri = 'ldap://ldap.example.org/cn=Example%20Certificate%20Authority?certificateRevocationList;binary'
    uri_names = [UniformResourceIdentifier(ldap_crl_uri)]
    dp = x509.DistributionPoint(uri_names, relative_name=None,
                                reasons=None, crl_issuer=None)
    with_crl_ext = cert_builder.add_extension(
        x509.CRLDistributionPoints([dp]), critical=False)
    cert = with_crl_ext.sign(private_key, hashes.SHA256(), default_backend())

    with mktempfile() as cert_tmp:
        # Write the PEM encoding and close the file before verifying.
        with open(cert_tmp, 'wb') as out:
            out.write(cert.public_bytes(serialization.Encoding.PEM))

        # Must not raise an exception.
        # NOTE(review): with ldap:// as the sole distribution point, passing
        # here presumably means revocation was not checked at all for this
        # certificate -- confirm that this outcome is acceptable.
        crl_verify(cert, cert_tmp)