M/eDdZddlZddlmZddlmZddlZddlZddlmZddlmZddl m Z ddl m Z dd l m Z dd lmZdd lmZddlZddlZdd lmZdd lmZdZGddej6ZGddej6Zej< ddZdZ dZ!dZ"dZ#dZ$dZ%dZ&dZ'e(dk(r4ejRejTejVdde,gzyy)zTests for ocsp.pyN)datetime) timedelta)mock)x509)InvalidSignature)UnsupportedAlgorithm)default_backend)hashesocsp)errors)utilz;Missing = in header key=value ocsp: Use -help for summary. c~eZdZdZdZej dej dej ddZej dej dej d d Zd Z ej d ej d d Z y)OCSPTestOpenSSLz5 OCSP revocation tests using OpenSSL binary. c ddlm}tjd5}tjd5}t|_d|_|jd|_ddddddy#1swYxYw#1swYyxYw)Nrr certbot.ocsp.subprocess.runcertbot.util.exe_existsTenforce_openssl_binary_usage) certbotr rpatchoutstderr return_valueRevocationCheckerchecker)selfr mock_run mock_existss C/usr/lib/python3/dist-packages/certbot/_internal/tests/ocsp_test.pysetUpzOCSPTestOpenSSL.setUp s ZZ5 6 Y(56 Y+"%+/ (#55SW5X  Y Y Y Y Y Y Ys"A9*A-A9-A6 2A99Bzcertbot.ocsp.logger.inforrc"t|j_d|_ddlm}|j d}|j dk(sJ|jddgk(sJtjdd |j_|j d}|jdd dgk(sJ|jd usJd |_d|_|j d}|j dk(sJ|j dk(sJ|jdusJy) NTrr rxzHost=x HostF) rrrrr r call_count host_args partitionbroken)rrrmock_logr rs r test_initzOCSPTestOpenSSL.test_init(s(+$#'   ((d(K""a'''  %(333'*}}T':1'=$((d(K  %&#666~~&&&#(  ((d(K""a'''""a'''~~%%%#certbot.ocsp._determine_ocsp_server!certbot.ocsp.crypto_util.notAfterzcertbot.util.run_scriptcHtjtj}t j }d|_d|_|tdz|_ d|j_ d|_ |jj|dusJd|j_ ttdd|_ |jj|dusJ|jd k(sJd |_ |jj|dusJt!j"d |_|jj|dusJ|jdk(sJ||_ d|_ |j}|jj|dusJ|j|k(sJy) Nr$yr&hoursT)r5Fr#r)z http://x.cozx.coz#Unable to load certificate launcher)rnowpytzUTCr MagicMock cert_path chain_pathrrrr+ ocsp_revokedtuple openssl_happyr(r SubprocessError side_effect)rrmock_namock_determiner6cert_obj count_befores r test_ocsp_revokedz!OCSPTestOpenSSL.test_ocsp_revoked@s~ll488$>># !"YQ%77" &.#||((2e;;;#  %mAB&7 8||((2e;;;""a'''&=#||((2e;;;%556[\||((2e;;;""a''' #&.#%00 ||((2e;;;((L888r.cjtjd}ddlm}|j |}d|k(sJy)Nocsp_certificate.pemrr )zhttp://ocsp.test4.buypass.comzocsp.test4.buypass.com) test_util vector_pathrr _determine_ocsp_server)rr:r results r test_determine_ocsp_serverz*OCSPTestOpenSSL.test_determine_ocsp_server`s4))*@A  ,,Y7JfTTTr.zcertbot.ocsp.loggerc\t|_ddlm}|jt dusJ|jtdusJ|j jdk(sJ|jjdk(sJd|j _|jtdusJ|j jdk(sJ|jjdk(sJ|jtdusJ|j jdk(sJ|jtdusJ|jjdk(sJd|j_|jtdusJ|jjdk(sJ|jtdusJ|jjdk(sJy)Nrr Fr#r&T)openssl_confusedrrr _translate_ocsp_queryr>debugr(warningopenssl_unknownopenssl_expired_ocspopenssl_brokeninfoopenssl_revokedopenssl_expired_ocsp_revoked)rrr,r s r test_translate_ocspz#OCSPTestOpenSSL.test_translate_ocspgs!1 )t))=9UBBB)t))+;<EEE~~((A---**a///$%!)t))?;uDDD~~((A---**a///)t))+?@EIII~~((A---)t))>:eCCC**a///#$  )t))?;tCCC}}''1,,,)t))+GHDPPP}}''1,,,r.N) __name__ __module__ __qualname____doc__r!rrr-rErLrXr.r rrsYTZZ*+TZZ-.TZZ)*&+/,&*TZZ56TZZ34TZZ)*9+579:UTZZ%&TZZ)*-+'-r.rceZdZdZdZej dej ddZdZdZ dZ d Z y ) OSCPTestCryptographyz; OCSP revokation tests using Cryptography >= 2.4.0 cVddlm}|j|_t j d|_t j d|_tj|_ |j |j_|j|j_tjtj}tjd|t!dz|_|j"j%|j'|j"j(y) Nrr rGocsp_issuer_certificate.pemr0r&r3)r)rr rrrHrIr:r;rr9rCrr6r7r8rr mock_notAfterstart addCleanupstop)rr r6s r r!zOSCPTestCryptography.setUps --/ "../EF#//0MN( "&.. #'??  ll488$!ZZ(K5891;M5MO   " **//0r.r/z%certbot.ocsp._check_ocsp_cryptographycd|_|jj|j|j |j |j ddy)N)http://example.com example.comrg )rrr<rCassert_called_once_withr:r;)r mock_checkrBs r test_ensure_cryptography_toggledz5OSCPTestCryptography.test_ensure_cryptography_toggledsA'L# !!$--0**4>>4??L`bder.cttjjtjj 5|j j|j}dddsJy#1swYxYw)N) _ocsp_mockocsp_libOCSPCertStatusREVOKEDOCSPResponseStatus SUCCESSFULrr<rC)rrevokeds r test_revokez OSCPTestCryptography.test_revokesX //779T9T9_9_ ` ?ll// >G ?w ? ?s &A00A9ctjtjdt }t t jjt jj5}|j|dj_ d|dj_|jj!|j"tj$j'|j)j*}d|dj_ ||dj_|jj!|j"ddddj,dk(sJ|dj.dddj1|j)j1k(sJ|dj.dddj1|j)j1k(sJy#1swYxYw)Nra mock_responserkr&rr#rload_pem_x509_certificaterH load_vectorr rnrorprqrrrssubjectrresponder_nameresponder_key_hashrr<rCSubjectKeyIdentifierfrom_public_key public_keydigestr(call_args_listpublic_numbers)rissuermockskey_hashs r test_responder_is_issuerz-OSCPTestCryptography.test_responder_is_issuers//  ! !"? @/BSU//77 33>>@ 5CHAGE/ " / / >EIE/ " / / B LL % %dmm 400@@ARARATU\\HAEE/ " / / >EME/ " / / B LL % %dmm 4 5\"--222\"11!4Q7:IIK     . . 01 11\"11!4Q7:IIK     . . 01 11# 5 5s .CG55G>ctjtjdt }tjtjdt }t t jjt jj5}|j|dj_ d|dj_|jj!|j"tj$j'|j)j*}d|dj_ ||dj_|jj!|j"ddddj,dk(sJ|dj.dddj1|j)j1k(sJ|dj.dddj1|j)j1k(sJ|dj.dddj1|j)j1k(sJ|dj.d ddj1|j)j1k(sJy#1swY;xYw) Nraocsp_responder_certificate.pemrwrkrr#r&rx)rr responderrrs r %test_responder_is_authorized_delegatez:OSCPTestCryptography.test_responder_is_authorized_delegatesx//  ! !"? @/BSU22  ! !"B C_EVX //77 33>>@ 5CHAJARARE/ " / / >EIE/ " / / B LL % %dmm 400@@AUAUAWX__HAEE/ " / / >EME/ " / / B LL % %dmm 4 5\"--222\"11!4Q7:IIK**,;;=> >>\"11!4Q7:IIK"--/>>@A AA\"11!4Q7:IIK**,;;=> >>\"11!4Q7:IIK"--/>>@A AA- 5 5s CJ44J>c  ttjjtjj d5|j j|j}ddddusJttjjtjj5|j j|j}ddd|dusJttjjtjj 5|j j|j}ddd|dusJttjjtjj 5tjdtjdtjj 5|j j|j}dddddd|dusJttjjtjj t#d5|j j|j}ddd|dusJttjjtjj t%d5|j j|j}ddd|dusJttjjtjj t'd5|j j|j}ddd|dusJttjjtjj 5}g|d j(_|j j|j}ddd|dusJttjjtjj 5}|d j(j*d }tj,d |j. |d j(j*d <|j j|j}ddd|dusJttjjtjj 5tjd 5}d|_tjdtjdtjj 5|j j|j}ddddddddd|dusJy#1swYJxYw#1swYxYw#1swYxYw#1swYxYw#1swYxYw#1swYtxYw#1swYxYw#1swYxYw#1swY!xYw#1swYgxYw#1swYxYw#1swYxYw#1swYxYw)Ni)http_status_codeFz4cryptography.x509.Extensions.get_extension_for_classz Not found)r@foo)check_signature_side_effectrwrfake)rr{r/)zhttps://example.comrh)rnrorpUNKNOWNrrrsrr<rC UNAUTHORIZEDrqrrrExtensionNotFoundAuthorityInformationAccessOIDOCSPrrAssertionErrorr certificatesMockr{)rrtrcert mock_servers r test_revoke_resiliencyz+OSCPTestCryptography.test_revoke_resiliencys% //779T9T9_9_),. ?ll// >G ?%//779T9T9a9a b ?ll// >G ?%//779T9T9_9_ ` ?ll// >G ?%//779T9T9_9_ ` CR(,(>(> +T-O-O-T-T)VW C,,33DMMB C C %//779T9T9_9_4H4OQ ?ll// >G ?%//779T9T9_9_4DU4KM ?ll// >G ?%//779T9T9_9_4B54IK ?ll// >G ?%//77 33>>@ ?CH?AE/ " / / <ll// >G ?%//77 33>>@ ?CH)66CCAFDBF))t||C5E/ " / / < G  ? % //779T9T9_9_ ` GAB Gk+Q (ZZ V,0,B,B$/1S1S1X1X-Z[G#ll77 FGG G G%G ? ?  ? ?  ? ? C C C C ? ?  ? ?  ? ?  ? ? ? ?GG G G G Gs&V-/&V:&WAW!&W9W!&W.&W; &X<:XA=X"YA X;(&X/X;Y-V7:WWW W!!W+.W8;XXX"X,/X8 4X;;Y YYN) rYrZr[r\r!rrrlrurrrr]r.r r_r_sX 1TZZ56TZZ78f97f  10A>E r.r_c#Ktjd5}t|||_tjd5}tj||_tjd5}|r||_|||ddddddddddy#1swYxYw#1swYxYw#1swYyxYww)Nz(certbot.ocsp.ocsp.load_der_ocsp_responsezcertbot.ocsp.requests.post) status_codez.certbot.ocsp.crypto_util.verify_signed_payload)rw mock_postrk)rr_construct_mock_ocsp_responserrr@)certificate_statusresponse_statusrrrwrrks r rnrn s > ? =%B &1 " ZZ4 5 %)YY;K%LI "LM .-HJ*%2!*",            sKB?'B31B'0BB' B3 B?B$ B''B0 ,B33B<8B?ctjtjdt }tjtjdt }tjtjdt }t j }|j||tj}|j}tj|||j|j|j|j |gtjt#j$t&j(j+dt-dzt#j$t&j(j+dt-dz tj.j0j2 S)NrGrar)tzinfor#)days) rr serial_numberissuer_key_hashissuer_name_hashr|rhash_algorithm next_update this_updatesignature_algorithm_oid)rryrHrzr roOCSPRequestBuilderadd_certificater SHA1buildrrrrrr{rr6r7r8replaceroidSignatureAlgorithmOID RSA_WITH_SHA1)rrrrrbuilderrequests r rr3sR  ) )457H JD  + +;OQF..>?ARTI))+G%%dFFKKMBGmmoG 99'-++// 11 (([{{}LL*22$2?)QRBSSLL*22$2?)QRBSS $ > > L L  r.)r5z /etc/letsencrypt/live/example.org/cert.pem: good This Update: Dec 17 00:00:00 2016 GMT Next Update: Dec 24 00:00:00 2016 GMT z Response Verify Failure 139903674214048:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:138:Verify error:unable to get local issuer certificate )blah.pemz^ blah.pem: good This Update: Dec 20 18:00:00 2016 GMT Next Update: Dec 27 18:00:00 2016 GMT Response verify OK)rz blah.pem: revoked This Update: Dec 20 01:00:00 2016 GMT Next Update: Dec 27 01:00:00 2016 GMT Revocation Time: Dec 20 01:46:34 2016 GMT r)rza blah.pem: unknown This Update: Dec 20 18:00:00 2016 GMT Next Update: Dec 27 18:00:00 2016 GMT r)r5 tentaclesr)rz blah.pem: WARNING: Status times invalid. 140659132298912:error:2707307D:OCSP routines:OCSP_check_validity:status expired:ocsp_cl.c:372: good This Update: Apr 6 00:00:00 2016 GMT Next Update: Apr 13 00:00:00 2016 GMT r)rz blah.pem: WARNING: Status times invalid. 140659132298912:error:2707307D:OCSP routines:OCSP_check_validity:status expired:ocsp_cl.c:372: revoked This Update: Apr 6 00:00:00 2016 GMT Next Update: Apr 13 00:00:00 2016 GMT r__main__r#)N)-r\ contextlibrrsysunittestr cryptographyrcryptography.exceptionsrrcryptography.hazmat.backendsr cryptography.hazmat.primitivesr cryptography.x509r ropytestr7rr certbot.testsrrHrTestCaserr_contextmanagerrnrrNr>rVrRrTrSrWrYexitmainargv__file__r]r.r rs 4881. + b-h''b-J] 8,,] @ AE$6 9  z CHH[V[[!" 2 34r.