U
    ÝÁ]0A  ã                	   @   s<  d Z ddlZddlZddlmZmZ ddlmZ ddlmZ ddl	m
Z
mZ ddlmZ zddlmZ eejd	ƒ W n eefk
r   dZY nX ddlZddlZdd
lmZ ddlmZ dZG dd„ dejƒZeje ddG dd„ dejƒƒZ ej!d dd„ƒZ"dd„ Z#dZ$dZ%dZ&dZ'dZ(dZ)dZ*e+dkr8e ,¡  dS )!zTests for ocsp.pyé    N)ÚdatetimeÚ	timedelta)Údefault_backend)Úhashes)ÚUnsupportedAlgorithmÚInvalidSignature)Úx509©ÚocspZsignature_hash_algorithm)Úerrors)Úutilz;Missing = in header key=value
ocsp: Use -help for summary.
c                   @   s†   e Zd ZdZdd„ Zdd„ Ze d¡e d¡e d¡d	d
„ ƒƒƒZe d¡e d¡dd„ ƒƒZ	dd„ Z
e d¡e d¡dd„ ƒƒZdS )ÚOCSPTestOpenSSLz5
    OCSP revokation tests using OpenSSL binary.
    c              
   C   sj   ddl m} t d¡J}t d¡4}t ¡ }d tf|j_||_d|_|jdd| _	W 5 Q R X W 5 Q R X d S )Nr   r	   úcertbot.ocsp.Popenúcertbot.util.exe_existsT©Zenforce_openssl_binary_usage)
Úcertbotr
   ÚmockÚpatchÚ	MagicMockÚoutÚcommunicateÚreturn_valueÚRevocationCheckerÚchecker)Úselfr
   Ú
mock_popenÚmock_existsÚmock_communicate© r   ú9/usr/lib/python3/dist-packages/certbot/tests/ocsp_test.pyÚsetUp"   s    zOCSPTestOpenSSL.setUpc                 C   s   d S ©Nr   )r   r   r   r   ÚtearDown,   s    zOCSPTestOpenSSL.tearDownzcertbot.ocsp.logger.infor   r   c                 C   sæ   t  ¡ }d tf|j_||_d|_ddlm} |jdd}|  |j	d¡ |  | 
d¡dg¡ d t d¡d	 f|j_|jdd}|  | 
d¡d
dg¡ |  |jd¡ d|_d|_	|jdd}|  |j	d¡ |  |j	d¡ |  |jd¡ d S )NTr   r	   r   é   ÚxzHost=xÚ
é   ZHostF)r   r   r   r   r   r   r
   r   ÚassertEqualÚ
call_countZ	host_argsÚ	partitionÚbroken)r   r   r   Úmock_logr   r
   r   r   r   r   Ú	test_init/   s$    zOCSPTestOpenSSL.test_initú#certbot.ocsp._determine_ocsp_serverzcertbot.util.run_scriptc                 C   s  t j t ¡ ¡}t ¡ }d|_d|_|t	dd |_
d| j_d|_|  | j |¡d¡ d| j_ttdd … ƒ|_|  | j |¡d¡ |  |jd	¡ d
|_|  | j |¡d¡ t d¡|_|  | j |¡d¡ |  |jd¡ ||_
d|_|j}|  | j |¡d¡ |  |j|¡ d S )Nr$   Úyr&   ©ZhoursT)Ú r0   Fr#   r   )zhttp://x.cozx.coz#Unable to load certificate launcher)ÚpytzÚUTCÚfromutcr   Úutcnowr   r   ÚcertÚchainr   Útarget_expiryr   r*   r   r'   Úocsp_revokedÚtupleÚopenssl_happyr(   r   ZSubprocessErrorÚside_effect)r   Úmock_runÚmock_determineÚnowÚcert_objZcount_beforer   r   r   Útest_ocsp_revokedI   s,    z!OCSPTestOpenSSL.test_ocsp_revokedc                 C   s0   t  d¡}ddlm} | |¡}|  d|¡ d S )Núocsp_certificate.pemr   r	   )zhttp://ocsp.test4.buypass.comzocsp.test4.buypass.com)Ú	test_utilÚvector_pathr   r
   Z_determine_ocsp_serverr'   )r   Ú	cert_pathr
   Úresultr   r   r   Útest_determine_ocsp_serverh   s    

z*OCSPTestOpenSSL.test_determine_ocsp_serverzcertbot.ocsp.loggerc                 C   s$  t |_ddlm} |  |jtŽ d¡ |  |jt Ž d¡ |  |jjd¡ |  |j	jd¡ d|j_|  |jt
Ž d¡ |  |jjd¡ |  |j	jd¡ |  |jtŽ d¡ |  |jjd¡ |  |jtŽ d¡ |  |j	jd¡ d|j_|  |jtŽ d¡ |  |jjd¡ |  |jtŽ d¡ |  |jjd¡ d S )Nr   r	   Fr#   r&   T)Úopenssl_confusedr   r   r
   r'   Z_translate_ocsp_queryr:   Údebugr(   ZwarningÚopenssl_unknownÚopenssl_expired_ocspÚopenssl_brokenÚinfoÚopenssl_revokedÚopenssl_expired_ocsp_revoked)r   r<   r+   r
   r   r   r   Útest_translate_ocspo   s&    z#OCSPTestOpenSSL.test_translate_ocspN)Ú__name__Ú
__module__Ú__qualname__Ú__doc__r    r"   r   r   r,   r@   rF   rO   r   r   r   r   r      s   
r   zFThis class tests functionalities available only on cryptography>=2.5.0)Úreasonc                   @   sT   e Zd ZdZdd„ Ze d¡e d¡dd„ ƒƒZdd	„ Zd
d„ Z	dd„ Z
dd„ ZdS )ÚOSCPTestCryptographyz;
    OCSP revokation tests using Cryptography >= 2.4.0
    c                 C   sr   ddl m} | ¡ | _t d¡| _t d¡| _t 	¡ | _
| j| j
_| j| j
_tj t ¡ ¡}|tdd | j
_d S )Nr   r	   rA   úocsp_issuer_certificate.pemr&   r/   )r   r
   r   r   rB   rC   rD   Ú
chain_pathr   r   r?   r5   r6   r1   r2   r3   r   r4   r   r7   )r   r
   r>   r   r   r   r       s    


zOSCPTestCryptography.setUpr-   z%certbot.ocsp._check_ocsp_cryptographyc                 C   s*   d|_ | j | j¡ | | j| jd¡ d S )N)úhttp://example.comúexample.comrX   )r   r   r8   r?   Zassert_called_once_withrD   rW   )r   Zmock_revoker=   r   r   r   Ú test_ensure_cryptography_toggledš   s    z5OSCPTestCryptography.test_ensure_cryptography_toggledc              	   C   s:   t tjjtjjƒ | j | j¡}W 5 Q R X |  	|¡ d S r!   )
Ú
_ocsp_mockÚocsp_libÚOCSPCertStatusÚREVOKEDÚOCSPResponseStatusÚ
SUCCESSFULr   r8   r?   Z
assertTrue)r   Úrevokedr   r   r   Útest_revoke¢   s    z OSCPTestCryptography.test_revokec              	   C   sŠ   t  t d¡tƒ ¡}ttjjtj	j
ƒ"}|j|d j_| j | j¡ W 5 Q R X |  |d jd¡ |  |d jd d  ¡ | ¡  ¡ ¡ d S )NrV   Úmock_responseÚ
mock_checkr#   r   )r   Úload_pem_x509_certificaterB   Úload_vectorr   r[   r\   r]   r^   r_   r`   Úsubjectr   Úresponder_namer   r8   r?   r'   r(   Z	call_argsÚpublic_numbersÚ
public_key)r   ÚissuerÚmocksr   r   r   Útest_responder_is_issuer§   s     ÿÿ
ÿz-OSCPTestCryptography.test_responder_is_issuerc              	   C   s¾   t  t d¡tƒ ¡}t  t d¡tƒ ¡}ttjjtj	j
ƒ}| j | j¡ W 5 Q R X |  |d jd¡ |  |d jd d d  ¡ | ¡  ¡ ¡ |  |d jd d d  ¡ | ¡  ¡ ¡ d S )NrV   úocsp_responder_certificate.pemrd   r&   r   r#   )r   re   rB   rf   r   r[   r\   r]   r^   r_   r`   r   r8   r?   r'   r(   Zcall_args_listri   rj   )r   rk   Ú	responderrl   r   r   r   Ú%test_responder_is_authorized_delegateµ   s(     ÿ ÿÿ
ÿ
ÿz:OSCPTestCryptography.test_responder_is_authorized_delegatec                 C   sÜ  t tjjtjjdd | j | j¡}W 5 Q R X |  	|¡ t tjjtjj
ƒ | j | j¡}W 5 Q R X |  	|¡ t tjjtjjƒ | j | j¡}W 5 Q R X |  	|¡ t tjjtjjƒ: tjdt dtjj¡d | j | j¡}W 5 Q R X W 5 Q R X |  	|¡ t tjjtjjtdƒd | j | j¡}W 5 Q R X |  	|¡ t tjjtjjtdƒd | j | j¡}W 5 Q R X |  	|¡ t tjjtjjtdƒd | j | j¡}W 5 Q R X |  	|¡ t tjjtjjƒ }g |d j_| j | j¡}W 5 Q R X |  	|¡ t tjjtjjƒ@}|d jjd	 }tjd
|jd|d jjd	< | j | j¡}W 5 Q R X |  	|¡ t tjjtjjƒV t d¡@}d|_tjdt dtjj¡d | j | j¡}W 5 Q R X W 5 Q R X W 5 Q R X |  	|¡ d S )Ni  )Úhttp_status_codez4cryptography.x509.Extensions.get_extension_for_classz	Not found)r;   Zfoo)Úcheck_signature_side_effectrc   r   Zfake)rk   rg   r-   )zhttps://example.comrY   )r[   r\   r]   ZUNKNOWNr_   r`   r   r8   r?   ZassertFalseZUNAUTHORIZEDr^   r   r   r   ZExtensionNotFoundZAuthorityInformationAccessOIDZOCSPr   r   ÚAssertionErrorr   ÚcertificatesÚMockrg   )r   ra   rl   r5   Zmock_serverr   r   r   Útest_revoke_resiliencyÇ   s€    ÿ


 ÿÿ"
ÿ
ÿ
ÿ
ÿ
ÿ ÿ
 ÿÿ,z+OSCPTestCryptography.test_revoke_resiliencyN)rP   rQ   rR   rS   r    r   r   rZ   rb   rm   rp   rv   r   r   r   r   rU   ˆ   s   rU   éÈ   c                 c   sx   t  d¡d}t| |ƒ|_t  d¡B}t j|d|_t  d¡}|rH||_|||dœV  W 5 Q R X W 5 Q R X W 5 Q R X d S )Nz(certbot.ocsp.ocsp.load_der_ocsp_responsezcertbot.ocsp.requests.post)Zstatus_codez.certbot.ocsp.crypto_util.verify_signed_payload)rc   Ú	mock_postrd   )r   r   Ú_construct_mock_ocsp_responser   ru   r;   )Úcertificate_statusÚresponse_statusrq   rr   rc   rx   rd   r   r   r   r[     s     ÿýr[   c                 C   s®   t  t d¡tƒ ¡}t  t d¡tƒ ¡}t  t d¡tƒ ¡}t ¡ }| ||t 	¡ ¡}| 
¡ }tj|| |j|j|j|j|gt 	¡ t ¡ tdd t ¡ tdd t jjjdS )NrA   rV   rn   r#   )Zdays)r{   rz   Úserial_numberÚissuer_key_hashÚissuer_name_hashrh   rt   Zhash_algorithmZnext_updateZthis_updateZsignature_algorithm_oid)r   re   rB   rf   r   r\   ZOCSPRequestBuilderZadd_certificater   ZSHA1Zbuildr   ru   r|   r}   r~   rg   r   r>   r   ZoidZSignatureAlgorithmOIDZRSA_WITH_SHA1)rz   r{   r5   rk   ro   ZbuilderZrequestr   r   r   ry   !  s8     ÿ ÿ ÿõry   )r0   z€
/etc/letsencrypt/live/example.org/cert.pem: good
	This Update: Dec 17 00:00:00 2016 GMT
	Next Update: Dec 24 00:00:00 2016 GMT
z´
Response Verify Failure
139903674214048:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:138:Verify error:unable to get local issuer certificate
)úblah.pemz^
blah.pem: good
	This Update: Dec 20 18:00:00 2016 GMT
	Next Update: Dec 27 18:00:00 2016 GMT
úResponse verify OK)r   zŒ
blah.pem: revoked
	This Update: Dec 20 01:00:00 2016 GMT
	Next Update: Dec 27 01:00:00 2016 GMT
	Revocation Time: Dec 20 01:46:34 2016 GMT
r€   )r   za
blah.pem: unknown
	This Update: Dec 20 18:00:00 2016 GMT
	Next Update: Dec 27 18:00:00 2016 GMT
r€   )r0   Z	tentaclesr€   )r   zÜ
blah.pem: WARNING: Status times invalid.
140659132298912:error:2707307D:OCSP routines:OCSP_check_validity:status expired:ocsp_cl.c:372:
good
	This Update: Apr  6 00:00:00 2016 GMT
	Next Update: Apr 13 00:00:00 2016 GMT
r€   )r   zß
blah.pem: WARNING: Status times invalid.
140659132298912:error:2707307D:OCSP routines:OCSP_check_validity:status expired:ocsp_cl.c:372:
revoked
	This Update: Apr  6 00:00:00 2016 GMT
	Next Update: Apr 13 00:00:00 2016 GMT
r€   Ú__main__)rw   N)-rS   Ú
contextlibZunittestr   r   Zcryptography.hazmat.backendsr   Zcryptography.hazmat.primitivesr   Zcryptography.exceptionsr   r   Zcryptographyr   Zcryptography.x509r
   r\   ÚgetattrZOCSPResponseÚImportErrorÚAttributeErrorr   r1   r   r   Zcertbot.testsr   rB   r   ZTestCaser   ZskipIfrU   Úcontextmanagerr[   ry   rG   r:   rM   rI   rK   rJ   rN   rP   Úmainr   r   r   r   Ú<module>   sJ   
kÿ    ÿ
