From 40e29bb95f5ee64f55bea25be94a3b3341c99b53 Mon Sep 17 00:00:00 2001
From: Peter Eckersley
Date: Wed, 21 Dec 2016 14:38:20 -0800
Subject: [PATCH] begin implementing OCSP checking for "certificates"
---
 certbot/cert_manager.py | 8 ++++++++
 certbot/ocsp.py | 14 ++++++++------
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/certbot/cert_manager.py b/certbot/cert_manager.py
index 35b12e1bb..1b6d441c7 100644
--- a/certbot/cert_manager.py
+++ b/certbot/cert_manager.py
@@ -8,6 +8,7 @@ import zope.component
 from certbot import errors
 from certbot import interfaces
+from certbot import ocsp
 from certbot import storage
 from certbot import util
@@ -170,11 +171,17 @@ def _report_human_readable(parsed_certs):
     certinfo = []
     for cert in parsed_certs:
         now = pytz.UTC.fromutc(datetime.datetime.utcnow())
+        expiration_text = ""
         if cert.is_test_cert:
             expiration_text = "INVALID: TEST CERT"
         elif cert.target_expiry <= now:
             expiration_text = "INVALID: EXPIRED"
         else:
+            revoked = ocsp.revoked_status(cert.cert, cert.chain)
+            if revoked:
+                expiration_text = "INVALID: " + revoked
+
+        if not expiration_text:
             diff = cert.target_expiry - now
             if diff.days == 1:
                 expiration_text = "VALID: 1 day"
@@ -182,6 +189,7 @@ def _report_human_readable(parsed_certs):
                 expiration_text = "VALID: {0} hour(s)".format(diff.seconds // 3600)
             else:
                 expiration_text = "VALID: {0} days".format(diff.days)
+
         valid_string = "{0} ({1})".format(cert.target_expiry, expiration_text)
         certinfo.append(" Certificate Name: {0}\n"
                         " Domains: {1}\n"
diff --git a/certbot/ocsp.py b/certbot/ocsp.py
index d7fc06e0d..cb3dd0610 100644
--- a/certbot/ocsp.py
+++ b/certbot/ocsp.py
@@ -1,8 +1,8 @@
+"""Tools for checking certificate revocation."""
 import logging
-from letsencrypt import errors
-from letsencrypt import le_util
-
+from certbot import errors
+from certbot import util
 logger = logging.getLogger(__name__)
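Review bot: The new lookup `revoked = ocsp.revoked_status(cert.cert, cert.chain)` in the `else:` branch of `_report_human_readable` has no error handling and no way to say "could not check": any falsy result falls through to `if not expiration_text:` and the certificate is printed as `VALID: N days`, so a responder that is down or a certificate with no OCSP URI is reported exactly like a good one (fail-open), while an exception — the parse-failure path visible in ocsp.py raises `errors.Error`, and `util.run_script` presumably raises if `openssl` is missing — aborts the entire `certificates` listing. Because `revoked_status` shells out to openssl and contacts the responder over the network for every certificate, I would catch `errors.Error` around the call and print an explicit UNKNOWN status instead of either failing open or aborting, as below; whether `revoked_status` already swallows its own failures and returns `None` is outside this hunk. If it returns `REV_LABEL`/`EXP_LABEL` as the constants suggest, the plain-text report will also print `INVALID: **Revoked**` with Markdown markers that mean nothing here. `_report_human_readable` continues past the end of the hunk.
```python
        else:
            # revoked_status shells out to openssl and talks to the OCSP
            # responder; one bad responder must not abort the whole listing,
            # and a failed check must not read as "valid".
            try:
                revoked = ocsp.revoked_status(cert.cert, cert.chain)
            except errors.Error:
                revoked = None
                expiration_text = "UNKNOWN: OCSP CHECK FAILED"
            if revoked:
                expiration_text = "INVALID: " + revoked
        # … unchanged: `if not expiration_text:` expiry-text computation …
```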
@@ -10,6 +10,9 @@ logger = logging.getLogger(__name__)
 REV_LABEL = "**Revoked**"
 EXP_LABEL = "**Expired**"
+INSTALL_LABEL = "(Installed)"
+
+
 def revoked_status(cert_path, chain_path):
     """Get revoked status for a particular cert version.
@@ -19,7 +22,7 @@ def revoked_status(cert_path, chain_path):
     :param str chain_path: Path to chain certificate
     """
-    url, _ = le_util.run_script(
+    url, _ = util.run_script(
         ["openssl", "x509", "-in", cert_path, "-noout", "-ocsp_uri"])
     url = url.rstrip()
@@ -31,7 +34,7 @@ def revoked_status(cert_path, chain_path):
     # This was a PITA...
     # Thanks to "Bulletproof SSL and TLS - Ivan Ristic" for helping me out
     try:
-        output, _ = le_util.run_script(
+        output, _ = util.run_script(
             ["openssl", "ocsp", "-no_nonce", "-header", "Host", host, "-issuer", chain_path,
@@ -56,4 +59,3 @@ def _translate_ocsp_query(cert_path, ocsp_output):
     raise errors.Error(
         "Unable to properly parse OCSP output: %s", ocsp_output)
-
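Review bot: `INSTALL_LABEL = "(Installed)"` is added beside `REV_LABEL` and `EXP_LABEL` but nothing in this patch reads it, so it lands as a dead constant; either hold it back until its consumer lands or give it a one-line comment naming the report it is meant for. The docstring of `revoked_status` opening at `"""Get revoked status for a particular cert version.` still says nothing about the return value, which now matters because cert_manager treats any falsy result as "not revoked"; I would add a `:returns:` line stating the label returned on revocation and what comes back when the certificate carries no OCSP URI or the query fails (the body that decides this is outside the hunk, so the exact wording needs checking against it). The rest of `revoked_status` and its docstring continue past the hunk.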