upstream/certbot
1
0
Fork 0
mirror of https://github.com/certbot/certbot.git synced 2026-05-28 04:34:11 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Handle warnings in "revoked" responses too

Browse source
This commit is contained in:
Peter Eckersley 2017-01-05 11:55:19 -08:00
parent 3b460cea71
commit abd062cb94
2 changed files with 18 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
certbot/ocsp.py
View file

@ -97,7 +97,9 @@ def _translate_ocsp_query(cert_path, ocsp_output, ocsp_errors):
"""Parse openssl's weird output to work out what it means."""
pattern = r"{0}: (WARNING.*)?good".format(cert_path)
rpattern = r"{0}: (WARNING.*)?revoked".format(cert_path)
good = re.search(pattern, ocsp_output, flags=re.DOTALL)
revoked = re.search(rpattern, ocsp_output, flags=re.DOTALL)
warning = good.group(1) if good else None
if (not "Response verify OK" in ocsp_errors) or (good and warning):
@ -106,7 +108,10 @@ def _translate_ocsp_query(cert_path, ocsp_output, ocsp_errors):
return False
elif good and not warning:
return False
elif cert_path + ": revoked" in ocsp_output:
elif revoked:
warning = revoked.group(1)
if warning:
logger.info("OCSP revocation warning: %s", warning)
return True
else:
logger.warn("Unable to properly parse OCSP output: %s\nstderr:%s",

12
certbot/tests/ocsp_test.py
View file

@ -102,7 +102,11 @@ class OCSPTest(unittest.TestCase):
self.assertEqual(mock_log.debug.call_count, 2)
self.assertEqual(ocsp._translate_ocsp_query(*openssl_broken), False)
self.assertEqual(mock_log.warn.call_count, 1)
mock_log.info.call_count = 0
self.assertEqual(ocsp._translate_ocsp_query(*openssl_revoked), True)
self.assertEqual(mock_log.info.call_count, 0)
self.assertEqual(ocsp._translate_ocsp_query(*openssl_expired_ocsp_revoked), True)
self.assertEqual(mock_log.info.call_count, 1)
# pylint: disable=line-too-long
@ -142,6 +146,14 @@ good
""",
"""Response verify OK""")
openssl_expired_ocsp_revoked = ("blah.pem", """
blah.pem: WARNING: Status times invalid.
140659132298912:error:2707307D:OCSP routines:OCSP_check_validity:status expired:ocsp_cl.c:372:
revoked
This Update: Apr 6 00:00:00 2016 GMT
Next Update: Apr 13 00:00:00 2016 GMT
""",
"""Response verify OK""")
if __name__ == '__main__':
unittest.main() # pragma: no cover