From abd062cb9453f0b17687757cdee943dfdd4d3c5f Mon Sep 17 00:00:00 2001
From: Peter Eckersley
Date: Thu, 5 Jan 2017 11:55:19 -0800
Subject: [PATCH] Handle warnings in "revoked" responses too

---
 certbot/ocsp.py            |  7 ++++++-
 certbot/tests/ocsp_test.py | 12 ++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/certbot/ocsp.py b/certbot/ocsp.py
index b87ac056d..fd99ffe54 100644
--- a/certbot/ocsp.py
+++ b/certbot/ocsp.py
@@ -97,7 +97,9 @@ def _translate_ocsp_query(cert_path, ocsp_output, ocsp_errors):
     """Parse openssl's weird output to work out what it means."""
 
     pattern = r"{0}: (WARNING.*)?good".format(cert_path)
+    rpattern = r"{0}: (WARNING.*)?revoked".format(cert_path)
     good = re.search(pattern, ocsp_output, flags=re.DOTALL)
+    revoked = re.search(rpattern, ocsp_output, flags=re.DOTALL)
     warning = good.group(1) if good else None
 
     if (not "Response verify OK" in ocsp_errors) or (good and warning):
@@ -106,7 +108,10 @@ def _translate_ocsp_query(cert_path, ocsp_output, ocsp_errors):
         return False
     elif good and not warning:
         return False
-    elif cert_path + ": revoked" in ocsp_output:
+    elif revoked:
+        warning = revoked.group(1)
+        if warning:
+            logger.info("OCSP revocation warning: %s", warning)
         return True
     else:
         logger.warn("Unable to properly parse OCSP output: %s\nstderr:%s",
diff --git a/certbot/tests/ocsp_test.py b/certbot/tests/ocsp_test.py
index f64c38a33..6770f04d9 100644
--- a/certbot/tests/ocsp_test.py
+++ b/certbot/tests/ocsp_test.py
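Review bot: The new `rpattern` line interpolates `cert_path` into a regular expression without escaping it, so a path containing regex metacharacters (`.` already matches any character; an unbalanced `(` could make `re.search` raise `re.error`) matches too loosely or fails outright; the existing `pattern` line has the same weakness, so both should read `.format(re.escape(cert_path))`, e.g. `rpattern = r"{0}: (WARNING.*)?revoked".format(re.escape(cert_path))`. Note also that with `re.DOTALL` the greedy `(WARNING.*)?` group can span several lines, so the captured warning is everything between the first `WARNING` and the last `revoked` in the output, which is what the later `logger.info` call prints. `_translate_ocsp_query` begins before this hunk and its body continues past it.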
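Review bot: The new `elif revoked:` branch returns True even when openssl attached a warning to the revoked answer, whereas a warning on a "good" answer is routed to the unknown branch above; that fail-closed asymmetry looks deliberate but is not explained anywhere in the code, so a comment such as `# A warning on a "revoked" answer (e.g. stale validity times) still counts as revoked: fail closed.` above the new `warning = revoked.group(1)` line would stop the next reader from "fixing" it. Because the captured group may span several lines of openssl output, logging `warning.strip()` would keep the log line tidy. The function's trailing `logger.warn` arguments and final return lie outside this hunk.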
@@ -102,7 +102,11 @@ class OCSPTest(unittest.TestCase):
         self.assertEqual(mock_log.debug.call_count, 2)
         self.assertEqual(ocsp._translate_ocsp_query(*openssl_broken), False)
         self.assertEqual(mock_log.warn.call_count, 1)
+        mock_log.info.call_count = 0
         self.assertEqual(ocsp._translate_ocsp_query(*openssl_revoked), True)
+        self.assertEqual(mock_log.info.call_count, 0)
+        self.assertEqual(ocsp._translate_ocsp_query(*openssl_expired_ocsp_revoked), True)
+        self.assertEqual(mock_log.info.call_count, 1)
 
 
 # pylint: disable=line-too-long
@@ -142,6 +146,14 @@ good
 """,
 """Response verify OK""")
 
+openssl_expired_ocsp_revoked = ("blah.pem", """
+blah.pem: WARNING: Status times invalid.
+140659132298912:error:2707307D:OCSP routines:OCSP_check_validity:status expired:ocsp_cl.c:372:
+revoked
+ This Update: Apr 6 00:00:00 2016 GMT
+ Next Update: Apr 13 00:00:00 2016 GMT
+""",
+"""Response verify OK""")
 
 if __name__ == '__main__':
     unittest.main() # pragma: no cover
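Review bot: `mock_log.info.call_count = 0` resets the counter by direct assignment, which leaves `call_args_list` and `mock_calls` out of step with the count and relies on an attribute that is not meant to be written; `mock_log.info.reset_mock()` clears all of them and gives the two `call_count` assertions that follow the same meaning. The enclosing test method starts before this hunk, and `mock_log` is presumably the patched module logger — worth confirming nothing later in the method inspects the earlier recorded calls.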