
Unified Diff: net/tools/testserver/minica.py

Issue 2040513003: Implement Expect-Staple (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Move OCSP into cert_verify_proc Created 4 years, 6 months ago
Index: net/tools/testserver/minica.py
diff --git a/net/tools/testserver/minica.py b/net/tools/testserver/minica.py
index acf68fcbb935059182661b275a106bb3c74472ad..91706fca7a8179b11e44abf011eee8a768cdad7b 100644
--- a/net/tools/testserver/minica.py
+++ b/net/tools/testserver/minica.py
@@ -3,9 +3,23 @@
# found in the LICENSE file.
import asn1
+import datetime
import hashlib
import os
+import time
+GENERALIZED_TIME_FORMAT = "%Y%m%d%H%M%SZ"
+
+OCSP_STATE_GOOD = 1
+OCSP_STATE_REVOKED = 2
+OCSP_STATE_INVALID = 3
+OCSP_STATE_UNAUTHORIZED = 4
+OCSP_STATE_UNKNOWN = 5
+
+OCSP_DATE_VALID = 1
+OCSP_DATE_OLD = 2
+OCSP_DATE_YOUNG = 3
+OCSP_DATE_LONG = 4
# This file implements very minimal certificate and OCSP generation. It's
# designed to test revocation checking.
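Review bot: The new OCSP_DATE_* constants are introduced without any statement of what each one makes the response look like, and the names alone (YOUNG, LONG) do not say which timestamp they move or in which direction. A one-line comment per constant, derived from how MakeOCSPResponse uses them, would make the test knobs self-describing: `OCSP_DATE_VALID = 1    # thisUpdate 1h in the past, nextUpdate a week later`, `OCSP_DATE_OLD = 2    # nextUpdate already in the past (stale response)`, `OCSP_DATE_YOUNG = 3    # thisUpdate in the future (not yet valid)`, and `OCSP_DATE_LONG = 4    # thisUpdate..nextUpdate window longer than a year`. That keeps the meaning next to the values callers pass rather than buried in the branch logic.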
@@ -245,8 +259,7 @@ def MakeCertificate(
asn1.BitString(privkey.Sign(tbsCert)),
]))
-
-def MakeOCSPResponse(issuer_cn, issuer_key, serial, ocsp_state):
+def MakeOCSPResponse(issuer_cn, issuer_key, serial, ocsp_state, ocsp_date):
# https://tools.ietf.org/html/rfc2560
issuer_name_hash = asn1.OCTETSTRING(
hashlib.sha1(asn1.ToDER(Name(cn = issuer_cn))).digest())
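Review bot: The new `ocsp_date` parameter is added without a default, so any caller of MakeOCSPResponse other than the updated GenerateCertKeyAndOCSP call site now fails with a TypeError; GenerateCertKeyAndOCSP itself defaults the value to OCSP_DATE_VALID, and mirroring that here, `def MakeOCSPResponse(issuer_cn, issuer_key, serial, ocsp_state, ocsp_date=OCSP_DATE_VALID):`, keeps the two signatures consistent and is backward compatible. The removed blank line also leaves only one blank line between MakeCertificate and this def, where the file's existing convention (and PEP 8) uses two. The body of MakeOCSPResponse continues beyond this hunk.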
@@ -264,6 +277,22 @@ def MakeOCSPResponse(issuer_cn, issuer_key, serial, ocsp_state):
else:
raise ValueError('Bad OCSP state: ' + str(ocsp_state))
+ now = datetime.datetime.fromtimestamp(time.mktime(time.gmtime()))
+ if ocsp_date == OCSP_DATE_VALID:
+ thisUpdate = now - datetime.timedelta(hours=1)
+ nextUpdate = thisUpdate + datetime.timedelta(weeks=1)
+ elif ocsp_date == OCSP_DATE_OLD:
+ thisUpdate = now - datetime.timedelta(hours=1, weeks=1)
+ nextUpdate = thisUpdate + datetime.timedelta(weeks=1)
+ elif ocsp_date == OCSP_DATE_YOUNG:
svaldez 2016/06/23 14:03:16 EARLY?
+ thisUpdate = now + datetime.timedelta(hours=1)
+ nextUpdate = thisUpdate + datetime.timedelta(weeks=1)
+ elif ocsp_date == OCSP_DATE_LONG:
+ thisUpdate = now - datetime.timedelta(days=365)
+ nextUpdate = thisUpdate + datetime.timedelta(hours=1, days=365)
+ else:
+ raise ValueError('Bad OCSP date: ' + str(ocsp_date))
+
basic_resp_data_der = asn1.ToDER(asn1.SEQUENCE([
asn1.Explicit(2, issuer_key_hash),
asn1.GeneralizedTime("20100101060000Z"), # producedAt
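Review bot: `now = datetime.datetime.fromtimestamp(time.mktime(time.gmtime()))` on the first added line does not reliably produce UTC: mktime() interprets the gmtime() tuple as local standard time and fromtimestamp() converts the result back to local time, so while DST is in effect on the test host the round-trip comes out an hour ahead of real UTC, which collapses OCSP_DATE_VALID's "one hour ago" thisUpdate to roughly the current time and shifts the other offsets by the same amount. Since the values are formatted with a `Z` suffix via GENERALIZED_TIME_FORMAT, the direct form `now = datetime.datetime.utcnow()` gives the naive UTC value intended. Separately, producedAt on the last context line stays pinned to the hard-coded 2010 value while thisUpdate now tracks the clock; if the client-side checks being tested ever compare producedAt against thisUpdate this will look inconsistent, so consider `asn1.GeneralizedTime(now.strftime(GENERALIZED_TIME_FORMAT)), # producedAt`. MakeOCSPResponse begins and ends outside this hunk.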
@@ -279,8 +308,13 @@ def MakeOCSPResponse(issuer_cn, issuer_key, serial, ocsp_state):
serial,
]),
cert_status,
- asn1.GeneralizedTime("20100101060000Z"), # thisUpdate
- asn1.Explicit(0, asn1.GeneralizedTime("20300101060000Z")), # nextUpdate
+ asn1.GeneralizedTime( # thisUpdate, 1 hour ago
+ thisUpdate.strftime(GENERALIZED_TIME_FORMAT)
+ ),
+ asn1.Explicit( # nextUpdate, 7 days later
+ 0,
+ asn1.GeneralizedTime(nextUpdate.strftime(GENERALIZED_TIME_FORMAT))
+ ),
]),
]),
]))
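Review bot: The trailing comments on the new thisUpdate/nextUpdate lines, `# thisUpdate, 1 hour ago` and `# nextUpdate, 7 days later`, describe only the OCSP_DATE_VALID branch; for OCSP_DATE_OLD, OCSP_DATE_YOUNG and OCSP_DATE_LONG the encoded values are a week in the past, an hour in the future, and a year apart respectively, so the comments are wrong for three of the four modes. Tie them to the selector instead, e.g. `# thisUpdate, per ocsp_date` and `# nextUpdate, per ocsp_date`, so a reader is sent to the branch that actually chooses the timestamps. MakeOCSPResponse begins outside this hunk.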
@@ -311,12 +345,6 @@ def DERToPEM(der):
pem += '-----END CERTIFICATE-----\n'
return pem
-OCSP_STATE_GOOD = 1
-OCSP_STATE_REVOKED = 2
-OCSP_STATE_INVALID = 3
-OCSP_STATE_UNAUTHORIZED = 4
-OCSP_STATE_UNKNOWN = 5
-
# unauthorizedDER is an OCSPResponse with a status of 6:
# SEQUENCE { ENUM(6) }
unauthorizedDER = '30030a0106'.decode('hex')
@@ -324,6 +352,7 @@ unauthorizedDER = '30030a0106'.decode('hex')
def GenerateCertKeyAndOCSP(subject = "127.0.0.1",
ocsp_url = "http://127.0.0.1",
ocsp_state = OCSP_STATE_GOOD,
+ ocsp_date = OCSP_DATE_VALID,
serial = 0):
'''GenerateCertKeyAndOCSP returns a (cert_and_key_pem, ocsp_der) where:
* cert_and_key_pem contains a certificate and private key in PEM format
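Review bot: `ocsp_date` is added to GenerateCertKeyAndOCSP's signature but the visible part of its docstring does not mention it, so callers reading the docstring will not learn which values are accepted or that the default is OCSP_DATE_VALID; the docstring continues past this hunk, but as far as shown it only documents the return tuple. A line in the existing bullet style such as `* ocsp_date is one of the OCSP_DATE_* constants and selects the thisUpdate/nextUpdate window of the generated response` would close the gap. The function body also runs past the end of this hunk.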
@@ -344,6 +373,7 @@ def GenerateCertKeyAndOCSP(subject = "127.0.0.1",
elif ocsp_state == OCSP_STATE_INVALID:
ocsp_der = '3'
else:
- ocsp_der = MakeOCSPResponse(ISSUER_CN, KEY, serial, ocsp_state)
+ ocsp_der = MakeOCSPResponse(
+ ISSUER_CN, KEY, serial, ocsp_state, ocsp_date)
return (cert_pem + KEY_PEM, ocsp_der)
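Review bot: `ocsp_date` is only validated inside MakeOCSPResponse, which the new call site reaches solely from the `else` branch, so a call with OCSP_STATE_INVALID (shown here) and an unrecognised ocsp_date silently returns a response as if the date were fine rather than raising the `Bad OCSP date` ValueError. Checking the argument once at the top of GenerateCertKeyAndOCSP, before the state dispatch that starts outside this hunk, would make the contract uniform: `if ocsp_date not in (OCSP_DATE_VALID, OCSP_DATE_OLD, OCSP_DATE_YOUNG, OCSP_DATE_LONG):` followed by `raise ValueError('Bad OCSP date: ' + str(ocsp_date))`. The beginning of the `if ocsp_state` chain is not visible in this hunk, so the exact insertion point is inferred.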
