PYTHON-5775 Coverage increase for ocsp_support.py

[aclark4life]

PYTHON-5775

Changes in this PR

Adds test/test_ocsp_support.py with 58 unit tests for pymongo/ocsp_support.py:

• _get_issuer_cert() (4) — issuer found in chain, in trusted CAs, not found returns None, no candidates.
• _verify_signature() (7) — RSA / ECDSA / DSA / X25519 / X448 (skip-verify path), invalid-signature returns 0, fallback key path.
• _get_extension() (2) — extension present returns the value, missing extension returns None via ExtensionNotFound.
• _public_key_hash() (3) — RSA / EC / fallback key serialization paths.
• _get_certs_by_key_hash() / _get_certs_by_name() (4) — match, no-match, and responder-name filtering.
• _verify_response_signature() (8) — direct-issuer signing (by name and by key hash), delegated responder cert lookup (by key hash and by name), missing OCSP-signing EKU, signature verification failures.
• _verify_response() (6) — successful, unauthorized / try-later / malformed-request response statuses, GOOD / REVOKED / UNKNOWN cert statuses.
• _get_ocsp_response() (7) — request build, HTTP POST, RequestException handling, non-200 status, OCSP response parse, cache write on success.
• _ocsp_callback() (17) — must-staple enforcement, AIA-URL absent / present, cached responses, response-validation outcomes, end-to-end accept / reject paths.

External dependencies (cryptography x509/OCSP types, requests.post) are mocked via unittest.mock so no network or real certificates are required.

The module is gated with pytestmark = pytest.mark.ocsp and pytest.importorskip("cryptography") so it is excluded from the default suite and skipped when the ocsp extra is not installed.

Test Plan

uv run --extra ocsp --extra test python -m pytest test/test_ocsp_support.py -v -m ocsp

Checklist

Checklist for Author

• Did you update the changelog (if necessary)?
• Is there test coverage?
• Is any followup work tracked in a JIRA ticket? If so, add link(s).

Checklist for Reviewer

• Does the title of the PR reference a JIRA Ticket?
• Do you fully understand the implementation? (Would you be comfortable explaining how this code works to someone else?)
• Is all relevant documentation (README or docstring) updated?

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[Copilot]

Pull request overview

Adds a new unit test module to substantially increase coverage of pymongo.ocsp_support, exercising OCSP request/response building and verification logic as well as the OCSP callback behavior.

Changes:

• Introduces test/test_ocsp_support.py with extensive unit tests for pymongo.ocsp_support helper functions and callback flows.
• Adds coverage for multiple success/failure branches (signature verification, EKU handling, timestamp validation, cache behavior, and stapled vs non-stapled OCSP).

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

[sleepyStick]

I think these test failures are related to the changes you've made? Can you look into it?
ex:

[2026/04/20 17:26:06.299] ERROR: collection failure ()
[2026/04/20 17:26:06.299] ImportError while importing test module '/data/mci/eab0c9621d344811fb525a305df0a895/src/test/test_ocsp_[support.py](http://support.py/)'.
[2026/04/20 17:26:06.299] Hint: make sure your test modules/packages have valid Python names.
[2026/04/20 17:26:06.299] Traceback:
[2026/04/20 17:26:06.299] /opt/python/pypy3.11/lib/pypy3.11/importlib/__init__.py:126: in import_module
[2026/04/20 17:26:06.299]     return _bootstrap._gcd_import(name[level:], package, level)
[2026/04/20 17:26:06.299]            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[2026/04/20 17:26:06.299] test/test_ocsp_[support.py:30](http://support.py:30/): in <module>
[2026/04/20 17:26:06.299]     from cryptography.exceptions import InvalidSignature
[2026/04/20 17:26:06.299] E   ModuleNotFoundError: No module named 'cryptography'

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

[blink1073]

There is an existing test/ocsp/test_ocsp.py. Perhaps we should move that up a level and merge it with these changes. It was originally in the sub-folder when we used unittest discovery, but now that it has a pytest marker we can move it up.

[blink1073]

LGTM!