- 07 Nov, 2022 1 commit
Vincent Pelletier authored
Otherwise, this causes an IOError to be raised in _getPEMTypeDict. So move file existence check inside the loop. Also rely on isdir returning False on non-existent inputs. This may for example happen if openssl-rehash is used on these directories: caucase-updater may delete an expired CA, breaking its symlink, triggering this bug and crashing caucase-updater.
-
- 26 Oct, 2022 1 commit
Vincent Pelletier authored
Issue certificates and revocation lists a few seconds in the past of the true issuance time, to allow the client to be a bit in the past compared to the server. Otherwise, the client would receive a "not valid yet" certificate or CRL, which could crash it (ex: caucase-update). Which normally is intended (so time attacks are noticed), but in this case is counter-productive.
-
- 22 Jul, 2022 1 commit
Vincent Pelletier authored
-
- 07 Jul, 2022 11 commits
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Silence the warning about "local" not being POSIX, as many shells implement it. Resolve the other warnings, related to now-useless "x" prefixes in [ arguments.
-
Vincent Pelletier authored
This whole business of parsing openssl command output is so brittle...
-
Vincent Pelletier authored
Work around what should be a test-only issue, where versioneer produces a unicode object for the module's version (by decoding a json object, whose strings become unicode objects). Python 2.7's BaseHttpServer does not encode the response in such case, causing a test failure when writing to wfile, set to be a BytesIO object. I guess some magic encoding happens on a real socket, likely to ascii.
-
Vincent Pelletier authored
Silences pylint warnings.
-
Vincent Pelletier authored
Silences a pylint warning.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
This was indirectly satisfied by cryptography depending on ipaddress, so no functional change is expected. This is just to be pedantic.
-
- 22 Dec, 2021 4 commits
Vincent Pelletier authored
Traversal to the root makes is unreasonable. Rely on "shell" directory being a sibling of test.py's container.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Break requested sleep period into smaller chunks, to try to compensate for extended suspension periods. The chosen values seem to be a reasonable trade-off between accuracy and number of wake-ups.
-
Vincent Pelletier authored
Positional arguments are comparatively a lot harder to understand.
-
- 15 Dec, 2021 1 commit
Vincent Pelletier authored
caucase.test: Increase the caucased start timeout for test_databaseUpgradeFrom_0_9_8_{with,no}_revoked
This step needs to generate certificates, so it may reach the shorter, default timeout.
-
- 09 Nov, 2021 9 commits
Vincent Pelletier authored
-
Vincent Pelletier authored
If environment points us at a specific python interpreter, use it to run caucased, even if caucased is present reachable from PATH.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
As seen at least on cryptography 35.0.0 . Ideally this should be on a 63 or 64bits cutoff, but somehow the breakage is a lot lower. Bug reported upstream: https://github.com/pyca/cryptography/issues/6573
-
Vincent Pelletier authored
Because:
  - Non-blocking lock acquisition does not work with a context manager.
  - subprocess is not a context manager in python 2.7.
-
Boxiang Sun authored
-
Boxiang Sun authored
-
Vincent Pelletier authored
The test should not need to sanitise the environment of this test in particular (if we do not trust the environment then there would be a lot more to sanitise for the python part of the test as well), and the intent was just to add the CAUCASE_PYTHON variable so caucase.sh runs the expected python executable and not one possibly picked from PATH. So copy environment, edit the copy and pass this to the caucase.sh subprocess.
-
- 08 Nov, 2021 2 commits
Vincent Pelletier authored
-
Vincent Pelletier authored
This codebase must remain py2 compatible for some more time, so do not complain about backward-compatible code.
-
- 20 Oct, 2021 3 commits
Vincent Pelletier authored
-
Vincent Pelletier authored
Fixes cli.updater crashing when one of the locally-stored CA is expired. Also, explicitly raise when there are CAs in the local trust store but all fail loading.
-
Vincent Pelletier authored
If an unverifiable CRL is present (ex: its CA expired), then it can be ignored in the computation of the next wake-up time. Also, factorise with similar code in client.CaucaseClient.updateCRLFile .
-
- 07 Oct, 2021 4 commits
Vincent Pelletier authored
-
Vincent Pelletier authored
Preserve py2.7 compatibility. Also, make pylint happier with the result.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
- 07 Apr, 2021 3 commits
Vincent Pelletier authored
-
Vincent Pelletier authored
Otherwise, the expired CA causes an error when it is being loaded, before the time comparison. Also, CRL signed by that CA also causes an error (as its signature cannot be checked). Catch these errors so the corresponding unusable PEMs are discarded.
-
Vincent Pelletier authored
Make python3 resource leak detector happy.
-