Makes it harder for a compromised certificate to escape revocation by
renewing itself faster than it can be identified and revoked.

TODO:
- fix tests
- coverage
- maybe just refuse to renew any cert more than once, to prevent
  "lineage forks" without introducing such new deadline ? (probably not
  a good idea, losing one's certificate happens and should not cause
  such punishment)
- only enable for CAU certificates ?
- distinguish issuance tracking between renewal and user issuance ?
- auto-revoke certificates issued by renewal, but not those issued by user
  cert ?
- 10 days is way too long. above an hour it will get in the way, and
  revoking multiple should not take too long... if there was a way to
  recognise serials (cf. previous commit)

And use this tracking to to warn about surviving certificates which are
related to the one just revoked - they may need some attention too.

NOTE: While this should be correctly implemented, I think this is not
usable, and hence probably not worth the extra complexity: what can one
do when given a list of serials ? This version discards old tracking
entries, but even if it did not how is one supposed to browse these ?

4 branches depend on how tests are written, and are indeed not currently
used.
1 branch depend on test process environment.

caucase.http will be re-generating its https certificate, so it can be
slower than a normal non-initial start.

It would be the sign of a inconsistency in the dispatcher dict.
Do not transform it into a user error (404).

Not all programs support having multiple CA certificates per file, so add
support for creating and maintaining certificate directories containing
a single certificate each.

Reference machine: Raspberry Pi 1 B+.
caucased can take around 40s to start (CA generation, ...).

wsgi.input is specified to be a bytes object, not a string object.

So caucase.sh gets some regular exercise.

Otherwise, this will trigger if a test takes more than 10s to run, causing
caucased to exit prematurely, as only _stopServer triggers this event.

Also, encode/decode json in utf-8, not ascii, as per standard.

Consistently with how doBackup encodes the result of json.dumps .

Avoid repeating function name in these.

Get an auto-issued user certificate and use it to exercise an authenticated
action.

Should have been part of:
  commit 17325dc0
  Author: Vincent Pelletier <plr.vincent@gmail.com>
  Date:   Sat Jul 14 18:40:41 2018 +0900

      all: Make caucased https certificate independent from CAS.

Also, remove CURL, PUT and PUTNoOut aliases. They are replaced with
private function with a naming consistent with the rest of this script.

Is no value is provided to a return statement, the status of the last
command ran is returned, making "$?" superfluous.

If there is no return statement, shell functions return the status of the
last command they ran. So "return $?" as last function statement is
superfluous.

Simplify code a bit.
Change directory when starting caucased, so all files are stored inside
test's temporary directory (and not just the database).
Tolerate caucased not immediately starting.
Fix CA presence tests (well this is embarrassing).
List test directory content when failing, as it will get deleted shortly
after.

In shell/caucase.sh line 1134:
    trap "kill \"$caucased_pid\"; wait; rm -rf \"$tmp_dir\"" EXIT
                 ^-----------^ SC2064: Use single quotes, otherwise this expands now rather than when signalled.
                                                 ^------^ SC2064: Use single quotes, otherwise this expands now rather than when signalled.

These variables are local, so immediate expantion is expected.

Basically, wrap stdout and stderr whenever they do not have an encoding
with an ascii-encoding writer, and write unicode to stdout & stderr.
wsgi.errors is defined in the reference implementation as being a StringIO,
so follow that.
Stop using argparse.FileType to get rid of python3 "file not closed"
errors.
Also, fix setup access to CHANGES.txt .
Also, fix 2to3 involvement.
Also, replace test.captureStdout with extra tool arguments.

Make coverage tests tolerate the no-op code path where the backup ends
right on a block boundary not being exercised.

Test backup chunk boundaries.
Test absence of a backup before the first user is created.

Resolve deprecation warnings in tests:
caucase/ca.py:548: CryptographyDeprecationWarning: Extension objects are deprecated as arguments to from_issuer_subject_key_identifier and support will be removed soon. Please migrate to passing a SubjectKeyIdentifier directly.
  critical=False,
caucase/ca.py:326: CryptographyDeprecationWarning: Extension objects are deprecated as arguments to from_issuer_subject_key_identifier and support will be removed soon. Please migrate to passing a SubjectKeyIdentifier directly.
  x509.SubjectKeyIdentifier,
caucase/test.py:422: CryptographyDeprecationWarning: Extension objects are deprecated as arguments to from_issuer_subject_key_identifier and support will be removed soon. Please migrate to passing a SubjectKeyIdentifier directly.
  critical=False,

Always wait at least 60 seconds between consecutive wake-ups. Avoids
spamming server and local logs with attempts in case of temporary issues
(ex: network).

Load CRL expiration date even when it has not just been renewed.
Also, request a newer CRL before local one expires (7 days by
default).

Allowing clients to have a period of CRL validity overlap.

Rerun with updated nxd-relicense. This actually changes license text in
every file.

Before:

	W: caucase/__init__.py: cannot find license start
	W: caucase/_version.py: no copyright
	W: caucase/ca.py: cannot find license start
	W: caucase/cli.py: cannot find license start
	W: caucase/client.py: cannot find license start
	W: caucase/exceptions.py: cannot find license start
	W: caucase/http.py: cannot find license start
	W: caucase/http_wsgibase.py: cannot find license start
	W: caucase/storage.py: cannot find license start
	W: caucase/test.py: cannot find license start
	W: caucase/utils.py: cannot find license start
	W: caucase/version.py: cannot find license start
	W: caucase/wsgi.py: cannot find license start
	W: setup.py: cannot find license start
	W: shell/caucase.sh: cannot find license start
	W: versioneer.py: no copyright

After:

	W: caucase/_version.py: no copyright
	W: versioneer.py: no copyright