wbond / certvalidator

Python library for validating X.509 certificates and paths
MIT License

Fetching OCSP responses may result in TypeError #16

Open atmenta opened 4 years ago

atmenta commented 4 years ago

First of all, thank you for certvalidator! It makes an important task easy to complete in Python. :thumbsup:

While I was experimenting with certificate revocation status checking I ran into some issues. I'll create separate GitHub issues for those.


When certvalidator tries to fetch OCSP responses, but the certificate to be validated does not contain any reference to OCSP responders, TypeError is raised:

TypeError: exceptions must derive from BaseException

The root of that error is that cert.ocsp_urls returns an empty list, so at the end of the following code block None is raised:

https://github.com/wbond/certvalidator/blob/5bc5c390c1955195507c23db91b8926bb03f7385/certvalidator/ocsp_client.py#L89-L109

The cert.ocsp_urls == [] case could be handled here (for safety) e.g. by raising an appropriate error, but in that case ocsp_client.fetch probably shouldn't be called at all, since it cannot return any meaningful result.
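The following stand-alone Python example reproduces the failure pattern described above and shows both fixes the report suggests. It is an added illustration, not certvalidator's own code: the names fetch_buggy, fetch_fixed, retrieve_ocsps, OCSPFetchError and the fetcher callable (a constructed stand-in for the HTTP request to a responder) are assumptions made for this example, and the "DER" bytes it returns are constructed placeholders, so nothing here touches the network.

```python
"""Reproduce and harden the raise-last_e pattern from the issue.

Added example, not certvalidator's code. The helper names (fetch_buggy,
fetch_fixed, retrieve_ocsps, OCSPFetchError) and the `fetcher` callable
standing in for a real HTTP POST to an OCSP responder are assumptions.
"""


class OCSPFetchError(Exception):
    """Raised when no OCSP response could be obtained for a certificate."""


def fetch_buggy(ocsp_urls, fetcher):
    """Mirror the failure pattern described in the issue.

    Each URL is tried in turn; the last network error is remembered and
    re-raised if every responder failed. If `ocsp_urls` is empty the loop
    body never runs, `last_e` is still None, and `raise None` produces
    TypeError("exceptions must derive from BaseException").
    """
    last_e = None
    for url in ocsp_urls:
        try:
            return fetcher(url)
        except OSError as e:  # network-level failure talking to that responder
            last_e = e
    raise last_e


def fetch_fixed(ocsp_urls, fetcher):
    """Same loop, with the empty-list case handled explicitly."""
    if not ocsp_urls:
        raise OCSPFetchError("certificate lists no OCSP responder URLs")
    last_e = None
    for url in ocsp_urls:
        try:
            return fetcher(url)
        except OSError as e:
            last_e = e
    # Chain the last network error so the root cause survives in the traceback.
    raise OCSPFetchError("all %d OCSP responders failed" % len(ocsp_urls)) from last_e


def retrieve_ocsps(ocsp_urls, fetcher):
    """Caller-side guard: do not call fetch at all when there is nothing to query.

    Returns a list of responses (possibly empty) so the validator can apply its
    revocation policy (e.g. fall back to CRLs) instead of crashing.
    """
    if not ocsp_urls:
        return []
    return [fetch_fixed(ocsp_urls, fetcher)]


def classify(fn, ocsp_urls, fetcher):
    """Run fn and report the name of the exception that escapes (None on success)."""
    try:
        fn(ocsp_urls, fetcher)
    except Exception as e:
        return type(e).__name__
    return None


def fake_fetcher(url):
    """Constructed stand-in for the network call: URLs containing "down" fail."""
    if "down" in url:
        raise OSError("connection refused: %s" % url)
    return b"\x30\x03\x0a\x01\x00"  # constructed bytes, not a real DER OCSP response


if __name__ == "__main__":
    print(classify(fetch_buggy, [], fake_fetcher))                       # TypeError
    print(classify(fetch_fixed, [], fake_fetcher))                       # OCSPFetchError
    print(classify(fetch_fixed, ["http://down.example"], fake_fetcher))  # OCSPFetchError
    print(retrieve_ocsps([], fake_fetcher))                              # []
    print(retrieve_ocsps(["http://down.example", "http://ocsp.example"], fake_fetcher))
```

The two guards serve different purposes: the check inside fetch turns a confusing TypeError into a descriptive error if anyone calls it directly, while the caller-side check keeps a certificate without an Authority Information Access OCSP entry from being treated as a fetch failure at all. Which of those the validator then treats as fatal is a policy decision for the caller's revocation mode, not something the fetch routine should decide.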

wbond commented 4 years ago

TypeError: exceptions must derive from BaseException

Could you please provide a backtrace and the version of python you are using?

atmenta commented 4 years ago

Could you please provide a backtrace and the version of python you are using?

Thank you @wbond for the prompt response! Here are the answers:

$ python -V
Python 3.5.3

(Note: raise None results in the same error when Python 3.7.4 is used.)

Traceback (most recent call last):
  ...
  File "/path/to/client_certificate_validator.py", line 82, in validate
    validation_path = validator.validate_usage(key_usage)
  File "/path/to/certvalidator/certvalidator/__init__.py", line 193, in validate_usage
    self._validate_path()
  File "/path/to/certvalidator/certvalidator/__init__.py", line 121, in _validate_path
    validate_path(self._context, candidate_path)
  File "/path/to/certvalidator/certvalidator/validate.py", line 50, in validate_path
    return _validate_path(validation_context, path)
  File "/path/to/certvalidator/certvalidator/validate.py", line 387, in _validate_path
    end_entity_name_override=end_entity_name_override
  File "/path/to/certvalidator/certvalidator/validate.py", line 898, in verify_ocsp_response
    ocsp_responses = validation_context.retrieve_ocsps(cert, issuer)
  File "/path/to/certvalidator/certvalidator/context.py", line 505, in retrieve_ocsps
    **self._ocsp_fetch_params
  File "/path/to/certvalidator/certvalidator/ocsp_client.py", line 117, in fetch
    raise last_e
TypeError: exceptions must derive from BaseException