Open atmenta opened 4 years ago
TypeError: exceptions must derive from BaseException
Could you please provide a backtrace and the version of python you are using?
Thank you @wbond for the prompt response! Here are the answers:
```
$ python -V
Python 3.5.3
```
(Note: `raise None` results in the same error when Python 3.7.4 is used.)
```
Traceback (most recent call last):
  ...
  File "/path/to/client_certificate_validator.py", line 82, in validate
    validation_path = validator.validate_usage(key_usage)
  File "/path/to/certvalidator/certvalidator/__init__.py", line 193, in validate_usage
    self._validate_path()
  File "/path/to/certvalidator/certvalidator/__init__.py", line 121, in _validate_path
    validate_path(self._context, candidate_path)
  File "/path/to/certvalidator/certvalidator/validate.py", line 50, in validate_path
    return _validate_path(validation_context, path)
  File "/path/to/certvalidator/certvalidator/validate.py", line 387, in _validate_path
    end_entity_name_override=end_entity_name_override
  File "/path/to/certvalidator/certvalidator/validate.py", line 898, in verify_ocsp_response
    ocsp_responses = validation_context.retrieve_ocsps(cert, issuer)
  File "/path/to/certvalidator/certvalidator/context.py", line 505, in retrieve_ocsps
    **self._ocsp_fetch_params
  File "/path/to/certvalidator/certvalidator/ocsp_client.py", line 117, in fetch
    raise last_e
TypeError: exceptions must derive from BaseException
```
First of all, thank you for certvalidator! It makes an important task easy to complete in Python. :thumbsup:
While I was experimenting with certificate revocation status checking I ran into some issues. I'll create separate GitHub issues for those.
When certvalidator tries to fetch OCSP responses, but the certificate to be validated does not contain any reference to OCSP responders, `TypeError` is raised:

The root of that error is that `cert.ocsp_urls` returns an empty list, so at the end of the following code block `None` is raised:

https://github.com/wbond/certvalidator/blob/5bc5c390c1955195507c23db91b8926bb03f7385/certvalidator/ocsp_client.py#L89-L109

The `cert.ocsp_urls == []` case could be handled here (for safety) e.g. by raising an appropriate error, but in that case `ocsp_client.fetch` probably shouldn't be called at all, since it can not return any meaningful result.
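
A minimal reproduction of the failure mode described in this issue, next to the two handling options it mentions (an added example, not certvalidator's code). The names `fetch_unguarded`, `fetch_guarded`, `retrieve_sketch`, `NoResponderError` and `fake_request` are hypothetical, and the URLs are constructed.

```python
class NoResponderError(Exception):
    """Hypothetical error for a certificate that lists no OCSP responder."""


def fetch_unguarded(ocsp_urls, request):
    # Retry loop in the shape the issue describes: keep the last error, raise it.
    last_e = None
    for url in ocsp_urls:
        try:
            return request(url)
        except OSError as e:
            last_e = e
    # With ocsp_urls == [] the loop body never ran, so this is `raise None`.
    raise last_e


def fetch_guarded(ocsp_urls, request):
    # Option 1 from the issue: reject the empty list with an explicit error.
    if not ocsp_urls:
        raise NoResponderError("certificate lists no OCSP responder URLs")
    return fetch_unguarded(ocsp_urls, request)


def retrieve_sketch(ocsp_urls, request):
    # Option 2 from the issue: the caller does not call fetch at all.
    if not ocsp_urls:
        return []
    return [fetch_guarded(ocsp_urls, request)]


def outcome(fetch, ocsp_urls, request):
    # Report what a caller would observe: a result or the exception type.
    try:
        return ("ok", fetch(ocsp_urls, request))
    except Exception as e:
        return (type(e).__name__, str(e))


def fake_request(url):
    # Constructed stand-in for the HTTP request to a responder.
    if url.endswith("/down"):
        raise OSError("connection refused")
    return b"constructed-ocsp-response"


if __name__ == "__main__":
    urls = ["http://ocsp.example/down", "http://ocsp.example/ok"]
    for fn in (fetch_unguarded, fetch_guarded, retrieve_sketch):
        print(fn.__name__, outcome(fn, [], fake_request), outcome(fn, urls, fake_request))
```

With the unguarded loop, a caller that handles revocation-fetch errors by exception type sees an unrelated `TypeError` instead of a statement that no responder was available.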