wbond
commented
4 years ago I do believe the wording in the comment is incorrect - there should be no "also".
It's been a while since I've worked on this project, so I don't have everything off of the top of my head. That said, if allow fetching was True, and the fetch failed, but there was a cached CRL, I would probably expect it to use the cached CRL. Which I don't believe it currently does. It appears to only used the cached CRL/OCSP info when fetching is disabled.
atmenta
The docstring of
context.ValidationContextstates that if the value of theallow_fetchingparameter isTrue"and certificates contain the location of a CRL or OCSP responder, an HTTP request will be made to obtain information for revocation checking". The word "allow" seems to indicate that this HTTP request is merely an additional way of obtaining information about revocation status. Moreover, also the following comment (especially the word "also") suggests that CRL or OCSP data requested via HTTP are not the only source of revocation status information ifallow_fetchingisTrue:https://github.com/wbond/certvalidator/blob/5bc5c390c1955195507c23db91b8926bb03f7385/certvalidator/context.py#L87-L90
The docstring of the
crlsandocspsparameters explain that pre-fetched/cached CRL and/or OCSP data can be passed toValidationContext.Putting all together, it seems that setting the
allow_fetchingparameter toTruemay result in fetching CRL or OCSP data in addition to checking pre-fetched/cached data.Contrary to this expectation, if
ValidationContext._allow_fetchingisTrue, pre-fetched/cached CRL and OCSP data (passed by thecrlsandocspsparameters) are completely ignored. (See thecrlsandocspsproperties and theretrieve_crlsandretrieve_ocspsmethods ofValidationContext.) If that is the intended behavior, it should be clarified in the documentation. Otherwise - and I would except this more intuitive - the two sources of revocation information should be merged when this is appropriate.