When someone tries to catch and distinguish those exceptions, it's important to know that both RevokedError and InvalidCertificateError are subclasses of PathValidationError. If exceptions are attempted to be caught in the order the API documentation lists them, RevokedError and InvalidCertificateError will never be caught:
```python
from certvalidator.errors import PathValidationError, RevokedError, InvalidCertificateError

try:
    validation_path = validator.validate_usage(key_usage)
except PathValidationError as ex:
    # handle PathValidationError
    # This will catch RevokedError and InvalidCertificateError too!
    pass
except RevokedError as ex:
    # control is never passed here!
    pass
except InvalidCertificateError as ex:
    # control is never passed here!
    pass
```
On the other hand, those exceptions can be properly handled if PathValidationError is the last to be caught:
```python
from certvalidator.errors import PathValidationError, RevokedError, InvalidCertificateError

try:
    validation_path = validator.validate_usage(key_usage)
except RevokedError as ex:
    # handle RevokedError
    pass
except InvalidCertificateError as ex:
    # handle InvalidCertificateError
    pass
except PathValidationError as ex:
    # handle PathValidationError
    pass
```
I suggest modifying the API documentation to clarify subclassing of those exceptions and list them in a more appropriate order.
The API documentation of validate.validate_usage and validate.validate_tls lists the following exceptions: https://github.com/wbond/certvalidator/blob/5bc5c390c1955195507c23db91b8926bb03f7385/docs/api.md#L91-L94
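As an added example (not part of the original issue and not certvalidator's own code), the following static check flags `except` clauses that can never run because an earlier clause already catches a superclass. The `PARENTS` map encodes only the two subclass relations stated above; the function names and the `BAD`/`GOOD` sample sources are constructed for illustration.

```python
import ast

# Assumption: child -> parent relations, limited to those stated in the issue.
PARENTS = {
    "RevokedError": "PathValidationError",
    "InvalidCertificateError": "PathValidationError",
}

def ancestors(name, parents=PARENTS):
    """Yield the class name itself, then each known superclass."""
    while name is not None:
        yield name
        name = parents.get(name)

def handler_names(handler):
    """Names caught by one except clause (plain, dotted or tuple form)."""
    if handler.type is None:  # bare "except:"
        return ["BaseException"]
    t = handler.type
    elts = t.elts if isinstance(t, ast.Tuple) else [t]
    return [e.id if isinstance(e, ast.Name) else e.attr
            for e in elts if isinstance(e, (ast.Name, ast.Attribute))]

def shadowed_handlers(source, parents=PARENTS):
    """Return sorted (lineno, exception, shadowed_by) for unreachable clauses."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Try):
            continue
        seen = set()  # names caught by earlier clauses of this try
        for h in node.handlers:
            names = handler_names(h)
            for name in names:
                hit = next((a for a in ancestors(name, parents) if a in seen), None)
                if hit:
                    findings.append((h.lineno, name, hit))
            seen.update(names)
    return sorted(findings)

# Constructed samples mirroring the two orderings shown in the issue.
BODY = "try:\n    validation_path = validator.validate_usage(key_usage)\n"
CLAUSE = "except {} as ex:\n    pass\n"
BAD = BODY + "".join(CLAUSE.format(n) for n in
                     ("PathValidationError", "RevokedError", "InvalidCertificateError"))
GOOD = BODY + "".join(CLAUSE.format(n) for n in
                      ("RevokedError", "InvalidCertificateError", "PathValidationError"))

if __name__ == "__main__":
    for line, exc, parent in shadowed_handlers(BAD):
        print(f"line {line}: except {exc} is unreachable (shadowed by {parent})")
```

The check only reads source text, so it can run in CI without certvalidator installed; a revocation handler that is silently shadowed is the case it is meant to surface.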