wbond / certvalidator

Python library for validating X.509 certificates and paths
MIT License

Listing of subclassed validation related exceptions is misleading #22

Open atmenta opened 4 years ago

atmenta commented 4 years ago

The API documentation of validate.validate_usage and validate.validate_tls lists the following exceptions:

https://github.com/wbond/certvalidator/blob/5bc5c390c1955195507c23db91b8926bb03f7385/docs/api.md#L91-L94

When someone tries to catch and distinguish those exceptions, it's important to know that both RevokedError and InvalidCertificateError are subclasses of PathValidationError. If exceptions are attempted to be caught in the order the API documentation lists them, RevokedError and InvalidCertificateError will never be caught:

try:
    validation_path = validator.validate_usage(key_usage)
except PathValidationError as ex:
    # handle PathValidationError
    # This will catch RevokedError and InvalidCertificateError too!
    pass
except RevokedError as ex:
    # control is never passed here!
    pass
except InvalidCertificateError as ex:
    # control is never passed here!
    pass

On the other hand, those exceptions can be properly handled if PathValidationError is the last to be caught:

try:
    validation_path = validator.validate_usage(key_usage)
except RevokedError as ex:
    # handle RevokedError
    pass
except InvalidCertificateError as ex:
    # handle InvalidCertificateError
    pass
except PathValidationError as ex:
    # handle PathValidationError
    pass

I suggest modifying the API documentation to clarify subclassing of those exceptions and list them in a more appropriate order.
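
An added example, not part of the issue or of certvalidator's own code: a small AST check that flags except clauses made unreachable by an earlier base-class clause, run over the two handler orders discussed above. The exception classes are stand-ins that mirror the hierarchy the issue describes, and `unreachable_handlers`, `_names` and `_try_block` are hypothetical helper names; the check goes slightly beyond the issue by also resolving tuple clauses and dotted names.

```python
import ast

# Stand-ins mirroring the hierarchy described in the issue (assumption: with the
# library installed these would be imported from certvalidator.errors instead).
class PathValidationError(Exception): pass
class RevokedError(PathValidationError): pass
class InvalidCertificateError(PathValidationError): pass

KNOWN = {c.__name__: c for c in (PathValidationError, RevokedError, InvalidCertificateError)}

def _names(node):
    """Exception names in an except clause: Name, dotted Attribute, or tuple."""
    if isinstance(node, ast.Tuple):
        return [n for elt in node.elts for n in _names(elt)]
    if isinstance(node, ast.Name):
        return [node.id]
    if isinstance(node, ast.Attribute):
        return [node.attr]
    return []  # bare `except:` or an expression this sketch does not resolve

def unreachable_handlers(source, known=KNOWN):
    """Return (shadowed, shadowed_by, lineno) for except clauses that can never
    run because an earlier clause of the same try catches a base class."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Try):
            continue
        earlier = []  # classes caught by preceding clauses, in order
        for handler in node.handlers:
            classes = [known[n] for n in _names(handler.type) if n in known]
            for cls in classes:
                base = next((e for e in earlier if issubclass(cls, e)), None)
                if base is not None:
                    findings.append((cls.__name__, base.__name__, handler.lineno))
            earlier.extend(classes)
    return findings

def _try_block(*order):
    """Constructed input: a try block with handlers in the given order (parsed, never run)."""
    head = "try:\n    validator.validate_usage(key_usage)\n"
    return head + "".join(f"except {name}: pass\n" for name in order)

DOC_ORDER = _try_block("PathValidationError", "RevokedError", "InvalidCertificateError")
FIXED_ORDER = _try_block("RevokedError", "InvalidCertificateError", "PathValidationError")

if __name__ == "__main__":
    print(unreachable_handlers(DOC_ORDER))    # two shadowed handlers
    print(unreachable_handlers(FIXED_ORDER))  # none
```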