wbond / certvalidator

Python library for validating X.509 certificates and paths
MIT License

'Void' object has no attribute 'human_friendly' #37

Open chrisdlangton opened 2 years ago

chrisdlangton commented 2 years ago

When run on revoked.badssl.com

    ctx = ValidationContext(allow_fetching=True, revocation_mode='hard-fail', weak_hash_algos=set(["md2", "md5", "sha1"]))
    validator = CertificateValidator(pem, validation_context=ctx, intermediate_certs=intermediate_certs)
    validator.validate_usage(
        key_usage=set(validator_key_usage),
        extended_key_usage=set(validator_extended_key_usage),
    )

full self-enclosed test:

    from socket import socket, AF_INET, SOCK_STREAM
    from certvalidator import CertificateValidator, ValidationContext
    import idna
    from OpenSSL import SSL
    from OpenSSL.crypto import dump_certificate, FILETYPE_PEM

    host = 'revoked.badssl.com'

    # TLS connection used only to fetch the certificates; validation is left to certvalidator below
    ctx = SSL.Context(method=SSL.TLSv1_2_METHOD)
    ctx.check_hostname = False
    ctx.verify_mode = SSL.VERIFY_NONE
    conn = SSL.Connection(ctx, socket(AF_INET, SOCK_STREAM))
    conn.connect((host, 443))
    conn.settimeout(3)
    conn.set_tlsext_host_name(idna.encode(host))
    conn.setblocking(1)
    conn.do_handshake()

    # Leaf certificate plus the chain presented by the server, as PEM
    x509 = conn.get_peer_certificate()
    intermediate_certs = []
    for cert in conn.get_peer_cert_chain():
        intermediate_certs.append(dump_certificate(FILETYPE_PEM, cert))
    conn.close()
    pem = dump_certificate(FILETYPE_PEM, x509)

    # Validate with hard-fail revocation checking (fetches OCSP/CRL data)
    ctx = ValidationContext(allow_fetching=True, revocation_mode='hard-fail', weak_hash_algos=set(["md2", "md5", "sha1"]))
    validator = CertificateValidator(pem, validation_context=ctx, intermediate_certs=intermediate_certs)
    validator.validate_usage(
        key_usage=set(['digital_signature', 'key_encipherment']),
        extended_key_usage=set(['server_auth']),
    )

full trace

    Traceback (most recent call last):
      File "<redacted>/src/main.py", line 39, in <module>
        validator.validate_usage(
      File "<redacted>/.venv/lib/python3.9/site-packages/certvalidator/__init__.py", line 193, in validate_usage
        self._validate_path()
      File "<redacted>/.venv/lib/python3.9/site-packages/certvalidator/__init__.py", line 121, in _validate_path
        validate_path(self._context, candidate_path)
      File "<redacted>/.venv/lib/python3.9/site-packages/certvalidator/validate.py", line 50, in validate_path
        return _validate_path(validation_context, path)
      File "<redacted>/.venv/lib/python3.9/site-packages/certvalidator/validate.py", line 376, in _validate_path
        verify_ocsp_response(
      File "<redacted>/.venv/lib/python3.9/site-packages/certvalidator/validate.py", line 1101, in verify_ocsp_response
        reason = revocation_info['revocation_reason'].human_friendly
    AttributeError: 'Void' object has no attribute 'human_friendly'

Via pip certvalidator==0.11.1

**Expected**

Your docs explain I should see RevokedError, not AttributeError, which seems more about a source code bug within CertificateValidator than an actual error related to OCSP revocation.

You may want to do some testing against badssl.com if you don't have something better.
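The `Void` in the traceback above is how asn1crypto represents an optional field that is absent: RFC 6960 defines `revocationReason` in `RevokedInfo` as OPTIONAL, so a revoked status can arrive with a time and no reason. The following is an added example, not code from certvalidator or from the issue author; it parses the `revoked` element with the standard library only and treats the missing reason as a normal case. The byte strings are constructed sample data and every function name is hypothetical.

```python
from datetime import datetime, timezone

# CRLReason codes from RFC 5280 section 5.3.1 (7 is unassigned)
CRL_REASONS = {0: "unspecified", 1: "key_compromise", 2: "ca_compromise",
               3: "affiliation_changed", 4: "superseded",
               5: "cessation_of_operation", 6: "certificate_hold",
               8: "remove_from_crl", 9: "privilege_withdrawn", 10: "aa_compromise"}

# Constructed sample data: CertStatus 'revoked' ([1] IMPLICIT RevokedInfo)
_TIME = b"\x18\x0f" + b"20211027153000Z"                      # GeneralizedTime
WITHOUT_REASON = b"\xa1\x11" + _TIME                           # reason omitted
WITH_REASON = b"\xa1\x16" + _TIME + b"\xa0\x03\x0a\x01\x01"    # [0] EXPLICIT ENUMERATED 1

def _tlv(buf, pos):
    """Read one DER TLV with a short-form length; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in RevokedInfo")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos + 2:end], end

def parse_revoked_info(der):
    """Return (revocation_time, reason); reason is None when absent or unrecognised."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0xA1:
        raise ValueError("not a 'revoked' CertStatus")
    tag, raw_time, pos = _tlv(body, 0)
    if tag != 0x18:
        raise ValueError("expected GeneralizedTime")
    when = datetime.strptime(raw_time.decode("ascii"), "%Y%m%d%H%M%SZ")
    when = when.replace(tzinfo=timezone.utc)
    reason = None
    if pos < len(body):                      # optional revocationReason present
        tag, wrapped, _ = _tlv(body, pos)
        inner_tag, value, _ = _tlv(wrapped, 0)
        if tag != 0xA0 or inner_tag != 0x0A:
            raise ValueError("malformed revocationReason")
        reason = CRL_REASONS.get(int.from_bytes(value, "big"))
    return when, reason

def describe(der):
    """Build the human-readable text without assuming a reason exists."""
    when, reason = parse_revoked_info(der)
    label = reason.replace("_", " ") if reason else "no reason given"
    return f"revoked at {when:%Y-%m-%d %H:%M:%S} UTC ({label})"
```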