Hi,
I try to validate the chain and usage of a certificate. The CA provides a CRL distribution point using HTTP and another one using LDAP. The latter triggers an undocumented exception in certvalidator.validate_usage()
Traceback (most recent call last):
File "./check_wpa_eapol.py", line 314, in main
cert_file.file_name, hostname=realm, verbose=args.verbose
File "./check_wpa_eapol.py", line 152, in validate_certificate_chain
validator.validate_usage(set(usage))
File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/__init__.py", line 193, in validate_usage
self._validate_path()
File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/__init__.py", line 121, in _validate_path
validate_path(self._context, candidate_path)
File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/validate.py", line 50, in validate_path
return _validate_path(validation_context, path)
File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/validate.py", line 407, in _validate_path
end_entity_name_override=end_entity_name_override
File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/validate.py", line 1211, in verify_crl
certificate_lists = validation_context.retrieve_crls(cert)
File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/context.py", line 452, in retrieve_crls
**self._crl_fetch_params
File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/crl_client.py", line 59, in fetch
output.append(_grab_crl(user_agent, url, timeout))
File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/crl_client.py", line 86, in _grab_crl
response = urlopen(request, None, timeout)
File "/usr/lib64/python3.6/urllib/request.py", line 223, in urlopen
return opener.open(url, data, timeout)
File "/usr/lib64/python3.6/urllib/request.py", line 526, in open
response = self._open(req, data)
File "/usr/lib64/python3.6/urllib/request.py", line 549, in _open
'unknown_open', req)
File "/usr/lib64/python3.6/urllib/request.py", line 504, in _call_chain
result = func(*args)
File "/usr/lib64/python3.6/urllib/request.py", line 1419, in unknown_open
raise URLError('unknown url type: %s' % type)
urllib.error.URLError: <urlopen error unknown url type: ldap>
I'm unsure how to handle this case. Just ignore the LDAP CRL? Issue a warning?
Code
Extension
<Extension(oid=<ObjectIdentifier(oid=2.5.29.31, name=cRLDistributionPoints)>, critical=False, value=<CRLDistributionPoints([<DistributionPoint(full_name=[<UniformResourceIdentifier(value='http://crl.swisssign.net/3C9E527903636F4F9C811BD328700C245AEAA587')>], relative_name=None, reasons=None, crl_issuer=None)>, <DistributionPoint(full_name=[<UniformResourceIdentifier(value='ldap://directory.swisssign.net/CN=3C9E527903636F4F9C811BD328700C245AEAA587%2CO=SwissSign%2CC=CH?certificateRevocationList?base?objectClass=cRLDistributionPoint')>], relative_name=None, reasons=None, crl_issuer=None)>])>)>
Workaround
Initialize validator with
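One way to answer the "ignore or warn?" question from the issue, as an added example that is not code from the issue or from the certvalidator project: partition the distribution point URLs by scheme before any fetching happens, fetch only the http(s) ones, warn about the rest, and treat "no CRL obtained at all" as an explicit unknown-revocation state instead of a silent pass. The two URLs are the ones shown in the extension above; the `fetch` callable is injected so the block runs offline. Feeding the result into certvalidator is described below in prose, since the keyword names there are from memory and should be checked against the installed version.

```python
"""Filter CRL distribution points by URL scheme before fetching.

Added example for the certvalidator ldap:// issue; not project code.
"""
import logging
from urllib.parse import urlsplit

log = logging.getLogger("crl_filter")

# Schemes that urllib.request.urlopen (used by certvalidator's crl_client)
# can actually open. ldap:// is not among them, hence the URLError above.
FETCHABLE_SCHEMES = frozenset({"http", "https"})

# The two distribution points from the cRLDistributionPoints extension in the issue.
SAMPLE_CRL_URLS = [
    "http://crl.swisssign.net/3C9E527903636F4F9C811BD328700C245AEAA587",
    "ldap://directory.swisssign.net/CN=3C9E527903636F4F9C811BD328700C245AEAA587"
    "%2CO=SwissSign%2CC=CH?certificateRevocationList?base?objectClass=cRLDistributionPoint",
]


def partition_crl_urls(urls):
    """Split distribution point URLs into (fetchable, skipped).

    A URL is fetchable only when its scheme is one urllib can open; anything
    else (ldap://, file://, malformed strings) is skipped and logged so the
    omission is visible rather than silent.
    """
    fetchable, skipped = [], []
    for url in urls:
        scheme = urlsplit(url).scheme.lower()
        if scheme in FETCHABLE_SCHEMES:
            fetchable.append(url)
        else:
            log.warning("skipping CRL distribution point with unsupported scheme %r: %s", scheme, url)
            skipped.append(url)
    return fetchable, skipped


def collect_crls(urls, fetch):
    """Fetch every fetchable CRL through the injected ``fetch(url) -> bytes``.

    Returns (crl_blobs, skipped_urls). urllib.error.URLError is a subclass of
    OSError, so network failures, timeouts and HTTP errors all land in the
    same branch and are reported rather than propagated as a bare traceback.
    """
    fetchable, skipped = partition_crl_urls(urls)
    blobs = []
    for url in fetchable:
        try:
            blobs.append(fetch(url))
        except OSError as exc:
            log.warning("could not fetch CRL from %s: %s", url, exc)
            skipped.append(url)
    return blobs, skipped


def revocation_status_known(crl_blobs):
    """True when at least one CRL was obtained.

    If this is False the certificate's revocation status is unknown; the
    caller must choose soft-fail (warn and continue) or hard-fail explicitly
    instead of proceeding as though a check had been performed.
    """
    return bool(crl_blobs)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)

    def fake_fetch(url):
        # Stand-in for a real HTTP fetch; returns constructed bytes offline.
        return b"DER-CRL-for:" + url.encode()

    blobs, skipped = collect_crls(SAMPLE_CRL_URLS, fake_fetch)
    print("fetched:", len(blobs), "skipped:", skipped)
    print("revocation status known:", revocation_status_known(blobs))
```

With a real fetcher in place of `fake_fetch`, the collected DER blobs can be handed to certvalidator up front (as I recall the API: `ValidationContext(crls=blobs, allow_fetching=False, ...)`), so the library never attempts the ldap:// URL itself; the URLs themselves can be read from the certificate with asn1crypto's `cert.crl_distribution_points` and each distribution point's `.url`. If `revocation_status_known()` returns False, the decision between `revocation_mode='soft-fail'` (warn) and a hard failure is made deliberately by the caller, which is the choice the issue is asking about.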