wbond / certvalidator

Python library for validating X.509 certificates and paths
MIT License

validate_usage: Exception on LDAP CRL URLs #41

Open bbczeuz opened 2 years ago

bbczeuz commented 2 years ago

Hi, I am trying to validate the chain and usage of a certificate. The CA provides a CRL distribution point using HTTP and another one using LDAP. The latter triggers an undocumented exception in certvalidator.validate_usage().

Code

        from certvalidator import CertificateValidator, ValidationContext

        # end_entity_cert and intermediates are loaded from the PEM/DER files elsewhere
        usage = ["digital_signature", "key_encipherment"]
        validation_context = ValidationContext(
            allow_fetching=True, revocation_mode="hard-fail"
        )
        validator = CertificateValidator(
            end_entity_cert, intermediates, validation_context
        )
        validator.validate_usage(set(usage))

Extension

<Extension(oid=<ObjectIdentifier(oid=2.5.29.31, name=cRLDistributionPoints)>, critical=False, value=<CRLDistributionPoints([<DistributionPoint(full_name=[<UniformResourceIdentifier(value='http://crl.swisssign.net/3C9E527903636F4F9C811BD328700C245AEAA587')>], relative_name=None, reasons=None, crl_issuer=None)>, <DistributionPoint(full_name=[<UniformResourceIdentifier(value='ldap://directory.swisssign.net/CN=3C9E527903636F4F9C811BD328700C245AEAA587%2CO=SwissSign%2CC=CH?certificateRevocationList?base?objectClass=cRLDistributionPoint')>], relative_name=None, reasons=None, crl_issuer=None)>])>)>

Traceback

Traceback (most recent call last):
  File "./check_wpa_eapol.py", line 314, in main
    cert_file.file_name, hostname=realm, verbose=args.verbose
  File "./check_wpa_eapol.py", line 152, in validate_certificate_chain
    validator.validate_usage(set(usage))
  File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/__init__.py", line 193, in validate_usage
    self._validate_path()
  File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/__init__.py", line 121, in _validate_path
    validate_path(self._context, candidate_path)
  File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/validate.py", line 50, in validate_path
    return _validate_path(validation_context, path)
  File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/validate.py", line 407, in _validate_path
    end_entity_name_override=end_entity_name_override
  File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/validate.py", line 1211, in verify_crl
    certificate_lists = validation_context.retrieve_crls(cert)
  File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/context.py", line 452, in retrieve_crls
    **self._crl_fetch_params
  File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/crl_client.py", line 59, in fetch
    output.append(_grab_crl(user_agent, url, timeout))
  File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/crl_client.py", line 86, in _grab_crl
    response = urlopen(request, None, timeout)
  File "/usr/lib64/python3.6/urllib/request.py", line 223, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib64/python3.6/urllib/request.py", line 526, in open
    response = self._open(req, data)
  File "/usr/lib64/python3.6/urllib/request.py", line 549, in _open
    'unknown_open', req)
  File "/usr/lib64/python3.6/urllib/request.py", line 504, in _call_chain
    result = func(*args)
  File "/usr/lib64/python3.6/urllib/request.py", line 1419, in unknown_open
    raise URLError('unknown url type: %s' % type)
urllib.error.URLError: <urlopen error unknown url type: ldap>

I'm unsure on how to handle this case. Just ignore the LDAP CRL? Issue a warning?

Workaround

Initialize validator with

        validation_context = ValidationContext(
            allow_fetching=False, revocation_mode="soft-fail"
        )
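One way to keep hard-fail revocation checking while avoiding the urlopen crash on the LDAP distribution point, as an added example that is not certvalidator's own code: filter the distribution point URLs by scheme before fetching, record why each skipped URL was not consulted, and treat "no fetchable URL at all" as an error in hard-fail mode. The function and constant names are assumptions; the sample URLs are constructed from the extension shown above.

```python
# Added example, not certvalidator's own code: filter CRL distribution point
# URLs by scheme so an ldap:// entry like the one in this issue is skipped with
# a clear reason instead of reaching urllib's unknown_open().
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Schemes urllib.request can actually open for a CRL download.
FETCHABLE_SCHEMES = {"http", "https"}

# Constructed from the cRLDistributionPoints extension shown in the issue.
SAMPLE_CRL_URLS = [
    "http://crl.swisssign.net/3C9E527903636F4F9C811BD328700C245AEAA587",
    "ldap://directory.swisssign.net/CN=3C9E527903636F4F9C811BD328700C245AEAA587"
    "%2CO=SwissSign%2CC=CH?certificateRevocationList?base?objectClass=cRLDistributionPoint",
]


def partition_crl_urls(urls):
    """Split URLs into (fetchable, skipped); skipped holds (url, reason) pairs
    so the caller can log why a distribution point was not consulted."""
    fetchable, skipped = [], []
    for url in urls:
        scheme = urlparse(url).scheme.lower()
        if scheme in FETCHABLE_SCHEMES:
            fetchable.append(url)
        else:
            skipped.append((url, "unsupported CRL URL scheme: %s" % (scheme or "<none>")))
    return fetchable, skipped


def http_fetch(url, timeout=10, user_agent="crl-example/0.1"):
    """Download one CRL over HTTP(S); only ever called with a fetchable URL."""
    request = Request(url, headers={"User-Agent": user_agent})
    with urlopen(request, timeout=timeout) as response:
        return response.read()


def fetch_crls(urls, revocation_mode="hard-fail", fetcher=http_fetch):
    """Fetch every fetchable CRL; returns (list of CRL bytes, skipped).

    In hard-fail mode a certificate whose only distribution points use
    unsupported schemes cannot be checked, so that is reported as an error
    instead of as 'no revocation data'. fetcher is injectable for offline tests.
    """
    fetchable, skipped = partition_crl_urls(urls)
    if not fetchable and skipped and revocation_mode == "hard-fail":
        raise ValueError("no fetchable CRL distribution point: "
                         + "; ".join(reason for _, reason in skipped))
    return [fetcher(url) for url in fetchable], skipped
```

With both distribution points present, the HTTP CRL is still fetched and checked, so revocation checking is not silently downgraded to soft-fail just because one point uses LDAP.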