certvalidator

revocation_response is optional

Open rg7663 opened this issue 7 years ago • 2 comments

According to RFC 6960 (https://tools.ietf.org/html/rfc6960#section-4.2.1) the revocation reason is optional. Perhaps I have misunderstood some part of the spec, but as far as I can see (and have found in my own tests), line 1101 in validate.py (https://github.com/wbond/certvalidator/blob/b69d3b745b5af9e5ccd4b9781407ab7e82076d6b/certvalidator/validate.py#L1101) does not first check that revocation_info['revocation_reason'] is not Void before attempting to use the human_friendly property.

rg7663, Feb 24 '18 13:02

I agree, it's easy to reproduce:

from oscrypto import tls
from certvalidator import CertificateValidator, ValidationContext, errors

session = tls.TLSSession(manual_validation=True)
connection = tls.TLSSocket('revoked.grc.com', 443, session=session)

context = ValidationContext(allow_fetching=True)
validator = CertificateValidator(connection.certificate, connection.intermediates, context)
validator.validate_tls(connection.hostname)

mzdeb, May 25 '18 09:05

This was fixed in 80119e8fa80, but no new release to PyPI was made after that change. @wbond Could we get a dot release to PyPI that includes the patch?

matslindh, Jul 17 '18 12:07
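
Added example, not part of the thread and not certvalidator's code: a stdlib-only sketch of the RFC 6960 `RevokedInfo` structure the issue refers to, showing that `revocationReason` can be absent and how a caller can build its message without dereferencing a missing value. The DER bytes, the timestamp and all function names are constructed for illustration, and only short-form DER lengths are handled.

```python
from datetime import datetime, timezone

# CRLReason names from RFC 5280, section 5.3.1 (value 7 is unused)
CRL_REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
               3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
               6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
               10: "aACompromise"}

def read_tlv(data, offset):
    """Read one DER TLV (short-form length only); return (tag, value, next_offset)."""
    if offset + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length = data[offset], data[offset + 1]
    if length & 0x80:
        raise ValueError("long-form length not supported in this sketch")
    end = offset + 2 + length
    if end > len(data):
        raise ValueError("truncated TLV value")
    return tag, data[offset + 2:end], end

def parse_revoked_info(der):
    """Parse CertStatus 'revoked' ([1] IMPLICIT RevokedInfo) into (time, reason or None)."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0xA1 or end != len(der):
        raise ValueError("not a revoked CertStatus")
    tag, raw_time, pos = read_tlv(body, 0)
    if tag != 0x18:
        raise ValueError("revocationTime must be GeneralizedTime")
    when = datetime.strptime(raw_time.decode("ascii"), "%Y%m%d%H%M%SZ")
    reason = None  # revocationReason is [0] EXPLICIT CRLReason OPTIONAL
    if pos < len(body):
        tag, wrapped, pos = read_tlv(body, pos)
        if tag != 0xA0 or pos != len(body):
            raise ValueError("unexpected field after revocationTime")
        tag, enum, inner_end = read_tlv(wrapped, 0)
        if tag != 0x0A or len(enum) != 1 or inner_end != len(wrapped):
            raise ValueError("revocationReason must be a one-byte ENUMERATED")
        reason = CRL_REASONS.get(enum[0], "unknown(%d)" % enum[0])
    return when.replace(tzinfo=timezone.utc), reason

def describe(der):
    """Build a status message that stays valid when no reason was sent."""
    when, reason = parse_revoked_info(der)
    suffix = " due to %s" % reason if reason is not None else ""
    return "certificate revoked at %s%s" % (when.strftime("%Y-%m-%d %H:%M:%S"), suffix)

# Constructed sample encodings (not captured from a real responder)
TIME = b"\x18\x0f" + b"20180224130200Z"
WITH_REASON = b"\xa1\x16" + TIME + b"\xa0\x03\x0a\x01\x01"
WITHOUT_REASON = b"\xa1\x11" + TIME
```
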