certvalidator

verify_ocsp_response() assumes OCSP response has reason

Open rg7663 opened this issue 5 years ago • 4 comments

When performing OCSP revocation checks against https://revoked.badssl.com/ using the function certvalidator.validate.verify_ocsp_response() I get the following:

Traceback (most recent call last):
...
  File "/.../venv/lib/python3.6/site-packages/certvalidator/validate.py", line 1101, in verify_ocsp_response
    reason = revocation_info['revocation_reason'].human_friendly
AttributeError: 'Void' object has no attribute 'human_friendly'

It seems that the function assumes that a revocation reason is given, whereas the RFC states (end of https://tools.ietf.org/html/rfc6960#section-4.2.1) that revocation reason is optional (revocationReason [0] EXPLICIT CRLReason OPTIONAL), and hence revocation_info['revocation_reason'] can be an instance of Void. I would therefore suggest that verify_ocsp_response() should check whether revocation_info['revocation_reason'] is Void first before trying to get the human_friendly property, or that Void should have a human_friendly property.

rg7663 avatar Apr 11 '20 11:04 rg7663
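
The optional-field handling requested above, as an added example that is not part of the original issue and is not certvalidator's code: a standard-library-only decoder for the `revoked` CertStatus of RFC 6960 that returns `None` when `revocationReason` is absent instead of failing. The DER samples and the names `read_tlv`, `parse_revoked_info` and `describe` are constructed for illustration.

```python
from datetime import datetime, timezone

# CRLReason names from RFC 5280 section 5.3.1 (value 7 is not assigned).
CRL_REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
               3: "affiliationChanged", 4: "superseded",
               5: "cessationOfOperation", 6: "certificateHold",
               8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}

# Constructed DER samples (not captured from any responder).
_TIME = b"\x18\x0f" + b"20200411110400Z"             # revocationTime
WITHOUT_REASON = b"\xa1\x11" + _TIME                 # reason omitted
WITH_REASON = b"\xa1\x16" + _TIME + b"\xa0\x03\x0a\x01\x01"  # keyCompromise

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_revoked_info(der):
    """Decode [1] IMPLICIT RevokedInfo; reason is None when not sent."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0xA1:
        raise ValueError("CertStatus is not 'revoked'")
    tag, value, pos = read_tlv(body, 0)
    if tag != 0x18:
        raise ValueError("expected GeneralizedTime revocationTime")
    when = datetime.strptime(value.decode("ascii"), "%Y%m%d%H%M%SZ")
    reason = None
    if pos < len(body):  # revocationReason [0] EXPLICIT CRLReason OPTIONAL
        tag, wrapped, _ = read_tlv(body, pos)
        if tag != 0xA0:
            raise ValueError("unexpected field after revocationTime")
        tag, enum, _ = read_tlv(wrapped, 0)
        if tag != 0x0A:
            raise ValueError("expected ENUMERATED CRLReason")
        reason = CRL_REASONS.get(int.from_bytes(enum, "big"), "unknown")
    return when.replace(tzinfo=timezone.utc), reason

def describe(der):
    """Build the revocation message without assuming a reason exists."""
    when, reason = parse_revoked_info(der)
    suffix = "" if reason is None else " (%s)" % reason
    return "certificate revoked at " + when.strftime("%Y-%m-%dT%H:%M:%SZ") + suffix
```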

Any news about this? I too get this error even though it should simply say it is revoked. This should not raise an AttributeError.

MrCrumbs avatar Apr 27 '20 11:04 MrCrumbs

No, currently I don’t have time for development of this package, and it doesn’t appear anyone has sent a PR with tests.

wbond avatar Apr 27 '20 13:04 wbond

Weirdly I now see you did fix this in commit 80119e8fa801327a34bdff4f73092f550919d169 (no idea how I missed that, I could swear that wasn't there when I checked..).

@wbond Anyway - do you have plans for publishing a release? We could really use the library as-is, but the latest release is from 2016. Thanks!

MrCrumbs avatar Apr 28 '20 06:04 MrCrumbs

@wbond - would you be able to publish a new release?

MrCrumbs avatar May 03 '20 12:05 MrCrumbs