Hi,
I try to validate the chain and usage of a certificate. The CA provides a CRL distribution point using HTTP and another one using LDAP. The latter triggers an undocumented exception in certvalidator.validate_usage()
```
Traceback (most recent call last):
  File "./check_wpa_eapol.py", line 314, in main
    cert_file.file_name, hostname=realm, verbose=args.verbose
  File "./check_wpa_eapol.py", line 152, in validate_certificate_chain
    validator.validate_usage(set(usage))
  File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/__init__.py", line 193, in validate_usage
    self._validate_path()
  File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/__init__.py", line 121, in _validate_path
    validate_path(self._context, candidate_path)
  File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/validate.py", line 50, in validate_path
    return _validate_path(validation_context, path)
  File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/validate.py", line 407, in _validate_path
    end_entity_name_override=end_entity_name_override
  File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/validate.py", line 1211, in verify_crl
    certificate_lists = validation_context.retrieve_crls(cert)
  File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/context.py", line 452, in retrieve_crls
    **self._crl_fetch_params
  File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/crl_client.py", line 59, in fetch
    output.append(_grab_crl(user_agent, url, timeout))
  File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/crl_client.py", line 86, in _grab_crl
    response = urlopen(request, None, timeout)
  File "/usr/lib64/python3.6/urllib/request.py", line 223, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib64/python3.6/urllib/request.py", line 526, in open
    response = self._open(req, data)
  File "/usr/lib64/python3.6/urllib/request.py", line 549, in _open
    'unknown_open', req)
  File "/usr/lib64/python3.6/urllib/request.py", line 504, in _call_chain
    result = func(*args)
  File "/usr/lib64/python3.6/urllib/request.py", line 1419, in unknown_open
    raise URLError('unknown url type: %s' % type)
urllib.error.URLError: <urlopen error unknown url type: ldap>
```
I'm unsure how to handle this case. Just ignore the LDAP CRL? Issue a warning?
Code
Extension
```
<Extension(oid=<ObjectIdentifier(oid=2.5.29.31, name=cRLDistributionPoints)>, critical=False, value=<CRLDistributionPoints([<DistributionPoint(full_name=[<UniformResourceIdentifier(value='http://crl.swisssign.net/3C9E527903636F4F9C811BD328700C245AEAA587')>], relative_name=None, reasons=None, crl_issuer=None)>, <DistributionPoint(full_name=[<UniformResourceIdentifier(value='ldap://directory.swisssign.net/CN=3C9E527903636F4F9C811BD328700C245AEAA587%2CO=SwissSign%2CC=CH?certificateRevocationList?base?objectClass=cRLDistributionPoint')>], relative_name=None, reasons=None, crl_issuer=None)>])>)>
```
Workaround
Initialize validator with
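One way to handle the mixed HTTP/LDAP distribution points shown in the Extension dump, as an added example (not code from the issue or from certvalidator): skip URLs whose scheme cannot be fetched, log a warning for each, and fail closed only when no CRL could be retrieved at all. The names `partition_crl_urls`, `fetch_crls` and `NoUsableCRL` are hypothetical, and the example assumes either distribution point is sufficient on its own, since both have `reasons=None` in the dump.

```python
import logging
import urllib.request
from urllib.parse import urlsplit

log = logging.getLogger("crl_fetch")  # hypothetical logger name

# Schemes this helper will hand to urlopen(). "ldap" has no urllib handler,
# which is what raises "unknown url type: ldap" in the issue's traceback.
FETCHABLE_SCHEMES = frozenset({"http", "https"})

# The two distribution points from the Extension dump in the issue.
SAMPLE_URLS = [
    "http://crl.swisssign.net/3C9E527903636F4F9C811BD328700C245AEAA587",
    "ldap://directory.swisssign.net/CN=3C9E527903636F4F9C811BD328700C245AEAA587"
    "%2CO=SwissSign%2CC=CH?certificateRevocationList?base"
    "?objectClass=cRLDistributionPoint",
]


class NoUsableCRL(Exception):
    """No distribution point yielded a CRL, so revocation status is unknown."""


def partition_crl_urls(urls):
    """Split distribution point URLs into (fetchable, skipped) by scheme."""
    fetchable, skipped = [], []
    for url in urls:
        scheme = urlsplit(url).scheme.lower()
        (fetchable if scheme in FETCHABLE_SCHEMES else skipped).append(url)
    return fetchable, skipped


def fetch_crls(urls, opener=urllib.request.urlopen, timeout=10):
    """Download CRLs, skipping unsupported schemes; fail closed if none arrive."""
    fetchable, skipped = partition_crl_urls(urls)
    for url in skipped:
        log.warning("skipping CRL URL with unsupported scheme: %s", url)
    crls = []
    for url in fetchable:
        try:
            with opener(url, timeout=timeout) as response:
                crls.append(response.read())
        except OSError as exc:  # URLError and socket timeouts are OSErrors
            log.warning("CRL download failed for %s: %s", url, exc)
    if not crls:
        raise NoUsableCRL("no CRL retrieved from %d URL(s)" % len(urls))
    return crls
```

Raising `NoUsableCRL` keeps "could not check revocation" distinct from "not revoked", so the caller decides explicitly whether a soft-fail is acceptable.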