revocation_response is optional

certvalidator

A Python library for validating X.509 certificates or paths. Supports various options, including: validation at a specific moment in time, whitelisting and revocation checks.

Features
Related Crypto Libraries
Current Release
Dependencies
Installation
License
Documentation
Continuous Integration
Testing
Development
CI Tasks

Features

X.509 path building
X.509 basic path validation
- Signatures
  - RSA, DSA and EC algorithms
- Name chaining
- Validity dates
- Basic constraints extension
  - CA flag
  - Path length constraint
- Key usage extension
- Extended key usage extension
- Certificate policies
  - Policy constraints
  - Policy mapping
  - Inhibit anyPolicy
- Failure on unknown/unsupported critical extensions
TLS/SSL server validation
Whitelisting certificates
Blacklisting hash algorithms
Revocation checks
- CRLs
  - Indirect CRLs
  - Delta CRLs
- OCSP checks
  - Delegated OCSP responders
- Disable, require or allow soft failures
- Caching of CRLs/OCSP responses
CRL and OCSP HTTP clients
Point-in-time validation

Unsupported features:

Name constraints

Related Crypto Libraries

certvalidator is part of the modularcrypto family of Python packages:

Current Release

0.11.1 - changelog

Dependencies

asn1crypto
oscrypto
Python 2.6, 2.7, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9 or pypy

Installation

pip install certvalidator

License

certvalidator is licensed under the terms of the MIT license. See the LICENSE file for the exact license text.

Documentation

certvalidator documentation

Continuous Integration

Various combinations of platforms and versions of Python are tested via:

macOS, Linux, Windows via GitHub Actions
arm64 via CircleCI

Testing

Tests are written using unittest and require no third-party packages.

Depending on what type of source is available for the package, the following commands can be used to run the test suite.

Git Repository

When working within a Git working copy, or an archive of the Git repository, the full test suite is run via:

python run.py tests

To run only some tests, pass a regular expression as a parameter to tests.

python run.py tests path

PyPi Source Distribution

When working within an extracted source distribution (aka .tar.gz) from PyPi, the full test suite is run via:

python setup.py test

Test Cases

The test cases for the library are comprised of:

Public Key Interoperability Test Suite from NIST
OCSP tests from OpenSSL
Various certificates generated for TLS certificate validation

Development

To install the package used for linting, execute:

pip install --user -r requires/lint

The following command will run the linter:

python run.py lint

Support for code coverage can be installed via:

pip install --user -r requires/coverage

Coverage is measured by running:

python run.py coverage

To install the packages requires to generate the API documentation, run:

pip install --user -r requires/api_docs

The documentation can then be generated by running:

python run.py api_docs

The following will run a test that connects to all (non-adult) sites in the Alexa top 1000 that respond on port 443:

python run.py stress_test

Once the script is complete, results that differ between the OS validation and the certvalidator validation will be listed for further debugging.

To change the version number of the package, run:

python run.py version {pep440_version}

To install the necessary packages for releasing a new version on PyPI, run:

pip install --user -r requires/release

Releases are created by:

Making a git tag in PEP 440 format
Running the command:
```
python run.py release
```

Existing releases can be found at https://pypi.org/project/certvalidator.

CI Tasks

A task named deps exists to ensure a modern version of pip is installed, along with all necessary testing dependencies.

The ci task runs lint (if flake8 is avaiable for the version of Python) and coverage (or tests if coverage is not available for the version of Python). If the current directory is a clean git working copy, the coverage data is submitted to codecov.io.

python run.py deps
python run.py ci

	> > :raises:
	> > certvalidator.errors.PathValidationError - when an error occurs validating the path
	> > certvalidator.errors.RevokedError - when the certificate or another certificate in its path has been revoked
	> > certvalidator.errors.InvalidCertificateError - when the certificate is not valid for the usages specified

	last_e = None
	for ocsp_url in cert.ocsp_urls:
	try:
	request = Request(ocsp_url)
	request.add_header('Accept', 'application/ocsp-response')
	request.add_header('Content-Type', 'application/ocsp-request')
	request.add_header('User-Agent', user_agent)
	response = urlopen(request, ocsp_request.dump(), timeout)
	ocsp_response = ocsp.OCSPResponse.load(response.read())
	request_nonce = ocsp_request.nonce_value
	response_nonce = ocsp_response.nonce_value
	if request_nonce and response_nonce and request_nonce.native != response_nonce.native:
	raise errors.OCSPValidationError(
	'Unable to verify OCSP response since the request and response nonces do not match'
	)
	return ocsp_response

	except (URLError) as e:
	last_e = e

	raise last_e

	# By default, any CRLs or OCSP responses that are passed to the constructor
	# are chccked. If _allow_fetching is True, any CRLs or OCSP responses that
	# can be downloaded will also be checked. The next two attributes change
	# that behavior.

	for ocsp_url in cert.ocsp_urls:
	try:
	request = Request(ocsp_url)
	request.add_header('Accept', 'application/ocsp-response')
	request.add_header('Content-Type', 'application/ocsp-request')
	request.add_header('User-Agent', user_agent)
	response = urlopen(request, ocsp_request.dump(), timeout)
	ocsp_response = ocsp.OCSPResponse.load(response.read())
	request_nonce = ocsp_request.nonce_value
	response_nonce = ocsp_response.nonce_value
	if request_nonce and response_nonce and request_nonce.native != response_nonce.native:
	raise errors.OCSPValidationError(
	'Unable to verify OCSP response since the request and response nonces do not match'
	)
	return ocsp_response

	except (URLError) as e:
	last_e = e

	except (URLError, socket.error) as e:
	self._fetched_crls[cert.issuer_serial] = []
	if self._revocation_mode == "soft-fail":
	self._soft_fail_exceptions.append(e)
	raise SoftFailError()
	else:
	raise

	except (URLError, socket.error) as e:
	self._fetched_ocsps[cert.issuer_serial] = []
	if self._revocation_mode == "soft-fail":
	self._soft_fail_exceptions.append(e)
	raise SoftFailError()
	else:
	raise

	try:
	cert_description = _cert_type(index, last_index, end_entity_name_override, definite=True)
	verify_crl(
	cert,
	path,
	validation_context,
	cert_description=cert_description,
	end_entity_name_override=end_entity_name_override
	)
	revocation_check_failed = False
	status_good = True
	matched = True
	except (CRLValidationIndeterminateError) as e:
	failures.extend([failure[0] for failure in e.failures])
	revocation_check_failed = True
	matched = True
	except (SoftFailError):
	soft_fail = True
	except (CRLNoMatchesError):
	pass

	try:
	verify_ocsp_response(
	cert,
	path,
	validation_context,
	cert_description=_cert_type(
	index,
	last_index,
	end_entity_name_override,
	definite=True
	),
	end_entity_name_override=end_entity_name_override
	)
	status_good = True
	matched = True
	except (OCSPValidationIndeterminateError) as e:
	failures.extend([failure[0] for failure in e.failures])
	revocation_check_failed = True
	matched = True
	except (SoftFailError):
	soft_fail = True
	except (OCSPNoMatchesError):
	pass

wbond / certvalidator Goto Github PK

certvalidator's Introduction

certvalidator

Features

Related Crypto Libraries

Current Release

Dependencies

Installation

License

Documentation

Continuous Integration

Testing

Git Repository

PyPi Source Distribution

Test Cases

Development

CI Tasks

certvalidator's People

Contributors

Stargazers

Watchers

Forkers

certvalidator's Issues

====================================================================== ERROR: test_basic_certificate_validator_tls (tests.test_certificate_validator.CertificateValidatorTests.test_basic_certificate_validator_tls)

====================================================================== ERROR: test_basic_certificate_validator_tls_expired (tests.test_certificate_validator.CertificateValidatorTests.test_basic_certificate_validator_tls_expired)

====================================================================== ERROR: test_basic_certificate_validator_tls_invalid_hostname (tests.test_certificate_validator.CertificateValidatorTests.test_basic_certificate_validator_tls_invalid_hostname)

Code

Extension

Traceback

Workaround

related code context

following patch: Index: python-certvalidator/tests/_unittest_compat.py

--- python-certvalidator.orig/tests/_unittest_compat.py +++ python-certvalidator/tests/_unittest_compat.py @@ -4,7 +4,7 @@ from future import unicode_literals, import sys import unittest import re

coding: utf-8

coding: utf-8

Recommend Projects

Recommend Topics

Recommend Org

======================================================================
ERROR: test_basic_certificate_validator_tls (tests.test_certificate_validator.CertificateValidatorTests.test_basic_certificate_validator_tls)

======================================================================
ERROR: test_basic_certificate_validator_tls_expired (tests.test_certificate_validator.CertificateValidatorTests.test_basic_certificate_validator_tls_expired)

======================================================================
ERROR: test_basic_certificate_validator_tls_invalid_hostname (tests.test_certificate_validator.CertificateValidatorTests.test_basic_certificate_validator_tls_invalid_hostname)

following patch:
Index: python-certvalidator/tests/_unittest_compat.py

--- python-certvalidator.orig/tests/_unittest_compat.py
+++ python-certvalidator/tests/_unittest_compat.py
@@ -4,7 +4,7 @@ from future import unicode_literals,
import sys
import unittest
import re