author | William Woodruff <william@yossarian.net> | 2022-07-07 16:09:16 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-07-07 15:09:16 -0500 |
commit | 65ca53a7a06a7c78c1749200a6b3a007e47d3214 (patch) | |
tree | ee398b2d7cb228deee32fa892ec28e14f4bffb85 | |
parent | 02db1a024d04cf6669670f773fd6c5d3a7275626 (diff) | |
download | pyopenssl-65ca53a7a06a7c78c1749200a6b3a007e47d3214.tar.gz |
Make `X509StoreContextError`'s message friendlier (#1133)
* OpenSSL/crypto: make X509StoreContextError's message friendlier
Closes #1132.
Signed-off-by: William Woodruff <william@trailofbits.com>
* tests: update exception tests
Signed-off-by: William Woodruff <william@trailofbits.com>
* OpenSSL/crypto: blacken
Signed-off-by: William Woodruff <william@trailofbits.com>
* CHANGELOG: record changes
Signed-off-by: William Woodruff <william@trailofbits.com>
-rw-r--r-- | CHANGELOG.rst | 3 | ||||
-rw-r--r-- | src/OpenSSL/crypto.py | 18 | ||||
-rw-r--r-- | tests/test_crypto.py | 18 |
3 files changed, 23 insertions, 16 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 5f2589f..e1546f7 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -12,6 +12,9 @@ Backward-incompatible changes:
 - Remove support for SSLv2 and SSLv3.
 - The minimum ``cryptography`` version is now 37.0.2.
+- The ``OpenSSL.crypto.X509StoreContextError`` exception has been refactored,
+  changing its internal attributes.
+  `#1133 <https://github.com/pyca/pyopenssl/pull/1133>`_
 Deprecations:
 ^^^^^^^^^^^^^
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index d6ef67e..6f034d0 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -1776,8 +1776,11 @@ class X509StoreContextError(Exception):
     :type certificate: :class:`X509`
     """
-    def __init__(self, message: Any, certificate: X509) -> None:
+    def __init__(
+        self, message: str, errors: List[Any], certificate: X509
+    ) -> None:
         super(X509StoreContextError, self).__init__(message)
+        self.errors = errors
         self.certificate = certificate
@@ -1878,21 +1881,22 @@ class X509StoreContext:
         When a call to native OpenSSL X509_verify_cert fails, additional
         information about the failure can be obtained from the store context.
         """
+        message = _ffi.string(
+            _lib.X509_verify_cert_error_string(
+                _lib.X509_STORE_CTX_get_error(self._store_ctx)
+            )
+        ).decode("utf-8")
         errors = [
             _lib.X509_STORE_CTX_get_error(self._store_ctx),
             _lib.X509_STORE_CTX_get_error_depth(self._store_ctx),
-            _ffi.string(
-                _lib.X509_verify_cert_error_string(
-                    _lib.X509_STORE_CTX_get_error(self._store_ctx)
-                )
-            ).decode("utf-8"),
+            message,
         ]
         # A context error should always be associated with a certificate, so we
         # expect this call to never return :class:`None`.
         _x509 = _lib.X509_STORE_CTX_get_current_cert(self._store_ctx)
         _cert = _lib.X509_dup(_x509)
         pycert = X509._from_raw_x509_ptr(_cert)
-        return X509StoreContextError(errors, pycert)
+        return X509StoreContextError(message, errors, pycert)
     def set_store(self, store: X509Store) -> None:
         """
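Review bot: In the second crypto.py hunk the verification error code is read from the store context twice — once to build `message`, again as `errors[0]` — so the two only agree because nothing touches the context in between; read it once and derive both from that local: `code = _lib.X509_STORE_CTX_get_error(self._store_ctx)`, `message = _ffi.string(_lib.X509_verify_cert_error_string(code)).decode("utf-8")`, `errors = [code, _lib.X509_STORE_CTX_get_error_depth(self._store_ctx), message]`. The new `errors` attribute is typed `List[Any]`, which tells a caller nothing about its layout; the class docstring (its head is outside this hunk) should gain an `:ivar errors:` entry stating it is `[error_code, depth, message]` and that `error_code` is the raw `X509_V_ERR_*` value callers should match on, since the message text differs between OpenSSL versions (as the test file's own comment notes). The constructor is public API and its positional signature changed, so any code constructing `X509StoreContextError(errors, cert)` itself now raises `TypeError`, which the changelog's "internal attributes" wording understates. The enclosing method's `def` line is outside the hunk.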
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index 8c19030..8ad4d68 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -3874,7 +3874,7 @@ class TestCRL:
         store_ctx = X509StoreContext(store, self.intermediate_server_cert)
         with pytest.raises(X509StoreContextError) as err:
             store_ctx.verify_certificate()
-        assert err.value.args[0][2] == "certificate revoked"
+        assert str(err.value) == "certificate revoked"
     def test_verify_with_missing_crl(self):
         """
@@ -3894,7 +3894,7 @@ class TestCRL:
         store_ctx = X509StoreContext(store, self.intermediate_server_cert)
         with pytest.raises(X509StoreContextError) as err:
             store_ctx.verify_certificate()
-        assert err.value.args[0][2] == "unable to get certificate CRL"
+        assert str(err.value) == "unable to get certificate CRL"
         assert err.value.certificate.get_subject().CN == "intermediate-service"
     def test_convert_from_cryptography(self):
@@ -4106,7 +4106,7 @@ class TestX509StoreContext:
             store_ctx.verify_certificate()
         # OpenSSL 1.1.x and 3.0.x have different error messages
-        assert exc.value.args[0][2] in [
+        assert str(exc.value) in [
             "self signed certificate",
             "self-signed certificate",
         ]
@@ -4124,7 +4124,7 @@ class TestX509StoreContext:
         with pytest.raises(X509StoreContextError) as exc:
             store_ctx.verify_certificate()
-        assert exc.value.args[0][2] == "unable to get issuer certificate"
+        assert str(exc.value) == "unable to get issuer certificate"
         assert exc.value.certificate.get_subject().CN == "intermediate"
     def test_invalid_chain_no_intermediate(self):
@@ -4139,7 +4139,7 @@ class TestX509StoreContext:
         with pytest.raises(X509StoreContextError) as exc:
             store_ctx.verify_certificate()
-        assert exc.value.args[0][2] == "unable to get local issuer certificate"
+        assert str(exc.value) == "unable to get local issuer certificate"
         assert exc.value.certificate.get_subject().CN == "intermediate-service"
     def test_modification_pre_verify(self):
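Review bot: The updated assertions check only `str(err.value)`, so the `errors` attribute this same commit adds is never read by any test, and the `# OpenSSL 1.1.x and 3.0.x have different error messages` comment in the third hunk shows why pinning the text alone is fragile. In the first hunk add `assert err.value.errors[2] == str(err.value)` next to the message check, and — if the OpenSSL bindings' `_lib` is importable in this test module, which is not visible here — `assert err.value.errors[0] == _lib.X509_V_ERR_CERT_REVOKED`, which pins the numeric code the message is derived from and is stable across OpenSSL versions. The enclosing test methods' `def` lines are outside these hunks.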
@@ -4157,7 +4157,7 @@ class TestX509StoreContext:
         with pytest.raises(X509StoreContextError) as exc:
             store_ctx.verify_certificate()
-        assert exc.value.args[0][2] == "unable to get issuer certificate"
+        assert str(exc.value) == "unable to get issuer certificate"
         assert exc.value.certificate.get_subject().CN == "intermediate"
         store_ctx.set_store(store_good)
@@ -4182,7 +4182,7 @@ class TestX509StoreContext:
         with pytest.raises(X509StoreContextError) as exc:
             store_ctx.verify_certificate()
-        assert exc.value.args[0][2] == "certificate has expired"
+        assert str(exc.value) == "certificate has expired"
     def test_get_verified_chain(self):
         """
@@ -4216,7 +4216,7 @@ class TestX509StoreContext:
         with pytest.raises(X509StoreContextError) as exc:
             store_ctx.get_verified_chain()
-        assert exc.value.args[0][2] == "unable to get issuer certificate"
+        assert str(exc.value) == "unable to get issuer certificate"
         assert exc.value.certificate.get_subject().CN == "intermediate"
     @pytest.fixture
@@ -4281,7 +4281,7 @@ class TestX509StoreContext:
         with pytest.raises(X509StoreContextError) as exc:
             store_ctx.verify_certificate()
-        assert exc.value.args[0][2] == "unable to get local issuer certificate"
+        assert str(exc.value) == "unable to get local issuer certificate"
 class TestSignVerify: