author | Chayim <chayim@users.noreply.github.com> | 2022-01-27 12:12:56 +0200 |
committer | GitHub <noreply@github.com> | 2022-01-27 12:12:56 +0200 |
commit | 42a0114a639fcda7668c64b619d1da288abd8fcd (patch) | |
tree | efaa657b47ef683d72fd9407848b7fd6388a9b8f | |
parent | 24cdd70761c7c275d5010f628f83d919bf35fc90 (diff) | |
download | redis-py-42a0114a639fcda7668c64b619d1da288abd8fcd.tar.gz |
Raising ConnectionError on invalid ocsp certificates - with status information (#1907)
-rw-r--r-- | redis/ocsp.py | 9 | ||||
-rw-r--r-- | tests/test_ssl.py | 10 |
2 files changed, 14 insertions, 5 deletions
diff --git a/redis/ocsp.py b/redis/ocsp.py
index 666c7dc..4753434 100644
--- a/redis/ocsp.py
+++ b/redis/ocsp.py
@@ -56,9 +56,14 @@ def _check_certificate(issuer_cert, ocsp_bytes, validate=True):
 raise AuthorizationError("you are not authorized to view this ocsp certificate")
 if ocsp_response.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL:
 if ocsp_response.certificate_status != ocsp.OCSPCertStatus.GOOD:
- return False
+ raise ConnectionError(
+ f'Received an {str(ocsp_response.certificate_status).split(".")[1]} '
+ "ocsp certificate status"
+ )
 else:
- return False
+ raise ConnectionError(
+ "failed to retrieve a sucessful response from the ocsp responder"
+ )
 if ocsp_response.this_update >= datetime.datetime.now():
 raise ConnectionError("ocsp certificate was issued in the future")

diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index 0ae7440..ab5d47f 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -107,7 +107,7 @@ class TestSSL:
 def test_valid_ocsp_cert_http(self):
 from redis.ocsp import OCSPVerifier
- hostnames = ["github.com", "aws.amazon.com", "ynet.co.il", "microsoft.com"]
+ hostnames = ["github.com", "aws.amazon.com", "ynet.co.il"]
 for hostname in hostnames:
 context = ssl.create_default_context()
 with socket.create_connection((hostname, 443)) as sock:
@@ -124,7 +124,9 @@ class TestSSL:
 with socket.create_connection((hostname, 443)) as sock:
 with context.wrap_socket(sock, server_hostname=hostname) as wrapped:
 ocsp = OCSPVerifier(wrapped, hostname, 443)
- assert ocsp.is_valid() is False
+ with pytest.raises(ConnectionError) as e:
+ assert ocsp.is_valid()
+ assert "REVOKED" in str(e)

 @skip_if_nocryptography()
 def test_unauthorized_ocsp(self): 
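Review bot: The status name in the first new ConnectionError is recovered with `str(ocsp_response.certificate_status).split(".")[1]`, which depends on the enum's string form and yields "an REVOKED"; `OCSPCertStatus` is a Python `Enum`, so `f"Received a {ocsp_response.certificate_status.name} ocsp certificate status"` is both stable and readable. The second message misspells "successful" as `sucessful`, and since the test in the `@@ -147` hunk matches on `"from the"` rather than on the meaning, correcting the spelling is cheap now and avoids cementing the typo. Turning both non-GOOD paths from `return False` into a raise is the right hard-fail for a revocation check, but `_check_certificate` starts before the hunk, so any remaining `return False` paths and callers that still test the boolean should be checked against the new contract.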
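Review bot: The `assert ocsp.is_valid()` placed inside `pytest.raises(ConnectionError)` is redundant and muddles the failure mode: if `is_valid()` returns without raising, the AssertionError is not a ConnectionError and escapes the context, so the test fails with a misleading message instead of pytest's "DID NOT RAISE"; a bare `ocsp.is_valid()` is enough. The same shape appears in the `@@ -147` hunk. `"REVOKED" in str(e)` works only because `ExceptionInfo`'s repr embeds the exception text; `assert "REVOKED" in str(e.value)` (or `e.match("REVOKED")`) targets the message directly. The host these tests connect to is defined above the hunk and is not visible here; if it is a live endpoint, the REVOKED expectation is tied to the remote certificate's current state.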
@@ -147,7 +149,9 @@ class TestSSL:
 with socket.create_connection((hostname, 443)) as sock:
 with context.wrap_socket(sock, server_hostname=hostname) as wrapped:
 ocsp = OCSPVerifier(wrapped, hostname, 443)
- assert ocsp.is_valid() is False
+ with pytest.raises(ConnectionError) as e:
+ assert ocsp.is_valid()
+ assert "from the" in str(e)

 @skip_if_nocryptography()
 def test_unauthorized_then_direct(self): |