authorWilliam Woodruff <william@yossarian.net>2022-07-07 16:09:16 -0400
committerGitHub <noreply@github.com>2022-07-07 15:09:16 -0500
commit65ca53a7a06a7c78c1749200a6b3a007e47d3214 (patch)
treeee398b2d7cb228deee32fa892ec28e14f4bffb85
parent02db1a024d04cf6669670f773fd6c5d3a7275626 (diff)
downloadpyopenssl-65ca53a7a06a7c78c1749200a6b3a007e47d3214.tar.gz
Make `X509StoreContextError`'s message friendlier (#1133)
* OpenSSL/crypto: make X509StoreContextError's message friendlier Closes #1132. Signed-off-by: William Woodruff <william@trailofbits.com> * tests: update exception tests Signed-off-by: William Woodruff <william@trailofbits.com> * OpenSSL/crypto: blacken Signed-off-by: William Woodruff <william@trailofbits.com> * CHANGELOG: record changes Signed-off-by: William Woodruff <william@trailofbits.com>
-rw-r--r--CHANGELOG.rst3
-rw-r--r--src/OpenSSL/crypto.py18
-rw-r--r--tests/test_crypto.py18
3 files changed, 23 insertions, 16 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 5f2589f..e1546f7 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -12,6 +12,9 @@ Backward-incompatible changes:
- Remove support for SSLv2 and SSLv3.
- The minimum ``cryptography`` version is now 37.0.2.
+- The ``OpenSSL.crypto.X509StoreContextError`` exception has been refactored,
+ changing its internal attributes.
+ `#1133 <https://github.com/pyca/pyopenssl/pull/1133>`_
Deprecations:
^^^^^^^^^^^^^
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index d6ef67e..6f034d0 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -1776,8 +1776,11 @@ class X509StoreContextError(Exception):
:type certificate: :class:`X509`
"""
- def __init__(self, message: Any, certificate: X509) -> None:
+ def __init__(
+ self, message: str, errors: List[Any], certificate: X509
+ ) -> None:
super(X509StoreContextError, self).__init__(message)
+ self.errors = errors
self.certificate = certificate
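Review bot: The new `errors` attribute is not described in the class docstring, whose closing `:type certificate:` entry is the context at the top of this hunk while the rest of the docstring lies above it. Callers who previously read `args[0]` need to know what `errors` holds; judging by the second hunk of this file it is the verification error code, the error depth and the message, in that order. I'd add, beside the existing certificate entries, `:ivar errors: The verification error code, error depth and error message, in that order.` and `:type errors: :class:`list``. The `List[Any]` annotation could be tightened to reflect those element types if they are stable across OpenSSL versions, but that is a maintainers' call.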
@@ -1878,21 +1881,22 @@ class X509StoreContext:
When a call to native OpenSSL X509_verify_cert fails, additional
information about the failure can be obtained from the store context.
"""
+ message = _ffi.string(
+ _lib.X509_verify_cert_error_string(
+ _lib.X509_STORE_CTX_get_error(self._store_ctx)
+ )
+ ).decode("utf-8")
errors = [
_lib.X509_STORE_CTX_get_error(self._store_ctx),
_lib.X509_STORE_CTX_get_error_depth(self._store_ctx),
- _ffi.string(
- _lib.X509_verify_cert_error_string(
- _lib.X509_STORE_CTX_get_error(self._store_ctx)
- )
- ).decode("utf-8"),
+ message,
]
# A context error should always be associated with a certificate, so we
# expect this call to never return :class:`None`.
_x509 = _lib.X509_STORE_CTX_get_current_cert(self._store_ctx)
_cert = _lib.X509_dup(_x509)
pycert = X509._from_raw_x509_ptr(_cert)
- return X509StoreContextError(errors, pycert)
+ return X509StoreContextError(message, errors, pycert)
def set_store(self, store: X509Store) -> None:
"""
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index 8c19030..8ad4d68 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -3874,7 +3874,7 @@ class TestCRL:
store_ctx = X509StoreContext(store, self.intermediate_server_cert)
with pytest.raises(X509StoreContextError) as err:
store_ctx.verify_certificate()
- assert err.value.args[0][2] == "certificate revoked"
+ assert str(err.value) == "certificate revoked"
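Review bot: The updated assertions only cover `str(err.value)`, so the new `errors` attribute added in `src/OpenSSL/crypto.py` is never exercised here or in the sibling hunks of this file (the remaining `TestCRL` and `TestX509StoreContext` cases below). At least one of them should pin its shape, e.g. `assert err.value.errors[2] == str(err.value)` and `assert isinstance(err.value.errors[0], int)`, so that a regression in how the code, depth and message are packed would be caught. The test methods begin outside the hunk.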
def test_verify_with_missing_crl(self):
"""
@@ -3894,7 +3894,7 @@ class TestCRL:
store_ctx = X509StoreContext(store, self.intermediate_server_cert)
with pytest.raises(X509StoreContextError) as err:
store_ctx.verify_certificate()
- assert err.value.args[0][2] == "unable to get certificate CRL"
+ assert str(err.value) == "unable to get certificate CRL"
assert err.value.certificate.get_subject().CN == "intermediate-service"
def test_convert_from_cryptography(self):
@@ -4106,7 +4106,7 @@ class TestX509StoreContext:
store_ctx.verify_certificate()
# OpenSSL 1.1.x and 3.0.x have different error messages
- assert exc.value.args[0][2] in [
+ assert str(exc.value) in [
"self signed certificate",
"self-signed certificate",
]
@@ -4124,7 +4124,7 @@ class TestX509StoreContext:
with pytest.raises(X509StoreContextError) as exc:
store_ctx.verify_certificate()
- assert exc.value.args[0][2] == "unable to get issuer certificate"
+ assert str(exc.value) == "unable to get issuer certificate"
assert exc.value.certificate.get_subject().CN == "intermediate"
def test_invalid_chain_no_intermediate(self):
@@ -4139,7 +4139,7 @@ class TestX509StoreContext:
with pytest.raises(X509StoreContextError) as exc:
store_ctx.verify_certificate()
- assert exc.value.args[0][2] == "unable to get local issuer certificate"
+ assert str(exc.value) == "unable to get local issuer certificate"
assert exc.value.certificate.get_subject().CN == "intermediate-service"
def test_modification_pre_verify(self):
@@ -4157,7 +4157,7 @@ class TestX509StoreContext:
with pytest.raises(X509StoreContextError) as exc:
store_ctx.verify_certificate()
- assert exc.value.args[0][2] == "unable to get issuer certificate"
+ assert str(exc.value) == "unable to get issuer certificate"
assert exc.value.certificate.get_subject().CN == "intermediate"
store_ctx.set_store(store_good)
@@ -4182,7 +4182,7 @@ class TestX509StoreContext:
with pytest.raises(X509StoreContextError) as exc:
store_ctx.verify_certificate()
- assert exc.value.args[0][2] == "certificate has expired"
+ assert str(exc.value) == "certificate has expired"
def test_get_verified_chain(self):
"""
@@ -4216,7 +4216,7 @@ class TestX509StoreContext:
with pytest.raises(X509StoreContextError) as exc:
store_ctx.get_verified_chain()
- assert exc.value.args[0][2] == "unable to get issuer certificate"
+ assert str(exc.value) == "unable to get issuer certificate"
assert exc.value.certificate.get_subject().CN == "intermediate"
@pytest.fixture
@@ -4281,7 +4281,7 @@ class TestX509StoreContext:
with pytest.raises(X509StoreContextError) as exc:
store_ctx.verify_certificate()
- assert exc.value.args[0][2] == "unable to get local issuer certificate"
+ assert str(exc.value) == "unable to get local issuer certificate"
class TestSignVerify: