
Add tests proving missing certificate chain validation #18

Open
lnagel wants to merge 2 commits into thorgate:main from namespace-ee:issue-17-chain-validation-tests


@lnagel lnagel commented Feb 3, 2026

Summary

  • Adds test suite demonstrating that certificate chain validation is missing
  • Tests are marked xfail - they document vulnerabilities that currently exist

What the tests prove

| Test | Vulnerability |
| --- | --- |
| test_self_signed_cert_should_be_rejected | Self-signed certificates pass XmlSignature.verify() |
| test_expired_cert_should_be_rejected | Expired certificates pass verification |
| test_untrusted_ca_cert_should_be_rejected | Certificates from untrusted CAs pass verification |
| test_existing_fixture_is_self_signed | Existing test fixtures use self-signed certs |

Test output

test_chain_validation.py::TestSelfSignedCertificateAccepted::test_self_signed_cert_should_be_rejected XFAIL
test_chain_validation.py::TestExpiredCertificateAccepted::test_expired_cert_should_be_rejected XFAIL
test_chain_validation.py::TestUntrustedCAAccepted::test_untrusted_ca_cert_should_be_rejected XFAIL
test_chain_validation.py::TestExistingTestsUseSelfSignedCerts::test_existing_fixture_is_self_signed PASSED

Next steps

When chain validation is implemented, remove the xfail marks and invert the assertions - these tests should then PASS by rejecting the invalid certificates.

Relates to #17

🤖 Generated with Claude Code

lnagel and others added 2 commits February 3, 2026 12:38
Previously, verify_response() only checked response_status (whether the
OCSP server processed the request) but not cert_status (whether the
certificate is actually valid). This meant revoked and unknown
certificates silently passed validation.

Now raises OCSPCertificateRevokedError for revoked certificates and
OCSPCertificateUnknownError for unknown status.

Fixes thorgate#13

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Tests prove that pyasice accepts signatures from:
- Self-signed certificates (should be rejected)
- Expired certificates (should be rejected)
- Certificates signed by untrusted CAs (should be rejected)

Also demonstrates that existing test fixtures use self-signed certs.

Tests are marked with xfail and will pass once chain validation is implemented.

Relates to thorgate#17

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>