classification
Title: ssl.py _load_windows_store_certs fails if windows cert store is empty
Type:
Stage: resolved
Components: Windows
Versions: Python 3.6, Python 3.5, Python 2.7
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: Jonathan Kamens, baji, paul.moore, python-dev, steve.dower, tim.golden, yan12125, zach.ware
Priority: normal
Keywords: patch

Created on 2016-02-08 20:09 by Jonathan Kamens, last changed 2016-03-17 22:04 by steve.dower. This issue is now closed.

Files
File name: issue26313.diff
Uploaded: baji, 2016-03-11 10:18
Messages (6)
msg259880 - Author: Jonathan Kamens (Jonathan Kamens) Date: 2016-02-08 20:09
In ssl.py:

    def _load_windows_store_certs(self, storename, purpose):
        certs = bytearray()
        for cert, encoding, trust in enum_certificates(storename):
            # CA certs are never PKCS#7 encoded
            if encoding == "x509_asn":
                if trust is True or purpose.oid in trust:
                    certs.extend(cert)
        self.load_verify_locations(cadata=certs)
        return certs

The line right before the return statement will raise an exception if certs is empty.

It should be protected with "if certs:" as it is elsewhere in this file.
msg261552 - Author: Chih-Hsuan Yen (yan12125) * Date: 2016-03-11 09:23
The same issue is reported at https://github.com/rg3/youtube-dl/issues/8132, too. An empty Windows cert store is uncommon. The only case I found so far is on Wine. Steps to reproduce:

1. On Arch Linux x86_64, install mingw-w64-python2-bin from AUR
2. Run the following command:
    $ WINEDEBUG=fixme-all PYTHONPATH=/usr/x86_64-w64-mingw32/lib/python27 wine /usr/x86_64-w64-mingw32/bin/python2.exe -c 'import ssl; ssl.create_default_context()'
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "Z:\usr\x86_64-w64-mingw32\lib\python27\ssl.py", line 440, in create_default_context
        context.load_default_certs(purpose)
      File "Z:\usr\x86_64-w64-mingw32\lib\python27\ssl.py", line 391, in load_default_certs
        self._load_windows_store_certs(storename, purpose)
      File "Z:\usr\x86_64-w64-mingw32\lib\python27\ssl.py", line 383, in _load_windows_store_certs
        self.load_verify_locations(cadata=certs)
    ValueError: Empty certificate data
msg261555 - Author: Baji (baji) * Date: 2016-03-11 10:18
Protected the certs with an if statement.
msg261939 - Author: Roundup Robot (python-dev) (Python triager) Date: 2016-03-17 22:03
New changeset 8df52636b0dc by Steve Dower in branch '2.7':
Issue #26313: ssl.py _load_windows_store_certs fails if windows cert store is empty. Patch by Baji.
https://hg.python.org/cpython/rev/8df52636b0dc
msg261940 - Author: Roundup Robot (python-dev) (Python triager) Date: 2016-03-17 22:03
New changeset eb2c2671e7d6 by Steve Dower in branch '3.5':
Issue #26313: ssl.py _load_windows_store_certs fails if windows cert store is empty. Patch by Baji.
https://hg.python.org/cpython/rev/eb2c2671e7d6

New changeset 97cd199944c3 by Steve Dower in branch 'default':
Issue #26313: ssl.py _load_windows_store_certs fails if windows cert store is empty. Patch by Baji.
https://hg.python.org/cpython/rev/97cd199944c3
msg261941 - Author: Steve Dower (steve.dower) * (Python committer) Date: 2016-03-17 22:04
Thanks! Fixed for 3.6, 3.5 and 2.7.
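
The failure and the suggested "if certs:" guard from this issue, as an added example (not code from ssl.py or from the patch). `load_store_certs`, its `guard` flag and `CONSTRUCTED_STORE` are assumptions made for illustration; the constructed list stands in for the Windows-only `ssl.enum_certificates`. The example goes one step beyond the report by also covering a store that has entries which are all filtered out, which leaves `certs` empty in the same way.

```python
import ssl

# Constructed stand-in for ssl.enum_certificates(storename) (Windows only).
# Tuples are (cert_bytes, encoding, trust), as in the loop quoted in the issue.
# The byte strings are placeholders; both entries are filtered out, so they
# are never parsed.
CONSTRUCTED_STORE = [
    (b"placeholder-pkcs7", "pkcs_7_asn", True),               # wrong encoding
    (b"placeholder-der", "x509_asn", {"1.3.6.1.5.5.7.3.2"}),  # clientAuth only
]


def load_store_certs(context, entries, purpose, guard):
    """Filter loop from the issue; guard=True adds the 'if certs:' check."""
    certs = bytearray()
    for cert, encoding, trust in entries:
        # CA certs are never PKCS#7 encoded
        if encoding == "x509_asn":
            if trust is True or purpose.oid in trust:
                certs.extend(cert)
    if certs or not guard:
        context.load_verify_locations(cadata=certs)
    return certs


def demo():
    """Run both variants against an empty store and a fully filtered one."""
    purpose = ssl.Purpose.SERVER_AUTH
    results = {}
    for name, entries in (("empty", []), ("filtered", CONSTRUCTED_STORE)):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            load_store_certs(ctx, entries, purpose, guard=False)
            unguarded = "no error"
        except ValueError as exc:
            unguarded = str(exc)
        load_store_certs(ctx, entries, purpose, guard=True)
        # Record the unguarded outcome, CA count after the guarded load, and
        # the verification mode the context is left in.
        ca_count = ctx.cert_store_stats()["x509_ca"]
        results[name] = (unguarded, ca_count, ctx.verify_mode)
    return results


if __name__ == "__main__":
    for store, outcome in demo().items():
        print(store, outcome)
```

With the guard, the context ends up holding zero CA certificates while `verify_mode` stays `CERT_REQUIRED`, so a later handshake fails certificate verification instead of context creation raising `ValueError`.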
History
Date User Action Args
2016-03-17 22:04:16 steve.dower set status: open -> closed; versions: + Python 3.5, Python 3.6; messages: + msg261941; resolution: fixed; stage: resolved
2016-03-17 22:03:43 python-dev set messages: + msg261940
2016-03-17 22:03:43 python-dev set nosy: + python-dev; messages: + msg261939
2016-03-11 10:18:30 baji set files: + issue26313.diff; nosy: + baji; messages: + msg261555; keywords: + patch
2016-03-11 09:23:29 yan12125 set nosy: + yan12125; messages: + msg261552
2016-02-08 20:09:48 Jonathan Kamens create