Fix Python bindings of X509Certificate #12012

@touilleMan

See for instance this seemingly correct code:

    try:
        certificates = [
            X509Certificate.from_der(raw_leaf),
            *(X509Certificate.from_der(raw) for raw in raw_intermediates)
        ]
    except ValueError:
        return ValidateX509TrustchainBadOutcome.INVALID_DER_X509_CERTIFICATE

    current = certificates[0]
    already_seen: set[bytes] = set()
    while True:
        already_seen.add(current.subject())
...

The trick is X509Certificate.from_der never raises any exception! Instead the actual certificate validation is done lazily when calling current.subject() :/

This is error prone and not needed. Instead we should:

  • Have X509Certificate.from_der do the validation and raise a ValueError if the provided certificate is invalid
  • Rename X509Certificate.try_from_pem into X509Certificate.from_pem and also have this function do the validation eagerly (the try_ prefix is not something Pythonic)
  • Replace the subject() and issuer() methods by simple properties
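
An added illustration of the pitfall described in this issue (not the project's code): `LazyCert` and `EagerCert` are hypothetical stand-ins for the binding, and "validation" is reduced to checking the outer DER SEQUENCE header, whose content stands in for the subject. With the lazy class the `except ValueError` guard never fires and the malformed input only fails later, outside the guard.

```python
# Hypothetical stand-ins, not the project's bindings. "Validation" is reduced
# to checking the outer DER SEQUENCE header (assumption for this example).
GOOD = bytes([0x30, 0x03, 1, 2, 3])  # constructed: well-formed SEQUENCE
BAD = b"\xff\x00"                    # constructed: not a SEQUENCE

def sequence_content(der: bytes) -> bytes:
    """Return the content of the outer DER SEQUENCE or raise ValueError."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    length, offset = der[1], 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if len(der) - offset != length:
        raise ValueError("DER length mismatch")
    return der[offset:]

class LazyCert:
    """Behaviour described in the issue: from_der never raises."""
    def __init__(self, der: bytes) -> None:
        self._der = der
    @classmethod
    def from_der(cls, der: bytes) -> "LazyCert":
        return cls(der)  # bytes are only stored
    def subject(self) -> bytes:
        return sequence_content(self._der)  # validation happens here

class EagerCert:
    """Proposed behaviour: from_der validates, subject is a property."""
    def __init__(self, content: bytes) -> None:
        self._content = content
    @classmethod
    def from_der(cls, der: bytes) -> "EagerCert":
        return cls(sequence_content(der))  # ValueError surfaces here
    @property
    def subject(self) -> bytes:
        return self._content

def load_chain(cert_cls, raw_leaf: bytes, raw_intermediates: list[bytes]):
    """Same shape as the snippet in the issue: only construction is guarded."""
    try:
        return [cert_cls.from_der(raw) for raw in (raw_leaf, *raw_intermediates)]
    except ValueError:
        return "INVALID_DER_X509_CERTIFICATE"
```
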
