v1.9.11 (#19)

MetLife · Feb 21, 2023 · 4e4b5bb · 4e4b5bb
1 parent 980f287
commit 4e4b5bb
Show file tree

Hide file tree

Showing 12 changed files with 169 additions and 122 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -2,20 +2,25 @@
 // https://github.com/microsoft/vscode-dev-containers/tree/v0.205.2/containers/docker-existing-dockerfile
 {
 	"name": "Existing Dockerfile",
-
 	// Sets the run context to one level up instead of the .devcontainer folder.
 	"context": "..",
-
 	// Update the 'dockerFile' property if you aren't using the standard 'Dockerfile' filename.
 	"dockerFile": "../Dockerfile",
-
 	// Set *default* container specific settings.json values on container create.
-	"settings": {
-		"terminal.integrated.defaultProfile.linux": "bash",
-		"terminal.integrated.profiles.linux": { "bash": { "path": "bash" } } 
+	"customizations": {
+		"vscode": {
+			"extensions": [
+				"ms-python.vscode-pylance",
+				"visualstudioexptteam.vscodeintellicode"
+			],
+			"terminal.integrated.defaultProfile.linux": "bash",
+			"terminal.integrated.profiles.linux": {
+				"bash": {
+					"path": "bash"
+				}
+			}
+		}
 	},
-	"extensions": ["ms-python.vscode-pylance",
-				   "visualstudioexptteam.vscodeintellicode"],
-	"postCreateCommand": "pip install --no-cache-dir --quiet -r /home/ocspdev/OcspChecker/requirements.txt",
+	"postCreateCommand": "pip install --no-cache-dir --user --quiet -r /home/ocspdev/OcspChecker/requirements.txt",
 	"remoteUser": "ocspdev"
 }
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -7,11 +7,20 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [3.7, 3.8, 3.9]
+        python-version: ["3.7", "3.8", "3.9", "3.10", "3.11"]
+        os:
+          [
+            ubuntu-20.04,
+            ubuntu-22.04,
+            windows-2022,
+            windows-2019,
+            macos-12,
+            macos-11,
+          ]
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # tag=v3.3.0
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # tag=v4.5.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install tools
@@ -24,27 +33,27 @@ jobs:
         run: |
           tox -e py
       - name: Upload test results
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # tag=v3.1.2
         with:
           name: pytest-results for ${{ matrix.python-version }}
-          path: '**/test-output.xml'
+          path: "**/test-output.xml"
       - name: Upload coverage results
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # tag=v3.1.2
         with:
           name: pytest-results for ${{ matrix.python-version }}
-          path: '**/coverage.xml'
+          path: "**/coverage.xml"
         if: ${{ always() }}
 
   build:
     runs-on: ubuntu-latest
     needs: test
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # tag=v3.3.0
       - name: Set up Python 3.x
         uses: actions/setup-python@v2
         with:
-          python-version: '3.9'
-          architecture: 'x64'
+          python-version: "3.9"
+          architecture: "x64"
       - name: Install tools
         run: |
           python -m pip install --upgrade pip setuptools wheel
@@ -60,7 +69,7 @@ jobs:
         with:
           artifact_path: dist/
       - name: Upload provenance
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # tag=v3.1.2
         with:
           name: OCSP-Checker provenance
           path: build.provenance
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -54,3 +54,10 @@
 - removed a test that will never be able to run in the context of a docker container
 - Improved errors returned to the user for various OpenSSL errors
 - switch from get_received_chain to the get_verified_chain method in NaSSL to ensure the certificate is validated before we try any operations
+
+# v1.9.11
+- bump all dependencies
+- moved to pyproject.toml for project definition
+- added tests for python 3.10 and 3.11
+- added coverage across macOS, Linux, and Windows
+- fixed two broken tests and commented one out for now
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 # Usually you do not have to specify amd64, but on an Apple M1 you do if you want to use packages
 # that are not optimized for arm64 like NaSSL
-FROM --platform=amd64 python:3.9.9-slim-bullseye
+FROM --platform=amd64 python:3.11.1-slim-bullseye
 
 SHELL ["/bin/bash", "--login", "-c"]
 
@@ -10,12 +10,12 @@ ENV LANG C.UTF-8
 RUN useradd -m ocspdev
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
-		ca-certificates \
-		netbase \
-        curl \
-        git \
-        bash-completion \
-	&& rm -rf /var/lib/apt/lists/*
+    ca-certificates \
+    netbase \
+    curl \
+    git \
+    bash-completion \
+    && rm -rf /var/lib/apt/lists/*
 
 RUN pip install --no-cache-dir --quiet --upgrade pip setuptools wheel \
     pip install --no-cache-dir --quiet pytest pytest-cov && \

diff --git a/README.md b/README.md
@@ -15,6 +15,13 @@ __Python__ - Python 3.7 (64-bit) and above.
 
 ## Installation
 
+It is strongly recommended to run ocsp-checker in a virtual environment. This will prevent you from impacting your system python when installing its dependencies. [venv](https://docs.python.org/3/library/venv.html) is a good option, with an example below:
+
+```python -m venv ocsp-checker```
+```cd ocsp-checker && source bin/activate```
+
+Once your virtual environment is activated, install ocsp-checker as follows:
+
 ```pip install ocsp-checker```
 
 ## Usage

diff --git a/ocspchecker/ocspchecker.py b/ocspchecker/ocspchecker.py
@@ -20,13 +20,18 @@
 from nassl._nassl import OpenSSLError
 from nassl.cert_chain_verifier import CertificateChainVerificationFailed
 from nassl.ssl_client import (
-    ClientCertificateRequested, OpenSslVerifyEnum, OpenSslVersionEnum, SslClient)
+    ClientCertificateRequested,
+    OpenSslVerifyEnum,
+    OpenSslVersionEnum,
+    SslClient,
+)
 from validators import domain, url
 
 
 class InitialConnectionError(Exception):
-    """ Custom exception class to differentiate between
-     initial connection errors and OpenSSL errors """
+    """Custom exception class to differentiate between
+    initial connection errors and OpenSSL errors"""
+
     pass
 
 
@@ -35,20 +40,25 @@ class InitialConnectionError(Exception):
 
 openssl_errors: dict = {
     # https://github.com/openssl/openssl/issues/6805
-     "1408F10B": "The remote host is not using SSL/TLS on the port specified."
+    "1408F10B": "The remote host is not using SSL/TLS on the port specified."
     # TLS Fatal Alert 40 - sender was unable to negotiate an acceptable set of security
     # parameters given the options available
-    ,"14094410": "SSL/TLS Handshake Failure."
+    ,
+    "14094410": "SSL/TLS Handshake Failure."
     # TLS Fatal Alert 112 - the server understood the ClientHello but did not recognize
     # the server name per: https://datatracker.ietf.org/doc/html/rfc6066#section-3
-    ,"14094458": "Unrecognized server name provided. Check your target and try again."
+    ,
+    "14094458": "Unrecognized server name provided. Check your target and try again."
     # TLS Fatal Alert 50 - a field was out of the specified range
     # or the length of the message was incorrect
-    ,"1417B109": "Decode Error. Check your target and try again."
+    ,
+    "1417B109": "Decode Error. Check your target and try again."
     # TLS Fatal Alert 80 - Internal Error
-    ,"14094438": "TLS Fatal Alert 80 - Internal Error."
+    ,
+    "14094438": "TLS Fatal Alert 80 - Internal Error."
     # Unable to find public key parameters
-    ,"140070EF": "Unable to find public key parameters."
+    ,
+    "140070EF": "Unable to find public key parameters.",
 }
 
 
@@ -133,7 +143,9 @@ def get_certificate_chain(host: str, port: int) -> List[str]:
         ) from None
 
     except ConnectionRefusedError:
-        raise InitialConnectionError(f"{func_name}: Connection to {host}:{port} refused.") from None
+        raise InitialConnectionError(
+            f"{func_name}: Connection to {host}:{port} refused."
+        ) from None
 
     except OSError:
         raise InitialConnectionError(
@@ -149,7 +161,7 @@ def get_certificate_chain(host: str, port: int) -> List[str]:
         ssl_version=OpenSslVersionEnum.SSLV23,
         underlying_socket=soc,
         ssl_verify=OpenSslVerifyEnum.NONE,
-        ssl_verify_locations=path_to_ca_certs
+        ssl_verify_locations=path_to_ca_certs,
     )
 
     # Add Server Name Indication (SNI) extension to the Client Hello
@@ -165,16 +177,19 @@ def get_certificate_chain(host: str, port: int) -> List[str]:
         ) from None
 
     except CertificateChainVerificationFailed:
-        raise ValueError(f"{func_name}: Certificate Verification failed for {host}.") from None
+        raise ValueError(
+            f"{func_name}: Certificate Verification failed for {host}."
+        ) from None
 
     except ClientCertificateRequested:
-        raise ValueError(f"{func_name}: Client Certificate Requested for {host}.") from None
+        raise ValueError(
+            f"{func_name}: Client Certificate Requested for {host}."
+        ) from None
 
     except OpenSSLError as err:
         for key, value in openssl_errors.items():
             if key in err.args[0]:
-                raise ValueError(f"{func_name}: {value}"
-            ) from None
+                raise ValueError(f"{func_name}: {value}") from None
 
         raise ValueError(f"{func_name}: {err}") from None
 

diff --git a/pyproject.toml b/pyproject.toml
@@ -0,0 +1,41 @@
+[build-system]
+requires = ["setuptools>=61.0.0", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name="ocsp-checker"
+version="1.9.11"
+description="Library used to check the OCSP revocation status for a x509 digital certificate."
+
+readme= {file = "README.md", content-type = "text/markdown"}
+authors=[{ name = "Joe Gatt", email = "[email protected]" }]
+license= {file = "LICENSE.txt" }
+classifiers=[
+    "License :: OSI Approved :: Apache Software License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.7",
+    "Programming Language :: Python :: 3.8",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+]
+keywords=["ssl, tls, ocsp, python, security"]
+dependencies = [
+    "cryptography==39",
+    "nassl==5.0",
+    "validators>=0.20.0",
+    "certifi",
+]
+requires-python = ">=3.7"
+
+[tools.setuptools.packages]
+find = {}
+
+[project.urls]
+"homepage" = "https://github.com/MetLife/OCSPChecker"
+"documentation" = "https://github.com/MetLife/OCSPChecker/blob/master/README.md"
+"repository" = "https://github.com/MetLife/OCSPChecker"
+"changelog" = "https://github.com/MetLife/OCSPChecker/blob/master/CHANGELOG.md"
+
+[project.scripts]
+ocspchecker = "ocspchecker.__main__:main"
diff --git a/requirements.txt b/requirements.txt
@@ -1,8 +1,8 @@
 certifi
-cffi==1.15.0
-cryptography>=36,<37
-decorator==5.1.0
-nassl>=4.0.1
+cffi==1.15.1
+cryptography==39
+decorator==5.1.1
+nassl==5.0.0
 pycparser==2.21
 six==1.16.0
-validators==0.18.2
+validators==0.20.0
diff --git a/setup.py b/setup.py