ssl.py _load_windows_store_certs fails if windows cert store is empty

[JonathanKamens]

BPO	26313
Nosy	@pfmoore, @tjguk, @zware, @zooba, @yan12125
Files	issue26313.diff

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2016-03-17.22:04:16.425>
created_at = <Date 2016-02-08.20:09:48.699>
labels = ['OS-windows']
title = 'ssl.py _load_windows_store_certs fails if windows cert store is empty'
updated_at = <Date 2016-03-17.22:04:16.423>
user = 'https://bugs.python.org/JonathanKamens'

bugs.python.org fields:

activity = <Date 2016-03-17.22:04:16.423>
actor = 'steve.dower'
assignee = 'none'
closed = True
closed_date = <Date 2016-03-17.22:04:16.425>
closer = 'steve.dower'
components = ['Windows']
creation = <Date 2016-02-08.20:09:48.699>
creator = 'Jonathan Kamens'
dependencies = []
files = ['42127']
hgrepos = []
issue_num = 26313
keywords = ['patch']
message_count = 6.0
messages = ['259880', '261552', '261555', '261939', '261940', '261941']
nosy_count = 8.0
nosy_names = ['paul.moore', 'tim.golden', 'python-dev', 'zach.ware', 'steve.dower', 'Jonathan Kamens', 'yan12125', 'baji']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = None
url = 'https://bugs.python.org/issue26313'
versions = ['Python 2.7', 'Python 3.5', 'Python 3.6']

[JonathanKamens]

In ssl.py:

    def _load_windows_store_certs(self, storename, purpose):
        certs = bytearray()
        for cert, encoding, trust in enum_certificates(storename):
            # CA certs are never PKCS#7 encoded                                 
            if encoding == "x509_asn":
                if trust is True or purpose.oid in trust:
                    certs.extend(cert)
        self.load_verify_locations(cadata=certs)
        return certs

The line right before the return statement will raise an exception if certs is empty.

It should be protected with "if certs:" as it is elsewhere in this file.

[yan12125]

The same issue is reported at ytdl-org/youtube-dl#8132, too. Empty Windows cert store is uncommon. The only case I found so far is on Wine. Steps to reproduce:

1. On Arch Linux x86_64, install mingw-w64-python2-bin from AUR
2. Run the following command:
$ WINEDEBUG=fixme-all PYTHONPATH=/usr/x86_64-w64-mingw32/lib/python27 wine /usr/x86_64-w64-mingw32/bin/python2.exe -c 'import ssl; ssl.create_default_context()' 
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "Z:\usr\x86_64-w64-mingw32\lib\python27\ssl.py", line 440, in create_default_context
    context.load_default_certs(purpose)
  File "Z:\usr\x86_64-w64-mingw32\lib\python27\ssl.py", line 391, in load_default_certs
    self._load_windows_store_certs(storename, purpose)
  File "Z:\usr\x86_64-w64-mingw32\lib\python27\ssl.py", line 383, in _load_windows_store_certs
    self.load_verify_locations(cadata=certs)
ValueError: Empty certificate data

[baji]

Protected the certs with if statement

[python-dev]

New changeset 8df52636b0dc by Steve Dower in branch '2.7':
Issue bpo-26313: ssl.py _load_windows_store_certs fails if windows cert store is empty. Patch by Baji.
https://hg.python.org/cpython/rev/8df52636b0dc

[python-dev]

New changeset eb2c2671e7d6 by Steve Dower in branch '3.5':
Issue bpo-26313: ssl.py _load_windows_store_certs fails if windows cert store is empty. Patch by Baji.
https://hg.python.org/cpython/rev/eb2c2671e7d6

New changeset 97cd199944c3 by Steve Dower in branch 'default':
Issue bpo-26313: ssl.py _load_windows_store_certs fails if windows cert store is empty. Patch by Baji.
https://hg.python.org/cpython/rev/97cd199944c3

[zooba]

Thanks! Fixed for 3.6, 3.5 and 2.7.