Fix logic for multiple separate paths in single chain

sfc-gh-pczajka · sfc-gh-pczajka · commit d41228cecb9b · 2025-10-07T17:28:19.000+02:00
diff --git a/src/snowflake/connector/crl.py b/src/snowflake/connector/crl.py
@@ -373,7 +373,18 @@ def traverse_chain(cert: x509.Certificate) -> CRLValidationResult | None:
             return CRLValidationResult.REVOKED
 
         is_being_visited.add(chain[0].subject)
-        return traverse_chain(chain[0])
+        error_result = False
+        revoked_result = False
+        for cert in subject_certificates[chain[0].subject]:
+            result = traverse_chain(cert)
+            if result == CRLValidationResult.UNREVOKED:
+                return result
+            error_result |= result == CRLValidationResult.ERROR
+            revoked_result |= result == CRLValidationResult.REVOKED
+
+        if error_result or not revoked_result:
+            return CRLValidationResult.ERROR
+        return CRLValidationResult.REVOKED
 
     def _is_certificate_trusted_by_os(self, cert: x509.Certificate) -> bool:
         if trusted_cert := self._trusted_ca.get(cert.subject):
diff --git a/test/unit/test_crl.py b/test/unit/test_crl.py
@@ -636,25 +636,17 @@ def test_cross_signed_certificate_chain(cert_gen, session_manager):
     ]
     assert not validator.validate_certificate_chains(chains)
 
-
-def test_cross_signed_certificate_chain_revoked_CA(cert_gen, session_manager):
-    chain = cert_gen.create_cross_signed_chain()
+    # mingled A and B paths passed in one chain - A has no connection to CA, B has
     chains = [
         [
             chain.leafA,
             chain.AsignB,
             chain.leafB,
-            chain.BsignA,
+            # chain.BsignA,
             chain.rootB,
-            chain.rootA,
+            # chain.rootA,
         ]
     ]
-    validator = CRLValidator(
-        session_manager,
-        cert_revocation_check_mode=CertRevocationCheckMode.ENABLED,
-        allow_certificates_without_crl_url=True,
-        trusted_certificates=[cert_gen.ca_certificate],
-    )
     assert validator.validate_certificate_chains(chains)
 
 
