wbond/certvalidator is unmaintained and we will only be using it as inspiration. However, there has been some movement on cryptography: the verify_directly_issued_by() API will be released in cryptography 40.0. So the path to retiring pyOpenSSL looks like this:
Replace signxml.util.verify_x509_cert_chain() with a mixin (or separate library, since our sister library tsp-client needs the same functionality) that can build a chain using verify_directly_issued_by and verify point-in-time validity and extensions using an API inspired by certvalidator.context.ValidationContext. The logic here would have to be inspired by a close reading of certvalidator code and any code referenced by pyca/cryptography#2381 (Add x509 Certificate Validation).
SignXML uses two major bits of pyOpenSSL functionality:
I've identified two strategies so far: