X509Backend support in OpenSSL backend#1499
Conversation
|
Test FAILed. |
docs/x509.rst
Outdated
There was a problem hiding this comment.
This should probably say something like: "X.509 certificate are commonly used in protocols like TLS."
reaperhulk
force-pushed
the
x509-ossl-impl
branch
from
68af062 to
26db73e
Compare
|
Test PASSed. |
|
You should be able to rebase the vector loader changes out now |
reaperhulk
force-pushed
the
x509-ossl-impl
branch
from
26db73e to
a020fd1
Compare
|
Test PASSed. |
|
Test FAILed. |
|
Test failures relevant On Thu Nov 27 2014 at 2:06:09 PM jenkins-cryptography <
|
|
Test PASSed. |
There was a problem hiding this comment.
We have a bytes_to_bio utility method in the backend, should we have a bio_to_bytes too?
There was a problem hiding this comment.
Yeah probably should. These methods are also present in #1503 (I pulled them from this PR and hoisted them into the backend itself). If that PR lands first I'll rebase this one against it.
There was a problem hiding this comment.
Apparently BIO_get_mem_data is only useful for memory BIOs so I don't want to generically call the _read_mem_bio method bio_to_bytes. I am going to move them to live next to each other in the backend though.
|
Test PASSed. |
|
Test PASSed. |
docs/index.rst
Outdated
|
Test PASSed. |
|
Oop, sorry, one more thing: I think |
|
Test PASSed. |
|
Test PASSed. |
docs/x509.rst
Outdated
There was a problem hiding this comment.
Thinking about it some more, I'd like if all of these attributes / methods showed an example of accessing them, using the cert we parse above.
|
Test PASSed. |
|
What is the deal with me and over-indenting lately. |
|
Test PASSed. |
Slight cleanup to teh docs
|
Test PASSed. |
docs/x509.rst
Outdated
There was a problem hiding this comment.
Can you slap a :type: int on this, and "Returns the raw version"
|
Ok. One last comment and then I'll merge. |
|
Test PASSed. |
There was a problem hiding this comment.
Shit I just realized this, but should this checking for a thing with an unnamed curve be in _evp_pkey_to_public_key? It seems like it could occur with regular key loading as well?
There was a problem hiding this comment.
Might be a good idea. Right now in our OpenSSL EC key classes we call _ec_key_curve_sn which asserts that EC_GROUP_get_curve_name isn't undef. We could hoist this check into EC key stuff for now. I'd like to put that in as a separate PR.
There was a problem hiding this comment.
Ok!
On Wed Dec 17 2014 at 1:15:28 PM Paul Kehrer notifications@github.com
wrote:
In src/cryptography/hazmat/backends/openssl/x509.py
#1499 (diff):
pkey.type == self._backend._lib.EVP_PKEY_EC):ec_cdata = self._backend._lib.EVP_PKEY_get1_EC_KEY(pkey)assert ec_cdata != self._backend._ffi.NULLec_cdata = self._backend._ffi.gc(ec_cdata, self._backend._lib.EC_KEY_free)group = self._backend._lib.EC_KEY_get0_group(ec_cdata)assert group != self._backend._ffi.NULLnid = self._backend._lib.EC_GROUP_get_curve_name(group)if nid == self._backend._lib.NID_undef:raise NotImplementedError("ECDSA certificates with unnamed curves are unsupported ""at this time")
Might be a good idea. Right now in our OpenSSL EC key classes we call
_ec_key_curve_sn which asserts that EC_GROUP_get_curve_name isn't undef.
We could hoist this check into EC key stuff for now. I'd like to put that
in as a separate PR.—
Reply to this email directly or view it on GitHub
https://github.com/pyca/cryptography/pull/1499/files#r22004752.
X509Backend support in OpenSSL backend
|
Should the dependency be omitted on Python 3.4+, or does |
|
We could skip installing. Right now it's just installed and ignored. On Wed Dec 17 2014 at 10:19:32 PM Felix Yan notifications@github.com
|
|
Thanks, I'm going to sed the line out on Arch for now. |
8 participants
This PR adds a dependency on
enum34. I am expecting some improvements to be needed in the docs along with potentially some comments required to explain the purpose of some of the tests.TODO:
Depends on #1498.