support CRLDistributionPoints in the OpenSSL backend #1920
Conversation
|
(note: _build_general_names should be used to replace a bunch of boilerplate in a future PR once this merges) |
|
I'm not sure I understand this comment. |
|
If you mean the comment I just put on this, that's a note to myself because I added |
|
Can we do it in the reverse order, a PR to use that first? On Sun, May 10, 2015 at 5:49 PM, Paul Kehrer notifications@github.com
"I disapprove of what you say, but I will defend to the death your right to |
|
Sure, #1921 (this will be rebased against that once it merges) |
2 similar comments
|
@reaperhulk ready for that rebase |
|
This has been rebased |
|
Ok, I was just about to adjust my changes to your last putback but i see you are already way ahead. |
|
Yeah @etrauschke I based the work on your patch and expanded it from there. We do have a relative name test in here already (see line 1668). |
|
Yes, but you don't test that decoding an actual certificate with a relative name actually works. So what you are testing is your abstraction, but not the code which pulls the information from the OpenSSL backend. |
|
I don't think I follow. The test (test_relativename_and_crl_issuer) loads a DER certificate with an encoded relativename, parses it, and then does an equality check. This should exercise the backend unless I'm completely misunderstanding. |
|
Sorry, I'm an idiot. You're right, never mind. |
There was a problem hiding this comment.
The conversion to _asn1_string_to_utf8 was lost.
There was a problem hiding this comment.
Hmm, should this use CRL_REASON_UNSPECIFIED and friends from OpenSSL?
There was a problem hiding this comment.
We could; they're defined in the RFC though so the OpenSSL defines aren't as important in my opinion. If we did choose to do it we'd probably want to make a list and then iterate over that?
There was a problem hiding this comment.
A series of if statements seems ok to me. I think I'd prefer if we used
OpenSSL's constants.
On Tue, May 12, 2015 at 11:38 PM, Paul Kehrer notifications@github.com
wrote:
In src/cryptography/hazmat/backends/openssl/x509.py
#1920 (comment):
reasons = []# We will check each bit from RFC 5280# ReasonFlags ::= BIT STRING {# unused (0),# keyCompromise (1),# cACompromise (2),# affiliationChanged (3),# superseded (4),# cessationOfOperation (5),# certificateHold (6),# privilegeWithdrawn (7),# aACompromise (8) }for bit in range(1, 9):if self._backend._lib.ASN1_BIT_STRING_get_bit(cdp.reasons, bit):We could; they're defined in the RFC though so the OpenSSL defines aren't
as important in my opinion. If we did choose to do it we'd probably want to
make a list and then iterate over that?—
Reply to this email directly or view it on GitHub
https://github.com/pyca/cryptography/pull/1920/files#r30200533.
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
There was a problem hiding this comment.
If we want a series of if statements I'll have to put a new vector in that sets every bit and also one that tests the negative cases not covered by the existing vectors. Obviously doable, but required if we want to maintain coverage.
There was a problem hiding this comment.
Ugh, right. Let me think.
On Tue, May 12, 2015 at 11:49 PM, Paul Kehrer notifications@github.com
wrote:
In src/cryptography/hazmat/backends/openssl/x509.py
#1920 (comment):
reasons = []# We will check each bit from RFC 5280# ReasonFlags ::= BIT STRING {# unused (0),# keyCompromise (1),# cACompromise (2),# affiliationChanged (3),# superseded (4),# cessationOfOperation (5),# certificateHold (6),# privilegeWithdrawn (7),# aACompromise (8) }for bit in range(1, 9):if self._backend._lib.ASN1_BIT_STRING_get_bit(cdp.reasons, bit):If we want a series of if statements I'll have to put a new vector in that
sets every bit and also one that tests the negative cases not covered by
the existing vectors. Obviously doable, but required if we want to maintain
coverage.—
Reply to this email directly or view it on GitHub
https://github.com/pyca/cryptography/pull/1920/files#r30200778.
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
There was a problem hiding this comment.
It appears the OpenSSL constants map to the CRLReason enumeration in RFC 5280 and not the ReasonFlags (which are close, but not identical). So we can't actually use the OpenSSL constants here. For reference:
ReasonFlags ::= BIT STRING {
unused (0),
keyCompromise (1),
cACompromise (2),
affiliationChanged (3),
superseded (4),
cessationOfOperation (5),
certificateHold (6),
privilegeWithdrawn (7),
aACompromise (8) }
CRLReason ::= ENUMERATED {
unspecified (0),
keyCompromise (1),
cACompromise (2),
affiliationChanged (3),
superseded (4),
cessationOfOperation (5),
certificateHold (6),
removeFromCRL (8),
privilegeWithdrawn (9),
aACompromise (10) }
OpenSSL's defines:
# define CRL_REASON_NONE -1
# define CRL_REASON_UNSPECIFIED 0
# define CRL_REASON_KEY_COMPROMISE 1
# define CRL_REASON_CA_COMPROMISE 2
# define CRL_REASON_AFFILIATION_CHANGED 3
# define CRL_REASON_SUPERSEDED 4
# define CRL_REASON_CESSATION_OF_OPERATION 5
# define CRL_REASON_CERTIFICATE_HOLD 6
# define CRL_REASON_REMOVE_FROM_CRL 8
# define CRL_REASON_PRIVILEGE_WITHDRAWN 9
# define CRL_REASON_AA_COMPROMISE 10
1 similar comment
support CRLDistributionPoints in the OpenSSL backend
4 participants
refs #1743