From 932f5cc1d7dc5ef2c85ff0f38b9cf8879c733521 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Thu, 11 Dec 2014 13:58:00 -0500 Subject: [PATCH 1/7] Add tests for Context.check_privatekey. --- OpenSSL/test/test_ssl.py | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/OpenSSL/test/test_ssl.py b/OpenSSL/test/test_ssl.py index 44980d53a..bbd97e6b5 100644 --- a/OpenSSL/test/test_ssl.py +++ b/OpenSSL/test/test_ssl.py @@ -507,6 +507,43 @@ def test_use_certificate_file_long(self): ctx.use_certificate_file(pem_filename, long(FILETYPE_PEM)) + def test_check_privatekey_valid(self): + """ + :py:obj:`Context.check_privatekey` returns :py:obj:`None` if the + :py:obj:`Context` instance has been configured to use a matched key and + certificate pair. + """ + key = load_privatekey(FILETYPE_PEM, client_key_pem) + cert = load_certificate(FILETYPE_PEM, client_cert_pem) + context = Context(TLSv1_METHOD) + context.use_privatekey(key) + context.use_certificate(cert) + self.assertIs(None, context.check_privatekey()) + + + def test_check_privatekey_invalid(self): + """ + :py:obj:`Context.check_privatekey` raises :py:obj:`Error` if the + :py:obj:`Context` instance has been configured to use a key and + certificate pair which don't relate to each other. + """ + key = load_privatekey(FILETYPE_PEM, client_key_pem) + cert = load_certificate(FILETYPE_PEM, server_cert_pem) + context = Context(TLSv1_METHOD) + context.use_privatekey(key) + context.use_certificate(cert) + self.assertRaises(Error, context.check_privatekey) + + + def test_check_privatekey_wrong_args(self): + """ + :py:obj:`Context.check_privatekey` raises :py:obj:`TypeError` if called + with other than no arguments. + """ + context = Context(TLSv1_METHOD) + self.assertRaises(TypeError, context.check_privatekey, object()) + + def test_set_app_data_wrong_args(self): """ :py:obj:`Context.set_app_data` raises :py:obj:`TypeError` if called with other than 
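Review bot: None of the three new tests call `check_privatekey` on a `Context` that has no certificate or key configured at all, which is the case most likely to slip past an "always succeeds" regression of the kind these tests guard against. As far as I recall OpenSSL's `SSL_CTX_check_private_key` reports a missing certificate or key as a failure rather than a pass, so a bare `Context(TLSv1_METHOD)` should raise `Error` exactly as the mismatched pair in `test_check_privatekey_invalid` does — worth confirming against the library before pinning it. The test below would slot in after `test_check_privatekey_invalid`. The trailing context lines belong to `test_set_app_data_wrong_args`, whose body continues past the hunk.

```python
    def test_check_privatekey_unset(self):
        """
        :py:obj:`Context.check_privatekey` raises :py:obj:`Error` if the
        :py:obj:`Context` instance has had neither a private key nor a
        certificate configured.
        """
        context = Context(TLSv1_METHOD)
        self.assertRaises(Error, context.check_privatekey)
```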
From a03449287727239f58f1c319bff134ebc7f2013a Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Thu, 11 Dec 2014 14:02:31 -0500 Subject: [PATCH 2/7] Add the necessary SSL_CTX_check_private_key call and error handling. --- OpenSSL/SSL.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/OpenSSL/SSL.py b/OpenSSL/SSL.py index 7b1cbc1b4..751cc2adc 100644 --- a/OpenSSL/SSL.py +++ b/OpenSSL/SSL.py @@ -492,6 +492,9 @@ def check_privatekey(self): :return: None (raises an exception if something's wrong) """ + if not _lib.SSL_CTX_check_private_key(self._context): + _raise_current_error() + def load_client_ca(self, cafile): """ From 01209075d4214b4e7104cd5c0ca5fb09b7724cbe Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Thu, 11 Dec 2014 14:03:02 -0500 Subject: [PATCH 3/7] Tentatively bump the required version of cryptography necessary for the new OpenSSL API. --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index 14506309e..65a1b52ef 100755 --- a/setup.py +++ b/setup.py @@ -34,7 +34,7 @@ maintainer_email = 'exarkun@twistedmatrix.com', url = 'https://github.com/pyca/pyopenssl', license = 'APL2', - install_requires=["cryptography>=0.5.4", "six>=1.5.2"], + install_requires=["cryptography>=0.7", "six>=1.5.2"], long_description = """\ High-level wrapper around a subset of the OpenSSL library, includes * SSL.Connection objects, wrapping the methods of Python's portable From 5ab37af29fd602b49ce89fe54cbdf4c12cc81f5c Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Thu, 11 Dec 2014 14:05:24 -0500 Subject: [PATCH 4/7] ChangeLog --- ChangeLog | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ChangeLog b/ChangeLog index 291f9779e..3226ca770 100644 --- a/ChangeLog +++ b/ChangeLog 
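Review bot: The docstring the two added lines implement still ends with the vague `:return: None (raises an exception if something's wrong)`; now that the check really runs it should name the exception and its precondition, e.g. `:raises Error: if the private key does not match the certificate configured on this context; both must have been set via use_privatekey and use_certificate first.` The `if not ...: _raise_current_error()` pairing is the right shape, since per the ChangeLog in this series the method previously always succeeded, and surfacing OpenSSL's own reason string is what a caller needs to tell "key values mismatch" from a missing key. As far as I recall OpenSSL also treats an unassigned certificate or key as a failure here, so the docstring should not promise success on an unconfigured context — worth confirming. `check_privatekey`'s `def` line and the start of its docstring lie outside the hunk, and the other hunk on this line is only the setup.py version bump.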
@@ -1,3 +1,8 @@ +2014-12-11 Jean-Paul Calderone + + * OpenSSL/SSL.py: Fixed a regression ``Context.check_privatekey`` + causing it to always succeed - even if it should fail. + 2014-08-21 Alex Gaynor * OpenSSL/crypto.py: Fixed a regression where calling ``load_pkcs7_data`` From a35801674c3cd91c45b41f552e1a2ed96b62cbad Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Fri, 12 Dec 2014 18:39:20 -0500 Subject: [PATCH 5/7] Perhaps this is a sensible way to declare a dependency on post-0.6.1 master? Perhaps not, I'm not sure. This might be nonsense. --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index 65a1b52ef..8d9d12a53 100755 --- a/setup.py +++ b/setup.py @@ -34,7 +34,7 @@ maintainer_email = 'exarkun@twistedmatrix.com', url = 'https://github.com/pyca/pyopenssl', license = 'APL2', - install_requires=["cryptography>=0.7", "six>=1.5.2"], + install_requires=["cryptography>=0.7.dev0", "six>=1.5.2"], long_description = """\ High-level wrapper around a subset of the OpenSSL library, includes * SSL.Connection objects, wrapping the methods of Python's portable From 77b3d0888a38808f9f00440ada01001c55451356 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Fri, 12 Dec 2014 20:04:35 -0500 Subject: [PATCH 6/7] Give assertIs and assertIsNot their stdlib-preferred names. --- OpenSSL/test/util.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/OpenSSL/test/util.py b/OpenSSL/test/util.py index 21bbdc45f..4260eb0bf 100644 --- a/OpenSSL/test/util.py +++ b/OpenSSL/test/util.py @@ -227,7 +227,7 @@ def assertNotIn(self, containee, container, msg=None): failIfIn = assertNotIn - def failUnlessIdentical(self, first, second, msg=None): + def assertIs(self, first, second, msg=None): """ Fail the test if :py:data:`first` is not :py:data:`second`. This is an obect-identity-equality test, not an object equality 
@@ -239,10 +239,10 @@ def failUnlessIdentical(self, first, second, msg=None): if first is not second: raise self.failureException(msg or '%r is not %r' % (first, second)) return first - assertIdentical = failUnlessIdentical + assertIdentical = failUnlessIdentical = assertIs - def failIfIdentical(self, first, second, msg=None): + def assertIsNot(self, first, second, msg=None): """ Fail the test if :py:data:`first` is :py:data:`second`. This is an obect-identity-equality test, not an object equality @@ -254,7 +254,7 @@ def failIfIdentical(self, first, second, msg=None): if first is second: raise self.failureException(msg or '%r is %r' % (first, second)) return first - assertNotIdentical = failIfIdentical + assertNotIdentical = failIfIdentical = assertIsNot def failUnlessRaises(self, exception, f, *args, **kwargs): From 7cf3b47ef61479820e5bf779dea84fc2d09fae07 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Sun, 18 Jan 2015 18:35:40 -0500 Subject: [PATCH 7/7] 0.7 was released. --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index 8d9d12a53..65a1b52ef 100755 --- a/setup.py +++ b/setup.py @@ -34,7 +34,7 @@ maintainer_email = 'exarkun@twistedmatrix.com', url = 'https://github.com/pyca/pyopenssl', license = 'APL2', - install_requires=["cryptography>=0.7.dev0", "six>=1.5.2"], + install_requires=["cryptography>=0.7", "six>=1.5.2"], long_description = """\ High-level wrapper around a subset of the OpenSSL library, includes * SSL.Connection objects, wrapping the methods of Python's portable