Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upConversation
sholsapp
and others
added some commits
Jun 4, 2016
This comment has been minimized.
This comment has been minimized.
codecov-io
commented
Jun 4, 2016
•
Current coverage is 88.36%@@ master #483 diff @@
==========================================
Files 7 7
Lines 2059 2096 +37
Methods 0 0
Messages 0 0
Branches 367 367
==========================================
+ Hits 1815 1852 +37
Misses 130 130
Partials 114 114
|
dsully
referenced this pull request
Jun 4, 2016
Closed
Enable use of CRL (and more) in verify context #281
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| An X.509 store, being only a description, cannot be used by itself to | ||
| verify a certificate. To carry out the actual verification process, see | ||
| :py:class:`X509StoreContext`. |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| ALLOW_PROXY_CERTS = _lib.X509_V_FLAG_ALLOW_PROXY_CERTS | ||
| POLICY_CHECK = _lib.X509_V_FLAG_POLICY_CHECK | ||
| EXPLICIT_POLICY = _lib.X509_V_FLAG_EXPLICIT_POLICY | ||
| # FLAG_INHIBIT_ANY = _lib.X509_V_FLAG_FLAG_INHIBIT_ANY |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
dsully
Jun 4, 2016
Contributor
Please see the original diff, #281 - I can remove them if you'd like.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
hynek
Jun 4, 2016
Contributor
after talking to Paul: kill the commented out and also the comment above. if users ask for it we can still add them conditionally (i.e. getattr() style).
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| @@ -1452,6 +1477,46 @@ def add_cert(self, cert): | ||
| if not result: | ||
| _raise_current_error() |
This comment has been minimized.
This comment has been minimized.
hynek
Jun 4, 2016
Contributor
since you’re touching the code around here you could _openssl_assert-ize this as well :)
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| the associated flags are configured to check certificate revocation | ||
| lists. | ||
| .. versionadded:: 0.17 |
This comment has been minimized.
This comment has been minimized.
hynek
Jun 4, 2016
Contributor
there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| .. versionadded:: 0.17 | ||
| :param CRL crl: The certificate revocation list to add to this store. | ||
| :return: :py:data:`None` if the certificate revocation list was added |
This comment has been minimized.
This comment has been minimized.
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| suitable CRL must be added to the store otherwise an error will be | ||
| raised. | ||
| .. versionadded:: 0.17 |
This comment has been minimized.
This comment has been minimized.
hynek
Jun 4, 2016
Contributor
there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| .. versionadded:: 0.17 | ||
| :param int flags: The verification flags to set on this store. | ||
| :return: :py:data:`None` if the verification flags were |
This comment has been minimized.
This comment has been minimized.
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| verification parameters and certificate revocation lists. | ||
| An X.509 store context is used to carry out the actual verification process | ||
| of a certificate in a described context. For describing such a context, see | ||
| :py:class:`X509Store`. |
This comment has been minimized.
This comment has been minimized.
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| :param cert: The certificate used to sign the CRL. | ||
| :type cert: :py:class:`X509` | ||
| .. versionadded:: 0.17 |
This comment has been minimized.
This comment has been minimized.
hynek
Jun 4, 2016
Contributor
there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| :param key: The key used to sign the CRL. | ||
| :type key: :py:class:`PKey` | ||
| :return: :py:class:`X509Name` |
This comment has been minimized.
This comment has been minimized.
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| :param int days: The number of days until the next update of this CRL. | ||
| .. versionadded:: 0.17 |
This comment has been minimized.
This comment has been minimized.
hynek
Jun 4, 2016
Contributor
there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| .. versionadded:: 0.17 | ||
| :param int version: The version of the CRL. | ||
| :return: :py:const:`None` |
This comment has been minimized.
This comment has been minimized.
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| YYYYMMDDhhmmss+hhmm | ||
| YYYYMMDDhhmmss-hhmm | ||
| .. versionadded:: 0.17 |
This comment has been minimized.
This comment has been minimized.
hynek
Jun 4, 2016
Contributor
there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| .. versionadded:: 0.17 | ||
| :param bytes when: A timestamp string. | ||
| :return: :py:const:`None` |
This comment has been minimized.
This comment has been minimized.
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| YYYYMMDDhhmmss+hhmm | ||
| YYYYMMDDhhmmss-hhmm | ||
| .. versionadded:: 0.17 |
This comment has been minimized.
This comment has been minimized.
hynek
Jun 4, 2016
Contributor
there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| .. versionadded:: 0.17 | ||
| :param bytes when: A timestamp string. | ||
| :return: :py:const:`None` |
This comment has been minimized.
This comment has been minimized.
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| This method implicitly sets the issuer's name based on the issuer | ||
| certificate and private key used to sign the CRL. | ||
| .. versionadded:: 0.17 |
This comment has been minimized.
This comment has been minimized.
hynek
Jun 4, 2016
Contributor
there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| :param bytes digest: The name of the message digest to use (eg | ||
| ``b"sha1"``). | ||
| :return: :py:data:`bytes` |
This comment has been minimized.
This comment has been minimized.
hynek
Jun 4, 2016
Contributor
please make this an
:rtype: bytes
and it’s fine to have an empty line between the params and the return docs.
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| :return: :py:data:`bytes` | ||
| """ | ||
| # TODO: fix this function to use functionality added in version 0.16. |
This comment has been minimized.
This comment has been minimized.
hynek
reviewed
Jun 4, 2016
tests/test_crypto.py
Outdated
| @@ -3389,6 +3398,14 @@ def test_load_crl_bad_data(self): | ||
| """ | ||
| self.assertRaises(Error, load_crl, FILETYPE_PEM, b"hello, world") | ||
| def test_get_issuer(self): | ||
| """ | ||
| Load a known CRL and inspect its issuer's common name. |
This comment has been minimized.
This comment has been minimized.
hynek
Jun 4, 2016
Contributor
Please write test docstrings as what the expected behavior that you are testing, not about what you do: https://jml.io/pages/test-docstrings.html
hynek
reviewed
Jun 4, 2016
tests/test_crypto.py
Outdated
| Create a CRL. | ||
| :param list[X509] certs: A list of certificates to revoke. | ||
| :return: :py:class:`CRL` |
This comment has been minimized.
This comment has been minimized.
hynek
reviewed
Jun 4, 2016
tests/test_crypto.py
Outdated
| def test_verify_with_revoked(self): | ||
| """ | ||
| :py:obj:`verify_certificate` raises error when an intermediate |
This comment has been minimized.
This comment has been minimized.
hynek
reviewed
Jun 4, 2016
tests/test_crypto.py
Outdated
| def test_verify_with_missing_crl(self): | ||
| """ | ||
| :py:obj:`verify_certificate` raises error when an intermediate |
This comment has been minimized.
This comment has been minimized.
hynek
Jun 4, 2016
Contributor
:func: again, although it’s okay to not markup function names in tests at all. it’s not like we run autodoc on it…
hynek
reviewed
Jun 4, 2016
tests/test_crypto.py
Outdated
| class X509StoreContextTests(TestCase): | ||
| """ | ||
| Tests for :py:obj:`OpenSSL.crypto.X509StoreContext`. | ||
| """ | ||
| root_cert = load_certificate(FILETYPE_PEM, root_cert_pem) | ||
| root_key = load_privatekey(FILETYPE_PEM, root_key_pem) |
This comment has been minimized.
This comment has been minimized.
reaperhulk
reviewed
Jun 4, 2016
| @@ -1902,9 +1955,6 @@ class CRL(object): | ||
| """ | ||
| def __init__(self): | ||
| """ | ||
| Create a new empty certificate revocation list. | ||
| """ |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
reaperhulk
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| """ | ||
| return self._set_boundary_time(_lib.X509_CRL_get_nextUpdate, when) | ||
| def sign(self, issuer_cert, issuer_key, digest='sha1'): |
This comment has been minimized.
This comment has been minimized.
reaperhulk
Jun 4, 2016
Member
Since this is a new API and there's no backwards compatibility concern I'd prefer this to not have a default arg for digest.
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| :type when: :py:class:`bytes` | ||
| :return: :py:const:`None` | ||
| :param bytes when: The timestamp of the revocation, | ||
| as ASN.1 GENERALIZEDTIME. |
This comment has been minimized.
This comment has been minimized.
added some commits
Jun 4, 2016
hynek
reviewed
Jun 4, 2016
doc/api/crypto.rst
Outdated
| -------------------- | ||
| .. autoclass:: X509StoreFlags | ||
| :members: |
This comment has been minimized.
This comment has been minimized.
hynek
reviewed
Jun 4, 2016
src/OpenSSL/crypto.py
Outdated
| @@ -1425,9 +1426,35 @@ def get_extension(self, index): | ||
| X509Type = X509 | ||
| class X509StoreFlags(Enum): | ||
| """ Flags for X509 verification |
This comment has been minimized.
This comment has been minimized.
hynek
Jun 4, 2016
Contributor
"""please on single lines- more explanation please?
- crosslink with set_flags (and backlink too)
- add something like “See the OpenSSL docs for the meaning.” and link some words to that URL
This comment has been minimized.
This comment has been minimized.
|
That Travis failure appears to be unrelated & flakey, as it's doing a time based check. |
hynek
reviewed
Jun 5, 2016
tests/test_crypto.py
Outdated
| store.add_crl(root_crl) | ||
| store.add_crl(intermediate_crl) | ||
| store.set_flags( | ||
| X509StoreFlags.CRL_CHECK.value | |
This comment has been minimized.
This comment has been minimized.
hynek
Jun 5, 2016
Contributor
ok this is gross, I’m sorry. make X509Store flags a regular class. (just subclass object, nothing else special). none of the three of us thought about this .value crap. sorry again.
This comment has been minimized.
This comment has been minimized.
dsully
Jun 5, 2016
Contributor
Yeaah... that's the worst part about Enum. I think everyone wishes it wasn't that way.
hynek
reviewed
Jun 5, 2016
src/OpenSSL/crypto.py
Outdated
| @@ -1890,7 +1946,7 @@ def get_rev_date(self): | ||
| Get the revocation timestamp. | ||
| :return: The timestamp of the revocation, as ASN.1 GENERALIZEDTIME. | ||
| :rtype: :py:class:`bytes` | ||
| :rtype: :class:`bytes` |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
Almost there! Since you did find/replace: could you get rid of all the in favor of ? I have some more smaller things, but I don’t want to torture you any further. :) |
added some commits
Jun 5, 2016
hynek
reviewed
Jun 5, 2016
| _openssl_assert(_lib.X509_STORE_add_crl(self._store, crl._crl) != 0) | ||
| def set_flags(self, flags): | ||
| """ |
This comment has been minimized.
This comment has been minimized.
hynek
Jun 5, 2016
Contributor
this docstring needs to point to the new flags class in some sane manner. Maybe within :param int flags?
hynek
reviewed
Jun 5, 2016
src/OpenSSL/crypto.py
Outdated
| :param X509 certificate: The certificate to be verified. | ||
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
Actually I know! :) We need to sort out the TODO comment. I will merge once it’s resolved. :) |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
you haven’t pushed and yep wfm |
hynek
reviewed
Jun 5, 2016
src/OpenSSL/crypto.py
Outdated
| :param X509 issuer_cert: The issuer's certificate. | ||
| :param PKey issuer_key: The issuer's private key. | ||
| :param str digest: The digest method to sign the CRL with. |
This comment has been minimized.
This comment has been minimized.
hynek
Jun 5, 2016
Contributor
ok sorry one last one: we don't do str in pyOpenSSL. This has to be bytes.
hynek
merged commit 44e767a
into
pyca:master
Jun 5, 2016
This comment has been minimized.
This comment has been minimized.
|
|
This comment has been minimized.
This comment has been minimized.
|
Thank you so much to everyone for their patience. pyOpenSSL is slightly less terrible once again! |
This comment has been minimized.
This comment has been minimized.
|
Awesomeee! :) |
pushed a commit
to jsonn/pkgsrc
that referenced
this pull request
Jan 28, 2017
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
dsully commentedJun 4, 2016
This is a rebased change from #281 by @sholsapp, which changes by me to be _openssl_assert() compatible.
A local py.test --cov looks good, and all tests pass.