Enable use of CRL (and more) in verify context. #483
Current coverage is 88.36%

                master    #483    diff
    ==========================================
    Files            7       7
    Lines         2059    2096     +37
    Methods          0       0
    Messages         0       0
    Branches       367     367
    ==========================================
    + Hits        1815    1852     +37
    Misses         130     130
    Partials       114     114
An X.509 store, being only a description, cannot be used by itself to | ||
verify a certificate. To carry out the actual verification process, see | ||
:py:class:`X509StoreContext`. |
hynek
Jun 4, 2016
Contributor
no `:py:` prefixes in new code please
dsully
Jun 4, 2016
Author
How would you prefer this change? Just to "X509StoreContext" ?
hynek
Jun 4, 2016
Contributor
Just :class:`X509StoreContext` unless i’m missing something?
ALLOW_PROXY_CERTS = _lib.X509_V_FLAG_ALLOW_PROXY_CERTS | ||
POLICY_CHECK = _lib.X509_V_FLAG_POLICY_CHECK | ||
EXPLICIT_POLICY = _lib.X509_V_FLAG_EXPLICIT_POLICY | ||
# FLAG_INHIBIT_ANY = _lib.X509_V_FLAG_FLAG_INHIBIT_ANY |
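Review bot: the commented-out member at the end of the hunk names `_lib.X509_V_FLAG_FLAG_INHIBIT_ANY`, which repeats the `FLAG` token; OpenSSL's constant is `X509_V_FLAG_INHIBIT_ANY`, so the line as written would raise an attribute error on the binding, which is presumably why it ended up commented out. Either bind the correctly named constant or drop the commented-out line rather than leaving dead code in the flags class.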
hynek
Jun 4, 2016
Contributor
what are these commented out lines about?
hynek
Jun 4, 2016
Contributor
after talking to Paul: kill the commented out and also the comment above. if users ask for it we can still add them conditionally (i.e. `getattr()` style).
@@ -1452,6 +1477,46 @@ def add_cert(self, cert): | |||
if not result: | |||
_raise_current_error() |
hynek
Jun 4, 2016
Contributor
since you’re touching the code around here you could `_openssl_assert`-ize this as well :)
the associated flags are configured to check certificate revocation | ||
lists. | ||
.. versionadded:: 0.17 |
hynek
Jun 4, 2016
Contributor
there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.
.. versionadded:: 0.17 | ||
:param CRL crl: The certificate revocation list to add to this store. | ||
:return: :py:data:`None` if the certificate revocation list was added |
hynek
Jun 4, 2016
Contributor
just ``None`` is fine
suitable CRL must be added to the store otherwise an error will be | ||
raised. | ||
.. versionadded:: 0.17 |
hynek
Jun 4, 2016
Contributor
there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.
.. versionadded:: 0.17 | ||
:param int flags: The verification flags to set on this store. | ||
:return: :py:data:`None` if the verification flags were |
hynek
Jun 4, 2016
Contributor
just ``None`` is fine
verification parameters and certificate revocation lists. | ||
An X.509 store context is used to carry out the actual verification process | ||
of a certificate in a described context. For describing such a context, see | ||
:py:class:`X509Store`. |
hynek
Jun 4, 2016
Contributor
no `:py:` prefixes in new code please
:param cert: The certificate used to sign the CRL. | ||
:type cert: :py:class:`X509` | ||
.. versionadded:: 0.17 |
hynek
Jun 4, 2016
Contributor
there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.
:param key: The key used to sign the CRL. | ||
:type key: :py:class:`PKey` | ||
:return: :py:class:`X509Name` |
hynek
Jun 4, 2016
Contributor
no `:py:` prefixes in new code please
:param int days: The number of days until the next update of this CRL. | ||
.. versionadded:: 0.17 |
hynek
Jun 4, 2016
Contributor
there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.
.. versionadded:: 0.17 | ||
:param int version: The version of the CRL. | ||
:return: :py:const:`None` |
hynek
Jun 4, 2016
Contributor
just ``None`` is fine
YYYYMMDDhhmmss+hhmm | ||
YYYYMMDDhhmmss-hhmm | ||
.. versionadded:: 0.17 |
hynek
Jun 4, 2016
Contributor
there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.
.. versionadded:: 0.17 | ||
:param bytes when: A timestamp string. | ||
:return: :py:const:`None` |
hynek
Jun 4, 2016
Contributor
just ``None`` is fine
YYYYMMDDhhmmss+hhmm | ||
YYYYMMDDhhmmss-hhmm | ||
.. versionadded:: 0.17 |
hynek
Jun 4, 2016
Contributor
there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.
.. versionadded:: 0.17 | ||
:param bytes when: A timestamp string. | ||
:return: :py:const:`None` |
hynek
Jun 4, 2016
Contributor
just ``None`` is fine
This method implicitly sets the issuer's name based on the issuer | ||
certificate and private key used to sign the CRL. | ||
.. versionadded:: 0.17 |
hynek
Jun 4, 2016
Contributor
there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.
:param bytes digest: The name of the message digest to use (eg | ||
``b"sha1"``). | ||
:return: :py:data:`bytes` |
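Review bot: the example digest ``b"sha1"`` in the ``:param bytes digest:`` line steers users of a brand-new API towards SHA-1 for CRL signatures; since there is no compatibility constraint here, use ``b"sha256"`` as the documented example, because SHA-1 is deprecated for new signatures and relying parties increasingly refuse it.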
hynek
Jun 4, 2016
Contributor
please make this an `:rtype: bytes` and it’s fine to have an empty line between the params and the return docs.
:return: :py:data:`bytes` | ||
""" | ||
|
||
# TODO: fix this function to use functionality added in version 0.16. |
hynek
Jun 4, 2016
Contributor
i’m not sure what this means? also there’s no 0.16.
@@ -3389,6 +3398,14 @@ def test_load_crl_bad_data(self): | |||
""" | |||
self.assertRaises(Error, load_crl, FILETYPE_PEM, b"hello, world") | |||
|
|||
def test_get_issuer(self): | |||
""" | |||
Load a known CRL and inspect its issuer's common name. |
hynek
Jun 4, 2016
Contributor
Please write test docstrings as what the expected behavior that you are testing, not about what you do: https://jml.io/pages/test-docstrings.html
Create a CRL. | ||
:param list[X509] certs: A list of certificates to revoke. | ||
:return: :py:class:`CRL` |
hynek
Jun 4, 2016
Contributor
no `:py:` prefixes in new code please
|
||
def test_verify_with_revoked(self): | ||
""" | ||
:py:obj:`verify_certificate` raises error when an intermediate |
hynek
Jun 4, 2016
Contributor
that should be a `:func:`, no?
|
||
def test_verify_with_missing_crl(self): | ||
""" | ||
:py:obj:`verify_certificate` raises error when an intermediate |
hynek
Jun 4, 2016
Contributor
`:func:` again, although it’s okay to not markup function names in tests at all. it’s not like we run autodoc on it…
|
||
class X509StoreContextTests(TestCase): | ||
""" | ||
Tests for :py:obj:`OpenSSL.crypto.X509StoreContext`. | ||
""" | ||
root_cert = load_certificate(FILETYPE_PEM, root_cert_pem) | ||
root_key = load_privatekey(FILETYPE_PEM, root_key_pem) |
hynek
Jun 4, 2016
Contributor
it doesn’t seem like you use these attributes?
@@ -1902,9 +1955,6 @@ class CRL(object): | |||
""" | |||
|
|||
def __init__(self): | |||
""" | |||
Create a new empty certificate revocation list. | |||
""" |
hynek
Jun 4, 2016
Contributor
meh, can die
dsully
Jun 4, 2016
Author
Ok, removing.
""" | ||
return self._set_boundary_time(_lib.X509_CRL_get_nextUpdate, when) | ||
|
||
def sign(self, issuer_cert, issuer_key, digest='sha1'): |
reaperhulk
Jun 4, 2016
Member
Since this is a new API and there's no backwards compatibility concern I'd prefer this to not have a default arg for `digest`.
-------------------- | ||
|
||
.. autoclass:: X509StoreFlags | ||
:members: |
hynek
Jun 4, 2016
Contributor
this sadly doesn’t seem to work :'( gotta enumerate them I’m afraid?
@@ -1425,9 +1426,35 @@ def get_extension(self, index): | |||
X509Type = X509 | |||
|
|||
|
|||
class X509StoreFlags(Enum): | |||
""" Flags for X509 verification |
hynek
Jun 4, 2016
Contributor
`"""` please on single lines

- more explanation please?
- crosslink with set_flags (and backlink too)
- add something like “See the OpenSSL docs for the meaning.” and link some words to that URL
That Travis failure appears to be unrelated & flaky, as it's doing a time based check.
store.add_crl(root_crl) | ||
store.add_crl(intermediate_crl) | ||
store.set_flags( | ||
X509StoreFlags.CRL_CHECK.value | |
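Review bot: with both `root_crl` and `intermediate_crl` added to the store, this test only exercises revocation of the intermediate if the flag OR'd in after `CRL_CHECK` is `CRL_CHECK_ALL`; `X509_V_FLAG_CRL_CHECK` on its own checks the CRL for the leaf certificate only. Worth stating in the `set_flags` docstring as well, since a caller who sets `CRL_CHECK` alone will assume the whole chain is revocation-checked when it is not.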
hynek
Jun 5, 2016
Contributor
ok this is gross, I’m sorry. make X509Store flags a regular class. (just subclass object, nothing else special). none of the three of us thought about this .value crap. sorry again.
dsully
Jun 5, 2016
Author
Yeaah... that's the worst part about Enum. I think everyone wishes it wasn't that way.
@@ -1890,7 +1946,7 @@ def get_rev_date(self): | |||
Get the revocation timestamp. | |||
:return: The timestamp of the revocation, as ASN.1 GENERALIZEDTIME. | |||
:rtype: :py:class:`bytes` | |||
:rtype: :class:`bytes` |
hynek
Jun 5, 2016
Contributor
just “bytes” is fine for rtype
Almost there! Since you did find/replace: could you get rid of all the
in favor of
? I have some more smaller things, but I don’t want to torture you any further. :)
_openssl_assert(_lib.X509_STORE_add_crl(self._store, crl._crl) != 0) | ||
|
||
def set_flags(self, flags): | ||
""" |
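Review bot: the `set_flags` docstring that opens here should say that `flags` are OR'd into the store's current verification flags (`X509_STORE_set_flags` adds to the existing set rather than replacing it), so a caller cannot clear `CRL_CHECK` by calling `set_flags(0)` later; the `:param int flags:` line is the natural place to state this and to link the flags class.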
hynek
Jun 5, 2016
Contributor
this docstring needs to point to the new flags class in some sane manner. Maybe within `:param int flags`?
:param X509 certificate: The certificate to be verified. | ||
hynek
Jun 5, 2016
Contributor
no empty line please
Actually I know! :) We need to sort out the TODO comment. I will merge once it’s resolved. :)
you haven’t pushed and yep wfm
:param X509 issuer_cert: The issuer's certificate. | ||
:param PKey issuer_key: The issuer's private key. | ||
:param str digest: The digest method to sign the CRL with. |
hynek
Jun 5, 2016
Contributor
ok sorry one last one: we don't do `str` in pyOpenSSL. This has to be `bytes`.
Thank you so much to everyone for their patience. pyOpenSSL is slightly less terrible once again!
Awesomeee! :)
Add patch that makes tests on NetBSD progress further. But then there's a segfault. See pyca/pyopenssl#596

16.2.0 (2016-10-15)
-------------------

Changes:
^^^^^^^^

- Fixed compatibility errors with OpenSSL 1.1.0.
- Fixed an issue that caused failures with subinterpreters and embedded Pythons. `#552 <https://github.com/pyca/pyopenssl/pull/552>`_

16.1.0 (2016-08-26)
-------------------

Deprecations:
^^^^^^^^^^^^^

- Dropped support for OpenSSL 0.9.8.

Changes:
^^^^^^^^

- Fix memory leak in ``OpenSSL.crypto.dump_privatekey()`` with ``FILETYPE_TEXT``. `#496 <https://github.com/pyca/pyopenssl/pull/496>`_
- Enable use of CRL (and more) in verify context. `#483 <https://github.com/pyca/pyopenssl/pull/483>`_
- ``OpenSSL.crypto.PKey`` can now be constructed from ``cryptography`` objects and also exported as such. `#439 <https://github.com/pyca/pyopenssl/pull/439>`_
- Support newer versions of ``cryptography`` which use opaque structs for OpenSSL 1.1.0 compatibility.
This is a rebased change from #281 by @sholsapp, with changes by me to make it `_openssl_assert()` compatible.
A local `py.test --cov` looks good, and all tests pass.