New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable use of CRL (and more) in verify context. #483

Merged
merged 18 commits into from Jun 5, 2016

Conversation

Projects
None yet
5 participants
@dsully
Contributor

dsully commented Jun 4, 2016

This is a rebased change from #281 by @sholsapp, which changes by me to be _openssl_assert() compatible.

A local py.test --cov looks good, and all tests pass.

sholsapp and others added some commits Jun 4, 2016

Dan Sully
@codecov-io

This comment has been minimized.

codecov-io commented Jun 4, 2016

Current coverage is 88.36%

Merging #483 into master will increase coverage by 0.19%

@@             master       #483   diff @@
==========================================
  Files             7          7          
  Lines          2059       2096    +37   
  Methods           0          0          
  Messages          0          0          
  Branches        367        367          
==========================================
+ Hits           1815       1852    +37   
  Misses          130        130          
  Partials        114        114          

Powered by Codecov. Last updated by 40d448f...f38ea82

An X.509 store, being only a description, cannot be used by itself to
verify a certificate. To carry out the actual verification process, see
:py:class:`X509StoreContext`.

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

no :py: prefixes in new code please

This comment has been minimized.

@dsully

dsully Jun 4, 2016

Contributor

How would you prefer this change? Just to "X509StoreContext" ?

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

Just

:class:`X509StoreContext`

unless i’m missing something?

ALLOW_PROXY_CERTS = _lib.X509_V_FLAG_ALLOW_PROXY_CERTS
POLICY_CHECK = _lib.X509_V_FLAG_POLICY_CHECK
EXPLICIT_POLICY = _lib.X509_V_FLAG_EXPLICIT_POLICY
# FLAG_INHIBIT_ANY = _lib.X509_V_FLAG_FLAG_INHIBIT_ANY

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

what are these commented out lines about?

This comment has been minimized.

@dsully

dsully Jun 4, 2016

Contributor

Please see the original diff, #281 - I can remove them if you'd like.

This comment has been minimized.

@dsully

dsully Jun 4, 2016

Contributor

I added a comment from the #281 thread.

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

after talking to Paul: kill the commented out and also the comment above. if users ask for it we can still add them conditionally (i.e. getattr() style).

@@ -1452,6 +1477,46 @@ def add_cert(self, cert):
if not result:
_raise_current_error()

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

since you’re touching the code around here you could _openssl_assert-ize this as well :)

the associated flags are configured to check certificate revocation
lists.
.. versionadded:: 0.17

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.

.. versionadded:: 0.17
:param CRL crl: The certificate revocation list to add to this store.
:return: :py:data:`None` if the certificate revocation list was added

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

just

``None``

is fine

suitable CRL must be added to the store otherwise an error will be
raised.
.. versionadded:: 0.17

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.

.. versionadded:: 0.17
:param int flags: The verification flags to set on this store.
:return: :py:data:`None` if the verification flags were

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

just

``None``

is fine

verification parameters and certificate revocation lists.
An X.509 store context is used to carry out the actual verification process
of a certificate in a described context. For describing such a context, see
:py:class:`X509Store`.

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

no :py: prefixes in new code please

:param cert: The certificate used to sign the CRL.
:type cert: :py:class:`X509`
.. versionadded:: 0.17

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.

:param key: The key used to sign the CRL.
:type key: :py:class:`PKey`
:return: :py:class:`X509Name`

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

no :py: prefixes in new code please

:param int days: The number of days until the next update of this CRL.
.. versionadded:: 0.17

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.

.. versionadded:: 0.17
:param int version: The version of the CRL.
:return: :py:const:`None`

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

just

``None``

is fine

YYYYMMDDhhmmss+hhmm
YYYYMMDDhhmmss-hhmm
.. versionadded:: 0.17

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.

.. versionadded:: 0.17
:param bytes when: A timestamp string.
:return: :py:const:`None`

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

just

``None``

is fine

YYYYMMDDhhmmss+hhmm
YYYYMMDDhhmmss-hhmm
.. versionadded:: 0.17

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.

.. versionadded:: 0.17
:param bytes when: A timestamp string.
:return: :py:const:`None`

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

just

``None``

is fine

This method implicitly sets the issuer's name based on the issuer
certificate and private key used to sign the CRL.
.. versionadded:: 0.17

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

there is no such thing as pyOpenSSL 0.17. The next release will be 16.1.0.

:param bytes digest: The name of the message digest to use (eg
``b"sha1"``).
:return: :py:data:`bytes`

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

please make this an

:rtype: bytes

and it’s fine to have an empty line between the params and the return docs.

:return: :py:data:`bytes`
"""
# TODO: fix this function to use functionality added in version 0.16.

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

i’m not sure what this means? also there’s no 0.16.

@@ -3389,6 +3398,14 @@ def test_load_crl_bad_data(self):
"""
self.assertRaises(Error, load_crl, FILETYPE_PEM, b"hello, world")
def test_get_issuer(self):
"""
Load a known CRL and inspect its issuer's common name.

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

Please write test docstrings as what the expected behavior that you are testing, not about what you do: https://jml.io/pages/test-docstrings.html

Create a CRL.
:param list[X509] certs: A list of certificates to revoke.
:return: :py:class:`CRL`

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

no :py: prefixes in new code please

def test_verify_with_revoked(self):
"""
:py:obj:`verify_certificate` raises error when an intermediate

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

that should be a :func:, no?

def test_verify_with_missing_crl(self):
"""
:py:obj:`verify_certificate` raises error when an intermediate

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

:func: again, although it’s okay to not markup function names in tests at all. it’s not like we run autodoc on it…

class X509StoreContextTests(TestCase):
"""
Tests for :py:obj:`OpenSSL.crypto.X509StoreContext`.
"""
root_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
root_key = load_privatekey(FILETYPE_PEM, root_key_pem)

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

it doesn’t seem like you use these attributes?

@@ -1902,9 +1955,6 @@ class CRL(object):
"""
def __init__(self):
"""
Create a new empty certificate revocation list.
"""

This comment has been minimized.

@reaperhulk

reaperhulk Jun 4, 2016

Member

I suspect @hynek would prefer this be left in?

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

meh, can die

This comment has been minimized.

@dsully

dsully Jun 4, 2016

Contributor

Ok, removing.

"""
return self._set_boundary_time(_lib.X509_CRL_get_nextUpdate, when)
def sign(self, issuer_cert, issuer_key, digest='sha1'):

This comment has been minimized.

@reaperhulk

reaperhulk Jun 4, 2016

Member

Since this is a new API and there's no backwards compatibility concern I'd prefer this to not have a default arg for digest.

:type when: :py:class:`bytes`
:return: :py:const:`None`
:param bytes when: The timestamp of the revocation,
as ASN.1 GENERALIZEDTIME.

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

this has to be indented

Dan Sully added some commits Jun 4, 2016

Dan Sully
Dan Sully
--------------------
.. autoclass:: X509StoreFlags
:members:

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor

this sadly doesn’t seem to work :'( gotta enumerate them I’m afraid?

@@ -1425,9 +1426,35 @@ def get_extension(self, index):
X509Type = X509
class X509StoreFlags(Enum):
""" Flags for X509 verification

This comment has been minimized.

@hynek

hynek Jun 4, 2016

Contributor
  • """ please on single lines
  • more explanation please?
  • crosslink with set_flags (and backlink too)
  • add something like “See the OpenSSL docs for the meaning.” and link some words to that URL
Dan Sully
@dsully

This comment has been minimized.

Contributor

dsully commented Jun 5, 2016

That Travis failure appears to be unrelated & flakey, as it's doing a time based check.

Dan Sully
store.add_crl(root_crl)
store.add_crl(intermediate_crl)
store.set_flags(
X509StoreFlags.CRL_CHECK.value |

This comment has been minimized.

@hynek

hynek Jun 5, 2016

Contributor

ok this is gross, I’m sorry. make X509Store flags a regular class. (just subclass object, nothing else special). none of the three of us thought about this .value crap. sorry again.

This comment has been minimized.

@dsully

dsully Jun 5, 2016

Contributor

Yeaah... that's the worst part about Enum. I think everyone wishes it wasn't that way.

Dan Sully
@@ -1890,7 +1946,7 @@ def get_rev_date(self):
Get the revocation timestamp.
:return: The timestamp of the revocation, as ASN.1 GENERALIZEDTIME.
:rtype: :py:class:`bytes`
:rtype: :class:`bytes`

This comment has been minimized.

@hynek

hynek Jun 5, 2016

Contributor

just “bytes” is fine for rtype

@hynek

This comment has been minimized.

Contributor

hynek commented Jun 5, 2016

Almost there! Since you did find/replace: could you get rid of all the

:const:`None`

in favor of

``None``

?

I have some more smaller things, but I don’t want to torture you any further. :)

Dan Sully added some commits Jun 5, 2016

Dan Sully
Dan Sully
_openssl_assert(_lib.X509_STORE_add_crl(self._store, crl._crl) != 0)
def set_flags(self, flags):
"""

This comment has been minimized.

@hynek

hynek Jun 5, 2016

Contributor

this docstring needs to point to the new flags class in some sane manner. Maybe within :param int flags?

:param X509 certificate: The certificate to be verified.

This comment has been minimized.

@hynek

hynek Jun 5, 2016

Contributor

no empty line please

@hynek

This comment has been minimized.

Contributor

hynek commented Jun 5, 2016

Actually I know! :) We need to sort out the TODO comment. I will merge once it’s resolved. :)

@dsully

This comment has been minimized.

Contributor

dsully commented Jun 5, 2016

@hynek - I removed the TODO comment, as @sholsapp originally added it, and I can't get ahold of him right now to determine what he meant. I'll let him address it in a later PR. Does that work?

@hynek

This comment has been minimized.

Contributor

hynek commented Jun 5, 2016

you haven’t pushed and yep wfm

:param X509 issuer_cert: The issuer's certificate.
:param PKey issuer_key: The issuer's private key.
:param str digest: The digest method to sign the CRL with.

This comment has been minimized.

@hynek

hynek Jun 5, 2016

Contributor

ok sorry one last one: we don't do str in pyOpenSSL. This has to be bytes.

Dan Sully

@hynek hynek merged commit 44e767a into pyca:master Jun 5, 2016

2 checks passed

codecov/patch 100% of diff hit (target 88.15%)
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
@hynek

This comment has been minimized.

Contributor

hynek commented Jun 5, 2016

🍻

@hynek

This comment has been minimized.

Contributor

hynek commented Jun 5, 2016

Thank you so much to everyone for their patience. pyOpenSSL is slightly less terrible once again!

@sholsapp

This comment has been minimized.

Contributor

sholsapp commented Jun 6, 2016

Awesomeee! :) 🍻

@apeduru apeduru referenced this pull request Jul 22, 2016

Open

Indirect CRL Issuer #505

jsonn pushed a commit to jsonn/pkgsrc that referenced this pull request Jan 28, 2017

wiz
Updated py-OpenSSL to 16.2.0.
Add patch that makes tests on NetBSD progress further.
But then there's a segfault. See
pyca/pyopenssl#596

16.2.0 (2016-10-15)
-------------------

Changes:
^^^^^^^^

- Fixed compatibility errors with OpenSSL 1.1.0.
- Fixed an issue that caused failures with subinterpreters and embedded Pythons.
  `#552 <https://github.com/pyca/pyopenssl/pull/552>`_


16.1.0 (2016-08-26)
-------------------

Deprecations:
^^^^^^^^^^^^^

- Dropped support for OpenSSL 0.9.8.


Changes:
^^^^^^^^

- Fix memory leak in ``OpenSSL.crypto.dump_privatekey()`` with ``FILETYPE_TEXT``.
  `#496 <https://github.com/pyca/pyopenssl/pull/496>`_
- Enable use of CRL (and more) in verify context.
  `#483 <https://github.com/pyca/pyopenssl/pull/483>`_
- ``OpenSSL.crypto.PKey`` can now be constructed from ``cryptography`` objects and also exported as such.
  `#439 <https://github.com/pyca/pyopenssl/pull/439>`_
- Support newer versions of ``cryptography`` which use opaque structs for OpenSSL 1.1.0 compatibility.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment