Enable use of CRL (and more) in verify context. #483

Merged
merged 18 commits into from Jun 5, 2016
Conversation

@dsully dsully commented Jun 4, 2016

This is a rebased change from #281 by @sholsapp, with changes by me to make it _openssl_assert() compatible.

A local py.test --cov looks good, and all tests pass.

codecov-io commented Jun 4, 2016

Current coverage is 88.36%

Merging #483 into master will increase coverage by 0.19%

@@             master       #483   diff @@
==========================================
  Files             7          7          
  Lines          2059       2096    +37   
  Methods           0          0          
  Messages          0          0          
  Branches        367        367          
==========================================
+ Hits           1815       1852    +37   
  Misses          130        130          
  Partials        114        114          


An X.509 store, being only a description, cannot be used by itself to
verify a certificate. To carry out the actual verification process, see
:py:class:`X509StoreContext`.
Contributor
no :py: prefixes in new code please

Author
How would you prefer this change? Just to "X509StoreContext" ?

Contributor
Just

:class:`X509StoreContext`

unless I'm missing something?

:type when: :py:class:`bytes`
:return: :py:const:`None`
:param bytes when: The timestamp of the revocation,
as ASN.1 GENERALIZEDTIME.
Contributor
this has to be indented

--------------------

.. autoclass:: X509StoreFlags
:members:
Contributor
this sadly doesn’t seem to work :'( gotta enumerate them I’m afraid?


dsully commented Jun 5, 2016

That Travis failure appears to be unrelated and flaky, as it's doing a time-based check.

store.add_crl(root_crl)
store.add_crl(intermediate_crl)
store.set_flags(
X509StoreFlags.CRL_CHECK.value |
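Review bot: since CRLs for both the root and the intermediate are added to the store, make sure the flags OR'd together on this line include CRL_CHECK_ALL as well: OpenSSL's CRL_CHECK on its own only consults a CRL for the leaf certificate, so a revoked intermediate would still verify. The `.value` at the call site also leaks the Enum implementation into the public API; with integer attributes on a plain class, callers could write `X509StoreFlags.CRL_CHECK | X509StoreFlags.CRL_CHECK_ALL` directly.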
Contributor
ok this is gross, I’m sorry. make X509Store flags a regular class. (just subclass object, nothing else special). none of the three of us thought about this .value crap. sorry again.

Author
Yeaah... that's the worst part about Enum. I think everyone wishes it wasn't that way.

@@ -1890,7 +1946,7 @@ def get_rev_date(self):
Get the revocation timestamp.

:return: The timestamp of the revocation, as ASN.1 GENERALIZEDTIME.
:rtype: :py:class:`bytes`
:rtype: :class:`bytes`
Contributor
just “bytes” is fine for rtype


hynek commented Jun 5, 2016

Almost there! Since you did find/replace: could you get rid of all the

:const:`None`

in favor of

``None``

?

I have some more smaller things, but I don’t want to torture you any further. :)

_openssl_assert(_lib.X509_STORE_add_crl(self._store, crl._crl) != 0)

def set_flags(self, flags):
"""
Contributor
this docstring needs to point to the new flags class in some sane manner. Maybe within :param int flags?


hynek commented Jun 5, 2016

Actually I know! :) We need to sort out the TODO comment. I will merge once it’s resolved. :)


dsully commented Jun 5, 2016

@hynek - I removed the TODO comment, as @sholsapp originally added it, and I can't get ahold of him right now to determine what he meant. I'll let him address it in a later PR. Does that work?


hynek commented Jun 5, 2016

you haven’t pushed and yep wfm


:param X509 issuer_cert: The issuer's certificate.
:param PKey issuer_key: The issuer's private key.
:param str digest: The digest method to sign the CRL with.
Contributor
ok sorry one last one: we don't do str in pyOpenSSL. This has to be bytes.

@hynek hynek merged commit 44e767a into pyca:master Jun 5, 2016

hynek commented Jun 5, 2016

🍻


hynek commented Jun 5, 2016

Thank you so much to everyone for their patience. pyOpenSSL is slightly less terrible once again!


sholsapp commented Jun 6, 2016

Awesomeee! :) 🍻

@apeduru apeduru mentioned this pull request Jul 22, 2016
jsonn pushed a commit to jsonn/pkgsrc that referenced this pull request Jan 28, 2017
Add patch that makes tests on NetBSD progress further.
But then there's a segfault. See
pyca/pyopenssl#596

16.2.0 (2016-10-15)
-------------------

Changes:
^^^^^^^^

- Fixed compatibility errors with OpenSSL 1.1.0.
- Fixed an issue that caused failures with subinterpreters and embedded Pythons.
  `#552 <https://github.com/pyca/pyopenssl/pull/552>`_


16.1.0 (2016-08-26)
-------------------

Deprecations:
^^^^^^^^^^^^^

- Dropped support for OpenSSL 0.9.8.


Changes:
^^^^^^^^

- Fix memory leak in ``OpenSSL.crypto.dump_privatekey()`` with ``FILETYPE_TEXT``.
  `#496 <https://github.com/pyca/pyopenssl/pull/496>`_
- Enable use of CRL (and more) in verify context.
  `#483 <https://github.com/pyca/pyopenssl/pull/483>`_
- ``OpenSSL.crypto.PKey`` can now be constructed from ``cryptography`` objects and also exported as such.
  `#439 <https://github.com/pyca/pyopenssl/pull/439>`_
- Support newer versions of ``cryptography`` which use opaque structs for OpenSSL 1.1.0 compatibility.