Enable use of CRL (and more) in verify context. #483
Conversation
Current coverage is 88.36%@@ master #483 diff @@
==========================================
Files 7 7
Lines 2059 2096 +37
Methods 0 0
Messages 0 0
Branches 367 367
==========================================
+ Hits 1815 1852 +37
Misses 130 130
Partials 114 114
|
|
|
||
| An X.509 store, being only a description, cannot be used by itself to | ||
| verify a certificate. To carry out the actual verification process, see | ||
| :py:class:`X509StoreContext`. |
There was a problem hiding this comment.
no :py: prefixes in new code please
There was a problem hiding this comment.
How would you prefer this change? Just to "X509StoreContext" ?
There was a problem hiding this comment.
Just
:class:`X509StoreContext`
unless i’m missing something?
| :type when: :py:class:`bytes` | ||
| :return: :py:const:`None` | ||
| :param bytes when: The timestamp of the revocation, | ||
| as ASN.1 GENERALIZEDTIME. |
| -------------------- | ||
|
|
||
| .. autoclass:: X509StoreFlags | ||
| :members: |
There was a problem hiding this comment.
this sadly doesn’t seem to work :'( gotta enumerate them I’m afraid?
|
That Travis failure appears to be unrelated & flakey, as it's doing a time based check. |
| store.add_crl(root_crl) | ||
| store.add_crl(intermediate_crl) | ||
| store.set_flags( | ||
| X509StoreFlags.CRL_CHECK.value | |
There was a problem hiding this comment.
ok this is gross, I’m sorry. make X509Store flags a regular class. (just subclass object, nothing else special). none of the three of us thought about this .value crap. sorry again.
There was a problem hiding this comment.
Yeaah... that's the worst part about Enum. I think everyone wishes it wasn't that way.
| @@ -1890,7 +1946,7 @@ def get_rev_date(self): | |||
| Get the revocation timestamp. | |||
|
|
|||
| :return: The timestamp of the revocation, as ASN.1 GENERALIZEDTIME. | |||
| :rtype: :py:class:`bytes` | |||
| :rtype: :class:`bytes` | |||
There was a problem hiding this comment.
just “bytes” is fine for rtype
|
Almost there! Since you did find/replace: could you get rid of all the in favor of ? I have some more smaller things, but I don’t want to torture you any further. :) |
| _openssl_assert(_lib.X509_STORE_add_crl(self._store, crl._crl) != 0) | ||
|
|
||
| def set_flags(self, flags): | ||
| """ |
There was a problem hiding this comment.
this docstring needs to point to the new flags class in some sane manner. Maybe within :param int flags?
|
Actually I know! :) We need to sort out the TODO comment. I will merge once it’s resolved. :) |
|
you haven’t pushed and yep wfm |
|
|
||
| :param X509 issuer_cert: The issuer's certificate. | ||
| :param PKey issuer_key: The issuer's private key. | ||
| :param str digest: The digest method to sign the CRL with. |
There was a problem hiding this comment.
ok sorry one last one: we don't do str in pyOpenSSL. This has to be bytes.
|
🍻 |
|
Thank you so much to everyone for their patience. pyOpenSSL is slightly less terrible once again! |
|
Awesomeee! :) 🍻 |
Add patch that makes tests on NetBSD progress further. But then there's a segfault. See pyca/pyopenssl#596 16.2.0 (2016-10-15) ------------------- Changes: ^^^^^^^^ - Fixed compatibility errors with OpenSSL 1.1.0. - Fixed an issue that caused failures with subinterpreters and embedded Pythons. `#552 <https://github.com/pyca/pyopenssl/pull/552>`_ 16.1.0 (2016-08-26) ------------------- Deprecations: ^^^^^^^^^^^^^ - Dropped support for OpenSSL 0.9.8. Changes: ^^^^^^^^ - Fix memory leak in ``OpenSSL.crypto.dump_privatekey()`` with ``FILETYPE_TEXT``. `#496 <https://github.com/pyca/pyopenssl/pull/496>`_ - Enable use of CRL (and more) in verify context. `#483 <https://github.com/pyca/pyopenssl/pull/483>`_ - ``OpenSSL.crypto.PKey`` can now be constructed from ``cryptography`` objects and also exported as such. `#439 <https://github.com/pyca/pyopenssl/pull/439>`_ - Support newer versions of ``cryptography`` which use opaque structs for OpenSSL 1.1.0 compatibility.
This is a rebased change from #281 by @sholsapp, which changes by me to be _openssl_assert() compatible.
A local py.test --cov looks good, and all tests pass.