Extended certificate verification options and some extensions to PKCS#7 API
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pyOpenSSL | New | Undecided | Unassigned | 
Bug Description
I've found that pyopenssl doesn't expose some OpenSSL functionality that is vital for proper verification of certificates (chains), such as options for CRL support, policy checking, etc.
The attached patch adds some new APIs:
1. Several methods for the X509Store object which allow configuring certificate checking options, either for the store created inside SSL.Context or for an independently created store (to verify PKCS7-signed messages). Also equivalents of load_verify_
2. Added a new object type, X509Crl
3. Added set_client_
4. Added function pkcs7_sign to create a signed PKCS#7 object from a data string, signing it with a private key and certificate (interface to the OpenSSL PKCS7_sign function)
5. Added method verify for the pkcs7 object (interface to PKCS7_verify)
6. Added methods check_privatekey and verify for X509 objects (because it is necessary to check whether the private key matches the certificate for certificates used for pkcs7 signing)
7. Added function load_private_
8. Added methods get_extension and get_extensions for the X509 object (for use inside verify callbacks)
9. Some methods of X509, X509Req and X509Name were made to output correct Unicode for X509 NAMEs
This introduces a minor backward incompatibility, because the chosen set of flags produces a textual representation slightly different from the default. To make tests for dump_certificate and dump_certificat
Applying your patch to a fresh pyopenssl 0.9 breaks the build: crypto.h:22:21: error: x509crl.h: No such file or directory
src/crypto/
Did you forget to include x509crl.h in your patch?