Support CRL loading and export

Bug #404436 reported by rick_dean on 2009-07-25
This bug affects 1 person
Status: Fix Released
Nominated for Main by sebvieira

Bug Description

Here is a patch that implements a CRL interface.
The API is different than previous patches because
it wraps struct X509_REVOKED as well. See branch

The patch supports loading and exporting all formats
(PEM, DER, and text). CRLs can be both created and
inspected. Full documentation and test cases are

The major lacking features are reason codes and their
associated extensions. Also, the OpenSSL.CRL.export
method has too many parameters because IMHO signing
should be a distinct method. Nonetheless, the
code currently is quite usable.

Unlike the PKCS12 implementation, CRL objects do not
contain references to other Python objects. This means
adding and getting are all by value, but it simplifies
the code. I can provide a less complete patch of
the other method using GC if requested, but I think
it will also be harder to extend.

Unlike X509, OpenSSL.Revoked.get_serial() returns a
hex string, not an integer. Likewise for set_serial().

rick_dean (rick-fdd) wrote :

Here is a version of the patch that applies cleanly to the tip of main.

rick_dean (rick-fdd) wrote :

The previous patch was incomplete.

This patch adapts the tip of the branch crl_and_revoked, which contained some later changes like revocation reasons.

The biggest change in the merge was removing the introduction of a second _runopenssl().

rick_dean (rick-fdd) wrote :

Wow. Third time is a charm.

seth vidal (skvidal) wrote :

Any word on if this has been accepted?

Jean-Paul Calderone (exarkun) wrote :

There's some more info on the merge proposal, which I've added a link to above.

Changed in pyopenssl:
status: New → Fix Released