pyOpenSSL

Support CRL loading and export

Bug #404436 reported by rick_dean
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pyOpenSSL
Fix Released
Undecided
Unassigned
Nominated for Main by sebvieira

Bug Description

Here is a patch that implements a CRL interface.
The API is different that previous patches because
it wraps struct X509_REVOKED as well. See branch
lp:~rick-fdd/pyopenssl/crl_and_revoked

The patch supports loading and exporting all formats
(PEM, DER, and text). CRL can be both created and
inspected. Full documentation and test cases are
provided.

The major lacking features are reason codes and their
associated extensions. Also, the OpenSSL.CRL.export
method has too many parameters because IMHO signing
should be a distinct method. Nonetheless, the
code currently is quite usable.

Unlike the PKCS12 implementation, CRL objects do not
contain references to other python objects. This means
adding and getting are all by value, but it simplifies
the code. I can provide a less complete patch of
the other method using GC if requested, but I think
it will also be harder to extend.

Unlike X509, OpenSSL.Revoked.get_serial() returns a
hex string, not an integer. Likewise for set_serial().

Related branches

lp:~rick-fdd/pyopenssl/crl_and_revoked
Jean-Paul Calderone: Pending requested
Diff: 1316 lines (+1131/-11)
11 files modified
doc/pyOpenSSL.tex (+68/-0)
setup.py (+2/-0)
src/crypto/crl.c (+294/-0)
src/crypto/crl.h (+19/-0)
src/crypto/crypto.c (+52/-1)
src/crypto/crypto.h (+2/-0)
src/crypto/revoked.c (+451/-0)
src/crypto/revoked.h (+18/-0)
src/crypto/x509.c (+8/-8)
src/crypto/x509.h (+4/-2)
test/test_crypto.py (+213/-0)
Revision history for this message
rick_dean (rick-fdd) wrote :
Revision history for this message
rick_dean (rick-fdd) wrote :

Here is a version of the patch that applies cleanly to the tip of main.

Revision history for this message
rick_dean (rick-fdd) wrote :

The previous patch was incomplete.

This patch adapts the tip of the branch crl_and_revoked, which contained some later changes like revocation reasons.

The biggest change in the merge was removing the introduction of a second _runopenssl().

Revision history for this message
rick_dean (rick-fdd) wrote :

Wow. Third time is a charm.

Revision history for this message
seth vidal (skvidal) wrote :

Any word on if this has been accepted?

Revision history for this message
Jean-Paul Calderone (exarkun) wrote :

There's some more info on the merge proposal, which I've added a link to above.

Jean-Paul Calderone (exarkun)
Changed in pyopenssl:
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.