[pyOpenSSL] CRL & PKCS12 patch
exarkun at twistedmatrix.com
Sun Oct 18 18:05:14 CEST 2009
On 01:45 pm, sebvieira at gmail.com wrote:
>Hi,
>
>Is there any progress on this? I mean, will the CRL functionality be in the
>next pyOpenSSL release and if so, when will that be? I'm trying to get a
>python app into Fedora but while a part of its functionality is based on a
>custom patched pyOpenSSL it will probably not be accepted.
>
>Apart from that, it's of course a great feature for pyOpenSSL that will
>benefit everyone :)
>
>thanks,
Hi,
So far, no progress on CRLs in pyOpenSSL. I just took a quick look at
the patch attached to https://bugs.launchpad.net/pyopenssl/+bug/385178 -
just thoroughly enough to see that it is a long way from being ready to
include in trunk. Here's a semi-complete list of what I'd like to see
changed about it:
* It makes unexplained changes to test_crypto.py; these have nothing to
do with CRLs and, if important, should be split out into a separate
patch/branch associated with a new ticket that explains their
significance.
* It makes a memory management change to x509.c which is similarly
unexplained and also untested. This should have a unit test and
possibly also be split off onto a separate ticket.
* It adds get_extension, get_extensions, check_privatekey, verify,
repr, and str methods to the X509 type. Also apparently unrelated to
CRLs. Also untested. Aside from str and repr these seem valuable and
should be added elsewhere, with tests. Maybe str and repr are good too,
but I need to be convinced.
* It adds str and repr methods to the X509Name type. Also untested and
unrelated.
* Likewise for X509Req.
* There's a bunch of new code in crypto.c about "crypto_ui" and engines
which looks like it might be neat, but has nothing to do with crls (and
has no tests).
* For the new code that's actually x509 crl related:
  * the whitespace is totally crazy and should be cleaned up
  * there are no unit tests. I am trying to raise pyOpenSSL to 100%
    line coverage. That means all new code has to have unit tests.
  * the function docstrings all use the weird old style which is more
    aimed at C programmers than Python programmers. They should be updated
    to be Python programmer friendly.
  * there's code for dealing with asn1 times copied from another
    pyOpenSSL source file; this should be factored into a common file that
    can be re-used, instead of duplicated.
A lot of these things are easy to remedy. Just delete some of the
patch. However, adding the CRL unit tests is probably real work.
Someone who's familiar with the CRL APIs can probably make a significant
dent in this without too much trouble. If someone can do that, I'll
make time to re-review the new submission and accept it or provide
further feedback.
Jean-Paul