[pyOpenSSL] CRL & PKCS12 patch

exarkun at twistedmatrix.com exarkun at twistedmatrix.com
Sun Oct 18 18:05:14 CEST 2009


On 01:45 pm, sebvieira at gmail.com wrote:
>Hi,
>
>Is there any progress on this? I mean, will the CRL functionality be in
>the next pyOpenSSL release and if so, when will that be? I'm trying to
>get a python app into Fedora but while a part of its functionality is
>based on a custom patched pyOpenSSL it will probably not be accepted.
>
>Apart from that, it's of course a great feature for pyOpenSSL that will
>benefit everyone :)
>
>thanks,

Hi,

So far, no progress on CRLs in pyOpenSSL.  I just took a quick look at 
the patch attached to https://bugs.launchpad.net/pyopenssl/+bug/385178 - 
just thoroughly enough to see that it is a long way from being ready to 
include in trunk.  Here's a semi-complete list of what I'd like to see 
changed about it:

  * It makes unexplained changes to test_crypto.py; these have nothing to 
do with CRLs and, if important, should be split out into a separate 
patch/branch associated with a new ticket that explains their 
significance.

  * It makes a memory management change to x509.c which is similarly 
unexplained and also untested.  This should have a unit test and 
possibly also be split off onto a separate ticket.

  * It adds get_extension, get_extensions, check_privatekey, verify, 
repr, and str methods to the X509 type.  Also apparently unrelated to 
CRLs.  Also untested.  Aside from str and repr these seem valuable and 
should be added elsewhere, with tests.  Maybe str and repr are good too, 
but I need to be convinced.

  * It adds str and repr methods to the X509Name type.  Also untested and 
unrelated.

  * Likewise for X509Req.

  * There's a bunch of new code in crypto.c about "crypto_ui" and engines 
which looks like it might be neat, but has nothing to do with crls (and 
has no tests).

  * For the new code that's actually x509 crl related:

    * the whitespace is totally crazy and should be cleaned up

    * there are no unit tests.  I am trying to raise pyOpenSSL to 100% 
line coverage.  That means all new code has to have unit tests.

    * the function docstrings all use the weird old style which is more 
aimed at C programmers than Python programmers.  They should be updated 
to be Python programmer friendly.

    * there's code for dealing with asn1 times copied from another 
pyOpenSSL source file; this should be factored into a common file that 
can be re-used, instead of duplicated.


A lot of these things are easy to remedy.  Just delete some of the 
patch.  However, adding the CRL unit tests is probably real work. 
Someone who's familiar with the CRL APIs can probably make a significant 
dent in this without too much trouble.  If someone can do that, I'll 
make time to re-review the new submission and accept it or provide 
further feedback.

Jean-Paul
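One of the review points above asks for the ASN.1 time handling to be pulled out of the CRL code into a shared helper, with tests. What follows is an added example, not pyOpenSSL's code and not the patch under review, of what such a shared helper could look like in pure Python: a strict RFC 5280 section 4.1.2.5 decoder and encoder for the UTCTime and GeneralizedTime forms that both the certificate side (notBefore/notAfter) and the CRL side (thisUpdate/nextUpdate) would call. All function names and the sample DER byte strings are constructed for this illustration; the two-digit year pivot (50..99 is 19xx, 00..49 is 20xx), the mandatory trailing 'Z', the mandatory seconds and the ban on fractional seconds are the RFC's rules, and the example rejects input that breaks them rather than guessing.

```python
"""Shared ASN.1 time helpers (UTCTime / GeneralizedTime, RFC 5280 4.1.2.5).

Added example, not pyOpenSSL code: the kind of common module that both the
X509 (notBefore/notAfter) and CRL (thisUpdate/nextUpdate) code could share
instead of each carrying its own copy of the parsing logic.
"""
import datetime as dt

UTCTIME_TAG = 0x17          # DER tag for UTCTime
GENERALIZEDTIME_TAG = 0x18  # DER tag for GeneralizedTime
UTC = dt.timezone.utc


class ASN1TimeError(ValueError):
    """Raised for encodings RFC 5280 forbids (no 'Z', fractional seconds, bad tag, ...)."""


def decode_asn1_time(der: bytes) -> dt.datetime:
    """Decode one DER TLV (tag 0x17 or 0x18) into an aware UTC datetime.

    Both forms must end in 'Z' and carry seconds; fractional seconds are not
    allowed.  UTCTime years 50..99 map to 1950..1999, 00..49 to 2000..2049.
    Anything else is rejected instead of being silently coerced.
    """
    if len(der) < 2:
        raise ASN1TimeError("truncated TLV")
    tag, length = der[0], der[1]
    if length >= 0x80:
        raise ASN1TimeError("long-form length is never valid for an ASN.1 time")
    body = der[2:2 + length]
    if len(body) != length or len(der) != 2 + length:
        raise ASN1TimeError("length byte does not match the content")
    if not body.endswith(b"Z"):
        raise ASN1TimeError("ASN.1 time must be expressed in UTC ('Z')")
    # Non-ASCII bytes become U+FFFD, which is not a digit, so they fail below.
    digits = body[:-1].decode("ascii", "replace")
    if not digits.isdigit():
        raise ASN1TimeError("non-digit characters in time (fractional seconds?)")
    if tag == UTCTIME_TAG:
        if len(digits) != 12:
            raise ASN1TimeError("UTCTime must be YYMMDDHHMMSSZ")
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif tag == GENERALIZEDTIME_TAG:
        if len(digits) != 14:
            raise ASN1TimeError("GeneralizedTime must be YYYYMMDDHHMMSSZ")
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ASN1TimeError("tag 0x%02x is not UTCTime or GeneralizedTime" % tag)
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    try:
        return dt.datetime(year, month, day, hour, minute, second, tzinfo=UTC)
    except ValueError as exc:
        raise ASN1TimeError("invalid calendar date: %s" % exc) from exc


def encode_asn1_time(when: dt.datetime) -> bytes:
    """Encode an aware datetime as DER, picking the form RFC 5280 mandates by year.

    Dates in 1950..2049 must use UTCTime, everything else GeneralizedTime.
    """
    if when.tzinfo is None:
        raise ASN1TimeError("naive datetime; pass a timezone-aware value")
    when = when.astimezone(UTC)
    if 1950 <= when.year <= 2049:
        tag, body = UTCTIME_TAG, when.strftime("%y%m%d%H%M%SZ").encode("ascii")
    else:
        tag, body = GENERALIZEDTIME_TAG, when.strftime("%Y%m%d%H%M%SZ").encode("ascii")
    return bytes([tag, len(body)]) + body


def is_within(start: bytes, end: bytes, now: dt.datetime) -> bool:
    """Validity-window check shared by certs (notBefore/notAfter) and CRLs (thisUpdate/nextUpdate)."""
    return decode_asn1_time(start) <= now <= decode_asn1_time(end)


def rejects(der: bytes) -> bool:
    """True if decode_asn1_time refuses the encoding; exercises the failure modes in tests."""
    try:
        decode_asn1_time(der)
    except ASN1TimeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: UTCTime for the date of this mail, 2009-10-18 16:05:14 UTC.
    sample = b"\x17\x0d091018160514Z"
    print(decode_asn1_time(sample).isoformat())
    print(encode_asn1_time(decode_asn1_time(sample)) == sample)
```

The rejection cases are the part a CRL test suite most needs: a lenient parser that tolerates a missing 'Z' or fractional seconds will happily accept a nextUpdate it cannot compare correctly, and the validity decision built on it is then wrong in a way no test for the happy path will catch.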
