Enable use of CRL (and more) in verify context #281
Hey all, I submitted the PR mostly to get the testing/coverage goodness and to give others a chance to submit feedback before I spend too much longer on this. I'll add some comments to parts I specifically have questions about.
a certificate. To carry out the actual verification process, see | ||
:py:class:`X509StoreContext`. | ||
""" | ||
|
Not all of the flags below are tested. What do folks prefer I do here: 1) expose all of the flags below and let people use them even though they're not tested or 2) only expose the flags that have been specifically tested?
Also, it appears that I need the latest version of cryptography for this PR to work. How can I do that?
@sholsapp The Travis CI builds run against cryptography master in the allowed failures section. They abruptly error, which is usually a sign of a memory management problem: https://travis-ci.org/pyca/pyopenssl/jobs/67910194
@reaperhulk That's what I thought re: the building against master. I'll find some time to see if I can hunt down a memory error. Thanks for the tip.
I deleted my last couple comments and I think this patch is a red herring. I'm finding that building and testing pyOpenSSL against head of cryptography, even without this patch, is failing at the same location. I narrowed it down to failing on OpenSSL/test/test_ssl.py:361 when instantiating Can someone else reproduce?
@sholsapp Yes I can reproduce. Will have to investigate what's going on tomorrow though.
Thanks @reaperhulk. If I find anything I'll speak up.
@sholsapp calling
""" | ||
Sign the CRL. | ||
|
||
Signing a CRL enables clients to assosciate the CRL itself with an |
typo in 'associate'
Thanks, will fix.
As an update, this segfault is a bug in cryptography master related to conditional names not being stripped. See: pyca/cryptography#2061
Thanks for tracking that down @reaperhulk! 😄
pyca/cryptography#2061 has been fixed. I restarted your builds and it passes on py26 and py27 but there are some issues with the PR on py3.
Thanks @reaperhulk I'll check it out soon.
1f4aab1 to 5c16491
9075124 to dbef1c7
This change adds a number of features to the X509Store class in order to allow use of certificate revocation lists (and more) in verification contexts. Fixes pyca#256
dbef1c7 to 94107a4
FYI, we usually don’t look at PRs unless codecov/commit is 100% (and not 86.36%). IOW the checks must be all green.
@hynek sure thing, that's great that we're at 100% code coverage. I'll get to this soonish.
JFTR, we're not at 100% project-wide; but we require new patches to be fully covered so we catch up one day. :)
@sholsapp - can you rebase this, and let's see where the code coverage is at? Likely only minor changes needed.
Please also do #478 on it. That should pretty much solve all coverage problems.
I have a working patch based on @sholsapp's change, rebased to HEAD & using _openssl_assert(). What's the best way to get that change into this PR? Or do I need a new PR by its nature?
New PR is probably the easiest approach. On Fri, Jun 3, 2016 at 8:48 PM, Dan Sully wrote:
"I disapprove of what you say, but I will defend to the death your right to
Ok, #483 is good to go, passed Travis.