Add the ability to set a custom verification time on X509Store #567
Conversation
Current coverage is 95.65% (diff: 100%)@@ master #567 diff @@
==========================================
Files 16 16
Lines 5610 5614 +4
Methods 0 0
Messages 0 0
Branches 408 403 -5
==========================================
+ Hits 5356 5370 +14
+ Misses 176 167 -9
+ Partials 78 77 -1
|
| :param datetime vfy_time: The verification time to set on this store. | ||
| :return: ``None`` if the verification time were successfully set. | ||
| """ | ||
| param = _lib.X509_VERIFY_PARAM_new() |
There was a problem hiding this comment.
You'll need to add a param = _ffi.gc(param, X509_VERIFY_PARAM_free) to this. X509_STORE_set1_param increfs it so without a corresponding free to decref after creation it will leak.
There was a problem hiding this comment.
Thanks for your feedback!
When I try:
from OpenSSL._util import lib
lib.X509_VERIFY_PARAM_freeI got this exception on my system: AttributeError: 'module' object has no attribute 'X509_VERIFY_PARAM_free'
It looks like X509_VERIFY_PARAM_free is not exported, I should do a PR on cryptography to export it? or something is wrong on my side?
Thanks!
There was a problem hiding this comment.
Nope, you're quite right it isn't currently exported in cryptography. Please do submit a PR there!
|
I've made the change, I'll push once the cryptography PR has been merged (to make the CI works). |
|
We won't be able to merge this until after we do a cryptography release with the new binding (and this PR will then need to be updated to reflect the new minimum version required), but now we can see if it works against cryptography master :) |
|
I am unfamiliar with the state of docs for X509Store, does this function need to be documented outside of the docstring @hynek? |
| .. versionadded: 16.3.0 | ||
|
|
||
| :param datetime vfy_time: The verification time to set on this store. | ||
| :return: ``None`` if the verification time were successfully set. |
|
On phone but it's gonna need an automethod line somewhere. |
|
@reaperhulk no problem I get it. I'll follow the "Sixteenth Release" milestone of cryptography. Let me know what changes are needed for the doc, I checked |
|
The build fails because it's using I will wait till the new cryptography version is released. |
|
@tsileo cryptography 1.6 is now out :) |
|
Thanks for the heads-up! How should I update the doc to reflect the new minimum version required for cryptography? I can't find any example. And I think it should be OK for the doc due to the Any other change I need to make? |
|
Probably something like "bumped minimum cryptography version to 1.6", but hynek may have a preference. Technically this PR is fine @hynek so if you've got any stylistic nits speak now :) |
|
Before we get into stylistic questions, the new minimum version has to be applied to setup.py/tox.ini. |
|
Done! Let me know if there's something else I need to do :) |
| @@ -9,7 +9,7 @@ deps = | |||
| coverage>=4.2 | |||
| pytest>=3.0.1 | |||
| cryptographyMaster: git+https://github.com/pyca/cryptography.git | |||
| cryptographyMinimum: cryptography<1.4 | |||
| cryptographyMinimum: cryptography==1.6 | |||
There was a problem hiding this comment.
This got to be <1.7 so we always test against the latest 1.6 release.
| @@ -1518,6 +1518,20 @@ def set_flags(self, flags): | |||
| """ | |||
| _openssl_assert(_lib.X509_STORE_set_flags(self._store, flags) != 0) | |||
|
|
|||
| def set_time(self, vfy_time): | |||
| """Set verification time to this store. | |||
| @@ -3740,6 +3740,27 @@ def test_modification_pre_verify(self): | |||
| store_ctx.set_store(store_good) | |||
| self.assertEqual(store_ctx.verify_certificate(), None) | |||
|
|
|||
| def test_verify_with_time(self): | |||
| """ | |||
| :func:`verify_certificate` raises error when the verification time is | |||
There was a problem hiding this comment.
I know the code base is inconsistent in this regard, but please don't use type prefixes like :func: in test doc strings. They are never rendered and there’s no way to verify them at all.
|
As for documenting minimum cryptography version I’m not sure either. Until now, we’ve never really documented it in the CHANGELOG… |
|
@hynek I just pushed the style tweaks and updated the minimum cryptography requirements. |
| @@ -1514,10 +1514,24 @@ def set_flags(self, flags): | |||
|
|
|||
| :param int flags: The verification flags to set on this store. | |||
| See :class:`X509StoreFlags` for available constants. | |||
| :return: ``None`` if the verification flags were successfully set. | |||
There was a problem hiding this comment.
heh you removed the wrong one but I see the qualification is everywhere in this class so just re-add this one and let the other be for now
There was a problem hiding this comment.
Oops, I was checking if it was present in other methods. I just re-added it.
| @@ -1518,6 +1518,21 @@ def set_flags(self, flags): | |||
| """ | |||
| _openssl_assert(_lib.X509_STORE_set_flags(self._store, flags) != 0) | |||
|
|
|||
| def set_time(self, vfy_time): | |||
| """ | |||
| Set verification time to this store. | |||
There was a problem hiding this comment.
Final thing: could you add a few more lines about the what that method is good for? Is that grammar even correct? Honest question. :)
There was a problem hiding this comment.
No problem. Not sure it was correct. It's updated.
|
flake8 is failing |
|
Sorry about that, I fixed the line too long (my config is set at 120 :p) |
|
thanks! |
Upstream changes: * Added OpenSSL.X509Store.set_time() to set a custom verification time when verifying certificate chains. pyca/pyopenssl#567 * Added a collection of functions for working with OCSP stapling. None of these functions make it possible to validate OCSP assertions, only to staple them into the handshake and to retrieve the stapled assertion if provided. Users will need to write their own code to handle OCSP assertions. We specifically added: Context.set_ocsp_server_callback, Context.set_ocsp_client_callback, and Connection.request_ocsp. pyca/pyopenssl#580 * Changed the SSL module's memory allocation policy to avoid zeroing memory it allocates when unnecessary. This reduces CPU usage and memory allocation time by an amount proportional to the size of the allocation. For applications that process a lot of TLS data or that use very lage allocations this can provide considerable performance improvements. pyca/pyopenssl#578 * Automatically set SSL_CTX_set_ecdh_auto() on OpenSSL.SSL.Context. pyca/pyopenssl#575 * Fix empty exceptions from OpenSSL.crypto.load_privatekey(). pyca/pyopenssl#581 The full upstream changelog can be found at: https://pyopenssl.readthedocs.io/en/17.0.0/changelog.html I've also added a patch from pyca/pyopenssl#637 in order to fix the tests, which was the main reason for the version bump because that patch won't apply for 16.2.0. According to the upstream changelog there should be no backwards-incompatible changes, but I've tested building against some of the packages depending on pyopenssl anyway. Regardless of this, the build for pyopenssl fails right now anyway, so the worst that could happen via this commit would be that we break something that's already broken. Signed-off-by: aszlig <[email protected]>
This PR add a
set_timemethods onOpenSSL.crypto.X509Store.This new methods:
X509_VERIFY_PARAMdatetime.datetimeinstance)X509StoreOne things I'm worried about is if the
X509_VERIFY_PARAMshould be "gc"ed manually? or it will be cleaned when theX509Storewill be "gc"ed?I chose to implement the method on
X509Storebecause it's more convenient to set the time only once on the store, and then verify multiple certificates (instead of having to set it in eachX509StoreContext).Thanks!