From: <ex...@tw...> - 2009-10-18 16:05:36
On 01:45 pm, seb...@gm... wrote:
>Hi,
>
>Is there any progress on this? I mean, will the CRL functionality be in the
>next pyOpenSSL release and if so, when will that be? I'm trying to get a
>python app into Fedora but while a part of its functionality is based on a
>custom patched pyOpenSSL it will probably not be accepted.
>
>Apart from that, it's of course a great feature for pyOpenSSL that will
>benefit everyone :)
>
>thanks,

Hi,

So far, no progress on CRLs in pyOpenSSL. I just took a quick look at the
patch attached to https://bugs.launchpad.net/pyopenssl/+bug/385178 - just
thoroughly enough to see that it is a long way from being ready to include
in trunk. Here's a semi-complete list of what I'd like to see changed about
it:

 * It makes unexplained changes to test_crypto.py; these have nothing to do
   with CRLs and, if important, should be split out into a separate
   patch/branch associated with a new ticket that explains their
   significance.

 * It makes a memory management change to x509.c which is similarly
   unexplained and also untested. This should have a unit test and possibly
   also be split off onto a separate ticket.

 * It adds get_extension, get_extensions, check_privatekey, verify, repr,
   and str methods to the X509 type. Also apparently unrelated to CRLs.
   Also untested. Aside from str and repr these seem valuable and should be
   added elsewhere, with tests. Maybe str and repr are good too, but I need
   to be convinced.

 * It adds str and repr methods to the X509Name type. Also untested and
   unrelated.

 * Likewise for X509Req.

 * There's a bunch of new code in crypto.c about "crypto_ui" and engines
   which looks like it might be neat, but has nothing to do with CRLs (and
   has no tests).

 * For the new code that's actually X509 CRL related:

   * the whitespace is totally crazy and should be cleaned up

   * there are no unit tests. I am trying to raise pyOpenSSL to 100% line
     coverage. That means all new code has to have unit tests.

   * the function docstrings all use the weird old style which is more
     aimed at C programmers than Python programmers. They should be updated
     to be Python programmer friendly.

   * there's code for dealing with ASN.1 times copied from another pyOpenSSL
     source file; this should be factored into a common file that can be
     re-used, instead of duplicated.

A lot of these things are easy to remedy. Just delete some of the patch.
However, adding the CRL unit tests is probably real work. Someone who's
familiar with the CRL APIs can probably make a significant dent in this
without too much trouble. If someone can do that, I'll make time to
re-review the new submission and accept it or provide further feedback.

Jean-Paul
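Two of the review points above, the duplicated ASN.1 time handling and the missing CRL unit tests, are illustrated by the following added example. It is not code from the patch or from pyOpenSSL; it is a hypothetical stand-alone helper of the kind the reviewer asks to be factored into a shared file, written against the time rules of RFC 5280 (UTCTime `YYMMDDHHMMSSZ` for dates through 2049, GeneralizedTime `YYYYMMDDHHMMSSZ` from 2050 on, always UTC), plus a freshness check for a CRL's thisUpdate/nextUpdate window. The function names, the decision to accept both encodings for any year, and the sample timestamps are assumptions made for the example.

```python
"""ASN.1 time helpers for X.509 certificates and CRLs.

Hypothetical example, not pyOpenSSL's own code. The strings handled here
are the ASN1_TIME values found in notBefore/notAfter and in a CRL's
thisUpdate/nextUpdate. RFC 5280 requires them to be in UTC ('Z' suffix),
with seconds and without fractional seconds. Strict parsing matters:
these values decide whether a certificate or a revocation list is trusted.
"""
import re
from datetime import datetime, timezone

# UTCTime: YYMMDDHHMMSSZ, GeneralizedTime: YYYYMMDDHHMMSSZ.
_UTC_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
_GEN_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def parse_asn1_time(value):
    """Parse an ASN.1 UTCTime or GeneralizedTime into an aware UTC datetime.

    Accepts str or bytes (OpenSSL bindings commonly hand these around as
    bytes). Rejects what RFC 5280 forbids: local-time offsets, missing
    seconds, fractional seconds and ill-formed or impossible dates.
    Both encodings are accepted for any year (assumption for this example),
    because OpenSSL will happily present either when reading real certs.
    """
    if isinstance(value, bytes):
        value = value.decode("ascii")
    m = _UTC_RE.match(value)
    if m:
        yy, mo, d, h, mi, s = (int(x) for x in m.groups())
        # RFC 5280 pivot: 50..99 -> 1950..1999, 00..49 -> 2000..2049.
        year = 1900 + yy if yy >= 50 else 2000 + yy
    else:
        m = _GEN_RE.match(value)
        if not m:
            raise ValueError("not an RFC 5280 UTCTime/GeneralizedTime: %r" % value)
        year, mo, d, h, mi, s = (int(x) for x in m.groups())
    try:
        return datetime(year, mo, d, h, mi, s, tzinfo=timezone.utc)
    except ValueError as exc:  # e.g. month 13 or 30 February
        raise ValueError("invalid calendar date in %r: %s" % (value, exc))


def format_asn1_time(dt):
    """Inverse of parse_asn1_time, using the encoding RFC 5280 mandates."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime; X.509 times are always UTC")
    dt = dt.astimezone(timezone.utc)
    if dt.year < 2050:
        return dt.strftime("%y%m%d%H%M%SZ")
    return dt.strftime("%Y%m%d%H%M%SZ")


def crl_is_current(this_update, next_update, now=None):
    """True if `now` lies within the CRL's [thisUpdate, nextUpdate] window.

    A CRL past its nextUpdate must not be relied on: the issuer has
    promised a newer one, and a stale list may omit recent revocations.
    `now` may be an aware datetime or an ASN.1 time string (handy in tests);
    it defaults to the current UTC time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, (str, bytes)):
        now = parse_asn1_time(now)
    return parse_asn1_time(this_update) <= now <= parse_asn1_time(next_update)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real CRL.
    print(parse_asn1_time(b"091018160536Z").isoformat())
    print(crl_is_current("091018160536Z", "091025160536Z", now="091020000000Z"))
```

The tests a reviewer would expect alongside such a helper are the boundary cases: the 1950/2050 pivot, round-tripping between the two encodings, rejection of offsets and truncated strings, and a CRL checked both inside and after its window.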