pyopenssl
CRL API gotchas in get_revoked() and serial number
The pyopenssl API for CRLs is kind of weird.
Case 1: crl.get_revoked() returns None for empty CRLs
The natural use case for this is to iterate over the revoked objects like this:
    for revoked in crl.get_revoked():
        ...
This idiom blows up if the CRL contains no revoked entries, because crl.get_revoked() returns None instead of an empty tuple or list.
Case 2: Revoked.get_serial() returns the serial number as a hex-encoded string, but X509.get_serial_number() returns the long integer directly.
To check if a certificate is revoked, you need to compare the serial number of the X509 with the serial number inside the Revoked object.
    if x509.get_serial_number() == revoked.get_serial():
        print("OOPS, doesn't work... wrong types")
Only this works:
    # long() is Python 2; on Python 3 use int(revoked.get_serial(), 16), which works on both
    if x509.get_serial_number() == long(revoked.get_serial(), 16):
        print("Obvious...")
This is just insane.
The API should be more natural to use in a pythonic way, so get_revoked() should return an empty iterable and the get_serial() method should return a long int.
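A small wrapper that works around both gotchas at once, added here as an example (it is not part of the issue or of pyopenssl). The CRL and certificate objects are duck-typed, so the constructed stand-in classes below exercise it without a real CRL; with pyopenssl you would pass crypto.CRL and crypto.X509 objects instead.

```python
def revoked_serials(crl):
    """Return the CRL's revoked serial numbers as a set of ints.

    Gotcha 1: crl.get_revoked() returns None (not an empty tuple) when the
    CRL revokes nothing, so normalise before iterating.
    Gotcha 2: Revoked.get_serial() returns the serial as hex text (str, or
    bytes in newer pyopenssl releases), while X509.get_serial_number()
    returns an int, so each value must be parsed with base 16 first.
    """
    serials = set()
    for entry in crl.get_revoked() or ():
        raw = entry.get_serial()
        if isinstance(raw, bytes):
            raw = raw.decode("ascii")
        serials.add(int(raw, 16))
    return serials


def is_revoked(cert, crl):
    """True if cert's serial number is listed in crl (int compared to int)."""
    return cert.get_serial_number() in revoked_serials(crl)


# Constructed stand-ins that mimic the shape of the pyopenssl API; they are
# only here so the helpers can be demonstrated offline.
class FakeRevoked:
    def __init__(self, hex_serial):
        self.hex_serial = hex_serial

    def get_serial(self):
        return self.hex_serial


class FakeCRL:
    def __init__(self, entries):
        self.entries = entries

    def get_revoked(self):
        # Mirrors pyopenssl: None rather than () when nothing is revoked.
        return tuple(self.entries) or None


class FakeCert:
    def __init__(self, serial):
        self.serial = serial

    def get_serial_number(self):
        return self.serial


EMPTY_CRL = FakeCRL([])
CRL_WITH_TWO = FakeCRL([FakeRevoked("0A"), FakeRevoked(b"FF")])  # serials 10 and 255
```

Calling is_revoked(FakeCert(10), EMPTY_CRL) returns False without tripping over the None, and is_revoked(FakeCert(10), CRL_WITH_TWO) returns True because "0A" parses to 10.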