pyopenssl
Update X509StoreFlags to latest flags available in cryptography
Here is the current list for pyopenssl https://github.com/pyca/pyopenssl/blob/master/src/OpenSSL/crypto.py#L1556
Here is the list for cryptography https://github.com/pyca/cryptography/blob/d3eae8d7dbcd7ca491531424a4ac8b4838acf199/src/_cffi_src/openssl/x509_vfy.py#L105
Maybe rewrite X509StoreFlags to automatically export any X509_V_FLAG_* attribute from cryptography.
But I am not sure if this is a good idea :) ... so maybe just manually update them from time to time.
>>> for i in dir(lib):
...     if not i.startswith('X509_V_FLAG_'):
...         continue
...     print(i)
...
X509_V_FLAG_ALLOW_PROXY_CERTS
X509_V_FLAG_CB_ISSUER_CHECK
X509_V_FLAG_CHECK_SS_SIGNATURE
X509_V_FLAG_CRL_CHECK
X509_V_FLAG_CRL_CHECK_ALL
X509_V_FLAG_EXPLICIT_POLICY
X509_V_FLAG_EXTENDED_CRL_SUPPORT
X509_V_FLAG_IGNORE_CRITICAL
X509_V_FLAG_INHIBIT_ANY
X509_V_FLAG_INHIBIT_MAP
X509_V_FLAG_NOTIFY_POLICY
X509_V_FLAG_PARTIAL_CHAIN
X509_V_FLAG_POLICY_CHECK
X509_V_FLAG_SUITEB_128_LOS
X509_V_FLAG_SUITEB_128_LOS_ONLY
X509_V_FLAG_SUITEB_192_LOS
X509_V_FLAG_TRUSTED_FIRST
X509_V_FLAG_USE_CHECK_TIME
X509_V_FLAG_USE_DELTAS
X509_V_FLAG_X509_STRICT
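As an added example (not from this thread or from the pyOpenSSL code base), the comparison sketched above turned into a script: it pulls every X509_V_FLAG_* constant out of cryptography's cffi binding and reports which ones have no counterpart on OpenSSL.crypto.X509StoreFlags, and whether any exposed value disagrees with the binding. It assumes both cryptography and pyOpenSSL are importable; the function names audit_flags, binding_flags and exposed_flags are chosen here.

```python
"""Added example, not part of the pyOpenSSL issue or project: audit the
X509StoreFlags mapping against cryptography's OpenSSL binding.

Assumes cryptography and pyOpenSSL are installed.
"""
from cryptography.hazmat.bindings.openssl.binding import Binding
from OpenSSL.crypto import X509StoreFlags

PREFIX = "X509_V_FLAG_"


def binding_flags():
    """name -> int for every X509_V_FLAG_* constant the cffi binding exposes."""
    lib = Binding().lib
    return {n: getattr(lib, n) for n in dir(lib) if n.startswith(PREFIX)}


def exposed_flags():
    """name (without the X509_V_FLAG_ prefix) -> int for each public
    attribute of OpenSSL.crypto.X509StoreFlags."""
    return {
        n: v
        for n, v in vars(X509StoreFlags).items()
        if not n.startswith("_") and isinstance(v, int)
    }


def audit_flags():
    """Return (missing, mismatched).

    missing    - binding constants with no X509StoreFlags attribute,
                 i.e. the ones a manual update would have to add;
    mismatched - names present on both sides whose values differ
                 (expected to be empty, since pyOpenSSL reads the
                 values from the same binding).
    """
    lib_flags = binding_flags()
    py_flags = exposed_flags()
    missing = sorted(n for n in lib_flags if n[len(PREFIX):] not in py_flags)
    mismatched = sorted(
        n
        for n in lib_flags
        if n[len(PREFIX):] in py_flags and py_flags[n[len(PREFIX):]] != lib_flags[n]
    )
    return missing, mismatched


if __name__ == "__main__":
    missing, mismatched = audit_flags()
    print("not exposed by X509StoreFlags:", *missing, sep="\n  ")
    print("value mismatches:", mismatched or "none")
```

Running this on an installed pair of versions is the "manually update them from time to time" step made mechanical: anything in the first list is a flag that can only be set by importing the constant from cryptography's binding.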
Is there a particular motivation here?
On Wed, Dec 2, 2020 at 8:44 AM Adi Roiban wrote:
> Here is the current list for pyopenssl https://github.com/pyca/pyopenssl/blob/master/src/OpenSSL/crypto.py#L1556
> Here is the list for cryptography https://github.com/pyca/cryptography/blob/d3eae8d7dbcd7ca491531424a4ac8b4838acf199/src/_cffi_src/openssl/x509_vfy.py#L105
> Maybe rewrite X509StoreFlags to automatically export any X509_V_FLAG_* attribute from cryptography.
> But I am not sure if this is a good idea :) ... so maybe just manually update them from time to time.
I am looking to use X509_V_FLAG_PARTIAL_CHAIN
For now, I have just defined X509_V_FLAG_PARTIAL_CHAIN = 0x80000 in my code.
Feel free to close this issue if the recommendation is to just use directly the constants defined in cryptography.
I am using the pyopenssl API for defining a context.
Using pyopenssl I can get the OpenSSL.crypto.X509Store instance associated with the context.
https://www.pyopenssl.org/en/stable/api/ssl.html?highlight=get_cert_store#OpenSSL.SSL.Context.get_cert_store
Then using pyopenssl I can use OpenSSL.crypto.X509Store.set_flags() to set a flag on the store.
I think it would be nice to be able to work with the SSL context and store by only importing pyopenssl.
Thanks!
This flag is now exposed in X509StoreFlags.PARTIAL_CHAIN. Here's an example:
from OpenSSL.crypto import X509Store, X509StoreFlags
store = X509Store()
store.set_flags(X509StoreFlags.PARTIAL_CHAIN)
@alex @mhils This can be closed now
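To show what PARTIAL_CHAIN actually changes, here is an added example (not from this thread or from pyOpenSSL) that generates a throw-away root, intermediate and leaf certificate in-process with cryptography, then verifies the leaf through OpenSSL.crypto.X509StoreContext against stores holding different anchors, which is the context/store workflow described in the comment above. It assumes pyOpenSSL 20 or later (for the chain= argument of X509StoreContext) and cryptography; if the installed pyOpenSSL predates 23.0.0 it falls back to the 0x80000 value quoted earlier in the thread. The names build_chain, verify and demo are chosen here.

```python
"""Added example, not part of the pyOpenSSL issue or project: what the
PARTIAL_CHAIN flag does to chain building.

Assumes pyOpenSSL >= 20 and cryptography are installed.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
from OpenSSL.crypto import (
    X509,
    X509Store,
    X509StoreContext,
    X509StoreContextError,
    X509StoreFlags,
)

# Fall back to the constant the reporter hard-coded before 23.0.0 exposed it.
PARTIAL_CHAIN = getattr(X509StoreFlags, "PARTIAL_CHAIN", 0x80000)


def _make_cert(subject_cn, issuer_cert, issuer_key, is_ca):
    """Return (cert, key); issuer_cert=None produces a self-signed root."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    signer = key if issuer_key is None else issuer_key
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signer, hashes.SHA256())
    )
    return cert, key


def build_chain():
    """Constructed test PKI: root -> intermediate -> leaf (names are made up)."""
    root, root_key = _make_cert("Test Root CA", None, None, True)
    inter, inter_key = _make_cert("Test Intermediate CA", root, root_key, True)
    leaf, _ = _make_cert("service.example.test", inter, inter_key, False)
    return root, inter, leaf


def verify(leaf, trusted, untrusted=(), partial_chain=False):
    """Verify leaf against a store holding `trusted`; `untrusted` certs are
    offered as chain candidates only. Returns (ok, openssl_error_text)."""
    store = X509Store()
    for cert in trusted:
        store.add_cert(X509.from_cryptography(cert))
    if partial_chain:
        store.set_flags(PARTIAL_CHAIN)
    ctx = X509StoreContext(
        store,
        X509.from_cryptography(leaf),
        chain=[X509.from_cryptography(c) for c in untrusted],
    )
    try:
        ctx.verify_certificate()
        return True, ""
    except X509StoreContextError as exc:
        return False, str(exc)


def demo():
    """Outcome of each store configuration for the same leaf certificate."""
    root, inter, leaf = build_chain()
    return {
        # Anchor is the intermediate; OpenSSL still wants a self-signed root.
        "intermediate_only": verify(leaf, [inter])[0],
        # Same store, but PARTIAL_CHAIN lets the intermediate be the anchor.
        "intermediate_only_partial": verify(leaf, [inter], partial_chain=True)[0],
        # Root alone cannot reach the leaf without the intermediate.
        "root_only": verify(leaf, [root])[0],
        # Root anchor plus the intermediate supplied as untrusted chain input.
        "root_plus_untrusted_intermediate": verify(leaf, [root], untrusted=[inter])[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:34} {'OK' if ok else 'FAIL'}")
```

The first case fails because, without the flag, a store entry that is not self-signed is only a chain member, not an anchor, so OpenSSL keeps looking for the issuer of the intermediate and reports that it cannot find one; PARTIAL_CHAIN is the documented way to pin trust to an intermediate (for example a private sub-CA) without also trusting everything under its root.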
Thanks for the followup.
This was done in https://github.com/pyca/pyopenssl/pull/1166
Released 23.0.0