Christian Heimes <li...@cheimes.de> added the comment:

Senthil,

I'm not a fan of PR 2449 because it provides yet another way to load 
certificates and keys from memory. It's a clever idea to use MemoryBIO here. 
But the approach is *not* compatible with PEP 543. The PEP requires an API that 
can turn a memory blob into a series of certificate objects. PR 2449 doesn't 
enable memory -> certificate. The new API is OpenSSL-specific and restricted to 
PKCS#8 keys in PEM/DER encoding. PEP 543 is extensible for PKCS#11, engine and 
HSM support. PR 2449 is not.

There are other issues with PR 2449. For example, it's missing several GIL 
release calls. The password callback doesn't look correct in some places.

https://github.com/python/cpython/pull/5162 provides a PEP 543-compatible 
implementation (plus additions from pending PR):

>>> import ssl

>>> chain = ssl.Certificate.chain_from_file("Lib/test/ssl_cert.pem")
>>> cas = ssl.Certificate.bundle_from_file("Lib/test/pycacert.pem")
>>> pkey = ssl.PrivateKey.from_file("Lib/test/ssl_key.passwd.pem")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ssl.SSLError: [PEM: BAD_PASSWORD_READ] bad password read (_ssl.c:58)
>>> pkey = ssl.PrivateKey.from_file("Lib/test/ssl_key.passwd.pem", password="somepass")

>>> chain
(<_ssl.Certificate '/C=XY/L=Castle Anthrax/O=Python Software Foundation/CN=localhost'>,)
>>> cas
[<_ssl.Certificate '/C=XY/O=Python Software Foundation CA/CN=our-ca-server'>]

>>> ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
>>> ctx.load_cert_chain(chain, pkey)
>>> ctx.load_verify_locations(cadata=cas)

# get_ca_certs() doesn't return ssl.Certificates yet
>>> ctx.get_ca_certs()
[{'subject': ((('countryName', 'XY'),),
              (('organizationName', 'Python Software Foundation CA'),),
              (('commonName', 'our-ca-server'),)),
  'issuer': ((('countryName', 'XY'),),
             (('organizationName', 'Python Software Foundation CA'),),
             (('commonName', 'our-ca-server'),)),
  'version': 3,
  'serialNumber': 'B09264B1F2DA21D0',
  'notBefore': 'Jan  4 19:47:07 2013 GMT',
  'notAfter': 'Jan  2 19:47:07 2023 GMT'}]

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue16487>
_______________________________________
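As an added example (not code from the tracker message, from PR 2449 or from PR 5162), here is the "memory blob to a series of certificate objects" step the comment attributes to PEP 543, done with the standard library only: the PEM armor is split into labelled blocks, only CERTIFICATE blocks are decoded to DER with ssl.PEM_cert_to_DER_cert, and the certificates are re-armored so they can be handed to SSLContext.load_verify_locations(cadata=...), which is the one in-memory loading path the stdlib ssl module already offers for CA certificates (load_cert_chain still needs files). The sample bundle is constructed: its payloads are made-up bytes, not real X.509 DER, so the example exercises the blob parsing and the key/certificate separation, not OpenSSL.

```python
import base64
import re
import ssl

# One PEM-armored block. The backreference ties the END label to the BEGIN
# label, so a CERTIFICATE block cannot be terminated by an END PRIVATE KEY.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.DOTALL
)


def pem_blocks(blob):
    """Yield (label, armored_text) for every PEM block in a str or bytes blob.

    Text outside the armor (comments, whitespace) is skipped, as it would be
    by OpenSSL's PEM reader.
    """
    if isinstance(blob, bytes):
        blob = blob.decode("ascii")
    for match in _PEM_BLOCK.finditer(blob):
        yield match.group(1), match.group(0)


def certificates_from_memory(blob):
    """Turn a memory blob into a list of DER-encoded certificates (bytes).

    Only CERTIFICATE blocks are returned. Key blocks that share the bundle
    are deliberately ignored rather than silently decoded alongside the
    certificates; a caller that wants the key asks for it explicitly.
    """
    ders = [
        ssl.PEM_cert_to_DER_cert(text)
        for label, text in pem_blocks(blob)
        if label == "CERTIFICATE"
    ]
    if not ders:
        raise ValueError("no CERTIFICATE block found in blob")
    return ders


def certificates_to_cadata(blob):
    """Re-armor only the certificates from the blob.

    The result is a PEM str suitable for
    SSLContext.load_verify_locations(cadata=...), with any private key that
    was present in the original bundle stripped out.
    """
    return "".join(
        ssl.DER_cert_to_PEM_cert(der) for der in certificates_from_memory(blob)
    )


def _armor(label, payload):
    # Helper used only to build the constructed sample below.
    b64 = base64.encodebytes(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"


# Constructed sample bundle: the payloads are made-up bytes, NOT real X.509
# DER, so this parses but cannot be loaded into an SSLContext. A real bundle
# (e.g. a CA file with a leaked key appended) would have the same shape.
SAMPLE_BUNDLE = (
    "# comment line that a PEM parser must skip\n"
    + _armor("CERTIFICATE", b"constructed leaf certificate")
    + _armor("PRIVATE KEY", b"constructed key material that must not reach cadata")
    + _armor("CERTIFICATE", b"constructed intermediate certificate")
)


if __name__ == "__main__":
    for label, _text in pem_blocks(SAMPLE_BUNDLE):
        print("block:", label)
    print(len(certificates_from_memory(SAMPLE_BUNDLE)), "certificate(s)")
    print(certificates_to_cadata(SAMPLE_BUNDLE))
```

With a real bundle, the DER list can also be passed one certificate at a time as `cadata=der_bytes`, since the stdlib accepts either a PEM str or DER bytes there; the string form is convenient when the whole trust store should go in with a single call.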