[issue18138] ssl.SSLContext.add_cert()
Christian Heimes added the comment:

I think the patch in #16487 does too many things at once. The new patch is a draft for a new patch that adds SSLContext.load_verify_locations(cadata) to the SSL module. cadata can be a bunch of PEM encoded certs (ASCII) or DER encoded certs (bytes-like). The patch may contain bugs as I haven't verified all error paths yet.

--
Added file: http://bugs.python.org/file32731/ssl_cadata.patch

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue18138
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue18138] ssl.SSLContext.add_cert()
Changes by Jesús Cea Avión j...@jcea.es:

--
nosy: +jcea
[issue18138] ssl.SSLContext.add_cert()
Christian Heimes added the comment:

Here is a simplified version of the C function. It uses y* or es# ascii to parse the argument. The check for trailing data ensures that the user gets an error message if she tries to load a PEM string with multiple certs. She might expect that add_ca_cert(pem) loads all PEM certs from the string while in fact PEM_read_bio_X509() only loads the first cert. The new patch makes the check optional. I still need to find a good name for the option, though...

--
Added file: http://bugs.python.org/file30641/sslctx_add_cert4.patch
[issue18138] ssl.SSLContext.add_cert()
Antoine Pitrou added the comment:

> The check for trailing data ensures that the user gets an error message if she tries to load a PEM string with multiple certs. She might expect that add_ca_cert(pem) loads all PEM certs from the string while in fact PEM_read_bio_X509() only loads the first cert.

I don't think it is useful. Just make the behaviour well-documented. (there is no security risk in loading too few CA certs)

--
[issue18138] ssl.SSLContext.add_cert()
Christian Heimes added the comment:

I'm pondering about the error case "cert already in hash table". There should be a way to distinguish the error from other errors. I see three ways to handle the case:

1) introduce SSLCertInStoreError exception
2) ignore the error and do nothing
3) ignore the error and return True if a cert was added or False if the cert is already in the store

I like 3).

--
[issue18138] ssl.SSLContext.add_cert()
Antoine Pitrou added the comment:

On Tuesday 18 June 2013 at 17:30, Christian Heimes wrote:
> Christian Heimes added the comment:
>
> I'm pondering about the error case "cert already in hash table". There should be a way to distinguish the error from other errors.

I don't know if you've seen it, but SSLError has library and reason attributes (they are little known). See SSLErrorTests.

> I see three ways to handle the case:
> 1) introduce SSLCertInStoreError exception
> 2) ignore the error and do nothing
> 3) ignore the error and return True if a cert was added or False if the cert is already in the store
> I like 3).

Yes, sounds reasonable.

--
[issue18138] ssl.SSLContext.add_cert()
Christian Heimes added the comment:

Yes, I have seen them. In fact OpenSSL has library, function and reason.

    if ((ERR_GET_LIB(errcode) == ERR_LIB_X509) &&
        (ERR_GET_REASON(errcode) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) {}

I'm going for 3)

--
[issue18138] ssl.SSLContext.add_cert()
Changes by Christian Heimes li...@cheimes.de:

Added file: http://bugs.python.org/file30643/sslctx_add_cert5.patch
[issue18138] ssl.SSLContext.add_cert()
Christian Heimes added the comment:

New patch:

* rename function to add_ca_cert()
* only accept CA certs, no other certs
* raise an error if extra data is found after cert (e.g. two certs). PEM_read_bio_X509() silently ignores extra data
* fixes from Ezio's code review
* documentation

--
nosy: +ezio.melotti, pitrou
Added file: http://bugs.python.org/file30519/sslctx_add_cert2.patch
[issue18138] ssl.SSLContext.add_cert()
New submission from Christian Heimes:

The patch implements an add_cert(pem_or_der_data) method for the ssl.SSLContext() object. On success the method adds a trusted CA cert to the context's internal cert store. The CA certificate can either be an ASCII unicode string (PEM format) or buffer object (DER / ASN1 format).

The patch also implements a get_cert_count() method for debugging. I'm going to remove that function eventually as it doesn't give correct answers when the object table contains CRLs, too. A correct implementation might be useful to verify set_default_verify_paths().

I've split up the functions so I can re-use _add_cert() in my upcoming patch for an interface to crypt32.dll on Windows.

--
components: Extension Modules
files: sslctx_add_cert.patch
keywords: patch
messages: 190637
nosy: christian.heimes
priority: normal
severity: normal
stage: patch review
status: open
title: ssl.SSLContext.add_cert()
type: enhancement
versions: Python 3.4
Added file: http://bugs.python.org/file30466/sslctx_add_cert.patch
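As an added example (not Christian's patch and not CPython's own code), the following Python splitter mirrors the cadata convention the thread settles on (a str is PEM, a bytes-like object is DER), separates a bundle into individual certificates, and refuses trailing residue, which is the "extra data after cert" case that PEM_read_bio_X509() would otherwise skip silently. The sample inputs are constructed placeholders, not real certificates; each piece the splitter returns is what one would hand to ssl.SSLContext.load_verify_locations(cadata=...) or count against it.

```python
import re

# Constructed sample inputs (not real certificates): two PEM blocks with
# placeholder base64 bodies, and two concatenated DER SEQUENCE headers.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholderOne==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholderTwo==\n-----END CERTIFICATE-----\n"
)
SAMPLE_DER = (b"\x30\x82\x01\x00" + b"\x00" * 0x100  # long-form length, 256 bytes
              + b"\x30\x05" + b"\x00" * 5)           # short-form length, 5 bytes

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*[A-Za-z0-9+/=\s]*?-----END CERTIFICATE-----")

def split_pem_certs(pem):
    """Return each PEM block; raise ValueError on any non-whitespace residue
    between or after blocks, which PEM_read_bio_X509() would silently skip."""
    blocks, pos = [], 0
    for m in _PEM_BLOCK.finditer(pem):
        if pem[pos:m.start()].strip():
            raise ValueError("unexpected data before PEM block at offset %d" % pos)
        blocks.append(m.group(0))
        pos = m.end()
    if pem[pos:].strip():
        raise ValueError("trailing data after last PEM block at offset %d" % pos)
    return blocks

def split_der_certs(der):
    """Split concatenated DER certificates on the outer SEQUENCE length."""
    certs, i = [], 0
    while i < len(der):
        if der[i] != 0x30 or i + 1 >= len(der):   # every X.509 cert is a SEQUENCE
            raise ValueError("expected SEQUENCE tag at offset %d" % i)
        first = der[i + 1]
        if first < 0x80:                           # short form: one length byte
            length, hdr = first, 2
        else:                                      # long form: 0x8N then N bytes
            n = first & 0x7F
            length, hdr = int.from_bytes(der[i + 2:i + 2 + n], "big"), 2 + n
        end = i + hdr + length
        if end > len(der):
            raise ValueError("truncated DER certificate at offset %d" % i)
        certs.append(der[i:end])
        i = end
    return certs

def split_cadata(cadata):
    # Same dispatch as the cadata argument: str is PEM, bytes-like is DER.
    if isinstance(cadata, str):
        return split_pem_certs(cadata)
    return split_der_certs(bytes(memoryview(cadata)))
```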