[issue18138] ssl.SSLContext.add_cert()

2013-11-20 Thread Christian Heimes

Christian Heimes added the comment:

I think the patch in #16487 does too many things at once. The new patch is a 
draft for a new patch that adds SSLContext.load_verify_locations(cadata) to the 
SSL module. cadata can be a bunch of PEM encoded certs (ASCII) or DER encoded 
certs (bytes-like). The patch may contain bugs as I haven't verified all error 
paths yet.

--
Added file: http://bugs.python.org/file32731/ssl_cadata.patch

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue18138] ssl.SSLContext.add_cert()

2013-06-25 Thread Jesús Cea Avión

Changes by Jesús Cea Avión :


--
nosy: +jcea




[issue18138] ssl.SSLContext.add_cert()

2013-06-18 Thread Christian Heimes

Changes by Christian Heimes :


Added file: http://bugs.python.org/file30643/sslctx_add_cert5.patch




[issue18138] ssl.SSLContext.add_cert()

2013-06-18 Thread Christian Heimes

Christian Heimes added the comment:

Yes, I have seen them. In fact OpenSSL has library, function and reason.

if ((ERR_GET_LIB(errcode) == ERR_LIB_X509) &&
    (ERR_GET_REASON(errcode) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) {}

I'm going for 3)

--




[issue18138] ssl.SSLContext.add_cert()

2013-06-18 Thread Antoine Pitrou

Antoine Pitrou added the comment:

On Tuesday, 18 June 2013 at 17:30 +, Christian Heimes wrote:
> Christian Heimes added the comment:
> 
> I'm pondering about the error case "cert already in hash table". There
> should be a way to distinguish the error from other errors.

I don't know if you've seen it, but SSLError has "library" and "reason"
attributes (they are little known). See SSLErrorTests.

>  I see three ways to handle the case:
> 
> 1) introduce SSLCertInStoreError exception
> 2) ignore the error and do nothing
> 3) ignore the error and return True if a cert was added or False if
> the cert is already in the store
> 
> I like 3).

Yes, sounds reasonable.

--




[issue18138] ssl.SSLContext.add_cert()

2013-06-18 Thread Christian Heimes

Christian Heimes added the comment:

I'm pondering about the error case "cert already in hash table". There should 
be a way to distinguish the error from other errors. I see three ways to handle 
the case:

1) introduce SSLCertInStoreError exception
2) ignore the error and do nothing
3) ignore the error and return True if a cert was added or False if the cert is 
already in the store

I like 3).

--




[issue18138] ssl.SSLContext.add_cert()

2013-06-18 Thread Antoine Pitrou

Antoine Pitrou added the comment:

> The check for trailing data ensures that the user gets an error
> message if she tries to load a PEM string with multiple certs. She
> might expect that add_ca_cert(pem) loads all PEM certs from the
> string while in fact PEM_read_bio_X509() only loads the first cert.

I don't think it is useful. Just make the behaviour well-documented.
(there is no security risk in loading too few CA certs)

--




[issue18138] ssl.SSLContext.add_cert()

2013-06-18 Thread Christian Heimes

Christian Heimes added the comment:

Here is a simplified version of the C function. It uses y* or es# "ascii" to 
parse the argument.

The check for trailing data ensures that the user gets an error message if she 
tries to load a PEM string with multiple certs. She might expect that 
add_ca_cert(pem) loads all PEM certs from the string while in fact 
PEM_read_bio_X509() only loads the first cert. The new patch makes the check 
optional.

I still need to find a good name for the option, though...

--
Added file: http://bugs.python.org/file30641/sslctx_add_cert4.patch




[issue18138] ssl.SSLContext.add_cert()

2013-06-09 Thread Christian Heimes

Christian Heimes added the comment:

New patch:

* rename function to add_ca_cert()
* only accept CA certs, no other certs
* raise an error if extra data is found after cert (e.g. two certs). 
PEM_read_bio_X509() silently ignores extra data
* fixes from Ezio's code review
* documentation

--
nosy: +ezio.melotti, pitrou
Added file: http://bugs.python.org/file30519/sslctx_add_cert2.patch




[issue18138] ssl.SSLContext.add_cert()

2013-06-04 Thread Christian Heimes

New submission from Christian Heimes:

The patch implements an add_cert(pem_or_der_data) method for the 
ssl.SSLContext() object. On success the method adds a trusted CA cert to the 
context's internal cert store. The CA certificate can either be an ASCII 
unicode string (PEM format) or buffer object (DER / ASN1 format).

The patch also implements a get_cert_count() method for debugging. I'm going to 
remove that function eventually as it doesn't give correct answers when the 
object table contains CRLs, too. A correct implementation might be useful to 
verify set_default_verify_paths().

I've split up the functions so I can re-use _add_cert() in my upcoming patch 
for an interface to crypt32.dll on Windows.

--
components: Extension Modules
files: sslctx_add_cert.patch
keywords: patch
messages: 190637
nosy: christian.heimes
priority: normal
severity: normal
stage: patch review
status: open
title: ssl.SSLContext.add_cert()
type: enhancement
versions: Python 3.4
Added file: http://bugs.python.org/file30466/sslctx_add_cert.patch
