From afc64456e628e42cf189c47a7e1a739f65f79193 Mon Sep 17 00:00:00 2001
From: Itamar Turner-Trauring
Date: Mon, 27 Mar 2023 11:40:16 -0400
Subject: [PATCH 01/11] Expose X509_V_* constants.
---
 CHANGELOG.rst | 2 +
 src/OpenSSL/SSL.py | 122 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 124 insertions(+)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 8de589faf..6a8fad0be 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -16,6 +16,8 @@ Deprecations: Changes: ^^^^^^^^ +- Added ``X509_V_*` constants to ``OpenSSL.SSL``. + 23.1.0 (2023-03-24) -------------------
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index efbf7907e..3444ae9cf 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -6,6 +6,8 @@
 from sys import platform
 from weakref import WeakValueDictionary
+from cryptography import __version__ as _cryptography_version
+
 from OpenSSL._util import (
 UNSPECIFIED as _UNSPECIFIED,
 exception_from_error_queue as _exception_from_error_queue,
@@ -250,6 +252,126 @@ SSL_CB_HANDSHAKE_START = _lib.SSL_CB_HANDSHAKE_START SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HANDSHAKE_DONE +X509_V_OK = _lib.X509_V_OK +# cryptography v40.x releases are missing the X509_V_ERR_* codes; previously +# they were exposed but not formally part of the public API. In v41 they are +# there to support these constants. +if not _cryptography_version.startswith("40."): + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = ( + _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT + ) + X509_V_ERR_UNABLE_TO_GET_CRL = _lib.X509_V_ERR_UNABLE_TO_GET_CRL + X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE = ( + _lib.X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE + ) + X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE = ( + _lib.X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE + ) + X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY = ( + _lib.X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY + ) + X509_V_ERR_CERT_SIGNATURE_FAILURE = _lib.X509_V_ERR_CERT_SIGNATURE_FAILURE + X509_V_ERR_CRL_SIGNATURE_FAILURE = _lib.X509_V_ERR_CRL_SIGNATURE_FAILURE + X509_V_ERR_CERT_NOT_YET_VALID = _lib.X509_V_ERR_CERT_NOT_YET_VALID + X509_V_ERR_CERT_HAS_EXPIRED = _lib.X509_V_ERR_CERT_HAS_EXPIRED + X509_V_ERR_CRL_NOT_YET_VALID = _lib.X509_V_ERR_CRL_NOT_YET_VALID + X509_V_ERR_CRL_HAS_EXPIRED = _lib.X509_V_ERR_CRL_HAS_EXPIRED + X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = ( + _lib.X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD + ) + X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = ( + _lib.X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD + ) + X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD = ( + _lib.X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD + ) + X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = ( + _lib.X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD + ) + X509_V_ERR_OUT_OF_MEM = _lib.X509_V_ERR_OUT_OF_MEM + X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = ( + _lib.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT + ) + X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = ( + _lib.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN + ) + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = ( + 
_lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY + ) + X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = ( + _lib.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE + ) + X509_V_ERR_CERT_CHAIN_TOO_LONG = _lib.X509_V_ERR_CERT_CHAIN_TOO_LONG + X509_V_ERR_CERT_REVOKED = _lib.X509_V_ERR_CERT_REVOKED + X509_V_ERR_INVALID_CA = _lib.X509_V_ERR_INVALID_CA + X509_V_ERR_PATH_LENGTH_EXCEEDED = _lib.X509_V_ERR_PATH_LENGTH_EXCEEDED + X509_V_ERR_INVALID_PURPOSE = _lib.X509_V_ERR_INVALID_PURPOSE + X509_V_ERR_CERT_UNTRUSTED = _lib.X509_V_ERR_CERT_UNTRUSTED + X509_V_ERR_CERT_REJECTED = _lib.X509_V_ERR_CERT_REJECTED + X509_V_ERR_SUBJECT_ISSUER_MISMATCH = ( + _lib.X509_V_ERR_SUBJECT_ISSUER_MISMATCH + ) + X509_V_ERR_AKID_SKID_MISMATCH = _lib.X509_V_ERR_AKID_SKID_MISMATCH + X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH = ( + _lib.X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH + ) + X509_V_ERR_KEYUSAGE_NO_CERTSIGN = _lib.X509_V_ERR_KEYUSAGE_NO_CERTSIGN + X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER = ( + _lib.X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER + ) + X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION = ( + _lib.X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION + ) + X509_V_ERR_KEYUSAGE_NO_CRL_SIGN = _lib.X509_V_ERR_KEYUSAGE_NO_CRL_SIGN + X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION = ( + _lib.X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION + ) + X509_V_ERR_INVALID_NON_CA = _lib.X509_V_ERR_INVALID_NON_CA + X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED = ( + _lib.X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED + ) + X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE = ( + _lib.X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE + ) + X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED = ( + _lib.X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED + ) + X509_V_ERR_INVALID_EXTENSION = _lib.X509_V_ERR_INVALID_EXTENSION + X509_V_ERR_INVALID_POLICY_EXTENSION = ( + _lib.X509_V_ERR_INVALID_POLICY_EXTENSION + ) + X509_V_ERR_NO_EXPLICIT_POLICY = _lib.X509_V_ERR_NO_EXPLICIT_POLICY + X509_V_ERR_DIFFERENT_CRL_SCOPE = _lib.X509_V_ERR_DIFFERENT_CRL_SCOPE + X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE = ( + 
_lib.X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE + ) + X509_V_ERR_UNNESTED_RESOURCE = _lib.X509_V_ERR_UNNESTED_RESOURCE + X509_V_ERR_PERMITTED_VIOLATION = _lib.X509_V_ERR_PERMITTED_VIOLATION + X509_V_ERR_EXCLUDED_VIOLATION = _lib.X509_V_ERR_EXCLUDED_VIOLATION + X509_V_ERR_SUBTREE_MINMAX = _lib.X509_V_ERR_SUBTREE_MINMAX + X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE = ( + _lib.X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE + ) + X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX = ( + _lib.X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX + ) + X509_V_ERR_UNSUPPORTED_NAME_SYNTAX = ( + _lib.X509_V_ERR_UNSUPPORTED_NAME_SYNTAX + ) + X509_V_ERR_CRL_PATH_VALIDATION_ERROR = ( + _lib.X509_V_ERR_CRL_PATH_VALIDATION_ERROR + ) + X509_V_ERR_HOSTNAME_MISMATCH = _lib.X509_V_ERR_HOSTNAME_MISMATCH + X509_V_ERR_EMAIL_MISMATCH = _lib.X509_V_ERR_EMAIL_MISMATCH + X509_V_ERR_IP_ADDRESS_MISMATCH = _lib.X509_V_ERR_IP_ADDRESS_MISMATCH + X509_V_ERR_APPLICATION_VERIFICATION = ( + _lib.X509_V_ERR_APPLICATION_VERIFICATION + ) +for name in list(globals().keys()): + if name.startswith("X509_V_"): + __all__.append(name) + + # Taken from https://golang.org/src/crypto/x509/root_linux.go _CERTIFICATE_FILE_LOCATIONS = [ "/etc/ssl/certs/ca-certificates.crt", # Debian/Ubuntu/Gentoo etc. From cf55484608a4470cc010a36280e601388d1e76b4 Mon Sep 17 00:00:00 2001 From: Itamar Turner-Trauring Date: Tue, 28 Mar 2023 13:11:50 -0400 Subject: [PATCH 02/11] Switch to strategy where cryptography 40.0.2 exposes the constants. --- setup.py | 3 ++- src/OpenSSL/SSL.py | 9 +++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/setup.py b/setup.py index 42bf2c01b..d548ccde3 100644 --- a/setup.py +++ b/setup.py 
@@ -98,7 +98,8 @@ def find_meta(meta):
 package_dir={"": "src"},
 install_requires=[
 # Fix cryptographyMinimum in tox.ini when changing this!
- "cryptography>=38.0.0,<41",
+ # 40.0.0 and .1 are missing X509_V_* constants that we re-export.
+ "cryptography>=38.0.0,<41,!=40.0.0,!=40.0.1",
 ],
 extras_require={
 "test": ["flaky", "pretend", "pytest>=3.0.1"],
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 3444ae9cf..4c27cdd98 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -253,10 +253,11 @@
 SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HANDSHAKE_DONE
 X509_V_OK = _lib.X509_V_OK
-# cryptography v40.x releases are missing the X509_V_ERR_* codes; previously
-# they were exposed but not formally part of the public API. In v41 they are
-# there to support these constants.
-if not _cryptography_version.startswith("40."):
+# cryptography v40.0.0 and .1 releases are missing the X509_V_ERR_* codes;
+# previously they were exposed but not formally part of the public API. Once
+# pyOpenSSL has minimal required cryptography version of 41 this code can be
+# run unconditionally. See https://github.com/pyca/pyopenssl/issues/1206
+if not _cryptography_version in ("40.0.0", "40.0.1"):
 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = (
 _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 )
From 2045c04617d4ce39eae328aaa702d474d931dd91 Mon Sep 17 00:00:00 2001
From: Itamar Turner-Trauring
Date: Tue, 28 Mar 2023 13:15:20 -0400
Subject: [PATCH 03/11] Fix bad merge.
---
 CHANGELOG.rst | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index c73527061..52d0482e7 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -15,9 +15,10 @@ Deprecations: Changes: ^^^^^^^^ + - Added ``X509_V_*` constants to ``OpenSSL.SSL``. -======= + 23.1.1 (2023-03-28) -------------------
From 9fe055c263b70f94ddd016ae25440761887e2669 Mon Sep 17 00:00:00 2001
From: Itamar Turner-Trauring
Date: Tue, 28 Mar 2023 13:17:14 -0400
Subject: [PATCH 04/11] Fix flake.
---
 src/OpenSSL/SSL.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 4c27cdd98..0631e9e2e 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -257,7 +257,7 @@
 # previously they were exposed but not formally part of the public API. Once
 # pyOpenSSL has minimal required cryptography version of 41 this code can be
 # run unconditionally. See https://github.com/pyca/pyopenssl/issues/1206
-if not _cryptography_version in ("40.0.0", "40.0.1"):
+if _cryptography_version not in ("40.0.0", "40.0.1"):
 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = (
 _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 )
From 4fc7a7931dcba5a1c10c1faa480da994253219c9 Mon Sep 17 00:00:00 2001
From: Itamar Turner-Trauring
Date: Fri, 28 Apr 2023 11:13:18 -0400
Subject: [PATCH 05/11] Link to PR.
---
 CHANGELOG.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 52d0482e7..318e4e8df 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -17,7 +17,7 @@ Changes: ^^^^^^^^ - Added ``X509_V_*` constants to ``OpenSSL.SSL``. - + `#1202 `_. 23.1.1 (2023-03-28) -------------------
From 103d051de5a7e51094aab26b50893d0cbba6abbe Mon Sep 17 00:00:00 2001
From: Itamar Turner-Trauring
Date: Fri, 28 Apr 2023 11:15:48 -0400
Subject: [PATCH 06/11] Check availability, rather than versions.
---
 src/OpenSSL/SSL.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 0631e9e2e..998ce1649 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -6,8 +6,6 @@
 from sys import platform
 from weakref import WeakValueDictionary
-from cryptography import __version__ as _cryptography_version
-
 from OpenSSL._util import (
 UNSPECIFIED as _UNSPECIFIED,
 exception_from_error_queue as _exception_from_error_queue,
@@ -257,7 +255,7 @@
 # previously they were exposed but not formally part of the public API. Once
 # pyOpenSSL has minimal required cryptography version of 41 this code can be
 # run unconditionally. See https://github.com/pyca/pyopenssl/issues/1206
-if _cryptography_version not in ("40.0.0", "40.0.1"):
+if hasattr(_lib, "X509_V_ERR_CERT_SIGNATURE_FAILURE"):
 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = (
 _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 )
From dc1aa08f8243ba8dbf1e0b2983e9f54a3c6811dd Mon Sep 17 00:00:00 2001
From: Itamar Turner-Trauring
Date: Fri, 28 Apr 2023 11:23:09 -0400
Subject: [PATCH 07/11] Add namespacing.
---
 src/OpenSSL/SSL.py | 219 ++++++++++++++++++++++-----------------------
 1 file changed, 106 insertions(+), 113 deletions(-)
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 998ce1649..81b988546 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -251,124 +251,117 @@ SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HANDSHAKE_DONE X509_V_OK = _lib.X509_V_OK + # cryptography v40.0.0 and .1 releases are missing the X509_V_ERR_* codes; # previously they were exposed but not formally part of the public API. Once # pyOpenSSL has minimal required cryptography version of 41 this code can be # run unconditionally. See https://github.com/pyca/pyopenssl/issues/1206 if hasattr(_lib, "X509_V_ERR_CERT_SIGNATURE_FAILURE"): - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = ( - _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT - ) - X509_V_ERR_UNABLE_TO_GET_CRL = _lib.X509_V_ERR_UNABLE_TO_GET_CRL - X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE = ( - _lib.X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE - ) - X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE = ( - _lib.X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE - ) - X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY = ( - _lib.X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY - ) - X509_V_ERR_CERT_SIGNATURE_FAILURE = _lib.X509_V_ERR_CERT_SIGNATURE_FAILURE - X509_V_ERR_CRL_SIGNATURE_FAILURE = _lib.X509_V_ERR_CRL_SIGNATURE_FAILURE - X509_V_ERR_CERT_NOT_YET_VALID = _lib.X509_V_ERR_CERT_NOT_YET_VALID - X509_V_ERR_CERT_HAS_EXPIRED = _lib.X509_V_ERR_CERT_HAS_EXPIRED - X509_V_ERR_CRL_NOT_YET_VALID = _lib.X509_V_ERR_CRL_NOT_YET_VALID - X509_V_ERR_CRL_HAS_EXPIRED = _lib.X509_V_ERR_CRL_HAS_EXPIRED - X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = ( - _lib.X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD - ) - X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = ( - _lib.X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD - ) - X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD = ( - _lib.X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD - ) - X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = ( - _lib.X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD - ) - X509_V_ERR_OUT_OF_MEM = _lib.X509_V_ERR_OUT_OF_MEM - X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = ( - _lib.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT - ) - X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = ( - _lib.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN - ) - 
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = ( - _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY - ) - X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = ( - _lib.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE - ) - X509_V_ERR_CERT_CHAIN_TOO_LONG = _lib.X509_V_ERR_CERT_CHAIN_TOO_LONG - X509_V_ERR_CERT_REVOKED = _lib.X509_V_ERR_CERT_REVOKED - X509_V_ERR_INVALID_CA = _lib.X509_V_ERR_INVALID_CA - X509_V_ERR_PATH_LENGTH_EXCEEDED = _lib.X509_V_ERR_PATH_LENGTH_EXCEEDED - X509_V_ERR_INVALID_PURPOSE = _lib.X509_V_ERR_INVALID_PURPOSE - X509_V_ERR_CERT_UNTRUSTED = _lib.X509_V_ERR_CERT_UNTRUSTED - X509_V_ERR_CERT_REJECTED = _lib.X509_V_ERR_CERT_REJECTED - X509_V_ERR_SUBJECT_ISSUER_MISMATCH = ( - _lib.X509_V_ERR_SUBJECT_ISSUER_MISMATCH - ) - X509_V_ERR_AKID_SKID_MISMATCH = _lib.X509_V_ERR_AKID_SKID_MISMATCH - X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH = ( - _lib.X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH - ) - X509_V_ERR_KEYUSAGE_NO_CERTSIGN = _lib.X509_V_ERR_KEYUSAGE_NO_CERTSIGN - X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER = ( - _lib.X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER - ) - X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION = ( - _lib.X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION - ) - X509_V_ERR_KEYUSAGE_NO_CRL_SIGN = _lib.X509_V_ERR_KEYUSAGE_NO_CRL_SIGN - X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION = ( - _lib.X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION - ) - X509_V_ERR_INVALID_NON_CA = _lib.X509_V_ERR_INVALID_NON_CA - X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED = ( - _lib.X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED - ) - X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE = ( - _lib.X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE - ) - X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED = ( - _lib.X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED - ) - X509_V_ERR_INVALID_EXTENSION = _lib.X509_V_ERR_INVALID_EXTENSION - X509_V_ERR_INVALID_POLICY_EXTENSION = ( - _lib.X509_V_ERR_INVALID_POLICY_EXTENSION - ) - X509_V_ERR_NO_EXPLICIT_POLICY = _lib.X509_V_ERR_NO_EXPLICIT_POLICY - X509_V_ERR_DIFFERENT_CRL_SCOPE = _lib.X509_V_ERR_DIFFERENT_CRL_SCOPE - 
X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE = ( - _lib.X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE - ) - X509_V_ERR_UNNESTED_RESOURCE = _lib.X509_V_ERR_UNNESTED_RESOURCE - X509_V_ERR_PERMITTED_VIOLATION = _lib.X509_V_ERR_PERMITTED_VIOLATION - X509_V_ERR_EXCLUDED_VIOLATION = _lib.X509_V_ERR_EXCLUDED_VIOLATION - X509_V_ERR_SUBTREE_MINMAX = _lib.X509_V_ERR_SUBTREE_MINMAX - X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE = ( - _lib.X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE - ) - X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX = ( - _lib.X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX - ) - X509_V_ERR_UNSUPPORTED_NAME_SYNTAX = ( - _lib.X509_V_ERR_UNSUPPORTED_NAME_SYNTAX - ) - X509_V_ERR_CRL_PATH_VALIDATION_ERROR = ( - _lib.X509_V_ERR_CRL_PATH_VALIDATION_ERROR - ) - X509_V_ERR_HOSTNAME_MISMATCH = _lib.X509_V_ERR_HOSTNAME_MISMATCH - X509_V_ERR_EMAIL_MISMATCH = _lib.X509_V_ERR_EMAIL_MISMATCH - X509_V_ERR_IP_ADDRESS_MISMATCH = _lib.X509_V_ERR_IP_ADDRESS_MISMATCH - X509_V_ERR_APPLICATION_VERIFICATION = ( - _lib.X509_V_ERR_APPLICATION_VERIFICATION - ) -for name in list(globals().keys()): - if name.startswith("X509_V_"): - __all__.append(name) + __all__.append("X509VerificationErrors") + + class X509VerificationErrors: + """ + Error codes for X509 verification, as returned by the underlying + ``X509_STORE_CTX_get_error()`` function and passed by pyOpenSSL to + verification callback functions. + + See `OpenSSL Verification Errors + `_ + for details. 
+ """ + + UNABLE_TO_GET_ISSUER_CERT = _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT + UNABLE_TO_GET_CRL = _lib.X509_V_ERR_UNABLE_TO_GET_CRL + UNABLE_TO_DECRYPT_CERT_SIGNATURE = ( + _lib.X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE + ) + UNABLE_TO_DECRYPT_CRL_SIGNATURE = ( + _lib.X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE + ) + UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY = ( + _lib.X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY + ) + CERT_SIGNATURE_FAILURE = _lib.X509_V_ERR_CERT_SIGNATURE_FAILURE + CRL_SIGNATURE_FAILURE = _lib.X509_V_ERR_CRL_SIGNATURE_FAILURE + CERT_NOT_YET_VALID = _lib.X509_V_ERR_CERT_NOT_YET_VALID + CERT_HAS_EXPIRED = _lib.X509_V_ERR_CERT_HAS_EXPIRED + CRL_NOT_YET_VALID = _lib.X509_V_ERR_CRL_NOT_YET_VALID + CRL_HAS_EXPIRED = _lib.X509_V_ERR_CRL_HAS_EXPIRED + ERROR_IN_CERT_NOT_BEFORE_FIELD = ( + _lib.X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD + ) + ERROR_IN_CERT_NOT_AFTER_FIELD = ( + _lib.X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD + ) + ERROR_IN_CRL_LAST_UPDATE_FIELD = ( + _lib.X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD + ) + ERROR_IN_CRL_NEXT_UPDATE_FIELD = ( + _lib.X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD + ) + OUT_OF_MEM = _lib.X509_V_ERR_OUT_OF_MEM + DEPTH_ZERO_SELF_SIGNED_CERT = ( + _lib.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT + ) + SELF_SIGNED_CERT_IN_CHAIN = _lib.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN + UNABLE_TO_GET_ISSUER_CERT_LOCALLY = ( + _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY + ) + UNABLE_TO_VERIFY_LEAF_SIGNATURE = ( + _lib.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE + ) + CERT_CHAIN_TOO_LONG = _lib.X509_V_ERR_CERT_CHAIN_TOO_LONG + CERT_REVOKED = _lib.X509_V_ERR_CERT_REVOKED + INVALID_CA = _lib.X509_V_ERR_INVALID_CA + PATH_LENGTH_EXCEEDED = _lib.X509_V_ERR_PATH_LENGTH_EXCEEDED + INVALID_PURPOSE = _lib.X509_V_ERR_INVALID_PURPOSE + CERT_UNTRUSTED = _lib.X509_V_ERR_CERT_UNTRUSTED + CERT_REJECTED = _lib.X509_V_ERR_CERT_REJECTED + SUBJECT_ISSUER_MISMATCH = _lib.X509_V_ERR_SUBJECT_ISSUER_MISMATCH + AKID_SKID_MISMATCH = _lib.X509_V_ERR_AKID_SKID_MISMATCH 
+ AKID_ISSUER_SERIAL_MISMATCH = ( + _lib.X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH + ) + KEYUSAGE_NO_CERTSIGN = _lib.X509_V_ERR_KEYUSAGE_NO_CERTSIGN + UNABLE_TO_GET_CRL_ISSUER = _lib.X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER + UNHANDLED_CRITICAL_EXTENSION = ( + _lib.X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION + ) + KEYUSAGE_NO_CRL_SIGN = _lib.X509_V_ERR_KEYUSAGE_NO_CRL_SIGN + UNHANDLED_CRITICAL_CRL_EXTENSION = ( + _lib.X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION + ) + INVALID_NON_CA = _lib.X509_V_ERR_INVALID_NON_CA + PROXY_PATH_LENGTH_EXCEEDED = _lib.X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED + KEYUSAGE_NO_DIGITAL_SIGNATURE = ( + _lib.X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE + ) + PROXY_CERTIFICATES_NOT_ALLOWED = ( + _lib.X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED + ) + INVALID_EXTENSION = _lib.X509_V_ERR_INVALID_EXTENSION + INVALID_POLICY_EXTENSION = _lib.X509_V_ERR_INVALID_POLICY_EXTENSION + NO_EXPLICIT_POLICY = _lib.X509_V_ERR_NO_EXPLICIT_POLICY + DIFFERENT_CRL_SCOPE = _lib.X509_V_ERR_DIFFERENT_CRL_SCOPE + UNSUPPORTED_EXTENSION_FEATURE = ( + _lib.X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE + ) + UNNESTED_RESOURCE = _lib.X509_V_ERR_UNNESTED_RESOURCE + PERMITTED_VIOLATION = _lib.X509_V_ERR_PERMITTED_VIOLATION + EXCLUDED_VIOLATION = _lib.X509_V_ERR_EXCLUDED_VIOLATION + SUBTREE_MINMAX = _lib.X509_V_ERR_SUBTREE_MINMAX + UNSUPPORTED_CONSTRAINT_TYPE = ( + _lib.X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE + ) + UNSUPPORTED_CONSTRAINT_SYNTAX = ( + _lib.X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX + ) + UNSUPPORTED_NAME_SYNTAX = _lib.X509_V_ERR_UNSUPPORTED_NAME_SYNTAX + CRL_PATH_VALIDATION_ERROR = _lib.X509_V_ERR_CRL_PATH_VALIDATION_ERROR + HOSTNAME_MISMATCH = _lib.X509_V_ERR_HOSTNAME_MISMATCH + EMAIL_MISMATCH = _lib.X509_V_ERR_EMAIL_MISMATCH + IP_ADDRESS_MISMATCH = _lib.X509_V_ERR_IP_ADDRESS_MISMATCH + APPLICATION_VERIFICATION = _lib.X509_V_ERR_APPLICATION_VERIFICATION # Taken from https://golang.org/src/crypto/x509/root_linux.go From 664fb9f21f06a9891e4f8515cef50273e246ffca Mon Sep 17 00:00:00 2001 
From: Itamar Turner-Trauring
Date: Fri, 28 Apr 2023 11:31:45 -0400
Subject: [PATCH 08/11] Add success code to namespace.
---
 src/OpenSSL/SSL.py | 152 ++++++++++++++++++++++++---------------------
 1 file changed, 80 insertions(+), 72 deletions(-)
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 81b988546..c84ca380c 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -123,6 +123,7 @@
 "Session",
 "Context",
 "Connection",
+ "X509VerificationCodes",
 ]
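Review bot: Adding `X509VerificationCodes` to `__all__` here, together with the removal of the module-level `X509_V_OK` in the next hunk and of the `X509_V_ERR_*` names in PATCH 07, leaves the CHANGELOG entry from PATCH 01 (linked in PATCH 05) announcing `X509_V_*` constants that no longer exist. Unless a later patch in the series updates it, the entry should read `- Added ``X509VerificationCodes`` to ``OpenSSL.SSL``, a namespace for the X509 verification success and error codes.` That entry also has unbalanced RST backticks around `X509_V_*` (two opening, one closing), so it will not render as a literal.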
@@ -250,118 +251,125 @@ SSL_CB_HANDSHAKE_START = _lib.SSL_CB_HANDSHAKE_START SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HANDSHAKE_DONE -X509_V_OK = _lib.X509_V_OK -# cryptography v40.0.0 and .1 releases are missing the X509_V_ERR_* codes; -# previously they were exposed but not formally part of the public API. Once -# pyOpenSSL has minimal required cryptography version of 41 this code can be -# run unconditionally. See https://github.com/pyca/pyopenssl/issues/1206 -if hasattr(_lib, "X509_V_ERR_CERT_SIGNATURE_FAILURE"): - __all__.append("X509VerificationErrors") +class X509VerificationCodes: + """ + Success and error codes for X509 verification, as returned by the + underlying ``X509_STORE_CTX_get_error()`` function and passed by pyOpenSSL + to verification callback functions. - class X509VerificationErrors: - """ - Error codes for X509 verification, as returned by the underlying - ``X509_STORE_CTX_get_error()`` function and passed by pyOpenSSL to - verification callback functions. + See `OpenSSL Verification Errors + `_ + for details. + """ - See `OpenSSL Verification Errors - `_ - for details. - """ + OK = _lib.X509_V_OK - UNABLE_TO_GET_ISSUER_CERT = _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT - UNABLE_TO_GET_CRL = _lib.X509_V_ERR_UNABLE_TO_GET_CRL - UNABLE_TO_DECRYPT_CERT_SIGNATURE = ( + # cryptography v40.0.0 and .1 releases are missing the X509_V_ERR_* codes; + # previously they were exposed but not formally part of the public API. Once + # pyOpenSSL has minimal required cryptography version of 41 this code can be + # run unconditionally. 
See https://github.com/pyca/pyopenssl/issues/1206 + if hasattr(_lib, "X509_V_ERR_CERT_SIGNATURE_FAILURE"): + ERR_UNABLE_TO_GET_ISSUER_CERT = ( + _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT + ) + ERR_UNABLE_TO_GET_CRL = _lib.X509_V_ERR_UNABLE_TO_GET_CRL + ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE = ( _lib.X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE ) - UNABLE_TO_DECRYPT_CRL_SIGNATURE = ( + ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE = ( _lib.X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE ) - UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY = ( + ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY = ( _lib.X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY ) - CERT_SIGNATURE_FAILURE = _lib.X509_V_ERR_CERT_SIGNATURE_FAILURE - CRL_SIGNATURE_FAILURE = _lib.X509_V_ERR_CRL_SIGNATURE_FAILURE - CERT_NOT_YET_VALID = _lib.X509_V_ERR_CERT_NOT_YET_VALID - CERT_HAS_EXPIRED = _lib.X509_V_ERR_CERT_HAS_EXPIRED - CRL_NOT_YET_VALID = _lib.X509_V_ERR_CRL_NOT_YET_VALID - CRL_HAS_EXPIRED = _lib.X509_V_ERR_CRL_HAS_EXPIRED - ERROR_IN_CERT_NOT_BEFORE_FIELD = ( + ERR_CERT_SIGNATURE_FAILURE = _lib.X509_V_ERR_CERT_SIGNATURE_FAILURE + ERR_CRL_SIGNATURE_FAILURE = _lib.X509_V_ERR_CRL_SIGNATURE_FAILURE + ERR_CERT_NOT_YET_VALID = _lib.X509_V_ERR_CERT_NOT_YET_VALID + ERR_CERT_HAS_EXPIRED = _lib.X509_V_ERR_CERT_HAS_EXPIRED + ERR_CRL_NOT_YET_VALID = _lib.X509_V_ERR_CRL_NOT_YET_VALID + ERR_CRL_HAS_EXPIRED = _lib.X509_V_ERR_CRL_HAS_EXPIRED + ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = ( _lib.X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD ) - ERROR_IN_CERT_NOT_AFTER_FIELD = ( + ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = ( _lib.X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD ) - ERROR_IN_CRL_LAST_UPDATE_FIELD = ( + ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD = ( _lib.X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD ) - ERROR_IN_CRL_NEXT_UPDATE_FIELD = ( + ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = ( _lib.X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD ) - OUT_OF_MEM = _lib.X509_V_ERR_OUT_OF_MEM - DEPTH_ZERO_SELF_SIGNED_CERT = ( + ERR_OUT_OF_MEM = _lib.X509_V_ERR_OUT_OF_MEM + ERR_DEPTH_ZERO_SELF_SIGNED_CERT 
= ( _lib.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ) - SELF_SIGNED_CERT_IN_CHAIN = _lib.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN - UNABLE_TO_GET_ISSUER_CERT_LOCALLY = ( + ERR_SELF_SIGNED_CERT_IN_CHAIN = ( + _lib.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN + ) + ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = ( _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ) - UNABLE_TO_VERIFY_LEAF_SIGNATURE = ( + ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = ( _lib.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ) - CERT_CHAIN_TOO_LONG = _lib.X509_V_ERR_CERT_CHAIN_TOO_LONG - CERT_REVOKED = _lib.X509_V_ERR_CERT_REVOKED - INVALID_CA = _lib.X509_V_ERR_INVALID_CA - PATH_LENGTH_EXCEEDED = _lib.X509_V_ERR_PATH_LENGTH_EXCEEDED - INVALID_PURPOSE = _lib.X509_V_ERR_INVALID_PURPOSE - CERT_UNTRUSTED = _lib.X509_V_ERR_CERT_UNTRUSTED - CERT_REJECTED = _lib.X509_V_ERR_CERT_REJECTED - SUBJECT_ISSUER_MISMATCH = _lib.X509_V_ERR_SUBJECT_ISSUER_MISMATCH - AKID_SKID_MISMATCH = _lib.X509_V_ERR_AKID_SKID_MISMATCH - AKID_ISSUER_SERIAL_MISMATCH = ( + ERR_CERT_CHAIN_TOO_LONG = _lib.X509_V_ERR_CERT_CHAIN_TOO_LONG + ERR_CERT_REVOKED = _lib.X509_V_ERR_CERT_REVOKED + ERR_INVALID_CA = _lib.X509_V_ERR_INVALID_CA + ERR_PATH_LENGTH_EXCEEDED = _lib.X509_V_ERR_PATH_LENGTH_EXCEEDED + ERR_INVALID_PURPOSE = _lib.X509_V_ERR_INVALID_PURPOSE + ERR_CERT_UNTRUSTED = _lib.X509_V_ERR_CERT_UNTRUSTED + ERR_CERT_REJECTED = _lib.X509_V_ERR_CERT_REJECTED + ERR_SUBJECT_ISSUER_MISMATCH = _lib.X509_V_ERR_SUBJECT_ISSUER_MISMATCH + ERR_AKID_SKID_MISMATCH = _lib.X509_V_ERR_AKID_SKID_MISMATCH + ERR_AKID_ISSUER_SERIAL_MISMATCH = ( _lib.X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH ) - KEYUSAGE_NO_CERTSIGN = _lib.X509_V_ERR_KEYUSAGE_NO_CERTSIGN - UNABLE_TO_GET_CRL_ISSUER = _lib.X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER - UNHANDLED_CRITICAL_EXTENSION = ( + ERR_KEYUSAGE_NO_CERTSIGN = _lib.X509_V_ERR_KEYUSAGE_NO_CERTSIGN + ERR_UNABLE_TO_GET_CRL_ISSUER = _lib.X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER + ERR_UNHANDLED_CRITICAL_EXTENSION = ( _lib.X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION ) - 
KEYUSAGE_NO_CRL_SIGN = _lib.X509_V_ERR_KEYUSAGE_NO_CRL_SIGN - UNHANDLED_CRITICAL_CRL_EXTENSION = ( + ERR_KEYUSAGE_NO_CRL_SIGN = _lib.X509_V_ERR_KEYUSAGE_NO_CRL_SIGN + ERR_UNHANDLED_CRITICAL_CRL_EXTENSION = ( _lib.X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION ) - INVALID_NON_CA = _lib.X509_V_ERR_INVALID_NON_CA - PROXY_PATH_LENGTH_EXCEEDED = _lib.X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED - KEYUSAGE_NO_DIGITAL_SIGNATURE = ( + ERR_INVALID_NON_CA = _lib.X509_V_ERR_INVALID_NON_CA + ERR_PROXY_PATH_LENGTH_EXCEEDED = ( + _lib.X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED + ) + ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE = ( _lib.X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE ) - PROXY_CERTIFICATES_NOT_ALLOWED = ( + ERR_PROXY_CERTIFICATES_NOT_ALLOWED = ( _lib.X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED ) - INVALID_EXTENSION = _lib.X509_V_ERR_INVALID_EXTENSION - INVALID_POLICY_EXTENSION = _lib.X509_V_ERR_INVALID_POLICY_EXTENSION - NO_EXPLICIT_POLICY = _lib.X509_V_ERR_NO_EXPLICIT_POLICY - DIFFERENT_CRL_SCOPE = _lib.X509_V_ERR_DIFFERENT_CRL_SCOPE - UNSUPPORTED_EXTENSION_FEATURE = ( + ERR_INVALID_EXTENSION = _lib.X509_V_ERR_INVALID_EXTENSION + ERR_INVALID_POLICY_EXTENSION = _lib.X509_V_ERR_INVALID_POLICY_EXTENSION + ERR_NO_EXPLICIT_POLICY = _lib.X509_V_ERR_NO_EXPLICIT_POLICY + ERR_DIFFERENT_CRL_SCOPE = _lib.X509_V_ERR_DIFFERENT_CRL_SCOPE + ERR_UNSUPPORTED_EXTENSION_FEATURE = ( _lib.X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE ) - UNNESTED_RESOURCE = _lib.X509_V_ERR_UNNESTED_RESOURCE - PERMITTED_VIOLATION = _lib.X509_V_ERR_PERMITTED_VIOLATION - EXCLUDED_VIOLATION = _lib.X509_V_ERR_EXCLUDED_VIOLATION - SUBTREE_MINMAX = _lib.X509_V_ERR_SUBTREE_MINMAX - UNSUPPORTED_CONSTRAINT_TYPE = ( + ERR_UNNESTED_RESOURCE = _lib.X509_V_ERR_UNNESTED_RESOURCE + ERR_PERMITTED_VIOLATION = _lib.X509_V_ERR_PERMITTED_VIOLATION + ERR_EXCLUDED_VIOLATION = _lib.X509_V_ERR_EXCLUDED_VIOLATION + ERR_SUBTREE_MINMAX = _lib.X509_V_ERR_SUBTREE_MINMAX + ERR_UNSUPPORTED_CONSTRAINT_TYPE = ( _lib.X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE ) - 
UNSUPPORTED_CONSTRAINT_SYNTAX = ( + ERR_UNSUPPORTED_CONSTRAINT_SYNTAX = ( _lib.X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX ) - UNSUPPORTED_NAME_SYNTAX = _lib.X509_V_ERR_UNSUPPORTED_NAME_SYNTAX - CRL_PATH_VALIDATION_ERROR = _lib.X509_V_ERR_CRL_PATH_VALIDATION_ERROR - HOSTNAME_MISMATCH = _lib.X509_V_ERR_HOSTNAME_MISMATCH - EMAIL_MISMATCH = _lib.X509_V_ERR_EMAIL_MISMATCH - IP_ADDRESS_MISMATCH = _lib.X509_V_ERR_IP_ADDRESS_MISMATCH - APPLICATION_VERIFICATION = _lib.X509_V_ERR_APPLICATION_VERIFICATION + ERR_UNSUPPORTED_NAME_SYNTAX = _lib.X509_V_ERR_UNSUPPORTED_NAME_SYNTAX + ERR_CRL_PATH_VALIDATION_ERROR = ( + _lib.X509_V_ERR_CRL_PATH_VALIDATION_ERROR + ) + ERR_HOSTNAME_MISMATCH = _lib.X509_V_ERR_HOSTNAME_MISMATCH + ERR_EMAIL_MISMATCH = _lib.X509_V_ERR_EMAIL_MISMATCH + ERR_IP_ADDRESS_MISMATCH = _lib.X509_V_ERR_IP_ADDRESS_MISMATCH + ERR_APPLICATION_VERIFICATION = _lib.X509_V_ERR_APPLICATION_VERIFICATION # Taken from https://golang.org/src/crypto/x509/root_linux.go From 3054feca81cd2682a5638911a5423e0a54a005cb Mon Sep 17 00:00:00 2001 From: Itamar Turner-Trauring Date: Fri, 28 Apr 2023 11:35:05 -0400 Subject: [PATCH 09/11] Fix lint. --- src/OpenSSL/SSL.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py index c84ca380c..033005075 100644 --- a/src/OpenSSL/SSL.py +++ b/src/OpenSSL/SSL.py 
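Review bot: The docstring of `X509VerificationCodes` should say that `OK` is the only value meaning the chain verified and that every other member is a failure, and that the members mirror what cryptography's `_lib` binding exposes rather than every code the linked OpenSSL can report, so a verify callback that receives an unlisted code must not treat it as success. I would append to the docstring: `Only ``OK`` indicates success; every other value is a failure. The list is limited to the codes exposed by cryptography's bindings, so a callback may see values not named here and should treat them as failures.` As a point of style, consider `class X509VerificationCodes(IntEnum):` (with `from enum import IntEnum` in the import block, which lies outside this hunk) so that a numeric code handed to a verify callback can be mapped back to its name for logging; members stay comparable to plain ints, assuming the underlying values are distinct as OpenSSL defines them.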
@@ -266,9 +266,10 @@ class X509VerificationCodes:
 OK = _lib.X509_V_OK
 # cryptography v40.0.0 and .1 releases are missing the X509_V_ERR_* codes;
- # previously they were exposed but not formally part of the public API. Once
- # pyOpenSSL has minimal required cryptography version of 41 this code can be
- # run unconditionally. See https://github.com/pyca/pyopenssl/issues/1206
+ # previously they were exposed but not formally part of the public API.
+ # Once pyOpenSSL has minimal required cryptography version of 41 this code
+ # can be run unconditionally. See
+ # https://github.com/pyca/pyopenssl/issues/1206
 if hasattr(_lib, "X509_V_ERR_CERT_SIGNATURE_FAILURE"):
 ERR_UNABLE_TO_GET_ISSUER_CERT = (
 _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
From acb57ee15eac1d38ab0d69205df340707a62d943 Mon Sep 17 00:00:00 2001
From: Itamar Turner-Trauring
Date: Fri, 28 Apr 2023 18:11:29 -0400
Subject: [PATCH 10/11] Remove unnecessary conditional.
---
 src/OpenSSL/SSL.py | 199 +++++++++++++++++++++------------------------
 1 file changed, 92 insertions(+), 107 deletions(-)
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 033005075..b79b18e5b 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -264,113 +264,98 @@ class X509VerificationCodes:
 """
 OK = _lib.X509_V_OK
-
- # cryptography v40.0.0 and .1 releases are missing the X509_V_ERR_* codes;
- # previously they were exposed but not formally part of the public API.
- # Once pyOpenSSL has minimal required cryptography version of 41 this code
- # can be run unconditionally. See
- # https://github.com/pyca/pyopenssl/issues/1206
- if hasattr(_lib, "X509_V_ERR_CERT_SIGNATURE_FAILURE"):
- ERR_UNABLE_TO_GET_ISSUER_CERT = (
- _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
- )
- ERR_UNABLE_TO_GET_CRL = _lib.X509_V_ERR_UNABLE_TO_GET_CRL
- ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE = (
- _lib.X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
- )
- ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE = (
- _lib.X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
- )
- ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY = (
- _lib.X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
- )
- ERR_CERT_SIGNATURE_FAILURE = _lib.X509_V_ERR_CERT_SIGNATURE_FAILURE
- ERR_CRL_SIGNATURE_FAILURE = _lib.X509_V_ERR_CRL_SIGNATURE_FAILURE
- ERR_CERT_NOT_YET_VALID = _lib.X509_V_ERR_CERT_NOT_YET_VALID
- ERR_CERT_HAS_EXPIRED = _lib.X509_V_ERR_CERT_HAS_EXPIRED
- ERR_CRL_NOT_YET_VALID = _lib.X509_V_ERR_CRL_NOT_YET_VALID
- ERR_CRL_HAS_EXPIRED = _lib.X509_V_ERR_CRL_HAS_EXPIRED
- ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = (
- _lib.X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
- )
- ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = (
- _lib.X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
- )
- ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD = (
- _lib.X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
- )
- ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = (
- _lib.X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
- )
- ERR_OUT_OF_MEM = _lib.X509_V_ERR_OUT_OF_MEM
- ERR_DEPTH_ZERO_SELF_SIGNED_CERT = (
- _lib.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
- )
- ERR_SELF_SIGNED_CERT_IN_CHAIN = (
- _lib.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
- )
- ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = (
- _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
- )
- ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = (
- _lib.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
- )
- ERR_CERT_CHAIN_TOO_LONG = _lib.X509_V_ERR_CERT_CHAIN_TOO_LONG
- ERR_CERT_REVOKED = _lib.X509_V_ERR_CERT_REVOKED
- ERR_INVALID_CA = _lib.X509_V_ERR_INVALID_CA
- ERR_PATH_LENGTH_EXCEEDED = _lib.X509_V_ERR_PATH_LENGTH_EXCEEDED
- ERR_INVALID_PURPOSE = _lib.X509_V_ERR_INVALID_PURPOSE
- ERR_CERT_UNTRUSTED = _lib.X509_V_ERR_CERT_UNTRUSTED
- ERR_CERT_REJECTED = _lib.X509_V_ERR_CERT_REJECTED
- ERR_SUBJECT_ISSUER_MISMATCH = _lib.X509_V_ERR_SUBJECT_ISSUER_MISMATCH
- ERR_AKID_SKID_MISMATCH = _lib.X509_V_ERR_AKID_SKID_MISMATCH
- ERR_AKID_ISSUER_SERIAL_MISMATCH = (
- _lib.X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
- )
- ERR_KEYUSAGE_NO_CERTSIGN = _lib.X509_V_ERR_KEYUSAGE_NO_CERTSIGN
- ERR_UNABLE_TO_GET_CRL_ISSUER = _lib.X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
- ERR_UNHANDLED_CRITICAL_EXTENSION = (
- _lib.X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
- )
- ERR_KEYUSAGE_NO_CRL_SIGN = _lib.X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
- ERR_UNHANDLED_CRITICAL_CRL_EXTENSION = (
- _lib.X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
- )
- ERR_INVALID_NON_CA = _lib.X509_V_ERR_INVALID_NON_CA
- ERR_PROXY_PATH_LENGTH_EXCEEDED = (
- _lib.X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
- )
- ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE = (
- _lib.X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
- )
- ERR_PROXY_CERTIFICATES_NOT_ALLOWED = (
- _lib.X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
- )
- ERR_INVALID_EXTENSION = _lib.X509_V_ERR_INVALID_EXTENSION
- ERR_INVALID_POLICY_EXTENSION = _lib.X509_V_ERR_INVALID_POLICY_EXTENSION
- ERR_NO_EXPLICIT_POLICY = _lib.X509_V_ERR_NO_EXPLICIT_POLICY
- ERR_DIFFERENT_CRL_SCOPE = _lib.X509_V_ERR_DIFFERENT_CRL_SCOPE
- ERR_UNSUPPORTED_EXTENSION_FEATURE = (
- _lib.X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
- )
- ERR_UNNESTED_RESOURCE = _lib.X509_V_ERR_UNNESTED_RESOURCE
- ERR_PERMITTED_VIOLATION = _lib.X509_V_ERR_PERMITTED_VIOLATION
- ERR_EXCLUDED_VIOLATION = _lib.X509_V_ERR_EXCLUDED_VIOLATION
- ERR_SUBTREE_MINMAX = _lib.X509_V_ERR_SUBTREE_MINMAX
- ERR_UNSUPPORTED_CONSTRAINT_TYPE = (
- _lib.X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
- )
- ERR_UNSUPPORTED_CONSTRAINT_SYNTAX = (
- _lib.X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
- )
- ERR_UNSUPPORTED_NAME_SYNTAX = _lib.X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
- ERR_CRL_PATH_VALIDATION_ERROR = (
- _lib.X509_V_ERR_CRL_PATH_VALIDATION_ERROR
- )
- ERR_HOSTNAME_MISMATCH = _lib.X509_V_ERR_HOSTNAME_MISMATCH
- ERR_EMAIL_MISMATCH = _lib.X509_V_ERR_EMAIL_MISMATCH
- ERR_IP_ADDRESS_MISMATCH = _lib.X509_V_ERR_IP_ADDRESS_MISMATCH
- ERR_APPLICATION_VERIFICATION = _lib.X509_V_ERR_APPLICATION_VERIFICATION
+ ERR_UNABLE_TO_GET_ISSUER_CERT = _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
+ ERR_UNABLE_TO_GET_CRL = _lib.X509_V_ERR_UNABLE_TO_GET_CRL
+ ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE = (
+ _lib.X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
+ )
+ ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE = (
+ _lib.X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
+ )
+ ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY = (
+ _lib.X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
+ )
+ ERR_CERT_SIGNATURE_FAILURE = _lib.X509_V_ERR_CERT_SIGNATURE_FAILURE
+ ERR_CRL_SIGNATURE_FAILURE = _lib.X509_V_ERR_CRL_SIGNATURE_FAILURE
+ ERR_CERT_NOT_YET_VALID = _lib.X509_V_ERR_CERT_NOT_YET_VALID
+ ERR_CERT_HAS_EXPIRED = _lib.X509_V_ERR_CERT_HAS_EXPIRED
+ ERR_CRL_NOT_YET_VALID = _lib.X509_V_ERR_CRL_NOT_YET_VALID
+ ERR_CRL_HAS_EXPIRED = _lib.X509_V_ERR_CRL_HAS_EXPIRED
+ ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = (
+ _lib.X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
+ )
+ ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = (
+ _lib.X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
+ )
+ ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD = (
+ _lib.X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
+ )
+ ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = (
+ _lib.X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
+ )
+ ERR_OUT_OF_MEM = _lib.X509_V_ERR_OUT_OF_MEM
+ ERR_DEPTH_ZERO_SELF_SIGNED_CERT = (
+ _lib.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+ )
+ ERR_SELF_SIGNED_CERT_IN_CHAIN = _lib.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
+ ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = (
+ _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+ )
+ ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = (
+ _lib.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
+ )
+ ERR_CERT_CHAIN_TOO_LONG = _lib.X509_V_ERR_CERT_CHAIN_TOO_LONG
+ ERR_CERT_REVOKED = _lib.X509_V_ERR_CERT_REVOKED
+ ERR_INVALID_CA = _lib.X509_V_ERR_INVALID_CA
+ ERR_PATH_LENGTH_EXCEEDED = _lib.X509_V_ERR_PATH_LENGTH_EXCEEDED
+ ERR_INVALID_PURPOSE = _lib.X509_V_ERR_INVALID_PURPOSE
+ ERR_CERT_UNTRUSTED = _lib.X509_V_ERR_CERT_UNTRUSTED
+ ERR_CERT_REJECTED = _lib.X509_V_ERR_CERT_REJECTED
+ ERR_SUBJECT_ISSUER_MISMATCH = _lib.X509_V_ERR_SUBJECT_ISSUER_MISMATCH
+ ERR_AKID_SKID_MISMATCH = _lib.X509_V_ERR_AKID_SKID_MISMATCH
+ ERR_AKID_ISSUER_SERIAL_MISMATCH = (
+ _lib.X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
+ )
+ ERR_KEYUSAGE_NO_CERTSIGN = _lib.X509_V_ERR_KEYUSAGE_NO_CERTSIGN
+ ERR_UNABLE_TO_GET_CRL_ISSUER = _lib.X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+ ERR_UNHANDLED_CRITICAL_EXTENSION = (
+ _lib.X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+ )
+ ERR_KEYUSAGE_NO_CRL_SIGN = _lib.X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+ ERR_UNHANDLED_CRITICAL_CRL_EXTENSION = (
+ _lib.X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+ )
+ ERR_INVALID_NON_CA = _lib.X509_V_ERR_INVALID_NON_CA
+ ERR_PROXY_PATH_LENGTH_EXCEEDED = _lib.X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+ ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE = (
+ _lib.X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+ )
+ ERR_PROXY_CERTIFICATES_NOT_ALLOWED = (
+ _lib.X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+ )
+ ERR_INVALID_EXTENSION = _lib.X509_V_ERR_INVALID_EXTENSION
+ ERR_INVALID_POLICY_EXTENSION = _lib.X509_V_ERR_INVALID_POLICY_EXTENSION
+ ERR_NO_EXPLICIT_POLICY = _lib.X509_V_ERR_NO_EXPLICIT_POLICY
+ ERR_DIFFERENT_CRL_SCOPE = _lib.X509_V_ERR_DIFFERENT_CRL_SCOPE
+ ERR_UNSUPPORTED_EXTENSION_FEATURE = (
+ _lib.X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+ )
+ ERR_UNNESTED_RESOURCE = _lib.X509_V_ERR_UNNESTED_RESOURCE
+ ERR_PERMITTED_VIOLATION = _lib.X509_V_ERR_PERMITTED_VIOLATION
+ ERR_EXCLUDED_VIOLATION = _lib.X509_V_ERR_EXCLUDED_VIOLATION
+ ERR_SUBTREE_MINMAX = _lib.X509_V_ERR_SUBTREE_MINMAX
+ ERR_UNSUPPORTED_CONSTRAINT_TYPE = (
+ _lib.X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+ )
+ ERR_UNSUPPORTED_CONSTRAINT_SYNTAX = (
+ _lib.X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+ )
+ ERR_UNSUPPORTED_NAME_SYNTAX = _lib.X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+ ERR_CRL_PATH_VALIDATION_ERROR = _lib.X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+ ERR_HOSTNAME_MISMATCH = _lib.X509_V_ERR_HOSTNAME_MISMATCH
+ ERR_EMAIL_MISMATCH = _lib.X509_V_ERR_EMAIL_MISMATCH
+ ERR_IP_ADDRESS_MISMATCH = _lib.X509_V_ERR_IP_ADDRESS_MISMATCH
+ ERR_APPLICATION_VERIFICATION = _lib.X509_V_ERR_APPLICATION_VERIFICATION
 # Taken from https://golang.org/src/crypto/x509/root_linux.go
From 2bb44e1becfa6af8b024e57b83b03e1a6a883f94 Mon Sep 17 00:00:00 2001
From: Itamar Turner-Trauring
Date: Fri, 28 Apr 2023 21:16:36 -0400
Subject: [PATCH 11/11] Update CHANGELOG.rst
Co-authored-by: Alex Gaynor
---
 CHANGELOG.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 9ebcde949..c03608361 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -20,7 +20,7 @@ Changes:
 ^^^^^^^^
 - Invalid versions are now rejected in ``OpenSSL.crypto.X509Req.set_version``.
-- Added ``X509_V_*` constants to ``OpenSSL.SSL``.
+- Added ``X509VerificationCodes`` to ``OpenSSL.SSL``. `#1202 `_.
 23.1.1 (2023-03-28)
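Review bot: Dropping the `hasattr(_lib, "X509_V_ERR_CERT_SIGNATURE_FAILURE")` guard turns the first new line, `ERR_UNABLE_TO_GET_ISSUER_CERT = _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT`, into an unconditional attribute access at class-body time, so on the cryptography 40.0.0/40.0.1 releases that the removed comment says lack these bindings, `import OpenSSL.SSL` now fails with AttributeError rather than exposing a partially populated class. That is only safe if the package's minimum cryptography requirement is raised to 41 in the same change, which this hunk does not show; presumably it is done elsewhere in the series, but it is worth confirming. Since the removed comment was the only record of why the bindings might be absent, I would keep one line of that rationale above the constants, e.g. `# Unconditional: requires cryptography >= 41, which exposes all X509_V_ERR_* codes.`, so the next reader does not reintroduce the guard. The enclosing class `X509VerificationCodes` starts outside the hunk.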