classification
Title: X509 cert class for ssl module
Type: enhancement Stage: patch review
Components: Extension Modules, SSL Versions: Python 3.7
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: christian.heimes, cvrebert, maker, pitrou, underrun
Priority: high Keywords: patch

Created on 2013-07-05 20:10 by christian.heimes, last changed 2016-09-15 07:53 by christian.heimes.

Files
File name Uploaded Description Edit
ssl_pyx509cert.patch christian.heimes, 2013-07-05 20:10 review
ssl_pyx509cert_match_hostname_fix.patch underrun, 2013-07-26 22:40 review
Messages (10)
msg192353 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-07-05 20:10
I'm working on a X509 certificate class for the SSL module. Eventually methods like getpeercert() are going to return X509 instances and the Python interface can decide if it should return a dict, DER bytes or whatever. IMHO it's a mandatory requirement for OCSP support, too.

The patch contains a very real proof of concept.
msg192354 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-07-05 20:12
Yeah, this is probably inevitable. Major concern is how to maintain compatibility with getpeercert() currently returning a dict. Should we make X509 a dict subclass? (yikes :-))
msg192361 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-07-05 21:10
A dict subclass? Oh heck ...

I have slightly different plans. But first, do you agree that the _ssl C extension and all its methods are consider an internal API? How about the _ssl module's method returns X509 objects and the Python module calls methods on the X509 object like get_info() -> dict or get_der() -> bytes?
msg192362 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-07-05 21:12
> I have slightly different plans. But first, do you agree that the _ssl
> C extension and all its methods are consider an internal API? How
> about the _ssl module's method returns X509 objects and the Python
> module calls methods on the X509 object like get_info() -> dict or
> get_der() -> bytes?

Sounds fine, yes.
msg193762 - (view) Author: Derek Wilson (underrun) Date: 2013-07-26 22:40
For ssl.match_hostname to work with this, you need to get the info dict first. I've attached at patch for it.
msg193940 - (view) Author: Derek Wilson (underrun) Date: 2013-07-30 16:49
actually, i suppose rather than change a bunch of existing functions/methods to handle X509 certs it would make more sense to add new methods to the X509 cert class (like match_hostname) so that old stuff doesn't break.
msg200762 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-10-21 12:23
Bump up my priority. I'd like to get the feature into 3.4 as a foundation for some of my other improvements of the SSL module.
msg203166 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-11-17 14:19
The feature won't be ready for 3.4. I'll work on a PEP for 3.5
msg242605 - (view) Author: Mark Lawrence (BreamoreBoy) * Date: 2015-05-05 18:35
Presumably too late for 3.5 so do we bump this to 3.6?  Alternatively could the Derek Wilson patch make 3.5, there's nearly three weeks until beta 1 is due on 24th May according to https://www.python.org/dev/peps/pep-0478/ ?
msg242606 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2015-05-05 18:45
I've a mostly working prototype at https://github.com/tiran/cpython/tree/feature/x509cert . It's missing documentation, more tests and I have to port it to argument clinic.
History
Date User Action Args
2016-09-15 07:53:09christian.heimessetassignee: christian.heimes
components: + SSL
2016-09-08 15:42:27christian.heimessetversions: + Python 3.7, - Python 3.5
2016-06-12 20:35:13BreamoreBoysetnosy: - BreamoreBoy
2016-06-12 11:23:21christian.heimessetassignee: christian.heimes -> (no value)
2015-05-05 18:45:39christian.heimessetmessages: + msg242606
2015-05-05 18:35:45BreamoreBoysetnosy: + BreamoreBoy
messages: + msg242605
2013-11-17 14:19:34christian.heimessetmessages: + msg203166
versions: + Python 3.5, - Python 3.4
2013-10-21 12:23:28christian.heimessetpriority: normal -> high
assignee: christian.heimes
messages: + msg200762

stage: patch review
2013-07-30 16:49:06underrunsetmessages: + msg193940
2013-07-26 22:40:50underrunsetfiles: + ssl_pyx509cert_match_hostname_fix.patch
nosy: + underrun
messages: + msg193762

2013-07-12 16:44:30cvrebertsetnosy: + cvrebert
2013-07-05 21:12:17pitrousetmessages: + msg192362
2013-07-05 21:10:21christian.heimessetmessages: + msg192361
2013-07-05 20:52:21makersetnosy: + maker
2013-07-05 20:12:22pitrousetmessages: + msg192354
2013-07-05 20:10:37christian.heimescreate