Message203812
New patch with enum and more cleanups.
I'd like to explain the rationals for the purpose argument in create_default_context and the ASN1Object thing. There are multiple things involved here. First of all a certificate may have key usage and extended key usage OIDs in its X509v3 extensions. OpenSSL already checks them according to its mode.
The purpose is also required to load the correct set of certs from a certificate provider (e.g. Windows cert store, Mozilla NSS certdata, Apple's keystore). The system or user can impose additional restrictions for certificates, e.g. disable a cert for TLS web server auth although the X.509 struct specifies 1.3.6.1.5.5.7.3.1 in its X509v3 extensions. NSS certdata also contains invalid certificates or certificates that are not suitable for server auth although the cert claims it.
In order to load only trusted certs for a purpose the API needs a purpose flag (usually an OID or a NID). Most Linux users have never seen this differentiation because /etc/ssl/certs/ either contains only server auth certs or their distributions screw up, See https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1207004 or http://www.egenix.com/company/news/eGenix-pyOpenSSL-Distribution-0.13.2.1.0.1.5.html |
|
Date |
User |
Action |
Args |
2013-11-22 17:18:25 | christian.heimes | set | recipients:
+ christian.heimes, gvanrossum, janssen, pitrou, giampaolo.rodola |
2013-11-22 17:18:25 | christian.heimes | set | messageid: <1385140705.11.0.110070816916.issue19689@psf.upfronthosting.co.za> |
2013-11-22 17:18:25 | christian.heimes | link | issue19689 messages |
2013-11-22 17:18:24 | christian.heimes | create | |
|