Author christian.heimes
Recipients christian.heimes, giampaolo.rodola, gvanrossum, janssen, pitrou
Date 2013-11-22.17:18:24
Message-id <1385140705.11.0.110070816916.issue19689@psf.upfronthosting.co.za>
In-reply-to
Content
New patch with enum and more cleanups.

I'd like to explain the rationale for the purpose argument in create_default_context and the ASN1Object thing. There are multiple things involved here. First of all, a certificate may have key usage and extended key usage OIDs in its X509v3 extensions. OpenSSL already checks them according to its mode.

The purpose is also required to load the correct set of certs from a certificate provider (e.g. Windows cert store, Mozilla NSS certdata, Apple's keystore). The system or user can impose additional restrictions for certificates, e.g. disable a cert for TLS web server auth although the X.509 struct specifies 1.3.6.1.5.5.7.3.1 in its X509v3 extensions. NSS certdata also contains invalid certificates or certificates that are not suitable for server auth although the cert claims it.

In order to load only trusted certs for a purpose, the API needs a purpose flag (usually an OID or a NID). Most Linux users have never seen this differentiation because /etc/ssl/certs/ either contains only server auth certs or their distributions screw up. See https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1207004 or http://www.egenix.com/company/news/eGenix-pyOpenSSL-Distribution-0.13.2.1.0.1.5.html
History
Date User Action Args
2013-11-22 17:18:25 christian.heimes set recipients: + christian.heimes, gvanrossum, janssen, pitrou, giampaolo.rodola
2013-11-22 17:18:25 christian.heimes set messageid: <1385140705.11.0.110070816916.issue19689@psf.upfronthosting.co.za>
2013-11-22 17:18:25 christian.heimes link issue19689 messages
2013-11-22 17:18:24 christian.heimes create
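
The purpose-based selection the message above argues for, as an added example that is not part of the patch or of the original message. It uses `ssl.Purpose` and `ssl.create_default_context` as they exist in released Python; `SAMPLE_STORE`, `select_for_purpose` and `context_summary` are hypothetical names, and the store entries are constructed placeholders in the `(cert, encoding, trust)` shape that `ssl.enum_certificates()` returns on Windows.

```python
import ssl

SERVER_OID = ssl.Purpose.SERVER_AUTH.oid   # 1.3.6.1.5.5.7.3.1
CLIENT_OID = ssl.Purpose.CLIENT_AUTH.oid   # 1.3.6.1.5.5.7.3.2

# Constructed sample store. trust is True (no restriction) or the set of
# EKU OIDs the store allows, which may be narrower than the cert's own claim.
SAMPLE_STORE = [
    (b"ca-any", "x509_asn", True),
    (b"ca-server-only", "x509_asn", {SERVER_OID}),
    (b"ca-client-only", "x509_asn", {CLIENT_OID}),
    (b"ca-disabled", "x509_asn", set()),    # every purpose disabled by the store
    (b"pkcs7-bundle", "pkcs_7_asn", True),  # not a single X.509 certificate
]


def select_for_purpose(entries, purpose):
    """Return only the cert blobs the store trusts for the given purpose."""
    selected = []
    for cert, encoding, trust in entries:
        if encoding != "x509_asn":
            continue  # skip anything that is not a plain DER certificate
        if trust is True or purpose.oid in trust:
            selected.append(cert)
    return selected


def context_summary(purpose):
    """Build a default context for the purpose and report what it enforces."""
    ctx = ssl.create_default_context(purpose)
    return {
        "purpose": purpose.shortname,
        "verify_mode": ctx.verify_mode,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    for p in (ssl.Purpose.SERVER_AUTH, ssl.Purpose.CLIENT_AUTH):
        print(p.oid, select_for_purpose(SAMPLE_STORE, p), context_summary(p))
```
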