PyOpenSSL X509Store / Context parity in Cryptography #10393
Comments
cc: @woodruffw Looks like there are two pieces you need here:
Both of these are tracked in #10034. Figuring out CRLs is going to require some API design work on our part. It looks like your implementation relies on having pre-fetched the CRLs, and not loading them on-demand.
…#3568)
- Cryptography update addresses older version of cryptography package containing CVE-2023-50782 & CVE-2024-26130
- certdir now uses cryptography X509 objects and RSA private key objects, instead of PyOpenSSL X509 and Pkey objects. This is largely due to the removal of APIs from PyOpenSSL which we were utilizing for PKCS12 support and the guidance from the PyOpenSSL project to not utilize the ``Crypto`` module in new projects as it is considered deprecated in favor of Cryptography. Per prior discussion, there should be no API stability concerns related to this change since the CertDir class is not exposed via telepath or storm apis.
- certdir is now fully typed. This identified issues where we were declaring bytes as inputs on certdir and Cortex was passing in PEM strings instead of bytes.
- Remove PyOpenSSL use where it is possible to do so. We now only use it for doing X509 path building and certificate verification; eventually we'll be able to remove this in favor of APIs provided by Cryptography ( see pyca/cryptography#10393 pyca/cryptography#10034 )
---------
Co-authored-by: Cisphyx <[email protected]>
#10345 adds verification without a subject. CRL is the remaining piece here. We still need to figure out what we want to do in terms of API design there.
Hello!
I've been working on updating some code to utilize cryptography in favor of PyOpenSSL due to the API deprecation in the older project.
The only code that I cannot currently remove is related to the use of X509Store and X509StoreContext. That is utilized for doing certificate validation. For example:
I believe my use case aligns with #10276 ( doing code signing and/or user cert verification ). Current docs for the verification APIs ( https://cryptography.io/en/42.0.2/x509/verification/ ) don't seem to support setting CRLs or flag setting.
Is this type of use case in scope for work in #10345 ?