Expose X509_V_* constants #1202

Merged
merged 14 commits into from
Apr 29, 2023
2 changes: 2 additions & 0 deletions CHANGELOG.rst
Expand Up @@ -20,6 +20,8 @@ Changes:
^^^^^^^^

- Invalid versions are now rejected in ``OpenSSL.crypto.X509Req.set_version``.
- Added ``X509VerificationCodes`` to ``OpenSSL.SSL``.
`#1202 </~https://github.com/pyca/pyopenssl/pull/1202>`_.

23.1.1 (2023-03-28)
-------------------
3 changes: 2 additions & 1 deletion setup.py
Expand Up @@ -98,7 +98,8 @@ def find_meta(meta):
package_dir={"": "src"},
install_requires=[
# Fix cryptographyMinimum in tox.ini when changing this!
"cryptography>=38.0.0,<41",
# 40.0.0 and .1 are missing X509_V_* constants that we re-export.
"cryptography>=38.0.0,<41,!=40.0.0,!=40.0.1",
],
extras_require={
"test": ["flaky", "pretend", "pytest>=3.0.1"],
108 changes: 108 additions & 0 deletions src/OpenSSL/SSL.py
Expand Up @@ -123,6 +123,7 @@
"Session",
"Context",
"Connection",
"X509VerificationCodes",
]


Expand Down Expand Up @@ -250,6 +251,113 @@
SSL_CB_HANDSHAKE_START = _lib.SSL_CB_HANDSHAKE_START
SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HANDSHAKE_DONE


class X509VerificationCodes:
"""
Success and error codes for X509 verification, as returned by the
underlying ``X509_STORE_CTX_get_error()`` function and passed by pyOpenSSL
to verification callback functions.

See `OpenSSL Verification Errors
<https://www.openssl.org/docs/manmaster/man3/X509_verify_cert_error_string.html#ERROR-CODES>`_
for details.
"""

OK = _lib.X509_V_OK
ERR_UNABLE_TO_GET_ISSUER_CERT = _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
ERR_UNABLE_TO_GET_CRL = _lib.X509_V_ERR_UNABLE_TO_GET_CRL
ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE = (
_lib.X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
)
ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE = (
_lib.X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
)
ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY = (
_lib.X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
)
ERR_CERT_SIGNATURE_FAILURE = _lib.X509_V_ERR_CERT_SIGNATURE_FAILURE
ERR_CRL_SIGNATURE_FAILURE = _lib.X509_V_ERR_CRL_SIGNATURE_FAILURE
ERR_CERT_NOT_YET_VALID = _lib.X509_V_ERR_CERT_NOT_YET_VALID
ERR_CERT_HAS_EXPIRED = _lib.X509_V_ERR_CERT_HAS_EXPIRED
ERR_CRL_NOT_YET_VALID = _lib.X509_V_ERR_CRL_NOT_YET_VALID
ERR_CRL_HAS_EXPIRED = _lib.X509_V_ERR_CRL_HAS_EXPIRED
ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = (
_lib.X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
)
ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = (
_lib.X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
)
ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD = (
_lib.X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
)
ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = (
_lib.X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
)
ERR_OUT_OF_MEM = _lib.X509_V_ERR_OUT_OF_MEM
ERR_DEPTH_ZERO_SELF_SIGNED_CERT = (
_lib.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
)
ERR_SELF_SIGNED_CERT_IN_CHAIN = _lib.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = (
_lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
)
ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = (
_lib.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
)
ERR_CERT_CHAIN_TOO_LONG = _lib.X509_V_ERR_CERT_CHAIN_TOO_LONG
ERR_CERT_REVOKED = _lib.X509_V_ERR_CERT_REVOKED
ERR_INVALID_CA = _lib.X509_V_ERR_INVALID_CA
ERR_PATH_LENGTH_EXCEEDED = _lib.X509_V_ERR_PATH_LENGTH_EXCEEDED
ERR_INVALID_PURPOSE = _lib.X509_V_ERR_INVALID_PURPOSE
ERR_CERT_UNTRUSTED = _lib.X509_V_ERR_CERT_UNTRUSTED
ERR_CERT_REJECTED = _lib.X509_V_ERR_CERT_REJECTED
ERR_SUBJECT_ISSUER_MISMATCH = _lib.X509_V_ERR_SUBJECT_ISSUER_MISMATCH
ERR_AKID_SKID_MISMATCH = _lib.X509_V_ERR_AKID_SKID_MISMATCH
ERR_AKID_ISSUER_SERIAL_MISMATCH = (
_lib.X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
)
ERR_KEYUSAGE_NO_CERTSIGN = _lib.X509_V_ERR_KEYUSAGE_NO_CERTSIGN
ERR_UNABLE_TO_GET_CRL_ISSUER = _lib.X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
ERR_UNHANDLED_CRITICAL_EXTENSION = (
_lib.X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
)
ERR_KEYUSAGE_NO_CRL_SIGN = _lib.X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
ERR_UNHANDLED_CRITICAL_CRL_EXTENSION = (
_lib.X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
)
ERR_INVALID_NON_CA = _lib.X509_V_ERR_INVALID_NON_CA
ERR_PROXY_PATH_LENGTH_EXCEEDED = _lib.X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE = (
_lib.X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
)
ERR_PROXY_CERTIFICATES_NOT_ALLOWED = (
_lib.X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
)
ERR_INVALID_EXTENSION = _lib.X509_V_ERR_INVALID_EXTENSION
ERR_INVALID_POLICY_EXTENSION = _lib.X509_V_ERR_INVALID_POLICY_EXTENSION
ERR_NO_EXPLICIT_POLICY = _lib.X509_V_ERR_NO_EXPLICIT_POLICY
ERR_DIFFERENT_CRL_SCOPE = _lib.X509_V_ERR_DIFFERENT_CRL_SCOPE
ERR_UNSUPPORTED_EXTENSION_FEATURE = (
_lib.X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
)
ERR_UNNESTED_RESOURCE = _lib.X509_V_ERR_UNNESTED_RESOURCE
ERR_PERMITTED_VIOLATION = _lib.X509_V_ERR_PERMITTED_VIOLATION
ERR_EXCLUDED_VIOLATION = _lib.X509_V_ERR_EXCLUDED_VIOLATION
ERR_SUBTREE_MINMAX = _lib.X509_V_ERR_SUBTREE_MINMAX
ERR_UNSUPPORTED_CONSTRAINT_TYPE = (
_lib.X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
)
ERR_UNSUPPORTED_CONSTRAINT_SYNTAX = (
_lib.X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
)
ERR_UNSUPPORTED_NAME_SYNTAX = _lib.X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
ERR_CRL_PATH_VALIDATION_ERROR = _lib.X509_V_ERR_CRL_PATH_VALIDATION_ERROR
ERR_HOSTNAME_MISMATCH = _lib.X509_V_ERR_HOSTNAME_MISMATCH
ERR_EMAIL_MISMATCH = _lib.X509_V_ERR_EMAIL_MISMATCH
ERR_IP_ADDRESS_MISMATCH = _lib.X509_V_ERR_IP_ADDRESS_MISMATCH
ERR_APPLICATION_VERIFICATION = _lib.X509_V_ERR_APPLICATION_VERIFICATION


# Taken from https://golang.org/src/crypto/x509/root_linux.go
_CERTIFICATE_FILE_LOCATIONS = [
"/etc/ssl/certs/ca-certificates.crt", # Debian/Ubuntu/Gentoo etc.
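Review bot: `X509VerificationCodes` is a plain namespace of ints, so a verify callback that logs or alerts on a rejected `errnum` has no way to map it back to a name; declaring it as `class X509VerificationCodes(enum.IntEnum):` keeps every member comparable to the raw int the callback receives while letting diagnostics print `X509VerificationCodes(errnum).name`. Note that the enum lookup raises `ValueError` for any code not listed here (OpenSSL defines further `X509_V_ERR_*` values than this class covers), so such a formatter needs a fallback to the bare number. Every attribute is also resolved from `_lib` at import time, which is why the setup.py hunk excludes cryptography 40.0.0/40.0.1 — a binding missing even one name makes `import OpenSSL.SSL` fail with AttributeError; a test asserting that each member is an int would surface that at CI time rather than at first import. The docstring would help callback authors if it stated that `OK` is `X509_V_OK` (zero) and that a callback should return `errnum == X509VerificationCodes.OK` unless it deliberately accepts a specific listed error, rather than returning `True` unconditionally.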