-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PKCS12: return 'friendly name' with PKCS12KeyAndCertificates API #6348
PKCS12: return 'friendly name' with PKCS12KeyAndCertificates API #6348
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This needs docs, changelog, and tests that exercise the new codepath (codecov not reporting is a common problem, but if it did report this would fail coverage).
c2e983f
to
125935e
Compare
Two big comments:
A true PKCS12 object is ridiculous (see: https://www.bouncycastle.org/docs/pkixdocs1.5on/org/bouncycastle/pkcs/PKCS12PfxPduBuilder.html) so maybe what we want is more along the lines of class PKCS12KeyAndCertificates:
@getter
def key -> PRIVATE_KEY_TYPES: ...
@getter
def cert -> PKCS12Certificate: ....
@getter
def additional_certs -> List[PKCS12Certificate]: ...
|
@reaperhulk I guess |
Yeah they're not required so they should be optionals. That's what I get from writing an interface in a GitHub comment 😄 |
0e2b1d7
to
75d7486
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All the new test vectors should be documented in test-vectors.rst
describing what they contain. We have a section named Custom PKCS12 Test Vectors
you can add them to.
e3e920e
to
1d9fb36
Compare
* Add new PKCS12 test vectors for #6348. * Re-create test certs without DSA. * Forgot to adjust the docs.
Ready for rebase |
…KCS12 'friendly name' as well.
…or all certificates; add serialize_key_and_certificates_with_names; add X509_alias_set1 to cffi; add basic tests for all these.
… names for all certificates; add serialize_key_and_certificates_with_names; add X509_alias_set1 to cffi; add basic tests for all these." This reverts commit 125935e.
44aabb1
to
bdb15e8
Compare
I don't think the cancelled test is related to this PR. |
@reaperhulk thanks a lot for guiding this new feature, and for reviewing and merging! |
This PR provides a new API asked for in #5760 to return the 'friendly name' from a PKCS12 file, which happens to be the name of the "main" certificate with private key that was provided to the
serialize_key_and_certificates
API when creating a PKCS12. This API brings cryptography's API more to par with the API provided by PyOpenSSL. (Now the only remaining differences I'm aware of are related to the encryption algorithm / configuration.)As suggested by @reaperhulk in #5760 (comment), adds a new API which also returns the 'friendly name'. I've adjusted the name slightly to
load_key_and_certificates_with_name
since the storing API (serialize_key_and_certificates
) also usesname
. I've putname
as the first return value of the new API since that's the order of parametersserialize_key_and_certificates
uses. (If these two things should change, I'm happy to do that :) )The old API
load_key_and_certificates
now basically calls the new API and ignores the name.Fixes #5760.