Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PKCS12: return 'friendly name' with PKCS12KeyAndCertificates API #6348

Merged
merged 13 commits into from
Oct 6, 2021
Merged

PKCS12: return 'friendly name' with PKCS12KeyAndCertificates API #6348

merged 13 commits into from
Oct 6, 2021

Conversation

felixfontein
Copy link
Contributor

This PR provides a new API asked for in #5760 to return the 'friendly name' from a PKCS12 file, which happens to be the name of the "main" certificate with private key that was provided to the serialize_key_and_certificates API when creating a PKCS12. This API brings cryptography's API more to par with the API provided by PyOpenSSL. (Now the only remaining differences I'm aware of are related to the encryption algorithm / configuration.)

As suggested by @reaperhulk in #5760 (comment), adds a new API which also returns the 'friendly name'. I've adjusted the name slightly to load_key_and_certificates_with_name since the storing API (serialize_key_and_certificates) also uses name. I've put name as the first return value of the new API since that's the order of parameters serialize_key_and_certificates uses. (If these two things should change, I'm happy to do that :) )

The old API load_key_and_certificates now basically calls the new API and ignores the name.

Fixes #5760.

@felixfontein felixfontein mentioned this pull request Oct 1, 2021
Closed
reaperhulk
reaperhulk reviewed Oct 1, 2021
View reviewed changes
Copy link
Member

@reaperhulk reaperhulk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs docs, changelog, and tests that exercise the new codepath (codecov not reporting is a common problem, but if it did report this would fail coverage).

src/cryptography/hazmat/backends/openssl/backend.py Outdated Show resolved Hide resolved
@felixfontein felixfontein mentioned this pull request Oct 3, 2021
Merged
@felixfontein felixfontein force-pushed the pkcs12-friendly-name-export branch 2 times, most recently from c2e983f to 125935e Compare October 3, 2021 15:25
@patchback patchback bot mentioned this pull request Oct 3, 2021
Merged
@reaperhulk
Copy link
Member

Two big comments:

  1. Let's not make a new serialization API for now. Let's just add a test vector that has multiple aliases and be able to parse that.
  2. I think we need to return a PKCS12 object now, this multiply-nested tuple API is too much.

A true PKCS12 object is ridiculous (see: https://www.bouncycastle.org/docs/pkixdocs1.5on/org/bouncycastle/pkcs/PKCS12PfxPduBuilder.html) so maybe what we want is more along the lines of

class PKCS12KeyAndCertificates:
    @getter
    def key -> PRIVATE_KEY_TYPES: ...

    @getter
    def cert -> PKCS12Certificate: ....

    @getter
    def additional_certs -> List[PKCS12Certificate]: ...
class PKCS12Certificate:
    @getter
    def friendly_name -> bytes: ...

    @getter
    def certificate -> x509.Certificate: ...

@felixfontein
Copy link
Contributor Author

@reaperhulk I guess key and cert in PKCS12KeyAndCertificates should be typing.Optional[]?

@reaperhulk
Copy link
Member

Yeah they're not required so they should be optionals. That's what I get from writing an interface in a GitHub comment 😄

@felixfontein felixfontein force-pushed the pkcs12-friendly-name-export branch 2 times, most recently from 0e2b1d7 to 75d7486 Compare October 4, 2021 17:50
reaperhulk
reaperhulk previously requested changes Oct 4, 2021
View reviewed changes
Copy link
Member

@reaperhulk reaperhulk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the new test vectors should be documented in test-vectors.rst describing what they contain. We have a section named Custom PKCS12 Test Vectors you can add them to.

docs/hazmat/primitives/asymmetric/serialization.rst Outdated Show resolved Hide resolved
docs/x509/reference.rst Outdated Show resolved Hide resolved
@reaperhulk reaperhulk added this to the Thirty Sixth Release milestone Oct 4, 2021
felixfontein added a commit to felixfontein/cryptography that referenced this pull request Oct 5, 2021
@felixfontein
Add new PKCS12 test vectors for pyca#6348.
0bb2bda
@felixfontein felixfontein mentioned this pull request Oct 5, 2021
Merged
reaperhulk pushed a commit that referenced this pull request Oct 6, 2021
@felixfontein
Add new PKCS12 test vectors (#6383)
667e7a5 
* Add new PKCS12 test vectors for #6348.

* Re-create test certs without DSA.

* Forgot to adjust the docs.
@reaperhulk
Copy link
Member

Ready for rebase

@felixfontein
Propose a new load_key_and_certificates_with_name API to return the P…
6ae74e9 
…KCS12 'friendly name' as well.
@felixfontein
Extend load_key_and_certificates_with_name to return friendly names f…
3c2f56e 
…or all certificates; add serialize_key_and_certificates_with_names; add X509_alias_set1 to cffi; add basic tests for all these.
@felixfontein
Add changelog entry and documentation.
6628750
@felixfontein
Revert "Extend load_key_and_certificates_with_name to return friendly…
12be686 
… names for all certificates; add serialize_key_and_certificates_with_names; add X509_alias_set1 to cffi; add basic tests for all these."

This reverts commit 125935e.
@felixfontein
Create new interface.
dd9c280
@felixfontein
Rename load_key_and_certificates_object -> load_pkcs12.
bdb15e8
@felixfontein felixfontein mentioned this pull request Oct 6, 2021
Merged
@felixfontein
Copy link
Contributor Author

I don't think the cancelled test is related to this PR.

@reaperhulk reaperhulk changed the title PKCS12: return 'friendly name' with new load_key_and_certificates_with_name API PKCS12: return 'friendly name' with PKCS12KeyAndCertificates API Oct 6, 2021
@reaperhulk reaperhulk merged commit 17aeaa6 into pyca:main Oct 6, 2021
@felixfontein felixfontein deleted the pkcs12-friendly-name-export branch October 6, 2021 09:15
@felixfontein
Copy link
Contributor Author

@reaperhulk thanks a lot for guiding this new feature, and for reviewing and merging!

@felixfontein felixfontein mentioned this pull request Oct 6, 2021
Closed
@patchback patchback bot mentioned this pull request Nov 22, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@reaperhulk reaperhulk reaperhulk approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
Thirty Sixth Release
Development

Successfully merging this pull request may close these issues.

Being able to read PKCS12 'friendly name'
2 participants
@felixfontein @reaperhulk