work around openssl 3.1.0 bug and bump for 23.1.1 #1204

reaperhulk · 2023-03-28T00:34:23Z

No description provided.

cryptographyMain does not support 3.6

ShaneHarvey · 2023-03-28T19:05:40Z

Should the other calls to OBJ_nid2sn also be fixed?:

pyopenssl/src/OpenSSL/crypto.py

Line 504 in da18a74

return cls(lib, nid, _ffi.string(lib.OBJ_nid2sn(nid)).decode("ascii"))
pyopenssl/src/OpenSSL/crypto.py

Line 753 in da18a74

name = _lib.OBJ_nid2sn(nid)
pyopenssl/src/OpenSSL/crypto.py

Line 2607 in da18a74

string_type = _lib.OBJ_nid2sn(nid)

reaperhulk · 2023-03-29T00:53:46Z

Passing an undef NID to EllipticCurve.from_nid is already documented as requiring a known NID. In the UNDEF case it will fail sooner on OpenSSL 3.1.0, but that's it. (This is a terrible API in general, as is most of pyOpenSSL, but c'est la vie).

X509Name.get_components appears reachable so I'd be happy to review a patch that fixes that (and adds a test).

PKCS7.get_type_name would be reachable only if someone creates a PKCS7 structure that deliberately does not use known types. That's certainly possible, albeit somewhat involved. If a test exercising the path is created we'd take a patch for this as well.

alex · 2023-03-29T01:08:40Z

It's impossible to use X509Name.get_components with an unknown NID and get a useful result AFAICT. UNDEF as a string there is useless.

…

On Tue, Mar 28, 2023 at 8:53 PM Paul Kehrer ***@***.***> wrote: Passing an undef NID to EllipticCurve.from_nid is already documented as requiring a known NID. In the UNDEF case it will fail sooner on OpenSSL 3.1.0, but that's it. (This is a terrible API in general, as is most of pyOpenSSL, but c'est la vie). X509Name.get_components appears reachable so I'd be happy to review a patch that fixes that (and adds a test). PKCS7.get_type_name would be reachable only if someone creates a PKCS7 structure that deliberately does not use known types. That's certainly possible, albeit somewhat involved. If a test exercising the path is created we'd take a patch for this as well. — Reply to this email directly, view it on GitHub <#1204 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAAGBABSB5JLH5TDFRRHWTW6OB2LANCNFSM6AAAAAAWJ2V3CI> . You are receiving this because you modified the open/close state.Message ID: ***@***.***>

-- All that is necessary for evil to succeed is for good people to do nothing.

ShaneHarvey · 2023-03-29T02:08:12Z

Thanks!

reaperhulk added 2 commits March 28, 2023 09:30

work around openssl 3.1.0 bug and bump for 23.1.1

3cc86cf

remove a CI job that can't succeed

36d34e6

cryptographyMain does not support 3.6

reaperhulk mentioned this pull request Mar 28, 2023

Seeing failures with get_short_name when used with cryptography >=40.0 #1203

Closed

alex approved these changes Mar 28, 2023

View reviewed changes

alex merged commit 12bc43b into pyca:23.1.x Mar 28, 2023
34 checks passed

reaperhulk deleted the handle-null branch March 28, 2023 03:37

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

work around openssl 3.1.0 bug and bump for 23.1.1 #1204

work around openssl 3.1.0 bug and bump for 23.1.1 #1204

reaperhulk commented Mar 28, 2023

ShaneHarvey commented Mar 28, 2023 •

edited

reaperhulk commented Mar 29, 2023

alex commented Mar 29, 2023 via email

ShaneHarvey commented Mar 29, 2023

work around openssl 3.1.0 bug and bump for 23.1.1 #1204

work around openssl 3.1.0 bug and bump for 23.1.1 #1204

Conversation

reaperhulk commented Mar 28, 2023

ShaneHarvey commented Mar 28, 2023 • edited

reaperhulk commented Mar 29, 2023

alex commented Mar 29, 2023 via email

ShaneHarvey commented Mar 29, 2023

ShaneHarvey commented Mar 28, 2023 •

edited