Expose X509_V_* constants (#1202)

* Expose X509_V_* constants. * Switch to strategy where cryptography 40.0.2 exposes the constants. * Fix bad merge. * Fix flake. * Link to PR. * Check availability, rather than versions. * Add namespacing. * Add success code to namespace. * Fix lint. * Remove unnecessary conditional. * Update CHANGELOG.rst Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> --------- Co-authored-by: Itamar Turner-Trauring <itamar@pythonspeed.com> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
pyca · Apr 29, 2023 · 2d94946 · 2d94946
1 parent dd90c04
commit 2d94946
Show file tree

Hide file tree

Showing 3 changed files with 112 additions and 1 deletion.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -20,6 +20,8 @@ Changes:
 ^^^^^^^^
 
 - Invalid versions are now rejected in ``OpenSSL.crypto.X509Req.set_version``.
+- Added ``X509VerificationCodes`` to ``OpenSSL.SSL``.
+  `#1202 <https://github.com/pyca/pyopenssl/pull/1202>`_.
 
 23.1.1 (2023-03-28)
 -------------------

diff --git a/setup.py b/setup.py
@@ -98,7 +98,8 @@ def find_meta(meta):
         package_dir={"": "src"},
         install_requires=[
             # Fix cryptographyMinimum in tox.ini when changing this!
-            "cryptography>=38.0.0,<41",
+            # 40.0.0 and .1 are missing X509_V_* constants that we re-export.
+            "cryptography>=38.0.0,<41,!=40.0.0,!=40.0.1",
         ],
         extras_require={
             "test": ["flaky", "pretend", "pytest>=3.0.1"],

diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
@@ -123,6 +123,7 @@
     "Session",
     "Context",
     "Connection",
+    "X509VerificationCodes",
 ]
 
 
@@ -250,6 +251,113 @@
 SSL_CB_HANDSHAKE_START = _lib.SSL_CB_HANDSHAKE_START
 SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HANDSHAKE_DONE
 
+
+class X509VerificationCodes:
+    """
+    Success and error codes for X509 verification, as returned by the
+    underlying ``X509_STORE_CTX_get_error()`` function and passed by pyOpenSSL
+    to verification callback functions.
+
+    See `OpenSSL Verification Errors
+    <https://www.openssl.org/docs/manmaster/man3/X509_verify_cert_error_string.html#ERROR-CODES>`_
+    for details.
+    """
+
+    OK = _lib.X509_V_OK
+    ERR_UNABLE_TO_GET_ISSUER_CERT = _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
+    ERR_UNABLE_TO_GET_CRL = _lib.X509_V_ERR_UNABLE_TO_GET_CRL
+    ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE = (
+        _lib.X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
+    )
+    ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE = (
+        _lib.X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
+    )
+    ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY = (
+        _lib.X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
+    )
+    ERR_CERT_SIGNATURE_FAILURE = _lib.X509_V_ERR_CERT_SIGNATURE_FAILURE
+    ERR_CRL_SIGNATURE_FAILURE = _lib.X509_V_ERR_CRL_SIGNATURE_FAILURE
+    ERR_CERT_NOT_YET_VALID = _lib.X509_V_ERR_CERT_NOT_YET_VALID
+    ERR_CERT_HAS_EXPIRED = _lib.X509_V_ERR_CERT_HAS_EXPIRED
+    ERR_CRL_NOT_YET_VALID = _lib.X509_V_ERR_CRL_NOT_YET_VALID
+    ERR_CRL_HAS_EXPIRED = _lib.X509_V_ERR_CRL_HAS_EXPIRED
+    ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = (
+        _lib.X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
+    )
+    ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = (
+        _lib.X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
+    )
+    ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD = (
+        _lib.X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
+    )
+    ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = (
+        _lib.X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
+    )
+    ERR_OUT_OF_MEM = _lib.X509_V_ERR_OUT_OF_MEM
+    ERR_DEPTH_ZERO_SELF_SIGNED_CERT = (
+        _lib.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+    )
+    ERR_SELF_SIGNED_CERT_IN_CHAIN = _lib.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
+    ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = (
+        _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+    )
+    ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = (
+        _lib.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
+    )
+    ERR_CERT_CHAIN_TOO_LONG = _lib.X509_V_ERR_CERT_CHAIN_TOO_LONG
+    ERR_CERT_REVOKED = _lib.X509_V_ERR_CERT_REVOKED
+    ERR_INVALID_CA = _lib.X509_V_ERR_INVALID_CA
+    ERR_PATH_LENGTH_EXCEEDED = _lib.X509_V_ERR_PATH_LENGTH_EXCEEDED
+    ERR_INVALID_PURPOSE = _lib.X509_V_ERR_INVALID_PURPOSE
+    ERR_CERT_UNTRUSTED = _lib.X509_V_ERR_CERT_UNTRUSTED
+    ERR_CERT_REJECTED = _lib.X509_V_ERR_CERT_REJECTED
+    ERR_SUBJECT_ISSUER_MISMATCH = _lib.X509_V_ERR_SUBJECT_ISSUER_MISMATCH
+    ERR_AKID_SKID_MISMATCH = _lib.X509_V_ERR_AKID_SKID_MISMATCH
+    ERR_AKID_ISSUER_SERIAL_MISMATCH = (
+        _lib.X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
+    )
+    ERR_KEYUSAGE_NO_CERTSIGN = _lib.X509_V_ERR_KEYUSAGE_NO_CERTSIGN
+    ERR_UNABLE_TO_GET_CRL_ISSUER = _lib.X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+    ERR_UNHANDLED_CRITICAL_EXTENSION = (
+        _lib.X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+    )
+    ERR_KEYUSAGE_NO_CRL_SIGN = _lib.X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+    ERR_UNHANDLED_CRITICAL_CRL_EXTENSION = (
+        _lib.X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+    )
+    ERR_INVALID_NON_CA = _lib.X509_V_ERR_INVALID_NON_CA
+    ERR_PROXY_PATH_LENGTH_EXCEEDED = _lib.X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+    ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE = (
+        _lib.X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+    )
+    ERR_PROXY_CERTIFICATES_NOT_ALLOWED = (
+        _lib.X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+    )
+    ERR_INVALID_EXTENSION = _lib.X509_V_ERR_INVALID_EXTENSION
+    ERR_INVALID_POLICY_EXTENSION = _lib.X509_V_ERR_INVALID_POLICY_EXTENSION
+    ERR_NO_EXPLICIT_POLICY = _lib.X509_V_ERR_NO_EXPLICIT_POLICY
+    ERR_DIFFERENT_CRL_SCOPE = _lib.X509_V_ERR_DIFFERENT_CRL_SCOPE
+    ERR_UNSUPPORTED_EXTENSION_FEATURE = (
+        _lib.X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+    )
+    ERR_UNNESTED_RESOURCE = _lib.X509_V_ERR_UNNESTED_RESOURCE
+    ERR_PERMITTED_VIOLATION = _lib.X509_V_ERR_PERMITTED_VIOLATION
+    ERR_EXCLUDED_VIOLATION = _lib.X509_V_ERR_EXCLUDED_VIOLATION
+    ERR_SUBTREE_MINMAX = _lib.X509_V_ERR_SUBTREE_MINMAX
+    ERR_UNSUPPORTED_CONSTRAINT_TYPE = (
+        _lib.X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+    )
+    ERR_UNSUPPORTED_CONSTRAINT_SYNTAX = (
+        _lib.X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+    )
+    ERR_UNSUPPORTED_NAME_SYNTAX = _lib.X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+    ERR_CRL_PATH_VALIDATION_ERROR = _lib.X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+    ERR_HOSTNAME_MISMATCH = _lib.X509_V_ERR_HOSTNAME_MISMATCH
+    ERR_EMAIL_MISMATCH = _lib.X509_V_ERR_EMAIL_MISMATCH
+    ERR_IP_ADDRESS_MISMATCH = _lib.X509_V_ERR_IP_ADDRESS_MISMATCH
+    ERR_APPLICATION_VERIFICATION = _lib.X509_V_ERR_APPLICATION_VERIFICATION
+
+
 # Taken from https://golang.org/src/crypto/x509/root_linux.go
 _CERTIFICATE_FILE_LOCATIONS = [
     "/etc/ssl/certs/ca-certificates.crt",  # Debian/Ubuntu/Gentoo etc.