wbond / oscrypto

Compiler-free Python crypto library backed by the OS, supporting CPython and PyPy
MIT License

trust_list: Add OID info/filtering #15

Closed wbond closed 8 years ago

wbond commented 8 years ago

Package Control will be switching to use oscrypto.trust_list for TLS trust roots to solve:

In order to do this, we need to tweak trust_list.get_list(). Ideally we need:

  1. A way to filter get_list() by one or more key usage strings/extended key usage OIDs
  2. A new method such as get_list() that will return the list of trust roots along with a set() of their key usage names and extended key usage OIDs

wbond commented 8 years ago

There are three implementations of the trust_list module, one for each OS:

wbond commented 8 years ago

Some OIDs need to be added for OS X: https://github.com/wbond/asn1crypto/issues/17

wbond commented 8 years ago

Additionally, we are going to need to add a "translation" layer for key purposes that will cover the "standard", OS X and Windows variations of OIDs. For instance, Windows uses 1.3.6.1.5.5.7.3.1 (a standard OID for server auth) for SSL, whereas OS X uses 1.2.840.113635.100.1.3.
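
An added sketch, not part of the thread and not oscrypto's code, of the two ideas discussed above: filtering trust roots by purpose and translating the OS X OID to the standard one before comparing. The record layout `(name, trust_oids, reject_oids)`, the function names, and the rule that an explicit reject overrides trust are assumptions; the sample roots are constructed.

```python
# Added illustration: record layout and function names are assumptions,
# not oscrypto's API. Sample entries are constructed.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # standard server auth OID (from the thread)
APPLE_SSL = "1.2.840.113635.100.1.3"    # OID OS X uses for SSL (from the thread)
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # standard emailProtection EKU OID

# Vendor-specific OID -> standard OID. Only the pair named in the thread is listed.
VENDOR_TO_STANDARD = {APPLE_SSL: SERVER_AUTH}


def normalize(oids):
    """Map vendor OIDs onto their standard equivalents; others pass through."""
    return {VENDOR_TO_STANDARD.get(oid, oid) for oid in oids}


def filter_roots(entries, purposes):
    """Return names of roots usable for at least one requested purpose.

    Both sides are normalized first, so a caller asking for the standard OID
    also matches a root that the OS tagged with its vendor OID. A purpose
    listed in reject_oids is removed even if it is also trusted (assumed rule).
    """
    wanted = normalize(purposes)
    kept = []
    for name, trust_oids, reject_oids in entries:
        usable = (normalize(trust_oids) & wanted) - normalize(reject_oids)
        if usable:
            kept.append(name)
    return kept


# Constructed sample data: (name, trusted purpose OIDs, rejected purpose OIDs)
SAMPLE_ROOTS = [
    ("Root A", {SERVER_AUTH}, set()),          # Windows-style tagging
    ("Root B", {APPLE_SSL}, set()),            # OS X-style tagging
    ("Root C", {EMAIL_PROTECTION}, set()),     # not trusted for TLS servers
    ("Root D", {SERVER_AUTH}, {APPLE_SSL}),    # rejected via the vendor OID
]

if __name__ == "__main__":
    print(filter_roots(SAMPLE_ROOTS, {SERVER_AUTH}))
```

Without the normalization step, Root B would be dropped from a TLS trust bundle and Root D would be kept, because the trust and reject sets would be compared under different OID vocabularies.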

wbond commented 8 years ago

As of 41cb25705aabe33003c89dcc307c81cb23ee650b, oscrypto.trust_list now includes trust information for each certificate in the store, and trust_list.get_path() encodes the trust info into a format that OpenSSL understands.

FranklinYu commented 8 years ago

Correct me if I am wrong: this issue is already fixed, and it will solve wbond/package_control#1079 and wbond/package_control#1002 in the next release, correct? So currently we just need to wait patiently for it?

wbond commented 8 years ago

@franklinyu This work will be used to replace the existing code in Package Control for grabbing OS trust roots.

uchuugaka commented 8 years ago

Any chance this would get resolved soon? This is one of the things that drives me nuts with Sublime.

wbond commented 8 years ago

@uchuugaka Work on this issue will continue as time allows. The next step is to add asn1crypto and oscrypto to Package Control as relative imports, possibly with unused submodules removed.

ipv6freely commented 8 years ago

Even if not fixed, is there at least a workaround to mute the message?

FichteFoll commented 8 years ago

@ipv6freely https://github.com/wbond/package_control/pull/1081

ipv6freely commented 8 years ago

@FichteFoll Thank you!