From 2d94946a938878ea10da479b7ac83ab1c434df4d Mon Sep 17 00:00:00 2001
From: Itamar Turner-Trauring <itamar@itamarst.org>
Date: Fri, 28 Apr 2023 21:22:17 -0400
Subject: Expose X509_V_* constants (#1202)

* Expose X509_V_* constants.

* Switch to strategy where cryptography 40.0.2 exposes the constants.

* Fix bad merge.

* Fix flake.

* Link to PR.

* Check availability, rather than versions.

* Add namespacing.

* Add success code to namespace.

* Fix lint.

* Remove unnecessary conditional.

* Update CHANGELOG.rst

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

---------

Co-authored-by: Itamar Turner-Trauring <itamar@pythonspeed.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
---
 CHANGELOG.rst      |   2 +
 setup.py           |   3 +-
 src/OpenSSL/SSL.py | 108 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 112 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index b2b4113..c036083 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -20,6 +20,8 @@ Changes:
 ^^^^^^^^
 
 - Invalid versions are now rejected in ``OpenSSL.crypto.X509Req.set_version``.
+- Added ``X509VerificationCodes`` to ``OpenSSL.SSL``.
+  `#1202 <https://github.com/pyca/pyopenssl/pull/1202>`_.
 
 23.1.1 (2023-03-28)
 -------------------
diff --git a/setup.py b/setup.py
index 42bf2c0..d548ccd 100644
--- a/setup.py
+++ b/setup.py
@@ -98,7 +98,8 @@ if __name__ == "__main__":
         package_dir={"": "src"},
         install_requires=[
             # Fix cryptographyMinimum in tox.ini when changing this!
-            "cryptography>=38.0.0,<41",
+            # 40.0.0 and .1 are missing X509_V_* constants that we re-export.
+            "cryptography>=38.0.0,<41,!=40.0.0,!=40.0.1",
         ],
         extras_require={
             "test": ["flaky", "pretend", "pytest>=3.0.1"],
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index efbf790..b79b18e 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -123,6 +123,7 @@ __all__ = [
     "Session",
     "Context",
     "Connection",
+    "X509VerificationCodes",
 ]
 
 
@@ -250,6 +251,113 @@ SSL_CB_CONNECT_EXIT = _lib.SSL_CB_CONNECT_EXIT
 SSL_CB_HANDSHAKE_START = _lib.SSL_CB_HANDSHAKE_START
 SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HANDSHAKE_DONE
 
+
+class X509VerificationCodes:
+    """
+    Success and error codes for X509 verification, as returned by the
+    underlying ``X509_STORE_CTX_get_error()`` function and passed by pyOpenSSL
+    to verification callback functions.
+
+    See `OpenSSL Verification Errors
+    <https://www.openssl.org/docs/manmaster/man3/X509_verify_cert_error_string.html#ERROR-CODES>`_
+    for details.
+    """
+
+    OK = _lib.X509_V_OK
+    ERR_UNABLE_TO_GET_ISSUER_CERT = _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
+    ERR_UNABLE_TO_GET_CRL = _lib.X509_V_ERR_UNABLE_TO_GET_CRL
+    ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE = (
+        _lib.X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
+    )
+    ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE = (
+        _lib.X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
+    )
+    ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY = (
+        _lib.X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
+    )
+    ERR_CERT_SIGNATURE_FAILURE = _lib.X509_V_ERR_CERT_SIGNATURE_FAILURE
+    ERR_CRL_SIGNATURE_FAILURE = _lib.X509_V_ERR_CRL_SIGNATURE_FAILURE
+    ERR_CERT_NOT_YET_VALID = _lib.X509_V_ERR_CERT_NOT_YET_VALID
+    ERR_CERT_HAS_EXPIRED = _lib.X509_V_ERR_CERT_HAS_EXPIRED
+    ERR_CRL_NOT_YET_VALID = _lib.X509_V_ERR_CRL_NOT_YET_VALID
+    ERR_CRL_HAS_EXPIRED = _lib.X509_V_ERR_CRL_HAS_EXPIRED
+    ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = (
+        _lib.X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
+    )
+    ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = (
+        _lib.X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
+    )
+    ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD = (
+        _lib.X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
+    )
+    ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = (
+        _lib.X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
+    )
+    ERR_OUT_OF_MEM = _lib.X509_V_ERR_OUT_OF_MEM
+    ERR_DEPTH_ZERO_SELF_SIGNED_CERT = (
+        _lib.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+    )
+    ERR_SELF_SIGNED_CERT_IN_CHAIN = _lib.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
+    ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = (
+        _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+    )
+    ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = (
+        _lib.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
+    )
+    ERR_CERT_CHAIN_TOO_LONG = _lib.X509_V_ERR_CERT_CHAIN_TOO_LONG
+    ERR_CERT_REVOKED = _lib.X509_V_ERR_CERT_REVOKED
+    ERR_INVALID_CA = _lib.X509_V_ERR_INVALID_CA
+    ERR_PATH_LENGTH_EXCEEDED = _lib.X509_V_ERR_PATH_LENGTH_EXCEEDED
+    ERR_INVALID_PURPOSE = _lib.X509_V_ERR_INVALID_PURPOSE
+    ERR_CERT_UNTRUSTED = _lib.X509_V_ERR_CERT_UNTRUSTED
+    ERR_CERT_REJECTED = _lib.X509_V_ERR_CERT_REJECTED
+    ERR_SUBJECT_ISSUER_MISMATCH = _lib.X509_V_ERR_SUBJECT_ISSUER_MISMATCH
+    ERR_AKID_SKID_MISMATCH = _lib.X509_V_ERR_AKID_SKID_MISMATCH
+    ERR_AKID_ISSUER_SERIAL_MISMATCH = (
+        _lib.X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
+    )
+    ERR_KEYUSAGE_NO_CERTSIGN = _lib.X509_V_ERR_KEYUSAGE_NO_CERTSIGN
+    ERR_UNABLE_TO_GET_CRL_ISSUER = _lib.X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+    ERR_UNHANDLED_CRITICAL_EXTENSION = (
+        _lib.X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+    )
+    ERR_KEYUSAGE_NO_CRL_SIGN = _lib.X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+    ERR_UNHANDLED_CRITICAL_CRL_EXTENSION = (
+        _lib.X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+    )
+    ERR_INVALID_NON_CA = _lib.X509_V_ERR_INVALID_NON_CA
+    ERR_PROXY_PATH_LENGTH_EXCEEDED = _lib.X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+    ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE = (
+        _lib.X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+    )
+    ERR_PROXY_CERTIFICATES_NOT_ALLOWED = (
+        _lib.X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+    )
+    ERR_INVALID_EXTENSION = _lib.X509_V_ERR_INVALID_EXTENSION
+    ERR_INVALID_POLICY_EXTENSION = _lib.X509_V_ERR_INVALID_POLICY_EXTENSION
+    ERR_NO_EXPLICIT_POLICY = _lib.X509_V_ERR_NO_EXPLICIT_POLICY
+    ERR_DIFFERENT_CRL_SCOPE = _lib.X509_V_ERR_DIFFERENT_CRL_SCOPE
+    ERR_UNSUPPORTED_EXTENSION_FEATURE = (
+        _lib.X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+    )
+    ERR_UNNESTED_RESOURCE = _lib.X509_V_ERR_UNNESTED_RESOURCE
+    ERR_PERMITTED_VIOLATION = _lib.X509_V_ERR_PERMITTED_VIOLATION
+    ERR_EXCLUDED_VIOLATION = _lib.X509_V_ERR_EXCLUDED_VIOLATION
+    ERR_SUBTREE_MINMAX = _lib.X509_V_ERR_SUBTREE_MINMAX
+    ERR_UNSUPPORTED_CONSTRAINT_TYPE = (
+        _lib.X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+    )
+    ERR_UNSUPPORTED_CONSTRAINT_SYNTAX = (
+        _lib.X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+    )
+    ERR_UNSUPPORTED_NAME_SYNTAX = _lib.X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+    ERR_CRL_PATH_VALIDATION_ERROR = _lib.X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+    ERR_HOSTNAME_MISMATCH = _lib.X509_V_ERR_HOSTNAME_MISMATCH
+    ERR_EMAIL_MISMATCH = _lib.X509_V_ERR_EMAIL_MISMATCH
+    ERR_IP_ADDRESS_MISMATCH = _lib.X509_V_ERR_IP_ADDRESS_MISMATCH
+    ERR_APPLICATION_VERIFICATION = _lib.X509_V_ERR_APPLICATION_VERIFICATION
+
+
 # Taken from https://golang.org/src/crypto/x509/root_linux.go
 _CERTIFICATE_FILE_LOCATIONS = [
     "/etc/ssl/certs/ca-certificates.crt",  # Debian/Ubuntu/Gentoo etc.
-- 
cgit v1.2.1