PySSLCertificate by youknowone · Pull Request #6219 · RustPython/RustPython

youknowone

Walkthrough

Adds a new ssl_cert submodule exposing a Certificate PyO3 type and helpers, integrates it into the main _ssl module, replaces DER-byte returns with Certificate objects for peer/chain APIs, introduces encoding constants, and extends OpenSSL error mapping to include EOF/SSLEOFError.

Changes

Cohort / File(s)	Summary
New Certificate Module `stdlib/src/ssl/cert.rs`	Adds `ssl_cert` submodule with `PySSLCertificate` PyO3 class, `public_bytes()` and `get_info()` methods, helpers `cert_to_certificate()`, `cert_to_py()`, `_test_decode_cert()`, `obj2txt()`, and internal `cert_to_dict()` including subjectAltName parsing and UTF‑8‑tolerant encoding.
SSL Module Integration `stdlib/src/ssl.rs`	Adds `mod cert`, re-exports `PySSLCertificate`, `cert_to_certificate`, `cert_to_py`, `obj2txt`; introduces `ENCODING_PEM`, `ENCODING_DER`, `ENCODING_PEM_AUX` constants; changes `convert_openssl_error` visibility to `pub(crate)` and maps EOF → `SSLEOFError` (OpenSSL 3.0 aware); updates peer/chain APIs to return `Certificate` objects instead of DER bytes.

Sequence Diagram(s)

sequenceDiagram
    participant Py as Python
    participant SSL as _ssl (ssl.rs)
    participant Cert as ssl_cert (cert.rs)
    participant OpenSSL as OpenSSL

    Py->>SSL: getpeercert / get_verified_chain / get_unverified_chain
    SSL->>Cert: cert_to_certificate(vm, x509)
    Cert->>OpenSSL: inspect/encode X509
    OpenSSL-->>Cert: X509 data / bytes
    Cert->>Cert: cert_to_dict() or build PySSLCertificate
    Cert-->>SSL: PySSLCertificate object(s)
    SSL-->>Py: return Certificate object(s)

    alt request raw bytes via public_bytes
        Py->>Cert: PySSLCertificate.public_bytes(format)
        Cert->>OpenSSL: encode (DER/PEM)
        OpenSSL-->>Cert: encoded bytes
        Cert-->>Py: bytes
    end

    alt OpenSSL error occurs
        OpenSSL-->>SSL: ErrorStack / error
        SSL->>SSL: convert_openssl_error(vm, err) (maps EOF→SSLEOFError when applicable)
        SSL-->>Py: raise mapped exception
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Focus review on:
- cert_to_dict() subject/issuer and subjectAltName parsing and edge-case formatting (IPv6, DirName, other types).
- FFI/OpenSSL error conversion and EOF → SSLEOFError mapping across OpenSSL versions.
- PyO3 exposure and visibility (pub(crate) vs exported names) and places in _ssl that now return PySSLCertificate.

Possibly related PRs

Implement more SSL methods #6210 — Overlaps SSL certificate handling and get_verified_chain/getpeercert behavior (DER vs Certificate objects).

Suggested reviewers

coolreader18
ShaharNaveh

Poem

🐰 A rabbit hops through code with glee,
Certificates grown from X509 tree,
PEM or DER, a gentle byte,
Subjects and SANs now shining bright,
Hop — secure connections take flight! 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 44.44% which is insufficient. The required threshold is 80.00%.	You can run `@coderabbitai generate docstrings` to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The pull request title "PySSLCertificate" directly references the central new type being introduced in this changeset. The PR's primary objective is to add a new certificate module with the PySSLCertificate struct, along with supporting helper functions and methods for certificate handling in SSL operations. The title is specific, clear, and not vague—it names the key component being introduced rather than using generic terms. While the title is minimal and doesn't explicitly describe an action (like "Add" or "Implement"), it effectively highlights the most important change from the developer's perspective by naming the newly exposed public type.

✨ Finishing touches

📝 Generate docstrings

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}