Skip to content

feat: Add new classification for single (leaf) key #7030

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: Add new classification for single (leaf) key #7030

wants to merge 1 commit into from

Conversation

DarthCeltic
Copy link

What this PR does

This pull request addresses the issue of key management being too restrictive due to hardcoded, finite parameters for both leaf and chain keys. It introduces a more flexible approach to handling different key types, specifically a single (leaf) key.

Why this change is needed

The existing implementation was too limited and failed when a single key was passed, as the parameters were not designed to handle that specific use case. This change makes the key management logic more robust and versatile, allowing it to work with a wider range of inputs without breaking.

How this was accomplished

  • Refactored key-related code to replace hardcoded values with more dynamic parameters.
  • Implemented new conditional logic (if/then statements) to properly classify and handle single (leaf) keys.
  • Added a new classification type to the key management system.
  • Confirmed functionality with my local pytest suite, which now passes with the new test cases I added for single key scenarios.

Related Issue

Closes #6978

Note to reviewer: I've added new tests to cover the single-key use case, which you can see in the tests/ directory. Please let me know if you have any questions or need further clarification.

image image image

Ten0
Ten0 reviewed Sep 14, 2025
View reviewed changes
src/requests/adapters.py
}
return host_params, pool_kwargs

def is_single_certificate(cert_path):
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems unlikely that special-casing single certs is the best approach 🤔: we probably want to not care about the part of the chain that's above the trusted certificate.
I wouldn't expect curl to special-case single certs either...
Probably we want to match curl's behavior with regards to the openssl config here.

Ten0
Ten0 reviewed Sep 14, 2025
View reviewed changes
src/requests/adapters.py

conn.cert_reqs = "CERT_REQUIRED"

if is_single_certificate(cert_loc):
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't this just disable certificate verification if there is a single cert in the chain, without actually verifying that the cert provided by the server matches?

sigmavirus24
sigmavirus24 requested changes Sep 14, 2025
View reviewed changes
Copy link
Contributor

@sigmavirus24 sigmavirus24 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@DarthCeltic the LLMs have led you far astray. You're wrecking the security here rather than doing what was reported as a bug

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sigmavirus24 sigmavirus24 sigmavirus24 requested changes

+1 more reviewer

@Ten0 Ten0 Ten0 left review comments

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

requests fails to connect even if trusted leaf certificate is provided when server's cert chain is incomplete
3 participants
@DarthCeltic @sigmavirus24 @Ten0