[Cryptography-dev] X509_STORE_set_purpose() missing

Paul Kehrer paul.l.kehrer at gmail.com
Sat Jul 31 08:27:14 EDT 2021


Searching our history I don't believe we've ever bound
X509_STORE_set_purpose. Did this work in a previous version of
cryptography and has only recently stopped?

In general, cryptography does not bind all of OpenSSL, only the
functions, macros, and constants we need to expose our APIs. We have
one consumer that we officially support which uses the bindings
directly (pyOpenSSL), but otherwise we consider the bindings to be
private API surface and will add/remove as needed to support various
versions of OpenSSL.

If cryptography is lacking public APIs for your use case please
consider filing an issue and helping design/implement those APIs with
us. Years of experience with maintaining our bindings across dozens of
OpenSSL versions and various forks has taught us that we can't
reliably support random bindings we don't use ourselves.

-Paul

On Sat, Jul 31, 2021 at 6:38 AM Dirk-Willem van Gulik
<dirkx at webweaving.org> wrote:
>
> Could it be that somehow (in the latest build) X509_STORE_set_purpose and the associated #defines are missing?
>
> In the code below, things work fine up until lib.X509_STORE_set_purpose(), but that call gives me a:
>
>     AttributeError: cffi library '_openssl' has no function, constant or global variable named 'X509_STORE_set_purpose'
>
> With kind regards,
>
> Dw
>
>     # Create the pkcs7 object
>     pkcs7_object = lib.d2i_PKCS7_bio(bio.bio, ffi.NULL)
>     binding._openssl_assert(lib, pkcs7_object != ffi.NULL)
>
>     # We're not passing any untrusted certificates, the chain should
>     # complete, up to, but not including the CA cert, in the CMS package.
>     #
>     other = lib.sk_X509_new_null()
>     binding._openssl_assert(lib, other != ffi.NULL)
>
>     # We are providing exactly one certificate - that of the certificate
>     # authority - as trusted. It has to be signed by this national root.
>     #
>     store = lib.X509_STORE_new()
>     binding._openssl_assert(lib, store != ffi.NULL)
>     res = lib.X509_STORE_add_cert(store, certificate._x509) # type: ignore
>     binding._openssl_assert(lib, res == 1)
>
>     # As we're using certificates somewhat off-label, we need to relax
>     # the purpose verification. This is the equivalent of the -purpose any
>     # flag in:
>     # openssl smime -verify -inform DER -content payload.raw \
>     #      -CAfile ca.pem -in signature.p7 -purpose any
>     lib.X509_STORE_set_purpose(store, 7) # X509_PURPOSE_ANY
>
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
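What the quoted `-purpose any` / `X509_STORE_set_purpose(store, 7)` actually relaxes is OpenSSL's certificate purpose check. The following is an added example, not code from the thread or from the cryptography project: it re-implements in plain Python the end-entity part of the S/MIME signing purpose that `openssl smime -verify` applies by default (an extendedKeyUsage extension, if present, must contain emailProtection; a keyUsage extension, if present, must allow digitalSignature or nonRepudiation), and shows that `X509_PURPOSE_ANY` skips it entirely. The DER-encoded extendedKeyUsage samples are constructed for the example, the function names `parse_eku`, `check_purpose` and `demo` are this example's own, and the model deliberately omits the Netscape cert-type and CA-side checks that OpenSSL also performs (assumption: enough to illustrate why an off-label signer certificate fails without `-purpose any`).

```python
"""Model of the X.509 purpose check that `-purpose any` relaxes (added example)."""

# OpenSSL purpose identifiers; the value 7 is the X509_PURPOSE_ANY literal
# used in the quoted code.
X509_PURPOSE_SMIME_SIGN = 4
X509_PURPOSE_ANY = 7

OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"

# Constructed samples: DER extendedKeyUsage values (SEQUENCE OF OBJECT IDENTIFIER).
EKU_SERVER_ONLY = bytes.fromhex("300a06082b06010505070301")               # { serverAuth }
EKU_SERVER_AND_EMAIL = bytes.fromhex(                                      # { serverAuth, emailProtection }
    "301406082b0601050507030106082b06010505070304")


def _read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    first = value[0]
    arcs = [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(der):
    """Parse an extendedKeyUsage extension value into a list of dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(_decode_oid(value))
    return oids


def check_purpose(purpose, eku=None, ku=None):
    """Return True if an end-entity certificate carrying these extensions is
    acceptable for `purpose`; eku/ku are None when the extension is absent."""
    if purpose == X509_PURPOSE_ANY:
        return True  # -purpose any: no usage restriction at all
    if purpose == X509_PURPOSE_SMIME_SIGN:
        if eku is not None and OID_EMAIL_PROTECTION not in eku:
            return False  # EKU present but does not include emailProtection
        if ku is not None and not (ku & {"digitalSignature", "nonRepudiation"}):
            return False  # keyUsage present but does not permit signing
        return True
    raise ValueError("purpose not modelled in this example")


def demo():
    """Run the check over the constructed samples; returns a dict of outcomes."""
    server_only = parse_eku(EKU_SERVER_ONLY)
    both = parse_eku(EKU_SERVER_AND_EMAIL)
    signing_ku = {"digitalSignature"}
    return {
        # a TLS-server certificate used to sign CMS: rejected by default
        "server_only_default": check_purpose(X509_PURPOSE_SMIME_SIGN, server_only, signing_ku),
        # the same certificate once the purpose is relaxed to ANY
        "server_only_any": check_purpose(X509_PURPOSE_ANY, server_only, signing_ku),
        # a certificate that also lists emailProtection: accepted by default
        "with_email_default": check_purpose(X509_PURPOSE_SMIME_SIGN, both, signing_ku),
        # no EKU at all, but keyUsage forbids signing: rejected by default
        "no_eku_default": check_purpose(X509_PURPOSE_SMIME_SIGN, None, {"keyEncipherment"}),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The point for anyone relaxing the purpose is visible in `demo()`: `X509_PURPOSE_ANY` does not just admit the one off-label certificate, it disables the usage check for every certificate in the chain, so the application then has to enforce on its own which signers it is willing to accept.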

