More M2Crypto issues. Not big ones, though.

John Nagle nagle at animats.com
Sat Jan 13 00:38:44 EST 2007


Heikki Toivonen wrote:
> John Nagle wrote:
> 
>>  A list of small problems and bugs in the current M2Crypto:
>>I need to look at SSL certificates in some detail, so this
>>is all about the access functions for certificates.
> 
> 
> Thanks, got the reports, will check them out.
> 
> 
>>    3. /M2Crypto/SSL/Connection.py:147:
>>    DeprecationWarning: Old style callback, use cb_func(ok, store) instead
>>      return m2.ssl_connect(self.ssl)
>>    (Also reported, in Polish, here:
>>http://www.mail-archive.com/pld-devel-pl@lists.pld-linux.org/msg12433.html)
>>    Entered into Bugzilla as #7718.
> 
> 
> This is actually intended. Once I figure out how to implement all the
> functionality in the new way I'd like to remove the old way.

    OK.

>>    4. "close()" on an SSL socket that's just finished certificate
>>    negotiation hangs, at least on Windows.  
> 
> No known issues, but the ending of an SSL connection is a little grey
> area to me so I wouldn't be surprised if there are some cases where we
> shut down prematurely or too late. But I don't know why we'd hang.

    I'll check that again.
> 
> 
>>    1. X509.X509_name.__getattr__:
>>    Field retrieval from X.509 name items with x509_name_by_nid
>>    retrieves only first instance of field, not all instances.
> 
> Yes, I've been battling with this myself as well. OpenSSL provides
> objects to get things as a list, but they are so weird I haven't yet
> figured out a way to wrap them in Python so that you would actually be
> able to get some values out.

      I convert X509_name items to a list of tuples.  Here's an example:

	Server: [
		('CN', 'www.apartmentsapart.com'),
		('OU', 'Travel Services'),
		('O', 'Niche Travel Ltd.'),
		('L', 'Nicosia'),
		('ST', 'Nicosia'),
		('C', 'CY')]

That's straightforward.

But to do this I have to convert the X509_name item to a string, like this:

     subjectstr = subject.as_text(flags=(m2.XN_FLAG_RFC2253 |
                                         m2.ASN1_STRFLGS_UTF8_CONVERT)
                                        & ~m2.XN_FLAG_DUMP_UNKNOWN_FIELDS)

which yields a string of items like "L=Nicosia, OU=Travel Services", with
backslash escapes where necessary.  (The default formatting does not
have proper escaping; it's just for debug use.)  So I parse that,
obeying the escapes, and get out the tuples.  This works OK, but
shouldn't be necessary.  It's not something I need now, though.

Most things in X509 certificates map well to lists of tuples.

>>    2. Unclear if M2Crypto's X.509 interface is UTF-8 compatible.
>>    OpenSSL will return info in UTF-8 if you use the
>>    ASN1_STRFLGS_UTF8_CONVERT flag on as_text, but unclear if the
>>    M2 glue code handles this correctly.  Haven't found a UTF8 cert
>>    to test it on yet.
> 
> 
> Yeah, I am not convinced everything works as it should. Any UTF8 (and
> other encoding) samples would be welcome.

      Looking for one.  I think all that's needed is to recognize when
ASN1_STRFLGS_UTF8_CONVERT is set when converting to a Python string,
and convert to the appropriate form of Python string.

      Just rediscovered bug #5277, "Support certificates with multiple DNS 
names", which is fixed in 0.18.  Looking forward to version 0.18.
If you want to test that, try to open "https://www.autumngalleryforthehome.com".

					John Nagle
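Added example, not code from the post or from M2Crypto: a standalone parser for the RFC 2253 string that as_text(flags=m2.XN_FLAG_RFC2253 | ...) returns, producing the list of (field, value) tuples shown above while honouring backslash escapes and \XX hex pairs. SAMPLE_DN is a constructed string standing in for the value subject.as_text(...) would return.

```python
# Parses an RFC 2253 DN string (OpenSSL XN_FLAG_RFC2253 output) into
# [(attribute, value), ...]. SAMPLE_DN is constructed, not a real cert.
import re

SAMPLE_DN = ('CN=www.apartmentsapart.com,OU=Travel Services,'
             'O=Niche Travel Ltd.,L=Nicosia,ST=Nicosia,C=CY')

_HEX_PAIR = re.compile(r'\\([0-9A-Fa-f]{2})')  # \XX = one raw byte

def _split_unescaped(s, sep):
    """Split s on sep, ignoring separators preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            cur.append(s[i:i + 2])  # keep the escape for unescape_rfc2253
            i += 2
        elif s[i] == sep:
            parts.append(''.join(cur))
            cur, i = [], i + 1
        else:
            cur.append(s[i])
            i += 1
    parts.append(''.join(cur))
    return parts

def unescape_rfc2253(value):
    """Undo RFC 2253 escaping: \\XX hex pairs are UTF-8 bytes, \\c is a
    literal special character (, + " \\ < > ; = # or space)."""
    out, i = bytearray(), 0
    while i < len(value):
        m = _HEX_PAIR.match(value, i)
        if m:
            out.append(int(m.group(1), 16))
            i += 3
        elif value[i] == '\\' and i + 1 < len(value):
            out += value[i + 1].encode('utf-8')
            i += 2
        else:
            out += value[i].encode('utf-8')
            i += 1
    return out.decode('utf-8')

def parse_dn(dn):
    """Return [(attr, value), ...]; multi-valued RDNs (a+b) are flattened."""
    result = []
    for rdn in _split_unescaped(dn, ','):
        for ava in _split_unescaped(rdn, '+'):
            attr, eq, raw = ava.partition('=')
            if not eq or not attr:
                raise ValueError('malformed attribute: %r' % ava)
            result.append((attr, unescape_rfc2253(raw)))
    return result
```

Note that XN_FLAG_RFC2253 prints the name most-specific-first (CN before C), which is why the tuple order matches the listing in the post.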