More M2Crypto issues. Not big ones, though.

John Nagle nagle at animats.com
Fri Jan 12 18:02:10 EST 2007


   A list of small problems and bugs in the current M2Crypto:
I need to look at SSL certificates in some detail, so this
is all about the access functions for certificates.

Bugs:

	1.  Off-by-one error at "X509.get_ext_count()". Reports
	eight extensions on a certificate that only has seven.
	get_ext_at works for extensions 0..6, then returns
	an undefined for the nonexistent #7.
	Test against "https://www.verisign.com".
	Entered into Bugzilla as #7717.

	3. /M2Crypto/SSL/Connection.py:147:
	DeprecationWarning: Old style callback, use cb_func(ok, store) instead
	  return m2.ssl_connect(self.ssl)
	(Also reported, in Polish, here:
	http://www.mail-archive.com/pld-devel-pl@lists.pld-linux.org/msg12433.html)
	Entered into Bugzilla as #7718.

	4. "close()" on an SSL socket that's just finished certificate
	negotiation hangs, at least on Windows.  "del" does not hang,
	but I don't know if there's a leak problem.
	Not enough info yet to file a bug report.  I might be doing
	something wrong there.  Any known "close" issues?

Other issues:

	1. X509.X509_name.__getattr__:
	Field retrieval from X.509 name items with x509_name_by_nid
	retrieves only first instance of field, not all instances.
	Really should return a list.  The same key is used more
	than once very frequently; these keys aren't unique.
	It's tempting to treat these things like a hash, but they
	don't really work that way.  As for simply iterating through
	the name elements, there's no direct way to just get the
	elements one at a time.   X509_Name has an "entry_count"
	method, but no way to get the Nth entry.

	As a workaround, I'm converting the X509_name to a string with
	   from M2Crypto import m2
	   # peer: the M2Crypto.X509.X509 certificate being inspected
	   # (e.g. the object returned by Connection.get_peer_cert())
	   subjectstr = peer.get_subject().as_text(
		flags=(m2.XN_FLAG_RFC2253 | m2.ASN1_STRFLGS_UTF8_CONVERT)
		& ~m2.XN_FLAG_DUMP_UNKNOWN_FIELDS)	# in RFC2253 format
	This is safely parseable.  While the default format doesn't have
	escapes around the delimiter characters, with these flags,
	entries are comma-separated with backslash escapes where
	necessary.  This works, unlike the "server()" function in
	Python's built-in SSL, which returns a debug format that
	has the same characters as delimiters and text.

	2. Unclear if M2Crypto's X.509 interface is UTF-8 compatible.
	OpenSSL will return info in UTF-8 if you use the
	ASN1_STRFLGS_UTF8_CONVERT flag on as_text, but unclear if the
	M2 glue code handles this correctly.  Haven't found a UTF8 cert
	to test it on yet.

Other than that, I'm having relatively good results with M2Crypto.

					John Nagle
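Added example (not code from the post, nor from M2Crypto or OpenSSL): a parser for the RFC 2253 subject string that the as_text() call in the post produces, written to show the two points the post raises. It returns every instance of a repeated attribute as an ordered list (the post's complaint that the X509_Name lookup yields only the first OU), and it decodes the "\XX" hex escapes OpenSSL emits for each non-ASCII UTF-8 byte (the post's open question about UTF-8 handling). The sample subject is constructed, not taken from a real certificate, and the slash-separated "oneline" string used for comparison is assumed to be the kind of debug format the post contrasts against. Only the standard library is used, so it runs without M2Crypto.

```python
"""Parse an X.509 subject in RFC 2253 string form into (attribute, value)
pairs, keeping duplicates and decoding "\\XX" byte escapes as UTF-8.

Added example; not code from the post or from M2Crypto."""
from typing import List, Tuple

# Characters RFC 2253 requires to be backslash-escaped inside a value.
# "\X" with X in this set is the literal character; "\XX" with two hex
# digits is one raw byte (OpenSSL escapes non-ASCII UTF-8 bytes that way).
SPECIALS = set(',=+<>#;\\" ')
HEXDIGITS = set("0123456789abcdefABCDEF")


def parse_rfc2253(dn: str) -> List[Tuple[str, str]]:
    """Return an ordered list of (attribute, value) pairs.

    Both ',' (between RDNs) and '+' (between attributes of a multi-valued
    RDN) end a pair, so repeated attributes such as several OUs are all
    kept, in the order the string gives them (OpenSSL's RFC 2253 output
    is most-specific first, i.e. CN before C)."""
    pairs: List[Tuple[str, str]] = []
    attr: List[str] = []      # attribute type currently being read
    value = bytearray()       # raw bytes of the value currently being read
    in_value = False

    def flush() -> None:
        nonlocal attr, value, in_value
        if not in_value:
            if attr:
                raise ValueError("attribute %r has no '=' value" % "".join(attr))
            return
        # Decode only after the whole value is collected, so a multi-byte
        # character split over several "\XX" escapes comes out correctly.
        pairs.append(("".join(attr).strip(), value.decode("utf-8")))
        attr, value, in_value = [], bytearray(), False

    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\":
            if i + 1 >= n:
                raise ValueError("dangling backslash at end of name")
            nxt = dn[i + 1]
            if nxt in SPECIALS:                     # escaped literal character
                if in_value:
                    value.extend(nxt.encode("utf-8"))
                else:
                    attr.append(nxt)
                i += 2
            else:                                   # "\XX": one raw byte
                hexpair = dn[i + 1:i + 3]
                if not in_value or len(hexpair) != 2 or not set(hexpair) <= HEXDIGITS:
                    raise ValueError("bad escape at offset %d" % i)
                value.append(int(hexpair, 16))
                i += 3
            continue
        if not in_value:
            if c == "=":
                in_value = True
            elif c in ",+":
                raise ValueError("separator before '=' at offset %d" % i)
            else:
                attr.append(c)
        elif c in ",+":
            flush()
        else:
            value.extend(c.encode("utf-8"))
        i += 1
    flush()
    return pairs


def get_all(pairs: List[Tuple[str, str]], attr: str) -> List[str]:
    """Every value of one attribute type, in order: the list the post argues
    the X509_Name lookup should return instead of only the first instance."""
    return [v for a, v in pairs if a == attr]


def naive_oneline_split(oneline: str) -> List[str]:
    """Fields a naive split yields for the slash-separated 'oneline' form:
    a '/' inside a value cannot be told apart from the delimiter."""
    return [f for f in oneline.split("/") if f]


# Constructed sample subject (not from a real certificate) in the form OpenSSL
# emits with the post's flags: "\," is a literal comma, "\C3\BC" are the
# UTF-8 bytes of "u-umlaut".  The same subject in oneline form for comparison.
SAMPLE_DN = ("CN=www.example.com,OU=Terms of use at www.example.com/rpa (c)05,"
             "OU=Production Security Services,O=Example\\, Inc.,"
             "L=M\\C3\\BCnchen,ST=Bayern,C=DE")
SAMPLE_ONELINE = ("/C=DE/ST=Bayern/O=Example, Inc./OU=Production Security Services/"
                  "OU=Terms of use at www.example.com/rpa (c)05/CN=www.example.com")

if __name__ == "__main__":
    parsed = parse_rfc2253(SAMPLE_DN)
    for a, v in parsed:
        print("%-3s %s" % (a, v))
    print("all OU values:", get_all(parsed, "OU"))
    print("oneline fields by naive split (6 real):", len(naive_oneline_split(SAMPLE_ONELINE)))
```

The parser deliberately returns a list rather than a dict: the sample has two OUs, and a dict would silently keep only one of them, which is exactly the information loss the post describes. The naive split of the oneline string returns seven fields for six attributes because the "/" inside the first OU is taken as a delimiter, which is why the escaped RFC 2253 form is the one to parse.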


