From mixam85 at gmail.com Thu Jul 3 13:32:26 2008
From: mixam85 at gmail.com (BRACHET Maxime)
Date: Thu, 3 Jul 2008 14:32:26 +0300
Subject: [pyOpenSSL] [pyopenssl-list] x509req Object set_subject
Message-ID: <5a405c360807030432h6845b60wa661436b93c7c904@mail.gmail.com>

Hi everybody,

I am new to this mailing list.
I have a quite simple problem,
I get a Certificate Request from a MyProxy server to sign it in order to
create a Proxy certificate.
But I must overwrite the subject of the MyProxy request to fulfill the
requirements.
I get the Request in a x509req Object, but this object does not provide a
method like set_subject().

How can I do this?

Thanks in advance,
Regards,
Maxime.

From mixam85 at gmail.com Thu Jul 3 14:22:29 2008
From: mixam85 at gmail.com (BRACHET Maxime)
Date: Thu, 3 Jul 2008 15:22:29 +0300
Subject: [pyOpenSSL] [pyopenssl-list] x509req Object set_subject
In-Reply-To: <5a405c360807030432h6845b60wa661436b93c7c904@mail.gmail.com>
References: <5a405c360807030432h6845b60wa661436b93c7c904@mail.gmail.com>
Message-ID: <5a405c360807030522u46b74bfl62a30e2586260f0f@mail.gmail.com>

Hi,

It seems that I misunderstood what to do.
I create a new x509 certificate using request information, but I need to
add a CN to my subject and the x509Name does not provide any methods to do
this.
Any ideas?

Regards,
Maxime.

2008/7/3 BRACHET Maxime :

> Hi everybody,
>
> I am new to this mailing list.
> I have a quite simple problem,
> I get a Certificate Request from a MyProxy server to sign it in order to
> create a Proxy certificate.
> But I must overwrite the subject of the MyProxy request to fulfill the
> requirements.
> I get the Request in a x509req Object, but this object does not provide a
> method like set_subject().
>
> How can I do this?
>
> Thanks in advance,
> Regards,
> Maxime.
>

From exarkun at divmod.com Thu Jul 3 14:37:22 2008
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Thu, 3 Jul 2008 08:37:22 -0400
Subject: [pyOpenSSL] [pyopenssl-list] x509req Object set_subject
In-Reply-To: <5a405c360807030522u46b74bfl62a30e2586260f0f@mail.gmail.com>
Message-ID: <20080703123722.4714.355415666.divmod.quotient.16500@ohm>

On Thu, 3 Jul 2008 15:22:29 +0300, BRACHET Maxime wrote:
>Hi,
>
>> Hi everybody,
>>
>> I am new to this mailing list.
>> I have a quite simple problem,
>> I get a Certificate Request from a MyProxy server to sign it in order to
>> create a Proxy certificate.
>> But I must overwrite the subject of the MyProxy request to fulfill the
>> requirements.
>> I get the Request in a x509req Object, but this object does not provide a
>> method like set_subject().
>>
>> How can I do this?
>
>It seems that I misunderstood what to do.
>I create a new x509 certificate using request information, but I need to
>add a CN to my subject and the x509Name does not provide any methods to do
>this.
>Any ideas?

X509Name instances can have attributes like CN set on them directly:

    >>> from OpenSSL.crypto import X509
    >>> cert = X509()
    >>> cert.get_subject().CN = 'foo'
    >>> cert.get_subject()

It doesn't seem correct that you need to change anything about the X509Req,
though. If it has the wrong parameters, then it needs to be regenerated by
the MyProxy server/user (I don't know what MyProxy is). If you change it
and sign the result, then it will disagree with the private part which was
generated along with it.

Jean-Paul

From mixam85 at gmail.com Thu Jul 3 14:53:46 2008
From: mixam85 at gmail.com (BRACHET Maxime)
Date: Thu, 3 Jul 2008 15:53:46 +0300
Subject: [pyOpenSSL] Re : [pyopenssl-list] x509req Object set_subject
In-Reply-To: <20080703123722.4714.355415666.divmod.quotient.16500@ohm>
References: <5a405c360807030522u46b74bfl62a30e2586260f0f@mail.gmail.com>
 <20080703123722.4714.355415666.divmod.quotient.16500@ohm>
Message-ID: <5a405c360807030553s6a0fcc92h94803755f43a48c2@mail.gmail.com>

Hi,

If the Subject contains multiple CNs, X509Name.CN returns only the first.
In RFC 3820, part 3.4: http://www.ietf.org/rfc/rfc3820.txt
To generate a Proxy certificate I need to add a CN to the subject.
MyProxy is a Proxy Credential Server: http://grid.ncsa.uiuc.edu/myproxy/

I can add a new one by doing

    cert.get_subject().CN += '/CN=foo'

but it is not really a proper way.

Thanks for your response.
Maxime.

2008/7/3, Jean-Paul Calderone :
> On Thu, 3 Jul 2008 15:22:29 +0300, BRACHET Maxime wrote:
>>Hi,
>>
>>> Hi everybody,
>>>
>>> I am new to this mailing list.
>>> I have a quite simple problem,
>>> I get a Certificate Request from a MyProxy server to sign it in order to
>>> create a Proxy certificate.
>>> But I must overwrite the subject of the MyProxy request to fulfill the
>>> requirements.
>>> I get the Request in a x509req Object, but this object does not provide a
>>> method like set_subject().
>>>
>>> How can I do this?
>>
>>It seems that I misunderstood what to do.
>>I create a new x509 certificate using request information, but I need to
>>add a CN to my subject and the x509Name does not provide any methods to do
>>this.
>>Any ideas?
>
> X509Name instances can have attributes like CN set on them directly:
>
>     >>> from OpenSSL.crypto import X509
>     >>> cert = X509()
>     >>> cert.get_subject().CN = 'foo'
>     >>> cert.get_subject()
>
> It doesn't seem correct that you need to change anything about the X509Req,
> though. If it has the wrong parameters, then it needs to be regenerated by
> the MyProxy server/user (I don't know what MyProxy is). If you change it
> and sign the result, then it will disagree with the private part which was
> generated along with it.
>
> Jean-Paul
>

From exarkun at divmod.com Thu Jul 3 16:23:53 2008
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Thu, 3 Jul 2008 10:23:53 -0400
Subject: [pyOpenSSL] Re : [pyopenssl-list] x509req Object set_subject
In-Reply-To: <5a405c360807030553s6a0fcc92h94803755f43a48c2@mail.gmail.com>
Message-ID: <20080703142353.4714.999653516.divmod.quotient.16544@ohm>

On Thu, 3 Jul 2008 15:53:46 +0300, BRACHET Maxime wrote:
>Hi,
>
>If the Subject contains multiple CNs, X509Name.CN returns only the first.
>In RFC 3820, part 3.4: http://www.ietf.org/rfc/rfc3820.txt
>To generate a Proxy certificate I need to add a CN to the subject.
>MyProxy is a Proxy Credential Server: http://grid.ncsa.uiuc.edu/myproxy/
>
>I can add a new one by doing
>cert.get_subject().CN += '/CN=foo'
>
>but it is not really a proper way.
>
>Thanks for your response.
>Maxime.

Ah, thanks for explaining. I haven't seen that RFC before. I have a bit
of trouble following section 3.4. My naive reading suggests that something
like this would be correct:

    subject = cert.get_subject()
    issuer = cacert.get_issuer()
    for k, v in issuer.get_components():
        setattr(subject, k, v)
    subject.CN = 'foo'

However, I'm not very confident that this is a correct interpretation (or
that it even makes any kind of sense).

You are right that the API for modifying X509Name objects in pyOpenSSL is
limited and missing certain functionality. If it's necessary to add a new
API for appending a new component to an X509Name to support this, I'd be
happy to accept a patch for this (I may even be interested in working on
it myself once I have a better understanding of the requirements).

Sorry I couldn't give a more definite answer.

Jean-Paul
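
Added example, not part of the thread and not pyOpenSSL code: RFC 3820 section 3.4 requires a proxy certificate's subject to be its issuer's subject with a single CN component appended, so the check below compares name components instead of the one-line string, which cannot tell a second CN from a slash inside one CN value. The function names and sample names are hypothetical, and the stated effect of the `CN +=` concatenation is an assumption.

```python
# Added example. Names are lists of (type, value) pairs, the shape returned by
# pyOpenSSL's X509Name.get_components() (str here; newer releases return bytes).

def oneline(components):
    """Render a name in the '/O=.../CN=...' one-line form."""
    return "".join("/%s=%s" % (k, v) for k, v in components)

def make_proxy_subject(issuer_subject, proxy_cn):
    """Issuer's subject with one new CN component appended (RFC 3820, 3.4)."""
    if not proxy_cn:
        raise ValueError("proxy CN must not be empty")
    return list(issuer_subject) + [("CN", proxy_cn)]

def check_proxy_subject(issuer_subject, proxy_subject):
    """Return None when the subject fits section 3.4, else the reason it fails."""
    issuer_subject, proxy_subject = list(issuer_subject), list(proxy_subject)
    if len(proxy_subject) != len(issuer_subject) + 1:
        return "subject must have exactly one component more than the issuer"
    if proxy_subject[:-1] != issuer_subject:
        return "subject does not begin with the issuer's subject"
    kind, value = proxy_subject[-1]
    if kind != "CN" or not value:
        return "appended component must be a non-empty CN"
    return None

# Constructed sample names (not taken from the thread).
USER = [("O", "Grid"), ("OU", "Example"), ("CN", "Jane User")]
PROXY = make_proxy_subject(USER, "1234567890")
# Assumed result of CN += '/CN=...': the text lands inside the existing CN value.
CONCATENATED = USER[:-1] + [("CN", "Jane User/CN=1234567890")]
# A proxy issued by the first proxy: its issuer is PROXY, not USER.
SECOND_LEVEL = make_proxy_subject(PROXY, "42")

if __name__ == "__main__":
    for label, issuer, subject in [
        ("proxy", USER, PROXY),
        ("concatenated", USER, CONCATENATED),
        ("second level vs user", USER, SECOND_LEVEL),
        ("second level vs proxy", PROXY, SECOND_LEVEL),
    ]:
        print("%-22s %-48s %s" % (label, oneline(subject),
                                  check_proxy_subject(issuer, subject) or "ok"))
```

PROXY and CONCATENATED render to the same one-line string, yet only PROXY passes the component check.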