From listspam at flowtheory.net Mon Nov 3 22:25:55 2008
From: listspam at flowtheory.net (Joshua 'jag' Ginsberg)
Date: Mon, 3 Nov 2008 16:25:55 -0500
Subject: [pyOpenSSL] Basic CSR signing issues...
Message-ID:

(apologies if this ends up double-posting -- I sent this 5 hours ago
and it hasn't shown up in the archives yet, so I'm not sure it went
out at all...)

What am I doing wrong? Why can't I load my cert back into PyOpenSSL?

Python 2.5.2 (r252:60911, Sep 29 2008, 21:10:35)
[GCC 4.3.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from OpenSSL import crypto
>>> pkey = crypto.PKey()
>>> pkey.generate_key(crypto.TYPE_RSA, 1024)
>>> open('/tmp/my.key', 'w').write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey))
>>> req = crypto.X509Req()
>>> subject = req.get_subject()
>>> subject.CN = 'secure.example.com'
>>> subject.C = 'US'
>>> subject.ST = 'MA'
>>> subject.L = 'Boston'
>>> subject.O = 'Bitchin Carrot, LLC'
>>> subject.OU = 'Department of Belgian Waffles'
>>> subject.emailAddress = 'certmaster at example.com'
>>> req.set_pubkey(pkey)
>>> req.sign(pkey, 'sha1')
>>> open('/tmp/my.csr', 'w').write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, req))
>>> ca_crt_pem = open('/tmp/ca.crt').read()
>>> ca_crt = crypto.load_certificate(crypto.FILETYPE_PEM, ca_crt_pem)
>>> ca_key_pem = open('/tmp/ca.key').read()
>>> ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, ca_key_pem)
>>> cert = crypto.X509()
>>> cert.set_serial_number(1)
>>> cert.set_issuer(ca_crt.get_subject())
>>> cert.set_subject(req.get_subject())
>>> cert.set_pubkey(req.get_pubkey())
>>> cert.sign(ca_key, 'sha1')
>>> open('/tmp/my.crt','w').write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
>>> fail_cert_obj = crypto.load_certificate(crypto.FILETYPE_PEM, open('/tmp/my.crt').read())
Traceback (most recent call last):
  File "", line 1, in
OpenSSL.crypto.Error: [('asn1 encoding routines', 'ASN1_get_object', 'too long'), ('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'bad object header'), ('asn1 encoding routines', 'ASN1_ITEM_EX_D2I', 'nested asn1 error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('PEM routines', 'PEM_ASN1_read_bio', 'ASN1 lib')]


From woutervanbommel at gmail.com Tue Nov 4 07:27:06 2008
From: woutervanbommel at gmail.com (Wouter van Bommel)
Date: Tue, 4 Nov 2008 07:27:06 +0100
Subject: [pyOpenSSL] Basic CSR signing issues...
In-Reply-To:
References:
Message-ID: <3f96c1440811032227i2334c51dgd86307f1e1b5693a@mail.gmail.com>

Hi Joshua,

You might have a look at bug 274418, https://bugs.launchpad.net/bugs/274418.
However, this bug is only relevant if you are able to import certificates
that you created and signed on the command line with e.g. openssl.

Using the openssl ASN1 dump option on the 'failing' certificate might also
give some insight on what is going on. If you are not sure, post the dump
on the list.

regards,

Wouter

2008/11/3 Joshua 'jag' Ginsberg
> (apologies if this ends up double-posting -- I sent this 5 hours ago
> and it hasn't shown up in the archives yet, so I'm not sure it went
> out at all...)
>
> What am I doing wrong? Why can't I load my cert back into PyOpenSSL?
>
> Python 2.5.2 (r252:60911, Sep 29 2008, 21:10:35)
> [GCC 4.3.2] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
> >>> from OpenSSL import crypto
> >>> pkey = crypto.PKey()
> >>> pkey.generate_key(crypto.TYPE_RSA, 1024)
> >>> open('/tmp/my.key', 'w').write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey))
> >>> req = crypto.X509Req()
> >>> subject = req.get_subject()
> >>> subject.CN = 'secure.example.com'
> >>> subject.C = 'US'
> >>> subject.ST = 'MA'
> >>> subject.L = 'Boston'
> >>> subject.O = 'Bitchin Carrot, LLC'
> >>> subject.OU = 'Department of Belgian Waffles'
> >>> subject.emailAddress = 'certmaster at example.com'
> >>> req.set_pubkey(pkey)
> >>> req.sign(pkey, 'sha1')
> >>> open('/tmp/my.csr', 'w').write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, req))
> >>> ca_crt_pem = open('/tmp/ca.crt').read()
> >>> ca_crt = crypto.load_certificate(crypto.FILETYPE_PEM, ca_crt_pem)
> >>> ca_key_pem = open('/tmp/ca.key').read()
> >>> ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, ca_key_pem)
> >>> cert = crypto.X509()
> >>> cert.set_serial_number(1)
> >>> cert.set_issuer(ca_crt.get_subject())
> >>> cert.set_subject(req.get_subject())
> >>> cert.set_pubkey(req.get_pubkey())
> >>> cert.sign(ca_key, 'sha1')
> >>> open('/tmp/my.crt','w').write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
> >>> fail_cert_obj = crypto.load_certificate(crypto.FILETYPE_PEM, open('/tmp/my.crt').read())
> Traceback (most recent call last):
>   File "", line 1, in
> OpenSSL.crypto.Error: [('asn1 encoding routines', 'ASN1_get_object', 'too long'), ('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'bad object header'), ('asn1 encoding routines', 'ASN1_ITEM_EX_D2I', 'nested asn1 error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('PEM routines', 'PEM_ASN1_read_bio', 'ASN1 lib')]


From exarkun at divmod.com Tue Nov 4 14:54:08 2008
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Tue, 4 Nov 2008 08:54:08 -0500
Subject: [pyOpenSSL] Basic CSR signing issues...
In-Reply-To:
Message-ID: <20081104135408.29191.9335965.divmod.quotient.49572@ohm>

On Mon, 3 Nov 2008 16:25:55 -0500, Joshua 'jag' Ginsberg wrote:
>(apologies if this ends up double-posting -- I sent this 5 hours ago
>and it hasn't shown up in the archives yet, so I'm not sure it went
>out at all...)
>
>What am I doing wrong? Why can't I load my cert back into PyOpenSSL?
>

I'm not certain, but I suspect the issue is that you didn't explicitly set
the notBefore and notAfter attributes on the certificate. I'm not sure
why the OpenSSL.crypto.Error doesn't provide this information, but if you
run this openssl command line:

  openssl x509 -in my.crt -text

then this error is produced:

  unable to load certificate
  13042:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:142:
  13042:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:1281:
  13042:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:208:Type=ASN1_TIME
  13042:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=notBefore, Type=X509_VAL
  13042:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=validity, Type=X509_CINF
  13042:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=cert_info, Type=X509
  13042:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

It's similar to the one you get from pyOpenSSL (complaining about a "too
long" ASN1 thing somewhere, with lots of nesting and such) but notice that
it also includes the names of the fields which were on the parse stack at
the time of the error, something omitted from the pyOpenSSL exception. Once
I noticed that, I checked your code and saw that you weren't setting the
validity dates, hence my suspicion.

Jean-Paul


From listspam at flowtheory.net Tue Nov 4 20:52:14 2008
From: listspam at flowtheory.net (Joshua 'jag' Ginsberg)
Date: Tue, 4 Nov 2008 14:52:14 -0500
Subject: [pyOpenSSL] Basic CSR signing issues...
In-Reply-To: <20081104135408.29191.9335965.divmod.quotient.49572@ohm>
References: <20081104135408.29191.9335965.divmod.quotient.49572@ohm>
Message-ID:

Bingo! After setting these dates, everything worked perfectly. Thanks for
your help!

-jag

On Tue, Nov 4, 2008 at 8:54 AM, Jean-Paul Calderone wrote:
> On Mon, 3 Nov 2008 16:25:55 -0500, Joshua 'jag' Ginsberg wrote:
>>(apologies if this ends up double-posting -- I sent this 5 hours ago
>>and it hasn't shown up in the archives yet, so I'm not sure it went
>>out at all...)
>>
>>What am I doing wrong? Why can't I load my cert back into PyOpenSSL?
>>
>
> I'm not certain, but I suspect the issue is that you didn't explicitly set
> the notBefore and notAfter attributes on the certificate. I'm not sure
> why the OpenSSL.crypto.Error doesn't provide this information, but if you
> run this openssl command line:
>
>   openssl x509 -in my.crt -text
>
> then this error is produced:
>
>   unable to load certificate
>   13042:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:142:
>   13042:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:1281:
>   13042:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:208:Type=ASN1_TIME
>   13042:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=notBefore, Type=X509_VAL
>   13042:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=validity, Type=X509_CINF
>   13042:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=cert_info, Type=X509
>   13042:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
>
> It's similar to the one you get from pyOpenSSL (complaining about a "too
> long" ASN1 thing somewhere, with lots of nesting and such) but notice that
> it also includes the names of the fields which were on the parse stack at
> the time of the error, something omitted from the pyOpenSSL exception. Once
> I noticed that, I checked your code and saw that you weren't setting the
> validity dates, hence my suspicion.
>
> Jean-Paul
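Jean-Paul's diagnosis in working form, as an added example that is not part of the thread: it signs a certificate the way the poster did but sets the validity window with gmtime_adj_notBefore/gmtime_adj_notAfter, checks that both dates are present before the PEM is written, and round-trips the PEM through load_certificate as the poster tried to. Assumed: a current pyOpenSSL (Python 3) with RSA-2048 keys generated inline, a constructed test CA, and the subject passed as a dict of X509Name attributes; the CSR stage is skipped because it was not the failing step. A set_validity=False call reproduces the poster's construction; on the thread's build that PEM could not be parsed back, and how your OpenSSL build reacts to the empty ASN1_TIME fields depends on its version.

```python
from datetime import datetime
from OpenSSL import crypto

ONE_DAY = 24 * 60 * 60
TIME_FMT = "%Y%m%d%H%M%SZ"  # pyOpenSSL hands back notBefore/notAfter as GeneralizedTime bytes

def make_key(bits=2048):
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, bits)
    return key

def issue_cert(subject_fields, pubkey, serial, days, ca=None, set_validity=True):
    """ca is (ca_cert, ca_key); with ca=None the cert is self-signed by pubkey's own key."""
    cert = crypto.X509()
    cert.set_serial_number(serial)
    for attr, value in subject_fields.items():  # CN, C, ST, L, O, OU, emailAddress
        setattr(cert.get_subject(), attr, value)
    issuer_cert, signing_key = ca if ca else (cert, pubkey)
    cert.set_issuer(issuer_cert.get_subject())
    cert.set_pubkey(pubkey)
    if set_validity:  # the step the thread's session left out
        cert.gmtime_adj_notBefore(0)              # notBefore = now (UTC)
        cert.gmtime_adj_notAfter(days * ONE_DAY)  # notAfter  = now + days
    cert.sign(signing_key, "sha256")
    return cert

def validity_days(cert):
    """Length of the validity window in days, or None when either date is unset."""
    nb, na = cert.get_notBefore(), cert.get_notAfter()
    if not nb or not na:
        return None
    return (datetime.strptime(na.decode(), TIME_FMT) - datetime.strptime(nb.decode(), TIME_FMT)).days

def pem_roundtrip(cert):
    """Write PEM and parse it back, the step that failed in the thread; None on failure."""
    try:
        pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
        return crypto.load_certificate(crypto.FILETYPE_PEM, pem)
    except crypto.Error:
        return None

if __name__ == "__main__":
    ca_key = make_key()
    ca = issue_cert({"CN": "Example Test CA"}, ca_key, 1, 3650)  # constructed test CA
    leaf_key = make_key()
    subj = {"CN": "secure.example.com", "C": "US", "O": "Bitchin Carrot, LLC"}
    for serial, with_dates in ((2, False), (3, True)):
        leaf = issue_cert(subj, leaf_key, serial, 90, ca=(ca, ca_key), set_validity=with_dates)
        print("dates set:", with_dates, "| window:", validity_days(leaf), "| reloads:", pem_roundtrip(leaf) is not None)
```

Refusing to write any certificate for which validity_days() returns None catches this class of mistake before a broken PEM reaches a server.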