[pyOpenSSL] Basic CSR signing issues...

Wouter van Bommel woutervanbommel at gmail.com
Tue Nov 4 07:27:06 CET 2008


Hi Joshua,

You might have a look at bug 274418, https://bugs.launchpad.net/bugs/274418.

However, this bug is only relevant if you are able to import certificates
that you created and signed on the command line with e.g. openssl.

Using the openssl ASN1 dump option on the 'failing' certificate might also
give some insight on what is going on. If you are not sure, post the dump on
the list.

regards,

Wouter

2008/11/3 Joshua 'jag' Ginsberg <listspam at flowtheory.net>

> (apologies if this ends up double-posting -- I sent this 5 hours ago
> and it hasn't shown up in the archives yet, so I'm not sure it went
> out at all...)
>
> What am I doing wrong? Why can't I load my cert back into PyOpenSSL?
>
> Python 2.5.2 (r252:60911, Sep 29 2008, 21:10:35)
> [GCC 4.3.2] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
> >>> from OpenSSL import crypto
> >>> pkey = crypto.PKey()
> >>> pkey.generate_key(crypto.TYPE_RSA, 1024)
> >>> open('/tmp/my.key', 'w').write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey))
> >>> req = crypto.X509Req()
> >>> subject = req.get_subject()
> >>> subject.CN = 'secure.example.com'
> >>> subject.C = 'US'
> >>> subject.ST = 'MA'
> >>> subject.L = 'Boston'
> >>> subject.O = 'Bitchin Carrot, LLC'
> >>> subject.OU = 'Department of Belgian Waffles'
> >>> subject.emailAddress = 'certmaster at example.com'
> >>> req.set_pubkey(pkey)
> >>> req.sign(pkey, 'sha1')
> >>> open('/tmp/my.csr', 'w').write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, req))
> >>> ca_crt_pem = open('/tmp/ca.crt').read()
> >>> ca_crt = crypto.load_certificate(crypto.FILETYPE_PEM, ca_crt_pem)
> >>> ca_key_pem = open('/tmp/ca.key').read()
> >>> ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, ca_key_pem)
> >>> cert = crypto.X509()
> >>> cert.set_serial_number(1)
> >>> cert.set_issuer(ca_crt.get_subject())
> >>> cert.set_subject(req.get_subject())
> >>> cert.set_pubkey(req.get_pubkey())
> >>> cert.sign(ca_key, 'sha1')
> >>> open('/tmp/my.crt','w').write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
> >>> fail_cert_obj = crypto.load_certificate(crypto.FILETYPE_PEM, open('/tmp/my.crt').read())
> Traceback (most recent call last):
>  File "<stdin>", line 1, in <module>
> OpenSSL.crypto.Error: [('asn1 encoding routines', 'ASN1_get_object',
> 'too long'), ('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'bad object
> header'), ('asn1 encoding routines', 'ASN1_ITEM_EX_D2I', 'nested asn1
> error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested
> asn1 error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I',
> 'nested asn1 error'), ('asn1 encoding routines',
> 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('PEM routines',
> 'PEM_ASN1_read_bio', 'ASN1 lib')]
>
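
The ASN.1 dump suggested in the reply is available on the command line as `openssl asn1parse -in /tmp/my.crt`. As an added example (not part of the original thread and not pyOpenSSL code), the stdlib-only Python walker below performs the same tag/length walk and reports the offset of the first element whose declared length overruns its container, which is the condition behind the 'too long' and 'bad object header' entries in the traceback. The function names are hypothetical, and `GOOD` and `BAD` are constructed byte strings, not the certificate from the thread.

```python
import base64

# Universal tag numbers seen in X.509 certificates (subset).
TAGS = {1: "BOOLEAN", 2: "INTEGER", 3: "BIT STRING", 4: "OCTET STRING",
        5: "NULL", 6: "OBJECT", 12: "UTF8STRING", 16: "SEQUENCE", 17: "SET",
        19: "PRINTABLESTRING", 22: "IA5STRING", 23: "UTCTIME"}

def pem_to_der(pem):
    """Drop the -----BEGIN/END----- armor lines and base64-decode the body."""
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))

def walk(der, start=0, end=None, depth=0, out=None):
    """Walk the TLVs in der[start:end]. Returns (lines, error or None)."""
    end = len(der) if end is None else end
    out = [] if out is None else out
    pos = start
    while pos < end:
        if end - pos < 2:
            return out, "offset %d: truncated header" % pos
        tag, first, hl = der[pos], der[pos + 1], 2
        if first < 0x80:                      # short form: length in one byte
            length = first
        else:                                 # long form: next n bytes hold it
            n = first & 0x7F
            if n == 0 or n > 4 or pos + 2 + n > end:
                return out, "offset %d: bad object header" % pos
            length = int.from_bytes(der[pos + 2:pos + 2 + n], "big")
            hl += n
        if pos + hl + length > end:           # value overruns its container
            return out, "offset %d: length %d is too long" % (pos, length)
        num = tag & 0x1F                      # high-tag-number form not handled
        name = TAGS.get(num, "tag %d" % num) if (tag & 0xC0) == 0 else "[%d]" % num
        out.append("%5d:d=%d hl=%d l=%4d %s" % (pos, depth, hl, length, name))
        if tag & 0x20:                        # constructed: descend into value
            _, err = walk(der, pos + hl, pos + hl + length, depth + 1, out)
            if err:
                return out, err
        pos += hl + length
    return out, None

# Constructed sample input (not taken from the thread's certificate).
T1 = b"\x17\x0d" + b"081104062706Z"
GOOD = b"\x30\x23\x02\x01\x01\x30\x1e" + T1 + b"\x17\x0d" + b"091104062706Z"
# Same layout, but the second time field declares 13 bytes and carries none.
BAD = b"\x30\x16\x02\x01\x01\x30\x11" + T1 + b"\x17\x0d"

if __name__ == "__main__":
    for label, blob in (("GOOD", GOOD), ("BAD", BAD)):
        lines, err = walk(blob)
        print(label, *lines, err or "clean", sep="\n")
```

To inspect a real file, pass `pem_to_der(open('/tmp/my.crt').read())` to `walk` and look at the last line printed before the error offset.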