From alex.stapleton at prol.etari.at Tue Sep 9 10:05:35 2008
From: alex.stapleton at prol.etari.at (Alex Stapleton)
Date: Tue, 9 Sep 2008 09:05:35 +0100
Subject: [pyOpenSSL] Patch for X509Extension in 0.7 to fix most extensions not instantiating
Message-ID: <3ad3168b0809090105o6755572bl1bcba1f203451b08@mail.gmail.com>

Hopefully this isn't redundant; it's a bit hard to track exactly what's going on with this project lately.

I have made a patch to fix the X509Extension issue that was recently reported against 0.7. The code for them mostly comes from reading OpenSSL source, in particular the v3_conf.c file.

You can find it here http://prol.etari.at/pyopenssl/; there is also a file that adds a rather crude test for the issue to the crypto test suite.

Is there a proper bug tracker, source control or anything for this project right now?

-- 
Alex Stapleton

From exarkun at divmod.com Tue Sep 9 15:06:05 2008
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Tue, 9 Sep 2008 09:06:05 -0400
Subject: [pyOpenSSL] Patch for X509Extension in 0.7 to fix most extensions not instantiating
In-Reply-To: <3ad3168b0809090105o6755572bl1bcba1f203451b08@mail.gmail.com>
Message-ID: <20080909130605.29191.1332322718.divmod.quotient.23601@ohm>

On Tue, 9 Sep 2008 09:05:35 +0100, Alex Stapleton wrote:
>Hopefully this isn't redundant; it's a bit hard to track exactly what's
>going on with this project lately.
>
>I have made a patch to fix the X509Extension issue that was recently
>reported against 0.7. The code for them mostly comes from reading
>OpenSSL source, in particular the v3_conf.c file.
>
>You can find it here http://prol.etari.at/pyopenssl/; there is also a
>file that adds a rather crude test for the issue to the crypto test
>suite.
>

Hi Alex, thanks for the patch (especially the test :).

>Is there a proper bug tracker, source control or anything for this
>project right now?
>

I'm paying attention to both sourceforge and launchpad, but I prefer activity on launchpad.
I saw the issue you filed there and I'll take a look at the patch as soon as I get a chance.

Thanks again,

Jean-Paul

From alex.stapleton at prol.etari.at Wed Sep 10 01:26:04 2008
From: alex.stapleton at prol.etari.at (Alex Stapleton)
Date: Wed, 10 Sep 2008 00:26:04 +0100
Subject: [pyOpenSSL] Patch to x509ext.c to add getter for extension short name
Message-ID: <3ad3168b0809091626p4aa932fj453ffad583789782@mail.gmail.com>

http://prol.etari.at/pyopenssl/X509Extension_get_type_name.patch

This patch adds a method to the X509Extension class to return the short name (e.g. basicConstraints) of the extension.

-- 
Alex Stapleton

From arnaud.desmons at free.fr Wed Sep 10 10:11:24 2008
From: arnaud.desmons at free.fr (arnaud.desmons at free.fr)
Date: Wed, 10 Sep 2008 10:11:24 +0200 (CEST)
Subject: [pyOpenSSL] PKCS12 bzr branch
Message-ID: <177995639.2627711221034284188.JavaMail.root@spooler10-g27.priv.proxad.net>

Hi,

I put my PKCS12 patch into a new bzr branch:
https://code.launchpad.net/~arnaud-desmons/pyopenssl/pkcs12

The is documented but I still have to code unit tests.

Regards,

From alex.stapleton at prol.etari.at Wed Sep 10 12:28:09 2008
From: alex.stapleton at prol.etari.at (Alex Stapleton)
Date: Wed, 10 Sep 2008 11:28:09 +0100
Subject: [pyOpenSSL] Patch to add OpenSSL.crypto.dump_publickey
Message-ID: <3ad3168b0809100328p75afe7fet26fd4a36f7037e83@mail.gmail.com>

http://prol.etari.at/pyopenssl/crypto_dump_publickey.patch

def dump_public_key(type, pkey):
    ...

It's just like dump_privatekey except without the encryption arguments.
-- 
Alex Stapleton

From exarkun at divmod.com Wed Sep 10 15:22:41 2008
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Wed, 10 Sep 2008 09:22:41 -0400
Subject: [pyOpenSSL] PKCS12 bzr branch
In-Reply-To: <177995639.2627711221034284188.JavaMail.root@spooler10-g27.priv.proxad.net>
Message-ID: <20080910132241.29191.868901344.divmod.quotient.24104@ohm>

On Wed, 10 Sep 2008 10:11:24 +0200 (CEST), arnaud.desmons at free.fr wrote:
>Hi,
>
>I put my PKCS12 patch into a new bzr branch:
>https://code.launchpad.net/~arnaud-desmons/pyopenssl/pkcs12
>
>The is documented but I still have to code unit tests.
>

Hi Arnaud,

Is this code the same as the code in ? (It's fine if you have a branch for this, I just want to make sure I don't duplicate any work you might do in a different branch).

Jean-Paul

From arnaud.desmons at free.fr Wed Sep 10 17:43:11 2008
From: arnaud.desmons at free.fr (arnaud.desmons at free.fr)
Date: Wed, 10 Sep 2008 17:43:11 +0200 (CEST)
Subject: [pyOpenSSL] PKCS12 bzr branch
In-Reply-To: <20080910132241.29191.868901344.divmod.quotient.24104@ohm>
Message-ID: <1409416752.2724011221061391715.JavaMail.root@spooler10-g27.priv.proxad.net>

My idea was to split pkcs12 and crl into separate branches because the pkcs12-crl name was already used and I did not have upload rights on it.
pkcs12-crl is not up to date regarding documentation, tests, and the "PY_DECREF bug".

If you think that splitting PKCS12 and CRL is useless I can update your pkcs12-crl branch.
Otherwise remove pkcs12-crl.
Regards,

-- 
Arnaud

----- Original Mail -----
From: "Jean-Paul Calderone" 
To: pyopenssl-list at lists.sourceforge.net
Sent: Wednesday 10 September 2008 15:22:41 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: [pyOpenSSL] PKCS12 bzr branch

On Wed, 10 Sep 2008 10:11:24 +0200 (CEST), arnaud.desmons at free.fr wrote:
>Hi,
>
>I put my PKCS12 patch into a new bzr branch:
>https://code.launchpad.net/~arnaud-desmons/pyopenssl/pkcs12
>
>The is documented but I still have to code unit tests.
>

Hi Arnaud,

Is this code the same as the code in ? (It's fine if you have a branch for this, I just want to make sure I don't duplicate any work you might do in a different branch).

Jean-Paul

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
pyopenssl-list mailing list
pyopenssl-list at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/pyopenssl-list

From exarkun at divmod.com Wed Sep 10 17:44:55 2008
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Wed, 10 Sep 2008 11:44:55 -0400
Subject: [pyOpenSSL] PKCS12 bzr branch
In-Reply-To: <1409416752.2724011221061391715.JavaMail.root@spooler10-g27.priv.proxad.net>
Message-ID: <20080910154455.29191.1347568658.divmod.quotient.24153@ohm>

On Wed, 10 Sep 2008 17:43:11 +0200 (CEST), arnaud.desmons at free.fr wrote:
>My idea was to split pkcs12 and crl into separate branches because the pkcs12-crl name was already used and I did not have upload rights on it.
>pkcs12-crl is not up to date regarding documentation, tests, and the "PY_DECREF bug".
>
>If you think that splitting PKCS12 and CRL is useless I can update your pkcs12-crl branch.
>Otherwise remove pkcs12-crl.

Splitting it up sounds good. I'll delete pkcs12-crl.

Jean-Paul

From danwent at gmail.com Thu Sep 11 09:56:26 2008
From: danwent at gmail.com (Dan Wendlandt)
Date: Thu, 11 Sep 2008 00:56:26 -0700
Subject: [pyOpenSSL] signing a cert request with DSA
Message-ID: <2dde77d60809110056y7446800ck5e74ebafd59dd60f@mail.gmail.com>

Apologies if I missed the answer to this while searching list archives and google, but I have a very simple issue:

If I run the examples/mk_simple_certs.py file from the tarball, but change the two instances of TYPE_RSA to TYPE_DSA, the code fails with the following error:

$ python2.5 mk_simple_certs.py
Traceback (most recent call last):
  File "mk_simple_certs.py", line 8, in
    careq = createCertRequest(cakey, CN='Certificate Authority')
  File "/home/danwent/Desktop/pyOpenSSL-0.7/examples/certgen.py", line 51, in createCertRequest
    req.sign(pkey, digest)
OpenSSL.crypto.Error: [('digital envelope routines', 'EVP_SignFinal', 'wrong public key type'), ('asn1 encoding routines', 'ASN1_item_sign', 'EVP lib')]

The above code worked fine for TYPE_RSA.

Performing the equivalent operations via the command-line 'openssl' utility seems to work for DSA keys.

I have PyOpenSSL version 0.7, installed from the standard debian package. I am running debian testing.

system info: Linux 2.6.25-2-686 #1 SMP Fri Jul 18 17:46:56 UTC 2008 i686 GNU/Linux

openssl: 7$ OpenSSL 0.9.8g 19 Oct 2007

Any help would be appreciated. Thanks,

dan

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dan Wendlandt
650-906-2650
http://www.cs.cmu.edu/~dwendlan/
4250 El Camino Real, Apt A306
Palo Alto, CA 94306
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From sebastianthegreatful at gmail.com Wed Sep 17 20:01:30 2008
From: sebastianthegreatful at gmail.com (Sebastian Greatful)
Date: Wed, 17 Sep 2008 20:01:30 +0200
Subject: [pyOpenSSL] How can I verify client that the client is signed by me?
Message-ID: <002d01c918ef$6c1f97f0$445ec7d0$@com>

I'm building an SSL TCP server using the code below.
However I'm unsure about how to actually verify the client's cert.

50 class SSLTCPServer(TCPServer):
51     keyFile = "sslcert/server.key"
52     certFile = "sslcert/server.crt"
53     def __init__(self, server_address, RequestHandlerClass):
54         ctx = SSL.Context(SSL.SSLv23_METHOD)
55         ctx.use_privatekey_file(self.keyFile)
56         ctx.use_certificate_file(self.certFile)
57         ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT | SSL.VERIFY_CLIENT_ONCE, self._verify)
58         ctx.set_verify_depth(10)
59         ctx.set_session_id('DFS')
60
61         self.server_address = server_address
62         self.RequestHandlerClass = RequestHandlerClass
63         self.socket = socket.socket(self.address_family, self.socket_type)
64         self.socket = SSL.Connection(ctx, self.socket)
65         self.socket.bind(self.server_address)
66         self.socket.listen(self.request_queue_size)
67
68     def _verify(self, conn, cert, errno, depth, retcode):
69         return not cert.has_expired() and cert.get_issuer().organizationName == 'DFS'

Anyone got an idea about how to actually build the _verify method?

Thanks in advance,
Seb

From exarkun at divmod.com Wed Sep 17 20:29:49 2008
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Wed, 17 Sep 2008 14:29:49 -0400
Subject: [pyOpenSSL] How can I verify client that the client is signed by me?
In-Reply-To: <002d01c918ef$6c1f97f0$445ec7d0$@com>
Message-ID: <20080917182949.29191.455270902.divmod.quotient.27414@ohm>

On Wed, 17 Sep 2008 20:01:30 +0200, Sebastian Greatful wrote:
>I'm building an SSL TCP server using the code below. However I'm unsure about
>how to actually verify the client's cert.
>
>50 class SSLTCPServer(TCPServer):
> 51     keyFile = "sslcert/server.key"
> 52     certFile = "sslcert/server.crt"
> 53     def __init__(self, server_address, RequestHandlerClass):
> 54         ctx = SSL.Context(SSL.SSLv23_METHOD)
> 55         ctx.use_privatekey_file(self.keyFile)
> 56         ctx.use_certificate_file(self.certFile)
> 57         ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT | SSL.VERIFY_CLIENT_ONCE, self._verify)
> 58         ctx.set_verify_depth(10)
> 59         ctx.set_session_id('DFS')
> 60
> 61         self.server_address = server_address
> 62         self.RequestHandlerClass = RequestHandlerClass
> 63         self.socket = socket.socket(self.address_family, self.socket_type)
> 64         self.socket = SSL.Connection(ctx, self.socket)
> 65         self.socket.bind(self.server_address)
> 66         self.socket.listen(self.request_queue_size)
> 67
> 68     def _verify(self, conn, cert, errno, depth, retcode):
> 69         return not cert.has_expired() and cert.get_issuer().organizationName == 'DFS'
>
>Anyone got an idea about how to actually build the _verify method?
>

If you want to make sure the client's certificate is signed by a particular key which your server has, then you should specify that key's corresponding certificate as a trusted CA certificate (with a method of the context object, perhaps load_verify_locations, though there are a bunch of functions which do similar things; the correct one for you may depend on some other factors).

Then, make sure you respect OpenSSL's decision in the verify callback. This is given by the `retcode` parameter. If the client's certificate is not signed by a certificate you told the context object to consider a trusted CA certificate, `retcode` will be false. You can add whatever additional checks you want on top of that (i.e., for the subject's name or what have you) but if `retcode` is false, you should return false from the verify function. This includes things like expiration checking, so you don't need to do that.
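An added example (not from the thread and not pyOpenSSL's own code) that exercises the advice above in-process with pyOpenSSL memory BIOs: the server trusts a constructed CA through load_verify_locations, its verify callback returns False whenever retcode is false and only then layers an organizationName check on top, and four constructed client certificates (CA-signed, self-signed, wrong organisation, expired) show which failures OpenSSL already reports through retcode. The "Test CA"/"server"/"client" names, the 'DFS' organisation and the TLS_METHOD fallback to SSLv23_METHOD are assumptions of this example.

```python
import tempfile
from OpenSSL import SSL, crypto

# TLS_METHOD is the current name; older pyOpenSSL only has SSLv23_METHOD.
_METHOD = getattr(SSL, "TLS_METHOD", SSL.SSLv23_METHOD)
_YEAR = 365 * 24 * 3600


def make_key():
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    return key


def make_cert(cn, org, key, issuer=None, not_before=0, not_after=_YEAR, serial=1):
    """Constructed test certificate, self-signed unless issuer=(cert, key).
    Kept v1 (no extensions) so the self-signed CA passes OpenSSL's non-strict root check."""
    cert = crypto.X509()
    cert.set_serial_number(serial)
    cert.get_subject().CN = cn
    cert.get_subject().O = org
    cert.gmtime_adj_notBefore(not_before)
    cert.gmtime_adj_notAfter(not_after)
    cert.set_pubkey(key)
    issuer_cert, issuer_key = issuer if issuer else (cert, key)
    cert.set_issuer(issuer_cert.get_subject())
    cert.sign(issuer_key, "sha256")
    return cert


class ClientCertPolicy:
    """Verify callback in the shape set_verify() expects. retcode is OpenSSL's
    own verdict for this chain element (trusted issuer, valid signature, not
    expired): never overridden when false; the O check is layered on top."""
    def __init__(self, required_org):
        self.required_org = required_org
        self.seen = []  # (depth, retcode, subject CN) per callback invocation

    def __call__(self, conn, cert, errno, depth, retcode):
        self.seen.append((depth, bool(retcode), cert.get_subject().CN))
        if not retcode:
            return False
        if depth == 0 and cert.get_subject().O != self.required_org:
            return False
        return True


def _pump(client, server, rounds=20):
    """Drive both memory-BIO handshakes to completion; False if either aborts."""
    done = [False, False]
    for _ in range(rounds):
        for idx, (conn, peer) in enumerate(((client, server), (server, client))):
            if not done[idx]:
                try:
                    conn.do_handshake()
                    done[idx] = True
                except SSL.WantReadError:
                    pass
                except SSL.Error:
                    return False  # verification failure surfaces here as an alert
            try:
                peer.bio_write(conn.bio_read(65536))  # hand over queued records
            except SSL.WantReadError:
                pass  # nothing queued on this side right now
        if all(done):
            return True
    return False


def client_auth_result(ca_cert, server_cert, client_cert, key, policy):
    """Server trusts ca_cert, demands a client cert and applies policy."""
    srv = SSL.Context(_METHOD)
    srv.use_privatekey(key)
    srv.use_certificate(server_cert)
    with tempfile.NamedTemporaryFile(suffix=".pem") as ca_file:
        ca_file.write(crypto.dump_certificate(crypto.FILETYPE_PEM, ca_cert))
        ca_file.flush()
        srv.load_verify_locations(ca_file.name)  # this makes the CA trusted
    srv.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, policy)
    cli = SSL.Context(_METHOD)
    cli.use_privatekey(key)
    cli.use_certificate(client_cert)
    client = SSL.Connection(cli, None)  # socket None => memory BIOs, no network
    client.set_connect_state()
    server = SSL.Connection(srv, None)
    server.set_accept_state()
    return _pump(client, server)


def run_scenario(kind):
    """Returns (handshake_ok, policy.seen) for one constructed client cert."""
    ca_key, leaf_key = make_key(), make_key()
    ca_cert = make_cert("Test CA", "DFS", ca_key)
    by_ca = (ca_cert, ca_key)
    server_cert = make_cert("server", "DFS", leaf_key, by_ca, serial=2)
    variants = {  # org, issuer, (not_before, not_after)
        "signed": ("DFS", by_ca, (0, _YEAR)),
        "rogue": ("DFS", None, (0, _YEAR)),         # self-signed: retcode false
        "wrong_org": ("Other", by_ca, (0, _YEAR)),  # trusted, but fails policy
        "expired": ("DFS", by_ca, (-2 * _YEAR, -_YEAR)),  # OpenSSL rejects it
    }
    org, issuer, (nb, na) = variants[kind]
    client_cert = make_cert("client", org, leaf_key, issuer, nb, na, serial=3)
    policy = ClientCertPolicy("DFS")
    return client_auth_result(ca_cert, server_cert, client_cert, leaf_key, policy), policy.seen
```

Only the "signed" variant completes the handshake; in the "rogue" and "expired" cases the callback sees retcode false before any policy of its own runs, which is the situation the thread ends up diagnosing.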
Jean-Paul

From exarkun at divmod.com Wed Sep 17 21:14:35 2008
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Wed, 17 Sep 2008 15:14:35 -0400
Subject: [pyOpenSSL] signing a cert request with DSA
In-Reply-To: <2dde77d60809110056y7446800ck5e74ebafd59dd60f@mail.gmail.com>
Message-ID: <20080917191435.29191.870237538.divmod.quotient.27429@ohm>

On Thu, 11 Sep 2008 00:56:26 -0700, Dan Wendlandt wrote:
>Apologies if I missed the answer to this while searching list archives
>and google, but I have a very simple issue:
>
>If I run the examples/mk_simple_certs.py file from the tarball, but
>change the two instances of TYPE_RSA to TYPE_DSA, the code fails with
>the following error:
>
>$ python2.5 mk_simple_certs.py
>Traceback (most recent call last):
>  File "mk_simple_certs.py", line 8, in
>    careq = createCertRequest(cakey, CN='Certificate Authority')
>  File "/home/danwent/Desktop/pyOpenSSL-0.7/examples/certgen.py", line 51, in createCertRequest
>    req.sign(pkey, digest)
>OpenSSL.crypto.Error: [('digital envelope routines', 'EVP_SignFinal',
>'wrong public key type'), ('asn1 encoding routines', 'ASN1_item_sign',
>'EVP lib')]
>
>The above code worked fine for TYPE_RSA.
>
>Performing the equivalent operations via the command-line 'openssl'
>utility seems to work for DSA keys.
>
>I have PyOpenSSL version 0.7, installed from the standard debian
>package. I am running debian testing.
>
>system info: Linux 2.6.25-2-686 #1 SMP Fri Jul 18 17:46:56 UTC 2008
>i686 GNU/Linux
>
>openssl: 7$ OpenSSL 0.9.8g 19 Oct 2007
>
>Any help would be appreciated. Thanks,
>

Hi Dan,

No idea what's going on here. It seems like it's probably a pyOpenSSL bug, but I'm not sure where. Do you feel like looking through the implementation of the `openssl ca` command (I assume that's the equivalent command you're talking about, correct me if I'm wrong) to see if you can see what it is doing differently from pyOpenSSL's PKey.sign method?
Jean-Paul

From sebastianthegreatful at gmail.com Wed Sep 17 21:27:50 2008
From: sebastianthegreatful at gmail.com (Sebastian Greatful)
Date: Wed, 17 Sep 2008 21:27:50 +0200
Subject: [pyOpenSSL] How can I verify client that the client is signed by me?
In-Reply-To: <20080917182949.29191.455270902.divmod.quotient.27414@ohm>
References: <002d01c918ef$6c1f97f0$445ec7d0$@com> <20080917182949.29191.455270902.divmod.quotient.27414@ohm>
Message-ID: <003201c918fb$7b399900$71accb00$@com>

-----Original Message-----
From: pyopenssl-list-bounces at lists.sourceforge.net [mailto:pyopenssl-list-bounces at lists.sourceforge.net] On behalf of Jean-Paul Calderone
Sent: 17 September 2008 20:30
To: pyopenssl-list at lists.sourceforge.net
Subject: Re: [pyOpenSSL] How can I verify client that the client is signed by me?

>If you want to make sure the client's certificate is signed by a particular
>key which your server has, then you should specify that key's corresponding
>certificate as a trusted CA certificate (with a method of the context object,
>perhaps load_verify_locations, though there are a bunch of functions which
>do similar things, the correct one for you may depend on some other factors).
>

That's exactly what I'm trying to do. However I can't make the load_verify_locations function work. Executing the code below I get (, , )

71     def _verify(self, conn, cert, errno, depth, retcode):
72         try:
73             cert.load_verify_locations(self.caFile)
74         except:
75             print sys.exc_info()

>Then, make sure you respect OpenSSL's decision in the verify callback. This
>is given by the `retcode` parameter. If the client's certificate is not
>signed by a certificate you told the context object to consider a trusted CA
>certificate, `retcode` will be false. You can add whatever additional
>checks you want on top of that (ie, for the subject's name or what have you)
>but if `retcode` is false, you should return false from the verify function.
I'd very much like to do so :) But does that mean that I should set it to something or check it or what?

Best regards,
Seb

From sebastianthegreatful at gmail.com Wed Sep 17 21:44:51 2008
From: sebastianthegreatful at gmail.com (Sebastian Greatful)
Date: Wed, 17 Sep 2008 21:44:51 +0200
Subject: [pyOpenSSL] How can I verify client that the client is signed by me?
In-Reply-To: <20080917182949.29191.455270902.divmod.quotient.27414@ohm>
References: <002d01c918ef$6c1f97f0$445ec7d0$@com> <20080917182949.29191.455270902.divmod.quotient.27414@ohm>
Message-ID: <003301c918fd$dad69be0$9083d3a0$@com>

I now execute load_verify_locations on the Context object, instead... doh!

However I'm still very unsure about how to handle the retcode... all hints appreciated :)

Best regards,
Seb

From exarkun at divmod.com Wed Sep 17 21:53:59 2008
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Wed, 17 Sep 2008 15:53:59 -0400
Subject: [pyOpenSSL] How can I verify client that the client is signed by me?
In-Reply-To: <003301c918fd$dad69be0$9083d3a0$@com>
Message-ID: <20080917195359.29191.13876912.divmod.quotient.27441@ohm>

On Wed, 17 Sep 2008 21:44:51 +0200, Sebastian Greatful wrote:
>I now execute load_verify_locations on the Context object, instead... doh!
>
>However I'm still very unsure about how to handle the retcode... all hints
>appreciated :)

If it's false, return false from your verify callback. If it's true, either return true, or do whatever extra checks you want and return the result of them.

Jean-Paul

From sebastianthegreatful at gmail.com Wed Sep 17 22:18:22 2008
From: sebastianthegreatful at gmail.com (Sebastian Greatful)
Date: Wed, 17 Sep 2008 22:18:22 +0200
Subject: [pyOpenSSL] How can I verify client that the client is signed by me?
In-Reply-To: <20080917195359.29191.13876912.divmod.quotient.27441@ohm>
References: <003301c918fd$dad69be0$9083d3a0$@com> <20080917195359.29191.13876912.divmod.quotient.27441@ohm>
Message-ID: <000001c91902$8a7bfbe0$9f73f3a0$@com>

>-----Original Message-----
>From: pyopenssl-list-bounces at lists.sourceforge.net [mailto:pyopenssl-list-bounces at lists.sourceforge.net] On behalf of Jean-Paul Calderone
>Sent: 17 September 2008 21:54
>To: pyopenssl-list at lists.sourceforge.net
>Subject: Re: [pyOpenSSL] How can I verify client that the client is signed by me?
>On Wed, 17 Sep 2008 21:44:51 +0200, Sebastian Greatful wrote:
>>I now execute load_verify_locations on the Context object, instead... doh!
>>
>>However I'm still very unsure about how to handle the retcode... all hints
>>appreciated :)
>If it's false, return false from your verify callback. If it's true, either
>return true, or do whatever extra checks you want and return the result of
>them.

So basically I should just return it? Since I at the moment don't want to verify on other parameters...

The code is as below and I have used the following guide http://www.impetus.us/~rjmooney/projects/misc/clientcertauth.html to generate the certs. However the retcode remains false, even though the client's certificate really should be signed with the file referred to by caFile.

Any ideas on where I go wrong?
50 class SSLTCPServer(TCPServer):
51     keyFile = "sslcert/server.key"
52     certFile = "sslcert/server.crt"
53     caFile = "sslcert/ca.crt"
54     def __init__(self, server_address, RequestHandlerClass):
55         ctx = SSL.Context(SSL.SSLv23_METHOD)
56         ctx.use_privatekey_file(self.keyFile)
57         ctx.use_certificate_file(self.certFile)
58         ctx.load_verify_locations(self.caFile)
59         ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT | SSL.VERIFY_CLIENT_ONCE, self._verify)
60         ctx.set_verify_depth(10)
61         ctx.set_session_id('DFS')
62
63         self.server_address = server_address
64         self.RequestHandlerClass = RequestHandlerClass
65         self.socket = socket.socket(self.address_family, self.socket_type)
66         self.socket = SSL.Connection(ctx, self.socket)
67         self.socket.bind(self.server_address)
68         self.socket.listen(self.request_queue_size)
69
70     def _verify(self, conn, cert, errno, depth, retcode):
71         return retcode

From exarkun at divmod.com Wed Sep 17 22:40:50 2008
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Wed, 17 Sep 2008 16:40:50 -0400
Subject: [pyOpenSSL] How can I verify client that the client is signed by me?
In-Reply-To: <000001c91902$8a7bfbe0$9f73f3a0$@com>
Message-ID: <20080917204050.29191.1385151359.divmod.quotient.27459@ohm>

On Wed, 17 Sep 2008 22:18:22 +0200, Sebastian Greatful wrote:
> [snip]
>
>Any ideas on where I go wrong?
>
>50 class SSLTCPServer(TCPServer):
> 51     keyFile = "sslcert/server.key"
> 52     certFile = "sslcert/server.crt"
> 53     caFile = "sslcert/ca.crt"
> 54     def __init__(self, server_address, RequestHandlerClass):
> 55         ctx = SSL.Context(SSL.SSLv23_METHOD)
> 56         ctx.use_privatekey_file(self.keyFile)
> 57         ctx.use_certificate_file(self.certFile)
> 58         ctx.load_verify_locations(self.caFile)
> 59         ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT | SSL.VERIFY_CLIENT_ONCE, self._verify)
> 60         ctx.set_verify_depth(10)
> 61         ctx.set_session_id('DFS')
> 62
> 63         self.server_address = server_address
> 64         self.RequestHandlerClass = RequestHandlerClass
> 65         self.socket = socket.socket(self.address_family, self.socket_type)
> 66         self.socket = SSL.Connection(ctx, self.socket)
> 67         self.socket.bind(self.server_address)
> 68         self.socket.listen(self.request_queue_size)
> 69
> 70     def _verify(self, conn, cert, errno, depth, retcode):
> 71         return retcode
>

This isn't a complete example (and the line numbers would make it annoying to actually run if it were ;). A complete, minimal reproduction of the problem would make it easier to diagnose.

Jean-Paul

From sebastianthegreatful at gmail.com Wed Sep 17 22:51:40 2008
From: sebastianthegreatful at gmail.com (Sebastian Greatful)
Date: Wed, 17 Sep 2008 22:51:40 +0200
Subject: [pyOpenSSL] How can I verify client that the client is signed by me?
In-Reply-To: <20080917204050.29191.1385151359.divmod.quotient.27459@ohm>
References: <000001c91902$8a7bfbe0$9f73f3a0$@com> <20080917204050.29191.1385151359.divmod.quotient.27459@ohm>
Message-ID: <000101c91907$3052ad80$90f80880$@com>

>This isn't a complete example (and the line numbers would make it annoying
>to actually run if it were ;). A complete, minimal reproduction of the
>problem would make it easier to diagnose.

Sorry, I'm just copy pasting from vim.
Server: http://paste.pocoo.org/show/85562/
FileServer: http://paste.pocoo.org/show/85561/
HttpServer: http://paste.pocoo.org/show/85563/
Httplib: http://paste.pocoo.org/show/85564/

Is that better? Just let me know how you want it.

The actual project is a distributed filesystem with an HTTP interface. In order for the project to run you need a running pyro-ns (pyro name server). The SSL part is in the "Server".

I really appreciate your help, thanks a lot.

Best regards,
Seb

From exarkun at divmod.com Wed Sep 17 23:01:56 2008
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Wed, 17 Sep 2008 17:01:56 -0400
Subject: [pyOpenSSL] How can I verify client that the client is signed by me?
In-Reply-To: <000101c91907$3052ad80$90f80880$@com>
Message-ID: <20080917210156.29191.1980661668.divmod.quotient.27468@ohm>

On Wed, 17 Sep 2008 22:51:40 +0200, Sebastian Greatful wrote:
>
>>This isn't a complete example (and the line numbers would make it annoying
>>to actually run if it were ;). A complete, minimal reproduction of the
>>problem would make it easier to diagnose.
>
>Sorry, I'm just copy pasting from vim.
>
>Server: http://paste.pocoo.org/show/85562/
>FileServer: http://paste.pocoo.org/show/85561/
>HttpServer: http://paste.pocoo.org/show/85563/
>Httplib: http://paste.pocoo.org/show/85564/
>
>
>Is that better? Just let me know how you want it.
>

The client code is important too (since it's the thing supplying the certificate), as are the keys and certificates (since they determine what the connection is actually verifying). The HTTP parts probably aren't important since the failure is happening at the SSL layer, so the HTTP code probably never gets involved.
If you can provide a file containing a server and a file containing a client such that when run the client connects to the server and the server fails to decide that the client's certificate is valid, that'd be best (basically, make it possible for me to be really lazy, so that I am inclined to work on this instead of on real work ;).

Jean-Paul

From sebastianthegreatful at gmail.com Thu Sep 18 09:54:02 2008
From: sebastianthegreatful at gmail.com (Sebastian Greatful)
Date: Thu, 18 Sep 2008 09:54:02 +0200
Subject: [pyOpenSSL] How can I verify client that the client is signed by me?
In-Reply-To: <20080917210156.29191.1980661668.divmod.quotient.27468@ohm>
References: <000101c91907$3052ad80$90f80880$@com> <20080917210156.29191.1980661668.divmod.quotient.27468@ohm>
Message-ID: <000901c91963$b84ed2c0$28ec7840$@com>

Thanks to Jean-Paul I now know that the problem wasn't my code but rather my certificates. So the lesson is, remember to verify those certificates before using them.

Best regards,
Seb

-----Original Message-----
From: pyopenssl-list-bounces at lists.sourceforge.net [mailto:pyopenssl-list-bounces at lists.sourceforge.net] On behalf of Jean-Paul Calderone
Sent: 17 September 2008 23:02
To: pyopenssl-list at lists.sourceforge.net
Subject: Re: [pyOpenSSL] How can I verify client that the client is signed by me?

On Wed, 17 Sep 2008 22:51:40 +0200, Sebastian Greatful wrote:
>
>>This isn't a complete example (and the line numbers would make it annoying
>>to actually run if it were ;). A complete, minimal reproduction of the
>>problem would make it easier to diagnose.
>
>Sorry, I'm just copy pasting from vim.
>
>Server: http://paste.pocoo.org/show/85562/
>FileServer: http://paste.pocoo.org/show/85561/
>HttpServer: http://paste.pocoo.org/show/85563/
>Httplib: http://pa ste.pocoo.org/show/85564/
>
>
>Is that better? Just let me know how you want it.
>

The client code is important too (since it's the thing supplying the certificate), as are the keys and certificates (since they determine what the connection is actually verifying). The HTTP parts probably aren't important since the failure is happening at the SSL layer, so the HTTP code probably never gets involved.

If you can provide a file containing a server and a file containing a client such that when run the client connects to the server and the server fails to decide that the client's certificate is valid, that'd be best (basically, make it possible for me to be really lazy, so that I am inclined to work on this instead of on real work ;).

Jean-Paul

From sebastianthegreatful at gmail.com Sat Sep 20 12:55:05 2008
From: sebastianthegreatful at gmail.com (Sebastian Greatful)
Date: Sat, 20 Sep 2008 12:55:05 +0200
Subject: [pyOpenSSL] Getting the next cert in hierarchy
Message-ID: <001501c91b0f$585f74c0$091e5e40$@com>

As part of my verification I'm trying to retrieve the email embedded in the certificate. However it returns None. I'm using the code below, where _verify is the callback passed as the second argument to the set_verify method of a context object.

Judging from this screenshot, http://89.150.104.27/~snot/certificate.PNG, it seems like I need to get the second certificate in the certificate hierarchy. But how do I access it?
31     def _verify(self, conn, cert, errno, depth, retcode):
38         print cert.get_issuer().emailAddress
39         self.accessRights.read = True
40         self.accessRights.write = True
41         return retcode

Best regards,
Seb

From sebastianthegreatful at gmail.com Sat Sep 20 13:19:04 2008
From: sebastianthegreatful at gmail.com (Sebastian Greatful)
Date: Sat, 20 Sep 2008 13:19:04 +0200
Subject: [pyOpenSSL] Getting the next cert in hierarchy
In-Reply-To: <001501c91b0f$585f74c0$091e5e40$@com>
References: <001501c91b0f$585f74c0$091e5e40$@com>
Message-ID: <001d01c91b12$b1bf8610$153e9230$@com>

get_subject was the key to it, not get_issuer. Of course :)

Best regards,
Seb

From: Sebastian Greatful [mailto:sebastianthegreatful at gmail.com]
Sent: 20 September 2008 12:55
To: pyopenssl-list at lists.sourceforge.net
Subject: Getting the next cert in hierarchy

As part of my verification I'm trying to retrieve the email embedded in the certificate. However it returns None. I'm using the code below, where _verify is the callback passed as the second argument to the set_verify method of a context object.

Judging from this screenshot, http://89.150.104.27/~snot/certificate.PNG, it seems like I need to get the second certificate in the certificate hierarchy. But how do I access it?

31     def _verify(self, conn, cert, errno, depth, retcode):
38         print cert.get_issuer().emailAddress
39         self.accessRights.read = True
40         self.accessRights.write = True
41         return retcode

Best regards,
Seb

From exarkun at divmod.com Mon Sep 22 15:18:58 2008
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Mon, 22 Sep 2008 09:18:58 -0400
Subject: [pyOpenSSL] 0.8a1 is out
In-Reply-To: 0
Message-ID: <20080922131858.29191.511591871.divmod.quotient.29702@ohm>

Hello,

I've just uploaded 0.8a1 to sourceforge. This release is almost entirely about thread-related fixes.
It includes part of a patch Red Hat has been applying to their 0.6 package for a long time, as well as a change to the way OpenSSL.SSL.Connection manages the GIL. Whereas previously Connection operations acquired and released the GIL as necessary to allow for concurrency, using a Connection object in multiple threads was not safe. This should now be safe, through a combination of proper initialization of OpenSSL's threading support and a different strategy for managing the CPython GIL.

Please try it out and let me know how it goes.

Thanks!

Jean-Paul

From pks_chennai at yahoo.com Wed Sep 24 06:31:23 2008
From: pks_chennai at yahoo.com (Pravin Sinha)
Date: Tue, 23 Sep 2008 21:31:23 -0700 (PDT)
Subject: [pyOpenSSL] PyOpenSSL Linux 32/64 bit problem
Message-ID: <805912.54786.qm@web51502.mail.re2.yahoo.com>

Hi,

PyOpenSSL, built on 32 bit Linux, does not work on 64 bit Linux and vice-versa. I have a requirement where I should be able to share the lib built on one machine (either 32bit or 64 bit, whichever works) to work with both. Any idea if I can achieve this?

The error which I am getting while importing OpenSSL in python is:

>>> import OpenSSL
Traceback (most recent call last):
  File "", line 1, in ?
  File "/test/OpenSSL/__init__.py", line 11, in ?
    import rand, crypto, SSL, tsafe
ImportError: /test/OpenSSL/rand.so: cannot open shared object file: No such file or directory

Appreciate your time and help
Regards,
-Pravin.
From exarkun at divmod.com Wed Sep 24 20:13:59 2008
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Wed, 24 Sep 2008 14:13:59 -0400
Subject: [pyOpenSSL] PyOpenSSL Linux 32/64 bit problem
In-Reply-To: <805912.54786.qm@web51502.mail.re2.yahoo.com>
Message-ID: <20080924181359.29191.2033266284.divmod.quotient.30206@ohm>

On Tue, 23 Sep 2008 21:31:23 -0700 (PDT), Pravin Sinha wrote:
>Hi,
>
>PyOpenSSL, built on 32 bit Linux, does not work on 64 bit Linux and vice-versa. I have a requirement where I should be able to share the lib built on one machine (either 32bit or 64 bit, whichever works) to work with both. Any idea if I can achieve this?
>
>The error which I am getting while importing OpenSSL in python is:
>
>>>> import OpenSSL
>Traceback (most recent call last):
>  File "", line 1, in ?
>  File "/test/OpenSSL/__init__.py", line 11, in ?
>    import rand, crypto, SSL, tsafe
>ImportError: /test/OpenSSL/rand.so: cannot open shared object file: No such file or directory
>
>Appreciate your time and help
>Regards,
>-Pravin.
>

I don't think this is an issue unique to pyOpenSSL. This is how ELF shared objects work. I looked around a bit to try to find some documentation on a way to build a combined 32/64 bit ELF library but I didn't find much. I'm not even sure it's possible; you may want to investigate that further. If you can figure out how to do it, then you can try building pyOpenSSL's extension modules manually however is appropriate. `setup.py build_ext` allows a little customization, but I suspect not enough for this.
Jean-Paul

From woutervanbommel at gmail.com Thu Sep 25 11:15:16 2008
From: woutervanbommel at gmail.com (Wouter van Bommel)
Date: Thu, 25 Sep 2008 11:15:16 +0200
Subject: [pyOpenSSL] Patch to add a certificate request version
Message-ID: <3f96c1440809250215w1d2e87afge38aebede5f265b9@mail.gmail.com>

L.S.,

As an attachment I send a small patch which adds an extra function to the library in order to set a version on an X509Req object.

Some CAs require the presence of this (required) field, which is missing when exporting the object.

The call X509Req.set_version() allows the ability to add the version.

Regards,

Wouter van Bommel

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: x509-req-set_version.patch

From exarkun at divmod.com Thu Sep 25 14:57:35 2008
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Thu, 25 Sep 2008 08:57:35 -0400
Subject: [pyOpenSSL] Patch to add a certificate request version
In-Reply-To: <3f96c1440809250215w1d2e87afge38aebede5f265b9@mail.gmail.com>
Message-ID: <20080925125735.29191.93375873.divmod.quotient.30303@ohm>

On Thu, 25 Sep 2008 11:15:16 +0200, Wouter van Bommel wrote:
>L.S.,
>
>As an attachment I send a small patch which adds an extra function to the
>library in order to set a version on an X509Req object.
>
>Some CAs require the presence of this (required) field, which is missing
>when exporting the object.
>
>The call X509Req.set_version() allows the ability to add the version.
>
>Regards,
>
>Wouter van Bommel
>

Hi Wouter,

Can you file a ticket at and attach your patch there? If you could also include unit tests, documentation, or both, this would greatly reduce the work I need to do to apply it (and so speed that up :).

Thanks!
Jean-Paul

From sebvieira at gmail.com Tue Sep 30 11:38:23 2008
From: sebvieira at gmail.com (Sebastian Vieira)
Date: Tue, 30 Sep 2008 11:38:23 +0200
Subject: [pyOpenSSL] CRL patch to stable?
Message-ID: <279239c70809300238g745873cci1fb81806bca7cf2@mail.gmail.com>

Hi,

Some time ago I wrote to say someone made a nice patch for pyOpenSSL that was able to create certificate revocation lists (CRL). This patch was then added to another branch but never made it back into stable/main. Since I like to have the CRL option and all the features/bugfixes of the now-main branch, could both be merged?

kind regards,

Sebastian

From exarkun at divmod.com Tue Sep 30 14:06:50 2008
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Tue, 30 Sep 2008 08:06:50 -0400
Subject: [pyOpenSSL] CRL patch to stable?
In-Reply-To: <279239c70809300238g745873cci1fb81806bca7cf2@mail.gmail.com>
Message-ID: <20080930120650.29191.804011553.divmod.quotient.32193@ohm>

On Tue, 30 Sep 2008 11:38:23 +0200, Sebastian Vieira wrote:
>Hi,
>
>Some time ago I wrote to say someone made a nice patch for pyOpenSSL that
>was able to create certificate revocation lists (CRL). This patch was then
>added to another branch but never made it back into stable/main. Since I
>like to have the CRL option and all the features/bugfixes of the now-main
>branch, could both be merged?
>

I still haven't had an opportunity to do the necessary remaining work to get the CRL code into a shape where I'm comfortable having it in trunk. I need to review the code and write unit tests and documentation. Any help anyone would like to provide in this would be much appreciated. :)

Jean-Paul

From arnaud.desmons at free.fr Tue Sep 30 13:32:03 2008
From: arnaud.desmons at free.fr (arnaud.desmons at free.fr)
Date: Tue, 30 Sep 2008 13:32:03 +0200 (CEST)
Subject: [pyOpenSSL] CRL patch to stable?
In-Reply-To: <279239c70809300238g745873cci1fb81806bca7cf2@mail.gmail.com>
Message-ID: <1746370546.4859811222774323506.JavaMail.root@spooler10-g27.priv.proxad.net>

Hi,

I updated the PKCS12 patch to be doc/memory compliant with the main branch, but not yet the CRL patch.

Regards,
--
Arnaud

----- Original Mail -----
From: "Sebastian Vieira"
To: pyopenssl-list at lists.sourceforge.net
Sent: Tuesday 30 September 2008 11:38:23 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienne
Subject: [pyOpenSSL] CRL patch to stable?

Hi,

Some time ago I wrote to say someone made a nice patch for pyOpenSSL that was able to create certificate revocation lists (CRL). This patch was then added to another branch but never made it back into stable/main. Since I like to have the CRL option and all the features/bugfixes of the now-main branch, could both be merged?

kind regards,

Sebastian

_______________________________________________
pyopenssl-list mailing list
pyopenssl-list at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/pyopenssl-list
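The 32/64-bit ImportError discussed earlier in this digest (Pravin Sinha's thread) is easier to diagnose if you look at the ELF identification bytes of the extension module. The following is an added diagnostic, not code from the list or from pyOpenSSL: it reads the e_ident block of a `.so`, compares its ELF class with the running interpreter's word size, and distinguishes a file that is simply missing (the error quoted in the thread) from one built for the other architecture. The file names and header bytes are constructed for the demonstration.

```python
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
EI_CLASS = 4                      # index of the class byte within e_ident
ELFCLASS32, ELFCLASS64 = 1, 2


def elf_bits(header):
    """Return 32 or 64 from the first 16 bytes (e_ident) of an ELF file."""
    if len(header) <= EI_CLASS or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF object")
    cls = header[EI_CLASS]
    if cls not in (ELFCLASS32, ELFCLASS64):
        raise ValueError("unknown ELF class %d" % cls)
    return 32 if cls == ELFCLASS32 else 64


def interpreter_bits():
    """Word size of the running CPython: 8 * sizeof(void *)."""
    return 8 * struct.calcsize("P")


def diagnose(header, want_bits):
    """Classify an extension's e_ident against the interpreter word size."""
    try:
        bits = elf_bits(header)
    except ValueError as exc:
        return "not-elf: %s" % exc
    if bits != want_bits:
        return "mismatch: %d-bit object, %d-bit interpreter" % (bits, want_bits)
    return "ok"


def check_extension(path, want_bits=None):
    """'missing' is the case behind the ImportError quoted in the thread."""
    want = want_bits or interpreter_bits()
    try:
        with open(path, "rb") as fh:
            header = fh.read(16)
    except (FileNotFoundError, IsADirectoryError):
        return "missing"
    return diagnose(header, want)


if __name__ == "__main__":
    # Constructed e_ident blocks: a 32-bit and a 64-bit little-endian ELF header.
    samples = {"rand32.so": b"\x7fELF\x01\x01\x01" + b"\x00" * 9,
               "rand64.so": b"\x7fELF\x02\x01\x01" + b"\x00" * 9}
    with tempfile.TemporaryDirectory() as d:
        for name, ident in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(ident)
        for name in list(samples) + ["rand.so"]:   # rand.so deliberately absent
            print(name, "->", check_extension(os.path.join(d, name)))
```

On a real installation point `check_extension` at the `rand.so` (or any other extension) inside the OpenSSL package directory; a "mismatch" result means the module was built for the other ELF class and must be rebuilt on a matching host.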