From p.mayers at imperial.ac.uk Thu Jul 9 13:39:48 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 09 Jul 2009 12:39:48 +0100
Subject: [pyOpenSSL] CRL & PKCS12 patch
Message-ID: <4A55D704.7050908@imperial.ac.uk>
All,
I've written a little CLI-based micro CA in pyOpenSSL, but I needed CRL
support since Vista insists on the CRL being in place for certain types of
certs (e.g. SSL).
I had to forward-port the existing CRL/PKCS12 patch, which was not hard
but not huge fun...
What can I do to help get this patch in mainline?
I understand development is now Launchpad/bzr-based; this is unfortunate
since I apparently have a cognitive block that causes me to fail utterly
in driving both tools - but I'm quite capable of coding, including (I
hope) writing the unit tests and so forth.
If someone can give me a quick pointer as to what is desired, I'll have
a crack at it.
From exarkun at divmod.com Thu Jul 9 15:38:21 2009
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Thu, 9 Jul 2009 09:38:21 -0400
Subject: [pyOpenSSL] CRL & PKCS12 patch
In-Reply-To: <4A55D704.7050908@imperial.ac.uk>
Message-ID: <20090709133821.2543.2016555076.divmod.quotient.583@henry.divmod.com>
On Thu, 09 Jul 2009 12:39:48 +0100, Phil Mayers wrote:
>All,
>
>I've written a little CLI-based micro CA in pyOpenSSL, but I needed CRL
>support since Vista insists on the CRL being in place for certain types of
>certs (e.g. SSL).
>
>I had to forward-port the existing CRL/PKCS12 patch, which was not hard
>but not huge fun...
>
>What can I do to help get this patch in mainline?
Hi Phil,
Thanks for volunteering. I don't know when I would have gotten to this.
Probably not soon. :)
>I understand development is now Launchpad/bzr-based; this is unfortunate
>since I apparently have a cognitive block that causes me to fail utterly
>in driving both tools - but I'm quite capable of coding, including (I
>hope) writing the unit tests and so forth.
>
>If someone can give me a quick pointer as to what is desired, I'll have
>a crack at it.
>
Looking at , I see that there are
presently four different branches related to either CRL or PKCS12.
lp:~exarkun/pyopenssl/pkcs12-crl
lp:~arnaud-desmons/pyopenssl/pkcs12
lp:~rick-fdd/pyopenssl/pkcs12_mod_and_export
lp:~sebvieira/pyopenssl/pkcs12-crl-0.8
This is a rather unfortunate state. Which patch did you port forward, and
what did you port it forward to? Of the above branches, I only really
know about the first - it's a branch I created a long time ago and only
applied Arnaud Desmons' patch to.
There are a few things beyond what the original patch did which you can do
to help get it landed in trunk:
* File a ticket! Right now it's not really clear what the goal of all
this work is. It has something to do with "CRL" and "PKCS12" clearly,
but writing down something more specific than that will make it possible
to figure out what's going on, how the branches that exist relate to it,
and whether or not the goal has been achieved.
* Review the APIs for sensibleness and general-purposeness. Do they
expose the underlying OpenSSL APIs in a way that's generally useful,
without introducing arbitrary limitations? As someone who knows a bit
about CRLs and PKCS12 (I assume - since you wrote a CA ;), hopefully
this should be easy for you.
* Add unit tests for *all* new code and for any old code which is being
modified and is not already tested.
* Add documentation for the new APIs (doc/pyOpenSSL.tex is the doc source,
the rest of the files in doc/ are generated).
As far as bzr and launchpad go, it's pretty easy (but I sympathize with your
position - it's too bad we have to know how to use 3 or 4 or more different
version control systems these days).
Maybe I can help a bit. To start, to get some code to start modifying, you
want to create a branch of something in launchpad. If you want to try to
apply your updated patch to trunk (which would be ideal), then you want to
do
bzr branch lp:pyopenssl
This will create a "pyopenssl" directory with the checkout in it. Then apply
your patch, do your hacking, whatever. At some point you'll want to put your
changes into version control. Somewhere under that "pyopenssl" directory, do
bzr commit -m "<commit message>"
Or you can leave off the -m to get an editor to write your commit message in.
Repeat edit/commit as many times as you need. When you think you're done and
you want someone else to take a look, push the branch back to launchpad.
Somewhere beneath that "pyopenssl" directory do
bzr push lp:~username/pyopenssl/branchname
Replace "username" with your Launchpad username. Replace "branchname" with
the name you want to associate with this branch. If you haven't previously
told bzr about your launchpad credentials, you'll need to do
bzr launchpad-login
first.
And if you'd rather just send patches around, I don't have a problem with
that.
Thanks,
Jean-Paul
From p.mayers at imperial.ac.uk Tue Jul 14 00:06:04 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 13 Jul 2009 23:06:04 +0100
Subject: [pyOpenSSL] CRL & PKCS12 patch
In-Reply-To: <20090709133821.2543.2016555076.divmod.quotient.583@henry.divmod.com>
References: <20090709133821.2543.2016555076.divmod.quotient.583@henry.divmod.com>
Message-ID: <4A5BAFCC.5040303@imperial.ac.uk>
> Looking at , I see that there are
> presently four different branches related to either CRL or PKCS12.
>
> lp:~exarkun/pyopenssl/pkcs12-crl
> lp:~arnaud-desmons/pyopenssl/pkcs12
> lp:~rick-fdd/pyopenssl/pkcs12_mod_and_export
> lp:~sebvieira/pyopenssl/pkcs12-crl-0.8
I believe at least 3 of those are actually the same patch; numbers 1 &
2, and 3 is a forward-port to 0.8
My work was just a quick port (again) of the 0.8 branch to the 0.9
release code.
> * File a ticket! Right now it's not really clear what the goal of all
> this work is. It has something to do with "CRL" and "PKCS12" clearly,
> but writing down something more specific than that will make it possible
> to figure out what's going on, how the branches that exist relate to it,
> and whether or not the goal has been achieved.
Well, to be honest I'm much less interested in pkcs12 (though I can see
it's useful) but I'll have a crack at two tickets.
>
> * Review the APIs for sensibleness and general-purposeness. Do they
> expose the underlying OpenSSL APIs in a way that's generally useful,
> without introducing arbitrary limitations? As someone who knows a bit
> about CRLs and PKCS12 (I assume - since you wrote a CA ;), hopefully
> this should be easy for you.
Hmm. To be honest, having spent several hours today fooling with BIO*
and similar, I intensely dislike most of the OpenSSL APIs, so the less
they reflect them... ;o)
But I take the point - a sensible, pythonic api.
>
> * Add unit tests for *all* new code and for any old code which is being
> modified and is not already tested.
>
> * Add documentation for the new APIs (doc/pyOpenSSL.tex is the doc source,
> the rest of the files in doc/ are generated).
Ack. Tex...
I've had a first go at the code; I've added a single test for the CRL.
https://code.launchpad.net/~phil-mayers/pyopenssl/crl+morepkcs12
I'm pretty sure it's not the best API layout, but I had a couple of
hours free and wanted to get something basic working tonight; I'll try
and write a ticket and think about the API tomorrow.
Do you have C indent preferences?
From exarkun at divmod.com Sat Jul 18 03:55:01 2009
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Fri, 17 Jul 2009 21:55:01 -0400
Subject: [pyOpenSSL] CRL & PKCS12 patch
In-Reply-To: <4A5BAFCC.5040303@imperial.ac.uk>
Message-ID: <20090718015501.2543.483943539.divmod.quotient.3198@henry.divmod.com>
On Mon, 13 Jul 2009 23:06:04 +0100, Phil Mayers wrote:
>> Looking at , I see that there are
>> presently four different branches related to either CRL or PKCS12.
>>
>> lp:~exarkun/pyopenssl/pkcs12-crl
>> lp:~arnaud-desmons/pyopenssl/pkcs12
>> lp:~rick-fdd/pyopenssl/pkcs12_mod_and_export
>> lp:~sebvieira/pyopenssl/pkcs12-crl-0.8
>
>I believe at least 3 of those are actually the same patch; numbers 1 &
>2, and 3 is a forward-port to 0.8
>
>My work was just a quick port (again) of the 0.8 branch to the 0.9
>release code.
Hm, if I'd had my head on straight, I would have pinged Rick (owner of
branch number 3) and made sure he coordinated with you in this effort.
Instead, I only just now realized that you and he have some PKCS12
overlap in the work you're doing.
Looking at his branch (not the one above though, he has since created
a newer one with a "2" on the end) and yours, I think his PKCS12 code
is more complete overall. However, it could still benefit from some of
the things your version does (you have better type checking code, I
think).
I'm going to point him at your work along with my other feedback.
Once the PKCS12 stuff is out of the way, I'll dig into the CRL parts
of your branch more (I've still only just skimmed them).
There is currently a PKCS12 ticket, I see:
https://bugs.launchpad.net/pyopenssl/+bug/349304
I also now see that there is a ticket which talks about CRLs! The summary
didn't make this obvious so I missed/forgot about it. It has a patch
attached which I haven't looked at at all yet. The ticket is
https://bugs.launchpad.net/pyopenssl/+bug/385178
And to keep things interesting, it sounds like it mixes in a bunch of PKCS7
changes.
> [snip]
>
>Do you have C indent preferences?
>
I wish I did. I think I'm leaning towards 4 space indents. However, if
you're modifying existing code, go with the local prevailing convention.
I'm trying to keep things consistent, but I'm sure I'm failing at that in
places.
Apologies again for not pointing out those two tickets in my previous
message.
Jean-Paul
From rick at fdd.com Mon Jul 20 19:16:22 2009
From: rick at fdd.com (Rick Dean)
Date: Mon, 20 Jul 2009 12:16:22 -0500
Subject: [pyOpenSSL] pyOpenSSL support for PKCS12 modification and export
Message-ID: <20090720171622.GA31851@two.fdd.com>
Hey Phil Mayers,
I believe your patch leaks objects when
setting a certificate or key of a PKCS12
when one is already set?
I have worked on a PKCS12 patch as well, that
includes a larger API such as the CA certs and
friendly name. Would you please have a look?
https://code.launchpad.net/~rick-fdd/pyopenssl/pkcs12_mod_and_export2
--
Rick
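The leak Rick describes above is the classic C-extension setter mistake: a container already owns a reference to a certificate or key, and a second "set" call overwrites the owned pointer without releasing the previous one. The following is an added, self-contained example (not pyOpenSSL's code and not either branch under discussion) showing the leaky pattern next to the correct one. It models a refcounted `cert_t` standing in for OpenSSL's `X509` (which has `X509_up_ref`/`X509_free`) and a `p12_t` container standing in for the PKCS12 wrapper; all of these names, and the `live_certs` counter used to make the leak observable, are hypothetical and exist only for this example.

```c
/* Added example (hypothetical names, not pyOpenSSL code): the ownership
 * rule a setter must follow when replacing an already-set member. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number of cert objects currently allocated; a leak shows up as a
 * non-zero count after everything has been released. */
static int live_certs = 0;

typedef struct {
    int refs;           /* reference count, like X509's internal count */
    char subject[64];
} cert_t;

static cert_t *cert_new(const char *subject) {
    cert_t *c = calloc(1, sizeof *c);
    if (c == NULL) return NULL;
    c->refs = 1;
    strncpy(c->subject, subject, sizeof c->subject - 1);
    live_certs++;
    return c;
}

/* Stand-ins for X509_up_ref / X509_free. */
static void cert_up_ref(cert_t *c) { if (c != NULL) c->refs++; }

static void cert_free(cert_t *c) {
    if (c == NULL) return;
    if (--c->refs == 0) {
        live_certs--;
        free(c);
    }
}

typedef struct {
    cert_t *cert;       /* owned reference, or NULL */
} p12_t;

/* Leaky setter: takes a new reference but never drops the old one, so a
 * second call on a container that already has a cert leaks the first. */
static void p12_set_cert_leaky(p12_t *p, cert_t *c) {
    cert_up_ref(c);
    p->cert = c;
}

/* Correct setter: acquire the new reference first, then release the old
 * one. The order matters: releasing first would free the object when a
 * caller sets the same cert that is already installed. */
static void p12_set_cert(p12_t *p, cert_t *c) {
    cert_up_ref(c);
    cert_free(p->cert);
    p->cert = c;
}

static void p12_clear(p12_t *p) {
    cert_free(p->cert);
    p->cert = NULL;
}

/* Sets a cert twice, drops every reference the caller holds, tears the
 * container down, and returns how many certs are still allocated.
 * Returns 1 for the leaky setter and 0 for the correct one. */
static int live_after(int use_leaky) {
    p12_t p = { NULL };
    cert_t *a, *b;

    live_certs = 0;
    a = cert_new("CN=first");
    b = cert_new("CN=second");

    if (use_leaky) {
        p12_set_cert_leaky(&p, a);
        p12_set_cert_leaky(&p, b);   /* 'a' is now unreachable but live */
    } else {
        p12_set_cert(&p, a);
        p12_set_cert(&p, b);         /* 'a' released before being replaced */
    }

    cert_free(a);   /* caller drops its own references */
    cert_free(b);
    p12_clear(&p);
    return live_certs;
}

int main(void) {
    printf("leaky setter: %d cert(s) still allocated\n", live_after(1));
    printf("fixed setter: %d cert(s) still allocated\n", live_after(0));
    return 0;
}
```

The same rule applies to the key member and to any array of CA certs the container owns: every pointer the struct holds is a reference that must be released exactly once, and a setter is the release point for the value it replaces. Running the leaky path under a leak checker (or watching `live_certs` here) is the cheapest way to confirm a patch of this shape before it lands.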
From p.mayers at imperial.ac.uk Mon Jul 20 19:47:01 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 20 Jul 2009 18:47:01 +0100
Subject: [pyOpenSSL] pyOpenSSL support for PKCS12 modification and export
In-Reply-To: <20090720171622.GA31851@two.fdd.com>
References: <20090720171622.GA31851@two.fdd.com>
Message-ID: <4A64AD95.2050203@imperial.ac.uk>
Rick Dean wrote:
> Hey Phil Mayers,
>
> I believe your patch leaks objects when
> setting a certificate or key of a PKCS12
> when one is already set?
It's probably worth re-emphasising; it's not really my patch. It's
really just a forward-port (of a forward-port) of Arnaud Desmons'
original PKCS12 & CRL patch.
Really, I've done very little work on it; just what was required for the
patch to apply against the pyOpenSSL trunk and compile/work.
You might be right about the PKCS12, but I wouldn't know - I barely
looked at it. I'm only really interested in CRL support.
>
> I have worked on a PKCS12 patch as well, that
> includes a larger API such as the CA certs and
> friendly name. Would you please have a look?
>
> https://code.launchpad.net/~rick-fdd/pyopenssl/pkcs12_mod_and_export2
>
It'll be next week before I have any more time to devote, but I'll try
to take a look.
From exarkun at divmod.com Thu Jul 23 16:32:35 2009
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Thu, 23 Jul 2009 10:32:35 -0400
Subject: [pyOpenSSL] Windows Installers
Message-ID: <20090723143236.2543.353928027.divmod.quotient.4699@henry.divmod.com>
Hey all,
I've been working on making the Windows installation process for pyOpenSSL
a bit simpler.
At the bottom of there
are links for exe, msi, and egg distributions of pyOpenSSL for Python 2.5
and Python 2.6. These should work on a Windows machine even if OpenSSL
hasn't been installed separately.
Any testing anyone can do of these would be much appreciated.
Thanks,
Jean-Paul