From p.mayers at imperial.ac.uk Thu Jul 9 13:39:48 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 09 Jul 2009 12:39:48 +0100
Subject: [pyOpenSSL] CRL & PKCS12 patch
Message-ID: <4A55D704.7050908@imperial.ac.uk>

All,

I've written a little CLI-based micro CA in pyOpenSSL, but I needed CRL support since Vista insists on the CRL being in place for certain types of certs (e.g. SSL).

I had to forward-port the existing CRL/PKCS12 patch, which was not hard but not huge fun...

What can I do to help get this patch in mainline?

I understand development is now Launchpad/bzr-based; this is unfortunate since I apparently have a cognitive block that causes me to fail utterly in driving both tools - but I'm quite capable of coding, including (I hope) writing the unit tests and so forth.

If someone can give me a quick pointer as to what is desired, I'll have a crack at it.

From exarkun at divmod.com Thu Jul 9 15:38:21 2009
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Thu, 9 Jul 2009 09:38:21 -0400
Subject: [pyOpenSSL] CRL & PKCS12 patch
In-Reply-To: <4A55D704.7050908@imperial.ac.uk>
Message-ID: <20090709133821.2543.2016555076.divmod.quotient.583@henry.divmod.com>

On Thu, 09 Jul 2009 12:39:48 +0100, Phil Mayers wrote:
> All,
>
> I've written a little CLI-based micro CA in pyOpenSSL, but I needed CRL
> support since Vista insists on the CRL being in place for certain types of
> certs (e.g. SSL).
>
> I had to forward-port the existing CRL/PKCS12 patch, which was not hard
> but not huge fun...
>
> What can I do to help get this patch in mainline?

Hi Phil,

Thanks for volunteering. I don't know when I would have gotten to this. Probably not soon. :)

> I understand development is now Launchpad/bzr-based; this is unfortunate
> since I apparently have a cognitive block that causes me to fail utterly
> in driving both tools - but I'm quite capable of coding, including (I
> hope) writing the unit tests and so forth.
> >If someone can give me a quick pointer as to what is desired, I'll have >a crack at it. > Looking at , I see that there are presently four different branches related to either CRL or PKCS12. lp:~exarkun/pyopenssl/pkcs12-crl lp:~arnaud-desmons/pyopenssl/pkcs12 lp:~rick-fdd/pyopenssl/pkcs12_mod_and_export lp:~sebvieira/pyopenssl/pkcs12-crl-0.8 This is a rather unfortunate state. Which patch did you port forward, and what did you port it forward to? Of the above branches, I only really know about the first - it's a branch I created a long time ago and only applied Arnaud Desmons' patch to. There are a few things beyond what the original patch did which you can do to help get it landed in trunk: * File a ticket! Right now it's not really clear what the goal of all this work is. It has something to do with "CRL" and "PKCS12" clearly, but writing down something more specific than that will make it possible to figure out what's going on, how the branches that exist related to it, and whether or not the goal has been achieved. * Review the APIs for sensibleness and general-purposeness. Do they expose the underlying OpenSSL APIs in a way that's generally useful, with introduced arbitrary limitations? As someone who knows a bit about CRLs and PKCS12 (I assume - since you wrote a CA ;), hopefully this should be easy for you. * Add unit tests for *all* new code and for any old code which is being modified and is not already tested. * Add documentation for the new APIs (doc/pyOpenSSL.tex is the doc source, the rest of the files in doc/ are generated). As far as bzr and launchpad go, it's pretty easy (but I sympathize with your position - it's too bad we have to know how to use 3 or 4 or more different version control systems these days). Maybe I can help a bit. To start, to get some code to start modifying, you want to create a branch of something in launchpad. 
If you want to try to apply your updated patch to trunk (which would be ideal), then you want to do

  bzr branch lp:pyopenssl

This will create a "pyopenssl" directory with the checkout in it. Then apply your patch, do your hacking, whatever. At some point you'll want to put your changes into version control. Somewhere under that "pyopenssl" directory, do

  bzr commit -m ""

Or you can leave off the -m to get an editor to write your commit message in. Repeat edit/commit as many times as you need.

When you think you're done and you want someone else to take a look, push the branch back to launchpad. Somewhere beneath that "pyopenssl" directory do

  bzr push lp:~username/pyopenssl/branchname

Replace "username" with your Launchpad username. Replace "branchname" with the name you want to associate with this branch. If you haven't previously told bzr about your launchpad credentials, you'll need to do

  bzr launchpad-login

first.

And if you'd rather just send patches around, I don't have a problem with that.

Thanks,
Jean-Paul

From p.mayers at imperial.ac.uk Tue Jul 14 00:06:04 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 13 Jul 2009 23:06:04 +0100
Subject: [pyOpenSSL] CRL & PKCS12 patch
In-Reply-To: <20090709133821.2543.2016555076.divmod.quotient.583@henry.divmod.com>
References: <20090709133821.2543.2016555076.divmod.quotient.583@henry.divmod.com>
Message-ID: <4A5BAFCC.5040303@imperial.ac.uk>

> Looking at , I see that there are
> presently four different branches related to either CRL or PKCS12.
>
> lp:~exarkun/pyopenssl/pkcs12-crl
> lp:~arnaud-desmons/pyopenssl/pkcs12
> lp:~rick-fdd/pyopenssl/pkcs12_mod_and_export
> lp:~sebvieira/pyopenssl/pkcs12-crl-0.8

I believe at least 3 of those are actually the same patch; numbers 1 & 2, and 3 is a forward-port to 0.8.

My work was just a quick port (again) of the 0.8 branch to the 0.9 release code.

> * File a ticket! Right now it's not really clear what the goal of all
> this work is.
> It has something to do with "CRL" and "PKCS12" clearly,
> but writing down something more specific than that will make it possible
> to figure out what's going on, how the branches that exist related to it,
> and whether or not the goal has been achieved.

Well, to be honest I'm much less interested in pkcs12 (though I can see it's useful) but I'll have a crack at two tickets.

>
> * Review the APIs for sensibleness and general-purposeness. Do they
> expose the underlying OpenSSL APIs in a way that's generally useful,
> with introduced arbitrary limitations? As someone who knows a bit
> about CRLs and PKCS12 (I assume - since you wrote a CA ;), hopefully
> this should be easy for you.

Hmm. To be honest, having spent several hours today fooling with BIO* and similar, I intensely dislike most of the OpenSSL APIs, so the less they reflect them... ;o)

But I take the point - a sensible, pythonic api.

>
> * Add unit tests for *all* new code and for any old code which is being
> modified and is not already tested.
>
> * Add documentation for the new APIs (doc/pyOpenSSL.tex is the doc source,
> the rest of the files in doc/ are generated).

Ack. Tex...

I've had a first go at the code; I've added a single test for the CRL.

https://code.launchpad.net/~phil-mayers/pyopenssl/crl+morepkcs12

I'm pretty sure it's not the best API layout, but I had a couple of hours free and wanted to get something basic working tonight; I'll try and write a ticket and think about the API tomorrow.

Do you have C indent preferences?

From exarkun at divmod.com Sat Jul 18 03:55:01 2009
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Fri, 17 Jul 2009 21:55:01 -0400
Subject: [pyOpenSSL] CRL & PKCS12 patch
In-Reply-To: <4A5BAFCC.5040303@imperial.ac.uk>
Message-ID: <20090718015501.2543.483943539.divmod.quotient.3198@henry.divmod.com>

On Mon, 13 Jul 2009 23:06:04 +0100, Phil Mayers wrote:
>> Looking at , I see that there are
>> presently four different branches related to either CRL or PKCS12.
>>
>> lp:~exarkun/pyopenssl/pkcs12-crl
>> lp:~arnaud-desmons/pyopenssl/pkcs12
>> lp:~rick-fdd/pyopenssl/pkcs12_mod_and_export
>> lp:~sebvieira/pyopenssl/pkcs12-crl-0.8
>
> I believe at least 3 of those are actually the same patch; numbers 1 &
> 2, and 3 is a forward-port to 0.8
>
> My work was just a quick port (again) of the 0.8 branch to the 0.9
> release code.

Hm, if I'd had my head on straight, I would have pinged Rick (owner of branch number 3) and made sure he coordinated with you in this effort. Instead, I only just now realized that you and he have some PKCS12 overlap in the work you're doing.

Looking at his branch (not the one above though, he has since created a newer one with a "2" on the end) and yours, I think his PKCS12 code is more complete overall. However, it could still benefit from some of the things your version does (you have better type checking code, I think). I'm going to point him at your work along with my other feedback.

Once the PKCS12 stuff is out of the way, I'll dig into the CRL parts of your branch more (I've still only just skimmed them).

There is currently a PKCS12 ticket, I see:

  https://bugs.launchpad.net/pyopenssl/+bug/349304

I also now see that there is a ticket which talks about CRLs! The summary didn't make this obvious so I missed/forgot about it. It has a patch attached which I haven't looked at at all yet. The ticket is

  https://bugs.launchpad.net/pyopenssl/+bug/385178

And to keep things interesting, it sounds like it mixes in a bunch of PKCS7 changes.

> [snip]
>
> Do you have C indent preferences?

I wish I did. I think I'm leaning towards 4 space indents. However, if you're modifying existing code, go with the local prevailing convention. I'm trying to keep things consistent, but I'm sure I'm failing at that in places.

Apologies again for not pointing out those two tickets in my previous message.
Jean-Paul

From rick at fdd.com Mon Jul 20 19:16:22 2009
From: rick at fdd.com (Rick Dean)
Date: Mon, 20 Jul 2009 12:16:22 -0500
Subject: [pyOpenSSL] pyOpenSSL support for PKCS12 modification and export
Message-ID: <20090720171622.GA31851@two.fdd.com>

Hey Phil Mayers,

I believe your patch leaks objects when setting a certificate or key of a PKCS12 when one is already set?

I have worked on a PKCS12 patch as well, that includes a larger API such as the CA certs and friendly name. Would you please have a look?

  https://code.launchpad.net/~rick-fdd/pyopenssl/pkcs12_mod_and_export2

--
Rick

From p.mayers at imperial.ac.uk Mon Jul 20 19:47:01 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 20 Jul 2009 18:47:01 +0100
Subject: [pyOpenSSL] pyOpenSSL support for PKCS12 modification and export
In-Reply-To: <20090720171622.GA31851@two.fdd.com>
References: <20090720171622.GA31851@two.fdd.com>
Message-ID: <4A64AD95.2050203@imperial.ac.uk>

Rick Dean wrote:
> Hey Phil Mayers,
>
> I believe your patch leaks objects when
> setting a certificate or key of a PKCS12
> when one is already set?

It's probably worth re-emphasising; it's not really my patch. It's really just a forward-port (of a forward-port) of Arnaud Desmons' original PKCS12 & CRL patch. Really, I've done very little work on it; just what was required for the patch to apply against the pyOpenSSL trunk and compile/work.

You might be right about the PKCS12, but I wouldn't know - I barely looked at it. I'm only really interested in CRL support.

>
> I have worked on a PKCS12 patch as well, that
> includes a larger API such as the CA certs and
> friendly name. Would you please have a look?
>
> https://code.launchpad.net/~rick-fdd/pyopenssl/pkcs12_mod_and_export2
>

It'll be next week before I have any more time to devote, but I'll try to take a look.
From exarkun at divmod.com Thu Jul 23 16:32:35 2009
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Thu, 23 Jul 2009 10:32:35 -0400
Subject: [pyOpenSSL] Windows Installers
Message-ID: <20090723143236.2543.353928027.divmod.quotient.4699@henry.divmod.com>

Hey all,

I've been working on making the Windows installation process for pyOpenSSL a bit simpler. At the bottom of there are links for exe, msi, and egg distributions of pyOpenSSL for Python 2.5 and Python 2.6. These should work on a Windows machine even if OpenSSL hasn't been installed separately.

Any testing anyone can do of these would be much appreciated.

Thanks,
Jean-Paul