From kuizhang at gmail.com  Mon Nov 14 03:44:52 2011
From: kuizhang at gmail.com (Kui Zhang)
Date: Sun, 13 Nov 2011 18:44:52 -0800
Subject: [pyOpenSSL] how to verify integrity of x509 cert
Message-ID:

Hello

any way I can do this in pyopenssl ?

http://www.jensign.com/JavaScience/IsCertTrusted/index.html

thanks
KuiZ

From richmoore44 at gmail.com  Mon Nov 14 10:46:40 2011
From: richmoore44 at gmail.com (Richard Moore)
Date: Mon, 14 Nov 2011 09:46:40 +0000
Subject: [pyOpenSSL] how to verify integrity of x509 cert
In-Reply-To:
References:
Message-ID:

On Mon, Nov 14, 2011 at 2:44 AM, Kui Zhang wrote:
> any way I can do this in pyopenssl ?
>
> http://www.jensign.com/JavaScience/IsCertTrusted/index.html

You can't right now. I'm hoping to add it since I know how to
implement the openssl side of it, but I haven't had time yet.

Rich.

From exarkun at twistedmatrix.com  Mon Nov 14 17:00:28 2011
From: exarkun at twistedmatrix.com (exarkun at twistedmatrix.com)
Date: Mon, 14 Nov 2011 16:00:28 -0000
Subject: [pyOpenSSL] how to verify integrity of x509 cert
In-Reply-To:
References:
Message-ID: <20111114160028.20412.1979679495.divmod.xquotient.71@localhost.localdomain>

On 09:46 am, richmoore44 at gmail.com wrote:
>On Mon, Nov 14, 2011 at 2:44 AM, Kui Zhang wrote:
>>any way I can do this in pyopenssl ?
>>
>>http://www.jensign.com/JavaScience/IsCertTrusted/index.html
>
>You can't right now. I'm hoping to add it since I know how to
>implement the openssl side of it, but I haven't had time yet.

Heya Rich,

I wonder if you could file a bug report on Launchpad describing this new
feature. It might help out someone searching for the functionality in
the future.

Thanks,
Jean-Paul

From rich at kde.org  Sat Nov 19 16:22:39 2011
From: rich at kde.org (Richard Moore)
Date: Sat, 19 Nov 2011 15:22:39 +0000
Subject: [pyOpenSSL] how to verify integrity of x509 cert
In-Reply-To: <20111114160028.20412.1979679495.divmod.xquotient.71@localhost.localdomain>
References: <20111114160028.20412.1979679495.divmod.xquotient.71@localhost.localdomain>
Message-ID:

On Mon, Nov 14, 2011 at 4:00 PM, wrote:
> Heya Rich,
>
> I wonder if you could file a bug report on Launchpad describing this new
> feature. It might help out someone searching for the functionality in
> the future.

Sure, done. #892522

Rich.

From exarkun at twistedmatrix.com  Sat Nov 19 20:08:41 2011
From: exarkun at twistedmatrix.com (exarkun at twistedmatrix.com)
Date: Sat, 19 Nov 2011 19:08:41 -0000
Subject: [pyOpenSSL] how to verify integrity of x509 cert
In-Reply-To:
References: <20111114160028.20412.1979679495.divmod.xquotient.71@localhost.localdomain>
Message-ID: <20111119190841.20412.1264949425.divmod.xquotient.169@localhost.localdomain>

On 03:22 pm, rich at kde.org wrote:
>On Mon, Nov 14, 2011 at 4:00 PM, wrote:
>>Heya Rich,
>>
>>I wonder if you could file a bug report on Launchpad describing this
>>new feature. It might help out someone searching for the functionality
>>in the future.
>
>Sure, done. #892522

Thanks!

Jean-Paul

From tobias.oberstein at tavendo.de  Fri Nov 25 14:12:46 2011
From: tobias.oberstein at tavendo.de (Tobias Oberstein)
Date: Fri, 25 Nov 2011 05:12:46 -0800
Subject: [pyOpenSSL] Does PKey.generate_key lock the GIL?
Message-ID: <634914A010D0B943A035D226786325D42D0D420909@EXVMBX020-12.exch020.serverdata.net>

I am using PyOpenSSL from within Twisted and want to generate new keys
without blocking the Twisted networking.

To do so, I use the deferToThread() Twisted feature, which runs functions
on a thread from a background thread pool.

However,

PKey.generate_key

still seems to block everything.

Does above function lock the GIL?

From p.mayers at imperial.ac.uk  Fri Nov 25 15:01:12 2011
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 25 Nov 2011 14:01:12 +0000
Subject: [pyOpenSSL] Does PKey.generate_key lock the GIL?
In-Reply-To: <634914A010D0B943A035D226786325D42D0D420909@EXVMBX020-12.exch020.serverdata.net>
References: <634914A010D0B943A035D226786325D42D0D420909@EXVMBX020-12.exch020.serverdata.net>
Message-ID: <4ECF9FA8.4050906@imperial.ac.uk>

On 25/11/11 13:12, Tobias Oberstein wrote:
> I am using PyOpenSSL from within Twisted and want to generate new keys
> without blocking the Twisted networking.
>
> To do so, I use the deferToThread() Twisted feature, which runs functions
> on a thread from a background thread pool.
>
> However,
>
> PKey.generate_key
>
> still seems to block everything.
>
> Does above function lock the GIL?

Other way round. The GIL is held unless you explicitly release it, which
the current source code for that function does not seem to:

http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/view/head:/OpenSSL/crypto/pkey.c#L39

So AFAICT yes, it will block forever.

Perhaps you could shell out to "openssl rsa" in a subprocess. Not ideal,
but it won't require source code changes.

From tobias.oberstein at tavendo.de  Fri Nov 25 18:13:17 2011
From: tobias.oberstein at tavendo.de (Tobias Oberstein)
Date: Fri, 25 Nov 2011 09:13:17 -0800
Subject: [pyOpenSSL] Does PKey.generate_key lock the GIL?
In-Reply-To: <4ECF9FA8.4050906@imperial.ac.uk>
References: <634914A010D0B943A035D226786325D42D0D420909@EXVMBX020-12.exch020.serverdata.net> <4ECF9FA8.4050906@imperial.ac.uk>
Message-ID: <634914A010D0B943A035D226786325D42D0D420911@EXVMBX020-12.exch020.serverdata.net>

> > However,
> >
> > PKey.generate_key
> >
> > still seems to block everything.
> >
> > Does above function lock the GIL?
>
> Other way round.
> The GIL is held unless you explicitly release it, which the
> current source code for that function does not seem to:
>
> http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/view/head:/OpenSSL/crypto/pkey.c#L39
>
> So AFAICT yes, it will block forever.
>
> Perhaps you could shell out to "openssl rsa" in a subprocess. Not ideal, but it
> won't require source code changes.

Thanks for clarifying.

Unfortunately, I am also missing other stuff (like dump pub key from cert
to verify that cert imported actually is for a given priv key).

So I checked out M2Crypto.

It seems to release the GIL during key generation ..

The API is ... creative. IOW: it sucks. But I guess that's because it's a
SWIG generated OpenSSL wrapper.

Anyway .. will move to M2Crypto.

From glyph at twistedmatrix.com  Fri Nov 25 22:34:44 2011
From: glyph at twistedmatrix.com (Glyph Lefkowitz)
Date: Fri, 25 Nov 2011 16:34:44 -0500
Subject: [pyOpenSSL] Does PKey.generate_key lock the GIL?
In-Reply-To: <634914A010D0B943A035D226786325D42D0D420911@EXVMBX020-12.exch020.serverdata.net>
References: <634914A010D0B943A035D226786325D42D0D420909@EXVMBX020-12.exch020.serverdata.net> <4ECF9FA8.4050906@imperial.ac.uk> <634914A010D0B943A035D226786325D42D0D420911@EXVMBX020-12.exch020.serverdata.net>
Message-ID: <0A551159-983E-4A03-8DB1-5E1041968173@twistedmatrix.com>

On Nov 25, 2011, at 12:13 PM, Tobias Oberstein wrote:

>>> However,
>>>
>>> PKey.generate_key
>>>
>>> still seems to block everything.
>>>
>>> Does above function lock the GIL?
>>
>> Other way round. The GIL is held unless you explicitly release it, which the
>> current source code for that function does not seem to:
>>
>> http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/view/head:/OpenSSL/crypto/pkey.c#L39
>>
>> So AFAICT yes, it will block forever.
>>
>> Perhaps you could shell out to "openssl rsa" in a subprocess. Not ideal, but it
>> won't require source code changes.
>
> Thanks for clarifying.
>
> Unfortunately, I am also missing other stuff (like dump pub key from cert
> to verify that cert imported actually is for a given priv key).
>
> So I checked out M2Crypto.
>
> It seems to release the GIL during key generation ..
>
> The API is ... creative. IOW: it sucks. But I guess that's because it's a
> SWIG generated OpenSSL wrapper.
>
> Anyway .. will move to M2Crypto.

Rather than fixing, or even reporting, this one bug in pyopenssl?

From tobias.oberstein at tavendo.de  Sat Nov 26 07:37:19 2011
From: tobias.oberstein at tavendo.de (Tobias Oberstein)
Date: Fri, 25 Nov 2011 22:37:19 -0800
Subject: [pyOpenSSL] Does PKey.generate_key lock the GIL?
In-Reply-To: <0A551159-983E-4A03-8DB1-5E1041968173@twistedmatrix.com>
References: <634914A010D0B943A035D226786325D42D0D420909@EXVMBX020-12.exch020.serverdata.net> <4ECF9FA8.4050906@imperial.ac.uk> <634914A010D0B943A035D226786325D42D0D420911@EXVMBX020-12.exch020.serverdata.net> <0A551159-983E-4A03-8DB1-5E1041968173@twistedmatrix.com>
Message-ID: <634914A010D0B943A035D226786325D42D0D420922@EXVMBX020-12.exch020.serverdata.net>

> >>> However,
> >>>
> >>> PKey.generate_key
> >>>
> >>> still seems to block everything.
> >>>
> >>> Does above function lock the GIL?
> >>
> >> Other way round. The GIL is held unless you explicitly release it,
> >> which the current source code for that function does not seem to:
> >>
> >> http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/view/head:/OpenSSL/crypto/pkey.c#L39
> >>
> >> So AFAICT yes, it will block forever.
> >>
> >> Perhaps you could shell out to "openssl rsa" in a subprocess. Not
> >> ideal, but it won't require source code changes.
> >
> > Thanks for clarifying.
> >
> > Unfortunately, I am also missing other stuff (like dump pub key from cert
> > to verify that cert imported actually is for a given priv key).
> >
> > So I checked out M2Crypto.
> >
> > It seems to release the GIL during key generation ..
> >
> > The API is ... creative. IOW: it sucks.
> > But I guess that's because it's a SWIG generated OpenSSL wrapper.
> >
> > Anyway .. will move to M2Crypto.
>
> Rather than fixing, or even reporting, this one bug in pyopenssl?

It's 2 "bugs": GIL + no dump_publickey (or something similar which lets me
do above).

I'll factor our code and maybe come back to this .. bit of time pressure
right now.

From p.mayers at imperial.ac.uk  Sat Nov 26 10:17:15 2011
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Sat, 26 Nov 2011 09:17:15 +0000
Subject: [pyOpenSSL] Does PKey.generate_key lock the GIL?
In-Reply-To: <0A551159-983E-4A03-8DB1-5E1041968173@twistedmatrix.com>
References: <634914A010D0B943A035D226786325D42D0D420909@EXVMBX020-12.exch020.serverdata.net> <4ECF9FA8.4050906@imperial.ac.uk> <634914A010D0B943A035D226786325D42D0D420911@EXVMBX020-12.exch020.serverdata.net> <0A551159-983E-4A03-8DB1-5E1041968173@twistedmatrix.com>
Message-ID: <4ED0AE9B.80207@imperial.ac.uk>

On 11/25/2011 09:34 PM, Glyph Lefkowitz wrote:
>> Anyway .. will move to M2Crypto.
>
> Rather than fixing, or even reporting, this one bug in pyopenssl?

I have opened

https://bugs.launchpad.net/pyopenssl/+bug/896526

...so it doesn't get forgotten.
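
The subprocess workaround suggested earlier in this thread, sketched as an added example (not code from the thread or from pyOpenSSL): the key is generated in a child process, so the worker thread only waits on a pipe and the GIL is free for the rest of the program. It assumes the openssl command-line tool is on PATH and uses its genrsa and rsa -pubout subcommands; the function names are made up for illustration, and a standard-library thread pool stands in for Twisted's deferToThread().

```python
import subprocess
import time
from concurrent.futures import ThreadPoolExecutor

OPENSSL = "openssl"  # assumption: the OpenSSL command-line tool is on PATH


def _openssl(args, stdin=None):
    # The parent only waits on a pipe here, and that wait releases the GIL,
    # so other Python threads (or a reactor) keep running meanwhile.
    done = subprocess.run([OPENSSL, *args], input=stdin,
                          capture_output=True, check=True, timeout=120)
    return done.stdout


def generate_rsa_key(bits=2048):
    """Return a fresh PEM-encoded RSA private key made by a child process."""
    return _openssl(["genrsa", str(bits)])


def dump_public_key(private_key_pem):
    """Return the PEM public half; the key goes in on stdin, never in argv."""
    return _openssl(["rsa", "-pubout"], stdin=private_key_pem)


def generate_keys_in_background(count, bits=2048):
    """Generate `count` keys on worker threads while this thread keeps working.

    Returns (keys, ticks); ticks counts how often the calling thread ran
    while the keys were still being generated.
    """
    ticks = 0
    with ThreadPoolExecutor(max_workers=count) as pool:
        futures = [pool.submit(generate_rsa_key, bits) for _ in range(count)]
        while not all(f.done() for f in futures):
            ticks += 1          # stand-in for servicing network events
            time.sleep(0.001)
        keys = [f.result() for f in futures]
    return keys, ticks


if __name__ == "__main__":
    keys, ticks = generate_keys_in_background(2)
    print("generated", len(keys), "keys; main thread ran", ticks, "times")
    print(dump_public_key(keys[0]).decode())
```

The PEM returned by dump_public_key() is the value to compare against a certificate's public key when checking that an imported certificate belongs to a given private key.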