From jorton at redhat.com  Thu Aug  9 11:30:45 2012
From: jorton at redhat.com (Joe Orton)
Date: Thu, 9 Aug 2012 10:30:45 +0100
Subject: [pyOpenSSL] [PATCH] trusted branch: add exception for non-PEM trust
	output
Message-ID: <20120809093045.GA11585@redhat.com>

Hi, this is patch against the "trusted" branch:

dump_certificate() only works with trusted certs in PEM mode; so throw 
an exception if an unsupported argument combination is used.

Regards, Joe

=== modified file 'src/crypto/crypto.c'
--- src/crypto/crypto.c	2010-07-16 15:00:32 +0000
+++ src/crypto/crypto.c	2012-08-09 09:28:28 +0000
@@ -297,6 +297,11 @@
         return NULL;
     }
 
+    if (trust && type != X509_FILETYPE_PEM) {
+        PyErr_SetString(PyExc_ValueError, "can only write trusted certs with FILETYPE_PEM");
+        return NULL;
+    }
+
     bio = BIO_new(BIO_s_mem());
     switch (type)
     {




From asterix at lagaule.org  Wed Aug 22 21:13:36 2012
From: asterix at lagaule.org (Yann Leboulanger)
Date: Wed, 22 Aug 2012 21:13:36 +0200
Subject: [pyOpenSSL] how to shutdown a socket?
Message-ID: <50352F60.5070300@lagaule.org>

Hi,

I'm having problems closing a OpenSSL.SSL.Conection.
I use python-openssl 0.13 from debian
openssl 1.0.1c
and last thing the underlying socket is non-blocking.

I have tried shutdown()
but it tracebacks:
Traceback (most recent call last):
   File "<string>", line 1, in <fragment>
OpenSSL.SSL.Error: [('SSL routines', 'SSL_shutdown', 'uninitialized')]

I've tried sock_shutdown() (withou argument even if documentation says 
there is one)
no traceback but that doesn't close the socket

I've tried close() (doc says it exists, but it doesn't)

And now I'm out of idea.

someone could point me how I should do that?
Thanks in advance,
-- 
Yann



From asterix at lagaule.org  Wed Aug 22 22:51:11 2012
From: asterix at lagaule.org (Yann Leboulanger)
Date: Wed, 22 Aug 2012 22:51:11 +0200
Subject: [pyOpenSSL] how to shutdown a socket?
In-Reply-To: <20120822204412.3301.236608430.divmod.xquotient.9@localhost6.localdomain6>
References: <50352F60.5070300@lagaule.org>
	<20120822204412.3301.236608430.divmod.xquotient.9@localhost6.localdomain6>
Message-ID: <5035463F.1070303@lagaule.org>

On 08/22/2012 10:44 PM, exarkun at twistedmatrix.com wrote:
> On 07:13 pm, asterix at lagaule.org wrote:
>> Hi,
>>
>> I'm having problems closing a OpenSSL.SSL.Conection.
>
> Hi Yann,
>
> Perhaps you can explain your goals in a little more detail. "Shutdown"
> unfortunately has several possible meanings in the context of an SSL
> connection.
>
> It could mean you want to perform an orderly SSL protocol shutdown.
> There are two variations of this. You might want to do so without
> shutting down the underlying (TCP?) connection. Or you might want to
> shut down that underlying connection.
>
> Or it could just mean you want to close the connection, either in an
> orderly fashion or otherwise (people tend to be sloppy about closing SSL
> connections, particularly when using SSL for HTTPS).
>
> Shutdown and close are also distinct operations when it comes to the
> underlying TCP connection. You might want to actually close the
> underlying TCP connection, rather than just shutting it down.
>
> So, are any of those close to what you want to do? Please elaborate,
> perhaps providing a short, self-contained, complete (minimal) example in
> doing so (<http://sscce.org/>).
>
> Also, I have copied the Launchpad user list on this reply, as I would
> consider it a great boon if pyOpenSSL eventually completely moved off of
> sourceforge, including no longer using the sourceforge hosted mailing
> list service.

Hi,

Thanks for your reply.

What I want to do is to completly close the socket.
My application opens a socket, transfer things, and once finished I want 
to close the socket.

 From what I understand I'm supposed to call shutdown() then close() but 
that doesn't work for me :/

It's hard for me to provide a small example, because haveing 
non-blocking sockets isn't donein 2 lines :/

-- 
Yann



From exarkun at twistedmatrix.com  Wed Aug 22 22:44:12 2012
From: exarkun at twistedmatrix.com (exarkun at twistedmatrix.com)
Date: Wed, 22 Aug 2012 20:44:12 -0000
Subject: [pyOpenSSL] how to shutdown a socket?
In-Reply-To: <50352F60.5070300@lagaule.org>
References: <50352F60.5070300@lagaule.org>
Message-ID: <20120822204412.3301.236608430.divmod.xquotient.9@localhost6.localdomain6>

On 07:13 pm, asterix at lagaule.org wrote:
>Hi,
>
>I'm having problems closing a OpenSSL.SSL.Conection.

Hi Yann,

Perhaps you can explain your goals in a little more detail.  "Shutdown" 
unfortunately has several possible meanings in the context of an SSL 
connection.

It could mean you want to perform an orderly SSL protocol shutdown. 
There are two variations of this.  You might want to do so without 
shutting down the underlying (TCP?) connection.  Or you might want to 
shut down that underlying connection.

Or it could just mean you want to close the connection, either in an 
orderly fashion or otherwise (people tend to be sloppy about closing SSL 
connections, particularly when using SSL for HTTPS).

Shutdown and close are also distinct operations when it comes to the 
underlying TCP connection.  You might want to actually close the 
underlying TCP connection, rather than just shutting it down.

So, are any of those close to what you want to do?  Please elaborate, 
perhaps providing a short, self-contained, complete (minimal) example in 
doing so (<http://sscce.org/>).

Also, I have copied the Launchpad user list on this reply, as I would 
consider it a great boon if pyOpenSSL eventually completely moved off of 
sourceforge, including no longer using the sourceforge hosted mailing 
list service.

Thanks,
Jean-Paul



From asterix at lagaule.org  Thu Aug 23 11:53:28 2012
From: asterix at lagaule.org (Yann Leboulanger)
Date: Thu, 23 Aug 2012 11:53:28 +0200
Subject: [pyOpenSSL] how to shutdown a socket?
In-Reply-To: <5035463F.1070303@lagaule.org>
References: <50352F60.5070300@lagaule.org>
	<20120822204412.3301.236608430.divmod.xquotient.9@localhost6.localdomain6>
	<5035463F.1070303@lagaule.org>
Message-ID: <5035FD98.2030508@lagaule.org>

On 08/22/2012 10:51 PM, Yann Leboulanger wrote:
> On 08/22/2012 10:44 PM, exarkun at twistedmatrix.com wrote:
>> On 07:13 pm, asterix at lagaule.org wrote:
>>> Hi,
>>>
>>> I'm having problems closing a OpenSSL.SSL.Conection.
>>
>> Hi Yann,
>>
>> Perhaps you can explain your goals in a little more detail. "Shutdown"
>> unfortunately has several possible meanings in the context of an SSL
>> connection.
>>
>> It could mean you want to perform an orderly SSL protocol shutdown.
>> There are two variations of this. You might want to do so without
>> shutting down the underlying (TCP?) connection. Or you might want to
>> shut down that underlying connection.
>>
>> Or it could just mean you want to close the connection, either in an
>> orderly fashion or otherwise (people tend to be sloppy about closing SSL
>> connections, particularly when using SSL for HTTPS).
>>
>> Shutdown and close are also distinct operations when it comes to the
>> underlying TCP connection. You might want to actually close the
>> underlying TCP connection, rather than just shutting it down.
>>
>> So, are any of those close to what you want to do? Please elaborate,
>> perhaps providing a short, self-contained, complete (minimal) example in
>> doing so (<http://sscce.org/>).
>>
>> Also, I have copied the Launchpad user list on this reply, as I would
>> consider it a great boon if pyOpenSSL eventually completely moved off of
>> sourceforge, including no longer using the sourceforge hosted mailing
>> list service.
>
> Hi,
>
> Thanks for your reply.
>
> What I want to do is to completly close the socket.
> My application opens a socket, transfer things, and once finished I want
> to close the socket.
>
>   From what I understand I'm supposed to call shutdown() then close() but
> that doesn't work for me :/
>
> It's hard for me to provide a small example, because haveing
> non-blocking sockets isn't donein 2 lines :/
>

After debugging and debugging again, I found that I did SSL over SSL ... 
And in this case I was not able to shutdown the second SSL connection.

Now that my code doesn't do SSL over SSL, I can corecly shutdown() and 
then close() the connection.

[OT] sad that shutdwn() doesn't take an argument like the standads 
socket. I know it's discussed in bug 900792:
https://bugs.launchpad.net/pyopenssl/+bug/900792

Sorry for the noise!
-- 
Yann



From philip.kershaw at stfc.ac.uk  Thu Aug 23 12:39:54 2012
From: philip.kershaw at stfc.ac.uk (philip.kershaw at stfc.ac.uk)
Date: Thu, 23 Aug 2012 10:39:54 +0000
Subject: [pyOpenSSL] Arbitrary extension to X.509 certificate
Message-ID: <CC5BC709.269E0%philip.kershaw@stfc.ac.uk>

Hi all,

I'd like to find out if pyOpenSSL supports the addition of arbitrary certificate extensions.  I see here that you can add extensions:

http://stackoverflow.com/questions/7279282/extract-the-value-of-a-x-509-certificate-custom-extension-using-pyopenssl

But if I try this I get:

>>> from OpenSSL import crypto
>>> ext = crypto.X509Extension('1.2.3.4', 0, 'myextension')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OpenSSL.crypto.Error: [('X509 V3 routines', 'DO_EXT_NCONF', 'unknown extension name'), ('X509 V3 routines', 'X509V3_EXT_nconf', 'error in extension')]

If it is not currently possible is there some means that the relevant OpenSSL API calls needed could be exposed through pyOpenSSL?

Thanks,
Phil



-- 
Scanned by iCritical.



From exarkun at twistedmatrix.com  Thu Aug 23 14:11:31 2012
From: exarkun at twistedmatrix.com (exarkun at twistedmatrix.com)
Date: Thu, 23 Aug 2012 12:11:31 -0000
Subject: [pyOpenSSL] Arbitrary extension to X.509 certificate
In-Reply-To: <CC5BC709.269E0%philip.kershaw@stfc.ac.uk>
References: <CC5BC709.269E0%philip.kershaw@stfc.ac.uk>
Message-ID: <20120823121131.3301.224894919.divmod.xquotient.22@localhost6.localdomain6>

On 10:39 am, philip.kershaw at stfc.ac.uk wrote:
>Hi all,
>
>I'd like to find out if pyOpenSSL supports the addition of arbitrary 
>certificate extensions.  I see here that you can add extensions:
>
>http://stackoverflow.com/questions/7279282/extract-the-value-of-a-x-509 
>-certificate-custom-extension-using-pyopenssl

As you discovered, only some extensions are supported.  To support 
arbitrary extensions, more "APIs" from OpenSSL will need to be exposed. 
This is probably possible, and only a matter of someone doing the work.

I'm copying pyopenssl-users at lists.launchpad.net on this reply.  Please 
prefer the Launchpad mailing list for future correspondence.  Thanks.

Jean-Paul
>But if I try this I get:
>>>>from OpenSSL import crypto
>>>>ext = crypto.X509Extension('1.2.3.4', 0, 'myextension')
>Traceback (most recent call last):
>  File "<stdin>", line 1, in <module>
>OpenSSL.crypto.Error: [('X509 V3 routines', 'DO_EXT_NCONF', 'unknown 
>extension name'), ('X509 V3 routines', 'X509V3_EXT_nconf', 'error in 
>extension')]
>
>If it is not currently possible is there some means that the relevant 
>OpenSSL API calls needed could be exposed through pyOpenSSL?
>
>Thanks,
>Phil



From philip.kershaw at stfc.ac.uk  Thu Aug 23 19:22:02 2012
From: philip.kershaw at stfc.ac.uk (philip.kershaw at stfc.ac.uk)
Date: Thu, 23 Aug 2012 17:22:02 +0000
Subject: [pyOpenSSL] Arbitrary extension to X.509 certificate
In-Reply-To: <20120823121131.3301.224894919.divmod.xquotient.22@localhost6.localdomain6>
References: <CC5BC709.269E0%philip.kershaw@stfc.ac.uk>,
	<20120823121131.3301.224894919.divmod.xquotient.22@localhost6.localdomain6>
Message-ID: <836226893590734FA88B31162359477F26836422@EXCHMBX01.fed.cclrc.ac.uk>

Hi Jean-Paul,

It may be possible to get some of this work done.  Can you provide some pointers + any preferences how you would want the relevant OpenSSL interfaces exposed through Python?

Thanks,
Phil
________________________________________
From: exarkun at twistedmatrix.com [exarkun at twistedmatrix.com]
Sent: 23 August 2012 13:11
To: pyopenssl-list at lists.sourceforge.net; pyopenssl-users at lists.launchpad.net
Subject: Re: [pyOpenSSL] Arbitrary extension to X.509 certificate

On 10:39 am, philip.kershaw at stfc.ac.uk wrote:
>Hi all,
>
>I'd like to find out if pyOpenSSL supports the addition of arbitrary
>certificate extensions.  I see here that you can add extensions:
>
>http://stackoverflow.com/questions/7279282/extract-the-value-of-a-x-509
>-certificate-custom-extension-using-pyopenssl

As you discovered, only some extensions are supported.  To support
arbitrary extensions, more "APIs" from OpenSSL will need to be exposed.
This is probably possible, and only a matter of someone doing the work.

I'm copying pyopenssl-users at lists.launchpad.net on this reply.  Please
prefer the Launchpad mailing list for future correspondence.  Thanks.

Jean-Paul
>But if I try this I get:
>>>>from OpenSSL import crypto
>>>>ext = crypto.X509Extension('1.2.3.4', 0, 'myextension')
>Traceback (most recent call last):
>  File "<stdin>", line 1, in <module>
>OpenSSL.crypto.Error: [('X509 V3 routines', 'DO_EXT_NCONF', 'unknown
>extension name'), ('X509 V3 routines', 'X509V3_EXT_nconf', 'error in
>extension')]
>
>If it is not currently possible is there some means that the relevant
>OpenSSL API calls needed could be exposed through pyOpenSSL?
>
>Thanks,
>Phil

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
pyopenssl-list mailing list
pyopenssl-list at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/pyopenssl-list
-- 
Scanned by iCritical.



From exarkun at twistedmatrix.com  Thu Aug 23 20:28:49 2012
From: exarkun at twistedmatrix.com (exarkun at twistedmatrix.com)
Date: Thu, 23 Aug 2012 18:28:49 -0000
Subject: [pyOpenSSL] Arbitrary extension to X.509 certificate
In-Reply-To: <836226893590734FA88B31162359477F26836422@EXCHMBX01.fed.cclrc.ac.uk>
References: <CC5BC709.269E0%philip.kershaw@stfc.ac.uk>,
	<20120823121131.3301.224894919.divmod.xquotient.22@localhost6.localdomain6>
	<836226893590734FA88B31162359477F26836422@EXCHMBX01.fed.cclrc.ac.uk>
Message-ID: <20120823182849.3301.1753366028.divmod.xquotient.67@localhost6.localdomain6>

On 05:22 pm, philip.kershaw at stfc.ac.uk wrote:
>Hi Jean-Paul,
>
>It may be possible to get some of this work done.  Can you provide some 
>pointers + any preferences how you would want the relevant OpenSSL 
>interfaces exposed through Python?

Hiya Phil,

I'd love to give you some hints on this one.  First though, I want to 
point out that your question is a bit more of a stumper than you might 
have expected.  Though I'm the pyOpenSSL maintainer, I'm far from an 
expert on all of the OpenSSL APIs.

What I *mostly* know is that the OpenSSL APIs are terrible, and 
generally each in their own unique way.  Coming up with an approach to 
wrap a new OpenSSL API in pyOpenSSL usually involves stumbling around 
the documentation for a while, hoping to come across a nice looking 
function, then giving up on that and wandering through the source for a 
while (sometimes you can even find the implementation of a function), 
then giving up on that and looking around for other open source 
applications that do roughly the same kind of thing you think you want 
to do and reading their source instead.  Between those three sources of 
information, it's sometimes possible to understand what APIs exist to 
accomplish your goal and how they are used.

With a tenuous grip on that material, it's a question of deciding how 
the behavior could be exposed to Python.  Sometimes this is obvious, as 
in the case of SSL_write.  Other times it's obvious but admitting the 
reality is difficult, as in the case of the PKey APIs where OpenSSL 
reference counting and CPython reference counting contend with each 
other, requiring careful multi-library reference counting tricks to 
avoid double frees and other memory corruption.

All of this may sound like a lot of work, and it is.  Unfortunately it's 
hard to come to any sound decisions about what the Python API should 
look like until a lot of the background work has been done.  pyOpenSSL 
is an extremely leaky abstraction: wherever it diverges very far from 
the behavior of OpenSSL, things get difficult, so my philosophy since 
taking over the project has been to avoid any divergence from OpenSSL 
except those that are unavoidable (and grandfathering in some 
divergences, such as the class-oriented API).

That said (and apologies for that bit of ranting, but I needed to get it 
out), here are some suggestions I can make with respect to improving the 
x509 extension support:

  1. Some extensions require a X509V3_CTX structure to supply additional 
configuration/parameters.  It may be necessary to represent this 
structure in Python in order to provide an API which can really create 
arbitrary extensions (or I could be wrong).

  2. X509V3_EXT_nconf seems like an important extension API which 
pyOpenSSL currently uses as part of the existing extension support, but 
does not exactly "expose".  Many of its features are hidden and 
unavailable from Python.  This might be an area in which to make 
improvements (or I could be wrong).

  3. The current extension API which operates in terms of strings is 
broken and hides some features of arbitrary extensions.  I forget 
exactly how, though.  It is something like "Extension data is treated as 
a string value, prohibiting the use of any extensions which have non- 
string data", but perhaps it's extension names that are the problem and 
not data, or perhaps it's only one of the accessor APIs where this 
mistake is made, I can't remember, and looking at the code now, I don't 
understand/remember the OpenSSL APIs well enough to be able to tell.

  4. Apparently only extensions with names recognized by OpenSSL are 
supported now.  It looks like you want to specify an extension by its 
OID, which I presume requires the use of a different API than pyOpenSSL 
is currently using (ie, perhaps you cannot do this with 
X509V3_EXT_nconf).  So the approach taken to implement extension get/set 
may require exploring an alternate API.

I realize this probably provides more questions than answers, but off 
the top of my head it's the best I can do.  Perhaps someone on the list 
more familiar with the OpenSSL extension APIs can help answer some of 
these.

Jean-Paul



From richmoore44 at gmail.com  Fri Aug 24 10:53:57 2012
From: richmoore44 at gmail.com (Richard Moore)
Date: Fri, 24 Aug 2012 09:53:57 +0100
Subject: [pyOpenSSL] Arbitrary extension to X.509 certificate
In-Reply-To: <20120823182849.3301.1753366028.divmod.xquotient.67@localhost6.localdomain6>
References: <CC5BC709.269E0%philip.kershaw@stfc.ac.uk>
	<20120823121131.3301.224894919.divmod.xquotient.22@localhost6.localdomain6>
	<836226893590734FA88B31162359477F26836422@EXCHMBX01.fed.cclrc.ac.uk>
	<20120823182849.3301.1753366028.divmod.xquotient.67@localhost6.localdomain6>
Message-ID: <CAMp7mVtD5WY88W1opDFcO9RR=np0m_EVxKUzvNktkpP7STYcyw@mail.gmail.com>

On 23 August 2012 19:28,  <exarkun at twistedmatrix.com> wrote:
> What I *mostly* know is that the OpenSSL APIs are terrible, and
> generally each in their own unique way.  Coming up with an approach to
> wrap a new OpenSSL API in pyOpenSSL usually involves stumbling around
> the documentation for a while, hoping to come across a nice looking
> function, then giving up on that and wandering through the source for a
> while (sometimes you can even find the implementation of a function),
> then giving up on that and looking around for other open source
> applications that do roughly the same kind of thing you think you want
> to do and reading their source instead.  Between those three sources of
> information, it's sometimes possible to understand what APIs exist to
> accomplish your goal and how they are used.

That pretty much sums up my experience of working with it. There are a
couple of books out there that can help you get started too.

[snip]
>   3. The current extension API which operates in terms of strings is
> broken and hides some features of arbitrary extensions.  I forget
> exactly how, though.  It is something like "Extension data is treated as
> a string value, prohibiting the use of any extensions which have non-
> string data", but perhaps it's extension names that are the problem and
> not data, or perhaps it's only one of the accessor APIs where this
> mistake is made, I can't remember, and looking at the code now, I don't
> understand/remember the OpenSSL APIs well enough to be able to tell.

Extensions can be structured.

>
>   4. Apparently only extensions with names recognized by OpenSSL are
> supported now.  It looks like you want to specify an extension by its
> OID, which I presume requires the use of a different API than pyOpenSSL
> is currently using (ie, perhaps you cannot do this with
> X509V3_EXT_nconf).  So the approach taken to implement extension get/set
> may require exploring an alternate API.
>
> I realize this probably provides more questions than answers, but off
> the top of my head it's the best I can do.  Perhaps someone on the list
> more familiar with the OpenSSL extension APIs can help answer some of
> these.

I've written a generic read-only API for extensions for Qt (linked
below). It supports some extensions directly (eg. basic constraints)
but also supports converting the arbitrary ASN.1 structures into
nested lists etc. A similar approach could work in python. If there's
anything in the code you have questions about feel free to ask.

https://codereview.qt-project.org/#change,7976

Cheers

Rich.



From philip.kershaw at stfc.ac.uk  Fri Aug 24 17:08:50 2012
From: philip.kershaw at stfc.ac.uk (philip.kershaw at stfc.ac.uk)
Date: Fri, 24 Aug 2012 15:08:50 +0000
Subject: [pyOpenSSL] Arbitrary extension to X.509 certificate
In-Reply-To: <CAMp7mVtD5WY88W1opDFcO9RR=np0m_EVxKUzvNktkpP7STYcyw@mail.gmail.com>
Message-ID: <CC5D55B7.26A27%philip.kershaw@stfc.ac.uk>

Hi Richard and Jean-Paul,

Thanks for the feedback and pointers.  I will take a look at the
feasibility and discuss with colleagues here who've also had experience
with the OpenSSL interfaces.  You've pretty much re-enforced my
impressions of it from anecdotal evidence elsewhere.

Cheers,
Phil

On 24/08/2012 09:53, "Richard Moore" <richmoore44 at gmail.com> wrote:

>On 23 August 2012 19:28,  <exarkun at twistedmatrix.com> wrote:
>> What I *mostly* know is that the OpenSSL APIs are terrible, and
>> generally each in their own unique way.  Coming up with an approach to
>> wrap a new OpenSSL API in pyOpenSSL usually involves stumbling around
>> the documentation for a while, hoping to come across a nice looking
>> function, then giving up on that and wandering through the source for a
>> while (sometimes you can even find the implementation of a function),
>> then giving up on that and looking around for other open source
>> applications that do roughly the same kind of thing you think you want
>> to do and reading their source instead.  Between those three sources of
>> information, it's sometimes possible to understand what APIs exist to
>> accomplish your goal and how they are used.
>
>That pretty much sums up my experience of working with it. There are a
>couple of books out there that can help you get started too.
>
>[snip]
>>   3. The current extension API which operates in terms of strings is
>> broken and hides some features of arbitrary extensions.  I forget
>> exactly how, though.  It is something like "Extension data is treated as
>> a string value, prohibiting the use of any extensions which have non-
>> string data", but perhaps it's extension names that are the problem and
>> not data, or perhaps it's only one of the accessor APIs where this
>> mistake is made, I can't remember, and looking at the code now, I don't
>> understand/remember the OpenSSL APIs well enough to be able to tell.
>
>Extensions can be structured.
>
>>
>>   4. Apparently only extensions with names recognized by OpenSSL are
>> supported now.  It looks like you want to specify an extension by its
>> OID, which I presume requires the use of a different API than pyOpenSSL
>> is currently using (ie, perhaps you cannot do this with
>> X509V3_EXT_nconf).  So the approach taken to implement extension get/set
>> may require exploring an alternate API.
>>
>> I realize this probably provides more questions than answers, but off
>> the top of my head it's the best I can do.  Perhaps someone on the list
>> more familiar with the OpenSSL extension APIs can help answer some of
>> these.
>
>I've written a generic read-only API for extensions for Qt (linked
>below). It supports some extensions directly (eg. basic constraints)
>but also supports converting the arbitrary ASN.1 structures into
>nested lists etc. A similar approach could work in python. If there's
>anything in the code you have questions about feel free to ask.
>
>https://codereview.qt-project.org/#change,7976
>
>Cheers
>
>Rich.

-- 
Scanned by iCritical.



From james+pyopenssl at jvc26.org  Thu Aug 30 18:46:04 2012
From: james+pyopenssl at jvc26.org (James Clemence)
Date: Thu, 30 Aug 2012 17:46:04 +0100
Subject: [pyOpenSSL] Verification of SSL Signature
Message-ID: <CAOJVkVw22uTnjn1nz4j-xqm0K+UPOXfcGfft+WyRY9aFUzfBog@mail.gmail.com>

Hi,

I believe that as of 0.11, pyOpenSSL has started supporting the
verification of signatures. I am working on a project which was
started by someone else using M2Crypto. M2Crypto is really painful to
include on platforms such as Heroku as it requires the use of SWIG.
Consequently I am trying to remove the dependency on M2Crypto and
replace with pyOpenSSL which is easy to install via Pip, and doesn't
require custom buildpacks and more which SWIG-related things do.

The link to the original code is
[here](https://github.com/pyroven/django-pyroven) and requires a
reasonably significant refactoring, as it falls a long way from 12
Factor App ideals. However, I wanted to know whether I was on the
right track for replacing the M2Crypto functions, which at present
consist:

key = cert.get_pubkey() # Cert is an M2Crypto X509 object
key = key.get_rsa()
ret = key.verify(hashed, self.sig)
if ret != 1:
    # Cert invalid ... etc.

I tried to replace this with:

crypto.verify(cert, self.sig, hashed, 'sha1') # cert X509 object from
crypto.load_certificate()

Which I had assumed was roughly equivalent to the above, but I wonder
whether I got the wrong end of the stick having read through the
source as to what crypto.verify was actually doing.

At the present time I end up with the Exception:

[('rsa routines', 'RSA_verify', 'bad signature')]

Which is difficult to tell whether the code is right and the
hash/verification is correctly failing, or whether I'm actually doing
something which is fundamentally incorrect.

Thanks for your help!

J



From exarkun at twistedmatrix.com  Fri Aug 31 15:49:57 2012
From: exarkun at twistedmatrix.com (exarkun at twistedmatrix.com)
Date: Fri, 31 Aug 2012 13:49:57 -0000
Subject: [pyOpenSSL] Verification of SSL Signature
In-Reply-To: <CAOJVkVw22uTnjn1nz4j-xqm0K+UPOXfcGfft+WyRY9aFUzfBog@mail.gmail.com>
References: <CAOJVkVw22uTnjn1nz4j-xqm0K+UPOXfcGfft+WyRY9aFUzfBog@mail.gmail.com>
Message-ID: <20120831134957.23316.1328783866.divmod.xquotient.35@localhost6.localdomain6>

On 30 Aug, 04:46 pm, james+pyopenssl at jvc26.org wrote:
>Hi,
>
>I believe that as of 0.11, pyOpenSSL has started supporting the
>verification of signatures. I am working on a project which was
>started by someone else using M2Crypto. M2Crypto is really painful to
>include on platforms such as Heroku as it requires the use of SWIG.
>Consequently I am trying to remove the dependency on M2Crypto and
>replace with pyOpenSSL which is easy to install via Pip, and doesn't
>require custom buildpacks and more which SWIG-related things do.
>
>The link to the original code is
>[here](https://github.com/pyroven/django-pyroven) and requires a
>reasonably significant refactoring, as it falls a long way from 12
>Factor App ideals. However, I wanted to know whether I was on the
>right track for replacing the M2Crypto functions, which at present
>consist:
>
>key = cert.get_pubkey() # Cert is an M2Crypto X509 object
>key = key.get_rsa()
>ret = key.verify(hashed, self.sig)
>if ret != 1:
>    # Cert invalid ... etc.
>
>I tried to replace this with:
>
>crypto.verify(cert, self.sig, hashed, 'sha1') # cert X509 object from
>crypto.load_certificate()
>
>Which I had assumed was roughly equivalent to the above, but I wonder
>whether I got the wrong end of the stick having read through the
>source as to what crypto.verify was actually doing.
>
>At the present time I end up with the Exception:
>
>[('rsa routines', 'RSA_verify', 'bad signature')]
>
>Which is difficult to tell whether the code is right and the
>hash/verification is correctly failing, or whether I'm actually doing
>something which is fundamentally incorrect.

Hi James,

Consider the unit test for OpenSSL.crypto.verify (which passes on my 
system):

http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/view/head:/OpenSSL/test/test_crypto.py#L2750

(Sorry about the broken URL :/)

It looks like you're doing roughly the right thing, at least as far as 
pyOpenSSL is concerned.

Unrelatedly, I'm copying pyopenssl-users at lists.launchpad.net on my 
reply, as I'd prefer to switch pyOpenSSL completely off of sourceforge 
at some point.
>Thanks for your help!
>
>J
>
>------------------------------------------------------------------------------
>Live Security Virtual Conference
>Exclusive live event will cover all the ways today's security and
>threat landscape has changed and how IT managers can respond. 
>Discussions
>will include endpoint security, mobile security and the latest in 
>malware
>threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>_______________________________________________
>pyopenssl-list mailing list
>pyopenssl-list at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/pyopenssl-list