[pyOpenSSL] Arbitrary extension to X.509 certificate
Richard Moore
richmoore44 at gmail.com
Fri Aug 24 10:53:57 CEST 2012
On 23 August 2012 19:28, <exarkun at twistedmatrix.com> wrote:
> What I *mostly* know is that the OpenSSL APIs are terrible, and
> generally each in their own unique way. Coming up with an approach to
> wrap a new OpenSSL API in pyOpenSSL usually involves stumbling around
> the documentation for a while, hoping to come across a nice looking
> function, then giving up on that and wandering through the source for a
> while (sometimes you can even find the implementation of a function),
> then giving up on that and looking around for other open source
> applications that do roughly the same kind of thing you think you want
> to do and reading their source instead. Between those three sources of
> information, it's sometimes possible to understand what APIs exist to
> accomplish your goal and how they are used.
That pretty much sums up my experience of working with it. There are a
couple of books out there that can help you get started too.
[snip]
> 3. The current extension API which operates in terms of strings is
> broken and hides some features of arbitrary extensions. I forget
> exactly how, though. It is something like "Extension data is treated as
> a string value, prohibiting the use of any extensions which have non-
> string data", but perhaps it's extension names that are the problem and
> not data, or perhaps it's only one of the accessor APIs where this
> mistake is made, I can't remember, and looking at the code now, I don't
> understand/remember the OpenSSL APIs well enough to be able to tell.
Extensions can be structured.
>
> 4. Apparently only extensions with names recognized by OpenSSL are
> supported now. It looks like you want to specify an extension by its
> OID, which I presume requires the use of a different API than pyOpenSSL
> is currently using (ie, perhaps you cannot do this with
> X509V3_EXT_nconf). So the approach taken to implement extension get/set
> may require exploring an alternate API.
>
> I realize this probably provides more questions than answers, but off
> the top of my head it's the best I can do. Perhaps someone on the list
> more familiar with the OpenSSL extension APIs can help answer some of
> these.
I've written a generic read-only API for extensions for Qt (linked
below). It supports some extensions directly (e.g. basic constraints)
but also supports converting the arbitrary ASN.1 structures into
nested lists etc. A similar approach could work in python. If there's
anything in the code you have questions about feel free to ask.
https://codereview.qt-project.org/#change,7976
Cheers
Rich.
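Rich's Qt reader turns arbitrary ASN.1 extension data into nested lists; the Python below is an added example written for this thread (neither pyOpenSSL's code nor the Qt change linked above) that does the same with the standard library alone. It assumes the input is the raw DER extnValue bytes, which is what pyOpenSSL's X509Extension.get_data() returns; the sample bytes at the bottom are constructed, not taken from a real certificate.

```python
def _read_tlv(data, pos):
    """One DER tag-length-value at pos -> (tag, constructed, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("length runs past the end of the data")
    return tag, bool(tag & 0x20), data[pos:end], end

def _decode_oid(raw):
    # OBJECT IDENTIFIER contents -> dotted string, e.g. 2a 03 04 -> "1.2.3.4"
    arcs = [raw[0] // 40, raw[0] % 40] if raw[0] < 80 else [2, raw[0] - 80]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last base-128 digit of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def der_to_python(data):
    """Decode one DER value: constructed types become lists, unknown tags stay raw."""
    tag, constructed, value, end = _read_tlv(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after the DER value")
    if constructed:  # SEQUENCE, SET or constructed context tag -> nested list
        items, pos = [], 0
        while pos < len(value):
            nxt = _read_tlv(value, pos)[3]
            items.append(der_to_python(value[pos:nxt]))
            pos = nxt
        return items
    number = tag & 0x1F
    if number == 0x01:
        return value != b"\x00"                            # BOOLEAN
    if number == 0x02:
        return int.from_bytes(value, "big", signed=True)   # INTEGER (two's complement)
    if number == 0x06:
        return _decode_oid(value)                          # OBJECT IDENTIFIER
    if number in (0x0C, 0x13, 0x16):                       # UTF8/Printable/IA5String
        return value.decode("utf-8")
    return ("tag", number, value)  # OCTET STRING, BIT STRING, others: raw bytes
# Constructed sample (not from a real cert): SEQUENCE { BOOLEAN TRUE, INTEGER 3 } = CA:TRUE, pathlen:3
SAMPLE_BASIC_CONSTRAINTS = bytes.fromhex("30060101ff020103")
```

Anything the decoder does not recognise comes back as a ("tag", number, bytes) triple, so non-string extension data is preserved rather than flattened into a string.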