[pyOpenSSL] Arbitrary extension to X.509 certificate

Fri Aug 24 17:08:50 CEST 2012

Hi Richard and Jean-Paul,

Thanks for the feedback and pointers.  I will take a look at the
feasibility and discuss with colleagues here who've also had experience
with the OpenSSL interfaces.  You've pretty much re-enforced my
impressions of it from anecdotal evidence elsewhere.

Cheers,
Phil

On 24/08/2012 09:53, "Richard Moore" <richmoore44 at gmail.com> wrote:

>On 23 August 2012 19:28,  <exarkun at twistedmatrix.com> wrote:
>> What I *mostly* know is that the OpenSSL APIs are terrible, and
>> generally each in their own unique way.  Coming up with an approach to
>> wrap a new OpenSSL API in pyOpenSSL usually involves stumbling around
>> the documentation for a while, hoping to come across a nice looking
>> function, then giving up on that and wandering through the source for a
>> while (sometimes you can even find the implementation of a function),
>> then giving up on that and looking around for other open source
>> applications that do roughly the same kind of thing you think you want
>> to do and reading their source instead.  Between those three sources of
>> information, it's sometimes possible to understand what APIs exist to
>> accomplish your goal and how they are used.
>
>That pretty much sums up my experience of working with it. There are a
>couple of books out there that can help you get started too.
>
>[snip]
>>   3. The current extension API which operates in terms of strings is
>> broken and hides some features of arbitrary extensions.  I forget
>> exactly how, though.  It is something like "Extension data is treated as
>> a string value, prohibiting the use of any extensions which have non-
>> string data", but perhaps it's extension names that are the problem and
>> not data, or perhaps it's only one of the accessor APIs where this
>> mistake is made, I can't remember, and looking at the code now, I don't
>> understand/remember the OpenSSL APIs well enough to be able to tell.
>
>Extensions can be structured.
>
>>
>>   4. Apparently only extensions with names recognized by OpenSSL are
>> supported now.  It looks like you want to specify an extension by its
>> OID, which I presume requires the use of a different API than pyOpenSSL
>> is currently using (ie, perhaps you cannot do this with
>> X509V3_EXT_nconf).  So the approach taken to implement extension get/set
>> may require exploring an alternate API.
>>
>> I realize this probably provides more questions than answers, but off
>> the top of my head it's the best I can do.  Perhaps someone on the list
>> more familiar with the OpenSSL extension APIs can help answer some of
>> these.
>
>I've written a generic read-only API for extensions for Qt (linked
>below). It supports some extensions directly (eg. basic constraints)
>but also supports converting the arbitrary ASN.1 structures into
>nested lists etc. A similar approach could work in python. If there's
>anything in the code you have questions about feel free to ask.
>
>https://codereview.qt-project.org/#change,7976
>
>Cheers
>
>Rich.

-- 
Scanned by iCritical.