From dfnsonfsduifb at gmx.de Wed Mar 6 19:43:12 2013
From: dfnsonfsduifb at gmx.de (Johannes Bauer)
Date: Wed, 06 Mar 2013 19:43:12 +0100
Subject: [pyOpenSSL-Users] Verify X509 signature by public key
Message-ID: <51378E40.2010306@gmx.de>

Hi list,

first off something organizational: I mistakenly first posted on the
sourceforge list because I stumbled upon a page which said "the project
has moved to Launchpad, but the mailing list remains on sf.net" -- so
maybe this notice should be taken down. Just now noticed that the list
has apparently moved from sf -> Launchpad -> python.org, so I sure hope
this is the right place now.

Here's my original message:

I'm trying to verify a certificate's signature (X509 object) with a
public key (that I got from a X509.get_pubkey()). This doesn't seem to
be easy using pyopenssl. I'd even do it myself (X509.digest() with the
correct digest algorithm, then modular exponentiation), but the pubkey
object doesn't provide a facility to access the modulus or exponent. Why
not? Surely there must be an easier way, right? This seems like one of
the most basic tasks there is (and pyopenssl *does* support it when
using a SSL socket, so support is in there somewhere already).

Can somebody please enlighten me on how to do this?

Thank you and best regards,
Joe

From exarkun at twistedmatrix.com Thu Mar 7 05:21:16 2013
From: exarkun at twistedmatrix.com (exarkun at twistedmatrix.com)
Date: Thu, 07 Mar 2013 04:21:16 -0000
Subject: [pyOpenSSL-Users] Verify X509 signature by public key
In-Reply-To: <51378E40.2010306@gmx.de>
References: <51378E40.2010306@gmx.de>
Message-ID: <20130307042116.4904.389058004.divmod.xquotient.13@localhost6.localdomain6>

On 6 Mar, 06:43 pm, dfnsonfsduifb at gmx.de wrote:
>Hi list,
>
>I'm trying to verify a certificate's signature (X509 object) with a
>public key (that I got from a X509.get_pubkey()). This doesn't seem to
>be easy using pyopenssl.
>I'd even do it myself (X509.digest() with the
>correct digest algorithm, then modular exponentiation), but the pubkey
>object doesn't provide a facility to access the modulus or exponent.
>Why not? Surely there must be an easier way, right? This seems like one
>of the most basic tasks there is (and pyopenssl *does* support it when
>using a SSL socket, so support is in there somewhere already).
>
>Can somebody please enlighten me on how to do this?

OpenSSL lacks a straightforward API for this. As you suggest, the
certificate being used to handshake a new connection is verified, but
this is done implicitly as part of the handshake API and not available
for use without a connection.

Since pyOpenSSL is *primarily* an OpenSSL wrapper, pyOpenSSL has
inherited this shortcoming.

It has been proposed to add such an API at least once. It seems that as
far as development got was for a ticket to be filed:

https://bugs.launchpad.net/pyopenssl/+bug/892522

For some reason, I *do* seem to recall that someone worked on a patch of
some sort, but since it is not attached to that ticket and there appears
to be no branch containing the work, I'm not sure where that work ended
up (or if I'm just imagining that it happened).

If you'd like to work on this, I can try to offer support (answering
questions about the codebase, offering suggestions on how to write unit
tests or documentation, etc).

Jean-Paul

From dfnsonfsduifb at gmx.de Thu Mar 7 10:23:31 2013
From: dfnsonfsduifb at gmx.de (Johannes Bauer)
Date: Thu, 07 Mar 2013 10:23:31 +0100
Subject: [pyOpenSSL-Users] Verify X509 signature by public key
In-Reply-To: <20130307042116.4904.389058004.divmod.xquotient.13@localhost6.localdomain6>
References: <51378E40.2010306@gmx.de> <20130307042116.4904.389058004.divmod.xquotient.13@localhost6.localdomain6>
Message-ID: <51385C93.7040101@gmx.de>

Hi Jean-Paul,

On 07.03.2013 05:21, exarkun at twistedmatrix.com wrote:

> https://bugs.launchpad.net/pyopenssl/+bug/892522
>
> For some reason, I *do* seem to recall that someone worked on a patch of
> some sort, but since it is not attached to that ticket and there appears
> to be no branch containing the work, I'm not sure where that work ended
> up (or if I'm just imagining that it happened).
>
> If you'd like to work on this, I can try to offer support (answering
> questions about the codebase, offering suggestions on how to write unit
> tests or documentation, etc).

Alright, I've made a patch to the latest bazaar version that does this.
It's not easily possible with using the X509/PK combination as I
originally intended, but pretty easy using a Crt/Crt combination. I'm
basically creating a store with only the issuer certificate in there and
then try to verify the subject certificate. It is necessary to ignore
verification failures that don't occur at the leaf level (because this
will always happen when verifying a certificate that wasn't signed by a
root).

I've not yet written testcases for that (should be easy enough, I see
you use the unitcase module), but I'm guessing the solution is along
these lines. As stated, it works for me and I'd be happy to improve it
to get it into mainline.

The patch I provide works against bzr rev 168, trunk. I'll attach it to
the bug 892552.

Best regards,
Johannes

From dfnsonfsduifb at gmx.de Fri Mar 8 14:00:38 2013
From: dfnsonfsduifb at gmx.de (Johannes Bauer)
Date: Fri, 08 Mar 2013 14:00:38 +0100
Subject: [pyOpenSSL-Users] Mailing list redirection
Message-ID: <5139E0F6.70001@gmx.de>

Hi list,

on this page http://pyopenssl.sourceforge.net/ is a link that is
outdated and directs to the (obsolete?) pyopenssl mailing list instead
of the python.org mailing list. Maybe someone can fix this? It's rather
confusing.

Best regards,
Johannes

From info at egenix.com Wed Mar 13 19:32:46 2013
From: info at egenix.com (eGenix Team: M.-A. Lemburg)
Date: Wed, 13 Mar 2013 19:32:46 +0100
Subject: [pyOpenSSL-Users] ANN: eGenix pyOpenSSL Distribution 0.13.1.1.0.1.5
Message-ID: <5140C64E.8040004@egenix.com>

________________________________________________________________________

ANNOUNCING

eGenix.com pyOpenSSL Distribution

Version 0.13.1.1.0.1.5

An easy-to-install and easy-to-use distribution
of the pyOpenSSL Python interface for OpenSSL -
available for Windows, Mac OS X and Unix platforms

This announcement is also available on our web-site for online reading:
http://www.egenix.com/company/news/eGenix-pyOpenSSL-Distribution-0.13.1.1.0.1.5.html

________________________________________________________________________

INTRODUCTION

The eGenix.com pyOpenSSL Distribution includes everything you need to
get started with SSL in Python.
It comes with an easy-to-use installer that includes the most recent
OpenSSL library versions in pre-compiled form, making your application
independent of OS provided OpenSSL libraries:

http://www.egenix.com/products/python/pyOpenSSL/

pyOpenSSL is an open-source Python add-on that allows writing
SSL/TLS-aware network applications as well as certificate management
tools:

https://launchpad.net/pyopenssl/

OpenSSL is an open-source implementation of the SSL/TLS protocol:

http://www.openssl.org/

________________________________________________________________________

NEWS

This new release of the eGenix.com pyOpenSSL Distribution updates the
included OpenSSL version to 1.0.1c.

New in OpenSSL 1.0.1e since our last release for OpenSSL 1.0.1c
---------------------------------------------------------------

OpenSSL 1.0.1e includes several important fixes:

* OpenSSL security advisory:
  http://www.openssl.org/news/secadv_20130204.txt
  - also known as "Lucky 13"
  http://www.h-online.com/security/news/item/TLS-tripped-up-by-Lucky-13-1798423.html

* OpenSSL security advisory:
  http://www.openssl.org/news/secadv_20130205.txt

* corrected fix for CVE-2013-0169 in 1.0.1e:
  http://www.mail-archive.com/openssl-users at openssl.org/msg70100.html

* fixes the SSL3_GET_RECORD:wrong version number problem:
  http://openssl.6102.n7.nabble.com/error-1408F10B-SSL-routines-SSL3-GET-RECORD-wrong-version-number-td22477.html

as well as several other new features compared to 1.0.0:

http://lwn.net/Articles/486426/

fixes vulnerabilities relative to 1.0.1c:

http://openssl.org/news/vulnerabilities.html

and includes a number of stability enhancements as well as extra
protection against attacks:

http://openssl.org/news/changelog.html

New in the eGenix pyOpenSSL Distribution
----------------------------------------

* Changed the package version scheme to be PEP 386 compatible. The new
  scheme no longer contains underscores or patch level letters.

* Added a CA root certificate bundle file ca-bundle.crt, which is
  created from the current Mozilla root CA certificate list. This
  allows verifying server certificates without having to rely on the
  system root CA certificate list. The bundle file will be updated with
  each new release of eGenix pyOpenSSL. We also make the file available
  as separate download. Please see the product page for details.

* Added pyOpenSSL examples/ directory to the source distribution.

* Added a new OpenSSL.ca_bundle module which provides easy to use
  access to the embedded ca-bundle.crt file.

* Added new example https_client.py to the examples/ directory, which
  demonstrates setting up an SSL connection and using the new
  OpenSSL.ca_bundle module.

* Windows x64 builds now have assembler code turned back on again,
  after a problem with OpenSSL 1.0.1c.

As always, we provide binaries that include both pyOpenSSL and the
necessary OpenSSL libraries for all supported platforms: Windows x86 and
x64, Linux x86 and x64, Mac OS X PPC, x86 and x64.

We've also added egg-file distribution versions of our eGenix.com
pyOpenSSL Distribution for Windows, Linux and Mac OS X to the available
download options. These make setups using e.g. zc.buildout and other
egg-file based installers a lot easier.

________________________________________________________________________

DOWNLOADS

The download archives and instructions for installing the package can be
found at:

http://www.egenix.com/products/python/pyOpenSSL/

________________________________________________________________________

UPGRADING

Before installing this version of pyOpenSSL, please make sure that you
uninstall any previously installed pyOpenSSL version. Otherwise, you
could end up not using the included OpenSSL libs.

_______________________________________________________________________

SUPPORT

Commercial support for these packages is available from eGenix.com.
Please see

http://www.egenix.com/services/support/

for details about our support offerings.

________________________________________________________________________

MORE INFORMATION

For more information about the eGenix pyOpenSSL Distribution, licensing
and download instructions, please visit our web-site or write to
sales at egenix.com.

Enjoy,
--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, Mar 13 2013)
>>> Python Projects, Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/
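
For the "Verify X509 signature by public key" thread above, an added example (not code from the thread, from the patch mentioned there, or from pyOpenSSL itself) showing both checks discussed: the X509 + public key check and the store holding only the issuer certificate. It assumes a pyOpenSSL release that provides X509StoreContext and the cryptography bridge methods, RSA keys, and certificates constructed on the spot for the test; the helper names are hypothetical.

```python
from OpenSSL import crypto
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric import padding


def make_cert(cn, key, issuer=None, signing_key=None):
    """Constructed test certificate (RSA/SHA-256); self-signed without issuer."""
    cert = crypto.X509()
    cert.get_subject().CN = cn
    cert.set_serial_number(1 if issuer is None else 2)
    cert.gmtime_adj_notBefore(-3600)
    cert.gmtime_adj_notAfter(3600)
    cert.set_issuer(cert.get_subject() if issuer is None else issuer.get_subject())
    cert.set_pubkey(key)
    cert.sign(key if signing_key is None else signing_key, "sha256")
    return cert


def signed_by_key(cert, pubkey):
    """X509 + public key: check the signature over the TBS bytes (RSA only)."""
    c = cert.to_cryptography()
    try:
        pubkey.to_cryptography_key().verify(
            c.signature, c.tbs_certificate_bytes,
            padding.PKCS1v15(), c.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def signed_by_cert(cert, issuer):
    """Cert + cert: verify against a store holding only the issuer."""
    store = crypto.X509Store()
    store.add_cert(issuer)
    try:
        crypto.X509StoreContext(store, cert).verify_certificate()
        return True
    except crypto.X509StoreContextError:
        return False


def demo():
    ca_key, leaf_key, rogue_key = crypto.PKey(), crypto.PKey(), crypto.PKey()
    for k in (ca_key, leaf_key, rogue_key):
        k.generate_key(crypto.TYPE_RSA, 2048)
    ca = make_cert("Constructed Test CA", ca_key)
    good = make_cert("leaf.example", leaf_key, ca, ca_key)
    # Names the CA as issuer but is signed with an unrelated key.
    forged = make_cert("leaf.example", leaf_key, ca, rogue_key)
    pub = ca.get_pubkey()
    return [(signed_by_key(c, pub), signed_by_cert(c, ca)) for c in (good, forged)]
```

The store-based check also enforces the validity period, and for an issuer that is not self-signed it only succeeds with OpenSSL's X509_V_FLAG_PARTIAL_CHAIN set on the store. The key-based check validates the signature alone.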