From alienoid at IS.LG.UA Sat May 15 14:24:02 2004
From: alienoid at IS.LG.UA (Ruslan)
Date: Sat, 15 May 2004 15:24:02 +0300
Subject: [PYTHON-CRYPTO] M2Crypto & pkcs12 question
Message-ID: <1084623841.5511.10.camel@dev.is.lg.ua>

Hello.

Is it possible, using M2Crypto, to programmatically convert a pkcs12 certificate into a pem one, like we can do with the openssl command line? If it's not possible now, can you point out where to start to implement this by adding/modifying the M2Crypto source?

Any help is very much appreciated. Thanks in advance.

Best regards,
Ruslan

From ngps at POST1.COM Mon May 17 18:18:01 2004
From: ngps at POST1.COM (Ng Pheng Siong)
Date: Tue, 18 May 2004 00:18:01 +0800
Subject: [PYTHON-CRYPTO] M2Crypto & pkcs12 question
In-Reply-To: <1084623841.5511.10.camel@dev.is.lg.ua>
References: <1084623841.5511.10.camel@dev.is.lg.ua>
Message-ID: <20040517161801.GG364@vista.netmemetic.com>

On Sat, May 15, 2004 at 03:24:02PM +0300, Ruslan wrote:
> Is it possible, using M2Crypto, to programmatically convert a pkcs12
> certificate into a pem one, like we can do with the openssl command line?

Possible - yes. Functionality available now - I think not.

Just to be sure, do you mean "openssl pkcs12 ..."?

> If it's not possible now, can you point out where to start to implement this
> by adding/modifying the M2Crypto source?

Suppose you want to implement "openssl pkcs12 some-specific-operation".

Look in /apps/pkcs12.c for the parts that implement some-specific-operation. Note the structures and functions used. See /include/pkcs12.h for the definitions of said structures and functions.

Now create a file /SWIG/_pkcs12.i. Add whatever glue code is necessary so that Python and C code can pass pointers to the identified structures back and forth, Python can invoke the C functions, and the C functions can raise Python exceptions and perhaps call back into Python.

Next create a file /M2Crypto/PKCS12.py.
Add Python wrapper classes around the pointers to structures; the glue functions that work on said structures become methods of these Python OO wrapper classes. Add utility functions at the module level for programmer convenience.

Create unit tests in Python.

Write doc strings! Please. ;-)

HTH. TIA for your patches. ;-)

--
Ng Pheng Siong
http://firewall.rulemaker.net -+- Firewall Change Management & Version Control
http://sandbox.rulemaker.net/ngps -+- ZServerSSL/Zope Windows Installers

From jon+pythoncrypto at UNEQUIVOCAL.CO.UK Tue May 18 12:52:26 2004
From: jon+pythoncrypto at UNEQUIVOCAL.CO.UK (Jon Ribbens)
Date: Tue, 18 May 2004 11:52:26 +0100
Subject: [PYTHON-CRYPTO] Bug in SSL.Context.load_verify_locations ?
Message-ID: <20040518105226.GA32311@snowy.squish.net>

I have the following code:

    ctx = SSL.Context("sslv3")
    ctx.load_verify_locations("filename.pem")

It is failing with:

    64293:error:0B064071:x509 certificate routines:ADD_CERT_DIR:invalid directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/x509/by_dir.c:187:

I think this is because of:

    def load_verify_locations(self, cafile=None, capath=None):
        return m2.ssl_ctx_load_verify_locations(self.ctx, cafile, capath or '')

You are passing an empty string to X509_STORE_load_locations, when it should be NULL instead.

Also it might be nice if m2crypto threw an exception when OpenSSL reported an error.

Cheers

Jon

From htj at CS.AAU.DK Tue May 25 10:52:53 2004
From: htj at CS.AAU.DK (Henrik Thostrup Jensen)
Date: Tue, 25 May 2004 10:52:53 +0200
Subject: [PYTHON-CRYPTO] X509 certificates for authorization using M2Crypto
Message-ID:

Hi

I'm trying to set up mutual authentication using X509 certificates over an SSL connection using M2Crypto; however, being quite new to SSL, I have some troubles. Each side has a certificate with a randomly generated key pair (of short lifetime), which is signed by my own CA (which is again signed by another CA, but I don't think this is important).
If each side can present a signed certificate they can trust each other. How should the certificates be loaded - and which should be loaded, that is, can I do without my public key and only use the x509 certificate, or do I need both? I've looked at the examples in the M2Crypto distribution (echoserver and such), but have not been able to solve this problem.

If anyone can answer this or provide some examples, I would be grateful.

Best regards,
Henrik

From ngps at POST1.COM Mon May 31 06:52:54 2004
From: ngps at POST1.COM (Ng Pheng Siong)
Date: Mon, 31 May 2004 12:52:54 +0800
Subject: [PYTHON-CRYPTO] Bug in SSL.Context.load_verify_locations ?
In-Reply-To: <20040518105226.GA32311@snowy.squish.net>
References: <20040518105226.GA32311@snowy.squish.net>
Message-ID: <20040531045254.GB524@vista.netmemetic.com>

On Tue, May 18, 2004 at 11:52:26AM +0100, Jon Ribbens wrote:
> I think this is because of:
>
>     def load_verify_locations(self, cafile=None, capath=None):
>         return m2.ssl_ctx_load_verify_locations(self.ctx, cafile, capath or '')
>
> You are passing an empty string to X509_STORE_load_locations, when it
> should be NULL instead.

Oops.

> Also it might be nice if m2crypto threw an exception when OpenSSL
> reported an error.

Yes, that's the general intention. When it does not, that usually indicates a bug. Thanks for the note.

(As mentioned on my blog, I'm looking into putting up a public code repository for M2Crypto. I hope that will reduce the turnaround time on bug fixes.)

Cheers.
--
Ng Pheng Siong
http://firewall.rulemaker.net -+- Firewall Change Management & Version Control
http://sandbox.rulemaker.net/ngps -+- ZServerSSL/Zope Windows Installers

From ngps at POST1.COM Mon May 31 06:47:30 2004
From: ngps at POST1.COM (Ng Pheng Siong)
Date: Mon, 31 May 2004 12:47:30 +0800
Subject: [PYTHON-CRYPTO] X509 certificates for authorization using M2Crypto
In-Reply-To:
References:
Message-ID: <20040531044730.GA524@vista.netmemetic.com>

On Tue, May 25, 2004 at 10:52:53AM +0200, Henrik Thostrup Jensen wrote:
> How should the certificates be loaded - and which should be loaded, that is,
> can I do without my public key and only use the x509 certificate, or do I
> need both? I've looked at the examples in the M2Crypto distribution
> (echoserver and such), but have not been able to solve this problem.

Hi,

An X.509 certificate certifies the public key it contains. The certification is done by digitally signing said public key using the CA's private key. The CA's public key corresponding to its signing private key is itself certified in the CA's certificate. This CA certificate may be certified by a higher-level CA or by itself; in the latter case the certificate is called a self-signed certificate. All top-level CA certificates are self-signed certificates. (By definition, one may say. ;-)

Thus, your public key is already in the certificate. As part of the SSL protocol, your program will be asked to demonstrate that it possesses the corresponding private key.

If you look inside the various [client|server].pem in demo/, each contains the following:

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----

Both cert (i.e., public key) and private key are there.

Note that an SSL end point may use a certificate certified by CA X, whereas it is only willing to accept a peer certificate certified by CA Y.
In this general case, the SSL end point needs to transmit a cert chain, i.e., a chain of certificates up to and including CA X's or Y's cert.

In your case, both SSL end points are using your own CA, so presumably both load that CA cert upon startup and are able to verify the peer cert correctly. So the following (client-side) code /should/ do what you want:

    ctx = SSL.Context()
    ctx.load_cert_chain('client.pem')
    ctx.load_verify_locations('ca.pem', '')
    ctx.set_verify(SSL.verify_peer, 10, SSL.cb.ssl_verify_callback)

Cheers.

--
Ng Pheng Siong
http://firewall.rulemaker.net -+- Firewall Change Management & Version Control
http://sandbox.rulemaker.net/ngps -+- ZServerSSL/Zope Windows Installers
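The thread opens with the "openssl pkcs12 ..." conversion Ruslan wanted and closes with Ng's description of the trust model (the certificate certifies the public key, the CA signs the certificate, the verifier loads the CA's certificate, and the peer proves possession of the private key). The script below is an added example, not code from the thread or from M2Crypto: it uses only the openssl command line that Ng points to, builds a throwaway CA and a second unrelated CA, issues a client certificate, bundles it into PKCS#12, converts it back to PEM, and then checks the extracted certificate against both CAs. The names (myca, otherca, client), the export password and the one-day validity are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from M2Crypto): the "openssl pkcs12 ..."
# conversion asked about at the top of the thread, exercised end to end against a
# throwaway CA so that the trust model described in the last message (the cert
# certifies the public key, the CA signs the cert, the verifier loads the CA cert)
# can be checked with "openssl verify".  All names (myca, otherca, client) and the
# export password are constructed for the demo.
set -eu

WORK=$(mktemp -d)            # scratch directory; removed on exit
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# A self-signed CA: top-level CA certificates are self-signed by definition.
make_ca() {                  # $1 = CA name -> $1.key, $1.pem
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$1" >/dev/null 2>&1
}

# A fresh leaf key pair and a certificate for it, signed by the named CA.
issue_cert() {               # $1 = leaf name, $2 = CA name -> $1.key, $1.crt
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -days 1 -sha256 -out "$1.crt" >/dev/null 2>&1
}

# Bundle cert + private key into PKCS#12, the format the question starts from.
to_pkcs12() {                # $1 = leaf name, $2 = output .p12, $3 = password
    openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" -out "$2" -passout "pass:$3"
}

# PKCS#12 -> PEM, the conversion asked for.  -nodes leaves the private key
# unencrypted in the output, so the file is a secret: restrict its permissions.
pkcs12_to_pem() {            # $1 = .p12, $2 = PEM output, $3 = password
    openssl pkcs12 -in "$1" -out "$2" -nodes -passin "pass:$3"
    chmod 600 "$2"
}

# Certificate only (no key): what a peer or verifier actually needs to be given.
pkcs12_cert_only() {         # $1 = .p12, $2 = PEM output, $3 = password
    openssl pkcs12 -in "$1" -out "$2" -clcerts -nokeys -passin "pass:$3"
}

# Number of PEM blocks whose label ends in $2 (e.g. CERTIFICATE, "PRIVATE KEY").
count_blocks() {             # $1 = PEM file, $2 = label suffix
    grep -c -- "-----BEGIN .*$2-----" "$1" || true
}

# Chain check against one CA: prints "ok" when $1 chains to $2, else "rejected".
verify_against() {           # $1 = cert PEM, $2 = CA PEM
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo rejected; fi
}

demo() {
    make_ca myca                                  # the CA both end points trust
    make_ca otherca                               # an unrelated CA ("CA Y")
    issue_cert client myca
    to_pkcs12 client client.p12 demo-export-password
    pkcs12_to_pem client.p12 client.pem demo-export-password
    pkcs12_cert_only client.p12 client.crt.pem demo-export-password
    echo "client.pem: $(count_blocks client.pem CERTIFICATE) cert, $(count_blocks client.pem 'PRIVATE KEY') private key"
    echo "verify against myca:    $(verify_against client.crt.pem myca.pem)"
    echo "verify against otherca: $(verify_against client.crt.pem otherca.pem)"
}

demo
```

The PEM produced by `pkcs12_to_pem` has the layout Ng describes for the demo/ files, one CERTIFICATE block and one private-key block, which is what `load_cert_chain('client.pem')` expects; `openssl verify -CAfile myca.pem` plays the role of `load_verify_locations('ca.pem', ...)` plus `verify_peer`, and the "rejected" result against otherca.pem is the CA X versus CA Y situation from the last message. Because `-nodes` writes the private key in the clear, hand out the `-clcerts -nokeys` file, never the full bundle, to anything that only needs to verify you.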