Re: [pyOpenSSL] Arbitrary extension to X.509 certificate

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

On 23 August 2012 19:28,  <ex...@tw...> wrote:
> What I *mostly* know is that the OpenSSL APIs are terrible, and
> generally each in their own unique way.  Coming up with an approach to
> wrap a new OpenSSL API in pyOpenSSL usually involves stumbling around
> the documentation for a while, hoping to come across a nice looking
> function, then giving up on that and wandering through the source for a
> while (sometimes you can even find the implementation of a function),
> then giving up on that and looking around for other open source
> applications that do roughly the same kind of thing you think you want
> to do and reading their source instead.  Between those three sources of
> information, it's sometimes possible to understand what APIs exist to
> accomplish your goal and how they are used.

That pretty much sums up my experience of working with it. There are a
couple of books out there that can help you get started too.

[snip]
>   3. The current extension API which operates in terms of strings is
> broken and hides some features of arbitrary extensions.  I forget
> exactly how, though.  It is something like "Extension data is treated as
> a string value, prohibiting the use of any extensions which have non-
> string data", but perhaps it's extension names that are the problem and
> not data, or perhaps it's only one of the accessor APIs where this
> mistake is made, I can't remember, and looking at the code now, I don't
> understand/remember the OpenSSL APIs well enough to be able to tell.

Extensions can be structured.

>
>   4. Apparently only extensions with names recognized by OpenSSL are
> supported now.  It looks like you want to specify an extension by its
> OID, which I presume requires the use of a different API than pyOpenSSL
> is currently using (ie, perhaps you cannot do this with
> X509V3_EXT_nconf).  So the approach taken to implement extension get/set
> may require exploring an alternate API.
>
> I realize this probably provides more questions than answers, but off
> the top of my head it's the best I can do.  Perhaps someone on the list
> more familiar with the OpenSSL extension APIs can help answer some of
> these.

I've written a generic read-only API for extensions for Qt (linked
below). It supports some extensions directly (eg. basic constraints)
but also supports converting the arbitrary ASN.1 structures into
nested lists etc. A similar approach could work in python. If there's
anything in the code you have questions about feel free to ask.

https://codereview.qt-project.org/#change,7976

Cheers

Rich.