Menu
▾
▴
Re: [pyOpenSSL] Arbitrary extension to X.509 certificate
|
From: <phi...@st...> - 2012-08-24 15:10:10
|
Hi Richard and Jean-Paul, Thanks for the feedback and pointers. I will take a look at the feasibility and discuss with colleagues here who've also had experience with the OpenSSL interfaces. You've pretty much re-enforced my impressions of it from anecdotal evidence elsewhere. Cheers, Phil On 24/08/2012 09:53, "Richard Moore" <ric...@gm...> wrote: >On 23 August 2012 19:28, <ex...@tw...> wrote: >> What I *mostly* know is that the OpenSSL APIs are terrible, and >> generally each in their own unique way. Coming up with an approach to >> wrap a new OpenSSL API in pyOpenSSL usually involves stumbling around >> the documentation for a while, hoping to come across a nice looking >> function, then giving up on that and wandering through the source for a >> while (sometimes you can even find the implementation of a function), >> then giving up on that and looking around for other open source >> applications that do roughly the same kind of thing you think you want >> to do and reading their source instead. Between those three sources of >> information, it's sometimes possible to understand what APIs exist to >> accomplish your goal and how they are used. > >That pretty much sums up my experience of working with it. There are a >couple of books out there that can help you get started too. > >[snip] >> 3. The current extension API which operates in terms of strings is >> broken and hides some features of arbitrary extensions. I forget >> exactly how, though. It is something like "Extension data is treated as >> a string value, prohibiting the use of any extensions which have non- >> string data", but perhaps it's extension names that are the problem and >> not data, or perhaps it's only one of the accessor APIs where this >> mistake is made, I can't remember, and looking at the code now, I don't >> understand/remember the OpenSSL APIs well enough to be able to tell. > >Extensions can be structured. > >> >> 4. Apparently only extensions with names recognized by OpenSSL are >> supported now. It looks like you want to specify an extension by its >> OID, which I presume requires the use of a different API than pyOpenSSL >> is currently using (ie, perhaps you cannot do this with >> X509V3_EXT_nconf). So the approach taken to implement extension get/set >> may require exploring an alternate API. >> >> I realize this probably provides more questions than answers, but off >> the top of my head it's the best I can do. Perhaps someone on the list >> more familiar with the OpenSSL extension APIs can help answer some of >> these. > >I've written a generic read-only API for extensions for Qt (linked >below). It supports some extensions directly (eg. basic constraints) >but also supports converting the arbitrary ASN.1 structures into >nested lists etc. A similar approach could work in python. If there's >anything in the code you have questions about feel free to ask. > >https://codereview.qt-project.org/#change,7976 > >Cheers > >Rich. -- Scanned by iCritical. |
