From: Rick D. <ri...@fd...> - 2009-08-26 04:26:46
Strangely, your provided result is an invalid base32 encoding because it's an illegal length. It's not just missing equal signs.

So the openssl commands are...

    $ openssl dsaparam -genkey -out dsa_priv.pem 1024
    $ echo twinkie | openssl dgst -dss1 -sign dsa_priv.pem -out foo
    $ echo twinkie | openssl dgst -dss1 -prverify dsa_priv.pem -signature foo
    Verified OK

pyOpenSSL doesn't yet provide this functionality. You can only sign with x509 certificates, not with just a PKey. Apparently the certificateless signing is provided by EVP_SignFinal() and EVP_VerifyFinal() as seen in openssl-0.9.8j/app/dgst.c

In the meantime, the python module called "subprocess" may be of some help.

--
Rick

On Tue, Aug 25, 2009 at 12:48:19PM -0700, aaron smith wrote:
> Thanks for the reply. Ultimately what I'm trying to accomplish is
> creating a software license key.
>
> The full ruby example is this:
>
> def make_license(product_code, name, copies)
>   sign_dss1 = OpenSSL::Digest::DSS1.new
>   priv = OpenSSL::PKey::DSA.new(File.read("lib/dsa_priv.pem"))
>   b32 = Base32.encode(priv.sign(sign_dss1,
>     make_license_source(product_code, name)))
>   # Replace Os with 8s and Is with 9s
>   # See http://members.shaw.ca/akochoi-old/blog/2004/11-07/index.html
>   b32.gsub!(/O/, '8')
>   b32.gsub!(/I/, '9')
>   # chop off trailing padding
>   b32.delete("=").scan(/.{1,5}/).join("-")
> end
>
> def make_license_source(product_code, name)
>   product_code + "," + name
> end
>
> I think what this is doing is creating a new dsa from a private one,
> the file (lib/dsa_priv.pem). It converts it to base 32, and adds in
> some dashes (-). Which ultimately gives me something like:
> "GAWAE-FDWN3-BJHHK-KBGLL-D5SF7-6KHNP-7RWSE-C2FAC-CRR32-QB76K-T3F22-MZFGQ-LV4XA-7X423-6QJY"
>
> On Tue, Aug 25, 2009 at 9:13 AM, Rick Dean<ri...@fd...> wrote:
> >
> > The automated test cases are a good place to look for
> > examples. It's a directory named "test" in the pyOpenSSL
> > sources.
> >
> > Some comments about what you are trying to accomplish
> > would be useful. I don't know the Ruby API and you
> > didn't link to its docs.
> >
> > Are you trying to create a DSA certificate? Is "test" the
> > common name of the subject for the new certificate being
> > created? If so, you need a bunch more stuff than those three
> > lines. I attached an example.
> >
> > --
> > Rick
> >
> > On Mon, Aug 24, 2009 at 10:21:02PM -0700, aaron smith wrote:
> >> I'm trying to convert a small snippet of ruby code that handles some
> >> ssl stuff for me..
> >>
> >> The Ruby code is this:
> >>
> >> sign_dss1 = OpenSSL::Digest::DSS1.new
> >> priv = OpenSSL::PKey::DSA.new(File.read("lib/dsa_priv.pem"))
> >> priv.sign(sign_dss1, "test" )
> >>
> >> This is somewhat contrived, but this is all I'm trying to convert. The
> >> docs for pyOpenSSL don't explain that much, so I'm not even sure where
> >> to look.
> >>
> >> Thanks for your help!
> >> -A
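The key layout produced by the Ruby make_license() in this thread (base32, O to 8 and I to 9, padding stripped, groups of five), written as an added Python example that is not code from the thread or from pyOpenSSL; its parser also rejects lengths that unpadded base32 cannot produce. It assumes the raw signature bytes already exist (for instance the file written by the `openssl dgst -sign` step above); `format_license_key`, `parse_license_key` and the sample bytes are hypothetical names and constructed data.

```python
import base64
import re

# Base32 maps 5 input bytes to 8 characters. After the "=" padding is
# stripped, the only possible lengths modulo 8 are these.
_LEGAL_TAILS = {0, 2, 4, 5, 7}

# Constructed stand-in for a signature (46 bytes); NOT a real DSA signature.
SAMPLE_SIGNATURE = b"\x72\x00" + bytes(range(44))


def format_license_key(signature: bytes, group: int = 5) -> str:
    """Format raw signature bytes the way the Ruby make_license() does."""
    b32 = base64.b32encode(signature).decode("ascii")
    # The base32 alphabet is A-Z and 2-7, so 8 and 9 are unused and the
    # O->8 / I->9 substitution can be reversed without ambiguity.
    b32 = b32.replace("O", "8").replace("I", "9")
    b32 = b32.rstrip("=")
    return "-".join(b32[i:i + group] for i in range(0, len(b32), group))


def parse_license_key(key: str) -> bytes:
    """Invert format_license_key(); raise ValueError on a malformed key."""
    body = key.replace("-", "").upper()
    body = body.replace("8", "O").replace("9", "I")
    if not re.fullmatch(r"[A-Z2-7]*", body):
        raise ValueError("character outside the base32 alphabet")
    if len(body) % 8 not in _LEGAL_TAILS:
        raise ValueError("illegal base32 length: %d characters" % len(body))
    # Restore the padding that was chopped off before decoding.
    body += "=" * (-len(body) % 8)
    return base64.b32decode(body)


if __name__ == "__main__":
    key = format_license_key(SAMPLE_SIGNATURE)
    print(key)
    print(parse_license_key(key) == SAMPLE_SIGNATURE)
```

The recovered bytes are what a verifier would hand to signature verification together with the `product_code + "," + name` string; the key format itself proves nothing until that check succeeds.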
From: aaron s. <bei...@gm...> - 2009-08-25 19:48:39
Thanks for the reply. Ultimately what I'm trying to accomplish is creating a software license key.

The full ruby example is this:

    def make_license(product_code, name, copies)
      sign_dss1 = OpenSSL::Digest::DSS1.new
      priv = OpenSSL::PKey::DSA.new(File.read("lib/dsa_priv.pem"))
      b32 = Base32.encode(priv.sign(sign_dss1,
        make_license_source(product_code, name)))
      # Replace Os with 8s and Is with 9s
      # See http://members.shaw.ca/akochoi-old/blog/2004/11-07/index.html
      b32.gsub!(/O/, '8')
      b32.gsub!(/I/, '9')
      # chop off trailing padding
      b32.delete("=").scan(/.{1,5}/).join("-")
    end

    def make_license_source(product_code, name)
      product_code + "," + name
    end

I think what this is doing is creating a new dsa from a private one, the file (lib/dsa_priv.pem). It converts it to base 32, and adds in some dashes (-). Which ultimately gives me something like:
"GAWAE-FDWN3-BJHHK-KBGLL-D5SF7-6KHNP-7RWSE-C2FAC-CRR32-QB76K-T3F22-MZFGQ-LV4XA-7X423-6QJY"

On Tue, Aug 25, 2009 at 9:13 AM, Rick Dean<ri...@fd...> wrote:
>
> The automated test cases are a good place to look for
> examples. It's a directory named "test" in the pyOpenSSL
> sources.
>
> Some comments about what you are trying to accomplish
> would be useful. I don't know the Ruby API and you
> didn't link to its docs.
>
> Are you trying to create a DSA certificate? Is "test" the
> common name of the subject for the new certificate being
> created? If so, you need a bunch more stuff than those three
> lines. I attached an example.
>
> --
> Rick
>
> On Mon, Aug 24, 2009 at 10:21:02PM -0700, aaron smith wrote:
>> I'm trying to convert a small snippet of ruby code that handles some
>> ssl stuff for me..
>>
>> The Ruby code is this:
>>
>> sign_dss1 = OpenSSL::Digest::DSS1.new
>> priv = OpenSSL::PKey::DSA.new(File.read("lib/dsa_priv.pem"))
>> priv.sign(sign_dss1, "test" )
>>
>> This is somewhat contrived, but this is all I'm trying to convert. The
>> docs for pyOpenSSL don't explain that much, so I'm not even sure where
>> to look.
>>
>> Thanks for your help!
>> -A
From: Rick D. <ri...@fd...> - 2009-08-25 16:13:00
The automated test cases are a good place to look for examples. It's a directory named "test" in the pyOpenSSL sources.

Some comments about what you are trying to accomplish would be useful. I don't know the Ruby API and you didn't link to its docs.

Are you trying to create a DSA certificate? Is "test" the common name of the subject for the new certificate being created? If so, you need a bunch more stuff than those three lines. I attached an example.

--
Rick

On Mon, Aug 24, 2009 at 10:21:02PM -0700, aaron smith wrote:
> I'm trying to convert a small snippet of ruby code that handles some
> ssl stuff for me..
>
> The Ruby code is this:
>
> sign_dss1 = OpenSSL::Digest::DSS1.new
> priv = OpenSSL::PKey::DSA.new(File.read("lib/dsa_priv.pem"))
> priv.sign(sign_dss1, "test" )
>
> This is somewhat contrived, but this is all I'm trying to convert. The
> docs for pyOpenSSL don't explain that much, so I'm not even sure where
> to look.
>
> Thanks for your help!
> -A
From: aaron s. <bei...@gm...> - 2009-08-25 05:21:13
I'm trying to convert a small snippet of ruby code that handles some ssl stuff for me..

The Ruby code is this:

    sign_dss1 = OpenSSL::Digest::DSS1.new
    priv = OpenSSL::PKey::DSA.new(File.read("lib/dsa_priv.pem"))
    priv.sign(sign_dss1, "test" )

This is somewhat contrived, but this is all I'm trying to convert. The docs for pyOpenSSL don't explain that much, so I'm not even sure where to look.

Thanks for your help!
-A
From: <ex...@tw...> - 2009-08-19 17:22:30
On 04:03 pm, da...@cr... wrote:
>On Tue Aug 18 17:57:53 2009, Matthias G wrote:
>>Can someone please tell, why for god's sake I receive this error?
>>
>>-------------------------
>>Traceback (most recent call last):
>>  File "test.py", line 2, in <module>
>>    crypto.load_certificate(crypto.FILETYPE_PEM, 'client.pem')
>>OpenSSL.crypto.Error: [('PEM routines', 'PEM_read_bio', 'no start line')]
>>-------------------------
>
>Because the string 'client.pem' does not have a PEM start line...
>
>crypto.load_certificate(crypto.FILETYPE_PEM, file('client.pem').read())
>
>will do what you want.

Groan. Good catch, Dave. :)

Jean-Paul
From: Dave C. <da...@cr...> - 2009-08-19 16:15:53
On Tue Aug 18 17:57:53 2009, Matthias Güntert wrote:
> Can someone please tell, why for god's sake I receive this error?
>
> -------------------------
> Traceback (most recent call last):
>   File "test.py", line 2, in <module>
>     crypto.load_certificate(crypto.FILETYPE_PEM, 'client.pem')
> OpenSSL.crypto.Error: [('PEM routines', 'PEM_read_bio', 'no start line')]
> -------------------------

Because the string 'client.pem' does not have a PEM start line...

    crypto.load_certificate(crypto.FILETYPE_PEM, file('client.pem').read())

will do what you want.

Dave.
--
Dave Cridland - mailto:da...@cr... - xmpp:dw...@da...
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
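Why the string 'client.pem' produces "no start line", as an added example that is not pyOpenSSL code: a small standard-library PEM reader that, like the loader discussed above, works on the file's contents and not on its name. `pem_blocks`, `pem_blocks_from_file`, `NoStartLine` and the sample block are hypothetical names with constructed data, not a real certificate.

```python
import base64
import re

# One PEM block: BEGIN line, base64 body, END line carrying the same label.
_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

# Constructed payload standing in for DER bytes; NOT a real certificate.
SAMPLE_DER = b"constructed bytes, not a real certificate" * 3
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


class NoStartLine(ValueError):
    """The buffer contains no '-----BEGIN ...-----' line at all."""


def pem_blocks(buffer: str):
    """Return [(label, decoded_bytes), ...] for every PEM block in buffer.

    buffer must be the PEM text itself. A file name is just a short string
    with no BEGIN line, which is exactly the failure in the traceback.
    """
    blocks = []
    for match in _PEM_RE.finditer(buffer):
        body = "".join(match.group(2).split())  # drop line breaks
        blocks.append((match.group(1), base64.b64decode(body, validate=True)))
    if blocks:
        return blocks
    if "-----BEGIN " in buffer:
        raise ValueError("BEGIN line without a matching END line")
    hint = ""
    if "\n" not in buffer and len(buffer) < 260:
        hint = " (this looks like a file name; pass the file's contents)"
    raise NoStartLine("no start line" + hint)


def pem_blocks_from_file(path: str):
    """Read the file first, then parse what was read."""
    with open(path, "r", encoding="ascii") as handle:
        return pem_blocks(handle.read())


if __name__ == "__main__":
    print(pem_blocks(SAMPLE_PEM)[0][0])
    try:
        pem_blocks("client.pem")
    except NoStartLine as exc:
        print(exc)
```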
From: <ex...@tw...> - 2009-08-19 14:13:27
On 18 Aug, 04:57 pm, mat...@gm... wrote:
>Hello guys
>
>I am trying to open a Base64 encoded X509 certificate using the
>following two lines:

This is pretty weird. I'm able to reproduce it. Moreover, using the openssl command line tools does not produce this error, but loads (correctly, I assume) the certificate.

Was the certificate created in an unusual way? That might point more specifically at where the problem in pyOpenSSL is.

Jean-Paul
From: Matthias G. <Mat...@gm...> - 2009-08-18 16:58:08
Hello guys

I am trying to open a Base64 encoded X509 certificate using the following two lines:

-------------------------
    #!/usr/bin/python
    from OpenSSL import *
    crypto.load_certificate(crypto.FILETYPE_PEM, 'client.pem')
-------------------------

Can someone please tell, why for god's sake I receive this error?

-------------------------
    Traceback (most recent call last):
      File "test.py", line 2, in <module>
        crypto.load_certificate(crypto.FILETYPE_PEM, 'client.pem')
    OpenSSL.crypto.Error: [('PEM routines', 'PEM_read_bio', 'no start line')]
-------------------------

I am using the latest pyOpenSSL modules (version 0.9) and OpenSSL version 'OpenSSL 0.9.8k-fips 25 Mar 2009'

This is what my test certificate looks like

    $ cat client.pem
    -----BEGIN CERTIFICATE-----
    [base64 certificate body omitted]
    -----END CERTIFICATE-----
From: William H. <wg...@gm...> - 2009-08-14 00:03:37
Hi All,

I can't seem to figure out how to do the exact same thing occurring in the following ruby code via the openssl command line or python code:

    #!/usr/bin/ruby
    require 'base64'
    require 'openssl'

    decrypted_key = File.read('decrypted_key1.txt')
    encrypted_tkt = File.read('encrypted_ticket.txt')

    cipher = OpenSSL::Cipher::Cipher.new( 'AES-128-CBC' )
    cipher.decrypt
    cipher.key = decrypted_key
    cipher.padding = 0
    ciphertext = Base64::decode64( encrypted_tkt )
    cipher.iv = ciphertext[0,cipher.iv_len]
    ciphertext = ciphertext[cipher.iv_len..-1]
    @decrypted_ticket = cipher.update( ciphertext ) + cipher.final

    # number of padding bytes at the end of the cleartext is recorded in the last byte
    last_byte = @decrypted_ticket[-1]
    @decrypted_ticket = @decrypted_ticket[0..-last_byte-1]

    # decrypted value is itself an xml document
    print @decrypted_ticket

I tried this;

    openssl enc -d -aes-128-cbc -a -in cipher2.txt -pass file:decrypted_key1.txt

This did not work, any ideas?

-Tim
From: eGenix T. M.-A. L. <in...@eg...> - 2009-08-04 20:37:41
________________________________________________________________________

ANNOUNCING

eGenix.com pyOpenSSL Distribution

Version 0.9.0-0.9.8k

An easy to install and use repackaged distribution of the pyOpenSSL Python interface for OpenSSL - available on Windows, Mac OS X and Unix platforms

This announcement is also available on our web-site for online reading:
http://www.egenix.com/company/news/eGenix-pyOpenSSL-Distribution-0.9.0-0.9.8k-1-Update.html

________________________________________________________________________

INTRODUCTION

The eGenix.com pyOpenSSL Distribution includes everything you need to get started with SSL in Python. It comes with an easy to use installer that includes the most recent OpenSSL library versions in pre-compiled form.

pyOpenSSL is an open-source Python add-on (http://pyopenssl.sf.net/) that allows writing SSL aware networking applications as well as certificate management tools.

OpenSSL is an open-source implementation of the SSL protocol (http://www.openssl.org/).

For more information, please see the product page:
http://www.egenix.com/products/python/pyOpenSSL/

________________________________________________________________________

NEWS

Due to popular demand, we've added .egg file versions for Windows and Linux to the available download options. This should make things easier for people using e.g. zc.buildout and other egg-file based installers.

As always, binaries include both pyOpenSSL and the necessary OpenSSL libraries.

________________________________________________________________________

DOWNLOADS

The download archives and instructions for installing the package can be found at:
http://www.egenix.com/products/python/pyOpenSSL/

________________________________________________________________________

UPGRADING

Before installing this version of pyOpenSSL, please make sure that you uninstall any previously installed pyOpenSSL version. Otherwise, you could end up not using the included OpenSSL libs.

_______________________________________________________________________

SUPPORT

Commercial support for these packages is available from eGenix.com. Please see http://www.egenix.com/services/support/ for details about our support offerings.

Enjoy,
--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, Aug 04 2009)
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/
From: M.-A. L. <ma...@eg...> - 2009-08-04 20:35:31
Zooko Wilcox-O'Hearn wrote:
> On Tuesday,2009-08-04, at 13:32 , M.-A. Lemburg wrote:
>
>> You're missing the point: The PSF can get into trouble for making
>> crypto code available via their website without complying to existing
>> laws and regulations.
>
> I'm sorry if I am being obtuse, but I really don't understand what this
> has to do with Jean-Paul's decisions. You originally raised this issue
> when you wrote in an earlier mail:
>
>> Note that uploading pyOpenSSL eggs to PyPI could result in legal
>> problems for the PSF due to export restrictions. I'm not sure that's
>> such a good idea. In any case, you'd have to let the PSF know in advance.
>
> Do you have any specific reason to believe that this could result in
> legal problems for the PSF?

Well, yes, otherwise I wouldn't have mentioned them: PyPI doesn't restrict downloads from countries on the UN embargo list, nor does it ask for compliance with export regulations.

> Your earlier note suggested that maybe PSF
> would be in the clear if the relevant laws about "software in the public
> domain" applied to open source software like pyOpenSSL, and if the
> Netherlands (which has jurisdiction over the PyPI servers) didn't have
> some other laws that we're unaware of which would make it illegal. So
> as far as anyone has stated in this discussion, there is no reason to
> believe that it is a legal problem for the PSF.

I can't say whether there is a problem or not. The PSF will have to ask a lawyer about these things and, of course, has to get a chance to do so prior to accepting such uploads.

It's well possible that there is no problem, or that the PSF would have to file a notice with the BIS to get things cleared for open source releases like pyOpenSSL.

I'm not aware of a previous attempt to get this cleared up for the PSF, so now is a good chance to get these questions sorted out.

eGenix has gone through a clearing procedure for our pyOpenSSL distribution as well as our products using pyOpenSSL. The German authorities gave us green light based on the GSN clause. Things may be different in the US, though.

> And why would JP have to let the PSF know in advance? Do you mean that
> he "ought" to let the PSF know in advance in order to be polite to them?

PyPI is a service provided by the PSF, so if you know that an upload could cause trouble for the PSF, it's only fair to inform them first.

--
Marc-Andre Lemburg
eGenix.com
From: Zooko Wilcox-O'H. <zo...@zo...> - 2009-08-04 20:03:05
On Tuesday,2009-08-04, at 13:32 , M.-A. Lemburg wrote:

> You're missing the point: The PSF can get into trouble for making
> crypto code available via their website without complying to
> existing laws and regulations.

I'm sorry if I am being obtuse, but I really don't understand what this has to do with Jean-Paul's decisions. You originally raised this issue when you wrote in an earlier mail:

> Note that uploading pyOpenSSL eggs to PyPI could result in legal
> problems for the PSF due to export restrictions. I'm not sure
> that's such a good idea. In any case, you'd have to let the PSF
> know in advance.

Do you have any specific reason to believe that this could result in legal problems for the PSF? Your earlier note suggested that maybe PSF would be in the clear if the relevant laws about "software in the public domain" applied to open source software like pyOpenSSL, and if the Netherlands (which has jurisdiction over the PyPI servers) didn't have some other laws that we're unaware of which would make it illegal. So as far as anyone has stated in this discussion, there is no reason to believe that it is a legal problem for the PSF.

And why would JP have to let the PSF know in advance? Do you mean that he "ought" to let the PSF know in advance in order to be polite to them? I didn't let the PSF know in advance when I uploaded pycryptopp to PyPI, and I don't think that I had to nor that I ought to.

Regards,

Zooko Wilcox-O'Hearn
From: M.-A. L. <ma...@eg...> - 2009-08-04 19:32:45
Zooko Wilcox-O'Hearn wrote:
> On Tuesday,2009-08-04, at 12:04 , M.-A. Lemburg wrote:
>
>> Whether export regulations are good or bad is not the question and
>> we're not the ones making the laws.
>
> I'm a bit confused -- I never said anything about making laws. I said
> that no open source programmer, as far as I can tell, is spending the
> time and effort to obey the laws, and that I approved. My advice to JP
> Calderone is to upload crypto to the Net without first notifying the US
> Bureau of Export Controls, and then see if he gets arrested. That's
> what I've been doing -- http://pypi.python.org/pypi/pycryptopp -- and I
> haven't gotten arrested yet.

You're missing the point: The PSF can get into trouble for making crypto code available via their website without complying to existing laws and regulations.

>> However, the PSF runs PyPI and as legal entity it has to follow the
>> rules whatever they are.
>
> How does this impact JP Calderone's decision to upload or not upload
> pyOpenSSL? If the PSF wants to make sure that all of the packages
> hosted on PyPI are legal, then they have a heck of a research job to do
> -- there are how many packages? Tens of thousands? And nobody from PSF
> has ever examined them for legality. If the PSF wants all uploaders to
> first make sure that their uploads are legal, then they have a heck of a
> user education job to do, because currently it looks like dozens of
> people at least have uploaded crypto to PyPI, and I'm willing to bet not
> one of them has notified the BXA.

The PSF has been careful about these things in the past and we did notify the BIS (formerly BXA) of the fact that the Python distribution included crypto code and some installers ship with OpenSSL.

We haven't done that for the things on PyPI because last time we did check, PyPI did not host any crypto code or only bindings for it.

--
Marc-Andre Lemburg
eGenix.com
From: Zooko Wilcox-O'H. <zo...@zo...> - 2009-08-04 18:48:49
On Tuesday,2009-08-04, at 12:04 , M.-A. Lemburg wrote:

> Whether export regulations are good or bad is not the question and
> we're not the ones making the laws.

I'm a bit confused -- I never said anything about making laws. I said that no open source programmer, as far as I can tell, is spending the time and effort to obey the laws, and that I approved. My advice to JP Calderone is to upload crypto to the Net without first notifying the US Bureau of Export Controls, and then see if he gets arrested. That's what I've been doing -- http://pypi.python.org/pypi/pycryptopp -- and I haven't gotten arrested yet.

> However, the PSF runs PyPI and as legal entity it has to follow the
> rules whatever they are.

How does this impact JP Calderone's decision to upload or not upload pyOpenSSL? If the PSF wants to make sure that all of the packages hosted on PyPI are legal, then they have a heck of a research job to do -- there are how many packages? Tens of thousands? And nobody from PSF has ever examined them for legality. If the PSF wants all uploaders to first make sure that their uploads are legal, then they have a heck of a user education job to do, because currently it looks like dozens of people at least have uploaded crypto to PyPI, and I'm willing to bet not one of them has notified the BXA.

And, just to be clear, this makes me happy. Not because I think that I'm the one making the laws, but because I think it is a good thing that this law is being widely violated.

Regards,

Zooko Wilcox-O'Hearn
From: M.-A. L. <ma...@eg...> - 2009-08-04 18:04:37
Zooko Wilcox-O'Hearn wrote:
> On Tuesday,2009-08-04, at 3:49 , M.-A. Lemburg wrote:
>
>> Note that uploading pyOpenSSL eggs to PyPI could result in legal
>> problems for the PSF due to export restrictions. I'm not sure that's
>> such a good idea. In any case, you'd have to let the PSF know in advance.
>
> A quick glance at the results of a search for "crypt" suggests that pypi
> already hosts dozens of crypto packages. I think that the crypto export
> regulations from the USA are now routinely ignored by more or less
> everyone on the Internet, which is how it should be.
>
> Also, they changed the regulations last year and I still haven't gotten
> around to reading about the new rules, so for all I know what PSF is
> currently doing is legal. Or maybe it is even more illegal than it was
> before. Who cares?

Whether export regulations are good or bad is not the question and we're not the ones making the laws.

However, the PSF runs PyPI and as legal entity it has to follow the rules whatever they are.

PyPI itself is hosted in the Netherlands, so the EU regulations apply for things being downloaded from PyPI:

http://www.ez.nl/english/Subjects/Exportcontrols

These are based on the Wassenaar Arrangement:

http://www.wassenaar.org/

There's a GENERAL SOFTWARE NOTE in the EU regulations that applies to all software "in the public domain", but this term is not very well defined. The GSN basically removes such software from being controlled

http://ec.europa.eu/trade/issues/sectoral/industry/dualuse/index_en.htm

I don't know whether the Netherlands have any extra requirements.

The current regulations for the US require filing a notification of all exported and re-exported OSS crypto software (including any crypto software being uploaded to PyPI from the US):

http://www.bis.doc.gov/encryption/pubavailencsourcecodenofify.html

--
Marc-Andre Lemburg
eGenix.com
From: Zooko Wilcox-O'H. <zo...@zo...> - 2009-08-04 14:55:32
On Tuesday,2009-08-04, at 3:49 , M.-A. Lemburg wrote:

> Note that uploading pyOpenSSL eggs to PyPI could result in legal
> problems for the PSF due to export restrictions. I'm not sure
> that's such a good idea. In any case, you'd have to let the PSF
> know in advance.

A quick glance at the results of a search for "crypt" suggests that pypi already hosts dozens of crypto packages. I think that the crypto export regulations from the USA are now routinely ignored by more or less everyone on the Internet, which is how it should be.

Also, they changed the regulations last year and I still haven't gotten around to reading about the new rules, so for all I know what PSF is currently doing is legal. Or maybe it is even more illegal than it was before. Who cares?

Regards,

Zooko
From: M.-A. L. <ma...@eg...> - 2009-08-04 10:20:17
Jean-Paul Calderone wrote:
> Hey all,
>
> I've been working on making the Windows installation process for pyOpenSSL
> a bit simpler.
>
> At the bottom of <https://bugs.launchpad.net/pyopenssl/+bug/238658> there
> are links for exe, msi, and egg distributions of pyOpenSSL for Python 2.5
> and Python 2.6. These should work on a Windows machine even if OpenSSL
> hasn't been installed separately.
>
> Any testing anyone can do of these would be much appreciated.

I wonder why you are going through the same cycles we have in order to package pyOpenSSL instead of just using our installers.

http://www.egenix.com/products/python/pyOpenSSL/

If all that's missing are egg files to install, we can add those as well (and we don't need setuptools for that, so you can continue working with your usual unhacked distutils setup).

Note that uploading pyOpenSSL eggs to PyPI could result in legal problems for the PSF due to export restrictions. I'm not sure that's such a good idea. In any case, you'd have to let the PSF know in advance.

--
Marc-Andre Lemburg
eGenix.com
From: Jean-Paul C. <ex...@di...> - 2009-07-23 14:32:59
|
Hey all,

I've been working on making the Windows installation process for pyOpenSSL a bit simpler.

At the bottom of <https://bugs.launchpad.net/pyopenssl/+bug/238658> there are links for exe, msi, and egg distributions of pyOpenSSL for Python 2.5 and Python 2.6. These should work on a Windows machine even if OpenSSL hasn't been installed separately.

Any testing anyone can do of these would be much appreciated.

Thanks,

Jean-Paul
|
From: Phil M. <p.m...@im...> - 2009-07-20 17:47:09
|
Rick Dean wrote:
> Hey Phil Mayers,
>
> I believe your patch leaks objects when
> setting a certificate or key of a PKCS12
> when one is already set?

It's probably worth re-emphasising; it's not really my patch. It's really just a forward-port (of a forward-port) of Arnaud Desmons' original PKCS12 & CRL patch.

Really, I've done very little work on it; just what was required for the patch to apply against the pyOpenSSL trunk and compile/work.

You might be right about the PKCS12, but I wouldn't know - I barely looked at it. I'm only really interested in CRL support.

>
> I have worked on a PKCS12 patch as well, that
> includes a larger API such as the CA certs and
> friendly name. Would you please have a look?
>
> https://code.launchpad.net/~rick-fdd/pyopenssl/pkcs12_mod_and_export2
>

It'll be next week before I have any more time to devote, but I'll try to take a look.
|
From: Rick D. <ri...@fd...> - 2009-07-20 17:42:12
|
Hey Phil Mayers,

I believe your patch leaks objects when setting a certificate or key of a PKCS12 when one is already set?

I have worked on a PKCS12 patch as well, that includes a larger API such as the CA certs and friendly name. Would you please have a look?

https://code.launchpad.net/~rick-fdd/pyopenssl/pkcs12_mod_and_export2

--
Rick
|
From: Jean-Paul C. <ex...@di...> - 2009-07-18 01:55:33
|
On Mon, 13 Jul 2009 23:06:04 +0100, Phil Mayers <p.m...@im...> wrote:
>> Looking at <https://code.launchpad.net/pyopenssl>, I see that there are
>> presently four different branches related to either CRL or PKCS12.
>>
>> lp:~exarkun/pyopenssl/pkcs12-crl
>> lp:~arnaud-desmons/pyopenssl/pkcs12
>> lp:~rick-fdd/pyopenssl/pkcs12_mod_and_export
>> lp:~sebvieira/pyopenssl/pkcs12-crl-0.8
>
>I believe at least 3 of those are actually the same patch; numbers 1 &
>2, and 3 is a forward-port to 0.8
>
>My work was just a quick port (again) of the 0.8 branch to the 0.9
>release code.

Hm, if I'd had my head on straight, I would have pinged Rick (owner of branch number 3) and made sure he coordinated with you in this effort. Instead, I only just now realized that you and he have some PKCS12 overlap in the work you're doing.

Looking at his branch (not the one above though, he has since created a newer one with a "2" on the end) and yours, I think his PKCS12 code is more complete overall. However, it could still benefit from some of the things your version does (you have better type checking code, I think). I'm going to point him at your work along with my other feedback.

Once the PKCS12 stuff is out of the way, I'll dig into the CRL parts of your branch more (I've still only just skimmed them).

There is currently a PKCS12 ticket, I see:

https://bugs.launchpad.net/pyopenssl/+bug/349304

I also now see that there is a ticket which talks about CRLs! The summary didn't make this obvious so I missed/forgot about it. It has a patch attached which I haven't looked at at all yet. The ticket is

https://bugs.launchpad.net/pyopenssl/+bug/385178

And to keep things interesting, it sounds like it mixes in a bunch of PKCS7 changes.

> [snip]
>
>Do you have C indent preferences?
>

I wish I did. I think I'm leaning towards 4 space indents. However, if you're modifying existing code, go with the local prevailing convention. I'm trying to keep things consistent, but I'm sure I'm failing at that in places.

Apologies again for not pointing out those two tickets in my previous message.

Jean-Paul
|
From: Phil M. <p.m...@im...> - 2009-07-13 22:06:17
|
> Looking at <https://code.launchpad.net/pyopenssl>, I see that there are
> presently four different branches related to either CRL or PKCS12.
>
> lp:~exarkun/pyopenssl/pkcs12-crl
> lp:~arnaud-desmons/pyopenssl/pkcs12
> lp:~rick-fdd/pyopenssl/pkcs12_mod_and_export
> lp:~sebvieira/pyopenssl/pkcs12-crl-0.8

I believe at least 3 of those are actually the same patch; numbers 1 & 2, and 3 is a forward-port to 0.8

My work was just a quick port (again) of the 0.8 branch to the 0.9 release code.

> * File a ticket! Right now it's not really clear what the goal of all
> this work is. It has something to do with "CRL" and "PKCS12" clearly,
> but writing down something more specific than that will make it possible
> to figure out what's going on, how the branches that exist related to it,
> and whether or not the goal has been achieved.

Well, to be honest I'm much less interested in pkcs12 (though I can see it's useful) but I'll have a crack at two tickets.

>
> * Review the APIs for sensibleness and general-purposeness. Do they
> expose the underlying OpenSSL APIs in a way that's generally useful,
> with introduced arbitrary limitations? As someone who knows a bit
> about CRLs and PKCS12 (I assume - since you wrote a CA ;), hopefully
> this should be easy for you.

Hmm. To be honest, having spent several hours today fooling with BIO* and similar, I intensely dislike most of the OpenSSL APIs, so the less they reflect them... ;o)

But I take the point - a sensible, pythonic api.

>
> * Add unit tests for *all* new code and for any old code which is being
> modified and is not already tested.
>
> * Add documentation for the new APIs (doc/pyOpenSSL.tex is the doc source,
> the rest of the files in doc/ are generated).

Ack. Tex...

I've had a first go at the code; I've added a single test for the CRL.

https://code.launchpad.net/~phil-mayers/pyopenssl/crl+morepkcs12

I'm pretty sure it's not the best API layout, but I had a couple of hours free and wanted to get something basic working tonight; I'll try and write a ticket and think about the API tomorrow.

Do you have C indent preferences?
|
From: Jean-Paul C. <ex...@di...> - 2009-07-09 13:54:37
|
On Thu, 09 Jul 2009 12:39:48 +0100, Phil Mayers <p.m...@im...> wrote:
>All,
>
>I've written a little CLI-based micro CA in pyOpenSSL, but I needed CRL
>support since Vista insists on the CRL being in place for certain types of
>certs (e.g. SSL)
>
>I had to forward-port the existing CRL/PKCS12 patch, which was not hard
>but not huge fun...
>
>What can I do to help get this patch in mainline?

Hi Phil,

Thanks for volunteering. I don't know when I would have gotten to this. Probably not soon. :)

>I understand development is now Launchpad/bzr-based; this is unfortunate
>since I apparently have a cognitive block that causes me to fail utterly
>in driving both tools - but I'm quite capable of coding, including (I
>hope) writing the unit tests and so forth.
>
>If someone can give me a quick pointer as to what is desired, I'll have
>a crack at it.
>

Looking at <https://code.launchpad.net/pyopenssl>, I see that there are presently four different branches related to either CRL or PKCS12.

    lp:~exarkun/pyopenssl/pkcs12-crl
    lp:~arnaud-desmons/pyopenssl/pkcs12
    lp:~rick-fdd/pyopenssl/pkcs12_mod_and_export
    lp:~sebvieira/pyopenssl/pkcs12-crl-0.8

This is a rather unfortunate state. Which patch did you port forward, and what did you port it forward to? Of the above branches, I only really know about the first - it's a branch I created a long time ago and only applied Arnaud Desmons' patch to.

There are a few things beyond what the original patch did which you can do to help get it landed in trunk:

* File a ticket! Right now it's not really clear what the goal of all this work is. It has something to do with "CRL" and "PKCS12" clearly, but writing down something more specific than that will make it possible to figure out what's going on, how the branches that exist related to it, and whether or not the goal has been achieved.

* Review the APIs for sensibleness and general-purposeness. Do they expose the underlying OpenSSL APIs in a way that's generally useful, with introduced arbitrary limitations? As someone who knows a bit about CRLs and PKCS12 (I assume - since you wrote a CA ;), hopefully this should be easy for you.

* Add unit tests for *all* new code and for any old code which is being modified and is not already tested.

* Add documentation for the new APIs (doc/pyOpenSSL.tex is the doc source, the rest of the files in doc/ are generated).

As far as bzr and launchpad go, it's pretty easy (but I sympathize with your position - it's too bad we have to know how to use 3 or 4 or more different version control systems these days). Maybe I can help a bit.

To start, to get some code to start modifying, you want to create a branch of something in launchpad. If you want to try to apply your updated patch to trunk (which would be ideal), then you want to do

    bzr branch lp:pyopenssl

This will create a "pyopenssl" directory with the checkout in it. Then apply your patch, do your hacking, whatever. At some point you'll want to put your changes into version control. Somewhere under that "pyopenssl" directory, do

    bzr commit -m "<message>"

Or you can leave off the -m to get an editor to write your commit message in. Repeat edit/commit as many times as you need. When you think you're done and you want someone else to take a look, push the branch back to launchpad. Somewhere beneath that "pyopenssl" directory do

    bzr push lp:~username/pyopenssl/branchname

Replace "username" with your Launchpad username. Replace "branchname" with the name you want to associate with this branch. If you haven't previously told bzr about your launchpad credentials, you'll need to do

    bzr launchpad-login

first.

And if you'd rather just send patches around, I don't have a problem with that.

Thanks,

Jean-Paul
|
From: Phil M. <p.m...@im...> - 2009-07-09 12:16:09
|
All,

I've written a little CLI-based micro CA in pyOpenSSL, but I needed CRL support since Vista insists on the CRL being in place for certain types of certs (e.g. SSL)

I had to forward-port the existing CRL/PKCS12 patch, which was not hard but not huge fun...

What can I do to help get this patch in mainline?

I understand development is now Launchpad/bzr-based; this is unfortunate since I apparently have a cognitive block that causes me to fail utterly in driving both tools - but I'm quite capable of coding, including (I hope) writing the unit tests and so forth.

If someone can give me a quick pointer as to what is desired, I'll have a crack at it.
|
From: eGenix T. M.-A. L. <in...@eg...> - 2009-06-11 09:52:04
|
________________________________________________________________________

ANNOUNCING

eGenix.com pyOpenSSL Distribution

Version 0.9.0-0.9.8k

An easy to install and use repackaged distribution of the pyOpenSSL Python interface for OpenSSL - available on Windows, Mac OS X and Unix platforms

This announcement is also available on our web-site for online reading:
http://www.egenix.com/company/news/eGenix-pyOpenSSL-Distribution-0.9.0-0.9.8k-1-GA.html

________________________________________________________________________

INTRODUCTION

The eGenix.com pyOpenSSL Distribution includes everything you need to get started with SSL in Python. It comes with an easy to use installer that includes the most recent OpenSSL library versions in pre-compiled form.

pyOpenSSL is an open-source Python add-on (http://pyopenssl.sf.net/) that allows writing SSL aware networking applications as well as certificate management tools.

OpenSSL is an open-source implementation of the SSL protocol (http://www.openssl.org/).

For more information, please see the product page:

http://www.egenix.com/products/python/pyOpenSSL/

________________________________________________________________________

NEWS

This new release of the eGenix.com pyOpenSSL Distribution updates the included pyOpenSSL version to 0.9, which includes a new fix for a serious problem in pyOpenSSL 0.8 related to threaded applications.

It also comes with an important bug-fix update of OpenSSL, now at version 0.9.8k.

The problem causes invalid thread states in the Python interpreter which then result in random core dumps and seg faults when using pyOpenSSL 0.8.0 with multi-threaded applications.

The new fix is slightly different than the one we included in 0.8.1 and based on a code analysis we did together with Jean-Paul Calderone to track down the cause of the problem.

Binaries are available for Linux x86 and x64 as well as Windows x86 and Mac OS X PPC/Intel. They include both pyOpenSSL and the necessary OpenSSL libraries.

For Plone users and friends of buildout scripts, we have added pre-built binaries for Windows. They install just like the Linux versions and allow easy integration of the archives into buildout scripts.

For our Mac OS X users, we have included new pre-built binaries for Mac OS X PPC and Intel platforms.

________________________________________________________________________

DOWNLOADS

The download archives and instructions for installing the package can be found at:

http://www.egenix.com/products/python/pyOpenSSL/

________________________________________________________________________

UPGRADING

Before installing this version of pyOpenSSL, please make sure that you uninstall any previously installed pyOpenSSL version. Otherwise, you could end up not using the included OpenSSL libs.

________________________________________________________________________

SUPPORT

Commercial support for these packages is available from eGenix.com. Please see

http://www.egenix.com/services/support/

for details about our support offerings.

Enjoy,

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, Jun 11 2009)
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________
2009-06-29: EuroPython 2009, Birmingham, UK 17 days to go

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/
|