From: <arn...@fr...> - 2008-09-10 15:43:03
|
My idea was to split pkcs12 and crl into separate branches because pkcs12-crl name was already used and I did not have upload rights on it.

pkcs12-crl is not up to date regarding documentation, tests, and the "PY_DECREF bug".

If you think that splitting PKCS12 and CRL is useless I can update your pkcs12-crl branch. Otherwise remove pkcs12-crl.

Regards,
--
Arnaud

----- Original Message -----
From: "Jean-Paul Calderone" <ex...@di...>
To: pyo...@li...
Sent: Wednesday, 10 September 2008 15:22:41 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: [pyOpenSSL] PKCS12 bzr branch

On Wed, 10 Sep 2008 10:11:24 +0200 (CEST), arn...@fr... wrote:
>Hi,
>
>I put my PKCS12 patch into a new bzr branch :
>https://code.launchpad.net/~arnaud-desmons/pyopenssl/pkcs12
>
>The is documented but I still have to code unit tests.
>

Hi Arnaud,

Is this code the same as the code in <https://code.launchpad.net/~exarkun/pyopenssl/pkcs12-crl>? (It's fine if you have a branch for this, I just want to make sure I don't duplicate any work you might do in a different branch).

Jean-Paul |
From: Jean-Paul C. <ex...@di...> - 2008-09-10 13:22:49
|
On Wed, 10 Sep 2008 10:11:24 +0200 (CEST), arn...@fr... wrote:
>Hi,
>
>I put my PKCS12 patch into a new bzr branch :
>https://code.launchpad.net/~arnaud-desmons/pyopenssl/pkcs12
>
>The is documented but I still have to code unit tests.
>

Hi Arnaud,

Is this code the same as the code in <https://code.launchpad.net/~exarkun/pyopenssl/pkcs12-crl>? (It's fine if you have a branch for this, I just want to make sure I don't duplicate any work you might do in a different branch).

Jean-Paul |
From: Alex S. <ale...@pr...> - 2008-09-10 10:28:00
|
http://prol.etari.at/pyopenssl/crypto_dump_publickey.patch

    def dump_public_key(type, pkey): ...

It's just like dump_privatekey except without the encryption arguments.

--
Alex Stapleton |
From: <arn...@fr...> - 2008-09-10 08:11:30
|
Hi,

I put my PKCS12 patch into a new bzr branch :
https://code.launchpad.net/~arnaud-desmons/pyopenssl/pkcs12

The is documented but I still have to code unit tests.

Regards, |
From: Alex S. <ale...@pr...> - 2008-09-09 23:25:55
|
http://prol.etari.at/pyopenssl/X509Extension_get_type_name.patch

This patch adds a method to the X509Extension class to return the short name (e.g. basicConstraints) of the extension.

--
Alex Stapleton |
From: Jean-Paul C. <ex...@di...> - 2008-09-09 13:06:13
|
On Tue, 9 Sep 2008 09:05:35 +0100, Alex Stapleton <ale...@pr...> wrote:
>Hopefully this isn't redundant, it's a bit hard to track exactly what's
>going on with this project lately.
>
>I have made a patch to fix the X509Extension issue that was recently
>reported against 0.7. The code for them mostly comes from reading
>OpenSSL source, in particular the v3_conf.c file.
>
>You can find it here http://prol.etari.at/pyopenssl/ there is also a
>file that adds a rather crude test for the issue to the crypto test
>suite.
>

Hi Alex, thanks for the patch (especially the test :).

>Is there a proper bug tracker, source control or anything for this
>project right now?
>

I'm paying attention to both sourceforge and launchpad, but I prefer activity on launchpad. I saw the issue you filed there and I'll take a look at the patch as soon as I get a chance.

Thanks again,

Jean-Paul |
From: Alex S. <ale...@pr...> - 2008-09-09 08:05:31
|
Hopefully this isn't redundant, it's a bit hard to track exactly what's going on with this project lately.

I have made a patch to fix the X509Extension issue that was recently reported against 0.7. The code for them mostly comes from reading OpenSSL source, in particular the v3_conf.c file.

You can find it here http://prol.etari.at/pyopenssl/ there is also a file that adds a rather crude test for the issue to the crypto test suite.

Is there a proper bug tracker, source control or anything for this project right now?

--
Alex Stapleton |
From: Jean-Paul C. <ex...@di...> - 2008-08-22 16:26:12
|
On Fri, 22 Aug 2008 17:08:25 +0100, Edward Tait <et...@go...> wrote:
>I have managed to add support for the EVP_sign* and EVP_verify* routines to
>pyOpenSSL, is there any interest in my sending in a patch?
>

Sure. https://launchpad.net/pyopenssl

Jean-Paul |
From: Edward T. <et...@go...> - 2008-08-22 16:08:17
|
I have managed to add support for the EVP_sign* and EVP_verify* routines to pyOpenSSL, is there any interest in my sending in a patch? |
From: Jean-Paul C. <ex...@di...> - 2008-07-03 14:23:53
|
On Thu, 3 Jul 2008 15:53:46 +0300, BRACHET Maxime <mi...@gm...> wrote:
>Hi,
>
>If the Subject contains multiple CNs, X509Name.CN returns only the first.
>In the RFC 3820 part 3.4 : http://www.ietf.org/rfc/rfc3820.txt
>To generate a Proxy certificate I need to add a CN to the subject.
>MyProxy is a Proxy Credential Server : http://grid.ncsa.uiuc.edu/myproxy/
>
>I can add a new one by doing
>cert.get_subject().CN += '/CN=foo'
>
>but it is not really a proper way.
>
>Thanks for your response.
>Maxime.

Ah, thanks for explaining. I haven't seen that RFC before. I have a bit of trouble following section 3.4. My naive reading suggests that something like this would be correct:

    subject = cert.get_subject()
    issuer = cacert.get_issuer()
    for k, v in issuer.get_components():
        setattr(subject, k, v)
    subject.CN = 'foo'

However, I'm not very confident that this is a correct interpretation (or that it even makes any kind of sense).

You are right that the API for modifying X509Name objects in pyOpenSSL is limited and missing certain functionality. If it's necessary to add a new API for appending a new component to an X509Name to support this, I'd be happy to accept a patch for this (I may even be interested in working on it myself once I have a better understanding of the requirements).

Sorry I couldn't give a more definite answer.

Jean-Paul |
From: BRACHET M. <mi...@gm...> - 2008-07-03 12:53:39
|
Hi,

If the Subject contains multiple CNs, X509Name.CN returns only the first.
In the RFC 3820 part 3.4 : http://www.ietf.org/rfc/rfc3820.txt
To generate a Proxy certificate I need to add a CN to the subject.
MyProxy is a Proxy Credential Server : http://grid.ncsa.uiuc.edu/myproxy/

I can add a new one by doing

    cert.get_subject().CN += '/CN=foo'

but it is not really a proper way.

Thanks for your response.
Maxime.

2008/7/3, Jean-Paul Calderone <ex...@di...>:
> On Thu, 3 Jul 2008 15:22:29 +0300, BRACHET Maxime <mi...@gm...> wrote:
>>Hi,
>>
>>> Hi everybody,
>>>
>>> I am new to this mailing list.
>>> I have a quite simple problem,
>>> I get a Certificate Request from a MyProxy server to sign it in order to
>>> create a Proxy certificate.
>>> But I must overwrite the subject of the MyProxy request to fulfill the
>>> requirements.
>>> I get the Request in a x509req Object, but this object does not provide a
>>> method like set_subject().
>>>
>>> How can I do ?
>>
>>It seems that I misunderstand what to do.
>>I create a new x509 certificate using request information, but I need to
>>add a CN to my subject and the x509Name does not provide any methods to do
>>this.
>>Any ideas ?
>
> X509Name instances can have attributes like CN set on them directly:
>
>     >>> from OpenSSL.crypto import X509
>     >>> cert = X509()
>     >>> cert.get_subject().CN = 'foo'
>     >>> cert.get_subject()
>     <X509Name object '/CN=foo'>
>
> It doesn't seem correct that you need to change anything about the X509Req,
> though. If it has the wrong parameters, then it needs to be regenerated by
> the MyProxy server/user (I don't know what MyProxy is). If you change it
> and sign the result, then it will disagree with the private part which was
> generated along with it.
>
> Jean-Paul |
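An added example, not part of the thread or of pyOpenSSL: RFC 3820 section 3.4 requires a proxy certificate's subject to be the issuing certificate's subject with a single CN component appended, and this sketch builds and checks that on component lists, showing that a CN value containing the text "/CN=..." renders the same in one-line form yet is still one component. The helper names and sample values are hypothetical, and names are modelled as (field, value) string pairs, the shape X509Name.get_components() is assumed to return, rather than as live X509Name objects.

```python
# Added example: names are lists of (field, value) pairs in certificate
# order (assumed shape of X509Name.get_components() output).

def oneline(components):
    """Render components in the '/K=V' one-line form shown in the thread."""
    return "".join("/%s=%s" % (k, v) for k, v in components)


def proxy_subject(issuer_subject, proxy_cn):
    """Build a proxy subject: the issuing certificate's subject, unchanged,
    with exactly one CN component appended (RFC 3820 section 3.4)."""
    if not proxy_cn:
        raise ValueError("proxy CN must be non-empty")
    return list(issuer_subject) + [("CN", proxy_cn)]


def check_proxy_subject(issuer_subject, candidate):
    """Return a list of problems; an empty list means the candidate fits."""
    issuer_subject, candidate = list(issuer_subject), list(candidate)
    problems = []
    n = len(issuer_subject)
    if candidate[:n] != issuer_subject:
        problems.append("issuer subject is not an exact prefix")
    if len(candidate) != n + 1:
        problems.append("expected %d components, found %d"
                        % (n + 1, len(candidate)))
    elif candidate[-1][0] != "CN" or not candidate[-1][1]:
        problems.append("appended component is not a non-empty CN")
    return problems


# Constructed sample data, not taken from any real certificate.
ISSUER = [("C", "FR"), ("O", "Example Grid"), ("CN", "alice")]
APPENDED = proxy_subject(ISSUER, "12345")
# A single CN whose *value* contains "/CN=12345": two names that print
# identically but differ in structure.
CONCATENATED = ISSUER[:-1] + [("CN", "alice/CN=12345")]

if __name__ == "__main__":
    for name in (APPENDED, CONCATENATED):
        print(oneline(name), len(name), check_proxy_subject(ISSUER, name))
```

Comparing component lists rather than the one-line string is what lets a verifier tell the two names apart.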
From: Jean-Paul C. <ex...@di...> - 2008-07-03 12:37:25
|
On Thu, 3 Jul 2008 15:22:29 +0300, BRACHET Maxime <mi...@gm...> wrote:
>Hi,
>
>> Hi everybody,
>>
>> I am new to this mailing list.
>> I have a quite simple problem,
>> I get a Certificate Request from a MyProxy server to sign it in order to
>> create a Proxy certificate.
>> But I must overwrite the subject of the MyProxy request to fulfill the
>> requirements.
>> I get the Request in a x509req Object, but this object does not provide a
>> method like set_subject().
>>
>> How can I do ?
>
>It seems that I misunderstand what to do.
>I create a new x509 certificate using request information, but I need to
>add a CN to my subject and the x509Name does not provide any methods to do
>this.
>Any ideas ?

X509Name instances can have attributes like CN set on them directly:

    >>> from OpenSSL.crypto import X509
    >>> cert = X509()
    >>> cert.get_subject().CN = 'foo'
    >>> cert.get_subject()
    <X509Name object '/CN=foo'>

It doesn't seem correct that you need to change anything about the X509Req, though. If it has the wrong parameters, then it needs to be regenerated by the MyProxy server/user (I don't know what MyProxy is). If you change it and sign the result, then it will disagree with the private part which was generated along with it.

Jean-Paul |
From: BRACHET M. <mi...@gm...> - 2008-07-03 12:22:21
|
Hi,

It seems that I misunderstand what to do.
I create a new x509 certificate using request information, but I need to add a CN to my subject and the x509Name does not provide any methods to do this.
Any ideas ?

Regards,
Maxime.

2008/7/3 BRACHET Maxime <mi...@gm...>:
> Hi everybody,
>
> I am new to this mailing list.
> I have a quite simple problem,
> I get a Certificate Request from a MyProxy server to sign it in order to
> create a Proxy certificate.
> But I must overwrite the subject of the MyProxy request to fulfill the
> requirements.
> I get the Request in a x509req Object, but this object does not provide a
> method like set_subject().
>
> How can I do ?
>
> Thanks in advance,
> Regards,
> Maxime.
> |
From: BRACHET M. <mi...@gm...> - 2008-07-03 11:32:19
|
Hi everybody,

I am new to this mailing list.
I have a quite simple problem,
I get a Certificate Request from a MyProxy server to sign it in order to create a Proxy certificate.
But I must overwrite the subject of the MyProxy request to fulfill the requirements.
I get the Request in a x509req Object, but this object does not provide a method like set_subject().

How can I do ?

Thanks in advance,
Regards,
Maxime. |
From: Hugh G. <hg...@ab...> - 2008-06-26 12:47:40
|
Jean-Paul Calderone wrote, on 26/06/2008 12:52:

> OpenSSL.SSL.Connection objects just wrap Python socket objects. Since
> the latter works with select, so does the former.

Thanks, that gives me some confidence to give it a go. I didn't want to waste time.

Regarding stunnel: a simple configuration of the firewall will prevent any problems with the internal non-ssl socket being accessed from outside the server. Also note that its licence is GPL which is probably not an issue as it can just be downloaded and installed separately as part of a server package.

Hugh |
From: Jean-Paul C. <ex...@di...> - 2008-06-26 11:52:33
|
On Thu, 26 Jun 2008 10:44:39 +0100, Hugh Gibson <hg...@ab...> wrote:
>Hi,
>
>We have a server written in Python using a select() loop on the main
>thread to drive socket IO, with our own HTTP 1.1 implementation. It uses
>worker threads to process requests. At present login to our AJAX
>application is handled by our own challenge/response system but we want
>to move to SSL.
>
>I'm trying to determine if pyOpenSSL sockets are compatible with
>select() under Windows so that we can slot them into place.
>
>It seems from http://docs.python.org/lib/module-select.html that there
>might be problems:
> "On Windows, the underlying select() function is provided by the
> WinSock library, and does not handle file descriptors that don't
> originate from WinSock."
>
>Has anyone used this combination successfully?
>
>I've tried stunnel and that works fine enabling SSL connections to our
>server, but I need a way to determine if a connection came via stunnel
>or directly otherwise a client could connect directly to the server.

OpenSSL.SSL.Connection objects just wrap Python socket objects. Since the latter works with select, so does the former.

Jean-Paul |
From: Hugh G. <hg...@ab...> - 2008-06-26 09:44:35
|
Hi,

We have a server written in Python using a select() loop on the main thread to drive socket IO, with our own HTTP 1.1 implementation. It uses worker threads to process requests. At present login to our AJAX application is handled by our own challenge/response system but we want to move to SSL.

I'm trying to determine if pyOpenSSL sockets are compatible with select() under Windows so that we can slot them into place.

It seems from http://docs.python.org/lib/module-select.html that there might be problems:

    "On Windows, the underlying select() function is provided by the
    WinSock library, and does not handle file descriptors that don't
    originate from WinSock."

Has anyone used this combination successfully?

I've tried stunnel and that works fine enabling SSL connections to our server, but I need a way to determine if a connection came via stunnel or directly otherwise a client could connect directly to the server.

Hugh |
From: Jean-Paul C. <ex...@di...> - 2008-05-28 20:52:20
|
On Wed, 28 May 2008 18:58:56 +0100, rastejante <ras...@gm...> wrote:
>Hi list,
>
>How can I set a timeout on the SSL connection?
>I already tried it with settimeout() from socket object, but get
>OpenSSL.SSL.WantReadError.

Isn't this what you wanted to happen?

Jean-Paul |
From: rastejante <ras...@gm...> - 2008-05-28 17:58:52
|
Hi list,

How can I set a timeout on the SSL connection?
I already tried it with settimeout() from socket object, but get OpenSSL.SSL.WantReadError.
I also tried it using the context set_timeout(), but it seems to have no effect either.

Thanks in advance. |
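An added example, not from the thread: the select()-with-deadline pattern behind both the select() question and the timeout question above, written against Python's standard-library ssl module instead of pyOpenSSL so that it runs without extra packages (ssl.SSLWantReadError is the standard library's counterpart of OpenSSL.SSL.WantReadError). The function names, the host name peer.example and the silent socketpair peer are constructed for the demonstration.

```python
import select
import socket
import ssl
import time


def handshake_with_deadline(tls, timeout):
    """Drive a TLS handshake on a non-blocking socket.

    Returns "done" when the handshake completes, or "timeout" when the peer
    stays silent past the deadline. Want-read / want-write are not failures:
    they say which direction to wait on before retrying the same call.
    """
    deadline = time.monotonic() + timeout
    while True:
        try:
            tls.do_handshake()
            return "done"
        except ssl.SSLWantReadError:
            rlist, wlist = [tls], []
        except ssl.SSLWantWriteError:
            rlist, wlist = [], [tls]
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return "timeout"
        readable, writable, _ = select.select(rlist, wlist, [], remaining)
        if not (readable or writable):
            return "timeout"


def demo_silent_peer(timeout=0.2):
    """Handshake against a constructed peer that never answers."""
    client, peer = socket.socketpair()
    client.setblocking(False)
    ctx = ssl.create_default_context()
    tls = ctx.wrap_socket(client, server_hostname="peer.example",
                          do_handshake_on_connect=False)
    try:
        outcome = handshake_with_deadline(tls, timeout)
        # The ClientHello was still sent before the wait began: a TLS record
        # carrying a handshake message starts with content type 22.
        first_byte = peer.recv(1)[0]
        return outcome, first_byte
    finally:
        tls.close()
        peer.close()


if __name__ == "__main__":
    print(demo_silent_peer())
```

Once the handshake is done, a read loop driven by select() should also check `tls.pending()` (pyOpenSSL's Connection has a `pending()` method too), because decrypted bytes can already be buffered inside the TLS object while the socket itself shows nothing readable.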
From: Jameson \Chema\ Q. <jq...@cs...> - 2008-05-06 14:30:15
|
Is it possible to use pyopenssl to create an ssl signature with authenticated attributes, as defined in rfc2315 <http://www.faqs.org/rfcs/rfc2315.html> section 9.2, using pyopenssl? If not, does anyone know of any tool that can do this?

I am making a signing service for the Sugar environment. One assumption of Sugar is that non-trusted applications can run, so the service needs to include in the signature a hash of the application that requested the signature. I need to use SSL-type signatures, and would prefer to use them as defined in rfc2315 rather than invent a proprietary temporary intermediate format of data-plus-requesting-app for signing.

Thanks,
Jameson |
From: Jean-Paul C. <ex...@di...> - 2008-04-11 17:50:02
|
pyOpenSSL is a wrapper around a subset of the OpenSSL API, including support for X509 certificates, public and private keys, and SSL connections.

pyOpenSSL 0.7 fixes a number of memory leaks and memory corruption issues. It also exposes several new OpenSSL APIs to Python:

 * SSL_get_shutdown and SSL_set_shutdown exposed as OpenSSL.SSL.Connection.get_shutdown and OpenSSL.SSL.Connection.set_shutdown
 * SSL_SENT_SHUTDOWN and SSL_RECEIVED_SHUTDOWN exposed as OpenSSL.SSL.SENT_SHUTDOWN and OpenSSL.SSL.RECEIVED_SHUTDOWN
 * X509_verify_cert_error_string exposed as OpenSSL.crypto.X509_verify_cert_error_string
 * X509.get_serial_number and X509.set_serial_number now accept long integers
 * Expose notBefore and notAfter on X509 certificates for inspection and mutation
 * Expose low-level X509Name state with X509Name.get_components

pyOpenSSL home page: http://pyopenssl.sourceforge.net/

pyOpenSSL downloads: http://sourceforge.net/project/showfiles.php?group_id=31249

Jean-Paul Calderone |
From: Jean-Paul C. <ex...@di...> - 2008-04-11 17:25:44
|
pyOpenSSL is a wrapper around a subset of the OpenSSL API, including support for X509 certificates, public and private keys, and SSL connections.

pyOpenSSL 0.7 fixes a number of memory leaks and memory corruption issues. It also exposes several new OpenSSL APIs to Python:

 * SSL_get_shutdown and SSL_set_shutdown exposed as OpenSSL.SSL.Connection.get_shutdown and OpenSSL.SSL.Connection.set_shutdown
 * SSL_SENT_SHUTDOWN and SSL_RECEIVED_SHUTDOWN exposed as OpenSSL.SSL.SENT_SHUTDOWN and OpenSSL.SSL.RECEIVED_SHUTDOWN
 * X509_verify_cert_error_string exposed as OpenSSL.crypto.X509_verify_cert_error_string
 * X509.get_serial_number and X509.set_serial_number now accept long integers
 * Expose notBefore and notAfter on X509 certificates for inspection and mutation
 * Expose low-level X509Name state with X509Name.get_components
 * Expose hashing and DER access on X509Names

pyOpenSSL home page: http://pyopenssl.sourceforge.net/

pyOpenSSL downloads: http://sourceforge.net/project/showfiles.php?group_id=31249

Jean-Paul Calderone |
From: Jean-Paul C. <ex...@di...> - 2008-04-08 12:54:27
|
On Tue, 8 Apr 2008 14:50:57 +0200, Sebastian Vieira <seb...@gm...> wrote:
>Hi,
>
>I posted this msg to the ml some weeks ago (before your announcement), but
>maybe it's worth posting it again now that development is active again:
>
>-- begin original mail --
>Now all works up to the point that i want to add an X509 extension. The
>'Basic Constraints' extension works fine, but when i add another (or replace
>it) like this:
>
>extensions.append(crypto.X509Extension('basicConstraints',1, 'CA:true'))
>extensions.append(crypto.X509Extension('nsComment', 0, 'OpenSSL Generated
>Certificate'))
>cert.add_extensions(extensions)
>
>
>i get this error:
>
>ValueError: Can't initialize exception
>
>The same goes for
>
>extensions.append(crypto.X509Extension('subjectKeyIdentifier', 0, 'hash'))
>
>
>and authorityKeyIdentifier
>-- end --
>
>thanks,
>

Thanks for following up on this. I noticed your earlier post and did a bit of investigation. One thing I learned is that there's a think-o in the exception message for this error case. It says

    ValueError: Can't initialize exception

But the case which fails would really be better described by

    ValueError: Can't initialize extension

Unfortunately, I didn't make much progress beyond this. However, I'm aware of the issue and I'll keep working on it. I don't know if a fix will make it into 0.7, but I hope that any known issue which isn't resolved in 0.7 will be resolved in 0.8.

Jean-Paul |
From: Sebastian V. <seb...@gm...> - 2008-04-08 12:50:55
|
Hi,

I posted this msg to the ml some weeks ago (before your announcement), but maybe it's worth posting it again now that development is active again:

-- begin original mail --
Now all works up to the point that i want to add an X509 extension. The 'Basic Constraints' extension works fine, but when i add another (or replace it) like this:

    extensions.append(crypto.X509Extension('basicConstraints',1, 'CA:true'))
    extensions.append(crypto.X509Extension('nsComment', 0, 'OpenSSL Generated Certificate'))
    cert.add_extensions(extensions)

i get this error:

    ValueError: Can't initialize exception

The same goes for

    extensions.append(crypto.X509Extension('subjectKeyIdentifier', 0, 'hash'))

and authorityKeyIdentifier
-- end --

thanks,

S.

On Sat, Mar 22, 2008 at 8:11 PM, <ex...@tw...> wrote:
> Greetings all,
>
> Over the past several weeks, I've been working on integrating patches from
> the issue tracker and fixing long-standing bugs in the 0.6 release. I've
> gotten to the point where I think a release would be useful. So I've put
> together an alpha of what will become 0.7. You can find a source tarball
> or Windows Python 2.5 installers on the SourceForge download page. Any
> testing and feedback anyone can provide would be greatly appreciated.
> I'll
> probably aim for a final 0.7 release in between one to two weeks, barring
> any serious problems anyone may find.
>
> Thanks!
>
> Jean-Paul |
From: Sandro T. <mat...@gm...> - 2008-03-29 16:30:51
|
Hi Jean-Paul,

> Actually, I'm trying to get rid of latex2html to generate
> documentation (we cannot use it for the Debian package since it's not
> a completely free tool), replacing it with tex4ht; as soon as I'll have
> a working patch, I'll submit to you.

As promised, here is the patch I wrote to use tex4ht instead of latex2html to generate html documentation: this is because latex2html is not completely free, and I cannot use it to create package to go into main Debian distribution.

In the same patch you can find some changes to doc/Makefile and the usage of w3m instead of lynx to generate txt doc: this is because w3m generates UTF8 output that renders better the name of Martin Sjögren.

The patch applies against 0.7a1, still didn't try against 0.7a2.

I will use the patch in the debian package; if you like it and want to merge directly in your code, just give me a ping so I can avoid to apply while building.

Cheers,
Sandro

--
Sandro Tosi (aka morph, Morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi |