From: BRACHET M. <mi...@gm...> - 2008-07-03 11:32:19
|
Hi everybody,

I am new to this mailing list.
I have a quite simple problem,
I get a Certificate Request from a MyProxy server to sign it in order to create a Proxy certificate.
But I must overwrite the subject of the MyProxy request to fulfill the requirements.
I get the Request in an x509req Object, but this object does not provide a method like set_subject().

How can I do this?

Thanks in advance,
Regards,
Maxime.
|
From: BRACHET M. <mi...@gm...> - 2008-07-03 12:22:21
|
Hi,

It seems that I misunderstand what to do.
I create a new x509 certificate using the request information, but I need to add a CN to my subject and the x509Name does not provide any methods to do this.
Any ideas?

Regards,
Maxime.

2008/7/3 BRACHET Maxime <mi...@gm...>:
> Hi everybody,
>
> I am new to this mailing list.
> I have a quite simple problem,
> I get a Certificate Request from a MyProxy server to sign it in order to
> create a Proxy certificate.
> But I must overwrite the subject of the MyProxy request to fulfill the
> requirements.
> I get the Request in an x509req Object, but this object does not provide a
> method like set_subject().
>
> How can I do this?
>
> Thanks in advance,
> Regards,
> Maxime.
>
|
From: Jean-Paul C. <ex...@di...> - 2008-07-03 12:37:25
|
On Thu, 3 Jul 2008 15:22:29 +0300, BRACHET Maxime <mi...@gm...> wrote:
>Hi,
>
>> Hi everybody,
>>
>> I am new to this mailing list.
>> I have a quite simple problem,
>> I get a Certificate Request from a MyProxy server to sign it in order to
>> create a Proxy certificate.
>> But I must overwrite the subject of the MyProxy request to fulfill the
>> requirements.
>> I get the Request in an x509req Object, but this object does not provide a
>> method like set_subject().
>>
>> How can I do this?
>
>It seems that I misunderstand what to do.
>I create a new x509 certificate using the request information, but I need to
>add a CN to my subject and the x509Name does not provide any methods to do
>this.
>Any ideas?

X509Name instances can have attributes like CN set on them directly:

    >>> from OpenSSL.crypto import X509
    >>> cert = X509()
    >>> cert.get_subject().CN = 'foo'
    >>> cert.get_subject()
    <X509Name object '/CN=foo'>

It doesn't seem correct that you need to change anything about the X509Req, though. If it has the wrong parameters, then it needs to be regenerated by the MyProxy server/user (I don't know what MyProxy is). If you change it and sign the result, then it will disagree with the private part which was generated along with it.

Jean-Paul
|
From: BRACHET M. <mi...@gm...> - 2008-07-03 12:53:39
|
Hi,

If the Subject contains multiple CNs, X509Name.CN returns only the first.
In the RFC 3820 part 3.4: http://www.ietf.org/rfc/rfc3820.txt
To generate a Proxy certificate I need to add a CN to the subject.
MyProxy is a Proxy Credential Server: http://grid.ncsa.uiuc.edu/myproxy/

I can add a new one by doing

    cert.get_subject().CN += '/CN=foo'

but it is not really a proper way.

Thanks for your response.
Maxime.

2008/7/3, Jean-Paul Calderone <ex...@di...>:
> On Thu, 3 Jul 2008 15:22:29 +0300, BRACHET Maxime <mi...@gm...> wrote:
>>Hi,
>>
>>> Hi everybody,
>>>
>>> I am new to this mailing list.
>>> I have a quite simple problem,
>>> I get a Certificate Request from a MyProxy server to sign it in order to
>>> create a Proxy certificate.
>>> But I must overwrite the subject of the MyProxy request to fulfill the
>>> requirements.
>>> I get the Request in an x509req Object, but this object does not provide a
>>> method like set_subject().
>>>
>>> How can I do this?
>>
>>It seems that I misunderstand what to do.
>>I create a new x509 certificate using the request information, but I need to
>>add a CN to my subject and the x509Name does not provide any methods to do
>>this.
>>Any ideas?
>
> X509Name instances can have attributes like CN set on them directly:
>
>     >>> from OpenSSL.crypto import X509
>     >>> cert = X509()
>     >>> cert.get_subject().CN = 'foo'
>     >>> cert.get_subject()
>     <X509Name object '/CN=foo'>
>
> It doesn't seem correct that you need to change anything about the X509Req,
> though. If it has the wrong parameters, then it needs to be regenerated by
> the MyProxy server/user (I don't know what MyProxy is). If you change it
> and sign the result, then it will disagree with the private part which was
> generated along with it.
>
> Jean-Paul
|
From: Jean-Paul C. <ex...@di...> - 2008-07-03 14:23:53
|
On Thu, 3 Jul 2008 15:53:46 +0300, BRACHET Maxime <mi...@gm...> wrote:
>Hi,
>
>If the Subject contains multiple CNs, X509Name.CN returns only the first.
>In the RFC 3820 part 3.4: http://www.ietf.org/rfc/rfc3820.txt
>To generate a Proxy certificate I need to add a CN to the subject.
>MyProxy is a Proxy Credential Server: http://grid.ncsa.uiuc.edu/myproxy/
>
>I can add a new one by doing
>cert.get_subject().CN += '/CN=foo'
>
>but it is not really a proper way.
>
>Thanks for your response.
>Maxime.

Ah, thanks for explaining. I haven't seen that RFC before. I have a bit of trouble following section 3.4. My naive reading suggests that something like this would be correct:

    subject = cert.get_subject()
    issuer = cacert.get_issuer()
    for k, v in issuer.get_components():
        setattr(subject, k, v)
    subject.CN = 'foo'

However, I'm not very confident that this is a correct interpretation (or that it even makes any kind of sense).

You are right that the API for modifying X509Name objects in pyOpenSSL is limited and missing certain functionality. If it's necessary to add a new API for appending a new component to an X509Name to support this, I'd be happy to accept a patch for this (I may even be interested in working on it myself once I have a better understanding of the requirements).

Sorry I couldn't give a more definite answer.

Jean-Paul
|
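
Added example (not part of the thread and not pyOpenSSL code): RFC 3820 section 3.4 requires the proxy certificate subject to be the issuer's subject with a single Common Name component appended. The sketch below models names as (type, value) pairs like those from get_components(), encodes them to DER with the standard library, and checks the rule against an appended CN, an overwritten CN, and a concatenated CN string. The sample names, the helper names and the modelled results of the two pyOpenSSL workarounds are assumptions made for illustration.

```python
# Added example: standard library only. A name is a list of (type, value)
# pairs, like those returned by pyOpenSSL's X509Name.get_components().
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a",
        "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}

def tlv(tag, body):
    """DER tag-length-value, with long-form length for bodies >= 128 bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def encode_name(components):
    """Encode the pairs as a DER Name: one RDN (SET) per attribute."""
    rdns = b""
    for key, value in components:
        string_tag = 0x13 if key == "C" else 0x0C  # PrintableString / UTF8String
        atv = tlv(0x30, tlv(0x06, OIDS[key]) + tlv(string_tag, value.encode()))
        rdns += tlv(0x31, atv)
    return tlv(0x30, rdns)

def proxy_subject(issuer_subject, proxy_cn):
    """RFC 3820 section 3.4: the issuer's subject plus one appended CN."""
    return list(issuer_subject) + [("CN", proxy_cn)]

def is_proxy_subject(issuer_subject, subject):
    """True when subject is the non-empty issuer subject plus exactly one CN."""
    issuer_subject, subject = list(issuer_subject), list(subject)
    return (bool(issuer_subject)
            and subject[:-1] == issuer_subject
            and len(subject) == len(issuer_subject) + 1
            and subject[-1][0] == "CN" and subject[-1][1] != "")

# Constructed sample names (hypothetical user and proxy CN values).
USER = [("C", "FR"), ("O", "Example Grid"), ("CN", "Maxime Example")]
APPENDED = proxy_subject(USER, "1234567890")
# Modelled result of overwriting the CN attribute: no second CN exists.
REPLACED = [("C", "FR"), ("O", "Example Grid"), ("CN", "1234567890")]
# Modelled result of CN += '/CN=...': still one CN, with a longer value.
CONCAT = [("C", "FR"), ("O", "Example Grid"),
          ("CN", "Maxime Example/CN=1234567890")]

if __name__ == "__main__":
    for label, name in (("appended", APPENDED), ("replaced", REPLACED),
                        ("concatenated", CONCAT)):
        print(label, is_proxy_subject(USER, name), encode_name(name).hex())
```

Only the appended form carries two CN attributes in the encoded name; the concatenated form can print like two components but is stored as one attribute value.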