pyOpenSSL

Merge lp:~rick-fdd/pyopenssl/subject_and_issuer2 into lp:~exarkun/pyopenssl/trunk

subject_and_issuer2
Merge into trunk

Proposed by rick_dean on 2009-07-16

Status:

Merged

Merged at revision:

not available

Proposed branch:

lp:~rick-fdd/pyopenssl/subject_and_issuer2

Merge into:

lp:~exarkun/pyopenssl/trunk

Diff against target:

None lines

To merge this branch:

bzr merge lp:~rick-fdd/pyopenssl/subject_and_issuer2

Undecided

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Jean-Paul Calderone		2009-07-16	Pending
Review via email: mp+8896@code.launchpad.net

Revision history for this message

rick_dean (rick-fdd) wrote on 2009-07-16:

This new functionality is critical for generating root x509v3 certificates. It includes documentation and test cases. The actual patch is tiny like a good design should be.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Alex Stapleton

Eric P. Mangold

rick_dean

to status/vote changes:

Ramon

 === modified file 'doc/pyOpenSSL.tex'
 --- doc/pyOpenSSL.tex	2009-07-04 20:15:36 +0000
 +++ doc/pyOpenSSL.tex	2009-07-08 21:17:17 +0000
@@ -188,8 +188,11 @@
  See \class{X509Extension}.
  \end{datadesc}
--\begin{classdesc}{X509Extension}{typename, critical, value}
--A class representing an X.509 v3 certificate extensions.
++\begin{classdesc}{X509Extension}{typename, critical, value\optional{, subject}\optional{, issuer}}
++A class representing an X.509 v3 certificate extensions.
++See \url{http://openssl.org/docs/apps/x509v3_config.html\#STANDARD_EXTENSIONS}
++for \var{typename} strings and their options.
++Optional parameters \var{subject} and \var{issuer} must be X509 objects.
  \end{classdesc}
  \begin{datadesc}{NetscapeSPKIType}
 === modified file 'src/crypto/crypto.h'
 --- src/crypto/crypto.h	2009-04-01 16:58:26 +0000
 +++ src/crypto/crypto.h	2009-07-08 21:17:17 +0000
@@ -58,7 +58,7 @@
  #define crypto_X509Extension_New_NUM    5
  #define crypto_X509Extension_New_RETURN crypto_X509ExtensionObj *
--#define crypto_X509Extension_New_PROTO  (char *, int, char *)
++#define crypto_X509Extension_New_PROTO  (char *, int, char *, crypto_X509Obj *, crypto_X509Obj *)
  #define crypto_PKCS7_New_NUM            6
  #define crypto_PKCS7_New_RETURN         crypto_PKCS7Obj *
 === modified file 'src/crypto/x509ext.c'
 --- src/crypto/x509ext.c	2009-06-27 15:17:28 +0000
 +++ src/crypto/x509ext.c	2009-07-08 21:17:17 +0000
@@ -75,7 +75,8 @@
   * Returns:   The newly created X509Extension object
   */
  crypto_X509ExtensionObj *
--crypto_X509Extension_New(char *type_name, int critical, char *value)
++crypto_X509Extension_New(char *type_name, int critical, char *value,
++                         crypto_X509Obj *subject, crypto_X509Obj  *issuer)
+ {
      X509V3_CTX ctx;
      crypto_X509ExtensionObj *self;
@@ -84,7 +85,12 @@
      /* We have no configuration database - but perhaps we should.  Anyhow, the
       * context is necessary for any extension which uses the r2i conversion
       * method.  That is, X509V3_EXT_nconf may segfault if passed a NULL ctx. */
++    X509V3_set_ctx(&ctx, NULL, NULL, NULL, NULL, 0);
      X509V3_set_ctx_nodb(&ctx);
++    if(subject)
++            ctx.subject_cert = subject->x509;
++    if(issuer)
++            ctx.issuer_cert = issuer->x509;
      self = PyObject_New(crypto_X509ExtensionObj, &crypto_X509Extension_Type);
@@ -137,27 +143,40 @@
+ }
  static char crypto_X509Extension_doc[] = "\n\
--X509Extension(typename, critical, value) -> X509Extension instance\n\
++X509Extension(typename, critical, value[, subject][, issuer]) -> \n\
++                X509Extension instance\n\
  \n\
  @param typename: The name of the extension to create.\n\
  @type typename: C{str}\n\
  @param critical: A flag indicating whether this is a critical extension.\n\
  @param value: The value of the extension.\n\
  @type value: C{str}\n\
++@param subject: Optional X509 cert to use as subject.\n\
++@type subject: C{X509}\n\
++@param issuer: Optional X509 cert to use as issuer.\n\
++@type issuer: C{X509}\n\
  @return: The X509Extension object\n\
  ";
  static PyObject *
--crypto_X509Extension_new(PyTypeObject *subtype, PyObject *args, PyObject *kwargs) {
++crypto_X509Extension_new(PyTypeObject *subtype, PyObject *args,
++                         PyObject *kwargs) {
      char *type_name, *value;
--    int critical;
++    int critical = 0;
++    crypto_X509Obj * subject = NULL;
++    crypto_X509Obj * issuer = NULL;
++    static char *kwlist[] = {"type_name", "critical", "value", "subject",
++                             "issuer", NULL};
--    if (!PyArg_ParseTuple(args, "sis:X509Extension", &type_name, &critical,
--                          &value)) {
++    if (!PyArg_ParseTupleAndKeywords(args, kwargs, "sis|O!O!:X509Extension",
++                kwlist, &type_name, &critical, &value,
++                &crypto_X509_Type, &subject,
++                &crypto_X509_Type, &issuer )) {
          return NULL;
+     }
--    return (PyObject *)crypto_X509Extension_New(type_name, critical, value);
++    return (PyObject *)crypto_X509Extension_New(type_name, critical, value,
++                                                subject, issuer);
+ }
  /*
 === modified file 'test/test_crypto.py'
 --- test/test_crypto.py	2009-07-05 16:54:05 +0000
 +++ test/test_crypto.py	2009-07-08 21:17:17 +0000
@@ -7,6 +7,7 @@
  from unittest import main
  from os import popen2
++from datetime import datetime, timedelta
  from OpenSSL.crypto import TYPE_RSA, TYPE_DSA, Error, PKey, PKeyType
  from OpenSSL.crypto import X509, X509Type, X509Name, X509NameType
@@ -234,6 +235,51 @@
          self.assertEqual(ext.get_short_name(), 'nsComment')
++    def test_issuer_and_subject(self):
++        """
++        Use L{X509Extension} to create a root cert with X509v3
++        extensions, which requires the "subject" or "issuer" optional args.
++        """
++        # Basic setup stuff to generate a certificate
++        pkey = PKey()
++        pkey.generate_key(TYPE_RSA, 1024)
++        req = X509Req()
++        req.set_pubkey(pkey)
++        req.get_subject().commonName = "Yoda root CA"  # Authority good you have.
++        x509 = X509()
++        subject = x509.get_subject()
++        subject.commonName = req.get_subject().commonName
++        x509.set_issuer(subject)
++        x509.set_pubkey(pkey)
++        now = datetime.now().strftime("%Y%m%d%H%M%SZ")
++        expire  = (datetime.now() + timedelta(days=100)).strftime("%Y%m%d%H%M%SZ")
++        x509.set_notBefore(now)
++        x509.set_notAfter(expire)
++        # Test "subject" as a unneeded parameter
++        ext1 = X509Extension('basicConstraints', False, 'CA:TRUE', subject=x509)
++        x509.add_extensions( (ext1, ) )
++        # Correct use of "subject" and "issuer"
++        ext3 = X509Extension('subjectKeyIdentifier', False, 'hash', subject=x509, )
++        x509.add_extensions( (ext3, ) )
++        ext2 = X509Extension('authorityKeyIdentifier', False, 'keyid:always,issuer:always', issuer=x509, )
++        x509.add_extensions( (ext2, ) )
++        # Test missing issuer
++        self.assertRaises(Error, X509Extension, 'authorityKeyIdentifier', False, 'keyid:always,issuer:always', )
++        # Test missing subject
++        self.assertRaises(Error, X509Extension, 'subjectKeyIdentifier', False, 'hash', )
++        # Test bad type of issuer and subject
++        self.assertRaises(TypeError, eval,
++               "OpenSSL.crypto.X509Extension('basicConstraints', False, 'CA:TRUE', subject=True)", ())
++        self.assertRaises(TypeError, eval,
++               "OpenSSL.crypto.X509Extension('basicConstraints', False, 'CA:TRUE', issuer=3)", ())
++        # Complete the certificate
++        x509.sign(pkey, 'sha1')
++        # Verify the certificate
++        text = dump_certificate(FILETYPE_TEXT, x509)
++        self.assertTrue( text.index('X509v3 Subject Key Identifier') > 100 )
++        self.assertTrue( text.index('X509v3 Authority Key Identifier') > 100 )
++
++
  class PKeyTests(TestCase):
      """
 === modified file 'test/util.py'
 --- test/util.py	2009-07-05 17:05:45 +0000
 +++ test/util.py	2009-07-08 21:17:17 +0000
@@ -11,6 +11,7 @@
  import os, os.path
  from tempfile import mktemp
  from unittest import TestCase
++import sys
  class TestCase(TestCase):
@@ -81,10 +82,10 @@
          except exception, inst:
              return inst
          except:
--            raise self.failureException('%s raised instead of %s:\n %s'
++            raise self.failureException('%s raised instead of %s'
                                          % (sys.exc_info()[0],
                                             exception.__name__,
--                                           failure.Failure().getTraceback()))
++                                          ))
          else:
              raise self.failureException('%s not raised (%r returned)'
                                          % (exception.__name__, result))

pyOpenSSL

Merge lp:~rick-fdd/pyopenssl/subject_and_issuer2 into lp:~exarkun/pyopenssl/trunk

Commit message

Description of the change

Preview Diff

Subscribers