X509Req object misses version field
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| pyOpenSSL | Fix Released | Medium | Jean-Paul Calderone | |
Bug Description
The X509Req object misses the required version field.
Certain CAs require this field to be present.
In order to fix this issue a new method is created (in the attached patch) which allows the addition of a version. (A function description is provided with the patch.)
The method is called;
X509Req.
The working (and difference) can be illustrated with the following 2 pieces of code (assuming the patch is applied):
```python
from OpenSSL import crypto
pkey=crypto.PKey()
pkey.generate_
# create an old request
req1=crypto.
req1.set_
req1.sign(pkey, "md5")
# create a new request
req2=crypto.
req2.set_
req2.sign(pkey, "md5")
req2.set_version(0)
#dump the 2 requests
print crypto.
print crypto.
################
```
Parsing both 'output' requests using the following command shows that the length of element 7 is 0 (which is wrong) in the first certificate and will have a length of 1 in the correct version.
| Changed in pyopenssl | |
|---|---|
| assignee | nobody → exarkun |
| importance | Undecided → Medium |
| status | New → Confirmed |

| Changed in pyopenssl | |
|---|---|
| milestone | none → 0.9 |

| Changed in pyopenssl | |
|---|---|
| status | Fix Committed → Fix Released |
According to RFC 2459, sections 4.1 and 4.1.2.1, the version field is optional and if not present, a default value of 1 is to be assumed. However, it goes on to say that implementations which can only interpret version 3 are conforming implementations. I'm not sure whether this means an implementation which rejects the certificates it was previously possible to create with pyOpenSSL is conforming or not (assuming perfection elsewhere).
Anyway, I've added the set_version method, along with a friend, get_version, for inspection, in r79. These will be included in the next release.
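
An added example (not part of the original report, the attached patch, or pyOpenSSL): a stdlib-only check that classifies the version INTEGER of a DER-encoded PKCS#10 request, which a CA or a test suite could run before accepting a request. It assumes the zero-length element the report describes is the version field, the first member of CertificationRequestInfo; the function names and the sample byte strings are constructed for illustration.

```python
# Added example: locate the version INTEGER in a DER-encoded PKCS#10 request.
# All sample inputs are constructed here; they are not real CSRs.

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                        # short-form length
        length = first
    else:                                   # long form: next n bytes hold it
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element overruns buffer")
    return tag, pos, pos + length

def csr_version_status(der):
    """Classify the version field: 'ok', 'empty', 'missing' or 'unexpected'."""
    tag, start, _ = read_tlv(der, 0)        # CertificationRequest
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, start, end = read_tlv(der, start)  # CertificationRequestInfo
    if tag != 0x30:
        raise ValueError("no CertificationRequestInfo SEQUENCE")
    if start == end:
        return "missing"
    tag, vstart, vend = read_tlv(der, start)
    if tag != 0x02:                         # first field is not an INTEGER
        return "missing"
    if vstart == vend:                      # INTEGER with no content octets
        return "empty"
    return "ok" if der[vstart:vend] == b"\x00" else "unexpected"

def tlv(tag, body=b""):
    """Encode one short-form element (sample builder only)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def sample_request(version_body):
    """Constructed skeleton: version INTEGER plus an empty subject."""
    return tlv(0x30, tlv(0x30, tlv(0x02, version_body) + tlv(0x30)))

if __name__ == "__main__":
    for label, body in (("with version 0", b"\x00"), ("empty version", b"")):
        print(label, "->", csr_version_status(sample_request(body)))
```
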