X509Req object misses version field

Bug #274418 reported by Wouter van Bommel
Affects: pyOpenSSL
Status: Fix Released
Importance: Medium
Assigned to: Jean-Paul Calderone

Bug Description

The X509Req object misses the required version field.
Certain CAs require this field to be present.

In order to fix this issue a new method is created (in the attached patch) which allows the addition of a version. (A function description is provided with the patch.)

The method is called:

X509Req.set_version(int).

The working (and difference) can be illustrated with the following 2 pieces of code (assuming the patch is applied):

from OpenSSL import crypto

pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 1024)

# create an old request (no version set)
req1 = crypto.X509Req()
req1.set_pubkey(pkey)
req1.sign(pkey, "md5")

# create a new request; set the version before signing so the signature covers it
req2 = crypto.X509Req()
req2.set_pubkey(pkey)
req2.set_version(0)
req2.sign(pkey, "md5")

# dump the 2 requests (dump_certificate_request returns bytes)
print(crypto.dump_certificate_request(crypto.FILETYPE_PEM, req1).decode("ascii"))

print(crypto.dump_certificate_request(crypto.FILETYPE_PEM, req2).decode("ascii"))

################
Parsing both output requests using the following command shows that the length of element 7 is 0 (which is wrong) in the first certificate and will have a length of 1 in the correct version.

Wouter van Bommel (woutervb) wrote :
Changed in pyopenssl:
assignee: nobody → exarkun
importance: Undecided → Medium
status: New → Confirmed
Changed in pyopenssl:
milestone: none → 0.9
Jean-Paul Calderone (exarkun) wrote :

According to RFC 2459, sections 4.1 and 4.1.2.1, the version field is optional and if not present, a default value of 1 is to be assumed. However, it goes on to say that implementations which can only interpret version 3 are conforming implementations. I'm not sure whether this means an implementation which rejects the certificates it was previously possible to create with pyOpenSSL is conforming or not (assuming perfection elsewhere).

Anyway, I've added the set_version method, along with a friend, get_version, for inspection, in r79. These will be included in the next release.

Changed in pyopenssl:
status: Confirmed → Fix Committed
Changed in pyopenssl:
status: Fix Committed → Fix Released
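
An added example, not part of the original report or of pyOpenSSL: a standard-library DER walk that reports whether a request's CertificationRequestInfo begins with a usable version INTEGER, which is the difference the description reports between the two dumps. It assumes "element 7" in the description is that INTEGER; the function names and the sample bytes are constructed for illustration.

```python
# Added example: report the version INTEGER at the start of a DER-encoded
# PKCS#10 request. Pure standard library; sample inputs are constructed below.

def read_tlv(buf, pos=0):
    """Parse one DER element at pos; return (tag, content bytes)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length in one byte
        length = first
    else:                                 # long form: next n bytes hold length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of input")
    return tag, buf[pos:pos + length]

def csr_version(der):
    """Return the version as int, "empty" for a zero-length INTEGER,
    or "absent" if CertificationRequestInfo does not start with an INTEGER."""
    tag, request = read_tlv(der)          # CertificationRequest SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, info = read_tlv(request)         # CertificationRequestInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("CertificationRequestInfo is not a SEQUENCE")
    if not info or info[0] != 0x02:       # first field should be the version
        return "absent"
    _, value = read_tlv(info)
    return int.from_bytes(value, "big", signed=True) if value else "empty"

def tlv(tag, content):
    """Build a short-form DER element (constructed samples are < 128 bytes)."""
    return bytes([tag, len(content)]) + content

def sample_request(version_content):
    """Constructed, CSR-shaped DER with placeholder subject, key and signature."""
    rest = tlv(0x30, b"") + tlv(0x30, b"") + tlv(0xA0, b"")
    info = tlv(0x30, tlv(0x02, version_content) + rest)
    return tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    print(csr_version(sample_request(b"")))       # shape described for req1
    print(csr_version(sample_request(b"\x00")))   # shape described for req2
```

To check a real request, convert the PEM to DER first and pass the bytes to `csr_version`; a result of "empty" or "absent" marks a request that a strict CA parser may refuse.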