Basic X509V3 context support

Bug #322813 reported by TSeeker

Bug Description

In some cases it is required to have an actual X509V3 context structure when adding some extensions (e.g. subjectKeyIdentifier or authorityKeyIdentifier).

The attached patch, against the Bazaar revision 92, adds the OpenSSL.crypto.X509Context_Type type and associated factory; this type supports two methods, set_subject() and set_issuer() which both require an X509 object as their argument. The X509Extension() factory has been modified so that it can accept an optional "context" keyword argument.

Here's an example of how to use X509Context():

from OpenSSL import crypto

# ca_cert is an existing crypto.X509 object (the CA certificate being built)

# Generate X509V3 context: the subject and issuer certificates the extensions refer to
ctx = crypto.X509Context()
ctx.set_subject( ca_cert )
ctx.set_issuer( ca_cert )

# Generate extensions; the subjectKeyIdentifier 'hash' value is derived from the subject in ctx
extensions = []
extensions.append( crypto.X509Extension( 'basicConstraints' , True , 'CA:TRUE,pathlen:0' ) )
extensions.append( crypto.X509Extension( 'subjectKeyIdentifier' , True , 'hash' , context = ctx ) )
ca_cert.add_extensions( extensions )
# the authorityKeyIdentifier 'keyid' value is taken from the issuer in ctx
extensions = [ crypto.X509Extension( 'authorityKeyIdentifier' , False , 'keyid:always,issuer:always' , context = ctx ) ]
ca_cert.add_extensions( extensions )

Jean-Paul Calderone (exarkun) wrote :

Hi Emmanuel,

Thanks for the patch. I've just started looking at it. It'll take me a little while to digest, but in the mean time, one thing I noticed is that the added files declare themselves to be copyright you, all rights reserved. Technically, I need you to license them to me, preferably under the MIT or BSD license, in order to be able to use them. I assume you'll be happy to do this, or you wouldn't have contributed the patch. :) But I need to check to make sure.

TSeeker (tseeker) wrote :

Hello Jean-Paul,

My bad ("just take the header and replace everything") - no problem about the license :)

rick_dean (rick-fdd) wrote :

I applied the patch to ext-context successfully but the sample code doesn't run.
X509Extension objects don't have a set_subject or set_issuer attribute, and trying to add
an extension of "subjectKeyIdentifier" produces this strange error which is not fixable by playing
with "import"

TypeError: X509Extension() argument 4 must be X509Context, not OpenSSL.crypto.X509Context

I'm using fedora 10, python 2.5.2-1.fc10.i386, openssl-0.9.8g-12.fc10.i686, and
ext-context revision 95

rick_dean (rick-fdd) wrote :

This patch applied on top of Tseekers on top of revision 95 fixes
my problems described above, although the code is still seg faulting
for me which could be because I am trying to create a self signed
CA with those attributes. Anyway, I'll keep looking.

TSeeker (tseeker) wrote :

The patch will not work against rev 95 because it will conflict with some of Jean-Paul's work in progress (which at the moment defines a behaviour-less X509Context type). To get the patch to work, you need to use revision 92.

rick_dean (rick-fdd) wrote :

Here is the API I like which doesn't python wrap the x509context,
but instead adds optional args of "issuer" and "subject" to
the X509Extension() constructor. For example...

from OpenSSL import crypto  # cert and certx are existing crypto.X509 objects

ext1 = crypto.X509Extension('subjectKeyIdentifier', False, 'hash', subject=cert)
ext3 = crypto.X509Extension('basicConstraints', False, 'CA:TRUE')
certx.add_extensions( (ext1, ext3) )
ext2 = crypto.X509Extension('authorityKeyIdentifier', False, 'keyid:always,issuer:always', issuer=cert)
certx.add_extensions( (ext2, ) )

The attached patch applies to revision 95 of branch ext-context.
Compared to the alternatives, this code is shorter and uses less
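Added example (not from this bug report or from pyOpenSSL) showing, in stdlib Python, what the two context-dependent methods in both snippets above actually compute: the subjectKeyIdentifier 'hash' is the SHA-1 of the subject's public key bits, and the authorityKeyIdentifier 'keyid' is the issuer's own SKI, which is why one extension needs the subject certificate and the other the issuer certificate as context. The DER helpers and the toy RSA keys are constructed for the demonstration, and each X509 object is reduced to its SubjectPublicKeyInfo.

```python
import hashlib

def der_len(n):  # DER length octets: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(value):  # non-negative INTEGER; the extra bit keeps the sign bit clear
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def rsa_spki(n, e):
    """DER SubjectPublicKeyInfo for an RSA key (RFC 3279)."""
    alg = der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL params
    rsa_public_key = der(0x30, der_int(n) + der_int(e))
    return der(0x30, alg + der(0x03, b"\x00" + rsa_public_key))  # BIT STRING, 0 unused bits

def read_tlv(buf, pos=0):
    """Read one DER tag/length/value; returns (tag, value, next position)."""
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first
    if first & 0x80:  # long-form length
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + length], pos + length

def subject_key_identifier(spki):
    """SKI 'hash' method (RFC 5280 4.2.1.2): SHA-1 of the subjectPublicKey bits, minus tag, length and unused-bits octet."""
    tag, seq, _ = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    _, _alg, pos = read_tlv(seq)          # AlgorithmIdentifier is not part of the hash
    tag, bits, _ = read_tlv(seq, pos)
    if tag != 0x03:
        raise ValueError("subjectPublicKey is not a BIT STRING")
    return hashlib.sha1(bits[1:]).digest()

def identifiers(subject_spki, issuer_spki):
    """SKI comes from the subject cert; the AKI keyid is the issuer's own SKI.
    That is exactly the context set_subject()/set_issuer() (or subject=/issuer=) supply."""
    return {"ski": subject_key_identifier(subject_spki).hex(),
            "aki_keyid": subject_key_identifier(issuer_spki).hex()}

# Constructed toy keys (tiny moduli, not real RSA keys): only the encoding and the hashing matter here.
CA_SPKI = rsa_spki(n=0xC2D1F3A7B9E5, e=65537)
LEAF_SPKI = rsa_spki(n=0xE7F0A1B2C3D4, e=65537)
```

For a self-signed root, identifiers(CA_SPKI, CA_SPKI) gives equal ski and aki_keyid; for a leaf, identifiers(LEAF_SPKI, CA_SPKI) gives an aki_keyid equal to the CA's ski.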

rick_dean (rick-fdd) wrote :

I have ported this to the tip of main, added some LATEX
documentation, and pushed it to

This functionality is critical for constructing X509v3
root certificates.

There was a bug in OpenSSL.test.util.failUnlessRaises()
which is patched.

This patch was sponsored by
who is "Secure enterprise WiFi made easy".

Changed in pyopenssl:
status: New → Fix Committed
Changed in pyopenssl:
milestone: none → 0.10
Changed in pyopenssl:
status: Fix Committed → Fix Released