
Support for cryptography.X509.Extensions in pyopenssl.X509.add_extensions etc? #1295

Closed
wgreenberg opened this issue Feb 27, 2024 · 2 comments

Comments

@wgreenberg

Since pyOpenSSL's Extensions are now deprecated, I'm trying to migrate Certbot to cryptography's, but there's still pyOpenSSL public API that only accepts/returns the deprecated extension type:

```python
def add_extensions(
    self, extensions: Iterable[_X509ExtensionInternal]
) -> None:
    """
    Add extensions to the certificate signing request.

    :param extensions: The X.509 extensions to add.
    :type extensions: iterable of :py:class:`X509Extension`
    :return: ``None``
    """
    stack = _lib.sk_X509_EXTENSION_new_null()
    _openssl_assert(stack != _ffi.NULL)
    stack = _ffi.gc(stack, _lib.sk_X509_EXTENSION_free)

    for ext in extensions:
        if not isinstance(ext, _X509ExtensionInternal):
            raise ValueError("One of the elements is not an X509Extension")

        # TODO push can fail (here and elsewhere)
        _lib.sk_X509_EXTENSION_push(stack, ext._extension)

    add_result = _lib.X509_REQ_add_extensions(self._req, stack)
    _openssl_assert(add_result == 1)

def get_extensions(self) -> List[_X509ExtensionInternal]:
    """
    Get X.509 extensions in the certificate signing request.

    :return: The X.509 extensions in this request.
    :rtype: :py:class:`list` of :py:class:`X509Extension` objects.

    .. versionadded:: 0.15
    """
    exts = []
    native_exts_obj = _lib.X509_REQ_get_extensions(self._req)
    native_exts_obj = _ffi.gc(
        native_exts_obj,
        lambda x: _lib.sk_X509_EXTENSION_pop_free(
            x,
            _ffi.addressof(_lib._original_lib, "X509_EXTENSION_free"),
        ),
    )

    for i in range(_lib.sk_X509_EXTENSION_num(native_exts_obj)):
        ext = _X509ExtensionInternal.__new__(_X509ExtensionInternal)
        extension = _lib.X509_EXTENSION_dup(
            _lib.sk_X509_EXTENSION_value(native_exts_obj, i)
        )
        ext._extension = _ffi.gc(extension, _lib.X509_EXTENSION_free)
        exts.append(ext)
    return exts
```

```python
def get_extension(self, index: int) -> _X509ExtensionInternal:
    """
    Get a specific extension of the certificate by index.

    Extensions on a certificate are kept in order. The index
    parameter selects which extension will be returned.

    :param int index: The index of the extension to retrieve.
    :return: The extension at the specified index.
    :rtype: :py:class:`X509Extension`
    :raises IndexError: If the extension index was out of bounds.

    .. versionadded:: 0.12
    """
    ext = _X509ExtensionInternal.__new__(_X509ExtensionInternal)
    ext._extension = _lib.X509_get_ext(self._x509, index)
    if ext._extension == _ffi.NULL:
        raise IndexError("extension index out of bounds")

    extension = _lib.X509_EXTENSION_dup(ext._extension)
    ext._extension = _ffi.gc(extension, _lib.X509_EXTENSION_free)
    return ext
```

I noticed that some work was done to add support for cryptography's CRL types in #1252, and was hoping similar work could be done for extensions. Happy to help implement this if it's desired.

@alex
Member

alex commented Feb 27, 2024

The easiest thing is likely to migrate your entire X.509 usage to cryptography's, rather than doing it piecemeal. -- pyOpenSSL's X509 type has to_cryptography and from_cryptography methods for that purpose.

There are some technical barriers that would make it difficult to do for extensions in an efficient way.

@mhils
Member

mhils commented Feb 27, 2024

> The easiest thing is likely to migrate your entire X.509 usage to cryptography's, rather than doing it piecemeal. -- pyOpenSSL's X509 type has to_cryptography and from_cryptography methods for that purpose.

+1. We're doing this (to_cryptography/from_cryptography) for mitmproxy and it works really well.
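The migration both comments recommend, as an added example (not code from this issue, pyOpenSSL, Certbot or mitmproxy): a self-signed certificate built with cryptography is wrapped in a pyOpenSSL `X509` via `from_cryptography`, and its extensions are then read with cryptography's typed API after `to_cryptography`, next to the deprecated `get_extension` path for comparison. The certificate contents and names are constructed for the example.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID
from OpenSSL import crypto  # pyOpenSSL


def make_test_cert() -> x509.Certificate:
    """Constructed self-signed test cert with a SAN and a critical BasicConstraints."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    san = x509.SubjectAlternativeName(
        [x509.DNSName("example.test"), x509.DNSName("www.example.test")]
    )
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(san, critical=False)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )


def san_dns_names(pyopenssl_cert: crypto.X509) -> list[str]:
    """Migrated path: convert the pyOpenSSL object, then use cryptography's typed API."""
    cert = pyopenssl_cert.to_cryptography()
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return ext.value.get_values_for_type(x509.DNSName)


def legacy_short_names(pyopenssl_cert: crypto.X509) -> list[bytes]:
    """Deprecated path for comparison: only OID short names, no parsed values."""
    return [pyopenssl_cert.get_extension(i).get_short_name()
            for i in range(pyopenssl_cert.get_extension_count())]


def roundtrip_is_lossless(cert: x509.Certificate) -> bool:
    """from_cryptography() -> to_cryptography() must return byte-identical DER."""
    back = crypto.X509.from_cryptography(cert).to_cryptography()
    return back.public_bytes(Encoding.DER) == cert.public_bytes(Encoding.DER)
```

Because the round trip is byte-identical DER, no extension data is lost by converting at the boundary and keeping all extension handling on the cryptography side.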

@alex alex closed this as completed Mar 21, 2024