ERROR: test_extension_count (__main__.X509Tests) / ERROR: test_get_extension (__main__.X509Tests) #149
Comments
It's happening on both py2.7 and py3.4 |
Not sure if the original reporter also uses OpenSSL >= 1.0.1i, but I get the same error using 1.0.1l now. It seems there was a bug fix in OpenSSL 1.0.1i which causes errors on certificates without a proper signature algorithm OID. This basically means that certificates without signatures are no longer valid, which is exactly what See http://openssl.6102.n7.nabble.com/Behavior-change-in-1-0-1i-crypto-tp53321p53356.html for reference.

A small test running on CentOS 5 with OpenSSL 1.0.1l and CentOS 6 with the default system OpenSSL (1.0.1e) shows the difference between the versions. Shortened test case from test_crypto.py:

from datetime import datetime
from OpenSSL.crypto import X509, FILETYPE_PEM, load_privatekey, dump_certificate
from OpenSSL.test.util import b
client_key_pem = b("""-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----""")
cert = X509()
cert.set_pubkey(load_privatekey(FILETYPE_PEM, client_key_pem))
cert.get_subject().commonName = "Unit Tests"
cert.get_issuer().commonName = "Unit Tests"
when = b(datetime.now().strftime("%Y%m%d%H%M%SZ"))
cert.set_notBefore(when)
cert.set_notAfter(when)
cert.add_extensions([])
dump_certificate(FILETYPE_PEM, cert)

OpenSSL 1.0.1e produces:
And OpenSSL 1.0.1l:
Note the The proper fix would probably be to self-sign the certificate first before calling |
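The fix suggested in the comment above (self-sign the certificate before serializing it) can be written as below. This is an added example, not code from this thread or from pyOpenSSL's test suite; the helper names `build_unsigned_cert`, `is_signed` and `dump_pem`, the throwaway 2048-bit key and the one-hour validity are assumptions.

```python
# Added example (not from the issue thread): sign an X509 before serializing it.
from OpenSSL import crypto


def build_unsigned_cert(key, common_name="Unit Tests"):
    """Build a certificate like the thread's test case, without signing it."""
    cert = crypto.X509()
    cert.set_serial_number(1)
    cert.get_subject().commonName = common_name
    cert.set_issuer(cert.get_subject())
    cert.set_pubkey(key)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(3600)  # constructed one-hour validity
    return cert


def is_signed(cert):
    """True once a signature algorithm OID is present on the certificate."""
    try:
        cert.get_signature_algorithm()
    except ValueError:  # pyOpenSSL raises this for an undefined algorithm
        return False
    return True


def dump_pem(cert, signing_key, digest="sha256"):
    """Serialize to PEM, self-signing first if the cert has no signature."""
    if not is_signed(cert):
        cert.sign(signing_key, digest)
    return crypto.dump_certificate(crypto.FILETYPE_PEM, cert)


def demo():
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)  # throwaway key, generated here
    cert = build_unsigned_cert(key)
    before = is_signed(cert)
    pem = dump_pem(cert, key)
    reloaded = crypto.load_certificate(crypto.FILETYPE_PEM, pem)
    return before, is_signed(reloaded), pem


if __name__ == "__main__":
    before, after, pem = demo()
    print("signed before dump:", before)
    print("signed after reload:", after)
    print(pem.decode().splitlines()[0])
```

Because the signature is added before `dump_certificate` is called, the same code path works whether or not the linked OpenSSL rejects certificates with an undefined signature algorithm.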
Just for reference - the OpenSSL X509 dump. OpenSSL 1.0.1e:
OpenSSL 1.0.1l:
|
I'm seeing the same errors on OpenSSL 1.0.2 now. https://travis-ci.org/pyca/pyopenssl/jobs/51081537 I'm starting to incorporate all of these fixes in my PR #193 as it's all cropped up with the latest OpenSSL 1.0.2. |
Thanks, I can confirm that the test suite runs now cleanly with the fixes in #193 for both OpenSSL >= and < 1.0.1i. |
The tests in the original message are still failing in the same way with 0.15 and cryptography 0.8.2-1 |
I understand this issue has been fixed in #193. Please reopen if it’s still present. |
When building pyopenssl 0.14 on Debian (with python-cryptography 0.5.2) I got this error when running tests in a clean chroot: