pyopenssl
Crypto fail on SCT retrieval
When executing this code (http://hastebin.com/arinusefex.py) on "twitter.com" (which only displays basic information and the X509 extensions of the certificate), it raises an exception on the last extension, whose OID is 1.3.6.1.4.1.11129.2.4.2.
1.3.6.1.4.1.11129.2.4.2 is the OID for certificate transparency (RFC 6962). Since your install (and indeed almost all installs) of OpenSSL doesn't know this extension, an error is raised when __str__ is called, which calls X509V3_EXT_print. pyOpenSSL should definitely just provide a __str__ of "unknown extension" or something when it encounters an OID it doesn't recognize.
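Added example, not part of the thread or of pyOpenSSL: a standard-library decoder for the content of this extension, following the RFC 6962 SignedCertificateTimestampList layout, for cases where the linked OpenSSL cannot print it. It assumes the raw extension value bytes have already been extracted from the certificate; the function names and the sample value are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"  # OID quoted in the thread

def take(buf, pos, n):
    """Return (buf[pos:pos+n], pos+n), refusing to read past the end."""
    if pos + n > len(buf):
        raise ValueError("truncated SCT data")
    return buf[pos:pos + n], pos + n

def der_octet_string(data):
    """Strip one DER OCTET STRING header (tag 0x04) and return the content."""
    if len(data) < 2 or data[0] != 0x04:
        raise ValueError("expected DER OCTET STRING")
    length, pos = data[1], 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        raw, pos = take(data, 2, length & 0x7F)
        length = int.from_bytes(raw, "big")
    if pos + length != len(data):
        raise ValueError("DER length does not match data")
    return data[pos:]

def parse_sct_list(ext_value):
    """Decode the raw extension value into a list of SCT dicts."""
    body = der_octet_string(ext_value)
    raw, pos = take(body, 0, 2)
    if struct.unpack(">H", raw)[0] != len(body) - 2:
        raise ValueError("SCT list length mismatch")
    scts = []
    while pos < len(body):
        raw, pos = take(body, pos, 2)
        sct, pos = take(body, pos, struct.unpack(">H", raw)[0])
        head, p = take(sct, 0, 43)  # version, log id, timestamp, ext length
        version, log_id, ts_ms, ext_len = struct.unpack(">B32sQH", head)
        _, p = take(sct, p, ext_len)  # CtExtensions, skipped here
        raw, p = take(sct, p, 4)  # hash alg, signature alg, signature length
        hash_alg, sig_alg, sig_len = struct.unpack(">BBH", raw)
        sig, p = take(sct, p, sig_len)
        if p != len(sct):
            raise ValueError("trailing bytes in SCT")
        scts.append({"version": version, "log_id": log_id.hex(),
                     "timestamp": datetime.fromtimestamp(ts_ms / 1000, timezone.utc),
                     "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": sig})
    return scts

def constructed_sample():
    """Constructed test value: one SCT with a dummy log id and signature."""
    sct = struct.pack(">B32sQH", 0, bytes(range(32)), 1400000000000, 0)
    sct += struct.pack(">BBH", 4, 3, 2) + b"\x30\x00"  # sha256, ecdsa, 2 bytes
    lst = struct.pack(">H", len(sct)) + sct
    body = struct.pack(">H", len(lst)) + lst
    return bytes([0x04, len(body)]) + body
```

The decoder only unpacks the structure; it does not verify the SCT signature against a log's public key.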
Thank you. Additionally, would you have any idea as to why my openssl command seems to be able to display the information properly and pyopenssl can't?
What version of openssl? I can parse CT Precertificate SCTs with 1.0.2, but it's possible your pyopenssl isn't linked against that. To test you can run:
python -c "import OpenSSL.SSL; print(OpenSSL.SSL.SSLeay_version(OpenSSL.SSL.SSLEAY_VERSION))"
It prints out OpenSSL 1.0.1f 6 Jan 2014
and openssl version also returns OpenSSL 1.0.1f 6 Jan 2014
Hmm, I'm not sure why you're having problems then. I believe x509 -text uses the same X509V3_EXT_print function we're calling, but maybe I'm mistaken?
After reading some code, it would seem (not sure at all, correct me if I'm wrong) that cffi compiles Python wrappers to call X509V3_EXT_print (and a bunch of other functions). Maybe the problem comes from the wrapper?