pyca / pyopenssl Goto Github PK

View Code? Open in Web Editor NEW

861.0 53.0 416.0 10.13 MB

A Python wrapper around the OpenSSL library

Home Page: https://pyopenssl.org/

License: Apache License 2.0

Python 100.00%

python cryptography openssl tls ssl

pyopenssl's Introduction

pyOpenSSL -- A Python wrapper around the OpenSSL library

Note: The Python Cryptographic Authority strongly suggests the use of pyca/cryptography where possible. If you are using pyOpenSSL for anything other than making a TLS connection you should move to cryptography and drop your pyOpenSSL dependency.

High-level wrapper around a subset of the OpenSSL library. Includes

SSL.Connection objects, wrapping the methods of Python's portable sockets
Callbacks written in Python
Extensive error-handling mechanism, mirroring OpenSSL's error codes

... and much more.

You can find more information in the documentation. Development takes place on GitHub.

Discussion

If you run into bugs, you can file them in our issue tracker.

We maintain a cryptography-dev mailing list for both user and development discussions.

You can also join #pyca on irc.libera.chat to ask questions or get involved.

pyopenssl's People

Contributors

Stargazers

Watchers

Forkers

reaperhulk alex chevah kouk sholsapp m3rck manuels cjalmeida fedor-brunner ivoz andrew-d smurfix amluto exarkun hellais stewrutledge lvh oberstet jgiannuzzi cms26 lukasa twkang bluehorn tougbia09 pchc2005 openstack-hyper-v-python mytemp cajahop ekohl pombredanne caliel lejeunen hysuh rackerlabs imo ahwang-gcmlp zbyte64 jknightihiji wanbin2014 crc32a ezc anilsarma peter-ryan skconcentrate tempbottle grooverdan caseyding osakaaa gene1wood jacknjzhou xfredcox azur256 p2pteam mapmyfitness afdnlw hasimir eagafonov zenithpolar bwhmather edevil tpherndon marklee77 jenstimmerman yliuhb rightpeter yanziqiguo pengvan brenhilt ntmartin biswapanda richmoore mhils sp1l samucc abrahammartin ttanner bigboss21x tengfei1010 schlenk endreszabo flowerhack glyph ihamburglar finallybiubiu kuba denismo carletes mo0feng opsweb markrechler tlevine yingzixiaoyuan hityufei modulexcite peakrisk aalba6675 stjoannou yd0str overcastcloud yewang15215

pyopenssl's Issues

pyOpenSSL doesn’t cope with error routines returning None

I wanted to play around with pyOpenSSL’s alpha release and our new TLS features in Twisted and ran into a problem: If I build cryptography with homebrew’s OpenSSL (1.0.1e), I get the following traceback:

Traceback (most recent call last):
  File "treq_ciphers.py", line 4, in <module>
    import treq
  File "/Users/hynek/.virtualenvs/6a9b7aac7004383e/lib/python2.7/site-packages/treq/__init__.py", line 3, in <module>
    from treq.api import head, get, post, put, patch, delete, request
  File "/Users/hynek/.virtualenvs/6a9b7aac7004383e/lib/python2.7/site-packages/treq/api.py", line 1, in <module>
    from treq.client import HTTPClient
  File "/Users/hynek/.virtualenvs/6a9b7aac7004383e/lib/python2.7/site-packages/treq/client.py", line 9, in <module>
    from twisted.web.client import (
  File "/Users/hynek/Projects/Twisted/twisted/web/client.py", line 31, in <module>
    from twisted.web import http
  File "/Users/hynek/Projects/Twisted/twisted/web/http.py", line 93, in <module>
    from twisted.internet import interfaces, reactor, protocol, address
  File "/Users/hynek/Projects/Twisted/twisted/internet/reactor.py", line 38, in <module>
    from twisted.internet import default
  File "/Users/hynek/Projects/Twisted/twisted/internet/default.py", line 56, in <module>
    install = _getInstallFunction(platform)
  File "/Users/hynek/Projects/Twisted/twisted/internet/default.py", line 50, in _getInstallFunction
    from twisted.internet.selectreactor import install
  File "/Users/hynek/Projects/Twisted/twisted/internet/selectreactor.py", line 18, in <module>
    from twisted.internet import posixbase
  File "/Users/hynek/Projects/Twisted/twisted/internet/posixbase.py", line 24, in <module>
    from twisted.internet import error, udp, tcp
  File "/Users/hynek/Projects/Twisted/twisted/internet/tcp.py", line 29, in <module>
    from twisted.internet._newtls import (
  File "/Users/hynek/Projects/Twisted/twisted/internet/_newtls.py", line 21, in <module>
    from twisted.protocols.tls import TLSMemoryBIOFactory, TLSMemoryBIOProtocol
  File "/Users/hynek/Projects/Twisted/twisted/protocols/tls.py", line 44, in <module>
    Connection(Context(TLSv1_METHOD), None)
  File "/Users/hynek/.virtualenvs/6a9b7aac7004383e/lib/python2.7/site-packages/OpenSSL/SSL.py", line 269, in __init__
    _raise_current_error()
  File "/Users/hynek/.virtualenvs/6a9b7aac7004383e/lib/python2.7/site-packages/OpenSSL/_util.py", line 14, in exception_from_error_queue
    ffi.string(lib.ERR_func_error_string(error)),
  File "/Users/hynek/.virtualenvs/6a9b7aac7004383e/lib/python2.7/site-packages/cffi/api.py", line 251, in string
    return self._backend.string(cdata, maxlen)
RuntimeError: cannot use string() on <cdata 'char *' NULL>

It does not happen with OS X’s shipped OpenSSL (0.9.8y)
It does not happen on Ubuntu 12.04 LTS.
It does not happen with PyOpenSSL 0.13.1
I tried older Twisted versions too and it happens all the way back to 12.3.0.

disparity between methods accepting filenames as `bytes` or `str`

I upgraded from 0.13.1 to 0.14 and got several errors. One was that several methods that took filenames have been changed to only accept binary strings instead of regular unicode strings. So, in py3, bytes instead of str.

I think 0.13.1 actually had the opposite situation for some of those same methods where it only accepted a unicode string and not a binary string.

I think the underlying C library uses binary strings (ie no encoding enforced), so it makes sense to use that (on *nix). However, the python wrapper should be able to accept both and translate accordingly.

OpenSSL.test.test_ssl.ConnectionTests.test_wantWriteError() fails with "AssertionError: Failed to fill socket buffer, cannot test BIO want write"

OpenSSL.test.test_ssl.ConnectionTests.test_wantWriteError() fails in the same way with each version of Python (2.6, 2.7, 3.1, 3.2, 3.3, 3.4).
OpenSSL 1.0.1f, cryptography 0.2.2, Gentoo GNU/Linux.

======================================================================
FAIL: test_wantWriteError (OpenSSL.test.test_ssl.ConnectionTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/pyopenssl/OpenSSL/test/test_ssl.py", line 1925, in test_wantWriteError
    "Failed to fill socket buffer, cannot test BIO want write")
AssertionError: Failed to fill socket buffer, cannot test BIO want write

======================================================================

It is failure in earlier part of test function than in issue #37.

Support ALPN / NPN

pyOpenSSL should support ALPN/NPN since OpenSSL now supports it:

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6f017a8f9db3a79f3a3406cf8d493ccd346db691

Version Weirdness in PyPI

PyPI says that it's currently serving 0.14 and Github says that its last release is 0.14, yet X509Req.get_extensions() exists in GitHub, but not in PyPI.

Can you look into this? I have an an immediate need for it.

Thanks.

Extensions support in CRL object

How to add extensions to a crypto.CRL object? Is it possible? What about the version attribute?

verify raises a TypeError

Following the pyOpenSSL documentation (http://pythonhosted.org//pyOpenSSL/api/crypto.html), the verify method accepts as input the following parameters: certificate, signature, data, digest. The same documentation says that "data is a str instance giving the data to which the signature applies".

This works well using pyOpenSSL 0.13 but when using pyOpenSSL 0.14, the method raises the following exception:

TypeError: 'initializer for ctype 'void *' must be a cdata pointer, not unicode'

This error is reproducible using pyOpenSSL 0.14 either in Python 2.7 or 3.3, and Django 1.6. I'm using Ubuntu 14.04 and OpenSSL 1.0.1f (1.0.1f-1ubuntu2).

The error is solved if using .encode()

expose X509_verify_cert in some way

I'd like to have some heuristics in Twisted for determining whether the system “probably” has some valid trust roots, so that the verification-failure error contains an explanation that a system administrator might be able to use to understand how to fetch some and actually have sensible certificate verification, rather than getting frustrated and falling back to plaintext.

One way to have such a heuristic (given that OpenSSL itself doesn't appear to expose any way to enumerate the certificates within an X509_STORE*) is to have some cached offline “known good” and “known bad” certificates and attempt to verify them and see what happens; the API to do this doesn't seem to be exposed by pyOpenSSL.

test_digest FAIL on FreeBSD and Windows (openssl 1.0.1f)

===============================================================================
[FAIL]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/unittest/case.py", line 331, in run
    testMethod()
  File "/home/kouk/code/pyopenssl/OpenSSL/test/test_crypto.py", line 1454, in test_digest
    b("A8:EB:07:F8:53:25:0A:F2:56:05:C5:A5:C4:C4:C7:15"))
  File "/usr/local/lib/python2.7/unittest/case.py", line 515, in assertEqual
    assertion_func(first, second, msg=msg)
  File "/usr/local/lib/python2.7/unittest/case.py", line 508, in _baseAssertEqual
    raise self.failureException(msg)
exceptions.AssertionError: 'C1:B5:90:A4:41:11:C8:30:BF:D4:AA:78:13:46:66:59' != 'A8:EB:07:F8:53:25:0A:F2:56:05:C5:A5:C4:C4:C7:15'

OpenSSL.test.test_crypto.X509Tests.test_digest
-------------------------------------------------------------------------------

This on FreeBSD 9.2-RELEASE #0 r255898, amd64 with cryptography compiled against OpenSSL 1.0.1f 6 Jan 2014. Same thing also on Windows 8 64 bit with the same OpenSSL version.

There are other failures as well but they are being addressed in separate issues.

provide user a notice to recompile pyOpenSSL against OpenSSL 1.0.1g

the following is a wrong issue reported by me (evilaliv3). sorry for the inconvenience.

given the vulnerability https://www.openssl.org/news/secadv_20140407.txt that affects OpenSSL 1.0.1 and 1.0.2-beta, it would be important to provide pyOpenSSL users a security notice in order to invite them to recompile pyOpenSSL on production environments against OpenSSL 1.0.1g.

Steps to do so:
[INSTALL OpenSSL 1.0.1g, it depends on the distribution used]
pip uninstall pyOpenssl -y
pip install pyOpenssl==0.14
[restart deployed applications]

signal in packaging metadata that heartbleed vuln has been removed

For context (about how we are struggling to mitigate heartbleed's threat to our users), please see https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2215 and https://tahoe-lafs.org/pipermail/tahoe-dev/2014-April/008988.html .

Could you please make new releases of pyOpenSSL, named "0.14.1" and (for people like us who can't upgrade to the cffi-based build system yet) "0.13.1". The ".1"'s in these version numbers would serve as a signal, visible within the Python packaging metadata, that this particular package was built by someone who is aware of heartbleed and they intended to remove the heartbleed vuln from this package. Then Tahoe-LAFS (and Foolscap, and Twisted, etc.) can depend on "pyOpenSSL == 0.13.1, >= 0.14.1", to indicate their desire to listen to this signal.

Then the pyOpenSSL setup.py can help the builder of the package send the correct signal, by checking the version number of OpenSSL and refusing to build if it is one of the version numbers that had (in the upstream OpenSSL release) the heartbleed vuln.

Now, Debian and Ubuntu ship OpenSSL libraries which have a patch to fix the vuln but which still report the original upstream OpenSSL version numbers. No problem! When they build pyOpenSSL v0.13.1 and v0.14.1 packages, they will patch out that check that pyOpenSSL's setup.py does (or perhaps pyOpenSSL will offer a "--affirm-heartbleed-fix-is-present" build-time option for this), in order for them to correctly send the signal that their Debian/Ubuntu "python-openssl 0.13.1" or "python-openssl 0.14.1" package does not have the vuln.

Add API for getting the options of a Context object

I want this for testing. Today I found that I had a totally useless unit test because of a discrepancy between my FakeContext(Factory) and a real context factory from Twisted. The only reason the fake class exists is that Context isn't really very introspectable...

Like #61, there's a good chance this requires cryptography to expose some stuff first.

Support Python 3.4

This is probably easy. travis can test it now, too.

Install and internals documentation

Documentation talks about building an extension, but with the new code the extension building steps were move the the external cryptography project.

Is this version still tested on Solaris 2.6 and 2.7 ?

It would be nice to have a list of tested platforms.

With the new changes, is the documentation for internals still valid https://github.com/pyca/pyopenssl/blob/master/doc/internals.rst ?

No need to rewrite it now, but maybe a warning would help so that developers will read those lines with great care.

Thanks!

Problems getting certificates from P12

The get_privatekey() and get_certificate().get_pubkey() don't allow access to the PEM/DER key-data.

>>> with open('certificate.p12', 'rb') as f:
...   p = f.read()
...
>>> c = load_pkcs12(p, 'passphrase')
>>> dir(c.get_privatekey())
['__class__', '__delattr__', '__doc__', '__format__', '__getattribute__', '__hash__', '__init__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'bits', 'check', 'generate_key', 'type']

PyOpenSSL doesn’t find any ciphers on OS X with a brewed (and thus recent) OpenSSL

Brewed or self-compiled OpenSSL’s are the only way ATM to get SSL support on OS X that isn’t completely pathetic.

As of now, if I run the script from https://gist.github.com/dreid/1c491ce3826d1c0541de , PyOpenSSL explodes (exposing issue #3, if I work around that I get the error message that no ciphers have been found); it works with the ancient (0.9.8y) system OpenSSL though.

Digging around has shown that adding

from cryptography.hazmat.bindings.openssl.binding import Binding
b = Binding()
b.lib.SSL_library_init()

at the beginning of the script from the gist makes it work.

My best guess would be that the system OpenSSL gets initialized as some side-effect from my system Python which it is linked against.

allow me to set basicConstraints so I can set certificate chains

https://www.openssl.org/docs/apps/x509v3_config.html#Basic_Constraints_

I was trying to write a test case that verified a certificate chain "for real" and I noticed that there doesn't seem to be a way to set basicConstraints so that OpenSSL thinks an intermediate certificate is a valid CA.

FAIL: test_set_verify_callback_exception on FreeBSD (pyopenssl 0.14)

OS: FreeBSD 9.2-STABLE #0 r260870
Python: 2.7.6

======================================================================
FAIL: test_set_verify_callback_exception (OpenSSL.test.test_ssl.ContextTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/mnt/home/user/repos/freebsd/ports/security/py-openssl/work/pyca-pyopenssl-0146d44/OpenSSL/test/test_ssl.py", line 1002, in test_set_verify_callback_exception
    Exception, self._handshake_test, serverContext, clientContext)
  File "/mnt/home/user/repos/freebsd/ports/security/py-openssl/work/pyca-pyopenssl-0146d44/OpenSSL/test/util.py", line 270, in failUnlessRaises
    % (exception.__name__, result))
AssertionError: Exception not raised (None returned)
----------------------------------------------------------------------

SSL.OP_ALL is not an integer and OpenSSL.SSL.Context.set_option() requires an integer.

This is what I got:

(Pdb) SSL.OP_ALL
2147486719L
(Pdb) context.set_options(self._OP_ALL)
*** TypeError: options must be an integer
(Pdb)

Python 2.7.3
pyopenssl 0.14a3
latest published version of cryptography , cffi, pycparse, six...etc
Ubuntu 12.04 - 32
OpenSSL 1.0.1 14 Mar 2012

Thanks!

Windows Binaries

Hi there,

now that pyOpenSSL 0.14 is seemingly released, could you please provide (win32) binaries? This might be especially valueable as compiling with mingw32 doesn't work out of the box on Windows right now.

Thanks!
Max

Better Diffie-Hellman Parameter APIs

Currently there’s only one API for DH parameters that both loads and sets them on a context (Context.load_tmp_dh).

There should be APIs to do these steps separately: i.e. load into memory and set on an context.

test_export sometimes fails because of the passage of time

OpenSSL.test.test_crypto.CRLTests.test_export compares the string representations of two CRL objects.

From time to time the two objects differ in a specific way. One will include a section something like Last Update: Apr 19 22:36:25 2014 GMT and the other will have a string like Last Update: Apr 19 22:36:26 2014 GMT in the same place.

This is not a signal that the implementation is broken. It's just a reflection of the fact that the seconds value might turn over in between generation of the two strings.

The test should be robust against this circumstance so it doesn't spuriously fail sometimes.

allow for inspection of previously-set callbacks

APIs like set_info_callback don't have any way to retrieve the previously-set callback, so there's no way to non-destructively have two different libraries obtain information from the same context.

I'm having some issues with preserving compatibility guarantees within Twisted for folks who have set up their own Context objects.

setup.py doesn't use install_requires to install cryptography

Basically doing pip install <pyopenssl> doesn't actually install cryptography. This can be done by using setuptools and install_requires=["cryptography"] in the call to setup().

Connection.state_string() returns None

Connection.state_string() is defined and documented but its an empty method. If it is not possible to fix it (yet) could a call to this method raise a NotImplementedError or such alike?

OpenSSL.test.test_ssl.ContextTests.test_set_default_verify_paths() error with absent network connection

OpenSSL.test.test_ssl.ContextTests.test_set_default_verify_paths() triggers error when network connection is absent. It is the only test in pyOpenSSL test suite with this problem.

======================================================================
ERROR: test_set_default_verify_paths (OpenSSL.test.test_ssl.ContextTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/pyopenssl/OpenSSL/test/test_ssl.py", line 930, in test_set_default_verify_paths
    client.connect(('verisign.com', 443))
socket.gaierror: [Errno -3] Temporary failure in name resolution

======================================================================

Possible fix:

--- OpenSSL/test/test_ssl.py
+++ OpenSSL/test/test_ssl.py
@@ -8,7 +8,7 @@
 from gc import collect, get_referrers
 from errno import ECONNREFUSED, EINPROGRESS, EWOULDBLOCK, EPIPE, ESHUTDOWN
 from sys import platform, version_info
-from socket import SHUT_RDWR, error, socket
+from socket import SHUT_RDWR, error, gaierror, socket
 from os import makedirs
 from os.path import join
 from unittest import main
@@ -927,7 +927,11 @@
                 lambda conn, cert, errno, depth, preverify_ok: preverify_ok)

             client = socket()
-            client.connect(('verisign.com', 443))
+            try:
+                client.connect(('verisign.com', 443))
+            except gaierror:
+                # Absent network connection or verisign.com inaccessible.
+                return
             clientSSL = Connection(context, client)
             clientSSL.set_connect_state()                                                                                                                   
             clientSSL.do_handshake()

unable to install

I was trying to insatll pyopenssl on my mac using python setup.py install. I got the following error message:

Traceback (most recent call last):
  File "setup.py", line 75, in <module>
    test_suite="OpenSSL")
  File "/Users/Wu/anaconda/lib/python2.7/distutils/core.py", line 152, in setup
    dist.run_commands()
  File "/Users/Wu/anaconda/lib/python2.7/distutils/dist.py", line 953, in run_commands
    self.run_command(cmd)
  File "/Users/Wu/anaconda/lib/python2.7/distutils/dist.py", line 972, in run_command
    cmd_obj.run()
  File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/install.py", line 74, in run
  File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/install.py", line 97, in do_egg_install
  File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/easy_install.py", line 358, in run
  File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/easy_install.py", line 574, in easy_install
  File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/easy_install.py", line 625, in install_item
  File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/easy_install.py", line 671, in process_distribution
  File "build/bdist.macosx-10.5-x86_64/egg/pkg_resources.py", line 580, in resolve
  File "build/bdist.macosx-10.5-x86_64/egg/pkg_resources.py", line 818, in best_match
  File "build/bdist.macosx-10.5-x86_64/egg/pkg_resources.py", line 830, in obtain
  File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/easy_install.py", line 593, in easy_install
  File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/easy_install.py", line 623, in install_item
  File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/easy_install.py", line 809, in install_eggs
  File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/easy_install.py", line 1015, in build_and_install
  File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/easy_install.py", line 1000, in run_setup
  File "build/bdist.macosx-10.5-x86_64/egg/setuptools/sandbox.py", line 50, in run_setup
  File "build/bdist.macosx-10.5-x86_64/egg/setuptools/sandbox.py", line 100, in run
  File "build/bdist.macosx-10.5-x86_64/egg/setuptools/sandbox.py", line 52, in <lambda>
  File "setup.py", line 156, in <module>

  File "/Users/Wu/anaconda/lib/python2.7/distutils/core.py", line 152, in setup
    dist.run_commands()
  File "/Users/Wu/anaconda/lib/python2.7/distutils/dist.py", line 953, in run_commands
    self.run_command(cmd)
  File "/Users/Wu/anaconda/lib/python2.7/distutils/dist.py", line 971, in run_command
    cmd_obj.ensure_finalized()
  File "/Users/Wu/anaconda/lib/python2.7/distutils/cmd.py", line 109, in ensure_finalized
    self.finalize_options()
  File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/bdist_egg.py", line 108, in finalize_options
  File "/Users/Wu/anaconda/lib/python2.7/distutils/cmd.py", line 312, in get_finalized_command
    cmd_obj.ensure_finalized()
  File "/Users/Wu/anaconda/lib/python2.7/distutils/cmd.py", line 109, in ensure_finalized
    self.finalize_options()
  File "/Users/Wu/anaconda/lib/python2.7/distutils/command/bdist.py", line 99, in finalize_options
    self.plat_name = self.get_finalized_command('build').plat_name
  File "/Users/Wu/anaconda/lib/python2.7/distutils/cmd.py", line 312, in get_finalized_command
    cmd_obj.ensure_finalized()
  File "/Users/Wu/anaconda/lib/python2.7/distutils/cmd.py", line 109, in ensure_finalized
    self.finalize_options()
  File "setup.py", line 75, in finalize_options
    test_suite="OpenSSL")
  File "/var/folders/wq/b5fcrhb931sbwq721hprjkc00000gn/T/easy_install-7fYQvg/cryptography-0.3/cryptography/hazmat/bindings/openssl/binding.py", line 83, in __init__
  File "/var/folders/wq/b5fcrhb931sbwq721hprjkc00000gn/T/easy_install-7fYQvg/cryptography-0.3/cryptography/hazmat/bindings/openssl/binding.py", line 99, in _ensure_ffi_initialized
  File "/var/folders/wq/b5fcrhb931sbwq721hprjkc00000gn/T/easy_install-7fYQvg/cryptography-0.3/cryptography/hazmat/bindings/utils.py", line 77, in build_ffi
  File "/private/var/folders/wq/b5fcrhb931sbwq721hprjkc00000gn/T/easy_install-7fYQvg/cryptography-0.3/cffi-0.8.2-py2.7-macosx-10.5-x86_64.egg/cffi/api.py", line 341, in verify
  File "/private/var/folders/wq/b5fcrhb931sbwq721hprjkc00000gn/T/easy_install-7fYQvg/cryptography-0.3/cffi-0.8.2-py2.7-macosx-10.5-x86_64.egg/cffi/verifier.py", line 75, in load_library
  File "/private/var/folders/wq/b5fcrhb931sbwq721hprjkc00000gn/T/easy_install-7fYQvg/cryptography-0.3/cffi-0.8.2-py2.7-macosx-10.5-x86_64.egg/cffi/verifier.py", line 151, in _load_library
  File "/private/var/folders/wq/b5fcrhb931sbwq721hprjkc00000gn/T/easy_install-7fYQvg/cryptography-0.3/cffi-0.8.2-py2.7-macosx-10.5-x86_64.egg/cffi/vengine_cpy.py", line 138, in load_library
cffi.ffiplatform.VerificationError: importing '/var/folders/wq/b5fcrhb931sbwq721hprjkc00000gn/T/easy_install-7fYQvg/cryptography-0.3/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_48bbf0ebx93c91939.so': dlopen(/var/folders/wq/b5fcrhb931sbwq721hprjkc00000gn/T/easy_install-7fYQvg/cryptography-0.3/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_48bbf0ebx93c91939.so, 2): Library not loaded: libcrypto.1.0.0.dylib
  Referenced from: /var/folders/wq/b5fcrhb931sbwq721hprjkc00000gn/T/easy_install-7fYQvg/cryptography-0.3/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_48bbf0ebx93c91939.so
  Reason: image not found

Can anyone help? Thanks.

About errors of _util.py and crypto.py of pyOpenSSL

Just picked up pyOpenSSL coding, and the same error cannot be debugged. It's just the most basical implementation of loading private key and signing something. Here's my code:

from OpenSSL.crypto import load_privatekey, FILETYPE_PEM, sign
import base64
key = load_privatekey(FILETYPE_PEM, open("C:\Users\Gio\SSL\gioCA\newcerts\01.pem").read())
content = "test_message"
d = sign(key, content, 'sha1')
b = base64.b64encode(d)
print(b)

And the errors are as below:
Traceback (most recent call last):
File "F:\workspace\myFirst\encrytion.py", line 5, in
key = load_privatekey(FILETYPE_PEM, open("C:\Users\Gio\SSL\gioCA\newcerts\01.pem").read())
File "C:\Python33\lib\site-packages\pyOpenSSL-0.14-py3.3.egg\OpenSSL\crypto.py", line 2010, in load_privatekey
File "C:\Python33\lib\site-packages\pyOpenSSL-0.14-py3.3.egg\OpenSSL_util.py", line 22, in exception_from_error_queue
OpenSSL.crypto.Error: []

Can anyone solve this problem?

test_WantReadError fails on OSX 10.8

Using system Python (2.7.2) and OpenSSL (0.9.8y) I consistently see the following test failure:

======================================================================
FAIL: test_wantWriteError (OpenSSL.test.test_ssl.ConnectionTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/Users/jerith/code/pyopenssl/OpenSSL/test/test_ssl.py", line 1780, in test_wantWriteError
    self.assertRaises(WantWriteError, conn.do_handshake)
  File "/Users/jerith/code/pyopenssl/OpenSSL/test/util.py", line 262, in failUnlessRaises
    exception.__name__,
AssertionError: <class 'OpenSSL.SSL.WantReadError'> raised instead of WantWriteError

----------------------------------------------------------------------

Enable people to validate OSCP staples

@reaperhulk and I discussed this with @jamielennox. pyOpenSSL seems like a reasonable place to start this discussion. ccing: @hynek since I bet he has opinions.

Fix regressions in support for bytes / unicode in certain APIs

In previous pyopenssl versions the API was fine with accepting strings as Unicode.

For example this was a valid code, which no longer works in latest version. Context.set_cipher_list(u'ALL')

The migration should not be a big deal, but I think that this needs to be documented.

Also, handling unicode paths in a cross-platform code is a bit messy since Python API on Linux sometimes accepts Unicode, sometimes byte string (depending on environment), and on Windows you always have to pass the path a Unicode.

Maybe OpenSSL.test.util.TestCase.mktemp should be changed to always return a unicode path, example via mktemp(dir='.', suffix=UNICODE_TEST_MARKER)

Thanks!

Context.set_info_callback now pass Context to callback but in the past a SSLConnection was passed

callback is defined as (copied from test)

      def info(conn, where, ret):
            called.append((conn, where, ret))
        context = Context(TLSv1_METHOD)
        context.set_info_callback(info)

In previous pyOpenSSL version conn was OpenSSL.SSL.Connection

In latest version it is OpenSSL.SSL.Context.

As stated by the comment, the test current test is lame:

https://github.com/pyca/pyopenssl/blob/master/OpenSSL/test/test_ssl.py#L711

I hope that the latest version can be fixed to obtain the connection in the callback as getting the Context is not much help as the code should already have a reference to the Context.

Thanks!

verify callback gets Context instead of Connection

What I haven't been able to fix is the verify callback called in set_verify. The docs still say the first object passed is a "A Connection object", but I am now getting a "OpenSSL.SSL.Context object".

Is this an issue with the docs or the code?

ERROR: test_set_default_verify_paths on NetBSD

I see a test failure with pyOpenSSL-0.14 and cryptography-0.2.2:

ERROR: test_set_default_verify_paths (OpenSSL.test.test_ssl.ContextTests)

Traceback (most recent call last):
File "/scratch/security/py-OpenSSL/work/pyOpenSSL-0.14/OpenSSL/test/test_ssl.py", line 933, in test_set_default_verify_paths
clientSSL.do_handshake()
File "/scratch/security/py-OpenSSL/work/pyOpenSSL-0.14/OpenSSL/SSL.py", line 1076, in do_handshake
self._raise_ssl_error(self._ssl, result)
File "/scratch/security/py-OpenSSL/work/pyOpenSSL-0.14/OpenSSL/SSL.py", line 871, in _raise_ssl_error
_raise_current_error()
File "/scratch/security/py-OpenSSL/work/pyOpenSSL-0.14/OpenSSL/_util.py", line 22, in exception_from_error_queue
raise exceptionType(errors)
OpenSSL.SSL.Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]

This is in a sandbox with no certificates installed, in case it matters, and openssl-1.0.1f.

KeyError thrown from test_closed

the test_closed unit test is failing on Windows because the errno attribute is set to zero (the winerror is used instead) and the _raise_ssl_error function asks for the errorcode[0] which throws a KeyError.


======================================================================
FAIL: test_closed (OpenSSL.test.test_ssl.ConnectionSendallTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "c:\users\konstantinos\documents\github\pyopenssl\OpenSSL\test\test_ssl.py", line 1937, in test_closed
    exc = self.assertRaises(SysCallError, server.sendall, b"hello, world")
  File "c:\users\konstantinos\documents\github\pyopenssl\OpenSSL\test\util.py", line 266, in failUnlessRaises
    exception.__name__,
AssertionError: <type 'exceptions.KeyError'> raised instead of SysCallError

----------------------------------------------------------------------
Ran 338 tests in 8.555s

FAILED (failures=1)

Can't get extensions from X509Req

Has this functionality been fixed? Is this the right area to ask this question?

def test_add_extensions(self):
    """  
    :py:obj:`X509Req.add_extensions` accepts a :py:obj:`list` of :py:obj:`X509Extension`
    instances and adds them to the X509 request.
    """
    request = X509Req()
    request.add_extensions([
            X509Extension(b('basicConstraints'), True, b('CA:false'))])
    # XXX Add get_extensions so the rest of this unit test can be written.

I'd like to add this functionality and wanted to know if using X509.c as a template was a good idea or not.

unable to install

Trying to install pyopenssl on python 2.7.6 (windows xp) using latest from git: python setup.py install

results in:
error: Setup script exited with error: Unable to find vcvarsall.bat

I don't see any requirement of visual studio for pyopenssl listed anywhere..

D:\pyopenssl>python setup.py install
running install
running bdist_egg
running egg_info
writing requirements to pyOpenSSL.egg-info\requires.txt
writing pyOpenSSL.egg-info\PKG-INFO
writing top-level names to pyOpenSSL.egg-info\top_level.txt
writing dependency_links to pyOpenSSL.egg-info\dependency_links.txt
reading manifest file 'pyOpenSSL.egg-info\SOURCES.txt'
reading manifest template 'MANIFEST.in'
warning: no previously-included files matching '*.pyc' found anywhere in distribution
no previously-included directories found matching 'doc\_build'
writing manifest file 'pyOpenSSL.egg-info\SOURCES.txt'
installing library code to build\bdist.win32\egg
running install_lib
running build_py
creating build\bdist.win32\egg
creating build\bdist.win32\egg\OpenSSL
copying build\lib\OpenSSL\crypto.py -> build\bdist.win32\egg\OpenSSL
copying build\lib\OpenSSL\rand.py -> build\bdist.win32\egg\OpenSSL
copying build\lib\OpenSSL\SSL.py -> build\bdist.win32\egg\OpenSSL
creating build\bdist.win32\egg\OpenSSL\test
copying build\lib\OpenSSL\test\test_crypto.py -> build\bdist.win32\egg\OpenSSL\test
copying build\lib\OpenSSL\test\test_rand.py -> build\bdist.win32\egg\OpenSSL\test
copying build\lib\OpenSSL\test\test_ssl.py -> build\bdist.win32\egg\OpenSSL\test
copying build\lib\OpenSSL\test\util.py -> build\bdist.win32\egg\OpenSSL\test
copying build\lib\OpenSSL\test\__init__.py -> build\bdist.win32\egg\OpenSSL\test
copying build\lib\OpenSSL\tsafe.py -> build\bdist.win32\egg\OpenSSL
copying build\lib\OpenSSL\version.py -> build\bdist.win32\egg\OpenSSL
copying build\lib\OpenSSL\_util.py -> build\bdist.win32\egg\OpenSSL
copying build\lib\OpenSSL\__init__.py -> build\bdist.win32\egg\OpenSSL
byte-compiling build\bdist.win32\egg\OpenSSL\crypto.py to crypto.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\rand.py to rand.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\SSL.py to SSL.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\test\test_crypto.py to test_crypto.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\test\test_rand.py to test_rand.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\test\test_ssl.py to test_ssl.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\test\util.py to util.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\test\__init__.py to __init__.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\tsafe.py to tsafe.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\version.py to version.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\_util.py to _util.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\__init__.py to __init__.pyc
creating build\bdist.win32\egg\EGG-INFO
copying pyOpenSSL.egg-info\PKG-INFO -> build\bdist.win32\egg\EGG-INFO
copying pyOpenSSL.egg-info\SOURCES.txt -> build\bdist.win32\egg\EGG-INFO
copying pyOpenSSL.egg-info\dependency_links.txt -> build\bdist.win32\egg\EGG-INFO
copying pyOpenSSL.egg-info\requires.txt -> build\bdist.win32\egg\EGG-INFO
copying pyOpenSSL.egg-info\top_level.txt -> build\bdist.win32\egg\EGG-INFO
zip_safe flag not set; analyzing archive contents...
creating 'dist\pyOpenSSL-0.14a4-py2.7.egg' and adding 'build\bdist.win32\egg' to it
removing 'build\bdist.win32\egg' (and everything under it)
Processing pyOpenSSL-0.14a4-py2.7.egg
Removing c:\python27\lib\site-packages\pyOpenSSL-0.14a4-py2.7.egg
Copying pyOpenSSL-0.14a4-py2.7.egg to c:\python27\lib\site-packages
pyOpenSSL 0.14a4 is already the active version in easy-install.pth

Installed c:\python27\lib\site-packages\pyopenssl-0.14a4-py2.7.egg
Processing dependencies for pyOpenSSL==0.14a4
Searching for cryptography>=0.1
Reading https://pypi.python.org/simple/cryptography/
Best match: cryptography 0.1
Downloading https://pypi.python.org/packages/source/c/cryptography/cryptography-0.1.tar.gz#md5=bdc1c5fe069deca7467b71a0cc538f17
Processing cryptography-0.1.tar.gz
Writing c:\docume~1\username\locals~1\temp\easy_install-dhbxc3\cryptography-0.1\setup.cfg
Running cryptography-0.1\setup.py -q bdist_egg --dist-dir c:\docume~1\username\locals~1\temp\easy_install-dhbxc3\cryptography-0.1\egg-dist-tmp-xgecl7
Searching for cffi>=0.6
Reading https://pypi.python.org/simple/cffi/
Best match: cffi 0.8.1
Downloading https://pypi.python.org/packages/source/c/cffi/cffi-.8.1.tar.gz#md5=1a877bf113bfe90fdefedbf9e39310d2
Processing cffi-0.8.1.tar.gz
Writing c:\docume~1\username\locals~1\temp\easy_install-dhbxc3\cryptography-0.1\temp\easy_install-3vl6qf\cffi-0.8.1\setup.cfg

Running cffi-0.8.1\setup.py -q bdist_egg --dist-dir c:\docume~1\username\locals~1\temp\easy_install-dhbxc3\cryptography-0.1\temp\easy_install-3vl6qf\cffi-0.8.1\egg-dist-tmp-hifh2a
error: Setup script exited with error: Unable to find vcvarsall.bat

LICENSE file doesn't specify copyright holder or year

From LICENSE:
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.

pip install error

distutils.errors.DistutilsError: Setup script exited with error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

I am using ubuntu 13.10

SSL_shutdown error codes are un-discoverable

The _raise_current_error in Connection.shutdown is incorrect because SSL_shutdown can result in SSL_ERR_WANT_WRITE or SSL_ERR_WANT_READ. The way you discover this, according to the official documentation, is:

If the underlying BIO is non-blocking, SSL_shutdown() will also return when the underlying BIO could not satisfy the needs of SSL_shutdown() to continue the handshake. In this case a call to SSL_get_error() with the return value of SSL_shutdown() will yield SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE.

The current behavior is that the error code is masked because the return code is lost.

FAIL: test_wantWriteError on FreeBSD (pyopenssl 0.14)

I'm not sure that #31 is actually fixed, but opted to create a new issue instead:

OS: FreeBSD 9.2-STABLE #0 r260870
Python: 2.7.6

======================================================================
FAIL: test_wantWriteError (OpenSSL.test.test_ssl.ConnectionTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/mnt/home/user/repos/freebsd/ports/security/py-openssl/work/pyca-pyopenssl-0146d44/OpenSSL/test/test_ssl.py", line 1931, in test_wantWriteError
    self.assertRaises(WantWriteError, conn.do_handshake)
  File "/mnt/home/user/repos/freebsd/ports/security/py-openssl/work/pyca-pyopenssl-0146d44/OpenSSL/test/util.py", line 266, in failUnlessRaises
    exception.__name__,
AssertionError: <class 'OpenSSL.SSL.WantReadError'> raised instead of WantWriteError
----------------------------------------------------------------------

X509_verify_cert_error_string went missing

This function had no unit tests and didn't get ported.

_asFileDescriptor raises TypeError: argument must be an int, or have a fileno() method.

On a 64bit build of Python on Windows 8 I tried to enable SNI support in pip. However I encountered an error because _asFileDescriptor assumes file descriptors are ints (when on my system they are longs).

PS C:\Users\Balena\Documents\GitHub\pyopenssl\OpenSSL> pip.exe install -i https://pypi.longaccess.io/simple treq
Downloading/unpacking treq
Cleaning up...
Exception:
Traceback (most recent call last):
  File "C:\Python27\lib\site-packages\pip\basecommand.py", line 122, in main
    status = self.run(options, args)
  File "C:\Python27\lib\site-packages\pip\commands\install.py", line 274, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "C:\Python27\lib\site-packages\pip\req\req_set.py", line 286, in prepare_files
    url = finder.find_requirement(req_to_install, upgrade=self.upgrade)
  File "C:\Python27\lib\site-packages\pip\index.py", line 194, in find_requirement
    page = self._get_page(main_index_url, req)
  File "C:\Python27\lib\site-packages\pip\index.py", line 568, in _get_page
    session=self.session,
  File "C:\Python27\lib\site-packages\pip\index.py", line 670, in get_page
    resp = session.get(url, headers={"Accept": "text/html"})
  File "C:\Python27\lib\site-packages\pip\_vendor\requests\sessions.py", line 395, in get
    return self.request('GET', url, **kwargs)
  File "C:\Python27\lib\site-packages\pip\download.py", line 237, in request
    return super(PipSession, self).request(method, url, *args, **kwargs)
  File "C:\Python27\lib\site-packages\pip\_vendor\requests\sessions.py", line 383, in request
    resp = self.send(prep, **send_kwargs)
  File "C:\Python27\lib\site-packages\pip\_vendor\requests\sessions.py", line 486, in send
    r = adapter.send(request, **kwargs)
  File "C:\Python27\lib\site-packages\pip\_vendor\requests\adapters.py", line 330, in send
    timeout=timeout
  File "C:\Python27\lib\site-packages\pip\_vendor\requests\packages\urllib3\connectionpool.py", line 480, in urlopen
    body=body, headers=headers)
  File "C:\Python27\lib\site-packages\pip\_vendor\requests\packages\urllib3\connectionpool.py", line 285, in _make_requ
st
    conn.request(method, url, **httplib_request_kw)
  File "C:\Python27\lib\httplib.py", line 973, in request
    self._send_request(method, url, body, headers)
  File "C:\Python27\lib\httplib.py", line 1007, in _send_request
    self.endheaders(body)
  File "C:\Python27\lib\httplib.py", line 969, in endheaders
    self._send_output(message_body)
  File "C:\Python27\lib\httplib.py", line 829, in _send_output
    self.send(msg)
  File "C:\Python27\lib\httplib.py", line 791, in send
    self.connect()
  File "C:\Python27\lib\site-packages\pip\_vendor\requests\packages\urllib3\connection.py", line 164, in connect
    ssl_version=resolved_ssl_version)
  File "C:\Python27\lib\site-packages\pip\_vendor\requests\packages\urllib3\contrib\pyopenssl.py", line 377, in ssl_wra
_socket
    cnx = OpenSSL.SSL.Connection(ctx, sock)
  File "build\bdist.win-amd64\egg\OpenSSL\SSL.py", line 828, in __init__
    set_result = _lib.SSL_set_fd(self._ssl, _asFileDescriptor(self._socket))
  File "build\bdist.win-amd64\egg\OpenSSL\SSL.py", line 209, in _asFileDescriptor
    raise TypeError("argument must be an int, or have a fileno() method.")
TypeError: argument must be an int, or have a fileno() method.

Should pyOpenSSL warn/error when callers attempt to use EC keys with OpenSSL 0.9.8?

This bit me when using MacPorts on OS X, which comes with OpenSSL 0.9.8 installed. Here's what I did:

% port install openssl pypy virtualenv27
...
% port list openssl
openssl                        @1.0.1g         devel/openssl
% virtualenv-2.7 --python=pypy foo
% ./foo/bin/pip install pyOpenSSL
...

SSL connections would die without fuss from a simple test server when using an EC key pair (e.g., this self-signed test key and crt):

% ./foo/bin/python test.py &
% curl --verbose -k 'https://127.0.0.1:4443/'
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 4443 (#0)
* successfully set certificate verify locations:
*   CAfile: .../share/curl/curl-ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

This didn't happen when using RSA key pairs. With the help of kind folks on #cryptography-dev, I learned that cryptography was linking against the wrong version of OpenSSL:

% ./foo/bin/python -c 'from OpenSSL.SSL import SSLEAY_VERSION, SSLeay_version ; print(SSLeay_version(SSLEAY_VERSION))'
OpenSSL 0.9.8y 5 Feb 2013

There is a fix (i.e., a manual pip install cryptography that forces building against the right version). However, what would have been extremely helpful is if pyOpenSSL (or perhaps cryptography, I don't know the best place) raised an exception to callers who try using EC key pairs with OpenSSL 0.9.8 (where EC is apparently broken).

Document mailing list

I now see that users mailing list was moved.

I have not received any email on [email protected] to announce the move.

Maybe an email should be sent on the old list to inform users to move on the new one.

Also maybe the new README file could include a link to the new mailinglist.

Maybe also update http://sourceforge.net/projects/pyopenssl/ Website link and new bug tracker link http://sourceforge.net/p/pyopenssl/support-requests/?source=navbar

Thanks!

Add API for getting the method of a Context object

Could be that I've missed this in the documentation, but there does not appear to be a way to access the method (as in SSLv23_METHOD) of an already existing context.

I want this for writing tests.

Release

Is it time for a release yet? There's new functionality (like X509Req.get_extensions) that is not currently available in the PyPI version because there have been no releases due to open issues, yet there's only one issue and it's documentation-related.

Please release!

Whence MODE_NO_COMPRESSION?

I can't figure out where MODE_NO_COMPRESSION comes from. I found it in the documentation and that appears to be the only reference in the source.

Upstream documentation appears to not have heard of it either. When I compile against my (current) OpenSSL, I can't find the symbol exported.

OpenSSL Engine support

Is it implemented? Any documentation on how to use it?

Tests generate segmentation fault on RHEL 6

Is this a known issue?

[pyopenssl] sholsapp@sholsapp-ld(~/workspace/pyopenssl) $ python setup.py test
running test
running egg_info
writing requirements to pyOpenSSL.egg-info/requires.txt
writing pyOpenSSL.egg-info/PKG-INFO
writing top-level names to pyOpenSSL.egg-info/top_level.txt
writing dependency_links to pyOpenSSL.egg-info/dependency_links.txt
reading manifest file 'pyOpenSSL.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
warning: no previously-included files matching '*.pyc' found anywhere in distribution
no previously-included directories found matching 'doc/_build'
writing manifest file 'pyOpenSSL.egg-info/SOURCES.txt'
running build_ext
test_add_revoked_keyword (OpenSSL.test.test_crypto.CRLTests) ... ok
test_add_revoked_wrong_args (OpenSSL.test.test_crypto.CRLTests) ... ok
test_construction (OpenSSL.test.test_crypto.CRLTests) ... ok
test_construction_wrong_args (OpenSSL.test.test_crypto.CRLTests) ... ok
test_export (OpenSSL.test.test_crypto.CRLTests) ... ok
test_export_invalid (OpenSSL.test.test_crypto.CRLTests) ... Segmentation fault (core dumped)

[pyopenssl] sholsapp@sholsapp-ld(~/workspace/pyopenssl) $ uname -a
Linux sholsapp-ld 2.6.32-131.4.1.el6.x86_64 #1 SMP Fri Jun 10 10:54:26 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

pyca / pyopenssl Goto Github PK

pyopenssl's Introduction

pyOpenSSL -- A Python wrapper around the OpenSSL library

Discussion

pyopenssl's People

Contributors

Stargazers

Watchers

Forkers

pyopenssl's Issues

Recommend Projects

Recommend Topics

Recommend Org