From marco.bizzarri at GMAIL.COM Mon Jan 8 22:18:01 2007
From: marco.bizzarri at GMAIL.COM (Marco Bizzarri)
Date: Mon, 8 Jan 2007 22:18:01 +0100
Subject: [PYTHON-CRYPTO] Missing get0_signers in 0.17 and "header too long:asn1_lib.c" with 0.13 or 0.17 with p7m file
Message-ID: <3f0d61c40701081318q4c8a289bg7cdca8b6409dfa3f@mail.gmail.com>

Hi all. I've two different problems with two files which should be
signed and readable.

The first one is that it looks like the get0_signers method is missing
from the 0.17 of M2Crypto. Is there any problem in this method?
Otherwise, I can try to add it by myself copying from the code of
0.13.

The second one is with a p7m file. I try to do the following on it:

    def _load_pkcs7_bio_der(self, p7_bio):
        p7_ptr = m2.pkcs7_read_bio_der(p7_bio._ptr())
        if p7_ptr is None:
            raise Err.get_error()
        return SMIME.PKCS7(p7_ptr, 1)

    def run(self, file):
        import pdb; pdb.set_trace()
        p7_bio = BIO.MemoryBuffer(file.read())
        try:
            p7 = self._load_pkcs7_bio_der(p7_bio)
        except:
            return []

in the except branch I always get an exception with this file, with
the following exception:

6720:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:

If posting the file to the list is appropriate, I can do it.

Regards
Marco

-- 
Marco Bizzarri
http://iliveinpisa.blogspot.com/

From reitz at INWORKS.DE Thu Jan 11 12:03:56 2007
From: reitz at INWORKS.DE (Andre Reitz)
Date: Thu, 11 Jan 2007 12:03:56 +0100
Subject: [PYTHON-CRYPTO] unsubscribe
Message-ID: <45A6199C.8060502@inworks.de>

-- 
________________________________________________________________________
As a technology and consulting company, we develop and implement
standardized IT solutions for customer and employee management.

With the Intrafox Complaint Manager we offer the standard software for
professional complaint management. More at www.intrafox.de

The Inquery Survey Server is one of the most powerful solutions for
online surveys, e.g. for customer or employee surveys. More at
www.inquery.de
________________________________________________________________________
Inworks GmbH
Andre Reitz, Head of Development
Hörvelsinger Weg 39, D - 89081 Ulm
Tel +49 731 93807-21
Fax +49 731 93807-18
Internet: http://www.inworks.de

From ccx at WEBPROJEKTY.CZ Wed Jan 17 16:31:06 2007
From: ccx at WEBPROJEKTY.CZ (Jan Pobrislo)
Date: Wed, 17 Jan 2007 16:31:06 +0100
Subject: [PYTHON-CRYPTO] Invalid signature
Message-ID: <20070117163106.0i501izxu04k8044@webprojekty.cz>

Hello,
I'm having trouble producing properly signed certificates. Self-signed
(CA) certificates work okay, but when I sign another certificate by CA's
key it doesn't seem to be valid in some applications.
PS: Now I tried it in IE and it reports even the CA to be broken

It works in:
  Firefox/win32 - I'm not sure I didn't force it to use the certificate though
  M2Crypto.X509.X509.verify method reports success

Reports invalid RSA signature:
  Internet Explorer 6
  openssl cli tool
  konqueror
  kmail
  seamonkey / Linux

I'm using m2crypto-0.17 on gentoo linux
Example certificates attached

I do something like this:

from M2Crypto import X509,RSA,EVP
from M2Crypto.ASN1 import *

def generate(self,top):
    top.log("Generating keypair")
    keypair = RSA.gen_key(int(top['bits']),0x10001)
    top.key = EVP.PKey()
    top.key.assign_rsa(keypair)
    top.log("Creating certificate")
    top.cert = X509.X509()
    top.cert.set_pubkey(top.key)
    top.log("Configuring certificate")
    #... Setting validity, DN, Extensions
    top.log("Signing")
    if top.parent:
        #... Setting Issuer DN, Serial number
        if not hasattr(top.parent,'key'):
            self.load(top.parent)
        top.cert.sign(top.parent.key,top['digest'])
    else:
        top.log("Self-signed certificate")
        top.cert.set_issuer_name(self.get_name(top))
        top.cert.sign(top.key,top['digest'])
    #...
then it gets written like this:

def write(self,top):
    top.log("Writing to %s"%top.filesdir)
    top.key.save_key(top.key_filename(),None)
    top.cert.save_pem(top.cert_filename())

You can get whole code at svn://ccx.sh.cvut.cz/generic/xmlca
It's a CA application that automatically generates and distributes SSL
certificates.

Thanks for replies, it's quite urgent

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: webprojekty.cz_cert.pem
Type: application/x-x509-ca-cert
Size: 899 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: apache_cert.pem
Type: application/x-x509-ca-cert
Size: 1863 bytes
Desc: not available
URL:

From marc at PRECIPICE.ORG Mon Jan 22 01:40:45 2007
From: marc at PRECIPICE.ORG (Marc Hedlund)
Date: Sun, 21 Jan 2007 18:40:45 -0600
Subject: [PYTHON-CRYPTO] Building M2Crypto-0.17 on MacOS X
Message-ID:

Hi,

I've been struggling all day to get a working version of M2Crypto-0.17
that I can distribute with an application built on MacOS X, using
py2app. Following all of the instructions in INSTALL, I can build an
extension for i386, but the Universal build fails.
I see this at the end of the build step:

gcc -arch i386 -arch ppc -isysroot /Developer/SDKs/MacOSX10.4u.sdk -g -bundle -undefined dynamic_lookup build/temp.macosx-10.3-fat-2.5/SWIG/_m2crypto_wrap.o -L/usr/local/lib -lssl -lcrypto -o build/lib.macosx-10.3-fat-2.5/M2Crypto/__m2crypto.so
/usr/bin/ld: for architecture ppc
/usr/bin/ld: warning /usr/local/lib/libssl.dylib cputype (7, architecture i386) does not match cputype (18) for specified -arch flag: ppc (file not loaded)
/usr/bin/ld: warning /usr/local/lib/libcrypto.dylib cputype (7, architecture i386) does not match cputype (18) for specified -arch flag: ppc (file not loaded)

I have followed all of the instructions in the INSTALL file (both for
openssl-0.98d and for M2Crypto-0.17). I downloaded and installed the most
recent Xcode release, corrected the openssl Makefiles for the linker
problem, gave a --prefix argument everywhere, and upgraded to Python-2.5.

Any hints or suggestions?

Thanks,
-M

From heikki at OSAFOUNDATION.ORG Mon Jan 22 19:06:42 2007
From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Mon, 22 Jan 2007 10:06:42 -0800
Subject: [PYTHON-CRYPTO] Building M2Crypto-0.17 on MacOS X
In-Reply-To:
References:
Message-ID: <45B4FD32.1090202@osafoundation.org>

Marc Hedlund wrote:
> I've been struggling all day to get a working version of M2Crypto-0.17
> that I can distribute with an application built on MacOS X, using
> py2app. Following all of the instructions in INSTALL, I can build an
> extension for i386, but the Universal build fails.

The only other thing to check would be that you have swig 1.3.24 or
later, but I doubt this is your issue. Also, if you use any stuff built
by Apple (openssl for instance), it can be hard getting things to work
as Apple seems to build things with unusual options, and occasionally
new OS updates change how things were built...

I have personally not even tried building universal binaries, but I do
build successful ppc and intel bits on the Mac.
-- 
  Heikki Toivonen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 254 bytes
Desc: OpenPGP digital signature
URL:

From martin at PALJAK.PRI.EE Mon Jan 22 19:14:11 2007
From: martin at PALJAK.PRI.EE (Martin Paljak)
Date: Mon, 22 Jan 2007 20:14:11 +0200
Subject: [PYTHON-CRYPTO] Building M2Crypto-0.17 on MacOS X
In-Reply-To: <45B4FD32.1090202@osafoundation.org>
References: <45B4FD32.1090202@osafoundation.org>
Message-ID: <02D9FC0D-1F50-4973-9322-3C0D0A65EA72@paljak.pri.ee>

Hi,

I have, and there was even a small patch for that. Not sure what is the
problem for you though. I did build against a custom openssl as well. If
you look at older revisions of setup.py maybe you find the missing piece.
svn log tells me:

------------------------------------------------------------------------
r436 | heikki | 2006-05-04 00:51:07 +0300 (Thu, 04 May 2006) | 2 lines

Commenting out the search_paths_first trick for now because it breaks
at least Cygwin.
------------------------------------------------------------------------
r434 | heikki | 2006-05-03 00:39:28 +0300 (Wed, 03 May 2006) | 2 lines

According to Martin Paljak, latest darwin universal Python requires
-Wl,-search_paths_first extra link args.

On 22.01.2007, at 20:06, Heikki Toivonen wrote:

> Marc Hedlund wrote:
>> I've been struggling all day to get a working version of
>> M2Crypto-0.17
>> that I can distribute with an application built on MacOS X, using
>> py2app. Following all of the instructions in INSTALL, I can build an
>> extension for i386, but the Universal build fails.
>
> The only other thing to check would be that you have swig 1.3.24 or
> later, but I doubt this is your issue. Also, if you use any stuff
> built
> by Apple (openssl for instance), it can be hard getting things to work
> as Apple seems to build things with unusual options, and occasionally
> new OS updates change how things were built...
>
> I have personally not even tried building universal binaries, but I do
> build successful ppc and intel bits on the Mac.
>
> -- 
>   Heikki Toivonen
>
>

-- 
Martin Paljak

From heikki at OSAFOUNDATION.ORG Mon Jan 22 20:04:43 2007
From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Mon, 22 Jan 2007 11:04:43 -0800
Subject: [PYTHON-CRYPTO] Building M2Crypto-0.17 on MacOS X
In-Reply-To: <02D9FC0D-1F50-4973-9322-3C0D0A65EA72@paljak.pri.ee>
References: <45B4FD32.1090202@osafoundation.org> <02D9FC0D-1F50-4973-9322-3C0D0A65EA72@paljak.pri.ee>
Message-ID: <45B50ACB.7010308@osafoundation.org>

Martin Paljak wrote:
> Hi,
>
> I have, and there was even a small patch for that. Not sure what is the
> problem for you though. I did build against a custom openssl as well. If
> you look at older revisions of setup.py maybe you find the missing piece.
> svn log tells me:

Darn, I had completely forgotten that. The line is still in setup.py, so
you should be good just by uncommenting it. I added a comment there and
mentioned it in the INSTALL document, so should be good for 0.18.

Of course, even better if someone went and figured a solution that did
not require changing any code.

-- 
  Heikki Toivonen

From marc at PRECIPICE.ORG Mon Jan 22 20:13:55 2007
From: marc at PRECIPICE.ORG (Marc Hedlund)
Date: Mon, 22 Jan 2007 13:13:55 -0600
Subject: [PYTHON-CRYPTO] Building M2Crypto-0.17 on MacOS X
In-Reply-To: <45B50ACB.7010308@osafoundation.org>
References: <45B4FD32.1090202@osafoundation.org> <02D9FC0D-1F50-4973-9322-3C0D0A65EA72@paljak.pri.ee> <45B50ACB.7010308@osafoundation.org>
Message-ID:

I believe I tried that, but I'll give it another go. Thanks for the
suggestions.

-M

On Mon, 22 Jan 2007, Heikki Toivonen wrote:

> Martin Paljak wrote:
>> Hi,
>>
>> I have, and there was even a small patch for that.
>> Not sure what is the
>> problem for you though. I did build against a custom openssl as well. If
>> you look at older revisions of setup.py maybe you find the missing piece.
>> svn log tells me:
>
> Darn, I had completely forgotten that. The line is still in setup.py, so
> you should be good just by uncommenting it. I added a comment there and
> mentioned it in the INSTALL document, so should be good for 0.18.
>
> Of course, even better if someone went and figured a solution that did
> not require changing any code.
>
> -- 
>  Heikki Toivonen
>
>
>

From m.bizzarri at ICUBE.IT Mon Jan 22 20:36:16 2007
From: m.bizzarri at ICUBE.IT (Marco Bizzarri)
Date: Mon, 22 Jan 2007 20:36:16 +0100
Subject: [PYTHON-CRYPTO] Missing get0_signers in 0.17 and "header too long:asn1_lib.c" with 0.13 or 0.17 with p7m file
In-Reply-To: <3f0d61c40701081318q4c8a289bg7cdca8b6409dfa3f@mail.gmail.com>
References: <3f0d61c40701081318q4c8a289bg7cdca8b6409dfa3f@mail.gmail.com>
Message-ID: <45B51230.8060009@icube.it>

I'm sorry to post again on this topic. Reading from the changelog in
0.17 I understand get0_signer has been removed since its implementation
was wrong. Is there any plan to re-add it soon? Otherwise, could someone
provide hints on how it should be reimplemented in order to obtain a
proper behaviour and not crashing python anymore?

Regards
Marco

Marco Bizzarri wrote:
> Hi all. I've two different problems with two files which should be
> signed and readable.
>
> The first one is that it looks like the get0_signers method is missing
> from the 0.17 of M2Crypto. Is there any problem in this method?
> Otherwise, I can try to add it by myself copying from the code of
> 0.13.
>
> The second one is with a p7m file.
> I try to do the following on it:
>
>     def _load_pkcs7_bio_der(self, p7_bio):
>         p7_ptr = m2.pkcs7_read_bio_der(p7_bio._ptr())
>         if p7_ptr is None:
>             raise Err.get_error()
>         return SMIME.PKCS7(p7_ptr, 1)
>
>     def run(self, file):
>         import pdb; pdb.set_trace()
>         p7_bio = BIO.MemoryBuffer(file.read())
>         try:
>             p7 = self._load_pkcs7_bio_der(p7_bio)
>         except:
>             return []
>
> in the except branch I always get an exception with this file, with
> the following exception:
>
> 6720:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too
> long:asn1_lib.c:150:
>
> If posting the file to the list is appropriate, I can do it.
>
> Regards
> Marco
>

From heikki at OSAFOUNDATION.ORG Mon Jan 22 21:46:24 2007
From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Mon, 22 Jan 2007 12:46:24 -0800
Subject: [PYTHON-CRYPTO] Missing get0_signers in 0.17 and "header too long:asn1_lib.c" with 0.13 or 0.17 with p7m file
In-Reply-To: <45B51230.8060009@icube.it>
References: <3f0d61c40701081318q4c8a289bg7cdca8b6409dfa3f@mail.gmail.com> <45B51230.8060009@icube.it>
Message-ID: <45B522A0.5050209@osafoundation.org>

Marco Bizzarri wrote:
> I'm sorry to post again on this topic. Reading from the changelog in
> 0.17 I understand get0_signer has been removed since its implementation
> was wrong. Is there any plan to re-add it soon? Otherwise, could someone
> provide hints on how it should be reimplemented in order to obtain a
> proper behaviour and not crashing python anymore?

I did some experimenting and here is how it's looking currently:

I can make the code work by not freeing the returned X509 stack.
However, this almost certainly makes the code leak memory.

The problem with the free seems to be that we should be freeing the
stack, but not the entries in the stack. Unfortunately the freeing
function frees both. Maybe there is another version that only frees the
stack?

I haven't checked everything yet, but I can't spend more time on this at
the moment.
-- 
  Heikki Toivonen

From m.bizzarri at ICUBE.IT Tue Jan 23 07:44:20 2007
From: m.bizzarri at ICUBE.IT (Marco Bizzarri)
Date: Tue, 23 Jan 2007 07:44:20 +0100
Subject: [PYTHON-CRYPTO] Missing get0_signers in 0.17 and "header too long:asn1_lib.c" with 0.13 or 0.17 with p7m file
In-Reply-To: <45B522A0.5050209@osafoundation.org>
References: <3f0d61c40701081318q4c8a289bg7cdca8b6409dfa3f@mail.gmail.com> <45B51230.8060009@icube.it> <45B522A0.5050209@osafoundation.org>
Message-ID: <45B5AEC4.2040008@icube.it>

Heikki Toivonen wrote:
> Marco Bizzarri wrote:
>
>> I'm sorry to post again on this topic. Reading from the changelog in
>> 0.17 I understand get0_signer has been removed since its implementation
>> was wrong. Is there any plan to re-add it soon? Otherwise, could someone
>> provide hints on how it should be reimplemented in order to obtain a
>> proper behaviour and not crashing python anymore?
>>
>
> I did some experimenting and here is how it's looking currently:
>
> I can make the code work by not freeing the returned X509 stack.
> However, this almost certainly makes the code leak memory.
>
> The problem with the free seems to be that we should be freeing the
> stack, but not the entries in the stack. Unfortunately the freeing
> function frees both. Maybe there is another version that only frees the
> stack?
>
> I haven't checked everything yet, but I can't spend more time on this at
> the moment

Can you only post the code on the ML or send it to me?

I will try to investigate starting from there...

Thanks for your support.
Regards
Marco

From heikki at OSAFOUNDATION.ORG Tue Jan 23 19:08:58 2007
From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Tue, 23 Jan 2007 10:08:58 -0800
Subject: [PYTHON-CRYPTO] Missing get0_signers in 0.17 and "header too long:asn1_lib.c" with 0.13 or 0.17 with p7m file
In-Reply-To: <45B5AEC4.2040008@icube.it>
References: <3f0d61c40701081318q4c8a289bg7cdca8b6409dfa3f@mail.gmail.com> <45B51230.8060009@icube.it> <45B522A0.5050209@osafoundation.org> <45B5AEC4.2040008@icube.it>
Message-ID: <45B64F3A.90202@osafoundation.org>

Marco Bizzarri wrote:
> Heikki Toivonen wrote:
>> I haven't checked everything yet, but I can't spend more time on this at
>> the moment
> Can you only post the code on the ML or send it to me?
>
> I will try to investigate starting from there...

See https://bugzilla.osafoundation.org/show_bug.cgi?id=7795

-- 
  Heikki Toivonen

From marc at PRECIPICE.ORG Wed Jan 31 04:22:32 2007
From: marc at PRECIPICE.ORG (Marc Hedlund)
Date: Tue, 30 Jan 2007 21:22:32 -0600
Subject: [PYTHON-CRYPTO] Building M2Crypto-0.17 on MacOS X
In-Reply-To:
References: <45B4FD32.1090202@osafoundation.org> <02D9FC0D-1F50-4973-9322-3C0D0A65EA72@paljak.pri.ee> <45B50ACB.7010308@osafoundation.org>
Message-ID:

This (building M2Crypto-0.17 Universal on MacOS X) was a big pain, so here
are my notes on it:

First, download OpenSSL 0.9.8d and unpack it. Edit the OpenSSL Makefiles
per PROBLEMS.
Then:

   ./config no-shared no-asm --prefix=/usr/local
   make
   make test
   sudo make install
   make clean
   ./Configure no-shared no-asm --prefix=/usr/local darwin-ppc-cc
   make build_libs "CC=cc -arch ppc"
   lipo -info lib*
   mkdir -p build/ppc
   mv lib* build/ppc
   make clean
   ./Configure no-shared no-asm --prefix=/usr/local darwin-i386-cc
   make build_libs "CC=cc -arch i386"
   lipo -info lib*
   mkdir -p build/i386
   mv lib* build/i386/
   /bin/ls -1 build/i386/ > libnames.tmp
   mkdir universal

Create a script in the OpenSSL directory called 'make_universal', with
these contents:

   #!/bin/sh
   for lib in `cat libnames.tmp`; do
       lipo -create build/*/$lib -output universal/$lib
   done
   exit 0

Then:

   sh make_universal
   lipo -info universal/lib*
   sudo cp universal/lib* /usr/local/lib
   lipo -info /usr/local/lib/lib{crypto,ssl}*
   cd ../m2crypto-0.17

Then edit the m2crypto setup.py and uncomment the extra_link_args line at
the end.

   python setup.py build --openssl=/usr/local
   sudo python setup.py install --openssl=/usr/local

I'm happy to contribute a built, zipped mpkg installer (statically linked)
if that's desirable.

Thanks to everyone who gave suggestions.

-M
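
Added example (not part of any message in this archive, and not M2Crypto code): the "header too long" error quoted in the first message comes from OpenSSL's ASN.1 header parser (ASN1_get_object), so a first check on a .p7m file is whether its bytes are raw DER at all, or PEM/base64 text. The function names and the sample bytes below are constructed for illustration.

```python
import base64
import binascii

def der_header(data: bytes):
    """Parse the outer tag/length octets; return (tag, header_len, content_len)."""
    if len(data) < 2:
        raise ValueError("fewer than 2 bytes")
    tag, first = data[0], data[1]
    if first < 0x80:                      # short form: length fits in one octet
        return tag, 2, first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0:
        raise ValueError("indefinite length (BER streaming form, not DER)")
    if n > 4 or len(data) < 2 + n:
        raise ValueError("length octets oversized or truncated")
    return tag, 2 + n, int.from_bytes(data[2:2 + n], "big")

def looks_like_der_sequence(data: bytes) -> bool:
    """True if data starts with a SEQUENCE (0x30) whose length fits the buffer."""
    try:
        tag, hlen, clen = der_header(data)
    except ValueError:
        return False
    return tag == 0x30 and hlen + clen <= len(data)

def classify_p7m(data: bytes) -> str:
    """Return 'der', 'pem', 'base64' or 'unknown' for the bytes of a .p7m file."""
    text = data.strip()
    if text.startswith(b"-----BEGIN"):
        return "pem"
    if looks_like_der_sequence(data):
        return "der"
    try:
        # Bare base64 (no PEM armour): drop line breaks, then decode strictly.
        decoded = base64.b64decode(b"".join(text.split()), validate=True)
    except binascii.Error:
        return "unknown"
    return "base64" if looks_like_der_sequence(decoded) else "unknown"

# Constructed sample: a SEQUENCE header followed by a 128-byte body of zeros.
# It has the outer shape of a DER blob but is not a real PKCS#7 structure.
SAMPLE_DER = bytes([0x30, 0x81, 0x80]) + bytes(128)
SAMPLE_B64 = base64.encodebytes(SAMPLE_DER)
SAMPLE_PEM = b"-----BEGIN PKCS7-----\n" + SAMPLE_B64 + b"-----END PKCS7-----\n"

if __name__ == "__main__":
    for name, blob in [("der", SAMPLE_DER), ("base64", SAMPLE_B64),
                       ("pem", SAMPLE_PEM), ("text", b"not a signature")]:
        print(name, "->", classify_p7m(blob))
```

A result of 'pem' or 'base64' means the file has to be decoded to raw DER before it is handed to m2.pkcs7_read_bio_der.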