Skip to main content

[pkg-discuss] Re: removal of M2Crypto

  • From: Erik Trauschke < >
  • To: Brian Cameron < >
  • Cc:
  • Subject: [pkg-discuss] Re: removal of M2Crypto
  • Date: Thu, 27 Jun 2013 15:46:50 -0700

Hi Brian,

I'm going to spend some time on getting these patches into either the upstream code base or into just into userland.

Like I mentioned, some of the features we are looking for have already been added with custom patches by community members, however, these were lying around dormant for quite a while now.

I'm unsure how we should approach this. I can contact the maintainer and offer to do any work required to get them integrated. However, if this doesn't help, how are we going ahead? Are we rewriting the already existing patches from scratch and put them into the userland gate (not too much additional work) or can we just use the available patches and put them in our gate? Do we have to contact the original author for this?

Any info is appreciated.


PS: we probably will also have to run these patches by some of the OpenSSL experts to make sure we are not screwing things up.

On 04/25/13 03:05 PM, Brian Cameron wrote:


This is excellent analysis, and I am glad to hear that migrating away
from M2Crypto in S12 seems doable.  Note that I am keeping track of
Python 3 migration plans here:

I put much of your excellent analysis there, but I would appreciate it
if we could more use the Wiki for sharing of information going forward.

I wonder if it makes sense to file bugs upstream with PyOpenSSL about
the crl.get_next_update(), crl.verify(), and cert.check_ca() issues.
We may find that upstream will help write some of these patches if we
explain the issues to them.


On 04/25/13 04:35 PM, Erik Trauschke wrote:
This is more about putting down some notes about this for future

I've looked a bit into what would actually be necessary to replace
M2Crypto with pyopenssl in the IPS source code.

Turns out that we are not so far away from being able to make this

At the moment the following things in pyopenssl are still lacking:

- crl.get_next_update()
     So far pyopenssl doesn't support expiry of CRLs or retrieval of CRL
expiry dates. Couldn't find a patch for this, either.

- crl.get_issuer()
     There is a patch waiting to get merged into the main code base:

- crl.verify()
     Verify that CRL was signed by trusted CA.
So far there is no patch I could find but we might be able to treat this
as a regular cert for verification (see below)

- cert.verify()
     Verify that cert was signed by trusted CA.
There is a bug and patch available for this one:

- cert.check_ca()
     Check if the current certificate is a proper CA based on
basicConstraints and keyUsage.
This one can be implemented as a small Python function because the
information required for making this determination is available in
pyopenssl. However, it's also pretty simple to add the proper OpenSSL
API call to pyopenssl.

If we target this change to go into S12 I don't see any reason why we
wouldn't be able to do it. Looking at the patches for some of the issues
above it looks fairly simple to add additional interfaces to OpenSSL
into pyopenssl, even if we'd have to do our own patches.


[pkg-discuss] Re: removal of M2Crypto

Erik Trauschke 06/27/2013

Message not available

[pkg-discuss] Re: removal of M2Crypto

Erik Trauschke 06/29/2013
Please Confirm