«

Hello python-list members

Why is the following code snippet throwing an AssertionError? Is that
behavior a bug within X509.X509_Extension_Stack()? How would you suggest
popping every element from the stack?

Regards,
Matthias Güntert

-------------------------------------------------
from M2Crypto import X509

if __name__ == '__main__':
cert_extension_stack = X509.X509_Extension_Stack()

cert_extension_1 = X509.new_extension("basicConstraints",
"CA:FALSE")
cert_extension_1.set_critical()

cert_extension_2 = X509.new_extension("keyUsage", "101000000")
cert_extension_2.set_critical()

cert_extension_3 = X509.new_extension("subjectAlternativeName",
"DNS:www.mydomain.tld")

print cert_extension_stack.push(cert_extension_1)
print cert_extension_stack.push(cert_extension_2)
print cert_extension_stack.push(cert_extension_3)

print cert_extension_stack.pop()
-------------------------------------------------

-------------------------------------------------
Traceback (most recent call last):
File "test.py", line 18, in <module>
print cert_extension_stack.pop()
File "/usr/lib64/python2.6/site-packages/M2Crypto/X509.py", line 159,
in pop
assert len(self.pystack) == 0
AssertionError
1
2
3
-------------------------------------------------

Matthias Güntert wrote:
> Why is the following code snippet throwing an AssertionError? Is that
> behavior a bug within X509.X509_Extension_Stack()? How would you suggest
> popping every element from the stack?
>
> cert_extension_2 = X509.new_extension("keyUsage", "101000000")

Maybe your OpenSSL is too old. keyUsage needs to be defined in OpenSSL
obj_dat.h file for this to work.

> cert_extension_3 = X509.new_extension("subjectAlternativeName",
> "DNS:www.mydomain.tld")

And I believe you mispelled this, try subjectAltName.

With the change in spelling for subjectAltName your test passes for me
using OpenSSL 1.0.0beta3 and M2Crypto 0.20beta with the (still
incomplete) patch to make M2Crypto work with OpenSSL 1.0:
https://bugzilla.osafoundation.org/s...g.cgi?id=12855

--
Heikki Toivonen - http://heikkitoivonen.net

> > cert_extension_2 = X509.new_extension("keyUsage", "101000000")
>
> Maybe your OpenSSL is too old. keyUsage needs to be defined in OpenSSL
> obj_dat.h file for this to work.

I am using OpenSSL version 0.9.8k-fips which is the latest version.

I replaced:
cert_extension_2 = X509.new_extension("keyUsage", "101000000")
with:
cert_extension_2 = X509.new_extension("keyUsage", "keyCertSign,
cRLSign")

which worked for me.

Also I found an easy way to iterate through the extension stack using:

cert = X509.X509()
for e in cert_extension_stack:
cert.add_ext(e)

> > cert_extension_3 = X509.new_extension("subjectAlternativeName",
> > "DNS:www.mydomain.tld")

> And I believe you mispelled this, try subjectAltName.

Changing "subjectAlternativeName" to "subjectAltName" did the trick.

Thank you!