Searching our history I don't believe we've ever bound X509_STORE_set_purpose. Did this work in a previous version of cryptography and has only recently stopped?
In general, cryptography does not bind all of OpenSSL, only the functions, macros, and constants we need to expose our APIs. We have one consumer that we officially support which uses the bindings directly (pyOpenSSL), but otherwise we consider the bindings to be private API surface and will add/remove as needed to support various versions of OpenSSL. If cryptography is lacking public APIs for your use case please consider filing an issue and helping design/implement those APIs with us. Years of experience with maintaining our bindings across dozens of OpenSSL versions and various forks has taught us that we can't reliably support random bindings we don't use ourselves.

-Paul

On Sat, Jul 31, 2021 at 6:38 AM Dirk-Willem van Gulik <di...@webweaving.org> wrote:
>
> Could it be that somehow in (in the latest build) - X509_STORE_set_purpose
> and associated #defines are missing?
>
> In below - things work fine up until lib.X509_STORE_set_purpose() - but that
> call gives me a:
>
>     AttributeError: cffi library '_openssl' has no function, constant or global variable named 'X509_STORE_set_purpose'
>
> With kind regards,
>
> Dw
>
>     # Create the pkcs7 object
>     pkcs7_object = lib.d2i_PKCS7_bio(bio.bio, ffi.NULL)
>
>     # We're not passing any untrusted certificates, the chain should
>     # complete, up to, but not including the CA cert, in the CMS package.
>     #
>     other = lib.sk_X509_new_null()
>     binding._openssl_assert(lib, other != ffi.NULL)
>
>     # We are providing exactly one certificate - that of the certificate
>     # authority - as trusted. It has to be signed by this national root.
>     #
>     store = lib.X509_STORE_new()
>     lib.X509_STORE_add_cert(store, certificate._x509)  # type: ignore
>
>     # As we're using certificates somewhat off-label; we need to relax
>     # the purpose verification. This is the equivalent of the -purpose any
>     # flag in:
>     #     openssl smime -verify -inform DER -content payload.raw \
>     #         -CAfile ca.pem -in signature.p7 -purpose any
>     lib.X509_STORE_set_purpose(store, 7)  # X509_PURPOSE_ANY
>
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev@python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
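
As an added illustration (not code from this thread or from the cryptography project): one way to avoid depending on a private binding is to probe for it and otherwise run the `openssl smime -verify ... -purpose any` command quoted above. The function names `has_private_binding`, `smime_verify_argv` and `verify_detached` are hypothetical, and an `openssl` binary on `PATH` is assumed.

```python
import subprocess
import tempfile
from pathlib import Path


def has_private_binding(name):
    """True if cryptography's private cffi library exposes `name`."""
    try:
        from cryptography.hazmat.bindings.openssl.binding import Binding
    except ImportError:  # cryptography is not installed
        return False
    # cffi raises AttributeError for unbound names, so hasattr() is a safe probe.
    return hasattr(Binding().lib, name)


def smime_verify_argv(payload, ca_file, signature, openssl_bin="openssl"):
    """The command line quoted in the thread, as an argv list (no shell)."""
    return [openssl_bin, "smime", "-verify", "-inform", "DER",
            "-content", str(payload), "-CAfile", str(ca_file),
            "-in", str(signature), "-purpose", "any"]


def verify_detached(payload, signature_der, ca_pem, openssl_bin="openssl"):
    """Return True only if the CLI exits 0 (verification succeeded).

    All three inputs are bytes; they are written to a private temp directory
    under the file names used in the quoted command.
    """
    with tempfile.TemporaryDirectory() as tmp:
        files = {"payload.raw": payload,
                 "signature.p7": signature_der,
                 "ca.pem": ca_pem}
        for fname, data in files.items():
            (Path(tmp) / fname).write_bytes(data)
        argv = smime_verify_argv(Path(tmp) / "payload.raw",
                                 Path(tmp) / "ca.pem",
                                 Path(tmp) / "signature.p7",
                                 openssl_bin)
        # Discard the recovered content; only the exit status is used.
        proc = subprocess.run(argv, stdout=subprocess.DEVNULL,
                              stderr=subprocess.PIPE, timeout=30)
    return proc.returncode == 0
```

A caller would check `has_private_binding("X509_STORE_set_purpose")` first and use `verify_detached` when it returns False.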