No trouble - filed as https://github.com/pyca/pyopenssl/issues/1031

I guess that given how common this is - the easiest may actually be to have an 
extra flag to verify - with the purpose (or all the flags), as that covers most 
cases.

Dw.

> On 31 Jul 2021, at 14:27, Paul Kehrer <paul.l.keh...@gmail.com> wrote:
> 
> Searching our history I don't believe we've ever bound
> X509_STORE_set_purpose. Did this work in a previous version of
> cryptography and has only recently stopped?
> 
> In general, cryptography does not bind all of OpenSSL, only the
> functions, macros, and constants we need to expose our APIs. We have
> one consumer that we officially support which uses the bindings
> directly (pyOpenSSL), but otherwise we consider the bindings to be
> private API surface and will add/remove as needed to support various
> versions of OpenSSL.
> 
> If cryptography is lacking public APIs for your use case please
> consider filing an issue and helping design/implement those APIs with
> us. Years of experience with maintaining our bindings across dozens of
> OpenSSL versions and various forks has taught us that we can't
> reliably support random bindings we don't use ourselves.
> 
> -Paul
> 
> On Sat, Jul 31, 2021 at 6:38 AM Dirk-Willem van Gulik
> <di...@webweaving.org> wrote:
>> 
>> Could it be that somehow (in the latest build) X509_STORE_set_purpose 
>> and associated #defines are missing?
>> 
>> In below - things work fine up until lib.X509_STORE_set_purpose() - but that 
>> call gives me a:
>> 
>>    AttributeError: cffi library '_openssl' has no function, constant or 
>> global variable named 'X509_STORE_set_purpose'
>> 
>> With kind regards,
>> 
>> Dw
>> 
>>    # Create the pkcs7 object
>>    pkcs7_object = lib.d2i_PKCS7_bio(bio.bio, ffi.NULL)
>> 
>>    # We're not passing any untrusted certificates, the chain should
>>    # complete, up to, but not including the CA cert, in the CMS package.
>>    #
>>    other = lib.sk_X509_new_null()
>>    binding._openssl_assert(lib, other != ffi.NULL)
>> 
>>    # We are providing exactly one certificate - that of the certificate
>>    # authority - as trusted. It has to be signed by this national root.
>>    #
>>    store = lib.X509_STORE_new()
>>    lib.X509_STORE_add_cert(store, certificate._x509) # type: ignore
>> 
>>    # As we're using certificates somewhat off-label; we need to relax
>>    # the purpose verification. This is the equivalent of the -purpose any
>>    # flag in:
>>    # openssl smime -verify -inform DER -content payload.raw \
>>    #      -CAfile ca.pem -in signature.p7 -purpose any
>>    lib.X509_STORE_set_purpose(store, 7) # X509_PURPOSE_ANY
>> 
>> _______________________________________________
>> Cryptography-dev mailing list
>> Cryptography-dev@python.org
>> https://mail.python.org/mailman/listinfo/cryptography-dev

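The verification the original post drives through the bindings (a detached DER signature checked against a single trusted CA, with the default S/MIME purpose check relaxed via -purpose any), reproduced as a shell demonstration that is not part of this thread: it constructs its own throwaway CA, signer certificate and payload, and assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Constructed demo, not code from the thread: build a throwaway CA and a signer
# certificate whose extendedKeyUsage (clientAuth only) does not cover S/MIME
# signing, make a detached DER signature, then verify it with the default
# "smimesign" purpose check and with -purpose any.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway CA (stands in for the "national root" of the original post).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
    -keyout ca.key -out ca.csr 2>/dev/null
openssl x509 -req -in ca.csr -signkey ca.key -days 2 -extfile ca.ext \
    -out ca.pem 2>/dev/null

# Signer certificate: digitalSignature, but EKU clientAuth only (no emailProtection).
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > ee.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo signer" \
    -keyout ee.key -out ee.csr 2>/dev/null
openssl x509 -req -in ee.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 1 \
    -extfile ee.ext -out ee.pem 2>/dev/null

# Payload and detached DER signature: the signer cert is embedded, the CA cert is
# not, so the verifier must complete the chain from -CAfile, as in the thread.
printf 'payload bytes' > payload.raw
openssl smime -sign -binary -in payload.raw -signer ee.pem -inkey ee.key \
    -outform DER -out signature.p7 2>/dev/null

# verify_purpose NAME: "default" leaves openssl's built-in smimesign purpose check
# in place; any other NAME is passed through as -purpose NAME. Prints ok or fail.
verify_purpose() {
    purpose_opt=""
    [ "$1" = default ] || purpose_opt="-purpose $1"
    if openssl smime -verify -inform DER -content payload.raw -CAfile ca.pem \
            -in signature.p7 $purpose_opt -out /dev/null 2>/dev/null; then
        echo ok
    else
        echo fail
    fi
}

echo "default purpose (smimesign): $(verify_purpose default)"  # fail: EKU lacks emailProtection
echo "-purpose any:                $(verify_purpose any)"      # ok: purpose check relaxed
```

The first verification fails with "unsupported certificate purpose" because the signer's EKU does not include emailProtection; the second passes, which is exactly the relaxation X509_STORE_set_purpose(store, X509_PURPOSE_ANY) was meant to apply through the bindings.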