Re: [Cryptography-dev] X509_STORE_set_purpose() missing

2021-07-31 Thread Dirk-Willem van Gulik
No trouble - filed as https://github.com/pyca/pyopenssl/issues/1031

I guess that, given how common this is, the easiest may actually be to have an 
extra flag to verify, with the purpose (or all the flags), as that covers most 
cases.

Dw.

> On 31 Jul 2021, at 14:27, Paul Kehrer  wrote:
> 
> Searching our history I don't believe we've ever bound
> X509_STORE_set_purpose. Did this work in a previous version of
> cryptography and has only recently stopped?
> 
> In general, cryptography does not bind all of OpenSSL, only the
> functions, macros, and constants we need to expose our APIs. We have
> one consumer that we officially support which uses the bindings
> directly (pyOpenSSL), but otherwise we consider the bindings to be
> private API surface and will add/remove as needed to support various
> versions of OpenSSL.
> 
> If cryptography is lacking public APIs for your use case please
> consider filing an issue and helping design/implement those APIs with
> us. Years of experience with maintaining our bindings across dozens of
> OpenSSL versions and various forks has taught us that we can't
> reliably support random bindings we don't use ourselves.
> 
> -Paul
> 
> On Sat, Jul 31, 2021 at 6:38 AM Dirk-Willem van Gulik
>  wrote:
>> 
>> Could it be that somehow (in the latest build) X509_STORE_set_purpose 
>> and the associated #defines are missing?
>> 
>> In the code below, things work fine up until lib.X509_STORE_set_purpose(), but 
>> that call gives me:
>> 
>>    AttributeError: cffi library '_openssl' has no function, constant or 
>>    global variable named 'X509_STORE_set_purpose'
>> 
>> With kind regards,
>> 
>> Dw
>> 
>>    # Create the pkcs7 object
>>    pkcs7_object = lib.d2i_PKCS7_bio(bio.bio, ffi.NULL)
>> 
>>    # We're not passing any untrusted certificates, the chain should
>>    # complete, up to, but not including the CA cert, in the CMS package.
>>    #
>>    other = lib.sk_X509_new_null()
>>    binding._openssl_assert(lib, other != ffi.NULL)
>> 
>>    # We are providing exactly one certificate - that of the certificate
>>    # authority - as trusted. It has to be signed by this national root.
>>    #
>>    store = lib.X509_STORE_new()
>>    lib.X509_STORE_add_cert(store, certificate._x509) # type: ignore
>> 
>>    # As we're using certificates somewhat off-label; we need to relax
>>    # the purpose verification. This is the equivalent of the -purpose any
>>    # flag in:
>>    # openssl smime -verify -inform DER -content payload.raw \
>>    #  -CAfile ca.pem -in signature.p7 -purpose any
>>    lib.X509_STORE_set_purpose(store, 7) # X509_PURPOSE_ANY
>> 

___
Cryptography-dev mailing list
Cryptography-dev@python.org
https://mail.python.org/mailman/listinfo/cryptography-dev
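To make concrete what `-purpose any` (X509_PURPOSE_ANY) relaxes in the code quoted above, and what it does not, here is an added example that is not code from the thread, from pyOpenSSL or from pyca/cryptography. It transcribes, in simplified form and using only cryptography's public X.509 API, the logic of OpenSSL's check_purpose_smime_sign(), check_ca() and check_chain_extensions(): an end-entity certificate whose extendedKeyUsage lacks emailProtection (the "off-label" case) fails the default S/MIME-signing purpose and passes only with purpose "any", while an issuer that is not a CA is rejected under every purpose, "any" included. The nsCertType workarounds, the acceptance of v1 self-signed roots, proxy certificates and path-length checks are deliberately left out. All certificates and key material are generated in-process for the example; the function and certificate names are the example's own.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _ext(cert, cls):
    """Extension value of type `cls`, or None when the cert lacks it."""
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None


def looks_like_ca(cert):
    """Simplified OpenSSL check_ca(): keyUsage, if present, must allow
    keyCertSign, and basicConstraints must be present and say CA."""
    ku = _ext(cert, x509.KeyUsage)
    if ku is not None and not ku.key_cert_sign:
        return False
    bc = _ext(cert, x509.BasicConstraints)
    return bc is not None and bc.ca


def smime_sign_purpose_ok(cert, require_ca):
    """Simplified OpenSSL check_purpose_smime_sign(): EKU, if present, must
    contain emailProtection; issuers must be CAs; the end entity's keyUsage,
    if present, must include digitalSignature or nonRepudiation."""
    eku = _ext(cert, x509.ExtendedKeyUsage)
    if eku is not None and ExtendedKeyUsageOID.EMAIL_PROTECTION not in eku:
        return False
    if require_ca:
        return looks_like_ca(cert)
    ku = _ext(cert, x509.KeyUsage)
    return ku is None or ku.digital_signature or ku.content_commitment


def any_purpose_ok(cert, require_ca):
    """X509_PURPOSE_ANY: no purpose-specific constraint at all."""
    return True


PURPOSES = {"smimesign": smime_sign_purpose_ok, "any": any_purpose_ok}


def chain_extensions_ok(chain, purpose):
    """Simplified OpenSSL check_chain_extensions(). chain[0] is the end
    entity, chain[1:] its issuers up to the trust anchor. Every issuer must
    be a CA whatever the purpose; the purpose check then runs on each cert,
    with require_ca set for everything but the leaf."""
    check = PURPOSES[purpose]
    for depth, cert in enumerate(chain):
        require_ca = depth > 0
        if require_ca and not looks_like_ca(cert):
            return False  # what OpenSSL reports as X509_V_ERR_INVALID_CA
        if not check(cert, require_ca):
            return False  # what OpenSSL reports as X509_V_ERR_INVALID_PURPOSE
    return True


# --- constructed test material: hypothetical names, keys generated in-process ---

def _key_usage(**flags):
    names = ("digital_signature", "content_commitment", "key_encipherment",
             "data_encipherment", "key_agreement", "key_cert_sign",
             "crl_sign", "encipher_only", "decipher_only")
    return x509.KeyUsage(**{n: flags.get(n, False) for n in names})


def _cert(cn, issuer_cert, issuer_key, key, *, ca, ku, eku=None):
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer)
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(minutes=5))
         .not_valid_after(now + timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
         .add_extension(ku, critical=True))
    if eku is not None:
        b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return b.sign(issuer_key, hashes.SHA256())


CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA = _cert("Example Root (constructed)", None, CA_KEY, CA_KEY, ca=True,
           ku=_key_usage(key_cert_sign=True, crl_sign=True))

# A regular S/MIME signer: accepted under both smimesign and any.
SIGNER_EMAIL = _cert("mail signer", CA, CA_KEY, ec.generate_private_key(ec.SECP256R1()),
                     ca=False, ku=_key_usage(digital_signature=True),
                     eku=[ExtendedKeyUsageOID.EMAIL_PROTECTION])

# The off-label case: EKU is clientAuth only, so smimesign rejects it and
# only purpose any lets a CMS signature made with it verify.
SIGNER_OFFLABEL = _cert("device signer", CA, CA_KEY, ec.generate_private_key(ec.SECP256R1()),
                        ca=False, ku=_key_usage(digital_signature=True),
                        eku=[ExtendedKeyUsageOID.CLIENT_AUTH])

if __name__ == "__main__":
    for purpose in PURPOSES:
        for name, leaf in (("email", SIGNER_EMAIL), ("off-label", SIGNER_OFFLABEL)):
            print(purpose, name, chain_extensions_ok([leaf, CA], purpose))
```

The point worth keeping in mind when reaching for purpose "any" is the second rule in chain_extensions_ok: it drops the EKU and keyUsage constraints on the signer, but the requirement that every issuer in the chain carries CA basic constraints (and keyCertSign, if keyUsage is present) is enforced by the verifier independently of the purpose, so a trust anchor that is not itself a proper CA certificate will still fail.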


Re: [Cryptography-dev] X509_STORE_set_purpose() missing

2021-07-31 Thread Paul Kehrer
Searching our history I don't believe we've ever bound
X509_STORE_set_purpose. Did this work in a previous version of
cryptography and has only recently stopped?

In general, cryptography does not bind all of OpenSSL, only the
functions, macros, and constants we need to expose our APIs. We have
one consumer that we officially support which uses the bindings
directly (pyOpenSSL), but otherwise we consider the bindings to be
private API surface and will add/remove as needed to support various
versions of OpenSSL.

If cryptography is lacking public APIs for your use case please
consider filing an issue and helping design/implement those APIs with
us. Years of experience with maintaining our bindings across dozens of
OpenSSL versions and various forks has taught us that we can't
reliably support random bindings we don't use ourselves.

-Paul

On Sat, Jul 31, 2021 at 6:38 AM Dirk-Willem van Gulik
 wrote:
>
> Could it be that somehow (in the latest build) X509_STORE_set_purpose 
> and the associated #defines are missing?
>
> In the code below, things work fine up until lib.X509_STORE_set_purpose(), but 
> that call gives me:
>
>     AttributeError: cffi library '_openssl' has no function, constant or 
>     global variable named 'X509_STORE_set_purpose'
>
> With kind regards,
>
> Dw
>
>     # Create the pkcs7 object
>     pkcs7_object = lib.d2i_PKCS7_bio(bio.bio, ffi.NULL)
>
>     # We're not passing any untrusted certificates, the chain should
>     # complete, up to, but not including the CA cert, in the CMS package.
>     #
>     other = lib.sk_X509_new_null()
>     binding._openssl_assert(lib, other != ffi.NULL)
>
>     # We are providing exactly one certificate - that of the certificate
>     # authority - as trusted. It has to be signed by this national root.
>     #
>     store = lib.X509_STORE_new()
>     lib.X509_STORE_add_cert(store, certificate._x509) # type: ignore
>
>     # As we're using certificates somewhat off-label; we need to relax
>     # the purpose verification. This is the equivalent of the -purpose any
>     # flag in:
>     # openssl smime -verify -inform DER -content payload.raw \
>     #  -CAfile ca.pem -in signature.p7 -purpose any
>     lib.X509_STORE_set_purpose(store, 7) # X509_PURPOSE_ANY