[Openstack-security] [Anchor] Almost security-impact review - getting rid of openssl

Pitucha, Stanislaw Izaak stanislaw.pitucha at hp.com
Tue Aug 11 00:53:58 UTC 2015


Just to follow up - the patch is now complete and ready for reviews at https://review.openstack.org/204368
It does not use pycrypto after all but cryptography.io, and only for the actual crypto; certificate parsing / modifications use pyasn1.

This enabled DSA in addition to RSA. Other signatures will also be available soon.
Overall, I think the change was even better than I originally expected. While openssl is still accessed, it's only via a small part of cryptography.io. It's also not used for any of the user input.

Best Regards,
Stanisław Pitucha

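The message above describes the design Anchor ended up with: the certificate/CSR bytes are parsed and modified directly with pyasn1, and openssl is reached only through a small part of cryptography.io for the actual crypto, never for user input. As an added illustration of what "operating directly on the ASN.1" buys over scraping text from the openssl command line, here is a small strict DER walker that extracts the attributes of an X.509 Name. This is example code written for this page, not Anchor's code and not pyasn1; the sample Name bytes, the `_enc` encoder used to build them and the `rejects` helper are constructed here.

```python
"""Strict DER walker for an X.509 Name. Added example, not Anchor's code or pyasn1. Every
length is bounds-checked against its enclosing element, so truncated, BER-only or junk-padded input raises DerError."""
from collections import namedtuple

UNIVERSAL, CONSTRUCTED = 0, 0x20           # tag class 0 and the constructed bit
SEQUENCE, SET, OID, UTF8STRING, PRINTABLESTRING = 0x10, 0x11, 0x06, 0x0C, 0x13
Node = namedtuple("Node", "cls tag constructed value children")  # cls = tag class bits, value = content octets

class DerError(ValueError):
    """Any encoding this walker refuses: truncation, BER-only forms, trailing junk."""

def _read_length(buf, pos, limit):
    """Decode a DER length; reject indefinite (BER) and non-minimal long forms."""
    if pos >= limit:
        raise DerError("truncated length")
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + nbytes > limit:
        raise DerError("indefinite, oversized or truncated length")
    length = int.from_bytes(buf[pos:pos + nbytes], "big")
    if buf[pos] == 0 or length < 0x80:
        raise DerError("non-minimal length encoding")
    return length, pos + nbytes

def _parse_one(buf, pos, limit):
    """Parse one TLV that must end at or before limit; recurse into constructed types."""
    if pos >= limit:
        raise DerError("truncated: expected a tag")
    tag_byte, pos = buf[pos], pos + 1
    if tag_byte & 0x1F == 0x1F:
        raise DerError("multi-byte tag numbers are outside this example's scope")
    length, pos = _read_length(buf, pos, limit)
    end = pos + length
    if end > limit:
        raise DerError("element runs past its enclosing element")
    node = Node(tag_byte >> 6, tag_byte & 0x1F, bool(tag_byte & CONSTRUCTED), bytes(buf[pos:end]), [])
    child_pos = pos
    while node.constructed and child_pos < end:
        child, child_pos = _parse_one(buf, child_pos, end)
        node.children.append(child)
    return node, end

def parse(buf):
    """Parse exactly one top-level DER element; trailing bytes are an error."""
    node, end = _parse_one(buf, 0, len(buf))
    if end != len(buf):
        raise DerError("trailing bytes after DER element")
    return node

def decode_oid(raw):
    """OID content octets to dotted form, e.g. b'\\x55\\x04\\x03' -> '2.5.4.3'."""
    if not raw or raw[-1] & 0x80:
        raise DerError("empty or truncated OID")
    arcs = [2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:            # high bit clear ends this sub-identifier
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def _expect(node, tag, what):
    if (node.cls, node.tag) != (UNIVERSAL, tag):
        raise DerError(f"{what} must carry universal tag {tag:#x}")
    return node

def name_attributes(der_name):
    """Walk Name ::= SEQUENCE OF SET OF SEQUENCE { OID, string } into {oid: text}."""
    attrs = {}
    for rdn in _expect(parse(der_name), SEQUENCE, "Name").children:
        for atv in _expect(rdn, SET, "RelativeDistinguishedName").children:
            if len(_expect(atv, SEQUENCE, "AttributeTypeAndValue").children) != 2:
                raise DerError("AttributeTypeAndValue needs exactly two elements")
            oid_node, val_node = atv.children
            if val_node.cls != UNIVERSAL or val_node.tag not in (UTF8STRING, PRINTABLESTRING):
                raise DerError("unsupported attribute value string type")
            # PrintableString is an ASCII subset, so strict UTF-8 decoding covers both.
            attrs[decode_oid(_expect(oid_node, OID, "attribute type").value)] = val_node.value.decode("utf-8")
    return attrs

def _enc(tag, payload):
    return bytes([tag, len(payload)]) + payload  # tiny encoder, short-form lengths only

# Constructed sample Name: O=Example Org (OID 2.5.4.10) then CN=example.test (OID 2.5.4.3).
SAMPLE_NAME = _enc(SEQUENCE | CONSTRUCTED,
    _enc(SET | CONSTRUCTED, _enc(SEQUENCE | CONSTRUCTED, _enc(OID, b"\x55\x04\x0a") + _enc(PRINTABLESTRING, b"Example Org")))
    + _enc(SET | CONSTRUCTED, _enc(SEQUENCE | CONSTRUCTED, _enc(OID, b"\x55\x04\x03") + _enc(UTF8STRING, b"example.test"))))

def rejects(buf):
    """True if the walker refuses buf with DerError (shows the failure modes)."""
    try:
        parse(buf)
        return False
    except DerError:
        return True

if __name__ == "__main__":
    print(name_attributes(SAMPLE_NAME), rejects(SAMPLE_NAME[:-1]), rejects(SAMPLE_NAME + b"\x00"))
```

Running the module prints the decoded attributes followed by `True True`: the copy with its last byte cut off and the copy with a trailing zero byte are both refused. The point for a CA front end is that every decision is made on checked offsets into the DER, with no string parsing of openssl's output and no openssl memory management on the request path; the real library work (pyasn1 in Anchor's case) adds the full tag and type system on top of the same idea.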
-----Original Message-----
From: Pitucha, Stanislaw Izaak 
Sent: Friday, July 24, 2015 10:07 AM
To: openstack-security at lists.openstack.org
Subject: Re: [Openstack-security] [Anchor] Almost security-impact review - getting rid of openssl

Now available at https://review.openstack.org/205328

Best Regards,
Stanisław Pitucha

-----Original Message-----
From: Clark, Robert Graham 
Sent: Wednesday, July 22, 2015 7:50 PM
To: Darren J Moffat; Pitucha, Stanislaw Izaak; openstack-security at lists.openstack.org
Subject: Re: [Openstack-security] [Anchor] Almost security-impact review - getting rid of openssl

I tend to agree with Darren.

As it's quite a big change I think it should be discussed in a
security-specification.

-Rob


On 22/07/2015 10:19, "Darren J Moffat" <Darren.Moffat at Oracle.COM> wrote:

>
>
>On 07/22/15 05:29, Pitucha, Stanislaw Izaak wrote:
>> Hi all,
>> I'd like to get people interested in Anchor development to look at a
>>WIP patch I uploaded now:
>> https://review.openstack.org/204368
>>
>> It changes the backend of Anchor from relying on openssl (and all the
>>issues that go with it) to using pyasn1/pycrypto to directly operate on
>>the certificate/csr.
>> While it's not complete and I'm still waiting for some answers to
>>enable extensions
>>(http://stackoverflow.com/questions/31552798/parsing-x509-extensions-with
>>-pyasn1), it's functional. By definition - test_functional passes ;)
>
>I think this is the exact opposite of the direction we should be going in.
>
>pycrypto is old and not well featured.  Other parts of OpenStack and
>dependent projects such as paramiko are moving to cryptography.io which
>is a modern Python layer over OpenSSL.
>
>Please do not add more dependencies on pycrypto.
>
>> It's going to be a big change and take quite some time, so any feedback
>>is appreciated early on. The original rationale for the change can be
>>read at https://etherpad.openstack.org/p/Anchor_direct_asn1 and while
>>there were some issues on the way, I believe that everything I expected
>>to improve, improved a lot. What I'm most happy about is that the change
>>gets rid of magic string parsing / output and memory management of
>>openssl. Things like string and date manipulation either disappeared or
>>got much shorter. Also many error checks are not needed anymore.
>>
>> I didn't correct all function comments, so some of them may mention
>>wrong types. But the interface stayed pretty much the same - higher
>>level functionality like certificate_ops/signing has only cosmetic
>>changes.
>>
>> So if you're interested in Anchor, please have a look.
>>
>> Best Regards,
>> Stanisław Pitucha
>>
>>
>>
>> _______________________________________________
>> Openstack-security mailing list
>> Openstack-security at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>>
>
>-- 
>Darren J Moffat
>
