[Openstack-security] [Anchor] Almost security-impact review - getting rid of openssl

Clark, Robert Graham robert.clark at hp.com
Wed Jul 22 09:50:22 UTC 2015 

I tend to agree with Darren.

As it's quite a big change I think it should be discussed in a
security-specification.

-Rob


On 22/07/2015 10:19, "Darren J Moffat" <Darren.Moffat at Oracle.COM> wrote:

>
>
>On 07/22/15 05:29, Pitucha, Stanislaw Izaak wrote:
>> Hi all,
>> I'd like to get people interested in Anchor development to look at a
>>WIP patch I uploaded now:
>> https://review.openstack.org/204368
>>
>> It changes the backend of Anchor from relying on openssl (and all the
>>issues that go with it) to using pyasn1/pycrypto to directly operate on
>>the certificate/csr.
>> While it's not complete and I'm still waiting for some answers to
>>enable extensions
>>(http://stackoverflow.com/questions/31552798/parsing-x509-extensions-with
>>-pyasn1), it's functional. By definition - test_functional passes ;)
>
>I think this is the exact opposite of the direction we should be going in.
>
>pycrypto is old and not well featured.  Other parts of OpenStack and
>dependent projects such as paramiko are moving to cryptography.io which
>is a modern Python layer over OpenSSL.
>
>Please do not add more dependencies on pycrypto.
>
>> It's going to be a big change and take quite some time, so any feedback
>>is appreciated early on. The original rationale for the change can be
>>read at https://etherpad.openstack.org/p/Anchor_direct_asn1 and while
>>there were some issues on the way, I believe that everything I expected
>>to improve, improved a lot. What I'm most happy about is that the change
>>gets rid of magic string parsing / output and memory management of
>>openssl. Things like string and date manipulation either disappeared or
>>got much shorter. Also many error checks are not needed anymore.
>>
>> I didn't correct all function comments, so some of them may mention
>>wrong types. But the interface stayed pretty much the same - higher
>>level functionality like certificate_ops/signing has only cosmetic
>>changes.
>>
>> So if you're interested in Anchor, please have a look.
>>
>> Best Regards,
>> Stanisław Pitucha
>>
>>
>>
>> _______________________________________________
>> Openstack-security mailing list
>> Openstack-security at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>>
>
>-- 
>Darren J Moffat
>
>_______________________________________________
>Openstack-security mailing list
>Openstack-security at lists.openstack.org
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security

More information about the Openstack-security mailing list