Open Stack

Hi all,
I’d like to get people interested in Anchor development to look at a WIP patch I uploaded now:
https://review.openstack.org/204368

It changes the backend of Anchor from relying on openssl (and all the issues that go with it) to using pyasn1/pycrypto to directly operate on the certificate/csr.
While it’s not complete and I’m still waiting for some answers to enable extensions (http://stackoverflow.com/questions/31552798/parsing-x509-extensions-with-pyasn1), it’s functional. By definition – test_functional passes ;)

It’s going to be a big change and take quite some time, so any feedback is appreciated early on. The original rationale for the change can be read at https://etherpad.openstack.org/p/Anchor_direct_asn1 and while there were some issues on the way, I believe that everything I expected to improve, improved a lot. What I’m most happy about is that the change gets rid of magic string parsing / output and memory management of openssl. Things like string and date manipulation either disappeared or got much shorter. Also many error checks are not needed anymore.

I didn’t correct all function comments, so some of them may mention wrong types. But the interface stayed pretty much the same – higher level functionality like certificate_ops/signing has only cosmetic changes.

So if you’re interested in Anchor, please have a look.

Best Regards,
Stanisław Pitucha

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3508 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-security/attachments/20150722/c91286df/attachment.bin>