[Openstack-security] [Anchor] Almost security-impact review - getting rid of openssl

Darren J Moffat Darren.Moffat at Oracle.COM
Wed Jul 22 09:19:30 UTC 2015



On 07/22/15 05:29, Pitucha, Stanislaw Izaak wrote:
> Hi all,
> I’d like to get people interested in Anchor development to look at a WIP patch I uploaded now:
> https://review.openstack.org/204368
>
> It changes the backend of Anchor from relying on openssl (and all the issues that go with it) to using pyasn1/pycrypto to directly operate on the certificate/csr.
> While it’s not complete and I’m still waiting for some answers to enable extensions (http://stackoverflow.com/questions/31552798/parsing-x509-extensions-with-pyasn1), it’s functional. By definition – test_functional passes ;)

I think this is the exact opposite of the direction we should be going in.

pycrypto is old and not well featured.  Other parts of OpenStack and 
dependent projects such as paramiko are moving to cryptography.io which 
is a modern Python layer over OpenSSL.

Please do not add more dependencies on pycrypto.

> It’s going to be a big change and take quite some time, so any feedback is appreciated early on. The original rationale for the change can be read at https://etherpad.openstack.org/p/Anchor_direct_asn1 and while there were some issues on the way, I believe that everything I expected to improve, improved a lot. What I’m most happy about is that the change gets rid of magic string parsing / output and memory management of openssl. Things like string and date manipulation either disappeared or got much shorter. Also many error checks are not needed anymore.
>
> I didn’t correct all function comments, so some of them may mention wrong types. But the interface stayed pretty much the same – higher level functionality like certificate_ops/signing has only cosmetic changes.
>
> So if you’re interested in Anchor, please have a look.
>
> Best Regards,
> Stanisław Pitucha
>
>
>
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>

-- 
Darren J Moffat
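As an added illustration of the point made in the reply above (this is example code written for this page, not code from Anchor or from either poster), the following builds a CSR carrying extensions and reads them back with cryptography.io, the library the reply recommends. Extension parsing is exactly the part the original patch was still missing on the pyasn1 side; with cryptography.io the ASN.1 walk and the OpenSSL memory handling are done by the library. The subject, DNS names and key size are constructed test values, and the policy check at the end is a hypothetical example of the kind of validator a CA front end needs, not Anchor's actual policy code.

```python
"""Parse a CSR and its extensions with cryptography.io (added example, not Anchor code)."""
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def make_csr_pem(common_name: str, dns_names: list) -> bytes:
    """Build a PEM CSR with a throwaway RSA key (constructed input for the demo).

    A SubjectAlternativeName extension is added only when dns_names is non-empty;
    a non-CA BasicConstraints extension is always added.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    )
    if dns_names:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in dns_names]),
            critical=False,
        )
    builder = builder.add_extension(
        x509.BasicConstraints(ca=False, path_length=None), critical=True
    )
    csr = builder.sign(key, hashes.SHA256())
    return csr.public_bytes(serialization.Encoding.PEM)


def inspect_csr(pem: bytes) -> dict:
    """Load a PEM CSR, verify its self-signature, and pull out the fields a CA cares about.

    Returns the subject CN, the DNS SANs (empty list if the extension is absent)
    and whether the requester asked for a CA certificate via BasicConstraints.
    """
    csr = x509.load_pem_x509_csr(pem)
    # The CSR is signed with the key it carries; a failing check means it was
    # tampered with or corrupted in transit and must not be signed.
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify against its own public key")
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    try:
        san = csr.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        dns = san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        dns = []
    try:
        bc = csr.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
        ca_requested = bool(bc.value.ca)
    except x509.ExtensionNotFound:
        ca_requested = False
    return {"cn": cn, "dns": dns, "ca_requested": ca_requested}


def policy_allows(info: dict, allowed_suffix: str) -> bool:
    """Hypothetical signing policy: never honour a CA request, and only sign names
    under the allowed domain suffix (the CN must be covered by the SANs too)."""
    if info["ca_requested"]:
        return False
    names = set(info["dns"]) | {info["cn"]}
    return all(n.endswith(allowed_suffix) for n in names)


if __name__ == "__main__":
    pem = make_csr_pem("host1.example.test", ["host1.example.test", "alt.example.test"])
    info = inspect_csr(pem)
    print(info, policy_allows(info, ".example.test"))
```

The caller never sees OpenSSL structures or hand-parsed strings: the extension values come back as typed Python objects, and a missing extension is a typed exception rather than an empty string to sniff.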