[Openstack-security] [Anchor] Almost security-impact review - getting rid of openssl
Pitucha, Stanislaw Izaak
stanislaw.pitucha at hp.com
Thu Jul 23 09:57:06 UTC 2015
Hi,
I really don't mind which implementation for signing is used. cryptography.io provides pkcs#1 signatures, so it can replace pycrypto. However I chose pycrypto because it's smaller and just an established library and doesn't require cffi - it only needs to provide that one function, so lack of functionality is not an issue.
So really I'm happy to include either - it's very few lines of code affected.
As Rob suggested, I'll submit a spec too.
Best Regards,
Stanisław Pitucha
-----Original Message-----
From: Darren J Moffat [mailto:Darren.Moffat at Oracle.COM]
Sent: Wednesday, July 22, 2015 7:20 PM
To: Pitucha, Stanislaw Izaak; openstack-security at lists.openstack.org
Subject: Re: [Openstack-security] [Anchor] Almost security-impact review - getting rid of openssl
On 07/22/15 05:29, Pitucha, Stanislaw Izaak wrote:
> Hi all,
> I’d like to get people interested in Anchor development to look at a WIP patch I uploaded now:
> https://review.openstack.org/204368
>
> It changes the backend of Anchor from relying on openssl (and all the issues that go with it) to using pyasn1/pycrypto to directly operate on the certificate/csr.
> While it’s not complete and I’m still waiting for some answers to enable extensions (http://stackoverflow.com/questions/31552798/parsing-x509-extensions-with-pyasn1), it’s functional. By definition – test_functional passes ;)
I think this is the exact opposite of the direction we should be going in.
pycrypto is old and not well featured. Other parts of OpenStack and
dependent projects such as paramiko are moving to cryptography.io which
is a modern Python layer over OpenSSL.
Please do not add more dependencies on pycrypto.
> It’s going to be a big change and take quite some time, so any feedback is appreciated early on. The original rationale for the change can be read at https://etherpad.openstack.org/p/Anchor_direct_asn1 and while there were some issues on the way, I believe that everything I expected to improve, improved a lot. What I’m most happy about is that the change gets rid of magic string parsing / output and memory management of openssl. Things like string and date manipulation either disappeared or got much shorter. Also many error checks are not needed anymore.
>
> I didn’t correct all function comments, so some of them may mention wrong types. But the interface stayed pretty much the same – higher level functionality like certificate_ops/signing has only cosmetic changes.
>
> So if you’re interested in Anchor, please have a look.
>
> Best Regards,
> Stanisław Pitucha
--
Darren J Moffat