Pyopenssl Example

Welcome to pyOpenSSL’s documentation!¶ Release v20.0.1.

pyOpenSSL is a rather thin wrapper around (a subset of) the OpenSSL library. By thin wrapper we mean that many of the object methods do nothing more than call the corresponding function in the OpenSSL library.

Below is the command for generating a CSR from an existing certificate:

  $ openssl x509 -in domain.crt -signkey domain.key -x509toreq -out domain.csr

The -x509toreq option tells openssl to use the existing X.509 certificate file to build the CSR.

Generating a self-signed certificate.

Elliptic curves¶

OpenSSL.crypto.get_elliptic_curves¶ Return a set of objects representing the elliptic curves supported in the OpenSSL build in use. The curve objects have a unicode name attribute by which they identify themselves. The curve objects are useful as values for the argument accepted by Context.set_tmp_ecdh to specify which elliptic curve should be used for ECDHE key exchange.

In this example I will show the interactive method, which means you will be prompted to fill in the data required for the CSR. To generate a certificate signing request you need a private key. Ideally you would use two separate commands to generate each one, but here is a single command that generates both the private key and the CSR.
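The commands described above, as an added example that is not part of the page or of pyOpenSSL: a non-interactive script that generates the private key and CSR in one openssl command, issues a self-signed certificate from that CSR, rebuilds a CSR from the certificate with -x509toreq, and then checks what a reviewer would check: that both CSRs' self-signatures verify, that the subject survived the round trip, and that the certificate and the rebuilt CSR carry the same public key. It assumes the openssl command-line tool (1.1.1 or newer, for -addext) is on PATH; the file names, subject and SAN values are placeholders.

```shell
# Added example (not from the page or the pyOpenSSL project): the openssl
# commands discussed above, made non-interactive so they can be scripted and
# checked. Assumes openssl 1.1.1+ on PATH; names and subject are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SUBJ="/CN=www.example.com/O=Example Org"

# 1. Private key and CSR in one command. -subj and -addext replace the
#    interactive prompts; -nodes leaves the key unencrypted on disk, so the
#    subshell umask makes sure it is written with owner-only permissions.
make_key_and_csr() {
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$WORK/domain.key" -out "$WORK/domain.csr" \
          -subj "$SUBJ" \
          -addext "subjectAltName=DNS:www.example.com,DNS:example.com" ) >/dev/null 2>&1
}

# 2. Self-signed certificate issued from that CSR with the same key.
#    "x509 -req" does not carry the CSR's extensions (the SAN above) into the
#    certificate unless -extfile (or -copy_extensions copy on 3.x) is given.
make_self_signed() {
    openssl x509 -req -in "$WORK/domain.csr" -signkey "$WORK/domain.key" \
        -days 365 -out "$WORK/domain.crt" >/dev/null 2>&1
}

# 3. The page's -x509toreq command: rebuild a CSR from the existing
#    certificate (handy for a renewal when the original CSR is gone).
cert_to_csr() {
    openssl x509 -in "$WORK/domain.crt" -signkey "$WORK/domain.key" \
        -x509toreq -out "$WORK/renewal.csr" >/dev/null 2>&1
}

# --- checks ----------------------------------------------------------------

# "ok" when the CSR's self-signature verifies under the public key it carries,
# i.e. whoever produced the request really holds the private key.
csr_verify() {
    if openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"; then
        echo ok
    else
        echo bad
    fi
}

# Common name of a CSR; tolerates both "CN = x, O = y" and "/CN=x/O=y" styles.
csr_common_name() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# SHA-256 over the DER SubjectPublicKeyInfo of a certificate (*.crt) or a CSR,
# so the two can be compared: a rebuilt CSR must carry the certificate's key.
pubkey_sha256() {
    if [ "${1##*.}" = "crt" ]; then
        openssl x509 -in "$1" -noout -pubkey
    else
        openssl req -in "$1" -noout -pubkey
    fi | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

make_key_and_csr
make_self_signed
cert_to_csr

echo "original CSR signature: $(csr_verify "$WORK/domain.csr")"
echo "rebuilt CSR signature:  $(csr_verify "$WORK/renewal.csr")"
echo "rebuilt CSR CN:         $(csr_common_name "$WORK/renewal.csr")"
echo "cert pubkey sha256:     $(pubkey_sha256 "$WORK/domain.crt")"
echo "CSR pubkey sha256:      $(pubkey_sha256 "$WORK/renewal.csr")"
```

Run it with sh; everything is written to a fresh mktemp directory. The caveat worth remembering from step 2 is that x509 -req issues the certificate from the CSR's subject and key only: the SAN requested in domain.csr is absent from domain.crt unless you pass -extfile (or, on OpenSSL 3.x, -copy_extensions copy), which is a common reason a freshly made self-signed certificate fails hostname validation.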


History¶

pyOpenSSL was originally created by Martin Sjögren because the SSL support in the standard library of Python 2.1 (the current version of Python when the pyOpenSSL project was begun) was severely limited. Other OpenSSL wrappers for Python at the time were also limited, though in different ways.

Later it was maintained by Jean-Paul Calderone who among other things managed to make pyOpenSSL a pure Python project which the current maintainers are very grateful for.

Over time the standard library’s ssl module improved, but it never reached the completeness of pyOpenSSL’s API coverage. Despite PEP 466, many useful features remain Python 3-only, and pyOpenSSL remains the only alternative for full-featured TLS code across all noteworthy Python versions from 2.7 through 3.5 and PyPy.

Development¶

pyOpenSSL is collaboratively developed by the Python Cryptography Authority (PyCA) that also maintains the low-level bindings called cryptography.

Current maintainer and release manager is Hynek Schlawack.

Contributing¶

First of all, thank you for your interest in contributing to pyOpenSSL! This project has no company backing its development, so we depend on help from the community.

Filing bug reports¶

Bug reports are very welcome. Please file them on the GitHub issue tracker. Good bug reports come with extensive descriptions of the error and how to reproduce it. Reporters are strongly encouraged to include a short, self-contained, correct example.

Patches¶

All patches to pyOpenSSL should be submitted in the form of pull requests to the main pyOpenSSL repository, pyca/pyopenssl. These pull requests should satisfy the following properties:

Code¶

  • The pull request should focus on one particular improvement to pyOpenSSL. Create different pull requests for unrelated features or bugfixes.
  • Code should follow PEP 8, especially in the “do what code around you does” sense. Following OpenSSL naming for callables whenever possible is preferred.
  • Pull requests that introduce code must test all new behavior they introduce, as well as previously untested or poorly tested behavior that they touch.
  • Pull requests are not allowed to break existing tests. We usually don’t comment on pull requests that break the CI because we consider them work in progress. Please note that not having 100% code coverage for the code you wrote or touched also causes our CI to fail.

Documentation¶

When introducing new functionality, please remember to write documentation.

  • New functions and methods should have a docstring describing what they do, what parameters they take, what types those parameters are, and what they return.

    Don’t forget to add a .. auto(function|class|method):: statement to the relevant API document found in doc/api/ to actually add your function to the Sphinx documentation.

  • Do not use :py: prefixes when cross-linking (Python is the default). Do not use the generic :data: or :obj:. Instead use more specific roles like :class:, :func: or :meth: where applicable.

  • Pull requests that introduce features or fix bugs should note those changes in the CHANGELOG.rst file. Please add new entries to the top of the current Changes section, followed by a line linking to the relevant pull request:

  • Use semantic newlines in reStructuredText files (files ending in .rst).

Review¶


Finally, pull requests must be reviewed before merging. This process mirrors the cryptography code review process. Everyone can perform reviews; this is a very valuable way to contribute, and is highly encouraged.

Pull requests are merged by members of PyCA. They should, of course, keep all the requirements detailed in this document as well as the pyca/cryptography merge requirements in mind.

The final responsibility for the review of merged code lies with the person merging it. Since pyOpenSSL is a sensitive project from a security perspective, reviewers are strongly encouraged to take this review and merge process very seriously.

Finding Help¶

If you need any help with the contribution process, you’ll find us hanging out at #cryptography-dev on Freenode IRC. You can also ask questions on our mailing list.

Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.

Security¶

If you feel that you found a security-relevant bug that you would prefer to discuss in private, please send us a GPG-encrypted e-mail.

The maintainer can be reached at hs@ox.cx and his GPG key ID is 0xAE2536227F69F181 (Fingerprint: C2A04F86ACE28ADCF817DBB7AE2536227F69F181). Feel free to cross-check this information with Keybase.

Note

This plugin is part of the community.crypto collection (version 1.6.2).

To install it use: ansible-galaxy collection install community.crypto.

To use it in a playbook, specify: community.crypto.openssl_csr_info.

  • This module allows one to query information on OpenSSL Certificate Signing Requests (CSR).

  • In case the CSR signature cannot be validated, the module will fail. In this case, all return variables are still returned.

  • It uses the pyOpenSSL or cryptography Python library to interact with OpenSSL. If both the cryptography and pyOpenSSL libraries are available (and meet the minimum version requirements), cryptography is preferred as a backend over pyOpenSSL (unless the backend is forced with select_crypto_backend). Please note that the pyOpenSSL backend was deprecated in Ansible 2.9 and will be removed in community.crypto 2.0.0.

The below requirements are needed on the host that executes this module.

  • PyOpenSSL >= 0.15 or cryptography >= 1.3

Parameters

  • content (string)
    Content of the CSR file.
    Either path or content must be specified, but not both.

  • path (path)
    Remote absolute path where the CSR file is loaded from.
    Either path or content must be specified, but not both.

  • select_crypto_backend (string)
    Choices: auto (default), cryptography, pyopenssl
    Determines which crypto backend to use.
    The default choice is auto, which tries to use cryptography if available and falls back to pyopenssl.
    If set to pyopenssl, the module will try to use the pyOpenSSL library.
    If set to cryptography, the module will try to use the cryptography library.
    Please note that the pyopenssl backend has been deprecated in Ansible 2.9 and will be removed in community.crypto 2.0.0. From that point on, only the cryptography backend will be available.


See also

community.crypto.openssl_csr

The official documentation on the community.crypto.openssl_csr module.

community.crypto.openssl_csr_pipe

The official documentation on the community.crypto.openssl_csr_pipe module.

Common return values are documented elsewhere; the following are the fields unique to this module.

Return values

  • authority_cert_issuer (list / elements=string)
    Returned: success and if the pyOpenSSL backend is not used
    The CSR's authority cert issuer as a list of general names.
    Is none if the AuthorityKeyIdentifier extension is not present.
    Sample: [DNS:www.ansible.com, IP:1.2.3.4]

  • authority_cert_serial_number (integer)
    Returned: success and if the pyOpenSSL backend is not used
    Is none if the AuthorityKeyIdentifier extension is not present.
    Sample: 12345

  • authority_key_identifier (string)
    Returned: success and if the pyOpenSSL backend is not used
    The identifier is returned in hexadecimal, with : used to separate bytes.
    Is none if the AuthorityKeyIdentifier extension is not present.
    Sample: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33

  • basic_constraints (list / elements=string)
    Returned: success
    Entries in the basic_constraints extension, or none if the extension is not present.
    Sample: [CA:TRUE, pathlen:1]

  • basic_constraints_critical (boolean)
    Returned: success
    Whether the basic_constraints extension is critical.

  • extended_key_usage (list / elements=string)
    Returned: success
    Entries in the extended_key_usage extension, or none if the extension is not present.
    Sample: [Biometric Info, DVCS, Time Stamping]

  • extended_key_usage_critical (boolean)
    Returned: success
    Whether the extended_key_usage extension is critical.

  • extensions_by_oid (dictionary)
    Returned: success
    Sample: {'1.3.6.1.5.5.7.1.24': {'critical': false, 'value': 'MAMCAQU='}}
    Contains:
      • critical (boolean)
        Returned: success
      • value
        Returned: success
        The Base64 encoded value (in DER format) of the extension.
        Sample: MAMCAQU=

  • key_usage (string)
    Returned: success
    Entries in the key_usage extension, or none if the extension is not present.
    Sample: [Key Agreement, Data Encipherment]

  • key_usage_critical (boolean)
    Returned: success
    Whether the key_usage extension is critical.

  • name_constraints_critical (added in 1.1.0 of community.crypto)
    Returned: success
    Whether the name_constraints extension is critical.

  • name_constraints_excluded (added in 1.1.0 of community.crypto)
    Returned: success
    List of excluded subtrees the CA cannot sign certificates for.

  • name_constraints_permitted (added in 1.1.0 of community.crypto)
    Returned: success
    List of permitted subtrees to sign certificates for.
    Sample: ['email:.somedomain.com']

  • ocsp_must_staple (boolean)
    Returned: success
    yes if the OCSP Must Staple extension is present, none otherwise.

  • ocsp_must_staple_critical (boolean)
    Returned: success
    Whether the ocsp_must_staple extension is critical.

  • public_key (string)
    Returned: success
    Sample: -----BEGIN PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A...

  • public_key_fingerprints (dictionary)
    Returned: success
    For every hash algorithm available, the fingerprint is computed.
    Sample: {'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63', 'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1...

  • signature_valid (boolean)
    Returned: success
    In case the check returns no, the module will fail.

  • subject (dictionary)
    Returned: success
    Note that for repeated values, only the last one will be returned.
    Sample: {'commonName': 'www.example.com', 'emailAddress': '[email protected]'}

  • subject_alt_name (list / elements=string)
    Returned: success
    Entries in the subject_alt_name extension, or none if the extension is not present.
    Sample: [DNS:www.ansible.com, IP:1.2.3.4]

  • subject_alt_name_critical (boolean)
    Returned: success
    Whether the subject_alt_name extension is critical.

  • subject_key_identifier (string)
    Returned: success and if the pyOpenSSL backend is not used
    The identifier is returned in hexadecimal, with : used to separate bytes.
    Is none if the SubjectKeyIdentifier extension is not present.
    Sample: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33

  • subject_ordered (list / elements=list)
    Returned: success
    Sample: [['commonName', 'www.example.com'], ['emailAddress', '[email protected]']]
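The return values listed above, reproduced for a constructed CSR with the openssl command-line tool, as an added example that is not part of the page or of the community.crypto collection: each shell function yields one of the module's fields (signature_valid, one subject attribute, an extension's value and its matching *_critical flag, public_key_fingerprints.sha256), so a module result can be cross-checked by hand, and an absent extension comes back empty, which is the module's none. It assumes openssl 1.1.1 or newer on PATH; the key, subject and extensions are generated here as sample input and are not from any real deployment.

```shell
# Added example (not from the page or the community.crypto collection): the
# openssl_csr_info fields computed with the openssl CLI for a constructed CSR.
# Assumes openssl 1.1.1+ on PATH; subject and extension values are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CSR="$WORK/sample.csr"

# Constructed sample input: a fresh key and a CSR carrying the kinds of
# extensions the module reports (subject_alt_name, basic_constraints, key_usage).
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/sample.key" -out "$CSR" \
    -subj "/CN=www.example.com/O=Example Org" \
    -addext "subjectAltName=DNS:www.example.com,DNS:example.com" \
    -addext "basicConstraints=critical,CA:FALSE" \
    -addext "keyUsage=critical,digitalSignature,keyEncipherment" >/dev/null 2>&1

# signature_valid: "yes" when the CSR's self-signature checks out under its own
# public key. The module fails the task when this is "no"; a script should too.
csr_signature_valid() {
    if openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"; then
        echo yes
    else
        echo no
    fi
}

# subject.<attr>: one attribute of the subject DN (e.g. CN or O). Handles both
# "CN = x, O = y" and "/CN=x/O=y" output styles and, like the module, keeps
# only the last value of a repeated attribute. Values containing "," or "/"
# would need -nameopt escaping, which this simple splitter does not handle.
csr_subject_attr() {
    openssl req -in "$1" -noout -subject | awk -v want="$2" '
        { sub(/^subject= */, "")
          n = split($0, parts, "[,/]")
          for (i = 1; i <= n; i++) {
              eq = index(parts[i], "=")
              if (eq == 0) continue
              k = substr(parts[i], 1, eq - 1); v = substr(parts[i], eq + 1)
              gsub(/^ +| +$/, "", k); gsub(/^ +| +$/, "", v)
              if (k == want) last = v
          }
          if (last != "") print last }'
}

# Value line printed under an extension title in "req -text", leading
# whitespace stripped; empty when the extension is absent (the module's none).
csr_ext_value() {
    openssl req -in "$1" -noout -text | awk -v name="$2" '
        found { sub(/^[ \t]+/, ""); print; exit }
        index($0, name ":") { found = 1 }'
}

# "yes"/"no" for the matching *_critical field; empty when the extension is absent.
csr_ext_critical() {
    openssl req -in "$1" -noout -text | awk -v name="$2" '
        index($0, name ":") { print (index($0, "critical") ? "yes" : "no"); exit }'
}

# public_key_fingerprints.sha256: SHA-256 over the DER SubjectPublicKeyInfo,
# colon-separated as the module prints it.
csr_pubkey_fingerprint_sha256() {
    openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -c | sed 's/^.*= *//'
}

report() {
    printf 'signature_valid:                %s\n' "$(csr_signature_valid "$CSR")"
    printf 'subject.commonName:             %s\n' "$(csr_subject_attr "$CSR" CN)"
    printf 'subject.organizationName:       %s\n' "$(csr_subject_attr "$CSR" O)"
    printf 'subject_alt_name:               %s\n' "$(csr_ext_value "$CSR" "X509v3 Subject Alternative Name")"
    printf 'basic_constraints:              %s (critical: %s)\n' \
        "$(csr_ext_value "$CSR" "X509v3 Basic Constraints")" "$(csr_ext_critical "$CSR" "X509v3 Basic Constraints")"
    printf 'key_usage:                      %s (critical: %s)\n' \
        "$(csr_ext_value "$CSR" "X509v3 Key Usage")" "$(csr_ext_critical "$CSR" "X509v3 Key Usage")"
    # Not requested in the sample CSR, so this line stays empty (the module's none).
    printf 'extended_key_usage:             %s\n' "$(csr_ext_value "$CSR" "X509v3 Extended Key Usage")"
    printf 'public_key_fingerprints.sha256: %s\n' "$(csr_pubkey_fingerprint_sha256 "$CSR")"
}

report
```

The functions read openssl's human-readable output, which is stable for the fields shown here but is not a parser for arbitrary CSRs; for anything beyond a spot check, let the module (or the cryptography library it prefers) decode the DER directly.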


Authors¶


  • Felix Fontein (@felixfontein)

  • Yanis Guenane (@Spredzy)