Hi,

I am a maintainer of M2Crypto [1] and I have finally moved to try to understand a mysterious crash in the X509.new_extension() function [2].

This (shortened) script [3] leads quite consistently to a crash on all Pythons from 2.7 to 3.12 with the latest M2Crypto 0.42.0 and many previous versions:

    from M2Crypto import X509

    sub_key_id = '1C:E6:F0:58:58:32:BC:7B:BA:8E:E0:23:1B:FF:17:99:B0:4D:CF:64'
    cert_pem_string = """
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    """

    m2_x509_cert = X509.load_cert_string(cert_pem_string)
    local_ski = m2_x509_cert.get_ext('subjectKeyIdentifier')
    local_aki = m2_x509_cert.get_ext('authorityKeyIdentifier')
    X509.new_extension('subjectKeyIdentifier', sub_key_id)
    print('This next bit seq faults.')
    X509.new_extension('authorityKeyIdentifier', 'keyid')

X509.new_extension() is just a very thin layer over X509V3_EXT_conf() and it seems that OpenSSL crashes in this function when it is called for the second time with the first parameter (`conf`) set to `NULL`.

The function doesn’t seem to be very well documented (at least I haven’t found a manpage for it), so I dived directly into the code and it seems to me that it all boils down to the `def_init_default()` function [4], which however seems to be perfectly happy with the `conf` value being `NULL`.

Any idea what I am missing?

Thank you for kicking me in the right direction,

Matěj

[1] Recently moved to https://sr.ht/~mcepl/m2crypto/
[2] https://todo.sr.ht/~mcepl/m2crypto/9
[3] Full version of the reproducer is on https://gitlab.com/-/project/346279/uploads/3b9517dc3b8582a47cd83c7cca14af2a/crash_m2crypto.py
[4] https://github.com/openssl/openssl/blob/master/crypto/conf/conf_def.c#L124

--
http://matej.ceplovi.cz/blog/, @mcepl@floss.social
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

Do not pity the dead, Harry. Pity the living, and above all, the people who watched [Harry Potter and the Cursed Child].
  -- Philami on https://is.gd/f9VMaC