On Tue Sep 17, 2024 at 7:26 AM CEST, Viktor Dukhovni wrote:
> You can start by switching to X509V3_EXT_nconf(), which should tolerate
> a NULL `conf` argument, if your extension is self-contained, and needs
> no supporting configuration.

Hmm, I tried to do it in
https://git.sr.ht/~mcepl/m2crypto/commit/bd1e7306fbd6 , which gives me
this result in Python:

    def new_extension(
        name: str, value: bytes, critical: int = 0, _pyfree: int = 1
    ) -> X509_Extension:
        """
        Create new X509_Extension instance.
        """
        if (
            name == 'subjectKeyIdentifier'
            and value.strip('0123456789abcdefABCDEF:') != ''
        ):
            raise ValueError('value must be precomputed hash')
        ctx = m2.x509v3_set_nconf()
        x509_ext_ptr = m2.x509v3_ext_nconf(None, ctx, name, value)
        if x509_ext_ptr is None:
            raise X509Error(
                "Cannot create X509_Extension with name '%s' and value '%s'"
                % (name, value)
            )
        x509_ext = X509_Extension(x509_ext_ptr, _pyfree)
        x509_ext.set_critical(critical)
        return x509_ext

and this is the C/swig implementation of x509v3_ext_nconf():

    X509V3_CTX *
    x509v3_set_nconf(void) {
        X509V3_CTX * ctx;
        CONF *conf = NCONF_new(NULL);

        if (!(ctx=(X509V3_CTX *)PyMem_Malloc(sizeof(X509V3_CTX)))) {
            PyErr_SetString(PyExc_MemoryError, "x509v3_set_nconf");
            return NULL;
        }
        /* X509V3_set_nconf does not generate any error signs at all. */
        X509V3_set_nconf(ctx, conf);
        return ctx;
    }

The weird thing is that this is working fine with some Linux
distributions and architectures (Python 3.9 on alpine and locally when
run with 3.11 on openSUSE/Tumbleweed), but it fails with both lower and
higher versions of Python on various other distributions.

Does anybody see anything obvious I do wrong?

Thanks for any ideas,

Matěj

--
http://matej.ceplovi.cz/blog/, @mcepl@floss.social
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

Reality is merely an illusion, albeit a very persistent one.
    -- Albert Einstein