Support for cryptography.X509.Extensions in pyopenssl.X509.add_extensions etc?

[wgreenberg]

Since pyOpenSSL's Extensions are now deprecated, I'm trying to migrate Certbot to cryptography's, but there's still pyOpenSSL public API that only accepts/returns the deprecated extension type:

• pyopenssl/src/OpenSSL/crypto.py

  Lines 1079 to 1130 in a972ea4

  	def add_extensions(
  	self, extensions: Iterable[_X509ExtensionInternal]
  	) -> None:
  	"""
  	Add extensions to the certificate signing request.
  	:param extensions: The X.509 extensions to add.
  	:type extensions: iterable of :py:class:`X509Extension`
  	:return: ``None``
  	"""
  	stack = _lib.sk_X509_EXTENSION_new_null()
  	_openssl_assert(stack != _ffi.NULL)
  	stack = _ffi.gc(stack, _lib.sk_X509_EXTENSION_free)
  	for ext in extensions:
  	if not isinstance(ext, _X509ExtensionInternal):
  	raise ValueError("One of the elements is not an X509Extension")
  	# TODO push can fail (here and elsewhere)
  	_lib.sk_X509_EXTENSION_push(stack, ext._extension)
  	add_result = _lib.X509_REQ_add_extensions(self._req, stack)
  	_openssl_assert(add_result == 1)
  	def get_extensions(self) -> List[_X509ExtensionInternal]:
  	"""
  	Get X.509 extensions in the certificate signing request.
  	:return: The X.509 extensions in this request.
  	:rtype: :py:class:`list` of :py:class:`X509Extension` objects.
  	.. versionadded:: 0.15
  	"""
  	exts = []
  	native_exts_obj = _lib.X509_REQ_get_extensions(self._req)
  	native_exts_obj = _ffi.gc(
  	native_exts_obj,
  	lambda x: _lib.sk_X509_EXTENSION_pop_free(
  	x,
  	_ffi.addressof(_lib._original_lib, "X509_EXTENSION_free"),
  	),
  	)
  	for i in range(_lib.sk_X509_EXTENSION_num(native_exts_obj)):
  	ext = _X509ExtensionInternal.__new__(_X509ExtensionInternal)
  	extension = _lib.X509_EXTENSION_dup(
  	_lib.sk_X509_EXTENSION_value(native_exts_obj, i)
  	)
  	ext._extension = _ffi.gc(extension, _lib.X509_EXTENSION_free)
  	exts.append(ext)
  	return exts

• pyopenssl/src/OpenSSL/crypto.py

  Lines 1638 to 1659 in a972ea4

  	def get_extension(self, index: int) -> _X509ExtensionInternal:
  	"""
  	Get a specific extension of the certificate by index.
  	Extensions on a certificate are kept in order. The index
  	parameter selects which extension will be returned.
  	:param int index: The index of the extension to retrieve.
  	:return: The extension at the specified index.
  	:rtype: :py:class:`X509Extension`
  	:raises IndexError: If the extension index was out of bounds.
  	.. versionadded:: 0.12
  	"""
  	ext = _X509ExtensionInternal.__new__(_X509ExtensionInternal)
  	ext._extension = _lib.X509_get_ext(self._x509, index)
  	if ext._extension == _ffi.NULL:
  	raise IndexError("extension index out of bounds")
  	extension = _lib.X509_EXTENSION_dup(ext._extension)
  	ext._extension = _ffi.gc(extension, _lib.X509_EXTENSION_free)
  	return ext

I noticed that some work was done to add support for cryptography's CRL types in #1252, and was hoping similar work could be done for extensions. Happy to help implement this if it's desired.

[alex]

The easiest thing is likely to migrate your entire X.509 usage to cryptography's, rather than doing it piecemeal. -- pyOpenSSL's X509 type has to_cryptography and from_cryptography methods for that purpose.

There's some technical barriers that would make it difficult to do for extensions in an efficient way.

[mhils]

The easiest thing is likely to migrate your entire X.509 usage to cryptography's, rather than doing it piecemeal. -- pyOpenSSL's X509 type has to_cryptography and from_cryptography methods for that purpose.

+1. We're doing this (to_cryptography/from_cryptography) for mitmproxy and it works really well.