Skip to content

gh-118658: Modify cert generation script to extract cert3.pem#124598

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
encukou merged 2 commits into from
Oct 4, 2024
Merged

gh-118658: Modify cert generation script to extract cert3.pem #124598

encukou merged 2 commits into from
Oct 4, 2024

Conversation

@felixfontein
Copy link
Contributor

@felixfonteinfelixfontein commented Sep 26, 2024
edited by bedevere-app bot
Loading

This updates #118669 to extract the added file cert3.pem from keycert3.pem.

I'm not sure whether using the same issue number in the title is ok...

@bedevere-appbedevere-appbot mentioned this pull request Sep 26, 2024
Closed
@felixfonteinfelixfontein mentioned this pull request Sep 26, 2024
Merged
@felixfontein
Copy link
ContributorAuthor

felixfontein commented Sep 26, 2024
edited
Loading

CC @kanavin

I cannot really test this since the script doesn't work for me at all (it produces an invalid OpenSSL command line before reaching the part I modified), but I ran the code I added/modified manually and it seems to work.

felixfontein
felixfontein commented Sep 26, 2024
View reviewed changes
@felixfonteinfelixfontein mentioned this pull request Sep 26, 2024
Closed
@kanavin
Copy link
Contributor

kanavin commented Sep 26, 2024

I have cherry-picked this. Sadly there are failures:

====================================================================== ERROR: test_certificate_chain (test.test_ssl.TestPostHandshakeAuth.test_certificate_chain) ---------------------------------------------------------------------- Traceback (most recent call last): File "/srv/work/alex/cpython/Lib/test/test_ssl.py", line 4708, in test_certificate_chain expected_ee_cert = ssl.PEM_cert_to_DER_cert(f.read()) File "/srv/work/alex/cpython/Lib/ssl.py", line 1498, in PEM_cert_to_DER_cert raise ValueError("Invalid PEM encoding; must start with %s" % PEM_HEADER) ValueError: Invalid PEM encoding; must start with -----BEGIN CERTIFICATE----- ====================================================================== FAIL: test_https_client_non_tls_response_ignored (test.test_ssl.TestPreHandshakeClose.test_https_client_non_tls_response_ignored) ---------------------------------------------------------------------- Traceback (most recent call last): File "/srv/work/alex/cpython/Lib/test/test_ssl.py", line 5150, in test_https_client_non_tls_response_ignored with warnings_helper.check_no_resource_warning(self), \ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^ File "/srv/work/alex/cpython/Lib/contextlib.py", line 148, in __exit__ next(self.gen) ~~~~^^^^^^^^^^ File "/srv/work/alex/cpython/Lib/test/support/warnings_helper.py", line 148, in check_no_resource_warning with check_no_warnings(testcase, category=ResourceWarning, force_gc=True): ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/srv/work/alex/cpython/Lib/contextlib.py", line 148, in __exit__ next(self.gen) ~~~~^^^^^^^^^^ File "/srv/work/alex/cpython/Lib/test/support/warnings_helper.py", line 131, in check_no_warnings testcase.assertEqual(warns, []) ~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^ AssertionError: Lists differ: [<warnings.WarningMessage object at 0x7fe633996510>] != [] First list contains 1 additional elements. First extra element 0: <warnings.WarningMessage object at 0x7fe633996510> - [<warnings.WarningMessage object at 0x7fe633996510>] + [] ---------------------------------------------------------------------- Ran 2 tests in 0.081s

The generated cert3.pem looks like this:

-----BEGIN PRIVATE KEY----- MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQDlMLf3ifFQ+30m PFr/C+j+snJyAtnylop6CBLODCRxdcFKH40r7ugai8yDi+5uLWzw4n9I1Yim16sx VBGDSl4hawzhSyMmg6TfzXMISFuQVCxib6vPH7Lp0PPAxHs2yTz/B+CmfLJKJX6T xlGSN/4Ko6fcvkncovYDAi3N199T1dfIKh3PCcXQHvF5kR0aV6cieV7Ga4MIiZrR j2v7lujEEVrOfOqdI7BR1LRN4wM8sDIkfUoJHjkrQd6PiasdiTNmhyAz6pQw4nKq x1hSkLEB9lGY7MkqFJa58YHmDLEawlHIsTqrW0R5Zq8PPHeWyJ54/FPectRRWUDx 7gnRjTMKAePeK3LDXAq4ofpJvZvbOywWEDHh4k3d0IMGZWIZb+f8wzCe/twWfS0a ifuIWlNOG0JDRQfrAOOQ8P646qY6O708qXyhGpN/W1QbsSaSzrzvPDtvPgZrHqAq VrcP+ftIFzMC5T2ZUmsKsEVTi3cKbw4hNLMYGlem3erKP7qazhsCAwEAAQKCAYAg FZJjamGoYxRxgliAxNOQuD1yPXjyT2XCUJgFVUjSw1fUPxd9s3u1n6V5MuEldmF+ VU7ZTN9M7/sstCaheQs1ZW2PqnuYvCwcEoBMhAiha08tVpG4NKlQtyowbbEMCd7q mtk1pVY2MAqIuGYZ8JG1PpTUv6TKaNvErwzneJVwgIqtIEw8/BK/oF1QleJ7mhKx Lkl4wHs++jh8prXIqicar41FQ9J6PhFEW2EEWEfPOqFCX3G6VgtNxXJZKL4WK+sM 1aLQ2nibHez1M2LnbTQg7KmN1wMHIf0af5MIhyAr4cTo6AyiRrrwy7WZQ2dROh2I Gu3R/iZj+rqjbIqRphhtNuH2FJvHWU3vgcp/AhITNHIz3p8d5R0bqktrajBfa3oW ZEwMUqjTyFTDha+jVR4EQIXpXMSNAroK5DwN6skfk90bZS0xR9mMBFRBYXUnaYw+ TW4i1bUsdOBF/tVNEKDNqjVOE7r4laDM3NxcNwbE4FfmyIOvwLrPsX/T0XFiyOkC gcEA9y6e9cOm0uhs5Ew1iOi6MWsSbYnitML91cp//RgRXDmIPh211IcMeAx1Kg2B wXIbUT9H7cz8XyC5gbILcDV2VSoF46VLCD9leshOenTcN4cqUZFRXK+3YQ2TJ44O v3dhsnptd2AFdrmgNVFGNxTo8SnZcHTjB+nPNGUatyOLMF+JW8XecBY3H45o+v2R tK8I/9oXCBzdoburPcmBDW8kij4mQWUVQmjyVTiV6Ww13pKkumwduHOSegCR87c6 gy+DAoHBAO1dydHkiDqJ1bG2FDahRAimTLsA4RGiHrPVJuERgy9V6UM6czWF5tjx sFwp4S5hMS7JAV3njzLFpbkrPOR/ig2U2iSWJdWsc6mX0acA82SD52r8f6cxBnEr mbLnda7/KlaNDsF5Y0XeWa7IiDJ1aeDeisySVyW3PmUMnFUvgVKFY9LDGBMowHCL xTN9DqfjTTLnokgiGAasz4l6Pgj2THGr0bfb5xeuGKM6Zy81CJ0hvnYpIVRsMvo2 FE/yiqlLiQKBwQCKoWcdx0GFAD4yPFu6EWx70uVe8fpoDwR2J0BpHlp+MvYqgFc+ fw+LNNFxaGnhqLGRe8BHqrPQVnY0OzsXD6TyVsM+zbGrSoMLvdPl8iygJ/qgDLRp G1Pp5sclZBL5Z2cvxmImlX/6+ljUDmUm918+Ao6k96ltAsDnTd0R4alq0+ohwnPi wVLhK+nM+vIBODn/5L0OG8JhtvNvj9gFRNRlhD3IZ3zo5hsjmLzbUYlU70HcHE7+ 6DK6oh85ZQY4FSkCgcEA1B5KKr21V8qxItx598/pgmlKjJrehul/0mkbE2qY9wYp LCDhr+T3RMvHNLVgPBgy4YJTLF2wREkILg+LnQ60iiqJPsTHDsnLmrTHcByTZTHS 7nKyiPBwt1WlRpE9Q6NXbH0lwJP/uQJY1q7xt1XhxkhZdTMZmeTFZ3v7gMyxHtOB P2mE7CowvuLI2ZhaLoIcDO+ewCNnoR9xX4PUSCICclp/UXS8cRbtgYDBkRgtmG39 TI648D6414zYXhF7BIsxAoHASq4ZDjN3xGhmEtMcMaDAZ2sT5Gl20SK3hO7n7BDo 1u+UP8BsWxUkJioRFMdcP3DM+Vsfc+DnTdT7oh4AcXNPONgdEpkwkjEZDvJ0KFnF 6eESCrSXAHZ6adHF26xQx22nv7J2dT2mgDaDPuC+VSB0mqKimfGQqrWPzVNfc1lz 8x2MjTTMTtXnEvVkkMX9QL//j0ChQMU0z6DDfCz+LFmBPfowPSTai343hO64zdXD 9Db2a9A3OGfUSDPCeNvn9zbC -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIF8zCCBFugAwIBAgIJAMstgJlaaVJcMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNV BAYTAlhZMSYwJAYDVQQKDB1QeXRob24gU29mdHdhcmUgRm91bmRhdGlvbiBDQTEW MBQGA1UEAwwNb3VyLWNhLXNlcnZlcjAgFw0xODA4MjkxNDIzMTZaGA8yNTI1MTAy ODE0MjMxNlowXzELMAkGA1UEBhMCWFkxFzAVBgNVBAcMDkNhc3RsZSBBbnRocmF4 MSMwIQYDVQQKDBpQeXRob24gU29mdHdhcmUgRm91bmRhdGlvbjESMBAGA1UEAwwJ bG9jYWxob3N0MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA5TC394nx UPt9Jjxa/wvo/rJycgLZ8paKeggSzgwkcXXBSh+NK+7oGovMg4vubi1s8OJ/SNWI pterMVQRg0peIWsM4UsjJoOk381zCEhbkFQsYm+rzx+y6dDzwMR7Nsk8/wfgpnyy SiV+k8ZRkjf+CqOn3L5J3KL2AwItzdffU9XXyCodzwnF0B7xeZEdGlenInlexmuD CIma0Y9r+5boxBFaznzqnSOwUdS0TeMDPLAyJH1KCR45K0Hej4mrHYkzZocgM+qU MOJyqsdYUpCxAfZRmOzJKhSWufGB5gyxGsJRyLE6q1tEeWavDzx3lsieePxT3nLU UVlA8e4J0Y0zCgHj3ityw1wKuKH6Sb2b2zssFhAx4eJN3dCDBmViGW/n/MMwnv7c Fn0tGon7iFpTThtCQ0UH6wDjkPD+uOqmOju9PKl8oRqTf1tUG7Emks687zw7bz4G ax6gKla3D/n7SBczAuU9mVJrCrBFU4t3Cm8OITSzGBpXpt3qyj+6ms4bAgMBAAGj ggHAMIIBvDAUBgNVHREEDTALgglsb2NhbGhvc3QwDgYDVR0PAQH/BAQDAgWgMB0G A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1Ud DgQWBBStfyeYTVBw2jUaNWxsrQjCeDnZnzB9BgNVHSMEdjB0gBQDAWzX4NDae7nx gos5flccYJ/gOKFRpE8wTTELMAkGA1UEBhMCWFkxJjAkBgNVBAoMHVB5dGhvbiBT b2Z0d2FyZSBGb3VuZGF0aW9uIENBMRYwFAYDVQQDDA1vdXItY2Etc2VydmVyggkA yy2AmVppUlswgYMGCCsGAQUFBwEBBHcwdTA8BggrBgEFBQcwAoYwaHR0cDovL3Rl c3RjYS5weXRob250ZXN0Lm5ldC90ZXN0Y2EvcHljYWNlcnQuY2VyMDUGCCsGAQUF BzABhilodHRwOi8vdGVzdGNhLnB5dGhvbnRlc3QubmV0L3Rlc3RjYS9vY3NwLzBD BgNVHR8EPDA6MDigNqA0hjJodHRwOi8vdGVzdGNhLnB5dGhvbnRlc3QubmV0L3Rl c3RjYS9yZXZvY2F0aW9uLmNybDANBgkqhkiG9w0BAQsFAAOCAYEAJTTD+6HAN2lq N1t4GCNkGJZT02eOpIu/z943zUzZTevlZ4XAEaSsWLzgnj6E+6EZqh0pTVIi5DQv 2Wj10zlJsE/Pq1geJoFGQizxgngK5ExxKLuQs0/fbyOr092LYV98CeokqNzoKErY 2hSbTfZZid9eD9GMzdRyw3i8RIgsqZlh5bHv3fOm3zJfJuhmHGHyckY92uxVUulW t0MqBOlAI4kfzysD4GCLDbqp7/oyPeBHpEJOOLXHEWRbZTX1RhL2F+I7ueFS4aCj cnKIdwv9i6R3b0rMEoCBEwhIZUbcFKXtwSLebmwKStuECxLkzUiCJ1VNI9RCHubc 7RQKDt+PENJ/GdOgprLfGGhvyn6W78qogS/cQU9SW004upBZEYyLAy+szXm4LaEw qh89p63QPpyRwCE1L9Ae+Bxv0aMg11fnMEs1vcA/7xls9GyDKV8fQq/cwrn+O/2/ t9wEerwHtYzuF+9tSnuy1hwSyAdmivXC/TrISwQbtSkqDZG1eWoo -----END CERTIFICATE-----

kanavin
kanavin suggested changes Sep 26, 2024
View reviewed changes
@kanavinkanavin mentioned this pull request Sep 26, 2024
Merged
@kanavin
Copy link
Contributor

kanavin commented Sep 26, 2024

CC @kanavin

I cannot really test this since the script doesn't work for me at all (it produces an invalid OpenSSL command line before reaching the part I modified), but I ran the code I added/modified manually and it seems to work.

I confirmed via #107594 that this fixes the problem. But you do need the above mentioned change, and the NEWS.d entry.

@encukou
Copy link
Member

encukou commented Sep 26, 2024
edited
Loading

@gpshead Do you still have the context for this in your head? :)

@felixfontein
Copy link
ContributorAuthor

felixfontein commented Sep 26, 2024

Since the skip news label has been added, do I still have to add a NEWS.d entry?

@kanavin
Copy link
Contributor

kanavin commented Sep 26, 2024

Since the skip news label has been added, do I still have to add a NEWS.d entry?

I don't think so, the CI check for that now passes. But this does need to be backported to 3.13.

@encukou
Copy link
Member

encukou commented Sep 26, 2024

It's a a test-only change, so no NEWS entry is needed , and a backport can go in 3.13.1.

@encukouencukou added the needs backport to 3.13 bugs and security fixes label Sep 26, 2024
encukou
encukou reviewed Oct 4, 2024
View reviewed changes
Lib/test/certdata/make_ssl_certs.py Outdated
f.write(key)
f.write(cert)

cert=extract_cert(cert, 0)
Copy link
Member

@encukouencukouOct 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of text manipulation, could we ask openssl to extract it?
As far as I can see, the incantation is:

openssl x509 -outform pem -in keycert3.pem -out cert3.pem

Copy link
ContributorAuthor

@felixfonteinfelixfonteinOct 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great idea! Implemented in 021af09.

@encukouencukou merged commit 480354d into python:mainOct 4, 2024
@miss-islington-app
Copy link

miss-islington-appbot commented Oct 4, 2024

Thanks @felixfontein for the PR, and @encukou for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13.
🐍🍒⛏🤖

@miss-islington-app
Copy link

miss-islington-appbot commented Oct 4, 2024

Sorry, @felixfontein and @encukou, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 480354dc236af9ae9d47b2520aa85fb7293c7b68 3.13

@felixfonteinfelixfontein deleted the cert3 branch October 4, 2024 12:24
felixfontein added a commit to felixfontein/cpython that referenced this pull request Oct 4, 2024
@felixfontein
[3.13]pythongh-118658: Modify cert generation script to extract cert…
106f476
…3.pem (pythonGH-124598) (cherry picked from commit 480354d) Co-authored-by: Felix Fontein <felix@fontein.de>
@bedevere-app
Copy link

bedevere-appbot commented Oct 4, 2024

GH-124972 is a backport of this pull request to the 3.13 branch.

@bedevere-appbedevere-appbot removed the needs backport to 3.13 bugs and security fixes label Oct 4, 2024
encukou pushed a commit that referenced this pull request Oct 8, 2024
@felixfontein
[3.13]gh-118658: Modify cert generation script to extract cert3.pem (G…
4eab6e8
…H-124598) (GH-124972) (cherry picked from commit 480354d)
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@encukouencukouencukou approved these changes

+1 more reviewer

@kanavinkanavinkanavin requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

@encukouencukou

Labels

skip newstopic-SSL

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@felixfontein@kanavin@encukou