
Replacement for CRL name hash computation

Open number492 opened this issue 10 months ago • 3 comments

I am trying to compute the name hash for CRLs (X509Name.hash() in pyopenssl), and it seems there is no equivalent operation in the cryptography package. The closest I can find is Name.public_bytes(), but that only gives me X509Name.der(). I tried reproducing the steps in hash()'s documentation, but I'm getting a different hash than openssl. Not to mention the process is internal and may be subject to change.

What is the suggested replacement for pyopenssl's X509Name.hash()?

number492 Jan 18 '25 22:01

What's your goal with the hash function? Are you looking for something that will return the exact same value, or are you looking for something that will fill the same role (i.e., a deterministic short integer representation)?

View it on GitHub: https://github.com/pyca/pyopenssl/issues/1412

-- All that is necessary for evil to succeed is for good people to do nothing.

alex Jan 18 '25 23:01

I am trying to get the exact same value, to build the symlinks, specifically for openssl to consume later. Without falling back to running openssl via subprocess, preferably.

number492 Jan 19 '25 07:01

Unfortunately, OpenSSL no longer documents the precise algorithm for computing these. https://github.com/openssl/openssl/blob/master/crypto/x509/x509_cmp.c#L289 is the implementation.


alex Jan 19 '25 13:01
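Added example (not from the thread, and not pyOpenSSL, cryptography or OpenSSL code): a standard-library Python version of the name hash, taking the DER bytes that `Name.public_bytes()` returns. The algorithm (SHA-1 over OpenSSL's canonical name encoding, first four digest bytes little-endian) is this example's reading of the implementation linked above and is an assumption, as are the names `openssl_name_hash`, `canon_value`, `read_tlvs`, `tlv` and the constructed sample; compare its output with `openssl crl -hash -noout` before relying on it.

```python
import hashlib

# DER string tags OpenSSL canonicalises, with the codec used to decode each.
CODECS = {0x0C: "utf-8", 0x13: "latin-1", 0x14: "latin-1", 0x16: "latin-1",
          0x1A: "latin-1", 0x1C: "utf-32-be", 0x1E: "utf-16-be"}

def tlv(tag, body):  # encode one definite-length DER TLV
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def read_tlvs(buf):
    """Split buf into [(tag, body), ...]; single-byte tags only."""
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        if i + n > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def canon_value(tag, body):
    """UTF8String, trimmed, runs of whitespace collapsed, ASCII lower-cased."""
    if tag not in CODECS:
        return tlv(tag, body)  # non-string types pass through unchanged
    raw = body.decode(CODECS[tag]).encode("utf-8")
    return tlv(0x0C, b" ".join(raw.split()).lower())

def openssl_name_hash(name_der):
    """SHA-1 over the canonical RDNs (no outer SEQUENCE); first 4 bytes LE, as hex."""
    [(_, rdns)] = read_tlvs(name_der)  # outer SEQUENCE OF RDN
    canon = b""
    for _, rdn in read_tlvs(rdns):
        atvs = []
        for _, atv in read_tlvs(rdn):
            (_, oid), (vtag, val) = read_tlvs(atv)
            atvs.append(tlv(0x30, tlv(0x06, oid) + canon_value(vtag, val)))
        canon += tlv(0x31, b"".join(sorted(atvs)))  # SET OF, DER-sorted
    return "%08x" % int.from_bytes(hashlib.sha1(canon).digest()[:4], "little")

# Constructed sample: C, O, CN as PrintableString, one attribute per RDN.
ATTRS = ((b"\x55\x04\x06", "US"), (b"\x55\x04\x0a", "Internet Security Research Group"),
         (b"\x55\x04\x03", "ISRG Root X1"))
SAMPLE = tlv(0x30, b"".join(
    tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13, v.encode()))) for oid, v in ATTRS))
```

For a CRL, pass the issuer name's DER; under OpenSSL's rehash naming convention the symlink is then the returned hash followed by `.r0` (or the next free digit on a collision).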