Description of problem: I have a CA cert and I'm trying to pick out its constraints and parsing it is failing in python-nss with: $ python ~rcrit/python_nss/doc/examples/cert_dump.py /etc/ipa/ca.crt Traceback (most recent call last): File "/home/rcrit/cert_dump.py", line 183, in <module> print_extension(2, extension) File "/home/rcrit/cert_dump.py", line 101, in print_extension bc = nss.BasicConstraints(extension.value) nss.error.NSPRError: [Errno -8183] (SEC_ERROR_BAD_DER) security library: improperly formatted DER-encoded message.: 'cannot decode Basic Constraints' Version-Release number of selected component (if applicable): python-nss-0.12-1.fc16.x86_64
Created attachment 565031 [details] The failing CA PEM file
The format specifier for PyArg_ParseTupleAndKeywords in BasicConstraints_init() was wrong, instead of "O|i" it should have been "O!", looks like it was a cut-n-paste bug. < if (!PyArg_ParseTupleAndKeywords(args, kwds, "O|i:BasicConstraints", kwlist, --- > if (!PyArg_ParseTupleAndKeywords(args, kwds, "O!:BasicConstraints", kwlist,
As a note to myself, I found a couple of other places with similar issues, they're fixed in upstream tip but if we do a patch we should include these as well: - if (!PyArg_ParseTupleAndKeywords(args, kwds, "O|i:GeneralName", kwlist, + if (!PyArg_ParseTupleAndKeywords(args, kwds, "O!:GeneralName", kwlist, -------------- - if (!PyArg_ParseTuple(args, "O!|i:x509_key_usage", - &SecItemType, &py_sec_item, &repr_kind)) + if (!PyArg_ParseTupleAndKeywords(args, kwds, "O!|i:x509_key_usage", kwlist, + &SecItemType, &py_sec_item, &repr_kind)) --------------- - {"x509_key_usage", (PyCFunction)cert_x509_key_usage, METH_VARARGS, cert_x509_key_usage_doc}, + {"x509_key_usage", (PyCFunction)cert_x509_key_usage, METH_VARARGS|METH_KEYWORDS, cert_x509_key_usage_doc},