[Cryptography-dev] How to retrieve the certificates
Kai Lu
kayne.lu at gmail.com
Wed Jul 1 16:54:12 CEST 2015
Hi Vladimir,
Sorry. I made a mistake. I forgot to print
"OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM,cert)".
Now, it is doing what I want. Many thanks for your help!!!
Cheers,
Kayne.
On Wed, Jul 1, 2015 at 4:45 PM, Kai Lu <kayne.lu at gmail.com> wrote:
> Hi Vladimir,
>
> I just tried below (the usage syntax might be wrong), and nothing is
> printed out.
>
> ++++++
>
> peercertchain = conn.get_peer_cert_chain()
>
>
> print "\n\npeer cert chain:\n"
>
> for cert in peercertchain:
>
> OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM,cert)
>
> +++++++
>
>
> Cheers,
>
> Kayne.
>
> On Wed, Jul 1, 2015 at 4:34 PM, Kai Lu <kayne.lu at gmail.com> wrote:
>
>> Hi Vladimir,
>>
>> The following outputs are what I want:
>>
>> openssl s_client -showcerts -connect www.google.com:443 2>/dev/null
>>
>> CONNECTED(00000003)
>>
>> ---
>>
>> Certificate chain
>>
>> 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
>>
>> i:/C=US/O=Google Inc/CN=Google Internet Authority G2
>>
>> *-----BEGIN CERTIFICATE-----*
>>
>> *MIIEdjCCA16gAwIBAgIIGauXbnwTccIwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE*
>>
>> *BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl*
>>
>> *cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwNjE4MDg1MjU2WhcNMTUwOTE2MDAwMDAw*
>>
>> *WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN*
>>
>> *TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3*
>>
>> *Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKqVwD*
>>
>> *tAdntIdi6/bTxyzrCWEHaqqr+DAs07w5OnAlLUTplLSsEoRQJApVVhXjDbgssVs8*
>>
>> *xvaM8Y+7/MPsnyHuxMmk/C+LAuvOpcW4yVtOM+50kVz3Htb3fN7Q0RHqbMUNjAuM*
>>
>> *tC+Kwbs+HqEsHTAxwWvcypvrSC2pGfz/gTy4723wi5EC+ekHKCft5ph8NOfvnOo7*
>>
>> *E88xquN9lpU/710fhsUs7b8gSzlqIKpkNvIQR81ZnNCJ68ERw6XVrBcp9/8BnaXR*
>>
>> *Gk7BW6jTTLGLp2CsEsLPxlJGiAKPNBprMa3ub219HSLchH7inf7y2Q2gSkjWPjMu*
>>
>> *tkrU3qFY1Zybw7irAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEFBQcDAQYI*
>>
>> *KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE*
>>
>> *XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0*
>>
>> *MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G*
>>
>> *A1UdDgQWBBQU2aHhkUAk8wPx0PpJZxFS5CBoVDAMBgNVHRMBAf8EAjAAMB8GA1Ud*
>>
>> *IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYKKwYBBAHW*
>>
>> *eQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB*
>>
>> *RzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQBxXQdynpvBsOe3YVbZTSXfpJz9vBDB*
>>
>> *LCE4wuKBZof2yZUU6JlAuJdYaJ1c1ulaVkRRXG+aWET9FepkPEBVIcKEFCaR24Uv*
>>
>> *RWvcgMT02eAAyrs9D8010C670yA0q/rs6V0EMPzo6u7mKuj1jviRC7r5MgLmBDxW*
>>
>> *rF6alaM7CdiLCopi84uR44cshfOtMz94jcZO3FLNuRZmq8alVuWyS3F2utiy+Ge3*
>>
>> *GtcrbeFzD9uPLwgH0VkqW4pQjAFwqLkvmB/See/5j1gZPGpZpYW1KM0xnP8b4mo2*
>>
>> *Misqw5uB5TqigipttTMAiA4IdJnOkV1EUmfzrEjRkkSVb0c7OZURHd45*
>>
>> -----END CERTIFICATE-----
>>
>> 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
>>
>> i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>>
>> *-----BEGIN CERTIFICATE-----*
>>
>> *MIID8DCCAtigAwIBAgIDAjp2MA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT*
>>
>> *MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i*
>>
>> *YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG*
>>
>> *EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy*
>>
>> *bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB*
>>
>> *AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP*
>>
>> *VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv*
>>
>> *h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE*
>>
>> *ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ*
>>
>> *EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC*
>>
>> *DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7*
>>
>> *qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD*
>>
>> *VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig*
>>
>> *JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF*
>>
>> *BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMBcGA1UdIAQQ*
>>
>> *MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQUFAAOCAQEAJ4zP6cc7vsBv6JaE*
>>
>> *+5xcXZDkd9uLMmCbZdiFJrW6nx7eZE4fxsggWwmfq6ngCTRFomUlNz1/Wm8gzPn6*
>>
>> *8R2PEAwCOsTJAXaWvpv5Fdg50cUDR3a4iowx1mDV5I/b+jzG1Zgo+ByPF5E0y8tS*
>>
>> *etH7OiDk4Yax2BgPvtaHZI3FCiVCUe+yOLjgHdDh/Ob0r0a678C/xbQF9ZR1DP6i*
>>
>> *vgK66oZb+TWzZvXFjYWhGiN3GhkXVBNgnwvhtJwoKvmuAjRtJZOcgqgXe/GFsNMP*
>>
>> *WOH7sf6coaPo/ck/9Ndx3L2MpBngISMjVROPpBYCCX65r+7bU2S9cS+5Oc4wt7S8*
>>
>> *VOBHBw==*
>>
>> *-----END CERTIFICATE-----*
>>
>> 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>>
>> i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>>
>> *-----BEGIN CERTIFICATE-----*
>>
>> *MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT*
>>
>> *MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0*
>>
>> *aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw*
>>
>> *WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE*
>>
>> *AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB*
>>
>> *CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m*
>>
>> *OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu*
>>
>> *T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c*
>>
>> *JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR*
>>
>> *Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz*
>>
>> *PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm*
>>
>> *aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM*
>>
>> *TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g*
>>
>> *LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO*
>>
>> *BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv*
>>
>> *dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB*
>>
>> *AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL*
>>
>> *NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W*
>>
>> *b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S*
>>
>> *-----END CERTIFICATE-----*
>>
>> ---
>>
>> Server certificate
>>
>> subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=
>> www.google.com
>>
>> issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
>>
>> ---
>>
>> No client certificate CA names sent
>>
>> Server Temp Key: ECDH, prime256v1, 256 bits
>>
>> ---
>>
>> SSL handshake has read 3719 bytes and written 375 bytes
>>
>> ---
>>
>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
>>
>> Server public key is 2048 bit
>>
>> Secure Renegotiation IS supported
>>
>> Compression: NONE
>>
>> Expansion: NONE
>>
>> SSL-Session:
>>
>> Protocol : TLSv1.2
>>
>> Cipher : ECDHE-RSA-AES128-GCM-SHA256
>>
>> Session-ID:
>> CE335417E6C47BEA5F638FD712963403AA915EA2B07A630EFD0ACA6C30FB92E7
>>
>> Session-ID-ctx:
>>
>> Master-Key:
>> 228675E99ACA98666180FBDF8DDFB051301DE91FBFBEC7FE2F5684CF702971E55C1C66F0463D4B547788689F28278281
>>
>> Key-Arg : None
>>
>> Krb5 Principal: None
>>
>> PSK identity: None
>>
>> PSK identity hint: None
>>
>> TLS session ticket lifetime hint: 100800 (seconds)
>>
>> TLS session ticket:
>>
>> 0000 - 46 28 de 0a c1 94 a1 91-bb d9 ee 40 f8 7e 6e f3
>> F(......... at .~n.
>>
>> 0010 - fc 26 3e 26 bd 35 1c bd-d7 8c ee 88 9f 37 52 b8
>> .&>&.5.......7R.
>>
>> 0020 - 14 b4 ba 92 87 15 01 ed-aa bf 54 4d fb df f9 7b
>> ..........TM...{
>>
>> 0030 - 5c 62 a9 a2 45 f1 09 15-83 b3 34 7e e8 87 d9 58
>> \b..E.....4~...X
>>
>> 0040 - 36 fe e8 29 4a c7 7d ec-38 d5 66 d2 c7 89 21 05
>> 6..)J.}.8.f...!.
>>
>> 0050 - 7b 65 d5 e4 69 36 bb ea-9a 32 36 54 31 e5 61 f9
>> {e..i6...26T1.a.
>>
>> 0060 - 19 7c 75 8d 63 25 53 c5-cb 4b ca 24 cd 96 a8 cd
>> .|u.c%S..K.$....
>>
>> 0070 - 59 d3 63 a0 1e fa a4 32-16 ed ae aa e5 23 39 35
>> Y.c....2.....#95
>>
>> 0080 - 60 f8 c5 56 8f 09 1d 61-7c ed 30 fa b4 a9 8c 4f
>> `..V...a|.0....O
>>
>> 0090 - 40 c2 c4 8b 2a 2b 38 34-d9 df 85 72 67 42 e4 71
>> @...*+84...rgB.q
>>
>> 00a0 - 76 3b b4 1e v;..
>>
>>
>> Start Time: 1435761117
>>
>> Timeout : 300 (sec)
>>
>> Verify return code: 0 (ok)
>>
>> Cheers,
>> Kayne.
>>
>> On Wed, Jul 1, 2015 at 4:29 PM, Kai Lu <kayne.lu at gmail.com> wrote:
>>
>>> Hi Vladimir,
>>>
>>> Thanks for your reply!
>>>
>>> What I need is .PEM format. Could you please provide an example
>>> about how to use OpenSSL.crypto.dump_certificate(*type*, *cert*)?
>>>
>>> Cheers,
>>> Kayne.
>>>
>>>
>>>
>>> On Wed, Jul 1, 2015 at 4:12 PM, Vladimir Didenko <
>>> vladimir.didenko at gmail.com> wrote:
>>>
>>>> 2015-07-01 17:03 GMT+03:00 Kai Lu:
>>>>
>>>>> Hi,
>>>>>
>>>>> Could anyone please tell me how to get each certificate (like
>>>>> "begin ... end") in the cert chain by using "peercertchain =
>>>>> conn.get_peer_cert_chain()"? I use PyOpenssl package. The command line
>>>>> like openssl s_client -showcerts -connect XXXX:443 2>/dev/null can print
>>>>> out what I need, but I want to use PyOpenssl package or other packages to
>>>>> implement it in the Python programs other than calling command line from
>>>>> Python code.
>>>>>
>>>>
>>>> I don't understand what is a problem. conn.get_peer_cert_chain
>>>> returns usual Python list of X509 objects. Each object is certificate. If
>>>> you need PEM format you can use crypto.dump_certificate function.
>>>>
>>>>
>>>> --
>>>> Regards,
>>>> Vladimir.
>>>>
>>>> _______________________________________________
>>>> Cryptography-dev mailing list
>>>> Cryptography-dev at python.org
>>>> https://mail.python.org/mailman/listinfo/cryptography-dev
>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/cryptography-dev/attachments/20150701/0bcabf48/attachment-0001.html>
More information about the Cryptography-dev
mailing list