[Python-Dev] frozenset C API?

Bill Janssen janssen at parc.com
Thu Sep 6 05:52:08 CEST 2007


> > > I'm wondering if I should try to pull some extension attributes out of
> > > the cert, and add them to the dict, as well.  Like subjectAltName, for
> > > instance.  Or should we just wait till someone wants it and files a
> > > bug report?
> > 
> > If you have the time and inclination to do that, feel free to. Covering
> > some of the most widely used extensions could be useful: subjectAltName,
> > key usage, extended key usage. If you set up a framework for that,
> > people will contribute others they would like to see supported.
> 
> It's actually easier to do all or nothing.  I'm tempted to just report
> 'critical' extensions.

Simpler to provide them all, though I should note that the purpose of
the information provided here is mainly for authorization/accounting
purposes, not for "other" use of the certificate.  If that's desired,
they should pull the binary form of the certificate (there's an
interface for that), and use M2Crypto or PyOpenSSL to decode it in
general.  This certificate has already been validated; the issue is
how to get critical information to the app so it can make
authorization decisions (like subjectAltName when the subject field is
empty).  Reporting non-critical extensions like "extended key usage"
is nifty, but seems pointless.

Here's an example:

      {'extensions': {'Netscape Cert Type': u'SSL Server'},
       'issuer': ((('countryName', u'US'),),
                  (('stateOrProvinceName', u'Delaware'),),
                  (('localityName', u'Wilmington'),),
                  (('organizationName', u'Python Software Foundation'),),
                  (('organizationalUnitName', u'SSL'),),
                  (('commonName', u'somemachine.python.org'),)),
       'notAfter': 'Feb 16 16:54:50 2013 GMT',
       'notBefore': 'Aug 27 16:54:50 2007 GMT',
       'serialNumber': 'FFAA4ADBF570818D',
       'subject': ((('countryName', u'US'),),
                   (('stateOrProvinceName', u'Delaware'),),
                   (('localityName', u'Wilmington'),),
                   (('organizationName', u'Python Software Foundation'),),
                   (('organizationalUnitName', u'SSL'),),
                   (('commonName', u'somemachine.python.org'),)),
       'version': 3}

and

      {'extensions': {'1.3.6.1.5.5.7.1.12': u'',
                      'Authority Information Access': u'OCSP - URI:http://EVIntl-ocsp.verisign.com\n',
                      'X509v3 Authority Key Identifier': u'keyid:4E:43:C8:1D:76:EF:37:53:7A:4F:F2:58:6F:94:F3:38:E2:D5:BD:DF\n',
                      'X509v3 Basic Constraints': u'CA:FALSE',
                      'X509v3 CRL Distribution Points': u'URI:http://EVIntl-crl.verisign.com/EVIntl2006.crl\n',
                      'X509v3 Certificate Policies': u'Policy: 2.16.840.1.113733.1.7.23.6\n',
                      'X509v3 Extended Key Usage': u'TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto',
                      'X509v3 Key Usage': u'Digital Signature, Key Encipherment',
                      'X509v3 Subject Key Identifier': u'F1:5A:89:93:55:47:4B:BA:51:F5:4E:E0:CB:16:55:F4:D7:CC:38:67'},
       'issuer': ((('countryName', u'US'),),
                  (('organizationName', u'VeriSign, Inc.'),),
                  (('organizationalUnitName', u'VeriSign Trust Network'),),
                  (('organizationalUnitName',
                    u'Terms of use at https://www.verisign.com/rpa (c)06'),),
                  (('commonName',
                    u'VeriSign Class 3 Extended Validation SSL SGC CA'),)),
       'notAfter': 'May  8 23:59:59 2009 GMT',
       'notBefore': 'May  9 00:00:00 2007 GMT',
       'serialNumber': '6A4AC31B3110E6EB48F0FC51A39A171F',
       'subject': ((('serialNumber', u'2497886'),),
                   (('1.3.6.1.4.1.311.60.2.1.3', u'US'),),
                   (('1.3.6.1.4.1.311.60.2.1.2', u'Delaware'),),
                   (('countryName', u'US'),),
                   (('postalCode', u'94043'),),
                   (('stateOrProvinceName', u'California'),),
                   (('localityName', u'Mountain View'),),
                   (('streetAddress', u'487 East Middlefield Road'),),
                   (('organizationName', u'VeriSign, Inc.'),),
                   (('organizationalUnitName', u'Production Security Services'),),
                   (('organizationalUnitName',
                     u'Terms of use at www.verisign.com/rpa (c)06'),),
                   (('commonName', u'www.verisign.com'),)),
       'version': 3}

Probably another thing that *should* be reported is the cipher used to
protect the information on the channel, so that the app can decide
whether it's strong enough for its taste.  (If it's not, it can
presumably reconnect using a different variant of SSL to try for a
better result, or decide not to use the server (or talk to the client)
at all.)

Bill
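The authorization decision the post is talking about, worked through as an added example (this is not code from the post or from the ssl module): given the peer-certificate dict in the shape shown above, pull the identity the peer is asserting and compare it to the name the application expected, and separately judge the negotiated cipher. The subject/issuer layout (a tuple of RDNs, each a tuple of (attribute, value) pairs) is taken from the dumps above. The `subjectAltName` key with its `(('DNS', name), ...)` shape, the `(name, protocol, secret_bits)` cipher triple, the sample certificates and every function name are assumptions made for this example. One caveat the example encodes: when a certificate carries subjectAltName DNS entries, the commonName is ignored entirely rather than consulted as a second chance, and a wildcard is honoured only as the whole leftmost label.

```python
"""Authorization checks on a peer-certificate dict and the negotiated cipher.

Added example; the dict layout follows the dumps in the post, the
subjectAltName and cipher shapes are assumptions.
"""

# Constructed sample in the shape shown in the post: 'subject' and 'issuer'
# are tuples of RDNs, each RDN a tuple of (attribute, value) pairs.
CN_ONLY_CERT = {
    'subject': ((('countryName', 'US'),),
                (('organizationName', 'Python Software Foundation'),),
                (('commonName', 'somemachine.python.org'),)),
    'issuer': ((('countryName', 'US'),),
               (('organizationName', 'Python Software Foundation'),),
               (('commonName', 'somemachine.python.org'),)),
    'notAfter': 'Feb 16 16:54:50 2013 GMT',
    'notBefore': 'Aug 27 16:54:50 2007 GMT',
    'serialNumber': 'FFAA4ADBF570818D',
    'version': 3,
}

# Constructed cert with an empty subject, so its identity lives only in
# subjectAltName. The key name and the ((type, value), ...) shape are an
# assumption for this example, not something the post specifies.
SAN_ONLY_CERT = {
    'subject': (),
    'subjectAltName': (('DNS', 'www.example.org'),
                       ('DNS', '*.static.example.org'),
                       ('IP Address', '192.0.2.10')),
    'issuer': ((('commonName', 'Example Issuing CA'),),),
    'version': 3,
}

# Constructed cert whose commonName and subjectAltName disagree; SAN must win.
MIXED_CERT = {
    'subject': ((('commonName', 'www.example.org'),),),
    'subjectAltName': (('DNS', 'other.example.net'),),
    'version': 3,
}


def rdn_values(name, attribute):
    """All values of `attribute` in a subject/issuer tuple of RDNs."""
    return [value for rdn in name for (attr, value) in rdn if attr == attribute]


def presented_dns_names(cert):
    """Names the peer asserts. If subjectAltName has any DNS entries the
    commonName is ignored; only a cert without SAN DNS entries falls back
    to its commonName (the 'subject field is empty' case in the post is
    simply a cert where that fallback yields nothing)."""
    san = [value for (kind, value) in cert.get('subjectAltName', ())
           if kind == 'DNS']
    if san:
        return san
    return rdn_values(cert.get('subject', ()), 'commonName')


def name_matches(presented, hostname):
    """Case-insensitive match of one presented name against `hostname`.
    A wildcard is accepted only as the entire leftmost label and never
    spans a dot: '*.example.org' matches 'a.example.org' but not
    'example.org' or 'a.b.example.org'."""
    p = presented.lower().rstrip('.')
    h = hostname.lower().rstrip('.')
    if not p.startswith('*.'):
        return p == h
    suffix = p[1:]                      # '.example.org'
    if not h.endswith(suffix):
        return False
    leftmost = h[:-len(suffix)]
    return bool(leftmost) and '.' not in leftmost


def authorize_peer(cert, hostname):
    """True if the (already chain-validated) cert asserts `hostname`."""
    return any(name_matches(n, hostname) for n in presented_dns_names(cert))


def cipher_acceptable(cipher, min_secret_bits=128,
                      banned=('NULL', 'EXP', 'RC4', 'DES', 'MD5')):
    """`cipher` is a (name, protocol, secret_bits) triple (assumed shape).
    Reject small key sizes and any suite whose OpenSSL-style name contains
    a banned algorithm token, e.g. 'EXP-RC4-MD5' or 'DES-CBC3-SHA'."""
    name, protocol, bits = cipher
    if bits is None or bits < min_secret_bits:
        return False
    tokens = name.upper().split('-')
    return not any(b in tokens for b in banned)
```

`authorize_peer` assumes chain validation already happened, exactly as the post says; it only answers "is this the server I meant to talk to". Both checks return a plain boolean so the application can decide, as the post suggests, whether to reconnect with different settings or refuse the peer outright.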

