[Python-Dev] frozenset C API?

Bill Janssen janssen at parc.com
Thu Sep 6 20:15:16 CEST 2007

> When you say "the full DER form", are you simply referring to the full 
> blob, or a broken-down representation by key and by extension?

The full blob.

> This begs the question: M2Crypto and PyOpenSSL already do what you're 
> proposing to do, as far as I can tell, and are, as you say, "more 
> powerful".

I'm trying to give the application the ability to do some level of
authorization without requiring either of those packages.  Like being
able to tell who's on the other side of the connection :-).  Right
now, I think the right fields to expose are

  "subject" (I see little point to exposing "issuer"),

  "notAfter" (you're always guaranteed to be after "notBefore", or the
  cert wouldn't validate, so I see little point to exposing that, but
  "notAfter" can be used after the connection has been established),

  subjectAltName if present,

  and perhaps the certificate's serial number.

I don't see how the other fields in the cert can be profitably used.
Anything else you want, you can pull over the DER blob and look into

> PyOpenSSL, in particular, is both a popular de-facto 
> standard *and* almost completely unmaintained; python's standard library 
> could absorb/improve it with little fuss.

Good idea, go for it!  A full wrapper for OpenSSL is beyond the scope
of my ambition; I'm simply trying to add a simple fix to what's
already in the standard library.


More information about the Python-Dev mailing list