Obtaining SSL certificate info from SSL object - proposal

John Nagle nagle at animats.com
Wed Dec 13 18:00:36 EST 2006


John Nagle wrote:
> Michael Ströder wrote:
> 
>> John Nagle wrote:
>>
>>>    The Python SSL object offers two methods for obtaining
>>> the info from an SSL certificate, "server()" and "issuer()".
>>> The actual values in the certificate are a series of name/value
>>> pairs in ASN.1 binary format.  But what "server()" and "issuer()"
>>> return are strings, with the pairs separated by "/".  The
>>> documentation at "http://docs.python.org/lib/ssl-objects.html"
>>> says "Returns a string containing the ASN.1 distinguished name
>>> identifying the server's certificate. (See below for an example showing
>>> what distinguished names look like.)"  There is, however, no "below".

    Since I really need this, I'm looking at modifying the Python SSL
interface to SSL objects by adding a function "certificate()" which
returns an X.509 certificate in the following format:

	SSL certificates are trees, represented in a format, "ASN.1", which
	allows storing numbers, strings, and flags.
	Fields are identified by names or by assigned "OID numbers"
	(see RFC 2459).

	The tree is returned as tuples.  The first element of the tuple
	is always a string giving the name of the field, and the second
	element is a string, Boolean, or number giving the value, or
	a list of more tuples.  The result is a tree, which will
	resemble the tree typically displayed by browsers displaying
	SSL certificates.

	The top tuple's field name is the domain for which the certificate
	applies.

	Note that it is straightforward to implement "issuer" and "subject"
	using "certificate", which provides a way out of the current problems
	with those fields.

	Example:

(   'www.google.com',
    (   'Certificate',
        [   ('Version', 3),
            (   'Serial Number',
                '4B:A5:AE:59:DE:DD:1C:C7:80:7C:89:22:91:F0:E2:43'),
            (   'Certificate Signature Algorithm',
                'PKCS #1 MD5 With RSA Encryption'),
            (   'Issuer',
                [   ('CN', 'Thawte SGC CA'),
                    ('O', 'Thawte Consulting (Pty) Ltd.'),
                    ('C', 'ZA')]),
            (   'Validity',
                [   ('Not Before', '5/15/2006 23:18:11 PM GMT'),
                    ('Not After', '5/15/2007 23:18:11 PM GMT')]),
            (   'Subject',
                [   ('CN', 'www.google.com'),
                    ('O', 'Google Inc'),
                    ('L', 'Mountain View'),
                    ('ST', 'California'),
                    ('C', 'US')]),
            (   'Subject Public Key Info',
                [   (   'Subjects Public Key Algorithm',
                        'PKCS #1 RSA Encryption'),
                    (   'Subjects Public Key',
                        '30 81 89 02 81 81 00 e6 c5 c6 8d cd 0b a3 03 04 '
                        'dc ae cc c9 46 be bd cc 9d bc 73 34 48 fe d3 75 '
                        '64 d0 c9 c9 76 27 72 0f a9 96 1a 3b 81 f3 14 f6 '
                        'ae 90 56 e7 19 d2 73 68 a7 85 a4 ae ca 24 14 30 '
                        '00 ba e8 36 5d 81 73 3a 71 05 8f b1 af 11 87 da '
                        '5c f1 3e bf 53 51 84 6f 44 0e b7 e8 26 d7 2f b2 '
                        '6f f2 f2 5d df a7 cf 8c a5 e9 1e 6f 30 48 94 21 '
                        '0b 01 ad ba 0e 71 01 0d 10 ef bf ee 2c d3 8d fe '
                        '54 a8 fe d3 97 8f cb 02 03 01 00 01')]),
            (   'Certificate Signature Algorithm',
                'PKCS #1 MD5 With RSA Encryption'),
            (   'Certificate Signature Value',
                '57 4b bc a4 43 e7 e0 01 92 a0 96 35 f9 18 08 88 '
                '1d 7b 70 19 8f f9 36 b2 05 3a 05 ca 14 59 4d 24 '
                '0e e5 8a af 4e 87 5a f7 1c 2a 96 8f cb 61 40 9e '
                'd2 b4 38 40 21 24 c1 4f 1f cb 13 4a 8f 95 02 df '
                '91 3d d6 40 eb 11 6f 9b 10 a1 6f ce 91 5e 30 f6 '
                '6d 13 5e 15 a4 2e c2 18 9e 00 c3 d8 32 67 47 fc '
                'b8 1e 9a d9 9a 8e cc ff 7c 12 b7 03 bf 52 20 cf '
                '21 f4 f3 77 dd 12 15 f0 94 fa 90 d5 e3 59 68 81')]
    ))

     Comments?

				John Nagle
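As an added example (not code from John Nagle's post or from Python's SSL module), here is one way the proposed tuple tree could be walked, with issuer() and subject() rebuilt on top of it as the post says is straightforward. CERT is a constructed subset of the example tree above; the names children, lookup, dn_string and subject_cn_matches are invented here.

```python
# Constructed subset of the tree sketched in the post, not a real certificate.
CERT = (
    'www.google.com',
    ('Certificate', [
        ('Version', 3),
        ('Issuer', [('CN', 'Thawte SGC CA'),
                    ('O', 'Thawte Consulting (Pty) Ltd.'), ('C', 'ZA')]),
        ('Subject', [('CN', 'www.google.com'), ('O', 'Google Inc'),
                     ('L', 'Mountain View'), ('ST', 'California'), ('C', 'US')]),
    ]),
)

def children(node):
    # A node is (name, value); value is a leaf scalar, one child tuple
    # (the root, whose name is the domain), or a list of child tuples.
    value = node[1]
    if isinstance(value, list):
        return value
    if isinstance(value, tuple):
        return [value]
    return []

def lookup(node, *path):
    # Follow field names down the tree; None if any step is missing.
    for name in path:
        for child in children(node):
            if child[0] == name:
                node = child
                break
        else:
            return None
    return node[1]

def dn_string(fields):
    # The '/'-separated form the current server()/issuer() methods return.
    return ''.join('/%s=%s' % (attr, val) for attr, val in fields)

def subject(cert):
    # subject() rebuilt on top of the tree, as the post says it can be.
    return dn_string(lookup(cert, 'Certificate', 'Subject') or [])

def issuer(cert):
    return dn_string(lookup(cert, 'Certificate', 'Issuer') or [])

def subject_cn_matches(cert, host):
    # Does the Subject CN name the host we connected to?  Exact,
    # case-insensitive comparison only; wildcards are not handled.
    cn = lookup(cert, 'Certificate', 'Subject', 'CN')
    return cn is not None and cn.lower() == host.lower()
```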
