After a great deal of discussion, under the Subject line of "frozenset
C API?" (you may have missed it :-), I'm coming to the conclusion that
in revealing the fields of an SSL certificate, less is more.

From one of the messages in that thread:

  I'm trying to give the application the ability to do some level of
  authorization without requiring either of those packages.  Like being
  able to tell who's on the other side of the connection :-).  Right
  now, I think the right fields to expose are

    "subject" (I see little point to exposing "issuer"),

    "notAfter" (you're always guaranteed to be after "notBefore", or the
    cert wouldn't validate, so I see little point to exposing that, but
    "notAfter" can be used after the connection has been established),

    subjectAltName if present,

    and perhaps the certificate's serial number.

Remember that the cert has already been validated, so I don't see how
the other fields in the cert can be profitably used for authorization
and/or accounting, which is the purpose of this interface.  Anything
else you want, you can pull over the DER blob and look into it with
some other crypto package; I'll provide a way to pull the full binary
form of the certificate into Python as a bytes string (as soon as the
bytes API gets backported into the trunk).

Under those rules, the samples in the current documentation would look
like

{'notAfter': 'May  8 23:59:59 2009 GMT',
 'serialNumber': '6A4AC31B3110E6EB48F0FC51A39A171F',
 'subject': ((('serialNumber', u'2497886'),),
             (('1.3.6.1.4.1.311.60.2.1.3', u'US'),),
             (('1.3.6.1.4.1.311.60.2.1.2', u'Delaware'),),
             (('countryName', u'US'),),
             (('postalCode', u'94043'),),
             (('stateOrProvinceName', u'California'),),
             (('localityName', u'Mountain View'),),
             (('streetAddress', u'487 East Middlefield Road'),),
             (('organizationName', u'VeriSign, Inc.'),),
             (('organizationalUnitName', u'Production Security Services'),),
             (('organizationalUnitName',
               u'Terms of use at www.verisign.com/rpa (c)06'),),
             (('commonName', u'www.verisign.com'),))}

and

{'notAfter': 'Feb 16 16:54:50 2013 GMT',
 'serialNumber': 'FFAA4ADBF570818D',
 'subject': ((('countryName', u'US'),),
             (('stateOrProvinceName', u'Delaware'),),
             (('localityName', u'Wilmington'),),
             (('organizationName', u'Python Software Foundation'),),
             (('organizationalUnitName', u'SSL'),),
             (('commonName', u'somemachine.python.org'),))}

The server cert at https://www.dcl.hpi.uni-potsdam.de/ would look like

{'notAfter': 'Mar 17 13:02:27 2008 GMT',
 'serialNumber': '2567F168000300000678',
 'subject': ((('countryName', u'DE'),),
             (('stateOrProvinceName', u'Brandenburg'),),
             (('localityName', u'Potsdam'),),
             (('organizationName', u'Hasso-Plattner-Institut'),),
             (('organizationalUnitName', u'Operating Systems & Middleware'),),
             (('commonName', u'www.dcl.hpi.uni-potsdam.de'),)),
 'subjectAltName': ('DNS:www.dcl.hpi.uni-potsdam.de',
                    'DNS:www',
                    'DNS:dfw',
                    'DNS:dfw.dcl.hpi.uni-potsdam.de',
                    'IP Address:141.89.224.164')}

Thanks to Martin for suggesting it.

Bill
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
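As an added example (not code from the original message, nor from CPython's ssl module), here is the kind of application-level authorization the fields above are meant to support: match the peer against the name we intended to reach, re-check notAfter on a long-lived connection, and gate on the subject's organizationName. The sample dict copies the www.dcl.hpi.uni-potsdam.de entry from the message and uses the shapes described there ('subject' as a tuple of RDNs of (attribute, value) pairs, 'notAfter' as an OpenSSL-style date string, 'subjectAltName' as 'Type:value' strings); the helper also accepts the (type, value) pairs that later versions of getpeercert() return for subjectAltName, which goes beyond what this message shows. The wildcard rule is a simplified stand-in for full RFC 6125 matching and is an assumption of this example.

```python
"""Authorization on an already-validated peer-certificate dict (added example)."""
import ipaddress
import ssl

# Constructed sample: the www.dcl.hpi.uni-potsdam.de dict from the message above.
SAMPLE_CERT = {
    'notAfter': 'Mar 17 13:02:27 2008 GMT',
    'serialNumber': '2567F168000300000678',
    'subject': ((('countryName', 'DE'),),
                (('stateOrProvinceName', 'Brandenburg'),),
                (('localityName', 'Potsdam'),),
                (('organizationName', 'Hasso-Plattner-Institut'),),
                (('organizationalUnitName', 'Operating Systems & Middleware'),),
                (('commonName', 'www.dcl.hpi.uni-potsdam.de'),)),
    'subjectAltName': ('DNS:www.dcl.hpi.uni-potsdam.de', 'DNS:www', 'DNS:dfw',
                       'DNS:dfw.dcl.hpi.uni-potsdam.de', 'IP Address:141.89.224.164'),
}


def subject_values(cert, attribute):
    """All values of one subject attribute, in RDN order (an attribute such as
    organizationalUnitName may legitimately occur more than once)."""
    return [value for rdn in cert.get('subject', ())
            for (name, value) in rdn if name == attribute]


def alt_names(cert, kind):
    """subjectAltName values of one type ('DNS', 'IP Address', ...).  Accepts
    the 'Type:value' strings shown in this message and the (type, value)
    pairs that later getpeercert() versions return (assumption noted in lead-in)."""
    out = []
    for entry in cert.get('subjectAltName', ()):
        if isinstance(entry, tuple):
            typ, value = entry
        else:
            typ, _, value = entry.partition(':')   # IPv6 keeps its later colons
        if typ == kind:
            out.append(value)
    return out


def _dns_match(pattern, hostname):
    """Case-insensitive match.  A '*' is honoured only as the entire leftmost
    label, against exactly one label, and never for a two-label pattern such
    as '*.com' (simplified RFC 6125 rule; an assumption of this example)."""
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if pattern == hostname:
        return True
    p, h = pattern.split('.'), hostname.split('.')
    if p[0] != '*' or len(p) != len(h) or len(p) < 3:
        return False
    return p[1:] == h[1:]


def peer_matches(cert, expected):
    """Does the cert name the host we meant to reach?  DNS SANs (or IP SANs
    when we connected by address) are authoritative; commonName is consulted
    only when the cert carries no DNS SAN at all."""
    try:
        ip = ipaddress.ip_address(expected)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in alt_names(cert, 'IP Address'))
    dns = alt_names(cert, 'DNS')
    if dns:
        return any(_dns_match(p, expected) for p in dns)
    return any(_dns_match(cn, expected) for cn in subject_values(cert, 'commonName'))


def seconds_until_expiry(cert, now):
    """Seconds from `now` (epoch seconds, UTC) until notAfter; negative once
    expired.  The handshake proved validity at connect time only, so a
    long-lived connection re-checks this later."""
    return ssl.cert_time_to_seconds(cert['notAfter']) - now


def authorize(cert, expected_host, now, allowed_orgs):
    """Application decision on a validated peer cert: right host, not yet
    expired, issued to an organization we trust.  Returns (ok, reason)."""
    if not peer_matches(cert, expected_host):
        return (False, 'hostname mismatch')
    if seconds_until_expiry(cert, now) <= 0:
        return (False, 'certificate expired')
    orgs = subject_values(cert, 'organizationName')
    if not any(o in allowed_orgs for o in orgs):
        return (False, 'organization not allowed: %r' % orgs)
    return (True, 'ok')


if __name__ == '__main__':
    # Pretend "now" is one hour before the sample cert's notAfter.
    now = ssl.cert_time_to_seconds(SAMPLE_CERT['notAfter']) - 3600
    for host in ('dfw.dcl.hpi.uni-potsdam.de', '141.89.224.164', 'evil.example'):
        print(host, authorize(SAMPLE_CERT, host, now, {'Hasso-Plattner-Institut'}))
```

Note that commonName is only a fallback: a cert that lists DNS names in subjectAltName but has an unrelated commonName must still be matched on the SANs, which is why the lookup order above matters. notAfter is carried as a string exactly as getpeercert() hands it over, and ssl.cert_time_to_seconds() turns it into epoch seconds for the comparison.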