From: <msj...@gm...> - 2004-07-19 19:10:15
On Mon, 19 Jul 2004 19:13:47 +0200, Jos Vos <jo...@xo...> wrote:
> > What this tells you is that the only field of the X509Name that
> > actually has a value is the CN field, or "common name".
>
> This actually works, thanks, but "common_name" or any of the other
> listed members (in the docs section 3.1.2) does not work, also
> not if the related fields exist (tested with another certificate).
>
> So, is the documentation here indeed incorrect?

The documentation is, indeed, NOT correct. :-(
The correct list of short and full names is:

  C  - countryName
  L  - localityName
  ST - stateOrProvinceName
  O  - organizationName
  OU - organizationalUnitName
  CN - commonName
  emailAddress (no short name)

These are just looked up in openssl by using OBJ_txt2nid and I don't
really know if anything's changed in openssl or if this is just a general
fuckup by me, but these seven work with openssl 0.9.7.

> > There are, of course, properties of the certificate itself that you
> > could check, like whether it has expired and so forth.
>
> Could you point me to some code examples?

Well, there's cert.has_expired(), cert.gmtime_adj_not{Before,After} and
stuff, but I don't have any example snippets as such.

> Related to this: how do I load a revoke list (CRL) in the Python
> interface? I tried to load a CRL file with load_verify_locations(),
> which does not seem to produce an error, but also doesn't refuse the
> revoked certificates afterwards.

To be honest with you, I don't know, I haven't worked with CRLs (which means
it's a good bet it doesn't work at all in pyopenssl... patches welcome :)

/Martin
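
The attribute names and the expiry check discussed in this message, as an added example that is not part of the original post or of pyOpenSSL's own code. It assumes a current pyOpenSSL is installed; the certificate, its subject values and the helper names (build_cert, name_is_accepted, read_subject) are constructed for illustration.

```python
from OpenSSL import crypto

# Short name -> full name, as listed in the message (emailAddress has no short name).
SUBJECT_NAMES = [("C", "countryName"), ("L", "localityName"),
                 ("ST", "stateOrProvinceName"), ("O", "organizationName"),
                 ("OU", "organizationalUnitName"), ("CN", "commonName"),
                 (None, "emailAddress")]

def build_cert(not_after_offset):
    """Constructed, unsigned sample certificate; enough for name and date checks."""
    cert = crypto.X509()
    subject = cert.get_subject()      # wraps the certificate's own subject name
    subject.CN = "host.example.test"  # constructed value
    subject.O = "Example Org"         # constructed value
    cert.gmtime_adj_notBefore(-7200)  # valid from two hours ago
    cert.gmtime_adj_notAfter(not_after_offset)  # seconds relative to now
    return cert

def name_is_accepted(cert, attr):
    """True if X509Name resolves attr; unknown names raise AttributeError."""
    try:
        getattr(cert.get_subject(), attr)
        return True
    except AttributeError:
        return False

def read_subject(cert):
    """Map each full name to its value, or None when the field is absent."""
    subject = cert.get_subject()
    fields = {}
    for short, full in SUBJECT_NAMES:
        fields[full] = getattr(subject, full)
        if short is not None:
            # Short and full names resolve to the same entry.
            assert getattr(subject, short) == fields[full]
    return fields

if __name__ == "__main__":
    expired = build_cert(-3600)  # notAfter one hour in the past
    print(read_subject(expired))
    print("common_name accepted:", name_is_accepted(expired, "common_name"))
    print("expired:", expired.has_expired())
```

A field that is absent from the subject reads back as None, while a name that OpenSSL does not recognise (such as common_name) raises AttributeError.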