From: Mihai I. <mi...@re...> - 2004-08-08 12:19:09
On Sun, Aug 08, 2004 at 02:02:33PM +0200, Martin Sjögren wrote:
> On Fri, 6 Aug 2004 10:54:37 -0400, Mihai Ibanescu <mi...@re...> wrote:
> > On a slightly related note.
> > I cannot seem to be able to retrieve notBefore and notAfter from an X509 cert.
> > I suppose that would be a good thing to add, wouldn't it?
> > (I found how to set them, but not how to retrieve them).
>
> Well, ASN1_TIME in openssl is something of a mess. There's no good way
> to turn it into e.g. a time_t that could make sense in a python
> program. From what I understand of the code, you can basically do the
> following with an ASN1_TIME:
> * print it (ASN1_TIME_print / ASN1_UTCTIME_print)
> * set/adjust it (ASN1_TIME_set / X509_time_adj / X509_gmtime_adj / ...)
> * compare it (ASN1_UTCTIME_cmp_time_t)

That's what I figured when I tried to add them myself. From <openssl/asn1.h>:

    int ASN1_UTCTIME_check(ASN1_UTCTIME *a);
    ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s,time_t t);
    int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str);
    int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t);
    #if 0
    time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s);
    #endif

> The X509.has_expired method compares the notAfter value to "now".
>
> I'm not sure what makes sense to do here. I suppose we could add some
> sort of print_notBefore/print_notAfter methods to X509. Another idea
> would be to add a wrapper type for ASN1_TIME (crypto.ASN1Time?
> asn1.Time?) that could have a __str__ for the printing, and some
> comparison methods...
>
> I'm loath to do anything dramatic though, since I'm trying to get a
> new version out the door before Debian sarge is released. ;-)
>
> Ideas and suggestions are most welcome.

Well, I had a quick look at what m2crypto does, and found out there is a get_not_before and get_not_after. But they return strings, and I guess you are left to parse the strings yourself in python. I believe the returned times are always GMT so it may not be that complicated.
I guess an ASN1_TIME type would make sense. Have its __str__ method use openssl's ASN1_TIME_print, and have a to_epoch() method that would use python's time conversion functions. Probably a warning in the documentation that this method is not openssl-"pure".

Misa
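The pure-Python to_epoch() the message sketches, as an added example that is not code from this thread or from pyOpenSSL: it parses the raw ASN.1 UTCTime/GeneralizedTime string a certificate's notBefore/notAfter holds (assumed to be the GMT form OpenSSL stores, with the seconds RFC 5280 requires), applies the two-digit-year century rule, and gives an has_expired check like the one X509.has_expired makes. The function names and the sample strings are constructed for this example.

```python
# Added example, not code from the thread or from pyOpenSSL: a pure-Python
# to_epoch() for the time strings a certificate's notBefore/notAfter hold
# (UTCTime YYMMDDHHMMSSZ, GeneralizedTime YYYYMMDDHHMMSSZ), so a validity
# check need not go through the #if 0'd ASN1_UTCTIME_get. Samples are constructed.
import re
from datetime import datetime, timezone

# Seconds are required, as RFC 5280 mandates for certificate validity times;
# that is what lets 12 digits (UTCTime) be told apart from 14 (GeneralizedTime).
_ASN1_TIME = re.compile(
    r"^(?P<digits>\d{12}|\d{14})(?:\.\d+)?(?P<tz>Z|[+-]\d{4})?$"
)


def asn1_time_to_epoch(s):
    """Convert an ASN.1 UTCTime/GeneralizedTime string to a POSIX timestamp."""
    m = _ASN1_TIME.match(s)
    if not m:
        raise ValueError("not an ASN.1 time with seconds: %r" % s)
    digits = m.group("digits")
    if len(digits) == 12:
        # UTCTime carries a two-digit year; RFC 5280 4.1.2.5.1 fixes the
        # century: 50-99 mean 1950-1999, 00-49 mean 2000-2049.
        yy = int(digits[:2])
        year = yy + (1900 if yy >= 50 else 2000)
        fields = digits[2:]
    else:
        year = int(digits[:4])
        fields = digits[4:]
    month, day, hour, minute, second = (
        int(fields[i:i + 2]) for i in range(0, 10, 2)
    )
    # datetime validates the field ranges (month 13, Feb 30, ...) for us.
    dt = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    tz = m.group("tz")
    if tz and tz != "Z":
        # An explicit +hhmm/-hhmm offset means the digits are local time;
        # remove the offset to land on UTC. A missing suffix is read as GMT.
        sign = 1 if tz[0] == "+" else -1
        epoch -= sign * (int(tz[1:3]) * 3600 + int(tz[3:5]) * 60)
    return epoch


def has_expired(not_after, now):
    """The comparison X509.has_expired makes, with 'now' a POSIX timestamp."""
    return asn1_time_to_epoch(not_after) < now
```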