From: Jos V. <jo...@xo...> - 2004-07-14 12:34:19

Hi,

I have started to experiment with client certificates and I want
to check some information of these certificates, but I can't get
that part working.

What I do:

    ctx.set_verify(SSL.VERIFY_PEER|SSL.VERIFY_FAIL_IF_NO_PEER_CERT, cb)

And in the cb function I do:

    def cb(conn, cert, errnum, depth, ok):
        subject = cert.get_subject()
        print subject

This actually works and gives me:

    <X509Name object '/CN=Simple Client'>

(I'm using some sample certificates of Red Hat Linux 9's Apache).

But now I want to retrieve some information from that certificate...
In the manual section about X509Name objects it says "X509Name objects
have the following members", but I don't succeed in getting any of
that information.

I'm obviously making one or more stupid mistakes, using this interface
for the first time (using some third-party sample programs), but I
don't know which mistakes...

Any help is appreciated.

Cheers,

-- 
-- Jos Vos <jo...@xo...>
-- X/OS Experts in Open Systems BV | Phone: +31 20 6938364
-- Amsterdam, The Netherlands | Fax: +31 20 6948204
From: <msj...@gm...> - 2004-07-14 14:40:56

On Wed, 14 Jul 2004 14:34:10 +0200, Jos Vos <jo...@xo...> wrote:
> Hi,
>
> I have started to experiment with client certificates and I want
> to check some information of these certificates, but I can't get
> that part working.
>
> What I do:
>
> ctx.set_verify(SSL.VERIFY_PEER|SSL.VERIFY_FAIL_IF_NO_PEER_CERT, cb)
>
> And in the cb function I do:
>
> def cb(conn, cert, errnum, depth, ok):
>     subject = cert.get_subject()
>     print subject
>
> This actually works and gives me:
>
> <X509Name object '/CN=Simple Client'>
>
> (I'm using some sample certificates of Red Hat Linux 9's Apache).

What this tells you is that the only field of the X509Name that
actually has a value is the CN field, or "common name".

> But now I want to retrieve some information from that certificate...
> In the manual section about X509Name objects it says "X509Name objects
> have the following members", but I don't succeed in getting any of
> that information.

Well, subject.CN should work. Nothing else should, since they don't
actually have any values.

There are, of course, properties of the certificate itself that you
could check, like whether it has expired and so forth.

Hope that helps.

/Martin
From: Jos V. <jo...@xo...> - 2004-07-19 17:20:04

Hi,

On Wed, Jul 14, 2004 at 04:40:44PM +0200, Martin Sjögren wrote:
> What this tells you is that the only field of the X509Name that
> actually has a value is the CN field, or "common name".

This actually works, thanks, but "common_name" or any of the other
listed members (in the docs section 3.1.2) does not work, also
not if the related fields exist (tested with another certificate).

So, is the documentation here indeed incorrect?

> There are, of course, properties of the certificate itself that you
> could check, like whether it has expired and so forth.

Could you point me to some code examples?

Related to this: how do I load a revoke list (CRL) in the Python
interface? I tried to load a CRL file with load_verify_locations(),
which does not seem to produce an error, but also doesn't refuse the
revoked certificates afterwards.

> Hope that helps.

Certainly, thanks so far.

-- 
-- Jos Vos <jo...@xo...>
-- X/OS Experts in Open Systems BV | Phone: +31 20 6938364
-- Amsterdam, The Netherlands | Fax: +31 20 6948204
From: <msj...@gm...> - 2004-07-19 19:10:15

On Mon, 19 Jul 2004 19:13:47 +0200, Jos Vos <jo...@xo...> wrote:
> > What this tells you is that the only field of the X509Name that
> > actually has a value is the CN field, or "common name".
>
> This actually works, thanks, but "common_name" or any of the other
> listed members (in the docs section 3.1.2) does not work, also
> not if the related fields exist (tested with another certificate).
>
> So, is the documentation here indeed incorrect?

The documentation is, indeed, NOT correct. :-(

The correct list of short and full names is:

C - countryName
L - localityName
ST - stateOrProvinceName
O - organizationName
OU - organizationalUnitName
CN - commonName
emailAddress (no short name)

These are just looked up in openssl by using OBJ_txt2nid and I don't
really know if anything's changed in openssl or if this is just a
general fuckup by me, but these seven work with openssl 0.9.7.

> > There are, of course, properties of the certificate itself that you
> > could check, like whether it has expired and so forth.
>
> Could you point me to some code examples?

Well, there's cert.has_expired(), cert.gmtime_adj_not{Before,After}
and stuff, but I don't have any example snippets as such.

> Related to this: how do I load a revoke list (CRL) in the Python
> interface? I tried to load a CRL file with load_verify_locations(),
> which does not seem to produce an error, but also doesn't refuse the
> revoked certificates afterwards.

To be honest with you, I don't know, I haven't worked with CRLs (which
means it's a good bet it doesn't work at all in pyopenssl... patches
welcome :)

/Martin
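The following is an added example, written for this thread and not code from the thread or from pyOpenSSL itself. It shows a verify callback of the shape Jos passes to ctx.set_verify(SSL.VERIFY_PEER|SSL.VERIFY_FAIL_IF_NO_PEER_CERT, cb) that reads the seven X509Name fields Martin lists and applies an allow-list to the leaf certificate. It reaches the certificate only through get_subject() and attribute access, so it can be exercised here with a constructed stand-in object (the _FakeName/_FakeCert classes are assumptions made for the demonstration); with real pyOpenSSL the same callback is handed to ctx.set_verify unchanged. The one point worth taking from it is that the callback never overrides ok == 0: whatever OpenSSL has already rejected (chain, signature, expiry, reported in errnum) stays rejected, and the allow-list only narrows what is accepted.

```python
# Added example, not pyOpenSSL's own code: a verify callback that reads the
# X509Name fields that actually resolve (per the thread, openssl 0.9.7) and
# applies an allow-list to the leaf certificate.

# Short name -> long name, exactly the seven from the thread.
X509NAME_FIELDS = {
    "C": "countryName",
    "L": "localityName",
    "ST": "stateOrProvinceName",
    "O": "organizationName",
    "OU": "organizationalUnitName",
    "CN": "commonName",
    "emailAddress": "emailAddress",
}


def x509name_fields(name):
    """Return {short_name: value} for every field that carries a value.

    Unset fields read as None on an X509Name, so they are skipped; for a
    subject of '/CN=Simple Client' the result is just {'CN': 'Simple Client'}.
    """
    fields = {}
    for short in X509NAME_FIELDS:
        value = getattr(name, short, None)
        if value is not None:
            fields[short] = value
    return fields


def make_verify_callback(allowed_subjects, log=print):
    """Build a cb(conn, cert, errnum, depth, ok) for ctx.set_verify.

    allowed_subjects: list of dicts of required field values for the leaf
    (depth 0) certificate, e.g. [{"CN": "Simple Client", "O": "X/OS"}].
    A failed OpenSSL check (ok == 0) is never overridden.
    """
    def cb(conn, cert, errnum, depth, ok):
        fields = x509name_fields(cert.get_subject())
        if not ok:
            log("verify failed at depth %d, error %d: %r" % (depth, errnum, fields))
            return False
        if depth != 0:
            # CA certificates further up the chain: OpenSSL's own checks decide.
            return True
        for required in allowed_subjects:
            if all(fields.get(k) == v for k, v in required.items()):
                return True
        log("leaf subject not in allow-list: %r" % (fields,))
        return False
    return cb


class _FakeName:
    """Constructed stand-in for an X509Name: only the given fields are set."""
    def __init__(self, **fields):
        for short in X509NAME_FIELDS:
            setattr(self, short, fields.get(short))


class _FakeCert:
    """Constructed stand-in for an X509 object exposing get_subject()."""
    def __init__(self, name):
        self._name = name

    def get_subject(self):
        return self._name


if __name__ == "__main__":
    cb = make_verify_callback([{"CN": "Simple Client"}])
    leaf = _FakeCert(_FakeName(CN="Simple Client"))
    print(x509name_fields(leaf.get_subject()))  # {'CN': 'Simple Client'}
    print(cb(None, leaf, 0, 0, 1))               # True
    print(cb(None, leaf, 10, 0, 0))              # False: OpenSSL error kept
```

The allow-list is deliberately a match on subject fields rather than on the printed '/CN=...' string, so a certificate whose O or OU is set to something unexpected is turned away even when its CN matches.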
From: Mihai I. <mi...@re...> - 2004-08-06 14:54:24

On a slightly related note.

I cannot seem to be able to retrieve notBefore and notAfter from an X509 cert.
I suppose that would be a good thing to add, wouldn't it?
(I found how to set them, but not how to retrieve them).

Misa
From: <msj...@gm...> - 2004-08-08 12:02:38

On Fri, 6 Aug 2004 10:54:37 -0400, Mihai Ibanescu <mi...@re...> wrote:
> On a slightly related note.
> I cannot seem to be able to retrieve notBefore and notAfter from an X509 cert.
> I suppose that would be a good thing to add, wouldn't it?
> (I found how to set them, but not how to retrieve them).

Well, ASN1_TIME in openssl is something of a mess. There's no good way
to turn it into e.g. a time_t that could make sense in a python
program. From what I understand of the code, you can basically do the
following with an ASN1_TIME:
* print it (ASN1_TIME_print / ASN1_UTCTIME_print)
* set/adjust it (ASN1_TIME_set / X509_time_adj / X509_gmtime_adj / ...)
* compare it (ASN1_UTCTIME_cmp_time_t)

The X509.has_expired method compares the notAfter value to "now".

I'm not sure what makes sense to do here. I suppose we could add some
sort of print_notBefore/print_notAfter methods to X509. Another idea
would be to add a wrapper type for ASN1_TIME (crypto.ASN1Time?
asn1.Time?) that could have a __str__ for the printing, and some
comparison methods...

I'm loathe to do anything dramatic though, since I'm trying to get a
new version out the door before Debian sarge is released. ;-)

Ideas and suggestions are most welcome.

/Martin
From: Mihai I. <mi...@re...> - 2004-08-08 12:19:09

On Sun, Aug 08, 2004 at 02:02:33PM +0200, Martin Sjögren wrote:
> On Fri, 6 Aug 2004 10:54:37 -0400, Mihai Ibanescu <mi...@re...> wrote:
> > On a slightly related note.
> > I cannot seem to be able to retrieve notBefore and notAfter from an X509 cert.
> > I suppose that would be a good thing to add, wouldn't it?
> > (I found how to set them, but not how to retrieve them).
>
> Well, ASN1_TIME in openssl is something of a mess. There's no good way
> to turn it into e.g. a time_t that could make sense in a python
> program. From what I understand of the code, you can basically do the
> following with an ASN1_TIME:
> * print it (ASN1_TIME_print / ASN1_UTCTIME_print)
> * set/adjust it (ASN1_TIME_set / X509_time_adj / X509_gmtime_adj / ...)
> * compare it (ASN1_UTCTIME_cmp_time_t)

That's what I figured when I tried to add them myself. From <openssl/asn1.h>:

int ASN1_UTCTIME_check(ASN1_UTCTIME *a);
ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s,time_t t);
int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str);
int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t);
#if 0
time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s);
#endif

>
> The X509.has_expired method compares the notAfter value to "now".
>
> I'm not sure what makes sense to do here. I suppose we could add some
> sort of print_notBefore/print_notAfter methods to X509. Another idea
> would be to add a wrapper type for ASN1_TIME (crypto.ASN1Time?
> asn1.Time?) that could have a __str__ for the printing, and some
> comparison methods...
>
> I'm loathe to do anything dramatic though, since I'm trying to get a
> new version out the door before Debian sarge is released. ;-)
>
> Ideas and suggestions are most welcome.

Well, I had a quick look at what m2crypto does, and found out there is a
get_not_before and get_not_after. But they return strings, and I guess you
are left to parse the strings yourself in python. I believe the returned times
are always GMT so it may not be that complicated.

I guess an ASN1_TIME type would make sense. Have its __str__ method use
openssl's ASN1_TIME_print, and have a to_epoch() method that would use
python's time conversion functions. Probably a warning in the documentation
that this method is not openssl-"pure".

Misa
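As an added example (not code from the thread, from pyOpenSSL or from m2crypto), here is the to_epoch() idea Misa sketches, done with Python's standard library only. It assumes the input is the raw ASN.1 time string as OpenSSL stores it in a certificate, either UTCTime ("YYMMDDhhmmssZ", two-digit year) or GeneralizedTime ("YYYYMMDDhhmmssZ"), always in GMT as Misa notes; the sample strings in the block are constructed for the demonstration. Two details matter for a validity check and are handled here: the two-digit-year pivot for UTCTime (RFC 5280 fixes 50..99 to 19xx and 00..49 to 20xx), and refusing to guess on a string that does not parse, since an unparseable notAfter must not be treated as "valid".

```python
# Added example, not pyOpenSSL's own code: parse the ASN.1 UTCTime /
# GeneralizedTime string of a certificate's notBefore/notAfter into seconds
# since the epoch, then do the comparison X509.has_expired() does in C.
import calendar
import re
import time

# UTCTime: two-digit year, seconds optional in ASN.1, 'Z' suffix for X.509.
_UTCTIME = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?Z$")
# GeneralizedTime: four-digit year, seconds mandatory, 'Z' suffix for X.509.
_GENTIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def asn1_time_to_epoch(value):
    """Convert an ASN.1 time string (str or bytes) to a UTC epoch integer.

    Raises ValueError on anything that is not a Zulu UTCTime or
    GeneralizedTime rather than guessing at a value.
    """
    if isinstance(value, bytes):
        value = value.decode("ascii")
    m = _GENTIME.match(value)
    if m:
        year = int(m.group(1))
    else:
        m = _UTCTIME.match(value)
        if not m:
            raise ValueError("unrecognised ASN.1 time: %r" % (value,))
        # RFC 5280 4.1.2.5.1 pivot: 50..99 -> 1950..1999, 00..49 -> 2000..2049.
        yy = int(m.group(1))
        year = 1900 + yy if yy >= 50 else 2000 + yy
    month, day, hour, minute = (int(m.group(i)) for i in range(2, 6))
    second = int(m.group(6) or 0)
    # timegm interprets the tuple as UTC, which the trailing 'Z' guarantees.
    return calendar.timegm((year, month, day, hour, minute, second, 0, 0, 0))


def has_expired(not_after, now=None):
    """Same test as X509.has_expired(): True once notAfter lies in the past."""
    now = time.time() if now is None else now
    return asn1_time_to_epoch(not_after) < now


def is_valid_at(not_before, not_after, when=None):
    """True only inside [notBefore, notAfter]. Both ends are checked: a
    certificate that is not yet valid is rejected just like an expired one."""
    when = time.time() if when is None else when
    return asn1_time_to_epoch(not_before) <= when <= asn1_time_to_epoch(not_after)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real certificate.
    print(asn1_time_to_epoch("040714123419Z"))    # 1089808459 (2004-07-14 12:34:19 UTC)
    print(asn1_time_to_epoch("20040714123419Z"))  # same instant as GeneralizedTime
    print(has_expired("040714123419Z"))           # True
    print(is_valid_at("040714123419Z", "20050714123419Z", when=1089808459))  # True
```

A wrapper type along the lines Martin proposes could keep its __str__ on ASN1_TIME_print and hand the raw string to asn1_time_to_epoch for to_epoch(); the pure-Python conversion is the part that is not openssl-"pure", exactly as Misa's suggested documentation note would say.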