The Python SSL object offers two methods for obtaining the info from an SSL certificate, "server()" and "issuer()". The actual values in the certificate are a series of name/value pairs in ASN.1 binary format. But what "server()" and "issuer()" return are strings, with the pairs separated by "/". The documentation at "http://docs.python.org/lib/ssl-objects.html" says "Returns a string containing the ASN.1 distinguished name identifying the server's certificate. (See below for an example showing what distinguished names look like.)" There is, however, no "below".
What you actually get back looks like this, which is Google's certificate: "/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com"

So, no problem; just split on "/", right? Unfortunately, "/" is a legal character in certificate values. Worse, this isn't just a theoretical problem. Verisign's issuer information reads: "/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign". Note "OU=Terms of use at www.verisign.com/rpa (c)00", with a "/" in the middle of the value field. So you hit this problem on every cert issued by Verisign. Oops.

Nor does there seem to be a way to get at the certificate itself from within Python. There was some discussion of this in 2002 at http://groups.google.com/group/comp.lang.python/browse_frm/thread/a91a4e1c0f4e03c4/eec124c606f56c0b?lnk=gst&q=socket+ssl+issuer&rnum=4#eec124c606f56c0b when someone wrote: "Furthermore, while the server and issuer are exposed through undocumented attributes, the server_cert is not. So there is no way to validate the cert manually, short of rewriting socketmodule.c. This is one case where the batteries included have been sitting on the shelf too long."

Clearly, "server()" and "issuer()" should return lists, not strings. That would resolve the ambiguity. ASN.1 is a representation for lists, and hammering those lists into strings loses information.

Is there a workaround for this? Without rebuilding Python and becoming incompatible?

John Nagle
Animats
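To make the ambiguity concrete, here is an added example (not code from the post or from Python's ssl module) that runs a naive split and a heuristic split over the two distinguished-name strings quoted above. The heuristic only treats a "/" as a separator when it is immediately followed by a known attribute type and "="; the KNOWN_TYPES list and the helper names are this example's own assumptions.

```python
import re

# Constructed inputs, copied from the post: the "/"-joined strings the old
# ssl object returned for Google's subject and VeriSign's issuer.
GOOGLE_SUBJECT = "/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com"
VERISIGN_ISSUER = ("/O=VeriSign Trust Network/OU=VeriSign, Inc."
                   "/OU=VeriSign International Server CA - Class 3"
                   "/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign")
VERISIGN_TERMS = "/OU=Terms of use at www.verisign.com/rpa (c)00"

# Assumed list of attribute types that may begin an RDN in this string form.
# A "/" counts as a separator only when "<type>=" follows it; any other "/"
# stays inside the preceding value.  This is a heuristic: a value that itself
# contains "/CN=" would still be mis-split, which is why a structured
# (list-based) API is the real fix.
KNOWN_TYPES = ("C", "ST", "L", "O", "OU", "CN", "DC", "UID", "street",
               "postalCode", "serialNumber", "emailAddress")

_SEPARATOR = re.compile(r"/(?=(?:%s)=)" % "|".join(re.escape(t) for t in KNOWN_TYPES))


def naive_split(dn):
    """Split on every '/': the obvious approach, wrong for VeriSign-style values."""
    pairs = []
    for part in dn.split("/"):
        if part:
            typ, _, value = part.partition("=")
            pairs.append((typ, value))
    return pairs


def heuristic_split(dn):
    """Split only at '/' followed by '<known type>='; returns (type, value) pairs."""
    pairs = []
    for part in _SEPARATOR.split(dn):
        if part:
            typ, _, value = part.partition("=")
            pairs.append((typ, value))
    return pairs


if __name__ == "__main__":
    for label, dn in (("google", GOOGLE_SUBJECT), ("verisign", VERISIGN_ISSUER),
                      ("terms", VERISIGN_TERMS)):
        print(label, "naive:", naive_split(dn))
        print(label, "heuristic:", heuristic_split(dn))
```

The naive split turns the VeriSign issuer into five fragments, the last of which has no "=" at all, while the heuristic split recovers the four RDNs. Later Python versions sidestep the problem entirely: ssl.SSLSocket.getpeercert() returns the subject and issuer as nested tuples of (type, value) pairs rather than a joined string.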