John Nagle wrote:
> The Python SSL object offers two methods for obtaining
> the info from an SSL certificate, "server()" and "issuer()".
> The actual values in the certificate are a series of name/value
> pairs in ASN.1 binary format. But what "server()" and "issuer()"
> return are strings, with the pairs separated by "/". The
> documentation at "http://docs.python.org/lib/ssl-objects.html"
> says "Returns a string containing the ASN.1 distinguished name
> identifying the server's certificate. (See below for an example showing
> what distinguished names look like.)" There is, however, no "below".
>
> What you actually get back looks like this, which is Google's certificate:
>
> "/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com"
>
> So, no problem; just split on "/", right?
>
> Unfortunately, "/" is a legal character in certificate values.
You hit a really serious problem: there's no completely well-defined string representation format for distinguished names used in X.509 certificates. The format above is what OpenSSL used in the beginning. Yuck!

IMO this is also a security problem in some cases.

The best thing would be to stick to RFC 4514 (formerly RFC 2253: Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names). It defines a UTF-8-based string representation.

Play around with OpenSSL's command-line option 'nameopt':

  > openssl x509 -inform der -in VSIGN1.CER -subject -issuer -noout
  subject= /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
  issuer= /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority

  > openssl x509 -inform der -in VSIGN1.CER -subject -issuer -noout -nameopt rfc2253
  subject= OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
  issuer= OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

I guess the second is what the Python SSL object should also return. No idea whether this is available at OpenSSL's API level.

Ciao, Michael.

-- 
http://mail.python.org/mailman/listinfo/python-list
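An added example (my own code, not from this thread or from Python's ssl module) that parses the RFC 4514 form shown by the -nameopt rfc2253 output above, honouring its backslash and \XX hex escapes, next to a naive splitter for the legacy "/"-joined form that shows why that form cannot be parsed reliably:

```python
import string
from typing import List, Tuple

def parse_rfc4514(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514 DN ('OU=...,O=VeriSign\\, Inc.,C=US') into (type, value)
    pairs, honouring '\\<special>' escapes, '\\XX' hex bytes and '+' (multi-valued RDN)."""
    pairs: List[Tuple[str, str]] = []
    attr_type, value, i = None, bytearray(), 0

    def flush() -> None:
        nonlocal attr_type, value
        if attr_type is None:
            raise ValueError("RDN without '=' in %r" % dn)
        pairs.append((attr_type, value.decode("utf-8")))
        attr_type, value = None, bytearray()

    while i < len(dn):
        c = dn[i]
        if c == "\\":                                 # escape sequence
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(h in string.hexdigits for h in nxt):
                value.append(int(nxt, 16)); i += 3    # \XX: one raw UTF-8 byte
            elif nxt:
                value += nxt[0].encode("utf-8"); i += 2  # \, \+ \" \\ \< \> \; \=
            else:
                raise ValueError("dangling backslash in %r" % dn)
            continue
        if c == "=" and attr_type is None:            # first unescaped '=' ends the type
            attr_type, value = value.decode("ascii").strip(), bytearray()
        elif c in ",+":                               # unescaped separator ends the RDN
            flush()
        else:
            value += c.encode("utf-8")
        i += 1
    if dn:                                            # the empty DN is valid and empty
        flush()
    return pairs

def split_openssl_oneline(dn: str) -> List[Tuple[str, str]]:
    """Naive split of OpenSSL's legacy '/C=US/O=.../CN=...' form (what the old Python
    ssl object returned). A '/' inside a value either yields a fragment with no '='
    (detected here) or, if it happens to contain '=', silently gives wrong pairs."""
    out: List[Tuple[str, str]] = []
    for frag in dn.split("/")[1:]:
        if "=" not in frag:
            raise ValueError("ambiguous '/' inside a value: %r" % frag)
        t, _, v = frag.partition("=")
        out.append((t, v))
    return out
```

Modern Python sidesteps the string form: ssl.SSLSocket.getpeercert() returns the subject and issuer as tuples of (type, value) pairs rather than a joined string.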