[issue22873] Re: SSLsocket.getpeercert - return ALL the fields of the certificate.

John Nagle report at bugs.python.org
Fri Nov 14 19:03:26 CET 2014


New submission from John Nagle:

In each revision of "getpeercert", a few more fields are returned. Python 3.2 added "issuer" and "notBefore". Python 3.4 added "crlDistributionPoints", "caIssuers", and OCSP URLs. But some fields still aren't returned. I happen to need CertificatePolicies, which is how you distinguish DV, OV, and EV certs.

   Here's what you get now from "getpeercert()" for "bankofamerica.com":

{'OCSP': ('http://EVSecure-ocsp.verisign.com',),
 'caIssuers': ('http://EVSecure-aia.verisign.com/EVSecure2006.cer',),
 'crlDistributionPoints': ('http://EVSecure-crl.verisign.com/EVSecure2006.crl',),
 'issuer': ((('countryName', 'US'),),
            (('organizationName', 'VeriSign, Inc.'),),
            (('organizationalUnitName', 'VeriSign Trust Network'),),
            (('organizationalUnitName',
              'Terms of use at https://www.verisign.com/rpa (c)06'),),
            (('commonName', 'VeriSign Class 3 Extended Validation SSL CA'),)),
 'notAfter': 'Mar 22 23:59:59 2015 GMT',
 'notBefore': 'Feb 20 00:00:00 2014 GMT',
 'serialNumber': '69A7BC85C106DDE1CF4FA47D5ED813DC',
 'subject': ((('1.3.6.1.4.1.311.60.2.1.3', 'US'),),
             (('1.3.6.1.4.1.311.60.2.1.2', 'Delaware'),),
             (('businessCategory', 'Private Organization'),),
             (('serialNumber', '2927442'),),
             (('countryName', 'US'),),
             (('postalCode', '60603'),),
             (('stateOrProvinceName', 'Illinois'),),
             (('localityName', 'Chicago'),),
             (('streetAddress', '135 S La Salle St'),),
             (('organizationName', 'Bank of America Corporation'),),
             (('organizationalUnitName', 'Network Infrastructure'),),
             (('commonName', 'www.bankofamerica.com'),)),
 'subjectAltName': (('DNS', 'mobile.bankofamerica.com'),
                    ('DNS', 'www.bankofamerica.com')),
 'version': 3}

Missing fields (from Firefox's view of the cert) include:

 Certificate Policies:
    2.16.840.1.113733.1.7.23.6:
    Extended Validation (EV) SSL Server Certificate
    Certification Practice Statement pointer: https://www.verisign.com/cps
    (This tells you it's a valid EV cert).

 Certificate Basic Constraints:
    Is not a Certificate Authority
    (which means they can't issue more certs below this one)

 Extended Key Usage:
    TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)
    TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)
    (which means this cert is for web use, not email or code signing)

   How about just returning ALL the remaining fields and finishing the job, so this doesn't have to be fixed again?  Thanks.

----------
components: Library (Lib)
messages: 231166
nosy: nagle
priority: normal
severity: normal
status: open
title: Re: SSLsocket.getpeercert - return ALL the fields of the certificate.
versions: Python 3.4

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue22873>
_______________________________________
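What pulling those three extensions out yourself looks like today, as an added example (not code from the report or from CPython): getpeercert(binary_form=True) returns the certificate's DER bytes, and a small TLV walker can locate the extensions block and decode Certificate Policies, Basic Constraints and Extended Key Usage from it. The sample certificate is constructed inside the block (unsigned, placeholder names and key), the extension OIDs are the standard id-ce ones, the EV policy OIDs are the VeriSign one quoted in the report plus the CA/Browser Forum EV OID, and all function names are my own.

```python
"""Extract the extensions getpeercert() omits; added example, not CPython code."""
OID_CERT_POLICIES, OID_BASIC_CONSTRAINTS, OID_EXT_KEY_USAGE = "2.5.29.32", "2.5.29.19", "2.5.29.37"
OID_SERVER_AUTH, OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"
# EV policy OIDs: the one quoted in the report, plus the CA/Browser Forum EV OID.
EV_POLICY_OIDS = {"2.16.840.1.113733.1.7.23.6", "2.23.140.1.1"}

def der_read(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split the content of a constructed value into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out

def decode_oid(content):
    """OBJECT IDENTIFIER content octets -> dotted-decimal string."""
    parts, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def missing_extensions(der_cert):
    """Walk Certificate -> tbsCertificate -> extensions [3]; absent extensions map to None."""
    tbs = der_children(der_read(der_cert)[1])[0][1]
    out = {"certificatePolicies": None, "basicConstraints": None, "extendedKeyUsage": None}
    for tag, val in der_children(tbs):
        if tag != 0xA3:                                 # extensions [3] EXPLICIT
            continue
        for _, ext in der_children(der_children(val)[0][1]):
            fields = der_children(ext)                  # extnID, [critical], extnValue
            oid, body = decode_oid(fields[0][1]), fields[-1][1]
            inner = der_children(der_children(body)[0][1])   # elements of the wrapped SEQUENCE
            if oid == OID_CERT_POLICIES:                # SEQUENCE OF PolicyInformation
                out["certificatePolicies"] = [decode_oid(der_children(p)[0][1]) for _, p in inner]
            elif oid == OID_BASIC_CONSTRAINTS:          # cA BOOLEAN DEFAULT FALSE
                out["basicConstraints"] = bool(inner and inner[0][0] == 0x01 and inner[0][1] != b"\x00")
            elif oid == OID_EXT_KEY_USAGE:              # SEQUENCE OF KeyPurposeId
                out["extendedKeyUsage"] = [decode_oid(v) for _, v in inner]
    return out

def validation_level(policies):
    """'EV' if a known EV policy OID is present; DV and OV are not told apart here."""
    return "EV" if policies and EV_POLICY_OIDS & set(policies) else "not EV"

# DER encoder, used only to construct the sample certificate below.
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))

def build_sample_cert():
    """Constructed, unsigned v3 certificate; only the extensions are realistic."""
    def ext(oid, critical, value):                     # Extension ::= SEQUENCE
        crit = der_tlv(0x01, b"\xff") if critical else b""
        return der_tlv(0x30, encode_oid(oid) + crit + der_tlv(0x04, value))
    policies = der_tlv(0x30, der_tlv(0x30, encode_oid("2.16.840.1.113733.1.7.23.6")))
    basic = der_tlv(0x30, b"")                          # cA omitted, so FALSE: not a CA
    eku = der_tlv(0x30, encode_oid(OID_SERVER_AUTH) + encode_oid(OID_CLIENT_AUTH))
    exts = der_tlv(0xA3, der_tlv(0x30, ext(OID_CERT_POLICIES, False, policies)
                                     + ext(OID_BASIC_CONSTRAINTS, True, basic)
                                     + ext(OID_EXT_KEY_USAGE, False, eku)))
    validity = der_tlv(0x30, der_tlv(0x17, b"140220000000Z") + der_tlv(0x17, b"150322235959Z"))
    tbs = der_tlv(0x30, b"".join([
        der_tlv(0xA0, der_tlv(0x02, b"\x02")), der_tlv(0x02, b"\x01"),   # version v3, serialNumber
        der_tlv(0x30, encode_oid("1.2.840.113549.1.1.11")),              # sha256WithRSAEncryption
        der_tlv(0x30, b""), validity, der_tlv(0x30, b""),                # issuer, validity, subject (placeholder Names)
        der_tlv(0x30, b""), exts]))                                       # subjectPublicKeyInfo (placeholder), extensions
    # signatureAlgorithm and signatureValue are placeholders: nothing verifies this cert.
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))

if __name__ == "__main__":
    # Real use: info = missing_extensions(sock.getpeercert(binary_form=True))
    info = missing_extensions(build_sample_cert())
    print(info, validation_level(info["certificatePolicies"]))
```

Two caveats when using this against a live peer: the DER bytes come back whether or not the socket verified the chain, so a policy OID in the leaf only means something once the chain has been validated to a root that is trusted for that policy; and the walker above trusts the DER to be well formed, which is acceptable after verification but not for untrusted input without bounds checks.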

