Obtaining SSL certificate info from SSL object - BUG?

Michael Ströder michael at stroeder.com
Thu Oct 26 13:01:07 EDT 2006


John Nagle wrote:
>     The Python SSL object offers two methods for obtaining
> the info from an SSL certificate, "server()" and "issuer()".
> The actual values in the certificate are a series of name/value
> pairs in ASN.1 binary format.  But what "server()" and "issuer()"
> return are strings, with the pairs separated by "/".  The
> documentation at "http://docs.python.org/lib/ssl-objects.html"
> says "Returns a string containing the ASN.1 distinguished name
> identifying the server's certificate. (See below for an example showing
> what distinguished names look like.)"  There is, however, no "below".
> 
> What you actually get back looks like this, which is Google's certificate:
> 
> "/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com"
> 
> So, no problem; just split on "/", right?
> 
> Unfortunately, "/" is a legal character in certificate values.

You hit a really serious problem: There's no completely well-defined
string representation format for distinguished names used in X.509
certificates. The format above is what OpenSSL used in the beginning.
Yuck! IMO this is also a security problem in some cases.

The best thing would be to stick to RFC 4514 (formerly RFC 2253:
Lightweight Directory Access Protocol (LDAP): String Representation of
Distinguished Names). It defines a UTF-8-based string representation.

Play around with OpenSSL's command-line option 'nameopt':

> openssl x509 -inform der -in VSIGN1.CER -subject -issuer -noout
subject= /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
issuer= /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority

> openssl x509 -inform der -in VSIGN1.CER -subject -issuer -noout -nameopt rfc2253
subject= OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
issuer= OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Guess the second is what the Python SSL object should also return. No idea
whether this is available at OpenSSL's API level.

Ciao, Michael.
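As an added example (not code from this thread), a small Python parser for the RFC 4514 form shown above, next to the naive "/" split from the quoted post, to show why only the former can be parsed unambiguously. The "Acme" DN strings used with it are constructed.

```python
# Characters that may follow a backslash literally (RFC 4514, section 3).
_ESCAPABLE = set(',+"\\<>;= #')


def parse_rfc4514_dn(dn):
    """Return the RDNs of an RFC 4514 string, each as a list of (type, value).
    Unescaped ',' separates RDNs, '+' the values of a multi-valued RDN;
    '\\X' yields X literally and '\\HH' one UTF-8 byte of the value."""
    rdns, rdn = [], []
    attr_type, buf = None, bytearray()      # buf collects the value's UTF-8 bytes
    i = 0
    while i < len(dn):
        ch, step = dn[i], 1
        if ch == '\\' and dn[i + 1:i + 2] in _ESCAPABLE:
            buf += dn[i + 1].encode('utf-8')
            step = 2
        elif ch == '\\':                    # hex pair, e.g. \c3\bc for "ü"
            buf.append(int(dn[i + 1:i + 3], 16))
            step = 3
        elif ch == '=' and attr_type is None:
            attr_type, buf = buf.decode('utf-8').strip(), bytearray()
        elif ch in ',+':
            if attr_type is None:
                raise ValueError("RDN without '=' in %r" % dn)
            rdn.append((attr_type, buf.decode('utf-8')))
            attr_type, buf = None, bytearray()
            if ch == ',':
                rdns.append(rdn)
                rdn = []
        else:
            buf += ch.encode('utf-8')
        i += step
    if attr_type is None:
        raise ValueError("RDN without '=' in %r" % dn)
    rdn.append((attr_type, buf.decode('utf-8')))
    rdns.append(rdn)
    return rdns


def naive_slash_split(dn):
    """Split OpenSSL's legacy '/C=US/O=...' form on '/', as the quoted post
    proposes.  '/' is legal inside values, so a value containing it either
    leaves a fragment without '=' (detected here) or is silently misread."""
    pairs = []
    for part in dn.split('/')[1:]:           # the leading '/' gives an empty part
        attr_type, sep, value = part.partition('=')
        if not sep:
            raise ValueError("ambiguous legacy DN, fragment %r has no '='" % part)
        pairs.append((attr_type, value))
    return pairs
```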
