[Cryptography-dev] How to retrieve the certificates
Kai Lu
kayne.lu at gmail.com
Wed Jul 1 16:45:37 CEST 2015
Hi Vladimir,
I just tried below (the usage syntax might be wrong), and nothing is
printed out.
++++++
peercertchain = conn.get_peer_cert_chain()
print "\n\npeer cert chain:\n"
for cert in peercertchain:
OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM,cert)
+++++++
Cheers,
Kayne.
On Wed, Jul 1, 2015 at 4:34 PM, Kai Lu <kayne.lu at gmail.com> wrote:
> Hi Vladimir,
>
> The following outputs are what I want:
>
> openssl s_client -showcerts -connect www.google.com:443 2>/dev/null
>
> CONNECTED(00000003)
>
> ---
>
> Certificate chain
>
> 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
>
> i:/C=US/O=Google Inc/CN=Google Internet Authority G2
>
> *-----BEGIN CERTIFICATE-----*
>
> *MIIEdjCCA16gAwIBAgIIGauXbnwTccIwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE*
>
> *BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl*
>
> *cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwNjE4MDg1MjU2WhcNMTUwOTE2MDAwMDAw*
>
> *WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN*
>
> *TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3*
>
> *Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKqVwD*
>
> *tAdntIdi6/bTxyzrCWEHaqqr+DAs07w5OnAlLUTplLSsEoRQJApVVhXjDbgssVs8*
>
> *xvaM8Y+7/MPsnyHuxMmk/C+LAuvOpcW4yVtOM+50kVz3Htb3fN7Q0RHqbMUNjAuM*
>
> *tC+Kwbs+HqEsHTAxwWvcypvrSC2pGfz/gTy4723wi5EC+ekHKCft5ph8NOfvnOo7*
>
> *E88xquN9lpU/710fhsUs7b8gSzlqIKpkNvIQR81ZnNCJ68ERw6XVrBcp9/8BnaXR*
>
> *Gk7BW6jTTLGLp2CsEsLPxlJGiAKPNBprMa3ub219HSLchH7inf7y2Q2gSkjWPjMu*
>
> *tkrU3qFY1Zybw7irAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEFBQcDAQYI*
>
> *KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE*
>
> *XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0*
>
> *MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G*
>
> *A1UdDgQWBBQU2aHhkUAk8wPx0PpJZxFS5CBoVDAMBgNVHRMBAf8EAjAAMB8GA1Ud*
>
> *IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYKKwYBBAHW*
>
> *eQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB*
>
> *RzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQBxXQdynpvBsOe3YVbZTSXfpJz9vBDB*
>
> *LCE4wuKBZof2yZUU6JlAuJdYaJ1c1ulaVkRRXG+aWET9FepkPEBVIcKEFCaR24Uv*
>
> *RWvcgMT02eAAyrs9D8010C670yA0q/rs6V0EMPzo6u7mKuj1jviRC7r5MgLmBDxW*
>
> *rF6alaM7CdiLCopi84uR44cshfOtMz94jcZO3FLNuRZmq8alVuWyS3F2utiy+Ge3*
>
> *GtcrbeFzD9uPLwgH0VkqW4pQjAFwqLkvmB/See/5j1gZPGpZpYW1KM0xnP8b4mo2*
>
> *Misqw5uB5TqigipttTMAiA4IdJnOkV1EUmfzrEjRkkSVb0c7OZURHd45*
>
> -----END CERTIFICATE-----
>
> 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
>
> i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>
> *-----BEGIN CERTIFICATE-----*
>
> *MIID8DCCAtigAwIBAgIDAjp2MA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT*
>
> *MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i*
>
> *YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG*
>
> *EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy*
>
> *bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB*
>
> *AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP*
>
> *VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv*
>
> *h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE*
>
> *ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ*
>
> *EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC*
>
> *DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7*
>
> *qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD*
>
> *VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig*
>
> *JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF*
>
> *BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMBcGA1UdIAQQ*
>
> *MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQUFAAOCAQEAJ4zP6cc7vsBv6JaE*
>
> *+5xcXZDkd9uLMmCbZdiFJrW6nx7eZE4fxsggWwmfq6ngCTRFomUlNz1/Wm8gzPn6*
>
> *8R2PEAwCOsTJAXaWvpv5Fdg50cUDR3a4iowx1mDV5I/b+jzG1Zgo+ByPF5E0y8tS*
>
> *etH7OiDk4Yax2BgPvtaHZI3FCiVCUe+yOLjgHdDh/Ob0r0a678C/xbQF9ZR1DP6i*
>
> *vgK66oZb+TWzZvXFjYWhGiN3GhkXVBNgnwvhtJwoKvmuAjRtJZOcgqgXe/GFsNMP*
>
> *WOH7sf6coaPo/ck/9Ndx3L2MpBngISMjVROPpBYCCX65r+7bU2S9cS+5Oc4wt7S8*
>
> *VOBHBw==*
>
> *-----END CERTIFICATE-----*
>
> 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>
> i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>
> *-----BEGIN CERTIFICATE-----*
>
> *MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT*
>
> *MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0*
>
> *aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw*
>
> *WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE*
>
> *AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB*
>
> *CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m*
>
> *OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu*
>
> *T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c*
>
> *JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR*
>
> *Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz*
>
> *PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm*
>
> *aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM*
>
> *TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g*
>
> *LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO*
>
> *BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv*
>
> *dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB*
>
> *AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL*
>
> *NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W*
>
> *b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S*
>
> *-----END CERTIFICATE-----*
>
> ---
>
> Server certificate
>
> subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
>
> issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
>
> ---
>
> No client certificate CA names sent
>
> Server Temp Key: ECDH, prime256v1, 256 bits
>
> ---
>
> SSL handshake has read 3719 bytes and written 375 bytes
>
> ---
>
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
>
> Server public key is 2048 bit
>
> Secure Renegotiation IS supported
>
> Compression: NONE
>
> Expansion: NONE
>
> SSL-Session:
>
> Protocol : TLSv1.2
>
> Cipher : ECDHE-RSA-AES128-GCM-SHA256
>
> Session-ID:
> CE335417E6C47BEA5F638FD712963403AA915EA2B07A630EFD0ACA6C30FB92E7
>
> Session-ID-ctx:
>
> Master-Key:
> 228675E99ACA98666180FBDF8DDFB051301DE91FBFBEC7FE2F5684CF702971E55C1C66F0463D4B547788689F28278281
>
> Key-Arg : None
>
> Krb5 Principal: None
>
> PSK identity: None
>
> PSK identity hint: None
>
> TLS session ticket lifetime hint: 100800 (seconds)
>
> TLS session ticket:
>
> 0000 - 46 28 de 0a c1 94 a1 91-bb d9 ee 40 f8 7e 6e f3
> F(......... at .~n.
>
> 0010 - fc 26 3e 26 bd 35 1c bd-d7 8c ee 88 9f 37 52 b8
> .&>&.5.......7R.
>
> 0020 - 14 b4 ba 92 87 15 01 ed-aa bf 54 4d fb df f9 7b
> ..........TM...{
>
> 0030 - 5c 62 a9 a2 45 f1 09 15-83 b3 34 7e e8 87 d9 58
> \b..E.....4~...X
>
> 0040 - 36 fe e8 29 4a c7 7d ec-38 d5 66 d2 c7 89 21 05
> 6..)J.}.8.f...!.
>
> 0050 - 7b 65 d5 e4 69 36 bb ea-9a 32 36 54 31 e5 61 f9
> {e..i6...26T1.a.
>
> 0060 - 19 7c 75 8d 63 25 53 c5-cb 4b ca 24 cd 96 a8 cd
> .|u.c%S..K.$....
>
> 0070 - 59 d3 63 a0 1e fa a4 32-16 ed ae aa e5 23 39 35
> Y.c....2.....#95
>
> 0080 - 60 f8 c5 56 8f 09 1d 61-7c ed 30 fa b4 a9 8c 4f
> `..V...a|.0....O
>
> 0090 - 40 c2 c4 8b 2a 2b 38 34-d9 df 85 72 67 42 e4 71
> @...*+84...rgB.q
>
> 00a0 - 76 3b b4 1e v;..
>
>
> Start Time: 1435761117
>
> Timeout : 300 (sec)
>
> Verify return code: 0 (ok)
>
> Cheers,
> Kayne.
>
> On Wed, Jul 1, 2015 at 4:29 PM, Kai Lu <kayne.lu at gmail.com> wrote:
>
>> Hi Vladimir,
>>
>> Thanks for your reply!
>>
>> What I need is .PEM format. Could you please provide an example
>> about how to use OpenSSL.crypto.dump_certificate(*type*, *cert*)?
>>
>> Cheers,
>> Kayne.
>>
>>
>>
>> On Wed, Jul 1, 2015 at 4:12 PM, Vladimir Didenko <
>> vladimir.didenko at gmail.com> wrote:
>>
>>> 2015-07-01 17:03 GMT+03:00 Kai Lu:
>>>
>>>> Hi,
>>>>
>>>> Could anyone please tell me how to get each certificate (like
>>>> "begin ... end") in the cert chain by using "peercertchain =
>>>> conn.get_peer_cert_chain()"? I use PyOpenssl package. The command line
>>>> like openssl s_client -showcerts -connect XXXX:443 2>/dev/null can print
>>>> out what I need, but I want to use PyOpenssl package or other packages to
>>>> implement it in the Python programs other than calling command line from
>>>> Python code.
>>>>
>>>
>>> I don't understand what is a problem. conn.get_peer_cert_chain returns
>>> usual Python list of X509 objects. Each object is certificate. If you need
>>> PEM format you can use crypto.dump_certificate function.
>>>
>>>
>>> --
>>> Regards,
>>> Vladimir.
>>>
>>> _______________________________________________
>>> Cryptography-dev mailing list
>>> Cryptography-dev at python.org
>>> https://mail.python.org/mailman/listinfo/cryptography-dev
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/cryptography-dev/attachments/20150701/9498097a/attachment-0001.html>
More information about the Cryptography-dev
mailing list