From jos at xos.nl  Wed Jul 14 14:34:10 2004
From: jos at xos.nl (Jos Vos)
Date: Wed, 14 Jul 2004 14:34:10 +0200
Subject: [pyOpenSSL] pyOpenSSL certificate information - how?
Message-ID: <200407141234.i6ECYAH04261@xos037.xos.nl>

Hi,

I have started to experiment with client certificates and I want
to check some information of these certificates, but I can't get
that part working.

What I do:

ctx.set_verify(SSL.VERIFY_PEER|SSL.VERIFY_FAIL_IF_NO_PEER_CERT, cb)

And in the cb function I do:

def cb(conn, cert, errnum, depth, ok):
    subject = cert.get_subject()
    print subject

This actually works and gives me:

(I'm using some sample certificates of Red Hat Linux 9's Apache).

But now I want to retrieve some information from that certificate...
In the manual section about X509Name objects it says "X509Name objects
have the following members", but I don't succeed in getting any of
that information.

I'm obviously making one or more stupid mistakes, using this interface
for the first time (using some third-party sample programs), but I
don't know which mistakes...

Any help is appreciated.

Cheers,

-- 
-- Jos Vos
-- X/OS Experts in Open Systems BV   |   Phone: +31 20 6938364
-- Amsterdam, The Netherlands        |   Fax:   +31 20 6948204


From msjogren at gmail.com  Wed Jul 14 16:40:44 2004
From: msjogren at gmail.com (Martin Sjögren)
Date: Wed, 14 Jul 2004 16:40:44 +0200
Subject: [pyOpenSSL] pyOpenSSL certificate information - how?
In-Reply-To: <200407141234.i6ECYAH04261@xos037.xos.nl>
References: <200407141234.i6ECYAH04261@xos037.xos.nl>
Message-ID: <1e1bb1f00407140740615c0121@mail.gmail.com>

On Wed, 14 Jul 2004 14:34:10 +0200, Jos Vos wrote:
> Hi,
>
> I have started to experiment with client certificates and I want
> to check some information of these certificates, but I can't get
> that part working.
>
> What I do:
>
> ctx.set_verify(SSL.VERIFY_PEER|SSL.VERIFY_FAIL_IF_NO_PEER_CERT, cb)
>
> And in the cb function I do:
>
> def cb(conn, cert, errnum, depth, ok):
>     subject = cert.get_subject()
>     print subject
>
> This actually works and gives me:
>
>
>
> (I'm using some sample certificates of Red Hat Linux 9's Apache).

What this tells you is that the only field of the X509Name that
actually has a value is the CN field, or "common name".

> But now I want to retrieve some information from that certificate...
> In the manual section about X509Name objects it says "X509Name objects
> have the following members", but I don't succeed in getting any of
> that information.

Well, subject.CN should work. Nothing else should, since they don't
actually have any values.

There are, of course, properties of the certificate itself that you
could check, like whether it has expired and so forth.

Hope that helps.

/Martin


From jos at xos.nl  Mon Jul 19 19:13:47 2004
From: jos at xos.nl (Jos Vos)
Date: Mon, 19 Jul 2004 19:13:47 +0200
Subject: [pyOpenSSL] pyOpenSSL certificate information - how?
In-Reply-To: <1e1bb1f00407140740615c0121@mail.gmail.com>; from msjogren@gmail.com on Wed, Jul 14, 2004 at 04:40:44PM +0200
References: <200407141234.i6ECYAH04261@xos037.xos.nl> <1e1bb1f00407140740615c0121@mail.gmail.com>
Message-ID: <20040719191347.A2537@xos037.xos.nl>

Hi,

On Wed, Jul 14, 2004 at 04:40:44PM +0200, Martin Sjögren wrote:

> What this tells you is that the only field of the X509Name that
> actually has a value is the CN field, or "common name".

This actually works, thanks, but "common_name" or any of the other
listed members (in the docs section 3.1.2) does not work, also
not if the related fields exist (tested with another certificate).

So, is the documentation here indeed incorrect?

> There are, of course, properties of the certificate itself that you
> could check, like whether it has expired and so forth.

Could you point me to some code examples?

Related to this: how do I load a revocation list (CRL) in the Python
interface? I tried to load a CRL file with load_verify_locations(),
which does not seem to produce an error, but also doesn't refuse the
revoked certificates afterwards.

> Hope that helps.

Certainly, thanks so far.

-- 
-- Jos Vos
-- X/OS Experts in Open Systems BV   |   Phone: +31 20 6938364
-- Amsterdam, The Netherlands        |   Fax:   +31 20 6948204


From msjogren at gmail.com  Mon Jul 19 21:10:13 2004
From: msjogren at gmail.com (Martin Sjögren)
Date: Mon, 19 Jul 2004 21:10:13 +0200
Subject: [pyOpenSSL] pyOpenSSL certificate information - how?
In-Reply-To: <20040719191347.A2537@xos037.xos.nl>
References: <200407141234.i6ECYAH04261@xos037.xos.nl> <1e1bb1f00407140740615c0121@mail.gmail.com> <20040719191347.A2537@xos037.xos.nl>
Message-ID: <1e1bb1f0040719121085f7b92@mail.gmail.com>

On Mon, 19 Jul 2004 19:13:47 +0200, Jos Vos wrote:
> > What this tells you is that the only field of the X509Name that
> > actually has a value is the CN field, or "common name".
>
> This actually works, thanks, but "common_name" or any of the other
> listed members (in the docs section 3.1.2) does not work, also
> not if the related fields exist (tested with another certificate).
>
> So, is the documentation here indeed incorrect?

The documentation is, indeed, NOT correct. :-(

The correct list of short and full names is:

C  - countryName
L  - localityName
ST - stateOrProvinceName
O  - organizationName
OU - organizationalUnitName
CN - commonName
emailAddress (no short name)

These are just looked up in openssl by using OBJ_txt2nid and I don't
really know if anything's changed in openssl or if this is just a
general fuckup by me, but these seven work with openssl 0.9.7.

> > There are, of course, properties of the certificate itself that you
> > could check, like whether it has expired and so forth.
>
> Could you point me to some code examples?

Well, there's cert.has_expired(), cert.gmtime_adj_not{Before,After}
and stuff, but I don't have any example snippets as such.

> Related to this: how do I load a revocation list (CRL) in the Python
> interface? I tried to load a CRL file with load_verify_locations(),
> which does not seem to produce an error, but also doesn't refuse the
> revoked certificates afterwards.

To be honest with you, I don't know, I haven't worked with CRLs (which
means it's a good bet it doesn't work at all in pyopenssl... patches
welcome :)

/Martin
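An added example, not code from the thread or from pyOpenSSL itself: it reads subject fields through the short names Martin lists (C, ST, L, O, OU, CN, emailAddress), wires has_expired() into a verify callback with the set_verify() signature from Jos's first mail, and exercises it against a self-signed certificate the script generates. It assumes the current OpenSSL.crypto API (X509, PKey, X509Name); EXPECTED_CN and EXPECTED_O are constructed placeholder values.

```python
# Added example (not from the thread): the X509Name short names and a verify
# callback that also enforces expiry and the expected leaf identity.
from OpenSSL import crypto

# Constructed placeholders; a real deployment pins its own expected identity.
EXPECTED_CN = "client.example.test"
EXPECTED_O = "Example Org"
# The seven names that resolve via OBJ_txt2nid; "common_name" does not.
SHORT_NAMES = ("C", "ST", "L", "O", "OU", "CN", "emailAddress")


def subject_fields(cert):
    """Subject as a dict keyed by short name; absent fields come back as None."""
    name = cert.get_subject()
    return {key: getattr(name, key) for key in SHORT_NAMES}


def verify_cb(conn, cert, errnum, depth, ok):
    """Callback for Context.set_verify(); the return value accepts or rejects."""
    if not ok:                      # OpenSSL already failed this step (errnum says why)
        return False
    if cert.has_expired():          # notAfter is in the past
        return False
    if depth == 0:                  # leaf certificate: pin the expected identity
        fields = subject_fields(cert)
        return fields["CN"] == EXPECTED_CN and fields["O"] == EXPECTED_O
    return True                     # CA certificates higher in the chain


def make_self_signed(cn, org, days_valid):
    """Constructed test certificate; days_valid < 0 yields an already-expired one."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    subject = cert.get_subject()
    subject.C = "NL"
    subject.O = org
    subject.CN = cn
    cert.set_issuer(subject)
    cert.set_serial_number(1)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(days_valid * 86400)
    cert.set_pubkey(key)
    cert.sign(key, "sha256")
    return cert


if __name__ == "__main__":
    good = make_self_signed(EXPECTED_CN, EXPECTED_O, 1)
    print(subject_fields(good))                      # OU, ST, L, emailAddress are None
    print(verify_cb(None, good, 0, 0, 1))            # True: chain ok, not expired, pinned
    print(verify_cb(None, make_self_signed(EXPECTED_CN, EXPECTED_O, -1), 0, 0, 1))  # False
```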