msg192353
Author: Christian Heimes (christian.heimes)
Date: 2013-07-05 20:10
I'm working on an X509 certificate class for the SSL module. Eventually methods like getpeercert() are going to return X509 instances and the Python interface can decide if it should return a dict, DER bytes or whatever. IMHO it's a mandatory requirement for OCSP support, too. The patch contains a very real proof of concept.

msg192354
Author: Antoine Pitrou (pitrou)
Date: 2013-07-05 20:12
Yeah, this is probably inevitable. Major concern is how to maintain compatibility with getpeercert() currently returning a dict. Should we make X509 a dict subclass? (yikes :-))

msg192361
Author: Christian Heimes (christian.heimes)
Date: 2013-07-05 21:10
A dict subclass? Oh heck ... I have slightly different plans. But first, do you agree that the _ssl C extension and all its methods are considered an internal API? How about the _ssl module's methods return X509 objects and the Python module calls methods on the X509 object like get_info() -> dict or get_der() -> bytes?

msg192362
Author: Antoine Pitrou (pitrou)
Date: 2013-07-05 21:12
> I have slightly different plans. But first, do you agree that the _ssl
> C extension and all its methods are considered an internal API? How
> about the _ssl module's methods return X509 objects and the Python
> module calls methods on the X509 object like get_info() -> dict or
> get_der() -> bytes?

Sounds fine, yes.

msg193762
Author: Derek Wilson (underrun)
Date: 2013-07-26 22:40
For ssl.match_hostname to work with this, you need to get the info dict first. I've attached a patch for it.

msg193940
Author: Derek Wilson (underrun)
Date: 2013-07-30 16:49
Actually, I suppose rather than change a bunch of existing functions/methods to handle X509 certs, it would make more sense to add new methods to the X509 cert class (like match_hostname) so that old stuff doesn't break.

msg200762
Author: Christian Heimes (christian.heimes)
Date: 2013-10-21 12:23
Bump up my priority. I'd like to get the feature into 3.4 as a foundation for some of my other improvements of the SSL module.

msg203166
Author: Christian Heimes (christian.heimes)
Date: 2013-11-17 14:19
The feature won't be ready for 3.4. I'll work on a PEP for 3.5.

msg242605
Author: Mark Lawrence (BreamoreBoy)
Date: 2015-05-05 18:35
Presumably too late for 3.5, so do we bump this to 3.6? Alternatively, could the Derek Wilson patch make 3.5? There are nearly three weeks until beta 1, which is due on 24th May according to https://www.python.org/dev/peps/pep-0478/.

msg242606
Author: Christian Heimes (christian.heimes)
Date: 2015-05-05 18:45
I've a mostly working prototype at https://github.com/tiran/cpython/tree/feature/x509cert . It's missing documentation and more tests, and I have to port it to Argument Clinic.

msg309842
Author: Christian Heimes (christian.heimes)
Date: 2018-01-12 09:27
API example:

>>> import ssl
>>> chain = ssl.Certificate.chain_from_file("Lib/test/ssl_cert.pem")
>>> cas = ssl.Certificate.bundle_from_file("Lib/test/pycacert.pem")
>>> pkey = ssl.PrivateKey.from_file("Lib/test/ssl_key.passwd.pem")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ssl.SSLError: [PEM: BAD_PASSWORD_READ] bad password read (_ssl.c:58)
>>> pkey = ssl.PrivateKey.from_file("Lib/test/ssl_key.passwd.pem", password="somepass")
>>> chain
(<_ssl.Certificate '/C=XY/L=Castle Anthrax/O=Python Software Foundation/CN=localhost'>,)
>>> cas
[<_ssl.Certificate '/C=XY/O=Python Software Foundation CA/CN=our-ca-server'>]
>>> ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
>>> ctx.load_cert_chain(chain, pkey)
>>> ctx.load_verify_locations(cadata=cas)

msg309844
Author: Christian Heimes (christian.heimes)
Date: 2018-01-12 09:41
More examples:

>>> import ssl, socket, pprint
>>> ctx = ssl.create_default_context()
>>> sock = ctx.wrap_socket(socket.socket(), server_hostname="www.python.org")
>>> sock.connect(("www.python.org", 443))
>>> pprint.pprint(sock._sslobj._sslobj.verified_chain())
(<_ssl.Certificate '/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=3359300/street=16 Allen Rd/postalCode=03894-4801/C=US/ST=New Hampshire/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org'>,
 <_ssl.Certificate '/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA'>,
 <_ssl.Certificate '/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA'>)
>>> eecert = sock._sslobj._sslobj.verified_chain()[0]
>>> eecert.check_hostname('www.python.org')
'www.python.org'
>>> eecert.check_hostname('www.python.com')
False
>>> cert = ssl.Certificate.from_file('wildcards-combined.rsa.pem')
>>> pprint.pprint(cert.get_info())
{'OCSP': ('http://testca.pythontest.net/ca/ocsp/pysubca',),
 'caIssuers': ('http://testca.pythontest.net/ca/pysubca.cer',),
 'crlDistributionPoints': ('http://testca.pythontest.net/ca/pysubca.crl',),
 'issuer': ((('countryName', 'XZ'),),
            (('stateOrProvinceName', 'Holy Grail'),),
            (('organizationName', 'Castle Anthrax'),),
            (('organizationalUnitName', 'Python Software Foundation'),),
            (('commonName', 'Python Tests Intermediate CA'),)),
 'notAfter': 'Jan 1 12:00:00 2027 GMT',
 'notBefore': 'Jan 1 12:00:00 2017 GMT',
 'serialNumber': '0A',
 'subject': ((('countryName', 'XZ'),),
             (('stateOrProvinceName', 'Holy Grail'),),
             (('organizationName', 'Castle Anthrax'),),
             (('organizationalUnitName', 'Python Software Foundation'),),
             (('commonName', 'Wildcards in SAN'),)),
 'subjectAltName': (('DNS', '*.wildcard.pythontest.net'),
                    ('DNS', 'www*.wildcard-www.pythontest.net'),
                    ('DNS', 'x*.wildcard-x.pythontest.net')),
 'version': 3}
>>> cert.check_hostname('www.wildcard.pythontest.net')
'*.wildcard.pythontest.net'

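As an added example (not code from this thread or from the feature/x509cert branch), this is the hostname check that both Derek's match_hostname patch and the check_hostname() call above rely on, run over a dict in the shape of get_info()/getpeercert(); the certificate data is constructed from the wildcard example above, and the matching rules assume RFC 6125's leftmost-label-only wildcard, so partial patterns such as 'www*' are rejected rather than matched.

```python
import ipaddress

# Constructed sample in the get_info()/getpeercert() dict shape; the SAN
# values are copied from the wildcards-combined certificate in this thread.
SAMPLE_CERT = {
    'subject': ((('commonName', 'Wildcards in SAN'),),),
    'subjectAltName': (('DNS', '*.wildcard.pythontest.net'),
                       ('DNS', 'www*.wildcard-www.pythontest.net'),
                       ('DNS', 'x*.wildcard-x.pythontest.net')),
}


def _dns_pattern_matches(pattern, hostname):
    """Case-insensitive DNS-ID comparison. A '*' is accepted only as the
    whole leftmost label and matches exactly one label (RFC 6125 6.4.3)."""
    pat_labels = pattern.lower().split('.')
    host_labels = hostname.lower().split('.')
    if len(pat_labels) != len(host_labels) or not pat_labels[0]:
        return False
    if pat_labels[0] == '*':
        # Refuse wildcards broad enough to cover a whole TLD, e.g. '*.net'.
        if len(pat_labels) < 3:
            return False
        return pat_labels[1:] == host_labels[1:]
    if '*' in pattern:
        return False  # partial wildcards such as 'www*' are not honoured
    return pat_labels == host_labels


def check_hostname(cert_info, hostname):
    """Return the subjectAltName entry that matched hostname, or False.
    Only SAN entries are consulted; there is no fallback to the subject
    commonName, so a CN-only certificate never matches."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in cert_info.get('subjectAltName', ()):
        if kind == 'DNS' and ip is None and _dns_pattern_matches(value, hostname):
            return value
        if kind == 'IP Address' and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return value
            except ValueError:
                continue
    return False
```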
msg310991
Author: Ned Deily (ned.deily)
Date: 2018-01-28 21:02
At Christian's request and considering the importance of the ssl module, I'm going to allow an extension for landing of this feature until 3.7.0b2, currently scheduled for 2018-02-26. If anyone else can help Christian get this in before b2, that would be great.

msg312850
Author: Christian Heimes (christian.heimes)
Date: 2018-02-25 20:14
I won't be able to land this in time for b2. It's mostly done but not production ready. I have only a limited amount of time and will use it to fix TLS 1.3 bits and pieces. Rescheduling for 3.8.