[Python-Dev] frozenset C API? (original) (raw)

"Martin v. Löwis" martin at v.loewis.de
Thu Sep 6 08:46:50 CEST 2007

It's actually easier to do all or nothing. I'm tempted to just report 'critical' extensions. Simpler to provide them all

I very much doubt that, at least if you want to report decoded information. Conceptually, there is an infinite number of extensions, and when you are done, I can show you lots of certificates that have extensions that you don't support.

This certificate has already been validated; the issue is how to get critical information to the app so it can make authorization decisions (like subjectAltName when the subject field is empty)

{'extensions': {'1.3.6.1.5.5.7.1.12': u'', 'Authority Information Access': u'OCSP - URI:http://EVIntl-ocsp.verisign.com\n', 'X509v3 Authority Key Identifier': u'keyid:4E:43:C8:1D:76:EF:37:53:7A:4F:F2:58:6F:94:F3:38:E2:D5:BD:DF\n', 'X509v3 Basic Constraints': u'CA:FALSE', 'X509v3 CRL Distribution Points': u'URI:http://EVIntl-crl.verisign.com/EVIntl2006.crl\n', 'X509v3 Certificate Policies': u'Policy: 2.16.840.1.113733.1.7.23.6\n', 'X509v3 Extended Key Usage': u'TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto', 'X509v3 Key Usage': u'Digital Signature, Key Encipherment', 'X509v3 Subject Key Identifier': u'F1:5A:89:93:55:47:4B:BA:51:F5:4E:E0:CB:16:55:F4:D7:CC:38:67'},

Hmm. In this certificate, none of the extensions you report have been marked critical; they are all non-critical.

Also, you are reporting the logotype (1.3.6.1.5.5.7.1.12) incorrectly; it's defined in RFC 3709, and it's definitely not an empty string in the certificate you've used.

Regards, Martin

More information about the Python-Dev mailing list