[Python-Dev] frozenset C API?

Bill Janssen janssen at parc.com
Thu Sep 6 20:15:16 CEST 2007


> When you say "the full DER form", are you simply referring to the full blob, or a broken-down representation by key and by extension?

The full blob.

> This begs the question: M2Crypto and PyOpenSSL already do what you're proposing to do, as far as I can tell, and are, as you say, "more powerful".

I'm trying to give the application the ability to do some level of authorization without requiring either of those packages. Like being able to tell who's on the other side of the connection :-). Right now, I think the right fields to expose are

"subject" (I see little point to exposing "issuer"),

"notAfter" (you're always guaranteed to be after "notBefore", or the cert wouldn't validate, so I see little point to exposing that, but "notAfter" can be used after the connection has been established),

subjectAltName if present,

and perhaps the certificate's serial number.

I don't see how the other fields in the cert can be profitably used. Anything else you want, you can pull over the DER blob and look into it.

> PyOpenSSL, in particular, is both a popular de-facto standard and almost completely unmaintained; Python's standard library could absorb/improve it with little fuss.

Good idea, go for it! A full wrapper for OpenSSL is beyond the scope of my ambition; I'm simply trying to add a simple fix to what's already in the standard library.

Bill
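
Added example, not part of the original message: a post-handshake authorization check built only on the fields listed above (subject, notAfter, subjectAltName, serial number). It assumes the dictionary shape returned by the standard library's ssl.SSLSocket.getpeercert(); the sample certificate, the allow list and the function names are constructed for illustration.

```python
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# every value here is made up for illustration.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "client-17.example.org"),)),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "client-17.example.org"),
                       ("email", "ops@example.org")),
    "serialNumber": "0A1B2C",
}

def peer_identities(cert):
    """Return the set of host names the certificate asserts for the peer."""
    names = {value for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"}
    if not names:
        # Fall back to the subject commonName only when no DNS SAN exists.
        for rdn in cert.get("subject", ()):
            names.update(v for k, v in rdn if k == "commonName")
    return names

def authorize_peer(cert, allowed_names, revoked_serials=(), now=None):
    """Hypothetical application-level check; returns (ok, detail)."""
    if not cert:
        # None or {} means no certificate was presented or none was validated.
        return False, "no validated certificate"
    now = time.time() if now is None else now
    # notAfter stays useful after the handshake, e.g. on long-lived connections.
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return False, "certificate expired"
    if cert.get("serialNumber") in revoked_serials:
        return False, "serial revoked"
    matched = peer_identities(cert) & set(allowed_names)
    if not matched:
        return False, "peer not in allow list"
    return True, sorted(matched)[0]
```
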


