classification
Title: SSL: diagnostic functions to list loaded CA certs
Type: enhancement Stage: resolved
Components: Extension Modules Versions: Python 3.4
process
Status: open Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: brett.cannon, christian.heimes, pitrou, python-dev, r.david.murray
Priority: normal Keywords: patch

Created on 2013-06-06 10:19 by christian.heimes, last changed 2014-01-21 23:29 by r.david.murray.

Files
File name Uploaded Description Edit
ssl_ca_stats.patch christian.heimes, 2013-06-06 10:19 review
ssl_ca_stats2.patch christian.heimes, 2013-06-11 23:25 review
ssl_ca_stats3.patch christian.heimes, 2013-06-16 20:05 review
Messages (6)
msg190709 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-06-06 10:19
The patch adds two methods to SSLContext which return information about loaded x509 certs, CRL and CAs. 

Example:

>>> ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> ctx.load_verify_locations(SVN_PYTHON_ORG_ROOT_CERT)
>>> ctx.cert_store_stats()
{'crl': 0, 'x509': 1}
>>> ctx.get_ca_list()
[{'issuer': ((('organizationName', 'Root CA'),),
             (('organizationalUnitName', 'http://www.cacert.org'),),
             (('commonName', 'CA Cert Signing Authority'),),
             (('emailAddress', 'support@cacert.org'),)),
  'notAfter': 'Mar 29 12:29:49 2033 GMT',
  'notBefore': 'Mar 30 12:29:49 2003 GMT',
  'serialNumber': '00',
  'subject': ((('organizationName', 'Root CA'),),
              (('organizationalUnitName', 'http://www.cacert.org'),),
              (('commonName', 'CA Cert Signing Authority'),),
              (('emailAddress', 'support@cacert.org'),)),
  'version': 3}]
msg190998 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-06-11 23:25
New patch

* method has been renamed to get_ca_list() and returns only CA certs
* get_ca_list(binary_form=True) returns CA certs in DER format
* cert_store_stats() returns three elements: X.509 CA cert count, X.509 non-CA count and CRL count
msg191285 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-06-16 20:05
Updated patch with Antoine's review:

* method is now called get_ca_certs()
* cert_store_stats() returns total amount of X.509 as 'x509' key and X.509 certs with CA purpose in 'x509_ca'.
* documentation
msg191334 - (view) Author: Roundup Robot (python-dev) Date: 2013-06-17 13:45
New changeset 38e759e4c9e6 by Christian Heimes in branch 'default':
Issue #18147: Add diagnostic functions to ssl.SSLContext().
http://hg.python.org/cpython/rev/38e759e4c9e6
msg203710 - (view) Author: Roundup Robot (python-dev) Date: 2013-11-22 01:23
New changeset ae0734493f6b by Christian Heimes in branch 'default':
Issue #18147: Add missing documentation for SSLContext.get_ca_certs().
http://hg.python.org/cpython/rev/ae0734493f6b
msg208720 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2014-01-21 23:29
It looks like the doc for get_ca_certs wasn't missing, so now it appears twice in the docs.  I'm not sure which is the preferred wording, so I'll leave it to Christian to fix it.
History
Date User Action Args
2014-01-21 23:29:16r.david.murraysetstatus: closed -> open
nosy: + r.david.murray
messages: + msg208720

2013-11-22 01:23:49python-devsetmessages: + msg203710
2013-06-17 13:58:43christian.heimessetstatus: open -> closed
stage: commit review -> resolved
2013-06-17 13:45:51christian.heimessetresolution: fixed
stage: patch review -> commit review
2013-06-17 13:45:20python-devsetnosy: + python-dev
messages: + msg191334
2013-06-17 11:55:30pitroulinkissue18233 dependencies
2013-06-16 20:05:54christian.heimessetfiles: + ssl_ca_stats3.patch

messages: + msg191285
2013-06-11 23:25:33christian.heimessetfiles: + ssl_ca_stats2.patch

messages: + msg190998
2013-06-06 10:19:29christian.heimescreate