classification
Title: SSLSocket.getpeercert(): OCSP and CRL DP URIs
Type: enhancement Stage: resolved
Components: Extension Modules Versions: Python 3.4
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: christian.heimes, pitrou, python-dev
Priority: normal Keywords: patch

Created on 2013-07-06 12:30 by christian.heimes, last changed 2014-03-09 19:17 by python-dev. This issue is now closed.

Files
File name Uploaded Description Edit
ssl_ocsp_crldp.patch christian.heimes, 2013-07-06 22:39 review
ssl_ocsp_crldp2.patch christian.heimes, 2013-07-18 11:50 review
Messages (10)
msg192426 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-07-06 12:30
The patch implements OCSP and CRL distribution point access for getpeercert(). I'll add tests and doc updates later.

Output for https://info.pca.dfn.de/

{'OCSP': ('http://ocsp.pca.dfn.de/OCSP-Server/OCSP',),
 'crlDistributionPoints': ('http://cdp1.pca.dfn.de/global-services-ca/pub/crl/cacrl.crl',
                           'http://cdp2.pca.dfn.de/global-services-ca/pub/crl/cacrl.crl'),
 'issuer': ((('countryName', 'DE'),),
            (('organizationName', 'DFN-Verein'),),
            (('organizationalUnitName', 'DFN-PKI'),),
            (('commonName', 'DFN-Verein CA Services'),)),
 'notAfter': 'Oct 18 09:07:09 2014 GMT',
 'notBefore': 'Oct 19 09:07:09 2009 GMT',
 'serialNumber': '0EFBA9CC',
 'subject': ((('countryName', 'DE'),),
             (('organizationName', 'DFN-Verein'),),
             (('organizationalUnitName', 'DFN-PKI'),),
             (('commonName', 'info.pca.dfn.de'),)),
 'version': 3}
msg192495 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-07-06 22:39
Updated patch with test, doc updates and a third field. I have added CDP and two AIA URIs: crlDistributionPoints, caIssuers and OCSP
msg193277 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-07-18 10:06
Do you have to put those certs in capath? Things would probably be simpler if you didn't have to trigger capath loading using an actual SSL connection.
Also, please a versionadded tag in the doc entry.
msg193283 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-07-18 11:50
It's just one certificate. The hash format of OpenSSL has changed over the years so we have to duplicate all certificates. But I don't need the extra stuff. I figured out that the Nokia test certificate has all new fields.

My initial patch has a versionchanged doc update. Did you have too much French wine again? *scnr* :)
msg193285 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-07-18 12:27
> It's just one certificate.

Indeed, it's just the decision to use capath that I'm arguing with.

> My initial patch has a versionchanged doc update. Did you have too
> much French wine again? *scnr* :)

Not *too much*, no ;-)
msg203188 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-11-17 14:59
Are you satisfied with my patch? I'd like to commit it before beta 1
msg203566 - (view) Author: Roundup Robot (python-dev) Date: 2013-11-21 02:40
New changeset 468d18bffdea by Christian Heimes in branch 'default':
Issue #18379: SSLSocket.getpeercert() returns CA issuer AIA fields, OCSP
http://hg.python.org/cpython/rev/468d18bffdea
msg203567 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-11-21 02:41
memo to me: update whatsnew
msg203639 - (view) Author: Roundup Robot (python-dev) Date: 2013-11-21 15:27
New changeset 40bfddda43d4 by Christian Heimes in branch 'default':
Issue #19682: Fix compatibility issue with old version of OpenSSL that
http://hg.python.org/cpython/rev/40bfddda43d4
msg212975 - (view) Author: Roundup Robot (python-dev) Date: 2014-03-09 19:17
New changeset 7885876b6503 by R David Murray in branch 'default':
whatsnew: SSLSocket.getpeercert new values returned. (#18379)
http://hg.python.org/cpython/rev/7885876b6503
History
Date User Action Args
2014-03-09 19:17:43python-devsetmessages: + msg212975
2013-12-22 20:47:36pitrousetstatus: open -> closed
2013-11-21 15:27:41python-devsetstatus: pending -> open

messages: + msg203639
2013-11-21 02:41:01christian.heimessetstatus: open -> pending
messages: + msg203567

assignee: christian.heimes
resolution: fixed
stage: patch review -> resolved
2013-11-21 02:40:29python-devsetnosy: + python-dev
messages: + msg203566
2013-11-17 14:59:07christian.heimessetmessages: + msg203188
2013-07-18 12:27:10pitrousetmessages: + msg193285
2013-07-18 11:50:49christian.heimessetfiles: + ssl_ocsp_crldp2.patch

messages: + msg193283
2013-07-18 10:06:17pitrousetmessages: + msg193277
2013-07-06 22:39:11christian.heimessetfiles: - ssl_ocsp_crldp.patch
2013-07-06 22:39:03christian.heimessetfiles: + ssl_ocsp_crldp.patch

messages: + msg192495
2013-07-06 12:30:20christian.heimescreate