
classification
Title: ssl.get_server_certificate new line missing
Type: behavior Stage: resolved
Components: Library (Lib) Versions: Python 3.1, Python 3.2, Python 2.7, Python 2.6
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: janssen, kylev, offero, pitrou, r.david.murray
Priority: normal Keywords: easy, patch

Created on 2010-03-07 17:56 by offero, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Files
File name: python-ssl-PEM_FOOTER.patch Uploaded: kylev, 2010-03-27 01:22 Description: Add PEM footer newline, test both header and footer
Messages (6)
msg100595 - Author: Chris (offero) Date: 2010-03-07 17:56
I'm using ssl.get_server_certificate function. It returns a pem string. For each server I try, I get the string, but it is missing a newline "\n" before the -----END CERTIFICATE----- text. Any subsequent use of the string makes openssl throw up with a "bad end line" error.

ssl.PEM_cert_to_DER_cert can be used, and, subsequently the der string can be used elsewhere.

Example:
>>> fncert = ssl.get_server_certificate(("freenode.net", 443), 3)
>>> fncert
'-----BEGIN CERTIFICATE-----\nMIICFTCCAX6gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBVMRswGQYDVQQKExJBcGFj\naGUgSFRUUCBTZXJ2ZXIxIjAgBgNVBAsTGUZvciB0ZXN0aW5nIHB1cnBvc2VzIG9u\nbHkxEjAQBgNVBAMTCWxvY2FsaG9zdDAeFw0wNzA1MDkxODM2MjVaFw0wODA1MDgx\nODM2MjVaMEwxGzAZBgNVBAoTEkFwYWNoZSBIVFRQIFNlcnZlcjEZMBcGA1UECxMQ\nVGVzdCBDZXJ0aWZpY2F0ZTESMBAGA1UEAxMJbG9jYWxob3N0MIGfMA0GCSqGSIb3\nDQEBAQUAA4GNADCBiQKBgQDYqJO6X9uwU0AyJ6H1WgYCZOqpZvdI96/LaDumT4Tl\nD6QvmXzAbM4okSHU3FEuSqR/tNv+eT5IZJKHVsXh0CiDduIYkLdqkLhEAbixjX/1\nfdCtGL4X0l42LqhK4TMFT5AxxsP1qFDXDvzl/yjxo9juVuZhCeqFr1YDKBffCIAn\ncwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAG0zi/KyzHxSsLHfrwTFh9330TaGj/3H\nuvhmBUPC3FOxbIH2y5CG/Ddg46756cfaxKKiqJV3I4dAgatQybE65ELc3wOWgs4v\n4VDGsFKbkmBLuCgnFaY+p4xvr2XL+bJmpm8+IQqW5Ob/OUSl7Vj4btHhF6VK29CI\n+DexDLRI0KqZ-----END CERTIFICATE-----\n'

Notice no "\n" before -----END CERTIFICATE-----\n

Platform: 
Linux x64
python 2.6.4
msg100597 - Author: Chris (offero) Date: 2010-03-07 18:17
Did some more research and found this as the culprit:

in Lib/ssl.py

#############################
...
def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None):
...
    return DER_cert_to_PEM_cert(dercert)

def DER_cert_to_PEM_cert(der_cert_bytes):

    """Takes a certificate in binary DER format and returns the
    PEM version of it as a string."""

    if hasattr(base64, 'standard_b64encode'):
        # preferred because older API gets line-length wrong
        f = base64.standard_b64encode(der_cert_bytes)
        return (PEM_HEADER + '\n' +
                textwrap.fill(f, 64) +
                PEM_FOOTER + '\n')
    else:
        return (PEM_HEADER + '\n' +
                base64.encodestring(der_cert_bytes) +
                PEM_FOOTER + '\n')

############################

Notice no '\n' before the PEM_FOOTER
msg100599 - Author: R. David Murray (r.david.murray) * (Python committer) Date: 2010-03-07 18:27
I think that's because encodestring tacks a 'courtesy newline' on to the end of the output it returns.  textwrap.fill doesn't, and I'm guessing that's the code path that your installation is taking.
msg101817 - Author: Kyle VanderBeek (kylev) Date: 2010-03-27 01:25
Forgot to note that my patch is against 2.7 current trunk.
msg104366 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-04-27 21:37
This looks reasonable enough.
msg104374 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-04-27 22:10
Fixed in r80557 (trunk) and r80558 (2.6). 3.1 and 3.2 weren't affected, but I still merged in the additional tests. Thank you!
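
A reproduction of the defect discussed in this thread, added here as an example (it is not code from the tracker, the attached patch, or Lib/ssl.py). It rebuilds the textwrap.fill code path quoted in msg100597, shows that a strict PEM reader rejects the result, and repairs an already stored string. All function names and SAMPLE_DER are hypothetical, and the sample bytes are constructed, not a real certificate.

```python
import base64
import re
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed sample bytes standing in for a DER certificate (not a real cert).
SAMPLE_DER = bytes(range(256)) * 2


def der_to_pem_buggy(der):
    """Mirror the code path quoted in msg100597: footer fused to the base64."""
    b64 = base64.standard_b64encode(der).decode("ascii")
    # textwrap.fill() does not end its output with a newline.
    return PEM_HEADER + "\n" + textwrap.fill(b64, 64) + PEM_FOOTER + "\n"


def der_to_pem_fixed(der):
    """Same encoding with a newline before the footer (assumed form of the fix)."""
    b64 = base64.standard_b64encode(der).decode("ascii")
    return PEM_HEADER + "\n" + textwrap.fill(b64, 64) + "\n" + PEM_FOOTER + "\n"


def footer_on_own_line(pem):
    """True when the END marker occupies a whole line."""
    return PEM_FOOTER in pem.splitlines()


def repair_pem(pem):
    """Insert the missing newline when the footer is glued to base64 data."""
    return re.sub(r"(?<!\n)" + re.escape(PEM_FOOTER), "\n" + PEM_FOOTER, pem)


def pem_to_der_strict(pem):
    """Decode PEM, rejecting input whose header or footer is not a full line."""
    lines = pem.strip().splitlines()
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("bad PEM framing (header/footer not on own line)")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


if __name__ == "__main__":
    broken = der_to_pem_buggy(SAMPLE_DER)
    print(footer_on_own_line(broken), footer_on_own_line(repair_pem(broken)))
```

Running repair_pem over certificates saved by an affected interpreter makes them loadable by strict parsers without refetching them.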
History
Date User Action Args
2022-04-11 14:56:58 admin set github: 52333
2010-04-27 22:10:04 pitrou set status: open -> closed; resolution: fixed; messages: + msg104374; stage: patch review -> resolved
2010-04-27 21:37:46 pitrou set nosy: + pitrou; messages: + msg104366; stage: test needed -> patch review
2010-03-27 01:25:14 kylev set nosy: + kylev; messages: + msg101817
2010-03-27 01:22:30 kylev set files: + python-ssl-PEM_FOOTER.patch; keywords: + patch
2010-03-07 18:30:48 r.david.murray set nosy: + janssen
2010-03-07 18:27:20 r.david.murray set versions: + Python 3.1, Python 2.7, Python 3.2
2010-03-07 18:27:06 r.david.murray set priority: normal; components: + Library (Lib); keywords: + easy; nosy: + r.david.murray; messages: + msg100599; stage: test needed
2010-03-07 18:17:50 offero set messages: + msg100597
2010-03-07 17:56:27 offero create