This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: X509 cert class for ssl module
Type: enhancement Stage: patch review
Components: Extension Modules, SSL Versions: Python 3.8
Status: open Resolution:
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: christian.heimes, cvrebert, maker, ned.deily, pitrou, underrun
Priority: normal Keywords: patch

Created on 2013-07-05 20:10 by christian.heimes, last changed 2022-04-11 14:57 by admin.

File name Uploaded Description Edit
ssl_pyx509cert.patch christian.heimes, 2013-07-05 20:10 review
ssl_pyx509cert_match_hostname_fix.patch underrun, 2013-07-26 22:40 review
Pull Requests
URL Status Linked Edit
PR 5162 open christian.heimes, 2018-01-12 08:54
Messages (14)
msg192353 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-07-05 20:10
I'm working on a X509 certificate class for the SSL module. Eventually methods like getpeercert() are going to return X509 instances and the Python interface can decide if it should return a dict, DER bytes or whatever. IMHO it's a mandatory requirement for OCSP support, too.

The patch contains a very real proof of concept.
msg192354 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-07-05 20:12
Yeah, this is probably inevitable. Major concern is how to maintain compatibility with getpeercert() currently returning a dict. Should we make X509 a dict subclass? (yikes :-))
msg192361 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-07-05 21:10
A dict subclass? Oh heck ...

I have slightly different plans. But first, do you agree that the _ssl C extension and all its methods are consider an internal API? How about the _ssl module's method returns X509 objects and the Python module calls methods on the X509 object like get_info() -> dict or get_der() -> bytes?
msg192362 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-07-05 21:12
> I have slightly different plans. But first, do you agree that the _ssl
> C extension and all its methods are consider an internal API? How
> about the _ssl module's method returns X509 objects and the Python
> module calls methods on the X509 object like get_info() -> dict or
> get_der() -> bytes?

Sounds fine, yes.
msg193762 - (view) Author: Derek Wilson (underrun) Date: 2013-07-26 22:40
For ssl.match_hostname to work with this, you need to get the info dict first. I've attached at patch for it.
msg193940 - (view) Author: Derek Wilson (underrun) Date: 2013-07-30 16:49
actually, i suppose rather than change a bunch of existing functions/methods to handle X509 certs it would make more sense to add new methods to the X509 cert class (like match_hostname) so that old stuff doesn't break.
msg200762 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-10-21 12:23
Bump up my priority. I'd like to get the feature into 3.4 as a foundation for some of my other improvements of the SSL module.
msg203166 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-11-17 14:19
The feature won't be ready for 3.4. I'll work on a PEP for 3.5
msg242605 - (view) Author: Mark Lawrence (BreamoreBoy) * Date: 2015-05-05 18:35
Presumably too late for 3.5 so do we bump this to 3.6?  Alternatively could the Derek Wilson patch make 3.5, there's nearly three weeks until beta 1 is due on 24th May according to ?
msg242606 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2015-05-05 18:45
I've a mostly working prototype at . It's missing documentation, more tests and I have to port it to argument clinic.
msg309842 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-01-12 09:27
API example:

>>> import ssl

>>> chain = ssl.Certificate.chain_from_file("Lib/test/ssl_cert.pem")
>>> cas = ssl.Certificate.bundle_from_file("Lib/test/pycacert.pem")
>>> pkey = ssl.PrivateKey.from_file("Lib/test/ssl_key.passwd.pem")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ssl.SSLError: [PEM: BAD_PASSWORD_READ] bad password read (_ssl.c:58)
>>> pkey = ssl.PrivateKey.from_file("Lib/test/ssl_key.passwd.pem", password="somepass")

>>> chain
(<_ssl.Certificate '/C=XY/L=Castle Anthrax/O=Python Software Foundation/CN=localhost'>,)
>>> cas
[<_ssl.Certificate '/C=XY/O=Python Software Foundation CA/CN=our-ca-server'>]

>>> ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
>>> ctx.load_cert_chain(chain, pkey)
>>> ctx.load_verify_locations(cadata=cas)
msg309844 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-01-12 09:41
More examples:

>>> import ssl, socket, pprint
>>> ctx = ssl.create_default_context()
>>> sock = ctx.wrap_socket(socket.socket(), server_hostname="")
>>> sock.connect(("", 443))
>>> pprint.pprint(sock._sslobj._sslobj.verified_chain())
(<_ssl.Certificate '/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=3359300/street=16 Allen Rd/postalCode=03894-4801/C=US/ST=New Hampshire/L=Wolfeboro/O=Python Software Foundation/'>,
 <_ssl.Certificate '/C=US/O=DigiCert Inc/ SHA2 Extended Validation Server CA'>,
 <_ssl.Certificate '/C=US/O=DigiCert Inc/ High Assurance EV Root CA'>)

>>> eecert = sock._sslobj._sslobj.verified_chain()[0]
>>> eecert.check_hostname('')
>>> eecert.check_hostname('')

>>> cert = ssl.Certificate.from_file('wildcards-combined.rsa.pem')
>>> pprint.pprint(cert.get_info())
{'OCSP': ('',),
 'caIssuers': ('',),
 'crlDistributionPoints': ('',),
 'issuer': ((('countryName', 'XZ'),),
            (('stateOrProvinceName', 'Holy Grail'),),
            (('organizationName', 'Castle Anthrax'),),
            (('organizationalUnitName', 'Python Software Foundation'),),
            (('commonName', 'Python Tests Intermediate CA'),)),
 'notAfter': 'Jan  1 12:00:00 2027 GMT',
 'notBefore': 'Jan  1 12:00:00 2017 GMT',
 'serialNumber': '0A',
 'subject': ((('countryName', 'XZ'),),
             (('stateOrProvinceName', 'Holy Grail'),),
             (('organizationName', 'Castle Anthrax'),),
             (('organizationalUnitName', 'Python Software Foundation'),),
             (('commonName', 'Wildcards in SAN'),)),
 'subjectAltName': (('DNS', '*'),
                    ('DNS', 'www*'),
                    ('DNS', 'x*')),
 'version': 3}
>>> cert.check_hostname('')
msg310991 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2018-01-28 21:02
At Christian's request and considering the importance of the ssl module, I'm going to allow an extension for landing of this feature until 3.7.0b2, currently scheduled for 2018-02-26.  If anyone else can help Christian get this in before b2, that would be great.
msg312850 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-02-25 20:14
I won't be able to land this in time for b2. It's most done but not production ready. I have only a limited amount of time and will use it to fix TLS 1.3 bits and pieces.

Rescheduling for 3.8
Date User Action Args
2022-04-11 14:57:47adminsetgithub: 62569
2018-02-25 20:14:01christian.heimessetpriority: deferred blocker -> normal

messages: + msg312850
versions: - Python 3.7
2018-01-28 21:02:35ned.deilysetpriority: high -> deferred blocker
versions: + Python 3.8
nosy: + ned.deily

messages: + msg310991
2018-01-12 09:41:16christian.heimessetmessages: + msg309844
2018-01-12 09:27:21christian.heimessetmessages: + msg309842
2018-01-12 08:54:59christian.heimessetpull_requests: + pull_request5018
2016-09-15 07:53:09christian.heimessetassignee: christian.heimes
components: + SSL
2016-09-08 15:42:27christian.heimessetversions: + Python 3.7, - Python 3.5
2016-06-12 20:35:13BreamoreBoysetnosy: - BreamoreBoy
2016-06-12 11:23:21christian.heimessetassignee: christian.heimes -> (no value)
2015-05-05 18:45:39christian.heimessetmessages: + msg242606
2015-05-05 18:35:45BreamoreBoysetnosy: + BreamoreBoy
messages: + msg242605
2013-11-17 14:19:34christian.heimessetmessages: + msg203166
versions: + Python 3.5, - Python 3.4
2013-10-21 12:23:28christian.heimessetpriority: normal -> high
assignee: christian.heimes
messages: + msg200762

stage: patch review
2013-07-30 16:49:06underrunsetmessages: + msg193940
2013-07-26 22:40:50underrunsetfiles: + ssl_pyx509cert_match_hostname_fix.patch
nosy: + underrun
messages: + msg193762

2013-07-12 16:44:30cvrebertsetnosy: + cvrebert
2013-07-05 21:12:17pitrousetmessages: + msg192362
2013-07-05 21:10:21christian.heimessetmessages: + msg192361
2013-07-05 20:52:21makersetnosy: + maker
2013-07-05 20:12:22pitrousetmessages: + msg192354
2013-07-05 20:10:37christian.heimescreate