Title: Re: SSLsocket.getpeercert - return ALL the fields of the certificate.
Type: Stage: resolved
Components: Library (Lib) Versions: Python 3.4
Status: closed Resolution: duplicate
Dependencies: Superseder: ssl.getpeercert() should include extensions
View: 20469
Assigned To: Nosy List: alex, christian.heimes, dstufft, giampaolo.rodola, janssen, nagle, pitrou
Priority: normal Keywords:

Created on 2014-11-14 18:03 by nagle, last changed 2016-04-18 17:40 by berker.peksag. This issue is now closed.

Messages (3)
msg231166 - (view) Author: John Nagle (nagle) Date: 2014-11-14 18:03
In each revision of "getpeercert", a few more fields are returned. Python 3.2 added "issuer" and "notBefore".  Python 3.4 added "crlDistributionPoints", "caIssuers", and OCSP URLS. But some fields
still aren't returned.  I happen to need CertificatePolicies, which is how you distinguish DV, OV, and EV certs.

   Here's what you get now from "getpeercert()" for "":

{'OCSP': ('',),
 'caIssuers': ('',),
 'issuer': ((('countryName', 'US'),),
            (('organizationName', 'VeriSign, Inc.'),),
            (('organizationalUnitName', 'VeriSign Trust Network'),),
              'Terms of use at (c)06'),),
            (('commonName', 'VeriSign Class 3 Extended Validation SSL
 'notAfter': 'Mar 22 23:59:59 2015 GMT',
 'notBefore': 'Feb 20 00:00:00 2014 GMT',
 'serialNumber': '69A7BC85C106DDE1CF4FA47D5ED813DC',
 'subject': ((('', 'US'),),
             (('', 'Delaware'),),
             (('businessCategory', 'Private Organization'),),
             (('serialNumber', '2927442'),),
             (('countryName', 'US'),),
             (('postalCode', '60603'),),
             (('stateOrProvinceName', 'Illinois'),),
             (('localityName', 'Chicago'),),
             (('streetAddress', '135 S La Salle St'),),
             (('organizationName', 'Bank of America Corporation'),),
             (('organizationalUnitName', 'Network Infrastructure'),),
             (('commonName', ''),)),
 'subjectAltName': (('DNS', ''),
                    ('DNS', '')),
 'version': 3}

Missing fields (from Firefox's view of the cert) include:

 Certificate Policies:
    Extended Validation (EV) SSL Server Certificate
    Certification Practice Statement pointer:
    (This tells you it's a valid EV cert).

 Certificate Basic Constraints:
    Is not a Certificate Authority
    (which means they can't issue more certs below this one)

 Extended Key Usage:
    TLS Web Server Authentication (
    TLS Web Client Authentication (
    (which means this cert is for web use, not email or code signing)

   How about just returning ALL the remaining fields and finishing the job, so this doesn't have to be fixed again?  Thanks.
msg231198 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-11-15 00:59
> How about just returning ALL the remaining fields and finishing the
> job, so this doesn't have to be fixed again?  Thanks.

Please learn some respect. You are not here to tell volunteers what they should work on.
And if you want to see things sped up, you can submit a patch.
msg231202 - (view) Author: John Nagle (nagle) Date: 2014-11-15 03:51
May be a duplicate of Issue 204679: "ssl.getpeercert() should include extensions"
Date User Action Args
2016-04-18 17:40:06berker.peksagsetstatus: open -> closed
superseder: ssl.getpeercert() should include extensions
resolution: duplicate
stage: resolved
2015-07-21 07:43:34ethan.furmansetnosy: - ethan.furman
2014-11-15 03:51:45naglesetmessages: + msg231202
2014-11-15 00:59:57pitrousetmessages: + msg231198
2014-11-14 18:19:26ethan.furmansetnosy: + ethan.furman
2014-11-14 18:04:15alexsetnosy: + janssen, pitrou, giampaolo.rodola, christian.heimes, alex, dstufft
2014-11-14 18:03:26naglecreate