Author nagle
Recipients nagle
Date 2014-11-14.18:03:25
Message-id <1415988206.94.0.332443874226.issue22873@psf.upfronthosting.co.za>
Content
In each revision of "getpeercert", a few more fields are returned. Python 3.2 added "issuer" and "notBefore". Python 3.4 added "crlDistributionPoints", "caIssuers", and OCSP URLs. But some fields still aren't returned. I happen to need CertificatePolicies, which is how you distinguish DV, OV, and EV certs.

   Here's what you get now from "getpeercert()" for "bankofamerica.com":

{'OCSP': ('http://EVSecure-ocsp.verisign.com',),
 'caIssuers': ('http://EVSecure-aia.verisign.com/EVSecure2006.cer',),
 'crlDistributionPoints': ('http://EVSecure-crl.verisign.com/EVSecure2006.crl',),
 'issuer': ((('countryName', 'US'),),
            (('organizationName', 'VeriSign, Inc.'),),
            (('organizationalUnitName', 'VeriSign Trust Network'),),
            (('organizationalUnitName',
              'Terms of use at https://www.verisign.com/rpa (c)06'),),
            (('commonName', 'VeriSign Class 3 Extended Validation SSL CA'),)),
 'notAfter': 'Mar 22 23:59:59 2015 GMT',
 'notBefore': 'Feb 20 00:00:00 2014 GMT',
 'serialNumber': '69A7BC85C106DDE1CF4FA47D5ED813DC',
 'subject': ((('1.3.6.1.4.1.311.60.2.1.3', 'US'),),
             (('1.3.6.1.4.1.311.60.2.1.2', 'Delaware'),),
             (('businessCategory', 'Private Organization'),),
             (('serialNumber', '2927442'),),
             (('countryName', 'US'),),
             (('postalCode', '60603'),),
             (('stateOrProvinceName', 'Illinois'),),
             (('localityName', 'Chicago'),),
             (('streetAddress', '135 S La Salle St'),),
             (('organizationName', 'Bank of America Corporation'),),
             (('organizationalUnitName', 'Network Infrastructure'),),
             (('commonName', 'www.bankofamerica.com'),)),
 'subjectAltName': (('DNS', 'mobile.bankofamerica.com'),
                    ('DNS', 'www.bankofamerica.com')),
 'version': 3}

Missing fields (from Firefox's view of the cert) include:

 Certificate Policies:
    2.16.840.1.113733.1.7.23.6:
    Extended Validation (EV) SSL Server Certificate
    Certification Practice Statement pointer: https://www.verisign.com/cps
    (This tells you it's a valid EV cert).

 Certificate Basic Constraints:
    Is not a Certificate Authority
    (which means they can't issue more certs below this one)

 Extended Key Usage:
    TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)
    TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)
    (which means this cert is for web use, not email or code signing)

   How about just returning ALL the remaining fields and finishing the job, so this doesn't have to be fixed again?  Thanks.
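The three extensions the report lists (certificatePolicies, basicConstraints, extendedKeyUsage) are plain DER structures from RFC 5280, so a caller can recover them from the raw certificate that getpeercert(binary_form=True) already returns. The following is an added example written for this page; it is not code from the report, from CPython's ssl module, or from any library. It implements a minimal DER encoder/decoder, builds a constructed Extensions blob that mirrors the Firefox view quoted above (the EV policy OID, the CPS URL, a non-CA basicConstraints, and the two EKU OIDs are taken from the report; the critical flags and the EKU name table are assumptions), then parses that blob back out. The parser covers only the Extensions SEQUENCE, not a whole TBSCertificate, and the EV check only knows the single VeriSign policy OID from the report; a real EV decision needs the per-CA EV OID list browsers ship.

```python
"""Added example: walk the X.509 extensions that getpeercert() omits.
Not part of the bug report or of CPython; sample data is constructed."""

OID_CERT_POLICIES = "2.5.29.32"
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_EXT_KEY_USAGE = "2.5.29.37"
OID_CPS_QUALIFIER = "1.3.6.1.5.5.7.2.1"
EV_POLICY_OID = "2.16.840.1.113733.1.7.23.6"   # VeriSign EV policy OID quoted in the report
EKU_NAMES = {                                  # assumed label table for the EKU OIDs
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
}

# --- DER encoding (just enough to build the sample) ---------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

# --- DER decoding --------------------------------------------------------------
def read_tlv(buf, pos=0):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """All (tag, value) pairs directly inside a constructed value's body."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            if not arcs:                       # first byte packs arcs 1 and 2
                arcs.extend([2, val - 80] if val >= 80 else [val // 40, val % 40])
            else:
                arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Extensions ::= SEQUENCE OF Extension; Extension ::= SEQUENCE {
    extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    _, exts, _ = read_tlv(der)
    found = {}
    for _, ext in children(exts):
        fields = children(ext)
        oid = decode_oid(fields[0][1])
        critical = len(fields) == 3 and fields[1][1] == b"\xff"
        inner = children(read_tlv(fields[-1][1])[1])   # DER nested in the OCTET STRING
        if oid == OID_CERT_POLICIES:           # SEQUENCE OF PolicyInformation
            policies = []
            for _, pol in inner:
                parts, cps = children(pol), None
                for _, q in (children(parts[1][1]) if len(parts) > 1 else []):
                    qid, qval = children(q)    # PolicyQualifierInfo { id, qualifier }
                    if decode_oid(qid[1]) == OID_CPS_QUALIFIER:
                        cps = qval[1].decode("ascii")
                policies.append((decode_oid(parts[0][1]), cps))
            found["certificatePolicies"] = tuple(policies)
        elif oid == OID_BASIC_CONSTRAINTS:     # SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen INTEGER OPTIONAL }
            ca = any(t == 0x01 and v == b"\xff" for t, v in inner)
            path = next((int.from_bytes(v, "big") for t, v in inner if t == 0x02), None)
            found["basicConstraints"] = {"ca": ca, "pathLen": path, "critical": critical}
        elif oid == OID_EXT_KEY_USAGE:         # SEQUENCE OF KeyPurposeId
            found["extendedKeyUsage"] = tuple(EKU_NAMES.get(decode_oid(v), decode_oid(v)) for _, v in inner)
    return found

def is_ev(info, ev_policy_oids):
    """EV is asserted by a policy OID the issuing CA registered as EV; the set is per-CA."""
    return any(oid in ev_policy_oids for oid, _ in info.get("certificatePolicies", ()))

def build_sample_extensions():
    """Constructed sample mirroring the Firefox view in the report (not a real cert)."""
    cps = tlv(0x30, encode_oid(OID_CPS_QUALIFIER) + tlv(0x16, b"https://www.verisign.com/cps"))
    policy = tlv(0x30, encode_oid(EV_POLICY_OID) + tlv(0x30, cps))
    def ext(oid, critical, value):
        crit = tlv(0x01, b"\xff") if critical else b""
        return tlv(0x30, encode_oid(oid) + crit + tlv(0x04, value))
    return tlv(0x30,
               ext(OID_CERT_POLICIES, False, tlv(0x30, policy))
               + ext(OID_BASIC_CONSTRAINTS, True, tlv(0x30, b""))   # cA FALSE is the DER default, so omitted
               + ext(OID_EXT_KEY_USAGE, False,
                     tlv(0x30, encode_oid("1.3.6.1.5.5.7.3.1") + encode_oid("1.3.6.1.5.5.7.3.2"))))

if __name__ == "__main__":
    info = parse_extensions(build_sample_extensions())
    for k, v in info.items():
        print(k, v)
    print("EV:", is_ev(info, {EV_POLICY_OID}))
```

The same parse_extensions() would apply to the Extensions SEQUENCE inside a real TBSCertificate once it has been located (it is the [3] EXPLICIT element after subjectPublicKeyInfo), which is the step a production tool should delegate to an ASN.1 library rather than hand-rolling.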