[issue18369] X509 cert class for ssl module

2018-02-25 Thread Christian Heimes

Christian Heimes  added the comment:

I won't be able to land this in time for b2. It's mostly done but not production 
ready. I have only a limited amount of time and will use it to fix TLS 1.3 bits 
and pieces.

Rescheduling for 3.8

--
priority: deferred blocker -> normal
versions:  -Python 3.7

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue18369] X509 cert class for ssl module

2018-01-28 Thread Ned Deily

Ned Deily  added the comment:

At Christian's request and considering the importance of the ssl module, I'm 
going to allow an extension for landing of this feature until 3.7.0b2, 
currently scheduled for 2018-02-26.  If anyone else can help Christian get this 
in before b2, that would be great.

--
nosy: +ned.deily
priority: high -> deferred blocker
versions: +Python 3.8




[issue18369] X509 cert class for ssl module

2018-01-12 Thread Christian Heimes

Christian Heimes  added the comment:

More examples:

>>> import ssl, socket, pprint
>>> ctx = ssl.create_default_context()
>>> sock = ctx.wrap_socket(socket.socket(), server_hostname="www.python.org")
>>> sock.connect(("www.python.org", 443))
>>> pprint.pprint(sock._sslobj._sslobj.verified_chain())
(<_ssl.Certificate '/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=3359300/street=16 Allen Rd/postalCode=03894-4801/C=US/ST=New Hampshire/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org'>,
 <_ssl.Certificate '/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA'>,
 <_ssl.Certificate '/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA'>)

>>> eecert = sock._sslobj._sslobj.verified_chain()[0]
>>> eecert.check_hostname('www.python.org')
'www.python.org'
>>> eecert.check_hostname('www.python.com')
False

>>> cert = ssl.Certificate.from_file('wildcards-combined.rsa.pem')
>>> pprint.pprint(cert.get_info())
{'OCSP': ('http://testca.pythontest.net/ca/ocsp/pysubca',),
 'caIssuers': ('http://testca.pythontest.net/ca/pysubca.cer',),
 'crlDistributionPoints': ('http://testca.pythontest.net/ca/pysubca.crl',),
 'issuer': ((('countryName', 'XZ'),),
            (('stateOrProvinceName', 'Holy Grail'),),
            (('organizationName', 'Castle Anthrax'),),
            (('organizationalUnitName', 'Python Software Foundation'),),
            (('commonName', 'Python Tests Intermediate CA'),)),
 'notAfter': 'Jan  1 12:00:00 2027 GMT',
 'notBefore': 'Jan  1 12:00:00 2017 GMT',
 'serialNumber': '0A',
 'subject': ((('countryName', 'XZ'),),
             (('stateOrProvinceName', 'Holy Grail'),),
             (('organizationName', 'Castle Anthrax'),),
             (('organizationalUnitName', 'Python Software Foundation'),),
             (('commonName', 'Wildcards in SAN'),)),
 'subjectAltName': (('DNS', '*.wildcard.pythontest.net'),
                    ('DNS', 'www*.wildcard-www.pythontest.net'),
                    ('DNS', 'x*.wildcard-x.pythontest.net')),
 'version': 3}
>>> cert.check_hostname('www.wildcard.pythontest.net')
'*.wildcard.pythontest.net'

--
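
The return convention shown in the message above (the matching SAN entry, or False) reproduced over a get_info()-shaped dict, as an added example that is not code from the prototype branch or from the ssl module. `match_san` and `CERT_INFO` are hypothetical names, and rejecting partial wildcards such as `www*` is a policy assumption of this example, not a statement about what the prototype's check_hostname() does.

```python
# Added example: strict dNSName matching over a get_info()-shaped dict.
# SAN values are copied from the wildcard test certificate quoted in the message.
CERT_INFO = {
    "subjectAltName": (
        ("DNS", "*.wildcard.pythontest.net"),
        ("DNS", "www*.wildcard-www.pythontest.net"),
        ("DNS", "x*.wildcard-x.pythontest.net"),
    ),
}


def _labels(name):
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def _dns_match(pattern, hostname):
    pat, host = _labels(pattern), _labels(hostname)
    if len(pat) != len(host) or "" in host or "*" in hostname:
        return False
    if "*" not in pattern:
        return pat == host
    # Policy choice (assumption): the wildcard must be the entire left-most
    # label, sit above at least two further labels, and cover exactly one label.
    if pat[0] != "*" or len(pat) < 3 or any("*" in p for p in pat[1:]):
        return False
    return pat[1:] == host[1:]


def match_san(cert_info, hostname):
    """Return the first matching dNSName pattern, or False if none matches."""
    for kind, value in cert_info.get("subjectAltName", ()):
        if kind == "DNS" and _dns_match(value, hostname):
            return value
    return False


if __name__ == "__main__":
    for host in ("www.wildcard.pythontest.net",
                 "a.b.wildcard.pythontest.net",
                 "www1.wildcard-www.pythontest.net"):
        print(host, "->", match_san(CERT_INFO, host))
```

Under this policy a wildcard never spans more than one label, and the `www*` and `x*` entries in the test certificate match nothing.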




[issue18369] X509 cert class for ssl module

2018-01-12 Thread Christian Heimes

Christian Heimes  added the comment:

API example:

>>> import ssl

>>> chain = ssl.Certificate.chain_from_file("Lib/test/ssl_cert.pem")
>>> cas = ssl.Certificate.bundle_from_file("Lib/test/pycacert.pem")
>>> pkey = ssl.PrivateKey.from_file("Lib/test/ssl_key.passwd.pem")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ssl.SSLError: [PEM: BAD_PASSWORD_READ] bad password read (_ssl.c:58)
>>> pkey = ssl.PrivateKey.from_file("Lib/test/ssl_key.passwd.pem", password="somepass")

>>> chain
(<_ssl.Certificate '/C=XY/L=Castle Anthrax/O=Python Software Foundation/CN=localhost'>,)
>>> cas
[<_ssl.Certificate '/C=XY/O=Python Software Foundation CA/CN=our-ca-server'>]

>>> ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
>>> ctx.load_cert_chain(chain, pkey)
>>> ctx.load_verify_locations(cadata=cas)

--




[issue18369] X509 cert class for ssl module

2018-01-12 Thread Christian Heimes

Change by Christian Heimes :


--
pull_requests: +5018




[issue18369] X509 cert class for ssl module

2016-09-15 Thread Christian Heimes

Changes by Christian Heimes :


--
assignee:  -> christian.heimes
components: +SSL




[issue18369] X509 cert class for ssl module

2016-09-08 Thread Christian Heimes

Changes by Christian Heimes :


--
versions: +Python 3.7 -Python 3.5




[issue18369] X509 cert class for ssl module

2016-06-12 Thread Mark Lawrence

Changes by Mark Lawrence :


--
nosy:  -BreamoreBoy




[issue18369] X509 cert class for ssl module

2016-06-12 Thread Christian Heimes

Changes by Christian Heimes :


--
assignee: christian.heimes -> 




[issue18369] X509 cert class for ssl module

2015-05-05 Thread Mark Lawrence

Mark Lawrence added the comment:

Presumably too late for 3.5 so do we bump this to 3.6?  Alternatively could the 
Derek Wilson patch make 3.5, there's nearly three weeks until beta 1 is due on 
24th May according to https://www.python.org/dev/peps/pep-0478/ ?

--
nosy: +BreamoreBoy

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue18369
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue18369] X509 cert class for ssl module

2015-05-05 Thread Christian Heimes

Christian Heimes added the comment:

I've a mostly working prototype at 
https://github.com/tiran/cpython/tree/feature/x509cert . It's missing 
documentation, more tests and I have to port it to argument clinic.

--




[issue18369] X509 cert class for ssl module

2013-11-17 Thread Christian Heimes

Christian Heimes added the comment:

The feature won't be ready for 3.4. I'll work on a PEP for 3.5

--
versions: +Python 3.5 -Python 3.4




[issue18369] X509 cert class for ssl module

2013-10-21 Thread Christian Heimes

Christian Heimes added the comment:

Bump up my priority. I'd like to get the feature into 3.4 as a foundation for 
some of my other improvements of the SSL module.

--
assignee:  -> christian.heimes
priority: normal -> high
stage:  -> patch review




[issue18369] X509 cert class for ssl module

2013-07-30 Thread Derek Wilson

Derek Wilson added the comment:

actually, i suppose rather than change a bunch of existing functions/methods to 
handle X509 certs it would make more sense to add new methods to the X509 cert 
class (like match_hostname) so that old stuff doesn't break.

--




[issue18369] X509 cert class for ssl module

2013-07-26 Thread Derek Wilson

Derek Wilson added the comment:

For ssl.match_hostname to work with this, you need to get the info dict first. 
I've attached a patch for it.

--
nosy: +underrun
Added file: 
http://bugs.python.org/file31047/ssl_pyx509cert_match_hostname_fix.patch




[issue18369] X509 cert class for ssl module

2013-07-12 Thread Chris Rebert

Changes by Chris Rebert pyb...@rebertia.com:


--
nosy: +cvrebert




[issue18369] X509 cert class for ssl module

2013-07-05 Thread Christian Heimes

New submission from Christian Heimes:

I'm working on an X509 certificate class for the SSL module. Eventually methods 
like getpeercert() are going to return X509 instances and the Python interface 
can decide if it should return a dict, DER bytes or whatever. IMHO it's a 
mandatory requirement for OCSP support, too.

The patch contains a very real proof of concept.

--
components: Extension Modules
files: ssl_pyx509cert.patch
keywords: patch
messages: 192353
nosy: christian.heimes, pitrou
priority: normal
severity: normal
status: open
title: X509 cert class for ssl module
type: enhancement
versions: Python 3.4
Added file: http://bugs.python.org/file30783/ssl_pyx509cert.patch




[issue18369] X509 cert class for ssl module

2013-07-05 Thread Antoine Pitrou

Antoine Pitrou added the comment:

Yeah, this is probably inevitable. Major concern is how to maintain 
compatibility with getpeercert() currently returning a dict. Should we make 
X509 a dict subclass? (yikes :-))

--




[issue18369] X509 cert class for ssl module

2013-07-05 Thread Michele Orrù

Changes by Michele Orrù maker...@gmail.com:


--
nosy: +maker




[issue18369] X509 cert class for ssl module

2013-07-05 Thread Christian Heimes

Christian Heimes added the comment:

A dict subclass? Oh heck ...

I have slightly different plans. But first, do you agree that the _ssl C 
extension and all its methods are considered an internal API? How about the _ssl 
module's method returns X509 objects and the Python module calls methods on the 
X509 object like get_info() -> dict or get_der() -> bytes?

--




[issue18369] X509 cert class for ssl module

2013-07-05 Thread Antoine Pitrou

Antoine Pitrou added the comment:

> I have slightly different plans. But first, do you agree that the _ssl
> C extension and all its methods are considered an internal API? How
> about the _ssl module's method returns X509 objects and the Python
> module calls methods on the X509 object like get_info() -> dict or
> get_der() -> bytes?

Sounds fine, yes.

--
