SSL: diagnostic functions to list loaded CA certs

[tiran]

BPO	18147
Nosy	@brettcannon, @pitrou, @tiran, @bitdancer
Files	ssl_ca_stats.patch ssl_ca_stats2.patch ssl_ca_stats3.patch

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2015-04-13.19:07:03.566>
created_at = <Date 2013-06-06.10:19:29.227>
labels = ['extension-modules', 'type-feature']
title = 'SSL: diagnostic functions to list loaded CA certs'
updated_at = <Date 2015-04-13.19:07:03.565>
user = 'https://github.com/tiran'

bugs.python.org fields:

activity = <Date 2015-04-13.19:07:03.565>
actor = 'python-dev'
assignee = 'none'
closed = True
closed_date = <Date 2015-04-13.19:07:03.566>
closer = 'python-dev'
components = ['Extension Modules']
creation = <Date 2013-06-06.10:19:29.227>
creator = 'christian.heimes'
dependencies = []
files = ['30481', '30550', '30610']
hgrepos = []
issue_num = 18147
keywords = ['patch']
message_count = 7.0
messages = ['190709', '190998', '191285', '191334', '203710', '208720', '240707']
nosy_count = 5.0
nosy_names = ['brett.cannon', 'pitrou', 'christian.heimes', 'r.david.murray', 'python-dev']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue18147'
versions = ['Python 3.4']

[tiran]

The patch adds two methods to SSLContext which return information about loaded x509 certs, CRL and CAs.

Example:

>>> ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> ctx.load_verify_locations(SVN_PYTHON_ORG_ROOT_CERT)
>>> ctx.cert_store_stats()
{'crl': 0, 'x509': 1}
>>> ctx.get_ca_list()
[{'issuer': ((('organizationName', 'Root CA'),),
             (('organizationalUnitName', 'http://www.cacert.org'),),
             (('commonName', 'CA Cert Signing Authority'),),
             (('emailAddress', 'support@cacert.org'),)),
  'notAfter': 'Mar 29 12:29:49 2033 GMT',
  'notBefore': 'Mar 30 12:29:49 2003 GMT',
  'serialNumber': '00',
  'subject': ((('organizationName', 'Root CA'),),
              (('organizationalUnitName', 'http://www.cacert.org'),),
              (('commonName', 'CA Cert Signing Authority'),),
              (('emailAddress', 'support@cacert.org'),)),
  'version': 3}]

[tiran]

New patch

• method has been renamed to get_ca_list() and returns only CA certs
• get_ca_list(binary_form=True) returns CA certs in DER format
• cert_store_stats() returns three elements: X.509 CA cert count, X.509 non-CA count and CRL count

[tiran]

Updated patch with Antoine's review:

• method is now called get_ca_certs()
• cert_store_stats() returns total amount of X.509 as 'x509' key and X.509 certs with CA purpose in 'x509_ca'.
• documentation

[python-dev]

New changeset 38e759e4c9e6 by Christian Heimes in branch 'default':
Issue bpo-18147: Add diagnostic functions to ssl.SSLContext().
http://hg.python.org/cpython/rev/38e759e4c9e6

[python-dev]

New changeset ae0734493f6b by Christian Heimes in branch 'default':
Issue bpo-18147: Add missing documentation for SSLContext.get_ca_certs().
http://hg.python.org/cpython/rev/ae0734493f6b

[bitdancer]

It looks like the doc for get_ca_certs wasn't missing, so now it appears twice in the docs. I'm not sure which is the preferred wording, so I'll leave it to Christian to fix it.

[python-dev]

New changeset d88b5469fdd3 by Antoine Pitrou in branch '3.4':
Fix duplicate doc entry for SSLContext.get_ca_certs()
https://hg.python.org/cpython/rev/d88b5469fdd3

New changeset d7352db81b50 by Antoine Pitrou in branch 'default':
Fix duplicate doc entry for SSLContext.get_ca_certs()
https://hg.python.org/cpython/rev/d7352db81b50