pyx509
pyx509 copied to clipboard
Parser of X.509 certificates
X.509 Certificate Parser for Python
This is probably the most complete parser of X.509 certificates in python.
Requirements: pyasn1 >= 0.1.4
Code is in alpha stage! Don't use for anything sensitive. I wrote it (based on previous work of colleagues) since there is no comprehensive python parser for X.509 certificates. Often python programmers had to parse openssl output.
Advantages:
- I find it less painful to use than parsing output of 'openssl x509'
- somewhat stricter in extension parsing compared to openssl
Disadvantages:
- it's slow compared to openssl (about 2.3x compared to RHEL's openssl-1.0-fips)
- currently not very strict in what string types in RDNs it accepts
- API is still rather ugly and has no documentation yet; code is nasty at some places (and there's some old dangling code like pkcs7/verifier.py)
Parsing utility:
There is testing utility that shows how to extract information from certificates programatically. It can be run from command line:
python pyx509/x509_parse.py path/to/certificate.der
Known bugs and quirks:
- name constraints don't distinguish among various GeneralName subtypes
- some extensions are not shown very nicely when put in string format
- not all extensions are supported
- string types accepted for various RDN subelements are rather too permissive
- RDN string conversion does not conform to RFC 4514
- badly formed extensions are ignored if not marked critical
- easy to switch to more strict behavior
- other clients do this as well; RFC 5280 specifies behavior for unknown elements in extensions in appendix B.1, but does not cover all cases (e.g. element exists, but with string type different from spec)