X.509 Certificate Parser for Python
This is probably the most complete parser of X.509 certificates in python.
Requirements:
pyasn1 >= 0.1.4
Code is in alpha stage! Don't use for anything sensitive. I wrote it (based on
previous work of colleagues) since there is no comprehensive python parser for
X.509 certificates. Often python programmers had to parse openssl output.
Advantages:
- I find it less painful to use than parsing output of 'openssl x509'
- somewhat stricter in extension parsing compared to openssl
Disadvantages:
- it's slow compared to openssl (about 2.3x compared to RHEL's openssl-1.0-fips)
- currently not very strict in what string types in RDNs it accepts
- API is still rather ugly and has no documentation yet; code is nasty at some
places (and there's some old dangling code like pkcs7/verifier.py)
Parsing utility:
There is testing utility that shows how to extract information from certificates
programatically. It can be run from command line:
python pyx509/x509_parse.py path/to/certificate.der
Known bugs and quirks:
- subject alternative name now only shows DNS names (other types are ignored)
- name constraints don't distinguish among various GeneralName subtypes
- some extensions are not shown very nicely when put in string format
- not all extensions are supported
- string types accepted for various RDN subelements are rather too permissive
- RDN string conversion does not conform to RFC 4514
- badly formed extensions are ignored if not marked critical
- easy to switch to more strict behavior
- other clients do this as well; RFC 5280 specifies behavior for unknown
elements in extensions in appendix B.1, but does not cover all cases (e.g.
element exists, but with string type different from spec)