user1667153

Reputation: 125

PyOpenSSL: Get a CRL's last update and next update fields

I'm trying to get the dates for a CRL using PyOpenSSL. The CRL class doesn't contain them as accessible members. I'm going through all of the underscore members, but I'd rather not use one of those, as they're not supposed to be 'public'.

Any suggestions on getting the dates out?

Upvotes: 4

Views: 3093

Answers (3)

abbot

Reputation: 27860

You can't do that with pyOpenSSL, but this information from CRLs can actually be extracted using PyCrypto's asn1 parser without many problems. See the example below:

import types
from Crypto.Util import asn1
import datetime as dt
from pytz import UTC

def decode_time(obj, format):
    return dt.datetime.strptime(obj.payload, format).replace(tzinfo=UTC)

# Keyed by ASN.1 universal tag number: 23 = UTCTime, 24 = GeneralizedTime
time_formats = {
    23: lambda obj: decode_time(obj, "%y%m%d%H%M%SZ"),
    24: lambda obj: decode_time(obj, "%Y%m%d%H%M%SZ"),
    }

def crl_dates(crl_der):
    # CertificateList ::= SEQUENCE { tbsCertList, signatureAlgorithm, signatureValue }
    crl_seq = asn1.DerSequence()
    crl_seq.decode(crl_der)
    if len(crl_seq) != 3:
        raise ValueError("unknown crl format")
    tbsCertList = asn1.DerSequence()
    tbsCertList.decode(crl_seq[0])
    thisUpdate = asn1.DerObject()
    nextUpdate = asn1.DerObject()
    if isinstance(tbsCertList[0], types.StringTypes): # CRL v1
        # v1 has no version field: signature, issuer, thisUpdate, nextUpdate
        thisUpdate.decode(tbsCertList[2])
        nextUpdate.decode(tbsCertList[3])
    else:
        # v2 starts with an INTEGER version (value 1), which shifts the dates by one
        if tbsCertList[0] > 1:
            raise ValueError("unsupported CRL profile version: %d" % tbsCertList[0])
        thisUpdate.decode(tbsCertList[3])
        nextUpdate.decode(tbsCertList[4])
    if thisUpdate.typeTag not in time_formats or \
       nextUpdate.typeTag not in time_formats:
        raise ValueError("invalid CRL date/time fields")
    return time_formats[thisUpdate.typeTag](thisUpdate), \
           time_formats[nextUpdate.typeTag](nextUpdate)

if __name__ == '__main__':
    from urllib2 import urlopen
    print "CRL v1", crl_dates(urlopen("http://crl.verisign.com/pca1.1.1.crl").read())
    print "CRL v2", crl_dates(urlopen("http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crl").read())

Note: this code does not check any signatures or anything like that, just extracts the CRL dates.

Upvotes: 5
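
An added example, not part of the answers on this page: a Python 3, standard-library-only take on the same idea that reads thisUpdate and nextUpdate from a DER-encoded CRL, treats nextUpdate as optional, and flags a CRL that is past its nextUpdate. Like the answer's code it does not verify the signature; `is_stale`, `sample_crl` and the `SAMPLE` bytes are names and data constructed for this demo.

```python
import datetime as dt

TIME_FORMATS = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}  # UTCTime, GeneralizedTime

def read_tlv(buf, pos=0):  # decode one DER element; return (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value, pos=0):  # yield (tag, value) for each element inside a SEQUENCE
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def parse_time(tag, val):
    return dt.datetime.strptime(val.decode("ascii"), TIME_FORMATS[tag]).replace(tzinfo=dt.timezone.utc)

def crl_dates(crl_der):
    """Return (thisUpdate, nextUpdate or None). The signature is NOT verified."""
    tag, body, end = read_tlv(crl_der)
    fields = list(children(body))
    if tag != 0x30 or end != len(crl_der) or len(fields) != 3 or fields[0][0] != 0x30:
        raise ValueError("not a CertificateList")
    tbs = list(children(fields[0][1]))
    i = 3 if tbs and tbs[0][0] == 0x02 else 2  # skip [version,] signature, issuer
    if len(tbs) <= i or tbs[i][0] not in TIME_FORMATS:
        raise ValueError("thisUpdate missing or not a time type")
    nxt = tbs[i + 1] if len(tbs) > i + 1 and tbs[i + 1][0] in TIME_FORMATS else None
    return parse_time(*tbs[i]), parse_time(*nxt) if nxt else None

def is_stale(crl_der, now):  # assumption: a CRL without nextUpdate is stale (fail closed)
    next_update = crl_dates(crl_der)[1]
    return next_update is None or now > next_update

def sample_crl(this_update, next_update=None, v2=True):  # constructed, unsigned skeleton
    tlv = lambda tag, value: bytes([tag, len(value)]) + value  # short-form lengths only
    alg = tlv(0x30, bytes.fromhex("06092a864886f70d01010b0500"))
    times = tlv(0x17, this_update) + (tlv(0x17, next_update) if next_update else b"")
    tbs = (b"\x02\x01\x01" if v2 else b"") + alg + tlv(0x30, b"") + times
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00"))

SAMPLE = sample_crl(b"240101000000Z", b"240108000000Z")  # constructed sample input
```

`crl_dates(SAMPLE)` returns the two timestamps as timezone-aware datetimes, and `is_stale(SAMPLE, now)` expects `now` to be timezone-aware as well.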

user1667153

Reputation: 125

The functionality doesn't exist currently. We ended up having to extend pyOpenSSL to handle this.

Upvotes: 0

ryucl0ud

Reputation: 622

It seems that get_rev_date() will return that date as ASN1 GENERALIZEDTIME.

I found this in pyOpenSSL's documentation.

Upvotes: 0
