summaryrefslogtreecommitdiffstats
path: root/Tools/ssl/get-remote-certificate.py
diff options
context:
space:
mode:
authorGuido van Rossum <guido@python.org>2007-08-25 15:08:43 (GMT)
committerGuido van Rossum <guido@python.org>2007-08-25 15:08:43 (GMT)
commit4f2c3ddca45c11d466bf487d16d74fe875536e3f (patch)
tree494ac4ce52ddc06df41589ba3e0080ea48b5851c /Tools/ssl/get-remote-certificate.py
parent1a42ece0c76166b1dead10decb0e54af084b4eb2 (diff)
downloadcpython-4f2c3ddca45c11d466bf487d16d74fe875536e3f.zip
cpython-4f2c3ddca45c11d466bf487d16d74fe875536e3f.tar.gz
cpython-4f2c3ddca45c11d466bf487d16d74fe875536e3f.tar.bz2
Server-side SSL and certificate validation, by Bill Janssen.
While cleaning up Bill's C style, I may have cleaned up some code he didn't touch as well (in _ssl.c).
Diffstat (limited to 'Tools/ssl/get-remote-certificate.py')
-rw-r--r--Tools/ssl/get-remote-certificate.py79
1 files changed, 79 insertions, 0 deletions
diff --git a/Tools/ssl/get-remote-certificate.py b/Tools/ssl/get-remote-certificate.py
new file mode 100644
index 0000000..cbcd76f
--- /dev/null
+++ b/Tools/ssl/get-remote-certificate.py
@@ -0,0 +1,79 @@
+#!/usr/bin/env python
+#
+# fetch the certificate that the server(s) are providing in PEM form
+#
+# args are HOST:PORT [, HOST:PORT...]
+#
+# By Bill Janssen.
+
+import sys, os
+
+def fetch_server_certificate (host, port):
+
+ import re, tempfile, os, ssl
+
+ def subproc(cmd):
+ from subprocess import Popen, PIPE, STDOUT
+ proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, shell=True)
+ status = proc.wait()
+ output = proc.stdout.read()
+ return status, output
+
+ def strip_to_x509_cert(certfile_contents, outfile=None):
+ m = re.search(r"^([-]+BEGIN CERTIFICATE[-]+[\r]*\n"
+ r".*[\r]*^[-]+END CERTIFICATE[-]+)$",
+ certfile_contents, re.MULTILINE | re.DOTALL)
+ if not m:
+ return None
+ else:
+ tn = tempfile.mktemp()
+ fp = open(tn, "w")
+ fp.write(m.group(1) + "\n")
+ fp.close()
+ try:
+ tn2 = (outfile or tempfile.mktemp())
+ status, output = subproc(r'openssl x509 -in "%s" -out "%s"' %
+ (tn, tn2))
+ if status != 0:
+ raise OperationError(status, tsig, output)
+ fp = open(tn2, 'rb')
+ data = fp.read()
+ fp.close()
+ os.unlink(tn2)
+ return data
+ finally:
+ os.unlink(tn)
+
+ if sys.platform.startswith("win"):
+ tfile = tempfile.mktemp()
+ fp = open(tfile, "w")
+ fp.write("quit\n")
+ fp.close()
+ try:
+ status, output = subproc(
+ 'openssl s_client -connect "%s:%s" -showcerts < "%s"' %
+ (host, port, tfile))
+ finally:
+ os.unlink(tfile)
+ else:
+ status, output = subproc(
+ 'openssl s_client -connect "%s:%s" -showcerts < /dev/null' %
+ (host, port))
+ if status != 0:
+ raise OSError(status)
+ certtext = strip_to_x509_cert(output)
+ if not certtext:
+ raise ValueError("Invalid response received from server at %s:%s" %
+ (host, port))
+ return certtext
+
+if __name__ == "__main__":
+ if len(sys.argv) < 2:
+ sys.stderr.write(
+ "Usage: %s HOSTNAME:PORTNUMBER [, HOSTNAME:PORTNUMBER...]\n" %
+ sys.argv[0])
+ sys.exit(1)
+ for arg in sys.argv[1:]:
+ host, port = arg.split(":")
+ sys.stdout.write(fetch_server_certificate(host, int(port)))
+ sys.exit(0)