Skip Menu |

This queue is for tickets about the Net-SSLeay CPAN distribution.

Report information
The Basics
Id: 60639
Status: resolved
Worked: 30 min
Priority: 0/
Queue: Net-SSLeay
People
Owner: MIKEM [...] cpan.org
Requestors: mas [...] scsy.de
Cc:
AdminCc:
Bug Information
Severity: Wishlist
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Mon Aug 23 10:48:51 2010 mas [...] scsy.de - Ticket created
Subject: Access to X509 cert data (when using IO::Socket::SSL)
Hi there! I use IO::Socket::SSL to connect to an SSL server. The IO::Socket::SSL man page suggests that one can use their $sslclient->peer_certificate to get access to the certificate: "If no field is given the internal representation of certificate from Net::SSLeay is returned." Unfortunately, this internal representation only seems to be an integer number, while I expected to get an object containing the actual SSL certificate. I need the certificate in order to read the key length and extended X509 attributes. A Perl hacker from #perl on Freenode told me after brief analysis of Net::SSLeay that it looks like access to the certificate via Net::SSLeay is currently impossible, so I'm placing this as a feature request. Maybe you can add the functionality if you find the time to, or let me know whether there is an alternative way to access the certificate. Kind regards & thanks for your time, -martin
  Mon Aug 23 10:49:26 2010 mas [...] scsy.de - Status changed from 'new' to 'open'
  Mon Aug 23 10:56:45 2010 rafl [...] debian.org - Correspondence added
Subject: Re: [rt.cpan.org #60639] Access to X509 cert data (when using IO::Socket::SSL)
Date: Mon, 23 Aug 2010 16:55:30 +0200
To: bug-Net-SSLeay [...] rt.cpan.org
From: Florian Ragwitz <rafl [...] debian.org>
"Martin Schmitt via RT" <bug-Net-SSLeay@rt.cpan.org> writes: Show quoted text
> I use IO::Socket::SSL to connect to an SSL server. The IO::Socket::SSL > man page suggests that one can use their $sslclient->peer_certificate to > get access to the certificate: > > "If no field is given the internal representation of certificate from > Net::SSLeay is returned." > > Unfortunately, this internal representation only seems to be an integer > number, while I expected to get an object containing the actual SSL > certificate.
This is Net::SSLeay's weird and somewhat stupid idea of an object. It's really the memory address of the associated c structure. To inspect it, call any function valid for an X509 pointer, i.e. Net::SSLeay::X509_*, with it as the first argument.
Download (untitled)
application/pgp-signature 197b

Message body not shown because it is not plain text.

  Mon Aug 23 10:59:24 2010 leonerd-cpan [...] leonerd.org.uk - Correspondence added
On Mon Aug 23 10:48:51 2010, MSCHMITT wrote: Show quoted text
> A Perl hacker from #perl on Freenode told me after brief analysis of > Net::SSLeay that it looks like access to the certificate via Net::SSLeay > is currently impossible, so I'm placing this as a feature request.
Moreover, that hacker would be me. It looks like, from the typemap, that you're representing an X509* as a simple IV: X509 * T_IV Perhaps this could instead be represented as an instance of a new Net::SSLeay::X509 object, which just has a large collection of accessor methods that poke into the structure of OpenSSL's struct X509. I believe these fields are part of the external API, as they appear in the public header file <openssl/x509.h>. -- Paul Evans
  Mon Aug 23 11:06:15 2010 rafl [...] debian.org - Correspondence added
Subject: Re: [rt.cpan.org #60639] Access to X509 cert data (when using IO::Socket::SSL)
Date: Mon, 23 Aug 2010 17:04:39 +0200
To: bug-Net-SSLeay [...] rt.cpan.org
From: Florian Ragwitz <rafl [...] debian.org>
"Paul Evans via RT" <bug-Net-SSLeay@rt.cpan.org> writes: Show quoted text
> On Mon Aug 23 10:48:51 2010, MSCHMITT wrote:
>> A Perl hacker from #perl on Freenode told me after brief analysis of >> Net::SSLeay that it looks like access to the certificate via Net::SSLeay >> is currently impossible, so I'm placing this as a feature request.
> > Moreover, that hacker would be me. > > It looks like, from the typemap, that you're representing an X509* as a > simple IV: > > X509 * T_IV > > Perhaps this could instead be represented as an instance of a new > Net::SSLeay::X509 object, which just has a large collection of > accessor methods that poke into the structure of OpenSSL's struct > X509. I believe these fields are part of the external API, as they > appear in the public header file <openssl/x509.h>.
Yes, absolutely. The way it is right now (representing pointers as IVs) is purely for historical reasons. And it can be easily changed without breaking back-compat. Just no one did that yet. However, mugwump created Net::SSLeay::OO instead, which provides something similar. Also, I believe there already are a couple of functions to introspect the fields of the X509 struct. If there's anything you need and that's currently missing, both feature requests and patches are welcome.
Download (untitled)
application/pgp-signature 197b

Message body not shown because it is not plain text.

  Mon Aug 23 17:07:51 2010 mas [...] scsy.de - Correspondence added
Thanks for your feedback, guys. I've now spent a while with Net::SSLeay::OO (cloned from git today) and it seems that the Net::SSLeay::OO::X509 class, being a wrapper for Net::SSLeay, also only offers the discrete fields from the certificate in "cooked" form, but not the certificate itself. man Net::SSLeay::OO lists a to-be-done class Net::SSLeay::OO::PEM which somewhat hints towards the planned capability of extracting the cert, but there's not trace of it to be found so far. Too bad. I'm not too sure what to do from here. My next stop will probably need to be parsing output from openssl s_client to get cert and connection details.
  Tue Aug 24 06:22:49 2010 leonerd-cpan [...] leonerd.org.uk - Correspondence added
On Mon Aug 23 17:07:51 2010, MSCHMITT wrote: Show quoted text
> Too bad. I'm not too sure what to do from here. My next stop will > probably need to be parsing output from openssl s_client to get cert and > connection details.
Florian wrote: Show quoted text
> Also, I believe there already are a couple of functions to introspect > the fields of the X509 struct. If there's anything you need and that's > currently missing, both feature requests and patches are welcome.
Could you give some details on the exact fields you want here? If you can suggest an "ideal use case", the fields you want, then I'm sure I should be able to hack up a quick patch to let you get at them from Net::SSLeay -- Paul Evans
  Tue Aug 24 14:26:57 2010 mas [...] scsy.de - Correspondence added
Thanks for your offer, but by far the easiest thing for me would be to just have the certificate at hand for manipulation. The values I pull from the cert with Crypt::X509, that are not covered by Net::SSLeay, are: $x509->serial $x509->not_before $x509->not_after $x509->pubkey_size $x509->PubKeyAlg $x509->SigEncAlg $x509->SigHashAlg $x509->BasicConstraints I don't care about subject alternative names right now, but that may change. In all seriousness, I have written a wrapper for openssl s_client today that does all this, so please don't spend too much of your valuable time writing accessors for discrete attributes. If you can, however, pass the certificate back, that would be totally excellent. :-) Thanks & kind regards, -martin
  Fri Aug 27 21:41:06 2010 mikem [...] open.com.au - Correspondence added
Subject: Re: [rt.cpan.org #60639] Access to X509 cert data (when using IO::Socket::SSL)
Date: Sat, 28 Aug 2010 07:10:20 +0530
To: "bug-Net-SSLeay [...] rt.cpan.org" <bug-Net-SSLeay [...] rt.cpan.org>
From: Mike Mccauley <mikem [...] open.com.au>
Florian, I am travelling for the next 3 weeks. Can you follow this one? Cheers Sent from my iPhone On 23/08/2010, at 8:26 PM, "Florian Ragwitz via RT" <bug-Net-SSLeay@rt.cpan.org Show quoted text
> wrote:
Show quoted text
> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=60639 > > > "Martin Schmitt via RT" <bug-Net-SSLeay@rt.cpan.org> writes:
>> I use IO::Socket::SSL to connect to an SSL server. The >> IO::Socket::SSL >> man page suggests that one can use their $sslclient-
>> >peer_certificate to
>> get access to the certificate: >> >> "If no field is given the internal representation of certificate from >> Net::SSLeay is returned." >> >> Unfortunately, this internal representation only seems to be an >> integer >> number, while I expected to get an object containing the actual SSL >> certificate.
> > This is Net::SSLeay's weird and somewhat stupid idea of an object. > It's > really the memory address of the associated c structure. To inspect > it, > call any function valid for an X509 pointer, i.e. Net::SSLeay::X509_*, > with it as the first argument. > > <mime-attachment>
  Sat Sep 24 18:47:47 2011 MIKEM [...] cpan.org - Correspondence added
Hi Martin, is this still an issue for you? Cheers. On Tue Aug 24 14:26:57 2010, MSCHMITT wrote: Show quoted text
> Thanks for your offer, but by far the easiest thing for me would be
to Show quoted text
> just have the certificate at hand for manipulation. The values I
pull Show quoted text
> from the cert with Crypt::X509, that are not covered by Net::SSLeay,
are: Show quoted text
> > $x509->serial > $x509->not_before > $x509->not_after > $x509->pubkey_size > $x509->PubKeyAlg > $x509->SigEncAlg > $x509->SigHashAlg > $x509->BasicConstraints > > I don't care about subject alternative names right now, but that may
change. Show quoted text
> > In all seriousness, I have written a wrapper for openssl s_client
today Show quoted text
> that does all this, so please don't spend too much of your valuable
time Show quoted text
> writing accessors for discrete attributes. If you can, however, pass
the Show quoted text
> certificate back, that would be totally excellent. :-) > > Thanks & kind regards, > > -martin
  Sat Sep 24 18:47:48 2011 MIKEM [...] cpan.org - Status changed from 'open' to 'resolved'
  Sat Sep 24 18:47:48 2011 MIKEM [...] cpan.org - Given to MIKEM
  Sun Sep 25 01:31:30 2011 mas [...] scsy.de - Correspondence added
Gosh, this is more than a year old. :-) Well, I do have my workaround, the rest is mostly cosmetic, isn't it?
  Sun Sep 25 01:31:32 2011 The RT System itself - Status changed from 'resolved' to 'open'
  Thu Mar 22 07:32:59 2012 kmx [...] cpan.org - Correspondence added
On Sun Sep 25 01:31:30 2011, MSCHMITT wrote:
Show quoted text
> Gosh, this is more than a year old. :-) Well, I do have my workaround,
> the rest is mostly cosmetic, isn't it?

You are right.

FYI the latest (SVN) version of Net::SSLeay has a bunch o new functions related to getting X509 certificate details
check for example http://anonscm.debian.org/viewvc/net-ssleay/trunk/examples/x509_cert_details.pl?revision=322&amp;view=markup

Mike, I guess you should close this RT.

--
kmx

  Thu Mar 22 17:24:41 2012 MIKEM [...] cpan.org - TimeWorked changed from (no value) to '30'
  Thu Mar 22 17:24:41 2012 MIKEM [...] cpan.org - Status changed from 'open' to 'resolved'