mitmproxy/netlib/certutils.py

import os, ssl, time, datetime
from pyasn1.type import univ, constraint, char, namedtype, tag
from pyasn1.codec.der.decoder import decode
from pyasn1.error import PyAsn1Error
import OpenSSL
import tcp

DEFAULT_EXP = 62208000 # =24 * 60 * 60 * 720
# Generated with "openssl dhparam". It's too slow to generate this on startup.
DEFAULT_DHPARAM = """-----BEGIN DH PARAMETERS-----
MIGHAoGBAOdPzMbYgoYfO3YBYauCLRlE8X1XypTiAjoeCFD0qWRx8YUsZ6Sj20W5
zsfQxlZfKovo3f2MftjkDkbI/C/tDgxoe0ZPbjy5CjdOhkzxn0oTbKTs16Rw8DyK
1LjTR65sQJkJEdgsX8TSi/cicCftJZl9CaZEaObF2bdgSgGK+PezAgEC
-----END DH PARAMETERS-----"""

def create_ca(o, cn, exp):
    key = OpenSSL.crypto.PKey()
    key.generate_key(OpenSSL.crypto.TYPE_RSA, 1024)
    cert = OpenSSL.crypto.X509()
    cert.set_serial_number(int(time.time()*10000))
    cert.set_version(2)
    cert.get_subject().CN = cn
    cert.get_subject().O = o
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(exp)
    cert.set_issuer(cert.get_subject())
    cert.set_pubkey(key)
    cert.add_extensions([
      OpenSSL.crypto.X509Extension("basicConstraints", True,
                                   "CA:TRUE"),
      OpenSSL.crypto.X509Extension("nsCertType", True,
                                   "sslCA"),
      OpenSSL.crypto.X509Extension("extendedKeyUsage", True,
                                    "serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC"
                                    ),
      OpenSSL.crypto.X509Extension("keyUsage", False,
                                   "keyCertSign, cRLSign"),
      OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash",
                                   subject=cert),
      ])
    cert.sign(key, "sha1")
    return key, cert


def dummy_cert(pkey, cacert, commonname, sans):
    """
        Generates a dummy certificate.

        pkey: CA private key
        cacert: CA certificate
        commonname: Common name for the generated certificate.
        sans: A list of Subject Alternate Names.

        Returns cert if operation succeeded, None if not.
    """
    ss = []
    for i in sans:
        ss.append("DNS: %s"%i)
    ss = ", ".join(ss)

    cert = OpenSSL.crypto.X509()
    cert.gmtime_adj_notBefore(-3600*48)
    cert.gmtime_adj_notAfter(60 * 60 * 24 * 30)
    cert.set_issuer(cacert.get_subject())
    cert.get_subject().CN = commonname
    cert.set_serial_number(int(time.time()*10000))
    if ss:
        cert.set_version(2)
        cert.add_extensions([OpenSSL.crypto.X509Extension("subjectAltName", True, ss)])
    cert.set_pubkey(cacert.get_pubkey())
    cert.sign(pkey, "sha1")
    return SSLCert(cert)


class CertStore:
    """
        Implements an in-memory certificate store.
    """
    def __init__(self, pkey, cert):
        self.pkey, self.cert = pkey, cert
        self.certs = {}

    @classmethod
    def from_store(klass, path, basename):
        p = os.path.join(path, basename + "-ca.pem")
        if not os.path.exists(p):
            key, ca = klass.create_store(path, basename)
        else:
            p = os.path.join(path, basename + "-ca.pem")
            raw = file(p, "rb").read()
            ca = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, raw)
            key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, raw)
        return klass(key, ca)

    @classmethod
    def create_store(klass, path, basename, o=None, cn=None, expiry=DEFAULT_EXP):
        if not os.path.exists(path):
            os.makedirs(path)

        o = o or basename
        cn = cn or basename

        key, ca = create_ca(o=o, cn=cn, exp=expiry)
        # Dump the CA plus private key
        f = open(os.path.join(path, basename + "-ca.pem"), "wb")
        f.write(OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key))
        f.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, ca))
        f.close()

        # Dump the certificate in PEM format
        f = open(os.path.join(path, basename + "-cert.pem"), "wb")
        f.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, ca))
        f.close()

        # Create a .cer file with the same contents for Android
        f = open(os.path.join(path, basename + "-cert.cer"), "wb")
        f.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, ca))
        f.close()

        # Dump the certificate in PKCS12 format for Windows devices
        f = open(os.path.join(path, basename + "-cert.p12"), "wb")
        p12 = OpenSSL.crypto.PKCS12()
        p12.set_certificate(ca)
        p12.set_privatekey(key)
        f.write(p12.export())
        f.close()

        f = open(os.path.join(path, basename + "-dhparam.pem"), "wb")
        f.write(DEFAULT_DHPARAM)
        f.close()
        return key, ca

    def get_cert(self, commonname, sans):
        """
            Returns an SSLCert object.

            commonname: Common name for the generated certificate. Must be a
            valid, plain-ASCII, IDNA-encoded domain name.

            sans: A list of Subject Alternate Names.

            Return None if the certificate could not be found or generated.
        """
        if commonname in self.certs:
            return self.certs[commonname]
        c = dummy_cert(self.pkey, self.cert, commonname, sans)
        self.certs[commonname] = c
        return c


class _GeneralName(univ.Choice):
    # We are only interested in dNSNames. We use a default handler to ignore
    # other types.
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('dNSName', char.IA5String().subtype(
                implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)
            )
        ),
    )


class _GeneralNames(univ.SequenceOf):
    componentType = _GeneralName()
    sizeSpec = univ.SequenceOf.sizeSpec + constraint.ValueSizeConstraint(1, 1024)


class SSLCert:
    def __init__(self, cert):
        """
            Returns a (common name, [subject alternative names]) tuple.
        """
        self.x509 = cert

    @classmethod
    def from_pem(klass, txt):
        x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, txt)
        return klass(x509)

    @classmethod
    def from_der(klass, der):
        pem = ssl.DER_cert_to_PEM_cert(der)
        return klass.from_pem(pem)

    def to_pem(self):
        return OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, self.x509)

    def digest(self, name):
        return self.x509.digest(name)

    @property
    def issuer(self):
        return self.x509.get_issuer().get_components()

    @property
    def notbefore(self):
        t = self.x509.get_notBefore()
        return datetime.datetime.strptime(t, "%Y%m%d%H%M%SZ")

    @property
    def notafter(self):
        t = self.x509.get_notAfter()
        return datetime.datetime.strptime(t, "%Y%m%d%H%M%SZ")

    @property
    def has_expired(self):
        return self.x509.has_expired()

    @property
    def subject(self):
        return self.x509.get_subject().get_components()

    @property
    def serial(self):
        return self.x509.get_serial_number()

    @property
    def keyinfo(self):
        pk = self.x509.get_pubkey()
        types = {
            OpenSSL.crypto.TYPE_RSA: "RSA",
            OpenSSL.crypto.TYPE_DSA: "DSA",
        }
        return (
            types.get(pk.type(), "UNKNOWN"),
            pk.bits()
        )

    @property
    def cn(self):
        c = None
        for i in self.subject:
            if i[0] == "CN":
                c = i[1]
        return c

    @property
    def altnames(self):
        altnames = []
        for i in range(self.x509.get_extension_count()):
            ext = self.x509.get_extension(i)
            if ext.get_short_name() == "subjectAltName":
                try:
                    dec = decode(ext.get_data(), asn1Spec=_GeneralNames())
                except PyAsn1Error:
                    continue
                for i in dec[0]:
                    altnames.append(i[0].asOctets())
        return altnames


def get_remote_cert(host, port, sni):
    c = tcp.TCPClient((host, port))
    c.connect()
    c.convert_to_ssl(sni=sni)
    return c.cert
remove tempfile and shutil imports because they're not actually used 2013-10-07 20:55:35 +00:00			`import os, ssl, time, datetime`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`from pyasn1.type import univ, constraint, char, namedtype, tag`
			`from pyasn1.codec.der.decoder import decode`
Ignore SAN entries that we don't understand. 2012-07-24 02:55:54 +00:00			`from pyasn1.error import PyAsn1Error`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`import OpenSSL`
Add a get_remote_cert method to tcp client. 2012-06-27 20:15:55 +00:00			`import tcp`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00
Beef up CertStore, add DH params. 2014-03-04 01:12:58 +00:00			`DEFAULT_EXP = 62208000 # =24 * 60 * 60 * 720`
			`# Generated with "openssl dhparam". It's too slow to generate this on startup.`
			`DEFAULT_DHPARAM = """-----BEGIN DH PARAMETERS-----`
			`MIGHAoGBAOdPzMbYgoYfO3YBYauCLRlE8X1XypTiAjoeCFD0qWRx8YUsZ6Sj20W5`
			`zsfQxlZfKovo3f2MftjkDkbI/C/tDgxoe0ZPbjy5CjdOhkzxn0oTbKTs16Rw8DyK`
			`1LjTR65sQJkJEdgsX8TSi/cicCftJZl9CaZEaObF2bdgSgGK+PezAgEC`
			`-----END DH PARAMETERS-----"""`

			`def create_ca(o, cn, exp):`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`key = OpenSSL.crypto.PKey()`
			`key.generate_key(OpenSSL.crypto.TYPE_RSA, 1024)`
Beef up CertStore, add DH params. 2014-03-04 01:12:58 +00:00			`cert = OpenSSL.crypto.X509()`
			`cert.set_serial_number(int(time.time()*10000))`
			`cert.set_version(2)`
			`cert.get_subject().CN = cn`
			`cert.get_subject().O = o`
			`cert.gmtime_adj_notBefore(0)`
			`cert.gmtime_adj_notAfter(exp)`
			`cert.set_issuer(cert.get_subject())`
			`cert.set_pubkey(key)`
			`cert.add_extensions([`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`OpenSSL.crypto.X509Extension("basicConstraints", True,`
			`"CA:TRUE"),`
			`OpenSSL.crypto.X509Extension("nsCertType", True,`
			`"sslCA"),`
			`OpenSSL.crypto.X509Extension("extendedKeyUsage", True,`
			`"serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC"`
			`),`
			`OpenSSL.crypto.X509Extension("keyUsage", False,`
			`"keyCertSign, cRLSign"),`
			`OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash",`
Beef up CertStore, add DH params. 2014-03-04 01:12:58 +00:00			`subject=cert),`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`])`
Beef up CertStore, add DH params. 2014-03-04 01:12:58 +00:00			`cert.sign(key, "sha1")`
			`return key, cert`


			`def dummy_cert(pkey, cacert, commonname, sans):`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`"""`
Beef up CertStore, add DH params. 2014-03-04 01:12:58 +00:00			`Generates a dummy certificate.`
Basic certificate store implementation and cert utils API cleanup. 2013-01-05 12:15:53 +00:00
Beef up CertStore, add DH params. 2014-03-04 01:12:58 +00:00			`pkey: CA private key`
			`cacert: CA certificate`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`commonname: Common name for the generated certificate.`
Basic certificate store implementation and cert utils API cleanup. 2013-01-05 12:15:53 +00:00			`sans: A list of Subject Alternate Names.`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00
Beef up CertStore, add DH params. 2014-03-04 01:12:58 +00:00			`Returns cert if operation succeeded, None if not.`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`"""`
			`ss = []`
			`for i in sans:`
			`ss.append("DNS: %s"%i)`
			`ss = ", ".join(ss)`

			`cert = OpenSSL.crypto.X509()`
Make certificate not-before time 48 hours. Fixes #200 2014-01-08 01:46:55 +00:00			`cert.gmtime_adj_notBefore(-3600*48)`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`cert.gmtime_adj_notAfter(60 * 60 * 24 * 30)`
Beef up CertStore, add DH params. 2014-03-04 01:12:58 +00:00			`cert.set_issuer(cacert.get_subject())`
Don't create a certificate request when creating a dummy cert 2013-09-24 19:18:41 +00:00			`cert.get_subject().CN = commonname`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`cert.set_serial_number(int(time.time()*10000))`
			`if ss:`
extensions aren't supported in v1, set to v3 (value=2) if using them. 2013-04-19 13:37:14 +00:00			`cert.set_version(2)`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`cert.add_extensions([OpenSSL.crypto.X509Extension("subjectAltName", True, ss)])`
Beef up CertStore, add DH params. 2014-03-04 01:12:58 +00:00			`cert.set_pubkey(cacert.get_pubkey())`
			`cert.sign(pkey, "sha1")`
Revamp dummy cert generation. We no longer use on-disk storage - we just keep the certs in memory. 2013-08-12 04:03:29 +00:00			`return SSLCert(cert)`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00
Basic certificate store implementation and cert utils API cleanup. 2013-01-05 12:15:53 +00:00
			`class CertStore:`
			`"""`
Revamp dummy cert generation. We no longer use on-disk storage - we just keep the certs in memory. 2013-08-12 04:03:29 +00:00			`Implements an in-memory certificate store.`
Basic certificate store implementation and cert utils API cleanup. 2013-01-05 12:15:53 +00:00			`"""`
Beef up CertStore, add DH params. 2014-03-04 01:12:58 +00:00			`def __init__(self, pkey, cert):`
			`self.pkey, self.cert = pkey, cert`
Revamp dummy cert generation. We no longer use on-disk storage - we just keep the certs in memory. 2013-08-12 04:03:29 +00:00			`self.certs = {}`
Beef up CertStore, add DH params. 2014-03-04 01:12:58 +00:00
			`@classmethod`
			`def from_store(klass, path, basename):`
			`p = os.path.join(path, basename + "-ca.pem")`
			`if not os.path.exists(p):`
			`key, ca = klass.create_store(path, basename)`
			`else:`
			`p = os.path.join(path, basename + "-ca.pem")`
			`raw = file(p, "rb").read()`
			`ca = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, raw)`
			`key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, raw)`
			`return klass(key, ca)`

			`@classmethod`
			`def create_store(klass, path, basename, o=None, cn=None, expiry=DEFAULT_EXP):`
			`if not os.path.exists(path):`
			`os.makedirs(path)`

			`o = o or basename`
			`cn = cn or basename`

			`key, ca = create_ca(o=o, cn=cn, exp=expiry)`
			`# Dump the CA plus private key`
			`f = open(os.path.join(path, basename + "-ca.pem"), "wb")`
			`f.write(OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key))`
			`f.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, ca))`
			`f.close()`

			`# Dump the certificate in PEM format`
			`f = open(os.path.join(path, basename + "-cert.pem"), "wb")`
			`f.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, ca))`
			`f.close()`

			`# Create a .cer file with the same contents for Android`
			`f = open(os.path.join(path, basename + "-cert.cer"), "wb")`
			`f.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, ca))`
			`f.close()`

			`# Dump the certificate in PKCS12 format for Windows devices`
			`f = open(os.path.join(path, basename + "-cert.p12"), "wb")`
			`p12 = OpenSSL.crypto.PKCS12()`
			`p12.set_certificate(ca)`
			`p12.set_privatekey(key)`
			`f.write(p12.export())`
			`f.close()`

			`f = open(os.path.join(path, basename + "-dhparam.pem"), "wb")`
			`f.write(DEFAULT_DHPARAM)`
			`f.close()`
			`return key, ca`
Basic certificate store implementation and cert utils API cleanup. 2013-01-05 12:15:53 +00:00
Minor improvement to CertStore interface 2014-03-02 00:50:19 +00:00			`def get_cert(self, commonname, sans):`
Basic certificate store implementation and cert utils API cleanup. 2013-01-05 12:15:53 +00:00			`"""`
Revamp dummy cert generation. We no longer use on-disk storage - we just keep the certs in memory. 2013-08-12 04:03:29 +00:00			`Returns an SSLCert object.`
Basic certificate store implementation and cert utils API cleanup. 2013-01-05 12:15:53 +00:00
			`commonname: Common name for the generated certificate. Must be a`
			`valid, plain-ASCII, IDNA-encoded domain name.`

			`sans: A list of Subject Alternate Names.`

Sanity-check certstore common names. 2013-01-05 12:34:39 +00:00			`Return None if the certificate could not be found or generated.`
Basic certificate store implementation and cert utils API cleanup. 2013-01-05 12:15:53 +00:00			`"""`
Revamp dummy cert generation. We no longer use on-disk storage - we just keep the certs in memory. 2013-08-12 04:03:29 +00:00			`if commonname in self.certs:`
			`return self.certs[commonname]`
Beef up CertStore, add DH params. 2014-03-04 01:12:58 +00:00			`c = dummy_cert(self.pkey, self.cert, commonname, sans)`
Revamp dummy cert generation. We no longer use on-disk storage - we just keep the certs in memory. 2013-08-12 04:03:29 +00:00			`self.certs[commonname] = c`
			`return c`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00

			`class _GeneralName(univ.Choice):`
			`# We are only interested in dNSNames. We use a default handler to ignore`
			`# other types.`
			`componentType = namedtype.NamedTypes(`
			`namedtype.NamedType('dNSName', char.IA5String().subtype(`
			`implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)`
			`)`
			`),`
			`)`


			`class _GeneralNames(univ.SequenceOf):`
			`componentType = _GeneralName()`
			`sizeSpec = univ.SequenceOf.sizeSpec + constraint.ValueSizeConstraint(1, 1024)`


move StateObject back into libmproxy 2014-01-31 00:06:53 +00:00			`class SSLCert:`
Refactor certutils.SSLCert API. 2012-06-27 10:11:58 +00:00			`def __init__(self, cert):`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`"""`
			`Returns a (common name, [subject alternative names]) tuple.`
			`"""`
Refactor certutils.SSLCert API. 2012-06-27 10:11:58 +00:00			`self.x509 = cert`

			`@classmethod`
			`def from_pem(klass, txt):`
			`x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, txt)`
			`return klass(x509)`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00
			`@classmethod`
			`def from_der(klass, der):`
			`pem = ssl.DER_cert_to_PEM_cert(der)`
Refactor certutils.SSLCert API. 2012-06-27 10:11:58 +00:00			`return klass.from_pem(pem)`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00
Add utility function for converstion to PEM. 2012-06-28 02:56:21 +00:00			`def to_pem(self):`
			`return OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, self.x509)`

Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`def digest(self, name):`
Refactor certutils.SSLCert API. 2012-06-27 10:11:58 +00:00			`return self.x509.digest(name)`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00
			`@property`
			`def issuer(self):`
Refactor certutils.SSLCert API. 2012-06-27 10:11:58 +00:00			`return self.x509.get_issuer().get_components()`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00
			`@property`
			`def notbefore(self):`
Refactor certutils.SSLCert API. 2012-06-27 10:11:58 +00:00			`t = self.x509.get_notBefore()`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`return datetime.datetime.strptime(t, "%Y%m%d%H%M%SZ")`

			`@property`
			`def notafter(self):`
Refactor certutils.SSLCert API. 2012-06-27 10:11:58 +00:00			`t = self.x509.get_notAfter()`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`return datetime.datetime.strptime(t, "%Y%m%d%H%M%SZ")`

			`@property`
			`def has_expired(self):`
Refactor certutils.SSLCert API. 2012-06-27 10:11:58 +00:00			`return self.x509.has_expired()`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00
			`@property`
			`def subject(self):`
Refactor certutils.SSLCert API. 2012-06-27 10:11:58 +00:00			`return self.x509.get_subject().get_components()`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00
			`@property`
			`def serial(self):`
Refactor certutils.SSLCert API. 2012-06-27 10:11:58 +00:00			`return self.x509.get_serial_number()`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00
			`@property`
			`def keyinfo(self):`
Refactor certutils.SSLCert API. 2012-06-27 10:11:58 +00:00			`pk = self.x509.get_pubkey()`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`types = {`
			`OpenSSL.crypto.TYPE_RSA: "RSA",`
			`OpenSSL.crypto.TYPE_DSA: "DSA",`
			`}`
			`return (`
			`types.get(pk.type(), "UNKNOWN"),`
			`pk.bits()`
			`)`

			`@property`
			`def cn(self):`
Beef up client certificate handling substantially. 2013-01-20 09:13:38 +00:00			`c = None`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`for i in self.subject:`
			`if i[0] == "CN":`
Beef up client certificate handling substantially. 2013-01-20 09:13:38 +00:00			`c = i[1]`
			`return c`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00
			`@property`
			`def altnames(self):`
			`altnames = []`
Refactor certutils.SSLCert API. 2012-06-27 10:11:58 +00:00			`for i in range(self.x509.get_extension_count()):`
			`ext = self.x509.get_extension(i)`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`if ext.get_short_name() == "subjectAltName":`
Ignore SAN entries that we don't understand. 2012-07-24 02:55:54 +00:00			`try:`
			`dec = decode(ext.get_data(), asn1Spec=_GeneralNames())`
			`except PyAsn1Error:`
			`continue`
Add certutils to netlib. 2012-06-27 04:42:00 +00:00			`for i in dec[0]:`
			`altnames.append(i[0].asOctets())`
			`return altnames`


Add a get_remote_cert method to tcp client. 2012-06-27 20:15:55 +00:00			`def get_remote_cert(host, port, sni):`
add tcp.Address to unify ipv4/ipv6 address handling 2014-01-28 16:26:35 +00:00			`c = tcp.TCPClient((host, port))`
Add a get_remote_cert method to tcp client. 2012-06-27 20:15:55 +00:00			`c.connect()`
			`c.convert_to_ssl(sni=sni)`
			`return c.cert`