alecmuffett / certificate-transparency

Automatically exported from code.google.com/p/certificate-transparency

API confusion with cert. subject_name and cert.subject_alternative_name #13

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hi,

right now:

[1] cert.subject_name returns a string.  

[2] cert.subject_alternative_name returns an array of general_names

The proposal is to change  cert.subject_name to return a list of GeneralNames.

For example, given this "real-world" cert


the API produces this mess.

CN=www.rd.io/CN=rdio.com/CN=rd.io/CN=api.rdio.com/CN=api.rd.io/serialNumber=4586007/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/C=US/postalCode=94103/ST=CA/L=San Francisco/streetAddress=1550 Bryant st/O=Rdio, Inc./OU=COMODO EV Multi-Domain SSL/CN=www.rdio.com

I mean I guess I could  [x.split('=') for x in s.split('/')] to attempt to put 
it back into key-values, but seems odd.

thoughts?

nickg

Original issue reported on code.google.com by nickgsup...@gmail.com on 14 Oct 2013 at 3:32

GoogleCodeExporter commented 9 years ago
hmm, if you don't want to expose GeneralName, another option would be to change 
both methods to return a list of (string,value) tuples, where 'value' is either 
a string or another list of (string,value) tuples.

Original comment by nickgsup...@gmail.com on 14 Oct 2013 at 3:40

GoogleCodeExporter commented 9 years ago
Yeah, this API needs work.

I need to verify how browsers handle names but I've been thinking about 
something like this:

[1] Higher-level API for those who just want to extract mappings to domains:
[1a] domain_names() for a union of common names, dnsNames and everything else 
that browsers may recognize as a domain (i.e., drop the ASN.1 information and 
just return a flat list of strings).
[1b] similar API for country_names(), email_addresses(), ip_addresses() etc.

[2] raw (copy of the?) ASN.1 structure for anything else - given how 
complicated the name format is, giving full power to those few who really need 
it seems like the best option.

Anyway it's on my TODO list and am happy to take more suggestions for a better 
API.

Original comment by ekasper@google.com on 14 Oct 2013 at 7:06

GoogleCodeExporter commented 9 years ago
Note to self when addressing this issue: RDN handling in GeneralName is bust, 
too, as it's only considering the first component of each set.

Original comment by ekasper@google.com on 19 Nov 2013 at 11:02
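An added illustration in Python (not code from the certificate-transparency project) of the three points raised in this thread: the naive split of the '/'-joined subject string quoted in the first post and why that flat form is lossy, the (string, value) tuple representation proposed in the second comment, and what the "first component of each set" RDN bug from the note above drops. The multi-valued Name used as input is constructed for the example.

```python
# Added example, not code from the certificate-transparency project.

# The subject string quoted in the first post, with the wrapped lines rejoined.
FLAT_SUBJECT = (
    "CN=www.rd.io/CN=rdio.com/CN=rd.io/CN=api.rdio.com/CN=api.rd.io/"
    "serialNumber=4586007/1.3.6.1.4.1.311.60.2.1.3=US/"
    "1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/"
    "C=US/postalCode=94103/ST=CA/L=San Francisco/streetAddress=1550 Bryant st/"
    "O=Rdio, Inc./OU=COMODO EV Multi-Domain SSL/CN=www.rdio.com"
)

def split_flat_subject(s):
    """The split suggested in the first post, as ordered (type, value) tuples.
    Repeated types (six CNs here) survive, which a dict keyed by type would
    drop.  Splitting on the first '=' only keeps '=' inside values intact, but
    a '/' inside a value cannot be told from a separator, so the flat string
    is lossy: that is the problem the issue raises."""
    return [tuple(part.split("=", 1)) for part in s.split("/")]

def values_of(pairs, attr_type):
    """All values of one attribute type, in certificate order."""
    return [p[1] for p in pairs if len(p) == 2 and p[0] == attr_type]

# A Name is a SEQUENCE of RDNs; each RDN is a SET of (type, value) components,
# usually one but possibly several.  Constructed sample, not from a real cert.
SAMPLE_NAME = [
    [("C", "US")],
    [("O", "Example Corp")],
    [("OU", "Web"), ("CN", "www.example.test")],  # one RDN, two components
]

def flatten_name(name, first_component_only=False):
    """The (string, value) form proposed above: a single-valued RDN becomes
    (type, value), a multi-valued RDN becomes ("rdn", [(type, value), ...])
    so its grouping is kept.  first_component_only=True reproduces the bug
    noted above, where only the first component of each SET is read."""
    out = []
    for rdn in name:
        if first_component_only or len(rdn) == 1:
            out.append(rdn[0])
        else:
            out.append(("rdn", list(rdn)))
    return out

def domain_names(name):
    """Sketch of the proposed domain_names(): every CN value in the Name,
    wherever it sits, as a flat list of strings."""
    return [v for rdn in name for t, v in rdn if t == "CN"]
```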

GoogleCodeExporter commented 9 years ago
New API for subject names committed in 
https://code.google.com/p/certificate-transparency/source/detail?r=8c76f1c8965df68efe9b90da763aed4dbf07ce63

(This is a breaking change.)

Marking the issue fixed as I think the original issue has been solved. But 
further feature requests for the cert/names API are welcome!

Original comment by ekasper@google.com on 9 Dec 2013 at 3:33