How and why I built certificate validator library
About me
I'm a professional software developer.
The problem I wanted to solve
I had to come up with a replacement for a C library that checks whether presented certificates are valid; I chose Python.
What is certificate validator library?
I built a small library to validate X.509 certificates.
Tech stack
Python3, OpenSSL, Regex
The process of building certificate validator library
I had to search for all existing libraries that could ease my work; I found the OpenSSL Python library, which significantly reduced my task. It had methods to parse a certificate and to access its different fields.
Then I had to add the missing pieces, which were surprisingly absent from the OpenSSL library; that was quite shocking to me, given how important certificates are.
Challenges I faced
- I couldn't find a direct way in Python to validate whether a value is a DNS name or not, so I finally had to resort to a regex for the check.
- I was surprised to find that there was no method in the OpenSSL library to check a certificate's "is valid before" date.
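As an added example (not code from the author's library), here are the two pieces mentioned above written with only the standard library: a regex-based DNS hostname check and a validity-window check that parses the b'YYYYMMDDhhmmssZ' timestamps that pyOpenSSL's get_notBefore()/get_notAfter() return. The function names and the sample values are my own assumptions.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# RFC 1123 hostname label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_DNS_NAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def is_valid_dns_name(value: str, allow_wildcard: bool = False) -> bool:
    """True if value is a syntactically valid DNS hostname (not an IP address).
    With allow_wildcard=True a single leading "*." label is accepted, the only
    wildcard form usually tolerated in a certificate's dNSName SAN entry."""
    name = value.rstrip(".")  # tolerate the fully qualified trailing dot
    if allow_wildcard and name.startswith("*."):
        name = name[2:]
        if "." not in name:  # "*.com" would match every domain under a TLD
            return False
    if not name or len(name) > 253 or not _DNS_NAME_RE.match(name):
        return False
    return not name.rsplit(".", 1)[-1].isdigit()  # all-digit top label = IP-like


def parse_asn1_time(raw: bytes) -> datetime:
    """Parse the b'YYYYMMDDhhmmssZ' value that pyOpenSSL's X509.get_notBefore()
    and get_notAfter() return into a timezone-aware UTC datetime."""
    text = raw.decode("ascii")
    if len(text) != 15 or not text.endswith("Z"):
        raise ValueError(f"unsupported ASN.1 time: {text!r}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity_status(not_before: bytes, not_after: bytes,
                    now: Optional[datetime] = None) -> str:
    """Return "valid", "not_yet_valid" or "expired" for the window [notBefore, notAfter].
    notBefore is checked as well as notAfter: a certificate whose validity has
    not started yet must be rejected just like an expired one."""
    now = now or datetime.now(timezone.utc)
    start, end = parse_asn1_time(not_before), parse_asn1_time(not_after)
    if now < start:
        return "not_yet_valid"
    return "expired" if now > end else "valid"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real certificate.
    probe = parse_asn1_time(b"20240601000000Z")
    print(validity_status(b"20240101000000Z", b"20250101000000Z", probe))  # valid
    print(is_valid_dns_name("*.example.com", allow_wildcard=True))  # True
```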
Key learnings
I had to make this library for a legacy codebase where we needed to drop the dependency on a C library that served the same purpose, so the errors are hard-coded; I wish I had had the option to deal with errors in a more elegant way.
Tips and advice
- Always document your code; there is no denying how crucial this is.
- Use Python type hinting; that helps a lot when reviewing code.
def get_fqdn(certificate) -> str:
    # pyOpenSSL: the subject's O attribute is the Organization field of the subject name
    fqdn_ip = certificate.get_subject().O
    return fqdn_ip
The intent of this function, that it returns a string, is completely clear just from looking at the definition, compared to
def get_fqdn(certificate):
    fqdn_ip = certificate.get_subject().O
    return fqdn_ip
- Try to write functions that are composable (I'm a proponent of the Functional Programming paradigm); this way you can reuse these functions.
Final thoughts and next steps
This was my first Python project for work. I tried to write simple and readable code and followed PEP 8. I'm happy with how it finally turned out.