defacto64 / certificate-transparency Goto Github PK

more quality certs from embedded systems, this time from 
http://www.marchnetworks.com/

ct.crypto.error.CertificateError: Corrupt time: Invalid time representation: 
0001010000Z

Looks like seconds are not put in.

here's the cert:

-----BEGIN CERTIFICATE-----
MIIChDCCAe2gAwIBAgIBATANBgkqhkiG9w0BAQUFADCBgDEtMCsGA1UECxMkM2E2
YWRmMjktM2VhZS00ZTA1LWJlNTctZGY5YzJmNjMwYzc1MRcwFQYDVQQKEw5NYXJj
aCBOZXR3b3JrczE2MDQGA1UEAxMtTWFyY2ggTmV0d29ya3MgUGxhdGZvcm0gQ2Vy
dGlmaWNhdGUgQXV0aG9yaXR5MBoXCzAwMDEwMTAwMDBaFwszMDAxMDEwMDAwWjCB
gDEtMCsGA1UECxMkM2E2YWRmMjktM2VhZS00ZTA1LWJlNTctZGY5YzJmNjMwYzc1
MRcwFQYDVQQKEw5NYXJjaCBOZXR3b3JrczE2MDQGA1UEAxMtTWFyY2ggTmV0d29y
a3MgUGxhdGZvcm0gQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDPN6a7xXwjMZaEq0uY3xOYtjnaMOTYIlf1L/z9vfIfSoGs
Tc+yK3WFqhVxem261IRTznUvvHH3B33tbusaBkMx5KIQa8Fnd8L0gPM6zfrY/Tm4
8+TbIqDpeI4E1Whl0bvUjkvDIBgMsfb1qlbY82mhJGU/YLbiEL/53RXZOlfBRwID
AQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAEdu3q/IkyRI
h5qlm7cFXhwPHipA3F+nRJfSZdzQz+uEeFzaqFo36AR7bPzPVHs2O+7O1CnOe/yX
7hDWT3IdE9HBPaUmBVymTo6duAiNFptyphOAaYakn/iWjwzMQuy5jt8wgnu1WcCm
BRrY7i37mHlrdaZWtBge2jpVgL17EQDe
-----END CERTIFICATE-----

here's what openssl does:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: OU=3a6adf29-3eae-4e05-be57-df9c2f630c75, O=March Networks, CN=March Networks Platform Certificate Authority
        Validity
            Not Before: Jan  1 00:00:00 2000 GMT
            Not After : Jan  1 00:00:00 2030 GMT
        Subject: OU=3a6adf29-3eae-4e05-be57-df9c2f630c75, O=March Networks, CN=March Networks Platform Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:cf:37:a6:bb:c5:7c:23:31:96:84:ab:4b:98:df:
                    13:98:b6:39:da:30:e4:d8:22:57:f5:2f:fc:fd:bd:
                    f2:1f:4a:81:ac:4d:cf:b2:2b:75:85:aa:15:71:7a:
                    6d:ba:d4:84:53:ce:75:2f:bc:71:f7:07:7d:ed:6e:
                    eb:1a:06:43:31:e4:a2:10:6b:c1:67:77:c2:f4:80:
                    f3:3a:cd:fa:d8:fd:39:b8:f3:e4:db:22:a0:e9:78:
                    8e:04:d5:68:65:d1:bb:d4:8e:4b:c3:20:18:0c:b1:
                    f6:f5:aa:56:d8:f3:69:a1:24:65:3f:60:b6:e2:10:
                    bf:f9:dd:15:d9:3a:57:c1:47
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE

etc...


What would you like to do here.  I'm happy to adjust x509_time and add tests.

nickg

Adds RFC compatible monitor to the C++ code base.

https://codereview.appspot.com/14205043/

As mentioned on the ct hackday this is the monitor we run as a 
proof-of-concept. Bureaucracy and other constraints have sadly delayed this 
submission a month - sorry for that :-/

Further information is found on the rietveld page.

ct.crypto.error.CertificateError: Corrupt time: Invalid time representation: 
360314154014+0000

however openssl is able to read the time

            Not Before: Mar 12 03:19:24 2008 GMT
            Not After : Jul 28 02:36:28 2035

not sure what's going on with this one.

-----BEGIN CERTIFICATE-----
MIIDHjCCAoegAwIBAgIJALWdz92v035NMA0GCSqGSIb3DQEBBAUAMG8xCzAJBgNV
BAYTAnVzMRAwDgYDVQQHEwdkdWVud2VnMQ0wCwYDVQQKEwRQSUxSMRkwFwYDVQQD
ExBQSUxSIFdlYkFkbWluIENBMSQwIgYJKoZIhvcNAQkBFhVhZmFib3p6aUBwaWxy
dGVjaC5jb20wIhcNMDgxMDI4MTU0MDU5WhcRMzYwMzE0MTU0MDE0KzAwMDAwPTEL
MAkGA1UEBhMCdXMxEDAOBgNVBAcTB2R1ZW53ZWcxDTALBgNVBAoTBFBJTFIxDTAL
BgNVBAMTBFRlc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK6NROua7Yo3
9iT1dqsr/meG4sC4wedeEmUyp9VpvDpS1sHrH0jcss81ffe/tTnREyX2chqvjqh1
R86625pSHmCOMbMAKW6iO4Tc18LOvvgnEPdHxlwMLh8vrbb9/3wWEAiVs4nd4KUD
7rScat1cNootcdcVTw7uuf/sastx/z1RAgMBAAGjge8wgewwHQYDVR0OBBYEFGwh
LY4EcMd4gy5SRYiUWi/V5RWLMIGhBgNVHSMEgZkwgZaAFPL2SfXc7QIbbbBvdXj/
4bScvvrSoXOkcTBvMQswCQYDVQQGEwJ1czEQMA4GA1UEBxMHZHVlbndlZzENMAsG
A1UEChMEUElMUjEZMBcGA1UEAxMQUElMUiBXZWJBZG1pbiBDQTEkMCIGCSqGSIb3
DQEJARYVYWZhYm96emlAcGlscnRlY2guY29tggkAtZ3P3a/TfkwwDwYDVR0RBAgw
BoIEVGVzdDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DANBgkqhkiG9w0BAQQFAAOB
gQAIYhdpcAseNRK8p8uEqwAYTW55eo4+Jk4M3ysVE83gEkJjNq1I9SHp79//suYs
xCpYV3GIBHOFakIa+Scn/tkfLs1IA1AIAYMZHhrgGfF5BlOQGtJHssnUS7tDgApf
fA6jJs41eqhotUj6QNqlCR0F3avYqUHLCAuBCBFOZKevuQ==
-----END CERTIFICATE-----

Commit 4980d68c8f2f4d0a84988ea90e908121f997fb11 introduced the use of 
SSL_CTX_set_custom_cli_ext which is only available in development versions of 
OpenSSL: 
https://github.com/openssl/openssl/commit/a398f821fa98b9923a426cf45b268cf4d56c89
bd

Do we have an alternative that we could use in the meantime? I'd rather not 
have to compile OpenSSL from scratch...

RFC6962 Section 3.3 says:
  "...or by using Online Certificate Status
   Protocol (OCSP) Stapling (also known as the "Certificate Status
   Request" TLS extension; see [RFC6066]), where the response includes
   an OCSP extension with OID 1.3.6.1.4.1.11129.2.4.5..."

"OCSP extension" is ambiguous here.  An RFC2560/6960 "Basic" OCSP Response can 
contain status information for 1 or more certificates.  For each certificate, 
there is an optional "singleExtensions" list of extensions.  And at the very 
end of the Response, there is an optional "responseExtensions" list of 
extensions.

Since each SCT relates to precisely one certificate, I think that 
"singleExtensions" is the right place to put the .2.4.5 extension.

To avoid interop issues, could RFC6962-bis clarify this?

(It's very common for an OCSP Response to only include status for 1 
certificate, so some implementers might put the .2.4.5 extension in 
"responseExtensions" without even considering the alternative).

Adds OIDs used in  AuthorityInfoAccess and ExtendedKeyUsage extensions.

https://codereview.appspot.com/13953043

This more a test of how to submit patches.  It doesn't appear to break anything 
and parses correctly.

thanks!

nickg

This exposes the certificate serial_number.

it returns a asn1.CertificateSerialNumber object since it's not really clear 
what format should be returned.   This seems to match how subject-alt-names 
works  (it returns a list of GeneralNames).

However I'd be happy with just returning a single string version of the number 
'12313423423' etc.

Test included.

https://codereview.appspot.com/14025043/

thanks

nickg

https://codereview.appspot.com/14502064

stack trace:
  File "/usr/local/Cellar/python/2.7.5/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/ct-0.1-py2.7.egg/ct/crypto/cert.py", line 297, in subject_alternative_names
    return name.parse_alternative_names(general_names)
  File "/usr/local/Cellar/python/2.7.5/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/ct-0.1-py2.7.egg/ct/crypto/name.py", line 87, in parse_alternative_names
    return [GeneralName(n) for n in asn1_alternative_names_extension]
  File "/usr/local/Cellar/python/2.7.5/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/ct-0.1-py2.7.egg/ct/crypto/name.py", line 7, in __init__
    self.__parse_name()
  File "/usr/local/Cellar/python/2.7.5/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/ct-0.1-py2.7.egg/ct/crypto/name.py", line 12, in __parse_name
    self.__parse_name_value(self.__asn1_name.getComponent())
  File "/usr/local/Cellar/python/2.7.5/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/ct-0.1-py2.7.egg/ct/crypto/name.py", line 38, in __parse_name_value
    except pyasn1_error.PyAsn1Error:
NameError: global name 'pyasn1_error' is not defined

Deserializer::ReadSCT reads the extensions, but does not assign them in the 
proto.

See: 
https://code.google.com/p/certificate-transparency/source/browse/src/proto/seria
lizer.cc#546

http://codereview.appspot.com/14660043

in name.py, __parse_name_value has

         elif self.__type == x509_name.IP_ADDRESS_NAME:
                 self.__value = name_value.asNumbers()

This returns a tuple of ints.   However, other name-types return a string (most 
of the time). 

The following patch formats the IP NAME as an IPv4 or IPv6 depending on size.

Why I care:  there is a test cert for a CVE that contains names with embedded 
null characters and IP addresses.  I'd like to add it to the CT test suite.  
It's much easier if all values from subject alternative name are strings.

If accepted I'll submit the test case as well.

thanks,

nickg

I ran the cert pasing on the some random certs live in the wild.

These work "fine" in browsers, and openssl (although cert might expired or dead 
or self-signed or not trusted)

Many are failing due to this check deep inside:

pyasn1/codec/cer/decoder.py

class BooleanDecoder(decoder.AbstractSimpleDecoder):
    protoComponent = univ.Boolean(0)
    def valueDecoder(self, fullSubstrate, substrate, asn1Spec, tagSet, length,
                     state, decodeFun, substrateFun):
        head, tail = substrate[:length], substrate[length:]
        if not head:
            raise error.PyAsn1Error('Empty substrate')
        byte = oct2int(head[0])
        # CER/DER specifies encoding of TRUE as 0xFF and FALSE as 0x0, while
        # BER allows any non-zero value as TRUE; cf. sections 8.2.2. and 11.1
        # in http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
        if byte == 0xff:
            value = 1
        elif byte == 0x00:
            value = 0
        else:
            raise error.PyAsn1Error('Boolean CER violation: %s' % byte)

(with value of "1")

I don't know the field exactly (the backtrace is a nightmare).  However, I can 
confirm that changing the logic to not raise the exception (and setting 
value=1) allows it to continue.

I believe we can create a decoder that allows this type of boolean value.

Or we can keep process as is, and just raise an somewhat cryptic exception.

your thoughts?

nickg


here's a sample.. this is live on the internets...

-----BEGIN CERTIFICATE-----
MIICgjCCAeugAwIBAgIBADANBgkqhkiG9w0BAQUFADB8MSMwIQYDVQQDDBpNYXRy
aXhTU0wgU2FtcGxlIFNlcnZlciBDQTELMAkGA1UEBgwCVVMxCzAJBgNVBAgMAldB
MREwDwYDVQQHDAhCZWxsZXZ1ZTEZMBcGA1UECgwQUGVlcnNlYyBOZXR3b3JrczEN
MAsGA1UECwwEVGVzdDAeFw0wNjAzMTMwODEzMzRaFw0wNzAzMTMwODEzMzRaMH4x
JTAjBgNVBAMMHE1hdHJpeFNTTCBTYW1wbGUgU2VydmVyIENlcnQxCzAJBgNVBAYM
AlVTMQswCQYDVQQIDAJXQTERMA8GA1UEBwwIQmVsbGV2dWUxGTAXBgNVBAoMEFBl
ZXJTZWMgTmV0d29ya3MxDTALBgNVBAsMBFRlc3QwgZ4wDQYJKoZIhvcNAQEBBQAD
gYwAMIGIAoGArLJFx36VVxymSgNnepNJfNQ2Wh6RUoe3n6YakhtPWCXHRvGwNBr6
lOqt5bZkcsqM2FkUYMAdIV3DTvMXAVOUf9q0Ys27oIDny/0h2D8vVehjIScYrMrm
xPULuVuovFW4q+VMu+5vMp7U29j0zOHfn/xe687X7DjyaMd19eCcHiECAwEAAaMT
MBEwDwYDVR0TAQEBBAUwAwEBADANBgkqhkiG9w0BAQUFAAOBgQBX6R0aLW/agkug
2zl7kOxssCzi2l55Co6oGno+9t4Xk2IMVpIU/gas8RwnQRjFhw1M02yWobxYEh32
WRJdomY7VNB3m73VhMX909fP+m/d4shJNwB35oZn8JZPjmk9NB/ZGvxK6Zk0WttV
F/KVvu5//R80bStnBA4cAhP7FyUugg==
-----END CERTIFICATE-----

Hi,

right now:

[1] cert.subject_name returns a string.  

[2] cert.subject_alternative_name returns an array of general_names

The proposal is to change  cert.subject_name to return a list of GeneralNames.

For example.  Given this "real-world" vert

-----BEGIN CERTIFICATE-----
MIIGfzCCBWegAwIBAgIQSVCinGH6MkvjJZjRyjK9nTANBgkqhkiG9w0BAQUFADCB
jjELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNDAyBgNV
BAMTK0NPTU9ETyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0Ew
HhcNMTIwMjI5MDAwMDAwWhcNMTQwMjI4MjM1OTU5WjCCAW8xEjAQBgNVBAMTCXd3
dy5yZC5pbzERMA8GA1UEAxMIcmRpby5jb20xDjAMBgNVBAMTBXJkLmlvMRUwEwYD
VQQDEwxhcGkucmRpby5jb20xEjAQBgNVBAMTCWFwaS5yZC5pbzEQMA4GA1UEBRMH
NDU4NjAwNzETMBEGCysGAQQBgjc8AgEDEwJVUzEZMBcGCysGAQQBgjc8AgECEwhE
ZWxhd2FyZTEdMBsGA1UEDxMUUHJpdmF0ZSBPcmdhbml6YXRpb24xCzAJBgNVBAYT
AlVTMQ4wDAYDVQQREwU5NDEwMzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBG
cmFuY2lzY28xFzAVBgNVBAkTDjE1NTAgQnJ5YW50IHN0MRMwEQYDVQQKEwpSZGlv
LCBJbmMuMSMwIQYDVQQLExpDT01PRE8gRVYgTXVsdGktRG9tYWluIFNTTDEVMBMG
A1UEAxMMd3d3LnJkaW8uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAt0AgYOe8EBJNVBAuSJFLKHRKZn0/ObCLBFG4xVH/5fb1rfYHBT1XSjjOqR3t
iGC/A3esF8YC7TuHQcTLVephx0DtJv1ASxRg3zPM8ebBRsuul18N0W+sY1aNXpkd
36quxvjg5UdBrAweuekJ7OTSZcCe2Ry/SKBeZSWWtkWsI4krCLv7JaKUwxw2h+Hn
TAZSBLVxz/mixF0WYdepYwnq2Hm7XvvVEIQ7wxOQ9bA7iCevLojZOnb39BT2QII7
cy8AB47RZdfYg7UwaO3bST2rauA4MKar7/Ozqc0aemNFpLatJfgv07cydiuj9fsd
5aE/c8is8C9M9+7MmSMkcNEgGwIDAQABo4IB8zCCAe8wHwYDVR0jBBgwFoAUiERR
/1AqaV4tiPQhutkM8s7L6nwwHQYDVR0OBBYEFCrYw8bfrYJ61NS2yYx6/CnhjzT4
MA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUF
BwMBBggrBgEFBQcDAjBGBgNVHSAEPzA9MDsGDCsGAQQBsjEBAgEFATArMCkGCCsG
AQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQUzBTBgNVHR8ETDBK
MEigRqBEhkJodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9FeHRlbmRlZFZh
bGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmwwgYQGCCsGAQUFBwEBBHgwdjBOBggr
BgEFBQcwAoZCaHR0cDovL2NydC5jb21vZG9jYS5jb20vQ09NT0RPRXh0ZW5kZWRW
YWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8v
b2NzcC5jb21vZG9jYS5jb20wTAYDVR0RBEUwQ4IMd3d3LnJkaW8uY29tgglhcGku
cmQuaW+CDGFwaS5yZGlvLmNvbYIFcmQuaW+CCHJkaW8uY29tggl3d3cucmQuaW8w
DQYJKoZIhvcNAQEFBQADggEBAKFd4bPVFRyrlqIKPtrtMuqGqid6685ohxf0cv52
sjdRYwLVTjnZOrmkDdNaF3R2A1ZlVMRN+67rK+qfY5sTeijFcudV3/i0PDtOFRwP
6yYVD2uZmYkxfPiW309HPmDF+EzhxpVjWlTQEOwkfFLTmJmwl3Qu2Kffp8F1ENXW
OTVNvj5VtMghvzu68PpzKl1VjlOR4Ej9NCwh1dUjNKEoTPzvpehXsIZ7jHSpX/T1
wSSt9ckiechDdpgZXTzHgbxHNibK0Uhh+QhkBgYMj5F8qj5BlBhWAWqQa/VnEdmr
Pfo7U+QmadoqQd7qt06hE2hG1nfZ0vPJDbWV3oVSwG2Yt7I=
-----END CERTIFICATE-----

the API produces this mess.

CN=www.rd.io/CN=rdio.com/CN=rd.io/CN=api.rdio.com/CN=api.rd.io/serialNumber=4586
007/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCatego
ry=Private Organization/C=US/postalCode=94103/ST=CA/L=San 
Francisco/streetAddress=1550 Bryant st/O=Rdio, Inc./OU=COMODO EV Multi-Domain 
SSL/CN=www.rdio.com

I mean I guess I could  [x.split('=') for x in s.split('/')] to attempt to put 
it back into key-values, but seems odd.


thoughts?

nickg

To reproduce:
src/client/upload_server_cert.sh www.idnet.net

The output from the 1st command in the script is not valid PEM:
openssl s_client -connect $SERVER:443 -showcerts < /dev/null | tee $TMP

Attached example output. Even after cleaning the non-PEM lines, CertChain still 
fails to load this chain.

cert.subject_alternative_name:

        general_names = self.__get_decoded_extension_value(
            x509_extension.ID_CE_SUBJECT_ALT_NAME)

       This can be none.


then it goes to 

name.py parse_alternative name

   return [GeneralName(n) for n in asn1_alternative_names_extension]

which then explodes

    return [GeneralName(n) for n in asn1_alternative_names_extension]
TypeError: 'NoneType' object is not iterable


A quick hack might be:

diff --git a/src/python/ct/crypto/name.py b/src/python/ct/crypto/name.py
index a7ef6f7..b0ceb9b 100644
--- a/src/python/ct/crypto/name.py
+++ b/src/python/ct/crypto/name.py
@@ -83,6 +83,7 @@ def parse_alternative_names(asn1_alternative_names_extension):
     Returns:
         A lit of GeneralName instances.
     """
-
+    if asn1_alternative_names_extension is None:
+        return None

or maybe

return [] 

??


Here's a sample cert to test with (it's an intermediate cert):

-----BEGIN CERTIFICATE-----
MIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTAwMjE5MjI0NTA1WhcNMjAwMjE4MjI0NTA1WjA8MQswCQYDVQQG
EwJVUzEXMBUGA1UEChMOR2VvVHJ1c3QsIEluYy4xFDASBgNVBAMTC1JhcGlkU1NM
IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx3H4Vsce2cy1rfa0
l6P7oeYLUF9QqjraD/w9KSRDxhApwfxVQHLuverfn7ZB9EhLyG7+T1cSi1v6kt1e
6K3z8Buxe037z/3R5fjj3Of1c3/fAUnPjFbBvTfjW761T4uL8NpPx+PdVUdp3/Jb
ewdPPeWsIcHIHXro5/YPoar1b96oZU8QiZwD84l6pV4BcjPtqelaHnnzh8jfyMX8
N8iamte4dsywPuf95lTq319SQXhZV63xEtZ/vNWfcNMFbPqjfWdY3SZiHTGSDHl5
HI7PynvBZq+odEj7joLCniyZXHstXZu8W1eefDp6E63yoxhbK1kPzVw662gzxigd
gtFQiwIDAQABo4HZMIHWMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUa2k9ahhC
St2PAmU5/TUkhniRFjAwHwYDVR0jBBgwFoAUwHqYaI2J+6sFZAwRfap9ZbjKzE4w
EgYDVR0TAQH/BAgwBgEB/wIBADA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3Js
Lmdlb3RydXN0LmNvbS9jcmxzL2d0Z2xvYmFsLmNybDA0BggrBgEFBQcBAQQoMCYw
JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdlb3RydXN0LmNvbTANBgkqhkiG9w0B
AQUFAAOCAQEAq7y8Cl0YlOPBscOoTFXWvrSY8e48HM3P8yQkXJYDJ1j8Nq6iL4/x
/torAsMzvcjdSCIrYA+lAxD9d/jQ7ZZnT/3qRyBwVNypDFV+4ZYlitm12ldKvo2O
SUNjpWxOJ4cl61tt/qJ/OCjgNqutOaWlYsS3XFgsql0BYKZiZ6PAx2Ij9OdsRu61
04BqIhPSLT90T+qvjF+0OJzbrs6vhB6m9jRRWXnT43XcvNfzc9+S7NIgWW+c+5X4
knYYCnwPLKbK3opie9jzzl9ovY8+wXS7FXI6FoOpC+ZNmZzYV+yoAVHHb1c0XqtK
LEL2TxyJeN4mTvVvk0wVaydWTQBUbHq3tw==
-----END CERTIFICATE-----

around line 84 of name.py

"""
    Returns:                                                                                                              
        A lit of GeneralName instances.
"""

s/lit/list/

thanks

nickg