This module contains utilities for parsing extensions in general, but mostly the VOMS extensions. It was written based on a reading of the VOMS standard and of RFC 5755.

This module relies on the definitions of RFC 3281, which is the predecessor of RFC 5755, but it still seems to work for what we are interested in.

To summarize, the attributes we are interested in are called CertificateAttributes, and are stored in proxy extensions. The VOMS extension in a proxy is a Sequence of Sequence (??) of CertificateAttribute. One Sequence is due to the fact that you can embed more than one VO CertificateAttribute in one proxy. The other one was acknowledged as an error in the formal description (an erratum will come).

This is now pure Python, but it might be interesting to wrap the existing C library instead…


Decode the content of the DIRAC group extension


Parameters: m2cert – M2Crypto X509 object, a certificate


Returns: the DIRAC group


Raises: same as retrieveExtension


Decode the content of the VOMS extension


Parameters: m2cert – M2Crypto X509 object, a certificate


Returns: a dictionary containing the following fields:

  • notBefore: datetime.datetime

  • notAfter: datetime.datetime

  • attribute: (string). Comma-separated list of VOMS tags, presented as below:

    “<tagName> = <tagValue> (<tagQualifier>)”. Typically, the nickname will look like ‘nickname = chaen (lhcb)’.

  • fqan: List of VOMS “position” ([‘/lhcb/Role=production/Capability=NULL’, ‘/lhcb/Role=NULL/Capability=NULL’])

  • vo: name of the VO,

  • subject: subject DN to which the attributes were granted,

  • issuer: typically the DN of the VOMS server (e.g ‘/DC=ch/DC=cern/OU=computers/’)
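
One way a caller might consume the dictionary described above, refusing FQANs outside the validity window and treating Role=NULL as "no role". This is an added example, not DIRAC's own code: `parse_fqan`, `parse_tags`, `active_roles`, `NOW` and `SAMPLE` are hypothetical names, the sample is constructed, and the example assumes naive datetimes and that the attribute certificate's signature has been verified elsewhere.

```python
import re
from datetime import datetime, timedelta

# Documented tag format: "<tagName> = <tagValue> (<tagQualifier>)"
_TAG_RE = re.compile(r"^\s*([^=]+?)\s*=\s*(.*?)\s*\(([^()]*)\)\s*$")


def parse_fqan(fqan):
    """Split '/vo/Role=x/Capability=y' into (group, role, capability); 'NULL' becomes None."""
    group, fields = [], {}
    for part in fqan.strip("/").split("/"):
        key, sep, value = part.partition("=")
        if sep and key in ("Role", "Capability"):
            fields[key] = None if value == "NULL" else value
        else:
            group.append(part)
    return "/" + "/".join(group), fields.get("Role"), fields.get("Capability")


def parse_tags(attribute):
    """Parse the comma-separated 'attribute' string into {tagName: (tagValue, tagQualifier)}."""
    tags = {}
    for item in filter(None, (s.strip() for s in attribute.split(","))):
        match = _TAG_RE.match(item)
        if match is None:
            raise ValueError("malformed VOMS tag: %r" % item)  # fail closed
        name, value, qualifier = match.groups()
        tags[name] = (value, qualifier)
    return tags


def active_roles(voms, now):
    """Return {(group, role)} granted by the FQANs, or an empty set outside the validity window."""
    if not voms["notBefore"] <= now <= voms["notAfter"]:
        return set()
    parsed = (parse_fqan(f) for f in voms["fqan"])
    return {(group, role) for group, role, _cap in parsed if role is not None}


# Constructed sample shaped like the documented dictionary (naive datetimes assumed)
NOW = datetime(2024, 1, 1, 12, 0)
SAMPLE = {
    "notBefore": NOW - timedelta(hours=1),
    "notAfter": NOW + timedelta(hours=11),
    "attribute": "nickname = chaen (lhcb)",
    "fqan": ["/lhcb/Role=production/Capability=NULL", "/lhcb/Role=NULL/Capability=NULL"],
    "vo": "lhcb",
}
```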


Utility function to check if the certificate has VOMS extensions


Parameters: m2cert – M2Crypto X509 object, a certificate



DIRAC.Core.Security.m2crypto.asn1_utils.retrieveExtension(m2Cert, extensionOID)

Retrieves an extension from a certificate by its OID

Parameters:

  • m2Cert – M2Crypto X509 object, a certificate

  • extensionOID – the OID we are looking for


Returns: a pyasn1.type.univ.OctetString object, which is the content of the extension (it still needs to be deserialized, depending on the extension!)


Raises: LookupError if it does not have the extension