[openstack-dev] [Neutron][LBaaS] subjAltName and CN extraction from x509 certificates

John Dennis jdennis at redhat.com
Fri Jun 27 14:26:23 UTC 2014


On 06/27/2014 12:21 AM, Carlos Garza wrote:
> 	I don't know where we can check in experimental code so I have a demonstration
> of how to extract CNs subjAltNames or what ever we want from x509 certificates. Later on
> I plan to use the OpenSSL libraries to verify certs coming from barbican are valid and
> actually do sign the private_key it is associated with. 
>
> https://github.com/crc32a/ssl_exp.git
>
>
I'm always leary of reinventing the wheel, we already have code to
manage pem files (maybe this should be in oslo, it was proposed once)

keystone/common/pemutils.py

I'm also leary of folks writing their own ASN.1 parsing as opposed to
using existing libraries. Why? It's really hard to get right so you
correctly handle all the cases, long established robust libraries are
better at this.

python-nss (which is a Python binding to the NSS crypto library) has
easy to use code to extract just about anything from a cert, here is an
example python script using your example pem file. If using NSS isn't an
option I'd rather see us provide the necessary binding in pyopenssl than
handcraft one-off routines. FWIW virtually everything you see in the
cert output below can be accessed as Pythonically as a Python object(s)
when using python-nss.

#!/usr/bin/python

import sys
import nss.nss as nss

nss.nss_init_nodb()

filename = sys.argv[1]

# Read the PEM file
try:
    binary_cert = nss.read_der_from_file(filename, True)
except Exception as e:
    print e
    sys.exit(1) 
else:
    print "loaded cert from file: %s" % filename

# Create a Certificiate object from the binary data
cert = nss.Certificate(binary_cert)

# Dump some basic information
print
print "cert subject: %s " % cert.subject
print "cert CN: %s " % cert.subject_common_name
print "cert validity:"
print "    Not Before: %s" % cert.valid_not_before_str
print "    Not After: %s" % cert.valid_not_after_str

print
print "\ncert has %d extensions" % len(cert.extensions)

for extension in cert.extensions:
    print "    %s (critical: %s)" % (extension.name, extension.critical)

print
extension = cert.get_extension(nss.SEC_OID_X509_SUBJECT_ALT_NAME)
if extension:
    print "Subject Alt Names:"
    for name in nss.x509_alt_name(extension.value):
        print "    %s" % name
else:
    print "cert does not have a subject alt name extension"

# Dump entire cert in friendly format
print
print ">>> Entire cert contents <<<"
print cert

sys.exit(0)

Yields this output:

loaded cert from file: cr1.pem

cert subject: CN=www.digicert.com,O="DigiCert, Inc.",L=Lehi,ST=Utah,C=US,postalCode=84043,STREET=2600 West Executive Parkway,STREET=Suite 500,serialNumber=5299537-0142,incorporationState=Utah,incorporationCountry=US,businessCategory=Private Organization 
cert CN: www.digicert.com 
cert validity:
    Not Before: Thu Mar 20 00:00:00 2014 UTC
    Not After: Sun Jun 12 12:00:00 2016 UTC


cert has 10 extensions
    Certificate Authority Key Identifier (critical: False)
    Certificate Subject Key ID (critical: False)
    Certificate Subject Alt Name (critical: False)
    Certificate Key Usage (critical: True)
    Extended Key Usage (critical: False)
    CRL Distribution Points (critical: False)
    Certificate Policies (critical: False)
    Authority Information Access (critical: False)
    Certificate Basic Constraints (critical: True)
    OID.1.3.6.1.4.1.11129.2.4.2 (critical: False)

Subject Alt Names:
    www.digicert.com
    content.digicert.com
    digicert.com
    www.origin.digicert.com
    login.digicert.com

>>> Entire cert contents <<<
Data:
        Version:       3 (0x2)
        Serial Number: 13518267578909330747227050733614153347 (0xa2b860cca01f45fd7ee63601b1c3e83)
        Signature Algorithm:
            Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
        Validity:
            Not Before: Thu Mar 20 00:00:00 2014 UTC
            Not After:  Sun Jun 12 12:00:00 2016 UTC
        Subject: CN=www.digicert.com,O="DigiCert, Inc.",L=Lehi,ST=Utah,C=US,postalCode=84043,STREET=2600 West Executive Parkway,STREET=Suite 500,serialNumber=5299537-0142,incorporationState=Utah,incorporationCountry=US,businessCategory=Private Organization
        Subject Public Key Info:
            Public Key Algorithm:
                Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    a8:89:b3:3b:91:94:57:87:72:09:5b:5f:cb:2c:42:2a:
                    9e:ed:c2:fd:20:7b:2c:63:7f:dd:07:bf:fb:49:5c:ed:
                    1c:a2:70:79:75:c2:34:cc:eb:12:f0:40:88:3a:b9:ea:
                    29:a2:11:8f:53:e1:02:e1:87:04:f6:58:b9:86:b6:7f:
                    85:5e:0a:58:47:c3:bd:e7:6b:21:07:9d:db:ef:57:8b:
                    16:ce:38:f1:e3:e2:e4:5a:10:b8:39:bb:0a:ad:ca:c5:
                    10:85:3a:a1:6f:67:c9:18:c3:5b:b2:4c:a6:01:b6:c3:
                    50:be:7e:c8:79:ca:3c:53:5e:02:78:ae:96:5f:56:21:
                    b3:a4:3c:3f:fe:49:c5:17:73:a5:6e:a9:60:aa:bd:16:
                    04:56:fa:54:d2:cb:25:c0:e9:9f:89:c9:ee:10:87:01:
                    f2:c7:93:2d:c3:2f:9e:d0:9c:42:24:9d:09:24:f6:80:
                    c4:e8:34:99:5a:2e:26:c3:73:28:52:26:ac:09:34:8e:
                    c5:70:e1:f5:fb:93:b8:34:2d:44:f4:50:1f:86:0a:9b:
                    64:45:26:05:d4:45:ca:72:03:dd:1e:80:1a:9c:53:06:
                    7b:c8:36:31:03:da:5f:55:c4:0d:29:c0:52:9c:23:95:
                    8d:a9:55:95:c4:11:02:5b:a3:1b:ee:79:b2:6e:4a:6a:
                    4d:4a:44:3e:39:9e:8b:0d:ec:38:93:5e:5c:b3:4f:53:
                    8f:4e:2a:78:b1:52:54:4b:fb:6a:94:35:61:03:06:79:
                    e8:06:9c:8e:81:5b:6b:36:df:c0:fe:43:ce:d5:16:19:
                    f6:82:94:e8:80:00:e1:84:14:1d:28:73:8b:e9:ba:b6:
                    55:e7:a6:17:8c:ae:70:15:be:04:ef:c8:08:27:d9:df:
                    3a:7e:67:8c:06:0d:51:94:05:95:2f:27:e4:c1:d4:a4:
                    5e:ca:96:13:89:d2:05:8b:43:68:fc:31:87:a9:b6:f2:
                    c3:47:e3:df:d9:19:13:4f:b9:05:a9:8a:98:03:ca:c5:
                    92:29:e3:73:e7:4b:e8:0a:da:1b:9c:db:68:50:66:95:
                    2b:dc:e8:39:1b:14:fa:41:d3:fc:da:e6:8d:04:2c:81:
                    d1:12:47:c6:27:9d:d7:54:bd:4f:ee:42:20:96:52:a6:
                    83:9f:59:05:6b:2b:18:41:7a:5a:bb:89:1b:45:82:8a:
                    6e:7b:94:78:e0:4e:09:eb:1c:a8:da:d9:b4:56:d4:a0:
                    7d:08:d5:f2:94:81:2e:a1:b4:0a:14:56:21:26:c3:c4:
                    27:48:3c:50:d5:71:45:35:4b:37:22:7b:69:26:6c:db:
                    b8:4e:f2:f1:a2:f8:6b:fb:1a:ae:e6:eb:5b:1e:15:d5
                Exponent:
                    65537 (0x10001)
    Signed Extensions: (10)
        Name:     Certificate Authority Key Identifier
        Critical: False
        Key ID:
            3d:d3:50:a5:d6:a0:ad:ee:f3:4a:60:0a:65:d3:21:d4:
            f8:f8:d6:0f
        Serial Number: None
        General Names: [0 total]

        Name:     Certificate Subject Key ID
        Critical: False
        Data:
            f8:a3:a7:61:ab:d9:77:4b:19:66:90:c7:9f:e3:9f:e6:
            b0:44:21:06

        Name:     Certificate Subject Alt Name
        Critical: False
        Names:
            www.digicert.com
            content.digicert.com
            digicert.com
            www.origin.digicert.com
            login.digicert.com

        Name:     Certificate Key Usage
        Critical: True
        Usages:
            Digital Signature
            Key Encipherment

        Name:     Extended Key Usage
        Critical: False
        Usages:
            TLS Web Server Authentication Certificate
            TLS Web Client Authentication Certificate

        Name:     CRL Distribution Points
        Critical: False
        CRL Distribution Points: [2 total]
            Point [1]:
                General Names: [1 total]
                    http://crl3.digicert.com/sha2-ev-server-g1.crl
                Issuer:  None
                Reasons: ()
            Point [2]:
                General Names: [1 total]
                    http://crl4.digicert.com/sha2-ev-server-g1.crl
                Issuer:  None
                Reasons: ()

        Name:     Certificate Policies
        Critical: False

        Name:     Authority Information Access
        Critical: False
        Authority Information Access: [2 total]
            Info [1]:
                Method:   PKIX Online Certificate Status Protocol
                Location: URI: http://ocsp.digicert.com
            Info [2]:
                Method:   PKIX CA issuers access method
                Location: URI: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt

        Name:        Certificate Basic Constraints
        Critical:    True
        Is CA:       False
        Path Length: 0

        Name:     OID.1.3.6.1.4.1.11129.2.4.2
        Critical: False

    Signature:
        Signature Algorithm:
            Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Signature:
            2d:9c:82:2e:a4:47:a7:54:f1:e7:80:34:d2:1e:8f:b7:
            8e:f0:b4:8e:d0:9a:b6:b7:36:1f:17:22:0d:0e:91:7f:
            bf:9d:ea:6f:7a:a9:18:cd:8c:60:8a:4d:c9:ea:b3:0b:
            8d:bd:77:30:97:3e:f5:e9:72:00:33:33:cd:3b:d6:13:
            14:a3:a7:4d:fc:dd:c1:97:2c:e5:f6:1a:24:97:3d:79:
            12:01:9b:c8:9c:6e:26:a5:8d:bd:9d:a8:b1:bd:10:56:
            11:05:d6:3b:56:dc:0c:42:cd:8c:dc:81:30:5a:c9:79:
            84:0b:03:11:99:06:0e:32:f7:b9:33:8d:59:fc:e5:e4:
            25:a3:f6:89:41:7f:32:38:44:56:3e:e2:b1:da:fe:43:
            0b:5a:5c:19:aa:53:0f:ae:e3:86:2c:de:c7:4e:13:89:
            e8:a7:93:52:45:71:06:35:2e:b0:ed:4d:97:76:1e:ec:
            50:84:f6:15:ce:86:04:ab:ab:e0:93:fe:8e:cf:f5:53:
            d3:43:d1:57:82:70:37:ea:84:85:38:fc:83:eb:8c:9f:
            30:5f:31:4f:57:c2:e6:88:25:b8:4e:ec:99:07:23:90:
            f1:51:2d:ca:0f:ab:9a:58:33:12:2c:62:bd:d9:d7:ca:
            f0:0d:cc:5d:28:81:96:ff:d2:8f:34:d6:a9:bd:ba:26
        Fingerprint (MD5):
            b7:37:7c:9b:1c:7b:c1:12:72:1a:a4:1f:59:ec:42:d8
        Fingerprint (SHA1):
            90:5e:94:72:0e:a5:98:93:79:5c:41:5f:00:ad:d6:0e:
            9f:e6:a0:d9

-- John



More information about the OpenStack-dev mailing list