[openstack-dev] [Neutron][LBaaS] subjAltName and CN extraction from x509 certificates

Dustin Lundquist dustin at null-ptr.net
Fri Jun 27 17:48:04 UTC 2014


It doesn't look like NSS is currently used within Neutron or Keystone.
Another alternative would be to write the certificate to a temp file and
then invoke "openssl x509 -text -noout -in $TEMP_FILE" and parse the
output, Keystone currently does similar (keystone/common/openssl.py). Given
renewed focus by security researchers on cryptographic libraries, I think
we should avoid requiring additional cryptographic libraries and use what
is already in use within OpenStack.


-Dustin


On Fri, Jun 27, 2014 at 7:26 AM, John Dennis <jdennis at redhat.com> wrote:

> On 06/27/2014 12:21 AM, Carlos Garza wrote:
> >       I don't know where we can check in experimental code so I have a
> demonstration
> > of how to extract CNs subjAltNames or what ever we want from x509
> certificates. Later on
> > I plan to use the OpenSSL libraries to verify certs coming from barbican
> are valid and
> > actually do sign the private_key it is associated with.
> >
> > https://github.com/crc32a/ssl_exp.git
> >
> >
> I'm always leary of reinventing the wheel, we already have code to
> manage pem files (maybe this should be in oslo, it was proposed once)
>
> keystone/common/pemutils.py
>
> I'm also leary of folks writing their own ASN.1 parsing as opposed to
> using existing libraries. Why? It's really hard to get right so you
> correctly handle all the cases, long established robust libraries are
> better at this.
>
> python-nss (which is a Python binding to the NSS crypto library) has
> easy to use code to extract just about anything from a cert, here is an
> example python script using your example pem file. If using NSS isn't an
> option I'd rather see us provide the necessary binding in pyopenssl than
> handcraft one-off routines. FWIW virtually everything you see in the
> cert output below can be accessed as Pythonically as a Python object(s)
> when using python-nss.
>
> #!/usr/bin/python
>
> import sys
> import nss.nss as nss
>
> nss.nss_init_nodb()
>
> filename = sys.argv[1]
>
> # Read the PEM file
> try:
>     binary_cert = nss.read_der_from_file(filename, True)
> except Exception as e:
>     print e
>     sys.exit(1)
> else:
>     print "loaded cert from file: %s" % filename
>
> # Create a Certificiate object from the binary data
> cert = nss.Certificate(binary_cert)
>
> # Dump some basic information
> print
> print "cert subject: %s " % cert.subject
> print "cert CN: %s " % cert.subject_common_name
> print "cert validity:"
> print "    Not Before: %s" % cert.valid_not_before_str
> print "    Not After: %s" % cert.valid_not_after_str
>
> print
> print "\ncert has %d extensions" % len(cert.extensions)
>
> for extension in cert.extensions:
>     print "    %s (critical: %s)" % (extension.name, extension.critical)
>
> print
> extension = cert.get_extension(nss.SEC_OID_X509_SUBJECT_ALT_NAME)
> if extension:
>     print "Subject Alt Names:"
>     for name in nss.x509_alt_name(extension.value):
>         print "    %s" % name
> else:
>     print "cert does not have a subject alt name extension"
>
> # Dump entire cert in friendly format
> print
> print ">>> Entire cert contents <<<"
> print cert
>
> sys.exit(0)
>
> Yields this output:
>
> loaded cert from file: cr1.pem
>
> cert subject: CN=www.digicert.com,O="DigiCert,
> Inc.",L=Lehi,ST=Utah,C=US,postalCode=84043,STREET=2600 West Executive
> Parkway,STREET=Suite
> 500,serialNumber=5299537-0142,incorporationState=Utah,incorporationCountry=US,businessCategory=Private
> Organization
> cert CN: www.digicert.com
> cert validity:
>     Not Before: Thu Mar 20 00:00:00 2014 UTC
>     Not After: Sun Jun 12 12:00:00 2016 UTC
>
>
> cert has 10 extensions
>     Certificate Authority Key Identifier (critical: False)
>     Certificate Subject Key ID (critical: False)
>     Certificate Subject Alt Name (critical: False)
>     Certificate Key Usage (critical: True)
>     Extended Key Usage (critical: False)
>     CRL Distribution Points (critical: False)
>     Certificate Policies (critical: False)
>     Authority Information Access (critical: False)
>     Certificate Basic Constraints (critical: True)
>     OID.1.3.6.1.4.1.11129.2.4.2 (critical: False)
>
> Subject Alt Names:
>     www.digicert.com
>     content.digicert.com
>     digicert.com
>     www.origin.digicert.com
>     login.digicert.com
>
> >>> Entire cert contents <<<
> Data:
>         Version:       3 (0x2)
>         Serial Number: 13518267578909330747227050733614153347
> (0xa2b860cca01f45fd7ee63601b1c3e83)
>         Signature Algorithm:
>             Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: CN=DigiCert SHA2 Extended Validation Server CA,OU=
> www.digicert.com,O=DigiCert Inc,C=US
>         Validity:
>             Not Before: Thu Mar 20 00:00:00 2014 UTC
>             Not After:  Sun Jun 12 12:00:00 2016 UTC
>         Subject: CN=www.digicert.com,O="DigiCert,
> Inc.",L=Lehi,ST=Utah,C=US,postalCode=84043,STREET=2600 West Executive
> Parkway,STREET=Suite
> 500,serialNumber=5299537-0142,incorporationState=Utah,incorporationCountry=US,businessCategory=Private
> Organization
>         Subject Public Key Info:
>             Public Key Algorithm:
>                 Algorithm: PKCS #1 RSA Encryption
>             RSA Public Key:
>                 Modulus:
>                     a8:89:b3:3b:91:94:57:87:72:09:5b:5f:cb:2c:42:2a:
>                     9e:ed:c2:fd:20:7b:2c:63:7f:dd:07:bf:fb:49:5c:ed:
>                     1c:a2:70:79:75:c2:34:cc:eb:12:f0:40:88:3a:b9:ea:
>                     29:a2:11:8f:53:e1:02:e1:87:04:f6:58:b9:86:b6:7f:
>                     85:5e:0a:58:47:c3:bd:e7:6b:21:07:9d:db:ef:57:8b:
>                     16:ce:38:f1:e3:e2:e4:5a:10:b8:39:bb:0a:ad:ca:c5:
>                     10:85:3a:a1:6f:67:c9:18:c3:5b:b2:4c:a6:01:b6:c3:
>                     50:be:7e:c8:79:ca:3c:53:5e:02:78:ae:96:5f:56:21:
>                     b3:a4:3c:3f:fe:49:c5:17:73:a5:6e:a9:60:aa:bd:16:
>                     04:56:fa:54:d2:cb:25:c0:e9:9f:89:c9:ee:10:87:01:
>                     f2:c7:93:2d:c3:2f:9e:d0:9c:42:24:9d:09:24:f6:80:
>                     c4:e8:34:99:5a:2e:26:c3:73:28:52:26:ac:09:34:8e:
>                     c5:70:e1:f5:fb:93:b8:34:2d:44:f4:50:1f:86:0a:9b:
>                     64:45:26:05:d4:45:ca:72:03:dd:1e:80:1a:9c:53:06:
>                     7b:c8:36:31:03:da:5f:55:c4:0d:29:c0:52:9c:23:95:
>                     8d:a9:55:95:c4:11:02:5b:a3:1b:ee:79:b2:6e:4a:6a:
>                     4d:4a:44:3e:39:9e:8b:0d:ec:38:93:5e:5c:b3:4f:53:
>                     8f:4e:2a:78:b1:52:54:4b:fb:6a:94:35:61:03:06:79:
>                     e8:06:9c:8e:81:5b:6b:36:df:c0:fe:43:ce:d5:16:19:
>                     f6:82:94:e8:80:00:e1:84:14:1d:28:73:8b:e9:ba:b6:
>                     55:e7:a6:17:8c:ae:70:15:be:04:ef:c8:08:27:d9:df:
>                     3a:7e:67:8c:06:0d:51:94:05:95:2f:27:e4:c1:d4:a4:
>                     5e:ca:96:13:89:d2:05:8b:43:68:fc:31:87:a9:b6:f2:
>                     c3:47:e3:df:d9:19:13:4f:b9:05:a9:8a:98:03:ca:c5:
>                     92:29:e3:73:e7:4b:e8:0a:da:1b:9c:db:68:50:66:95:
>                     2b:dc:e8:39:1b:14:fa:41:d3:fc:da:e6:8d:04:2c:81:
>                     d1:12:47:c6:27:9d:d7:54:bd:4f:ee:42:20:96:52:a6:
>                     83:9f:59:05:6b:2b:18:41:7a:5a:bb:89:1b:45:82:8a:
>                     6e:7b:94:78:e0:4e:09:eb:1c:a8:da:d9:b4:56:d4:a0:
>                     7d:08:d5:f2:94:81:2e:a1:b4:0a:14:56:21:26:c3:c4:
>                     27:48:3c:50:d5:71:45:35:4b:37:22:7b:69:26:6c:db:
>                     b8:4e:f2:f1:a2:f8:6b:fb:1a:ae:e6:eb:5b:1e:15:d5
>                 Exponent:
>                     65537 (0x10001)
>     Signed Extensions: (10)
>         Name:     Certificate Authority Key Identifier
>         Critical: False
>         Key ID:
>             3d:d3:50:a5:d6:a0:ad:ee:f3:4a:60:0a:65:d3:21:d4:
>             f8:f8:d6:0f
>         Serial Number: None
>         General Names: [0 total]
>
>         Name:     Certificate Subject Key ID
>         Critical: False
>         Data:
>             f8:a3:a7:61:ab:d9:77:4b:19:66:90:c7:9f:e3:9f:e6:
>             b0:44:21:06
>
>         Name:     Certificate Subject Alt Name
>         Critical: False
>         Names:
>             www.digicert.com
>             content.digicert.com
>             digicert.com
>             www.origin.digicert.com
>             login.digicert.com
>
>         Name:     Certificate Key Usage
>         Critical: True
>         Usages:
>             Digital Signature
>             Key Encipherment
>
>         Name:     Extended Key Usage
>         Critical: False
>         Usages:
>             TLS Web Server Authentication Certificate
>             TLS Web Client Authentication Certificate
>
>         Name:     CRL Distribution Points
>         Critical: False
>         CRL Distribution Points: [2 total]
>             Point [1]:
>                 General Names: [1 total]
>                     http://crl3.digicert.com/sha2-ev-server-g1.crl
>                 Issuer:  None
>                 Reasons: ()
>             Point [2]:
>                 General Names: [1 total]
>                     http://crl4.digicert.com/sha2-ev-server-g1.crl
>                 Issuer:  None
>                 Reasons: ()
>
>         Name:     Certificate Policies
>         Critical: False
>
>         Name:     Authority Information Access
>         Critical: False
>         Authority Information Access: [2 total]
>             Info [1]:
>                 Method:   PKIX Online Certificate Status Protocol
>                 Location: URI: http://ocsp.digicert.com
>             Info [2]:
>                 Method:   PKIX CA issuers access method
>                 Location: URI:
> http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt
>
>         Name:        Certificate Basic Constraints
>         Critical:    True
>         Is CA:       False
>         Path Length: 0
>
>         Name:     OID.1.3.6.1.4.1.11129.2.4.2
>         Critical: False
>
>     Signature:
>         Signature Algorithm:
>             Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Signature:
>             2d:9c:82:2e:a4:47:a7:54:f1:e7:80:34:d2:1e:8f:b7:
>             8e:f0:b4:8e:d0:9a:b6:b7:36:1f:17:22:0d:0e:91:7f:
>             bf:9d:ea:6f:7a:a9:18:cd:8c:60:8a:4d:c9:ea:b3:0b:
>             8d:bd:77:30:97:3e:f5:e9:72:00:33:33:cd:3b:d6:13:
>             14:a3:a7:4d:fc:dd:c1:97:2c:e5:f6:1a:24:97:3d:79:
>             12:01:9b:c8:9c:6e:26:a5:8d:bd:9d:a8:b1:bd:10:56:
>             11:05:d6:3b:56:dc:0c:42:cd:8c:dc:81:30:5a:c9:79:
>             84:0b:03:11:99:06:0e:32:f7:b9:33:8d:59:fc:e5:e4:
>             25:a3:f6:89:41:7f:32:38:44:56:3e:e2:b1:da:fe:43:
>             0b:5a:5c:19:aa:53:0f:ae:e3:86:2c:de:c7:4e:13:89:
>             e8:a7:93:52:45:71:06:35:2e:b0:ed:4d:97:76:1e:ec:
>             50:84:f6:15:ce:86:04:ab:ab:e0:93:fe:8e:cf:f5:53:
>             d3:43:d1:57:82:70:37:ea:84:85:38:fc:83:eb:8c:9f:
>             30:5f:31:4f:57:c2:e6:88:25:b8:4e:ec:99:07:23:90:
>             f1:51:2d:ca:0f:ab:9a:58:33:12:2c:62:bd:d9:d7:ca:
>             f0:0d:cc:5d:28:81:96:ff:d2:8f:34:d6:a9:bd:ba:26
>         Fingerprint (MD5):
>             b7:37:7c:9b:1c:7b:c1:12:72:1a:a4:1f:59:ec:42:d8
>         Fingerprint (SHA1):
>             90:5e:94:72:0e:a5:98:93:79:5c:41:5f:00:ad:d6:0e:
>             9f:e6:a0:d9
>
> -- John
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140627/0804c1e6/attachment.html>


More information about the OpenStack-dev mailing list