[openstack-dev] [Neutron][LBaaS] subjAltName and CN extraction from x509 certificates

Carlos Garza carlos.garza at rackspace.com
Sat Jun 28 04:50:39 UTC 2014


   Too late, guys. I'm already grabbing the fields from pyasn1. I'm not writing an ASN.1 
parser; I'm using the one from pyasn1_modules.rfc2459.

   I am in favor of using a common crypto lib which is why I was planning to use
the "cryptography" package that barbican already depends on to handle the decrypting of keys etc. 


On Jun 27, 2014, at 12:48 PM, Dustin Lundquist <dustin at null-ptr.net> wrote:

> It doesn't look like NSS is currently used within Neutron or Keystone. Another alternative would be to write the certificate to a temp file and then invoke "openssl x509 -text -noout -in $TEMP_FILE" and parse the output; Keystone currently does something similar (keystone/common/openssl.py). Given renewed focus by security researchers on cryptographic libraries, I think we should avoid requiring additional cryptographic libraries and use what is already in use within OpenStack.

    I'd really like to avoid piping out to the command line and then writing another parser for the output. I'm kinda shocked that keystone is actually doing this. :( Anyways, there's plenty of hooks to get into the low-level OpenSSL lib if we need to.

> 
> -Dustin
> 
> 
> On Fri, Jun 27, 2014 at 7:26 AM, John Dennis <jdennis at redhat.com> wrote:
> On 06/27/2014 12:21 AM, Carlos Garza wrote:
> >       I don't know where we can check in experimental code, so I have a demonstration
> > of how to extract CNs, subjAltNames or whatever we want from x509 certificates. Later on
> > I plan to use the OpenSSL libraries to verify certs coming from barbican are valid and
> > actually do sign the private_key it is associated with.
> >
> > https://github.com/crc32a/ssl_exp.git
> >
> >
> I'm always leery of reinventing the wheel; we already have code to
> manage pem files (maybe this should be in oslo, it was proposed once)
> 
> keystone/common/pemutils.py
> 
> I'm also leery of folks writing their own ASN.1 parsing as opposed to
> using existing libraries. Why? It's really hard to get right so that you
> correctly handle all the cases; long-established robust libraries are
> better at this.
> 
> python-nss (which is a Python binding to the NSS crypto library) has
> easy to use code to extract just about anything from a cert, here is an
> example python script using your example pem file. If using NSS isn't an
> option I'd rather see us provide the necessary binding in pyopenssl than
> handcraft one-off routines. FWIW, virtually everything you see in the
> cert output below can be accessed Pythonically as Python object(s)
> when using python-nss.
> 
> #!/usr/bin/python
> 
> import sys
> import nss.nss as nss
> 
> nss.nss_init_nodb()
> 
> filename = sys.argv[1]
> 
> # Read the PEM file
> try:
>     binary_cert = nss.read_der_from_file(filename, True)
> except Exception as e:
>     print e
>     sys.exit(1)
> else:
>     print "loaded cert from file: %s" % filename
> 
> # Create a Certificate object from the binary (DER) data
> cert = nss.Certificate(binary_cert)
> 
> # Dump some basic information
> print
> print "cert subject: %s " % cert.subject
> print "cert CN: %s " % cert.subject_common_name
> print "cert validity:"
> print "    Not Before: %s" % cert.valid_not_before_str
> print "    Not After: %s" % cert.valid_not_after_str
> 
> print
> print "\ncert has %d extensions" % len(cert.extensions)
> 
> for extension in cert.extensions:
>     print "    %s (critical: %s)" % (extension.name, extension.critical)
> 
> print
> extension = cert.get_extension(nss.SEC_OID_X509_SUBJECT_ALT_NAME)
> if extension:
>     print "Subject Alt Names:"
>     for name in nss.x509_alt_name(extension.value):
>         print "    %s" % name
> else:
>     print "cert does not have a subject alt name extension"
> 
> # Dump entire cert in friendly format
> print
> print ">>> Entire cert contents <<<"
> print cert
> 
> sys.exit(0)
> 
> Yields this output:
> 
> loaded cert from file: cr1.pem
> 
> cert subject: CN=www.digicert.com,O="DigiCert, Inc.",L=Lehi,ST=Utah,C=US,postalCode=84043,STREET=2600 West Executive Parkway,STREET=Suite 500,serialNumber=5299537-0142,incorporationState=Utah,incorporationCountry=US,businessCategory=Private Organization
> cert CN: www.digicert.com
> cert validity:
>     Not Before: Thu Mar 20 00:00:00 2014 UTC
>     Not After: Sun Jun 12 12:00:00 2016 UTC
> 
> 
> cert has 10 extensions
>     Certificate Authority Key Identifier (critical: False)
>     Certificate Subject Key ID (critical: False)
>     Certificate Subject Alt Name (critical: False)
>     Certificate Key Usage (critical: True)
>     Extended Key Usage (critical: False)
>     CRL Distribution Points (critical: False)
>     Certificate Policies (critical: False)
>     Authority Information Access (critical: False)
>     Certificate Basic Constraints (critical: True)
>     OID.1.3.6.1.4.1.11129.2.4.2 (critical: False)
> 
> Subject Alt Names:
>     www.digicert.com
>     content.digicert.com
>     digicert.com
>     www.origin.digicert.com
>     login.digicert.com
> 
> >>> Entire cert contents <<<
> Data:
>         Version:       3 (0x2)
>         Serial Number: 13518267578909330747227050733614153347 (0xa2b860cca01f45fd7ee63601b1c3e83)
>         Signature Algorithm:
>             Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
>         Validity:
>             Not Before: Thu Mar 20 00:00:00 2014 UTC
>             Not After:  Sun Jun 12 12:00:00 2016 UTC
>         Subject: CN=www.digicert.com,O="DigiCert, Inc.",L=Lehi,ST=Utah,C=US,postalCode=84043,STREET=2600 West Executive Parkway,STREET=Suite 500,serialNumber=5299537-0142,incorporationState=Utah,incorporationCountry=US,businessCategory=Private Organization
>         Subject Public Key Info:
>             Public Key Algorithm:
>                 Algorithm: PKCS #1 RSA Encryption
>             RSA Public Key:
>                 Modulus:
>                     a8:89:b3:3b:91:94:57:87:72:09:5b:5f:cb:2c:42:2a:
>                     9e:ed:c2:fd:20:7b:2c:63:7f:dd:07:bf:fb:49:5c:ed:
>                     1c:a2:70:79:75:c2:34:cc:eb:12:f0:40:88:3a:b9:ea:
>                     29:a2:11:8f:53:e1:02:e1:87:04:f6:58:b9:86:b6:7f:
>                     85:5e:0a:58:47:c3:bd:e7:6b:21:07:9d:db:ef:57:8b:
>                     16:ce:38:f1:e3:e2:e4:5a:10:b8:39:bb:0a:ad:ca:c5:
>                     10:85:3a:a1:6f:67:c9:18:c3:5b:b2:4c:a6:01:b6:c3:
>                     50:be:7e:c8:79:ca:3c:53:5e:02:78:ae:96:5f:56:21:
>                     b3:a4:3c:3f:fe:49:c5:17:73:a5:6e:a9:60:aa:bd:16:
>                     04:56:fa:54:d2:cb:25:c0:e9:9f:89:c9:ee:10:87:01:
>                     f2:c7:93:2d:c3:2f:9e:d0:9c:42:24:9d:09:24:f6:80:
>                     c4:e8:34:99:5a:2e:26:c3:73:28:52:26:ac:09:34:8e:
>                     c5:70:e1:f5:fb:93:b8:34:2d:44:f4:50:1f:86:0a:9b:
>                     64:45:26:05:d4:45:ca:72:03:dd:1e:80:1a:9c:53:06:
>                     7b:c8:36:31:03:da:5f:55:c4:0d:29:c0:52:9c:23:95:
>                     8d:a9:55:95:c4:11:02:5b:a3:1b:ee:79:b2:6e:4a:6a:
>                     4d:4a:44:3e:39:9e:8b:0d:ec:38:93:5e:5c:b3:4f:53:
>                     8f:4e:2a:78:b1:52:54:4b:fb:6a:94:35:61:03:06:79:
>                     e8:06:9c:8e:81:5b:6b:36:df:c0:fe:43:ce:d5:16:19:
>                     f6:82:94:e8:80:00:e1:84:14:1d:28:73:8b:e9:ba:b6:
>                     55:e7:a6:17:8c:ae:70:15:be:04:ef:c8:08:27:d9:df:
>                     3a:7e:67:8c:06:0d:51:94:05:95:2f:27:e4:c1:d4:a4:
>                     5e:ca:96:13:89:d2:05:8b:43:68:fc:31:87:a9:b6:f2:
>                     c3:47:e3:df:d9:19:13:4f:b9:05:a9:8a:98:03:ca:c5:
>                     92:29:e3:73:e7:4b:e8:0a:da:1b:9c:db:68:50:66:95:
>                     2b:dc:e8:39:1b:14:fa:41:d3:fc:da:e6:8d:04:2c:81:
>                     d1:12:47:c6:27:9d:d7:54:bd:4f:ee:42:20:96:52:a6:
>                     83:9f:59:05:6b:2b:18:41:7a:5a:bb:89:1b:45:82:8a:
>                     6e:7b:94:78:e0:4e:09:eb:1c:a8:da:d9:b4:56:d4:a0:
>                     7d:08:d5:f2:94:81:2e:a1:b4:0a:14:56:21:26:c3:c4:
>                     27:48:3c:50:d5:71:45:35:4b:37:22:7b:69:26:6c:db:
>                     b8:4e:f2:f1:a2:f8:6b:fb:1a:ae:e6:eb:5b:1e:15:d5
>                 Exponent:
>                     65537 (0x10001)
>     Signed Extensions: (10)
>         Name:     Certificate Authority Key Identifier
>         Critical: False
>         Key ID:
>             3d:d3:50:a5:d6:a0:ad:ee:f3:4a:60:0a:65:d3:21:d4:
>             f8:f8:d6:0f
>         Serial Number: None
>         General Names: [0 total]
> 
>         Name:     Certificate Subject Key ID
>         Critical: False
>         Data:
>             f8:a3:a7:61:ab:d9:77:4b:19:66:90:c7:9f:e3:9f:e6:
>             b0:44:21:06
> 
>         Name:     Certificate Subject Alt Name
>         Critical: False
>         Names:
>             www.digicert.com
>             content.digicert.com
>             digicert.com
>             www.origin.digicert.com
>             login.digicert.com
> 
>         Name:     Certificate Key Usage
>         Critical: True
>         Usages:
>             Digital Signature
>             Key Encipherment
> 
>         Name:     Extended Key Usage
>         Critical: False
>         Usages:
>             TLS Web Server Authentication Certificate
>             TLS Web Client Authentication Certificate
> 
>         Name:     CRL Distribution Points
>         Critical: False
>         CRL Distribution Points: [2 total]
>             Point [1]:
>                 General Names: [1 total]
>                     http://crl3.digicert.com/sha2-ev-server-g1.crl
>                 Issuer:  None
>                 Reasons: ()
>             Point [2]:
>                 General Names: [1 total]
>                     http://crl4.digicert.com/sha2-ev-server-g1.crl
>                 Issuer:  None
>                 Reasons: ()
> 
>         Name:     Certificate Policies
>         Critical: False
> 
>         Name:     Authority Information Access
>         Critical: False
>         Authority Information Access: [2 total]
>             Info [1]:
>                 Method:   PKIX Online Certificate Status Protocol
>                 Location: URI: http://ocsp.digicert.com
>             Info [2]:
>                 Method:   PKIX CA issuers access method
>                 Location: URI: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt
> 
>         Name:        Certificate Basic Constraints
>         Critical:    True
>         Is CA:       False
>         Path Length: 0
> 
>         Name:     OID.1.3.6.1.4.1.11129.2.4.2
>         Critical: False
> 
>     Signature:
>         Signature Algorithm:
>             Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Signature:
>             2d:9c:82:2e:a4:47:a7:54:f1:e7:80:34:d2:1e:8f:b7:
>             8e:f0:b4:8e:d0:9a:b6:b7:36:1f:17:22:0d:0e:91:7f:
>             bf:9d:ea:6f:7a:a9:18:cd:8c:60:8a:4d:c9:ea:b3:0b:
>             8d:bd:77:30:97:3e:f5:e9:72:00:33:33:cd:3b:d6:13:
>             14:a3:a7:4d:fc:dd:c1:97:2c:e5:f6:1a:24:97:3d:79:
>             12:01:9b:c8:9c:6e:26:a5:8d:bd:9d:a8:b1:bd:10:56:
>             11:05:d6:3b:56:dc:0c:42:cd:8c:dc:81:30:5a:c9:79:
>             84:0b:03:11:99:06:0e:32:f7:b9:33:8d:59:fc:e5:e4:
>             25:a3:f6:89:41:7f:32:38:44:56:3e:e2:b1:da:fe:43:
>             0b:5a:5c:19:aa:53:0f:ae:e3:86:2c:de:c7:4e:13:89:
>             e8:a7:93:52:45:71:06:35:2e:b0:ed:4d:97:76:1e:ec:
>             50:84:f6:15:ce:86:04:ab:ab:e0:93:fe:8e:cf:f5:53:
>             d3:43:d1:57:82:70:37:ea:84:85:38:fc:83:eb:8c:9f:
>             30:5f:31:4f:57:c2:e6:88:25:b8:4e:ec:99:07:23:90:
>             f1:51:2d:ca:0f:ab:9a:58:33:12:2c:62:bd:d9:d7:ca:
>             f0:0d:cc:5d:28:81:96:ff:d2:8f:34:d6:a9:bd:ba:26
>         Fingerprint (MD5):
>             b7:37:7c:9b:1c:7b:c1:12:72:1a:a4:1f:59:ec:42:d8
>         Fingerprint (SHA1):
>             90:5e:94:72:0e:a5:98:93:79:5c:41:5f:00:ad:d6:0e:
>             9f:e6:a0:d9
> 
> -- John
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

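As an added illustration of the structures this thread is about (editor-supplied example code, not Carlos's ssl_exp demo, John's python-nss script, or anything from Neutron, Keystone or Barbican), the stdlib-only Python below walks the rfc2459 layout directly: the TBSCertificate, the subject Name as SEQUENCE OF SET OF AttributeTypeAndValue to find commonName (OID 2.5.4.3), and the [3] Extensions for subjectAltName (OID 2.5.29.17), whose GeneralNames carry dNSName as context tag [2] and iPAddress as [7]. It also includes a tiny DER encoder that builds a constructed, unsigned sample certificate; the hostnames lb.example.com and api.example.com, the address 10.0.0.1 and the zeroed placeholder key and signature are all assumptions made for the example so that it runs offline. Two checks are worth keeping whichever library ends up doing the real parsing: a name containing a NUL byte is rejected outright, since "good.example\0.attacker.example" is the classic way to get a CA-issued name past a C string compare, and when the subjectAltName carries dNSName entries those, not the CN, are what RFC 6125 says a hostname match must use. The walker itself is exactly the kind of one-off ASN.1 code John argues against shipping; it is here to make visible what pyasn1_modules.rfc2459 or the "cryptography" package decode for you.

```python
"""Added example: stdlib-only DER walker for the subject CN and subjectAltName of an
X.509 certificate, plus a tiny encoder that builds a constructed, unsigned sample cert
(placeholder key/signature). Use pyasn1_modules.rfc2459 or 'cryptography' in production."""
import ipaddress

OID_CN = "2.5.4.3"     # id-at-commonName
OID_SAN = "2.5.29.17"  # id-ce-subjectAltName

# ---- tiny DER encoder, used only to build the constructed sample certificate ----
def tlv(tag, body):
    n = len(body)  # short form below 128, otherwise 1- or 2-byte long form (enough for a cert)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit set on all but the last byte
        bits = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            bits.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(bits)
    return tlv(0x06, out)

def build_sample_cert(cn="lb.example.com", dns=("lb.example.com", "api.example.com"), ips=("10.0.0.1",)):
    """Constructed v3 certificate: layout only; zero placeholder key and signature (assumption)."""
    def name(value):  # Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue), value as UTF8String
        return tlv(0x30, tlv(0x31, tlv(0x30, der_oid(OID_CN) + tlv(0x0C, value.encode("utf-8")))))
    alg = tlv(0x30, der_oid("1.2.840.113549.1.1.11") + b"\x05\x00")  # sha256WithRSAEncryption, NULL params
    validity = tlv(0x30, tlv(0x17, b"140101000000Z") + tlv(0x17, b"160101000000Z"))
    spki = tlv(0x30, tlv(0x30, der_oid("1.2.840.113549.1.1.1") + b"\x05\x00") + tlv(0x03, b"\x00" * 9))
    gns = b"".join(tlv(0x82, d.encode("ascii")) for d in dns)               # [2] dNSName (IA5String)
    gns += b"".join(tlv(0x87, ipaddress.ip_address(i).packed) for i in ips)  # [7] iPAddress (OCTET STRING)
    san = tlv(0x30, der_oid(OID_SAN) + tlv(0x04, tlv(0x30, gns)))          # Extension, non-critical
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name("Example Test CA")
              + validity + name(cn) + spki + tlv(0xA3, tlv(0x30, san)))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 5))

# ---- minimal DER reader ----
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the element at pos; definite-length DER only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("element length runs past the end of the buffer")
    return tag, pos, pos + length

def children(buf, start, end):
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _text(raw, encoding):
    s = raw.decode(encoding)
    if not s or "\x00" in s:  # reject "good.example\0.attacker.example"-style NUL-prefix names
        raise ValueError("empty or NUL-containing name: %r" % raw)
    return s

def cert_names(der):
    """Return {'cn': [...], 'dns': [...], 'ip': [...]} for a DER-encoded certificate."""
    _, cert_s, _ = read_tlv(der, 0)                    # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = read_tlv(der, cert_s)            # tbsCertificate ::= SEQUENCE
    fields = list(children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                           # [0] EXPLICIT version (absent in v1 certs)
        fields = fields[1:]
    # now: serial, signature, issuer, validity, subject, spki, optional [1] [2] [3] extensions
    names = {"cn": [], "dns": [], "ip": []}
    for _, rdn_s, rdn_e in children(der, fields[4][1], fields[4][2]):  # RelativeDistinguishedName (SET)
        for _, atv_s, atv_e in children(der, rdn_s, rdn_e):          # AttributeTypeAndValue (SEQUENCE)
            (_, o_s, o_e), (_, v_s, v_e) = children(der, atv_s, atv_e)
            if decode_oid(der[o_s:o_e]) == OID_CN:
                names["cn"].append(_text(der[v_s:v_e], "utf-8"))
    for tag, ext_s, _ in fields[6:]:
        if tag != 0xA3:                                               # only [3] EXPLICIT Extensions
            continue
        _, seq_s, seq_e = read_tlv(der, ext_s)
        for _, x_s, x_e in children(der, seq_s, seq_e):               # Extension ::= SEQUENCE
            parts = list(children(der, x_s, x_e))                     # extnID, [critical], extnValue
            if decode_oid(der[parts[0][1]:parts[0][2]]) != OID_SAN:
                continue
            _, gn_s, gn_e = read_tlv(der, parts[-1][1])               # GeneralNames inside the OCTET STRING
            for gtag, g_s, g_e in children(der, gn_s, gn_e):
                if gtag == 0x82:                                      # [2] dNSName, IMPLICIT IA5String
                    names["dns"].append(_text(der[g_s:g_e], "ascii"))
                elif gtag == 0x87:                                    # [7] iPAddress, IMPLICIT OCTET STRING
                    names["ip"].append(str(ipaddress.ip_address(der[g_s:g_e])))
    return names
```

cert_names(build_sample_cert()) returns the CN plus both dNSName entries and the one iPAddress; the same function accepts the DER of a real certificate (openssl x509 -outform DER) because the critical BOOLEAN, long-form lengths and the optional version field are handled, while other GeneralName choices (rfc822Name, URI, otherName) are simply skipped. A dNSName such as "www.example.com\x00.attacker.example" makes cert_names raise ValueError instead of returning a truncated host.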


