[openstack-dev] [Neutron][LBaaS] subjAltName and CN extraction from x509 certificates

Carlos Garza carlos.garza at rackspace.com
Sat Jun 28 05:01:14 UTC 2014


On Jun 27, 2014, at 9:26 AM, John Dennis <jdennis at redhat.com> wrote:

> On 06/27/2014 12:21 AM, Carlos Garza wrote:
>> I don't know where we can check in experimental code, so I have a demonstration
>> of how to extract CNs, subjAltNames, or whatever we want from x509 certificates. Later on
>> I plan to use the OpenSSL libraries to verify certs coming from barbican are valid and
>> actually do sign the private_key it is associated with.
>> 
>> https://github.com/crc32a/ssl_exp.git
>> 
>> 
> I'm always leery of reinventing the wheel; we already have code to
> manage pem files (maybe this should be in oslo, it was proposed once)
> 
> keystone/common/pemutils.py
> 
> I'm also leery of folks writing their own ASN.1 parsing as opposed to
> using existing libraries. Why? It's really hard to get right so that you
> correctly handle all the cases; long-established, robust libraries are
> better at this.

    I'm not writing an ASN.1 parser. I'm using pyasn1 and the
pyasn1_modules.rfc2459 module to read interesting fields from
the x509.


> python-nss (which is a Python binding to the NSS crypto library) has
> easy-to-use code to extract just about anything from a cert; here is an
> example Python script using your example pem file. If using NSS isn't an
> option, I'd rather see us provide the necessary binding in pyopenssl than
> handcraft one-off routines. FWIW, virtually everything you see in the
> cert output below can be accessed Pythonically as Python object(s)
> when using python-nss.

Looks to me like pip install python-nss is broken for python3 :(

I am planning on using another library to handle signature verification etc.,
but for the most part pyasn1, a pure Python module,
is pretty good at extracting the fields I need.

> #!/usr/bin/python
> 
> import sys
> import nss.nss as nss
> 
> nss.nss_init_nodb()
> 
> filename = sys.argv[1]
> 
> # Read the PEM file
> try:
>    binary_cert = nss.read_der_from_file(filename, True)
> except Exception as e:
>    print e
>    sys.exit(1) 
> else:
>    print "loaded cert from file: %s" % filename
> 
> # Create a Certificate object from the binary data
> cert = nss.Certificate(binary_cert)
> 
> # Dump some basic information
> print
> print "cert subject: %s " % cert.subject
> print "cert CN: %s " % cert.subject_common_name
> print "cert validity:"
> print "    Not Before: %s" % cert.valid_not_before_str
> print "    Not After: %s" % cert.valid_not_after_str
> 
> print
> print "\ncert has %d extensions" % len(cert.extensions)
> 
> for extension in cert.extensions:
>    print "    %s (critical: %s)" % (extension.name, extension.critical)
> 
> print
> extension = cert.get_extension(nss.SEC_OID_X509_SUBJECT_ALT_NAME)
> if extension:
>    print "Subject Alt Names:"
>    for name in nss.x509_alt_name(extension.value):
>        print "    %s" % name
> else:
>    print "cert does not have a subject alt name extension"
> 
> # Dump entire cert in friendly format
> print
> print ">>> Entire cert contents <<<"
> print cert
> 
> sys.exit(0)
> 
> Yields this output:
> 
> loaded cert from file: cr1.pem
> 
> cert subject: CN=www.digicert.com,O="DigiCert, Inc.",L=Lehi,ST=Utah,C=US,postalCode=84043,STREET=2600 West Executive Parkway,STREET=Suite 500,serialNumber=5299537-0142,incorporationState=Utah,incorporationCountry=US,businessCategory=Private Organization 
> cert CN: www.digicert.com 
> cert validity:
>    Not Before: Thu Mar 20 00:00:00 2014 UTC
>    Not After: Sun Jun 12 12:00:00 2016 UTC
> 
> 
> cert has 10 extensions
>    Certificate Authority Key Identifier (critical: False)
>    Certificate Subject Key ID (critical: False)
>    Certificate Subject Alt Name (critical: False)
>    Certificate Key Usage (critical: True)
>    Extended Key Usage (critical: False)
>    CRL Distribution Points (critical: False)
>    Certificate Policies (critical: False)
>    Authority Information Access (critical: False)
>    Certificate Basic Constraints (critical: True)
>    OID.1.3.6.1.4.1.11129.2.4.2 (critical: False)
> 
> Subject Alt Names:
>    www.digicert.com
>    content.digicert.com
>    digicert.com
>    www.origin.digicert.com
>    login.digicert.com
> 
> >>> Entire cert contents <<<
> Data:
>        Version:       3 (0x2)
>        Serial Number: 13518267578909330747227050733614153347 (0xa2b860cca01f45fd7ee63601b1c3e83)
>        Signature Algorithm:
>            Algorithm: PKCS #1 SHA-256 With RSA Encryption
>        Issuer: CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
>        Validity:
>            Not Before: Thu Mar 20 00:00:00 2014 UTC
>            Not After:  Sun Jun 12 12:00:00 2016 UTC
>        Subject: CN=www.digicert.com,O="DigiCert, Inc.",L=Lehi,ST=Utah,C=US,postalCode=84043,STREET=2600 West Executive Parkway,STREET=Suite 500,serialNumber=5299537-0142,incorporationState=Utah,incorporationCountry=US,businessCategory=Private Organization
>        Subject Public Key Info:
>            Public Key Algorithm:
>                Algorithm: PKCS #1 RSA Encryption
>            RSA Public Key:
>                Modulus:
>                Exponent:
>                    65537 (0x10001)
>    Signed Extensions: (10)
>        Name:     Certificate Authority Key Identifier
>        Critical: False
>        Key ID:
>            3d:d3:50:a5:d6:a0:ad:ee:f3:4a:60:0a:65:d3:21:d4:
>            f8:f8:d6:0f
>        Serial Number: None
>        General Names: [0 total]
> 
>        Name:     Certificate Subject Key ID
>        Critical: False
>        Data:
>            f8:a3:a7:61:ab:d9:77:4b:19:66:90:c7:9f:e3:9f:e6:
>            b0:44:21:06
> 
>        Name:     Certificate Subject Alt Name
>        Critical: False
>        Names:
>            www.digicert.com
>            content.digicert.com
>            digicert.com
>            www.origin.digicert.com
>            login.digicert.com
> 
>        Name:     Certificate Key Usage
>        Critical: True
>        Usages:
>            Digital Signature
>            Key Encipherment
> 
>        Name:     Extended Key Usage
>        Critical: False
>        Usages:
>            TLS Web Server Authentication Certificate
>            TLS Web Client Authentication Certificate
> 
>        Name:     CRL Distribution Points
>        Critical: False
>        CRL Distribution Points: [2 total]
>            Point [1]:
>                General Names: [1 total]
>                    http://crl3.digicert.com/sha2-ev-server-g1.crl
>                Issuer:  None
>                Reasons: ()
>            Point [2]:
>                General Names: [1 total]
>                    http://crl4.digicert.com/sha2-ev-server-g1.crl
>                Issuer:  None
>                Reasons: ()
> 
>        Name:     Certificate Policies
>        Critical: False
> 
>        Name:     Authority Information Access
>        Critical: False
>        Authority Information Access: [2 total]
>            Info [1]:
>                Method:   PKIX Online Certificate Status Protocol
>                Location: URI: http://ocsp.digicert.com
>            Info [2]:
>                Method:   PKIX CA issuers access method
>                Location: URI: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt
> 
>        Name:        Certificate Basic Constraints
>        Critical:    True
>        Is CA:       False
>        Path Length: 0
> 
>        Name:     OID.1.3.6.1.4.1.11129.2.4.2
>        Critical: False
> 
>    Signature:
>        Signature Algorithm:
>            Algorithm: PKCS #1 SHA-256 With RSA Encryption
>        Signature:
>        Fingerprint (MD5):
>            b7:37:7c:9b:1c:7b:c1:12:72:1a:a4:1f:59:ec:42:d8
>        Fingerprint (SHA1):
>            90:5e:94:72:0e:a5:98:93:79:5c:41:5f:00:ad:d6:0e:
>            9f:e6:a0:d9
> 
> -- John
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
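As an added example (not code from this thread, nor John's or Carlos's), here is the same job done with a maintained X.509 library rather than hand-rolled ASN.1 walking: extract the CN and the dNSName subjectAltNames from a PEM certificate, and perform the check Carlos mentions wanting, that the private key handed over with the certificate actually belongs to it. It is in Go because Go's standard library carries an X.509 parser, so it runs offline with no third-party package; the certificate is constructed and self-signed inside the example with made-up example.test names, and none of the function names are Barbican's or Neutron's API.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// parsePEMCert decodes the first CERTIFICATE block of a PEM blob with the
// standard-library X.509 parser; CN and SANs then come out as plain struct fields.
func parsePEMCert(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// extractNames returns the subject CN and the dNSName SANs, i.e. the hostnames
// a load balancer may legitimately serve with this certificate.
func extractNames(certPEM []byte) (string, []string, error) {
	cert, err := parsePEMCert(certPEM)
	if err != nil {
		return "", nil, err
	}
	return cert.Subject.CommonName, cert.DNSNames, nil
}

// keyMatchesCert checks that the delivered private key is the one whose
// public half the certificate carries (RSA keys only in this example).
func keyMatchesCert(cert *x509.Certificate, key *rsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && pub.N.Cmp(key.N) == 0 && pub.E == key.E
}

// selfSignedPEM builds a constructed, self-signed test certificate with the
// given CN and SANs; it stands in for what a secret store would hand back.
func selfSignedPEM(key *rsa.PrivateKey, cn string, sans []string) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```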
