<div dir="ltr">It doesn't look like NSS is currently used within Neutron or Keystone. Another alternative would be to write the certificate to a temp file and then invoke "openssl x509 -text -noout -in $TEMP_FILE" and parse the output; Keystone currently does something similar (keystone/common/openssl.py). Given renewed focus by security researchers on cryptographic libraries, I think we should avoid requiring additional cryptographic libraries and use what is already in use within OpenStack.<div>
<br></div><div><br></div><div>-Dustin</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jun 27, 2014 at 7:26 AM, John Dennis <span dir="ltr"><<a href="mailto:jdennis@redhat.com" target="_blank">jdennis@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On 06/27/2014 12:21 AM, Carlos Garza wrote:<br>
>       I don't know where we can check in experimental code, so I have a demonstration<br>
> of how to extract CNs, subjAltNames, or whatever we want from X.509 certificates. Later on<br>
> I plan to use the OpenSSL libraries to verify certs coming from Barbican are valid and<br>
> actually do sign the private_key it is associated with.<br>
><br>
> <a href="https://github.com/crc32a/ssl_exp.git" target="_blank">https://github.com/crc32a/ssl_exp.git</a><br>
><br>
><br>
</div>I'm always leery of reinventing the wheel; we already have code to<br>
manage PEM files (maybe this should be in oslo, it was proposed once):<br>
<br>
keystone/common/pemutils.py<br>
<br>
I'm also leery of folks writing their own ASN.1 parsing as opposed to<br>
using existing libraries. Why? It's really hard to get right so you<br>
correctly handle all the cases; long-established, robust libraries are<br>
better at this.<br>
<br>
python-nss (which is a Python binding to the NSS crypto library) has<br>
easy-to-use code to extract just about anything from a cert; here is an<br>
example Python script using your example PEM file. If using NSS isn't an<br>
option I'd rather see us provide the necessary binding in pyopenssl than<br>
handcraft one-off routines. FWIW virtually everything you see in the<br>
cert output below can be accessed Pythonically as Python objects<br>
when using python-nss.<br>
<br>
#!/usr/bin/python<br>
<br>
import sys<br>
import nss.nss as nss<br>
<br>
nss.nss_init_nodb()<br>
<br>
filename = sys.argv[1]<br>
<br>
# Read the PEM file<br>
try:<br>
    binary_cert = nss.read_der_from_file(filename, True)<br>
except Exception as e:<br>
    print e<br>
    sys.exit(1)<br>
else:<br>
    print "loaded cert from file: %s" % filename<br>
<br>
# Create a Certificate object from the binary data<br>
cert = nss.Certificate(binary_cert)<br>
<br>
# Dump some basic information<br>
print<br>
print "cert subject: %s " % cert.subject<br>
print "cert CN: %s " % cert.subject_common_name<br>
print "cert validity:"<br>
print "    Not Before: %s" % cert.valid_not_before_str<br>
print "    Not After: %s" % cert.valid_not_after_str<br>
<br>
print<br>
print "\ncert has %d extensions" % len(cert.extensions)<br>
<br>
for extension in cert.extensions:<br>
    print "    %s (critical: %s)" % (extension.name, extension.critical)<br>
<br>
print<br>
extension = cert.get_extension(nss.SEC_OID_X509_SUBJECT_ALT_NAME)<br>
if extension:<br>
    print "Subject Alt Names:"<br>
    for name in nss.x509_alt_name(extension.value):<br>
        print "    %s" % name<br>
else:<br>
    print "cert does not have a subject alt name extension"<br>
<br>
# Dump entire cert in friendly format<br>
print<br>
print ">>> Entire cert contents <<<"<br>
print cert<br>
<br>
sys.exit(0)<br>
<br>
Yields this output:<br>
<br>
loaded cert from file: cr1.pem<br>
<br>
cert subject: CN=www.digicert.com,O="DigiCert, Inc.",L=Lehi,ST=Utah,C=US,postalCode=84043,STREET=2600 West Executive Parkway,STREET=Suite 500,serialNumber=5299537-0142,incorporationState=Utah,incorporationCountry=US,businessCategory=Private Organization<br>
cert CN: www.digicert.com<br>
cert validity:<br>
    Not Before: Thu Mar 20 00:00:00 2014 UTC<br>
    Not After: Sun Jun 12 12:00:00 2016 UTC<br>
<br>
<br>
cert has 10 extensions<br>
    Certificate Authority Key Identifier (critical: False)<br>
    Certificate Subject Key ID (critical: False)<br>
    Certificate Subject Alt Name (critical: False)<br>
    Certificate Key Usage (critical: True)<br>
    Extended Key Usage (critical: False)<br>
    CRL Distribution Points (critical: False)<br>
    Certificate Policies (critical: False)<br>
    Authority Information Access (critical: False)<br>
    Certificate Basic Constraints (critical: True)<br>
    OID.1.3.6.1.4.1.11129.2.4.2 (critical: False)<br>
<br>
Subject Alt Names:<br>
    www.digicert.com<br>
    content.digicert.com<br>
    digicert.com<br>
    www.origin.digicert.com<br>
    login.digicert.com<br>
<br>
>>> Entire cert contents <<<<br>
Data:<br>
        Version:       3 (0x2)<br>
        Serial Number: 13518267578909330747227050733614153347 (0xa2b860cca01f45fd7ee63601b1c3e83)<br>
        Signature Algorithm:<br>
            Algorithm: PKCS #1 SHA-256 With RSA Encryption<br>
        Issuer: CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US<br>
        Validity:<br>
            Not Before: Thu Mar 20 00:00:00 2014 UTC<br>
            Not After:  Sun Jun 12 12:00:00 2016 UTC<br>
        Subject: CN=www.digicert.com,O="DigiCert, Inc.",L=Lehi,ST=Utah,C=US,postalCode=84043,STREET=2600 West Executive Parkway,STREET=Suite 500,serialNumber=5299537-0142,incorporationState=Utah,incorporationCountry=US,businessCategory=Private Organization<br>
        Subject Public Key Info:<br>
            Public Key Algorithm:<br>
                Algorithm: PKCS #1 RSA Encryption<br>
            RSA Public Key:<br>
                Modulus:<br>
                Exponent:<br>
                    65537 (0x10001)<br>
    Signed Extensions: (10)<br>
        Name:     Certificate Authority Key Identifier<br>
        Critical: False<br>
        Key ID:<br>
            3d:d3:50:a5:d6:a0:ad:ee:f3:4a:60:0a:65:d3:21:d4:<br>
            f8:f8:d6:0f<br>
        Serial Number: None<br>
        General Names: [0 total]<br>
<br>
        Name:     Certificate Subject Key ID<br>
        Critical: False<br>
        Data:<br>
            f8:a3:a7:61:ab:d9:77:4b:19:66:90:c7:9f:e3:9f:e6:<br>
            b0:44:21:06<br>
<br>
        Name:     Certificate Subject Alt Name<br>
        Critical: False<br>
        Names:<br>
            www.digicert.com<br>
            content.digicert.com<br>
            digicert.com<br>
            www.origin.digicert.com<br>
            login.digicert.com<br>
<br>
        Name:     Certificate Key Usage<br>
        Critical: True<br>
        Usages:<br>
            Digital Signature<br>
            Key Encipherment<br>
<br>
        Name:     Extended Key Usage<br>
        Critical: False<br>
        Usages:<br>
            TLS Web Server Authentication Certificate<br>
            TLS Web Client Authentication Certificate<br>
<br>
        Name:     CRL Distribution Points<br>
        Critical: False<br>
        CRL Distribution Points: [2 total]<br>
            Point [1]:<br>
                General Names: [1 total]<br>
                    http://crl3.digicert.com/sha2-ev-server-g1.crl<br>
                Issuer:  None<br>
                Reasons: ()<br>
            Point [2]:<br>
                General Names: [1 total]<br>
                    http://crl4.digicert.com/sha2-ev-server-g1.crl<br>
                Issuer:  None<br>
                Reasons: ()<br>
<br>
        Name:     Certificate Policies<br>
        Critical: False<br>
<br>
        Name:     Authority Information Access<br>
        Critical: False<br>
        Authority Information Access: [2 total]<br>
            Info [1]:<br>
                Method:   PKIX Online Certificate Status Protocol<br>
                Location: URI: http://ocsp.digicert.com<br>
            Info [2]:<br>
                Method:   PKIX CA issuers access method<br>
                Location: URI: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt<br>
<br>
        Name:        Certificate Basic Constraints<br>
        Critical:    True<br>
        Is CA:       False<br>
        Path Length: 0<br>
<br>
        Name:     OID.1.3.6.1.4.1.11129.2.4.2<br>
        Critical: False<br>
<br>
    Signature:<br>
        Signature Algorithm:<br>
            Algorithm: PKCS #1 SHA-256 With RSA Encryption<br>
        Signature:<br>
        Fingerprint (MD5):<br>
            b7:37:7c:9b:1c:7b:c1:12:72:1a:a4:1f:59:ec:42:d8<br>
        Fingerprint (SHA1):<br>
            90:5e:94:72:0e:a5:98:93:79:5c:41:5f:00:ad:d6:0e:<br>
            9f:e6:a0:d9<br>
<span class="HOEnZb"><font color="#888888"><br>
-- John<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div></div></blockquote></div><br></div>
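<div><br></div><div>As an added example (not code from this thread, nor from Keystone or Neutron), this shows the route Dustin describes: write the PEM to a temp file, run "openssl x509 -text -noout", and scrape CN, validity and subjectAltNames from the output; it also adds the cert/private-key consistency check Carlos wants. It assumes only that the openssl binary is on PATH; the certificate it parses is a self-signed fixture constructed at runtime, and all host names are hypothetical.</div>

```python
import os
import re
import subprocess
import tempfile

def _openssl(*args, stdin=None):
    """Run the openssl CLI; return stdout as text, raise CalledProcessError on failure."""
    return subprocess.run(["openssl", *args], input=stdin, text=True,
                          check=True, capture_output=True).stdout

def parse_cert_pem(pem):
    """CN, validity and subjectAltNames of a PEM cert, scraped from 'openssl x509 -text -noout'."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem") as f:  # created mode 0600, removed on exit
        f.write(pem)
        f.flush()
        text = _openssl("x509", "-text", "-noout", "-in", f.name)
    info = {"cn": None, "not_before": None, "not_after": None, "sans": []}
    # Caveat: this regex breaks on quoted RDN values such as O="DigiCert, Inc."; a real X.509 parser does not.
    m = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,/\n]+)", text, re.M)
    info["cn"] = m.group(1).strip() if m else None
    for key, label in (("not_before", "Not Before"), ("not_after", "Not After")):
        m = re.search(label + r"\s*:\s*(.+)", text)
        info[key] = m.group(1).strip() if m else None
    lines = text.splitlines()
    for i, line in enumerate(lines):  # the SAN list is printed on the line after its header
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            info["sans"] = [n.strip() for n in lines[i + 1].split(",")]
    return info

def cert_matches_key(cert_pem, key_pem):
    """True if the cert's SubjectPublicKeyInfo equals the private key's public half (key via stdin, never on disk)."""
    cert_pub = _openssl("x509", "-noout", "-pubkey", stdin=cert_pem)
    key_pub = _openssl("pkey", "-pubout", stdin=key_pem)
    return cert_pub.strip() == key_pub.strip()

def make_test_cert(cn, dns_sans):
    """Constructed fixture (hypothetical names, not a real cert): self-signed cert and key with the given CN/SANs."""
    with tempfile.TemporaryDirectory() as d:
        cpath, kpath = os.path.join(d, "cert.pem"), os.path.join(d, "key.pem")
        _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                 "-subj", "/O=Example Co/CN=" + cn,
                 "-addext", "subjectAltName=" + ",".join("DNS:" + s for s in dns_sans),
                 "-keyout", kpath, "-out", cpath)
        with open(cpath) as c, open(kpath) as k:
            return c.read(), k.read()

if __name__ == "__main__":
    cert, key = make_test_cert("www.example.test", ["www.example.test", "example.test"])
    print(parse_cert_pem(cert), cert_matches_key(cert, key))
```

<div>Scraping the human-readable -text output ties the parser to OpenSSL's print format, which is exactly the fragility John's point about established libraries is aimed at; the key-match check, by contrast, compares two PEM SubjectPublicKeyInfo blobs and is stable across versions.</div>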