[openstack-dev] [Neutron][LBaaS] subjAltName and CN extraction from x509 certificates
John Dennis
jdennis at redhat.com
Fri Jun 27 14:26:23 UTC 2014
On 06/27/2014 12:21 AM, Carlos Garza wrote:
> I don't know where we can check in experimental code so I have a demonstration
> of how to extract CNs subjAltNames or what ever we want from x509 certificates. Later on
> I plan to use the OpenSSL libraries to verify certs coming from barbican are valid and
> actually do sign the private_key it is associated with.
>
> https://github.com/crc32a/ssl_exp.git
>
>
I'm always leary of reinventing the wheel, we already have code to
manage pem files (maybe this should be in oslo, it was proposed once)
keystone/common/pemutils.py
I'm also leary of folks writing their own ASN.1 parsing as opposed to
using existing libraries. Why? It's really hard to get right so you
correctly handle all the cases, long established robust libraries are
better at this.
python-nss (which is a Python binding to the NSS crypto library) has
easy to use code to extract just about anything from a cert, here is an
example python script using your example pem file. If using NSS isn't an
option I'd rather see us provide the necessary binding in pyopenssl than
handcraft one-off routines. FWIW virtually everything you see in the
cert output below can be accessed as Pythonically as a Python object(s)
when using python-nss.
#!/usr/bin/python
import sys
import nss.nss as nss
nss.nss_init_nodb()
filename = sys.argv[1]
# Read the PEM file
try:
binary_cert = nss.read_der_from_file(filename, True)
except Exception as e:
print e
sys.exit(1)
else:
print "loaded cert from file: %s" % filename
# Create a Certificiate object from the binary data
cert = nss.Certificate(binary_cert)
# Dump some basic information
print
print "cert subject: %s " % cert.subject
print "cert CN: %s " % cert.subject_common_name
print "cert validity:"
print " Not Before: %s" % cert.valid_not_before_str
print " Not After: %s" % cert.valid_not_after_str
print
print "\ncert has %d extensions" % len(cert.extensions)
for extension in cert.extensions:
print " %s (critical: %s)" % (extension.name, extension.critical)
print
extension = cert.get_extension(nss.SEC_OID_X509_SUBJECT_ALT_NAME)
if extension:
print "Subject Alt Names:"
for name in nss.x509_alt_name(extension.value):
print " %s" % name
else:
print "cert does not have a subject alt name extension"
# Dump entire cert in friendly format
print
print ">>> Entire cert contents <<<"
print cert
sys.exit(0)
Yields this output:
loaded cert from file: cr1.pem
cert subject: CN=www.digicert.com,O="DigiCert, Inc.",L=Lehi,ST=Utah,C=US,postalCode=84043,STREET=2600 West Executive Parkway,STREET=Suite 500,serialNumber=5299537-0142,incorporationState=Utah,incorporationCountry=US,businessCategory=Private Organization
cert CN: www.digicert.com
cert validity:
Not Before: Thu Mar 20 00:00:00 2014 UTC
Not After: Sun Jun 12 12:00:00 2016 UTC
cert has 10 extensions
Certificate Authority Key Identifier (critical: False)
Certificate Subject Key ID (critical: False)
Certificate Subject Alt Name (critical: False)
Certificate Key Usage (critical: True)
Extended Key Usage (critical: False)
CRL Distribution Points (critical: False)
Certificate Policies (critical: False)
Authority Information Access (critical: False)
Certificate Basic Constraints (critical: True)
OID.1.3.6.1.4.1.11129.2.4.2 (critical: False)
Subject Alt Names:
www.digicert.com
content.digicert.com
digicert.com
www.origin.digicert.com
login.digicert.com
>>> Entire cert contents <<<
Data:
Version: 3 (0x2)
Serial Number: 13518267578909330747227050733614153347 (0xa2b860cca01f45fd7ee63601b1c3e83)
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
Validity:
Not Before: Thu Mar 20 00:00:00 2014 UTC
Not After: Sun Jun 12 12:00:00 2016 UTC
Subject: CN=www.digicert.com,O="DigiCert, Inc.",L=Lehi,ST=Utah,C=US,postalCode=84043,STREET=2600 West Executive Parkway,STREET=Suite 500,serialNumber=5299537-0142,incorporationState=Utah,incorporationCountry=US,businessCategory=Private Organization
Subject Public Key Info:
Public Key Algorithm:
Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
a8:89:b3:3b:91:94:57:87:72:09:5b:5f:cb:2c:42:2a:
9e:ed:c2:fd:20:7b:2c:63:7f:dd:07:bf:fb:49:5c:ed:
1c:a2:70:79:75:c2:34:cc:eb:12:f0:40:88:3a:b9:ea:
29:a2:11:8f:53:e1:02:e1:87:04:f6:58:b9:86:b6:7f:
85:5e:0a:58:47:c3:bd:e7:6b:21:07:9d:db:ef:57:8b:
16:ce:38:f1:e3:e2:e4:5a:10:b8:39:bb:0a:ad:ca:c5:
10:85:3a:a1:6f:67:c9:18:c3:5b:b2:4c:a6:01:b6:c3:
50:be:7e:c8:79:ca:3c:53:5e:02:78:ae:96:5f:56:21:
b3:a4:3c:3f:fe:49:c5:17:73:a5:6e:a9:60:aa:bd:16:
04:56:fa:54:d2:cb:25:c0:e9:9f:89:c9:ee:10:87:01:
f2:c7:93:2d:c3:2f:9e:d0:9c:42:24:9d:09:24:f6:80:
c4:e8:34:99:5a:2e:26:c3:73:28:52:26:ac:09:34:8e:
c5:70:e1:f5:fb:93:b8:34:2d:44:f4:50:1f:86:0a:9b:
64:45:26:05:d4:45:ca:72:03:dd:1e:80:1a:9c:53:06:
7b:c8:36:31:03:da:5f:55:c4:0d:29:c0:52:9c:23:95:
8d:a9:55:95:c4:11:02:5b:a3:1b:ee:79:b2:6e:4a:6a:
4d:4a:44:3e:39:9e:8b:0d:ec:38:93:5e:5c:b3:4f:53:
8f:4e:2a:78:b1:52:54:4b:fb:6a:94:35:61:03:06:79:
e8:06:9c:8e:81:5b:6b:36:df:c0:fe:43:ce:d5:16:19:
f6:82:94:e8:80:00:e1:84:14:1d:28:73:8b:e9:ba:b6:
55:e7:a6:17:8c:ae:70:15:be:04:ef:c8:08:27:d9:df:
3a:7e:67:8c:06:0d:51:94:05:95:2f:27:e4:c1:d4:a4:
5e:ca:96:13:89:d2:05:8b:43:68:fc:31:87:a9:b6:f2:
c3:47:e3:df:d9:19:13:4f:b9:05:a9:8a:98:03:ca:c5:
92:29:e3:73:e7:4b:e8:0a:da:1b:9c:db:68:50:66:95:
2b:dc:e8:39:1b:14:fa:41:d3:fc:da:e6:8d:04:2c:81:
d1:12:47:c6:27:9d:d7:54:bd:4f:ee:42:20:96:52:a6:
83:9f:59:05:6b:2b:18:41:7a:5a:bb:89:1b:45:82:8a:
6e:7b:94:78:e0:4e:09:eb:1c:a8:da:d9:b4:56:d4:a0:
7d:08:d5:f2:94:81:2e:a1:b4:0a:14:56:21:26:c3:c4:
27:48:3c:50:d5:71:45:35:4b:37:22:7b:69:26:6c:db:
b8:4e:f2:f1:a2:f8:6b:fb:1a:ae:e6:eb:5b:1e:15:d5
Exponent:
65537 (0x10001)
Signed Extensions: (10)
Name: Certificate Authority Key Identifier
Critical: False
Key ID:
3d:d3:50:a5:d6:a0:ad:ee:f3:4a:60:0a:65:d3:21:d4:
f8:f8:d6:0f
Serial Number: None
General Names: [0 total]
Name: Certificate Subject Key ID
Critical: False
Data:
f8:a3:a7:61:ab:d9:77:4b:19:66:90:c7:9f:e3:9f:e6:
b0:44:21:06
Name: Certificate Subject Alt Name
Critical: False
Names:
www.digicert.com
content.digicert.com
digicert.com
www.origin.digicert.com
login.digicert.com
Name: Certificate Key Usage
Critical: True
Usages:
Digital Signature
Key Encipherment
Name: Extended Key Usage
Critical: False
Usages:
TLS Web Server Authentication Certificate
TLS Web Client Authentication Certificate
Name: CRL Distribution Points
Critical: False
CRL Distribution Points: [2 total]
Point [1]:
General Names: [1 total]
http://crl3.digicert.com/sha2-ev-server-g1.crl
Issuer: None
Reasons: ()
Point [2]:
General Names: [1 total]
http://crl4.digicert.com/sha2-ev-server-g1.crl
Issuer: None
Reasons: ()
Name: Certificate Policies
Critical: False
Name: Authority Information Access
Critical: False
Authority Information Access: [2 total]
Info [1]:
Method: PKIX Online Certificate Status Protocol
Location: URI: http://ocsp.digicert.com
Info [2]:
Method: PKIX CA issuers access method
Location: URI: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt
Name: Certificate Basic Constraints
Critical: True
Is CA: False
Path Length: 0
Name: OID.1.3.6.1.4.1.11129.2.4.2
Critical: False
Signature:
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
2d:9c:82:2e:a4:47:a7:54:f1:e7:80:34:d2:1e:8f:b7:
8e:f0:b4:8e:d0:9a:b6:b7:36:1f:17:22:0d:0e:91:7f:
bf:9d:ea:6f:7a:a9:18:cd:8c:60:8a:4d:c9:ea:b3:0b:
8d:bd:77:30:97:3e:f5:e9:72:00:33:33:cd:3b:d6:13:
14:a3:a7:4d:fc:dd:c1:97:2c:e5:f6:1a:24:97:3d:79:
12:01:9b:c8:9c:6e:26:a5:8d:bd:9d:a8:b1:bd:10:56:
11:05:d6:3b:56:dc:0c:42:cd:8c:dc:81:30:5a:c9:79:
84:0b:03:11:99:06:0e:32:f7:b9:33:8d:59:fc:e5:e4:
25:a3:f6:89:41:7f:32:38:44:56:3e:e2:b1:da:fe:43:
0b:5a:5c:19:aa:53:0f:ae:e3:86:2c:de:c7:4e:13:89:
e8:a7:93:52:45:71:06:35:2e:b0:ed:4d:97:76:1e:ec:
50:84:f6:15:ce:86:04:ab:ab:e0:93:fe:8e:cf:f5:53:
d3:43:d1:57:82:70:37:ea:84:85:38:fc:83:eb:8c:9f:
30:5f:31:4f:57:c2:e6:88:25:b8:4e:ec:99:07:23:90:
f1:51:2d:ca:0f:ab:9a:58:33:12:2c:62:bd:d9:d7:ca:
f0:0d:cc:5d:28:81:96:ff:d2:8f:34:d6:a9:bd:ba:26
Fingerprint (MD5):
b7:37:7c:9b:1c:7b:c1:12:72:1a:a4:1f:59:ec:42:d8
Fingerprint (SHA1):
90:5e:94:72:0e:a5:98:93:79:5c:41:5f:00:ad:d6:0e:
9f:e6:a0:d9
-- John
More information about the OpenStack-dev
mailing list