[openstack-dev] [Neutron][LBaaS] subjAltName and CN extraction from x509 certificates
Dustin Lundquist
dustin at null-ptr.net
Fri Jun 27 17:48:04 UTC 2014
It doesn't look like NSS is currently used within Neutron or Keystone.
Another alternative would be to write the certificate to a temp file and
then invoke "openssl x509 -text -noout -in $TEMP_FILE" and parse the
output, Keystone currently does similar (keystone/common/openssl.py). Given
renewed focus by security researchers on cryptographic libraries, I think
we should avoid requiring additional cryptographic libraries and use what
is already in use within OpenStack.
-Dustin
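The alternative raised above, running `openssl x509 -text -noout` and parsing its text, as an added example that is not part of the original thread or of any OpenStack code. It assumes an `openssl` binary on PATH for the live call; the sample output and every name in it are constructed so the parsers run offline, and the CN regex also accepts the `CN = ` spacing newer openssl releases print, which the thread does not discuss.

```python
"""Added example, not OpenStack code: shell out to `openssl x509 -text
-noout` and parse its text output for the CN and subjectAltName entries."""
import re
import subprocess

# Constructed, abbreviated sample of `openssl x509 -text -noout` output with
# made-up names.  The unescaped comma in "O=Example, Inc." is why the subject
# line is never split on commas: only the CN is pulled out of it.
SAMPLE_OPENSSL_TEXT = """\
        Issuer: C=US, O=Example CA, Inc., CN=Example Issuing CA
        Subject: C=US, O=Example, Inc., CN=lb.example.test
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:lb.example.test, DNS:api.example.test, IP Address:192.0.2.10
"""

def openssl_x509_text(pem_data):
    """Run the openssl CLI (assumed on PATH) over a PEM certificate; the PEM
    goes in on stdin, so it never has to be written to a temp file."""
    proc = subprocess.run(["openssl", "x509", "-text", "-noout"],
                          input=pem_data, capture_output=True,
                          text=True, check=True)
    return proc.stdout

def parse_subject_cn(text):
    """CN from the Subject: line (not the Issuer), or None if absent.
    Accepts both the old "CN=" and the newer "CN = " spacing."""
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", text, re.MULTILINE)
    return m.group(1).strip() if m else None

def parse_subject_alt_names(text):
    """SAN entries as (type, value) pairs; openssl prints them all on the
    single line that follows the extension header."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("X509v3 Subject Alternative Name"):
            if i + 1 >= len(lines):
                break
            entries = [e.strip() for e in lines[i + 1].split(",")]
            return [tuple(e.split(":", 1)) for e in entries if ":" in e]
    return []  # certificate carries no SAN extension

def dns_names(text):
    """Names a load balancer can route on: DNS SANs, else the CN if no SANs."""
    sans = parse_subject_alt_names(text)
    if sans:
        return [v for kind, v in sans if kind == "DNS"]
    cn = parse_subject_cn(text)
    return [cn] if cn else []
```

Feed a real certificate through `dns_names(openssl_x509_text(pem))`; the CN fallback only applies when the SAN extension is entirely absent, matching how TLS clients treat the CN.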
On Fri, Jun 27, 2014 at 7:26 AM, John Dennis <jdennis at redhat.com> wrote:
> On 06/27/2014 12:21 AM, Carlos Garza wrote:
> > I don't know where we can check in experimental code, so I have a
> > demonstration of how to extract CNs, subjAltNames or whatever we want
> > from x509 certificates. Later on I plan to use the OpenSSL libraries to
> > verify certs coming from barbican are valid and actually do sign the
> > private_key it is associated with.
> >
> > https://github.com/crc32a/ssl_exp.git
> >
> I'm always leery of reinventing the wheel; we already have code to
> manage pem files (maybe this should be in oslo, it was proposed once):
>
> keystone/common/pemutils.py
>
> I'm also leery of folks writing their own ASN.1 parsing as opposed to
> using existing libraries. Why? It's really hard to get right so you
> correctly handle all the cases; long-established robust libraries are
> better at this.
>
> python-nss (which is a Python binding to the NSS crypto library) has
> easy to use code to extract just about anything from a cert, here is an
> example python script using your example pem file. If using NSS isn't an
> option I'd rather see us provide the necessary binding in pyopenssl than
> handcraft one-off routines. FWIW virtually everything you see in the
> cert output below can be accessed as Pythonically as a Python object(s)
> when using python-nss.
>
> #!/usr/bin/python
>
> import sys
> import nss.nss as nss
>
> nss.nss_init_nodb()
>
> filename = sys.argv[1]
>
> # Read the PEM file
> try:
>     binary_cert = nss.read_der_from_file(filename, True)
> except Exception as e:
>     print e
>     sys.exit(1)
> else:
>     print "loaded cert from file: %s" % filename
>
> # Create a Certificate object from the binary data
> cert = nss.Certificate(binary_cert)
>
> # Dump some basic information
> print
> print "cert subject: %s " % cert.subject
> print "cert CN: %s " % cert.subject_common_name
> print "cert validity:"
> print "    Not Before: %s" % cert.valid_not_before_str
> print "    Not After: %s" % cert.valid_not_after_str
>
> print
> print "\ncert has %d extensions" % len(cert.extensions)
>
> for extension in cert.extensions:
>     print "    %s (critical: %s)" % (extension.name, extension.critical)
>
> print
> extension = cert.get_extension(nss.SEC_OID_X509_SUBJECT_ALT_NAME)
> if extension:
>     print "Subject Alt Names:"
>     for name in nss.x509_alt_name(extension.value):
>         print "    %s" % name
> else:
>     print "cert does not have a subject alt name extension"
>
> # Dump entire cert in friendly format
> print
> print ">>> Entire cert contents <<<"
> print cert
>
> sys.exit(0)
>
> Yields this output:
>
> loaded cert from file: cr1.pem
>
> cert subject: CN=www.digicert.com,O="DigiCert,
> Inc.",L=Lehi,ST=Utah,C=US,postalCode=84043,STREET=2600 West Executive
> Parkway,STREET=Suite
> 500,serialNumber=5299537-0142,incorporationState=Utah,incorporationCountry=US,businessCategory=Private
> Organization
> cert CN: www.digicert.com
> cert validity:
> Not Before: Thu Mar 20 00:00:00 2014 UTC
> Not After: Sun Jun 12 12:00:00 2016 UTC
>
>
> cert has 10 extensions
> Certificate Authority Key Identifier (critical: False)
> Certificate Subject Key ID (critical: False)
> Certificate Subject Alt Name (critical: False)
> Certificate Key Usage (critical: True)
> Extended Key Usage (critical: False)
> CRL Distribution Points (critical: False)
> Certificate Policies (critical: False)
> Authority Information Access (critical: False)
> Certificate Basic Constraints (critical: True)
> OID.1.3.6.1.4.1.11129.2.4.2 (critical: False)
>
> Subject Alt Names:
> www.digicert.com
> content.digicert.com
> digicert.com
> www.origin.digicert.com
> login.digicert.com
>
> >>> Entire cert contents <<<
> Data:
> Version: 3 (0x2)
> Serial Number: 13518267578909330747227050733614153347
> (0xa2b860cca01f45fd7ee63601b1c3e83)
> Signature Algorithm:
> Algorithm: PKCS #1 SHA-256 With RSA Encryption
> Issuer: CN=DigiCert SHA2 Extended Validation Server CA,OU=
> www.digicert.com,O=DigiCert Inc,C=US
> Validity:
> Not Before: Thu Mar 20 00:00:00 2014 UTC
> Not After: Sun Jun 12 12:00:00 2016 UTC
> Subject: CN=www.digicert.com,O="DigiCert,
> Inc.",L=Lehi,ST=Utah,C=US,postalCode=84043,STREET=2600 West Executive
> Parkway,STREET=Suite
> 500,serialNumber=5299537-0142,incorporationState=Utah,incorporationCountry=US,businessCategory=Private
> Organization
> Subject Public Key Info:
> Public Key Algorithm:
> Algorithm: PKCS #1 RSA Encryption
> RSA Public Key:
> Modulus:
> Exponent:
> 65537 (0x10001)
> Signed Extensions: (10)
> Name: Certificate Authority Key Identifier
> Critical: False
> Key ID:
> 3d:d3:50:a5:d6:a0:ad:ee:f3:4a:60:0a:65:d3:21:d4:
> f8:f8:d6:0f
> Serial Number: None
> General Names: [0 total]
>
> Name: Certificate Subject Key ID
> Critical: False
> Data:
> f8:a3:a7:61:ab:d9:77:4b:19:66:90:c7:9f:e3:9f:e6:
> b0:44:21:06
>
> Name: Certificate Subject Alt Name
> Critical: False
> Names:
> www.digicert.com
> content.digicert.com
> digicert.com
> www.origin.digicert.com
> login.digicert.com
>
> Name: Certificate Key Usage
> Critical: True
> Usages:
> Digital Signature
> Key Encipherment
>
> Name: Extended Key Usage
> Critical: False
> Usages:
> TLS Web Server Authentication Certificate
> TLS Web Client Authentication Certificate
>
> Name: CRL Distribution Points
> Critical: False
> CRL Distribution Points: [2 total]
> Point [1]:
> General Names: [1 total]
> http://crl3.digicert.com/sha2-ev-server-g1.crl
> Issuer: None
> Reasons: ()
> Point [2]:
> General Names: [1 total]
> http://crl4.digicert.com/sha2-ev-server-g1.crl
> Issuer: None
> Reasons: ()
>
> Name: Certificate Policies
> Critical: False
>
> Name: Authority Information Access
> Critical: False
> Authority Information Access: [2 total]
> Info [1]:
> Method: PKIX Online Certificate Status Protocol
> Location: URI: http://ocsp.digicert.com
> Info [2]:
> Method: PKIX CA issuers access method
> Location: URI:
> http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt
>
> Name: Certificate Basic Constraints
> Critical: True
> Is CA: False
> Path Length: 0
>
> Name: OID.1.3.6.1.4.1.11129.2.4.2
> Critical: False
>
> Signature:
> Signature Algorithm:
> Algorithm: PKCS #1 SHA-256 With RSA Encryption
> Signature:
> Fingerprint (MD5):
> b7:37:7c:9b:1c:7b:c1:12:72:1a:a4:1f:59:ec:42:d8
> Fingerprint (SHA1):
> 90:5e:94:72:0e:a5:98:93:79:5c:41:5f:00:ad:d6:0e:
> 9f:e6:a0:d9
>
> -- John