On 06/27/2014 12:21 AM, Carlos Garza wrote:
> I don't know where we can check in experimental code so I have a demonstration
> of how to extract CNs, subjAltNames or whatever we want from x509 certificates. Later on
> I plan to use the OpenSSL libraries to verify certs coming from barbican are valid and
> actually do sign the private_key it is associated with.
>
> https://github.com/crc32a/ssl_exp.git
>

I'm always leery of reinventing the wheel; we already have code to manage pem files (maybe this should be in oslo, it was proposed once):

keystone/common/pemutils.py

I'm also leery of folks writing their own ASN.1 parsing as opposed to using existing libraries. Why? It's really hard to get right so that you correctly handle all the cases; long-established, robust libraries are better at this.

python-nss (which is a Python binding to the NSS crypto library) has easy-to-use code to extract just about anything from a cert. Here is an example Python script using your example pem file. If using NSS isn't an option I'd rather see us provide the necessary binding in pyopenssl than handcraft one-off routines.

FWIW virtually everything you see in the cert output below can be accessed just as Pythonically, as Python object(s), when using python-nss.

#!/usr/bin/python
import sys
import nss.nss as nss

# Initialize NSS without a certificate/key database
nss.nss_init_nodb()

filename = sys.argv[1]

# Read the PEM file (True = the file is PEM/base64 encoded, decode it to DER)
try:
    binary_cert = nss.read_der_from_file(filename, True)
except Exception as e:
    print e
    sys.exit(1)
else:
    print "loaded cert from file: %s" % filename

# Create a Certificate object from the binary data
cert = nss.Certificate(binary_cert)

# Dump some basic information
print
print "cert subject: %s " % cert.subject
print "cert CN: %s " % cert.subject_common_name
print "cert validity:"
print "    Not Before: %s" % cert.valid_not_before_str
print "    Not After: %s" % cert.valid_not_after_str
print

print "\ncert has %d extensions" % len(cert.extensions)
for extension in cert.extensions:
    print "    %s (critical: %s)" % (extension.name, extension.critical)
print

# Look up the Subject Alt Name extension by OID and decode its GeneralNames
extension = cert.get_extension(nss.SEC_OID_X509_SUBJECT_ALT_NAME)
if extension:
    print "Subject Alt Names:"
    for name in nss.x509_alt_name(extension.value):
        print "    %s" % name
else:
    print "cert does not have a subject alt name extension"

# Dump entire cert in friendly format
print
print ">>> Entire cert contents <<<"
print cert

sys.exit(0)

Yields this output:

loaded cert from file: cr1.pem

cert subject: CN=www.digicert.com,O="DigiCert, Inc.",L=Lehi,ST=Utah,C=US,postalCode=84043,STREET=2600 West Executive Parkway,STREET=Suite 500,serialNumber=5299537-0142,incorporationState=Utah,incorporationCountry=US,businessCategory=Private Organization
cert CN: www.digicert.com
cert validity:
    Not Before: Thu Mar 20 00:00:00 2014 UTC
    Not After: Sun Jun 12 12:00:00 2016 UTC


cert has 10 extensions
    Certificate Authority Key Identifier (critical: False)
    Certificate Subject Key ID (critical: False)
    Certificate Subject Alt Name (critical: False)
    Certificate Key Usage (critical: True)
    Extended Key Usage (critical: False)
    CRL Distribution Points (critical: False)
    Certificate Policies (critical: False)
    Authority Information Access (critical: False)
    Certificate Basic Constraints (critical: True)
    OID.1.3.6.1.4.1.11129.2.4.2 (critical: False)

Subject Alt Names:
    www.digicert.com
    content.digicert.com
    digicert.com
    www.origin.digicert.com
    login.digicert.com

>>> Entire cert contents <<<
Data:
    Version: 3 (0x2)
    Serial Number: 13518267578909330747227050733614153347 (0xa2b860cca01f45fd7ee63601b1c3e83)
    Signature Algorithm:
        Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Issuer: CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
    Validity:
        Not Before: Thu Mar 20 00:00:00 2014 UTC
        Not After: Sun Jun 12 12:00:00 2016 UTC
    Subject: CN=www.digicert.com,O="DigiCert, Inc.",L=Lehi,ST=Utah,C=US,postalCode=84043,STREET=2600 West Executive Parkway,STREET=Suite 500,serialNumber=5299537-0142,incorporationState=Utah,incorporationCountry=US,businessCategory=Private Organization
    Subject Public Key Info:
        Public Key Algorithm:
            Algorithm: PKCS #1 RSA Encryption
        RSA Public Key:
            Modulus:
                a8:89:b3:3b:91:94:57:87:72:09:5b:5f:cb:2c:42:2a:
                9e:ed:c2:fd:20:7b:2c:63:7f:dd:07:bf:fb:49:5c:ed:
                1c:a2:70:79:75:c2:34:cc:eb:12:f0:40:88:3a:b9:ea:
                29:a2:11:8f:53:e1:02:e1:87:04:f6:58:b9:86:b6:7f:
                85:5e:0a:58:47:c3:bd:e7:6b:21:07:9d:db:ef:57:8b:
                16:ce:38:f1:e3:e2:e4:5a:10:b8:39:bb:0a:ad:ca:c5:
                10:85:3a:a1:6f:67:c9:18:c3:5b:b2:4c:a6:01:b6:c3:
                50:be:7e:c8:79:ca:3c:53:5e:02:78:ae:96:5f:56:21:
                b3:a4:3c:3f:fe:49:c5:17:73:a5:6e:a9:60:aa:bd:16:
                04:56:fa:54:d2:cb:25:c0:e9:9f:89:c9:ee:10:87:01:
                f2:c7:93:2d:c3:2f:9e:d0:9c:42:24:9d:09:24:f6:80:
                c4:e8:34:99:5a:2e:26:c3:73:28:52:26:ac:09:34:8e:
                c5:70:e1:f5:fb:93:b8:34:2d:44:f4:50:1f:86:0a:9b:
                64:45:26:05:d4:45:ca:72:03:dd:1e:80:1a:9c:53:06:
                7b:c8:36:31:03:da:5f:55:c4:0d:29:c0:52:9c:23:95:
                8d:a9:55:95:c4:11:02:5b:a3:1b:ee:79:b2:6e:4a:6a:
                4d:4a:44:3e:39:9e:8b:0d:ec:38:93:5e:5c:b3:4f:53:
                8f:4e:2a:78:b1:52:54:4b:fb:6a:94:35:61:03:06:79:
                e8:06:9c:8e:81:5b:6b:36:df:c0:fe:43:ce:d5:16:19:
                f6:82:94:e8:80:00:e1:84:14:1d:28:73:8b:e9:ba:b6:
                55:e7:a6:17:8c:ae:70:15:be:04:ef:c8:08:27:d9:df:
                3a:7e:67:8c:06:0d:51:94:05:95:2f:27:e4:c1:d4:a4:
                5e:ca:96:13:89:d2:05:8b:43:68:fc:31:87:a9:b6:f2:
                c3:47:e3:df:d9:19:13:4f:b9:05:a9:8a:98:03:ca:c5:
                92:29:e3:73:e7:4b:e8:0a:da:1b:9c:db:68:50:66:95:
                2b:dc:e8:39:1b:14:fa:41:d3:fc:da:e6:8d:04:2c:81:
                d1:12:47:c6:27:9d:d7:54:bd:4f:ee:42:20:96:52:a6:
                83:9f:59:05:6b:2b:18:41:7a:5a:bb:89:1b:45:82:8a:
                6e:7b:94:78:e0:4e:09:eb:1c:a8:da:d9:b4:56:d4:a0:
                7d:08:d5:f2:94:81:2e:a1:b4:0a:14:56:21:26:c3:c4:
                27:48:3c:50:d5:71:45:35:4b:37:22:7b:69:26:6c:db:
                b8:4e:f2:f1:a2:f8:6b:fb:1a:ae:e6:eb:5b:1e:15:d5
            Exponent: 65537 (0x10001)
    Signed Extensions: (10)
        Name: Certificate Authority Key Identifier
        Critical: False
        Key ID:
            3d:d3:50:a5:d6:a0:ad:ee:f3:4a:60:0a:65:d3:21:d4:
            f8:f8:d6:0f
        Serial Number: None
        General Names: [0 total]

        Name: Certificate Subject Key ID
        Critical: False
        Data:
            f8:a3:a7:61:ab:d9:77:4b:19:66:90:c7:9f:e3:9f:e6:
            b0:44:21:06

        Name: Certificate Subject Alt Name
        Critical: False
        Names:
            www.digicert.com
            content.digicert.com
            digicert.com
            www.origin.digicert.com
            login.digicert.com

        Name: Certificate Key Usage
        Critical: True
        Usages:
            Digital Signature
            Key Encipherment

        Name: Extended Key Usage
        Critical: False
        Usages:
            TLS Web Server Authentication Certificate
            TLS Web Client Authentication Certificate

        Name: CRL Distribution Points
        Critical: False
        CRL Distribution Points: [2 total]
            Point [1]:
                General Names: [1 total]
                    http://crl3.digicert.com/sha2-ev-server-g1.crl
                Issuer: None
                Reasons: ()
            Point [2]:
                General Names: [1 total]
                    http://crl4.digicert.com/sha2-ev-server-g1.crl
                Issuer: None
                Reasons: ()

        Name: Certificate Policies
        Critical: False

        Name: Authority Information Access
        Critical: False
        Authority Information Access: [2 total]
            Info [1]:
                Method: PKIX Online Certificate Status Protocol
                Location:
                    URI: http://ocsp.digicert.com
            Info [2]:
                Method: PKIX CA issuers access method
                Location:
                    URI: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt

        Name: Certificate Basic Constraints
        Critical: True
        Is CA: False
        Path Length: 0

        Name: OID.1.3.6.1.4.1.11129.2.4.2
        Critical: False

Signature:
    Signature Algorithm:
        Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        2d:9c:82:2e:a4:47:a7:54:f1:e7:80:34:d2:1e:8f:b7:
        8e:f0:b4:8e:d0:9a:b6:b7:36:1f:17:22:0d:0e:91:7f:
        bf:9d:ea:6f:7a:a9:18:cd:8c:60:8a:4d:c9:ea:b3:0b:
        8d:bd:77:30:97:3e:f5:e9:72:00:33:33:cd:3b:d6:13:
        14:a3:a7:4d:fc:dd:c1:97:2c:e5:f6:1a:24:97:3d:79:
        12:01:9b:c8:9c:6e:26:a5:8d:bd:9d:a8:b1:bd:10:56:
        11:05:d6:3b:56:dc:0c:42:cd:8c:dc:81:30:5a:c9:79:
        84:0b:03:11:99:06:0e:32:f7:b9:33:8d:59:fc:e5:e4:
        25:a3:f6:89:41:7f:32:38:44:56:3e:e2:b1:da:fe:43:
        0b:5a:5c:19:aa:53:0f:ae:e3:86:2c:de:c7:4e:13:89:
        e8:a7:93:52:45:71:06:35:2e:b0:ed:4d:97:76:1e:ec:
        50:84:f6:15:ce:86:04:ab:ab:e0:93:fe:8e:cf:f5:53:
        d3:43:d1:57:82:70:37:ea:84:85:38:fc:83:eb:8c:9f:
        30:5f:31:4f:57:c2:e6:88:25:b8:4e:ec:99:07:23:90:
        f1:51:2d:ca:0f:ab:9a:58:33:12:2c:62:bd:d9:d7:ca:
        f0:0d:cc:5d:28:81:96:ff:d2:8f:34:d6:a9:bd:ba:26
Fingerprint (MD5):
    b7:37:7c:9b:1c:7b:c1:12:72:1a:a4:1f:59:ec:42:d8
Fingerprint (SHA1):
    90:5e:94:72:0e:a5:98:93:79:5c:41:5f:00:ad:d6:0e:
    9f:e6:a0:d9

-- 
John

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
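Added example, not part of the thread and not John's python-nss script: the same extraction John shows (subject, CN, DNS subjAltNames, validity window, extension list) plus the check Carlos said he planned to add, that a private key really belongs to the certificate it is paired with. It follows the thread's advice by delegating all ASN.1 work to an established library, here the `cryptography` package (assumed installed, version 3.1 or newer; python-nss and pyOpenSSL, the libraries named in the thread, would serve equally well). The certificate and key it runs on are generated inline with constructed hostnames, so it needs no file and no network; `make_test_cert`, `describe_cert`, `key_matches_cert` and `cert_is_current` are names chosen for this example.

```python
"""Extract identity fields from an X.509 certificate and check that a private
key belongs to it, using the `cryptography` package (assumed installed, >= 3.1)
rather than hand-written ASN.1 parsing.  Added example: the certificate and key
are generated inline with constructed names; nothing here comes from the thread."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

UTC = datetime.timezone.utc


def make_test_cert(hostnames, start_days_ago=0, days=30):
    """CONSTRUCTED self-signed cert + key for the demo (hypothetical data).

    Returns (cert_pem, key_pem) as bytes.  The builder rejects a not_after that
    precedes not_before, so an expired cert is made by moving its start back."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, hostnames[0]),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org (constructed)"),
    ])
    not_before = datetime.datetime.now(UTC) - datetime.timedelta(days=start_days_ago, minutes=5)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)                       # self-signed: issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_before + datetime.timedelta(days=days))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(h) for h in hostnames]),
                       critical=False)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    key_pem = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.PKCS8,
                                serialization.NoEncryption())
    return cert.public_bytes(serialization.Encoding.PEM), key_pem


def validity_window(cert):
    """(not_before, not_after) as aware UTC datetimes.  cryptography >= 42 exposes
    the *_utc properties; older releases only the naive ones, which are UTC."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=UTC),
            cert.not_valid_after.replace(tzinfo=UTC))


def describe_cert(cert_pem):
    """The fields the thread is after: subject, CN, DNS SANs, validity, extensions."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    cn_attrs = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        sans = san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        sans = []                                # a cert may legitimately lack SANs
    not_before, not_after = validity_window(cert)
    return {
        "subject": cert.subject.rfc4514_string(),
        "cn": cn_attrs[0].value if cn_attrs else None,   # CN is optional in X.509
        "sans": sans,
        "not_before": not_before,
        "not_after": not_after,
        # (extension type, critical flag) pairs; unrecognized extensions are kept too
        "extensions": [(type(e.value).__name__, e.critical) for e in cert.extensions],
    }


def key_matches_cert(cert_pem, key_pem, password=None):
    """True iff the private key's public half is the certificate's public key.

    Comparing the DER SubjectPublicKeyInfo works for RSA, EC and EdDSA alike
    (the manual equivalent is diffing `openssl x509 -modulus` against
    `openssl rsa -modulus`)."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    key = serialization.load_pem_private_key(key_pem, password=password)
    spki = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    return cert.public_key().public_bytes(*spki) == key.public_key().public_bytes(*spki)


def cert_is_current(cert_pem, at=None):
    """True iff `at` (default: now) lies inside the certificate's validity window."""
    not_before, not_after = validity_window(x509.load_pem_x509_certificate(cert_pem))
    at = at or datetime.datetime.now(UTC)
    return not_before <= at <= not_after


if __name__ == "__main__":
    cert_pem, key_pem = make_test_cert(["www.example.test", "example.test"])
    for field, value in describe_cert(cert_pem).items():
        print("%-12s %s" % (field, value))
    print("key matches cert:", key_matches_cert(cert_pem, key_pem))
    print("cert is current: ", cert_is_current(cert_pem))
```

The key-match check compares the certificate's SubjectPublicKeyInfo with the one derived from the private key instead of comparing RSA moduli, so the same function covers non-RSA keys; a mismatch means the PEM bundle handed over (from barbican or anywhere else) pairs a certificate with the wrong key and should be rejected before it is ever installed on a listener. Note that a passing match and an unexpired window say nothing about the issuer chain, so chain validation is still a separate step.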