It doesn't look like NSS is currently used within Neutron or Keystone. Another alternative would be to write the certificate to a temp file and then invoke "openssl x509 -text -noout -in $TEMP_FILE" and parse the output; Keystone currently does something similar (keystone/common/openssl.py). Given the renewed focus by security researchers on cryptographic libraries, I think we should avoid requiring additional cryptographic libraries and use what is already in use within OpenStack.
-Dustin

On Fri, Jun 27, 2014 at 7:26 AM, John Dennis <[email protected]> wrote:
> On 06/27/2014 12:21 AM, Carlos Garza wrote:
> > I don't know where we can check in experimental code so I have a demonstration
> > of how to extract CNs, subjAltNames or whatever we want from x509 certificates. Later on
> > I plan to use the OpenSSL libraries to verify certs coming from barbican are valid and
> > actually do sign the private_key it is associated with.
> >
> > https://github.com/crc32a/ssl_exp.git
> >
>
> I'm always leery of reinventing the wheel, we already have code to
> manage pem files (maybe this should be in oslo, it was proposed once)
>
> keystone/common/pemutils.py
>
> I'm also leery of folks writing their own ASN.1 parsing as opposed to
> using existing libraries. Why? It's really hard to get right so you
> correctly handle all the cases, long established robust libraries are
> better at this.
>
> python-nss (which is a Python binding to the NSS crypto library) has
> easy to use code to extract just about anything from a cert, here is an
> example python script using your example pem file. If using NSS isn't an
> option I'd rather see us provide the necessary binding in pyopenssl than
> handcraft one-off routines. FWIW virtually everything you see in the
> cert output below can be accessed as Pythonically as a Python object(s)
> when using python-nss.
>
> #!/usr/bin/python
>
> import sys
> import nss.nss as nss
>
> nss.nss_init_nodb()
>
> filename = sys.argv[1]
>
> # Read the PEM file
> try:
>     binary_cert = nss.read_der_from_file(filename, True)
> except Exception as e:
>     print e
>     sys.exit(1)
> else:
>     print "loaded cert from file: %s" % filename
>
> # Create a Certificate object from the binary data
> cert = nss.Certificate(binary_cert)
>
> # Dump some basic information
> print
> print "cert subject: %s " % cert.subject
> print "cert CN: %s " % cert.subject_common_name
> print "cert validity:"
> print "  Not Before: %s" % cert.valid_not_before_str
> print "  Not After:  %s" % cert.valid_not_after_str
>
> print
> print "\ncert has %d extensions" % len(cert.extensions)
>
> for extension in cert.extensions:
>     print "  %s (critical: %s)" % (extension.name, extension.critical)
>
> print
> extension = cert.get_extension(nss.SEC_OID_X509_SUBJECT_ALT_NAME)
> if extension:
>     print "Subject Alt Names:"
>     for name in nss.x509_alt_name(extension.value):
>         print "  %s" % name
> else:
>     print "cert does not have a subject alt name extension"
>
> # Dump entire cert in friendly format
> print
> print ">>> Entire cert contents <<<"
> print cert
>
> sys.exit(0)
>
> Yields this output:
>
> loaded cert from file: cr1.pem
>
> cert subject: CN=www.digicert.com,O="DigiCert, Inc.",L=Lehi,ST=Utah,C=US,postalCode=84043,STREET=2600 West Executive Parkway,STREET=Suite 500,serialNumber=5299537-0142,incorporationState=Utah,incorporationCountry=US,businessCategory=Private Organization
> cert CN: www.digicert.com
> cert validity:
>   Not Before: Thu Mar 20 00:00:00 2014 UTC
>   Not After:  Sun Jun 12 12:00:00 2016 UTC
>
>
> cert has 10 extensions
>   Certificate Authority Key Identifier (critical: False)
>   Certificate Subject Key ID (critical: False)
>   Certificate Subject Alt Name (critical: False)
>   Certificate Key Usage (critical: True)
>   Extended Key Usage (critical: False)
>   CRL Distribution Points (critical: False)
>   Certificate Policies (critical: False)
>   Authority Information Access (critical: False)
>   Certificate Basic Constraints (critical: True)
>   OID.1.3.6.1.4.1.11129.2.4.2 (critical: False)
>
> Subject Alt Names:
>   www.digicert.com
>   content.digicert.com
>   digicert.com
>   www.origin.digicert.com
>   login.digicert.com
>
> >>> Entire cert contents <<<
> Data:
>     Version: 3 (0x2)
>     Serial Number: 13518267578909330747227050733614153347 (0xa2b860cca01f45fd7ee63601b1c3e83)
>     Signature Algorithm:
>         Algorithm: PKCS #1 SHA-256 With RSA Encryption
>     Issuer: CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
>     Validity:
>         Not Before: Thu Mar 20 00:00:00 2014 UTC
>         Not After:  Sun Jun 12 12:00:00 2016 UTC
>     Subject: CN=www.digicert.com,O="DigiCert, Inc.",L=Lehi,ST=Utah,C=US,postalCode=84043,STREET=2600 West Executive Parkway,STREET=Suite 500,serialNumber=5299537-0142,incorporationState=Utah,incorporationCountry=US,businessCategory=Private Organization
>     Subject Public Key Info:
>         Public Key Algorithm:
>             Algorithm: PKCS #1 RSA Encryption
>         RSA Public Key:
>             Modulus:
>                 a8:89:b3:3b:91:94:57:87:72:09:5b:5f:cb:2c:42:2a:
>                 9e:ed:c2:fd:20:7b:2c:63:7f:dd:07:bf:fb:49:5c:ed:
>                 1c:a2:70:79:75:c2:34:cc:eb:12:f0:40:88:3a:b9:ea:
>                 29:a2:11:8f:53:e1:02:e1:87:04:f6:58:b9:86:b6:7f:
>                 85:5e:0a:58:47:c3:bd:e7:6b:21:07:9d:db:ef:57:8b:
>                 16:ce:38:f1:e3:e2:e4:5a:10:b8:39:bb:0a:ad:ca:c5:
>                 10:85:3a:a1:6f:67:c9:18:c3:5b:b2:4c:a6:01:b6:c3:
>                 50:be:7e:c8:79:ca:3c:53:5e:02:78:ae:96:5f:56:21:
>                 b3:a4:3c:3f:fe:49:c5:17:73:a5:6e:a9:60:aa:bd:16:
>                 04:56:fa:54:d2:cb:25:c0:e9:9f:89:c9:ee:10:87:01:
>                 f2:c7:93:2d:c3:2f:9e:d0:9c:42:24:9d:09:24:f6:80:
>                 c4:e8:34:99:5a:2e:26:c3:73:28:52:26:ac:09:34:8e:
>                 c5:70:e1:f5:fb:93:b8:34:2d:44:f4:50:1f:86:0a:9b:
>                 64:45:26:05:d4:45:ca:72:03:dd:1e:80:1a:9c:53:06:
>                 7b:c8:36:31:03:da:5f:55:c4:0d:29:c0:52:9c:23:95:
>                 8d:a9:55:95:c4:11:02:5b:a3:1b:ee:79:b2:6e:4a:6a:
>                 4d:4a:44:3e:39:9e:8b:0d:ec:38:93:5e:5c:b3:4f:53:
>                 8f:4e:2a:78:b1:52:54:4b:fb:6a:94:35:61:03:06:79:
>                 e8:06:9c:8e:81:5b:6b:36:df:c0:fe:43:ce:d5:16:19:
>                 f6:82:94:e8:80:00:e1:84:14:1d:28:73:8b:e9:ba:b6:
>                 55:e7:a6:17:8c:ae:70:15:be:04:ef:c8:08:27:d9:df:
>                 3a:7e:67:8c:06:0d:51:94:05:95:2f:27:e4:c1:d4:a4:
>                 5e:ca:96:13:89:d2:05:8b:43:68:fc:31:87:a9:b6:f2:
>                 c3:47:e3:df:d9:19:13:4f:b9:05:a9:8a:98:03:ca:c5:
>                 92:29:e3:73:e7:4b:e8:0a:da:1b:9c:db:68:50:66:95:
>                 2b:dc:e8:39:1b:14:fa:41:d3:fc:da:e6:8d:04:2c:81:
>                 d1:12:47:c6:27:9d:d7:54:bd:4f:ee:42:20:96:52:a6:
>                 83:9f:59:05:6b:2b:18:41:7a:5a:bb:89:1b:45:82:8a:
>                 6e:7b:94:78:e0:4e:09:eb:1c:a8:da:d9:b4:56:d4:a0:
>                 7d:08:d5:f2:94:81:2e:a1:b4:0a:14:56:21:26:c3:c4:
>                 27:48:3c:50:d5:71:45:35:4b:37:22:7b:69:26:6c:db:
>                 b8:4e:f2:f1:a2:f8:6b:fb:1a:ae:e6:eb:5b:1e:15:d5
>             Exponent:
>                 65537 (0x10001)
>     Signed Extensions: (10)
>         Name: Certificate Authority Key Identifier
>         Critical: False
>         Key ID:
>             3d:d3:50:a5:d6:a0:ad:ee:f3:4a:60:0a:65:d3:21:d4:
>             f8:f8:d6:0f
>         Serial Number: None
>         General Names: [0 total]
>
>         Name: Certificate Subject Key ID
>         Critical: False
>         Data:
>             f8:a3:a7:61:ab:d9:77:4b:19:66:90:c7:9f:e3:9f:e6:
>             b0:44:21:06
>
>         Name: Certificate Subject Alt Name
>         Critical: False
>         Names:
>             www.digicert.com
>             content.digicert.com
>             digicert.com
>             www.origin.digicert.com
>             login.digicert.com
>
>         Name: Certificate Key Usage
>         Critical: True
>         Usages:
>             Digital Signature
>             Key Encipherment
>
>         Name: Extended Key Usage
>         Critical: False
>         Usages:
>             TLS Web Server Authentication Certificate
>             TLS Web Client Authentication Certificate
>
>         Name: CRL Distribution Points
>         Critical: False
>         CRL Distribution Points: [2 total]
>             Point [1]:
>                 General Names: [1 total]
>                     http://crl3.digicert.com/sha2-ev-server-g1.crl
>                 Issuer: None
>                 Reasons: ()
>             Point [2]:
>                 General Names: [1 total]
>                     http://crl4.digicert.com/sha2-ev-server-g1.crl
>                 Issuer: None
>                 Reasons: ()
>
>         Name: Certificate Policies
>         Critical: False
>
>         Name: Authority Information Access
>         Critical: False
>         Authority Information Access: [2 total]
>             Info [1]:
>                 Method: PKIX Online Certificate Status Protocol
>                 Location: URI: http://ocsp.digicert.com
>             Info [2]:
>                 Method: PKIX CA issuers access method
>                 Location: URI: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt
>
>         Name: Certificate Basic Constraints
>         Critical: True
>         Is CA: False
>         Path Length: 0
>
>         Name: OID.1.3.6.1.4.1.11129.2.4.2
>         Critical: False
>
> Signature:
>     Signature Algorithm:
>         Algorithm: PKCS #1 SHA-256 With RSA Encryption
>     Signature:
>         2d:9c:82:2e:a4:47:a7:54:f1:e7:80:34:d2:1e:8f:b7:
>         8e:f0:b4:8e:d0:9a:b6:b7:36:1f:17:22:0d:0e:91:7f:
>         bf:9d:ea:6f:7a:a9:18:cd:8c:60:8a:4d:c9:ea:b3:0b:
>         8d:bd:77:30:97:3e:f5:e9:72:00:33:33:cd:3b:d6:13:
>         14:a3:a7:4d:fc:dd:c1:97:2c:e5:f6:1a:24:97:3d:79:
>         12:01:9b:c8:9c:6e:26:a5:8d:bd:9d:a8:b1:bd:10:56:
>         11:05:d6:3b:56:dc:0c:42:cd:8c:dc:81:30:5a:c9:79:
>         84:0b:03:11:99:06:0e:32:f7:b9:33:8d:59:fc:e5:e4:
>         25:a3:f6:89:41:7f:32:38:44:56:3e:e2:b1:da:fe:43:
>         0b:5a:5c:19:aa:53:0f:ae:e3:86:2c:de:c7:4e:13:89:
>         e8:a7:93:52:45:71:06:35:2e:b0:ed:4d:97:76:1e:ec:
>         50:84:f6:15:ce:86:04:ab:ab:e0:93:fe:8e:cf:f5:53:
>         d3:43:d1:57:82:70:37:ea:84:85:38:fc:83:eb:8c:9f:
>         30:5f:31:4f:57:c2:e6:88:25:b8:4e:ec:99:07:23:90:
>         f1:51:2d:ca:0f:ab:9a:58:33:12:2c:62:bd:d9:d7:ca:
>         f0:0d:cc:5d:28:81:96:ff:d2:8f:34:d6:a9:bd:ba:26
>     Fingerprint (MD5):
>         b7:37:7c:9b:1c:7b:c1:12:72:1a:a4:1f:59:ec:42:d8
>     Fingerprint (SHA1):
>         90:5e:94:72:0e:a5:98:93:79:5c:41:5f:00:ad:d6:0e:
>         9f:e6:a0:d9
>
> --
> John
>
> _______________________________________________
> OpenStack-dev mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
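Dustin's proposal above is to shell out to "openssl x509 -text -noout" and parse what it prints. The Python below is an added example for this thread, not code from any of the participants, from Keystone or from Neutron: it parses a hand-constructed sample of that text output (field values copied from John's DigiCert dump, layout written for the example) into subject CN, SAN dNSNames, validity dates and the CA flag, and then performs an RFC 6125-style hostname check against the SAN list, falling back to the CN only when no SAN is present. The function names, the sample text and the handling of the unescaped comma in "O=DigiCert, Inc." are assumptions of the example.

```python
from datetime import datetime

# Constructed sample in the shape of `openssl x509 -text -noout` output.  The field values
# are copied from the DigiCert certificate John dumped with python-nss; the layout was
# written by hand for this example and is not captured from a real openssl run.
SAMPLE_OPENSSL_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:2b:86:0c:ca:01:f4:5f:d7:ee:63:60:1b:1c:3e:83
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA
        Validity
            Not Before: Mar 20 00:00:00 2014 GMT
            Not After : Jun 12 12:00:00 2016 GMT
        Subject: C=US, ST=Utah, L=Lehi, O=DigiCert, Inc., CN=www.digicert.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.digicert.com, DNS:content.digicert.com, DNS:digicert.com, DNS:www.origin.digicert.com, DNS:login.digicert.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
"""


def parse_name(line):
    """Split an openssl one-line name ('C=US, O=DigiCert, Inc., CN=...') into an ordered
    list of (attribute, value) pairs.  A chunk with no '=' is a comma that belonged to the
    previous value (the legacy format does not escape it), so it is glued back on."""
    pairs = []
    for chunk in line.split(", "):
        if "=" in chunk:
            attr, value = chunk.split("=", 1)
            pairs.append((attr.strip(), value))
        elif pairs:
            attr, value = pairs[-1]
            pairs[-1] = (attr, value + ", " + chunk)
    return pairs


def _parse_time(s):
    # openssl prints validity as e.g. "Mar 20 00:00:00 2014 GMT"
    return datetime.strptime(s.strip(), "%b %d %H:%M:%S %Y GMT")


def parse_x509_text(text):
    """Pull the fields a TLS front end cares about out of `openssl x509 -text` output."""
    info = {"subject": [], "issuer": [], "common_name": None, "subject_alt_names": [],
            "not_before": None, "not_after": None, "is_ca": None}
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("Subject:"):
            info["subject"] = parse_name(line[len("Subject:"):].strip())
            cns = [v for a, v in info["subject"] if a == "CN"]
            info["common_name"] = cns[-1] if cns else None
        elif line.startswith("Issuer:"):
            info["issuer"] = parse_name(line[len("Issuer:"):].strip())
        elif line.startswith("Not Before:"):
            info["not_before"] = _parse_time(line[len("Not Before:"):])
        elif line.startswith("Not After"):
            info["not_after"] = _parse_time(line.split(":", 1)[1])
        elif line.startswith("X509v3 Subject Alternative Name"):
            # Names sit on the next indented line, comma separated and tagged with their
            # GeneralName type; only dNSName entries matter for hostname matching.
            names = lines[i + 1].strip().split(", ")
            info["subject_alt_names"] = [n[len("DNS:"):] for n in names if n.startswith("DNS:")]
        elif line.startswith("X509v3 Basic Constraints"):
            info["is_ca"] = lines[i + 1].strip().upper().startswith("CA:TRUE")
    return info


def hostname_covered(info, hostname):
    """RFC 6125-style check: SAN dNSNames are authoritative and the CN is consulted only
    when the certificate has no SAN at all.  A wildcard matches exactly one leftmost label."""
    candidates = info["subject_alt_names"] or ([info["common_name"]] if info["common_name"] else [])
    host = hostname.lower().rstrip(".")
    for pattern in candidates:
        pattern = pattern.lower()
        if pattern == host:
            return True
        if pattern.startswith("*.") and host.count(".") == pattern.count("."):
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False


if __name__ == "__main__":
    parsed = parse_x509_text(SAMPLE_OPENSSL_TEXT)
    print("CN:   %s" % parsed["common_name"])
    print("SANs: %s" % ", ".join(parsed["subject_alt_names"]))
    print("valid %s .. %s, CA=%s" % (parsed["not_before"], parsed["not_after"], parsed["is_ca"]))
    print("covers login.digicert.com: %s" % hostname_covered(parsed, "login.digicert.com"))
```

The parse_name heuristic is there because the one-line name format openssl prints by default does not escape commas inside attribute values, which is exactly the kind of corner case behind John's argument against hand-rolled parsers; with the real command, passing -nameopt RFC2253 yields escaped output that splits unambiguously, and a library binding (python-nss, pyOpenSSL) sidesteps text parsing entirely.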
