
Extract the value of a X.509 certificate custom extension using PyOpenSSL

Developer https://www.devze.com 2023-04-01 05:57 Source: Web

Using Python and PyOpenSSL, is there a way to retrieve the value of a custom extension? By custom extension, I mean an extension encoded using the arbitrary extension format described under ARBITRARY EXTENSIONS at http://www.openssl.org/docs/apps/x509v3_config.html.

Also, is it possible to create a certificate that contains such an extension using PyOpenSSL?

If the answer to either of these is "no", I would also be interested in pointers on how to do this with any other Python library. I do not want to perform system calls to the OpenSSL command line app.


You can get any and all extensions on an X.509 certificate you've loaded using pyOpenSSL. For example:

>>> from OpenSSL import crypto as c
>>> cert = c.load_certificate(c.FILETYPE_PEM, file('server.pem').read())
>>> cert.get_extension_count()
4L
>>> ext = cert.get_extension(0)
>>> ext.get_short_name()
'basicConstraints'
>>> ext.get_data()
'0\x00'
>>> 

The data comes out in its raw format (some encoding of ASN.1, perhaps depending on the specific extension).

You can also add extensions.

>>> newext = c.X509Extension('nsComment', 0, 'tacos are delicious')
>>> cert.add_extensions([newext])
>>> cert.get_extension_count()
5L
>>> cert.get_extension(4)
<X509Extension object at 0x7f74db7c2290>
>>> cert.get_extension(4).get_data()
'\x16\x13tacos are delicious'
>>> 

However, note the slight asymmetry. The extension data must be a string and is encoded using ASN.1 automatically. This seems to preclude the possibility of adding arbitrary non-string extension data.
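The raw bytes that `ext.get_data()` returns are the DER encoding of the extension value, so reading a custom extension means decoding that DER. As an added example, not part of the answer above, here is a small pure-stdlib DER encoder/decoder that turns those bytes into a Python value for the primitive types commonly used in arbitrary extensions (UTF8String, IA5String, PrintableString, INTEGER, BOOLEAN, OCTET STRING) plus SEQUENCE, and that builds a value in the same shape OpenSSL's `ASN1:UTF8String:...` syntax produces. The function names and the sample bytes are constructed for this example; it is not a general ASN.1 library.

```python
# Added example (not from the answer above): decode the DER bytes that
# pyOpenSSL's ext.get_data() returns, and encode a custom extension value the
# way OpenSSL's "ASN1:<type>:<text>" arbitrary-extension syntax does.
# Only the types listed below are handled; anything else raises ValueError.

TAG_NAMES = {
    0x01: "BOOLEAN",
    0x02: "INTEGER",
    0x04: "OCTET STRING",
    0x0C: "UTF8String",
    0x13: "PrintableString",
    0x16: "IA5String",
    0x30: "SEQUENCE",
}
STRING_TAGS = {0x0C, 0x13, 0x16}


def der_encode_length(n):
    """DER length: short form below 0x80, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_encode(tag, content):
    """One DER TLV: tag byte, DER length, content."""
    return bytes([tag]) + der_encode_length(len(content)) + content


def encode_custom_value(asn1_type, text):
    """Mirror OpenSSL's 'ASN1:<type>:<text>' syntax for the string types above."""
    tag = {"UTF8String": 0x0C, "IA5String": 0x16, "PrintableString": 0x13}[asn1_type]
    return der_encode(tag, text.encode("utf-8"))


def der_decode_one(data, offset=0):
    """Decode the TLV at offset; returns (tag, content, offset_after_it)."""
    tag = data[offset]
    first = data[offset + 1]
    offset += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        offset += nbytes
    content = data[offset:offset + length]
    if len(content) != length:
        raise ValueError("truncated DER value")
    return tag, content, offset + length


def _decode_tlv(tag, content):
    if tag in STRING_TAGS:
        return content.decode("utf-8")
    if tag == 0x02:
        return int.from_bytes(content, "big", signed=True)
    if tag == 0x01:
        return content != b"\x00"
    if tag == 0x04:
        return content
    if tag == 0x30:
        items, pos = [], 0
        while pos < len(content):
            t, c, pos = der_decode_one(content, pos)
            items.append(_decode_tlv(t, c))
        return items
    raise ValueError("unsupported tag 0x%02x (%s)" % (tag, TAG_NAMES.get(tag, "?")))


def decode_extension_value(raw):
    """Turn ext.get_data() bytes into str, int, bool, bytes or a list (SEQUENCE)."""
    tag, content, end = der_decode_one(raw)
    if end != len(raw):
        raise ValueError("trailing bytes after DER value")
    return _decode_tlv(tag, content)


if __name__ == "__main__":
    # Constructed sample: the bytes the answer above shows for the nsComment extension.
    print(decode_extension_value(b"\x16\x13tacos are delicious"))
    print(encode_custom_value("UTF8String", "hello").hex())
```

The `'\x16\x13tacos are delicious'` value in the answer decodes as IA5String (tag 0x16) of length 19 (0x13), which is what `decode_extension_value` returns as a `str`. For the creation side, pyOpenSSL's `X509Extension` hands its value to OpenSSL's nconf extension parser, so for an OID that OpenSSL does not recognise the same `ASN1:UTF8String:...` and `DER:<hex>` forms described on the linked x509v3_config page can be passed as the value; the `cryptography` package, as another option, surfaces such an extension as `UnrecognizedExtension` whose `.value` is the raw DER bytes, which this decoder can also read.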


Get any extension on an X.509 certificate. For example, get subjectAltName:

from OpenSSL import crypto

# certName: path to the DER-encoded certificate; open it in binary mode.
with open(certName, 'rb') as f:
    cert = crypto.load_certificate(crypto.FILETYPE_ASN1, f.read())

for index in range(cert.get_extension_count()):
    ext = cert.get_extension(index)
    # get_short_name() returns bytes on Python 3, so compare against bytes.
    if ext.get_short_name() == b'subjectAltName':
        print(str(ext))
