
I did a Google search but I didn't find anything that would help me with that. I'm trying to authenticate my app in Microsoft Azure, so I created some self-signed certificates. They give a tutorial on how to parse the crt, however it's in PowerShell. I use only Ubuntu / OS X. Here's the code:

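```powershell
# Load the certificate and base64-encode its raw (DER) bytes
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cer.Import("mycer.cer")
$bin = $cer.GetRawCertData()
$base64Value = [System.Convert]::ToBase64String($bin)

# Base64-encode the certificate hash (thumbprint)
$bin = $cer.GetCertHash()
$base64Thumbprint = [System.Convert]::ToBase64String($bin)

# Generate a new GUID to use as the key ID
$keyid = [System.Guid]::NewGuid().ToString()
```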

How would I go about writing the same code in Python? I have the .crt, .key, .csr, .pass.key and pkcs8_key files.

Update:

I want to extract the keyId and customKeyIdentifier from the certificates.

cybertextron
  • The `$keyid` in this PowerShell code is just a new GUID being generated; it has nothing to do with the certificate itself and isn't based on anything in the certificate. The _thumbprint_ on the other hand is a hash of the cert and is based on the cert's contents. In the code you posted, the `$keyid` will be different every time (you only need the last line), but the thumbprint will be the same every time for a given cert. So you may want to clarify which information you need. – briantist Nov 10 '15 at 19:56
  • I think you can refer to these threads: http://stackoverflow.com/questions/5775340/what-is-an-rsa-key-id and http://stackoverflow.com/questions/12911373/how-do-i-use-a-x509-certificate-with-pycrypto. – Peter Pan Nov 11 '15 at 05:39
  • @philippe, I am very interested in your scenario. What is your purpose in getting the certificate information? As far as I know, if we want to authenticate an app, we can use Azure AD, or upload our certificate to Azure and compare it with the certificate in our application. I would appreciate it if you could provide more information so that we can find a better solution together. – Will Shao - MSFT Nov 12 '15 at 09:38

2 Answers


@philippe,

According to your description, if you want to get the certificate information using Python, please refer to this simple code. I used a .cer file for testing:

```python
import OpenSSL.crypto

# Read the DER-encoded (.cer) certificate
with open("tested.cer", "rb") as f:
    der = f.read()

x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, der)
print("serial number", x509.get_serial_number())
print("Issue Name", x509.get_issuer())
print("subject_name_hash", x509.subject_name_hash())

# Only read the first extension if the certificate has one
if x509.get_extension_count() > 0:
    idif = x509.get_extension(0)
    print("extension", idif)
    print("id", idif.get_data(), idif.get_short_name())

print("get_subject", x509.get_subject())

# Public key details
pkey = x509.get_pubkey()
print("Public Key ", pkey)
print(dir(pkey))
print(pkey.bits())
print(pkey.type())
print(pkey._pkey)  # private attribute: the underlying cffi object, not the key value
```

Meanwhile, if you want to get certificate information such as keyId and customKeyIdentifier, I recommend you refer to the definition of these properties of the certificate and this sample. You can find the corresponding properties on that page. With these properties, you can get your certificate and its extension information. You can also refer to this API document. If I misunderstood, please feel free to let me know.

Will Shao - MSFT
  • @will-shao-msft I was wondering how to extract the public key value? I just tried your example with `print pkey._pkey`, but for some reason I got some strange cdata struct returned like this... `` Do you have any idea how to get the real value of the public key? Btw, I'm using Python 2.7, does this matter? – b00r00x0 Jan 08 '17 at 17:44

You need neither Python nor PowerShell to parse certificates for Microsoft Azure.

The documentation describes 3 properties that are needed:

```json
"keyCredentials": [
{
    "customKeyIdentifier": "$base64Thumbprint_from_above",
    "keyId": "$keyid_from_above",
    "type": "AsymmetricX509Cert",
    "usage": "Verify",
    "value":  "$base64Value_from_above"
}],
```

  • `$base64Thumbprint` is the base64 encoding of the SHA-1 hash of the certificate (in DER format)
  • `$keyid` is just a random GUID
  • `$base64Value` is the base64 encoding of the whole certificate (in DER format)

Generate the certificate

To generate a self-signed certificate (X.509 with RSA 2048):

```shell
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
```

Compute the base64 thumbprint

```shell
$ openssl x509 -outform der -in certificate.crt | openssl dgst -binary -sha1 | openssl base64
```

Compute the base64

```shell
$ openssl x509 -outform der -in certificate.crt | openssl base64 -A
```

Generate a random uuid

```shell
$ python -c "import uuid; print(uuid.uuid4())"
```

I checked against results generated with PowerShell and they are the same.

luxcem
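The three `keyCredentials` fields described in the answer above, computed in Python with only the standard library and accepting either a PEM or a DER file. This is an added example, not code from either answer; the helper names `to_der` and `key_credential` are hypothetical, and `SAMPLE_PEM` wraps constructed placeholder bytes, not a real certificate.

```python
import base64
import hashlib
import json
import ssl
import sys
import uuid

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

# Constructed sample: placeholder bytes in a PEM wrapper, NOT a real certificate.
# Hashing and base64-encoding never parse the DER, so it exercises the same path.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def to_der(cert_bytes):
    """Return DER bytes for a single certificate supplied as PEM or DER."""
    stripped = cert_bytes.strip()
    if stripped.startswith(PEM_HEADER):
        # For a well-formed PEM file this yields the same bytes as
        # `openssl x509 -outform der`: drop the armor, decode the base64.
        return ssl.PEM_cert_to_DER_cert(stripped.decode("ascii"))
    return cert_bytes  # already DER (binary .cer)


def key_credential(cert_bytes, key_id=None):
    """Build one keyCredentials entry (hypothetical helper name)."""
    der = to_der(cert_bytes)
    # Thumbprint = SHA-1 over the DER encoding; it only identifies the cert.
    thumbprint = hashlib.sha1(der).digest()
    return {
        "customKeyIdentifier": base64.b64encode(thumbprint).decode("ascii"),
        "keyId": key_id or str(uuid.uuid4()),  # random GUID, unrelated to the cert
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        "value": base64.b64encode(der).decode("ascii"),
    }


if __name__ == "__main__":
    # Usage: python keycred.py certificate.crt   (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_PEM
    print(json.dumps({"keyCredentials": [key_credential(data)]}, indent=4))
```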