
I'm working on a Python script in which I need to determine if a precertificate and leaf certificate match.

To do this, I need to compare the TBS cert of the precert and leaf cert, after removing the SCT (1.3.6.1.4.1.11129.2.4.2) and Precert Poison (1.3.6.1.4.1.11129.2.4.3) extensions.

Using the Python cryptography module, it's easy to get the TBS cert:

from cryptography import x509
from cryptography.hazmat.backends import default_backend

# cert_data_pem: the PEM-encoded certificate, as bytes
cert = x509.load_pem_x509_certificate(cert_data_pem, default_backend())

# DER encoding of the TBSCertificate (the part the issuer signed)
print(cert.tbs_certificate_bytes)

However I've not been able to figure out how to remove those extensions. It kind of looks like asn1crypto could do it, but there seems to be very little documentation available.

What's the neatest way to remove these extensions? I'm happy to depend on openssl if that works, as I'm already using it in the script.

Tugzrida

1 Answer


Well, the pyasn1 library was what eventually worked. This snippet decodes the TBS cert and removes the two extensions, then re-encodes it:

from pyasn1.codec.der.decoder import decode as asn1_decode
from pyasn1.codec.der.encoder import encode as asn1_encode
from pyasn1_modules import rfc5280
from cryptography import x509
from cryptography.hazmat.backends import default_backend

# cert_data_pem: the PEM-encoded certificate, as bytes. Pull out the DER
# TBSCertificate and decode it into an editable pyasn1 structure.
tbs_der = x509.load_pem_x509_certificate(cert_data_pem, default_backend()).tbs_certificate_bytes
cert = asn1_decode(tbs_der, asn1Spec=rfc5280.TBSCertificate())[0]

# Keep every extension except the SCT list and the precert poison.
newExts = [ext for ext in cert["extensions"]
           if str(ext["extnID"]) not in ("1.3.6.1.4.1.11129.2.4.2", "1.3.6.1.4.1.11129.2.4.3")]
cert["extensions"].clear()
cert["extensions"].extend(newExts)

# Re-encode the modified TBSCertificate as DER.
print(asn1_encode(cert))

Tugzrida
  • Thanks - worked great for removing unwanted extensions. I wrote the updated cert to a file and tried to convert from DER to PEM using openssl and that failed. I isolated the TBS cert: `tbs_cert = asn1_decode(x509.load_pem_x509_certificate(cert_data_pem, default_backend()).tbs_certificate_bytes, asn1Spec=rfc5280.TBSCertificate()); cert = tbs_cert[0]`. How does one convert the `tbs_cert` back into a PEM file? – belwood Oct 27 '22 at 02:34
  • @belwood, you can convert the cert back to PEM with python's built in [`ssl.DER_cert_to_PEM_cert`](https://docs.python.org/3/library/ssl.html#ssl.DER_cert_to_PEM_cert) function like so: `ssl.DER_cert_to_PEM_cert(asn1_encode(cert))`. Note that using the TBS certificate for this will remove the signature from the cert issuer and therefore render the certificate useless for normal applications. – Tugzrida Oct 27 '22 at 06:47
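The same precert-vs-leaf check can be done without pyasn1 at all. The example below is added here and is not the asker's or answerer's code: it walks the DER TBSCertificate with a small hand-written TLV reader, drops any Extension whose extnID is the SCT list or the poison OID, and compares the re-encoded results. It assumes what DER guarantees for X.509 (single-byte tags, definite lengths) and builds a constructed, minimal v3 TBSCertificate pair as sample input (dummy serial, key bits and SCT bytes) so it runs offline; with real certificates you would pass `cert.tbs_certificate_bytes` from the question's snippet.

```python
"""Precert vs. leaf comparison (RFC 6962) with a dependency-free DER walker.
Assumes X.509 DER: single-byte tags and definite lengths only."""

SCT_OID = "1.3.6.1.4.1.11129.2.4.2"     # SignedCertificateTimestampList extension
POISON_OID = "1.3.6.1.4.1.11129.2.4.3"  # precertificate poison extension


def der_len(n):
    """DER definite length: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length is not valid DER")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Yield (tag, body) for each element inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, sub, pos = read_tlv(body, pos)
        yield tag, sub


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def strip_ct_extensions(tbs_der, oids=(SCT_OID, POISON_OID)):
    """Return tbs_der with every Extension whose extnID is in oids removed.
    Fields outside the [3] EXPLICIT extensions wrapper are copied unchanged."""
    drop = {encode_oid(o) for o in oids}
    tag, body, end = read_tlv(tbs_der, 0)
    if tag != 0x30 or end != len(tbs_der):
        raise ValueError("expected a single DER SEQUENCE (TBSCertificate)")
    rebuilt = b""
    for ftag, fbody in children(body):
        if ftag != 0xA3:  # context-specific [3] = the extensions field
            rebuilt += tlv(ftag, fbody)
            continue
        _, ext_seq, _ = read_tlv(fbody, 0)  # Extensions ::= SEQUENCE OF Extension
        kept = b"".join(
            tlv(etag, ebody) for etag, ebody in children(ext_seq)
            if tlv(*read_tlv(ebody, 0)[:2]) not in drop  # first child is extnID
        )
        if kept:  # Extensions is SIZE (1..MAX): omit the field if nothing remains
            rebuilt += tlv(0xA3, tlv(0x30, kept))
    return tlv(0x30, rebuilt)


def precert_matches_leaf(precert_tbs_der, leaf_tbs_der):
    """RFC 6962 check: TBS(precert) minus poison == TBS(leaf) minus SCT list."""
    return strip_ct_extensions(precert_tbs_der) == strip_ct_extensions(leaf_tbs_der)


# --- constructed sample input (dummy serial, key bits and SCT bytes; not real certs) ---
def make_extension(oid, value, critical=False):
    flag = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, encode_oid(oid) + flag + tlv(0x04, value))


def make_name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (CN only)
    return tlv(0x30, tlv(0x31, tlv(0x30, encode_oid("2.5.4.3") + tlv(0x0C, cn.encode()))))


def make_tbs(extensions):
    """Minimal v3 TBSCertificate carrying the given Extension elements."""
    rsa_sha256 = tlv(0x30, encode_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    rsa_key = tlv(0x30, encode_oid("1.2.840.113549.1.1.1") + tlv(0x05, b""))
    return tlv(0x30, (
        tlv(0xA0, tlv(0x02, b"\x02"))                                   # version v3
        + tlv(0x02, b"\x01\x02\x03\x04")                                 # serialNumber
        + rsa_sha256 + make_name("Example CA")                           # signature, issuer
        + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
        + make_name("example.com")                                       # subject
        + tlv(0x30, rsa_key + tlv(0x03, b"\x00" + b"\x42" * 16))         # SPKI, dummy bits
        + tlv(0xA3, tlv(0x30, b"".join(extensions)))))


SAN = make_extension("2.5.29.17", tlv(0x30, tlv(0x82, b"example.com")))
PRECERT_TBS = make_tbs([SAN, make_extension(POISON_OID, b"\x05\x00", critical=True)])
LEAF_TBS = make_tbs([SAN, make_extension(SCT_OID, tlv(0x04, b"\x00\x04\x00\x02\xaa\xbb"))])

if __name__ == "__main__":
    print("raw TBS equal:", PRECERT_TBS == LEAF_TBS)
    print("match after stripping CT extensions:", precert_matches_leaf(PRECERT_TBS, LEAF_TBS))
```

Two caveats when using this on real data. First, if the precertificate was issued by a Precertificate Signing Certificate (RFC 6962 section 3.1), its issuer and Authority Key Identifier differ from the leaf's and must be normalised too before a byte comparison will succeed. Second, remaining extensions are compared in their original order, which is what a byte-for-byte TBS comparison requires; the example does not re-sort them.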