-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
I need signature algorithm data from it but I don't know how to achieve it.
from cryptography.x509 import load_pem_x509_csr
req = load_pem_x509_csr(b'''
-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxEjAQBgNVBAgTCVlvdXJTdGF0ZTER
...
obf5ziuNm1Df24NBt5tpCNzfGviKT6/RYfWg3dMaKxc=
-----END CERTIFICATE REQUEST-----
''')
print(req.signature_hash_algorithm.name)
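A fuller version of that lookup, as an added example that is not part of the original answer: `signature_hash_algorithm` is `None` for Ed25519 requests, so calling `.name` on it directly fails there. The helper names, the sample subject and the hash allowlist are assumptions, and the CSRs are generated on the spot as sample input.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, ed25519
from cryptography.x509.oid import NameOID


def _make_csr(key, algorithm):
    """Build a throwaway CSR in PEM form (constructed sample input)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "csr.example.test")])
    csr = x509.CertificateSigningRequestBuilder().subject_name(name).sign(key, algorithm)
    return csr.public_bytes(serialization.Encoding.PEM)


def sample_ecdsa_csr():
    return _make_csr(ec.generate_private_key(ec.SECP256R1()), hashes.SHA256())


def sample_ed25519_csr():
    # Ed25519 takes no separate hash, so the algorithm argument is None.
    return _make_csr(ed25519.Ed25519PrivateKey.generate(), None)


def describe_csr(pem, allowed_hashes=("sha256", "sha384", "sha512")):
    """Report how a CSR was signed and whether the self-signature verifies."""
    req = x509.load_pem_x509_csr(pem)
    digest = req.signature_hash_algorithm  # None for Ed25519 / Ed448
    hash_name = digest.name if digest is not None else None
    return {
        "signature_oid": req.signature_algorithm_oid.dotted_string,
        "hash": hash_name,
        # Proof of possession: the CSR is signed by the key it carries.
        "signature_valid": req.is_signature_valid,
        # Schemes without a separate hash are not judged by the hash allowlist.
        "hash_allowed": hash_name is None or hash_name in allowed_hashes,
    }


if __name__ == "__main__":
    for pem in (sample_ecdsa_csr(), sample_ed25519_csr()):
        print(describe_csr(pem))
```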
I'm attempting to use Jinja to automate the creation of a config file with inline certificates. For the most part, the config as a whole looks as expected with the exception of the certificates. While I can get them into the end file, the formatting is messed up and thus not working.
The expected goal is obviously
pki:
  # The CAs that are accepted by this node. Must contain one or more certificates created by 'nebula-cert ca'
  ca: |
    -----BEGIN CERTIFICATE-----
    <snip>
    -----END CERTIFICATE-----
  cert: |
    -----BEGIN CERTIFICATE-----
    <snip>
    -----END CERTIFICATE-----
  key: |
    -----BEGIN X25519 PRIVATE KEY-----
    <snip>
    -----END X25519 PRIVATE KEY-----
But I'm ending up with
pki:
  # The CAs that are accepted by this node. Must contain one or more certificates created by 'nebula-cert ca'
  ca: |
    -----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
  cert: |
    -----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
  key: |
    -----BEGIN X25519 PRIVATE KEY-----
<snip>
-----END X25519 PRIVATE KEY-----
The snippet from my Jinja template looks like this:
pki:
  ca: |
    {{ca}}
  cert: |
    {{hostCert}}
  key: |
    {{hostKey}}
The template is obviously lined up, but I'm obviously missing some form of formatting. I've attempted to use the |center(x) formatting but it's not working... or doing anything that I can see. Does anyone have advice on getting the certificates to align properly so that they're read correctly?
Jinja is doing exactly what you've told it to do: it places the value of the ca variable in your text where you've placed the {{ ca }} token. The content of the ca variable isn't indented, so it's not indented when you place it in your document.
If you want to indent a block of text, Jinja provides the indent filter. You would use it like this:
pki:
  ca: |
    {{ca|indent(4)}}
Having said that...this seems like a situation in which using Jinja is a sub-optimal solution: why not just render the YAML from a Python data structure using yaml.safe_dump?
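The three approaches from this thread side by side, as an added example that is not part of the original answer: each output is parsed back with PyYAML to check whether the certificate survives intact. The PEM body is a constructed placeholder, and the template strings and function names are assumptions.

```python
import yaml                     # PyYAML
from jinja2 import Template

# Constructed placeholder, not a real certificate. The trailing newline matters:
# a "|" block scalar always yields a value that ends with one newline.
CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "QUFBQQ==\n"
    "QkJCQg==\n"
    "-----END CERTIFICATE-----\n"
)

NAIVE = "pki:\n  ca: |\n    {{ ca }}\n"
INDENTED = "pki:\n  ca: |\n    {{ ca | indent(4) }}\n"


def render(template_text, pem=CA_PEM):
    """Render one of the templates above with the certificate inlined."""
    return Template(template_text).render(ca=pem)


def dump(pem=CA_PEM):
    """Let the YAML library do the quoting and indentation."""
    return yaml.safe_dump({"pki": {"ca": pem}})


def survives(yaml_text, pem=CA_PEM):
    """True if the text parses and pki.ca is byte-for-byte the original PEM."""
    try:
        return yaml.safe_load(yaml_text)["pki"]["ca"] == pem
    except (yaml.YAMLError, KeyError, TypeError):
        return False


if __name__ == "__main__":
    print("naive template:   ", survives(render(NAIVE)))
    print("indent(4) filter: ", survives(render(INDENTED)))
    print("yaml.safe_dump:   ", survives(dump()))
```

Only the first line of the value inherits the template's indentation in the naive case, which is why the rest of the certificate falls out of the block scalar.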
I have an SSL certificate file that contains the Certificate Body, Certificate Chain and Encrypted Private Key, e.g.
-----BEGIN CERTIFICATE-----
...
...
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
...
...
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
...
...
-----END ENCRYPTED PRIVATE KEY-----
I'm looking to separate it into its three different parts using Python's RegEx library, re.
I tried many different things, e.g. re.split(r'(-----BEGIN .+?-----(?s).+?-----END .+?-----)', exportCertificateOutput)
Any advice on how to do this? Thanks.
Based on the comment by #FailSafe I ended up going with:
re.findall(r"(-----[BEGIN \S\ ]+?-----[\S\s]+?-----[END \S\ ]+?-----)", exportCertificateOutput)
Please note you may have to escape the \ by doubling them \\.
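A stricter splitter for the same bundle layout, as an added example that is not part of the original answer: the END label must repeat the BEGIN label, and the body may only contain base64 characters, so a damaged block is skipped instead of swallowing its neighbour. The sample bundle is constructed, the function names are assumptions, and treating the first certificate as the leaf is an assumption based on the order given in the question.

```python
import re

# BEGIN and END labels must agree (backreference \1). The body is limited to
# base64 characters and whitespace, so a match cannot run past a stray END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END \1-----"
)

# Constructed sample bundle; the bodies are placeholders, not real key material.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
QUFBQQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
QkJCQg==
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q0NDQw==
-----END ENCRYPTED PRIVATE KEY-----
"""


def split_pem(text):
    """Return (label, block) pairs in the order they appear in the text."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def split_bundle(text):
    """Group blocks; assumes the first certificate is the leaf, the rest the chain."""
    blocks = split_pem(text)
    certs = [block for label, block in blocks if label == "CERTIFICATE"]
    keys = [block for label, block in blocks if label.endswith("PRIVATE KEY")]
    return {"certificate": certs[:1], "chain": certs[1:], "private_key": keys}


if __name__ == "__main__":
    for name, found in split_bundle(SAMPLE_BUNDLE).items():
        print(name, len(found))
```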
In addition to this thread: Where is the trust chain? [python] asn1crypto and pkcs11 Aladdin USB eToken
I tried:
openssl x509 -pubkey -noout -in cert.pem
Error getting public key
140003854860736:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1129:
140003854860736:error:0D06C03A:asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error:../crypto/asn1/tasn_dec.c:693:
140003854860736:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:626:Field=n, Type=RSA
140003854860736:error:0408B004:rsa routines:rsa_pub_decode:RSA lib:../crypto/rsa/rsa_ameth.c:51:
140003854860736:error:0B09407D:x509 certificate routines:x509_pubkey_decode:public key decode error:../crypto/x509/x_pubkey.c:124:
The contents of this file are:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
What's wrong with this file or with the code from that thread? I can't extract the public key.
I used a GUI tool to make an X509 certificate and tried to use M2Crypto of Python to extract useful information from that cert, but came across issues. Code as below:
from M2Crypto import X509
ca = X509.load_cert("MyCA.crt", X509.FORMAT_PEM)
ca_pub = ca.get_pubkey()
print(ca_pub.as_pem(cipher=None))
-----BEGIN PRIVATE KEY-----
MIIBJwIBADANBgkqhkiG9w0BAQEFAASCAREwggENAgEAAoIBAQDol4gW9mDc8IRW
Ack4Y0/Nk+OnikJPMj65YDIexVuW/ptCEnRAX+EZmB3lM4labS0Ou5gydKj3vpoR
dUM6Un1d8YYyw8Q2gJGXDHbTFjn/eU98VxIa7nHYlZGLvG5g0Eo4fCTUw3CBhI3Y
B8U3C89Ez1IL6sqly9Fhc5BICFtxVtCngWhapR3tIcR85h3vlUCmavhRyBmtdiku
As6ceH9GxfaFmONph/GzKVHy7iA6MSAIf/EDyz5jRKfWwhLQh4Uq9BWfioaFlQPF
iZlxs45iE3pAxrAAejkguUrjeAmIojQvQq9T0YNtdf3LQCUVn2Vfd9KkqncqADew
tujidoEZAgMBAAE=
-----END PRIVATE KEY-----
My questions:
Why does get_pubkey() display "Private Key" information? Should it begin with ---Begin Public Key ----- ?
The certificate is self-signed; how do I get the digital signature from the certificate?
Many thanks!!
This is for a homework assignment!
I get the server's certificate using get_peer_certificate() and then call dump_certificate to dump the certificate into a variable. The format is PEM and looks right to me.
-----BEGIN CERTIFICATE-----
GIBBERISH................
......................
........................
-----END CERTIFICATE-----
How do I extract the server's public key from this file ('server.pubkey') and encrypt plaintext using the RSA algorithm and any Python library? At the time of writing this, I am using pyOpenSSL.
I'd recommend using a more broad crypto library such as M2Crypto which has the X509 certificate functions as well as RSA encryption:
from M2Crypto import RSA, X509
data = ssl_sock.getpeercert(1)
# load the certificate into M2Crypto to manipulate it
cert = X509.load_cert_string(data, X509.FORMAT_DER)
pub_key = cert.get_pubkey()
rsa_key = pub_key.get_rsa()
cipher = rsa_key.public_encrypt('plaintext', RSA.pkcs1_padding)
from OpenSSL import crypto
crtObj = crypto.load_certificate(crypto.FILETYPE_ASN1, config.x509_certificate)
pubKeyObject = crtObj.get_pubkey()
pubKeyString = crypto.dump_publickey(crypto.FILETYPE_PEM, pubKeyObject)
from cryptography.x509 import load_pem_x509_certificate
cert_str = b"-----BEGIN CERTIFICATE-----MIIDETCCAfm..."
cert_obj = load_pem_x509_certificate(cert_str)
public_key = cert_obj.public_key()
# A certificate carries only the public key; the Certificate object has no private_key() method.
Source: https://pyjwt.readthedocs.io/en/stable/faq.html
Note that the OpenSSL library is not recommended for those purposes. Instead, the cryptography library is pointed to. It is maintained and regularly updated.
Assuming you have the certificate in PEM format, the following code block will give you the public key as a string.
from cryptography import x509
from cryptography.hazmat.primitives import serialization

def read_pub_key_from_cert():
    # Read certificate file.
    with open("tls.crt") as certificate:
        cert = certificate.read()
    # Convert it into bytes.
    cert_in_bytes = bytes(cert, 'utf-8')
    # Create x509 certificate object.
    cert_obj = x509.load_pem_x509_certificate(cert_in_bytes)
    # Create Public key object.
    public_key_obj = cert_obj.public_key()
    # Convert Public key object into Pem format in bytes.
    public_pem = public_key_obj.public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo
    )
    # Convert Public key into string.
    pub_key_string = public_pem.decode("utf-8")
    return pub_key_string