I have a SSL certificate file that contains the Certificate Body, Certificate Chain and Encrypted Private Key, e.g.
-----BEGIN CERTIFICATE-----
...
...
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
...
...
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
...
...
-----END ENCRYPTED PRIVATE KEY-----
I'm looking to separate it into it's three different parts using Python's RegEx library, re.
I tried many different things, e.g re.split(r'(-----BEGIN .+?-----(?s).+?-----END .+?-----)', exportCertificateOutput)
Any advice on how to do this? Thanks.
Based on the comment by #FailSafe I ended up going with:
re.findall("(-----[BEGIN \S\ ]+?-----[\S\s]+?-----[END \S\ ]+?-----)")
Please note you may have to escape the \ by doubling them \\.
Related
-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxEjAQBgNVBAgTCVlvdXJTdGF0ZTER
MA8GA1UEBxMIWW91ckNpdHkxCzAJBgNVBAsTAklUMRowGAYDVQQKExFZb3VyQ29t
cGFueSwgSW5jLjEYMBYGA1UEAxMPd3d3LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA379BFFxfACdXsUk2wrQka/nAlKbo+I9DAW32
+/SRxj/KtXVddscKW1obHGpMKPw4meJqOpQwJkIChYjSUQSpPKzdGpccDMf/eoF0
J7EaQ2szLv9AqdRQw2Aaek8SmocVmd3LxEOX4VvALBOMLHVrB5/vhYfGECLJbc3l
RdEbdXyHDtHklRAoIVQCfjTwBWGNAD337vmHW7Q0R6FYUoa4fcJh7Rv6jHSywqwx
7pVfaDbZPuTgUhw7wksKNFxccG0xcTMr/+GrciHEuZ0chq86CBP9RIyLpp2+RMSf
m6rMEYm9o65j7vEYaKEJUOJtA5MIs/ZjaXfS1LjXurLU0nCOQQIDAQABoAAwDQYJ
KoZIhvcNAQEFBQADggEBAK159goyAYOpcnrQ2EvCGlizrK1kS3D8JjnAiP1NHrjB
/qdTYR+/8Dr/hMcwwU5ThGAVf68eMkk6tUNwAdpZ9C904Js2z+ENEbO8GA0Fc4rw
ix7vb15vSXe3shGijRGIzzHVGRoR3r7xQtIuMaDAr3xlV8jHbcvZTcpX0Kbq6H1G
NLA4CXsOI4KGwu4FXfSzJEGb3gEJD8HaMP8V8er5G0owv/g/9Z/1/b0g97kAcUwk
M2eDsvPhMx/pENGbnLPe4XMy7NPiEdzFnaYtUy2BDcXj3ZQEWxRWklERgg9/YcWI
obf5ziuNm1Df24NBt5tpCNzfGviKT6/RYfWg3dMaKxc=
-----END CERTIFICATE REQUEST-----
I need signature algorithm data from it but I don't know how i achieve it.
from cryptography.x509 import load_pem_x509_csr
req = load_pem_x509_csr(b'''
-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxEjAQBgNVBAgTCVlvdXJTdGF0ZTER
...
obf5ziuNm1Df24NBt5tpCNzfGviKT6/RYfWg3dMaKxc=
-----END CERTIFICATE REQUEST-----
''');
print(req.signature_hash_algorithm.name)
I'm attempting to use Jinja to automate the creation of a config file with inline certificates. For the most part, the config as a whole looks as expected with the exception of the certificates. While I can get them into the end file, the formatting is messed up and thus not working.
The expected goal is obviously
pki:
# The CAs that are accepted by this node. Must contain one or more certificates created by 'nebula-cert ca'
ca: |
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
cert: |
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
key: |
-----BEGIN X25519 PRIVATE KEY-----
<snip>
-----END X25519 PRIVATE KEY-----
But I'm ending up with
pki:
# The CAs that are accepted by this node. Must contain one or more certificates created by 'nebula-cert ca'
ca: |
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
cert: |
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
key: |
-----BEGIN X25519 PRIVATE KEY-----
<snip>
-----END X25519 PRIVATE KEY-----
The snippet from my Jinja template looks like this:
pki:
ca: |
{{ca}}
cert: |
{{hostCert}}
key: |
{{hostKey}}
The template is obviously lined up, but I'm obviously missing some form of formatting. I've attempted to use the |center(x) formatting but it's not working... or doing anything that I can see. Does anyone have advice on getting the certificates to align properly so that they're read correctly?
Jinja is doing exactly what you've told it to do: it places the value of the ca variable in your text where you've placed the {{ ca }} token. The content of the ca variable isn't indented, so it's not indented when you place it in your document.
If you want to indent a block of text, Jinja provides the indent filter. You would use it like this:
pki:
ca: |
{{ca|indent(4)}}
Having said that...this seems like a situation in which using Jinja is a sub-optimal solution: why not just render the YAML from a Python data structure using yaml.safe_dump?
In pyOpenSSL i haven't been able to find a way to encrypt a RSA private key with AES 256 just yet, been looking all over the place for this but cant seem to find a way.
Before i used OpenSSL to get the key and ca/cl certificates but now im opting to make an application where i need to handle the pfx-file in certain ways.
In OpenSSL i used to do the following:
openssl pkcs12 -in file.pfx -nocerts -out key.key
after that i did:
openssl rsa -aes256 -key.key -out encrypted.key
is there anything similar in pyOpenSSL using crypto?
I believe I solved this. But for anyone wondering, this is what I did:
import os
import shutil
from Crypto.PublicKey import RSA
def encrypt(old_key, new_key, passphrase):
key = RSA.importKey(open(old_key, 'rb').read())
with open(new_key, 'wb') as f:
pem_key = key.export_key(format='PEM', passphrase=passphrase, pkcs=8, protection='PBKDF2WithHMAC-SHA1AndAES256-CBC')
f.write(pem_key)
f.close()
if os.path.exists(old_key):
os.remove(old_key)
encryptAES('path_to_old_key', 'path_to_new:key.key', 'supersecretpassword')
One question still remaining is if there's anyway to output the encryption info done in python similar to OpenSSL?
If you run openssl rsa -aes256 -in old.key -out new.key
The key will return attributes in the beginning like such:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC
Key here...
-----END RSA PRIVATE KEY-----
However when I export the private key in Python I just get:
-----BEGIN ENCRYPTED PRIVATE KEY-----
Key here...
-----END ENCRYPTED PRIVATE KEY-----
Is there anyway to display these attributes with pycryptodome?
In addition to this thread: Where is the trust chain? [python] asn1crypto and pkcs11 Aladdin USB eToken
I tried:
openssl x509 -pubkey -noout -in cert.pem
Error getting public key
140003854860736:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1129:
140003854860736:error:0D06C03A:asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error:../crypto/asn1/tasn_dec.c:693:
140003854860736:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:626:Field=n, Type=RSA
140003854860736:error:0408B004:rsa routines:rsa_pub_decode:RSA lib:../crypto/rsa/rsa_ameth.c:51:
140003854860736:error:0B09407D:x509 certificate routines:x509_pubkey_decode:public key decode error:../crypto/x509/x_pubkey.c:124:
The contents of this file is:
-----BEGIN CERTIFICATE-----
MIIFXjCCBEigAwIBAQIEBHHhkjALBgkqhkiG9w0BAQswKjEoMCYGA1UEAwwfTW92
aW1lbnRvIEVzdHVkYW50aWwgQnJhc2lsZWlybzAiGA8yMDE5MDEwMTAwMDAwMVoY
DzIwMjAwMzMxMjM1OTU5WjAWMRQwEgYDVQQDDAtDTkUgVEVTVEUgMzCCAjgwCwYJ
KoZIhvcNAQEBA4ICJwAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCd
YHeqD8rwL2AtAeX1CLVxVP3LF9sjRDlSY6/0nrkr+WxNICHP5FI6GFTTLlHvgkwW
P4JKCIsEe6q+w7KfY5/BUy5wC65+o9bG25KA+MrUyN1h1Lonn8/6AKb/h+cz7MI9
yalMl2iu28zeQJHNzzRVM0W9/lG7WANn14pwQHsMa6WYnRl9APoqAvvqj6tOgD04
qPUlkgQRhGYJizgB6ZHR4TVAGj/TCV0XEPZOJIpTrd7nsET+xCjMjBg8jT3qg7Vg
lghIn+72Yi0nKykmN5duZwlvcFTfKkNBvJicDExYZ7WXxu9PfJETdHyFQLLck+Cr
MlSDloI/K9qWfdd8iX6GzETspfPV+ZXkdvfIM8A4TdlCiVx5n+1xc6jk4NB5eHSu
S80oNO0ctg6qKBcHb8YwV5VnQFZE3WaOZTORUBq+bjQxci9g0MA7ZqTK0O0K1QOL
Gl38AbDFjHpdtLIl/LdmzhSFx3NR4lA8RE4AkMOOeNqcDrRT4/PlBWoPsqWYcpPL
6AGl0I8N6hrm1iOvIxTWU6zV40E4SJSViPNzlo3L5iK+Ej4G3/YSCB8850nc6j11
3QGUTUvX8a8ZoKE3BuCO3LtYWYAb/RxyGlCq9jMFwHTYqqHu9cA5CwilMfP31SZ4
bMKhwR2AI/iowcMqCVtSZYi/dUDk9wY89nqY+5I+7QIDAQABo4IBiDCCAYQwRgYF
YEwBCgEEPTE5OTgtMDMtMTY2NzE0ODUyNDYwMTAwNzQ0NjQyMjU2NTIzNTAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwQwYFYEwBCgIEOlVuaXZlcnNpZGFkZSBDYW5k
aWRvIE1lbmRlc1N1cGVyaW9yRGlyZWl0b1JpbyBkbyBKYW5laXJvUkowIgYFYEwB
BAMEGUx1aXMgSW5hY2lvIEx1bGEgZGEgU2lsdmEwYgYIKwYBBQUHAQEEVjBUMFIG
CCsGAQUFBzAFhkZodHRwczovL3ZhbGlkYS5zb3BhZ29tZWlhLmNvbS5ici9nZXRf
YXV0aG9yaXR5X2luZm9ybWF0aW9uX2FjY2Vzcy83NDU3MDgGA1UdHwQxMC8wLaAr
oCmGJ2h0dHBzOi8vZG9taW5pby5jb20vZ2V0X2NybC9jb2RpZ29fZWVhLzAzBgNV
HSMELDAqgCg4OGQwZGU4MmMxYzE4NjJlZjUzYjExMWIwMzE2ODRlYWE1YjAwM2Ri
MAsGCSqGSIb3DQEBCwOCAQEAAhxXh4ouoo3pv12/nYyIKWDNDuRdAXCVasAQtpn6
ZOfOzde1a2AnqMET04BrR5SSpBeBq+aVacXtIVQCPoBD7F8+NppEM+q/Gw8aGugP
dXGKTgMQZMGI1vHMsydNB3tg0MoepUyr3V6HmBSGQkRq8uLiQ2Ke3Fm6/I+BOdNl
oe6/VBcD3zOMM+qnqM/ucR2Lcje0deifGTVnP16bISBk8077PxzGq1Ds2jLrDj1+
KsVA4JKBCZgDT3BBCQrKbXnENDeCSZ9TVlzgcNBFnFQzWDga3UjLvhEj8SjSg9Rl
e1jK7e83C6A96ixfUDlD6pVPl57QHAaalnQ6aHONq2wamg==
-----END CERTIFICATE-----
What's wrong with this file or with the code from that thread? I can't extract the public key.
I used a GUI tool to make a X509 certificate and tried to use M2Crypto of Python to extract useful information from that cert, but came across issues. Code as below:
ca=X509.load_cert("MyCA.crt", X509.FORMAT_PEM)
print ca_pub.as_pem(cipher=None)
-----BEGIN PRIVATE KEY-----
MIIBJwIBADANBgkqhkiG9w0BAQEFAASCAREwggENAgEAAoIBAQDol4gW9mDc8IRW
Ack4Y0/Nk+OnikJPMj65YDIexVuW/ptCEnRAX+EZmB3lM4labS0Ou5gydKj3vpoR
dUM6Un1d8YYyw8Q2gJGXDHbTFjn/eU98VxIa7nHYlZGLvG5g0Eo4fCTUw3CBhI3Y
B8U3C89Ez1IL6sqly9Fhc5BICFtxVtCngWhapR3tIcR85h3vlUCmavhRyBmtdiku
As6ceH9GxfaFmONph/GzKVHy7iA6MSAIf/EDyz5jRKfWwhLQh4Uq9BWfioaFlQPF
iZlxs45iE3pAxrAAejkguUrjeAmIojQvQq9T0YNtdf3LQCUVn2Vfd9KkqncqADew
tujidoEZAgMBAAE=
-----END PRIVATE KEY-----
My questions:
Why get_pubkey() displays "Private Key" information? Should it begin with ---Begin Public Key ----- ?
The certificate is self-signed, and how to get the digital signature from the certificate?
Many thanks!!