def get_subjectaltname(csr, datatype=PEM):
    """
    Given a CSR return the subjectaltname value, if any.

    ``csr`` and ``datatype`` are handed unchanged to
    ``load_certificate_request``.

    The return value is a tuple of ``(type_string, name)`` pairs, one per
    decoded general name, or ``None`` when the request carries no Subject
    Alternative Name extension. For entries whose type string equals
    ``SAN_OTHERNAME_KRB5PRINCIPALNAME`` the name comes from
    ``_decode_krb5principalname``; otherwise it is the NSS ``name``.

    NOTE(review): the extension is decoded twice (NSS and the ASN.1 decoder)
    and the results are paired with ``zip``, which stops at the shorter
    sequence. If the two decoders ever disagree on the number of entries,
    the surplus names are dropped without an error -- confirm they always
    agree for input the caller does not control.
    """
    request = load_certificate_request(csr, datatype)

    san_extension = None
    for candidate in request.extensions:
        if candidate.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
            san_extension = candidate
            break
    if san_extension is None:
        return None

    # The request itself is no longer needed once the extension is in hand.
    del request

    from_nss = nss.x509_alt_name(san_extension.value, nss.AsObject)
    from_asn1 = decoder.decode(
        san_extension.value.data, asn1Spec=_SubjectAltName())[0]

    pairs = []
    for nss_entry, asn1_entry in zip(from_nss, from_asn1):
        kind = nss_entry.type_string
        is_krb5_principal = kind == SAN_OTHERNAME_KRB5PRINCIPALNAME
        value = (
            _decode_krb5principalname(asn1_entry['otherName']['value'])
            if is_krb5_principal
            else nss_entry.name
        )
        pairs.append((kind, value))
    return tuple(pairs)
def get_subjectaltname(request):
    """
    Given a CSR return the subjectaltname value, if any.

    ``request`` is an already-loaded certificate request; its ``extensions``
    are scanned in order and the first one tagged as Subject Alternative
    Name is decoded with ``nss.x509_alt_name``.

    Returns whatever ``nss.x509_alt_name`` yields for that extension, or
    ``None`` when no such extension is present.
    """
    san_extension = next(
        (candidate for candidate in request.extensions
         if candidate.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME),
        None)
    if san_extension is None:
        return None
    return nss.x509_alt_name(san_extension.value)
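def get_subjectaltname(csr):
    """
    Return the first value of the subject alt name, if any

    ``csr`` is passed to ``pkcs10.load_certificate_request``. The first
    Subject Alternative Name extension found is decoded and only its first
    entry is returned. ``None`` is returned when the request has no such
    extension, or when the extension decodes to no names.

    Raises ``errors.CertificateOperationError`` when an ``NSPRError`` occurs
    while loading the request or decoding the extension.

    NOTE(review): every name after the first is ignored here, so a caller
    that makes an authorisation decision on this value never sees the
    remaining entries -- confirm no caller treats this as a complete check
    of the requested names.
    """
    try:
        request = pkcs10.load_certificate_request(csr)
        for extension in request.extensions:
            if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
                names = nss.x509_alt_name(extension.value)
                # Guard the index so an extension that decodes to no names
                # is reported as "no SAN" rather than an IndexError that the
                # except clause below would not translate.
                return names[0] if names else None
        return None
    except NSPRError:
        raise errors.CertificateOperationError(
            error=_('Failure decoding Certificate Signing Request'))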
def get_subjectaltname(request):
    """
    Given a CSR return the subjectaltname value, if any.

    ``request`` is an already-loaded certificate request. The first
    extension tagged as Subject Alternative Name is decoded as objects and
    filtered by type.

    The return value is a tuple holding the ``name`` of every entry whose
    ``type_name`` equals ``SAN_DNSNAME`` (possibly empty), or ``None`` when
    the request has no Subject Alternative Name extension.

    NOTE(review): entries of any other type are silently left out of the
    result, so a caller validating the requested names through this
    function does not see them -- confirm that is intended.
    """
    san_extension = None
    for candidate in request.extensions:
        if candidate.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
            san_extension = candidate
            break
    if san_extension is None:
        return None

    general_names = nss.x509_alt_name(san_extension.value, nss.AsObject)
    return tuple(
        entry.name for entry in general_names
        if entry.type_name == SAN_DNSNAME)
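def get_subjectaltname(csr):
    """
    Return the first value of the subject alt name, if any

    The CSR is loaded with ``pkcs10.load_certificate_request`` and its
    extensions are scanned in order. For the first Subject Alternative Name
    extension, the first decoded name is returned. The result is ``None``
    when there is no such extension or it decodes to no names.

    An ``NSPRError`` raised during loading or decoding is reported as
    ``errors.CertificateOperationError``.

    NOTE(review): only the first name is surfaced; additional names in the
    same extension are not visible to the caller. Confirm callers do not
    rely on this value alone to approve the names a request asks for.
    """
    try:
        request = pkcs10.load_certificate_request(csr)
        for extension in request.extensions:
            if extension.oid_tag != nss.SEC_OID_X509_SUBJECT_ALT_NAME:
                continue
            alt_names = nss.x509_alt_name(extension.value)
            if not alt_names:
                # Nothing decoded: report "no SAN" instead of letting an
                # IndexError escape past the NSPRError handler.
                return None
            return alt_names[0]
        return None
    except NSPRError:
        raise errors.CertificateOperationError(
            error=_('Failure decoding Certificate Signing Request'))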
def get_subjectaltname(request):
    """
    Given a CSR return the subjectaltname value, if any.

    Scans ``request.extensions`` for the first Subject Alternative Name
    extension and decodes it as objects.

    Returns a tuple with the ``name`` of each entry whose ``type_name``
    equals ``SAN_DNSNAME`` (the tuple may be empty), or ``None`` when the
    extension is absent.

    NOTE(review): names of every other type are filtered out without any
    signal to the caller -- confirm callers that validate requested names
    do not need to see them.
    """
    for extension in request.extensions:
        if extension.oid_tag != nss.SEC_OID_X509_SUBJECT_ALT_NAME:
            continue
        kept = []
        for entry in nss.x509_alt_name(extension.value, nss.AsObject):
            if entry.type_name == SAN_DNSNAME:
                kept.append(entry.name)
        return tuple(kept)
    return None
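def print_extension(level, extension):
    """
    Print a human-readable dump of one X.509 extension.

    ``level`` is the indentation level given to ``nss.indented_format``;
    details are printed at deeper levels. ``extension`` supplies ``name``,
    ``critical``, ``oid_tag`` and ``value``. An extension whose ``oid_tag``
    matches none of the branches below gets only the name/critical header.
    A blank line is printed at the end.

    NOTE(review): decoded names are formatted with ``%s`` and printed as
    they are; confirm the output destination tolerates that when the
    certificate or request comes from an untrusted party.
    """
    def emit(pairs):
        # print(x) with a single argument prints the same text as the
        # print statement, and also parses under Python 3.
        print(nss.indented_format(pairs))

    emit([(level, 'Name: %s' % extension.name),
          (level, 'Critical: %s' % extension.critical)])

    oid_tag = extension.oid_tag

    if oid_tag == nss.SEC_OID_PKCS12_KEY_USAGE:
        emit([(level, 'Usages:')])
        emit(nss.make_line_fmt_tuples(
            level + 1, nss.x509_key_usage(extension.value)))

    elif oid_tag == nss.SEC_OID_X509_SUBJECT_KEY_ID:
        emit([(level, 'Data:')])
        emit(nss.make_line_fmt_tuples(
            level + 1,
            extension.value.der_to_hex(nss.OCTETS_PER_LINE_DEFAULT)))

    elif oid_tag == nss.SEC_OID_X509_CRL_DIST_POINTS:
        pts = nss.CRLDistributionPts(extension.value)
        emit([(level, 'CRL Distribution Points: [%d total]' % len(pts))])
        # The counter used to stay at 1 for every point; number them from 1.
        for i, pt in enumerate(pts, 1):
            emit([(level + 1, 'Point[%d]:' % i)])
            names = pt.get_general_names()
            emit([(level + 2, 'General Names: [%d total]' % len(names))])
            for name in names:
                emit([(level + 3, '%s:' % name)])
            emit([(level + 2, 'Reasons: %s' % (pt.get_reasons(),))])
            emit([(level + 2, 'Issuer: %s' % pt.issuer)])

    elif oid_tag == nss.SEC_OID_X509_AUTH_KEY_ID:
        auth_key_id = nss.AuthKeyID(extension.value)
        emit([(level + 1, 'Key ID:')])
        emit(nss.make_line_fmt_tuples(
            level + 2,
            auth_key_id.key_id.to_hex(nss.OCTETS_PER_LINE_DEFAULT)))
        emit([(level + 1,
               'Serial Number: %s' % (auth_key_id.serial_number))])
        # 'Issuer:' had no conversion specifier, so the % operator could not
        # consume its argument; the one-tuple formats the names as a whole.
        emit([(level + 1,
               'Issuer: %s' % (auth_key_id.get_general_names(),))])

    elif oid_tag == nss.SEC_OID_X509_BASIC_CONSTRAINTS:
        bc = nss.BasicConstraints(extension.value)
        emit([(level, '%s' % str(bc))])

    elif oid_tag == nss.SEC_OID_X509_EXT_KEY_USAGE:
        emit([(level, 'Usages:')])
        emit(nss.make_line_fmt_tuples(
            level + 1, nss.x509_ext_key_usage(extension.value)))

    elif oid_tag in (nss.SEC_OID_X509_SUBJECT_ALT_NAME,
                     nss.SEC_OID_X509_ISSUER_ALT_NAME):
        names = nss.x509_alt_name(extension.value)
        emit([(level + 2, 'Alternate Names: [%d total]' % len(names))])
        for name in names:
            emit([(level + 3, '%s:' % name)])

    # Blank separator line, as the bare print statement produced.
    print('')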
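def test_1(self):
    """
    Test CSR with subject alt name

    Loads ``test1.csr``, checks the subject fields, and checks that the
    first name in the Subject Alternative Name extension is
    ``testlow.example.com``.
    """
    csr = self.read_file("test1.csr")
    request = pkcs10.load_certificate_request(csr)

    subject = request.subject
    assert subject.common_name == 'test.example.com'
    assert subject.state_name == 'California'
    assert subject.country_name == 'US'

    san_checked = False
    for extension in request.extensions:
        if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
            assert nss.x509_alt_name(extension.value)[0] == 'testlow.example.com'
            san_checked = True

    # The loop alone passes vacuously when the extension is missing, which
    # would hide a regression in extension parsing.
    assert san_checked, 'no subject alt name extension found in test1.csr'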
def decode_generalnames(secitem):
    """
    Decode a GeneralNames object (this is the data for the Subject Alt Name
    and Issuer Alt Name extensions, among others).

    ``secitem``
      The input is the DER-encoded extension data, without the
      OCTET STRING header, as an nss SecItem object.

    Return a list of ``GeneralNameInfo`` namedtuples.  The
    ``der_value`` field is set for otherNames, otherwise it is ``None``.

    NOTE(review): the data is decoded once by NSS and once by the ASN.1
    decoder, and the two results are paired with ``zip``, which stops at
    the shorter one. Should the decoders ever return a different number of
    entries, the extra names are dropped without an error -- confirm they
    always agree for input the caller does not control.
    """
    from_nss = nss.x509_alt_name(secitem, repr_kind=nss.AsObject)
    from_asn1 = decoder.decode(secitem.data, asn1Spec=_SubjectAltName())[0]

    decoded = []
    for nss_entry, asn1_entry in zip(from_nss, from_asn1):
        # The NSS enum identifies the name type; for otherName it is paired
        # with the type-id OID.  The enum does not correspond exactly to the
        # ASN.1 tags.  Should the true tag number ever be wanted, it is:
        #
        #   asn1_entry.getComponent().getTagSet()[0].asTuple()[2]
        #
        der_value = None
        nametype = nss_entry.type_enum
        if nss_entry.type_enum == nss.certOtherName:
            type_oid = str(asn1_entry['otherName']['type-id'])
            nametype = (nss_entry.type_enum, type_oid)
            der_value = asn1_entry['otherName']['value'].asOctets()

        is_krb5_principal = (
            nametype == (nss.certOtherName, SAN_KRB5PRINCIPALNAME))
        name = (
            _decode_krb5principalname(asn1_entry['otherName']['value'])
            if is_krb5_principal
            else nss_entry.name
        )

        decoded.append(
            GeneralNameInfo(nametype, nss_entry.type_string, name, der_value))

    return decoded
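def test_2(self):
    """
    Test CSR with subject alt name and a list of CRL distribution points

    Loads ``test2.csr``, checks the subject fields, the first Subject
    Alternative Name, and that both expected CRL URLs appear in the general
    names of the first distribution point.
    """
    csr = self.read_file("test2.csr")
    request = pkcs10.load_certificate_request(csr)

    subject = request.subject
    assert subject.common_name == 'test.example.com'
    assert subject.state_name == 'California'
    assert subject.country_name == 'US'

    san_checked = False
    crl_checked = False
    for extension in request.extensions:
        if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
            assert nss.x509_alt_name(extension.value)[0] == 'testlow.example.com'
            san_checked = True
        if extension.oid_tag == nss.SEC_OID_X509_CRL_DIST_POINTS:
            pts = nss.CRLDistributionPts(extension.value)
            urls = pts[0].get_general_names()
            assert 'http://ca.example.com/my.crl' in urls
            assert 'http://other.example.com/my.crl' in urls
            crl_checked = True

    # The loop alone passes vacuously when an extension is missing, which
    # would hide a regression in extension parsing.
    assert san_checked, 'no subject alt name extension found in test2.csr'
    assert crl_checked, 'no CRL distribution points extension found in test2.csr'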
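def print_extension(level, extension):
    """
    Print a human-readable dump of one X.509 extension.

    ``level`` is the indentation level given to ``nss.indented_format``;
    details are printed at deeper levels. ``extension`` supplies ``name``,
    ``critical``, ``oid_tag`` and ``value``. An extension whose ``oid_tag``
    matches none of the branches below gets only the name/critical header.
    A blank line is printed at the end.

    NOTE(review): decoded names and locations are formatted with ``%s`` and
    printed as they are; confirm the output destination tolerates that when
    the certificate or request comes from an untrusted party.
    """
    def emit(pairs):
        print(nss.indented_format(pairs))

    emit([(level, 'Name: %s' % extension.name),
          (level, 'Critical: %s' % extension.critical)])

    oid_tag = extension.oid_tag

    if oid_tag == nss.SEC_OID_PKCS12_KEY_USAGE:
        emit([(level, 'Usages:')])
        emit(nss.make_line_fmt_tuples(
            level + 1, nss.x509_key_usage(extension.value)))

    elif oid_tag == nss.SEC_OID_NS_CERT_EXT_CERT_TYPE:
        emit([(level, 'Types:')])
        emit(nss.make_line_fmt_tuples(
            level + 1, nss.x509_cert_type(extension.value)))

    elif oid_tag == nss.SEC_OID_X509_SUBJECT_KEY_ID:
        emit([(level, 'Data:')])
        emit(nss.make_line_fmt_tuples(
            level + 1,
            extension.value.der_to_hex(nss.OCTETS_PER_LINE_DEFAULT)))

    elif oid_tag == nss.SEC_OID_X509_CRL_DIST_POINTS:
        pts = nss.CRLDistributionPts(extension.value)
        emit([(level, 'CRL Distribution Points: [%d total]' % len(pts))])
        for i, pt in enumerate(pts):
            emit([(level + 1, 'Point[%d]:' % i)])
            names = pt.get_general_names()
            emit([(level + 2, 'General Names: [%d total]' % len(names))])
            for name in names:
                emit([(level + 3, '%s:' % name)])
            emit([(level + 2, 'Reasons: %s' % (pt.get_reasons(),))])
            emit([(level + 2, 'Issuer: %s' % pt.issuer)])

    elif oid_tag == nss.SEC_OID_X509_AUTH_INFO_ACCESS:
        aias = nss.AuthorityInfoAccesses(extension.value)
        emit([(level,
               'Authority Information Access: [%d total]' % len(aias))])
        for i, aia in enumerate(aias):
            emit([(level + 1, 'Info[%d]:' % i)])
            emit([(level + 2, 'Method: %s' % (aia.method_str,))])
            emit([(level + 2,
                   'Location: (%s) %s' % (aia.location.type_string,
                                          aia.location.name))])

    elif oid_tag == nss.SEC_OID_X509_AUTH_KEY_ID:
        auth_key_id = nss.AuthKeyID(extension.value)
        emit([(level + 1, 'Key ID:')])
        emit(nss.make_line_fmt_tuples(
            level + 2,
            auth_key_id.key_id.to_hex(nss.OCTETS_PER_LINE_DEFAULT)))
        emit([(level + 1,
               'Serial Number: %s' % (auth_key_id.serial_number))])
        # 'Issuer:' had no conversion specifier, so the % operator could not
        # consume its argument; the one-tuple formats the names as a whole.
        emit([(level + 1,
               'Issuer: %s' % (auth_key_id.get_general_names(),))])

    elif oid_tag == nss.SEC_OID_X509_BASIC_CONSTRAINTS:
        bc = nss.BasicConstraints(extension.value)
        emit([(level, '%s' % str(bc))])

    elif oid_tag == nss.SEC_OID_X509_EXT_KEY_USAGE:
        emit([(level, 'Usages:')])
        emit(nss.make_line_fmt_tuples(
            level + 1, nss.x509_ext_key_usage(extension.value)))

    elif oid_tag in (nss.SEC_OID_X509_SUBJECT_ALT_NAME,
                     nss.SEC_OID_X509_ISSUER_ALT_NAME):
        names = nss.x509_alt_name(extension.value)
        emit([(level + 2, 'Alternate Names: [%d total]' % len(names))])
        for name in names:
            emit([(level + 3, '%s:' % name)])

    print()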
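def print_extension(level, extension):
    """
    Print a human-readable dump of one X.509 extension.

    ``level`` is the base indentation level passed to
    ``nss.indented_format``. ``extension`` is read for ``name``,
    ``critical``, ``oid_tag`` and ``value``. The header (name and critical
    flag) is always printed; the remaining output depends on ``oid_tag``,
    and an unrecognised tag prints nothing further. A blank line closes the
    dump.

    NOTE(review): decoded names and locations are formatted with ``%s`` and
    printed as they are; confirm the output destination tolerates that when
    the certificate or request comes from an untrusted party.
    """
    fmt = nss.indented_format
    as_lines = nss.make_line_fmt_tuples

    print(fmt([(level, 'Name: %s' % extension.name),
               (level, 'Critical: %s' % extension.critical)]))

    oid_tag = extension.oid_tag

    if oid_tag == nss.SEC_OID_PKCS12_KEY_USAGE:
        print(fmt([(level, 'Usages:')]))
        print(fmt(as_lines(level + 1, nss.x509_key_usage(extension.value))))

    elif oid_tag == nss.SEC_OID_NS_CERT_EXT_CERT_TYPE:
        print(fmt([(level, 'Types:')]))
        print(fmt(as_lines(level + 1, nss.x509_cert_type(extension.value))))

    elif oid_tag == nss.SEC_OID_X509_SUBJECT_KEY_ID:
        print(fmt([(level, 'Data:')]))
        print(fmt(as_lines(
            level + 1,
            extension.value.der_to_hex(nss.OCTETS_PER_LINE_DEFAULT))))

    elif oid_tag == nss.SEC_OID_X509_CRL_DIST_POINTS:
        pts = nss.CRLDistributionPts(extension.value)
        print(fmt([(level, 'CRL Distribution Points: [%d total]' % len(pts))]))
        for i, pt in enumerate(pts):
            print(fmt([(level + 1, 'Point[%d]:' % i)]))
            names = pt.get_general_names()
            print(fmt([(level + 2, 'General Names: [%d total]' % len(names))]))
            for name in names:
                print(fmt([(level + 3, '%s:' % name)]))
            print(fmt([(level + 2, 'Reasons: %s' % (pt.get_reasons(),))]))
            print(fmt([(level + 2, 'Issuer: %s' % pt.issuer)]))

    elif oid_tag == nss.SEC_OID_X509_AUTH_INFO_ACCESS:
        aias = nss.AuthorityInfoAccesses(extension.value)
        print(fmt([(level,
                    'Authority Information Access: [%d total]' % len(aias))]))
        for i, aia in enumerate(aias):
            print(fmt([(level + 1, 'Info[%d]:' % i)]))
            print(fmt([(level + 2, 'Method: %s' % (aia.method_str,))]))
            print(fmt([(level + 2,
                        'Location: (%s) %s' % (aia.location.type_string,
                                               aia.location.name))]))

    elif oid_tag == nss.SEC_OID_X509_AUTH_KEY_ID:
        auth_key_id = nss.AuthKeyID(extension.value)
        print(fmt([(level + 1, 'Key ID:')]))
        print(fmt(as_lines(
            level + 2,
            auth_key_id.key_id.to_hex(nss.OCTETS_PER_LINE_DEFAULT))))
        print(fmt([(level + 1,
                    'Serial Number: %s' % (auth_key_id.serial_number))]))
        # The format string lacked a conversion specifier, so the % operator
        # had nowhere to put its argument. Wrapping the value in a one-tuple
        # formats it as a single item even if it is itself a tuple.
        print(fmt([(level + 1,
                    'Issuer: %s' % (auth_key_id.get_general_names(),))]))

    elif oid_tag == nss.SEC_OID_X509_BASIC_CONSTRAINTS:
        bc = nss.BasicConstraints(extension.value)
        print(fmt([(level, '%s' % str(bc))]))

    elif oid_tag == nss.SEC_OID_X509_EXT_KEY_USAGE:
        print(fmt([(level, 'Usages:')]))
        print(fmt(as_lines(level + 1,
                           nss.x509_ext_key_usage(extension.value))))

    elif oid_tag in (nss.SEC_OID_X509_SUBJECT_ALT_NAME,
                     nss.SEC_OID_X509_ISSUER_ALT_NAME):
        names = nss.x509_alt_name(extension.value)
        print(fmt([(level + 2, 'Alternate Names: [%d total]' % len(names))]))
        for name in names:
            print(fmt([(level + 3, '%s:' % name)]))

    print()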
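def print_extension(level, extension):
    """
    Print a human-readable dump of one X.509 extension.

    ``level`` is the base indentation level passed to
    ``nss.indented_format``. ``extension`` is read for ``name``,
    ``critical``, ``oid_tag`` and ``value``. The header (name and critical
    flag) is always printed; the remaining output depends on ``oid_tag``,
    and an unrecognised tag prints nothing further. A blank line closes the
    dump.

    NOTE(review): decoded names are formatted with ``%s`` and printed as
    they are; confirm the output destination tolerates that when the
    certificate or request comes from an untrusted party.
    """
    fmt = nss.indented_format
    as_lines = nss.make_line_fmt_tuples

    # Every print below takes exactly one argument, so the parenthesised
    # form prints the same text as the print statement and also parses
    # under Python 3.
    print(fmt([(level, 'Name: %s' % extension.name),
               (level, 'Critical: %s' % extension.critical)]))

    oid_tag = extension.oid_tag

    if oid_tag == nss.SEC_OID_PKCS12_KEY_USAGE:
        print(fmt([(level, 'Usages:')]))
        print(fmt(as_lines(level + 1, nss.x509_key_usage(extension.value))))

    elif oid_tag == nss.SEC_OID_X509_SUBJECT_KEY_ID:
        print(fmt([(level, 'Data:')]))
        print(fmt(as_lines(
            level + 1,
            extension.value.der_to_hex(nss.OCTETS_PER_LINE_DEFAULT))))

    elif oid_tag == nss.SEC_OID_X509_CRL_DIST_POINTS:
        pts = nss.CRLDistributionPts(extension.value)
        print(fmt([(level, 'CRL Distribution Points: [%d total]' % len(pts))]))
        # The counter was initialised to 1 but never advanced, so every
        # point was labelled Point[1]; enumerate from 1 instead.
        for i, pt in enumerate(pts, 1):
            print(fmt([(level + 1, 'Point[%d]:' % i)]))
            names = pt.get_general_names()
            print(fmt([(level + 2, 'General Names: [%d total]' % len(names))]))
            for name in names:
                print(fmt([(level + 3, '%s:' % name)]))
            print(fmt([(level + 2, 'Reasons: %s' % (pt.get_reasons(),))]))
            print(fmt([(level + 2, 'Issuer: %s' % pt.issuer)]))

    elif oid_tag == nss.SEC_OID_X509_AUTH_KEY_ID:
        auth_key_id = nss.AuthKeyID(extension.value)
        print(fmt([(level + 1, 'Key ID:')]))
        print(fmt(as_lines(
            level + 2,
            auth_key_id.key_id.to_hex(nss.OCTETS_PER_LINE_DEFAULT))))
        print(fmt([(level + 1,
                    'Serial Number: %s' % (auth_key_id.serial_number))]))
        # The format string lacked a conversion specifier, so the % operator
        # had nowhere to put its argument. Wrapping the value in a one-tuple
        # formats it as a single item even if it is itself a tuple.
        print(fmt([(level + 1,
                    'Issuer: %s' % (auth_key_id.get_general_names(),))]))

    elif oid_tag == nss.SEC_OID_X509_BASIC_CONSTRAINTS:
        bc = nss.BasicConstraints(extension.value)
        print(fmt([(level, '%s' % str(bc))]))

    elif oid_tag == nss.SEC_OID_X509_EXT_KEY_USAGE:
        print(fmt([(level, 'Usages:')]))
        print(fmt(as_lines(level + 1,
                           nss.x509_ext_key_usage(extension.value))))

    elif oid_tag in (nss.SEC_OID_X509_SUBJECT_ALT_NAME,
                     nss.SEC_OID_X509_ISSUER_ALT_NAME):
        names = nss.x509_alt_name(extension.value)
        print(fmt([(level + 2, 'Alternate Names: [%d total]' % len(names))]))
        for name in names:
            print(fmt([(level + 3, '%s:' % name)]))

    # Blank separator line, as the bare print statement produced.
    print('')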