Imp work with unencrypted pem certificates #25
blaggacao wants to merge 7 commits into knowark:master from
47dda09 to 4fb8178

As it seems Andes
b3c907a to 339a788

Generating pem cert and key is exactly 2 commands away, for using a better supported standard and dropping OpenSSL, I guess it's worth it.

```
openssl pkcs12 -in certificate.p12 -out cert.pem -nokeys -clcerts
openssl pkcs12 -in certificate.p12 -out key.pem -nodes -nocerts
```
As a side-effect, get rid of (deprecated) pyOpenSSL dependency. Rather provide the library with a standard pem certificate. Maybe support DER binary format one day?
339a788 to 70d5411

If there really is a need to support
blaggacao left a comment
Some doubts about what I did...
| issuer_name = ', '.join( | ||
| attr.rfc4514_string() for attr | ||
| in reversed(certificate_object.issuer._attributes) | ||
| ).encode('ascii') |
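Review bot: the generator in this hunk reads `certificate_object.issuer._attributes`, a private attribute of the name object, so a library upgrade can break it without warning; iterate the name through its public interface instead. The trailing `.encode('ascii')` will also raise `UnicodeEncodeError` for any issuer whose attribute values contain non-ASCII characters, so either encode as UTF-8 or state in a comment that only ASCII issuer names are supported.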
@tebanep I guessed ascii is the right byte encoding. Can you confirm? Should that go somewhere else? (e.g. encoder)
| @@ -0,0 +1,29 @@ | |||
| Bag Attributes | |||
| localKeyID: 0E B2 55 CC 89 54 77 79 8B A4 18 B3 78 25 52 04 30 48 97 AD | |||
| subject=/C=DE/ST=Bavaria/L=Munich/O=MIT-xperts GmbH/OU=TEST CA/CN=testbox.mit-xperts.com/emailAddress=info@mit-xperts.com | |||
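Review bot: the new fixture opens with the `Bag Attributes`, `localKeyID` and `subject=` lines that `openssl pkcs12` writes ahead of the PEM block. Since the change is about consuming a standard PEM certificate, either strip that preamble from the fixture or add a test comment saying the loader is expected to tolerate text before the PEM armor.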
| issuer_name = signer._prepare_issuer_name(certificate) | ||
| assert issuer_name == ( | ||
| b'emailAddress=info@mit-xperts.com,CN=itv.mit-xperts.com,' | ||
| b'1.2.840.113549.1.9.1=info@mit-xperts.com,CN=itv.mit-xperts.com,' |
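Review bot: the expected value on the `b'1.2.840.113549.1.9.1=info@mit-xperts.com,...'` line pairs a dotted-decimal attribute type with a plain string value, while the DIAN sample quoted in this thread uses the `#`-prefixed hex form for the same OID. RFC 4514 prescribes the hex form when the type is written as a dotted OID, so confirm which form the consumer compares against and add a comment in the test recording why the OID replaces `emailAddress`.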
This OID seems to be the correct representation of an email address, this is what is also used by the DIAN exemplification:

```xml
<ds:X509IssuerName>
C=CO,L=Bogota D.C.,O=Andes SCD.,OU=Division de certificacion entidad final,CN=CA ANDES SCD S.A. Clase II,1.2.840.113549.1.9.1=#1614696e666f40616e6465737363642e636f6d2e636f
</ds:X509IssuerName>
```
Why all this? Because someone like Andes has obscure
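The `#1614...` value in the DIAN issuer name quoted above is the hex-encoded DER of the e-mail attribute, the form RFC 4514 uses with dotted-decimal types. As an added example, not code from this pull request, the following decodes it so the hex form and the plain-string form of an issuer name can be compared; `decode_hex_value`, `split_rdns` and `normalise_issuer` are hypothetical helper names.

```python
import binascii

EMAIL_OID = "1.2.840.113549.1.9.1"  # PKCS#9 emailAddress
# ASN.1 string tags decoded here: UTF8String, PrintableString, IA5String.
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}

# Issuer name copied from the DIAN sample quoted in the thread.
DIAN_ISSUER = (
    "C=CO,L=Bogota D.C.,O=Andes SCD.,"
    "OU=Division de certificacion entidad final,"
    "CN=CA ANDES SCD S.A. Clase II,"
    "1.2.840.113549.1.9.1=#1614696e666f40616e6465737363642e636f6d2e636f"
)


def decode_hex_value(value):
    """Decode an RFC 4514 '#hex' value: one DER string with a short-form length."""
    der = binascii.unhexlify(value[1:])
    if len(der) < 2 or der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("unsupported or malformed DER length")
    if der[0] not in STRING_TAGS:
        raise ValueError("unsupported ASN.1 tag 0x%02x" % der[0])
    return der[2:].decode(STRING_TAGS[der[0]])


def split_rdns(name):
    """Split on unescaped commas; multi-valued ('+') RDNs are not handled."""
    parts, current, escaped = [], [], False
    for ch in name:
        if ch == "," and not escaped:
            parts.append("".join(current))
            current = []
            continue
        current.append(ch)
        escaped = (ch == "\\") and not escaped
    parts.append("".join(current))
    return parts


def normalise_issuer(name):
    """Return [(type, value)], with '#hex' values decoded to text."""
    pairs = []
    for rdn in split_rdns(name):
        attr_type, _, value = rdn.strip().partition("=")
        if value.startswith("#"):
            value = decode_hex_value(value)
        pairs.append((attr_type, value))
    return pairs


if __name__ == "__main__":
    for attr_type, value in normalise_issuer(DIAN_ISSUER):
        print(attr_type, "=", value)
```

Comparing the output of `normalise_issuer` rather than the raw strings keeps an issuer check from failing only because one side used the hex form and the other the string form.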
699a53d to 469e08f

c87671f to 5a806ec
Codecov Report

```diff
@@            Coverage Diff            @@
##           master      #25     +/-   ##
=========================================
- Coverage     100%   99.79%   -0.21%
=========================================
  Files          94       94
  Lines        1954     1978     +24
  Branches       96       99      +3
=========================================
+ Hits         1954     1974     +20
- Misses          0        2      +2
- Partials        0        2      +2
```
@tebanep I guess the test diff is due to the back port from
Instead transform the p12 files into passwordless PEM data, e.g.:

```
openssl pkcs12 -in persona_juridica_pruebas_vigente.p12 -out newfile.pem --passin pass:persona_juridica_pruebas -nokeys -clcerts
```

That's exactly the certificate as needed and consumed by
It seems that p12 does not work properly. It gives an OpenSSL lib error.