Topic
  • 11 replies
  • Latest Post - ‏2012-08-23T11:51:35Z by HermannSW
shyhc
shyhc
32 Posts

Pinned topic Certficate Details via XML Mgmt

‏2011-03-24T12:35:24Z |
Hi,

I'd like to query some attributes from certificate files (in cert: or sharedcert:) or
alternatively for certificate objects via XML Mgmt SOAP commands. Issuer, Subject,
Validity NotBefore/NotAfter would be nice.
If it is not possible via XML Mgmt, maybe I could install an xsl doing this?

We are running XI50's with 3.8.0.

Thanks for any hints...
Stefan
Updated on 2012-08-23T11:51:35Z at 2012-08-23T11:51:35Z by HermannSW
  • HermannSW
    HermannSW
    5921 Posts

    Re: Certficate Details via XML Mgmt

    ‏2011-03-24T15:43:08Z  
    Hi Stefan,

    First, from within a stylesheet.

    I created a Crypto Certificate named "amex" referencing "pubcert:///American-Express-Global-CA.pem".

    Accessing all the details can be done by dp:get-cert-details() then:

        <xsl:copy-of select="dp:get-cert-details('name:amex')"/>


    This is the pretty printed output for "amex":

        $ curl -s --data-binary "<x/>" http://dp3-l3:2057 | tidy -q -xml
        <CertificateDetails>
          <Version>3</Version>
          <SerialNumber>133</SerialNumber>
          <SignatureAlgorithm>sha1WithRSAEncryption</SignatureAlgorithm>
          <Issuer>C=US, O=American Express Company\, Inc., OU=American Express Technologies, CN=American Express Global Certificate Authority</Issuer>
          <NotBefore>1998-08-14T19:06:00Z</NotBefore>
          <NotAfter>2013-08-14T23:59:00Z</NotAfter>
          <Subject>C=US, O=American Express Company\, Inc., OU=American Express Technologies, CN=American Express Global Certificate Authority</Subject>
          <SubjectPublicKeyAlgorithm>rsaEncryption</SubjectPublicKeyAlgorithm>
          <SubjectPublicKeyBitLength>2048</SubjectPublicKeyBitLength>
          <KeyValue xmlns="http://www.w3.org/2000/09/xmldsig#">
            <RSAKeyValue>
              <Modulus>8CQmZi7760pzcVOJR8smPFOSlEzKwoW1DfjDV70vKh9qGLdXrwwAFvqgtpCm9xqhLmYmx2ijipNpZrVGVi0dguqQDAoiwolQjQXz1KtzQfDPEqwotG8UlJZZS56QdYbf4kfr4elPQ36HyicYZp61wUBlffxhb62bcs+pXtjz+dpukRD6TLXqfiDeqTkv9Yjkim81xiCcK4ZGMwr8MVWla6wWQOnNNVlvMgTDe7UPe3dw80i7KlKCzq8pbfERb23mBwAB75rzJg2meRNnr/irHHWskbVrvkCw3pwMsWmFGXGRE0XK39H95rLKloN528W4qlt6kAt4Vj7G15+USBH1rQ==</Modulus>
              <Exponent>AQAB</Exponent>
            </RSAKeyValue>
          </KeyValue>
          <Extensions>
            <Extension critical="true" name="basicConstraints" oid="2.5.29.19" isder="false">
              <item name="CA">TRUE</item>
              <item name="pathlen">5</item>
            </Extension>
            <Extension critical="true" name="keyUsage" oid="2.5.29.15" isder="false">
              <item name="Certificate Sign"/>
              <item name="CRL Sign"/>
            </Extension>
            <Extension critical="false" name="certificatePolicies" oid="2.5.29.32" isder="true">MA4wDAYKKoZIhvkPCgEFAQ==</Extension>
            <Extension critical="false" name="subjectKeyIdentifier" oid="2.5.29.14" isder="false">57:47:35:7B:36:27:11:A8:08:FC:2F:46:25:EB:24:69</Extension>
          </Extensions>
          <Base64>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</Base64>
        </CertificateDetails>
        $


     
    Hermann
  • HermannSW
    HermannSW
    5921 Posts

    Re: Certficate Details via XML Mgmt

    ‏2011-03-24T17:15:08Z  
    Stefan,

    again the Forum did not let me post my response -- find the solution in my Blog:
    https://www.ibm.com/developerworks/mydeveloperworks/blogs/HermannSW/entry/certficate_details_not_via_xml_mgmt_interface_but_scripted4

     
    Hermann
  • shyhc
    shyhc
    32 Posts

    Re: Certficate Details via XML Mgmt

    ‏2011-03-25T12:46:32Z  
    Hi Hermann,

    thanks a lot, highly interesting...
    however this seems to work only for pubcert; I get a "permission denied" for whatever file in sharedcert I try (which is where most of our stuff lies).
    Is there any way to get to this? Once I have the "show file" output I could then also continue processing on the server using openssl or so... Or maybe it is easier getting to the file contents from the xsl stylesheet?

    Thx & kind regards
    Stefan
  • Liv2luv
    Liv2luv
    573 Posts

    Re: Certficate Details via XML Mgmt

    ‏2011-03-25T13:45:53Z  
    Just trying to extend the dp:get-cert-details() usage...

    1. Create a loop back xml firewall with transform action
    2. use this XSLT for the transform action

        <?xml version="1.0" encoding="UTF-8"?>
        <xsl:stylesheet version="1.0"
            xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
            xmlns:dp="http://www.datapower.com/extensions"
            xmlns:dpconfig="http://www.datapower.com/param/config"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            extension-element-prefixes="dp"
            exclude-result-prefixes="">
          <xsl:template match="/">
            <xsl:variable name="getCertDetails" select="concat('name:',dp:http-request-header('getCert'))"/>
            <xsl:copy-of select="dp:get-cert-details($getCertDetails)"/>
          </xsl:template>
        </xsl:stylesheet>

    3. Refer to any certificate object by passing the certificate object name in the header parameter using a curl command. Example:

        curl -H "getCert:CertObjectName" -d "<x/>" http://123.456.2.3:4900 | ..\xmlstarlet-1.0.1\xml.exe fo


    The command after the pipe symbol is optional - only if you would like to see a formatted response XML. Needs xmlstarlet (search on sourceforge.net).

    4. sample response, certificate details, similar to what Hermann has posted

    5. Finally, the certificate object should be in 'UP' state and you need permission to access that file location

    Thanks.
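As an added example (my code, not from the thread or from DataPower), here is a small Python client for the loopback-firewall approach that Hermann and Liv2luv describe: it posts `<x/>` with the getCert header, then parses the CertificateDetails reply for the fields Stefan asked about and flags validity and signature-algorithm problems. The firewall URL is a placeholder supplied by the caller, and the embedded sample document is constructed from the "amex" output quoted earlier in the thread.

```python
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: the CertificateDetails reply for "amex" from this thread, trimmed to
# the elements read below (the backslash-escaped comma is how DataPower prints the DN).
SAMPLE_DETAILS = """<CertificateDetails>
  <Version>3</Version><SerialNumber>133</SerialNumber>
  <SignatureAlgorithm>sha1WithRSAEncryption</SignatureAlgorithm>
  <Issuer>C=US, O=American Express Company\\, Inc., CN=American Express Global Certificate Authority</Issuer>
  <NotBefore>1998-08-14T19:06:00Z</NotBefore><NotAfter>2013-08-14T23:59:00Z</NotAfter>
  <Subject>C=US, O=American Express Company\\, Inc., CN=American Express Global Certificate Authority</Subject>
  <SubjectPublicKeyBitLength>2048</SubjectPublicKeyBitLength>
</CertificateDetails>"""

def fetch_cert_details(firewall_url, cert_object_name, timeout=10):
    """POST '<x/>' to the loopback XML firewall (hypothetical URL), naming the
    certificate object in the getCert header exactly as the stylesheet above expects."""
    req = urllib.request.Request(firewall_url, data=b"<x/>",
                                 headers={"getCert": cert_object_name, "Content-Type": "text/xml"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def parse_cert_details(xml_text):
    """Pull the fields the original question asked for out of a CertificateDetails document."""
    root = ET.fromstring(xml_text)
    if root.tag != "CertificateDetails":
        raise ValueError("unexpected root element %r (error response?)" % root.tag)
    names = ("Issuer", "Subject", "NotBefore", "NotAfter", "SignatureAlgorithm", "SubjectPublicKeyBitLength")
    return {name: root.findtext(name) for name in names}

def _utc(stamp):
    # DataPower prints validity as e.g. 2013-08-14T23:59:00Z
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def assess(fields, now_utc, warn_days=30):
    """Return (days until NotAfter, list of findings), judged at now_utc (same timestamp format)."""
    now, findings = _utc(now_utc), []
    days_left = (_utc(fields["NotAfter"]) - now).days
    if now < _utc(fields["NotBefore"]):
        findings.append("not yet valid")
    if days_left < 0:
        findings.append("expired")
    elif days_left < warn_days:
        findings.append("expires within %d days" % warn_days)
    sig = (fields["SignatureAlgorithm"] or "").lower()
    if sig.startswith(("md5", "sha1")):
        findings.append("weak signature algorithm: " + fields["SignatureAlgorithm"])
    if int(fields["SubjectPublicKeyBitLength"] or 0) < 2048:
        findings.append("public key shorter than 2048 bits")
    return days_left, findings
```

For a live device, replace SAMPLE_DETAILS with `fetch_cert_details("http://<firewall-host>:<port>", "amex")` and feed the result to `parse_cert_details`.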
  • shyhc
    shyhc
    32 Posts

    Re: Certficate Details via XML Mgmt

    ‏2011-03-25T14:23:52Z  
    Hi again,

    Using the get-cert-details extension I can get the detailed XML output using name: plus the name of a certificate object, however only from the domain where the script is installed - is there a way to get around this? I think I'll call my xsl with a cert filename and then create a CryptoCertificate object, query it using get-cert-details and drop it again...

    Kind regards,
    Stefan
  • River Ben
    River Ben
    15 Posts

    Re: Certficate Details via XML Mgmt

    ‏2012-08-22T22:48:04Z  
    Has anybody tried to extract the value of the Policy Identifier (it is the value of the 'certificatePolicies' extension) from the 'certificatePolicies' Extension?

    <Extension critical="false" name="certificatePolicies"
    oid="2.5.29.32" isder="true">
    MA4wDAYKKoZIhvkPCgEFAQ==</Extension>

    for some reason, it is encoded/encrypted. Not able to decode/decrypt it and get the value of Policy identifier.

    If anybody has tried this before, please share your thoughts.
  • HermannSW
    HermannSW
    5921 Posts

    Re: Certficate Details via XML Mgmt

    ‏2012-08-23T01:36:08Z  
    http://pic.dhe.ibm.com/infocenter/wsdatap/v5r0m0/topic/com.ibm.dp.xm.doc/extensionfunctions113.htm?resultof=%22%64%70%3a%67%65%74%2d%63%65%72%74%2d%64%65%74%61%69%6c%73%22%20
    shows under "Results" the "known" entries.

    Unknown extensions (like your "certificatePolicies") will be represented base64 encoded.

     
    Hermann
  • River Ben
    River Ben
    15 Posts

    Re: Certficate Details via XML Mgmt

    ‏2012-08-23T08:28:22Z  
    Hermann, thanks for your reply

    In my stylesheet, I am able to read all the extensions without any problem. The problem I am having is in decoding the value (MA4wDAYKKoZIhvkPCgEFAQ==) of the extension 'certificatePolicies'. I thought it is base-64, but it is not.

    If you open any client certificate, the extension 'certificatePolicies' will have a value something like this.
    Extension Value: Policy Identifier: <Unrecognized policy identifier : 2.23.34.2.1.1>

    So here, I am trying to figure out how that encoded value needs to decode.

    Except for that certificatePolicies extension value, every other extension value is in plain text, not sure why only its value is in encoded format.

    Using the following code:

    <xsl:variable name="client-cert">
    <xsl:if test="dp:auth-info('ssl-client-cert') != ''">
    <xsl:value-of select="dp:auth-info('ssl-client-cert')"/>
    </xsl:if>
    </xsl:variable>

    <xsl:variable name="extensions_certPolicyValue">
    <xsl:value-of select="dp:get-cert-details(concat('cert:', $client-cert))/CertificateDetails/Extensions/Extension" />
    </xsl:variable>

    the value of extensions_certPolicyValue is MA4wDAYKKoZIhvkPCgEFAQ==

    I am looking for a way to decode it
  • River Ben
    River Ben
    15 Posts

    Re: Certficate Details via XML Mgmt

    ‏2012-08-23T08:31:42Z  
    small correction in my code

    <xsl:variable name="client-cert">
    <xsl:if test="dp:auth-info('ssl-client-cert') != ''">
    <xsl:value-of select="dp:auth-info('ssl-client-cert')"/>
    </xsl:if>
    </xsl:variable>

    <xsl:variable name="extensions_certPolicyValue">
    <xsl:value-of select="dp:get-cert-details(concat('cert:', $client-cert))/CertificateDetails/Extensions/Extension" />
    </xsl:variable>
  • River Ben
    River Ben
    15 Posts

    Re: Certficate Details via XML Mgmt

    ‏2012-08-23T08:33:29Z  
    this is missing in the xpath :
  • HermannSW
    HermannSW
    5921 Posts

    Re: Certficate Details via XML Mgmt

    ‏2012-08-23T11:51:35Z  
    Your extension output

        <Extension critical="false" name="certificatePolicies" oid="2.5.29.32" isder="true">MA4wDAYKKoZIhvkPCgEFAQ==</Extension>


    says it's DER encoded (ASN.1, binary format), see:
    http://en.wikipedia.org/wiki/Distinguished_Encoding_Rules

    Your base64 encoded string contains binary data not allowed as XML characters, so decoding as XML is impossible
    (only 0x09, 0x0a and 0x0d are XML Characters in 0x00-0x1f byte range):

        $ echo "MA4wDAYKKoZIhvkPCgEFAQ==" | base64 -d | od -Ax1 -tx1
        000000 30 0e 30 0c 06 0a 2a 86 48 86 f9 0f 0a 01 05 01
        000010
        $


    Looking up your oid "2.5.29.32" gives this:
    http://www.oid-info.com/cgi-bin/display?oid=2.5.29.32&submit=Display&action=display

    The relevant RFC is RFC3280, section 4.2.1.5 is on Certificate Policies.

    There is no ASN.1 parsing support, you would need to do the decoding of the above base64 encoded binary data yourself according to the spec.

    Alternatively you can submit a Request for Enhancement:
    http://www.ibm.com/developerworks/rfe/execute?use_case=viewRFEs&PROD_ID=577&BRAND_ID=181&PROD_FAM_ID=281

     
    Hermann
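One way to do that decoding yourself, as an added example (my code, not from the thread or from DataPower): a minimal DER reader for the certificatePolicies structure Hermann points to in RFC 3280 section 4.2.1.5 (SEQUENCE OF PolicyInformation, each starting with the policyIdentifier OID) that returns the OIDs in dotted notation. It assumes the value is exactly that structure, ignores any policy qualifiers, and rejects anything that is not a well-formed SEQUENCE of OIDs.

```python
import base64

def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, content bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Content octets -> dotted OID: base-128 arcs, first octet packs the first two arcs."""
    arcs, value = [], 0
    for octet in raw:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:                # high bit clear ends the arc
            arcs.append(value)
            value = 0
    head = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(str(a) for a in head + arcs[1:])

def policy_identifiers_der(der):
    """policyIdentifier OIDs of a DER certificatePolicies value (RFC 3280 4.2.1.5):
    SEQUENCE OF PolicyInformation { policyIdentifier OID, policyQualifiers OPTIONAL }."""
    tag, outer, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)          # one PolicyInformation
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        oid_tag, oid_raw, _ = _read_tlv(info, 0)        # first member; qualifiers are ignored
        if oid_tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(_decode_oid(oid_raw))
    return oids

def policy_identifiers(b64):
    """Same, starting from the base64 text DataPower puts into an isder="true" Extension."""
    return policy_identifiers_der(base64.b64decode(b64))

# The certificatePolicies value of the "amex" certificate quoted in this thread.
AMEX_POLICIES_B64 = "MA4wDAYKKoZIhvkPCgEFAQ=="

if __name__ == "__main__":
    print(policy_identifiers(AMEX_POLICIES_B64))   # ['1.2.840.113807.10.1.5.1']
```

The bytes Hermann dumped with od decode as SEQUENCE { SEQUENCE { OID 1.2.840.113807.10.1.5.1 } }, which is the Policy Identifier River Ben was after.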