X.509 certificates are a common way to exchange and distribute public key information. For example, most OpenSocial containers use the OAuth RSA-SHA1 signature method, and distribute their public keys in the X.509 format.
While working on an AppEngine application, I needed to verify requests from such containers. However, there is (currently) no pure Python library capable of parsing the certificates. This meant that I needed to extract the public key from the certificate manually, and store it in some parsed form inside the Python code.
Fortunately, parsing public keys from an X.509 certificate and representing them as a hex number turned out to be simple and easy.
openssl x509 -modulus -noout < pub.cer | sed s/Modulus=/0x/
Just replace pub.cer with the certificate file you want to parse. For example (I’ve used Orkut’s certificate):
$ openssl x509 -modulus -noout < pub.1199819524.-1556113204990931254.cer | sed s/Modulus=/0x/
0xB1E057678343866DB89D7DEC251899261BF2F5E0D95F5D868F81D600C9A101C9E6DA20606290228308551ED3ACF9921421DCD01EF1DE35DD3275CD4983C7BE0BE325CE8DFC3AF6860F7AB0BF32742CD9FB2FCD1CD1756BBC400B743F73ACEFB45D26694CAF4F26B9765B9F65665245524DE957E8C547C358781FDFB68EC056D1
and all I have to do is to copy the result into my Python code (aren’t Python’s unbounded integers great?).
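As an added example (not code from the original post), here is a pure-Python way to obtain the same modulus as a Python integer without calling openssl. It goes slightly beyond the command above by also accepting a bare PUBLIC KEY PEM block, which openssl x509 rejects; the function names and the toy key are constructed for illustration, and only RSA keys are handled.

```python
import base64
import re
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def rsa_from_spki(spki):
    """Contents of a SubjectPublicKeyInfo SEQUENCE -> (modulus, exponent)."""
    (_, alg), (tag, bits) = children(spki)
    if children(alg)[0][1] != RSA_OID or tag != 0x03 or bits[0] != 0:
        raise ValueError("not an RSA public key")
    (_, n), (_, e) = children(read_tlv(bits, 1)[1])  # skip the unused-bits byte
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def rsa_public_numbers(pem):
    """Accept a CERTIFICATE or PUBLIC KEY PEM block and return (n, e)."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    body = read_tlv(base64.b64decode(m.group(2)))[1]
    if m.group(1) == "PUBLIC KEY":
        return rsa_from_spki(body)
    if m.group(1) != "CERTIFICATE":
        raise ValueError("unsupported PEM label: " + m.group(1))
    tbs = children(children(body)[0][1])  # fields of tbsCertificate
    spki = tbs[6] if tbs[0][0] == 0xA0 else tbs[5]  # [0] version is optional
    return rsa_from_spki(spki[1])

# Constructed toy key (n=3233, e=17), not a key from the page.
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n" + base64.b64encode(bytes.fromhex(
    "301b300d06092a864886f70d0101010500030a00300702020ca1020111")).decode() + "\n-----END PUBLIC KEY-----\n")
if __name__ == "__main__":
    print("n=0x%X e=%d" % rsa_public_numbers(SAMPLE_PEM))
```

The parser only locates the key; it does not validate the certificate's signature, validity period or issuer, so the certificate file still has to come from a source you trust.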
I am trying to do the same with another OpenSocial container and getting the following error:
C:\Program Files\GnuWin32\bin>openssl x509 -modulus -noout < lokalistenPublicKey
v1.pem | sed s/Modulus=/0x/
unable to load certificate
3476:error:0906D06C:PEM routines:PEM_read_bio:no start line:./crypto/pem/pem_lib
.c:647:Expecting: TRUSTED CERTIFICATE
Can you help?
Hi,
It looks like the certificate you have is not in the right format, or it might be corrupted. Which container are you trying to use?
http://lokalisten.de/
I found a public key on the developer forum from one of the lokalisten.de team members, here are its contents:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZzI/zgAlC2cYWJBoXhpJOmeB+
djBDLhncgYlNQLNLjkS1L2cc9SLJUPz3dXmFxie6x8rxdB4XxEG8bsDejDptJe9S
/zrymlH5OgFEqyas+qqo58xHnCFGX8FVbbHOmMEj9qom3HK+QUgNrA7zcP0rXuB5
OzleBGV3OsvMgTQzVwIDAQAB
-----END PUBLIC KEY-----
It looks like the key wasn’t copied correctly and has some parts missing, or is not in the x509 format.
Take a look at Orkut’s key:
http://sandbox.orkut.com/46/o/pub.1199819524.-1556113204990931254.cer
Their key is much longer and has different headers.
[root@hadoop_m ca]# openssl x509 -in client4.crt -pubkey
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8umK3S5fOhGJsu4mi7VtikLL2
sQ1xNkmmhzq/dHgc020JUq2ZhqM0R7nwBpopilPHU6sVnF0xTMHHhM/68maqZ+vu
Uz3byFCTvTLWpbCTx6ysMGfIq43Du0xzSQaSRFBqFecJ5P5EeKewhdnyB/SUqDgI
Zvbgq8d3E/H0b4yzAQIDAQAB
-----END PUBLIC KEY-----
I think the command should be:
openssl x509 -modulus -noout -in pub.cer | sed 's/Modulus=/0x/'
It’s completely equivalent, mine reads the certificate from stdin, yours specifies it on the command line…
I’d try using -inform DER