CSR X509 Extensions

Asked by Michal Kwiatkowski

How can I get x509 Extensions from a CSR using pyOpenSSL?
I need to get Subject Alternative Names, but so far, all I can read from the CSR is the public key and subject.
I've googled and found no reasonable solution.
Any suggestions?

Question information

Language: English
Status: Answered
For: pyOpenSSL
Assignee: No assignee

Jean-Paul Calderone (exarkun) said :
#1

pyOpenSSL does not expose the OpenSSL APIs for inspecting X509Req extensions. To do what you want, bindings for these OpenSSL APIs need to be added to pyOpenSSL.

Stephen Holsapple (sholsapp) said :
#2

It doesn't appear any progress has been made on this since the last update and I'm willing to add the bindings. Can someone kick me off in the right direction? Should I use x509.c as a template?

Adi Roiban (adiroiban) said :
#3

pyopenssl was changed recently and is now a pure Python project. Development was moved to https://github.com/pyca/pyopenssl

The low level stuff was moved into a separate project called: cryptography https://github.com/pyca/cryptography

OpenSSL bindings are here: https://github.com/pyca/cryptography/tree/master/cryptography/hazmat/bindings/openssl

The C binding part is now handled by cffi http://cffi.readthedocs.org/en/release-0.8/

Pascal Louis-Marie (plouismarie) said :
#4

Who reads this 4 years later... ME!

And I want to share my working python3 code to decode a CSR.
It displays the alt name list too; this code works in Flask:

import html

from flask import Flask, request
from OpenSSL import crypto

app = Flask(__name__)

@app.route("/Csrcheck", methods=['GET', 'POST'])
def csrcheck():
  csr = request.form['csrcontent']  # you can replace the csr value with the CSR text directly here
  if csr == "":
    return "please populate the csr first and try again"
  if "CERTIFICATE" not in csr:
    return "The csr syntax looks bogus, please review and try again"
  try:
    req = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr)
    # Collect every DNS entry of the subjectAltName extension; other extensions
    # (keyUsage, ...) have no 'DNS:' in their text form and are skipped
    listaltname = ''
    for elem in req.get_extensions():
      if elem.get_short_name() == b'subjectAltName':
        for name in str(elem).split(', '):
          if name.startswith('DNS:'):
            listaltname += name[len('DNS:'):] + ' '
    components = dict(req.get_subject().get_components())
    def field(key):
      # The CSR is untrusted input: escape it before it goes into HTML; absent fields become ''
      return html.escape(components.get(key, b'').decode(errors='replace'))
    result = (
      "<b>Common name</b> : {} <br>"
      "<b>Alt name</b> : {} <br>"
      "<b>Organisation</b> : {} <br>"
      "<b>Organisation unit</b> : {} <br>"
      "<b>City</b> : {} <br>"
      "<b>State</b> : {} <br>"
      "<b>Country</b> : {} <br>"
    ).format(field(b'CN'), html.escape(listaltname), field(b'O'), field(b'OU'), field(b'L'), field(b'ST'), field(b'C'))
    return " Here is the content of the populated CSR : <br>" + result
  except crypto.Error:
    return 'Could not extract CSR content, please review and try again'
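
The post above reads the SAN list out of the extension's string form. As an added example (not code from this thread or from pyOpenSSL), the sketch below uses only the standard library to walk the CSR's DER down to the extensionRequest attribute and decode the subjectAltName entries by their GeneralName tags. The names `tlvs`, `csr_san`, `der` and `SAMPLE_CSR` are hypothetical, and the sample CSR is constructed with placeholder subject, key and signature.

```python
import base64, ipaddress

EXT_REQUEST = bytes.fromhex("2a864886f70d01090e")  # OID 1.2.840.113549.1.9.14 extensionRequest
SAN_OID = bytes.fromhex("551d11")                  # OID 2.5.29.17 subjectAltName
NAMES = {1: ("email", bytes.decode), 2: ("DNS", bytes.decode), 6: ("URI", bytes.decode),
         7: ("IP", lambda v: str(ipaddress.ip_address(v)))}  # GeneralName context tags

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf (single-byte tags only)."""
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated DER header")
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length: low bits give the number of length bytes
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        if i + n > len(buf):
            raise ValueError("truncated DER value")
        yield tag, buf[i:i + n]
        i += n

def csr_san(pem):
    """Yield (kind, value) for each subjectAltName entry requested in a PEM CSR."""
    b64 = "".join(ln for ln in pem.strip().splitlines() if not ln.startswith("-----"))
    (_, csr), = tlvs(base64.b64decode(b64))          # CertificationRequest
    (_, info), *_ = tlvs(csr)                        # CertificationRequestInfo
    attrs = b"".join(v for t, v in tlvs(info) if t == 0xA0)  # [0] attributes
    for _, attr in tlvs(attrs):
        (_, oid), (_, values) = tlvs(attr)
        if oid != EXT_REQUEST:
            continue
        (_, exts), = tlvs(values)                    # SET OF holding one Extensions SEQUENCE
        for _, ext in tlvs(exts):
            fields = list(tlvs(ext))                 # extnID, optional critical, extnValue
            if fields[0][1] != SAN_OID:
                continue
            (_, names), = tlvs(fields[-1][1])        # OCTET STRING wraps GeneralNames
            for tag, val in tlvs(names):
                kind, decode = NAMES.get(tag & 0x1F, (f"other[{tag & 0x1F}]", bytes.hex))
                yield kind, decode(val)

def der(tag, *parts):  # encoder used only to build the sample; bodies must be < 128 bytes
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

# Constructed sample: CSR-shaped DER with placeholder subject, key and signature.
_san = der(0x30, der(0x82, b"example.com"), der(0x82, b"www.example.com"), der(0x87, bytes([192, 0, 2, 1])))
_attr = der(0x30, der(0x06, EXT_REQUEST), der(0x31, der(0x30, der(0x30, der(0x06, SAN_OID), der(0x04, _san)))))
_info = der(0x30, der(0x02, b"\0"), der(0x30), der(0x30), der(0xA0, _attr))
SAMPLE_CSR = "-----BEGIN CERTIFICATE REQUEST-----\n%s-----END CERTIFICATE REQUEST-----\n" % (
    base64.encodebytes(der(0x30, _info, der(0x30), der(0x03, b"\0"))).decode())
```

The walk is purely structural: it does not verify the CSR's self-signature, so the requested names still need that check before they are trusted.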
