Decoding an X.509 certificate

Questions / Help
, ,
1

Hi,

I’ve got a project where I have to decode an X.509 certificate. I’m using Erlang’s public_key module to decode either a PEM or DER file. I get back a beautiful Erlang record. I know I can use Record for this purpose, but that seems overkill. I want to avoid adding yet another library.

Anyone got any recommendations for nicely extracting items out of a nested tuple in Elixir?

Thanks

2

Pattern matching, using elem/2, are you looking for anything in particular?

I would recommend to use x509 library though, it’s really neat library written by @voltone. When you start decoding things by hand, that code is really hard to comprehend afterwards, better use a well tested library instead IMO.

3 Likes
3

You could use get_in/2 and Access.elem/1, e.g.

iex(1)> tbs = 1
iex(2)> validity = 5
iex(3)> not_after = 2
iex(4)> get_in(cert, [Access.elem(tbs), Access.elem(validity), Access.elem(not_after)])
{:utcTime, ~c"470525070659Z"}

But I also like @D4no0 's suggestion :slight_smile:

1 Like
4

Thanks. I ended up using the X509 library. Took 5 lines of code.

2 Likes
5

For reference of what I meant by incomprehensible code, take a look at this :smiley:: lib/ssl_moon/network/ssl/certificate.ex · main · SSL MOON / SSL MOON · GitLab

6

thanks for pointing us to this library which is raising actually a question how we can make finding libraries easier :slight_smile: I was looking for something similar a month ago as it is what I need for the below dealing with MC OAUTH keys :

https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/#the-signing-key

Actually MC have github repositories for other languages like JAVA/Python/…etc but no Elixir or erlang as below :

7

This is the problem we are struggling on a daily basis, the best bet now is to ask the community for advice.

Ironically enough with this “AI” hype, this is actually a place where a LLM that would be trained exclusively on documentation of elixir libraries would be excellent.

1 Like
8

that is really a good use case , maybe the team can embed it in the forum so similar to what you get when you search the forum , maybe it can auto generate responses and page of details and links , nice idea :+1:

9

I was actually playing with using Erlang to turn the thing into a map:

-module(rec_to_useful).

-compile({parse_transform, exprecs}).
-exprecs_prefix([operation, "_"]).

-export([to_keyword/1, to_map/1]).

-record('Foo', {fieldOne, fieldTwo, fieldThree}).

to_keyword(Data) -> lists:zip(record_info(fields, 'Foo'), tl(tuple_to_list(Data))).

to_map(Data) -> maps:from_list(to_keyword(Data)).

then

iex(2)> :rec_to_useful.to_map({Foo, 1, 2, 3})
%{fieldOne: 1, fieldTwo: 2, fieldThree: 3}
10

Recent OTP versions support generating code from ASN.1 that produces and accepts maps:

iex(1)> path = ~c"path/to/source/of/otp/lib/public_key/asn1/OTP-PUB-KEY.set.asn"
iex(2)> :asn1ct.compile(path, [:maps])
iex(3)> :code.load_abs(~c"OTP-PUB-KEY")
iex(4)> {:ok, cert} = :"OTP-PUB-KEY".decode(:"Certificate", der)
{:ok,
 %{
   signature: <<133, 191, 235, 15, 159, 223, 81, 127, 179, 46, 167, 62, 52, 82,
     250, 40, 4, 169, 130, 49, 63, 172, 36, 83, 164, 138, 162, 50, 233, 76, 254,
     50, 216, 144, 27, 209, 244, 68, 99, 74, 40, 207, 201, 3, 50, 87, 71, ...>>,
   tbsCertificate: %{
     version: :v3,
     signature: %{
       algorithm: {1, 2, 840, 113549, 1, 1, 11},
       parameters: <<5, 0>>
     },
     extensions: [
       %{
         critical: true,
         extnID: {2, 5, 29, 19},
         extnValue: <<48, 6, 1, 1, 255, 2, 1, 1>>
       },
       %{critical: true, extnID: {2, 5, 29, 15}, extnValue: <<3, 2, 1, 134>>},
       %{
         critical: false,
         extnID: {2, 5, 29, 14},
         extnValue: <<4, 20, 103, 184, 255, 213, 187, 5, 43, 104, 112, 7, 148,
           46, 97, 212, 57, 234, 235, 127, 203, 121>>
       },
       %{
         critical: false,
         extnID: {2, 5, 29, 35},
         extnValue: <<48, 22, 128, 20, 103, 184, 255, 213, 187, 5, 43, 104, 112,
           7, 148, 46, 97, 212, 57, 234, 235, 127, 203, 121>>
       }
     ],
     serialNumber: 4655353446208655840,
     issuer: {:rdnSequence,
      [
        [%{type: {2, 5, 4, 6}, value: <<19, 2, 85, 83>>}],
        [%{type: {2, 5, 4, 8}, value: <<12, 2, 78, 84>>}],
        [%{type: {2, 5, 4, 7}, value: "\f\vSpringfield"}],
        [%{type: {2, 5, 4, 10}, value: "\f\tACME Inc."}]
      ]},
     validity: %{
       notBefore: {:utcTime, ~c"220525065848Z"},
       notAfter: {:utcTime, ~c"470525070348Z"}
     },
     subject: {:rdnSequence,
      [
        [%{type: {2, 5, 4, 6}, value: <<19, 2, 85, 83>>}],
        [%{type: {2, 5, 4, 8}, value: <<12, 2, 78, 84>>}],
        [%{type: {2, 5, 4, 7}, value: "\f\vSpringfield"}],
        [%{type: {2, 5, 4, 10}, value: "\f\tACME Inc."}]
      ]},
     subjectPublicKeyInfo: %{
       algorithm: %{
         algorithm: {1, 2, 840, 113549, 1, 1, 1},
         parameters: <<5, 0>>
       },
       subjectPublicKey: <<48, 130, 1, 10, 2, 130, 1, 1, 0, 180, 114, 112, 36,
         255, 225, 242, 197, 38, 146, 113, 132, 20, 169, 223, 175, 93, 149, 110,
         209, 12, 217, 199, 112, 222, 188, 84, ...>>
     }
   },
   signatureAlgorithm: %{
     algorithm: {1, 2, 840, 113549, 1, 1, 11},
     parameters: <<5, 0>>
   }
 }}
iex(5)> cert.tbsCertificate.validity.notAfter
{:utcTime, ~c"470525070348Z"}
4 Likes
11

That’s pretty cool