Obtaining certificate purpose

[PhilippSelenium]

Executing:

openssl x509 -in /tmp/client.crt -noout -text -purpose

gives me:

...
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Subject Key Identifier: 
                D5:7D:F1:50:BC:0B:D7:2E:95:DC:40:CF:3F:42:5D:07:63:8C:8A:CF
            X509v3 Authority Key Identifier: 
                keyid:4A:6B:31:17:BE:D6:81:4D:65:BD:B6:D5:DA:BC:03:F5:B6:D1:9B:A7

    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:33:bb:81:d2:15:56:a6:ca:3d:8a:25:c9:2d:79:
         c6:70:d6:10:5b:7a:61:56:0f:52:db:d7:91:e5:38:00:34:39:
         02:21:00:9b:e1:a4:9a:f6:cb:e9:9d:21:53:fa:6b:1e:76:5f:
         e8:f4:23:0c:f2:f8:b9:e9:67:08:f5:7a:70:8c:85:21:10

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : No
SSL server CA : No
Netscape SSL server : No
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

I have seen that there is a purpose available for Key Usage: https://cryptography.io/en/latest/x509/reference/?highlight=purpose#cryptography.x509.KeyUsage

Is there any possibility to obtain/check these values in cryptography?

[alex]

purpose is an x509 extension and thus can be accessed like all x509 extensions: https://cryptography.io/en/latest/x509/reference/?highlight=purpose#cryptography.x509.Extensions

[PhilippSelenium]

I cannot seem to find an extension that matches purpose:

from cryptography import x509
with open("/tmp/client.crt", "rb") as f:
     crt = x509.load_pem_x509_certificate(f.read())
print[e.oid for e in crt.extensions])

yields

[<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>,
<ObjectIdentifier(oid=2.5.29.15, name=keyUsage)>,
<ObjectIdentifier(oid=2.5.29.37, name=extendedKeyUsage)>,
<ObjectIdentifier(oid=2.5.29.14, name=subjectKeyIdentifier)>,
<ObjectIdentifier(oid=2.5.29.35, name=authorityKeyIdentifier)>]

The open ssl output does also not list purpose under extensions

[alex]

keyUsage is what's providing purpose.

…

On Fri, Oct 1, 2021 at 7:20 AM PhilippSelenium ***@***.***> wrote: I cannot seem to find an extension that matches purpose: from cryptography import x509 with open("/tmp/client.crt", "rb") as f: crt = x509.load_pem_x509_certificate(f.read()) print[e.oid for e in crt.extensions]) yields [<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, <ObjectIdentifier(oid=2.5.29.15, name=keyUsage)>, <ObjectIdentifier(oid=2.5.29.37, name=extendedKeyUsage)>, <ObjectIdentifier(oid=2.5.29.14, name=subjectKeyIdentifier)>, <ObjectIdentifier(oid=2.5.29.35, name=authorityKeyIdentifier)>] — You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub <#6350 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAAGBBZTFB5EKKI5CMCJGLUEWKQBANCNFSM5FEBRU5A> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

-- All that is necessary for evil to succeed is for good people to do nothing.

[PhilippSelenium]

This seems to be incomplete then.

KeyUsage(digital_signature=True,
                            content_commitment=True,
                                 key_encipherment=True,
                                 data_encipherment=False,
                                 key_agreement=False,
                                 key_cert_sign=False,
                                 crl_sign=False,
                                 encipher_only=False,
                                 decipher_only=False)

9 items vs. 18 items (the output from openssl above)

[alex]

Unfortunately you're going to need to investigate what OpenSSL is doing there then, because this output doesn't map directly to the structure of x.509.

…

On Fri, Oct 1, 2021 at 7:33 AM PhilippSelenium ***@***.***> wrote: This seems to be incomplete then. KeyUsage(digital_signature=True, content_commitment=True, key_encipherment=True, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False) 9 items vs. 18 items the output from openssl above — You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android.

-- All that is necessary for evil to succeed is for good people to do nothing.

[tiran]

openssl x509 -purpose uses the X509_PURPOSE API, which looks into key usage, extended key usage, and basic constraint. Cryptography does not expose this API.

https://github.com/openssl/openssl/blob/openssl-3.0.0/crypto/x509/v3_purp.c