By: Sakit Atakishiyev user 20 Oct 2017 at 10:05 p.m. CDT

16 Responses
Hi everyone. I want to convert my encoded x509 certificate to `x509Certificate`. I checked the existing `cert` example and use the same `certFromString` code in my script. I could decode my encoded certificate back, but when I call `CertUtil.x509CertificateFromBytes(cert)` `python` returns an `encoding` error, because my `x509 certificate` contains `non-ascii` characters. I will share the error log with you as soon as possible. I tried lots of ways, such as converting the certificate to a `utf-8` `python` `bytearray` after decoding, but it has no effect. When I convert my `x509 encoded certificate` to an `x509` java object I just use the `apache commons codec` library: first `decode` the string, and the rest is the standard way to get an `X509Certificate` object. How can I solve this problem with python?

By Aliaksandr Samuseu staff 21 Oct 2017 at 9:33 a.m. CDT

Hi, Sakit. Unless you can perhaps explain how this problem is specific to the Gluu package, I would suggest you try asking at the Python/Jython communities out there.

By Sakit Atakishiyev user 21 Oct 2017 at 10:49 a.m. CDT

I don't know whether it is related to the Gluu package or not, because I got this error when I called `CertUtil.x509CertificateFromBytes`. I checked the `CertUtil` source code. This method accepts `byte[]`, but the python `base64.b64decode` method returns `str` type, and it is converted to a `byte` array automatically. If the certificate file contains any `non-ascii` code, python fails to convert the `str` to a `byte` array.

By Aliaksandr Samuseu staff 21 Oct 2017 at 11:04 a.m. CDT

`CertUtil` seems to be some 3rd-party Python lib, if I understand it correctly. I don't see how we can help if it misbehaves.

By Sakit Atakishiyev user 21 Oct 2017 at 11:08 a.m. CDT

No Aliaksandr I am talking about [this](https://github.com/GluuFederation/oxAuth/blob/master/Server/src/main/java/org/xdi/oxauth/util/CertUtil.java)

By Aliaksandr Samuseu staff 21 Oct 2017 at 11:10 a.m. CDT

Can you provide your code, or fragment of it, which triggers this issue?

By Sakit Atakishiyev user 21 Oct 2017 at 11:17 a.m. CDT

I use the below python code snippet

```
def certFromString(self, x509CertificateEncoded):
    cert = base64.b64decode(x509CertificateEncoded)
    return CertUtil.x509CertificateFromBytes(cert)
```

If `cert` contains any `non-ascii` character this issue will happen.

By Aliaksandr Samuseu staff 21 Oct 2017 at 11:41 a.m. CDT

X.509 certificate in PEM format cannot contain non-ASCII characters, if it's valid - it's BASE64-encoded. If your certificate is in DER format, won't it be a solution to convert it to PEM before further processing it? Whenever I had to deal with certificates in Gluu, it was always expected it will be in PEM format, so it's possible that code doesn't support DER.

By Sakit Atakishiyev user 21 Oct 2017 at 11:50 a.m. CDT

Yes Aliaksandr, you are right. My certificate is BASE64-encoded. First I just decode it and call the `CertUtil.x509CertificateFromBytes` method. But this did not work. Then I just converted it to PEM format, but that did not help me. I got `Failed to parse X.509 certificates from bytes`. It complains `Empty string`. Currently I could not share the log files; I will do it on Monday for both cases.

By Aliaksandr Samuseu staff 21 Oct 2017 at 12:13 p.m. CDT

> Then I just converted PEM format, but did not help me. I got Failed to parse X.509 certificates from bytes. It complains Empty string.

Could you also share this converted certificate here?

By Sakit Atakishiyev user 21 Oct 2017 at 12:37 p.m. CDT

First I pass the below encoded certificate

```
[base64-encoded certificate body]
```

but then try the below code snippet

```
-----BEGIN CERTIFICATE-----
[base64-encoded certificate body]
-----END CERTIFICATE-----
```

By Aliaksandr Samuseu staff 02 Nov 2017 at 11:54 a.m. CDT

This issue seems to happen at the next line:

```
cert = base64.b64decode(x509CertificateEncoded)
```

`CertUtil` is not utilized at all when the 2nd certificate is processed in the provided code segment. The first certificate is processed successfully by it, though. The case doesn't seem to be related to Gluu's code base, so you may need to find another way to process the certificate that suits your needs, Sakit.

By Sakit Atakishiyev user 02 Nov 2017 at 12:05 p.m. CDT

Hi Aliaksandr. The code `cert = base64.b64decode(x509CertificateEncoded)` works normally; I got the error when calling `CertUtil.x509CertificateFromBytes(cert)`. And the reason is that when Jython converts `cert` to a `java byte array` it throws an error because `cert` contains non-ascii code. `cert` is `str` type. I know it is not related to Gluu code. But I think that if someone has a certificate which contains non-ascii code he/she does not convert this certificate to `X509` on the `Jython` side. I also googled whether there is any way of converting a non-ascii `str` to `byte[]`, but they did not work. Because I first convert `str` to `unicode` type and then call `CertUtil`, but this time my certificate is corrupted. So is it possible to add a new method to `CertUtil` which accepts an encoded certificate from a Jython script, decodes it (with a java native library) and then converts it to an `X509` certificate?

By Aliaksandr Samuseu staff 02 Nov 2017 at 1:04 p.m. CDT

For the 2nd certificate provided [here](https://support.gluu.org/customization/4662/certfromstring-encoding-error/#at26620) I'm getting an "Incorrect padding" exception from `base64.b64decode()`. Seems like it reacts as such to the enclosing "BEGIN/END" lines, as it's the only difference in it from the 1st certificate, which is processed without issues by both `b64decode` and `CertUtil.x509CertificateFromBytes()`.

I fail to see any issue here we should attend to, from our side. You are free to use any other Python library for certificate processing if Gluu's `CertUtil` doesn't work for you. Then again, any issues with 3rd party libraries are of no concern to Gluu.

If you have a clear view of how Gluu's current code could be enhanced to provide some required useful feature, please feel free to [submit a feature proposal at Github](https://github.com/GluuFederation/oxAuth/issues), or even commit the updated code itself. At the moment I see that at least for the 1st certificate provided by you `CertUtil.x509CertificateFromBytes()` produces some meaningful results. If it doesn't suit your needs, you should use some other 3rd-party library instead.
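
Added example, not part of the thread or of Gluu's code: one way to normalize certificate input into DER bytes before handing it to a parser, covering the three forms discussed above (raw DER, PEM with BEGIN/END lines, bare base64). It is written for CPython 3, where `base64.b64decode` returns `bytes` rather than the Jython 2.7 `str` discussed in the thread; the function names and the sample data are constructed for illustration.

```python
import base64
import binascii
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def is_der_sequence(buf):
    """True if buf is exactly one definite-length ASN.1 SEQUENCE (tag 0x30)."""
    if len(buf) < 2 or buf[0] != 0x30:
        return False
    if buf[1] < 0x80:                        # short form: length in one octet
        header, length = 2, buf[1]
    else:                                    # long form: next n octets hold it
        n = buf[1] & 0x7F
        if n == 0 or n > 4 or len(buf) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(buf[2:2 + n], "big")
    return header + length == len(buf)

def cert_to_der(data):
    """Accept DER bytes, PEM text or a bare base64 body; return DER bytes."""
    if isinstance(data, str):
        data = data.encode("ascii")          # PEM/base64 text is pure ASCII
    if is_der_sequence(data):
        return data                          # already binary, do not decode
    match = PEM_RE.search(data)
    body = match.group(1) if match else data
    body = b"".join(body.split())            # drop line breaks and spaces
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("not valid base64: %s" % exc)
    if not is_der_sequence(der):
        raise ValueError("decoded data is not a single DER SEQUENCE")
    return der

def naive_decode_error(text):
    """Message raised by a plain b64decode() on text, or None if it succeeds."""
    try:
        base64.b64decode(text)
    except binascii.Error as exc:
        return str(exc)
    return None

# Constructed sample: 264-byte SEQUENCE with every byte value, not a real X.509 object.
SAMPLE_DER = b"\x30\x82\x01\x04" + bytes(range(256)) + b"\x00" * 4
SAMPLE_B64 = base64.encodebytes(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % SAMPLE_B64
```

`naive_decode_error(SAMPLE_PEM)` shows why passing PEM straight to `b64decode` fails: the letters of the BEGIN/END lines are consumed as base64 data, while `cert_to_der` returns the same bytes for all three input forms.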

By Aliaksandr Samuseu staff 02 Nov 2017 at 1:40 p.m. CDT

You also can use `CertUtil.parsePem()`, passing it the actual base64-encoded certificate right after it's loaded from file, without decoding it first; that works for me as well, including the 2nd certificate. No decode errors, nothing. In the end it seems to produce Java's [X509Certificate object](https://docs.oracle.com/javase/7/docs/api/java/security/cert/X509Certificate.html). If that's not what you need, you should probably find some other certificate processing library.

By Aliaksandr Samuseu staff 02 Nov 2017 at 2:24 p.m. CDT

I further tested `CertUtil.x509CertificateFromBytes()` by feeding it a certificate in DER (binary) format and it was able to process it as well without issues. So far, everything seems to work as expected, to me. Here is the code I used:

```
loaded_certificate = self.loadCeritificate("/etc/certs/test_cert2.der")
cert = self.certFromString(loaded_certificate)
print ("extracted cert: ", cert)
...
def certFromString(self, x509CertificateEncoded):
    return CertUtil.x509CertificateFromBytes(x509CertificateEncoded)

def loadCeritificate(self, certificate_file):
    # Load certificate from file
    f = open(certificate_file, 'r')
    try:
        certificate = f.read()
    except:
        print "Failed to load certificate from file: '%s'" % certificate_file
        return None
    finally:
        f.close()
    return certificate
```

I got `test_cert2.der` by converting the 2nd certificate you provided before.

By Sakit Atakishiyev user 03 Nov 2017 at 12:35 a.m. CDT

Thank you very much Aliaksandr. I will test and share the result