I'm getting some strange results.
In a nutshell, what I want to do is parse through all certificates in SystemRootCertificates and identify the country of origin. To get a list of all root certificates and their SHA1 hashes, I do:
security find-certificate -a -Z /System/Library/Keychains/SystemRootCertificates.keychain | sed 's/^\ \ \ \ //' | grep -v '^keychain\|^class\|^attributes\|^"cenc\|^"ctyp\|^"hpky\|^"issu\|^"alis\|^"skid\|^"snbr\|^"subj'| sed 'N;s/\n/@/' | sed 's/"labl"\<blob\>\=//' | sed 's/^SHA-1\ hash\:\ //' | sort -t'@' -k2 > /tmp/rootcerts
It's certainly a little awkward, but it works. I can then parse through /tmp/rootcerts and use my '@' delimiter to have the name of the certificate and the hash. I can then use:
security find-certificate -c "$NAME" -p /System/Library/Keychains/SystemRootCertificates.keychain | openssl x509 -text | grep '^\ *Issuer:' | tr -s ' ' | cut -d' ' -f3 | sed -e 's/^C=//' -e 's/,$//'
And that gets me the two-letter country code for MOST certificates. Some others, it bombs out on, because of duplicate names, some weird characters, etc. This is why I wanted to look by hash instead of name. However, doing that is… weird! For example, one certificate name / hash pair is:
"ePKI Root Certification Authority" 67650DF17E8E7E5B8240A4F4564BCFE23D69C6F0
So, I try:
security find-certificate -Z 67650DF17E8E7E5B8240A4F4564BCFE23D69C6F0 -p /System/Library/Keychains/SystemRootCertificates.keychain
SHA-1 hash: 2DFF6336E33A4829AA009F01A1801EE7EBA582BB
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
class: 0x80001000
attributes:
    "alis"<blob>="Prefectural Association For JPKI"
    "cenc"<uint32>=0x00000003
    "ctyp"<uint32>=0x00000001
    "hpky"<blob>=0xD4173220AA40D911D8E69999080BB5FF2647CA7C "\324\0272 \252@\331\021\330\346\231\231\010\013\265\377&G\312|"
    "issu"<blob>=0x305A310B3009060355040613024A50310D300B060355040A0C044A504B4931293027060355040B0C20507265666563747572616C204173736F63696174696F6E20466F72204A504B493111300F060355040B0C084272696467654341 "0Z1\0130\011\006\003U\004\006\023\002JP1\0150\013\006\003U\004\012\014\004JPKI1)0'\006\003U\004\013\014 Prefectural Association For JPKI1\0210\017\006\003U\004\013\014\010BridgeCA"
    "labl"<blob>="Prefectural Association For JPKI"
    "skid"<blob>=0xD4173220AA40D911D8E69999080BB5FF2647CA7C "\324\0272 \252@\331\021\330\346\231\231\010\013\265\377&G\312|"
    "snbr"<blob>=0x01
    "subj"<blob>=0x305A310B3009060355040613024A50310D300B060355040A0C044A504B4931293027060355040B0C20507265666563747572616C204173736F63696174696F6E20466F72204A504B493111300F060355040B0C084272696467654341 "0Z1\0130\011\006\003U\004\006\023\002JP1\0150\013\006\003U\004\012\014\004JPKI1)0'\006\003U\004\013\014 Prefectural Association For JPKI1\0210\017\006\003U\004\013\014\010BridgeCA"
That was NOT the result I was expecting! Let's try again with another…
"Security Communication RootCA2" 5F3B8CF2F810B37D78B4CEEC1919C37334B9C774
security find-certificate -c "Security Communication RootCA2" /System/Library/Keychains/SystemRootCertificates.keychain
security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain.
security find-certificate -Z 5F3B8CF2F810B37D78B4CEEC1919C37334B9C774 /System/Library/Keychains/SystemRootCertificates.keychain
SHA-1 hash: 2DFF6336E33A4829AA009F01A1801EE7EBA582BB
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
class: 0x80001000
attributes:
    "alis"<blob>="Prefectural Association For JPKI"
    "cenc"<uint32>=0x00000003
    "ctyp"<uint32>=0x00000001
    "hpky"<blob>=0xD4173220AA40D911D8E69999080BB5FF2647CA7C "\324\0272 \252@\331\021\330\346\231\231\010\013\265\377&G\312|"
    "issu"<blob>=0x305A310B3009060355040613024A50310D300B060355040A0C044A504B4931293027060355040B0C20507265666563747572616C204173736F63696174696F6E20466F72204A504B493111300F060355040B0C084272696467654341 "0Z1\0130\011\006\003U\004\006\023\002JP1\0150\013\006\003U\004\012\014\004JPKI1)0'\006\003U\004\013\014 Prefectural Association For JPKI1\0210\017\006\003U\004\013\014\010BridgeCA"
    "labl"<blob>="Prefectural Association For JPKI"
    "skid"<blob>=0xD4173220AA40D911D8E69999080BB5FF2647CA7C "\324\0272 \252@\331\021\330\346\231\231\010\013\265\377&G\312|"
    "snbr"<blob>=0x01
    "subj"<blob>=0x305A310B3009060355040613024A50310D300B060355040A0C044A504B4931293027060355040B0C20507265666563747572616C204173736F63696174696F6E20466F72204A504B493111300F060355040B0C084272696467654341 "0Z1\0130\011\006\003U\004\006\023\002JP1\0150\013\006\003U\004\012\014\004JPKI1)0'\006\003U\004\013\014 Prefectural Association For JPKI1\0210\017\006\003U\004\013\014\010BridgeCA"
So color me puzzled :-)
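Added example (not from the post above): rather than looking certificates up again by name, this reads the issuer country straight out of the DER "issu" blob that `security find-certificate -a -Z` already prints for every record, keyed by the SHA-1 hash on the line before it, so duplicate labels and odd characters in names never come into play. It assumes the record layout shown in the post (a "SHA-1 hash:" line followed by the attribute block) and goes slightly beyond the post by walking the whole X.501 Name, not just the C= attribute; the sample dump is the post's JPKI record, trimmed.

```python
import re

COUNTRY_OID = bytes.fromhex("550406")  # DER body of 2.5.4.6 (X.520 countryName)

def read_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER element at pos; handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def name_attributes(der):
    """Walk an X.501 Name (SEQUENCE OF SET OF {OID, value}); yield (oid bytes, text)."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a DER SEQUENCE")
    pos = 0
    while pos < len(seq):
        _, rdn, pos = read_tlv(seq, pos)
        spos = 0
        while spos < len(rdn):
            _, atv, spos = read_tlv(rdn, spos)
            _, oid, vpos = read_tlv(atv, 0)
            vtag, value, _ = read_tlv(atv, vpos)
            # BMPString (tag 0x1E) is UTF-16BE; the other string types are ASCII/UTF-8
            yield oid, value.decode("utf-16-be" if vtag == 0x1E else "utf-8", "replace")

def issuer_country(issu_hex):
    """Country (C=) from the hex value of the "issu"<blob> attribute, or None if absent."""
    return next((v for o, v in name_attributes(bytes.fromhex(issu_hex)) if o == COUNTRY_OID), None)

# One record per certificate: its "SHA-1 hash:" line, then the attribute block containing "issu".
RECORD_RE = re.compile(r'SHA-1 hash: ([0-9A-F]{40}).*?"issu"<blob>=0x([0-9A-F]+)', re.S)

def countries_by_hash(dump_text):
    """Map SHA-1 fingerprint -> issuer country for every record in a find-certificate -a -Z dump."""
    return {h: issuer_country(issu) for h, issu in RECORD_RE.findall(dump_text)}

# Constructed sample: the JPKI record from the post, trimmed to the attributes the parser needs.
SAMPLE_DUMP = '''SHA-1 hash: 2DFF6336E33A4829AA009F01A1801EE7EBA582BB
attributes:
    "issu"<blob>=0x305A310B3009060355040613024A50310D300B060355040A0C044A504B4931293027060355040B0C20507265666563747572616C204173736F63696174696F6E20466F72204A504B493111300F060355040B0C084272696467654341
    "labl"<blob>="Prefectural Association For JPKI"
'''
```

Feed it the saved output of `security find-certificate -a -Z /System/Library/Keychains/SystemRootCertificates.keychain` and `countries_by_hash` returns one entry per root, `None` for any issuer DN without a C= attribute.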