X509 certificate conversions
X509 to XML view
When security is required, the ebXML Collaboration Protocol Agreement (CPA) lists the X.509 certificates that are used for signing, encryption, SSL and so on. The CPA does not carry PEM files; each certificate is embedded in its XML view, an XML Signature (xmldsig) KeyInfo structure.
The original X.509 certificate file (in PEM notation) is shown next:
-----BEGIN CERTIFICATE-----
MIIDbDCCAtWgAwIBAgIJAK0YKzJXl6IeMA0GCSqGSIb3DQEBBQUAMIGBMQswCQYD
VQQGEwJMSTEQMA4GA1UECBMHQmFsemVyczEQMA4GA1UEBxMHQmFsemVyczETMBEG
A1UEChMKQ29yb25hdGlvbjESMBAGA1UECxMJU1NMU2VydmVyMSUwIwYDVQQDExxj
b3JvbmF0aW9uLWViWE1MLWIyYi1nYXRld2F5MB4XDTA3MDIxNDEyMjUxMVoXDTEw
MDIxMzEyMjUxMVowgYExCzAJBgNVBAYTAkxJMRAwDgYDVQQIEwdCYWx6ZXJzMRAw
DgYDVQQHEwdCYWx6ZXJzMRMwEQYDVQQKEwpDb3JvbmF0aW9uMRIwEAYDVQQLEwlT
U0xTZXJ2ZXIxJTAjBgNVBAMTHGNvcm9uYXRpb24tZWJYTUwtYjJiLWdhdGV3YXkw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALFf5I3rx+3INkzi1E0x8/NRP7ek
ffqNg3zn2rFPUeEzEJpfx/VTPOHyL6UU0VbF2HZyi+iBaSVP/NWVL7poQx+j89TZ
3hpa64Zhaq5e+ZmFZks/b6A3dWUzQCIXOzT/V1RPo31jjQAnZydVVdKnBvaHvu4i
7FnCnKcJ9sT8YWZ9AgMBAAGjgekwgeYwHQYDVR0OBBYEFMmp/YoOfRFGa0LnE9L3
g0lhe1YGMIG2BgNVHSMEga4wgauAFMmp/YoOfRFGa0LnE9L3g0lhe1YGoYGHpIGE
MIGBMQswCQYDVQQGEwJMSTEQMA4GA1UECBMHQmFsemVyczEQMA4GA1UEBxMHQmFs
emVyczETMBEGA1UEChMKQ29yb25hdGlvbjESMBAGA1UECxMJU1NMU2VydmVyMSUw
IwYDVQQDExxjb3JvbmF0aW9uLWViWE1MLWIyYi1nYXRld2F5ggkArRgrMleXoh4w
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCv/4KF2Q+QaZvrIAE2SmqZ
OIy5gsZITetzKyj3eJiQQbeXLejyF6BtBaSfbDAg6tCF6jh7IvKUeNS+xeW7vjNz
MNDrx0v/IF/2i7wR1nPqaFUhJdbiERBHdPrpIBSv5beJhgFLKr0IgZc5la277xYg
MrHlcciZwU1aQq2Uchu0YQ==
-----END CERTIFICATE-----
The (binary) tool hefeweizen_key_info_writer (in directory src-c/keyinfo-writer) is part of HefeWeizen and creates the XML view of a certificate. Its arguments are the private key file, the passphrase of that key and the certificate file; the XML is written to standard output. Note that the passphrase is passed as a plain command-line argument, so it is visible to other users in the process list and may end up in the shell history.
# hefeweizen_key_info_writer Coronation_ssl_server_private_key.pem passphrase Coronation_ssl_server_cacert.pem > Coronation_ssl_server_cacert.xml
Use a tool like xmlstarlet (xmlstarlet fo) to pretty-print the generated XML file.
The output looks like the following:
<?xml version="1.0"?>
<Certificate certId="">
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <KeyValue>
      <RSAKeyValue>
        <Modulus>
          sV/kjevH7cg2TOLUTTHz81E/t6R9+o2DfOfasU9R4TMQml/H9VM84fIvpRTRVsXY
          dnKL6IFpJU/81ZUvumhDH6Pz1NneGlrrhmFqrl75mYVmSz9voDd1ZTNAIhc7NP9X
          VE+jfWONACdnJ1VV0qcG9oe+7iLsWcKcpwn2xPxhZn0=
        </Modulus>
        <Exponent>
          AQAB
        </Exponent>
      </RSAKeyValue>
    </KeyValue>
    <X509Data>
      <X509Certificate>MIIDbDCCAtWgAwIBAgIJAK0YKzJXl6IeMA0GCSqGSIb3DQEBBQUAMIGBMQswCQYDVQQGEwJMSTEQMA4GA1UECBMHQmFsemVyczEQMA4GA1UEBxMHQmFsemVyczETMBEGA1UEChMKQ29yb25hdGlvbjESMBAGA1UECxMJU1NMU2VydmVyMSUwIwYDVQQDExxjb3JvbmF0aW9uLWViWE1MLWIyYi1nYXRld2F5MB4XDTA3MDIxNDEyMjUxMVoXDTEwMDIxMzEyMjUxMVowgYExCzAJBgNVBAYTAkxJMRAwDgYDVQQIEwdCYWx6ZXJzMRAwDgYDVQQHEwdCYWx6ZXJzMRMwEQYDVQQKEwpDb3JvbmF0aW9uMRIwEAYDVQQLEwlTU0xTZXJ2ZXIxJTAjBgNVBAMTHGNvcm9uYXRpb24tZWJYTUwtYjJiLWdhdGV3YXkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALFf5I3rx+3INkzi1E0x8/NRP7ekffqNg3zn2rFPUeEzEJpfx/VTPOHyL6UU0VbF2HZyi+iBaSVP/NWVL7poQx+j89TZ3hpa64Zhaq5e+ZmFZks/b6A3dWUzQCIXOzT/V1RPo31jjQAnZydVVdKnBvaHvu4i7FnCnKcJ9sT8YWZ9AgMBAAGjgekwgeYwHQYDVR0OBBYEFMmp/YoOfRFGa0LnE9L3g0lhe1YGMIG2BgNVHSMEga4wgauAFMmp/YoOfRFGa0LnE9L3g0lhe1YGoYGHpIGEMIGBMQswCQYDVQQGEwJMSTEQMA4GA1UECBMHQmFsemVyczEQMA4GA1UEBxMHQmFsemVyczETMBEGA1UEChMKQ29yb25hdGlvbjESMBAGA1UECxMJU1NMU2VydmVyMSUwIwYDVQQDExxjb3JvbmF0aW9uLWViWE1MLWIyYi1nYXRld2F5ggkArRgrMleXoh4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCv/4KF2Q+QaZvrIAE2SmqZOIy5gsZITetzKyj3eJiQQbeXLejyF6BtBaSfbDAg6tCF6jh7IvKUeNS+xeW7vjNzMNDrx0v/IF/2i7wR1nPqaFUhJdbiERBHdPrpIBSv5beJhgFLKr0IgZc5la277xYgMrHlcciZwU1aQq2Uchu0YQ==</X509Certificate>
      <X509SubjectName>CN=coronation-ebXML-b2b-gateway,OU=SSLServer,O=Coronation,L=Balzers,ST=Balzers,C=LI</X509SubjectName>
      <X509IssuerSerial>
        <X509IssuerName>CN=coronation-ebXML-b2b-gateway,OU=SSLServer,O=Coronation,L=Balzers,ST=Balzers,C=LI</X509IssuerName>
        <X509SerialNumber>12472766663220503070</X509SerialNumber>
      </X509IssuerSerial>
    </X509Data>
  </KeyInfo>
</Certificate>
This can be put into the ebXML Collaboration Protocol Agreement. Don't forget to set the namespace of the Certificate element (e.g. tp:Certificate) and its certId attribute, which the tool leaves empty.
XML view back to X509 certificate
The HefeWeizen system reads the installed ebXML CPAs and uses the certificates where appropriate, for example for HTTPS client authentication. The toolkit used by HefeWeizen requires the X.509 certificate in PEM notation, so a tool must recreate the PEM file from the XML part of the CPA. If you look closely at the XML view, the complete X.509 certificate is stored in it: the X509Certificate element holds the base64-encoded DER certificate, which is exactly the body of the PEM file, so the conversion back is lossless.
The Ruby script hefeweizen_XMLKeyInfoTox509Pem_writer.rb (in directory src/tools) converts the XML view back to the .pem format. The first argument is the XML file and the second is the desired output file.
# ruby hefeweizen_XMLKeyInfoTox509Pem_writer.rb Coronation_ssl_server_cacert.xml Coronation_ssl_server_my_cacert.pem
The content of the file Coronation_ssl_server_my_cacert.pem is
-----BEGIN CERTIFICATE-----
MIIDbDCCAtWgAwIBAgIJAK0YKzJXl6IeMA0GCSqGSIb3DQEBBQUAMIGBMQswCQYD
VQQGEwJMSTEQMA4GA1UECBMHQmFsemVyczEQMA4GA1UEBxMHQmFsemVyczETMBEG
A1UEChMKQ29yb25hdGlvbjESMBAGA1UECxMJU1NMU2VydmVyMSUwIwYDVQQDExxj
b3JvbmF0aW9uLWViWE1MLWIyYi1nYXRld2F5MB4XDTA3MDIxNDEyMjUxMVoXDTEw
MDIxMzEyMjUxMVowgYExCzAJBgNVBAYTAkxJMRAwDgYDVQQIEwdCYWx6ZXJzMRAw
DgYDVQQHEwdCYWx6ZXJzMRMwEQYDVQQKEwpDb3JvbmF0aW9uMRIwEAYDVQQLEwlT
U0xTZXJ2ZXIxJTAjBgNVBAMTHGNvcm9uYXRpb24tZWJYTUwtYjJiLWdhdGV3YXkw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALFf5I3rx+3INkzi1E0x8/NRP7ek
ffqNg3zn2rFPUeEzEJpfx/VTPOHyL6UU0VbF2HZyi+iBaSVP/NWVL7poQx+j89TZ
3hpa64Zhaq5e+ZmFZks/b6A3dWUzQCIXOzT/V1RPo31jjQAnZydVVdKnBvaHvu4i
7FnCnKcJ9sT8YWZ9AgMBAAGjgekwgeYwHQYDVR0OBBYEFMmp/YoOfRFGa0LnE9L3
g0lhe1YGMIG2BgNVHSMEga4wgauAFMmp/YoOfRFGa0LnE9L3g0lhe1YGoYGHpIGE
MIGBMQswCQYDVQQGEwJMSTEQMA4GA1UECBMHQmFsemVyczEQMA4GA1UEBxMHQmFs
emVyczETMBEGA1UEChMKQ29yb25hdGlvbjESMBAGA1UECxMJU1NMU2VydmVyMSUw
IwYDVQQDExxjb3JvbmF0aW9uLWViWE1MLWIyYi1nYXRld2F5ggkArRgrMleXoh4w
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCv/4KF2Q+QaZvrIAE2SmqZ
OIy5gsZITetzKyj3eJiQQbeXLejyF6BtBaSfbDAg6tCF6jh7IvKUeNS+xeW7vjNz
MNDrx0v/IF/2i7wR1nPqaFUhJdbiERBHdPrpIBSv5beJhgFLKr0IgZc5la277xYg
MrHlcciZwU1aQq2Uchu0YQ==
-----END CERTIFICATE-----
which is identical to the original certificate, as expected.
HefeWeizen runs this tool whenever a CPA is read, to prepare the .pem files the toolkit needs.
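Both conversions on this page, the X509-to-XML view and the XML-view-to-PEM direction, in one script. This is an added example written for this page; it is not hefeweizen_key_info_writer, not hefeweizen_XMLKeyInfoTox509Pem_writer.rb, and not otherwise part of HefeWeizen. It uses only openssl and rexml from the standard Ruby distribution, reproduces the element layout of the KeyInfo output shown above, and takes the Coronation certificate from this page as its input. The function names (cert_to_keyinfo_xml, keyinfo_xml_to_cert, keyinfo_xml_to_pem) and the certId value are assumptions of the example. On the way back it does one check the page does not mention: the KeyValue and X509SerialNumber that sit next to the X509Certificate must describe that same certificate, otherwise a CPA whose key parts were edited independently is rejected instead of silently producing a PEM file that disagrees with the rest of the KeyInfo.

```ruby
# Added example, not part of HefeWeizen: the X509 -> XML view and XML view ->
# PEM conversions from this page in plain Ruby (openssl and rexml from the
# standard distribution). Function names are the example's own.
require 'openssl'
require 'rexml/document'

DSIG_NS = 'http://www.w3.org/2000/09/xmldsig#'

# The self-signed Coronation gateway certificate from this page.
CORONATION_PEM = <<~PEM
  -----BEGIN CERTIFICATE-----
  MIIDbDCCAtWgAwIBAgIJAK0YKzJXl6IeMA0GCSqGSIb3DQEBBQUAMIGBMQswCQYD
  VQQGEwJMSTEQMA4GA1UECBMHQmFsemVyczEQMA4GA1UEBxMHQmFsemVyczETMBEG
  A1UEChMKQ29yb25hdGlvbjESMBAGA1UECxMJU1NMU2VydmVyMSUwIwYDVQQDExxj
  b3JvbmF0aW9uLWViWE1MLWIyYi1nYXRld2F5MB4XDTA3MDIxNDEyMjUxMVoXDTEw
  MDIxMzEyMjUxMVowgYExCzAJBgNVBAYTAkxJMRAwDgYDVQQIEwdCYWx6ZXJzMRAw
  DgYDVQQHEwdCYWx6ZXJzMRMwEQYDVQQKEwpDb3JvbmF0aW9uMRIwEAYDVQQLEwlT
  U0xTZXJ2ZXIxJTAjBgNVBAMTHGNvcm9uYXRpb24tZWJYTUwtYjJiLWdhdGV3YXkw
  gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALFf5I3rx+3INkzi1E0x8/NRP7ek
  ffqNg3zn2rFPUeEzEJpfx/VTPOHyL6UU0VbF2HZyi+iBaSVP/NWVL7poQx+j89TZ
  3hpa64Zhaq5e+ZmFZks/b6A3dWUzQCIXOzT/V1RPo31jjQAnZydVVdKnBvaHvu4i
  7FnCnKcJ9sT8YWZ9AgMBAAGjgekwgeYwHQYDVR0OBBYEFMmp/YoOfRFGa0LnE9L3
  g0lhe1YGMIG2BgNVHSMEga4wgauAFMmp/YoOfRFGa0LnE9L3g0lhe1YGoYGHpIGE
  MIGBMQswCQYDVQQGEwJMSTEQMA4GA1UECBMHQmFsemVyczEQMA4GA1UEBxMHQmFs
  emVyczETMBEGA1UEChMKQ29yb25hdGlvbjESMBAGA1UECxMJU1NMU2VydmVyMSUw
  IwYDVQQDExxjb3JvbmF0aW9uLWViWE1MLWIyYi1nYXRld2F5ggkArRgrMleXoh4w
  DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCv/4KF2Q+QaZvrIAE2SmqZ
  OIy5gsZITetzKyj3eJiQQbeXLejyF6BtBaSfbDAg6tCF6jh7IvKUeNS+xeW7vjNz
  MNDrx0v/IF/2i7wR1nPqaFUhJdbiERBHdPrpIBSv5beJhgFLKr0IgZc5la277xYg
  MrHlcciZwU1aQq2Uchu0YQ==
  -----END CERTIFICATE-----
PEM

def b64(bin)
  [bin].pack('m0')                     # base64 without line breaks
end

def unb64(text)
  text.gsub(/\s+/, '').unpack1('m0')   # tolerate wrapped base64 as in <Modulus>
end

# X509 -> XML view. cert_id is the certId attribute the CPA author fills in.
def cert_to_keyinfo_xml(pem, cert_id = '')
  cert = OpenSSL::X509::Certificate.new(pem)
  rsa  = cert.public_key
  raise 'only RSA certificates produce an RSAKeyValue' unless rsa.is_a?(OpenSSL::PKey::RSA)

  doc  = REXML::Document.new
  doc << REXML::XMLDecl.new('1.0')
  root = doc.add_element('Certificate', 'certId' => cert_id)
  ki   = root.add_element('KeyInfo', 'xmlns' => DSIG_NS)
  rkv  = ki.add_element('KeyValue').add_element('RSAKeyValue')
  rkv.add_element('Modulus').text  = b64(rsa.n.to_s(2))   # big-endian magnitude, no leading 0x00
  rkv.add_element('Exponent').text = b64(rsa.e.to_s(2))   # 65537 encodes as "AQAB"
  xd = ki.add_element('X509Data')
  xd.add_element('X509Certificate').text = b64(cert.to_der) # same bytes as the PEM body
  xd.add_element('X509SubjectName').text = cert.subject.to_s(OpenSSL::X509::Name::RFC2253)
  is = xd.add_element('X509IssuerSerial')
  is.add_element('X509IssuerName').text   = cert.issuer.to_s(OpenSSL::X509::Name::RFC2253)
  is.add_element('X509SerialNumber').text = cert.serial.to_s # decimal, as xmldsig requires
  doc.to_s
end

# XML view -> certificate object. Besides decoding <X509Certificate> it checks
# that the <KeyValue> and <X509SerialNumber> beside it describe the same
# certificate, so a KeyInfo whose parts disagree is rejected.
def keyinfo_xml_to_cert(xml)
  doc = REXML::Document.new(xml)
  ns  = { 'ds' => DSIG_NS }
  get = lambda do |path|
    el = REXML::XPath.first(doc, path, ns)
    raise "missing #{path}" unless el && el.text
    el.text
  end

  cert = OpenSSL::X509::Certificate.new(unb64(get.call('//ds:X509Certificate')))
  n = OpenSSL::BN.new(unb64(get.call('//ds:RSAKeyValue/ds:Modulus')), 2)
  e = OpenSSL::BN.new(unb64(get.call('//ds:RSAKeyValue/ds:Exponent')), 2)
  rsa = cert.public_key
  raise 'KeyValue does not match the public key in X509Certificate' unless rsa.n == n && rsa.e == e
  serial = get.call('//ds:X509IssuerSerial/ds:X509SerialNumber').strip
  raise 'X509SerialNumber does not match X509Certificate' unless cert.serial.to_s == serial
  cert
end

# XML view -> PEM text with the usual 64-character lines, what the toolkit needs.
def keyinfo_xml_to_pem(xml)
  keyinfo_xml_to_cert(xml).to_pem
end

if __FILE__ == $PROGRAM_NAME
  xml = cert_to_keyinfo_xml(CORONATION_PEM, 'CoronationSSLServer')
  puts xml                        # pipe through xmlstarlet fo for the indented form
  puts keyinfo_xml_to_pem(xml)    # prints the original certificate again
end
```

The XML is emitted on one line; pretty-printing is left to xmlstarlet as on the page. When parsing, whitespace inside the base64 elements is stripped first, so the line-wrapped Modulus shown above is accepted as well as the unwrapped form. The serial number is compared as a decimal string because that is how xmldsig defines X509SerialNumber; a hex serial from openssl x509 -serial would have to be converted before it can be compared.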
