Read the iOS P12 certificate using the Python library pyOpenSSL

1, the preface

This article describes how to use Python to read information from a P12 node.

If you have experience in iOS team development, you must know something about P12, because the CER certificate produced by Apple developer website, Use only generate upload apple background CSR (Certificate Signing Request) files — — CertificateSigningRequest. CertSigningRequest macOS system installation, at the same time, A normal personal Development account can register a maximum of two iOS Development/Distribution certificates each. So p12 is a way to share certificates between multiple computers. IOS certificates are not covered in detail in this article, but you can see the reference link at the end of this article.

2. P12 certificate

But before I do that, I want to give you a theory. p12 — KCS12 file holds the private key and certificate. Personal Information Exchange File

P12 stores the certificate and private key using DER code. So what is DER? Here’s a little bit about certificates:

The certificate standard

X.509 – A certificate standard that defines what should be included in a certificate. For details, refer to RFC5280, the certificate standard used by SSL.

Coding format

The same X.509 certificate may have different encoding formats. Currently, there are two encoding formats:

• DER – Distinguished Encoding Rules, which is in binary format and cannot be read.

• Pem-privacy Enhanced Mail: Open the file in the format of —–BEGIN… The beginning, “– — — — — END…” At the end, the content is BASE64 encoding.

Therefore, to view the content of p12, it is best to convert it to PEM format. So here is a certificate standard format, it needs to implement this standard tools can parse:

• OpenSSL– the OpenSSL isSSLSSL is only a specification. In theory, the SSL specification is secure and difficult to crack with the current state of the art, but the SSL implementation can have some vulnerabilities, such as the famous “heartbleed”. OpenSSL also provides a bunch of powerful tools that 90% of us don’t use.

Therefore, you can use OpenSSL to read the information about the P12 and convert the P12 to pem by running the following command:

openssl pkcs12 -in XXX.p12  -out XXX.pem -nodes
Copy the code

After the command is executed, the password of the P12 file is required. If the password is incorrect, run the following command: Mac verify error: invalid password? If the password is correct: MAC Verified OK.

Example:

P12:

Pem:

PyOpenSSL use

So, pyOpenSSL can be used to parse p12 in Python. There is nothing more to say here, just look at the code:

Install pyOpenSSL first:

pip install pyOpenSSL
Copy the code

P12 file read code:

# load OpenSSL.crypto
from OpenSSL import crypto

# open it, using password. Supply/read your own from stdin.
p12 = crypto.load_pkcs12(open("/Users/HTC/Desktop/HTC.p12".'rb').read(), '123456')

cer = p12.get_certificate()     # (signed) certificate object
pkey = p12.get_privatekey()      # private key.
ca_cer = p12.get_ca_certificates() # ca chain.
print(cer, pkey, ca_cer)

print('version', cer.get_version())
print('Signature algorithm', cer.get_signature_algorithm())
print('Serial number:', cer.get_serial_number())
print('Certificate expired:', cer.has_expired())
print('Not valid before:', cer.get_notBefore())
print('Not valid after this time', cer.get_notAfter())



# theme name
subject = cer.get_subject()
s_components = subject.get_components()
print(s_components)

key_dict = {'UID': 'user ID'.'CN': 'Common Name'.'OU': 'Organizational unit'.'O': 'organization'.'C': 'Country or region'
			}

for (key, value) in s_components:
	print(key, value)
	print(key_dict.get(key.decode(), key))

# Name of issuer
suer = cer.get_issuer()
print(suer.get_components())

# Certificate extension information
print('Extension number:', cer.get_extension_count())
print('Extension 1:', cer.get_extension(0))

Copy the code

conclusion

Now after Xcode8, you can log in the developer account, download and manage certificates automatically, so as to reduce the problems that developers encounter in configuring certificates, very convenient. Of course, if you have multiple developers or cross-domain teams, or you don’t want the developers to have maximum access, using p12 is still the best way to go! If all the sub-accounts under a master account can operate the certificate, it is difficult to guarantee the impact and security. Therefore, Apple also has a certain reason, it is difficult to manage the permissions in Xcode accounts.

About the certificate, here just introduces the simple knowledge of P12, the certificate system has a lot of standards and knowledge, but also need to learn more combat, come on!

reference

• cryptography – Python: reading a pkcs12 certificate with pyOpenSSL.crypto – Stack Overflow
• Python: Read pkCS12 certificates with PyOpenssl. crypto – code log
• About developing Certificates & Identifiers & Provisioning Profiles IOS Release – Front-end Stack Development – CSDN Blog
• IOS Developer Certificate – Detailed/generated/used – Echo’s Blog –
• Python to view ipA UDID and other basic information – simple book
• Those certificates related stuff (SSL, x. 509, PEM, DER, CRT, CER, KEY, CSR, P12) – guogangj – blog garden

• If you have any questions, feel free to discuss them in the comments section!
• If there are incorrect places, welcome to guide!