usercertificate attribute fingerprint (possibly OT)


Natxo Asenjo

May 17, 2015, 11:15:02 AM
to perl...@perl.org
hi,

connecting to a freeipa ldap host (that uses the 389 directory server under the hood) I can successfully retrieve certificates belonging to hosts.

I can then use Crypt::X509 to extract info from that. But how could I get the fingerprints? If I use the Apache Directory Studio LDAP client I can see the md5 and sha1 fingerprints of the attribute but I seem incapable of getting it using my script.

use Net::LDAP;
use Crypt::X509;

# $server and $base are defined elsewhere in the script
my $ldap = Net::LDAP->new( $server ) or die "$@";

# Upgrade the connection to TLS and require a valid server certificate
my $mesg = $ldap->start_tls(
    verify => 'require',
    sslversion => 'tlsv1',
);

$mesg = $ldap->bind (
    "testuser",
     password    => 'pwd',
     version     => 3,
);

# Net::LDAP's search option for the requested attributes is 'attrs'
my $search = $ldap->search(
                        base    => $base,
                        scope   => 'sub',
                        filter  => '(objectclass=*)',
                        attrs   => ['usercertificate'],
                    );


for my $entry ( $search->entries) {
    my $cert =  $entry->get_value( 'usercertificate' );
    next unless defined $cert;    # entry has no certificate
    my $decoded = Crypt::X509->new ( cert => $cert );
    if ( $decoded->error ) {
        warn "Error parsing certificate: ", $decoded->error;
        next;                     # nothing usable to print
    }
    print "Subject: " . $decoded->subject_cn, "\n";
    print "notafter: " . gmtime( $decoded->not_after) , "\n";
}

So this works, but I see no method to get the fingerprint. Is there a way to get it from the info I get from ldap?

Thanks for any pointers.
 
--
Groeten,
natxo

Natxo Asenjo

May 17, 2015, 5:45:02 PM
to perl...@perl.org
On Sun, May 17, 2015 at 9:42 PM, Chris Ridd <chri...@mac.com> wrote:

> So this works, but I see no method to get the fingerprint. Is there a way to get it from the info I get from ldap?

This code uses Net::SSLeay to extract a fingerprint from something like your $cert.

http://cpansearch.perl.org/src/MIKEM/Net-SSLeay-1.46/examples/x509_cert_details.pl


Hi, thanks for your answer.

I ended up using Digest::SHA1 on $cert and massaging the digest; I got the sha1 fingerprints like that.


--
Groeten,
natxo
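
A certificate fingerprint is the digest of the DER-encoded certificate, which is the binary value held in usercertificate. The following is an added example, not code from anyone in this thread: it uses the core Digest::SHA and Digest::MD5 modules in place of Digest::SHA1, and the helper names and the sample bytes are made up for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex sha256_hex);
use Digest::MD5 qw(md5_hex);
use MIME::Base64 qw(decode_base64);

# Accept either raw DER (what get_value('usercertificate') returns) or PEM
# text, and return the DER bytes that the fingerprint is computed over.
sub to_der {
    my ($cert) = @_;
    if ( $cert =~ /-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----/s ) {
        return decode_base64($1);
    }
    return $cert;
}

# Turn "a1b2c3..." into the "A1:B2:C3:..." form LDAP browsers display.
sub colonize {
    my ($hex) = @_;
    return join ':', map { uc } $hex =~ /(..)/g;
}

# Return md5, sha1 and sha256 fingerprints for one certificate value.
sub fingerprints {
    my ($cert) = @_;
    my $der = to_der($cert);
    # A DER certificate is an ASN.1 SEQUENCE, so it must start with 0x30.
    # This catches hashing base64 text or an empty value by mistake.
    die "value is not DER encoded\n"
        unless length($der) && ord($der) == 0x30;
    return {
        md5    => colonize( md5_hex($der) ),
        sha1   => colonize( sha1_hex($der) ),
        sha256 => colonize( sha256_hex($der) ),
    };
}

# Constructed sample: a tiny DER SEQUENCE standing in for a certificate.
# In the script above, loop over all values of the attribute instead:
#   for my $cert ( $entry->get_value('usercertificate') ) { ... }
my $sample = "\x30\x03\x02\x01\x01";
my $fp = fingerprints($sample);
print "$_: $fp->{$_}\n" for qw(md5 sha1 sha256);
```

Calling get_value in list context, as in the comment, returns every certificate when an entry carries more than one.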