Skip to the content.

Home

jc.parsers.x509_cert

jc - JSON Convert X.509 Certificate format file parser

This parser will convert DER and PEM encoded X.509 certificate files.

You can convert other certificate formats (e.g. PKCS #7, PKCS #12, etc.) by processing them through a program like openssl and sending the output to jc. (See examples below)

Note: jc does not verify the integrity of the certificate, which requires calculating the hash of the certificate body and comparing it to the the hash in the certificate's signature after it is decrypted with the issuer certificate's public key.

Usage (cli):

$ cat certificate.pem | jc --x509-cert

Usage (module):

import jc
result = jc.parse('x509_cert', x509_cert_file_output)

Schema:

[
  {
    "tbs_certificate": {
      "version":                      string,
      "serial_number":                string,  # [0]
      "serial_number_str":            string,
      "signature": {
        "algorithm":                  string,
        "parameters":                 string/null,
      },
      "issuer": {
        "country_name":               string,
        "state_or_province_name"      string,
        "locality_name":              string,
        "organization_name":          array/string,
        "organizational_unit_name":   array/string,
        "common_name":                string,
        "email_address":              string,
        "serial_number":              string,   # [0]
        "serial_number_str":          string
      },
      "validity": {
        "not_before":                 integer,  # [1]
        "not_after":                  integer,  # [1]
        "not_before_iso":             string,
        "not_after_iso":              string
      },
      "subject": {
        "country_name":               string,
        "state_or_province_name":     string,
        "locality_name":              string,
        "organization_name":          array/string,
        "organizational_unit_name":   array/string,
        "common_name":                string,
        "email_address":              string,
        "serial_number":              string,   # [0]
        "serial_number_str":          string
      },
      "subject_public_key_info": {
        "algorithm": {
          "algorithm":                string,
          "parameters":               string/null,
        },
        "public_key": {
          "modulus":                  string,  # [0]
          "public_exponent":          integer
        }
      },
      "issuer_unique_id":             string/null,
      "subject_unique_id":            string/null,
      "extensions": [
        {
          "extn_id":                  string,
          "critical":                 boolean,
          "extn_value":               array/object/string/integer  # [2]
        }
      ]
    },
    "signature_algorithm": {
      "algorithm":                    string,
      "parameters":                   string/null
    },
    "signature_value":                string  # [0]
  }
]

[0] in colon-delimited hex notation
[1] time-zone-aware (UTC) epoch timestamp
[2] See below for well-known Extension schemas:

    Basic Constraints:
    {
      "extn_id":                          "basic_constraints",
      "critical":                         boolean,
      "extn_value": {
        "ca":                             boolean,
        "path_len_constraint":            string/null
      }
    }

    Key Usage:
    {
      "extn_id":                          "key_usage",
      "critical":                         boolean,
      "extn_value": [
                                          string
      ]
    }

    Key Identifier:
    {
      "extn_id":                          "key_identifier",
      "critical":                         boolean,
      "extn_value":                       string  # [0]
    }

    Authority Key Identifier:
    {
      "extn_id":                          "authority_key_identifier",
      "critical":                         boolean,
      "extn_value": {
        "key_identifier":                 string,  # [0]
        "authority_cert_issuer":          string/null,
        "authority_cert_serial_number":   string/null
      }
    }

    Subject Alternative Name:
    {
      "extn_id":                          "subject_alt_name",
      "critical":                         boolean,
      "extn_value": [
                                          string
      ]
    }

    Certificate Policies:
    {
      "extn_id":                          "certificate_policies",
      "critical":                         boolean,
      "extn_value": [
        {
          "policy_identifier":            string,
          "policy_qualifiers": [          array or null
            {
              "policy_qualifier_id":      string,
              "qualifier":                string
            }
          ]
        }
      ]
    }

    Signed Certificate Timestamp List:
    {
      "extn_id":                    "signed_certificate_timestamp_list",
      "critical":                   boolean,
      "extn_value":                 string  # [0]
    }

Examples:

$ cat entrust-ec1.pem | jc --x509-cert -p
[
  {
    "tbs_certificate": {
      "version": "v3",
      "serial_number": "a6:8b:79:29:00:00:00:00:50:d0:91:f9",
      "signature": {
        "algorithm": "sha384_ecdsa",
        "parameters": null
      },
      "issuer": {
        "country_name": "US",
        "organization_name": "Entrust, Inc.",
        "organizational_unit_name": [
          "See www.entrust.net/legal-terms",
          "(c) 2012 Entrust, Inc. - for authorized use only"
        ],
        "common_name": "Entrust Root Certification Authority - EC1"
      },
      "validity": {
        "not_before": 1355844336,
        "not_after": 2144764536,
        "not_before_iso": "2012-12-18T15:25:36+00:00",
        "not_after_iso": "2037-12-18T15:55:36+00:00"
      },
      "subject": {
        "country_name": "US",
        "organization_name": "Entrust, Inc.",
        "organizational_unit_name": [
          "See www.entrust.net/legal-terms",
          "(c) 2012 Entrust, Inc. - for authorized use only"
        ],
        "common_name": "Entrust Root Certification Authority - EC1"
      },
      "subject_public_key_info": {
        "algorithm": {
          "algorithm": "ec",
          "parameters": "secp384r1"
        },
        "public_key": "04:84:13:c9:d0:ba:6d:41:7b:e2:6c:d0:eb:55:..."
      },
      "issuer_unique_id": null,
      "subject_unique_id": null,
      "extensions": [
        {
          "extn_id": "key_usage",
          "critical": true,
          "extn_value": [
            "crl_sign",
            "key_cert_sign"
          ]
        },
        {
          "extn_id": "basic_constraints",
          "critical": true,
          "extn_value": {
            "ca": true,
            "path_len_constraint": null
          }
        },
        {
          "extn_id": "key_identifier",
          "critical": false,
          "extn_value": "b7:63:e7:1a:dd:8d:e9:08:a6:55:83:a4:e0:6a:..."
        }
      ]
    },
    "signature_algorithm": {
      "algorithm": "sha384_ecdsa",
      "parameters": null
    },
    "signature_value": "30:64:02:30:61:79:d8:e5:42:47:df:1c:ae:53:..."
  }
]

$ openssl pkcs7 -in thawte.p7b -inform der -print_certs | \\
          jc --x509-cert -p
[
  {
    "tbs_certificate": {
      "version": "v3",
      "serial_number": "34:4e:d5:57:20:d5:ed:ec:49:f4:2f:ce:37:db...",
      "signature": {
        "algorithm": "sha1_rsa",
        "parameters": null
      },
      "issuer": {
        "country_name": "US",
        "organization_name": "thawte, Inc.",
        "organizational_unit_name": [
          "Certification Services Division",
          "(c) 2006 thawte, Inc. - For authorized use only"
        ],
        "common_name": "thawte Primary Root CA"
      },
      "validity": {
        "not_before": 1163721600,
        "not_after": 2099865599,
        "not_before_iso": "2006-11-17T00:00:00+00:00",
        "not_after_iso": "2036-07-16T23:59:59+00:00"
      },
      "subject": {
        "country_name": "US",
        "organization_name": "thawte, Inc.",
        "organizational_unit_name": [
          "Certification Services Division",
          "(c) 2006 thawte, Inc. - For authorized use only"
        ],
        "common_name": "thawte Primary Root CA"
      },
      "subject_public_key_info": {
        "algorithm": {
          "algorithm": "rsa",
          "parameters": null
        },
        "public_key": {
          "modulus": "ac:a0:f0:fb:80:59:d4:9c:c7:a4:cf:9d:a1:59:73...",
          "public_exponent": 65537
        }
      },
      "issuer_unique_id": null,
      "subject_unique_id": null,
      "extensions": [
        {
          "extn_id": "basic_constraints",
          "critical": true,
          "extn_value": {
            "ca": true,
            "path_len_constraint": null
          }
        },
        {
          "extn_id": "key_usage",
          "critical": true,
          "extn_value": [
            "crl_sign",
            "key_cert_sign"
          ]
        },
        {
          "extn_id": "key_identifier",
          "critical": false,
          "extn_value": "7b:5b:45:cf:af:ce:cb:7a:fd:31:92:1a:6a:b6:..."
        }
      ]
    },
    "signature_algorithm": {
      "algorithm": "sha1_rsa",
      "parameters": null
    },
    "signature_value": "79:11:c0:4b:b3:91:b6:fc:f0:e9:67:d4:0d:6e..."
  }
]

$ openssl pkcs12 -info -in certificate.pfx \\
          -passin pass: -passout pass: | \\
          jc --x509-cert -p
[
  {
    "tbs_certificate": {
      "version": "v3",
      "serial_number": "01",
      "signature": {
        "algorithm": "sha1_rsa",
        "parameters": null
      },
      "issuer": {
        "country_name": "FR",
        "state_or_province_name": "Alsace",
        "locality_name": "Strasbourg",
        "organization_name": "www.freelan.org",
        "organizational_unit_name": "freelan",
        "common_name": "Freelan Sample Certificate Authority",
        "email_address": "contact@freelan.org"
      },
      "validity": {
        "not_before": 1335522678,
        "not_after": 1650882678,
        "not_before_iso": "2012-04-27T10:31:18+00:00",
        "not_after_iso": "2022-04-25T10:31:18+00:00"
      },
      "subject": {
        "country_name": "FR",
        "state_or_province_name": "Alsace",
        "organization_name": "www.freelan.org",
        "organizational_unit_name": "freelan",
        "common_name": "alice",
        "email_address": "contact@freelan.org"
      },
      "subject_public_key_info": {
        "algorithm": {
          "algorithm": "rsa",
          "parameters": null
        },
        "public_key": {
          "modulus": "dd:6d:bd:f8:80:fa:d7:de:1b:1f:a7:a3:2e:b2:02...",
          "public_exponent": 65537
        }
      },
      "issuer_unique_id": null,
      "subject_unique_id": null,
      "extensions": [
        {
          "extn_id": "basic_constraints",
          "critical": false,
          "extn_value": {
            "ca": false,
            "path_len_constraint": null
          }
        },
        {
          "extn_id": "2.16.840.1.113730.1.13",
          "critical": false,
          "extn_value": "16:1d:4f:70:65:6e:53:53:4c:20:47:65:6e:65..."
        },
        {
          "extn_id": "key_identifier",
          "critical": false,
          "extn_value": "59:5f:c9:13:ba:1b:cc:b9:a8:41:4a:8a:49:79..."
        },
        {
          "extn_id": "authority_key_identifier",
          "critical": false,
          "extn_value": {
            "key_identifier": "23:6c:2d:3d:3e:29:5d:78:b8:6c:3e:aa...",
            "authority_cert_issuer": null,
            "authority_cert_serial_number": null
          }
        }
      ]
    },
    "signature_algorithm": {
      "algorithm": "sha1_rsa",
      "parameters": null
    },
    "signature_value": "13:e7:02:45:3e:a7:ab:bd:b8:da:e7:ef:74:88..."
  }
]

parse

def parse(data: Union[str, bytes],
          raw: bool = False,
          quiet: bool = False) -> List[Dict]

Main text parsing function

Parameters:

data:        (string or bytes) text or binary data to parse
raw:         (boolean) unprocessed output if True
quiet:       (boolean) suppress warning messages if True

Returns:

List of Dictionaries. Raw or processed structured data.

Parser Information

Compatibility: linux, darwin, cygwin, win32, aix, freebsd

Source: jc/parsers/x509_cert.py

Version 1.3 by Kelly Brazil (kellyjonbrazil@gmail.com)