In SoapUI, I am sending a SOAP request where I constructed a WSSE header with a BinarySecurityToken, which I understand to be the base64-encoded client certificate, which is in PKCS12 format. However, the ValueType attribute says it is #X509PKIPathv1, and after I base64-decode the token it generates, I cannot view it with OpenSSL in any certificate format other than openssl asn1parse. So it appears to be some form of the public version of the certificate, but I have no idea what format it is in. The OASIS docs just say X509PKIPathv1 is "An ordered list of X.509 certificates packaged in a PKIPath", which is not helpful. Does anyone know what X509PKIPathv1 is or how to use it?
Below is the tag from the SOAP request I am referring to. I am trying to recreate this SOAP request in Python, which is why I am asking. This question is also related to Why does `openssl asn1parse` not give an error but `openssl x509` does for a DER file?.
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-64A8138B2F6D8C69B617017819964911159">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</wsse:BinarySecurityToken>
Is this really programming or development?
PKIPath is defined in RFC6066 section 10.1 as SEQUENCE OF Certificate (from anchor down), which it asserts is compatible with X.509, though I don't have that to confirm. What you have clearly conforms to this.
OpenSSL doesn't support this directly, but on most Unix shells (making this at least marginally on-topic) you can fake it with something like
{ head -c4 >/dev/null; # or dd of=/dev/null bs=4 count=1 2>/dev/null
while openssl x509 -inform der -text -noout # or other options as desired
do :; done } <bin_file
or more manually with a script (more on-topic) something like
#!/bin/bash
# usage: splitpath.sh pkipath.der
# assumes chain doesn't exceed 65535 bytes but each cert does exceed 255,
# i.e. every length is the two-byte long form (0x82 hi lo), 4-byte headers
off=4; eof=$(stat -c%s "$1")
while [[ off -lt eof ]]; do
    # length bytes sit at off+2,off+3; add 4 for the cert's own header
    len=$(( 0x$(dd if="$1" bs=1 skip=$((off+2)) count=2 2>/dev/null \
                 | od -An -tx1 | tr -d ' ') + 4))
    printf -- "-----cert at %d,%d-----\n" $off $len
    dd if="$1" bs=1 skip=$off count=$len 2>/dev/null \
        | openssl x509 -inform der -noout -text
    (( off+=len ))
done
PS: this is not even remotely similar to PKCS12 format, which, other than usually containing one or more X.509/PKIX cert(s), often with private key(s) or other data, is totally different.
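Since the question is about rebuilding the request in Python, here is the same walk done there, as an added example that is not code from the question or the answer above. It parses the DER headers properly instead of assuming two-byte lengths, so it also handles short-form lengths and chains over 65535 bytes, and it goes the other way too: wrapping DER certificates into a PKIPath and base64-encoding it for the BinarySecurityToken text. Function names are my own; the two "certificates" at the bottom are constructed placeholder SEQUENCEs, not real X.509 certificates, so the tags and lengths are real but the contents are not.

```python
"""Split or build a WS-Security X509PKIPathv1 token (added example, not from the thread).

PKIPath is DER: SEQUENCE OF Certificate (RFC 6066 s10.1), trust-anchor side first.
Each element is a whole DER Certificate, so walking the outer SEQUENCE one TLV at a
time yields the individual certificates, whatever their length encodings.
Only the standard library is used; the demo "certificates" at the bottom are
constructed placeholder SEQUENCEs, not real X.509 certificates.
"""
import base64


def _read_tlv(buf: bytes, off: int) -> tuple[int, int, int]:
    """Parse the DER header at buf[off:]; return (tag, value_start, value_end)."""
    if off + 2 > len(buf):
        raise ValueError(f"truncated DER header at offset {off}")
    tag, first = buf[off], buf[off + 1]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags do not occur in a PKIPath")
    pos = off + 2
    if first < 0x80:                       # short form: one length byte
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:                                  # long form: 0x8N, then N big-endian bytes
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):
            raise ValueError(f"bad long-form length at offset {off}")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if (n == 1 and length < 0x80) or (n > 1 and buf[pos] == 0):
            raise ValueError("non-minimal length encoding is not DER")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError(f"DER value at offset {off} runs past end of data")
    return tag, pos, end


def _der_len(n: int) -> bytes:
    """Minimal DER length encoding for n."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def cert_spans(pkipath: bytes) -> list[tuple[int, int]]:
    """(offset, length) of each Certificate inside a DER PKIPath, in order."""
    tag, start, end = _read_tlv(pkipath, 0)
    if tag != 0x30:
        raise ValueError(f"PKIPath must be a SEQUENCE, got tag 0x{tag:02x}")
    if end != len(pkipath):
        raise ValueError("trailing bytes after the PKIPath SEQUENCE")
    spans, off = [], start
    while off < end:
        ctag, _, cend = _read_tlv(pkipath, off)
        if ctag != 0x30:
            raise ValueError(f"element at offset {off} is not a Certificate SEQUENCE")
        spans.append((off, cend - off))    # keep header + value together
        off = cend
    return spans


def split_pkipath(pkipath: bytes) -> list[bytes]:
    """The DER certificates inside a PKIPath, each usable with `openssl x509 -inform der`."""
    return [pkipath[off:off + length] for off, length in cert_spans(pkipath)]


def is_valid_pkipath(pkipath: bytes) -> bool:
    """True if the bytes parse as a well-formed PKIPath, False on any DER error."""
    try:
        cert_spans(pkipath)
        return True
    except ValueError:
        return False


def build_pkipath(certs: list[bytes]) -> bytes:
    """Wrap DER certificates (anchor side first, end entity last) in a PKIPath."""
    for c in certs:
        tag, _, end = _read_tlv(c, 0)
        if tag != 0x30 or end != len(c):
            raise ValueError("each element must be exactly one DER SEQUENCE")
    body = b"".join(certs)
    return b"\x30" + _der_len(len(body)) + body


def token_from_pkipath(pkipath: bytes) -> str:
    """Text content for the BinarySecurityToken element (EncodingType ...#Base64Binary)."""
    return base64.b64encode(pkipath).decode("ascii")


def pkipath_from_token(text: str) -> bytes:
    """Inverse: element text (line breaks allowed) back to DER bytes."""
    return base64.b64decode("".join(text.split()), validate=True)


def _fake_cert(payload: bytes) -> bytes:
    """Constructed stand-in for a Certificate: SEQUENCE { OCTET STRING payload }."""
    inner = b"\x04" + _der_len(len(payload)) + payload
    return b"\x30" + _der_len(len(inner)) + inner


# Constructed demo chain: a 264-byte "CA" (long-form length) and a 5-byte "leaf".
FAKE_CA = _fake_cert(b"A" * 256)
FAKE_LEAF = b"\x30\x03\x02\x01\x07"        # SEQUENCE { INTEGER 7 }
DEMO_PKIPATH = build_pkipath([FAKE_CA, FAKE_LEAF])

if __name__ == "__main__":
    for off, length in cert_spans(DEMO_PKIPATH):
        print(f"-----cert at {off},{length}-----")
    print(token_from_pkipath(DEMO_PKIPATH)[:40] + "...")
```

To use it on a real token, pass the element text to pkipath_from_token, then feed each element of split_pkipath to `openssl x509 -inform der -text -noout` (or to any X.509 library); to produce one, put your DER certificates in anchor-to-leaf order into build_pkipath and drop token_from_pkipath's output into the BinarySecurityToken element with the ValueType and EncodingType shown in the question.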