Feature Request: Parse output Microsoft Template OID 1.3.6.1.4.1.311.21.7

[leamese]

Hi,

I am trying to determine the certificate template used. offcourse this is only used when the certificate is issued by a microsoft CA.

I do the following:

with open("C:\\cert\\xyz.crt", "rb") as cert_file:
    cert_data = cert_file.read()

# Parse the certificate
cert = x509.load_pem_x509_certificate(cert_data, default_backend())

# Find the Certificate Template Information extension
cert_template_extension = None

extension = None
for ext in cert.extensions:
    if ext.oid.dotted_string == "1.3.6.1.4.1.311.21.7":
        extension = ext
        print(ext.value.value)

ext.value.value:
b'0.\x06&+\x06\x01\x04\x01\x827\x15\x08\x86\xf6\xf87\x86\x8e\xf4$\x82\xd5\x91\x02\x86\xa3\xb83\x84\x9c\xe9>x\x81\xbc\xdb(\x81\xb0\xf7`\x02\x01d\x02\x01D'

it would be helpful to have it parsed correctly. It should translate to something like this:
Template=1.3.6.1.4.1.311.21.8.14531639.12827172.5589122.13163571.8860862.120.3091880.2898912
Primair versionnumber=100
Secundair versionnumber=68
Info: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/9da866e5-9ce9-4a83-9064-0d20af8b2ccf

CertificateTemplateOID ::= SEQUENCE {
         templateID              OBJECT IDENTIFIER,
         templateMajorVersion    INTEGER (0..4294967295) OPTIONAL,
         templateMinorVersion    INTEGER (0..4294967295) OPTIONAL
     } --#public

ext.value:
<UnrecognizedExtension(oid=<ObjectIdentifier(oid=1.3.6.1.4.1.311.21.7, name=Unknown OID)>, value=b'0.\x06&+\x06\x01\x04\x01\x827\x15\x08\x86\xf6\xf87\x86\x8e\xf4$\x82\xd5\x91\x02\x86\xa3\xb83\x84\x9c\xe9>x\x81\xbc\xdb(\x81\xb0\xf7\x02\x01d\x02\x01D')> b'0.\x06&+\x06\x01\x04\x01\x827\x15\x08\x86\xf6\xf87\x86\x8e\xf4$\x82\xd5\x91\x02\x86\xa3\xb83\x84\x9c\xe9>x\x81\xbc\xdb(\x81\xb0\xf7\x02\x01d\x02\x01D'

Is it possible to implement this?

Kind Regards

[alex]

Historically we've only implemented extensions that are specified in RFC, so this would be new for us and we'll need to think about it a bit. That said technically this looks straight forward: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/9da866e5-9ce9-4a83-9064-0d20af8b2ccf

…

On Thu, Apr 6, 2023 at 5:30 AM leamese ***@***.***> wrote: Hi, I am trying to determine the certificate template used. offcourse this is only used when the certificate is issued by a microsoft CA. I do the following: with open("C:\\cert\\xyz.crt", "rb") as cert_file: cert_data = cert_file.read() # Parse the certificate cert = x509.load_pem_x509_certificate(cert_data, default_backend()) # Find the Certificate Template Information extension cert_template_extension = None extension = None for ext in cert.extensions: if ext.oid.dotted_string == "1.3.6.1.4.1.311.21.7": extension = ext print(ext.value.value) ext.value.value: b'0.\x06&+\x06\x01\x04\x01\x827\x15\x08\x86\xf6\xf87\x86\x8e\xf4$\x82\xd5\x91\x02\x86\xa3\xb83\x84\x9c\xe9>x\x81\xbc\xdb(\x81\xb0\xf7`\x02\x01d\x02\x01D' it would be helpful to have it parsed correctly. It should translate to: Template=1.3.6.1.4.1.311.21.8.14531639.12827172.5589122.13163571.8860862.120.3091880.2898912 Primair versionnumber=100 Secundair versionnumber=68 ext.value: <UnrecognizedExtension(oid=<ObjectIdentifier(oid=1.3.6.1.4.1.311.21.7, name=Unknown OID)>, value=b'0.\x06&+\x06\x01\x04\x01\x827\x15\x08\x86\xf6\xf87\x86\x8e\xf4$\x82\xd5\x91\x02\x86\xa3\xb83\x84\x9c\xe9>x\x81\xbc\xdb(\x81\xb0\xf7\x02\x01d\x02\x01D')> b'0.\x06&+\x06\x01\x04\x01\x827\x15\x08\x86\xf6\xf87\x86\x8e\xf4$\x82\xd5\x91\x02\x86\xa3\xb83\x84\x9c\xe9>x\x81\xbc\xdb(\x81\xb0\xf7 \x02\x01d\x02\x01D' http://oid-info.com/cgi-bin/display?oid=1.3.6.1.4.1.311.21.7&a=display=> MS Template OID Is it possible to implement this? Kind Regards — Reply to this email directly, view it on GitHub <#8676>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAAGBBPWKJX5XKMHF47NYDW72LL7ANCNFSM6AAAAAAWVHCUTI> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

-- All that is necessary for evil to succeed is for good people to do nothing.

[leamese]

Thanks. I'll keep an eye on this thread. If it helps, with open ssl i used "openssl asn1parse -in .\xyz.crt" which supplied me with
1183:d=5 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.21.7
1194:d=5 hl=2 l= 48 prim: OCTET STRING [HEX DUMP]:302E06262B060104018237150886F6F837868EF42482D5910286A3B833849CE93E7881BCDB2881B0F760020164020144

decoding the hex dump with http://ldh.org/asn1.html gives me the sequence (as described by microsoft)
SEQUENCE {
OBJECTIDENTIFIER 1.3.6.1.4.1.311.21.8.14531639.12827172.5589122.13163571.8860862.120.3091880.2898912
INTEGER 0x64 (100 decimal)
INTEGER 0x44 (68 decimal)
}
if those individual elements within the sequence could be accessed that would be great :). Especially that object identifier value.

Kind regards