I'm automating nmap using Python. I'd like to get some specific values from the results, which is a string:
PORT STATE SERVICE
443/tcp open https
| ssl-cert: Subject: commonName=*.google.com/organizationName=Google LLC/stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:*.google.com, DNS:*.android.com, DNS:*.appengine.google.com, DNS:*.cloud.google.com, DNS:*.crowdsource.google.com, DNS:*.g.co, DNS:*.gcp.gvt2.com, DNS:*.gcpcdn.gvt1.com, DNS:*.ggpht.cn, DNS:*.gkecnapps.cn, DNS:*.google-analytics.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleadapis.com, DNS:*.googleapis.cn, DNS:*.googlecnapps.cn, DNS:*.googlecommerce.com, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic.com, DNS:*.gstaticcnapps.cn, DNS:*.gvt1.com, DNS:*.gvt2.com, DNS:*.metric.gstatic.com, DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.wear.gkecnapps.cn, DNS:*.youtube-nocookie.com, DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.youtubekids.com, DNS:*.yt.be, DNS:*.ytimg.com, DNS:android.clients.google.com, DNS:android.com, DNS:developer.android.google.cn, DNS:developers.android.google.cn, DNS:g.co, DNS:ggpht.cn, DNS:gkecnapps.cn, DNS:goo.gl, DNS:google-analytics.com, DNS:google.com, DNS:googlecnapps.cn, DNS:googlecommerce.com, DNS:source.android.google.cn, DNS:urchin.com, DNS:www.goo.gl, DNS:youtu.be, DNS:youtube.com, DNS:youtubeeducation.com, DNS:youtubekids.com, DNS:yt.be
| Issuer: commonName=GTS CA 1O1/organizationName=Google Trust Services/countryName=US
| Public Key type: unknown
| Public Key bits: 256
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-03-03T09:45:25
| Not valid after: 2020-05-26T09:45:25
| MD5: bda3 4bfa 9f3d 5091 14a2 4a0e 992b 183f
|_SHA-1: 12b0 59d4 f6fb cd67 5013 a49e 44cf 053f d773 a07f
My method returns the issuer, public key, public key bits and signature algorithm, but with the rest of the string output as well:
import subprocess

def run_command():
    command = "nmap -p 443 --script ssl-cert google.com"
    output = subprocess.getoutput(command)
    # each split keeps everything after the marker, not only the field value
    Issuer = output.split("Issuer: ", 1)[1]
    public_key = output.split("Public Key type: ", 1)[1]
    public_key_bit = output.split("Public Key bits: ", 1)[1]
    singature_algor = output.split("Signature Algorithm: ", 1)[1]
    print(Issuer, public_key, public_key_bit, singature_algor)
The wanted result is to print just the value of each of these fields below:
Issuer: commonName=GTS CA 1O1/organizationName=Google Trust Services/countryName=US
Public Key type: unknown
Public Key bits: 256
Signature Algorithm: sha256WithRSAEncryption
I managed to find a way:
import re
import subprocess

def verify_certificate(self, to_check):
    command = "nmap -p 443 --script ssl-cert google.com"
    output = subprocess.getoutput(command)
    # every line that carries the wanted field name, e.g. "Issuer:"
    line = re.findall(to_check + ":.*$", output, re.MULTILINE)
    for x in line:
        results = x.split(to_check + ":", 1)[1]
        print(results)
Output:
commonName=GTS CA 1O1/organizationName=Google Trust Services/countryName=US
and by changing to_check value, I get the other values as well without duplicate code.
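An added Go example (not code from the question or the answer above) that does the same extraction while avoiding two weaknesses of the posted Python: the target is validated against a hostname pattern and handed to nmap as a separate argument rather than through a shell string, so a caller-supplied value cannot append options or commands, and the script block is parsed line by line so each field comes back on its own. SampleOutput is a shortened copy of the ssl-cert block from the question; hostPattern, ParseSSLCert, SANs and RunSSLCert are names chosen here.

```go
package main

import (
	"bufio"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// SampleOutput is a shortened copy of the nmap ssl-cert block from the question,
// embedded so the parser can be exercised without running nmap.
const SampleOutput = `PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=*.google.com/organizationName=Google LLC/stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:*.google.com, DNS:*.android.com, DNS:google.com
| Issuer: commonName=GTS CA 1O1/organizationName=Google Trust Services/countryName=US
| Public Key type: unknown
| Public Key bits: 256
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-03-03T09:45:25
| Not valid after: 2020-05-26T09:45:25
| MD5: bda3 4bfa 9f3d 5091 14a2 4a0e 992b 183f
|_SHA-1: 12b0 59d4 f6fb cd67 5013 a49e 44cf 053f d773 a07f`

// hostPattern accepts only a bare hostname or IPv4 literal. Spaces, ';', '|'
// and a leading '-' are all refused before nmap is started.
var hostPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$`)

// ParseSSLCert reads the "| Key: value" lines of an ssl-cert script block into
// a map keyed by field name, e.g. fields["Issuer"] or fields["Public Key bits"].
func ParseSSLCert(output string) map[string]string {
	fields := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if !strings.HasPrefix(line, "|") {
			continue // port table and other non-script lines
		}
		line = strings.TrimLeft(line, "|_ ")          // "| " or "|_" prefix
		line = strings.TrimPrefix(line, "ssl-cert: ") // script name on the first line
		parts := strings.SplitN(line, ": ", 2)        // split at the first ": " only
		if len(parts) != 2 {
			continue
		}
		fields[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
	}
	return fields
}

// SANs returns the DNS names listed in the "Subject Alternative Name" field.
func SANs(fields map[string]string) []string {
	var names []string
	for _, entry := range strings.Split(fields["Subject Alternative Name"], ",") {
		if entry = strings.TrimSpace(entry); strings.HasPrefix(entry, "DNS:") {
			names = append(names, strings.TrimPrefix(entry, "DNS:"))
		}
	}
	return names
}

// RunSSLCert scans one validated host and parses the result. exec.Command passes
// the arguments to nmap directly; no shell ever interprets the host string.
func RunSSLCert(host string) (map[string]string, error) {
	if !hostPattern.MatchString(host) {
		return nil, fmt.Errorf("refusing target %q: not a plain hostname", host)
	}
	out, err := exec.Command("nmap", "-p", "443", "--script", "ssl-cert", host).Output()
	if err != nil {
		return nil, err
	}
	return ParseSSLCert(string(out)), nil
}

func main() {
	fields := ParseSSLCert(SampleOutput)
	for _, k := range []string{"Issuer", "Public Key type", "Public Key bits", "Signature Algorithm"} {
		fmt.Printf("%s: %s\n", k, fields[k])
	}
	fmt.Println("SANs:", SANs(fields))
}
```

RunSSLCert still needs nmap on the PATH; everything else runs offline against the embedded sample. The bufio scanner's default 64 KiB line limit is ample for the long Subject Alternative Name line shown in the question.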
Using the openssl command directly at the prompt, I can print the subject of a certificate directly in ASN.1 format:
openssl x509 -subject -noout -nameopt rfc2253 -nameopt dump_all -nameopt oid -nameopt sep_multiline -in mycertificate.cer
The certificate is:
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----
The output of the command above is:
subject=
0.9.2342.19200300.100.1.1=#132437323138653161662D313935662D343262352D613434622D386337383238343730663561
2.5.4.97=#132A4F464242522D37346539323964392D333362362D346438352D386261372D633134366338363761383137
1.3.6.1.4.1.311.60.2.1.3=#1302554B
2.5.4.15=#131450726976617465204F7267616E697A6174696F6E
2.5.4.5=#130E3433313432363636303030313937
2.5.4.3=#1303747070
2.5.4.10=#13134F70656E2042616E6B696E672042726173696C
2.5.4.7=#13064C4F4E444F4E
2.5.4.8=#1302524A
2.5.4.6=#13024252
I'm trying to get similar output using NodeJS, but without success... I've tried X509Certificate from crypto, asn1js and pkijs, but had no success.
Is there a way to get the values using Node?
Thanks
As mentioned in the comment, the best way is to use https://nodejs.org/api/crypto.html#x509subject
The output is a string and is perfectly parsable.
This is an ordered collection of key/values ('=' separating key from value and '\n' separating each key/value).
The output for your certificate is:
C=BR
ST=RJ
L=LONDON
O=Open Banking Brasil
CN=tpp
serialNumber=43142666000197
businessCategory=Private Organization
jurisdictionC=UK
organizationIdentifier=OFBBR-74e929d9-33b6-4d85-8ba7-c146c867a817
UID=7218e1af-195f-42b5-a44b-8c7828470f5a
This is the human readable form of the component subject of your certificate encoded here as an ASN.1 value (search for subject rdnSequence)
Note that ASN.1 format is not a thing ...
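To make the relation between the two outputs concrete, here is an added Go example (not code from the question or the answer) that decodes the openssl dump_all form: each #hex value is a complete DER string element, so it is parsed with encoding/asn1, and the OID is mapped to the short name that Node prints. SampleSubject is the openssl output from the question; Attribute, oidNames, DecodeDERString and ParseOpenSSLSubject are names chosen here, and the OID table covers only the ten attributes in that output.

```go
package main

import (
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"strings"
)

// SampleSubject is the "-nameopt rfc2253 -nameopt dump_all -nameopt oid" output
// quoted in the question, embedded so the decoder runs offline.
const SampleSubject = `subject=
0.9.2342.19200300.100.1.1=#132437323138653161662D313935662D343262352D613434622D386337383238343730663561
2.5.4.97=#132A4F464242522D37346539323964392D333362362D346438352D386261372D633134366338363761383137
1.3.6.1.4.1.311.60.2.1.3=#1302554B
2.5.4.15=#131450726976617465204F7267616E697A6174696F6E
2.5.4.5=#130E3433313432363636303030313937
2.5.4.3=#1303747070
2.5.4.10=#13134F70656E2042616E6B696E672042726173696C
2.5.4.7=#13064C4F4E444F4E
2.5.4.8=#1302524A
2.5.4.6=#13024252`

// Attribute is one subject component: its OID, the short name Node's
// X509Certificate.subject prints for it (empty if unknown) and the decoded value.
type Attribute struct {
	OID, Name, Value string
}

// oidNames pairs the OIDs in the openssl dump with the names in the Node output.
var oidNames = map[string]string{
	"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L", "2.5.4.10": "O", "2.5.4.3": "CN",
	"2.5.4.5": "serialNumber", "2.5.4.15": "businessCategory",
	"1.3.6.1.4.1.311.60.2.1.3": "jurisdictionC", "2.5.4.97": "organizationIdentifier",
	"0.9.2342.19200300.100.1.1": "UID",
}

// DecodeDERString decodes one "#<hex>" value. With dump_all, openssl prints the
// whole DER element: a string tag (0x13 PrintableString, 0x0C UTF8String, ...),
// a length and the bytes. Only simple string types are accepted here.
func DecodeDERString(h string) (string, error) {
	raw, err := hex.DecodeString(strings.TrimPrefix(h, "#"))
	if err != nil {
		return "", err
	}
	var rv asn1.RawValue
	rest, err := asn1.Unmarshal(raw, &rv)
	if err != nil {
		return "", err
	}
	if len(rest) != 0 || rv.Class != asn1.ClassUniversal || rv.IsCompound {
		return "", fmt.Errorf("not a single primitive DER element")
	}
	switch rv.Tag {
	case asn1.TagPrintableString, asn1.TagUTF8String, asn1.TagIA5String, asn1.TagT61String:
		return string(rv.Bytes), nil
	}
	return "", fmt.Errorf("unsupported string tag %d", rv.Tag)
}

// ParseOpenSSLSubject converts the "oid=#hex" lines into attributes, keeping
// openssl's order (rfc2253 form lists the RDNs reversed relative to the DER
// sequence, which is why Node prints C=BR first and openssl prints it last).
func ParseOpenSSLSubject(text string) ([]Attribute, error) {
	var attrs []Attribute
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || line == "subject=" {
			continue
		}
		parts := strings.SplitN(line, "=", 2)
		if len(parts) != 2 || !strings.HasPrefix(parts[1], "#") {
			return nil, fmt.Errorf("unexpected line %q", line)
		}
		value, err := DecodeDERString(parts[1])
		if err != nil {
			return nil, fmt.Errorf("%s: %w", parts[0], err)
		}
		attrs = append(attrs, Attribute{OID: parts[0], Name: oidNames[parts[0]], Value: value})
	}
	return attrs, nil
}

func main() {
	attrs, err := ParseOpenSSLSubject(SampleSubject)
	if err != nil {
		panic(err)
	}
	for _, a := range attrs {
		fmt.Printf("%-26s %-22s %s\n", a.OID, a.Name, a.Value)
	}
}
```

The decoder refuses trailing bytes, constructed tags and non-string types rather than guessing, which matters when the input comes from a certificate you did not issue. Reverse the returned slice if you want the same order as Node's subject string.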
I am trying to run a Hyperledger v2.0 fabric-ca-client binary file to get certificates with SANS configurations...
$ fabric-ca-client enroll -u ${CA_FULL_URL} --tls.certfiles ${CA_CERT_PATH} --csr.hosts peer0-org1 --enrollment.profile tls
So we have "--csr.hosts peer0-org1" to supposedly generate certs that include a SAN (Subject Alternative Name)...
BUT when checking it with $ openssl x509 -noout -text -in certificateX123.pem
The result is:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:3b:4f:ea:63:1a:03:b4:61:45:e9:44:1b:29:dc:ed:e6:bc:0b:76
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = fabric-ca-server
Validity
Not Before: Jun 21 05:14:00 2020 GMT
Not After : Jun 18 05:14:00 2035 GMT
Subject: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = fabric-ca-server
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:3c:3f:d9:97:7e:fc:08:e5:0a:3f:fe:b3:fe:70:
33:20:92:6c:88:78:19:35:08:00:98:97:17:8b:af:
03:44:2d:a4:4d:65:63:fc:d8:b5:4c:23:cc:e6:63:
55:a3:4f:04:62:72:8d:b2:fa:f1:9a:9d:14:9f:f9:
aa:33:ee:fe:e8
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
X509v3 Subject Key Identifier:
78:B7:6D:51:91:0C:9E:6C:31:C9:63:67:34:BD:CA:18:B5:C5:35:D1
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:6a:1a:92:cc:45:9b:c9:a5:4d:61:b9:bd:a3:94:
b2:2c:52:7a:16:36:91:12:f9:a0:1f:fe:77:29:a3:1e:05:5d:
02:20:7f:e0:5d:c9:03:4f:8e:b2:6d:66:a4:8f:04:fb:e0:e6:
52:cf:e0:e9:3a:1a:36:bc:7b:98:99:f9:c4:64:c6:7e
I don't see any SANS configurations like
SANS:
- "localhost"
- "127.0.0.1"
So WHY is there no SANS configuration in the generated certificate??? Please help. Thank you!
@Russo, as mentioned by @ChintanRajvir, it is a Fabric tls-ca. You don't need SANs in the tls-ca. Instead check network/crypto-config/peerOrganizations/beta.com/peers/peer1.beta.com/tls/server.crt. Change the org name accordingly. This is the certificate which requires SANs, not the tls-ca.
Snippet
openssl x509 -in crypto-config/peerOrganizations/beta.com/peers/peer1.beta.com/tls/server.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
06:ca:fc:cb:29:77:d1:ff:b5:19:ac:64:67:89:26:e2:2e:28:61:00
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = ca.beta.com
Validity
Not Before: Jun 23 07:34:00 2020 GMT
Not After : Jun 23 07:39:00 2021 GMT
Subject: C = US, ST = North Carolina, O = Hyperledger, OU = peer, CN = peer1.beta.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:4d:d3:f8:a8:a8:0f:f9:e4:81:f9:43:ae:fe:bb:
44:d7:4f:de:c7:82:e5:29:66:22:bc:4c:49:e6:a4:
a4:f8:26:84:09:2a:51:1b:81:38:0d:9c:13:21:9b:
38:98:9d:d5:2f:45:75:d4:4b:62:45:01:74:1f:ad:
bf:5d:af:7e:47
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
54:D6:E3:AC:54:8C:8A:A3:13:32:4A:78:30:E7:59:8A:3C:EB:EE:3C
X509v3 Authority Key Identifier:
keyid:10:4E:E0:F4:A7:86:57:01:A0:28:25:99:57:A9:F2:55:5D:CD:E0:4F
X509v3 Subject Alternative Name:
DNS:peer1.beta.com, DNS:localhost
1.2.3.4.5.6.7.8.1:
{"attrs":{"hf.Affiliation":"","hf.EnrollmentID":"peer1.beta.com","hf.Type":"peer"}}
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:1e:fe:18:8b:2f:7c:a3:1b:4e:1a:db:5d:96:49:
31:d5:ca:3d:e9:92:75:14:4d:38:49:a2:15:88:de:77:33:77:
02:20:33:19:ec:9c:ac:e4:43:90:b2:f6:2b:3b:f0:a8:45:d4:
a9:7e:0b:e2:80:ba:86:75:df:5a:f2:fe:90:b8:18:52
I am trying to push my Docker image to Google Cloud Registry but get an x509 error saying the certificate is signed by an unknown authority. This never used to be a problem and I can't seem to fix the issue. Any help is appreciated.
I'm running
docker -- push gcp.io/project/registry
Error
Get https://gcp.io/v2/: x509: certificate signed by unknown authority
I'm on Mac OS.
Update: you have a typo, you need to go to gcr.io, not gcp.io.
[ Original answer ]
Looks like a certificate issue on gcp.io:
$ openssl s_client -showcerts -connect gcp.io:443 </dev/null
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.gcp.io
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.gcp.io
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.gcp.io
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
1 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.gcp.io
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3435 bytes and written 424 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: A1FB2B7B405094705F0DAFCAABA63B4E1ABDE5C122F2F3E5A7DE88ECB75AB617
Session-ID-ctx:
Master-Key: A0FB112FC9A33BD96E2346627A4E99A03F5C8AA404B19215EA3226A487B034E17EAC38AE0BD79C6B51E882BDC0DECE90
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1588527367
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
DONE
And I see a similar error from curl -v https://gcp.io/v2/. This will need to be resolved by Google.
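The Fabric answer above (SANs belong on server.crt, not on the tls-ca certificate) and this gcp.io diagnosis (the server sends its leaf and a cross-signed root, but not the Sectigo intermediate, hence "unable to verify the first certificate") are two checks on the same kind of object, so here is one added Go example that performs both. It is not code from either answer, from fabric-ca or from Google. NewCert builds constructed P-256 test certificates in memory (roots, intermediates and leaves), MissingSANs reports which required names a leaf does not cover and refuses CA certificates, and VerifyChain validates a leaf against explicit pools so that leaving out the intermediate reproduces x509.UnknownAuthorityError, Go's form of the openssl error above. Issued, NewCert, MissingSANs, VerifyChain and IsUnknownAuthority are names chosen here; real certificates would be loaded with pem.Decode and x509.ParseCertificate rather than generated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Issued pairs a generated certificate with its private key.
type Issued struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCert generates a P-256 certificate for cn: a CA when isCA is set, otherwise a TLS leaf
// with the given DNS and IP SANs. parent == nil makes it self-signed. Constructed test material.
func NewCert(cn string, isCA bool, dns, ips []string, parent *Issued) (*Issued, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // test-only serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:              dns,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	for _, ip := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(ip))
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Issued{Cert: cert, Key: key}, err
}

// MissingSANs lists the required names (DNS or IP literal) the leaf's SAN extension does
// not cover. CA certificates are refused: SANs belong on server.crt, not on the tls-ca.
func MissingSANs(cert *x509.Certificate, names []string) ([]string, error) {
	if cert.IsCA {
		return nil, errors.New("CA certificate: check the TLS server certificate instead")
	}
	var missing []string
	for _, n := range names {
		if cert.VerifyHostname(n) != nil { // SAN match only, no Common Name fallback
			missing = append(missing, n)
		}
	}
	return missing, nil
}

// VerifyChain validates leaf for host using only the supplied intermediates and roots.
// Omitting the intermediate (the gcp.io case) yields x509.UnknownAuthorityError.
func VerifyChain(leaf *Issued, intermediates, roots []*Issued, host string) error {
	opts := x509.VerifyOptions{DNSName: host, Intermediates: x509.NewCertPool(), Roots: x509.NewCertPool()}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c.Cert)
	}
	for _, c := range roots {
		opts.Roots.AddCert(c.Cert)
	}
	_, err := leaf.Cert.Verify(opts)
	return err
}

// IsUnknownAuthority reports whether err is the missing-issuer failure.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	root, _ := NewCert("Test Root CA", true, nil, nil, nil)
	inter, _ := NewCert("Test Issuing CA", true, nil, nil, root)
	leaf, _ := NewCert("peer1.beta.com", false, []string{"peer1.beta.com", "localhost"}, []string{"127.0.0.1"}, inter)
	missing, _ := MissingSANs(leaf.Cert, []string{"peer1.beta.com", "localhost", "127.0.0.1"})
	fmt.Println("missing SANs:", missing, "| without intermediate:", VerifyChain(leaf, nil, []*Issued{root}, "peer1.beta.com"))
}
```

Run against a real deployment, the two functions answer the two questions in this section separately: MissingSANs on server.crt tells you whether the enrollment produced the names you asked for, and VerifyChain with an empty intermediate pool tells you whether a server is relying on the client to already hold its intermediate, which is exactly what docker, curl and openssl s_client refuse to do.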
I am working on a use-case where OpenPGP is being used to generate a public key pair on a smart card (Yubikey).
The smart card is then to be shipped off to the user.
Trying to emulate this locally the following is being done:
generate keys on smart card
remove GnuPG home directory
access smart card to re-generate GnuPG home directory
The issue is that I cannot test encrypting a file after the above steps have been performed as the public key seems to be missing. fetch doesn't seem to work.
At this stage I do not want to share the public key on any online server.
Is there any way of retrieving the public key from the smart card after deleting the key rings?
Below are the steps being followed:
$ gpg --card-edit
Reader ...........: 1050:0404:X:0
Application ID ...: D2760001240102010006046314290000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 04631429
Name of cardholder: sm sm
Language prefs ...: en
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: sm
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: 54D4 E469 7056 B390 AE72 CAA1 A507 3320 7876 0302
created ....: 2017-10-11 13:16:52
Encryption key....: ADA3 2D7F 8D66 4F34 C04A 457C DFEB E3E4 A8F1 8611
created ....: 2017-10-11 11:14:18
Authentication key: 18B9 7AB4 0723 46F4 C23A 3DD7 E5C0 6A93 049E F6A8
created ....: 2017-10-11 11:14:18
General key info..: [none]
gpg/card> admin
Admin commands are allowed
gpg/card> generate
Make off-card backup of encryption key? (Y/n) n
gpg: Note: keys are already stored on the card!
Replace existing keys? (y/N) y
What keysize do you want for the Signature key? (4096)
What keysize do you want for the Encryption key? (4096)
What keysize do you want for the Authentication key? (4096)
Key is valid for? (0) 0
Is this correct? (y/N) y
Real name: john doe
Email address: john.doe@foobar.com
Comment:
You selected this USER-ID:
"john doe <john.doe@foobar.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: /home/xxx/.gnupg/trustdb.gpg: trustdb created
gpg: key 6825CB0EBDA94110 marked as ultimately trusted
gpg: directory '/home/xxx/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/xxx/.gnupg/openpgp-revocs.d/6858F119E93FB74BB561DE556825CB0EBDA94110.rev'
public and secret key created and signed.
gpg/card> list
Reader ...........: 1050:0404:X:0
Application ID ...: D2760001240102010006046314290000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 04631429
Name of cardholder: sm sm
Language prefs ...: en
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: sm
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 6858 F119 E93F B74B B561 DE55 6825 CB0E BDA9 4110
created ....: 2017-10-11 13:18:11
Encryption key....: BE05 7FDF 9ACD 05F0 B75A 570F 4711 4B69 A622 C1DC
created ....: 2017-10-11 13:18:11
Authentication key: 7275 2C47 B1EF BFB5 1E6D 0E65 31C7 7DBE 2D22 7E32
created ....: 2017-10-11 13:18:11
General key info..: pub rsa4096/6825CB0EBDA94110 2017-10-11 john doe <john.doe@foobar.com>
sec> rsa4096/6825CB0EBDA94110 created: 2017-10-11 expires: never
card-no: 0006 04631429
ssb> rsa4096/31C77DBE2D227E32 created: 2017-10-11 expires: never
card-no: 0006 04631429
ssb> rsa4096/47114B69A622C1DC created: 2017-10-11 expires: never
card-no: 0006 04631429
gpg/card> quit
$ rm -rf .gnupg/
$ gpg --card-status
gpg: directory '/home/smalatho/.gnupg' created
gpg: new configuration file '/home/smalatho/.gnupg/dirmngr.conf' created
gpg: new configuration file '/home/smalatho/.gnupg/gpg.conf' created
gpg: keybox '/home/smalatho/.gnupg/pubring.kbx' created
Reader ...........: 1050:0404:X:0
Application ID ...: D2760001240102010006046314290000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 04631429
Name of cardholder: sm sm
Language prefs ...: en
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: sm
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 6858 F119 E93F B74B B561 DE55 6825 CB0E BDA9 4110
created ....: 2017-10-11 13:18:11
Encryption key....: BE05 7FDF 9ACD 05F0 B75A 570F 4711 4B69 A622 C1DC
created ....: 2017-10-11 13:18:11
Authentication key: 7275 2C47 B1EF BFB5 1E6D 0E65 31C7 7DBE 2D22 7E32
created ....: 2017-10-11 13:18:11
General key info..: [none]
OpenPGP smart cards do not store enough information to reconstruct a full OpenPGP public key. You must import the public key separately -- sharing it on a key server is one solution, but you can also gpg --export the key and later gpg --import it again for testing.
It requires the user to manually export the public key before deleting the GNUPGHOME directory and then re-importing the public key in the smart card.
$ gpg --armor --export j.doe@example.com > public.asc
$ rm -rf ~/.gnupg
$ gpg --import public.asc
According to the maintainer of GnuPG, it is technically possible to reconstruct the public key using only information from the card but it isn't easy:
However, if you really lost the public key and you need it back, it is possible to re-create the public key with the same fingerprint. There is no code for this, you need to hack the source.
What you need is the creation timestamp and the public key parameters
from the card. You can gather this information using
$ gpg-connect-agent
> scd learn --force
S SERIALNO D276000124010101000100xxxxxxxxxx 0
S APPTYPE OPENPGP
[...]
S KEY-TIME 1 1136130759
S KEY-TIME 2 1136132140
S KEY-TIME 3 1136131786
[...]
OK
> /decode
> /hex
> scd readkey OPENPGP.1
D[0000] 28 31 30 3A 70 75 62 6C 69 63 2D 6B 65 79 28 33 (10:public-key(3
D[0010] 3A 72 73 61 28 31 3A 6E 31 32 39 3A 00 D0 99 19 :rsa(1:n129:....
[...]
OK
Take the creation time from the KEY-TIME lines. I used /decode and /hex above only for readability. You should use
> /datafile out
> scd readkey OPENPGP.1
OK
> /bye
instead which writes the s-expression with the public key to the file out. The Libgcrypt functions take those s-expressions as arguments. Now you need to feed it to gpg to create the public key part and the self-signatures.
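As an added example of the reconstruction the maintainer describes (not code from GnuPG or from this answer), the Go program below parses the canonical s-expression that scd readkey writes, pulls out n and e, and hashes them together with a creation time into an OpenPGP v4 fingerprint (RFC 4880 section 12.2). The key in main is a constructed toy modulus, not a real card key; SExp, ParseCanonical, Param, mpi, V4KeyMaterial and V4Fingerprint are names chosen here. What it shows is that the creation time is part of the hashed material, so the KEY-TIME values are as essential as the key parameters, and a rebuilt key can be checked against the "Signature key" line that gpg --card-status prints.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strconv"
	"strings"
)

// SExp is one node of a canonical s-expression: an atom or a list of nodes.
type SExp struct {
	Atom []byte
	List []*SExp
}

// ParseCanonical parses Libgcrypt's canonical encoding ("<length>:<bytes>" atoms,
// parenthesised lists, no whitespace) and rejects trailing garbage.
func ParseCanonical(data []byte) (*SExp, error) {
	node, rest, err := parseNode(data)
	if err == nil && len(rest) != 0 {
		err = fmt.Errorf("%d trailing bytes after s-expression", len(rest))
	}
	return node, err
}

func parseNode(data []byte) (*SExp, []byte, error) {
	if len(data) > 0 && data[0] == '(' {
		list := &SExp{}
		data = data[1:]
		for len(data) > 0 && data[0] != ')' {
			child, rest, err := parseNode(data)
			if err != nil {
				return nil, nil, err
			}
			list.List, data = append(list.List, child), rest
		}
		if len(data) == 0 {
			return nil, nil, fmt.Errorf("unterminated list")
		}
		return list, data[1:], nil
	}
	colon := bytes.IndexByte(data, ':')
	if colon <= 0 {
		return nil, nil, fmt.Errorf("atom without length prefix")
	}
	n, err := strconv.Atoi(string(data[:colon]))
	if err != nil || n < 0 || colon+1+n > len(data) {
		return nil, nil, fmt.Errorf("bad atom length %q", data[:colon])
	}
	return &SExp{Atom: data[colon+1 : colon+1+n]}, data[colon+1+n:], nil
}

// Param returns the value of the (name value) pair inside "(public-key (rsa ...))",
// or nil when the layout is not an RSA public key or the parameter is absent.
func Param(pk *SExp, name string) []byte {
	if len(pk.List) != 2 || string(pk.List[0].Atom) != "public-key" ||
		len(pk.List[1].List) == 0 || string(pk.List[1].List[0].Atom) != "rsa" {
		return nil
	}
	for _, p := range pk.List[1].List[1:] {
		if len(p.List) == 2 && string(p.List[0].Atom) == name {
			return p.List[1].Atom
		}
	}
	return nil
}

// mpi encodes a magnitude as an OpenPGP MPI (RFC 4880 3.2): 2-byte bit count, then
// the big-endian value with leading zero octets (Libgcrypt's sign padding) removed.
func mpi(x []byte) []byte {
	x = bytes.TrimLeft(x, "\x00")
	n := 0
	if len(x) > 0 {
		n = (len(x)-1)*8 + bits.Len8(x[0])
	}
	return append([]byte{byte(n >> 8), byte(n)}, x...)
}

// V4KeyMaterial is what a v4 fingerprint hashes (RFC 4880 12.2): 0x99, a 2-byte length,
// version 4, the 4-byte creation time, algorithm 1 (RSA), MPI n, MPI e. The creation
// time is hashed too, so the card's KEY-TIME is needed to reproduce the fingerprint.
func V4KeyMaterial(n, e []byte, created uint32) []byte {
	body := []byte{4, byte(created >> 24), byte(created >> 16), byte(created >> 8), byte(created), 1}
	body = append(append(body, mpi(n)...), mpi(e)...)
	return append([]byte{0x99, byte(len(body) >> 8), byte(len(body))}, body...)
}

// V4Fingerprint is the upper-case hex SHA-1 of that material; the long key ID
// (such as 6825CB0EBDA94110 above) is its last 16 hex digits.
func V4Fingerprint(n, e []byte, created uint32) string {
	sum := sha1.Sum(V4KeyMaterial(n, e, created))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

func main() {
	// Constructed toy key in the layout "scd readkey OPENPGP.1" writes; not a real key.
	pk, err := ParseCanonical([]byte("(10:public-key(3:rsa(1:n3:\x00\xd0\x99)(1:e3:\x01\x00\x01)))"))
	if err != nil {
		panic(err)
	}
	fmt.Println("fingerprint:", V4Fingerprint(Param(pk, "n"), Param(pk, "e"), 1136130759))
}
```

With the file written by /datafile out, the input to ParseCanonical is the file's bytes and created is the matching KEY-TIME value; if the printed fingerprint equals the card's "Signature key" line with the spaces removed, the parameters and timestamp are the right ones. Feeding the rebuilt key back into gpg to add the user ID and self-signatures is the part the maintainer says has no ready-made code; this example stops at the fingerprint check.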
I tried to execute:
snmpwalk -v 3 -u snmpv3username -A <passphrase> -a MD5 -l authNoPriv localhost .1.3.6.1.4.1.334.72.1.1.6.2.1.0
However, I got the following error:
Error in packet.
Reason: authorizationError (access denied to that object)
I have already defined the following in /etc/snmp/snmpd.conf:
createUser snmpv3username MD5 <passphrase> AES <passphrase>
Question is:
1. What is the meaning of this error? I thought I had defined the user in the config file.
2. How to solve this issue?
If I execute:
snmpwalk -v 1 -c public -O e 127.0.0.1
I got this result:
SNMPv2-MIB::sysDescr.0 = STRING: Linux ip-10-251-138-141 2.6.32-358.14.1.el6.x86_64 #1 SMP Mon Jun 17 15:54:20 EDT 2013 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (615023) 1:42:30.23
SNMPv2-MIB::sysContact.0 = STRING: Root <root@localhost>
SNMPv2-MIB::sysName.0 = STRING: ip-10-251-138-141
SNMPv2-MIB::sysLocation.0 = STRING: aws-west
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORID.1 = OID: SNMP-MPD-MIB::snmpMPDMIBObjects.3.1.1
SNMPv2-MIB::sysORID.2 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.5 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.6 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.8 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORDescr.1 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.3 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.5 = STRING: The MIB module for managing TCP implementations
SNMPv2-MIB::sysORDescr.6 = STRING: The MIB module for managing IP and ICMP implementations
SNMPv2-MIB::sysORDescr.7 = STRING: The MIB module for managing UDP implementations
SNMPv2-MIB::sysORDescr.8 = STRING: View-based Access Control Model for SNMP.
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.2 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.3 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.4 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.5 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.6 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.7 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.8 = Timeticks: (2) 0:00:00.02
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (562693901) 65 days, 3:02:19.01
End of MIB
Thanks in advance
You do the snmpwalk with seclevel authnopriv but your user has seclevel authpriv configured.
Try:
snmpwalk -v 3 -u snmpv3username -A <passphrase> -a MD5 -x AES -X <passphrase> -l authNoPriv localhost .1.3.6.1.4.1.334.72.1.1.6.2.1.0
Besides creating the user, you must also "authorize" it to see data. Users can exist without any permissions to see data (it's part of the SNMPv3 specifications).
For Net-SNMP, you can do this easily by granting it read-only access using this line in your snmpd.conf file:
rouser snmpv3username
or for write access to everything:
rwuser snmpv3username
Edit: Additionally, you should put the create user line in /var/net-snmp/snmpd.conf instead so it gets replaced by a private, localized key that can't be stolen and used in other devices.
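Putting the two answers together, here is an added configuration example (not from either answer) that shows the weak layout beside the hardened one. The user definition goes in the persistent store, where snmpd rewrites it into localized keys; the access line grants a read-only view rather than everything; and the minimum security level priv means a request sent at authNoPriv, like the failing snmpwalk above, is refused instead of being served with a weaker protection than the user was created for. The view name monitor and its two subtrees (the system group plus the enterprise subtree from the question's OID) are choices made here; net-snmp also accepts SHA in place of MD5 on the createUser line.

```conf
# /etc/snmp/snmpd.conf  (persistent, edited by the administrator)

# Weak: the cleartext passphrases stay in this file, and a user without an
# access line can authenticate but is not authorised to read anything, which
# is the "authorizationError (access denied to that object)" seen above.
# createUser snmpv3username MD5 <passphrase> AES <passphrase>

# Hardened: read-only access to a restricted view, and authPriv required;
# requests at noAuthNoPriv or authNoPriv are refused.
view monitor included .1.3.6.1.2.1.1
view monitor included .1.3.6.1.4.1.334
rouser snmpv3username priv -V monitor

# /var/net-snmp/snmpd.conf  (read once at startup, then rewritten by snmpd
# with localized keys, so the passphrases no longer appear on disk)
createUser snmpv3username MD5 <auth passphrase> AES <priv passphrase>
```

After restarting snmpd, the walk has to be issued with -l authPriv and both -A/-a and -X/-x supplied; a walk outside the two subtrees in the view returns "No more variables left in this MIB View" rather than the data.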