This tutorial describes how to convert a Binary Security Token extracted from a SOAP message into a valid PEM format that can be read by openssl or a similar tool. If you are ever troubleshooting the use of X509v3 certificates with WS-Security, this can come in very handy.
Suppose the following <BinarySecurityToken> element was embedded in a WS-Security <Security> Header:
<wsse:BinarySecurityToken wsu:Id="SecurityToken-8167d7ab-58bc-4845-b731-99f7f3e29d9c" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIIDOjCCAqOgAwIBAgIEdOq6LjANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJVUz
ELMAkGA1UECBMCT1IxETAPBgNVBAcTCFBvcnRsYW5kMR0wGwYDVQQKExRSQ0JKIENvbnN1bHRp
bmcsIExMQzELMAkGA1UECxMCSVQxFjAUBgNVBAMTDUR1bW15RFNpZ0NlcnQwHhcNMTIxMjMxMj
M0NDQ3WhcNMjIxMjI5MjM0NDQ3WjBxMQswCQYDVQQGEwJVUzELMAkGA1UECBMCT1IxETAPBgN
VBAcTCFBvcnRsYW5kMR0wGwYDVQQKExRSQ0JKIENvbnN1bHRpbmcsIExMQzELMAkGA1UECxMCSV
QxFjAUBgNVBAMTDUR1bW15RFNpZ0NlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALd4DQW
C6PtcA9NXzpBvcv9jfDXHBpr9k9DWSe5qI5N8HPZ+8ArAyRURz9+cEz7yWcjL7WY0KzLrBrx9Xwn0Ss2Y
+xyPfvVKCxVTkPF5kSLfwIWl3oL1bAVyMNyV1aB4GL7tWAHEe8E7y6djKTP2EZwRyUWHHjyKycqDxKADa
KWXAgMBAAGjgd4wgdswDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUx+xJOYF+4DagDezOpMX5lwcCsxEw
gZ4GA1UdIwSBljCBk4AUx+xJOYF+4DagDezOpMX5lwcCsxGhdaRzMHExCzAJBgNVBAYTAlVTMQswCQYDVQ
QIEwJPUjERMA8GA1UEBxMIUG9ydGxhbmQxHTAbBgNVBAoTFFJDQkogQ29uc3VsdGluZywgTExDMQswCQYD
VQQLEwJJVDEWMBQGA1UEAxMNRHVtbXlEU2lnQ2VydIIEdOq6LjALBgNVHQ8EBAMCArwwDQYJKoZIhvcNAQEFB
QADgYEAnPAuf0VmKv8gIxmHbE5D6ljyAHXXVpah6JWonJelmsrXMrkQygudnOEWYI4VjbMFWJ0Oatnx1k
rYv3M8Xs25xviOTe+jjALLMiq6T/BBU7iz+/WN9UZPJnd12DwrLE5+bXMvdRHlwVkU1krnbu
haIyZl2qlcCsrOqCYRfEqXqe8=</wsse:BinarySecurityToken>
I added the newline characters so that the full element would fit on this page. In practice there are no line breaks; the value is one large blob. Save the base-64 encoded value to a file such as this one.
We need to introduce a newline character, '\n', after every 64 characters in order to get this file into a valid PEM format. This can be done with the following command at a bash shell prompt (assume the file containing the base64 encoded BST value is called base64BST.txt):
cat base64BST.txt | awk -F "" '{for(i=1;i<=NF;i++){printf("%s%s",$i,i%64?"":"\n")}}'|awk '{sub(/\:$/,"")};1' > tmp01
(The -F "" form relies on awk treating an empty field separator as one field per character; GNU awk does this.)
The output of this command (the contents of tmp01) is the same base-64 text wrapped at 64 characters per line. We have successfully inserted the '\n' characters that are needed by the PEM format.
Now, add the Header:
-----BEGIN CERTIFICATE-----
and add the Footer:
-----END CERTIFICATE-----
The resulting file looks like this.
-----BEGIN CERTIFICATE-----
MIIDOjCCAqOgAwIBAgIEdOq6LjANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJV
UzELMAkGA1UECBMCT1IxETAPBgNVBAcTCFBvcnRsYW5kMR0wGwYDVQQKExRSQ0JK
IENvbnN1bHRpbmcsIExMQzELMAkGA1UECxMCSVQxFjAUBgNVBAMTDUR1bW15RFNp
Z0NlcnQwHhcNMTIxMjMxMjM0NDQ3WhcNMjIxMjI5MjM0NDQ3WjBxMQswCQYDVQQG
EwJVUzELMAkGA1UECBMCT1IxETAPBgNVBAcTCFBvcnRsYW5kMR0wGwYDVQQKExRS
Q0JKIENvbnN1bHRpbmcsIExMQzELMAkGA1UECxMCSVQxFjAUBgNVBAMTDUR1bW15
RFNpZ0NlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALd4DQWC6PtcA9NX
zpBvcv9jfDXHBpr9k9DWSe5qI5N8HPZ+8ArAyRURz9+cEz7yWcjL7WY0KzLrBrx9
Xwn0Ss2Y+xyPfvVKCxVTkPF5kSLfwIWl3oL1bAVyMNyV1aB4GL7tWAHEe8E7y6dj
KTP2EZwRyUWHHjyKycqDxKADaKWXAgMBAAGjgd4wgdswDAYDVR0TBAUwAwEB/zAd
BgNVHQ4EFgQUx+xJOYF+4DagDezOpMX5lwcCsxEwgZ4GA1UdIwSBljCBk4AUx+xJ
OYF+4DagDezOpMX5lwcCsxGhdaRzMHExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJP
UjERMA8GA1UEBxMIUG9ydGxhbmQxHTAbBgNVBAoTFFJDQkogQ29uc3VsdGluZywg
TExDMQswCQYDVQQLEwJJVDEWMBQGA1UEAxMNRHVtbXlEU2lnQ2VydIIEdOq6LjAL
BgNVHQ8EBAMCArwwDQYJKoZIhvcNAQEFBQADgYEAnPAuf0VmKv8gIxmHbE5D6ljy
AHXXVpah6JWonJelmsrXMrkQygudnOEWYI4VjbMFWJ0Oatnx1krYv3M8Xs25xviO
Te+jjALLMiq6T/BBU7iz+/WN9UZPJnd12DwrLE5+bXMvdRHlwVkU1krnbuhaIyZl
2qlcCsrOqCYRfEqXqe8=
-----END CERTIFICATE-----
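The same procedure end to end in Python, as an added example that is not part of the original tutorial: pull the X509v3 token out of a SOAP message, wrap it at 64 columns with the CERTIFICATE header and footer, and walk the DER just far enough (outer SEQUENCE, tbsCertificate, version, serial number) to confirm the bytes really are a certificate before handing them to openssl. The SOAP envelope is a constructed sample wrapped around the token shown above; the wsse and soapenv namespace URIs are the standard OASIS and W3C ones and are not on the page; the function names are mine.

```python
import base64
import re
import xml.etree.ElementTree as ET  # parse untrusted SOAP with defusedxml instead

# OASIS WS-Security identifiers. EncodingType, ValueType and the wsu URI are on the page; the wsse URI is the standard one (assumed).
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
BASE64_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
X509V3_VALUETYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

# The tutorial's token value, joined back into the single blob it is on the wire.
PAGE_BST_B64 = "".join("""MIIDOjCCAqOgAwIBAgIEdOq6LjANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJV
UzELMAkGA1UECBMCT1IxETAPBgNVBAcTCFBvcnRsYW5kMR0wGwYDVQQKExRSQ0JK
IENvbnN1bHRpbmcsIExMQzELMAkGA1UECxMCSVQxFjAUBgNVBAMTDUR1bW15RFNp
Z0NlcnQwHhcNMTIxMjMxMjM0NDQ3WhcNMjIxMjI5MjM0NDQ3WjBxMQswCQYDVQQG
EwJVUzELMAkGA1UECBMCT1IxETAPBgNVBAcTCFBvcnRsYW5kMR0wGwYDVQQKExRS
Q0JKIENvbnN1bHRpbmcsIExMQzELMAkGA1UECxMCSVQxFjAUBgNVBAMTDUR1bW15
RFNpZ0NlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALd4DQWC6PtcA9NX
zpBvcv9jfDXHBpr9k9DWSe5qI5N8HPZ+8ArAyRURz9+cEz7yWcjL7WY0KzLrBrx9
Xwn0Ss2Y+xyPfvVKCxVTkPF5kSLfwIWl3oL1bAVyMNyV1aB4GL7tWAHEe8E7y6dj
KTP2EZwRyUWHHjyKycqDxKADaKWXAgMBAAGjgd4wgdswDAYDVR0TBAUwAwEB/zAd
BgNVHQ4EFgQUx+xJOYF+4DagDezOpMX5lwcCsxEwgZ4GA1UdIwSBljCBk4AUx+xJ
OYF+4DagDezOpMX5lwcCsxGhdaRzMHExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJP
UjERMA8GA1UEBxMIUG9ydGxhbmQxHTAbBgNVBAoTFFJDQkogQ29uc3VsdGluZywg
TExDMQswCQYDVQQLEwJJVDEWMBQGA1UEAxMNRHVtbXlEU2lnQ2VydIIEdOq6LjAL
BgNVHQ8EBAMCArwwDQYJKoZIhvcNAQEFBQADgYEAnPAuf0VmKv8gIxmHbE5D6ljy
AHXXVpah6JWonJelmsrXMrkQygudnOEWYI4VjbMFWJ0Oatnx1krYv3M8Xs25xviO
Te+jjALLMiq6T/BBU7iz+/WN9UZPJnd12DwrLE5+bXMvdRHlwVkU1krnbuhaIyZl
2qlcCsrOqCYRfEqXqe8=""".split())

# Constructed SOAP 1.1 envelope carrying that token in its <wsse:Security> header.
SAMPLE_SOAP = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header><wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">
    <wsse:BinarySecurityToken wsu:Id="SecurityToken-8167d7ab-58bc-4845-b731-99f7f3e29d9c"
      EncodingType="{BASE64_ENCODING}" ValueType="{X509V3_VALUETYPE}">{PAGE_BST_B64}</wsse:BinarySecurityToken>
  </wsse:Security></soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

def extract_x509_bst(soap_xml):
    """Return the text of every Base64Binary-encoded X509v3 BinarySecurityToken."""
    root = ET.fromstring(soap_xml)
    tokens = []
    for el in root.iter(f"{{{WSSE_NS}}}BinarySecurityToken"):
        if el.get("EncodingType") == BASE64_ENCODING and el.get("ValueType") == X509V3_VALUETYPE:
            tokens.append(re.sub(r"\s+", "", el.text or ""))
    return tokens

def normalize_bst(text):
    """Drop any whitespace a pretty-printer or line wrap may have added."""
    return re.sub(r"\s+", "", text)

def bst_to_der(text):
    """Decode strictly: validate=True rejects stray characters and bad padding."""
    return base64.b64decode(normalize_bst(text), validate=True)

def bst_to_pem(text):
    """Wrap at 64 columns and add the armour, i.e. what the awk pipeline plus the hand-added header and footer produce."""
    blob = normalize_bst(text)
    bst_to_der(blob)  # fail early if the token is not valid base64
    lines = [blob[i:i + 64] for i in range(0, len(blob), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def _read_tlv(buf, off):
    """Read one DER tag and length at buf[off]; return (tag, value_start, value_end)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low seven bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("DER length runs past the end of the data")
    return tag, off, off + length

def summarize_der_certificate(der):
    """Walk Certificate -> tbsCertificate -> version, serialNumber (RFC 5280 layout)."""
    tag, start, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE, so not a certificate")
    tag, off, _tbs_end = _read_tlv(der, start)  # tbsCertificate SEQUENCE
    version = 1  # v1 certificates omit the version field entirely
    tag, vstart, vend = _read_tlv(der, off)
    if tag == 0xA0:  # EXPLICIT [0] Version holding an INTEGER (2 means v3)
        _, vs, ve = _read_tlv(der, vstart)
        version = int.from_bytes(der[vs:ve], "big") + 1
        off = vend
    tag, sstart, send = _read_tlv(der, off)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    serial = int.from_bytes(der[sstart:send], "big", signed=True)
    return {"length": len(der), "version": version, "serial": serial}

if __name__ == "__main__":
    for token in extract_x509_bst(SAMPLE_SOAP):
        print(bst_to_pem(token), end="")  # pipe into: openssl x509 -text -noout
        print(summarize_der_certificate(bst_to_der(token)))
```

Run as-is it prints the PEM block above followed by the 830-byte DER's version 3 and serial 1961540142 (0x74eaba2e), matching what openssl reports below. At a shell prompt, fold -w 64 does the same 64-column wrapping as the awk pipeline and does not depend on GNU awk's empty field separator.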
This is a valid PEM format. To demonstrate this, let's run openssl on it:
$ openssl x509 -in base64BST.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1961540142 (0x74eaba2e)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=OR, L=Portland, O=RCBJ Consulting, LLC, OU=IT, CN=DummyDSigCert
        Validity
            Not Before: Dec 31 23:44:47 2012 GMT
            Not After : Dec 29 23:44:47 2022 GMT
        Subject: C=US, ST=OR, L=Portland, O=RCBJ Consulting, LLC, OU=IT, CN=DummyDSigCert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b7:78:0d:05:82:e8:fb:5c:03:d3:57:ce:90:6f:
                    72:ff:63:7c:35:c7:06:9a:fd:93:d0:d6:49:ee:6a:
                    23:93:7c:1c:f6:7e:f0:0a:c0:c9:15:11:cf:df:9c:
                    13:3e:f2:59:c8:cb:ed:66:34:2b:32:eb:06:bc:7d:
                    5f:09:f4:4a:cd:98:fb:1c:8f:7e:f5:4a:0b:15:53:
                    90:f1:79:91:22:df:c0:85:a5:de:82:f5:6c:05:72:
                    30:dc:95:d5:a0:78:18:be:ed:58:01:c4:7b:c1:3b:
                    cb:a7:63:29:33:f6:11:9c:11:c9:45:87:1e:3c:8a:
                    c9:ca:83:c4:a0:03:68:a5:97
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Subject Key Identifier:
                C7:EC:49:39:81:7E:E0:36:A0:0D:EC:CE:A4:C5:F9:97:07:02:B3:11
            X509v3 Authority Key Identifier:
                keyid:C7:EC:49:39:81:7E:E0:36:A0:0D:EC:CE:A4:C5:F9:97:07:02:B3:11
                DirName:/C=US/ST=OR/L=Portland/O=RCBJ Consulting,LLC/OU=IT/CN=DummyDSigCert
                serial:74:EA:BA:2E

            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign
    Signature Algorithm: sha1WithRSAEncryption
        9c:f0:2e:7f:45:66:2a:ff:20:23:19:87:6c:4e:43:ea:58:f2:
        00:75:d7:56:96:a1:e8:95:a8:9c:97:a5:9a:ca:d7:32:b9:10:
        ca:0b:9d:9c:e1:16:60:8e:15:8d:b3:05:58:9d:0e:6a:d9:f1:
        d6:4a:d8:bf:73:3c:5e:cd:b9:c6:f8:8e:4d:ef:a3:8c:02:cb:
        32:2a:ba:4f:f0:41:53:b8:b3:fb:f5:8d:f5:46:4f:26:77:75:
        d8:3c:2b:2c:4e:7e:6d:73:2f:75:11:e5:c1:59:14:d6:4a:e7:
        6e:e8:5a:23:26:65:da:a9:5c:0a:ca:ce:a8:26:11:7c:4a:97:
        a9:ef
After the decoded fields, openssl echoes the PEM block itself, identical to the file contents shown above; add -noout to the command if you only want the text dump.