Convert an X509v3 Binary Security Token to PEM Format

This tutorial describes how to convert a Binary Security Token (BST) extracted from a SOAP message into a valid PEM file that can be read by openssl or a similar tool. If you are ever troubleshooting the use of X509v3 certificates with WS-Security, this comes in very handy: once the token is in PEM form you can see exactly which certificate the sender presented and check whether it is one your endpoint should trust.

Suppose the following <BinarySecurityToken> element was embedded in a WS-Security <Security> Header:

<wsse:BinarySecurityToken wsu:Id="SecurityToken-8167d7ab-58bc-4845-b731-99f7f3e29d9c" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIIDOjCCAqOgAwIBAgIEdOq6LjANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJVUz
ELMAkGA1UECBMCT1IxETAPBgNVBAcTCFBvcnRsYW5kMR0wGwYDVQQKExRSQ0JKIENvbnN1bHRp
bmcsIExMQzELMAkGA1UECxMCSVQxFjAUBgNVBAMTDUR1bW15RFNpZ0NlcnQwHhcNMTIxMjMxMj
M0NDQ3WhcNMjIxMjI5MjM0NDQ3WjBxMQswCQYDVQQGEwJVUzELMAkGA1UECBMCT1IxETAPBgN
VBAcTCFBvcnRsYW5kMR0wGwYDVQQKExRSQ0JKIENvbnN1bHRpbmcsIExMQzELMAkGA1UECxMCSV
QxFjAUBgNVBAMTDUR1bW15RFNpZ0NlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALd4DQW
C6PtcA9NXzpBvcv9jfDXHBpr9k9DWSe5qI5N8HPZ+8ArAyRURz9+cEz7yWcjL7WY0KzLrBrx9Xwn0Ss2Y
+xyPfvVKCxVTkPF5kSLfwIWl3oL1bAVyMNyV1aB4GL7tWAHEe8E7y6djKTP2EZwRyUWHHjyKycqDxKADa
KWXAgMBAAGjgd4wgdswDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUx+xJOYF+4DagDezOpMX5lwcCsxEw
gZ4GA1UdIwSBljCBk4AUx+xJOYF+4DagDezOpMX5lwcCsxGhdaRzMHExCzAJBgNVBAYTAlVTMQswCQYDVQ
QIEwJPUjERMA8GA1UEBxMIUG9ydGxhbmQxHTAbBgNVBAoTFFJDQkogQ29uc3VsdGluZywgTExDMQswCQYD
VQQLEwJJVDEWMBQGA1UEAxMNRHVtbXlEU2lnQ2VydIIEdOq6LjALBgNVHQ8EBAMCArwwDQYJKoZIhvcNAQEFB
QADgYEAnPAuf0VmKv8gIxmHbE5D6ljyAHXXVpah6JWonJelmsrXMrkQygudnOEWYI4VjbMFWJ0Oatnx1k
rYv3M8Xs25xviOTe+jjALLMiq6T/BBU7iz+/WN9UZPJnd12DwrLE5+bXMvdRHlwVkU1krnbu
haIyZl2qlcCsrOqCYRfEqXqe8=</wsse:BinarySecurityToken>

I added the line breaks so that the full element would fit on this page. In practice there are none; the value is one long blob. Save that base64-encoded value, and only the value (no element tags, no whitespace), to a file, for example base64BST.txt.

The PEM format (RFC 7468) specifies the base64 body wrapped at 64 characters per line between the header and footer lines, and that is the layout openssl's PEM reader is built around, so we need to insert a newline character, '\n', after every 64 characters. This can be done with the following command at a bash shell prompt (assuming the file containing the base64-encoded BST value is called base64BST.txt):

cat base64BST.txt | awk -F "" '{for(i=1;i<=NF;i++){printf("%s%s",$i,i%64?"":"\n")}; if(NF%64) printf("\n")}' > tmp01

Splitting on an empty field separator (-F "") is a gawk/mawk extension rather than POSIX awk, and the trailing if() supplies the newline that the final, shorter line would otherwise lack. The same result with one standard tool:

fold -w 64 base64BST.txt > tmp01

The output of this command (contents of tmp01) is the same base64 data, now as lines of exactly 64 characters with a shorter final line. We have successfully inserted the '\n' characters that are needed by the PEM format.

Now, add the header:

-----BEGIN CERTIFICATE-----

and add the footer:

-----END CERTIFICATE-----

The resulting file (call it base64BST.pem) looks like this:

-----BEGIN CERTIFICATE-----
MIIDOjCCAqOgAwIBAgIEdOq6LjANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJV
UzELMAkGA1UECBMCT1IxETAPBgNVBAcTCFBvcnRsYW5kMR0wGwYDVQQKExRSQ0JK
IENvbnN1bHRpbmcsIExMQzELMAkGA1UECxMCSVQxFjAUBgNVBAMTDUR1bW15RFNp
Z0NlcnQwHhcNMTIxMjMxMjM0NDQ3WhcNMjIxMjI5MjM0NDQ3WjBxMQswCQYDVQQG
EwJVUzELMAkGA1UECBMCT1IxETAPBgNVBAcTCFBvcnRsYW5kMR0wGwYDVQQKExRS
Q0JKIENvbnN1bHRpbmcsIExMQzELMAkGA1UECxMCSVQxFjAUBgNVBAMTDUR1bW15
RFNpZ0NlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALd4DQWC6PtcA9NX
zpBvcv9jfDXHBpr9k9DWSe5qI5N8HPZ+8ArAyRURz9+cEz7yWcjL7WY0KzLrBrx9
Xwn0Ss2Y+xyPfvVKCxVTkPF5kSLfwIWl3oL1bAVyMNyV1aB4GL7tWAHEe8E7y6dj
KTP2EZwRyUWHHjyKycqDxKADaKWXAgMBAAGjgd4wgdswDAYDVR0TBAUwAwEB/zAd
BgNVHQ4EFgQUx+xJOYF+4DagDezOpMX5lwcCsxEwgZ4GA1UdIwSBljCBk4AUx+xJ
OYF+4DagDezOpMX5lwcCsxGhdaRzMHExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJP
UjERMA8GA1UEBxMIUG9ydGxhbmQxHTAbBgNVBAoTFFJDQkogQ29uc3VsdGluZywg
TExDMQswCQYDVQQLEwJJVDEWMBQGA1UEAxMNRHVtbXlEU2lnQ2VydIIEdOq6LjAL
BgNVHQ8EBAMCArwwDQYJKoZIhvcNAQEFBQADgYEAnPAuf0VmKv8gIxmHbE5D6ljy
AHXXVpah6JWonJelmsrXMrkQygudnOEWYI4VjbMFWJ0Oatnx1krYv3M8Xs25xviO
Te+jjALLMiq6T/BBU7iz+/WN9UZPJnd12DwrLE5+bXMvdRHlwVkU1krnbuhaIyZl
2qlcCsrOqCYRfEqXqe8=
-----END CERTIFICATE-----
This is a valid PEM file. To demonstrate, let's run openssl on it (without -noout, -text prints the decoded certificate and then echoes the PEM itself, which is why the output below ends with the certificate again):

$ openssl x509 -in base64BST.pem -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1961540142 (0x74eaba2e)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=OR, L=Portland, O=RCBJ Consulting, LLC, OU=IT, CN=DummyDSigCert
        Validity
            Not Before: Dec 31 23:44:47 2012 GMT
            Not After : Dec 29 23:44:47 2022 GMT
        Subject: C=US, ST=OR, L=Portland, O=RCBJ Consulting, LLC, OU=IT, CN=DummyDSigCert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b7:78:0d:05:82:e8:fb:5c:03:d3:57:ce:90:6f:
                    72:ff:63:7c:35:c7:06:9a:fd:93:d0:d6:49:ee:6a:
                    23:93:7c:1c:f6:7e:f0:0a:c0:c9:15:11:cf:df:9c:
                    13:3e:f2:59:c8:cb:ed:66:34:2b:32:eb:06:bc:7d:
                    5f:09:f4:4a:cd:98:fb:1c:8f:7e:f5:4a:0b:15:53:
                    90:f1:79:91:22:df:c0:85:a5:de:82:f5:6c:05:72:
                    30:dc:95:d5:a0:78:18:be:ed:58:01:c4:7b:c1:3b:
                    cb:a7:63:29:33:f6:11:9c:11:c9:45:87:1e:3c:8a:
                    c9:ca:83:c4:a0:03:68:a5:97
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Subject Key Identifier:
                C7:EC:49:39:81:7E:E0:36:A0:0D:EC:CE:A4:C5:F9:97:07:02:B3:11
            X509v3 Authority Key Identifier:
                keyid:C7:EC:49:39:81:7E:E0:36:A0:0D:EC:CE:A4:C5:F9:97:07:02:B3:11
                DirName:/C=US/ST=OR/L=Portland/O=RCBJ Consulting,LLC/OU=IT/CN=DummyDSigCert
                serial:74:EA:BA:2E
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign
    Signature Algorithm: sha1WithRSAEncryption
        9c:f0:2e:7f:45:66:2a:ff:20:23:19:87:6c:4e:43:ea:58:f2:
        00:75:d7:56:96:a1:e8:95:a8:9c:97:a5:9a:ca:d7:32:b9:10:
        ca:0b:9d:9c:e1:16:60:8e:15:8d:b3:05:58:9d:0e:6a:d9:f1:
        d6:4a:d8:bf:73:3c:5e:cd:b9:c6:f8:8e:4d:ef:a3:8c:02:cb:
        32:2a:ba:4f:f0:41:53:b8:b3:fb:f5:8d:f5:46:4f:26:77:75:
        d8:3c:2b:2c:4e:7e:6d:73:2f:75:11:e5:c1:59:14:d6:4a:e7:
        6e:e8:5a:23:26:65:da:a9:5c:0a:ca:ce:a8:26:11:7c:4a:97:
        a9:ef

-----BEGIN CERTIFICATE-----
MIIDOjCCAqOgAwIBAgIEdOq6LjANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJV
UzELMAkGA1UECBMCT1IxETAPBgNVBAcTCFBvcnRsYW5kMR0wGwYDVQQKExRSQ0JK
IENvbnN1bHRpbmcsIExMQzELMAkGA1UECxMCSVQxFjAUBgNVBAMTDUR1bW15RFNp
Z0NlcnQwHhcNMTIxMjMxMjM0NDQ3WhcNMjIxMjI5MjM0NDQ3WjBxMQswCQYDVQQG
EwJVUzELMAkGA1UECBMCT1IxETAPBgNVBAcTCFBvcnRsYW5kMR0wGwYDVQQKExRS
Q0JKIENvbnN1bHRpbmcsIExMQzELMAkGA1UECxMCSVQxFjAUBgNVBAMTDUR1bW15
RFNpZ0NlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALd4DQWC6PtcA9NX
zpBvcv9jfDXHBpr9k9DWSe5qI5N8HPZ+8ArAyRURz9+cEz7yWcjL7WY0KzLrBrx9
Xwn0Ss2Y+xyPfvVKCxVTkPF5kSLfwIWl3oL1bAVyMNyV1aB4GL7tWAHEe8E7y6dj
KTP2EZwRyUWHHjyKycqDxKADaKWXAgMBAAGjgd4wgdswDAYDVR0TBAUwAwEB/zAd
BgNVHQ4EFgQUx+xJOYF+4DagDezOpMX5lwcCsxEwgZ4GA1UdIwSBljCBk4AUx+xJ
OYF+4DagDezOpMX5lwcCsxGhdaRzMHExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJP
UjERMA8GA1UEBxMIUG9ydGxhbmQxHTAbBgNVBAoTFFJDQkogQ29uc3VsdGluZywg
TExDMQswCQYDVQQLEwJJVDEWMBQGA1UEAxMNRHVtbXlEU2lnQ2VydIIEdOq6LjAL
BgNVHQ8EBAMCArwwDQYJKoZIhvcNAQEFBQADgYEAnPAuf0VmKv8gIxmHbE5D6ljy
AHXXVpah6JWonJelmsrXMrkQygudnOEWYI4VjbMFWJ0Oatnx1krYv3M8Xs25xviO
Te+jjALLMiq6T/BBU7iz+/WN9UZPJnd12DwrLE5+bXMvdRHlwVkU1krnbuhaIyZl
2qlcCsrOqCYRfEqXqe8=
-----END CERTIFICATE-----

A few things are worth reading off that output when troubleshooting. Issuer and Subject are identical and the Authority Key Identifier equals the Subject Key Identifier, so this is a self-signed certificate, and it carries CA:TRUE with Certificate Sign in its key usage. The key is 1024-bit RSA and the signature is SHA-1, both well below current minimums. That is fine for a dummy signing certificate in a test, but it is a reminder that the certificate in a BinarySecurityToken is whatever the sender chose to put there; the receiving endpoint has to validate it against its own trust store (and against the key sizes and signature algorithms it is willing to accept) before trusting any signature that references it.
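As an added example (not the post's own code, nor any project's), here is the same procedure done end to end in Python with only the standard library: pull the token out of a SOAP envelope constructed here around the certificate from this post, validate the base64 strictly, check the DER framing, read the serial number back out so it can be compared with the openssl output above, and write the 64-column PEM. The wsse namespace URI and the envelope layout are assumptions; the post's element only shows the wsu namespace.

```python
# Added example (not code from the post): pull an X509v3 BinarySecurityToken out of
# a WS-Security header, check it, and emit PEM. Standard library only. The envelope is
# constructed here around the post's certificate; the wsse namespace URI is assumed.
import base64, ssl
import xml.etree.ElementTree as ET

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
BST_B64 = (  # the post's token as one blob, the way it travels on the wire
    "MIIDOjCCAqOgAwIBAgIEdOq6LjANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJV"
    "UzELMAkGA1UECBMCT1IxETAPBgNVBAcTCFBvcnRsYW5kMR0wGwYDVQQKExRSQ0JK"
    "IENvbnN1bHRpbmcsIExMQzELMAkGA1UECxMCSVQxFjAUBgNVBAMTDUR1bW15RFNp"
    "Z0NlcnQwHhcNMTIxMjMxMjM0NDQ3WhcNMjIxMjI5MjM0NDQ3WjBxMQswCQYDVQQG"
    "EwJVUzELMAkGA1UECBMCT1IxETAPBgNVBAcTCFBvcnRsYW5kMR0wGwYDVQQKExRS"
    "Q0JKIENvbnN1bHRpbmcsIExMQzELMAkGA1UECxMCSVQxFjAUBgNVBAMTDUR1bW15"
    "RFNpZ0NlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALd4DQWC6PtcA9NX"
    "zpBvcv9jfDXHBpr9k9DWSe5qI5N8HPZ+8ArAyRURz9+cEz7yWcjL7WY0KzLrBrx9"
    "Xwn0Ss2Y+xyPfvVKCxVTkPF5kSLfwIWl3oL1bAVyMNyV1aB4GL7tWAHEe8E7y6dj"
    "KTP2EZwRyUWHHjyKycqDxKADaKWXAgMBAAGjgd4wgdswDAYDVR0TBAUwAwEB/zAd"
    "BgNVHQ4EFgQUx+xJOYF+4DagDezOpMX5lwcCsxEwgZ4GA1UdIwSBljCBk4AUx+xJ"
    "OYF+4DagDezOpMX5lwcCsxGhdaRzMHExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJP"
    "UjERMA8GA1UEBxMIUG9ydGxhbmQxHTAbBgNVBAoTFFJDQkogQ29uc3VsdGluZywg"
    "TExDMQswCQYDVQQLEwJJVDEWMBQGA1UEAxMNRHVtbXlEU2lnQ2VydIIEdOq6LjAL"
    "BgNVHQ8EBAMCArwwDQYJKoZIhvcNAQEFBQADgYEAnPAuf0VmKv8gIxmHbE5D6ljy"
    "AHXXVpah6JWonJelmsrXMrkQygudnOEWYI4VjbMFWJ0Oatnx1krYv3M8Xs25xviO"
    "Te+jjALLMiq6T/BBU7iz+/WN9UZPJnd12DwrLE5+bXMvdRHlwVkU1krnbuhaIyZl"
    "2qlcCsrOqCYRfEqXqe8="
)
# Constructed envelope: the token sits in the wsse:Security header as in the post.
SOAP_ENVELOPE = f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header><wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">
    <wsse:BinarySecurityToken wsu:Id="SecurityToken-8167d7ab-58bc-4845-b731-99f7f3e29d9c"
        EncodingType="{BASE64}" ValueType="{X509V3}">{BST_B64}</wsse:BinarySecurityToken>
  </wsse:Security></soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def _read_tlv(buf, off):
    """One DER tag-length header at off -> (tag, content_start, content_end)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes that follow
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("bad DER length")
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("DER length exceeds data")
    return tag, off, off + length


def der_certificate_serial(der):
    """Certificate -> tbsCertificate -> serialNumber; rejects bad outer framing."""
    tag, start, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):  # truncated or appended bytes land here
        raise ValueError("not a single DER SEQUENCE")
    tag, tbs, _ = _read_tlv(der, start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, s, e = _read_tlv(der, tbs)
    if tag == 0xA0:  # [0] EXPLICIT version (v3 here); absent means v1
        tag, s, e = _read_tlv(der, e)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(der[s:e], "big", signed=True)


def extract_x509_tokens(envelope_xml):
    """DER bytes of every X509v3 BinarySecurityToken. The text is sender-controlled:
    whitespace is tolerated, anything else not strict base64 is rejected, and the DER
    framing is checked before use. Parse with defusedxml if the envelope is untrusted."""
    ders = []
    for bst in ET.fromstring(envelope_xml).iter(f"{{{WSSE_NS}}}BinarySecurityToken"):
        if bst.get("ValueType") != X509V3:
            continue  # some other token type (Kerberos, SAML ...), not a certificate
        if bst.get("EncodingType") != BASE64:
            raise ValueError(f"unsupported EncodingType {bst.get('EncodingType')!r}")
        der = base64.b64decode("".join((bst.text or "").split()), validate=True)
        der_certificate_serial(der)  # raises ValueError on malformed framing
        ders.append(der)
    return ders


def der_to_pem(der):
    """RFC 7468 layout: header, base64 wrapped at 64 columns, footer
    (ssl.DER_cert_to_PEM_cert in the standard library emits the same text)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem):
    return ssl.PEM_cert_to_DER_cert(pem)  # round trip through the stdlib PEM reader


def convert_envelope(envelope_xml):
    return [der_to_pem(der) for der in extract_x509_tokens(envelope_xml)]


if __name__ == "__main__":
    for pem in convert_envelope(SOAP_ENVELOPE):
        print(pem, end="")  # pipe into: openssl x509 -noout -text
```

Run it and pipe the output into openssl x509 -noout -text; der_certificate_serial() on the decoded bytes returns the same 0x74eaba2e that openssl printed above. The framing check is the part worth keeping: a token that has been truncated, or had bytes appended, still decodes as base64, but its outer SEQUENCE length no longer matches the data, and it is better to fail there with a clear error than inside a signature-verification library.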