Friday, September 8, 2017

Automate OpenSSL to pull a certificate thumbprint for an OIDC IDP

How to automatically pull the certificate thumbprint for an OpenID Connect provider's certificate (the last certificate in the chain the JWKS host presents, which is the one the AWS procedure tells you to fingerprint) instead of the manual process described at http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html

You could use this process along with 'aws iam update-open-id-connect-provider-thumbprint' to automate regularly pulling the certificate from your IdP and updating its thumbprint in IAM. Keep in mind that automation like this pins whatever chain the host presents at the moment the script runs, so have openssl verify the chain (or at least check the issuer) before you push a new thumbprint to IAM.

Code can be found at: https://github.com/walkerk1980/AWSScripts/blob/master/oidcThumbprint.pl

#!/usr/bin/perl
use strict;
use warnings;

# The purpose of this script is to automate the process described in the link below
# Use this script at your own risk
# Obtaining the Thumbprint for an OpenID Connect Identity Provider
# http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html

#requires a POSIX shell (the backtick commands run through it)
#requires curl
#requires jq package
#requires perl
#requires openssl

#set the oidc idp URL (the discovery document)
my $idpURL='https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration';

#fetch the discovery document and pull jwks_uri out of it with jq
my $cmd='curl -s ' . $idpURL . ' |jq -r \'.jwks_uri\'';
my $jwksURI=`$cmd`;
chomp $jwksURI;
die "could not read jwks_uri from $idpURL\n" unless $jwksURI =~ m{^https://};

#cut off prepended https://
my $fullURL=substr($jwksURI, 8);

#keep only the host part of the URL (drop the path)
my $hostURL=substr($fullURL, 0, index($fullURL, '/'));

#use s_client to get the certificate chain; -servername sends SNI, which
#shared hosts need in order to present the right certificate
$cmd='openssl s_client -servername ' . $hostURL . ' -showcerts -connect ' . $hostURL . ':443 </dev/null 2>/dev/null';
my $sslclientoutput=`$cmd`;

#collect every PEM block and keep the last one: that is the top-most
#certificate in the chain the server presents, which is the one the AWS
#procedure says to fingerprint
my @certs = $sslclientoutput =~ /(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)/sg;
die "no certificates returned by $hostURL\n" unless @certs;
my $lastcert=$certs[-1];

#create pem file (written directly instead of through echo, so the
#certificate text never passes through the shell)
open(my $pem, '>', 'oidcert.pem') or die "cannot write oidcert.pem: $!\n";
print $pem $lastcert, "\n";
close($pem);

#IAM wants the SHA-1 fingerprint, so ask for it explicitly instead of
#relying on openssl's default digest
$cmd='openssl x509 -sha1 -fingerprint -noout -in oidcert.pem';
my $opensslfinger=`$cmd`;
chomp $opensslfinger;

#cut off "SHA1 Fingerprint=" at the beginning
my $fingerprint=substr($opensslfinger, index($opensslfinger, '=')+1);

#get rid of colons; IAM expects 40 hex characters
$fingerprint =~ s/://g;

print $fingerprint, "\n";
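The same procedure written as a shell script, with the 'aws iam update-open-id-connect-provider-thumbprint' step mentioned above and a check that openssl actually verified the chain before anything gets pinned. This is an added example, not the post's own code or anything from the linked repository; it assumes curl, jq, openssl, awk and the AWS CLI are installed, and the discovery URL and provider ARN passed in at the bottom are placeholders.

```shell
#!/bin/bash
# Added example (not the original post's script): pull the SHA-1 thumbprint
# of the last certificate in the chain presented by an OIDC provider's JWKS
# host and push it to IAM.

# Read `openssl s_client -showcerts` output on stdin and print only the
# last PEM certificate block (the top-most cert the server sent).
last_cert_pem() {
  awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; keep = 1 }
       keep { buf = buf $0 "\n" }
       /-----END CERTIFICATE-----/ { keep = 0; last = buf }
       END { printf "%s", last }'
}

# Read one PEM certificate on stdin and print its SHA-1 fingerprint as
# 40 hex characters with the colons removed, which is the form IAM wants.
sha1_thumbprint() {
  openssl x509 -sha1 -fingerprint -noout | sed -e 's/^.*=//' -e 's/://g'
}

# Discovery URL in, thumbprint out. Fails (non-zero) if jwks_uri is missing
# or if openssl could not validate the chain against the local CA store,
# so a spoofed or broken chain is never pinned automatically.
oidc_thumbprint() {
  config_url="$1"
  jwks_host=$(curl -sS "$config_url" | jq -r '.jwks_uri' | awk -F/ '{ print $3 }')
  if [ -z "$jwks_host" ]; then
    echo "no jwks_uri found in $config_url" >&2
    return 1
  fi
  # -servername sends SNI; shared hosts need it to present the right cert.
  chain=$(openssl s_client -servername "$jwks_host" -showcerts \
            -connect "$jwks_host:443" </dev/null 2>/dev/null)
  if ! printf '%s\n' "$chain" | grep -q 'Verify return code: 0 (ok)'; then
    echo "certificate chain for $jwks_host did not verify; not pinning it" >&2
    return 1
  fi
  thumb=$(printf '%s\n' "$chain" | last_cert_pem | sha1_thumbprint)
  case "$thumb" in
    [0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f])
      printf '%s\n' "$thumb" ;;
    *)
      echo "unexpected thumbprint '$thumb'" >&2
      return 1 ;;
  esac
}

# Replace the thumbprint list on an existing IAM OIDC provider.
update_iam_thumbprint() {
  provider_arn="$1"
  thumbprint="$2"
  aws iam update-open-id-connect-provider-thumbprint \
    --open-id-connect-provider-arn "$provider_arn" \
    --thumbprint-list "$thumbprint"
}

# Usage (placeholders, both assumed):
#   ./oidc-thumbprint.sh https://idp.example.com/.well-known/openid-configuration \
#       arn:aws:iam::123456789012:oidc-provider/idp.example.com
if [ "$#" -eq 2 ]; then
  tp=$(oidc_thumbprint "$1") || exit 1
  update_iam_thumbprint "$2" "$tp"
fi
```

Run it from cron or a scheduled job pointed at your own discovery URL and provider ARN; the verify check means a failed run leaves the existing thumbprint in place rather than replacing it with something openssl would not trust.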

