我对pyOpenSSL有点新鲜.我试图弄清楚如何将生成的套接字关联到ssl证书.verify_cb被调用,这使我可以访问证书和conn但是如何在发生这种情况时将这些事情联系起来:
cli,addr = self.server.accept()
我有一个我必须使用的API.API由HTTPS保护,并使用相互身份验证/客户端证书.我有一个PEM文件和一个CRT文件.
当我经常连接到服务器时,使用PyOpenSSL我没有问题,这里是代码:
import settings
from OpenSSL import SSL
import socket
def verify(conn, cert, errnum, depth, ok):
# This obviously has to be updated
print 'Got certificate: %s' % cert.get_subject()
return ok
def password_callback(maxlen, verify, extra):
print (maxlen, verify, extra)
return settings.DEPOSIT_CODE
context = SSL.Context(SSL.SSLv23_METHOD)
context.set_verify(SSL.VERIFY_NONE, verify)
context.set_passwd_cb(password_callback)
context.use_certificate_file(settings.CLIENT_CERT_FILE)
context.use_privatekey_file(settings.PEM_FILE)
sock = SSL.Connection(context, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
sock.connect(("someserver.com",443))
http_get_request = """
GET / HTTP/1.1
"""
sock.write(http_get_request)
print sock.recv(1000)
但是,因为这是一个带有客户端证书的HTTPS API,我已经为它实现了一个开启工具,以某种方式修改的代码在这里:
import settings
import socket
import urllib2
def verify(conn, cert, errnum, depth, ok):
# …我正在python2和pyOpensSSL中编写一个测试装置,它实际上是一个SSL工厂。该文本装置创建其自己的CA证书和密钥,然后创建由该CA签名的证书。
目前,我无法使用openssl verify来验证证书。这就是我得到的:
server.pem: OU = Hosting Platform CA Testing, CN = test.com
error 7 at 0 depth lookup:certificate signature failure
139891057788744:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
139891057788744:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:797:
139891057788744:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:221:
CA以及证书的密钥生成如下:
def createKey(self):
self.key = OpenSSL.crypto.PKey()
self.key.generate_key(OpenSSL.crypto.TYPE_RSA, self.bits)
我已经验证了-subject,-subject-hash,-issuer并-issuer-hash为证书和发行者CA证书两种:
server.pem:
subject= /OU=Hosting Platform CA Testing/CN=test.com
e209e907
issuer= /C=US/ST=Arizona/L=Gilbert/O=GoDaddy Hosting Platform/OU=Hosting Platform CA Testing/CN=ca.reveller.me
f04ea969
/etc/pki/tls/certs/f04ea969.0:
subject= /C=US/ST=Arizona/L=Gilbert/O=GoDaddy Hosting Platform/OU=Hosting Platform CA Testing/CN=ca.reveller.me
f04ea969
issuer= /C=US/ST=Arizona/L=Gilbert/O=GoDaddy Hosting Platform/OU=Hosting …最近在SSL 3中发现了一个漏洞,Apple决定将其关闭以进行推送通知(APNS).以下是2014年10月22日发布的公告.
在过去的几天里,我的开发推送服务器因此异常而崩溃:
Traceback (most recent call last):
File "/var/django/current/manage.py", line 12, in <module>
execute_from_command_line(sys.argv)
File "/var/django/shared/env/local/lib/python2.7/site-packages/django/core/management/__init__.py", line 399, in execute_from_command_line
utility.execute()
File "/var/django/shared/env/local/lib/python2.7/site-packages/django/core/management/__init__.py", line 392, in execute
self.fetch_command(subcommand).run_from_argv(self.argv)
File "/var/django/shared/env/local/lib/python2.7/site-packages/django/core/management/base.py", line 242, in run_from_argv
self.execute(*args, **options.__dict__)
File "/var/django/shared/env/local/lib/python2.7/site-packages/django/core/management/base.py", line 285, in execute
output = self.handle(*args, **options)
File "/var/django/releases/7f093a6773161ea21d18c502eaf1a38c76749314/my_app/management/commands/load_apns_feedback.py", line 35, in handle
for ios_push_notification_hex_token, unavailability_detected_at in feedback_service.feedback():
File "/var/django/shared/env/local/lib/python2.7/site-packages/apnsclient/apns.py", line 696, in feedback
self._connection.refresh()
File "/var/django/shared/env/local/lib/python2.7/site-packages/apnsclient/apns.py", line 269, in refresh
self._ensure_socket_open()
File "/var/django/shared/env/local/lib/python2.7/site-packages/apnsclient/apns.py", line 262, in _ensure_socket_open …我正在尝试在python3上创建一个非分离签名。我目前有使用m2crypto在python2上执行此操作的代码,但是m2crypto不适用于python3。
我一直在尝试rsa,pycrypto和openssl,但尚未找到找到方法。
这是等效的OpenSSL命令:
openssl smime -sign -signer $CRTFILE -inkey $KEYFILE -outformDER -nodetach
这nodetach是我无法使用rsa,pyopenssl或pycrypto模仿的选项。
有人在python3上这样做吗?我想避免使用Popen + openssl。
我需要按颁发者过滤传入的 X509 证书,为此我使用 Pyhton 的 OpenSSL.crypto。但是,我没有找到如何创建 X509Name 对象作为常量,我需要将其与从 cert.get_issuer() 获得的值进行比较。
所以我正在尝试使用OpenSSL加密模块使用以下代码生成新的CA证书:
#warning: this block is background information, probably not
#where my real problem is
#generate the key pair
key=OpenSSL.crypto.PKey()
key.generate_key(OpenSSL.crypto.TYPE_RSA,2048)
#print the private and public keys as PEMs
print(codecs.decode(OpenSSL.crypto.dump_publickey(OpenSSL.crypto.FILETYPE_PEM,key),'utf8'))
print(codecs.decode(OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM,key),'utf8'))
#generate a new x509 certificate
ca=OpenSSL.crypto.X509()
#fill it with goodies
ca.set_version(3)
ca.set_serial_number(1)
ca.get_subject().CN = "CA.test.com"
ca.gmtime_adj_notBefore(0)
ca.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 10)
ca.set_issuer(ca.get_subject())
ca.set_pubkey(key)
#print the new certificate as a PEM
print(codecs.decode(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM,ca),'utf8'))
打印出来的证书在SSLShopper证书解码器上解码好,所以我对这部分感到非常自信.当我尝试用证书签名时,麻烦真的开始了
ca.sign(key, 'sha1')
因为我得到了一个"期望类型'字节',而不是来自IDE的'str'.检查OpenSSL.crypto.X509.sign()文档并确认它确实需要一个bytes对象,切换到
digestname='sha1'.encode('utf-8')
ca.sign(key, digestname)
我得到一个"AttributeError:'bytes'对象没有属性'encode'"异常.单步执行代码,我发现在OpenSSL._util.byte_string()中抛出了异常,因为
if …"""Python HTTPS server"""
from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl
# https://stackoverflow.com/a/40822838/2715716
HTTPD = HTTPServer(('localhost', 4443), SimpleHTTPRequestHandler)
# Ubuntu on Windows:
# - Generate key:
# `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365`
# - Strip passphrase:
# `openssl rsa -in key.pem -out key-no-pass.pem`
HTTPD.socket = ssl.wrap_socket(HTTPD.socket,
keyfile='key-no-pass.pem', certfile='cert.pem', server_side=True)
HTTPD.serve_forever()
上面给出了ssl.SSLError:[X509:KEY_VALUES_MISMATCH]键值不匹配(_ssl.c:2846).有没有办法知道不匹配的价值?
我试着用openssl verify -verbose -CAfile cert.pem它希望它告诉我哪些值不匹配,但我不知道使用它和我写的命令只是打开一些互动提示.
我对证书或Python一无所知,我只做过python -m SimpleHTTPServer.这是我试图获得一个自签名证书,以便Chrome可以让我不得不使用HTTPS来处理一些WebRTC localhost.
问题
当我运行你 python3 应用程序时,它显示
File "/usr/local/lib/python3.6/ssl.py", line 101, in <module>
import _ssl # if we can't import it, let the error propagate
ModuleNotFoundError: No module named '_ssl'
我试过的
安装依赖项
yum install openssl-devel
我还编辑了setup.py文件并重新编译了 python3
# Detect SSL support for the socket module (via _ssl)
search_for_ssl_incs_in = [
'/usr/local/ssl/include',
'/usr/local/include/openssl', #I've added this line
'/usr/contrib/ssl/include/'
]
我已经用路径配置编译了 openssl
#tar -xzvf openssl-***.tar.gz
#./config --prefix=/usr/local --openssldir=/usr/local/openssl
#make & make install
CentOS 7
蟒蛇 3.6
我需要在Ubuntu 16.04中使用openssl-1.1.1尝试python 3.7。python和openssl版本都是预发行版本。按照上一篇文章中有关如何统计将openssl链接到python 的说明,我下载了opnssl-1.1.1的源代码。然后导航到openssl的源代码并执行:
./config
sudo make
sudo make install
然后,编辑Modules/Setup.dist以取消注释以下行:
SSL=/usr/local/ssl
_ssl _ssl.c \
-DUSE_SSL -I$(SSL)/include -I$(SSL)/include/openssl \
-L$(SSL)/lib -lssl -lcrypto
然后下载python 3.7源代码。然后,在源代码中导航并执行:
./configure
make
make install
执行后make install,在终端输出的末尾出现此错误:
./python: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
generate-posix-vars failed
Makefile:596: recipe for target 'pybuilddir.txt' failed
make: *** [pybuilddir.txt] Error 1
我不知道问题出在哪里,我需要做什么。