我正在尝试用python实现x509证书验证。基本上,我只想生成公钥、私钥,然后使用私钥生成证书。然后我想用公钥验证该证书,并得到true/false。我从这里得到了密钥和证书生成的代码。里面的代码从这里开始尝试(有一个verifySignature函数(。这是我的全部代码
#verify csr pem using public and private key
import random
from OpenSSL import crypto
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa
import datetime
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
from cryptography.x509.oid import NameOID
import uuid
from cryptography import *
from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
from cryptography.exceptions import InvalidSignature
one_day = datetime.timedelta(1, 0, 0)
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
public_key = private_key.public_key()
builder = x509.CertificateBuilder()
builder = builder.subject_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'openstack-ansible Test CA'),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'openstack-ansible'),
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Default CA Deployment'),
]))
builder = builder.issuer_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'openstack-ansible Test CA'),
]))
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime(2020, 10, 2))
builder = builder.serial_number(int(uuid.uuid4()))
builder = builder.public_key(public_key)
builder = builder.add_extension(
x509.BasicConstraints(ca=True, path_length=None), critical=True,
)
certificate = builder.sign(
private_key=private_key, algorithm=hashes.SHA256(),
backend=default_backend()
)
print(isinstance(certificate, x509.Certificate))
with open("ca.key", "wb") as f:
f.write(private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.BestAvailableEncryption(b"openstack-ansible")
))
with open("ca.crt", "wb") as f:
f.write(certificate.public_bytes(
encoding=serialization.Encoding.PEM,
))
try:
issuerPublicKey = public_key
hashAlgorithm = hashes.SHA256()
tbsCertificate = certificate.tbs_certificate_bytes
subjectSignature = certificate.signature
padding = PKCS1v15()
print(issuerPublicKey.verify( subjectSignature,tbsCertificate, padding, hashAlgorithm ))
verifier = issuerPublicKey.verify( subjectSignature,tbsCertificate, padding, hashAlgorithm )
# verifier.update( tbsCertificate )
verifier.verify()
print("true")
except InvalidSignature as e:
print(e)
except Exception as e:
print(e)
代码中的问题是您试图打印None值(这是验证返回的值(。
以下verify_self_signed_x509_certificate函数将以正确的方式调用所有内容,以便返回bool,无论证书是否正确自签名
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
def verify_self_signed_x509_certificate(public_certificate: x509.Certificate) -> bool:
return verify_external_signed_x509_certificate(public_certificate, public_certificate)
def verify_external_signed_x509_certificate(public_certificate: x509.Certificate, parent_certificate: x509.Certificate) -> bool:
tbs_certificate_bytes = public_certificate.tbs_certificate_bytes
signature = public_certificate.signature
pad = padding.PKCS1v15()
parent_public_key = parent_certificate.public_key()
if not isinstance(parent_public_key, RSAPublicKey):
raise Exception('Key is not an RSA public key')
try:
parent_public_key.verify(
signature,
tbs_certificate_bytes,
pad,
hashes.SHA256()
)
return True
except:
return False