Converting a certificate signing request to cryptography.x509.base.CertificateSigningRequest



Step 1. I have generated a certificate signing request (CSR) using the cryptography library.


from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization

csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
    # Provide various details about who we are.
    x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"California")
])).add_extension(
    x509.SubjectAlternativeName([
        # Describe what sites we want this certificate for.
        x509.DNSName(u"mysite.com"),
    ]),
    critical=False
)
type(csr) = cryptography.x509.base.CertificateSigningRequestBuilder

Step 2. Then I signed the certificate

cert = csr.sign(private_key, hashes.SHA256())

It is now of type:

type(cert) = CertificateSigningRequest

Step 3. The CSR needs to be serialized; the data can be written to a file to be saved or sent over the network

serialized = cert.public_bytes(
    serialization.Encoding.PEM
)

Type:

type(serialized) = bytes

Saving the certificate

with open('cert_name.cert', 'wb') as f:
    f.write(serialized)

The problem appears when I need to read the certificate in order to get another signature.

with open('cert_name.cert', 'rb') as f:
    load_cert = f.read()
type(load_cert) = byte

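I think that, in step 2, load_cert needs to be of type cryptography.x509.base.CertificateSigningRequestBuilder in order to be signed and then, in step 3, it will be serialized to be saved again.
How can I convert load_cert to type cryptography.x509.base.CertificateSigningRequestBuilder so that it is ready for signing? Or can anyone suggest an alternative to the flow described here?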

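I'm not sure why you want to sign the CSR multiple times; it should be signed once by you and then validated by a CA, which will give you a certificate. This tutorial might clear things up for you.

To deserialize the CSR, you should do the following:

import cryptography.x509

with open('cert_name.cert', 'rb') as f:
    data = f.read()
load_cert = cryptography.x509.load_pem_x509_csr(data)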

You can verify that the deserialized CSR already has a signature with the following:

load_cert.is_signature_valid
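
The flow the answer describes (sign the CSR once, load it from PEM, check its signature, have a CA issue the certificate), as an added example that is not part of the original question or answer. The function names, the throwaway CA key, the CA name "Example Test CA" and the 30-day validity are assumptions made for illustration.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

# Hypothetical helper names; keys and the CA name below are constructed test values.

def make_csr_pem(key):
    """Requester side: build the CSR, sign it once, serialize it to PEM."""
    csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "California"),
    ])).add_extension(
        x509.SubjectAlternativeName([x509.DNSName("mysite.com")]),
        critical=False,
    ).sign(key, hashes.SHA256())
    return csr.public_bytes(serialization.Encoding.PEM)


def issue_from_csr(csr_pem, ca_key, ca_name, days=30):
    """CA side: load the PEM CSR, check its self-signature, issue a certificate."""
    csr = x509.load_pem_x509_csr(csr_pem)  # CertificateSigningRequest, not a builder
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not match its public key")
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_name)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
    )
    # Copy only the SAN extension; a real CA decides by policy what to accept.
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    builder = builder.add_extension(san.value, critical=san.critical)
    return builder.sign(ca_key, hashes.SHA256())


def demo():
    requester_key = ec.generate_private_key(ec.SECP256R1())
    ca_key = ec.generate_private_key(ec.SECP256R1())  # throwaway CA key
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    cert = issue_from_csr(make_csr_pem(requester_key), ca_key, ca_name)
    return cert, requester_key, ca_key
```

The loaded CSR is never re-signed: the CA reads its subject, public key and extensions and signs a new Certificate with its own key.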
