如何从BaseHTTPRequestHandler python获取x509.Certificate


I am setting up an HTTPS/TLS server with Python 2.7.5. However, I am trying to use a custom class, "CustomHandler", that extends BaseHTTPRequestHandler so that a single Python application can serve both HTML and a REST API. I am stuck on exactly which method to call in BaseHTTPRequestHandler to get the user/client certificate as an x509.Certificate object. Ultimately I want the complete user/client DN from Python's SSLSocket object.

I found that self.connection.getpeercert() returns a dictionary object like

{'issuer': ((('countryName', 'IL'),),
            (('organizationName', 'StartCom Ltd.'),),
            (('organizationalUnitName',
              'Secure Digital Certificate Signing'),),
            (('commonName',
              'StartCom Class 2 Primary Intermediate Server CA'),)),
 'notAfter': 'Nov 22 08:15:19 2013 GMT',
 'notBefore': 'Nov 21 03:09:52 2011 GMT',
 'serialNumber': '95F0',
 'subject': ((('description', '571208-SLe257oHY9fVQ07Z'),),
             (('countryName', 'US'),),
             (('stateOrProvinceName', 'California'),),
             (('localityName', 'San Francisco'),),
             (('organizationName', 'Electronic Frontier Foundation, Inc.'),),
             (('commonName', '*.eff.org'),),
             (('emailAddress', 'hostmaster@eff.org'),)),
 'subjectAltName': (('DNS', '*.eff.org'), ('DNS', 'eff.org')),
 'version': 3}
Setup to get it working

sudo apt-get install python
sudo apt-get install python-pip
pip install cryptography

# Generate Certificates - Root Certificate
sudo openssl req -out ca.pem -new -x509
...Generating a 2048 bit RSA private key
........................+++
.........+++
...writing new private key to 'privkey.pem'
...Enter PEM pass phrase:password
...Verifying - Enter PEM pass phrase:password
...-----
...You are about to be asked to enter information that will be incorporated
...into your certificate request.
...What you are about to enter is what is called a Distinguished Name or a DN.
...There are quite a few fields but you can leave some blank
...For some fields there will be a default value,
...If you enter '.', the field will be left blank.
...-----
...Country Name (2 letter code) [AU]:US
...State or Province Name (full name) [Some-State]:Florida
...Locality Name (eg, city) []:Tampa
...Organization Name (eg, company) [Internet Widgits Pty Ltd]:Home
...Organizational Unit Name (eg, section) []:Development
...Common Name (e.g. server FQDN or YOUR name) []:Home Development
...Email Address []:admin@homeoffice.com
# IMPORT THE ca.pem file into your browser's Certificate Authorities

# Generate Certificates - Server certificates
# 1024-bit RSA is below current minimums (OpenSSL security level 2 rejects it); use 2048 or larger outside a throwaway lab
sudo openssl genrsa -out server.key 1024
sudo openssl req -key server.key -new -out server.req
...You are about to be asked to enter information that will be incorporated
...into your certificate request.
...What you are about to enter is what is called a Distinguished Name or a DN.
...There are quite a few fields but you can leave some blank
...For some fields there will be a default value,
...If you enter '.', the field will be left blank.
...-----
...Country Name (2 letter code) [AU]:US
...State or Province Name (full name) [Some-State]:Florida
...Locality Name (eg, city) []:Tampa
...Organization Name (eg, company) [Internet Widgits Pty Ltd]:Home
...Organizational Unit Name (eg, section) []:Development
...Common Name (e.g. server FQDN or YOUR name) []:homeoffice.com
...Email Address []:info@homeoffice.com
...
...Please enter the following 'extra' attributes
...to be sent with your certificate request
...A challenge password []:
...An optional company name []:
vi file.srl
...00
vi server.ext
...authorityKeyIdentifier=keyid,issuer
...basicConstraints=CA:FALSE
...keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
...subjectAltName = @alt_names
...
...[alt_names]
...DNS.1 = homeoffice.com
sudo openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.pem -days 1825 -sha256 -extfile server.ext
...Signature ok
...subject=C = US, ST = Florida, L = Tampa, O = Home, OU = Development, CN = Home Development, emailAddress = info@homeoffice.com
...Getting CA Private Key
...Enter pass phrase for privkey.pem:password

# Generate Certificates - Client Certificates
sudo openssl genrsa -des3 -out client.key 1024
...Generating RSA private key, 1024 bit long modulus
......................................++++++
.....................................++++++
...e is 65537 (0x010001)
...Enter pass phrase for client.key:password
...Verifying - Enter pass phrase for client.key:password
sudo openssl req -key client.key -new -out client.req
...Enter pass phrase for client.key:password
...You are about to be asked to enter information that will be incorporated
...into your certificate request.
...What you are about to enter is what is called a Distinguished Name or a DN.
...There are quite a few fields but you can leave some blank
...For some fields there will be a default value,
...If you enter '.', the field will be left blank.
...-----
...Country Name (2 letter code) [AU]:US
...State or Province Name (full name) [Some-State]:Florida
...Locality Name (eg, city) []:Tampa
...Organization Name (eg, company) [Internet Widgits Pty Ltd]:Home
...Organizational Unit Name (eg, section) []:Development
...Common Name (e.g. server FQDN or YOUR name) []:Smith John J jjsmith3
...Email Address []:jjsmith3@yahoo.com
...
...Please enter the following 'extra' attributes
...to be sent with your certificate request
...A challenge password []:
...An optional company name []:
# Note: without -days the signed certificate is valid for only 30 days (the openssl x509 -req default),
# and without -extfile the client certificate carries no extensions at all
sudo openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.pem
...Signature ok
...subject=C = US, ST = Florida, L = Tampa, O = Home, OU = Development, CN = Home Development, emailAddress = email@domain.com
...Getting CA Private Key
...Enter pass phrase for privkey.pem:password
sudo openssl pkcs12 -export -out client.p12 -in client.pem -inkey client.key
...Enter pass phrase for client.key:password
...Enter Export Password:password
...Verifying - Enter Export Password:password
# IMPORT THE client.p12 file into your browser's Personal Certificates

# change ownership of sudo-created files to your user
sudo chown user:group *
# add support to access local application by fqdn
# the >> redirect runs as the unprivileged user, so `sudo echo ... >> /etc/hosts` fails with "Permission denied";
# pipe through tee instead
echo "127.0.0.1       homeoffice.com" | sudo tee -a /etc/hosts

Here is the code I used to get it working

from BaseHTTPServer import BaseHTTPRequestHandler
import BaseHTTPServer, SimpleHTTPServer
import ssl
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.backends import default_backend

class CustomHandler(BaseHTTPRequestHandler):
    def do_HEAD(self):
        self.send_response(200)
        self.send_header('Content-Type', 'text/html')
        self.end_headers()

    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-Type', 'text/html')
        self.end_headers()
        # Need an x509.Certificate here, not a dict
        print(self.connection.getpeercert())
        # getpeercert(True) returns the peer certificate as DER bytes,
        # which cryptography can load directly
        that = x509.load_der_x509_certificate(self.connection.getpeercert(True), default_backend())
        print(that.issuer.rfc4514_string())
        print(that.subject.rfc4514_string())
        # write the file's contents, not the file object
        self.wfile.write(open("index.html", "r").read())

    def do_POST(self):
        cert_dict = self.connection.getpeercert()
        # Need an x509.Certificate here, not a dict
        print(cert_dict)
        # answer the request so the client does not hang
        self.send_response(200)
        self.end_headers()

httpd = BaseHTTPServer.HTTPServer(('homeoffice.com', 4443), CustomHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, keyfile='./server.key', certfile='./server.pem',
                               server_side=True, cert_reqs=ssl.CERT_REQUIRED,
                               ssl_version=ssl.PROTOCOL_TLSv1_2, ca_certs='./ca.pem',
                               do_handshake_on_connect=True, suppress_ragged_eofs=True)
httpd.serve_forever()
I would like self.connection.getpeercert() to return an x509.Certificate object instead of a dictionary object. I would rather use a class that already exists than write custom code to parse the dictionary.

Update: links I found helpful while searching
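Reading the dict directly, as an added example that is not part of the original post and uses only the standard library: the nested tuples that getpeercert() returns are turned into an RFC 4514 DN string (same RDN order and escaping that cryptography's Name.rfc4514_string() produces), the subjectAltName entries and validity window are read out, and the None / {} results that getpeercert() gives for a missing or unvalidated certificate are handled instead of being indexed blindly. SAMPLE_PEERCERT is constructed here from the dict shown in the question (it is the example in the Python ssl docs); all function names are this example's own.

```python
import ssl
import time

# Sample input, constructed for this example from the getpeercert() dict
# shown in the question (the example dict in the Python ssl docs).
SAMPLE_PEERCERT = {
    'issuer': ((('countryName', 'IL'),),
               (('organizationName', 'StartCom Ltd.'),),
               (('organizationalUnitName', 'Secure Digital Certificate Signing'),),
               (('commonName', 'StartCom Class 2 Primary Intermediate Server CA'),)),
    'notAfter': 'Nov 22 08:15:19 2013 GMT',
    'notBefore': 'Nov 21 03:09:52 2011 GMT',
    'serialNumber': '95F0',
    'subject': ((('description', '571208-SLe257oHY9fVQ07Z'),),
                (('countryName', 'US'),),
                (('stateOrProvinceName', 'California'),),
                (('localityName', 'San Francisco'),),
                (('organizationName', 'Electronic Frontier Foundation, Inc.'),),
                (('commonName', '*.eff.org'),),
                (('emailAddress', 'hostmaster@eff.org'),)),
    'subjectAltName': (('DNS', '*.eff.org'), ('DNS', 'eff.org')),
    'version': 3,
}

# RFC 4514 short names for the attribute types ssl reports by long name;
# anything else (description, emailAddress, ...) keeps its long name.
_SHORT = {
    'commonName': 'CN', 'countryName': 'C', 'localityName': 'L',
    'stateOrProvinceName': 'ST', 'organizationName': 'O',
    'organizationalUnitName': 'OU', 'domainComponent': 'DC',
    'streetAddress': 'STREET', 'userId': 'UID',
}


def escape_dn_value(value):
    """Escape one attribute value per RFC 4514 section 2.4, so a value that
    itself contains ',' or '+' cannot be read as an RDN separator."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\"+,;<>' or (i == 0 and ch in '# ') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def dn_string(name):
    """ssl's nested RDN tuples -> RFC 4514 string.

    getpeercert() lists RDNs in certificate (DER) order; RFC 4514 writes them
    in reverse, so the CN comes first, the same order cryptography's
    Name.rfc4514_string() produces. Attributes inside one RDN join with '+'.
    """
    rdns = []
    for rdn in reversed(name):
        rdns.append('+'.join('%s=%s' % (_SHORT.get(t, t), escape_dn_value(v)) for t, v in rdn))
    return ','.join(rdns)


def san_names(cert, kind='DNS'):
    """Values of one subjectAltName type ('DNS', 'email', 'IP Address', ...)."""
    return [v for t, v in cert.get('subjectAltName', ()) if t == kind]


def is_within_validity(cert, now=None):
    """True if `now` (epoch seconds, default: current time) lies inside the
    notBefore..notAfter window. The handshake already enforced this at
    connect time; re-checking matters for long-lived or cached sessions."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert['notBefore'])
    not_after = ssl.cert_time_to_seconds(cert['notAfter'])
    return not_before <= now <= not_after


def describe_peer(cert):
    """The identity fields a handler would log or authorize on.

    getpeercert() returns None when the peer sent no certificate and {} when
    it sent one the socket did not validate (CERT_NONE); both count as
    anonymous here rather than being guessed at.
    """
    if not cert:
        return None
    return {
        'subject': dn_string(cert['subject']),
        'issuer': dn_string(cert['issuer']),
        'serial': cert.get('serialNumber'),
        'dns': san_names(cert),
        'valid_now': is_within_validity(cert),
    }
```

Inside a handler this is `describe_peer(self.connection.getpeercert())`; the `valid_now` flag for the sample is False because that certificate expired in 2013.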

You could try PyOpenSSL

import OpenSSL.crypto

# getpeercert(True) returns the peer certificate in DER form, i.e. FILETYPE_ASN1
x509_cert = OpenSSL.crypto.load_certificate(
    OpenSSL.crypto.FILETYPE_ASN1, self.connection.getpeercert(True)
)
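The same step carried through with cryptography instead of PyOpenSSL, as an added example that is not from the answer above or from the original post (if PyOpenSSL is preferred, its X509 object has a to_cryptography() method since pyOpenSSL 17.1 that yields the same cryptography object): the DER bytes from getpeercert(True) are parsed into an x509.Certificate; subject and issuer DN, serial, SAN e-mail, the clientAuth EKU and the SHA-256 fingerprint are pulled out; and a Python 3 handler plus an SSLContext-based server (replacing the deprecated ssl.wrap_socket) show where that goes. The function names, the 127.0.0.1:4443 binding and the in-memory CA and client certificate built by make_test_pki() are assumptions for this example; the file names ca.pem / server.pem / server.key follow the setup in the question.

```python
import datetime
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def load_peer_cert(der_bytes):
    """DER bytes from SSLSocket.getpeercert(binary_form=True) -> x509.Certificate."""
    return x509.load_der_x509_certificate(der_bytes, default_backend())


def peer_identity(cert):
    """Fields a handler would log or authorize on, read from the parsed cert."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        emails = san.get_values_for_type(x509.RFC822Name)
    except x509.ExtensionNotFound:
        emails = []
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        client_auth = ExtendedKeyUsageOID.CLIENT_AUTH in eku
    except x509.ExtensionNotFound:
        client_auth = False  # the openssl client step above sets no EKU; policy decision
    return {
        'subject': cert.subject.rfc4514_string(),  # RDNs in reverse DER order, CN first
        'issuer': cert.issuer.rfc4514_string(),
        'serial': format(cert.serial_number, 'x'),
        'emails': emails,
        'client_auth': client_auth,
        'sha256': cert.fingerprint(hashes.SHA256()).hex(),
    }


class CustomHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # With CERT_REQUIRED the handshake already validated the chain against
        # ca.pem; None only occurs under CERT_OPTIONAL when the client sent nothing.
        der = self.connection.getpeercert(binary_form=True)
        if der is None:
            self.send_error(401, 'client certificate required')
            return
        who = peer_identity(load_peer_cert(der))
        self.send_response(200)
        self.send_header('Content-Type', 'text/plain')
        self.end_headers()
        self.wfile.write(('hello %s (issued by %s)\n' % (who['subject'], who['issuer'])).encode())


def make_server(bind=('127.0.0.1', 4443), certfile='./server.pem',
                keyfile='./server.key', cafile='./ca.pem'):
    """SSLContext is the supported replacement for ssl.wrap_socket()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED  # client must present a cert chaining to cafile
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(cafile)
    httpd = HTTPServer(bind, CustomHandler)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    return httpd


def _name(cn):
    return x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, 'US'),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, 'Home'),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, 'Development'),
        x509.NameAttribute(NameOID.COMMON_NAME, cn),
    ])


def make_test_pki():
    """Constructed in-memory CA and client certificate (the shape the openssl
    steps in the question produce on disk), returned as DER bytes."""
    ca_key = rsa.generate_private_key(65537, 2048, default_backend())
    client_key = rsa.generate_private_key(65537, 2048, default_backend())
    now = datetime.datetime.utcnow()
    ca_name = _name('Home Development')
    ca = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
          .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
          .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
          .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
          .sign(ca_key, hashes.SHA256(), default_backend()))
    client = (x509.CertificateBuilder().subject_name(_name('Smith John J jjsmith3'))
              .issuer_name(ca_name).public_key(client_key.public_key())
              .serial_number(x509.random_serial_number())
              .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30))
              .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
              .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
              .add_extension(x509.SubjectAlternativeName([x509.RFC822Name('jjsmith3@yahoo.com')]), critical=False)
              .sign(ca_key, hashes.SHA256(), default_backend()))
    return (ca.public_bytes(serialization.Encoding.DER),
            client.public_bytes(serialization.Encoding.DER))
```

`make_server().serve_forever()` starts it with the files from the setup; `curl --cacert ca.pem --cert client.pem --key client.key https://homeoffice.com:4443/` exercises it once the /etc/hosts entry is in place. Because verify_mode is CERT_REQUIRED, a client without a certificate chaining to ca.pem never reaches do_GET, so the DN the handler sees is one the CA vouched for.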