Как получить x509.Сертификат от питона BaseHTTPRequestHandler - PullRequest
1 голос
/ 31 мая 2019

Я настраиваю сервер HTTPS / TLS через python 2.7.5 с в этом примере . Тем не менее, я пытаюсь использовать пользовательский класс 'CustomHandler', который расширяет BaseHTTPRequestHandler для поддержки API-интерфейсов HTML и Rest в одном приложении Python. Я застрял на том, какие именно методы вызывать в BaseHTTPRequestHandler, чтобы получить сертификат пользователя / клиента как объект x509.Certificate. В конце концов, я хочу получить полное DN пользователя / клиента из объекта Python SSLSocket.

Я обнаружил, что self.connection.getpeercert () возвращает объект словаря, как задокументировано здесь

{'issuer': ((('countryName', 'IL'),),
            (('organizationName', 'StartCom Ltd.'),),
              'Secure Digital Certificate Signing'),),
              'StartCom Class 2 Primary Intermediate Server CA'),)),
 'notAfter': 'Nov 22 08:15:19 2013 GMT',
 'notBefore': 'Nov 21 03:09:52 2011 GMT',
 'serialNumber': '95F0',
 'subject': ((('description', '571208-SLe257oHY9fVQ07Z'),),
             (('countryName', 'US'),),
             (('stateOrProvinceName', 'California'),),
             (('localityName', 'San Francisco'),),
             (('organizationName', 'Electronic Frontier Foundation, Inc.'),),
             (('commonName', '*.eff.org'),),
             (('emailAddress', 'hostmaster@eff.org'),)),
 'subjectAltName': (('DNS', '*.eff.org'), ('DNS', 'eff.org')),
 'version': 3}

Настройка для работы ...

sudo apt-get install python
sudo apt-get install python-pip
pip install cryptography

# Generate Certificates - Root Certificate
sudo openssl req -out ca.pem -new -x509
...Generating a 2048 bit RSA private key
...writing new private key to 'privkey.pem'
...Enter PEM pass phrase:password
...Verifying - Enter PEM pass phrase:password
...You are about to be asked to enter information that will be incorporated
...into your certificate request.
...What you are about to enter is what is called a Distinguished Name or a DN.
...There are quite a few fields but you can leave some blank
...For some fields there will be a default value,
...If you enter '.', the field will be left blank.
...Country Name (2 letter code) [AU]:US
...State or Province Name (full name) [Some-State]:Florida
...Locality Name (eg, city) []:Tampa
...Organization Name (eg, company) [Internet Widgits Pty Ltd]:Home
...Organizational Unit Name (eg, section) []:Development
...Common Name (e.g. server FQDN or YOUR name) []:Home Development
...Email Address []:admin@homeoffice.com
# IMPORT THE ca.pem file into your browser's Certificate Authorities

# Generate Certificates - Server certificates
sudo openssl genrsa -out server.key 1024
sudo openssl req -key server.key -new -out server.req
...You are about to be asked to enter information that will be incorporated
...into your certificate request.
...What you are about to enter is what is called a Distinguished Name or a DN.
...There are quite a few fields but you can leave some blank
...For some fields there will be a default value,
...If you enter '.', the field will be left blank.
...Country Name (2 letter code) [AU]:US
...State or Province Name (full name) [Some-State]:Florida
...Locality Name (eg, city) []:Tampa
...Organization Name (eg, company) [Internet Widgits Pty Ltd]:Home
...Organizational Unit Name (eg, section) []:Development
...Common Name (e.g. server FQDN or YOUR name) []:homeoffice.com
...Email Address []:info@homeoffice.com
...Please enter the following 'extra' attributes
...to be sent with your certificate request
...A challenge password []:
...An optional company name []:
vi file.srl
vi server.ext
...keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
...subjectAltName = @alt_names
...DNS.1 = homeoffice.com
sudo openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.pem -days 1825 -sha256 -extfile server.ext
...Signature ok
...subject=C = US, ST = Florida, L = Tampa, O = Home, OU = Development, CN = Home Development, emailAddress = info@homeoffice.com
...Getting CA Private Key
...Enter pass phrase for privkey.pem:password

# Generate Certificates - Client Certificates
sudo openssl genrsa -des3 -out client.key 1024
...Generating RSA private key, 1024 bit long modulus
...e is 65537 (0x010001)
...Enter pass phrase for client.key:password
...Verifying - Enter pass phrase for client.key:password
sudo openssl req -key client.key -new -out client.req
...Enter pass phrase for client.key:password
...You are about to be asked to enter information that will be incorporated
...into your certificate request.
...What you are about to enter is what is called a Distinguished Name or a DN.
...There are quite a few fields but you can leave some blank
...For some fields there will be a default value,
...If you enter '.', the field will be left blank.
...Country Name (2 letter code) [AU]:US
...State or Province Name (full name) [Some-State]:Florida
...Locality Name (eg, city) []:Tampa
...Organization Name (eg, company) [Internet Widgits Pty Ltd]:Home
...Organizational Unit Name (eg, section) []:Development
...Common Name (e.g. server FQDN or YOUR name) []:Smith John J jjsmith3
...Email Address []:jjsmith3@yahoo.com
...Please enter the following 'extra' attributes
...to be sent with your certificate request
...A challenge password []:
...An optional company name []:
sudo openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.pem
...Signature ok
...subject=C = US, ST = Florida, L = Tampa, O = Home, OU = Development, CN = Home Development, emailAddress = email@domain.com
...Getting CA Private Key
...Enter pass phrase for privkey.pem:password
sudo openssl pkcs12 -export -out client.p12 -in client.pem -inkey client.key
...Enter pass phrase for client.key:password
...Enter Export Password:password
...Verifying - Enter Export Password:password
# IMPORT THE client.p12 file into your browser's Personal Certificates

# change ownership of sudo-created files to your user
sudo chown user:group *
# add support to access local application by fqdn
sudo echo "       homeoffice.com" >> /etc/hosts

Вот код, который я использую, чтобы попытаться заставить это работать.

from BaseHTTPServer import BaseHTTPRequestHandler
import BaseHTTPServer, SimpleHTTPServer
import ssl
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.backends import default_backend

class CustomHandler(BaseHTTPRequestHandler):
    def do_HEAD(self):
        self.send_header('Content-Type', 'text/html')
    def do_GET(self):
        self.send_header('Content-Type', 'text/html')
    # Need x509.Certificate here instead of dict
    that = x509.load_der_x509_certificate(self.connection.getpeercert(True), default_backend())
        self.wfile.write(open("index.html", "r"))
    def do_POST(self):
        cert_dict = self.connection.getpeercert()
        # Need x509.Certificate here instead of dict

httpd = BaseHTTPServer.HTTPServer(('homeoffice.com', 4443), CustomHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, keyfile='./server.key', certfile='./server.pem', server_side=True, cert_reqs=ssl.CERT_REQUIRED, ssl_version=ssl.PROTOCOL_TLSv1_2, ca_certs='./ca.pem', do_handshake_on_connect=True, suppress_ragged_eofs=True)

Мне бы хотелось, чтобы self.connection.getpeercert () возвратил объект x509.Certificate против объекта словаря. Я бы предпочел использовать уже существующие классы, а не писать собственный код для разбора словаря.

ОБНОВЛЕНО: ссылки, которые я нашел полезными во время исследования ...
