经过多次尝试,有些失败,有些部分成功,我找到了一种应该可行的方法(尽管没有使用自签名证书进行测试)。此外,我还清除了之前尝试的所有内容。
有两个必要的步骤:
-
使用获取服务器证书[Python 3.Docs]: (ssl.get_server_certificate(addr, ssl_version=PROTOCOL_TLS, ca_certs=None),它将其返回为PEM编码字符串(例如:我们的 -印刷漂亮):
'-----BEGIN CERTIFICATE-----'
'MIIIPjCCByagAwIBAgIICG/ofYt2G48wDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE'
'BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl'
...
'L2KuOvWZ40sTVCJdWPUMtT9VP7VHfLNTFft/IhR+bUPkr33xjOa0Idq6cL89oufn'
'-----END CERTIFICATE-----'
-
使用 (!!!无证!!!) ssl._ssl._test_decode_cert
(存在于Python 3 / Python 2)
-
由于这个事实ssl._ssl._test_decode_cert只能从文件中读取证书,需要执行 2 个额外步骤:
我想强调[Python 3.Docs]: SSLSocket.getpeercert(binary_form=False),其中包含大量信息(我上次错过了)。
另外,我还了解到ssl._ssl._test_decode_cert,通过查看SSLSocket.getpeercert执行 (“${PYTHON_SRC_DIR}/Modules/_ssl.c”).
代码00.py:
#!/usr/bin/env python
import itertools
import os
import socket
import ssl
import sys
def _get_tmp_cert_file_name(host, port):
return os.path.join(os.path.dirname(os.path.abspath(__file__)), "_".join(("cert", host, str(port), str(os.getpid()), ".crt")))
def _decode_cert(cert_pem, tmp_cert_file_name):
#print(tmp_cert_file_name)
with open(tmp_cert_file_name, "w") as fout:
fout.write(cert_pem)
try:
return ssl._ssl._test_decode_cert(tmp_cert_file_name)
except Exception as e:
print("Error decoding certificate:", e)
return dict()
finally:
os.unlink(tmp_cert_file_name)
def get_srv_cert_0(host, port=443):
try:
cert_pem = ssl.get_server_certificate((host, port))
except Exception as e:
print("Error getting certificate:", e)
return dict()
tmp_cert_file_name = _get_tmp_cert_file_name(host, port)
return _decode_cert(cert_pem, tmp_cert_file_name)
def get_srv_cert_1(host, port=443):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
context = ssl.SSLContext()
ssl_sock = context.wrap_socket(sock, server_hostname=host)
try:
ssl_sock.connect((host, port))
except Exception as e:
print("Error connecting:\n", e)
return dict()
try:
cert_der = ssl_sock.getpeercert(True)
except Exception as e:
print("Error getting cert:\n", e)
return dict()
tmp_cert_file_name = _get_tmp_cert_file_name(host, port)
return _decode_cert(ssl.DER_cert_to_PEM_cert(cert_der), tmp_cert_file_name)
def main(*argv):
domain = "google.com"
if argv:
print("Using custom method")
get_srv_cert_func = get_srv_cert_1
else:
print("Using regular method")
get_srv_cert_func = get_srv_cert_0
cert = get_srv_cert_func(domain)
print("====== peer's certificate ======")
try:
print("Issued To:", dict(itertools.chain(*cert["subject"]))["commonName"])
print("Issued By:", dict(itertools.chain(*cert["issuer"]))["commonName"])
print("Valid From:", cert["notBefore"])
print("Valid To:", cert["notAfter"])
if (cert == None):
print("no certificate")
except Exception as e:
print("Error getting certificate:", e)
if __name__ == "__main__":
print("Python {:s} {:03d}bit on {:s}\n".format(" ".join(elem.strip() for elem in sys.version.split("\n")),
64 if sys.maxsize > 0x100000000 else 32, sys.platform))
rc = main(*sys.argv[1:])
print("\nDone.")
sys.exit(rc)
Notes:
-
_get_tmp_cert_file_name:生成用于存储证书的临时文件名(与脚本位于同一目录中)
-
_解码_证书:将证书保存在文件中,然后对文件进行解码并返回结果dict
-
获取_srv_cert_0:从服务器获取证书,然后解码
-
获取_srv_cert_1: 同样的事情获取_srv_cert_0确实如此,但是“手动”
- 其优点是可以控制SSL上下文创建/操作(我认为这是要点的问题)
-
main:
Output:
(py35x64_test) e:\Work\Dev\StackOverflow\q050055935> "e:\Work\Dev\VEnvs\py35x64_test\Scripts\python.exe" ./code00.py
Python 3.5.4 (v3.5.4:3f56838, Aug 8 2017, 02:17:05) [MSC v.1900 64 bit (AMD64)] 064bit on win32
Using regular method
====== peer's certificate ======
Issued To: *.google.com
Issued By: Google Internet Authority G2
Valid From: Apr 10 18:58:05 2018 GMT
Valid To: Jul 3 18:33:00 2018 GMT
Done.
(py35x64_test) e:\Work\Dev\StackOverflow\q050055935> "e:\Work\Dev\VEnvs\py35x64_test\Scripts\python.exe" ./code00.py 1
Python 3.5.4 (v3.5.4:3f56838, Aug 8 2017, 02:17:05) [MSC v.1900 64 bit (AMD64)] 064bit on win32
Using custom method
====== peer's certificate ======
Issued To: *.google.com
Issued By: Google Internet Authority G2
Valid From: Apr 10 18:55:13 2018 GMT
Valid To: Jul 3 18:33:00 2018 GMT
Done.
Check [SO]:如何使用 python 解码 SSL 证书? (@CristiFati 的回答)仅用于解码部分。