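以下是一个使用 Python 的 cryptography 库实现的较为完整的 PKI 证书开发代码示例,涵盖了生成密钥对、创建自签名证书以及对证书进行简单验证的功能,代码是可运行的示例,你可以根据实际需求进一步拓展和完善它。需要注意:示例把私钥以未加密的 PEM 形式写入当前目录,并且自签名证书的签名校验只能说明证书自身一致,不能说明证书可信,因此仅适合在演示或测试环境中使用;运行前请对照所安装的 cryptography 版本核对各 API 名称。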
1. 生成密钥对代码
python
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
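def generate_key_pair():
    """Generate an RSA-2048 key pair and write both halves to PEM files.

    Writes ``private_key.pem`` (PKCS#8, unencrypted) and ``public_key.pem``
    (SubjectPublicKeyInfo) into the current working directory, then prints a
    confirmation message. Returns ``None``.
    """
    import os

    private_key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=2048,
        backend=default_backend()
    )

    # The private-key layout enum is serialization.PrivateFormat; there is no
    # serialization.Format, so the previous spelling raised AttributeError
    # before anything was written.
    private_pem = private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        # NOTE(review): the key is stored in the clear. Outside a demo, pass
        # serialization.BestAvailableEncryption(passphrase) here and supply
        # the same passphrase wherever the key is loaded.
        encryption_algorithm=serialization.NoEncryption()
    )

    # Create the file owner-readable only instead of relying on the process
    # umask. The mode applies when the file is created; an existing file
    # keeps its current permissions. O_BINARY exists only on Windows.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, 'O_BINARY', 0)
    fd = os.open('private_key.pem', flags, 0o600)
    with os.fdopen(fd, 'wb') as f:
        f.write(private_pem)

    # The public half is not secret, so default permissions are fine.
    public_key = private_key.public_key()
    with open('public_key.pem', 'wb') as f:
        f.write(public_key.public_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PublicFormat.SubjectPublicKeyInfo
        ))

    print("密钥对生成成功,已保存到相应文件。")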
2. 创建自签名证书代码
python
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.backends import default_backend
from datetime import datetime, timedelta
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
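def create_self_signed_certificate():
    """Build a self-signed X.509 certificate from ``private_key.pem``.

    Loads the unencrypted private key from ``private_key.pem``, issues a
    certificate whose subject and issuer are identical, signs it with
    SHA-256 and writes it to ``self_signed_certificate.pem``. The validity
    window is 365 days starting now. Returns ``None``.
    """
    # Imported locally under a private alias: when all listings are saved
    # into one file, a later module-level ``import datetime`` rebinds the
    # name ``datetime`` to the module and ``datetime.utcnow()`` would then
    # raise AttributeError.
    import datetime as _datetime

    with open('private_key.pem', 'rb') as key_file:
        private_key = serialization.load_pem_private_key(
            key_file.read(),
            password=None,
            backend=default_backend()
        )

    # Placeholder subject values; replace them for real use.
    subject = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "CN"),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Province"),
        x509.NameAttribute(NameOID.LOCALITY_NAME, "City"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Company"),
        x509.NameAttribute(NameOID.COMMON_NAME, "example.com")
    ])
    # Self-signed: the certificate names itself as its issuer.
    issuer = subject

    # Timezone-aware "now" in UTC; avoids the deprecated utcnow().
    valid_from = _datetime.datetime.now(_datetime.timezone.utc)
    valid_until = valid_from + _datetime.timedelta(days=365)

    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(private_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(valid_from)
        .not_valid_after(valid_until)
        # NOTE(review): ca=True with no path length marks this certificate
        # as able to issue further certificates without a depth limit. That
        # suits a demo root; a certificate meant to identify a server would
        # normally use ca=False and carry a SubjectAlternativeName, since
        # many clients no longer match host names against the common name.
        .add_extension(
            x509.BasicConstraints(ca=True, path_length=None),
            critical=True
        )
    )

    certificate = builder.sign(
        private_key=private_key,
        algorithm=hashes.SHA256(),
        backend=default_backend()
    )

    with open('self_signed_certificate.pem', 'wb') as f:
        f.write(certificate.public_bytes(serialization.Encoding.PEM))

    print("自签名证书生成成功,已保存到文件。")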
3. 证书验证代码
python
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
from cryptography.x509.oid import NameOID
import datetime
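def verify_certificate():
    """Check the self-signed certificate's validity window, signature and CN.

    Reads ``self_signed_certificate.pem`` and prints the outcome of each
    check, stopping at the first one that fails. Returns ``None``.

    The signature is checked against the public key embedded in the same
    certificate, so a pass shows only that the certificate is internally
    consistent. Anyone can produce a self-signed certificate that passes;
    trust has to come from comparing the certificate (or its key) with a
    copy obtained through a trusted channel.
    """
    import datetime as _datetime

    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives.asymmetric import padding

    with open('self_signed_certificate.pem', 'rb') as cert_file:
        certificate = x509.load_pem_x509_certificate(
            cert_file.read(),
            backend=default_backend()
        )

    # Signature verification needs only the public key, so the private key
    # file is deliberately not read here.

    # not_valid_before / not_valid_after are naive UTC datetimes, so compare
    # them against a naive UTC "now" taken once for both checks.
    # NOTE(review): newer cryptography releases offer timezone-aware
    # *_utc variants of these attributes - confirm against the installed
    # version before switching.
    now = _datetime.datetime.now(_datetime.timezone.utc).replace(tzinfo=None)
    if certificate.not_valid_before > now:
        print("证书未生效")
        return
    if certificate.not_valid_after < now:
        print("证书已过期")
        return

    public_key = certificate.public_key()
    # PKCS#1 v1.5 verification below applies to RSA keys only.
    if not isinstance(public_key, rsa.RSAPublicKey):
        print("证书签名验证失败")
        return
    try:
        # PKCS1v15 lives in the asymmetric ``padding`` module, not in x509.
        # The old ``x509.PKCS1v15()`` raised AttributeError, which a bare
        # ``except:`` turned into a verification failure on every run.
        public_key.verify(
            certificate.signature,
            certificate.tbs_certificate_bytes,
            padding.PKCS1v15(),
            certificate.signature_hash_algorithm
        )
    except InvalidSignature:
        # Only a genuine signature mismatch is reported as a failure; any
        # other exception is a programming error and is left to propagate.
        print("证书签名验证失败")
        return
    print("证书签名验证通过")

    # A subject without a common name counts as a mismatch rather than
    # raising IndexError.
    common_names = certificate.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if not common_names or common_names[0].value != "example.com":
        print("证书主体名称不匹配")
        return

    print("证书验证成功")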
4. 主函数调用示例
python
if __name__ == "__main__":
    # Run the demo end to end: key pair, then certificate, then checks.
    # Each step reads the files written by the one before it.
    for step in (
        generate_key_pair,
        create_self_signed_certificate,
        verify_certificate,
    ):
        step()
使用时,你可以将上述代码保存到一个.py文件中(例如pki_certificate_example.py),确保已经安装了cryptography库(可以通过pip install cryptography命令安装),然后在命令行中运行该 Python 文件(例如python pki_certificate_example.py),就可以看到相应的输出结果,依次完成密钥对生成、自签名证书创建以及证书验证的操作流程。



