cryptography 学习笔记

编程入门行业动态更新时间:2024-10-10 01:23:39

cryptography <a href=https://www.elefans.com/category/jswz/34/1770117.html style= 学习笔记"/>

cryptography 学习笔记

cryptography 学习笔记，通过简单的学习喜欢上了这个库。

使用 cryptography 生成私钥、 CSR，并通过私钥对CSR进行签名。

from os import pathfrom cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
from cryptography.hazmat.primitives.serialization import load_pem_private_key
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes# 私钥文件地址
private_key_file = './key.pem'
# 私钥密码
password = b"passphrase"def generate_private_key() -> RSAPrivateKey:"""生成私钥:return: 私钥"""# Generate our keykey = rsa.generate_private_key(public_exponent=65537,key_size=2048,)# Write our key to disk for safe keepingwith open(private_key_file, "wb") as f:f.write(key.private_bytes(encoding=serialization.Encoding.PEM,format=serialization.PrivateFormat.TraditionalOpenSSL,encryption_algorithm=serialization.BestAvailableEncryption(b"passphrase"),))return keydef sign_csr(key: RSAPrivateKey) -> str:"""对csr进行签名:param key: 私钥:return: 签名后的CSR"""# Generate a CSRcsr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([# Provide various details about who we are.x509.NameAttribute(NameOID.COUNTRY_NAME, u"CN"),x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Hubei"),x509.NameAttribute(NameOID.LOCALITY_NAME, u"Wuhan"),x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Wuhan Test Cloud Information Technology Co., Ltd. "),x509.NameAttribute(NameOID.COMMON_NAME, u"*.test"),])).add_extension(x509.SubjectAlternativeName([# Describe what sites we want this certificate for.x509.DNSName(u"test"),x509.DNSName(u"*.test"),]),critical=False,# Sign the CSR with our private key.).sign(key, hashes.SHA256())# Write our CSR out to disk.cert_csr: bytes = csr.public_bytes(serialization.Encoding.PEM)# with open("./csr.pem", "wb") as f:#     f.write(certificate_csr)return cert_csr.decode('utf-8')# 私钥数据
if path.exists(private_key_file):private_key_file = open(private_key_file, 'r')private_key = load_pem_private_key(private_key_file.read().encode(), password)
else:private_key = our_generate_private_key()
certificate_csr = sign_csr(private_key).replace('\n', '')
print(certificate_csr)

结合前面的代码，自动生气ZeroSSL证书：

import osimport requests
import json
from urllib3.exceptions import InsecureRequestWarning
from pathlib import Path
import time
import shutil
import glob
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
from cryptography.hazmat.primitives.serialization import load_pem_private_key
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes# Suppress https warning (Burp)
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)class SSLCertReNew(object):def __init__(self):self.url = ''# for testing purposes with Burp# self.proxies = { 'http' : 'http://127.0.0.1:8080', 'https' : 'http://127.0.0.1:8080' }self.proxies = Noneself.apiKey = 'API_KEY_HERE'  # .certificateDomain = 'example.me'self.private_key = self.our_generate_private_key()self.csr = self.create_csr().replace('\n', '')self.certHash = Noneself.HttpsUrl = Noneself.HttpsContent = None# run stepsself.initial_request()self.verification_methods()if self.status == 0:time.sleep(10)else:self.download_and_save()def our_generate_private_key(self) -> RSAPrivateKey:"""生成私钥:return: 私钥"""# Generate our keykey = rsa.generate_private_key(public_exponent=65537,key_size=2048,)# Write our key to disk for safe keeping# with open(private_key_file, "wb") as f:#     f.write(key.private_bytes(#         encoding=serialization.Encoding.PEM,#         format=serialization.PrivateFormat.TraditionalOpenSSL,#         encryption_algorithm=serialization.BestAvailableEncryption(b"passphrase"),#     ))return keydef create_csr(self) -> str:"""对csr进行签名:return: 签名后的CSR"""# Generate a CSRcsr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([# Provide various details about who we are.x509.NameAttribute(NameOID.COUNTRY_NAME, u"CN"),x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Hubei"),x509.NameAttribute(NameOID.LOCALITY_NAME, u"wuhan"),x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Test Cloud Information Technology Co., Ltd. "),x509.NameAttribute(NameOID.COMMON_NAME, u"example.me"),])).add_extension(x509.SubjectAlternativeName([# Describe what sites we want this certificate for.x509.DNSName(u"example.me"),x509.DNSName(u"test.example.me"),]),critical=False,# Sign the CSR with our private key.).sign(self.private_key, hashes.SHA256())# Write our CSR out to disk.cert_csr: bytes = csr.public_bytes(serialization.Encoding.PEM)# with open("./csr.pem", "wb") as f:#     f.write(certificate_csr)return cert_csr.decode('utf-8')def initial_request(self):response = requests.post(self.url + f'/certificates?access_key={self.apiKey}',proxies=self.proxies,data={'certificate_domains': self.certificateDomain,'certificate_validity_days': 90,  # 证书有效期 90 天'certificate_csr': self.csr})result = json.loads(response.text)self.certHash = result['id']# url from jsonself.HttpsUrl = result['validation']['other_methods'][f'{self.certificateDomain}']['file_validation_url_https']self.HttpsContent = result['validation']['other_methods'][f'{self.certificateDomain}']['file_validation_content']self.dirOne = self.HttpsUrl.split('/')[-3]self.dirTwo = self.HttpsUrl.split('/')[-2]self.fileName = self.HttpsUrl.split('/')[-1]# create directoriesPath(f'/var/www/{self.certificateDomain}/{self.dirOne}/{self.dirTwo}').mkdir(parents=True, exist_ok=True)# save file# convert array into string with newlinestring = '\n'.join(result['validation']['other_methods'][f'{self.certificateDomain}']['file_validation_content'])f = open(f'/var/www/{self.certificateDomain}/{self.dirOne}/{self.dirTwo}/{self.fileName}', 'w')f.write(string)f.close()def verification_methods(self):response = requests.post(self.url + f'/certificates/{self.certHash}/challenges?access_key={self.apiKey}',proxies=self.proxies, data={'validation_method': 'HTTPS_CSR_HASH'})def verification_status(self):response = requests.post(self.url + f'/certificates/{self.certHash}/status?access_key={self.apiKey}',proxies=self.proxies)result = json.loads(response.text)self.status = result['validation_completed']def download_and_save(self):response = requests.get(self.url + f'/certificates/{self.certHash}/download/return?access_key={self.apiKey}',verify=False)result = json.loads(response.text)ca_bundle = result['ca_bundle.crt']cert = result['certificate.crt']f = open(f'/etc/apache2/ssl/{self.certificateDomain}_cert.pem', 'w+')f.write(cert)f.close()f = open(f'/etc/apache2/ssl/{self.certificateDomain}_ca.pem', 'w+')f.write(ca_bundle)f.close()# move private keyshutil.move(f'{self.certificateDomain}_key.pem', f'/etc/apache2/ssl/{self.certificateDomain}_key.pem')# delete files in /var/www/site/.wellknown/pki-verificationfiles = glob.glob(f'/var/www/{self.certificateDomain}/{self.dirOne}/{self.dirTwo}/*')for f in files:os.remove(f)obj = SSLCertReNew()