我编写了一个Python代码来使用加密库生成证书链。它涉及三个证书:根证书、中间证书和叶证书。根证书是自签名证书,中间证书由根私钥签名,叶证书由中间私钥签名。目前,当尝试使用 OpenSSL 验证签名时,根证书和中间证书的签名已成功验证。但是,叶证书的验证失败,并出现以下错误。 1 深度查找时出现错误 2:无法获取颁发者证书错误验证失败。 下面是我用来生成证书的代码。 请帮我找出问题所在。
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
import datetime
# --------------------------------------------------------------------------------------
#rootcert
root_private_key = ec.generate_private_key(ec.SECP256R1(), default_backend())
root_subject = root_issuer = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u"RootCert")
])
builder = x509.CertificateBuilder().subject_name(
root_subject
).issuer_name(
root_issuer
).public_key(
root_private_key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.datetime.now()
).not_valid_after(
datetime.datetime.now() + datetime.timedelta(days=365)
).add_extension(
x509.BasicConstraints(ca=True, path_length=None), critical=True
).add_extension(
x509.SubjectKeyIdentifier.from_public_key(root_private_key.public_key()), critical=False
).add_extension(
x509.AuthorityKeyIdentifier.from_issuer_public_key(root_private_key.public_key()), critical=False
)
cert = builder.sign(
root_private_key,
algorithm=hashes.SHA256(),
backend=default_backend()
)
der_cert = cert.public_bytes(encoding=serialization.Encoding.DER)
with open("rootcert.der", "wb") as der_file:
der_file.write(der_cert)
# --------------------------------------------------------------------------------------
#IntermediateCert
device_private_key = ec.generate_private_key(ec.SECP256R1(), default_backend())
device_subject = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u"IntermediateCert")])
device_issuer = root_issuer
builder = x509.CertificateBuilder().subject_name(
device_subject
).issuer_name(
device_issuer
).public_key(
device_private_key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.datetime.now()
).not_valid_after(
datetime.datetime.now() + datetime.timedelta(days=365)
).add_extension(
x509.BasicConstraints(ca=True, path_length=None), critical=True
).add_extension(
x509.SubjectKeyIdentifier.from_public_key(device_private_key.public_key()), critical=False
).add_extension(
x509.AuthorityKeyIdentifier.from_issuer_public_key(root_private_key.public_key()), critical=False
)
cert = builder.sign(
root_private_key,
algorithm=hashes.SHA256(),
backend=default_backend()
)
der_cert = cert.public_bytes(encoding=serialization.Encoding.DER)
with open("IntermediateCert.der", "wb") as der_file:
der_file.write(der_cert)
# --------------------------------------------------------------------------------------
#childcert
child_private_key = ec.generate_private_key(ec.SECP256R1(), default_backend())
child_subject = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u"ChildCert")])
child_issuer = device_subject
builder = x509.CertificateBuilder().subject_name(
child_subject
).issuer_name(
child_issuer
).public_key(
child_private_key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.datetime.now()
).not_valid_after(
datetime.datetime.now() + datetime.timedelta(days=365)
).add_extension(
x509.BasicConstraints(ca=False, path_length=None), critical=True
).add_extension(
x509.SubjectKeyIdentifier.from_public_key(child_private_key.public_key()), critical=False
).add_extension(
x509.AuthorityKeyIdentifier.from_issuer_public_key(device_private_key.public_key()), critical=False
)
cert = builder.sign(
device_private_key,
algorithm=hashes.SHA256(),
backend=default_backend()
)
der_cert = cert.public_bytes(encoding=serialization.Encoding.DER)
with open("childcert.der", "wb") as der_file:
der_file.write(der_cert)
代码没有任何问题。我使用了错误的 openssl 命令来验证证书链。 正确使用的命令是
openssl verify -CAfile root.pem -untrusted inter.pem child.pem
。我以前没有使用 -untrusted 选项。有关 -untrusted 的更多解释可以在本期这里找到