在 Azure ML 笔记本中,我尝试提取存储在 Azure Key Vault 中的证书 (.pfx),然后使用该证书对 CyberArk Web 服务进行身份验证以检索用户名和密码。
我成功地从 Azure Key Vault 中提取了证书,并把它拆分为证书和私钥,但在向 CyberArk 发出 Web 请求时遇到了问题。具体来说,它返回错误“无法获取本地颁发者证书”(unable to get local issuer certificate)。
我的代码如下:
from requests import Session
import certifi
import base64
import tempfile
import os
from azure.identity import DefaultAzureCredential,AzureCliCredential
from azure.keyvault.secrets import SecretClient
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.hazmat.primitives import serialization
#credential = DefaultAzureCredential()
# Authenticate to Key Vault with the identity currently logged in to the Azure CLI.
credential = AzureCliCredential()
secret_client = SecretClient(vault_url="https://xxxxxxxxx.vault.azure.net/", credential=credential)
# The .pfx is read through the *secrets* API: the secret value is the base64-encoded
# PKCS#12 blob, decoded below. The 'xxx…' values are placeholders for the real names.
certificate = secret_client.get_secret("xxxxxxxx")
URL = 'https://xxxxxxxxx/AIMWebService/api/Accounts?AppID=xxxxxx&Query=Safe=xxxxxx;Object=xxxxxxx'
headers = {'Content-Type': 'application/json'}  # defined but never passed to session.get()
cert_bytes = base64.b64decode(certificate.value)
# Split the PKCS#12 bundle into the client key, the client certificate and the
# remaining certificates (the issuer chain). password=None assumes an unprotected blob.
private_key, public_certificate, additional_certificates = serialization.pkcs12.load_key_and_certificates(
data=cert_bytes,
password=None
)
# delete=False so requests can open the files by name. Nothing below removes them,
# so the unencrypted private key remains on disk after this cell finishes.
key = tempfile.NamedTemporaryFile(dir="xxxxxxx",delete=False)
cert = tempfile.NamedTemporaryFile(dir="xxxxxxxx",delete=False)
key.write(
private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
# NoEncryption because requests cannot read a passphrase-protected key file.
encryption_algorithm=serialization.NoEncryption(),
)
)
key.flush()
cert.write(
public_certificate.public_bytes(serialization.Encoding.PEM),
)
cert.flush()
session = Session()
# Client identity for mutual TLS: (certificate PEM path, key PEM path).
session.cert = (cert.name, key.name)
# session.verify is left at its default, so the server chain is checked against the
# default CA bundle only; additional_certificates (the issuer chain) is never used here.
response = session.get(URL)
print(response)
`
我不太确定问题出在哪里,但我认为这与通常位于 cacerts 或 Windows 证书存储中、用于验证的受信任颁发者证书有关,只是我不确定在 Azure 中使用证书时这一切该如何处理。
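# Typo fixed: the module imported above is `certifi`. certifi.where() is the bundled
# public CA store; a privately issued server certificate is not in it, so this alone
# does not resolve the error.
response = session.get(URL,verify=certifi.where())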
我尝试用 certifi 的 CA 证书包进行验证,但发送请求时仍然遇到相同的错误。我能够从返回的 .pfx 中提取附加证书列表,但找不到一种方法把这个证书列表转换成可以通过 requests 的 verify 参数传入的 .pem 文件。
# Same PKCS#12 split as above; the third element is the issuer chain from which
# the verification PEM has to be built.
private_key, public_certificate, additional_certificates = pkcs12.load_key_and_certificates(
    cert_bytes, None
)
在 Azure ML 笔记本中,我必须对 Azure Key Vault 身份验证做几处更改;在把 session.verify 指向从 .pfx 中提取的附加(颁发者)证书之后,我终于能够完成身份验证。
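from requests import Session
import base64
import contextlib
import tempfile
import os
from azure.identity import DefaultAzureCredential,AzureCliCredential,ClientSecretCredential
from azure.keyvault.secrets import SecretClient
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.hazmat.primitives import serialization

# Ambient Azure identity (managed identity in Azure ML, CLI login, env vars, ...).
credential = DefaultAzureCredential()
secret_client = SecretClient(vault_url="https://xxxxxxx.vault.azure.net/", credential=credential)
# A Key Vault certificate's private half is exposed through the secrets API as a
# base64-encoded PKCS#12 (.pfx) blob; here it carries no password.
certificate = secret_client.get_secret("xxxxxxx")
URL = 'xxxxxxx'
cert_bytes = base64.b64decode(certificate.value)
# Split the bundle into the client key, the client certificate and the issuer chain.
private_key, public_certificate, additional_certificates = serialization.pkcs12.load_key_and_certificates(
    data=cert_bytes,
    password=None,
)
if private_key is None or public_certificate is None:
    raise RuntimeError("PKCS#12 blob does not contain both a private key and a certificate")
if not additional_certificates:
    # Without the issuer chain there is nothing to verify the CyberArk server against.
    raise RuntimeError("PKCS#12 blob carries no issuer certificates for session.verify")


def _write_pem(handle, pem: bytes) -> str:
    """Write *pem* to the open temp file *handle*, close it and return its path."""
    handle.write(pem)
    handle.close()
    return handle.name


# delete=False because requests opens these files by path; the finally block removes
# them even when the request raises. NamedTemporaryFile creates them readable only by
# the current user.
key = tempfile.NamedTemporaryFile(delete=False)
cert = tempfile.NamedTemporaryFile(delete=False)
issuer = tempfile.NamedTemporaryFile(delete=False)
try:
    key_path = _write_pem(key, private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        # requests cannot use a passphrase-protected key file.
        encryption_algorithm=serialization.NoEncryption(),
    ))
    cert_path = _write_pem(cert, public_certificate.public_bytes(serialization.Encoding.PEM))
    # Bundle the whole chain, not just [0] and [1]: no IndexError on a shorter chain
    # and nothing dropped from a longer one.
    chain_pem = b"".join(
        extra.public_bytes(serialization.Encoding.PEM) for extra in additional_certificates
    )
    issuer_path = _write_pem(issuer, chain_pem)

    with Session() as session:
        session.cert = (cert_path, key_path)  # mutual-TLS client identity
        # Trust only the chain shipped in the .pfx for this session; the default CA
        # bundle is not consulted. This is what resolved the "unable to get local
        # issuer" error from the question.
        session.verify = issuer_path
        response = session.get(URL)
        response.raise_for_status()
        # The body carries the retrieved account credential; keep it in a variable for
        # later cells instead of printing it into the notebook output/log.
        account = response.json()
        print(response.status_code)
finally:
    for handle in (key, cert, issuer):
        handle.close()
        with contextlib.suppress(FileNotFoundError):
            os.remove(handle.name)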