如何在Scrapy中使用SSL客户端证书(p12)? [英] How to use ssl client certificate (p12) with Scrapy?

问题描述

我需要使用格式为 p12 (PKCS12)的客户端证书文件来与scrapy进行网络服务器交谈，有没有办法做到这一点?

I need to use client certificate file in format p12(PKCS12) to talk to a webserver with scrapy, is there a way to do that ?

推荐答案

在这里我无法为您提供经过测试且完整的解决方案，但是我知道在一些地方可能会进行一些调整以满足您的需求.

I can't offer you a tested and complete solution here, but I know a few places where some adjustments might give you what you need.

起点是scrapy的 ContextFactory 对象，该对象定义了SSL/TLS配置.标准实现 ScrapyClientContextFactory 不使用客户端证书，也不执行任何服务器证书验证，它仅接受任何证书.(更多详细信息)

The starting point is scrapy's ContextFactory object which defines the SSL/TLS configuration. The standard implementation ScrapyClientContextFactory doesn't use client certificates and also doesn't do any server certificate verification, it just accepts any certificate. (More details)

查看源代码，但是您看到替代的 BrowserLikeContextFactory 正在创建 optionsForClientTLS 对象.

When looking into the source code however you see the alternative BrowserLikeContextFactory is creating an optionsForClientTLS object.

此对象还可以使用 clientCertificate 参数来对服务器进行身份验证.(详细信息)

This object can also take a clientCertificate parameter to authenticate to the server. (Details)

因此从理论上讲，您需要继承 BrowserLikeContextFactory 的子类，在其中编写您自己的 creatorForNetloc 方法，并使其创建也具有 optionsForClientTLS 的方法> clientCertificate

So in theory you need to subclass BrowserLikeContextFactory, write there your own creatorForNetloc method and make it create optionsForClientTLS that also have a clientCertificate

要点:

@implementer(IPolicyForHTTPS)
class ClientCertContextFactory(BrowserLikeContextFactory):

    def creatorForNetloc(self, hostname, port):
        with open('yourcert.pem') as keyAndCert:
            myClientCert = twisted.internet.ssl.PrivateCertificate.load(keyAndCert.read())
        return optionsForClientTLS(hostname.decode("ascii"),
                                   trustRoot=platformTrust(),
                                   clientCertificate=myClientCert,
                                   extraCertificateOptions={
                                        'method': self._ssl_method,
                                   })

在 settings.py 中激活上下文工厂:

DOWNLOADER_CLIENTCONTEXTFACTORY = 'your.package.ClientCertContextFactory'

根据文档 twisted.internet.ssl.PrivateCertificate 只能加载pem或asn.1格式的密钥，这意味着您必须将密钥转换为pem格式:

According to the docs twisted.internet.ssl.PrivateCertificate can only load pem or asn.1 format keys, means you will have to convert your key into pem format:

openssl pkcs12 -in client_ssl.pfx -out client_ssl.pem -clcerts

(从借用openssl将pfx转换为pem )

更新转换为p12格式的PKCS12文件:

Update Conversion for PKCS12 files in p12 format:

openssl pkcs12 -in client_cert.p12 -out client_cert.pem -clcerts

这篇关于如何在Scrapy中使用SSL客户端证书(p12)?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！