How to use SSL client certificate (p12) with Scrapy?
Problem description
I need to use a client certificate file in format p12 (PKCS12) to talk to a webserver with Scrapy, is there a way to do that?
Recommended answer
I can't offer you a tested and complete solution here, but I know a few places where some adjustments might give you what you need.
The starting point is scrapy's ContextFactory object which defines the SSL/TLS configuration. The standard implementation ScrapyClientContextFactory doesn't use client certificates and also doesn't do any server certificate verification, it just accepts any certificate. (More details)
When looking into the source code however you see the alternative BrowserLikeContextFactory is creating an optionsForClientTLS object.
This object can also take a clientCertificate parameter to authenticate to the server. (Details)
So in theory you need to subclass BrowserLikeContextFactory, write there your own creatorForNetloc method and make it create optionsForClientTLS that also have a clientCertificate.
The gist:
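from scrapy.core.downloader.contextfactory import BrowserLikeContextFactory
from twisted.internet.ssl import PrivateCertificate, optionsForClientTLS, platformTrust
from twisted.web.iweb import IPolicyForHTTPS
from zope.interface import implementer


@implementer(IPolicyForHTTPS)
class ClientCertContextFactory(BrowserLikeContextFactory):
    def creatorForNetloc(self, hostname, port):
        # The PEM file must hold both the client certificate and its private key.
        with open('yourcert.pem') as keyAndCert:
            # loadPEM reads the certificate and the key from the same PEM data.
            myClientCert = PrivateCertificate.loadPEM(keyAndCert.read())
        # platformTrust() verifies the server against the platform's root CAs.
        return optionsForClientTLS(hostname.decode("ascii"),
                                   trustRoot=platformTrust(),
                                   clientCertificate=myClientCert,
                                   extraCertificateOptions={
                                       'method': self._ssl_method,
                                   })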
Activate the context factory in settings.py:
DOWNLOADER_CLIENTCONTEXTFACTORY = 'your.package.ClientCertContextFactory'
According to the docs twisted.internet.ssl.PrivateCertificate can only load pem or asn.1 format keys, which means you will have to convert your key into pem format:
openssl pkcs12 -in client_ssl.pfx -out client_ssl.pem -clcerts
Update: Conversion for PKCS12 files in p12 format:
openssl pkcs12 -in client_cert.p12 -out client_cert.pem -clcerts
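
As an added example (not part of the original answer, and not Scrapy's or Twisted's own code): instead of writing a PEM file with openssl, the .p12 can be unpacked in memory and the resulting bytes handed to PrivateCertificate.loadPEM inside creatorForNetloc, so the decrypted key never lands on disk. It assumes the third-party cryptography package; p12_to_pem and make_sample_p12 are hypothetical names, and the sample bundle and password are constructed for the demonstration.

```python
"""Added example: turn a .p12 bundle into PEM in memory (requires `cryptography`)."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import (
    BestAvailableEncryption, Encoding, NoEncryption, PrivateFormat, pkcs12)
from cryptography.x509.oid import NameOID


def p12_to_pem(p12_bytes, password):
    """Return b"<cert PEM><key PEM>" for the client cert in a PKCS#12 bundle.

    Raises ValueError on a wrong password or a bundle lacking key or cert.
    """
    key, cert, _extra_cas = pkcs12.load_key_and_certificates(p12_bytes, password)
    if key is None or cert is None:
        raise ValueError("PKCS#12 bundle has no private key / client certificate")
    # The key is serialized unencrypted, so keep the result in memory only.
    key_pem = key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption())
    return cert.public_bytes(Encoding.PEM) + key_pem


def make_sample_p12(password):
    """Constructed test input: throwaway self-signed cert + EC key as .p12."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "sample-client")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=1))
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))
    return pkcs12.serialize_key_and_certificates(
        b"sample", key, cert, None, BestAvailableEncryption(password))


if __name__ == "__main__":
    # Constructed password; a real one would come from a secret store or env var.
    pem = p12_to_pem(make_sample_p12(b"constructed-pw"), b"constructed-pw")
    print(pem.decode("ascii").splitlines()[0])
    # In creatorForNetloc this replaces the file read:
    #     myClientCert = PrivateCertificate.loadPEM(pem)
```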