Providing SSL Connections in Python using PKCS#11


Problem description

I have to implement a Python based web server on a Linux based firmware for an embedded system component:

import http.server

class WebServer(http.server.HTTPServer):
    ...
    ...

To enable SSL connections, an SSL context is created within the server by

import ssl

# TLS 1.2 only; certificate and private key are read from plain files on disk
self.ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
self.ssl_context.load_cert_chain(certfile=cert, keyfile=key)
# require and verify a client certificate (mutual TLS) against verifyCert
self.ssl_context.verify_mode = ssl.CERT_REQUIRED
self.ssl_context.load_verify_locations(verifyCert)

Note: cert is a file path to the certificate, keyfile is the path to the private key.

Upon a request the method get_request is called:

def get_request(self):
    request = self.socket.accept()
    if self.ssl_context:
        req_socket, addr = request
        # wrap the accepted TCP socket; the TLS handshake then runs inside the Python process
        connstream = self.ssl_context.wrap_socket(req_socket, server_side=True)
        return connstream, addr
    else:
        return request

The wrap_socket method is used to wrap the original socket into an SSL socket, which is returned instead. That is all it takes to provide an SSL connection.

Now the problem is:

The solution is a first implementation and not secure. We are obliged to use a given hardware security module (HSM) to create and store certificates and private keys. Any private keys are completely hidden and will never leave the module. All cryptographic primitives have to be executed directly within the module. The interface to the HSM is PKCS#11, for which a vendor-supplied dynamic middleware library exists.

How can I use the module instead of the original ssl for setup of the ssl context under Python? I know already that ssl is based on OpenSSL, for which a PKCS#11 engine exists (library opensc-pkcs11.so). The middleware from the vendor provides the PKCS#11 API.

Unfortunately, I have no idea how the PKCS#11 engine is to be integrated into Python's ssl/OpenSSL and how to tie all things together. Is it even possible to transparently use PKCS#11 instead of the native implementation, and if yes, how do I activate it from Python? Moreover, how would I have to pass the arguments "certfile" and "keyfile", because both are not available anymore as plain files? In fact I have no direct access to the private key; there are only URL-based references to objects within the HSM that are used to operate on it.

Can PyKCS11 be a solution instead of ssl?

I just need to know the basic path to solving such problem. I can find all the details on my own.

Recommended answer

It's not recommended to do this TLS stuff in the web server with Python. It's better to do it using nginx or apache. They both support a PKCS#11 SSL context and are fast at negotiating SSL since they are written in C.

So to proceed:

  • Stay on HTTP (not secure) on the Python side
  • Install nginx or apache
  • Configure it for HTTPS:
  1. Use a pkcs#11 SSL certificate/key (pkcs#11 URI to your HSM)
  2. Reverse-proxy it to your HTTP (not secure) Python web server.
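
As an added example (not part of the original answer), here is a minimal nginx plus OpenSSL engine configuration that implements the layout the answer recommends. The engine is the OpenSC/libp11 "pkcs11" engine for OpenSSL (engine_pkcs11), which nginx loads through OpenSSL's configuration file and which in turn loads the vendor's PKCS#11 middleware. Only the private key stays in the HSM; the certificate is public and is exported once to a PEM file, because nginx's ssl_certificate directive reads files, while ssl_certificate_key accepts an engine reference. All paths, the token label hsm0, the key object label web-key, the client CA bundle, the server name and the backend port 8080 are assumptions to be replaced with your own values.

```nginx
# Part 1: OpenSSL configuration, e.g. /etc/ssl/openssl.cnf or a file named by
# OPENSSL_CONF in nginx's environment. Shown here as comments because it is a
# separate file in OpenSSL's own .cnf syntax. Paths are assumptions.
#
#   openssl_conf = openssl_init
#
#   [openssl_init]
#   engines = engine_section
#
#   [engine_section]
#   pkcs11 = pkcs11_section
#
#   [pkcs11_section]
#   engine_id    = pkcs11
#   dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so   # engine_pkcs11 (libp11/OpenSC)
#   MODULE_PATH  = /opt/hsm/lib/libvendor-pkcs11.so                  # vendor PKCS#11 middleware
#   init = 0

# Part 2: nginx server block, e.g. /etc/nginx/conf.d/webserver.conf
server {
    listen 443 ssl;
    server_name device.local;            # assumption

    ssl_protocols TLSv1.2 TLSv1.3;

    # The certificate is public data: exported once from the HSM to a PEM file.
    ssl_certificate /etc/nginx/server-cert.pem;

    # The private key never leaves the HSM. "engine:<engine name>:<key id>":
    # nginx hands the PKCS#11 URI to the OpenSSL engine named "pkcs11" and the
    # handshake signature is computed inside the module. The PIN may be given
    # as pin-value=... in the URI or PIN=... in the engine section; keep it out
    # of world-readable files either way.
    ssl_certificate_key "engine:pkcs11:pkcs11:token=hsm0;object=web-key;type=private";

    # Mutual TLS: the nginx equivalent of ssl.CERT_REQUIRED plus
    # load_verify_locations(verifyCert) in the question.
    ssl_client_certificate /etc/nginx/client-ca.pem;
    ssl_verify_client on;

    location / {
        # Plain HTTP to the Python server, loopback only, never on the network.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        # Hand the client-certificate result to the Python side so it can
        # authorise on it ($ssl_client_verify is SUCCESS, NONE or FAILED:...).
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
    }
}
```

Two things to check on the Python side: bind the HTTPServer to 127.0.0.1 only (for example WebServer(("127.0.0.1", 8080), Handler)), so the unencrypted hop never leaves the device, and treat the X-SSL-Client-* headers as trustworthy only because nothing except nginx can reach that port. On the nginx side, the worker user needs access to the HSM device or its daemon socket, and because OpenSSL 3 has deprecated the engine API, confirm that the OpenSSL your nginx is linked against still loads engines (the pkcs11-provider project is the provider-based successor to engine_pkcs11).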
