How to extract keys from pfx file using OpenSSL in Python?


Problem description

I need to sign an xml with the certificate and key from a pfx file.

In other words, I have a pfx file, from where I need to extract the pem and key to sign my xml.

I've found this script to extract the pem and key from the pfx, but it is giving me an error:

import OpenSSL.crypto


pfx_path = 'D:\\facturacion_electronica\\cetificado_prueba\\llama.pfx'


pfx_password = 'caballo123'

def load_public_key(pfx_path, pfx_password):
        ''' Read the public key and return as PEM encoded '''

        # print('Opening:', pfx_path)
        with open(pfx_path, 'rb') as f:
                pfx_data = f.read()

        # print('Loading PFX contents:')
        pfx = OpenSSL.crypto.load_pkcs12(pfx_data, pfx_password)

        public_key = OpenSSL.crypto.dump_publickey(
                OpenSSL.crypto.FILETYPE_PEM,
                p12.get_certificate().get_pubkey())

        print(public_key)

        return public_key


load_public_key(pfx_path, pfx_password)

Error:

python openssl.py
openssl.py:17: DeprecationWarning: str for passphrase is no longer accepted, use bytes
  pfx = OpenSSL.crypto.load_pkcs12(pfx_data, pfx_password)
Traceback (most recent call last):
  File "openssl.py", line 28, in <module>
    load_public_key(pfx_path, pfx_password)
  File "openssl.py", line 21, in load_public_key
    p12.get_certificate().get_pubkey())
NameError: name 'p12' is not defined

After extracting the pem and key, I will use them to sign the XML:

from lxml import etree
from signxml import XMLSigner, XMLVerifier

passwd = 'caballo123'
cd = 'D:\\facturacion_electronica\\cetificado_prueba\\'


data_to_sign = "<Test/>"
cert = open("example.pem").read()
key = open("example.key").read()
root = etree.fromstring(data_to_sign)
signed_root = XMLSigner().sign(root, key=key, cert=cert)
verified_data = XMLVerifier().verify(signed_root).signed_xml

Recommended answer

I've found the answer on John Hanley's personal page:

https://www.jhanley.com/google-cloud-extracting-private-key-from-service-account-p12-credentials/

    import OpenSSL.crypto
    import os

    pfx_cert = 'D:\\facturacion_electronica\\cetificado_prueba\\llama.pfx'
    pfx_password = b'caballo123'

    ###########################################################    
    # Version 1.00
    # Date Created: 2018-12-21
    # Last Update:  2018-12-21
    # https://www.jhanley.com
    # Copyright (c) 2018, John J. Hanley
    # Author: John Hanley
    ###########################################################

    # Convert a Google P12 (PFX) service account into private key and certificate.
    # Convert an SSL Certificate (PFX) into private key, certificate and CAs.

    def write_CAs(filename, p12):
        # Write the Certificate Authorities, if any, to filename

        if os.path.exists(filename):
            os.remove(filename)

        ca = p12.get_ca_certificates()

        if ca is None:
            return

        print('Creating Certificate CA File:', filename)

        with open(filename, 'wb') as f:
            for cert in ca:
                f.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, cert))

    def pfx_to_pem(pfx_path, pfx_password, pkey_path, pem_path, pem_ca_path):
        '''
        Decrypt the P12 (PFX) file and create a private key file and certificate file.

        Input:
            pfx_path    INPUT: This is the Google P12 file or SSL PFX certificate file
            pfx_password    INPUT: Password used to protect P12 (PFX)
            pkey_path   INPUT: File name to write the Private Key to
            pem_path    INPUT: File name to write the Certificate to
            pem_ca_path INPUT: File name to write the Certificate Authorities to
        '''

        print('Opening:', pfx_path)
        with open(pfx_path, 'rb') as f_pfx:
            pfx = f_pfx.read()

        print('Loading P12 (PFX) contents:')
        p12 = OpenSSL.crypto.load_pkcs12(pfx, pfx_password)

        print('Creating Private Key File:', pkey_path)
        with open(pkey_path, 'wb') as f:
            # Write Private Key
            f.write(OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, p12.get_privatekey()))

        print('Creating Certificate File:', pem_path)
        with open(pem_path, 'wb') as f:
            # Write Certificate
            f.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, p12.get_certificate()))

        # Google P12 does not have certificate authorities but SSL PFX certificates do
        write_CAs(pem_ca_path, p12)

    # Start here

    pfx_to_pem(
        pfx_cert,         # Google Service Account P12 file
        pfx_password,     # P12 file password
        'llama.key',      # Filename to write private key
        'llama_cert.pem', # Filename to write certificate
        'llama_ca.pem')   # Filename to write CAs if present
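
The same extraction with the `cryptography` package, as an added example that is not part of the original answer or of John Hanley's script (pyOpenSSL deprecated and later removed `load_pkcs12`). It returns the PEM data in memory and, when a key file is really needed, creates it owner-only instead of with default permissions. The names `extract_pfx`, `write_secret` and `make_sample_pfx` and the sample password are assumptions made for this example.

```python
import datetime
import os
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

PEM = serialization.Encoding.PEM

def extract_pfx(pfx_bytes, password):
    """Return (key_pem, cert_pem, [ca_pem, ...]); password must be bytes."""
    key, cert, cas = pkcs12.load_key_and_certificates(pfx_bytes, password)
    if key is None or cert is None:
        raise ValueError("PFX holds no private key or no certificate")
    key_pem = key.private_bytes(PEM, serialization.PrivateFormat.PKCS8,
                                serialization.NoEncryption())
    return key_pem, cert.public_bytes(PEM), [c.public_bytes(PEM) for c in cas]

def write_secret(path, data):
    """Create path with mode 0600 (POSIX); refuse to overwrite an existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def make_sample_pfx(password):
    """Constructed input: throwaway self-signed certificate packed as a PFX."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.invalid")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name)
            .issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))
    return pkcs12.serialize_key_and_certificates(
        b"sample", key, cert, None,
        serialization.BestAvailableEncryption(password))

if __name__ == "__main__":
    pw = b"constructed-pw"  # constructed sample password
    key_pem, cert_pem, ca_pems = extract_pfx(make_sample_pfx(pw), pw)
    print(cert_pem.decode(), "CA certs:", len(ca_pems))
```

The question's signing code reads the PEM key and certificate from files and passes their contents to the signer; the values returned by `extract_pfx` are the same PEM data held in memory, so the unencrypted key only needs to reach disk if another tool requires a file.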
