cryptography.x509创建自签名证书和为server签名，验证签名时报错： `Certificate is missing required extension`

使用python模块cryptography.x509创建自签名证书和为server签名，验证签名时报错：
Certificate is missing required extension
应该添加什么必要的扩展呢？

生成证书代码：

# 使用自签名签发服务器签名
def generate_sign_sret():

    with open("csr.pem", "rb") as f:
        pem_req_data = f.read()
    server_csr = x509.load_pem_x509_csr(pem_req_data)
    with open("cert.pem", "rb") as f:
        ca_pem_req_data = f.read()
    ca_cert = x509.load_pem_x509_certificate(ca_pem_req_data)
    # 签发服务器证书
    server_cert = (
        x509.CertificateBuilder()
        # 服务器请求信息
        .subject_name(server_csr.subject)
        # 自签名证书
        .issuer_name(ca_cert.subject)
        .public_key(server_csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(datetime.now() - timedelta(days=1))
        # 有效期一年
        .not_valid_after(datetime.now() + timedelta(days=365))
        .add_extension(
            # x509.BasicConstraints(ca=False, path_length=None),
            x509.SubjectAlternativeName([x509.DNSName("cryptography.io")]),
            # critical=True,
            critical=False,
        )
        .add_extension(
            x509.BasicConstraints(ca=False, path_length=None),
            critical=True,
        )
        .add_extension(
            x509.KeyUsage(True, True, True, True, True, False, True, True, True),
            critical=True,
        )
        # 使用CA的私钥签发
        .sign(key, SHA256(), default_backend())
    )
    server_cert_bytes = server_cert.public_bytes(encoding=serialization.Encoding.PEM)
    with open("server_cert.pem", "wb") as f:
        f.write(server_cert_bytes)

验证函数：

# 验签
def verifyCert():
    with open("cert.pem", "rb") as f:
        ca_pem_req_data = f.read()
    ca_cert = x509.load_pem_x509_certificate(ca_pem_req_data)

    with open("server_cert.pem", "rb") as f:
        server_pem_req_data = f.read()
    server_cert = x509.load_pem_x509_certificate(server_pem_req_data)

    with open(certifi.where(), "rb") as pems:
        store = Store(x509.load_pem_x509_certificates(pems.read()))
    # 创建一个受信任的store
    trust_builder = PolicyBuilder().store(store)
    verifier = trust_builder.build_server_verifier(x509.DNSName("cryptography.io"))
    try:
        verifier.verify(server_cert, [server_cert, ca_cert])
        print("Server certificate is valid.")
    except Exception as e:
        print("Server certificate validation failed:", e)

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

2条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
码农阿豪@新空间代码工作室 Java领域优质创作者 2024-04-01 17:30
关注
让阿豪来帮你解答，本回答参考chatgpt3.5编写提供，如果还有疑问可以评论或留言
根据错误提示，应该添加Subject Key Identifier扩展，可以通过以下方式添加： .add_extension( x509.SubjectKeyIdentifier.from_public_key(server_cert.public_key()), critical=False, ) 修改后的代码如下：
使用自签名签发服务器签名

def generate_sign_sret(): with open("csr.pem", "rb") as f: pem_req_data = f.read() server_csr = x509.load_pem_x509_csr(pem_req_data) with open("cert.pem", "rb") as f: ca_pem_req_data = f.read() ca_cert = x509.load_pem_x509_certificate(ca_pem_req_data) # 签发服务器证书 server_cert = ( x509.CertificateBuilder() # 服务器请求信息 .subject_name(server_csr.subject) # 自签名证书 .issuer_name(ca_cert.subject) .public_key(server_csr.public_key()) .serial_number(x509.random_serial_number()) .not_valid_before(datetime.now() - timedelta(days=1)) # 有效期一年 .not_valid_after(datetime.now() + timedelta(days=365)) .add_extension( x509.SubjectAlternativeName([x509.DNSName("cryptography.io")]), critical=False, ) .add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True, ) .add_extension( x509.KeyUsage( digital_signature=True, content_commitment=False, key_encipherment=True, data_encipherment=True, key_agreement=True, key_cert_sign=False, crl_sign=True, encipher_only=True, decipher_only=True, ), critical=True, ) .add_extension( x509.SubjectKeyIdentifier.from_public_key(server_cert.public_key()), critical=False, ) # 使用CA的私钥签发 .sign(key, SHA256(), default_backend()) ) server_cert_bytes = server_cert.public_bytes(encoding=serialization.Encoding.PEM) with open("server_cert.pem", "wb") as f: f.write(server_cert_bytes)

验签

def verify_Cert(): with open("cert.pem", "rb") as f: ca_pem_req_data = f.read() ca_cert = x509.load_pem_x509_certificate(ca_pem_req_data) with open("server_cert.pem", "rb") as f: server_pem_req_data = f.read() server_cert = x509.load_pem_x509_certificate(server_pem_req_data) with open(certifi.where(), "rb") as pems: store = Store(x509.load_pem_x509_certificates(pems.read())) # 创建一个受信任的store trust_builder = PolicyBuilder().store(store) verifier = trust_builder.build_server_verifier(x509.DNSName("cryptography.io")) try: verifier.verify(server_cert, [server_cert, ca_cert]) print("Server certificate is valid.") except Exception as e: print("Server certificate validation failed:", e)

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

如何在Go中将x509.Certificate转换为tls.Certificate？
2015-12-10 01:32

回答 1 已采纳 A tls.Certificate often stores a certificate chain - in other words, > 1 certificate. Notice it
如何将* x 509.Certificate更改为字节数组
2018-03-31 11:05

回答 1 已采纳 Please find below the code snippet derPubKey, err := x509.MarshalPKIXPublicKey(&pKey.PublicKey)
C# Winform 自动安装p12 证书提示拒绝访问 c#
2017-05-12 07:26

回答 1 已采纳可以参考下面这个链接： [System.Security.Cryptography.CryptographicException](http://geekswithblogs.net/techn
最全编程开发常用单词词汇
2021-02-26 16:10

www.bajins.com的博客面向对象编程常用 JDK（Java development kit） java开发工具包常用 JVM（java virtual machine）虚拟机常用 classpath 类路径常用 Version 版本常用 author 作者常用 java 解释命令常用 ...
superset安装 python
2023-01-09 14:53

回答 6 已采纳 ModuleNotFoundError: No module named 'cryptography.hazmat.backends.openssl.x509' ModuleNotFoundErro
Golang证书验证 ssl
2017-12-09 23:01

回答 1 已采纳 You need to do two things: add the CA certificate on the server side as well, the CA needs to be
在Go中验证有效负载签名
2015-08-13 23:17

回答 2 已采纳 I tried running your code and it doesn't look like your ticket is well formed. It's not long enoug
Java Secure Socket Extension (JSSE) Reference Guide
2015-03-03 22:00

太阳火神的美丽人生的博客 Java Secure Socket Extension (JSSE) Reference Guide
C#已经添加了System.Security.Cryptography依然没有MD5类 c#
2017-02-14 06:53

回答 2 已采纳嗯，解决办法最后是在Xamarin工程中扩展了一个MD5和原生一样的类。。。。
无法使用Go X509 pkg解析ECDSA密钥
2019-03-20 08:17

回答 1 已采纳 add error check. func main() { blk, _ := pem.Decode([]byte(b)) key, err := x509.ParseECPr
python 安装 cryptography==2.8 报错 python
2023-02-15 14:09

回答 8 已采纳基于Monster 组和GPT的调写：在 Windows 上，你可以下载 OpenSSL for Windows 并安装。在 Linux 上，你可以使用你的发行版的包管理器安装 OpenSSL。设置环
Node.js v12.16.2 Documentation TLS (SSL)
2020-04-16 19:18

Bol5261的博客 CryptoStream cryptoStream.bytesWritten Class: SecurePair Event: 'secure' tls.createSecurePair([context][, isServer][, requestCert][, rejectUnauthorized][, options]) TLS (SSL) Stability: 2 - Stable ...
在Objective C中签名字符串并在PHP中验证 - 不起作用 ios objective-c php
2013-08-22 12:02

回答 2 已采纳 PHP openssl_sign computes a signature for the specified data by using SHA1 for hashing (PHP: opens
RFC2510文档: (CMP)>Internet X.509 Public Key Infrastructure Certificate Management Protocols
2006-12-26 16:53

vick6880的博客 Note that "certificate" in this document refers to an X.509v3 Certificate as defined in [COR95, X509-AM]. The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT", "RECOMMENDED", ...
PrestoOnYarn搭建及其问题解决方案总结
2021-12-08 14:25

qq_2368521029的博客 Presto搭建整合流程总结一、环境准备本次搭建内容是： presto on yarn + kerberos 整合本次presto集群搭建过程基于一下环境： hadoop版本: hadoop-2.7.3 ...Java HotSpot™ 64-Bit Server VM warning: C
TLS Support
2020-04-22 12:57

Bol5261的博客 Using tls-gen’s Basic Profile Below is an example that generates a CA and uses it to produce two certificate/key pairs, one for the server and another for clients. This is the setup that is expected...
Gerrit version 2.12.9 is now available
2018-11-09 19:28

「已注销」的博客 Gerrit version 2.12.9 is now available gerrit.war 历史版本下载各个版本的 gerrit.war 下载链接： https://blog.csdn.net/mmh19891113/article/details/81013994 gerrit-releases.storage.googleapis....
engine安装配置记录
2022-06-06 16:48

IT曙光的博客更新yum源为阿里镜像 [root@engine110 yum.repos.d]# dnf install wget -y CentOS-8 - AppStream 2.8 MB/s | 8.4 MB 00:03 CentOS-8 - Base 1.3 MB/s | 4.6 MB 00:03 CentOS-8 - Extras 6.4 kB/s | 10 kB 00:01 ...
Enabling SSL or TLS in Oracle E-Business Suite Release 12
2015-06-16 16:08

sunansheng的博客 The document is usually in a standard X509 format and contains three elements: Entity attributes (information about your organization) Public key (which is bound to your organization) Digital ...
没有解决我的问题, 去提问

问题事件

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
创建了问题 4月1日

悬赏问题

¥15 Opencv配置出错
¥15 模电中二极管，三极管和电容的应用
¥15 关于模型导入UNITY的.FBX: Check external application preferences.警告。
¥15 气象网格数据与卫星轨道数据如何匹配
¥100 java ee ssm项目悬赏，感兴趣直接联系我
¥15 微软账户问题不小心注销了好像
¥15 x264库中预测模式字IPM、运动向量差MVD、量化后的DCT系数的位置
¥15 curl 命令调用正常，程序调用报 java.net.ConnectException: connection refused
¥20 关于web前端如何播放二次加密m3u8视频的问题
¥15 使用百度地图api 位置函数报错？

cryptography.x509创建自签名证书和为server签名，验证签名时报错： `Certificate is missing required extension`

2条回答 默认 最新

使用自签名签发服务器签名

验签

问题事件

悬赏问题

2条回答默认最新