如何使用存储在python字符串变量中的证书打开ssl套接字

问题描述

在 Python 中，ssl.wrap_socket 可以从文件中读取证书，ssl.wrap_socket 需要证书作为文件路径.

In Python, ssl.wrap_socket can read certificates from files, ssl.wrap_socket require the certificate as a file path.

如何使用从字符串变量中读取的证书启动 SSL 连接?

How can I start an SSL connection using a certificate read from string variables?

我的主机环境不允许写入文件，并且临时文件模块不起作用
我使用的是 Python 2.7.
我将证书存储在 MySQL 中并作为字符串读取.

My host environment does not allow write to files, and tempfile module is not functional
I'm using Python 2.7.
I store the certificate inside MySQL and read as a string.

我放弃了，这基本上是需要用纯python代码实现ssl，这超出了我目前的知识范围.

I gave up, this is basically require implement ssl by pure python code, this is beyond my current knowledge.

推荐答案

看源码， ssl.wrap_socket 直接调用本机代码 (openssl) 函数 SSL_CTX_use_cert_chain_file ，它需要文件的路径，所以你想做什么做是不可能的.

Looking at the source, ssl.wrap_socket calls directly into the native code (openssl) function SSL_CTX_use_cert_chain_file which requires a path to a file, so what you are trying to do is not possible.

供参考:

在 ssl/init.py 中我们看到:

In ssl/init.py we see:

def wrap_socket(sock, keyfile=None, certfile=None,
                server_side=False, cert_reqs=CERT_NONE,
                ssl_version=PROTOCOL_SSLv23, ca_certs=None,
                do_handshake_on_connect=True):

    return SSLSocket(sock, keyfile=keyfile, certfile=certfile,
                   server_side=server_side, cert_reqs=cert_reqs,
                   ssl_version=ssl_version, ca_certs=ca_certs,
                   do_handshake_on_connect=do_handshake_on_connect)

将我们指向 SSLSocket 构造函数(在同一个文件中)，我们看到以下情况发生:

Points us to the SSLSocket constructor (which is in the same file) and we see the following happen:

self._sslobj = _ssl2.sslwrap(self._sock, server_side,
                                     keyfile, certfile,
                                     cert_reqs, ssl_version, ca_certs)

_ssl2 是用 C (_ssl2.c) 实现的

_ssl2 is implemented in C (_ssl2.c)

查看 sslwrap 函数，我们看到它正在创建一个新对象:

Looking at the sslwrap function, we see it's creating a new object:

    return (PyObject *) newPySSLObject(Sock, key_file, cert_file,
                                       server_side, verification_mode,
                                       protocol, cacerts_file);

查看该对象的构造函数，我们最终看到:

Looking at the constructor for that object, we eventually see:

            ret = SSL_CTX_use_certificate_chain_file(self->ctx,
                                                     cert_file);

那个函数是在 openssl 中定义的，所以现在我们需要切换到那个代码库.

That function is defined in openssl, so now we need to switch to that codebase.

在ssl/ssl_rsa.c中我们最终在函数中找到:

In ssl/ssl_rsa.c we eventually find in the function:

BIO_read_filename(in,file) 

如果你深入研究 BIO 代码(openssl 的一部分)，你最终会得到一个普通的 fopen():

If you dig far enough into the BIO code (part of openssl) you'll eventually come to a normal fopen():

fp=fopen(ptr,p);

所以它看起来像当前编写的那样.它必须位于可由 C 的 fopen() 打开的文件中.

So it looks like as it's currently written. It must be in a file openable by C's fopen().

此外，由于 python 的 ssl 库如此迅速地跳转到 C，我也没有在解决方法中看到一个立即明显的地方可以使用monkeypatch.

Also, since python's ssl library so quickly jumps into C, I don't see a immediately obvious place to monkeypatch in a workaround either.

这篇关于如何使用存储在python字符串变量中的证书打开ssl套接字的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，WP2