我正在尝试使用 M2Crypto 和 urllib2 与受 CAC(智能卡)保护的网站进行通信。经过一些研究,我的理解是我需要提供卡中的客户端证书和私钥,以及我从网上下载的 CA 证书。我不知道自己是否遗漏了某个步骤;目前无法建立经过正确身份验证的连接。
import getpass
import sys, os, time, cgi, urllib, urlparse

from M2Crypto import m2urllib2 as urllib2
from M2Crypto import m2, SSL, Engine
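# Configuration.  The smartcard PIN is a secret: prompt for it at run time
# instead of keeping it in the source file.  An empty PIN skips the PIN ctrl
# command, exactly as the original `len(userPin) > 0` guard did.
userPin = getpass.getpass("Smartcard PIN: ")
theurl = "https://www.example.com"
rootCertsPath = "/Path/to/folder/with/multiple/certfiles"
pkcs11EnginePath = "/usr/local/Cellar/engine_pkcs11/0.1.8/lib/engines/engine_pkcs11.so"
pkcs11ModulePath = "/usr/local/lib/opensc-pkcs11.so"
# Object id of the key/certificate pair on the card, resolved by the engine.
keyId = "id_01"

# load dynamic engine
e = Engine.load_dynamic_engine("pkcs11", pkcs11EnginePath)
pk = Engine.Engine("pkcs11")
pk.ctrl_cmd_string("MODULE_PATH", pkcs11ModulePath)
if len(userPin) > 0:
    pk.ctrl_cmd_string("PIN", userPin)
m2.engine_init(m2.engine_by_id("pkcs11"))

# grab pkey and cert from smartcard
key = e.load_private_key(keyId)
cert = e.load_certificate(keyId)

# create context
ssl_context = SSL.Context("sslv23")
# "sslv23" negotiates the highest common protocol version but would still
# accept SSLv2/SSLv3 if the server offered nothing better; refuse them.
ssl_context.set_options(SSL.op_no_sslv2 | SSL.op_no_sslv3)
ssl_context.set_cipher_list("HIGH:!aNULL:!eNULL:@STRENGTH")
ssl_context.set_session_id_ctx("foobar")
# load_verify_locations returns 1 on success.  The original discarded the
# return value, so an unreadable capath went unnoticed.
if ssl_context.load_verify_locations(capath=rootCertsPath) != 1:
    raise SSL.SSLError("could not load CA certificates from %s" % rootCertsPath)
# Without set_verify the context stays in verify-none mode and the CA
# certificates loaded above are never consulted, i.e. any server certificate
# would be accepted.  verify_fail_if_no_peer_cert makes a missing server
# certificate a hard failure as well.
ssl_context.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 9)
# Client certificate and the (engine-backed) private key used to answer the
# server's CertificateRequest.
m2.ssl_ctx_use_x509(ssl_context.ctx, cert.x509)
m2.ssl_ctx_use_pkey_privkey(ssl_context.ctx, key.pkey)

opener = urllib2.build_opener(ssl_context)
urllib2.install_opener(opener)
req = urllib2.Request(theurl)
res = urllib2.urlopen(req)
print(res.read())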