Question
I have tried to use the Python library "requests" to communicate with a website protected by a smartcard. That means strong authentication in SSL: you must provide a client-side certificate (certificate and private key).
As I am using a smartcard, I cannot read the private key (only the modulus), which is a normal protection. I can read the smartcard with the Python library PyKCS11: all certificates, the public key and the modulus of the private key, once the PIN code is given.
How do I combine requests and PyKCS11?
How do I make an SSL request with a client-side certificate held in a smartcard?
EDIT 2017/08/04
On my Mac :
- brew install openssl
- brew install opensc
- brew install engine_pkcs11
- openssl
- engine dynamic -pre SO_PATH:/usr/local/Cellar/engine_pkcs11/0.1.8/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/(my specific Pkcs11 lib).dylib
- Loaded: (pkcs11) pkcs11 engine
- s_client -engine pkcs11 -key '(slot):(id)' -keyform engine -cert 'pem.cer' -connect (host):443 -state -debug
- SSL handshake ok
My problem now is that pyOpenSSL does not have a function in its API to select an engine (like pkcs11). So I am stuck. I cannot use Python.
Answer 1:
I would try to use:
- OpenSSL with PKCS#11 (maybe using the pkcs11 engine https://github.com/OpenSC/libp11)
- pyOpenSSL
Answer 2:
It works with M2Crypto:
from M2Crypto import Engine


def InitPKCS11Engine(id, dllPath):
    # Register OpenSSL's "dynamic" engine, then use it to load the pkcs11 engine shared object
    Engine.load_dynamic()
    e = Engine.Engine('dynamic')
    e.ctrl_cmd_string('SO_PATH', dllPath)   # path to the engine_pkcs11 library
    e.ctrl_cmd_string('ID', id)             # engine id, e.g. 'pkcs11'
    e.ctrl_cmd_string('LIST_ADD', '1')
    e.ctrl_cmd_string('LOAD', None)
    return e

Afterwards you can add your specific PKCS#11 library and the PIN.
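The remaining steps that Answer 2 leaves open (MODULE_PATH, PIN, loading the card-held key and making the HTTPS call), written out as an added example rather than code from either answer. The engine and module paths are placeholders, the `slot:id` key reference follows the question's s_client command, and `m2.ssl_ctx_use_x509`/`m2.ssl_ctx_use_pkey_privkey` are assumed low-level M2Crypto bindings for attaching an engine-backed key to an SSL context.

```python
from typing import List, Optional, Tuple

# Placeholder paths for this example (not values taken from the question).
ENGINE_SO = "/usr/local/Cellar/engine_pkcs11/0.1.8/lib/engines/engine_pkcs11.so"
MODULE_PATH = "/usr/local/lib/your-vendor-pkcs11-module.dylib"  # placeholder


def pkcs11_engine_commands(engine_so: str, module_path: str,
                           pin: Optional[str] = None) -> List[Tuple[str, Optional[str]]]:
    """Control commands matching the 'engine dynamic -pre ...' line of the question.

    Order matters: SO_PATH, ID and LIST_ADD configure the 'dynamic' loader and must
    precede LOAD; MODULE_PATH and PIN are commands of the loaded pkcs11 engine itself.
    """
    cmds = [("SO_PATH", engine_so), ("ID", "pkcs11"), ("LIST_ADD", "1"),
            ("LOAD", None), ("MODULE_PATH", module_path)]
    if pin is not None:
        cmds.append(("PIN", pin))  # lets the engine log in to the token without prompting
    return cmds


def init_pkcs11_engine(engine, engine_so: str, module_path: str, pin: Optional[str] = None):
    """Apply the command sequence to an M2Crypto Engine (any object with ctrl_cmd_string)."""
    for cmd, arg in pkcs11_engine_commands(engine_so, module_path, pin):
        engine.ctrl_cmd_string(cmd, arg)
    return engine


def https_get_with_smartcard(host: str, slot: str, key_id: str, cert_pem: str,
                             pin: str, ca_file: str, path: str = "/", port: int = 443):
    """GET over TLS, signing the client-auth handshake with the key that stays on the card."""
    # Deferred import so the helpers above can run where M2Crypto is not installed.
    from M2Crypto import Engine, SSL, X509, httpslib, m2
    Engine.load_dynamic()
    eng = init_pkcs11_engine(Engine.Engine("dynamic"), ENGINE_SO, MODULE_PATH, pin)
    eng.init()
    # Same "(slot):(id)" key reference the question's s_client command uses.
    key = eng.load_private_key(f"{slot}:{key_id}")  # EVP.PKey backed by the card; no key bytes leave it
    cert = X509.load_cert(cert_pem)  # the public certificate read off the card earlier
    ctx = SSL.Context("tls")
    ctx.load_verify_locations(cafile=ca_file)
    ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, depth=9)  # verify the server too
    m2.ssl_ctx_use_x509(ctx.ctx, cert.x509)          # assumed low-level M2Crypto bindings that
    m2.ssl_ctx_use_pkey_privkey(ctx.ctx, key.pkey)   # attach the engine-backed key to the context

    conn = httpslib.HTTPSConnection(host, port, ssl_context=ctx)
    conn.request("GET", path)
    resp = conn.getresponse()
    return resp.status, resp.read()
```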
Source: https://stackoverflow.com/questions/45385964/how-to-make-a-tls-request-using-a-smartcard-with-python