Python pyopenssl 签名证书错误 (Firefox: SEC_ERROR_REUSED_ISSUER_AND_SERIAL, chrome: ERR_CERT_AUTHORITY_INVALID)

Python pyopenssl signed certificate error (Firefox: SEC_ERROR_REUSED_ISSUER_AND_SERIAL, chrome: ERR_CERT_AUTHORITY_INVALID)

我正在为研究所的一个项目创建防病毒软件。作为项目的一部分,我正在尝试创建一个可以拦截 https 数据的代理服务器。 为此,我创建了一个 CA 证书并将其附加到 Firefox 和 Windows 存储。它是使用以下方法创建的:

from OpenSSL import crypto    
import os
    
KEY_FILE = "self_sertificate.key"
CERT_FILE = "self_sertificate.crt"
    
def get_self_sert():
    k = crypto.PKey()
    k.generate_key(crypto.TYPE_RSA, 2048)
        
    cert = crypto.X509()
    cert.set_version(2)
    cert.get_subject().C = "US"
    cert.get_subject().ST = "State"
    cert.get_subject().L = "City"
    cert.get_subject().O = "Organization"
    cert.get_subject().OU = "Organization CA"
    cert.get_subject().CN = "Organization CA"
    cert.set_serial_number(24695562)
    
    cert.add_extensions([
        crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
        crypto.X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=cert),
    ])
        
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(10*365*24*60*60)
    cert.set_issuer(cert.get_subject())
    cert.set_pubkey(k)
    cert.sign(k, 'sha256')
    return cert,k
   
def create_self_signed_cert(dir='\cert'):      
    cert,k = get_self_sert()
    
    with open(os.path.join(os.getcwd() + dir, CERT_FILE), "wb") as f:
        f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
    
    with open(os.path.join(os.getcwd() + dir, KEY_FILE), "wb") as f:
        f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))

后续证书的创建:

 def create_cert_req(url):
        pKey = crypto.PKey()
        pKey.generate_key(crypto.TYPE_RSA, 2048)
    
        req = crypto.X509Req()
        subj = req.get_subject()
        
        subj.C = 'US'
        subj.ST = 'State'
        subj.L = 'City'
        subj.O = 'Organization'
        subj.OU = 'Organization CA'
        subj.CN = url
        subj.emailAddress = 'example@example.org'
        
        req.set_pubkey(pKey)
        req.sign(pKey,'sha256')
        return req

def create_signed_cert_demo(url,serial=106570068,dir='\lib\cert\',cert_name=str(random.randint(100000,1000000))):
    req = create_cert_req(url)
    ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, open(os.getcwd() + dir + CERT_FILE).read())
    ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(os.getcwd() + dir + KEY_FILE).read())

    cert = crypto.X509()
    
    cert.set_version(2)
    cert.set_serial_number(serial)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(10*365*24*60*60)
    cert.set_issuer(ca_cert.get_subject())
    cert.set_subject(req.get_subject())
    cert.set_pubkey(req.get_pubkey())
    cert.add_extensions([crypto.X509Extension(b"subjectAltName", False, b"DNS:" + url.encode())])
    
    cert.sign(ca_key,'sha256')
    
    with open(os.path.join(os.getcwd() + dir, cert_name+'.crt'), "wb") as f:
        f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
        
    with open(os.path.join(os.getcwd() + dir, cert_name+'.key'), "wb") as f:
        f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM,cert.get_pubkey()))
    return cert_name+'.crt',cert_name+'.key'

然后创建了一个接受 https 连接并创建新证书的代理:

cert_crt,cert_key = certificate.create_signed_cert_demo(headers['host']) # Calling the function that creates the certificate
print('\lib\cert\'+cert_crt)
print('\lib\cert\'+cert_key)
conn = ssl.wrap_socket(conn,server_side=True,certfile=os.getcwd() +'\lib\cert\'+cert_crt,keyfile=os.getcwd() +'\lib\cert\'+cert_key)
data = conn.recv(1024)

当我通过浏览器访问 http 站点时,我的代理工作正常,但是当我访问 https 站点时,出现错误:

Firefox:
SEC_ERROR_REUSED_ISSUER_AND_SERIAL

Chrome:
ERR_CERT_AUTHORITY_INVALID

Python 错误:

File "Proxy.py", line 102, in <module>
    conn.start()
  File "Proxy.py", line 52, in start
    conn = ssl.wrap_socket(conn,server_side=True,certfile=os.getcwd() +'\lib\cert\'+cert_crt,keyfile=os.getcwd() +'\lib\cert\'+cert_key)
  File "C:\Users\Илья\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 1405, in wrap_socket
    return context.wrap_socket(
  File "C:\Users\Илья\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "C:\Users\Илья\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 1040, in _create
    self.do_handshake()
  File "C:\Users\Илья\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1108)

证书示例: 加州

-----BEGIN CERTIFICATE-----
MIIDoTCCAomgAwIBAgIEAXjTCjANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJV
UzEOMAwGA1UECAwFU3RhdGUxDTALBgNVBAcMBENpdHkxFTATBgNVBAoMDE9yZ2Fu
aXphdGlvbjEYMBYGA1UECwwPT3JnYW5pemF0aW9uIENBMRgwFgYDVQQDDA9Pcmdh
bml6YXRpb24gQ0EwHhcNMjAwNjMwMDYxODAzWhcNMzAwNjI4MDYxODAzWjB3MQsw
CQYDVQQGEwJVUzEOMAwGA1UECAwFU3RhdGUxDTALBgNVBAcMBENpdHkxFTATBgNV
BAoMDE9yZ2FuaXphdGlvbjEYMBYGA1UECwwPT3JnYW5pemF0aW9uIENBMRgwFgYD
VQQDDA9Pcmdhbml6YXRpb24gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCywk1rl4sltY6c3yfLVplhYjCkXHsZIUsTxr58rdX6igKiY6iNuSE5mhAo
dT/im0sTuFbn7EK4iopjlAqOJ0zo6abp2pkD2aCG2OC+3tl0brzim7yeG4TtPY/A
HoWh/Ax3csrGgVxWQjjNDJTgDqiC6u3rP75JjF0dqyF+0XyPOK+IjrKzzFDyTsI9
vC+rSGEi78Lo0x+Gx5FGBdaZXP8nMRaaTDagWTI37dijb0Cx2BaRxeQUUqX7tp/W
ilGxb5swu0/CLKDv9k0IPeqiMax/YFZTjg9efUkUBtT4nTJi4QXkwAv1sF9InmMm
/kVcihVvtic+lCbDvGKbheY9XcrvAgMBAAGjNTAzMBIGA1UdEwEB/wQIMAYBAf8C
AQAwHQYDVR0OBBYEFNo5o+5ea0sNMlW/75VgGJCv2AcJMA0GCSqGSIb3DQEBCwUA
A4IBAQB2s+HyTJN0M83Ovvyl8TAOI1jDRHqe48mWSYgBTEge7kSu/BwIdfz3W/S2
M2MN8kdm0T8s0+s2Hqwo5kgfoI2QVahNB0gHhycE+Pnmvey6rfgvaRzCU1UvnLJu
PhSJaAth0IOVifcfCIWdVSVwRslJPwr/VkSR8al6bMA9ZVQ2lcw8NqtHZkVDFidZ
GdJefC9cS+M+1B9T/uR+cXJTBTdOKzwilwLFwP5NoPdQEg3OgFjWWaYyvdMM/DLO
YSqn/Uuc7+eJfFPPLgai1Rgkx912HWvQz/C8R3UHopii/789AfnWp3Nq7wNjAITK
lgjuq1T/u7kCvn9sBzBFUlN7akCT
-----END CERTIFICATE-----

example.org

    -----BEGIN CERTIFICATE-----
MIIDpzCCAo+gAwIBAgIEBlohVDANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJV
UzEOMAwGA1UECAwFU3RhdGUxDTALBgNVBAcMBENpdHkxFTATBgNVBAoMDE9yZ2Fu
aXphdGlvbjEYMBYGA1UECwwPT3JnYW5pemF0aW9uIENBMRgwFgYDVQQDDA9Pcmdh
bml6YXRpb24gQ0EwHhcNMjAwNjMwMDYzMDA3WhcNMzAwNjI4MDYzMDA3WjCBlzEL
MAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRUwEwYD
VQQKDAxPcmdhbml6YXRpb24xGDAWBgNVBAsMD09yZ2FuaXphdGlvbiBDQTEUMBIG
A1UEAwwLZXhhbXBsZS5vcmcxIjAgBgkqhkiG9w0BCQEWE2V4YW1wbGVAZXhhbXBs
ZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCbPNPw/IdWx67
aY8H6ODRhxum/sdll9PjYgkrvGbJoERPUthaON/MaIMAHZXuqnXITwYL3FgFzZ/f
YlbCWoTapT/+N9/jnjR0XZEhIBubK+Asgy/pmQ5Nq0bjT7agMhp5z4eqKjXgziNf
6BdPdb5MDXIlvZ50Nm3b6wTx16yCvZ1tcCnkv+8vj/ADcq5/soPI/pI0mBv/MTI/
AzAC0OvAMXEoG2KX2GHl8F3CA+4PnsUnhY7PBJJ8XuG9tmbgD5zDUe9v4KmwIw7H
L6oMc8Dij+Z1gU7zCKyTMyuiS0yoIziPixFGY7ApVkr7LVF1z0y0snZffDdMrFnP
Zrg64D/FAgMBAAGjGjAYMBYGA1UdEQQPMA2CC2V4YW1wbGUub3JnMA0GCSqGSIb3
DQEBCwUAA4IBAQB6fRWks0FanwRVBsTVHpAJmoUSVf7PxyhH+/ZXJx5L74wT587B
sbjefwFlDMHimsyFHJxLBK7A/HPbkbNIioW2rmBHdipTSs4s6X/wQTJjLt9YvCs6
l4LzZ5Iqs68PvkgVMRkbOZKbPbIBEW2qe2zg++BB3ye9EWhE/jGa338+RvwzwnVn
f8EV1KIKtK9p9rUQPaY/ipV+8E74oDoL0Hk/M4qobjpCJEQzI/triORzDefdjZ50
UVpVbsOMjtlhymUon/h8OluwY0to/ehjs1RD6KIxZ6sjK0cERMotSSzYnlQh7xW8
8ZxXEYF2jVJkqSLnW9QDrK6tGZJ/MbeRqJKc
-----END CERTIFICATE-----

SEC_ERROR_REUSED_ISSUER_AND_SERIAL

您对同一 CA 颁发的不同证书使用相同的序列号(硬编码为 106570068)。但是每个CA颁发的证书必须有不同的序列号。

ERR_CERT_AUTHORITY_INVALID

CA 可能没有作为受信任的 CA 正确导入浏览器。但它也可能只是一个稍微错误且不太具体的错误消息,由 Firefox 显示的基本相同的问题触发。

ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1108)

这只是浏览器拒绝证书的副作用。

事实证明,浏览器会在单个会话中记住证书。要解决此问题,您需要保存证书并使用它们。 更新函数 create_signed_cert_demo:

def create_signed_cert_demo(url,serial=random.randint(1,100000000),dir='\lib\cert\',cert_name=str(random.randint(100000,1000000))):
    dir_list = os.listdir(os.getcwd() + dir)
    if url + '.crt' in dir_list:
        return url + '.crt', url + '.key'
    req = create_cert_req(url)
    ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, open(os.getcwd() + dir + CERT_FILE).read())
    ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(os.getcwd() + dir + KEY_FILE).read())
    
    cert = crypto.X509()
        
    cert.set_version(2)
    cert.set_serial_number(serial)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(10*365*24*60*60)
    cert.set_issuer(ca_cert.get_subject())
    cert.set_subject(req.get_subject())
    cert.set_pubkey(req.get_pubkey())
    cert.add_extensions([crypto.X509Extension(b"subjectAltName", False, b"DNS:" + url.encode())])
        
    cert.sign(ca_key,'sha256')
    
    with open(os.path.join(os.getcwd() + dir, url+'.crt'), "wb") as f:
        f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
        
    with open(os.path.join(os.getcwd() + dir, url+'.key'), "wb") as f:
        f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM,cert.get_pubkey()))
    return url+'.crt',url+'.key'