Design of a CA system (CA certificate generation, revocation, digital signature generation)

CA system overview

        A CA (certification authority) system is an information-security technology built on public key infrastructure (PKI). It provides identity authentication, data encryption and digital signatures for the two parties of a network communication. The core of the system is the certification authority (CA), which issues digital certificates to users (nodes) to attest their identity and the legitimacy of their public keys. A digital certificate is an electronic document containing the user's information and public key; it is signed with the CA's private key and can be verified by any other user or system that trusts the CA. The validity of a certificate is maintained through certificate revocation lists (CRL) or the Online Certificate Status Protocol (OCSP).

Server-side (CA certificate center) functions:

1. Accept CSR files (requests for a CA-issued certificate)

2. Sign the CSR to produce a digital certificate

3. Revoke an issued certificate

4. View certificate files

5. Create, read, update and delete CA client user records

CA client functions:

1. Threshold key generation and distribution

2. Generate a CSR and send the certificate request

3. Certificate verification

4. Certificate revocation request

5. Digital signature generation

Certificate generation

1. Key generation

        Generate an RSA key pair with the rsa module of the cryptography library.

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import Encoding, PrivateFormat, NoEncryption

# Key generation
def generate_cakey(keysize):
    # Generate the CA key pair (public exponent 65537, keysize bits)
    private_key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=keysize,
    )
    # Export the private key as unencrypted PKCS#8 PEM
    ca_private_key = private_key.private_bytes(
        encoding=Encoding.PEM,
        format=PrivateFormat.PKCS8,
        encryption_algorithm=NoEncryption(),
    )
    # Export the public key as SubjectPublicKeyInfo PEM
    ca_public_key = private_key.public_key().public_bytes(
        encoding=Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    print("Key generated successfully")
    return private_key, ca_private_key, ca_public_key

Saving and loading the key pair

        The key pair is saved in PEM format for later use, and is read back from the same PEM files. Note that NoEncryption() writes the private key to disk in the clear; a production CA key should be exported with serialization.BestAvailableEncryption(passphrase) or kept in an HSM, and the key file should be readable only by the CA process.

def save_key(ca_private_key, ca_public_key):
    # Write the private key to a file
    with open('ca_private_key_4.pem', 'wb') as f:
        f.write(ca_private_key)
    # Write the public key to a file
    with open('ca_public_key_4.pem', 'wb') as f:
        f.write(ca_public_key)
    print("key saved successfully -------------------------------")

def load_key(key_path):
    # Return the raw PEM bytes; they are parsed later by load_pem_private_key
    with open(key_path, 'rb') as f:
        ca_key = f.read()
    return ca_key

2. Issuing the digital certificate

        Because this is a certificate system, the server first generates its own self-signed CA root certificate and then issues a certificate to the client signed with the CA key, so two RSA key pairs are needed: the user's key pair and the server's key pair. Two points to keep in mind with the function below. First, it rebuilds the root certificate on every call; a real CA generates the root once, stores it and reuses it, otherwise each client certificate chains to a different root. Second, the client certificate is built with BasicConstraints(ca=True), which makes it a subordinate CA certificate able to sign further certificates that chain to the root; a certificate intended only for signing and authentication should use ca=False, and a KeyUsage extension should restrict what the key may do.

import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization

def generate_ca_certificate(name, province, country, user_private_key_pem, ca_private_key_pem, deadline):
    # Load the CA (server) private key
    ca_private_key = serialization.load_pem_private_key(ca_private_key_pem, password=None)
    # Load the user private key; only its public half goes into the certificate
    user_private_key = serialization.load_pem_private_key(user_private_key_pem, password=None)

    # Subject of the CA root certificate
    root_subject = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, 'CN'),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, 'Guangxi'),
        x509.NameAttribute(NameOID.LOCALITY_NAME, 'Guangxi'),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, 'CA'),
        x509.NameAttribute(NameOID.COMMON_NAME, 'CA'),
    ])
    root_issuer = root_subject  # self-signed: issuer and subject are the same
    before_now = datetime.datetime.utcnow()
    if deadline <= before_now:
        raise ValueError("Deadline must be in the future.")
    serial_number = x509.random_serial_number()

    # Root certificate, signed with the CA key
    root_certificate = (
        x509.CertificateBuilder()
        .subject_name(root_subject)
        .issuer_name(root_issuer)
        .public_key(ca_private_key.public_key())
        .serial_number(serial_number)
        .not_valid_before(before_now)
        .not_valid_after(deadline)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_private_key, hashes.SHA256())
    )

    # Intermediate certificate for the user, issued by the root and signed with the CA key
    intermediate_subject = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, country),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, province),
        x509.NameAttribute(NameOID.LOCALITY_NAME, province),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, name),
        x509.NameAttribute(NameOID.COMMON_NAME, name),
    ])
    intermediate_issuer = root_subject
    intermediate_certificate = (
        x509.CertificateBuilder()
        .subject_name(intermediate_subject)
        .issuer_name(intermediate_issuer)
        .public_key(user_private_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(before_now)
        .not_valid_after(deadline)
        # ca=True makes this a subordinate CA; use ca=False for an end-entity certificate
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_private_key, hashes.SHA256())
    )

    # PEM encoding and the certificate chain (root + intermediate)
    root_cert_pem = root_certificate.public_bytes(serialization.Encoding.PEM)
    intermediate_cert_pem = intermediate_certificate.public_bytes(serialization.Encoding.PEM)
    cert_chain_pem = root_cert_pem + intermediate_cert_pem
    print("Certificate chain ----------------------------------------------------")
    print(cert_chain_pem.decode())
    print("Intermediate_CA", intermediate_certificate)
    return intermediate_certificate
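As an added example (not code from the original post), here is the CSR flow that the server and client function lists above mention but the code does not show, carried through to issuance: the client builds a CSR with CertificateSigningRequestBuilder, the server checks the CSR's proof-of-possession signature, issues an end-entity certificate (ca=False, a KeyUsage extension, an authority key identifier) from the CSR's subject and public key, and a relying party checks that the certificate's signature verifies under the root. The subject names, validity periods and the chains_to helper are assumptions for the demo; the root is created once here and would be persisted and reused by a real server.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Assumed root subject for the demo; any name the CA operates under works.
ROOT_NAME = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, "CN"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "CA"),
    x509.NameAttribute(NameOID.COMMON_NAME, "CA"),
])


def key_usage(**flags):
    """KeyUsage needs all nine flags; any flag not given is False."""
    names = ["digital_signature", "content_commitment", "key_encipherment",
             "data_encipherment", "key_agreement", "key_cert_sign",
             "crl_sign", "encipher_only", "decipher_only"]
    return x509.KeyUsage(**{n: flags.get(n, False) for n in names})


def make_root(ca_key, days=3650):
    """Self-signed root: ca=True, may only sign certificates and CRLs."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(ROOT_NAME)
        .issuer_name(ROOT_NAME)
        .public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(key_usage(key_cert_sign=True, crl_sign=True), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(ca_key.public_key()), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def make_csr(user_key, common_name):
    """Client side: the CSR carries the subject and public key, signed with the user's own key."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return x509.CertificateSigningRequestBuilder().subject_name(subject).sign(user_key, hashes.SHA256())


def issue_from_csr(csr, root_cert, ca_key, days=365):
    """Server side: check proof of possession, then issue an end-entity certificate."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid: requester does not hold the private key")
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(root_cert.subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        # ca=False: the holder cannot mint further certificates that chain to the root
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(key_usage(digital_signature=True, content_commitment=True), critical=True)
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key()), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def chains_to(cert, issuer_cert):
    """Relying party: issuer name must match, issuer must be a CA, and its key must verify the TBS bytes."""
    if cert.issuer != issuer_cert.subject:
        return False
    bc = issuer_cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    if not bc.ca:
        return False
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True


def demo():
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    root = make_root(ca_key)
    csr = make_csr(user_key, "xiaoxi")
    leaf = issue_from_csr(csr, root, ca_key)
    # A root belonging to someone else must not validate our leaf
    other_root = make_root(rsa.generate_private_key(public_exponent=65537, key_size=2048))
    return {
        "csr_valid": csr.is_signature_valid,
        "leaf_chains_to_root": chains_to(leaf, root),
        "leaf_chains_to_other_root": chains_to(leaf, other_root),
        "leaf_is_ca": leaf.extensions.get_extension_for_class(x509.BasicConstraints).value.ca,
    }


if __name__ == "__main__":
    print(demo())
```

The server never sees the user's private key in this flow: it learns the public key from the CSR and proves possession through the CSR signature, which is the reason the CSR exists at all.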

3. Digital signature generation

        The user's private key produces the digital signature; the certificate issued by the server is then used to verify it. The message itself is passed to sign(), which hashes it with SHA-256 inside the PKCS#1 v1.5 signature; if the message were hashed separately and only the digest passed in, the signature would cover a double hash, and if the hash were never fed the message at all, the signature would cover a constant and verify for any data.

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding

def sign_data(data, private_key):
    # Load the PEM-encoded user private key
    loaded_private_key = serialization.load_pem_private_key(private_key, password=None)
    # Accept str or bytes; the message itself is signed (sign() computes the SHA-256 digest)
    if isinstance(data, str):
        data = data.encode()
    signature = loaded_private_key.sign(
        data,
        padding.PKCS1v15(),
        hashes.SHA256(),
    )
    return signature

4. Verifying the digital signature with the certificate

        The public key extracted from the certificate verifies the signature generated above. This checks only that the signature matches the certificate's public key; it does not check the certificate's own signature chain or validity period, and it does not check whether the certificate has been revoked.

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding

def verify_signature(data, signature, certificate):
    # Load the PEM certificate and extract its public key
    loaded_certificate = x509.load_pem_x509_certificate(certificate)
    public_key = loaded_certificate.public_key()
    if isinstance(data, str):
        data = data.encode()
    try:
        # verify() hashes the message with SHA-256 and checks the PKCS#1 v1.5 signature;
        # InvalidSignature means the data or the signature was altered
        public_key.verify(signature, data, padding.PKCS1v15(), hashes.SHA256())
        print("Signature verified")
        return True
    except InvalidSignature:
        print("Signature verification failed")
        return False
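An easy mistake in this step is to create a Hash object, never call update() with the message, and pass the finalized digest to sign(): the signature then covers a constant and verifies for every message, while the corresponding verify() that does the same thing reports success. This added example (not code from the original post) puts that broken pair next to the correct one, using the same RSA PKCS#1 v1.5 with SHA-256 as the page; the two messages are constructed for the demo.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def buggy_sign(data: bytes, key) -> bytes:
    # Digest object created but never fed the data: this is SHA-256 of the empty string
    digest = hashes.Hash(hashes.SHA256())
    hashed = digest.finalize()
    # sign() hashes that constant again; the message never enters the computation
    return key.sign(hashed, padding.PKCS1v15(), hashes.SHA256())


def buggy_verify(data: bytes, signature: bytes, public_key) -> bool:
    # Same constant on the verifier side, so any message "verifies"
    digest = hashes.Hash(hashes.SHA256())
    hashed = digest.finalize()
    try:
        public_key.verify(signature, hashed, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def fixed_sign(data: bytes, key) -> bytes:
    # Pass the message itself; sign() computes SHA-256 over it inside the PKCS#1 v1.5 encoding
    return key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def fixed_verify(data: bytes, signature: bytes, public_key) -> bool:
    try:
        public_key.verify(signature, data, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def demo():
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub = key.public_key()
    original = b"transfer 10 to alice"        # constructed sample message
    forged = b"transfer 9999 to mallory"      # constructed tampered message
    sig_buggy = buggy_sign(original, key)
    sig_fixed = fixed_sign(original, key)
    return {
        "buggy_accepts_original": buggy_verify(original, sig_buggy, pub),
        "buggy_accepts_forged": buggy_verify(forged, sig_buggy, pub),
        "fixed_accepts_original": fixed_verify(original, sig_fixed, pub),
        "fixed_accepts_forged": fixed_verify(forged, sig_fixed, pub),
    }


if __name__ == "__main__":
    print(demo())
```

A unit test that signs one message and verifies a different one, expecting failure, catches this class of bug; a test that only round-trips the same message does not.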

Screenshot of the run

The generated certificate

Complete code

import datetime
import os

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import Encoding, PrivateFormat, NoEncryption
from cryptography.x509.oid import NameOID


# Key generation
def generate_cakey(keysize):
    # Generate an RSA key pair
    private_key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=keysize,
    )
    # Unencrypted PKCS#8 PEM export of the private key
    ca_private_key = private_key.private_bytes(
        encoding=Encoding.PEM,
        format=PrivateFormat.PKCS8,
        encryption_algorithm=NoEncryption(),
    )
    # SubjectPublicKeyInfo PEM export of the public key
    ca_public_key = private_key.public_key().public_bytes(
        encoding=Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    print("Key generated successfully")
    return private_key, ca_private_key, ca_public_key


def load_key(key_path):
    # Return the raw PEM bytes
    with open(key_path, 'rb') as f:
        ca_key = f.read()
    return ca_key


def save_key(ca_private_key, ca_public_key):
    # Save the CA key pair (unencrypted PEM; restrict file permissions on the private key)
    with open('ca_private_key.pem', 'wb') as f:
        f.write(ca_private_key)
    with open('ca_public_key.pem', 'wb') as f:
        f.write(ca_public_key)
    print("CA-key saved successfully -------------------------------")


def save_key2(usr_private_key, usr_public_key):
    # Save the user key pair
    with open('usr_private_key.pem', 'wb') as f:
        f.write(usr_private_key)
    with open('usr_public_key.pem', 'wb') as f:
        f.write(usr_public_key)
    print("USER-key saved successfully -------------------------------")


def generate_ca_certificate(name, province, country, user_private_key_pem, ca_private_key_pem, deadline):
    # Load the CA (server) private key
    ca_private_key = serialization.load_pem_private_key(ca_private_key_pem, password=None)
    # Load the user private key; only its public half goes into the certificate
    user_private_key = serialization.load_pem_private_key(user_private_key_pem, password=None)

    # Subject of the CA root certificate; issuer == subject for a self-signed root
    root_subject = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, 'CN'),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, 'Guangxi'),
        x509.NameAttribute(NameOID.LOCALITY_NAME, 'Guangxi'),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, 'CA'),
        x509.NameAttribute(NameOID.COMMON_NAME, 'CA'),
    ])
    root_issuer = root_subject
    before_now = datetime.datetime.utcnow()
    if deadline <= before_now:
        raise ValueError("Deadline must be in the future.")
    serial_number = x509.random_serial_number()

    # Root certificate (regenerated on every call here; a real CA persists and reuses it)
    root_certificate = (
        x509.CertificateBuilder()
        .subject_name(root_subject)
        .issuer_name(root_issuer)
        .public_key(ca_private_key.public_key())
        .serial_number(serial_number)
        .not_valid_before(before_now)
        .not_valid_after(deadline)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_private_key, hashes.SHA256())
    )

    # Intermediate certificate for the user, signed with the CA key
    intermediate_subject = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, country),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, province),
        x509.NameAttribute(NameOID.LOCALITY_NAME, province),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, name),
        x509.NameAttribute(NameOID.COMMON_NAME, name),
    ])
    intermediate_issuer = root_subject
    intermediate_certificate = (
        x509.CertificateBuilder()
        .subject_name(intermediate_subject)
        .issuer_name(intermediate_issuer)
        .public_key(user_private_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(before_now)
        .not_valid_after(deadline)
        # ca=True makes this a subordinate CA; use ca=False for an end-entity certificate
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_private_key, hashes.SHA256())
    )

    # PEM encoding and the certificate chain (root + intermediate)
    root_cert_pem = root_certificate.public_bytes(serialization.Encoding.PEM)
    intermediate_cert_pem = intermediate_certificate.public_bytes(serialization.Encoding.PEM)
    cert_chain_pem = root_cert_pem + intermediate_cert_pem
    print("Certificate chain ----------------------------------------------------")
    print(cert_chain_pem.decode())
    print("Intermediate_CA", intermediate_certificate)
    return intermediate_certificate


# Save a certificate
def save_certificate_to_file(certificate, filename):
    with open(filename, "wb") as file:
        file.write(certificate)


def sign_data(data, private_key):
    # Load the PEM-encoded private key
    loaded_private_key = serialization.load_pem_private_key(private_key, password=None)
    # Accept str or bytes; the message itself is signed (sign() computes the SHA-256 digest)
    if isinstance(data, str):
        data = data.encode()
    signature = loaded_private_key.sign(data, padding.PKCS1v15(), hashes.SHA256())
    return signature


def verify_signature(data, signature, certificate):
    # Load the PEM certificate and extract its public key
    loaded_certificate = x509.load_pem_x509_certificate(certificate)
    public_key = loaded_certificate.public_key()
    if isinstance(data, str):
        data = data.encode()
    try:
        # verify() hashes the message and checks the PKCS#1 v1.5 signature
        public_key.verify(signature, data, padding.PKCS1v15(), hashes.SHA256())
        print("Signature verified")
        return True
    except InvalidSignature:
        print("Signature verification failed")
        return False


if __name__ == "__main__":
    keysize = 2048  # key length in bits
    time0 = "2026-1-1"
    time1 = "00:00:00"
    date_string = time0 + " " + time1
    format_string = '%Y-%m-%d %H:%M:%S'  # parse the text into a datetime
    datetime_obj = datetime.datetime.strptime(date_string, format_string)
    print('datetime_obj', datetime_obj)
    # Server key pair
    private_key, ca_private_key, ca_public_key = generate_cakey(keysize)
    # User key pair
    private_key2, usr_private_key2, usr_public_key2 = generate_cakey(keysize)
    # Save both pairs as PEM
    save_key(ca_private_key, ca_public_key)
    save_key2(usr_private_key2, usr_public_key2)
    ca_private_key_path = 'ca_private_key.pem'  # key file paths
    ca_public_key_path = 'ca_public_key.pem'
    # Load the key files (saving and then reloading looks odd, but mirrors how the full system works)
    ca_private_key = load_key(ca_private_key_path)
    ca_public_key = load_key(ca_public_key_path)
    usr_private_key_path = 'usr_private_key.pem'
    usr_public_key_path = 'usr_public_key.pem'
    user_private_key = load_key(usr_private_key_path)
    user_public_key = load_key(usr_public_key_path)
    # Print only the public keys; private keys should never be written to logs
    print("ca_public_key", ca_public_key.decode())
    print("user_public_key", user_public_key.decode())
    # Issue the certificate
    name = 'xiaoxi'
    province = "Guangxi"
    country = "CN"
    ca_certificate = generate_ca_certificate(name, province, country, user_private_key, ca_private_key, datetime_obj)
    print("ca_certificate", ca_certificate)
    ca_certificate_bytes = ca_certificate.public_bytes(encoding=serialization.Encoding.PEM)
    script_dir = os.path.dirname(os.path.abspath(__file__))
    # Folder the certificate is saved in
    ca_folder = os.path.join(script_dir, 'server_ca')
    os.makedirs(ca_folder, exist_ok=True)
    ca_path = os.path.join(ca_folder, "ca_certificate.crt")
    save_certificate_to_file(ca_certificate_bytes, ca_path)
    # Sign data with the user key and verify it with the issued certificate
    data = b'hello'
    signature = sign_data(data, user_private_key)
    is_valid = verify_signature(data, signature, ca_certificate_bytes)

Certificate revocation

Certificate revocation follows this article:

Certificate Revocation List (CRL) - 程翔北 - 博客园

A certificate revocation list (CRL) is generated and the serial numbers of revoked certificates are added to it. The CRL is signed with the CA private key, and its issuer name must equal the subject name of the CA certificate that issued the revoked certificates, otherwise relying parties will not associate the CRL with those certificates.

Complete code

import os
from datetime import datetime, timedelta

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.x509.oid import NameOID


def add_certificate_to_crl():
    crl_file_path = "H:/CA_demo/crl_list.crl"
    ca_private_key_path = "H:/CA_demo/ca_private_key.pem"
    # Serial number of the certificate to revoke (an integer; most tools display it in hex)
    target_serial_number = 1234
    try:
        if not os.path.exists(crl_file_path):
            # CRL issuer name: must match the subject of the CA certificate, including its CN
            issuer_name = x509.Name([
                x509.NameAttribute(NameOID.COUNTRY_NAME, "CN"),
                x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Guangxi"),
                x509.NameAttribute(NameOID.LOCALITY_NAME, "Guangxi"),
                x509.NameAttribute(NameOID.ORGANIZATION_NAME, "CA"),
                x509.NameAttribute(NameOID.COMMON_NAME, "CA"),
            ])
            builder = x509.CertificateRevocationListBuilder().issuer_name(issuer_name)
        else:
            with open(crl_file_path, "rb") as crl_file:
                crl_data = crl_file.read()
            # Parse the existing CRL and carry its entries over into the new one
            crl = x509.load_pem_x509_crl(crl_data)
            builder = x509.CertificateRevocationListBuilder().issuer_name(crl.issuer)
            for revoked_certificate in crl:
                builder = builder.add_revoked_certificate(revoked_certificate)
        # CRL validity window; relying parties must fetch a fresh CRL after next_update
        this_update = datetime.utcnow()
        next_update = this_update + timedelta(days=1)
        builder = builder.last_update(this_update).next_update(next_update)
        # New revocation entry
        revoked_certificate = (
            x509.RevokedCertificateBuilder()
            .serial_number(target_serial_number)
            .revocation_date(this_update)
            .build()
        )
        builder = builder.add_revoked_certificate(revoked_certificate)
        # Sign the CRL with the CA private key
        with open(ca_private_key_path, 'rb') as key_file:
            private_key = serialization.load_pem_private_key(key_file.read(), password=None)
        crl = builder.sign(private_key=private_key, algorithm=hashes.SHA256())
        # Write the updated CRL back to the file
        with open(crl_file_path, "wb") as crl_file:
            crl_file.write(crl.public_bytes(serialization.Encoding.PEM))
        print(f"Certificate serial {target_serial_number} added to the CRL.")
    except Exception as e:
        print(f"Error: {e}")


if __name__ == "__main__":
    add_certificate_to_crl()

Screenshot of the run

        The CRL file now contains the newly revoked serial number and the revocation date. The serial 1234 is used here only to simplify the demonstration; in normal use the real serial number of the certificate being revoked (its serial_number attribute) is required.
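The check that the signature verification step earlier leaves out, as an added example that is not part of the original post: given a CRL like the one produced above, a relying party must verify the CRL's signature with the CA's public key, confirm that the CRL issuer equals the certificate's issuer, reject a CRL past its next_update (a replayed old CRL would hide a later revocation), and only then look up the serial. build_crl, CA_NAME and the serials 1234 and 5678 are constructed for the demo.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Assumed CA name; it must equal the subject of the CA certificate that issued the checked cert.
CA_NAME = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, "CN"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "CA"),
    x509.NameAttribute(NameOID.COMMON_NAME, "CA"),
])


def build_crl(ca_key, revoked_serials, now, validity=timedelta(days=1)) -> bytes:
    """Sign a CRL listing the given serials (constructed for the demo); returns PEM bytes."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(CA_NAME)
               .last_update(now)
               .next_update(now + validity))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial)
                 .revocation_date(now)
                 .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
                 .build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


def revocation_status(crl_pem: bytes, ca_public_key, cert_issuer, cert_serial: int, now) -> str:
    """'good', 'revoked', or 'unknown' (CRL unusable: bad signature, wrong issuer, or stale)."""
    crl = x509.load_pem_x509_crl(crl_pem)
    # 1. The CRL must be signed by the issuing CA's key
    try:
        ca_public_key.verify(crl.signature, crl.tbs_certlist_bytes,
                             padding.PKCS1v15(), crl.signature_hash_algorithm)
    except InvalidSignature:
        return "unknown"
    # 2. The CRL issuer must be the issuer of the certificate being checked
    if crl.issuer != cert_issuer:
        return "unknown"
    # 3. A CRL past next_update must not be trusted (cryptography >= 42 exposes the
    #    timezone-aware next_update_utc; older versions only the naive next_update)
    next_update = getattr(crl, "next_update_utc", None)
    if next_update is None and crl.next_update is not None:
        next_update = crl.next_update.replace(tzinfo=timezone.utc)
    if next_update is not None and now > next_update:
        return "unknown"
    # 4. Only now is a serial lookup meaningful
    if crl.get_revoked_certificate_by_serial_number(cert_serial) is not None:
        return "revoked"
    return "good"


def demo():
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    other_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.now(timezone.utc)
    crl_pem = build_crl(ca_key, [1234], now)
    pub = ca_key.public_key()
    return {
        "revoked_serial": revocation_status(crl_pem, pub, CA_NAME, 1234, now),
        "other_serial": revocation_status(crl_pem, pub, CA_NAME, 5678, now),
        "wrong_ca_key": revocation_status(crl_pem, other_key.public_key(), CA_NAME, 5678, now),
        "stale_crl": revocation_status(crl_pem, pub, CA_NAME, 5678, now + timedelta(days=2)),
    }


if __name__ == "__main__":
    print(demo())
```

Treating "unknown" the same as "revoked" (fail closed) is the safe default for a system like this one, where the CRL is served by the same CA and an attacker who can block or replay it should not gain acceptance of a revoked certificate.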

System test

Client interface

Server interface

Source: http://www.rhkb.cn/news/498846.html
