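For starters, I'm aware of the "getpeercert()" method, and it does provide the certificate. That information is written up nicely, with a reference, at this link: How can i get Certificate issuer information in python?
The issue is that it appears the root certificate is not provided, only the intermediate and the peer. Is this expected, or is there a way to get the full chain?
I ask because, to sum it all up, I'm creating a Python 3 script that has to do with verifying a web server's certificate and whether that certificate was issued by Symantec. A colleague found this Ruby script, https://arkadiyt.com/2018/02/04/quantifying-untrusted-symantec-certificates/, which claims to be able to get the full chain, not just the intermediate (issued by) and the peer (issued to).
For me, the sites I've come across don't have differing root/intermediate certificates, at least as far as I know. I thought root CAs are held more tightly, and that their intermediate entities exist for security purposes. That way, in case something happens to the intermediate, the root itself isn't lost (please correct me if I'm wrong, even though this isn't directly tied to the question).
Here is the code, just in case, though it's nearly a direct copy from the first link. The URL is pulled from a CSV file: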
import socket
import ssl

# Defined elsewhere in the full script; declared here so the snippet runs on its own
TROUBLESOME = set()     # URLs that could not be checked
SYMANTEC_CERTED = []    # URLs whose certificate issuer mentions Symantec

'''START: Define function to check a URL's SSL certificate'''
def Check_SSL_Cert(url):
    # Was having random issues with connecting to various URLs
    # Threw in this try / except block to get more detail of issues but also keep iterating through the list
    try:
        ctx = ssl.create_default_context()  # returns a new context with secure default settings
        s = ctx.wrap_socket(socket.socket(), server_hostname=url)  # Wraps the underlying socket <socket.socket()> in an SSL context
        s.connect((url, 443))  # Connect to <url> on port <443>
        cert = s.getpeercert()  # Get the peer certificate of the remote URL as a dict
        s.close()  # Release the connection once the certificate has been read
        subject = dict(x[0] for x in cert['subject'])  # Assign <subject>
        issued_to = subject['commonName']  # Who was the certificate issued to
        issuer = dict(x[0] for x in cert['issuer'])  # Assign <issuer>
        issued_by = issuer['commonName']  # Who assigned the certificate
    except Exception:
        print("[*] Exception - Issues with URL: {}".format(url))  # Some screen output
        TROUBLESOME.add(url)  # Add troublesome URLs to <TROUBLESOME> set data structure
        #time.sleep(5) # Logic check
        return  # <issued_by> was never set, so there is nothing left to check
    # Used for logic checking
    #print("URL: {}".format(url))
    # Check to see if <symantec> is anywhere within the certificate's <issued_by> value
    # (compared in lower case, since issuer names are capitalised, e.g. "Symantec ...")
    try:
        if 'symantec' in issued_by.lower():
            print("\n\nIssued to: {}".format(issued_to))
            print("Issued by: {}".format(issued_by))
            SYMANTEC_CERTED.append(url)
            #time.sleep(5) # Logic checker
    except Exception:
        print("[*] Exception - Issue with cert for: {}".format(url))  # Some nice screen output
        #time.sleep(5)
'''END: Define function to check a URL's SSL certificate'''
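If there are any other questions, please let me know, and if I'm not clear about what I'm asking for help with, feel free to ask for more detail.
Thank you for your time.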
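
An added example (not part of the original post, and not the linked Ruby script): `getpeercert()` returns only the peer certificate, and a server normally leaves the root out of what it sends, so this sketch completes the chain by matching each issuer name against the intermediates and a local trust store, then searches every issuer in the chain for "symantec". The helper names and the sample certificates are constructed for illustration, and matching is by name only, which is an assumption made for brevity.

```python
# Sample certificates are constructed for this example, in the dict shape
# that SSLSocket.getpeercert() and SSLContext.get_ca_certs() return.
def _name(org, cn):
    return ((("organizationName", org),), (("commonName", cn),))

ROOT = {"subject": _name("Symantec Corporation", "Constructed Symantec Root"),
        "issuer": _name("Symantec Corporation", "Constructed Symantec Root")}
INTERMEDIATE = {"subject": _name("Example Brand Inc.", "Example Brand SSL CA"),
                "issuer": ROOT["subject"]}
LEAF = {"subject": _name("Example Corp", "www.example.test"),
        "issuer": INTERMEDIATE["subject"]}


def name_of(rdns):
    """Flatten the tuple-of-RDNs name form into a plain dict."""
    return dict(attr for rdn in rdns for attr in rdn)


def build_chain(leaf, sent_intermediates, trust_store):
    """Order leaf -> intermediates -> root by matching issuer to subject.

    Matching is by name only (a simplification assumed here); real path
    building also verifies signatures and key identifiers.
    """
    by_subject = {}
    for cert in list(sent_intermediates) + list(trust_store):
        by_subject.setdefault(cert["subject"], cert)
    chain = [leaf]
    while chain[-1]["issuer"] != chain[-1]["subject"]:  # self-signed root ends it
        parent = by_subject.get(chain[-1]["issuer"])
        if parent is None or parent in chain:  # issuer unknown, or a loop
            break
        chain.append(parent)
    return chain


def issued_under(chain, needle="symantec"):
    """True if any issuer name in the chain contains needle (case-insensitive)."""
    needle = needle.lower()
    return any(needle in value.lower()
               for cert in chain
               for value in name_of(cert["issuer"]).values())


if __name__ == "__main__":
    full = build_chain(LEAF, [INTERMEDIATE], trust_store=[ROOT])
    print([name_of(c["subject"])["commonName"] for c in full])
    print("leaf only:", issued_under([LEAF]))
    print("full chain:", issued_under(full))
```

On a live connection the leaf would be the dict from `s.getpeercert()` and the trust store the list from `ctx.get_ca_certs()`, which uses the same dict shape; the intermediates are not exposed by `getpeercert()` and have to be obtained separately.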