cryptography证书相关操作

cryptography是Python一个密码学相关包，基于OpenSSL，可以对常用X509证书、私钥、公钥等进行处理，提取信息、签名、验证签名、加密、解密等。
安装方法如下

pip3 install cryptography

证书相关使用方法如下

from cryptography import x509
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
from cryptography.x509 import (DNSName, IPAddress)
from cryptography.x509.oid import ExtensionOID, NameOID

cert_bytes = b'''-----BEGIN CERTIFICATE-----
MIICmzCCAkCgAwIBAgIDBPBxMAoGCCqGSM49BAMCMHsxCzAJBgNVBAYTAmNuMRAw
DgYDVQQIEwdiZWlqaW5nMRAwDgYDVQQHEwdiZWlqaW5nMRMwEQYDVQQKEwpUZXN0
Q01vcmcxMRIwEAYDVQQLEwlyb290LWNlcnQxHzAdBgNVBAMMFmNhLuekuuS+i+a1
i+ivlee7hOe7hzEwHhcNMjMwMTEzMTAzMzE3WhcNMzIwMTExMTAzMzE3WjCBhDEL
MAkGA1UEBhMCY24xEDAOBgNVBAgTB2JlaWppbmcxEDAOBgNVBAcTB2JlaWppbmcx
EzARBgNVBAoTClRlc3RDTW9yZzExDjAMBgNVBAsTBWFkbWluMSwwKgYDVQQDDCPn
pLrkvovmtYvor5XnlKjmiLcxLnNpZ24uVGVzdENNb3JnMTBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABOgUND6Hi/Sk5NxWZSYYrm4+CuwMzKEdG2pbySdkFqv8KXPO
6HcrmJqs63YJ9RVX2y4kGDwz0d0w+Pic5vIWOsujgagwgaUwDgYDVR0PAQH/BAQD
AgGmMA8GA1UdJQQIMAYGBFUdJQAwKQYDVR0OBCIEIFM1ET3HKfgbcQscGNWPIFZI
bej+SY6sCuhWtCHoSj32MCsGA1UdIwQkMCKAIK/AH4T9T1bZonOO7+tzl1eLDO24
8wX1TQdeLBVOM0l/MCoGA1UdEQQjMCGCCWxvY2FsaG9zdIIOY2hhaW5tYWtlci5v
cmeHBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhAMl0MreFSbM5XfMUhPTbhYYPtyTC
TtQafx96xeykAHlaAiEA/6gveqPsooMn4lNPptsxwPtHxtF/BFNU1BWqyXKDS3w=
-----END CERTIFICATE-----
'''

cert = x509.load_pem_x509_certificate(cert_bytes)

print('生效时间:', cert.not_valid_before)
print('失效时间:', cert.not_valid_after)

# 证书主题信息
print('使用人名称:', cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value)
print('使用人国家名称:', cert.subject.get_attributes_for_oid(NameOID.COUNTRY_NAME)[0].value)
print('使用人位置名称:', cert.subject.get_attributes_for_oid(NameOID.LOCALITY_NAME)[0].value)
print('使用人组织名称:', cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)[0].value)
print('使用人组织单位名称:', cert.subject.get_attributes_for_oid(NameOID.ORGANIZATIONAL_UNIT_NAME)[0].value)

# 签发人
print('签发人名称:', cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value)
print('签发人组织名称:', cert.issuer.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)[0].value)
print('签发人组织单位名称:', cert.issuer.get_attributes_for_oid(NameOID.ORGANIZATIONAL_UNIT_NAME)[0].value)

# 签名算法
print('签名算法名称:', cert.signature_algorithm_oid._name)
print('签名哈希算法名称:', cert.signature_hash_algorithm.name)
print('证书哈希(hex):', cert.fingerprint(cert.signature_hash_algorithm).hex())
print('证书密钥标识符SKI(hex):',
      cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_KEY_IDENTIFIER).value.key_identifier.hex())

# 生成公钥 (如果是RSA算法format选PublicFormat.PKCS1)
print('公钥PEM:', cert.public_key().public_bytes(Encoding.PEM, format=PublicFormat.SubjectPublicKeyInfo))

# 扩展项

print('使用者替代名称-允许的域名:', cert.extensions.
      get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value.get_values_for_type(DNSName))
print('使用者替代名称-允许的IP地址:', cert.extensions.
      get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value.get_values_for_type(IPAddress))

执行结果如下

生效时间: 2023-01-13 10:33:17
失效时间: 2032-01-11 10:33:17
使用人名称: 示例测试用户1.sign.TestCMorg1
使用人国家名称: cn
使用人位置名称: beijing
使用人组织名称: TestCMorg1
使用人组织单位名称: admin
签发人名称: ca.示例测试组织1
签发人组织名称: TestCMorg1
签发人组织单位名称: root-cert
签名算法名称: ecdsa-with-SHA256
签名哈希算法名称: sha256
证书哈希(hex): 8e78b776113cd16a862952a830b8fe809951bdbcaa03a8476b8dabd1d262871b
证书密钥标识符SKI(hex): 5335113dc729f81b710b1c18d58f2056486de8fe498eac0ae856b421e84a3df6
公钥PEM: b'-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6BQ0PoeL9KTk3FZlJhiubj4K7AzM\noR0balvJJ2QWq/wpc87odyuYmqzrdgn1FVfbLiQYPDPR3TD4+Jzm8hY6yw==\n-----END PUBLIC KEY-----\n'
使用者替代名称-允许的域名: ['localhost', 'chainmaker.org']
使用者替代名称-允许的IP地址: [IPv4Address('127.0.0.1')]