c#获取ssl证书有效性_SSL证书：证书有效期及证书链获取

灰太狼 2023-01-10 05:06 334阅读 0赞

importdatetimeimportsocketimportjsonimportrefrom OpenSSL importSSLimportlogging"""pip install pyOpenSSL"""

defchoice2dict(choices):""":param choices: \[('a', '1'), ('b', '2'),\]

:return:"""trans=dict()for key, value inchoices:ifisinstance(key, bytes):

key=key.decode()ifisinstance(value, bytes):

value=value.decode()

trans\[str(key)\]=valuereturntrans\#该类可以实现基本功能, 但优化空间非常大

classSSLCertificateAnalyzer(object):def \_\_init\_\_(self, host: str, port: int, domain: str, purpose='extranet'):

self.\_result=\{\}

self.host=host

self.port=port

self.domain=domain

self.purpose=purpose

self.sock=Nonedefget\_result(self):returnself.\_resultdefdoing(self):try:

context=SSL.Context(SSL.SSLv23\_METHOD)

s=socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

s.settimeout(15)

self.sock= SSL.Connection(context=context, socket=s)

self.sock.connect((self.host, self.port))

self.sock.setblocking(1)

self.sock.do\_handshake()

self.construct\_result()exceptException as e:

logging.error(e)

self.\_result=\{'issuer\_cn': '', 'cert\_type': '', 'due\_date': '', 'serial\_number': '', 'subject\_cn': '','has\_expired': '', 'extension\_subject\_dns': '', 'cn\_matched': '', 'cert\_chain': '','check\_all': 'Connect to the server failed'\}defconstruct\_result(self):

x509=self.sock.get\_peer\_certificate()

result=self.analysis\_certificate\_x509(x509)

cert\_chain\_json=self.get\_peer\_cert\_chain()

self.\_result.update(result)

self.\_result\['cert\_chain'\] =cert\_chain\_jsonif self.\_result\['has\_expired'\] == 'Yes':

self.\_result\['check\_all'\] = 'Expired'

else:

self.\_result\['check\_all'\] = 'Good'

if not self.\_result\['cert\_chain'\]:

self.\_result\['check\_all'\] += ', No certificate chain'

if self.\_result\['cn\_matched'\] == 'No':

self.\_result\['check\_all'\] += ', CN not matched'

if self.\_result\['cert\_type'\] == 'self-signed' and self.purpose == 'extranet':

self.\_result\['check\_all'\] += ', self-signed'

defget\_peer\_cert\_chain(self):

cert\_chain=self.sock.get\_peer\_cert\_chain()

cert\_chain\_result=list()for x509 incert\_chain:

result=self.analysis\_certificate\_x509(x509)

cert\_chain\_result.append(result)return json.dumps(cert\_chain\_result) if cert\_chain\_result else ''

defget\_cn\_matched(self, flag, subject\_cn):ifsubject\_cn:

\_convert= re.sub(r'\\\*\\.', '.\*?\[.\]', subject\_cn)

pattern= '(' + \_convert + ')(.\*)'

ifre.search(pattern, self.domain, re.I):

flag= 'Yes'

returnflagdefanalysis\_certificate\_x509(self, x509):

cn\_matched= 'No'result=\{'issuer\_cn': '', 'cert\_type': '', 'due\_date': '', 'serial\_number': 'serial\_number','subject\_cn': '', 'has\_expired': 'No', 'extension\_subject\_dns': '', 'cn\_matched': cn\_matched

\}try:

issuer=choice2dict(x509.get\_issuer().get\_components())

issuer\_cn= issuer\['CN'\] if 'CN' in issuer else ''

if 'lenovo' in issuer\_cn.lower() or 'local' inissuer\_cn.lower():

cert\_type= 'self-signed'

else:

cert\_type= 'commercial'result\['issuer\_cn'\] =issuer\_cn

result\['cert\_type'\] =cert\_typeexceptException as e:

logging.warning(e)try:

subject=choice2dict(x509.get\_subject().get\_components())

result\['subject\_cn'\] = subject\['CN'\] if 'CN' in subject else ''cn\_matched= self.get\_cn\_matched(cn\_matched, result\['subject\_cn'\])exceptException as e:

logging.warning(e)try:

not\_after=x509.get\_notAfter()\#due\_date = datetime.datetime.strptime(not\_after\[:14\], '%Y%m%d%H%M%S')

due\_date =datetime.datetime(

year=int(not\_after\[0:4\]), month=int(not\_after\[4:6\]), day=int(not\_after\[6:8\]),

hour=int(not\_after\[8:10\]), minute=int(not\_after\[10:12\]), second=int(not\_after\[10:12\])

)ifisinstance(due\_date, datetime.datetime):

result\['due\_date'\] = due\_date.strftime('%Y-%m-%d %H:%M:%S')ifisinstance(due\_date, datetime.date):

result\['due\_date'\] = due\_date.strftime('%Y-%m-%d %H:%M:%S')exceptException as e:passresult\['cn\_matched'\] = 'No'result\['has\_expired'\] = 'Yes'result\['serial\_number'\] = ''

try:

x509\_extension=x509.get\_extension(0)

x509\_extension\_short\_name=x509\_extension.get\_short\_name()if x509\_extension\_short\_name == 'subjectAltName':try:

x509\_extension\_subject\_alt\_name=x509\_extension.\_subjectAltNameString()if ':' inx509\_extension\_subject\_alt\_name:

extension\_subject\_dns= x509\_extension\_subject\_alt\_name.split(':')\[1\].strip()

result\['extension\_subject\_dns'\] =extension\_subject\_dns

cn\_matched=self.get\_cn\_matched(cn\_matched, extension\_subject\_dns)exceptException as e:

logging.warning(e)

result\['serial\_number'\] =str(x509.get\_serial\_number())

result\['has\_expired'\] = 'Yes' if x509.has\_expired() else 'No'result\['cn\_matched'\] =cn\_matchedexceptException as e:

logging.error(e)returnresultif \_\_name\_\_ == '\_\_main\_\_':

sca= SSLCertificateAnalyzer(host='118.112.225.33', port=443, domain='baidu.com', purpose='extranet')