python - 基于 python 证书的身份验证中的 REST 请求，在 SOAPUI 中工作

Question

我正在对 https api 服务器执行 REST 请求，它使用以下配置在 soapui 中工作，


我已在 SSL 设置 > keystore 中添加了证书


self-signed-keystore.jks 具有在服务器上受信任的 key 对，并且正在检查每个请求。如果证书有效，服务器将返回一个 json

使用此代码在 python 中尝试了此操作，但它不起作用我在 SSL 上遇到错误

requests.exceptions.SSLError: HTTPSConnectionPool(host='xlocal', port=8014): Max retries exceeded with url: //api/path/here (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

#!/usr/bin/env python3
import sys
import requests

API_ENDPOINT = "https://xlocal:8xxx/api/test/list"

#pem keys are exported from the jks using keytool explorer or 
#openssl pkcs12 -in soapui-keystore.p12  -nokeys -out soapuicert.pem
#openssl pkcs12 -in soapui-keystore.p12  -nodes -nocerts -out soapuikey.pem
NEW_CERT = r"C:\Users\myuser\self-signed-exported.cert.pem"
NEW_KEY = r"C:\Users\myuser\self-signed-exported.key.pem"

def main(argv):

    get = requests.get(API_ENDPOINT, cert=(NEW_CERT, NEW_KEY))
    get2 = requests.get(API_ENDPOINT, verify=NEW_CERT)

    print(get)
    print(get2)

if __name__ == "__main__":
    main(sys.argv[1:])

它使用下面的代码在 Java 上工作。

public void getforObject() {
        restTemplate = new RestTemplate();
        try (FileInputStream fis = new FileInputStream(Project.keystorePath)) {
            KeyStore keyStore = SSL.getKeyStore(fis, Project.keystorePassword);
            SSLSocketFactory sslSocketFactory = SSL.getSSLSocketFactory(keyStore, Project.keystorePassword, trustAllCerts);
            SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslSocketFactory, (hostname, session) -> true);
            CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConnectionSocketFactory).build();
            HttpComponentsClientHttpRequestFactory httpRequestFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
            restTemplate.setRequestFactory(httpRequestFactory);

            String forObject = restTemplate.getForObject(LIST_URL, String.class);

        } catch (Exception e) {
            //SystemLogger.error("Error configuring ssl", e);
            throw new RuntimeException("Error: unable to configure ssl.", e);
        }
}

public class DummyX509TrustManager implements X509TrustManager {
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
        @Override
        public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString)
                throws CertificateException {
        }
        @Override
        public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString)
                throws CertificateException {
        }
}

似乎是什么问题？在python中有没有更好的方法来做到这一点？

Answer 1

我能够通过在请求中添加 pem 文件来解决这个问题。您需要使用以下命令从 p12 文件创建一个 pem 文件。
openssl pkcs12 -in soapui-keystore.p12 -out self-signed-exported.pem
代码片段:

NEW_CERT = r"C:\Users\myuser\self-signed-exported.cert.pem"
NEW_KEY = r"C:\Users\myuser\self-signed-exported.key.pem"
PEM_FILE=r"C:\Users\myuser\self-signed-exported.pem"
get = requests.get(API_ENDPOINT, verify=PEM_FILE, cert=(NEW_CERT, NEW_KEY))