Website authentication using smart cards' certificate and public key
So I have a smart card with a chip that looks like a credit card. This card logs in to a website after the card is inserted into the card reader.

Now I have to write a program in Python which can read the card and log in to that website. After research on the internet I found out that I need to extract:

from the card and then use these 2 things to create an HTTPS connection (example here). So far I am able to extract the certificate in PEM format. But I can't find a way to extract the key in PEM format till now. I used PyKCS11 to read the card. Below is my code:
from asn1crypto import pem, x509
from PyKCS11 import *
import binascii
pkcs11 = PyKCS11Lib()
pkcs11.load(r'C:\Windows\System32\XXXX.dll')
print(pkcs11.getSlotList(tokenPresent=False))
slot = pkcs11.getSlotList(tokenPresent=False)[0]
print(pkcs11.getTokenInfo(slot))
# open the session on the slot selected above rather than a hard-coded 0
session = pkcs11.openSession(slot, CKF_SERIAL_SESSION | CKF_RW_SESSION)
session.login('123456')
result = []
result_pem = []
# find public key and print modulus
pubKey = session.findObjects([(CKA_CLASS, CKO_PUBLIC_KEY)])[0]
modulus = session.getAttributeValue(pubKey, [CKA_MODULUS])[0]
print("\nmodulus: {}".format(binascii.hexlify(bytearray(modulus))))
# find certificates
certs = session.findObjects([(CKA_CLASS, CKO_CERTIFICATE)])
for cert_obj in certs:
    cka_value, cka_id = session.getAttributeValue(cert_obj, [CKA_VALUE, CKA_ID])
    cert_der = bytes(cka_value)
    cert = x509.Certificate.load(cert_der)
    # Write out a PEM encoded value
    cert_pem = pem.armor('CERTIFICATE', cert_der)
    result.append(cert)
    result_pem.append(cert_pem)
    # each certificate overwrites cert.pem, so the file holds the last one found
    with open('cert.pem', 'wb') as f:
        f.write(cert_pem)
print(result)
So here are my questions:

1. Is my approach right?
2. If yes, then how to extract public key in pem format?
3. How this smart card authentication actually works on client side and server side?

If you already have exported the certificate, it is probably easier to extract the public key from there, instead of from the smartcard. You can use openssl for that:

openssl x509 -in cert.pem -pubkey -out pubkey.pem -noout

What you are trying to achieve is to open a TLS connection with mutual authentication using a client certificate. If you do this, the private key of your client certificate signs parts of the handshake to authenticate itself towards the server.

Extracting the certificate and the public key from the smartcard won't help you here. You need to find a library which allows you to use your private key straight from your PKCS#11 token.
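
The proof of possession described in the answer above, as an added example (not code from the original posts): a stand-in token signs fresh handshake data with RSA PKCS#1 v1.5 and the server verifies it using only the public key from the certificate, so a client holding just `cert.pem` and `pubkey.pem` cannot authenticate. The toy key and the names `StandInToken`, `server_verify`, `handshake` and `replay_without_key` are assumptions for illustration; real TLS signs a hash of the handshake messages with the negotiated scheme.

```python
import hashlib
import secrets

# Constructed toy RSA key built from two Mersenne primes: far too weak for real use.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
K = (N.bit_length() + 7) // 8  # modulus length in bytes
# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(message: bytes) -> int:
    """Encode message as 00 01 FF..FF 00 || DigestInfo and return it as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


class StandInToken:
    """Plays the smart card: keeps d private and exposes only a sign operation.
    On a real card the equivalent PyKCS11 call would be
    session.sign(private_key_handle, data, Mechanism(CKM_SHA256_RSA_PKCS))."""

    def __init__(self):
        self._d = pow(E, -1, (P - 1) * (Q - 1))

    def sign(self, data: bytes) -> bytes:
        return pow(emsa_pkcs1_v15(data), self._d, N).to_bytes(K, "big")


def server_verify(transcript: bytes, signature: bytes) -> bool:
    """Server side: needs only the public key (N, E) taken from the client certificate."""
    s = int.from_bytes(signature, "big")
    return len(signature) == K and s < N and pow(s, E, N) == emsa_pkcs1_v15(transcript)


def handshake(signer) -> bool:
    """The data to sign is fresh for every connection, so old signatures are useless."""
    transcript = secrets.token_bytes(32)  # stand-in for the TLS handshake transcript
    return server_verify(transcript, signer(transcript))


# Constructed sample: a signature captured from an earlier session.
OLD_SIGNATURE = StandInToken().sign(b"transcript of an earlier session")


def replay_without_key(transcript: bytes) -> bytes:
    """A client with only the certificate and public key can at best replay old data."""
    return OLD_SIGNATURE
```

`handshake(StandInToken().sign)` succeeds while `handshake(replay_without_key)` fails, which is why the TLS library has to call into the PKCS#11 token for the signature rather than read key files.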