我在使用 M2Crypto-0.20.2。希望使用 OpenSC 项目的 engine_pkcs11 和 Aladdin PKI 客户端进行基于令牌的身份验证,以通过 ssl 进行 xmlrpc 调用。
from M2Crypto import Engine
Engine.load_dynamic()
dynamic = Engine.Engine('dynamic')
# 从 OpenSC 项目加载 engine_pkcs
dynamic.ctrl_cmd_string("SO_PATH", "/usr/local/ssl/lib/engines/engine_pkcs11.so")
Engine.cleanup()
Engine.load_dynamic()
# 加载 Aladdin PKI 客户端
aladdin = Engine.Engine('dynamic')
aladdin.ctrl_cmd_string("SO_PATH", "/usr/lib/libeTPkcs11.so")
key = aladdin.load_private_key("PIN","password")
运行后,遇到了以下错误:
key = pkcs.load_private_key("PIN","eT0ken")
File "/usr/local/lib/python2.4/site-packages/M2Crypto/Engine.py", line 70, in load_private_key
return self._engine_load_key(m2.engine_load_private_key, name, pin)
File "/usr/local/lib/python2.4/site-packages/M2Crypto/Engine.py", line 60, in _engine_load_key
raise EngineError(Err.get_error())
M2Crypto.Engine.EngineError: 23730:error:26096075:engine routines:ENGINE_load_private_key:not initialised:eng_pkey.c:112:
对于 load_private_key(),应将什么作为第一个参数传递?M2Crypto 文档没有解释。
我没有在加载引擎时收到任何错误,但我不确定是否正确加载了它们。看起来引擎 ID 必须是特定名称,但在任何地方都找不到该列表。'dynamic'
对我有效。
希望得到帮助!
2、解决方案
方案一:
在 Engine.py 中添加以下方法:
def engine_initz(self):
"""Return engine name"""
return m2.engine_initz(self._ptr)
并在 SWIG/_engine.i 中添加以下内容:
%rename(engine_initz) ENGINE_init;
extern int ENGINE_init(ENGINE *);
然后重新编译 __m2crypto.so,在加载私钥之前添加 “pkcs11.engine_initz()”,即可解决问题。
方案二:
在新的 API 中,可以使用以下代码:
from M2Crypto import Engine, m2
dynamic = Engine.load_dynamic_engine("pkcs11", "/Users/martin/prefix/lib/engines/engine_pkcs11.so")
pkcs11 = Engine.Engine("pkcs11")
pkcs11.ctrl_cmd_string("MODULE_PATH", "/Library/OpenSC/lib/opensc-pkcs11.so")
r = pkcs11.ctrl_cmd_string("PIN", sys.argv[1])
key = pkcs11.load_private_key("id_01")
将 “/Users/martin/prefix/lib/engines/engine_pkcs11.so” 替换为 “/usr/local/ssl/lib/engines/engine_pkcs11.so”,将 “/Library/OpenSC/lib/opensc-pkcs11.so” 替换为 “/usr/lib/libeTPkcs11.so”,即可使用 Aladdin。
方案三:
在 M2Crypto 中添加以下代码:
Index: SWIG/_engine.i
===================================================================
--- SWIG/_engine.i (revision 719)
+++ SWIG/_engine.i (working copy)
@@ -44,6 +44,9 @@
%rename(engine_free) ENGINE_free;
extern int ENGINE_free(ENGINE *);
+%rename(engine_init2) ENGINE_init;
+extern int ENGINE_init(ENGINE *);
+
/*
* Engine id/name functions
*/
然后使用以下代码:
import sys, os, time, cgi, urllib, urlparse
from M2Crypto import m2urllib2 as urllib2
from M2Crypto import m2, SSL, Engine
# 加载动态引擎
e = Engine.load_dynamic_engine("pkcs11", "/Users/martin/prefix/lib/engines/engine_pkcs11.so")
pk = Engine.Engine("pkcs11")
pk.ctrl_cmd_string("MODULE_PATH", "/Library/OpenSC/lib/opensc-pkcs11.so")
m2.engine_init2(m2.engine_by_id("pkcs11")) # 这解决了问题
cert = e.load_certificate("slot_01-id_01")
key = e.load_private_key("slot_01-id_01", sys.argv[1])
ctx = SSL.Context("sslv23")
ctx.set_cipher_list("HIGH:!aNULL:!eNULL:@STRENGTH")
ctx.set_session_id_ctx("foobar")
m2.ssl_ctx_use_x509(ctx.ctx, cert.x509)
m2.ssl_ctx_use_pkey_privkey(ctx.ctx, key.pkey)
opener = urllib2.build_opener(ctx)
urllib2.install_opener(opener)
即可解决问题。