Verifying a certificate chain with Python's cryptography.x509 library
Published: 2023-12-26 11:33:24
Python's cryptography.x509 library makes it convenient to verify a certificate chain. Below is a simple example showing how to use the library to do so.
First, import the required modules:
```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID
```
Next, we write a small function that generates a self-signed certificate with a private key and saves it to a file:
```python
def generate_self_signed_cert():
    private_key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=2048
    )
    public_key = private_key.public_key()
    # Self-signed: the same name is used as subject and as issuer.
    name = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"California"),
        x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
        x509.NameAttribute(NameOID.COMMON_NAME, u"example.com"),
    ])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .public_key(public_key)
    )
    # Sign the certificate with its own private key (self-signed).
    cert = builder.sign(private_key, hashes.SHA256(), default_backend())
    pem_data = cert.public_bytes(Encoding.PEM)
    with open('self_signed_cert.pem', 'wb') as f:
        f.write(pem_data)
    return cert
```
Then we write a function that verifies the certificate chain. It reads every certificate in the chain, looks up and verifies the issuer certificate of each one, and finally returns the verification result:
```python
def verify_certificate_chain(cert_path):
    # Load every PEM certificate in the file (leaf first, then its issuers)
    # and index them by subject so each certificate's issuer can be looked up.
    with open(cert_path, 'rb') as f:
        chain = x509.load_pem_x509_certificates(f.read())
    by_subject = {c.subject: c for c in chain}
    cert = chain[0]
    while True:
        issuer_cert = by_subject.get(cert.issuer)
        if issuer_cert is None:
            print("No issuer found for certificate with serial number {}.".format(cert.serial_number))
            return False
        # Check this certificate's signature with the issuer's public key.
        verifier = issuer_cert.public_key()
        try:
            verifier.verify(cert.signature, cert.tbs_certificate_bytes,
                            padding.PKCS1v15(), cert.signature_hash_algorithm)
            print("Certificate with serial number {} is valid.".format(cert.serial_number))
        except InvalidSignature:
            print("Certificate with serial number {} is not valid.".format(cert.serial_number))
            return False
        if cert.issuer == cert.subject:  # reached a self-signed certificate: end of chain
            return True
        cert = issuer_cert
```
Finally, we use the generated self-signed certificate and the verification function to verify the chain:
```python
cert = generate_self_signed_cert()
valid = verify_certificate_chain('self_signed_cert.pem')
if valid:
    print("Certificate chain is valid.")
else:
    print("Certificate chain is not valid.")
```
This example shows how to verify a certificate chain with Python's cryptography.x509 library. We first generate a self-signed certificate and then use the verification function to check the chain's validity. If the chain is valid, "Certificate chain is valid." is printed; otherwise "Certificate chain is not valid." is printed.
Note that this is only a demonstration; real-world certificate chain verification can be considerably more complex and may involve more certificates and more validation rules. The functionality provided by the cryptography.x509 library makes these straightforward to implement.
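The walk above only checks that each signature verifies against the next certificate found by name: it never anchors the chain in a trust store, never checks validity periods, and accepts any certificate as an issuer. The following is an added example (not code from the original post) that builds a constructed two-level chain in memory and walks it with those checks added; `make_cert`, `verify_chain`, `demo` and the names "Test Root" and "example.com" are all invented for this example, and the signature check assumes RSA with PKCS#1 v1.5 as in the post.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def make_cert(subject_cn, issuer_cn, issuer_key=None, is_ca=False, days=365):
    """Constructed test PKI: issue a cert for subject_cn; self-signed when issuer_key is None."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return cert, key

def verify_chain(cert, untrusted, trusted_roots, now=None):
    """Walk cert -> issuer -> ...; True only when a trusted root signs the final link."""
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    by_subject = {c.subject: c for c in list(untrusted) + list(trusted_roots)}
    for _ in range(len(by_subject) + 1):  # bounded walk: a name cycle cannot loop forever
        if not (cert.not_valid_before <= now <= cert.not_valid_after):
            return False  # expired or not yet valid
        issuer = by_subject.get(cert.issuer)
        if issuer is None:
            return False  # issuer unknown: the chain is not anchored anywhere
        try:
            if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
                return False  # an end-entity certificate must not act as an issuer
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        except (x509.ExtensionNotFound, InvalidSignature):
            return False  # no BasicConstraints, or the signature does not verify
        if issuer in trusted_roots:  # anchored in the trust store, not merely name-matched
            return True
        cert = issuer
    return False

def demo():
    root, root_key = make_cert("Test Root", "Test Root", is_ca=True)
    leaf, _ = make_cert("example.com", "Test Root", root_key)
    rogue, _ = make_cert("Test Root", "Test Root", is_ca=True)  # same name, different key
    return {"good": verify_chain(leaf, [], [root]),
            "wrong_key_same_name": verify_chain(leaf, [], [rogue]),
            "expired": verify_chain(leaf, [], [root], now=datetime.datetime(2099, 1, 1)),
            "self_signed_untrusted": verify_chain(root, [], [])}
```

Note that the "rogue" case fails even though the issuer name matches exactly, and that a lone self-signed certificate is rejected unless it is itself in the trust store, which is the case the post's loop silently accepts.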
