I have a certificate in Azure Key Vault and I want to extract the private key from it.
According to the Microsoft documentation https://learn.microsoft.com/en-us/azure/key-vault/certificates/about-certificates#composition-of-a-certificate:
    When a Key Vault certificate is created, an addressable key and secret are also created with the same name. The Key Vault key allows key operations and the Key Vault secret allows retrieval of the certificate value as a secret.
However, I have not managed to extract the private key from it. Here is an example of some Python code I tried:
    from cryptography import x509
    from cryptography.hazmat.backends import default_backend

    # get_secret is the poster's own helper that reads the secret value from Key Vault
    pem_data = get_secret('https://keyvault.azure.net/', 'x509-cert')
    # wrap the secret value in PEM certificate markers and parse it as a certificate
    pem_data = '-----BEGIN CERTIFICATE----- ' + pem_data + ' -----END CERTIFICATE-----'
    pem_data = pem_data.encode()
    key = x509.load_pem_x509_certificate(pem_data, backend=default_backend())
    private_key = key.private_key()
However, this fails with an error saying the certificate could not be loaded.
There is now a sample https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/keyvault/azure-keyvault-certificates/samples/parse_certificate.py for azure-keyvault-certificates that shows how to get the private key from a certificate using pyOpenSSL https://pypi.org/project/pyOpenSSL/:
    import base64
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    from cryptography.hazmat.primitives.serialization import pkcs12

    vault_url = "https://{vault-name}.vault.azure.net"
    cert_name = "certificate name"

    credential = DefaultAzureCredential()
    secret_client = SecretClient(vault_url=vault_url, credential=credential)
    certificate_secret = secret_client.get_secret(name=cert_name)

    # Now we can extract the private key and public certificate from the secret using the cryptography
    # package.
    # This example shows how to parse a certificate in PKCS12 format since it's the default in Key Vault,
    # but PEM certificates are supported as well. With a PEM certificate, you could use load_pem_private_key
    # in place of load_key_and_certificates.
    cert_bytes = base64.b64decode(certificate_secret.value)
    private_key, public_certificate, additional_certificates = pkcs12.load_key_and_certificates(
        data=cert_bytes,
        password=None
    )
The new Azure SDK packages for Key Vault (replacing azure-keyvault) can be found here:
- azure-keyvault-certificates https://pypi.org/project/azure-keyvault-certificates/ (migration guide: https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/keyvault/azure-keyvault-certificates/migration_guide.md)
- azure-keyvault-keys https://pypi.org/project/azure-keyvault-keys/ (migration guide: https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/keyvault/azure-keyvault-keys/migration_guide.md)
- azure-keyvault-secrets https://pypi.org/project/azure-keyvault-secrets/ (migration guide: https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/keyvault/azure-keyvault-secrets/migration_guide.md)
(I work on the Azure SDK for Python)
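As an added example (not part of the question, the answer, or the Azure SDK sample), the parsing step above generalized to both secret formats Key Vault can return: it dispatches on the secret's content type, decodes the base64 PKCS#12 blob in the default case, and pulls the key and certificate out of the combined PEM text otherwise. `make_test_secrets` is a constructed stand-in for the Key Vault call, built from a throwaway self-signed certificate so the example runs offline; the content-type strings are the ones Key Vault reports for its certificate secrets.

```python
import base64
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

# Content types Key Vault reports on the secret that backs a certificate.
PKCS12_TYPE = "application/x-pkcs12"   # default: base64 text of a PKCS#12 blob
PEM_TYPE = "application/x-pem-file"    # PEM text holding private key + certificate


def load_key_and_cert(secret_value, content_type):
    """Return (private_key, certificate) from a Key Vault certificate secret.
    The PKCS#12 value is base64 of a binary container, not a PEM certificate,
    which is why wrapping it in BEGIN/END CERTIFICATE markers fails to load."""
    if content_type == PKCS12_TYPE:
        # Key Vault exports the PKCS#12 without a password.
        key, cert, _chain = pkcs12.load_key_and_certificates(
            base64.b64decode(secret_value), password=None)
        return key, cert
    if content_type == PEM_TYPE:
        data = secret_value.encode()
        # Each loader picks its own block out of the combined PEM text.
        key = serialization.load_pem_private_key(data, password=None)
        cert = x509.load_pem_x509_certificate(data)
        return key, cert
    raise ValueError(f"unexpected secret content type: {content_type!r}")


def make_test_secrets():
    """Constructed stand-in for the Key Vault call: a throwaway self-signed cert."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .sign(key, hashes.SHA256()))
    # Same two encodings Key Vault uses: unencrypted PKCS#12 (base64) and PEM.
    p12 = pkcs12.serialize_key_and_certificates(
        b"kv", key, cert, None, serialization.NoEncryption())
    pem = key.private_bytes(serialization.Encoding.PEM,
                            serialization.PrivateFormat.PKCS8,
                            serialization.NoEncryption())
    pem += cert.public_bytes(serialization.Encoding.PEM)
    return cert, base64.b64encode(p12).decode(), pem.decode()
```

Whichever format the vault returns, the secret value contains the full private key, so it should be handled with the same care as any other key material.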