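def start_consumer(username='guest', password='guest@password',
                   keystore_password='rabbit', p12_password='rabbit',
                   host='xx.xx.xx.xx', port=5671):
    """Assemble a TLS ``amqps://`` URL from the JKS/PKCS#12 stores and run the consumer.

    The server certificate is read from the JKS keystore (pyjks) and the client
    private key plus certificate chain from the PKCS#12 file (pyOpenSSL). Both are
    re-written as PEM files in the current working directory, because the
    ``ssl_options`` query parameter understood by pika's ``URLParameters`` takes
    file paths. The URL is then handed to ``ReconnectingMQConsumer`` (defined
    elsewhere in the project) and this call blocks in ``consumer.run()``.

    The parameter defaults mirror the values that used to be hard-coded here;
    callers should supply real credentials from configuration instead of
    relying on them.

    Args:
        username: AMQP user name placed in the URL.
        password: Raw AMQP password; special characters are percent-quoted here.
        keystore_password: Password of the JKS keystore ``rabbitStore``.
        p12_password: Password of the PKCS#12 file ``client_key.p12``.
        host: Broker host name or address.
        port: Broker TLS port.

    Side effects:
        Writes ``key.pem``, ``cert.pem``, ``cacert.pem`` and ``pk.pem`` into the
        current working directory. ``pk.pem`` holds the client private key and is
        created with owner-only permissions (0600) where the OS honours them.

    Raises:
        KeyError: if the keystore has no ``rabbit-server`` entry.
        Whatever pyjks / pyOpenSSL raise on a missing file or wrong password.
    """
    import os
    import jks  # pip install pyjks
    from OpenSSL import crypto  # pip install pyopenssl
    # quote() for special characters in the password, urlencode() for the query string
    from urllib import quote, urlencode

    p12_path = r'certificate\keystore\client\client_key.p12'
    keystore_path = r'certificate\keystore\rabbitStore'

    def _write_pem(path, data, private=False):
        """Write *data* to *path*; ``private=True`` restricts the file to its owner."""
        if private:
            # Create with 0600 so the private key is never world-readable, even
            # briefly; O_BINARY matters on Windows (the store paths use backslashes).
            flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, 'O_BINARY', 0)
            fd = os.open(path, flags, 0o600)
            with os.fdopen(fd, 'wb') as handle:
                handle.write(data)
            # O_CREAT's mode does not apply to a pre-existing file; tighten it too.
            os.chmod(path, 0o600)
        else:
            with open(path, 'wb') as handle:
                handle.write(data)

    # --- server certificate from the JKS keystore -----------------------------
    keystore = jks.KeyStore.load(keystore_path, keystore_password)
    server_cert_der = keystore.certs['rabbit-server'].cert
    server_cert = crypto.load_certificate(crypto.FILETYPE_ASN1, server_cert_der)
    # Kept for compatibility: the original wrote this file as well. Note that it is
    # a certificate (not a key) and is not referenced by ssl_options below, where
    # trust is anchored on cacert.pem.
    _write_pem('key.pem', crypto.dump_certificate(crypto.FILETYPE_PEM, server_cert))

    # --- client key and certificate chain from the PKCS#12 file ---------------
    # The bundle carries one private key and the client cert plus its CA certs.
    with open(p12_path, 'rb') as p12_file:
        p12 = crypto.load_pkcs12(p12_file.read(), p12_password)
    _write_pem('cert.pem',
               crypto.dump_certificate(crypto.FILETYPE_PEM, p12.get_certificate()))
    # get_ca_certificates() returns None when the bundle has no CA certs; write
    # every CA cert present instead of assuming exactly two.
    ca_chain_pem = b''.join(
        crypto.dump_certificate(crypto.FILETYPE_PEM, ca_cert)
        for ca_cert in (p12.get_ca_certificates() or ()))
    _write_pem('cacert.pem', ca_chain_pem)
    _write_pem('pk.pem',
               crypto.dump_privatekey(crypto.FILETYPE_PEM, p12.get_privatekey()),
               private=True)

    # Keys pika accepts here: ca_certs/cert_reqs/certfile/keyfile/ssl_version/password.
    # NOTE(review): cert_reqs is not set. If this pika version forwards the dict to
    # ssl.wrap_socket, the default is CERT_NONE and the server certificate is not
    # checked against cacert.pem — confirm, and add cert_reqs if verification is
    # required.
    ssl_options = urlencode({'ssl_options': {'ca_certs': 'cacert.pem',
                                             'certfile': 'cert.pem',
                                             'keyfile': 'pk.pem'}})
    amqp_url = 'amqps://{0}:{1}@{2}:{3}?heartbeat=30&{4}'.format(
        username, quote(password), host, port, ssl_options)

    # Asynchronous (SelectConnection-based) consumer; see
    # https://blog.csdn.net/baidu_30809315/article/details/108716198
    consumer = ReconnectingMQConsumer(amqp_url)
    consumer.run()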
遇到的问题:
pip install pyjks
安装pyjks时其中一个依赖-twofish windows安装报错
原因:twofish包含c99 file
c99定义:a past version of the C programming language standard
linux似乎需要特定gcc才能够编译c99 file
windows需要安装MinGW
https://github.com/kurtbrose/pyjks/issues/32
python没有像java专门提供的密钥库KeyStore,pyjks是类似java keystore的一个module,
但是python有ssl
https://stackoverflow.com/questions/33790315/python-equivalent-of-javas-keystore
how to load a pkcs12 keystore using python
https://stackoverflow.com/questions/60837051/how-to-load-a-pkcs12-keystore-using-python
# p12 = crypto.load_pkcs12(open(client_key_path, 'rb').read(), 'rabbit')
# ctx = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_2_METHOD)
# ctx.use_privatekey(p12.get_privatekey())
# ctx.use_certificate(p12.get_certificate())
# ctx.add_client_ca(p12.get_ca_certificates())
使用pika.BlockingConnection在组装ConnectionParameters时可以尝试上面方式,但是我没有搞定,
因为BlockingConnection是pika同步连接,我们已经弃用了,目前使用的是SelectConnection异步连接
方式连mq server,同时使用URLParameters配置连接参数,异步连接在docs上说性能好一些。
pyjks使用
https://pyjks.readthedocs.io/en/latest/examples.html
https://pypi.org/project/pyjks/