
Mailing List Archive: Python: Python

urllib with x509 certs

 

 



Lacrima.Maxim at gmail

Jul 4, 2009, 1:12 AM

Post #1 of 8 (380 views)
Permalink
urllib with x509 certs

Hello!

I am trying to use urllib to fetch some internet resources, using my
client x509 certificate.
I have divided my .p12 file into mykey.key and mycert.cer files.
Then I use the following approach:
>>> import urllib
>>> url = 'https://example.com'
>>> xml = '''<request>
... <somexml>somexml</somexml>
... </request>'''
>>> opener = urllib.URLopener(key_file = 'mykey.key', cert_file = 'mycert.cer')
>>> f = opener.open(url, xml)

This works OK! But every time I am asked to enter the PEM pass phrase,
which I specified when dividing my .p12 file.
So my question... What should I do to make my code fetch any URL
automatically (without asking me every time to enter the pass phrase)?
As I understand, it is impossible to specify a pass phrase while
constructing URLopener.
So what should I do?

With regards, Max
(sorry if my English isn't very proper)
--
http://mail.python.org/mailman/listinfo/python-list


clp2 at rebertia

Jul 4, 2009, 1:24 AM

Post #2 of 8 (363 views)
Permalink
Re: urllib with x509 certs [In reply to]

On Sat, Jul 4, 2009 at 1:12 AM, Lacrima<Lacrima.Maxim[at]gmail.com> wrote:
> Hello!
>
> I am trying to use urllib to fetch some internet resources, using my
> client x509 certificate.
> I have divided my .p12 file into mykey.key and mycert.cer files.
> Then I use following approach:
> >>> import urllib
> >>> url = 'https://example.com'
> >>> xml = '''<request>
> ... <somexml>somexml</somexml>
> ... </request>'''
> >>> opener = urllib.URLopener(key_file = 'mykey.key', cert_file = 'mycert.cer')
> >>> f = opener.open(url, xml)
>
> This works Ok! But every time I am asked to enter PEM pass phrase,
> which I specified during dividing my .p12 file.
> So my question... What should I do to make my code fetch any url
> automatically (without asking me every time to enter pass phrase)?
> As I understand there is impossible to specify pass phrase while
> constructing URLopener.
> So what should I do?

Subclass FancyURLopener
[http://docs.python.org/library/urllib.html#urllib.FancyURLopener],
overriding the prompt_user_passwd() method
[http://docs.python.org/library/urllib.html#urllib.FancyURLopener.prompt_user_passwd].
Then use an instance of your subclass instead of URLopener.

Cheers,
Chris
--
http://blog.rebertia.com
--
http://mail.python.org/mailman/listinfo/python-list


martin at v

Jul 4, 2009, 2:38 AM

Post #3 of 8 (356 views)
Permalink
Re: urllib with x509 certs [In reply to]

> This works Ok! But every time I am asked to enter PEM pass phrase,
> which I specified during dividing my .p12 file.
> So my question... What should I do to make my code fetch any url
> automatically (without asking me every time to enter pass phrase)?
> As I understand there is impossible to specify pass phrase while
> constructing URLopener.
> So what should I do?

You can remove the passphrase on the private key, e.g. with the
openssl rsa utility.

Regards,
Martin
--
http://mail.python.org/mailman/listinfo/python-list


Lacrima.Maxim at gmail

Jul 4, 2009, 3:08 AM

Post #4 of 8 (358 views)
Permalink
Re: urllib with x509 certs [In reply to]

On Jul 4, 11:24 am, Chris Rebert <c...@rebertia.com> wrote:
> On Sat, Jul 4, 2009 at 1:12 AM, Lacrima<Lacrima.Ma...@gmail.com> wrote:
> > Hello!
>
> > I am trying to use urllib to fetch some internet resources, using my
> > client x509 certificate.
> > I have divided my .p12 file into mykey.key and mycert.cer files.
> > Then I use following approach:
> > >>> import urllib
> > >>> url = 'https://example.com'
> > >>> xml = '''<request>
> > ... <somexml>somexml</somexml>
> > ... </request>'''
> > >>> opener = urllib.URLopener(key_file = 'mykey.key', cert_file = 'mycert.cer')
> > >>> f = opener.open(url, xml)
>
> > This works Ok! But every time I am asked to enter PEM pass phrase,
> > which I specified during dividing my .p12 file.
> > So my question... What should I do to make my code fetch any url
> > automatically (without asking me every time to enter pass phrase)?
> > As I understand there is impossible to specify pass phrase while
> > constructing URLopener.
> > So what should I do?
>
> Subclass FancyURLopener
> [http://docs.python.org/library/urllib.html#urllib.FancyURLopener],
> overriding the prompt_user_passwd() method
> [http://docs.python.org/library/urllib.html#urllib.FancyURLopener.prom...].
> Then use an instance of your subclass instead of URLopener.
>
> Cheers,
> Chris
> --http://blog.rebertia.com

Hi Chris,
Thanks for your quick reply.
According to the docs, the return value of the prompt_user_passwd() method
should be a tuple (user, password), but there is no user when
authenticating with a certificate. So how should I use this method? This
doesn't work:
>>> import urllib
>>> class MyOpener(urllib.FancyURLopener):
...     def prompt_user_passwd(self, host, realm):
...         return ('password')
...


With regards, Max
--
http://mail.python.org/mailman/listinfo/python-list


Lacrima.Maxim at gmail

Jul 4, 2009, 3:14 AM

Post #5 of 8 (358 views)
Permalink
Re: urllib with x509 certs [In reply to]

On Jul 4, 12:38 pm, "Martin v. Löwis" <mar...@v.loewis.de> wrote:
> > This works Ok! But every time I am asked to enter PEM pass phrase,
> > which I specified during dividing my .p12 file.
> > So my question... What should I do to make my code fetch any url
> > automatically (without asking me every time to enter pass phrase)?
> > As I understand there is impossible to specify pass phrase while
> > constructing URLopener.
> > So what should I do?
>
> You can remove the passphrase on the private key, e.g. with the
> openssl rsa utility.
>
> Regards,
> Martin

Hi Martin!

Thanks for the reply. I want my key to be as secure as possible. So I
will remove the pass phrase only if there is no other possibility to go
through authentication.

With regards, Max
--
http://mail.python.org/mailman/listinfo/python-list


clp2 at rebertia

Jul 4, 2009, 3:27 AM

Post #6 of 8 (355 views)
Permalink
Re: urllib with x509 certs [In reply to]

2009/7/4 Lacrima <Lacrima.Maxim[at]gmail.com>:
> On Jul 4, 11:24 am, Chris Rebert <c...@rebertia.com> wrote:
>> On Sat, Jul 4, 2009 at 1:12 AM, Lacrima<Lacrima.Ma...@gmail.com> wrote:
>> > Hello!
>>
>> > I am trying to use urllib to fetch some internet resources, using my
>> > client x509 certificate.
>> > I have divided my .p12 file into mykey.key and mycert.cer files.
>> > Then I use following approach:
>> > >>> import urllib
>> > >>> url = 'https://example.com'
>> > >>> xml = '''<request>
>> > ... <somexml>somexml</somexml>
>> > ... </request>'''
>> > >>> opener = urllib.URLopener(key_file = 'mykey.key', cert_file = 'mycert.cer')
>> > >>> f = opener.open(url, xml)
>>
>> > This works Ok! But every time I am asked to enter PEM pass phrase,
>> > which I specified during dividing my .p12 file.
>> > So my question... What should I do to make my code fetch any url
>> > automatically (without asking me every time to enter pass phrase)?
>> > As I understand there is impossible to specify pass phrase while
>> > constructing URLopener.
>> > So what should I do?
>>
>> Subclass FancyURLopener
>> [http://docs.python.org/library/urllib.html#urllib.FancyURLopener],
>> overriding the prompt_user_passwd() method
>> [http://docs.python.org/library/urllib.html#urllib.FancyURLopener.prom...].
>> Then use an instance of your subclass instead of URLopener.
>>
>> Cheers,
>> Chris
>> --http://blog.rebertia.com
>
> Hi Chris,
> Thanks for your quick reply.
> According to docs the return value of prompt_user_passwd() method
> should be a tuple (user, password), but there is no user when
> authenticating with certificate. So how should I use this method? This
> doesn't work:
> >>> import urllib
> >>> class MyOpener(urllib.FancyURLopener):
> ...      def prompt_user_passwd(self, host, realm):
> ...          return ('password')

Only a guess:

def prompt_user_passwd(self, host, realm):
    return ('', 'password')

Cheers,
Chris
--
http://blog.rebertia.com
--
http://mail.python.org/mailman/listinfo/python-list


martin at v

Jul 4, 2009, 4:09 AM

Post #7 of 8 (358 views)
Permalink
Re: urllib with x509 certs [In reply to]

> Thanks for the reply. I want my key to be as secure as possible. So I
> will remove pass phrase if only there is no other possibility to go
> through authentication.

And you put the passphrase into the source code instead? How does it
make that more secure?

Regards,
Martin
--
http://mail.python.org/mailman/listinfo/python-list


Lacrima.Maxim at gmail

Jul 17, 2009, 12:24 AM

Post #8 of 8 (274 views)
Permalink
Re: urllib with x509 certs [In reply to]

Hello!

I've solved this problem, using pyCurl.
Here is sample code.

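import pycurl
import StringIO  # Python 2 module, as used throughout this thread

b = StringIO.StringIO()  # buffer that collects the response body
c = pycurl.Curl()
url = 'https://example.com/'
c.setopt(pycurl.URL, url)
c.setopt(pycurl.WRITEFUNCTION, b.write)
# CA certificate used to verify the server
c.setopt(pycurl.CAINFO, 'cert.crt')
# Client private key and certificate split out of the .p12 file
c.setopt(pycurl.SSLKEY, 'mykey.key')
c.setopt(pycurl.SSLCERT, 'mycert.cer')
# Pass phrase for the private key, so there is no interactive prompt
c.setopt(pycurl.SSLKEYPASSWD, 'pass phrase')
c.perform()
c.close()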

This also allows specifying a CA, so your requests are more secure than
with urllib.

With regards, Max.
--
http://mail.python.org/mailman/listinfo/python-list
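
Added example, not part of any post in this thread: on Python 3.3 and later, ssl.SSLContext.load_cert_chain() takes a password argument, so urllib can use an encrypted client key without the PEM prompt and without the pass phrase sitting in the source. The environment variable name CLIENT_KEY_PASSPHRASE and the helper function names are assumptions made for this example; the file names are the ones used in the thread.

```python
import os
import ssl
import urllib.request

# Assumed name: the variable a supervisor or secrets manager would set.
PASSPHRASE_ENV = "CLIENT_KEY_PASSPHRASE"


def passphrase_from_env(name=PASSPHRASE_ENV):
    """Return a callable; OpenSSL calls it only if the key is encrypted."""
    def get_passphrase():
        value = os.environ.get(name)
        if not value:
            # Abort the load instead of continuing with an empty pass phrase.
            raise RuntimeError("pass phrase variable %s is not set" % name)
        return value.encode("utf-8")
    return get_passphrase


def server_verifying_context(ca_file=None):
    # Verifies the server certificate and host name. When ca_file is given,
    # only that CA bundle is trusted, the role CAINFO plays in the pycurl post.
    return ssl.create_default_context(cafile=ca_file)


def client_cert_context(cert_file, key_file, get_passphrase, ca_file=None):
    ctx = server_verifying_context(ca_file)
    # password= accepts str, bytes or a callable (Python 3.3+).
    ctx.load_cert_chain(cert_file, key_file, password=get_passphrase)
    return ctx


def post_with_client_cert(url, body, ctx):
    handler = urllib.request.HTTPSHandler(context=ctx)
    opener = urllib.request.build_opener(handler)
    return opener.open(url, body)  # body: bytes for POST, None for GET


# Usage with the thread's file names (not executed here):
#   ctx = client_cert_context("mycert.cer", "mykey.key", passphrase_from_env())
#   reply = post_with_client_cert("https://example.com", b"<request/>", ctx)
```

The pass phrase is kept out of the source file this way, but anyone who can read the process environment can still read it.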
