urllib with x509 certs

Hello!
I am trying to use urllib to fetch some internet resources, using my
client x509 certificate.
I have divided my .p12 file into mykey.key and mycert.cer files.
Then I use following approach:
>>> import urllib
>>> url = 'https://example.com'
>>> xml = '''
... somexml
'''
>>> opener = urllib.URLopener(key_file = 'mykey.key', cert_file = 'mycert.cer')
>>> f = opener.open(url, xml)
This works Ok! But every time I am asked to enter PEM pass phrase,
which I specified during dividing my .p12 file.
So my question... What should I do to make my code fetch any url
automatically (without asking me every time to enter pass phrase)?
As I understand there is impossible to specify pass phrase while
constructing URLopener.
So what should I do?
With regards, Max
(sorry if my English isn't very proper)
--
http://mail.python.org/mailman/listinfo/python-list

On Sat, Jul 4, 2009 at 1:12 AM, Lacrima wrote:
> Hello!
>
> I am trying to use urllib to fetch some internet resources, using my
> client x509 certificate.
> I have divided my .p12 file into mykey.key and mycert.cer files.
> Then I use following approach:
>>>> import urllib
>>>> url = 'https://example.com'
>>>> xml = '''
> ... somexml
> '''
>>>> opener = urllib.URLopener(key_file = 'mykey.key', cert_file = 'mycert.cer')
>>>> f = opener.open(url, xml)
>
> This works Ok! But every time I am asked to enter PEM pass phrase,
> which I specified during dividing my .p12 file.
> So my question... What should I do to make my code fetch any url
> automatically (without asking me every time to enter pass phrase)?
> As I understand there is impossible to specify pass phrase while
> constructing URLopener.
> So what should I do?
Subclass FancyURLopener
[http://docs.python.org/library/urllib.html#urllib.FancyURLopener],
overriding the prompt_user_passwd() method
[http://docs.python.org/library/urllib.html#urllib.FancyURLopener.prompt_user_passwd].
Then use an instance of your subclass instead of URLopener.
Cheers,
Chris
--
http://blog.rebertia.com
--
http://mail.python.org/mailman/listinfo/python-list

> This works Ok! But every time I am asked to enter PEM pass phrase,
> which I specified during dividing my .p12 file.
> So my question... What should I do to make my code fetch any url
> automatically (without asking me every time to enter pass phrase)?
> As I understand there is impossible to specify pass phrase while
> constructing URLopener.
> So what should I do?
You can remove the passphrase on the private key, e.g. with the
openssl rsa utility.
Regards,
Martin
--
http://mail.python.org/mailman/listinfo/python-list

On Jul 4, 11:24=A0am, Chris Rebert wrote:
> On Sat, Jul 4, 2009 at 1:12 AM, Lacrima wrote:
> > Hello!
>
> > I am trying to use urllib to fetch some internet resources, using my
> > client x509 certificate.
> > I have divided my .p12 file into mykey.key and mycert.cer files.
> > Then I use following approach:
> >>>> import urllib
> >>>> url =3D 'https://example.com'
> >>>> xml =3D '''
> > ... somexml
> > '''
> >>>> opener =3D urllib.URLopener(key_file =3D 'mykey.key', cert_file =3D =
'mycert.cer')
> >>>> f =3D opener.open(url, xml)
>
> > This works Ok! But every time I am asked to enter PEM pass phrase,
> > which I specified during dividing my .p12 file.
> > So my question... What should I do to make my code fetch any url
> > automatically (without asking me every time to enter pass phrase)?
> > As I understand there is impossible to specify pass phrase while
> > constructing URLopener.
> > So what should I do?
>
> Subclass FancyURLopener
> [http://docs.python.org/library/urllib.html#urllib.FancyURLopener],
> overriding the prompt_user_passwd() method
> [http://docs.python.org/library/urllib.html#urllib.FancyURLopener.prom...=
].
> Then use an instance of your subclass instead of URLopener.
>
> Cheers,
> Chris
> --http://blog.rebertia.com
Hi Chris,
Thanks for your quick reply.
According to docs the return value of prompt_user_passwd() method
should be a tuple (user, password), but there is no user when
authenticating with certificate. So how should I use this method? This
doesn't work:
>>> import urllib
>>> class MyOpener(urllib.FancyURLopener):
... def prompt_user_passwd(self, host, realm):
... return ('password')
...
With regards, Max
-- =
http://mail.python.org/mailman/listinfo/python-list

On Jul 4, 12:38=A0pm, "Martin v. L=F6wis" wrote:
> > This works Ok! But every time I am asked to enter PEM pass phrase,
> > which I specified during dividing my .p12 file.
> > So my question... What should I do to make my code fetch any url
> > automatically (without asking me every time to enter pass phrase)?
> > As I understand there is impossible to specify pass phrase while
> > constructing URLopener.
> > So what should I do?
>
> You can remove the passphrase on the private key, e.g. with the
> openssl rsa utility.
>
> Regards,
> Martin
Hi Martin!
Thanks for the reply. I want my key to be as secure as possible. So I
will remove pass phrase if only there is no other possibility to go
through authentication.
With regards, Max
-- =
http://mail.python.org/mailman/listinfo/python-list

> Thanks for the reply. I want my key to be as secure as possible. So I
> will remove pass phrase if only there is no other possibility to go
> through authentication.
And you put the passphrase into the source code instead? How does it
make that more secure?
Regards,
Martin
--
http://mail.python.org/mailman/listinfo/python-list

Hello!
I've solved this problem, using pyCurl.
Here is sample code.
import pycurl
import StringIO
b = StringIO.StringIO()
c = pycurl.Curl()
url = 'https://example.com/'
c.setopt(pycurl.URL, url)
c.setopt(pycurl.WRITEFUNCTION, b.write)
c.setopt(pycurl.CAINFO, 'cert.crt')
c.setopt(pycurl.SSLKEY, 'mykey.key')
c.setopt(pycurl.SSLCERT, 'mycert.cer')
c.setopt(pycurl.SSLKEYPASSWD , 'pass phrase')
c.perform()
This also allow to specify CA, so your requests are more secure then
with urllib.
With regards, Max.
--
http://mail.python.org/mailman/listinfo/python-list