urllib with x509 certs

Lacrima
2009-07-04T08:15:07+00:00

Hello!

I am trying to use urllib to fetch some internet resources, using my
client x509 certificate.
I have divided my .p12 file into mykey.key and mycert.cer files.
Then I use the following approach:
>>> import urllib
>>> url = 'https://example.com'
>>> xml = '''<request>
... <somexml>somexml</somexml>
... </request>'''
>>> opener = urllib.URLopener(key_file = 'mykey.key', cert_file = 'mycert.cer')
>>> f = opener.open(url, xml)

This works OK! But every time I am asked to enter the PEM pass phrase,
which I specified when dividing my .p12 file.
So my question... What should I do to make my code fetch any url
automatically (without asking me every time to enter the pass phrase)?
As I understand, it is impossible to specify a pass phrase while
constructing URLopener.
So what should I do?

With regards, Max
(sorry if my English isn't very proper)

Re: urllib with x509 certs by Chris Rebert on 2009-07-04T08:24:43+00:00
On Sat, Jul 4, 2009 at 1:12 AM, Lacrima<Lacrima.Maxim@gmail.com> wrote:
> Hello!
>
> I am trying to use urllib to fetch some internet resources, using my
> client x509 certificate.
> I have divided my .p12 file into mykey.key and mycert.cer files.
> Then I use the following approach:
> >>> import urllib
> >>> url = 'https://example.com'
> >>> xml = '''<request>
> ... <somexml>somexml</somexml>
> ... </request>'''
> >>> opener = urllib.URLopener(key_file = 'mykey.key', cert_file = 'mycert.cer')
> >>> f = opener.open(url, xml)
>
> This works OK! But every time I am asked to enter the PEM pass phrase,
> which I specified when dividing my .p12 file.
> So my question... What should I do to make my code fetch any url
> automatically (without asking me every time to enter the pass phrase)?
> As I understand, it is impossible to specify a pass phrase while
> constructing URLopener.
> So what should I do?

Subclass FancyURLopener
[http://docs.python.org/library/urllib.html#urllib.FancyURLopener],
overriding the prompt_user_passwd() method
[http://docs.python.org/library/urllib.html#urllib.FancyURLopener.prompt_user_passwd].
Then use an instance of your subclass instead of URLopener.

Cheers,
Chris

Re: urllib with x509 certs by "Martin v. Löwis" on 2009-07-04T09:40:06+00:00
> This works OK! But every time I am asked to enter the PEM pass phrase,
> which I specified when dividing my .p12 file.
> So my question... What should I do to make my code fetch any url
> automatically (without asking me every time to enter the pass phrase)?
> As I understand, it is impossible to specify a pass phrase while
> constructing URLopener.
> So what should I do?

You can remove the passphrase on the private key, e.g. with the
openssl rsa utility.

Regards,
Martin

Re: urllib with x509 certs by Lacrima on 2009-07-04T10:10:09+00:00
On Jul 4, 11:24 am, Chris Rebert <c...@rebertia.com> wrote:
> On Sat, Jul 4, 2009 at 1:12 AM, Lacrima<Lacrima.Ma...@gmail.com> wrote:
> > Hello!
>
> > I am trying to use urllib to fetch some internet resources, using my
> > client x509 certificate.
> > I have divided my .p12 file into mykey.key and mycert.cer files.
> > Then I use the following approach:
> > >>> import urllib
> > >>> url = 'https://example.com'
> > >>> xml = '''<request>
> > ... <somexml>somexml</somexml>
> > ... </request>'''
> > >>> opener = urllib.URLopener(key_file = 'mykey.key', cert_file = 'mycert.cer')
> > >>> f = opener.open(url, xml)
>
> > This works OK! But every time I am asked to enter the PEM pass phrase,
> > which I specified when dividing my .p12 file.
> > So my question... What should I do to make my code fetch any url
> > automatically (without asking me every time to enter the pass phrase)?
> > As I understand, it is impossible to specify a pass phrase while
> > constructing URLopener.
> > So what should I do?
>
> Subclass FancyURLopener
> [http://docs.python.org/library/urllib.html#urllib.FancyURLopener],
> overriding the prompt_user_passwd() method
> [http://docs.python.org/library/urllib.html#urllib.FancyURLopener.prom...].
> Then use an instance of your subclass instead of URLopener.
>
> Cheers,
> Chris
> doesn't work:
>>> import urllib
>>> class MyOpener(urllib.FancyURLopener):
...      def prompt_user_passwd(self, host, realm):
...          return ('password')
...


With regards, Max

Re: urllib with x509 certs by Lacrima on 2009-07-04T10:16:47+00:00
On Jul 4, 12:38 pm, "Martin v. Löwis" <mar...@v.loewis.de> wrote:
> > This works OK! But every time I am asked to enter the PEM pass phrase,
> > which I specified when dividing my .p12 file.
> > So my question... What should I do to make my code fetch any url
> > automatically (without asking me every time to enter the pass phrase)?
> > As I understand, it is impossible to specify a pass phrase while
> > constructing URLopener.
> > So what should I do?
>
> You can remove the passphrase on the private key, e.g. with the
> openssl rsa utility.
>
> Regards,
> Martin

Hi Martin!

Thanks for the reply. I want my key to be as secure as possible. So I
will remove the pass phrase only if there is no other possibility to go
through authentication.

With regards, Max

Re: urllib with x509 certs by Chris Rebert on 2009-07-04T10:29:42+00:00

Re: urllib with x509 certs by "Martin v. Löwis" on 2009-07-04T11:11:49+00:00
> Thanks for the reply. I want my key to be as secure as possible. So I
> will remove the pass phrase only if there is no other possibility to go
> through authentication.

And you put the passphrase into the source code instead? How does it
make that more secure?

Regards,
Martin

Re: urllib with x509 certs by Lacrima on 2009-07-17T07:26:58+00:00
Hello!

I've solved this problem, using pyCurl.
Here is sample code.

import pycurl
import StringIO

b = StringIO.StringIO()                        # buffer that collects the response body
c = pycurl.Curl()
url = 'https://example.com/'
c.setopt(pycurl.URL, url)
c.setopt(pycurl.WRITEFUNCTION, b.write)
c.setopt(pycurl.CAINFO, 'cert.crt')            # CA bundle used to verify the server
c.setopt(pycurl.SSLKEY, 'mykey.key')           # client private key
c.setopt(pycurl.SSLCERT, 'mycert.cer')         # client certificate
c.setopt(pycurl.SSLKEYPASSWD, 'pass phrase')   # pass phrase for the private key
c.perform()
c.close()

This also allows you to specify a CA, so your requests are more secure than
with urllib.

With regards, Max.
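
Added example, not part of the original thread and not code from any poster: one way to keep the encrypted key and still fetch unattended without a pass phrase in the source, using the Python 3 standard library (ssl.SSLContext.load_cert_chain accepts a password callback). The function names and the pass phrase file are assumptions made for this sketch; the certificate and key file names would be the ones from the thread.

```python
import os
import ssl
import stat
import urllib.request


def read_passphrase(path):
    """Return the key pass phrase from a file that only the current user can access.

    The checks run on the already opened descriptor (fstat), so the file that is
    checked is the file that is read.
    """
    with open(path, "rb") as fh:
        st = os.fstat(fh.fileno())
        if st.st_uid != os.getuid():
            raise PermissionError("%s: not owned by the current user" % path)
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError("%s: must not be accessible to group/other" % path)
        return fh.read().rstrip(b"\r\n")


def build_client_opener(cert_file, key_file, passphrase_file, ca_file=None):
    """Build a urllib opener that presents a client certificate.

    The private key stays encrypted on disk; the pass phrase is fetched through a
    callback when the key is loaded. Server verification stays on: ca_file (or the
    system trust store when it is None) plays the role of CAINFO in the pycurl post.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(
        cert_file,
        keyfile=key_file,
        password=lambda: read_passphrase(passphrase_file),
    )
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


# Usage (hypothetical pass phrase path, file names as in the thread):
#   opener = build_client_opener('mycert.cer', 'mykey.key',
#                                os.path.expanduser('~/.mykey.pass'))
#   body = opener.open('https://example.com', data=b'<request/>').read()
```

The pass phrase file is only as protected as the account that owns it, so this moves the secret out of the code and version control rather than removing the need to protect it.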