urllib with x509 certs

Lacrima

Hello!

I am trying to use urllib to fetch some internet resources, using my
client x509 certificate.
I have divided my .p12 file into mykey.key and mycert.cer files.
Then I use the following approach:
This works OK! But every time I am asked to enter the PEM pass phrase,
which I specified while dividing my .p12 file.
So my question... What should I do to make my code fetch any URL
automatically (without asking me every time to enter the pass phrase)?
As I understand it, it is impossible to specify the pass phrase while
constructing URLopener.
So what should I do?

With regards, Max
(sorry if my English isn't very proper)
 
Chris Rebert

Hello!

I am trying to use urllib to fetch some internet resources, using my
client x509 certificate.
I have divided my .p12 file into mykey.key and mycert.cer files.
Then I use the following approach:

This works OK! But every time I am asked to enter the PEM pass phrase,
which I specified while dividing my .p12 file.
So my question... What should I do to make my code fetch any URL
automatically (without asking me every time to enter the pass phrase)?
As I understand it, it is impossible to specify the pass phrase while
constructing URLopener.
So what should I do?

Subclass FancyURLopener
[http://docs.python.org/library/urllib.html#urllib.FancyURLopener],
overriding the prompt_user_passwd() method
[http://docs.python.org/library/urllib.html#urllib.FancyURLopener.prompt_user_passwd].
Then use an instance of your subclass instead of URLopener.

Cheers,
Chris
 
Martin v. Löwis

This works OK! But every time I am asked to enter the PEM pass phrase,
which I specified while dividing my .p12 file.
So my question... What should I do to make my code fetch any URL
automatically (without asking me every time to enter the pass phrase)?
As I understand it, it is impossible to specify the pass phrase while
constructing URLopener.
So what should I do?

You can remove the passphrase on the private key, e.g. with the
openssl rsa utility.

Regards,
Martin
 
Lacrima

I am trying to use urllib to fetch some internet resources, using my
client x509 certificate.
I have divided my .p12 file into mykey.key and mycert.cer files.
Then I use the following approach:
This works OK! But every time I am asked to enter the PEM pass phrase,
which I specified while dividing my .p12 file.
So my question... What should I do to make my code fetch any URL
automatically (without asking me every time to enter the pass phrase)?
As I understand it, it is impossible to specify the pass phrase while
constructing URLopener.
So what should I do?

Subclass FancyURLopener
[http://docs.python.org/library/urllib.html#urllib.FancyURLopener],
overriding the prompt_user_passwd() method
[http://docs.python.org/library/urllib.html#urllib.FancyURLopener.prom...].
Then use an instance of your subclass instead of URLopener.

Cheers,
Chris
--http://blog.rebertia.com

Hi Chris,
Thanks for your quick reply.
According to the docs, the return value of the prompt_user_passwd() method
should be a tuple (user, password), but there is no user when
authenticating with a certificate. So how should I use this method? This
doesn't work:

def prompt_user_passwd(self, host, realm):
    return ('password')


With regards, Max
 
Lacrima

You can remove the passphrase on the private key, e.g. with the
openssl rsa utility.

Regards,
Martin

Hi Martin!

Thanks for the reply. I want my key to be as secure as possible. So I
will remove the pass phrase only if there is no other possibility to go
through authentication.

With regards, Max
 
Chris Rebert

2009/7/4 Lacrima said:
I am trying to use urllib to fetch some internet resources, using my
client x509 certificate.
I have divided my .p12 file into mykey.key and mycert.cer files.
Then I use the following approach:

import urllib
url = 'https://example.com'
xml = '''<request>
    <somexml>somexml</somexml>
</request>'''
opener = urllib.URLopener(key_file = 'mykey.key', cert_file = 'mycert.cer')
f = opener.open(url, xml)

This works OK! But every time I am asked to enter the PEM pass phrase,
which I specified while dividing my .p12 file.
So my question... What should I do to make my code fetch any URL
automatically (without asking me every time to enter the pass phrase)?
As I understand it, it is impossible to specify the pass phrase while
constructing URLopener.
So what should I do?

Subclass FancyURLopener
[http://docs.python.org/library/urllib.html#urllib.FancyURLopener],
overriding the prompt_user_passwd() method
[http://docs.python.org/library/urllib.html#urllib.FancyURLopener.prom....].
Then use an instance of your subclass instead of URLopener.

Cheers,
Chris
--http://blog.rebertia.com

Hi Chris,
Thanks for your quick reply.
According to the docs, the return value of the prompt_user_passwd() method
should be a tuple (user, password), but there is no user when
authenticating with a certificate. So how should I use this method? This
doesn't work:

def prompt_user_passwd(self, host, realm):
    return ('password')

Only a guess:

def prompt_user_passwd(self, host, realm):
    return ('', 'password')

Cheers,
Chris
 
Martin v. Löwis

Thanks for the reply. I want my key to be as secure as possible. So I
will remove the pass phrase only if there is no other possibility to go
through authentication.

And you put the passphrase into the source code instead? How does it
make that more secure?

Regards,
Martin
 
Lacrima

Hello!

I've solved this problem, using pyCurl.
Here is sample code.

import pycurl
import StringIO
b = StringIO.StringIO()
c = pycurl.Curl()
url = 'https://example.com/'
c.setopt(pycurl.URL, url)
c.setopt(pycurl.WRITEFUNCTION, b.write)
c.setopt(pycurl.CAINFO, 'cert.crt')
c.setopt(pycurl.SSLKEY, 'mykey.key')
c.setopt(pycurl.SSLCERT, 'mycert.cer')
c.setopt(pycurl.SSLKEYPASSWD , 'pass phrase')
c.perform()

This also allows specifying the CA, so your requests are more secure than
with urllib.

With regards, Max.
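
The same goal using only the standard library, as an added example that is not part of the original thread: it supplies the key's pass phrase without a prompt and verifies the server against a CA, while keeping the pass phrase out of the source code. It assumes Python 3 (the thread's code is Python 2) and a hypothetical environment variable name, CLIENT_KEY_PASSPHRASE.

```python
import os
import ssl
import urllib.request

# Assumed name of the environment variable that holds the key's pass phrase.
PASSPHRASE_ENV = "CLIENT_KEY_PASSPHRASE"


def passphrase_from_env():
    """Password callback for load_cert_chain(); fails instead of prompting."""
    value = os.environ.get(PASSPHRASE_ENV)
    if not value:
        raise RuntimeError(PASSPHRASE_ENV + " is not set")
    return value


def build_client_context(cert_file, key_file, ca_file=None):
    """TLS context that verifies the server and presents the client cert."""
    # create_default_context() turns on CERT_REQUIRED and hostname checking;
    # ca_file pins a private CA bundle, None uses the system trust store.
    ctx = ssl.create_default_context(cafile=ca_file)
    # The callback is only invoked if the key file is actually encrypted.
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file,
                        password=passphrase_from_env)
    return ctx


def post_xml(url, xml, cert_file, key_file, ca_file=None, timeout=30):
    """POST an XML body over mutually authenticated TLS, return the reply."""
    ctx = build_client_context(cert_file, key_file, ca_file)
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx))
    request = urllib.request.Request(
        url, data=xml.encode("utf-8"),
        headers={"Content-Type": "application/xml"})
    with opener.open(request, timeout=timeout) as response:
        return response.read()


if __name__ == "__main__":
    # File names follow the thread; the URL is the thread's placeholder.
    body = "<request>\n  <somexml>somexml</somexml>\n</request>"
    print(post_xml("https://example.com", body, "mycert.cer", "mykey.key"))
```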
 
