I am trying to send an HTTPS request to an IIS server using Python requests and fetch the response for parsing. Authentication is done using self-signed certificates. I have generated a certificate with a password and a key by using the following commands. I am using TestPublicKey.pem and plainkey.pem as inputs to the cert attribute in the requests.get method. Can someone guide me on how to achieve this?
C:\OpenSSL-Win64\bin>openssl req -x509 -newkey rsa:2048 -keyout TestPrivateKey.pem -out TestPublicKey.pem -days 9999
C:\OpenSSL-Win64\bin>openssl pkcs12 -inkey TestPrivateKey.pem -in TestPublicKey.pem -export -out Test.pfx
Enter pass phrase for cTestPrivateKey.pem:
Enter Export Password:
Verifying - Enter Export Password:
C:\OpenSSL-Win64\bin>openssl rsa -in TestPrivateKey.pem -out plainkey.pem
Enter pass phrase for TestPrivateKey.pem:
writing RSA key
import requests
url = "https://10.110.20.75/REST/getxml"
r = requests.request("GET", url, verify=False,cert=('TestPublicKey.pem','plainkey.pem'))
print r.status_code
If verify is set to False, I get a 403 status_code. If verify is set to True, an SSLError exception is raised.
raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
I got this resolved by trying the following openssl commands and Python code.
Note: This answer is for a certificate without a password. If there are any other answers or comments, I would be glad to see them.
OpenSSL commands
Generate the self signed certificate
openssl req -x509 -nodes -days 30 -newkey rsa:2048 -keyout test_Private.key -out test_certificate.cer -subj "/CN=*.hpe.com"
Convert certificate and private key to .PFX
openssl pkcs12 -export -out test_PFX.pfx -inkey test_Private.key -in test_certificate.cer -name "*.hpe.com" -passout pass:
Python code
import requests
url = "https://10.110.20.75/REST/getxml"
webServiceResponse=requests.request("GET",url,verify='test_certificate.cer')
print webServiceResponse.status_code
print webServiceResponse.json()
Full code below.
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
import datetime
encryptedpassword = b"yokedicicaner31"  # Get user input, yokedicicaner31, copy and paste.
key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend())
with open("rsakey.pem", "wb") as f:
    f.write(key.private_bytes(encoding=serialization.Encoding.PEM,
                              format=serialization.PrivateFormat.TraditionalOpenSSL,
                              encryption_algorithm=serialization.BestAvailableEncryption(encryptedpassword)))
subject = issuer = x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"TR"),
                              x509.NameAttribute(NameOID.LOCALITY_NAME, u"damacaner"),
                              x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"damacana ve erikli su sevenler derneği"),
                              x509.NameAttribute(NameOID.COMMON_NAME, u"damacaner.tr")])
cert = x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(key.public_key()).serial_number(x509.random_serial_number()).not_valid_before(datetime.datetime.utcnow()).not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=10)
).add_extension(x509.SubjectAlternativeName([x509.DNSName(u"localhost")]), critical=False).sign(key, hashes.SHA256(), default_backend())
with open("certificate.pem", "wb") as f:
    f.write(cert.public_bytes(serialization.Encoding.PEM))
Full output below.
unable to load X509 request
34359836736:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:
Expecting: CERTIFICATE REQUEST
I tried to open the certificate file called certificate.pem with the "openssl req -text -in certificate.pem" command, but it threw the error that I wrote in the output. This error didn't happen when I built a certificate with x509.CertificateSigningRequestBuilder, but I get an error when I try to build a self-signed certificate with x509.CertificateBuilder. Thanks for all the help.
Check if the first line of your certificate request starts with:
-----BEGIN CERTIFICATE REQUEST-----
It is unclear what you are trying to do here, since you only describe the problems you run into and not what task you are trying to implement at the end. Anyway ...
openssl req -text -in certificate.pem
This line expects a certificate request. Your code instead creates a certificate (CertificateBuilder), not a certificate request. The latter would be created with x509.CertificateSigningRequestBuilder, which as expected works with the openssl req command above.
... I get an error when I try to build a self-signed certificate with x509.CertificateBuilder.
It does not look like you get an error when building the self-signed certificate, i.e. the code to build the certificate works. Instead you get an error when using it with openssl req. This error is expected since you did not provide a certificate request but instead a certificate. For certificates use the x509 openssl command not req:
openssl x509 -text -in certificate.pem
I'm developing 'APNS function' with Django.
This is my code to send a push notification to the iOS device:
PATH = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
apns = APNs(use_sandbox=True, cert_file=PATH+'/app/certificate.pem')
token_hex = 'UUID from ios Device'
payload = Payload(alert="Hello World!", sound="default", badge=1)
apns.gateway_server.send_notification(token_hex, payload)
return Response({'test'})
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.py", line 522, in __init__
self._context.load_cert_chain(certfile, keyfile)
SSLError: [SSL] PEM lib (_ssl.c:2580)
Yes, I already searched for the same issue, and I'm almost sure that my 'certificate.pem' file is correct.
But one guess of mine is that I didn't insert the password for that 'certificate.pem' file.
Is that the reason for the error?
If so, where should I put the password for it?
Has anyone solved this error?
'SSLError: [SSL] PEM lib'
It was because of the 'certificate.pem' file. I had misunderstood how to create the correct 'certificate.pem' file. I followed the instructions from 'http://www.apptuitions.com/generate-pem-file-for-push-notification/'.
Then I could make a difference, although I have not succeeded in pushing and receiving notifications.
I hope this is helpful for those having the same error messages.
I got .cer, .p12 and .pem from Apple.
What worked for me was:
openssl x509 -inform der -in aps_development.cer -out cert.pem
openssl pkcs12 -in private.p12 -out key.pem -nocerts
cat key.pem cert.pem > dev.pem
I haven't used the .pem from Apple. The method from the website ( http://www.apptuitions.com/generate-pem-file-for-push-notification/ ) did not work for some reason.
I have a PKCS7 message which is signed. It contains data and a signing certificate (with the whole chain of trust).
I have code which uses m2crypto to get a certificate out of it.
bio = BIO.MemoryBuffer(pkcs7message)
p7 = SMIME.PKCS7(m2.pkcs7_read_bio_der(bio._ptr()))
sk = X509.X509_Stack()
certStack = p7.get0_signers(sk)
It works. However, certStack returns only one certificate (instead of returning the whole chain of certificates).
Two questions:
Am I missing something (maybe there is an option to let it know that I need the whole chain)?
Are there other methods to get the whole chain (maybe using pyopenssl)?
I guess you are confusing signers with the certificate chain of a signer. PKCS7_get0_signers returns the list of signers.
In order to build a PKCS7 message with 2 signers, you can use the following steps:
Build key and certificate for first signer:
openssl genrsa -out key1.pem
openssl req -new -key key1.pem -subj "/CN=key1" | openssl x509 -req -signkey key1.pem -out cert1.pem
Build key and certificate for second signer:
openssl genrsa -out key2.pem
openssl req -new -key key2.pem -subj "/CN=key2" | openssl x509 -req -signkey key2.pem -out cert2.pem
Create a PKCS7 message using both signers:
echo "Hello" | openssl smime -sign -nodetach \
-out signature.der -outform DER \
-inkey key1.pem -signer cert1.pem -inkey key2.pem -signer cert2.pem
Then signers could be printed running your python script:
from M2Crypto import *
# signature.der is binary DER, so open it in binary mode
bio=BIO.File(open('signature.der', 'rb'))
smime_object = SMIME.PKCS7(m2.pkcs7_read_bio_der(bio._ptr()))
signers = smime_object.get0_signers(X509.X509_Stack())
for cert in signers:
    print(cert.get_issuer().as_text())
It gives the signers' issuer:
CN=key1
CN=key2
Say that I have a cer file called symantec-class3.cer, this is what I'm trying:
headers = {"content-type": "application/json"}
api_url = "https://www.someurl.com/search"
pprint.pprint(requests.post(api_url, auth=HTTPBasicAuth(username, password), verify="symantec-class3.cer", data=json.dumps(payload), headers=headers).json())
This is not liking it and spews out the following error:
requests.exceptions.SSLError: [Errno 0] _ssl.c:344: error:00000000:lib(0):func(0):reason(0)
It works fine if I turn verify False, but I'm trying to use a cert file in my local directory.
Python expects the cert in PEM format.
So you should extract the public key component from the X509 certificate using the openssl x509 command.
.cer extension often means a binary DER format, so this command should extract the public key in a form that can be used by pycrypto:
openssl x509 -inform der -pubkey -noout -in you.cer >public_key.pem
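Added example, not part of any post on this page: the `openssl req` versus `openssl x509` mix-up, the `[SSL] PEM lib` error and the DER `.cer` question above all depend on what a credential file actually contains. This Python code reads the PEM labels (or the DER tag) and reports what the file holds, which openssl subcommand parses it, and why it would fail as a trust file or as a combined client cert and key file. The function names, messages and sample byte strings are constructed for illustration.

```python
import re
import ssl

PEM_KINDS = {  # PEM label -> (kind, openssl subcommand that parses it)
    "CERTIFICATE": ("certificate", "x509"),
    "CERTIFICATE REQUEST": ("csr", "req"),
    "RSA PRIVATE KEY": ("private key", "rsa"),
    "PRIVATE KEY": ("private key", "pkey"),
    "ENCRYPTED PRIVATE KEY": ("private key", "pkey"),
    "PUBLIC KEY": ("public key", "pkey -pubin"),
}
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
# Constructed samples: the bodies are placeholder base64, not real keys or certificates.
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nTUlJQ2R1bW15\n-----END CERTIFICATE-----\n"
SAMPLE_CSR = b"-----BEGIN CERTIFICATE REQUEST-----\nTUlJQ2R1bW15\n-----END CERTIFICATE REQUEST-----\n"
SAMPLE_ENC_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\nZHVtbXk=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(8)

def inspect(data):
    """Return [(kind, openssl_subcommand, encrypted)] for every object in data."""
    found = []
    for m in PEM_BLOCK.finditer(data):
        label = m.group(1).decode("ascii")
        # Traditional keys flag encryption in a header, PKCS#8 keys in the label.
        enc = label.startswith("ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in m.group(2)
        found.append(PEM_KINDS.get(label, ("unknown", None)) + (enc,))
    if not found and data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: binary DER
        found.append(("der", "x509 -inform der", False))
    return found

def problems(data, use):
    """Why data would fail as a 'verify' trust file or a 'client' cert+key file."""
    objs = inspect(data)
    kinds = [kind for kind, _, _ in objs]
    issues = []
    if "der" in kinds:
        issues.append("binary DER: convert to PEM first")
    elif "certificate" not in kinds:
        issues.append("no PEM certificate found")
    if use == "client":
        key_enc = [enc for kind, _, enc in objs if kind == "private key"]
        if not key_enc:
            issues.append("no private key in file")
        elif any(key_enc):
            issues.append("private key is encrypted: a password is required")
    return issues

def der_cert_to_pem(data):
    """Re-encode a DER certificate as PEM text (stdlib helper, no validation)."""
    return ssl.DER_cert_to_PEM_cert(data).encode("ascii")
```

Calling `problems(open(path, "rb").read(), "client")` on a file before handing it to `load_cert_chain` turns an opaque `PEM lib` failure into a specific cause.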
I want to access a web service over HTTPS.
I have been given a client certificate (p12 file) in order to access it.
Previously we were using basic authentication.
Using python I am unsure how to access it.
I want to use httplib2
h = Http()
#h.add_credentials("testuser", "testpass")
#h.add_certificate(keyfile, certfile, '')
resp, content = h.request("https://example.com/webservice", "POST", xml_data)
print content
Now, I am quite new to SSL. Can I just call add_cert or something similar and give it the p12 file?
Do I need to convert it to a PEM file?
The answer to my question was IN my question
h.add_certificate(keyfile, certfile, '')
I had a pkcs12 file, I just needed to extract out the key and cert from the p12 file.
openssl pkcs12 -in file.p12 -out key.pem -nodes -nocerts
openssl pkcs12 -in file.p12 -out cert.pem -nodes -nokeys