[Pki-users] Python programming against dogtag

Alex Scheel ascheel at redhat.com
Tue Jun 30 13:26:15 UTC 2020


Hi Pascal,

----- Original Message -----
> From: "Pascal Jakobi" <pascal.jakobi at gmail.com>
> To: pki-users at redhat.com
> Sent: Monday, June 29, 2020 6:29:32 PM
> Subject: [Pki-users] Python programming against dogtag
> 
> I created the following python test script.
> 
>     import requests
>     import json
> 
>     url = "https://zbook.home:8443/ca/rest/agent/certrequests"
>     headers = {'Accept': 'application/json'}
>     certfile='/etc/pki/tls/certs/ca_admin_cert.crt.pem'
>     keyfile='/etc/pki/tls/private/ca_admin_cert.key.pem'
> 
>     r = requests.request("GET", url, headers=headers, verify=False,
>                          cert=(certfile,keyfile))
> 
>     print('DEBUG {}'.format(r.status_code))
>     print('DEBUG {}'.format(r.json()))
> 
> It works fine against dogtag. However, it will fail if verify is set to
> True.
> 
> So how can I enable SSL verification ? In other terms, what's the
> equivalent to the "-k" switch from curl ?

There are three ways to go about this. verify _technically_ takes a path
argument, which allows you to pass a specific certificate/chain, and
use that to validate the certificate. Something like:

    requests.request("GET", url, headers=headers, cert=(certfile, keyfile),
                     verify="/path/to/ca_root.crt")

This is documented here:

https://requests.readthedocs.io/en/master/user/advanced/#ssl-cert-verification


What we use in Dogtag is a custom adapter, using Python's SSL library and
its certificate verification/loading mechanisms. This is more involved,
but you can see what we do here:

https://github.com/dogtagpki/pki/blob/master/base/common/python/pki/client.py#L59-L86
https://github.com/dogtagpki/pki/blob/master/base/common/python/pki/client.py#L181

This is also documented here:

https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_verify_locations
https://requests.readthedocs.io/en/master/user/advanced/#transport-adapters


Lastly, you could just reuse PKIConnection on Dogtag >= 10.9.0 :-)

    from pki.client import PKIConnection
    conn = PKIConnection(protocol='https', hostname='zbook.home', port='8443',
                         cert_paths='/path/to/ca_root.crt')
    conn.set_authentication_cert(certfile, keyfile)
    conn.{get,put,post,...}

HTH,

- Alex


> 
> Thanks in advance
> 
> --
> *Pascal Jakobi*
> 
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
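The verifying setup Alex describes, written out as an added example (this is not code from the reply or from Dogtag's pki.client module) using only the Python standard library, so the trust-anchor handling is visible rather than hidden inside requests. It assumes the hostname, port, REST path and admin cert/key paths from the thread; the CA bundle path is a placeholder that must point at a PEM file holding the Dogtag CA's own certificate chain. The context it builds is the opposite of `verify=False`: the chain must validate against the supplied bundle and the certificate must be issued for the hostname being contacted, and a server that fails either check is rejected before any HTTP request is sent.

```python
"""Call the Dogtag CA REST API over TLS with server verification enabled.

Added example, not Dogtag's own client code. Assumed values:
- zbook.home:8443 and /ca/rest/agent/certrequests come from the thread;
- the admin cert/key paths come from the thread;
- CA_BUNDLE is a placeholder for a PEM file with the Dogtag CA chain.
"""
import http.client
import json
import os
import ssl
from typing import Optional, Tuple

CA_BUNDLE = "/path/to/ca_root.crt"  # placeholder: PEM chain of the Dogtag CA
CLIENT_CERT = "/etc/pki/tls/certs/ca_admin_cert.crt.pem"
CLIENT_KEY = "/etc/pki/tls/private/ca_admin_cert.key.pem"


def build_client_context(ca_bundle: Optional[str] = None,
                         client_cert: Optional[Tuple[str, str]] = None) -> ssl.SSLContext:
    """Return an SSLContext that verifies the server (the opposite of verify=False).

    PROTOCOL_TLS_CLIENT already defaults to CERT_REQUIRED plus hostname
    checking; the explicit assignments make the intent visible and survive
    a later change of the protocol constant.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject servers that do not chain to a trusted CA
    ctx.check_hostname = True            # reject certs not issued for the contacted host
    if ca_bundle is None:
        # OS trust store: fine for public CAs, useless for a private Dogtag CA.
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    else:
        if not os.path.isfile(ca_bundle):
            raise FileNotFoundError(f"CA bundle not found: {ca_bundle}")
        # Same effect as requests' verify="/path/to/ca_root.crt": trust only this chain.
        ctx.load_verify_locations(cafile=ca_bundle)
    if client_cert is not None:
        # Agent authentication, the equivalent of cert=(certfile, keyfile).
        certfile, keyfile = client_cert
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Inspectable view of the settings that decide whether verification happens."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def parse_json_body(body: bytes) -> object:
    """Decode a JSON response body; an empty body (e.g. HTTP 204) becomes None."""
    if not body.strip():
        return None
    return json.loads(body.decode("utf-8"))


def get_json(host: str, port: int, path: str, ctx: ssl.SSLContext,
             timeout: float = 10.0) -> Tuple[int, object]:
    """GET `path` and return (status, parsed JSON).

    With the context above, an untrusted or mismatched server certificate
    raises ssl.SSLCertVerificationError during the handshake, i.e. before
    the Accept header or the client certificate is of any use.
    """
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Accept": "application/json"})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    return resp.status, parse_json_body(body)


if __name__ == "__main__":
    context = build_client_context(CA_BUNDLE, (CLIENT_CERT, CLIENT_KEY))
    status, payload = get_json("zbook.home", 8443, "/ca/rest/agent/certrequests", context)
    print("DEBUG", status)
    print("DEBUG", json.dumps(payload, indent=2))
```

Loading only the Dogtag CA bundle (rather than appending it to the OS store) means a certificate from any other CA is refused for this connection, which is usually what you want for a private PKI; drop the bundle argument only when the CA's certificate is in the system trust store.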
