[Pki-users] Python programming against dogtag
Alex Scheel
ascheel at redhat.com
Tue Jun 30 13:26:15 UTC 2020
Hi Pascal,
----- Original Message -----
> From: "Pascal Jakobi" <pascal.jakobi at gmail.com>
> To: pki-users at redhat.com
> Sent: Monday, June 29, 2020 6:29:32 PM
> Subject: [Pki-users] Python programming against dogtag
>
> I created the following Python test script.
>
> import requests
> import json
>
> url = "https://zbook.home:8443/ca/rest/agent/certrequests"
> headers = {'Accept': 'application/json'}
> certfile='/etc/pki/tls/certs/ca_admin_cert.crt.pem'
> keyfile='/etc/pki/tls/private/ca_admin_cert.key.pem'
>
> r = requests.request("GET", url, headers=headers, verify=False,
>                      cert=(certfile,keyfile))
>
> print('DEBUG {}'.format(r.status_code))
> print('DEBUG {}'.format(r.json()))
>
> It works fine against dogtag. However, it will fail if verify is set to
> True.
>
> So how can I enable SSL verification? In other terms, what's the
> equivalent to the "-k" switch from curl?
There are three ways to go about this. verify _technically_ takes a path
argument, which allows you to pass a specific certificate/chain, and
use that to validate the certificate. Something like:
requests.request("GET", url, headers=headers, cert=(certfile, keyfile),
verify="/path/to/ca_root.crt")
This is documented here:
https://requests.readthedocs.io/en/master/user/advanced/#ssl-cert-verification
What we use in Dogtag is a custom adapter, using Python's SSL library and
its certificate verification/loading mechanisms. This is more involved,
but you can see what we do here:
https://github.com/dogtagpki/pki/blob/master/base/common/python/pki/client.py#L59-L86
https://github.com/dogtagpki/pki/blob/master/base/common/python/pki/client.py#L181
This is also documented here:
https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_verify_locations
https://requests.readthedocs.io/en/master/user/advanced/#transport-adapters
Lastly, you could just reuse PKIConnection on Dogtag >= 10.9.0 :-)
from pki.client import PKIConnection
conn = PKIConnection(protocol='https', hostname='zbook.home', port='8443',
cert_paths='/path/to/ca_root.crt')
conn.set_authentication_cert(certfile, keyfile)
conn.{get,put,post,...}
HTH,
- Alex
>
> Thanks in advance
>
> --
> *Pascal Jakobi*
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
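As an added example (not from this thread and not Dogtag's own client.py), here is the second route Alex points at: an ssl.SSLContext that loads the CA chain with load_verify_locations() and is mounted on a requests session through a transport adapter. Paths such as /path/to/ca_root.crt are placeholders, and the function names are this example's own.

```python
import os
import ssl


def build_verifying_context(ca_bundle=None, client_cert=None):
    """Build an SSLContext that trusts only the given CA chain.

    ca_bundle:   PEM file (or hashed directory) holding the chain that signed
                 the Dogtag server certificate, e.g. an exported ca_root.crt;
                 None falls back to the operating system trust store.
    client_cert: optional (certfile, keyfile) pair for agent authentication,
                 the same files the thread passes to requests' cert= argument.
    """
    # PROTOCOL_TLS_CLIENT starts strict: CERT_REQUIRED and hostname checking
    # are on, and no trust anchors are loaded until we add some.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle is None:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    elif os.path.isdir(ca_bundle):
        ctx.load_verify_locations(capath=ca_bundle)
    else:
        ctx.load_verify_locations(cafile=ca_bundle)  # wrong path -> FileNotFoundError
    if client_cert is not None:
        certfile, keyfile = client_cert
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_is_strict(ctx):
    """True when ctx will refuse unverifiable peers and hostname mismatches."""
    return bool(ctx.check_hostname
                and ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def mount_verifying_adapter(session, ctx):
    """Route every https:// request of a requests.Session through ctx."""
    from requests.adapters import HTTPAdapter  # lazy so the ssl part runs without requests

    class ContextAdapter(HTTPAdapter):
        def init_poolmanager(self, *args, **kwargs):
            kwargs["ssl_context"] = ctx  # urllib3 wraps its sockets with our context
            return super().init_poolmanager(*args, **kwargs)

    session.mount("https://", ContextAdapter())
    return session


# Usage (placeholder paths): session = mount_verifying_adapter(requests.Session(),
#   build_verifying_context("/path/to/ca_root.crt", (certfile, keyfile)))
```

Keep verify at its default of True when calling the session; depending on the requests version, its own bundled public CAs may be loaded into this context alongside yours, which broadens the accepted issuers but leaves chain and hostname checking in force.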