import contextlib | |
import OpenSSL.crypto | |
import os | |
import requests | |
import ssl | |
import tempfile | |
@contextlib.contextmanager | |
def pfx_to_pem(pfx_path, pfx_password): | |
''' Decrypts the .pfx file to be used with requests. ''' | |
with tempfile.NamedTemporaryFile(suffix='.pem') as t_pem: | |
f_pem = open(t_pem.name, 'wb') | |
pfx = open(pfx_path, 'rb').read() | |
p12 = OpenSSL.crypto.load_pkcs12(pfx, pfx_password) | |
f_pem.write(OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, p12.get_privatekey())) | |
f_pem.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, p12.get_certificate())) | |
ca = p12.get_ca_certificates() | |
if ca is not None: | |
for cert in ca: | |
f_pem.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, cert)) | |
f_pem.close() | |
yield t_pem.name | |
# HOW TO USE: | |
# with pfx_to_pem('foo.pem', 'bar') as cert: | |
# requests.post(url, cert=cert, data=payload) |
This comment has been minimized.
This comment has been minimized.
@erikbern thank you for this snippet! Works like a charm. |
This comment has been minimized.
This comment has been minimized.
@erikbern, In my attempt p12.get_ca_certificates() returns None. I dont know much about it. Do you know what am I missing? |
This comment has been minimized.
This comment has been minimized.
@talespadua lol I actually googled "python requests p12" right now, found my own gist (which I had forgotten about), and saw your comment. pretty weird coincidence given that you commented on it 40 minutes ago. i'll let you know if i figure out how to make it work |
This comment has been minimized.
This comment has been minimized.
Looks like just filtering out all the missing certs is fine. Code has been updated |
This comment has been minimized.
This comment has been minimized.
@erikbern Yeah, I just saw you commenting in a issue on similar subject. The code now appears to work, although I am having bad handshake for some reason. I can acess the website with selenium + firefox, but having a hard time with requests or selenium + phantomjs. Thanks you for the answer! |
This comment has been minimized.
This comment has been minimized.
@erikbern I am new to python and am trying to send a request using the client cert. You code helps me understand how to attach the pfx. One thing I am confused is what get_cert() is used for? and how do I call the method pfx_to_pem. Your quick response will help me. |
This comment has been minimized.
This comment has been minimized.
I am getting error something like this - "PermissionError: [Errno 13] Permission denied:", can you please help? |
This comment has been minimized.
This comment has been minimized.
@erikbern, |
This comment has been minimized.
This comment has been minimized.
Anyone get a ''tlsv1 alert unknown ca' error trying this? |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
Nice! Exactly what I'm looking for, thanks a lot man! If anyone's getting Permission denied or file not found error, and you're on Windows, you need to
|
This comment has been minimized.
This comment has been minimized.
@erikbern |
This comment has been minimized.
This comment has been minimized.
Thanks @erikbern! This has saved me a good bit of troubleshooting time trying to figure out why my requests weren't working :) |
This comment has been minimized.
This comment has been minimized.
So I got through the [Errno 13] issue (thanks @d1t69 for the heads up about delete=False), but it seems my credentials are being rejected. They work fine in Postman (Make the request, it asks me to pick my cert, then returns the info I need), so I assume something's going wrong with how it's translating the cert. I checked the contents of the generated .pem file, and the Certificate matches the .pem I used to make the .pfx file but the Key doesn't match the .key file (and trying to substitute that out for the original key gives an SSL Error about asn1 encoding issues). I also tried this method to no avail. Any insight would be greatly appreciated! |
This comment has been minimized.
This comment has been minimized.
@d1t69 would you mind posting your actual code adjustment I seem to be messing it up somewhere along the road |
This comment has been minimized.
This comment has been minimized.
@daultonoryan On Windows, all I had to do was change Line 11 to The file remains in the folder after the script runs if you leave it like this, so I guess either manually delete it or add a line to delete it after the loop wraps up to clean it out. |
This comment has been minimized.
This comment has been minimized.
@erikbern works great and nice simple example of the implementation. Thank you for sharing |
This comment has been minimized.
This comment has been minimized.
I combined this with a hider based on: (https://benkurtovic.com/2014/06/01/obfuscating-hello-world.html) that way at least the password is not there when you read the code
|
This comment has been minimized.
This comment has been minimized.
Is it correct usage? What will happen, if you will send 100k signed requests? |
This comment has been minimized.
This comment has been minimized.
This is a really nice workaround, but there is a library called requests_pkcs12 which does this job |
This comment has been minimized.
This comment has been minimized.
This was a huge help! Thank You. Worked perfectly for me. |
This comment has been minimized.
This comment has been minimized.
I am getting permission denier error upon executing this piece of code |
This comment has been minimized.
This comment has been minimized.
I am getting error something like this - "OpenSSL.SSL.Error: [('memory buffer routines', 'BUF_MEM_grow_clean', 'malloc failure'), ('SSL routines', 'read_state_machine', 'BUF lib')]", can you please help? This error occurs every 1 week, more or less. |
This comment has been minimized.
This comment has been minimized.
Thanks a lot |
This comment has been minimized.
This comment has been minimized.
Worked fine just about 5 months ago and now when I try to run my program I am getting an error 'certificate verify failed'. Can you please help?? Any suggestions? |
This comment has been minimized.
This comment has been minimized.
VOCÊ É UM ARROMBADO!!! Valeuuuuuuuu! |
This comment has been minimized.
This comment has been minimized.
With this technique, for me anyway, I'm able to decrypt a .pfx file without error, but then it fails authentication when submitting to the server per the example, even though the same .pfx file with same password submits fine via Postman. Don't know why it won't work, but I used these instructions to "decompose" the .pfx into a pair of .pem files, and those can be submitted directly from python requests. And with that technique, you only have to do it once, not on every request. |
This comment has been minimized.
This comment has been minimized.
It works on *nix machine but on Windows, it is giving error
|
This comment has been minimized.
This comment has been minimized.
For anyone having "Permission Denied" error, here is the fix (delete=False):
|
This comment has been minimized.
This comment has been minimized.
|
This comment has been minimized.
This only took me like three hours to figure out – posting it here in case it's useful to anyone else!