> On Mar 19, 2015, at 8:36 AM, Louis D. Burr <ldanielb...@me.com> wrote:
>
> Hi Timothy,
>
>> On Mar 19, 2015, at 9:56 AM, Timothy Gallagher
>> <timothy.gallag...@nuspire.com <mailto:timothy.gallag...@nuspire.com>> wrote:
>>
>> Hello all,
>> I have a project that requires client server with ssl/tls including client
>> certificate authentication. Also the a requirement is that the client needs
>> to use a .p12 file to house its keys. I have the server part and client
>> part down except I cannot find any code examples using a .p12 file to get
>> the certificates. Can this be done without having to hack into the
>> ssl.ClientConextFactory?
>
> Maybe
> http://stackoverflow.com/questions/6345786/python-reading-a-pkcs12-certificate-with-pyopenssl-crypto
>
> <http://stackoverflow.com/questions/6345786/python-reading-a-pkcs12-certificate-with-pyopenssl-crypto>
> will be useful to you. Twisted uses pyopenssl under the covers, so the
> solution exarkun posted to StackOverflow should be applicable.
>
> Hope this helps,
>
> - L. Daniel Burr
You definitely shouldn't use ssl.ClientContextFactory. It doesn't verify
certificates, or provide any authentication of the server. We should really
remove and deprecate it :-\.
You should use ssl.optionsForClientTLS, and you should build it like this:
import getpass
from OpenSSL.crypto import load_pkcs12
from twisted.internet.ssl import (
PrivateCertificate, KeyPair, Certificate, optionsForClientTLS
)
from twisted.internet.protocol import Factory, Protocol
from twisted.internet.endpoints import SSL4ClientEndpoint
from twisted.internet.defer import inlineCallbacks, Deferred
from twisted.internet.task import react
@inlineCallbacks
def main(reactor, p12file, host, port=443):
host = host.decode("utf-8")
port = int(port)
with open(p12file) as f:
pkcs12 = load_pkcs12(f.read(), getpass.getpass())
publicCertificate = Certificate(pkcs12.get_certificate())
privateKey = KeyPair(pkcs12.get_privatekey())
privateCertificate = PrivateCertificate.fromCertificateAndKeyPair(
publicCertificate, privateKey
)
contextFactory = optionsForClientTLS(host,
clientCertificate=privateCertificate)
endpoint = SSL4ClientEndpoint(reactor, host, port, contextFactory)
x = Deferred()
class it(Protocol, object):
def connectionMade(self):
self.transport.write(b"GET / HTTP/1.1\r\n\r\n")
def dataReceived(self, data):
x.callback(Certificate.peerFromTransport(self.transport))
self.transport.abortConnection()
yield endpoint.connect(Factory.forProtocol(it))
cert = yield x
print(cert)
from sys import argv
react(main, argv[1:])
Hopefully that's a pretty complete answer :-).
-glyph
_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python