Python requests CA certificates as a string

Question

Currently we're using an approach of putting CA Certificates on the server to access third party APIs.

certificate_path = os.path.join(CERT_PATH, 'cacert.pem')
certificate_key_path = os.path.join(CERT_PATH, 'cacert.key')
response = requests.get(url, cert=(certificate_path, certificate_key_path))

This works,But we're looking for instead of storing CA certificates on the server, store in the Accounts Table in the database for security purposes (security cause raised by Customer).

So the questions are:

Is there any approach we can directly pass CA cert's string to the requests directly (other than writing content in to a temp file)?
Is any other http python module support passing CA cert's string in the http get/post request?
Is there any other approach we should use instead of storing them in the database and on the server?

Read about _Lower-Lower-Level Classes_ of `requests` or use `io.BufferIO(...` — stovfl, Jul 31 '17 at 18:28

greenbender · Answer 1 · 2020-11-01T08:48:06.573

The example you have provided is passing a client-side cert as shown in the requests documentation.

As it stands there is no way to pass the client cert and key in memory (or as a string).

Monkey patching to the rescue - by monkey patching requests you can add the ability to load client certs and keys from memory. The following patch enables passing in a client cert and key in a variety formats without breaking the existing functionality.

import requests
from OpenSSL.crypto import PKCS12, X509, PKey


def _is_key_file_encrypted(keyfile):
    '''In memory key is not encrypted'''
    if isinstance(keyfile, PKey):
        return False
    return _is_key_file_encrypted.original(keyfile)


class PyOpenSSLContext(requests.packages.urllib3.contrib.pyopenssl.PyOpenSSLContext):
    '''Support loading certs from memory'''
    def load_cert_chain(self, certfile, keyfile=None, password=None):
        if isinstance(certfile, X509) and isinstance(keyfile, PKey):
            self._ctx.use_certificate(certfile)
            self._ctx.use_privatekey(keyfile)
        else:
            super().load_cert_chain(certfile, keyfile=keyfile, password=password)


class HTTPAdapter(requests.adapters.HTTPAdapter):
    '''Handle a variety of cert types'''
    def cert_verify(self, conn, url, verify, cert):
        if cert:
            # PKCS12
            if isinstance(cert, PKCS12):
                conn.cert_file = cert.get_certificate()
                conn.key_file = cert.get_privatekey()
                cert = None
            elif isinstance(cert, tuple) and len(cert) == 2:
                # X509 and PKey
                if isinstance(cert[0], X509) and hasattr(cert[1], PKey):
                    conn.cert_file = cert[0]
                    conn.key_file = cert[1]
                    cert = None
                # cryptography objects
                elif hasattr(cert[0], 'public_bytes') and hasattr(cert[1], 'private_bytes'):
                    conn.cert_file = X509.from_cryptography(cert[0])
                    conn.key_file = PKey.from_cryptography_key(cert[1])
                    cert = None
        super().cert_verify(conn, url, verify, cert)


def patch_requests(adapter=True):
    '''You can perform a full patch and use requests as usual:

    >>> patch_requests()
    >>> requests.get('https://httpbin.org/get')

    or use the adapter explicitly:

    >>> patch_requests(adapter=False)
    >>> session = requests.Session()
    >>> session.mount('https', HTTPAdapter())
    >>> session.get('https://httpbin.org/get')
    '''
    if hasattr(requests.packages.urllib3.util.ssl_, '_is_key_file_encrypted'):
        _is_key_file_encrypted.original = requests.packages.urllib3.util.ssl_._is_key_file_encrypted
        requests.packages.urllib3.util.ssl_._is_key_file_encrypted = _is_key_file_encrypted
    requests.packages.urllib3.util.ssl_.SSLContext = PyOpenSSLContext
    if adapter:
        requests.sessions.HTTPAdapter = HTTPAdapter

To use the patch you can do something like the following (assume the above code is in a file called patch.py)

import os
import requests
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from patch import patch_requests


CLIENT_CERT = serialization.load_pem_x509_certificate(
    os.getenv('CLIENT_CERT'), default_backend())
CLIENT_KEY = serialization.load_pem_private_key(
    os.getenv('CLIENT_KEY'), None, default_backend())


# monkey patch load_cert_chain to allow loading
# cryptography certs and keys from memory
patch_requests()


response = requests.get(url, cert=(CLIENT_CERT, CLIENT_KEY))

You now have the ability to supply a client cert to requests in memory in as pyopenssl object(s) or cryptography objects.

Added `_is_key_file_encrypted()` to patch to support `requests` using `urllib3 >= 1.25` — greenbender, Nov 01 '20 at 10:22
Able to load load_pem_x509_certificate from x509 as it was not available under serialization. Getting "400 The SSL certificate error" error. Not sure why this is coming. Any help is appreciated. — Reyan Chougle, Aug 01 '22 at 06:15

score 6 · Answer 2 · answered Oct 04 '17 at 17:01

6

There is a way to do it via temp files, like this:

cert = tempfile.NamedTemporaryFile(delete=False)
cert.write(CERTIFICATE_AS_STRING)
cert.close()
requests.get(url, cert=cert.name, verify=True)
os.unlink(cert.name)

If you'd like to know why this is potentially unsecure, check out my answer here: https://stackoverflow.com/a/46570264/6445270

answered Oct 04 '17 at 17:01

Dmitry Orlov

454
6
14

Sorry removing from Accepted answer. As you know, temp files are potentially insecure. And we were looking for a better approach for security purposes only. Accepting KaurJ's answer as to its more convincing. I had clearly asked in the question for an approach other than writing content into a temp file. – Laxmikant Ratnaparkhi Jul 12 '19 at 10:13

score 4 · Accepted Answer · answered Jul 10 '19 at 14:15

4

If one wants to do this without using temporary file, it is possible by overriding the requests SSLContext. Sample can be seen in this answer.

answered Jul 10 '19 at 14:15

Kaur J

96
3

Exactly, this is what I was looking when the question was asked. – Laxmikant Ratnaparkhi Jul 12 '19 at 10:03
1

This approach works, however, it has the downside of adding your client-side cert to *every* request made by the requests library in your process. If you want to supply a client-side cert in memory per request or per session see my [answer](https://stackoverflow.com/a/63353645/3243889) – greenbender Aug 27 '20 at 23:40

score 3 · Answer 4 · answered Apr 11 '22 at 12:27

I took a different approach and used the init_poolmanager to set the ssl context. I avoid patching, so it will only work with Session objects.

E.x.:

#pip install requests pyOpenSSL

import OpenSSL
import requests
import requests.hooks
from urllib3 import Retry
from urllib3.contrib.pyopenssl import PyOpenSSLContext
from urllib3.util.ssl_ import create_urllib3_context


class ClientSideCertificateHTTPAdapter(requests.adapters.HTTPAdapter):
    DEFAULT_PROTOCOL = create_urllib3_context().protocol

    def __init__(self, *args, cert, key, protocol=DEFAULT_PROTOCOL, **kwargs):
        self._cert = cert
        self._key = key
        self._protocol = protocol
        super().__init__(*args, **kwargs)


    def init_poolmanager(self, *args, **kwargs):
        ctx = PyOpenSSLContext(self._protocol)
        kwargs["ssl_context"] = ctx
        ctx._ctx.use_certificate(self._cert)
        ctx._ctx.use_privatekey(self._key)
        return super().init_poolmanager(*args, **kwargs)


def main():
    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, "-----BEGIN CERTIFICATE----- MIIDnjC....cUkiz -----END CERTIFICATE-----")
    key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, "-----BEGIN CERTIFICATE----- MIIDnjC....cUkiz -----END CERTIFICATE-----", b"passphrase_goes_here")

    adapter = ClientSideCertificateHTTPAdapter(cert=cert, key=key, max_retries=Retry(total=10, backoff_factor=0.5))
    session = requests.Session()
    session.mount("https://www.hotmail.com/", adapter)
    session.get("https://www.hotmail.com/api/v2/mail")


if __name__ == "__main__":
    main()

Nice solution, but starting with `urllib3` release `1.26.12` this will give a deprecation warning `'urllib3.contrib.pyopenssl' module is deprecated and will be removed in a future release of urllib3 2.x. Read more in this issue: https://github.com/urllib3/urllib3/issues/2680`. Use `1.26.11` to avoid the warning message. — johlo, Oct 21 '22 at 09:27
@johlo It should be easy to just use OpenSSL directly, as PyOpenSSLContext comment in file is: " I am a wrapper class for the PyOpenSSL ``Context`` object. I am responsible for translating the interface of the standard library ``SSLContext`` object to calls into PyOpenSSL." and `__init__` is basically `self._ctx = OpenSSL.SSL.Context(self.protocol)` — Patrick Mevzek, Feb 09 '23 at 22:54

Python requests CA certificates as a string

4 Answers4

Linked

Related