Hi Pascal,
----- Original Message -----
From: "Pascal Jakobi" <pascal.jakobi(a)gmail.com>
To: pki-users(a)redhat.com
Sent: Monday, June 29, 2020 6:29:32 PM
Subject: [Pki-users] Python programming against dogtag
I created the following python test script.
import requests
import json
url = "https://zbook.home:8443/ca/rest/agent/certrequests"
headers = {'Accept': 'application/json'}
certfile='/etc/pki/tls/certs/ca_admin_cert.crt.pem'
keyfile='/etc/pki/tls/private/ca_admin_cert.key.pem'
# verify=False turns off checking of the server certificate (the curl -k behaviour)
r = requests.request("GET", url, headers=headers, verify=False,
                     cert=(certfile, keyfile))
print('DEBUG {}'.format(r.status_code))
print('DEBUG {}'.format(r.json()))
It works fine against dogtag. However, it will fail if verify is set to
True.
So how can I enable SSL verification? In other terms, what's the
equivalent to the "-k" switch from curl?
There are three ways to go about this. verify _technically_ takes a path
argument, which allows you to pass a specific certificate/chain, and
use that to validate the certificate. Something like:
requests.request("GET", url, headers=headers, cert=(certfile, keyfile),
verify="/path/to/ca_root.crt")
This is documented here:
https://requests.readthedocs.io/en/master/user/advanced/#ssl-cert-verific...
What we use in Dogtag is a custom adapter, using Python's SSL library and
its certificate verification/loading mechanisms. This is more involved,
but you can see what we do here:
https://github.com/dogtagpki/pki/blob/master/base/common/python/pki/clien...
https://github.com/dogtagpki/pki/blob/master/base/common/python/pki/clien...
This is also documented here:
https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_verify_loc...
https://requests.readthedocs.io/en/master/user/advanced/#transport-adapters
Lastly, you could just reuse PKIConnection on Dogtag >= 10.9.0 :-)
from pki.client import PKIConnection
conn = PKIConnection(protocol='https', hostname='zbook.home',
port='8443',
cert_paths='/path/to/ca_root.crt')
conn.set_authentication_cert(certfile, keyfile)
r = conn.get('/ca/rest/agent/certrequests')  # likewise conn.put, conn.post, ...; path taken from the script above
HTH,
- Alex
Thanks in advance
--
*Pascal Jakobi*
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
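An added example, not from this thread and not Dogtag's own client code: the SSLContext half of Alex's second option (the "Python's SSL library and its certificate verification/loading mechanisms" route), done with the standard library's ssl and http.client modules instead of a requests transport adapter, so it runs without requests installed. The hostname, port, URL path and certificate file paths in the usage block are assumptions copied from Pascal's script; the CA bundle path is assumed too. Passing a CA bundle here is the same thing requests does internally for verify="/path/to/ca_root.crt".

```python
import http.client
import json
import ssl


def make_verified_context(ca_bundle=None, client_cert=None, client_key=None):
    """Build an SSLContext that validates the server like curl without -k.

    ca_bundle:  PEM file holding the CA that issued the server certificate
                (e.g. Dogtag's CA signing cert); None uses the platform store.
    client_cert/client_key: PEM agent certificate and key for client auth,
                the equivalent of requests' cert=(certfile, keyfile).
    A missing ca_bundle raises FileNotFoundError rather than silently
    falling back to the system store.
    """
    # create_default_context() already selects CERT_REQUIRED, hostname
    # checking and sane protocol defaults; cafile replaces the default store.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must validate
    ctx.check_hostname = True             # SAN/CN must match the host we dial
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def make_insecure_context():
    """What verify=False (or curl -k) amounts to: no chain or hostname check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx):
    """Summarise the two settings that decide whether the server is checked."""
    return {"verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname}


def get_json(hostname, port, path, ctx, accept="application/json"):
    """GET `path` over TLS using `ctx`; return (status, parsed JSON or None)."""
    conn = http.client.HTTPSConnection(hostname, port, context=ctx, timeout=30)
    try:
        conn.request("GET", path, headers={"Accept": accept})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    return resp.status, (json.loads(body) if body else None)


if __name__ == "__main__":
    # Assumed values, taken from the script in the thread; ca_root.crt is an
    # assumed path to the Dogtag CA signing certificate in PEM form.
    ctx = make_verified_context(
        ca_bundle="/path/to/ca_root.crt",
        client_cert="/etc/pki/tls/certs/ca_admin_cert.crt.pem",
        client_key="/etc/pki/tls/private/ca_admin_cert.key.pem",
    )
    status, data = get_json("zbook.home", 8443, "/ca/rest/agent/certrequests", ctx)
    print("DEBUG {}".format(status))
    print("DEBUG {}".format(data))
```

If the handshake fails with a CERTIFICATE_VERIFY_FAILED error, the bundle does not contain the CA that issued the server certificate; if it fails on the hostname, the name you dial is not in the certificate's SANs. Either way, fix the bundle or the name rather than falling back to make_insecure_context(), which exists here only to show what verify=False gives up.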