~mcepl/m2crypto#229: Using the Engine in an HTTPS Connection with a proxy.

Migrated from: https://gitlab.com/m2crypto/m2crypto/-/issues/229
Created by: None (@prolods)
Created at: 2018-08-24T08:15:20.564Z

Hi,

I'm trying to make a connection through an HTTP proxy to an HTTPS endpoint with client certificate authentication, where the certificate is on a smartcard.

Therefore I loaded a dynamic engine with a PKCS#11 module. (Worked fine, I can load the RSA private key and the X.509 cert.)
How do I integrate the SSL Engine into an HTTP lib to do requests?

So far, I tried to use the integrated httpslib:

# Imports the snippet relies on (not shown in the original):
from M2Crypto import Engine, httpslib

# Placeholder configuration; the real values were not part of the report.
ENGINE_PATH = '/path/to/engine_pkcs11.so'   # OpenSSL PKCS#11 engine shared object
MODULE_PATH = '/path/to/pkcs11-module.so'   # vendor PKCS#11 module for the smartcard
PIN = 'XXXX'
CERT = 'id_of_key_and_cert_on_token'        # engine object ID used for both key and cert
PROXY = 'proxy.example'
TARGET = 'https://target.example/'


def InitPKCS11Engine(id, enginePath, modulePath, pin):
    try:
        # Same steps as Engine.load_dynamic_engine(id, enginePath)
        Engine.load_dynamic()
        e = Engine.Engine('dynamic')
        e.ctrl_cmd_string('SO_PATH', enginePath)
        e.ctrl_cmd_string('ID', id)
        e.ctrl_cmd_string('LIST_ADD', '1')
        e.ctrl_cmd_string('LOAD', None)
        # engine_pkcs11 controls: location of the PKCS#11 module and the token PIN
        e.ctrl_cmd_string("MODULE_PATH", modulePath)
        e.ctrl_cmd_string("PIN", pin)
        e.init()
        e.set_default()
        return e
    except Exception as err:
        print(err)
        print(" Failed")


def getPKCS11PrivateKey(engine, pin):
    return engine.load_private_key(CERT, pin)


def getPKCS11Cert(engine):
    return engine.load_certificate(CERT)


if __name__ == '__main__':
    e = InitPKCS11Engine('pkcs11', ENGINE_PATH, MODULE_PATH, PIN)

    con = httpslib.ProxyHTTPSConnection(PROXY, 8080)
    con.putrequest("GET", TARGET)
    # endheaders() writes the request; as no socket exists yet, it opens the
    # proxy connection itself (CONNECT tunnel, then the TLS handshake).
    con.endheaders()
    # con.connect()  # was here in the report: a second connect() opens another
    #                # tunnel and replaces the socket that already holds the request
    res = con.getresponse()
    print(res)

Currently it tries to connect to the proxy twice... and I don't get why. Is there a way to integrate the M2Crypto.SSL.SSLContext into the requests or urllib3 library?

Thanks a lot in advance.

Cheers
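Why the script above reaches the proxy twice can be shown without M2Crypto, a proxy or a smartcard. M2Crypto's httpslib connection classes subclass the standard library's http.client.HTTPConnection, which opens its socket on demand the first time the request is written (endheaders()); an explicit connect() afterwards opens a second connection and simply overwrites the socket that already carries the request. The following is an added example, not code from the issue or from M2Crypto; it uses only the standard library, a fake socket in place of TCP, and a constructed HTTP/1.1 response.

```python
"""Demonstrate http.client's connect-on-demand behaviour and the effect of
calling connect() after the request has already been sent.

Added example (not from the issue or from M2Crypto). FakeSocket replaces a
real socket so that this runs offline; CONSTRUCTED_RESPONSE is made up here."""
import http.client
import io

CONSTRUCTED_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"


class FakeSocket:
    """Stand-in for socket.socket: records what was sent, replays a canned reply."""

    def __init__(self, response):
        self.sent = bytearray()
        self._rfile = io.BytesIO(response)

    def sendall(self, data):
        self.sent += data

    def makefile(self, mode, bufsize=None):
        # HTTPResponse reads the reply through sock.makefile("rb")
        return self._rfile

    def close(self):
        pass


class CountingConnection(http.client.HTTPConnection):
    """HTTPConnection whose connect() is counted instead of touching the network."""

    def __init__(self, host, port, response=CONSTRUCTED_RESPONSE):
        super().__init__(host, port)
        self.connects = 0
        self.sockets = []          # every socket connect() ever created, in order
        self._response = response

    def connect(self):
        self.connects += 1
        self.sock = FakeSocket(self._response)
        self.sockets.append(self.sock)


def request_then_connect(conn):
    """The order used in the issue: request first, explicit connect() afterwards."""
    conn.putrequest("GET", "/")
    conn.endheaders()   # sock is None, so http.client calls connect() here (auto_open)
    conn.connect()      # second connect(): a fresh socket replaces the one holding the GET
    return conn.connects


def request_only(conn):
    """Let endheaders() open the single connection and read the reply from it."""
    conn.putrequest("GET", "/")
    conn.endheaders()
    return conn.connects


def fetch(conn):
    """Read the response on the connection that actually carried the request."""
    resp = conn.getresponse()
    body = resp.read()
    return resp.status, body


if __name__ == "__main__":
    bad = CountingConnection("proxy.example", 8080)
    print("request_then_connect: connects =", request_then_connect(bad))
    print("  first socket got :", bytes(bad.sockets[0].sent).split(b"\r\n")[0])
    print("  second socket got:", bytes(bad.sockets[1].sent))   # nothing: the server never sees a request

    good = CountingConnection("proxy.example", 8080)
    print("request_only: connects =", request_only(good))
    print("  response:", fetch(good))
```

With the real ProxyHTTPSConnection the second socket is a second CONNECT tunnel and TLS handshake that never receives the GET, which is why the subsequent getresponse() waits on a server that has nothing to answer. Dropping the explicit connect() leaves a single tunnel.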

Status: REPORTED
Submitter: ~mcepl
Assigned to: No-one
Submitted: 7 months ago
Updated: 7 months ago
Labels: No labels applied.

~mcepl referenced this from #124 7 months ago

~mcepl referenced this from #136 7 months ago

~mcepl 7 months ago

On 2018-08-25T08:08:45.576Z, Matěj Cepl wrote:

Thank you very much for your report. The problem with the Engine is that I don't have any hardware, and I haven't figured out how to debug them at all. Therefore, I have to rely on contributors who have hardware to test the code for me, which is rather unpleasant. I am glad at least here we don't seem to have a problem with the hardware as such.

Concerning your issue with multiple connections, it is possible that you somehow got caught in the horrible mess of (not-)closing the HTTPS connection, which we tried to deal with in !188, but it has not been finished yet (any contributions are of course more than welcome). There is an extensive (may I say even exhaustive?) discussion in that merge request's comments.

Concerning requests and/or urllib3. There is nothing for that in M2Crypto, and given my general dislike of urllib3 particularly (which tends to do EVERYTHING their own way), I don't think I will ever make any effort to fix it. Of course, well tested and well coded merge requests with this functionality will be considered.

(Last edited at 2018-08-25T08:09:00.796Z.)

~mcepl 7 months ago

On 2018-08-27T07:17:59.248Z, None wrote:

Hi, after some fiddling, I got the m2urllib2 somewhat to work:

# Reuses InitPKCS11Engine() and the configuration constants from the first
# snippet (ENGINE_PATH = path to engine_pkcs11.so, MODULE_PATH, PIN, PROXY,
# TARGET); HOST is the target's hostname (placeholder).
import os
from M2Crypto import SSL, m2urllib2

HOST = 'target.example'

if __name__ == '__main__':
    e = InitPKCS11Engine('pkcs11', ENGINE_PATH, MODULE_PATH, PIN)
    # m2urllib2 picks the proxy up from the environment
    os.environ['http_proxy'] = PROXY + ':8080'
    os.environ['https_proxy'] = PROXY + ':8080'
    hdr = {'Host': HOST,
           'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0; Firefox 52.9.0 - 111712-1801120058-1.47',
           'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
           'Accept-Language': 'en-US,en;q=0.5',
           'Accept-Encoding': 'gzip, deflate',
           'DNT': '1',
           'Proxy-Authorization': "Basic XXXXXXXXXXXXXXXXXXXXXXXX",
           'Connection': 'close',
           'Upgrade-Insecure-Requests': '1',
           'Cache-Control': 'max-age=0'}

    # A default Context carries no client certificate or key, so the handshake
    # it drives offers none; the engine-loaded key/cert are never attached here.
    ctx = SSL.Context()
    req = m2urllib2.Request(TARGET, headers=hdr, method="GET")
    opener = m2urllib2.build_opener(ctx)
    m2urllib2.install_opener(opener)
    res = m2urllib2.urlopen(req)
    print(res.read())

Except it didn't use the client certificate in the TLS handshake:

[screenshot: Wireshark capture of the TLS handshake]

Now I'm not sure if it is an M2Crypto/OpenSSL/Engine bug, because I can't select the client certificate for the SSLContext (it only takes file paths) and it won't auto-select the correct certificate (like Java does). Is this a plib11 bug? What am I supposed to do?

I think the best long term solution would be adapting the M2Crypto SSLContext to the default SSLContext as referenced in https://gitlab.com/m2crypto/m2crypto/issues/136. That way M2Crypto could get a lot thinner and would need less modules. Unfortunately I'm only able to contribute in my spare time and the hardware belongs to a customer.

~mcepl 7 months ago

Changed on 2018-08-28T14:24:41.056Z by None:

mentioned in issue #193

~mcepl 7 months ago

On 2018-08-28T14:26:44.336Z, None wrote:

Might be related to https://gitlab.com/m2crypto/m2crypto/issues/124, because it is an ECC key on the smartcard.

~mcepl 7 months ago

Changed on 2018-10-02T11:57:39.947Z by Matěj Cepl:

changed milestone to 0.32

~mcepl 7 months ago

Changed on 2019-03-05T07:59:12.621Z by Matěj Cepl:

changed milestone to 0.33

~mcepl 7 months ago

Changed on 2019-04-26T14:28:47.422Z by Matěj Cepl:

changed milestone to 0.34

~mcepl 7 months ago

Changed on 2019-05-30T19:58:51.603Z by Matěj Cepl:

changed milestone to 0.35

(Last edited at 2019-05-30T19:58:51.608Z.)

~mcepl 7 months ago

Changed on 2019-06-08T06:32:45.001Z by Matěj Cepl:

changed milestone to 0.36

(Last edited at 2019-06-08T06:32:45.005Z.)

~mcepl 7 months ago

Changed on 2020-01-14T15:53:13.765Z by Matěj Cepl:

mentioned in issue #267

(Last edited at 2020-01-14T15:53:13.770Z.)

~mcepl 7 months ago

On 2023-03-09T07:24:11.549Z, commonism wrote:

Using M2Crypto to access keys via PKCS#11 and use them for SOAP operations using suds: https://gitlab.uni-hannover.de/koetter/python-dfnpki

It boils down to access the keys using an ENGINE and create an SSL CTX from it:

https://gitlab.uni-hannover.de/koetter/python-dfnpki/-/blob/master/lib/dfnpki/engine.py#L29 https://gitlab.uni-hannover.de/koetter/python-dfnpki/-/blob/master/lib/dfnpki/client.py#L67

For development you can use https://www.opendnssec.org/softhsm/

~mcepl referenced this from #267 7 months ago
