Migrated from: https://gitlab.com/m2crypto/m2crypto/-/issues/229
Created by: None (@prolods)
Created at: 2018-08-24T08:15:20.564Z
Hi,
I'm trying to make a connection through an HTTP proxy to an HTTPS endpoint with client certificate authentication, where the certificate is on a smartcard.
Therefore I loaded a dynamic engine with a PKCS#11 module. (Worked fine, I can load the RSA private key and the X.509 cert.)
How do I integrate the SSL Engine into an HTTP lib to do requests?
So far, I tried to use the integrated httpslib:
```python
from M2Crypto import Engine, httpslib

# CERT (the PKCS#11 object id/label), engine (path to the PKCS#11 engine
# shared object), MODULE_PATH, PIN, PROXY and TARGET are configuration
# values that are not shown in the post.


def InitPKCS11Engine(id, enginePath, modulePath, pin):
    try:
        Engine.load_dynamic()
        e = Engine.Engine('dynamic')
        e.ctrl_cmd_string('SO_PATH', enginePath)
        e.ctrl_cmd_string('ID', id)
        e.ctrl_cmd_string('LIST_ADD', '1')
        e.ctrl_cmd_string('LOAD', None)
        e.ctrl_cmd_string("MODULE_PATH", modulePath)
        e.ctrl_cmd_string("PIN", pin)
        e.init()
        e.set_default()
        return e
    except Exception as err:
        print(err)
        print(" Failed")


def getPKCS11PrivateKey(engine, pin):
    return engine.load_private_key(CERT, pin)


def getPKCS11Cert(engine):
    return engine.load_certificate(CERT)


if __name__ == '__main__':
    e = InitPKCS11Engine('pkcs11', engine, MODULE_PATH, PIN)
    # No ssl_context is passed, so the connection gets a default SSL.Context
    # that does not contain the engine-loaded key and certificate.
    con = httpslib.ProxyHTTPSConnection(PROXY, 8080)
    con.putrequest("GET", TARGET)
    # endheaders() sends the buffered request; because no socket exists yet,
    # http.client calls connect() itself at this point.
    con.endheaders()
    # A second, explicit connect() after the request has already been sent.
    con.connect()
    res = con.getresponse()
    print(res)
```
Currently it tries to connect to the proxy twice... and I don't get why. Is there a way to integrate the M2Crypto.SSL.SSLContext into the requests or urllib3 library?
Thanks a lot in advance.
Cheers
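The double connect from the snippet above, reproduced with plain `http.client` (the base class M2Crypto's httpslib connections inherit from) as an added example that is not part of the original post: `endheaders()` already opens the connection when no socket exists, so the explicit `connect()` that follows opens a second one. The TCP socket is replaced by an in-memory fake and the proxy and target names are constructed placeholders.

```python
import http.client


class _FakeSocket:
    """Stands in for the TCP socket to the proxy; records what is written."""

    def __init__(self):
        self.sent = bytearray()

    def sendall(self, data):
        self.sent.extend(data)

    def close(self):
        pass


class CountingConnection(http.client.HTTPConnection):
    """HTTPConnection whose connect() counts calls instead of opening TCP."""

    def __init__(self, host, port):
        super().__init__(host, port)
        self.connect_calls = 0
        self.sockets = []

    def connect(self):
        self.connect_calls += 1
        self.sock = _FakeSocket()          # a fresh socket on every call
        self.sockets.append(self.sock)


PROXY = "proxy.example.invalid"             # constructed placeholder
TARGET = "https://target.example.invalid/"  # constructed placeholder


def issue_order():
    """putrequest -> endheaders -> connect, the order used in the report."""
    con = CountingConnection(PROXY, 8080)
    con.putrequest("GET", TARGET)
    con.endheaders()   # send() finds sock is None and calls connect() itself
    con.connect()      # explicit second connect: the request already sent
                       # is stranded on the first socket, the new one is empty
    return con.connect_calls, len(con.sockets[0].sent) > 0, len(con.sock.sent)


def single_connect_order():
    """Let endheaders() open the connection (or call connect() once, first)."""
    con = CountingConnection(PROXY, 8080)
    con.putrequest("GET", TARGET)
    con.endheaders()
    return con.connect_calls, len(con.sock.sent) > 0
```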
On 2018-08-25T08:08:45.576Z, Matěj Cepl wrote:
Thank you very much for your report. The problem with the Engine is that I don't have any hardware, and I haven't figured out how to debug them at all. Therefore, I have to rely on contributors who have hardware to test the code for me, which is rather unpleasant. I am glad at least here we don't seem to have a problem with the hardware as such.
Concerning your issue with multiple connections, it is possible that you somehow got caught in the horrible mess of (not-)closing of the HTTPS connection, which we tried to deal with in !188, but it has not been finished yet (any contributions are of course more than welcome). There is an extensive (may I say even exhaustive?) discussion in that merge request's comments.
Concerning requests and/or urllib3: there is nothing for that in M2Crypto, and given my general dislike of urllib3 particularly (which tends to do EVERYTHING their own way), I don't think I will ever make any effort to fix it. Of course, well tested and well coded merge requests with this functionality will be considered.
(Last edited at 2018-08-25T08:09:00.796Z.)
On 2018-08-27T07:17:59.248Z, None wrote:
Hi, after some fiddling, I got the m2urllib2 somewhat to work:
```python
from M2Crypto import SSL, m2urllib2

# InitPKCS11Engine and the configuration values engine, MODULE_PATH, PIN,
# PROXY, TARGET and HOST come from the first snippet / the poster's setup
# and are not shown here.

if __name__ == '__main__':
    e = InitPKCS11Engine('pkcs11', engine, MODULE_PATH, PIN)
    import os
    os.environ['http_proxy'] = PROXY + ':8080'
    os.environ['https_proxy'] = PROXY + ':8080'
    hdr = {'Host': HOST,
           'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0; Firefox 52.9.0 - 111712-1801120058-1.47',
           'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
           'Accept-Language': 'en-US,en;q=0.5',
           'Accept-Encoding': 'gzip, deflate',
           'DNT': '1',
           'Proxy-Authorization': "Basic XXXXXXXXXXXXXXXXXXXXXXXX",
           'Connection': 'close',
           'Upgrade-Insecure-Requests': '1',
           'Cache-Control': 'max-age=0'}
    # A fresh context: no certificate or private key is loaded into it, so
    # the TLS handshake has no client certificate to offer.
    ctx = SSL.Context()
    req = m2urllib2.Request(TARGET, headers=hdr, method="GET")
    opener = m2urllib2.build_opener(ctx)
    m2urllib2.install_opener(opener)
    res = m2urllib2.urlopen(req)
    print(res.read())
```
Except it didn't use the client certificate in the TLS handshake:
Now I'm not sure if it is an M2Crypto/OpenSSL/Engine bug, because I can't select the client certificate for the SSLContext (it only takes file paths) and it won't auto-select the correct certificate (like Java does). Is this a plib11 bug? What am I supposed to do?
I think the best long term solution would be adapting the M2Crypto SSLContext to the default SSLContext as referenced in https://gitlab.com/m2crypto/m2crypto/issues/136. That way M2Crypto could get a lot thinner and would need less modules. Unfortunately I'm only able to contribute in my spare time and the hardware belongs to a customer.
Changed on 2018-08-28T14:24:41.056Z by None:
mentioned in issue #193
On 2018-08-28T14:26:44.336Z, None wrote:
Might be related to https://gitlab.com/m2crypto/m2crypto/issues/124. Because it is a ECC key on the smartcard.
Changed on 2018-10-02T11:57:39.947Z by Matěj Cepl:
changed milestone to 0.32
Changed on 2019-03-05T07:59:12.621Z by Matěj Cepl:
changed milestone to 0.33
Changed on 2019-04-26T14:28:47.422Z by Matěj Cepl:
changed milestone to 0.34
Changed on 2019-05-30T19:58:51.603Z by Matěj Cepl:
changed milestone to 0.35
(Last edited at 2019-05-30T19:58:51.608Z.)
Changed on 2019-06-08T06:32:45.001Z by Matěj Cepl:
changed milestone to 0.36
(Last edited at 2019-06-08T06:32:45.005Z.)
Changed on 2020-01-14T15:53:13.765Z by Matěj Cepl:
mentioned in issue #267
(Last edited at 2020-01-14T15:53:13.770Z.)
On 2023-03-09T07:24:11.549Z, commonism wrote:
Using M2Crypto to access keys via PKCS11 and use them for SOAP operations using suds: https://gitlab.uni-hannover.de/koetter/python-dfnpki
It boils down to accessing the keys using an ENGINE and creating an SSL CTX from it:
https://gitlab.uni-hannover.de/koetter/python-dfnpki/-/blob/master/lib/dfnpki/engine.py#L29 https://gitlab.uni-hannover.de/koetter/python-dfnpki/-/blob/master/lib/dfnpki/client.py#L67
For development you can use https://www.opendnssec.org/softhsm/