[Twisted-Python] twisted echo ssl client with .p12

Glyph glyph at twistedmatrix.com
Thu Mar 19 23:25:10 MDT 2015 

> On Mar 19, 2015, at 8:36 AM, Louis D. Burr <ldanielburr at me.com> wrote:
> 
> Hi Timothy,
> 
>> On Mar 19, 2015, at 9:56 AM, Timothy Gallagher <timothy.gallagher at nuspire.com <mailto:timothy.gallagher at nuspire.com>> wrote:
>> 
>> Hello all,
>> I have a project that requires client server with ssl/tls including client certificate authentication.  Also the a requirement is that the client needs to use a .p12 file to house its keys.  I have the server part and client part down except I cannot find any code examples using a .p12 file to get the certificates.  Can this be done without having to hack into the ssl.ClientConextFactory?
> 
> Maybe http://stackoverflow.com/questions/6345786/python-reading-a-pkcs12-certificate-with-pyopenssl-crypto <http://stackoverflow.com/questions/6345786/python-reading-a-pkcs12-certificate-with-pyopenssl-crypto> will be useful to you.  Twisted uses pyopenssl under the covers, so the solution exarkun posted to StackOverflow should be applicable.
> 
> Hope this helps,
> 
> - L. Daniel Burr

You definitely shouldn't use ssl.ClientContextFactory.  It doesn't verify certificates, or provide any authentication of the server.  We should really remove and deprecate it :-\.

You should use ssl.optionsForClientTLS, and you should build it like this:

import getpass

from OpenSSL.crypto import load_pkcs12
from twisted.internet.ssl import (
    PrivateCertificate, KeyPair, Certificate, optionsForClientTLS
)

from twisted.internet.protocol import Factory, Protocol
from twisted.internet.endpoints import SSL4ClientEndpoint
from twisted.internet.defer import inlineCallbacks, Deferred
from twisted.internet.task import react

@inlineCallbacks
def main(reactor, p12file, host, port=443):
    host = host.decode("utf-8")
    port = int(port)
    with open(p12file) as f:
        pkcs12 = load_pkcs12(f.read(), getpass.getpass())
        publicCertificate = Certificate(pkcs12.get_certificate())
        privateKey = KeyPair(pkcs12.get_privatekey())
        privateCertificate = PrivateCertificate.fromCertificateAndKeyPair(
            publicCertificate, privateKey
        )
    contextFactory = optionsForClientTLS(host,
                                         clientCertificate=privateCertificate)
    endpoint = SSL4ClientEndpoint(reactor, host, port, contextFactory)
    x = Deferred()
    class it(Protocol, object):
        def connectionMade(self):
            self.transport.write(b"GET / HTTP/1.1\r\n\r\n")
        def dataReceived(self, data):
            x.callback(Certificate.peerFromTransport(self.transport))
            self.transport.abortConnection()
    yield endpoint.connect(Factory.forProtocol(it))
    cert = yield x
    print(cert)

from sys import argv
react(main, argv[1:])

Hopefully that's a pretty complete answer :-).

-glyph
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/twisted-python/attachments/20150319/5d5edec5/attachment-0002.html>

More information about the Twisted-Python mailing list