AIA chasing through OpenSSL for TLS certificate chain building and verifying
Project description
AIA Chasing in Python
This library was built as a workaround to the CPython issue 18617 (AIA chasing for missing intermediate certificates on TLS connections) regarding SSL/TLS.
Why a session? That's not really a session in the HTTP sense, it's just a way to cache the downloaded certificates in memory, so one doesn't need to validate the same certificate more than once.
How does it get the certificate chain? It gets the whole chain from the AIA (Authority Information Access) extension of each certificate, and gets the root certificate locally, from the system.
How does it validate the certificate chain? Through OpenSSL, which must be installed as an external dependency.
When should I use it? Ideally, never, but that might not be an option. When the web server configuration doesn't include the entire chain (apart from the root certificate), there are only two "options": ignore the certificate (not secure) or get the intermediary certificates in the chain through AIA (that's why this small library was written).
How to install
Anywhere, assuming OpenSSL is already installed:
pip install aia
For system installation in Arch Linux, there's also the python-aia package in AUR.
How to use it?
For simple requests on HTTPS, there's a straightforward way based
on the standard library urllib.request.urlopen
.
from aia import AIASession
aia_session = AIASession()
# A GET result (only if status was 200), as bytes
content = aia_session.download("https://...")
# Return a `http.client.HTTPResponse` object, like `urllib.request.urlopen`
response = aia_session.urlopen("https://...")
# Indirectly, the same above
from urllib.request import urlopen
url = "https://..."
context = aia_session.ssl_context_from_url(url)
response = urlopen(url, context=context)
The context methods also helps when working with HTTP client libraries.
For example, with requests
:
from tempfile import NamedTemporaryFile
from aia import AIASession
import requests
aia_session = AIASession()
url = "https://..."
cadata = aia_session.cadata_from_url(url) # Validated PEM certificate chain
with NamedTemporaryFile("w") as pem_file:
pem_file.write(cadata)
pem_file.flush()
resp = requests.get(url, verify=pem_file.name)
With httpx
in synchronous code
it's really straightforward, since it accepts the SSLContext
instance:
from aia import AIASession
import httpx
aia_session = AIASession()
url = "https://..."
context = aia_session.ssl_context_from_url(url)
resp = httpx.get(url, verify=context)
The certificate fetching part of this library and the OpenSSL call
are blocking, so this library is still not prepared
for asynchronous code.
But one can easily make some workaround to use it, for example with
tornado.httpclient
or with the already seen httpx
, using asyncio
:
import asyncio
from functools import partial
from aia import AIASession
async def get_context(aia_session, url, executor=None):
return await asyncio.get_event_loop().run_in_executor(
executor,
partial(aia_session.ssl_context_from_url, url),
)
# Tornado version
from tornado.httpclient import AsyncHTTPClient
async def download_tornado_async(url):
aia_session = AIASession()
context = await get_context(aia_session, url)
client = AsyncHTTPClient()
try:
resp = await client.fetch(url, ssl_options=context)
return resp.body
finally:
client.close()
result = asyncio.run(download_tornado_async("https://..."))
# httpx version
import httpx
async def download_httpx_async(url):
aia_session = AIASession()
context = await get_context(aia_session, url)
async with httpx.AsyncClient(verify=context) as client:
resp = await client.get(url)
return resp.content
result = asyncio.run(download_httpx_async("https://..."))
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file aia-0.2.0.tar.gz
.
File metadata
- Download URL: aia-0.2.0.tar.gz
- Upload date:
- Size: 7.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.4.2 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.9.7
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | cdc09ecb8de9004fa9f399e4d41ed0c029947651c8466af02e6f08305f880672 |
|
MD5 | 185c3563230dee0b362d7782df42c52d |
|
BLAKE2b-256 | 9623dede6bbc91c9334501762995bd817228ee5edc4f7f4a09b616519260ee46 |
File details
Details for the file aia-0.2.0-py3-none-any.whl
.
File metadata
- Download URL: aia-0.2.0-py3-none-any.whl
- Upload date:
- Size: 7.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.4.2 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.9.7
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 1bcd020f2d3b11792e86b24f9686616e753ad83f7347a2872c13ad0ce47747e7 |
|
MD5 | 71ba1eb998912338c7af442eb891b3c4 |
|
BLAKE2b-256 | 3e5c621da51ea01d34d0b940b26f8a34b7b68096c192d01c38bf672498c234f9 |