GitLocker: The Coding Marketplace

Description:

aia 0.2.0

AIA Chasing in Python
This library was built as a workaround to the CPython
issue 18617
(AIA chasing for missing intermediate certificates on TLS connections)
regarding SSL/TLS.
Why a session?
That's not really a session in the HTTP sense,
it's just a way to cache the downloaded certificates in memory,
so one doesn't need to validate the same certificate more than once.
How does it get the certificate chain?
It gets the whole chain
from the AIA (Authority Information Access) extension
of each certificate,
and gets the root certificate locally, from the system.
How does it validate the certificate chain?
Through OpenSSL, which must be installed as an external dependency.
When should I use it?
Ideally, never, but that might not be an option.
When the web server configuration
doesn't include the entire chain (apart from the root certificate),
there are only two "options":
ignore the certificate (not secure)
or get the intermediary certificates in the chain through AIA
(that's why this small library was written).
How to install
Anywhere, assuming OpenSSL is already installed:
pip install aia

For system installation in Arch Linux, there's also the
python-aia
package in AUR.
How to use it?
For simple requests on HTTPS, there's a straightforward way based
on the standard library urllib.request.urlopen.
from aia import AIASession
aia_session = AIASession()

# A GET result (only if status was 200), as bytes
content = aia_session.download("https://...")

# Return a `http.client.HTTPResponse` object, like `urllib.request.urlopen`
response = aia_session.urlopen("https://...")

# Indirectly, the same above
from urllib.request import urlopen
url = "https://..."
context = aia_session.ssl_context_from_url(url)
response = urlopen(url, context=context)

The context methods also helps when working with HTTP client libraries.
For example, with requests:
from tempfile import NamedTemporaryFile
from aia import AIASession
import requests

aia_session = AIASession()
url = "https://..."
cadata = aia_session.cadata_from_url(url) # Validated PEM certificate chain
with NamedTemporaryFile("w") as pem_file:
pem_file.write(cadata)
pem_file.flush()
resp = requests.get(url, verify=pem_file.name)

With httpx in synchronous code
it's really straightforward, since it accepts the SSLContext instance:
from aia import AIASession
import httpx

aia_session = AIASession()
url = "https://..."
context = aia_session.ssl_context_from_url(url)
resp = httpx.get(url, verify=context)

The certificate fetching part of this library and the OpenSSL call
are blocking, so this library is still not prepared
for asynchronous code.
But one can easily make some workaround to use it, for example with
tornado.httpclient
or with the already seen httpx, using asyncio:
import asyncio
from functools import partial
from aia import AIASession

async def get_context(aia_session, url, executor=None):
return await asyncio.get_event_loop().run_in_executor(
executor,
partial(aia_session.ssl_context_from_url, url),
)

# Tornado version
from tornado.httpclient import AsyncHTTPClient

async def download_tornado_async(url):
aia_session = AIASession()
context = await get_context(aia_session, url)
client = AsyncHTTPClient()
try:
resp = await client.fetch(url, ssl_options=context)
return resp.body
finally:
client.close()

result = asyncio.run(download_tornado_async("https://..."))

# httpx version
import httpx

async def download_httpx_async(url):
aia_session = AIASession()
context = await get_context(aia_session, url)
async with httpx.AsyncClient(verify=context) as client:
resp = await client.get(url)
return resp.content

result = asyncio.run(download_httpx_async("https://..."))