atlassian-api / atlassian-python-api

Atlassian Python REST API wrapper
https://atlassian-python-api.readthedocs.io
Apache License 2.0

Atlassian Python API for Bitbucket throws SSL Handshake Error even with a valid Bitbucket certificate added to Trust Store #1156

Open biju-techstack opened 1 year ago

biju-techstack commented 1 year ago

We have a self-hosted Bitbucket server running on AWS EC2.

I am trying to develop a Python tool to scan all our source code for sensitive data.

I am using the following code which basically consists of 3 steps:

  1. Connect to Bitbucket server and download SSL certificate
  2. Add certificate from step # 1 to Windows local store
  3. Use Atlassian Python API for Bitbucket to Access Bitbucket Projects and Repos

```python
import socket
import ssl

import win32crypt
from atlassian import Bitbucket

#################### 1. Connect to Bitbucket server and download SSL certificate ##########################

host = "bitbucket.myorg.com"
port = 443  # not defined in the original post; the HTTPS default is assumed
conn = socket.create_connection((host, port))
# This context performs no certificate verification; it is used only to fetch the server certificate
context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
sock = context.wrap_socket(conn, server_hostname=host)
certificate = ssl.DER_cert_to_PEM_cert(sock.getpeercert(True))
sock.close()

print(certificate)

#################### 2. Add certificate from step #1 to Windows local store ##########################

# Flag variables
CERT_STORE_PROV_SYSTEM = 0x0000000A
CERT_STORE_OPEN_EXISTING_FLAG = 0x00004000
CRYPT_STRING_BASE64HEADER = 0x00000000
CERT_SYSTEM_STORE_CURRENT_USER_ACCOUNT = 1 << 16
X509_ASN_ENCODING = 0x00000001
CERT_STORE_ADD_REPLACE_EXISTING = 3
CERT_CLOSE_STORE_FORCE_FLAG = 0x00000001

# Replace with your certificate file path
crtPath = "D:\\certificates\\cert_file.crt"

with open(crtPath, 'r') as f:
    cert_str = f.read()

# Decode the PEM text to DER bytes, then open the current user's ROOT store
cert_byte = win32crypt.CryptStringToBinary(cert_str, CRYPT_STRING_BASE64HEADER)[0]
store = win32crypt.CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, None, CERT_SYSTEM_STORE_CURRENT_USER_ACCOUNT | CERT_STORE_OPEN_EXISTING_FLAG, "ROOT")

try:
    store.CertAddEncodedCertificateToStore(X509_ASN_ENCODING, cert_byte, CERT_STORE_ADD_REPLACE_EXISTING)
finally:
    store.CertCloseStore(CERT_CLOSE_STORE_FORCE_FLAG)

#################### 3. Use Atlassian Python API for Bitbucket to Access Bitbucket Projects and Repos ###################

bitbucket = Bitbucket(
    url='https://bitbucket.myorg.com',
    username='admin',
    password='admin',
    verify_ssl=True)
```

When I run the above code, I get the following SSL handshake error:

requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)

A few points I'd like to highlight:

  1. I verified the downloaded certificate and it is very much valid
  2. I verified that step # 2 adds the certificate from # 1 to Windows trust store successfully as well
  3. I do NOT want to turn off ssl_verify
  4. Looks like Atlassian Python API is not able to recognize the downloaded certificate from the Windows trust store.
  5. If I turn off ssl_verify, step # 3 above is able to successfully access the Bitbucket projects and repo info - but I do NOT want to turn off ssl_verify due to security standards of my organization.

What am I missing here?

Spacetown commented 1 year ago

Python uses its own certificates. To use the system certificates you can run python3 -m pip install pip-system-certs.
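
Added example, not part of the thread or of the project's code: requests verifies against its bundled certifi CA file rather than the Windows store, so another way to keep verification on is to merge the organization's CA certificate into a private bundle and point `REQUESTS_CA_BUNDLE` at it. The function names and the sample PEM blocks are constructed for illustration; in real use the base text would be the certifi bundle and the extra certificate would be the issuing CA, obtained out-of-band.

```python
import hashlib
import os
import re
import ssl
import tempfile

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)

# Constructed stand-ins: PEM framing around placeholder bytes, not real certificates.
SAMPLE_PUBLIC = (ssl.DER_cert_to_PEM_cert(b"constructed public CA A")
                 + ssl.DER_cert_to_PEM_cert(b"constructed public CA B"))
SAMPLE_INTERNAL = ssl.DER_cert_to_PEM_cert(b"constructed internal CA")


def split_pem(text):
    """Return {SHA-256 of DER (hex): normalized PEM block} for each certificate."""
    certs = {}
    for block in PEM_BLOCK.findall(text):
        der = ssl.PEM_cert_to_DER_cert(block)  # ValueError on broken framing/base64
        certs[hashlib.sha256(der).hexdigest()] = ssl.DER_cert_to_PEM_cert(der)
    return certs


def build_bundle(base_pem, extra_pem, out_path):
    """Write base bundle plus extra certificates, deduplicated by fingerprint.

    Returns the fingerprints that were not already present in the base bundle.
    """
    base = split_pem(base_pem)
    extra = split_pem(extra_pem)
    if not extra:
        raise ValueError("no certificate found in extra_pem")
    added = [fp for fp in extra if fp not in base]
    merged = {**base, **extra}
    with open(out_path, "w", encoding="ascii") as f:
        f.write("".join(merged.values()))
    return added


if __name__ == "__main__":
    out = os.path.join(tempfile.mkdtemp(), "org-ca-bundle.pem")
    print("added fingerprints:", build_bundle(SAMPLE_PUBLIC, SAMPLE_INTERNAL, out))
    # requests consults this variable when verify is True, so verify_ssl=True stays on.
    os.environ["REQUESTS_CA_BUNDLE"] = out
    print("REQUESTS_CA_BUNDLE =", out)
```

Re-running the merge against an existing output file adds nothing, so it is safe to call at every start of the scanning tool.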