hbldh / pybankid
BankID Relying Party client for Python
Home Page: https://pybankid.readthedocs.io
License: MIT License
Pybankid seems to be using an outdated certificate (https://www.bankid.com/assets/bankid/rp/FPTestcert3_20200618.p12), while the current one is https://www.bankid.com/assets/bankid/rp/FPTestcert4_20220818.p12.
I will try to provide a PR shortly.
Opening an issue since I don't see any development/discussion on upgrading to v. 6.0 which was released May 2023.
I was planning to start working on that, and I was wondering if anyone has already started or has any ideas so we can sync with each other.
The connections to the production and test environments use unverified SSL. This means a MITM attack can easily take over traffic, despite SSL.
Offending code resides in the RequestsTransport class. verify should not be False.
# Methods of the RequestsTransport class (Python 2 era). The two verify=False
# calls are the reported defect and are kept exactly as they are in the library.
import StringIO

import requests
from suds.transport import Reply


def open(self, request):
    """Fetches the WSDL specification using certificates."""
    self.addcredentials(request)
    resp = requests.get(request.url, data=request.message,
                        headers=request.headers,
                        cert=self.cert, verify=False)  # server certificate is never checked
    result = StringIO.StringIO(resp.content.decode('utf-8'))
    return result


def send(self, request):
    """Posts to SOAP service using certificates."""
    self.addcredentials(request)
    resp = requests.post(request.url, data=request.message,
                         headers=request.headers,
                         cert=self.cert, verify=False)  # server certificate is never checked
    result = Reply(resp.status_code, resp.headers, resp.content)
    return result
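The hardened counterpart to the transport quoted above, as an added example (not pybankid's own code): the server chain is verified against the BankID root CA only, hostname checking stays on, and a guard refuses the verify=False misconfiguration before a request is sent. The CA bundle and client certificate paths are placeholders the caller supplies; with no ca_file the system trust store is used, which is acceptable for a smoke test but not for production.

```python
import http.client
import ssl


def bankid_ssl_context(ca_file=None, cert_file=None, key_file=None):
    """Build the client-side TLS context the transport above should have used.

    ca_file: PEM bundle holding the BankID root CA. When given it becomes the
             ONLY trust anchor (create_default_context then skips the system
             store), so a server certificate from any other CA is rejected.
    cert_file/key_file: the RP client certificate and key, i.e. what requests'
             cert=(cert, key) carries. Both are placeholder paths here.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    # Stated explicitly: this is the opposite of requests' verify=False (CERT_NONE).
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def verification_summary(ctx):
    """Human-checkable view of what the context enforces."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def is_verification_disabled(request_kwargs):
    """True for the exact misconfiguration quoted above (requests' verify=False)."""
    return request_kwargs.get("verify", True) is False


def require_verification(request_kwargs):
    """Guard to run before every requests.get/post: fail closed instead of sending."""
    if is_verification_disabled(request_kwargs):
        raise ValueError("refusing to send: verify=False disables server certificate validation")
    return request_kwargs


def open_https(host, ctx, port=443):
    """Connection whose handshake fails unless the server chain verifies against
    ctx's trust anchor and the certificate matches `host`."""
    return http.client.HTTPSConnection(host, port, context=ctx)


if __name__ == "__main__":
    print(verification_summary(bankid_ssl_context()))
    print(require_verification({"verify": "/etc/ssl/bankid-root.pem", "cert": ("rp.pem", "rp.key")}))
```

Pinning the BankID root CA as the sole trust anchor is what the 2019 endpoint mail further down asks for ("the new root CA must be in the trust store"); a bundle that also contains the public roots would not detect a mis-issued certificate from another CA.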
Hi guys
I am looking into a way to automatically connect to the Göteborg Energi user portal and download some statistics. They don't seem to provide an API and are using BankID for authentication.
I have found pybankid and I am wondering if it can help me to automate the authentication part. So I would like to have a cronjob or something that logs in regularly to the Göteborg Energi portal, without any kind of interaction from my side (e.g. without opening the Mobile BankID app and entering the password).
I currently have BankID on a smartcard (can I use it with pybankid?) and Mobile BankID, but I can try to request certificate files if that is a must.
I would highly appreciate your help here.
Thanks a lot
//Max
I think that the clients should have a timeout setting. The requests library Session class (which is used by the clients already) supports a keyword argument timeout to its request method. If the server hasn't responded within timeout seconds, requests raises an exception.
Requests to the BankID service most likely won't time out very often, but there should still be a way to handle timeouts. Implementing it should be easy since requests already supports it. I think the timeout setting should be passed to the BankID client on instantiation. The same timeout setting would be used for all requests sent by that instance.
I am happy to open a pull request if the addition seems like a good idea to you 😃
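What the proposal above protects against, shown as an added example that is not pybankid's code: a constructed local "server" accepts the TCP connection and then never answers, which is exactly the case in which a client without a timeout blocks its worker forever. The client class mirrors the suggested design (one timeout given at instantiation, applied to every request) using only the standard library; the /rp/v6.0/collect path and the orderRef value are placeholders.

```python
import http.client
import json
import socket
import threading


def start_stalled_server():
    """CONSTRUCTED fixture: listen on an ephemeral port, accept, never respond."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    held = []  # keep accepted sockets open so the client sees neither data nor EOF

    def accept_forever():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed by the caller
                return
            held.append(conn)

    threading.Thread(target=accept_forever, daemon=True).start()
    return srv, srv.getsockname()[1]


class TimeoutBankIDClient:
    """Every request inherits the timeout given at construction."""

    def __init__(self, host, port, timeout=5.0):
        self.host, self.port, self.timeout = host, port, timeout

    def _post(self, path, payload):
        # The timeout covers connect() and every subsequent recv() on the socket.
        conn = http.client.HTTPConnection(self.host, self.port, timeout=self.timeout)
        try:
            conn.request("POST", path, body=json.dumps(payload),
                         headers={"Content-Type": "application/json"})
            resp = conn.getresponse()
            return resp.status, resp.read()
        finally:
            conn.close()

    def collect(self, order_ref):
        return self._post("/rp/v6.0/collect", {"orderRef": order_ref})


def collect_or_timeout(client, order_ref):
    """Return ('timeout', None) instead of blocking indefinitely; the caller can
    then retry the poll or surface an error to the user."""
    try:
        return ("ok", client.collect(order_ref))
    except (socket.timeout, TimeoutError):  # socket.timeout is TimeoutError on 3.10+
        return ("timeout", None)


if __name__ == "__main__":
    listener, port = start_stalled_server()
    try:
        client = TimeoutBankIDClient("127.0.0.1", port, timeout=0.5)
        print(collect_or_timeout(client, "placeholder-orderRef"))
    finally:
        listener.close()
```

Without the timeout argument, getresponse() in the same scenario never returns, which in a web application means one exhausted worker per stalled BankID call.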
Mail regarding new endpoint for production server:
This information is intended for developers and owners of services using BankID.
To manage a generation shift of the root certificate protecting the service we have introduced a new end point for the service. You need to make changes before 1 June 2019.
Old integrations must be changed to use the new end point and the new root CA must be in the trust store.
The change must be done before 1 June 2019. The old end point will not work after that date. Preferably, do the change as soon as possible to secure your future BankID usage.
Dependabot couldn't authenticate with https://pypi.python.org/simple/.
You can provide authentication details in your Dependabot dashboard by clicking into the account menu (in the top right) and selecting 'Config variables'.
Testing on Travis CI yielded error when using Python 2.6 interpreter. Needs fixing.
======================================================================
ERROR: tests.test_client.TestClientOnTestServer.test_authentication_and_collect
----------------------------------------------------------------------
Traceback (most recent call last):
File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/nose/case.py", line 197, in runTest
self.test(*self.arg)
File "/home/travis/build/hbldh/pybankid/tests/test_client.py", line 99, in test_authentication_and_collect
c = bankid.client.BankIDClient(certificates=(self.certificate_file, self.key_file), test_server=True)
File "/home/travis/build/hbldh/pybankid/bankid/client.py", line 58, in __init__
headers=headers, transport=t)
File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/suds/client.py", line 112, in __init__
self.wsdl = reader.open(url)
File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/suds/reader.py", line 152, in open
d = self.fn(url, self.options)
File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/suds/wsdl.py", line 136, in __init__
d = reader.open(url)
File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/suds/reader.py", line 79, in open
d = self.download(url)
File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/suds/reader.py", line 101, in download
return sax.parse(string=content)
File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/suds/sax/parser.py", line 136, in parse
sax.parse(source)
File "/opt/python/2.6.9/lib/python2.6/xml/sax/expatreader.py", line 107, in parse
xmlreader.IncrementalParser.parse(self, source)
File "/opt/python/2.6.9/lib/python2.6/xml/sax/xmlreader.py", line 123, in parse
self.feed(buffer)
File "/opt/python/2.6.9/lib/python2.6/xml/sax/expatreader.py", line 211, in feed
self._err_handler.fatalError(exc)
File "/opt/python/2.6.9/lib/python2.6/xml/sax/handler.py", line 38, in fatalError
raise exception
SAXParseException: <unknown>:1:1: not well-formed (invalid token)
See page 27 of docs:
https://www.bankid.com/assets/bankid/rp/riktlinjer-foer-mobilt-bankid-till-foerlitande-part-1-0-7.pdf
The docs don't explain it that well, but the collect response contains a signature from the client, and an OCSP response by what I'm guessing is the bank which signed the client's certificate.
The OCSP response is signed by a certificate that has the same issuer as the certificate being verified (i.e. the BankID).
I think the purpose for this is that it gives the bank power to revoke the user certificate. So the infrastructure in that sense is reliant on both the bank and the BankID backend. I think the bank controls the OCSP stapling, while BankID stands for the authentication infrastructure.
I found some old documentation of the server architecture for the Norwegian system from 2005:
http://www.eurim.org.uk/activities/pi/BankIDWhitePaper.pdf
So there seems to be the root-CA which is jointly owned by all the banks. Then each bank gets its own level-1 CA signed by the root.
Question is, do we need to verify these as a merchant? Why would they include them in the response otherwise?
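To make the two fields discussed above concrete, an added example (not pybankid's code and not taken from the BankID documentation): it base64-decodes the collect completionData, walks the DER of the OCSP response far enough to read responseStatus and responseType (RFC 6960 structure), and pulls the SignatureValue and embedded X509Certificate chain out of the XML-DSig signature. These are the structural checks a merchant can run before deciding whether to verify; the cryptographic verification itself (XML-DSig over the signed data, the OCSP responder's signature, chaining to the root CA) needs a library such as xmlsec or cryptography and is not shown. The sample completionData is constructed: the DER is well-formed but the BasicOCSPResponse is an empty SEQUENCE and the certificates are placeholder bytes.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
ID_PKIX_OCSP_BASIC = "1.3.6.1.5.5.7.48.1.1"
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}


def _tlv(buf, pos=0):
    """Read one DER TLV at pos: returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def _oid(value):
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def parse_ocsp_response(der):
    """OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0]
    EXPLICIT SEQUENCE { responseType OID, response OCTET STRING } OPTIONAL }"""
    tag, body, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("OCSPResponse must be a SEQUENCE")
    tag, status, pos = _tlv(body)
    if tag != 0x0A:
        raise ValueError("responseStatus must be ENUMERATED")
    out = {"responseStatus": OCSP_STATUS.get(status[0], "unknown(%d)" % status[0]),
           "responseType": None, "basicResponse": None}
    if pos < len(body):
        tag, explicit, _ = _tlv(body, pos)
        if tag != 0xA0:
            raise ValueError("responseBytes must be [0] EXPLICIT")
        _, seq, _ = _tlv(explicit)
        _, oid, pos = _tlv(seq)
        _, octets, _ = _tlv(seq, pos)
        out["responseType"], out["basicResponse"] = _oid(oid), octets
    return out


def parse_signature(b64_xml):
    """The signature field is a base64 XML-DSig document; extract what a verifier
    needs: the SignatureValue and the embedded X509Certificate chain (DER)."""
    root = ET.fromstring(base64.b64decode(b64_xml))
    if root.tag != DS + "Signature":
        raise ValueError("not an XML-DSig Signature element")
    sig = root.find(DS + "SignatureValue")
    return {
        "signature_value": base64.b64decode(sig.text) if sig is not None else None,
        "certificates": [base64.b64decode(c.text) for c in root.iter(DS + "X509Certificate")],
    }


def decode_completion_data(completion):
    """Structural checks on completionData before any cryptography is run."""
    ocsp = parse_ocsp_response(base64.b64decode(completion["ocspResponse"]))
    if ocsp["responseStatus"] != "successful":
        raise ValueError("OCSP responder answered: " + ocsp["responseStatus"])
    if ocsp["responseType"] != ID_PKIX_OCSP_BASIC:
        raise ValueError("unexpected OCSP responseType %s" % ocsp["responseType"])
    sig = parse_signature(completion["signature"])
    if not sig["certificates"]:
        raise ValueError("signature carries no X509Certificate chain")
    return {"ocsp": ocsp, "signature": sig}


def _der(tag, body):
    """Tiny DER encoder (short-form lengths) used only to build the sample."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def _b64(raw):
    return base64.b64encode(raw).decode()


def sample_completion_data():
    """CONSTRUCTED stand-in for a real completionData; nothing in it would verify."""
    basic = _der(0x30, b"")  # placeholder BasicOCSPResponse
    oid = _der(0x06, bytes([0x2B, 6, 1, 5, 5, 7, 48, 1, 1]))  # id-pkix-ocsp-basic
    ocsp = _der(0x30, _der(0x0A, b"\x00") + _der(0xA0, _der(0x30, oid + _der(0x04, basic))))
    xml = ('<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
           '<SignatureValue>%s</SignatureValue><KeyInfo><X509Data>'
           '<X509Certificate>%s</X509Certificate><X509Certificate>%s</X509Certificate>'
           '</X509Data></KeyInfo></Signature>'
           % (_b64(b"placeholder-signature"), _b64(b"placeholder-user-cert"), _b64(b"placeholder-bank-ca")))
    return {"signature": _b64(xml.encode()), "ocspResponse": _b64(ocsp)}
```

If the input ever comes from somewhere other than the authenticated BankID endpoint, parse the XML with defusedxml instead of ElementTree.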
The latest RP guidelines state that the EOL for the v5 API endpoint is April 2022. The v5.1 endpoint has been available since April 2020. pybankid should switch to use the new endpoint well before the EOL of v5.
OS X High Sierra seems to have changed OpenSSL implementations to LibreSSL, which causes a check in pybankid to crash.
(flow) moodh:~/pybankid$ which openssl
/usr/bin/openssl
(flow) moodh:~/pybankid$ openssl version
LibreSSL 2.2.7
Here's the relevant code:
https://github.com/hbldh/pybankid/blob/master/bankid/certutils.py#L76
import subprocess

p = subprocess.Popen(['openssl', 'version'], stdout=subprocess.PIPE)
sout, serr = p.communicate()
# 'LibreSSL 2.2.7' does not start with 'openssl', so this check raises on
# High Sierra even though a working binary is present.
if not sout.decode().lower().startswith('openssl'):
    raise NotImplementedError(
        "OpenSSL executable could not be found. "
        "Splitting cannot be performed.")
print(sout.strip())
openssl_executable = 'openssl'
I guess both have to be supported.
I can fix a PR if you'd like but since the change is trivial you might just want to fix it yourself. :)
Thanks!
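One way to accept both toolkits, as an added example rather than the fix the project shipped: parse the banner of `openssl version` instead of prefix-matching it, and locate the binary with shutil.which so the error message is raised only when no usable executable exists. The candidate names are an assumption.

```python
import re
import shutil
import subprocess

# 'OpenSSL 1.1.1k  25 Mar 2021', 'LibreSSL 2.2.7', 'OpenSSL 3.0.2 15 Mar 2022'
BANNER = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+(?:\.\d+)*[a-z]*)", re.IGNORECASE)


def parse_openssl_version(banner):
    """Return (toolkit, version) for an OpenSSL or LibreSSL banner, else raise."""
    m = BANNER.match(banner.strip())
    if not m:
        raise NotImplementedError("Unrecognised TLS toolkit banner: %r" % banner)
    return m.group(1), m.group(2)


def version_key(version):
    """'1.0.2k' -> (1, 0, 2): lets callers gate features on a minimum version."""
    return tuple(int(re.match(r"\d+", part).group()) for part in version.split("."))


def find_openssl_executable(candidates=("openssl",)):
    """First candidate on PATH whose banner parses: returns (path, toolkit, version)."""
    for name in candidates:
        path = shutil.which(name)
        if not path:
            continue
        try:
            out = subprocess.run([path, "version"], capture_output=True, text=True,
                                 timeout=5, check=True).stdout
            toolkit, version = parse_openssl_version(out)
        except (OSError, subprocess.SubprocessError, NotImplementedError):
            continue  # present but broken or unknown: try the next candidate
        return path, toolkit, version
    raise NotImplementedError("OpenSSL executable could not be found. "
                              "Splitting cannot be performed.")


if __name__ == "__main__":
    print(find_openssl_executable())
```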
Hi,
I forked pybankid-example-app for a project where I need to create a gateway to BankID services, thus using this wrapper (pybankid). I cloned the project and started by creating a virtual environment with Python 2.7 on Mac OS (later I learned that 2.7.8 had some issues with the SSL libraries, so I upgraded to 2.7.11, which contains a backport of all the SSL modules since 2.7.9).
When I download the requirements I found a funny thing: it first downloads six, requests and so on, and then fails when installing bankid. I found out that by installing each of those separately (i.e. pip install six, pip install requests, and so on) it worked like a charm.
That type of issue is described here: pypa/pip#25
That is cool; to work on localhost I install each of the requirement lines by splitting the requirements.txt like this: while read in; do pip install "$in"; done < requirements.txt;
However, my problem comes when I need to deploy this to Heroku (silly me, I should have figured it out before). Neither the pybankid-example-app nor any project that has this wrapper as a dependency can be built to run on Heroku.
Good news is that this is apparently a common problem with doing imports in the setup.py. It is explained here:
And here is an actual implementation of a similar fix for the pandas library: pandas-dev/pandas@28e2a38
My main problem is: I am not sure if I can pull through a similar fix in a reasonable amount of time. Could you help me with it?
Cheers,
-Manuel
Hi,
I'm trying to connect to the production environment of BankID.
I have obtained a client certificate from the bank. (===...BEGIN CERTIFICATE...===)
I got this cert in a .txt file. I have no idea how to get the key/certificate in the same format as pybankid generated it when running against their test environment.
Do I need to convert it in some way to get it into a format that pybankid accepts?
When collecting a completed signing result, the unicode parsing fails in version 0.3.6. A raw suds object is returned instead of a dict.
After upgrading to the above-mentioned, just-released versions of requests and urllib3, I get an exception in pybankid code.
~$ python
Python 3.8.10 (default, Mar 13 2023, 10:26:41)
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from bankid import BankIDJSONClient
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/colin/venv/lib/python3.8/site-packages/bankid/__init__.py", line 24, in <module>
from requests.packages.urllib3.exceptions import SubjectAltNameWarning as _sanw
ImportError: cannot import name 'SubjectAltNameWarning' from 'urllib3.exceptions' (/home/colin/venv/lib/python3.8/site-packages/urllib3/exceptions.py)
>>>
I have a new use case in a fully asynchronous framework currently using httpx. Opening this up here for discussion. Would an async API and a more modular HTTP backend be welcomed as a contribution? And if so, any design preferences for how that would work?
This information is intended for developers and owners of services using BankID. You need to change your services before February 2020.
To make integration with the BankID service easier, we have replaced the SOAP/XML interface with a JSON based interface. The old SOAP interface will not work after February 2020. The following summarizes the changes:
Details are found in BankID Relying Party Guidelines available at https://www.bankid.com/bankid-i-dina-tjanster/rp-info.
Please study the guidelines and the FAQ at https://www.bankid.com/bankid-i-dina-tjanster/rp-info carefully before posting questions to us. Remaining technical questions may be directed to [email protected]. For other questions we refer to the Bank or vendor with which you have the BankID service agreement.
Hey,
I read that in issue #5 the decision was made to not include signature verification. I however would like to challenge that again and maybe we can come up with an extension to this library.
I have contacted BankID and got the necessary certificate, however the documentation on their site is very sparse and it makes it very complicated, especially as I am not an expert in all the details about certificates.
My goal:
Having a discussion again if it should be part of this library, otherwise provide a working guide with coding examples to include a step by step guide that at least gives more instructions to users of this library (maybe in a readme)
I am using pybankid for a project on a Heroku app, which is built on ephemeral file storage, and I haven't been able to figure out how to upload the certificates to Heroku. I was thinking of using config variables to upload the certificates, but that would mean using strings rather than file paths for the certificates. After looking into it, some people were suggesting monkey-patching the requests Session() class, but I can't get this to work. I have also looked into TempFiles, but this is supposedly not a secure solution, according to this post.
I think the easiest way forward might be to mount an AWS S3 bucket and provide the path for the certificates this way as a workaround, but I also saw some examples of people using Heroku with the pybankid-flask app, so it should be possible; I just don't know how. Any ideas on how I can do this?
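An added example (not pybankid's code) covering both the Heroku question above and the earlier question about a certificate delivered as a .txt file: the PEM text is split into its blocks by type, so a file that contains only CERTIFICATE blocks is reported as missing the private key, and the blocks are written to files created with O_EXCL and mode 0600 inside a 0700 directory, which is the part the "temp file" advice is usually warning about. The environment variable names, the directory layout, and the literal-backslash-n unflattening are assumptions about the deployment; the sample PEM is constructed and contains no real key material.

```python
import os
import re
import stat
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.DOTALL)
CERT_TYPES = {"CERTIFICATE"}
KEY_TYPES = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# CONSTRUCTED sample: the base64 bodies are filler, not real certificates or keys.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIC0gbm90IGEgcmVhbCBjZXJ0aWZpY2F0ZQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIC0gbm90IGEgcmVhbCBpc3N1ZXIgY2VydA==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFIC0gbm90IGEgcmVhbCBwcml2YXRlIGtleQ==
-----END PRIVATE KEY-----
"""


def split_pem(text):
    """Return (certificate_blocks, key_blocks); unknown block types are an error."""
    certs, keys = [], []
    for m in PEM_BLOCK.finditer(text):
        label, block = m.group(1), m.group(0)
        if label in CERT_TYPES:
            certs.append(block)
        elif label in KEY_TYPES:
            keys.append(block)
        else:
            raise ValueError("unexpected PEM block type: " + label)
    return certs, keys


def unflatten(text):
    """Some config pipelines store newlines as the two characters '\\n'; undo that."""
    return text.replace("\\n", "\n")


def _write_private(path, content):
    # O_EXCL: never overwrite or follow something that already exists there;
    # 0600: readable by this user only, regardless of umask.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def materialize(pem_text, directory=None):
    """Write the chain and the key to private files; returns (cert_path, key_path)
    suitable for BankIDClient(certificates=(cert_path, key_path))."""
    certs, keys = split_pem(pem_text)
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    if len(keys) != 1:
        raise ValueError("expected exactly one private key block, found %d" % len(keys))
    directory = directory or tempfile.mkdtemp(prefix="bankid-")  # created with mode 0700
    cert_path = _write_private(os.path.join(directory, "cert.pem"), "\n".join(certs) + "\n")
    key_path = _write_private(os.path.join(directory, "key.pem"), keys[0] + "\n")
    return cert_path, key_path


def from_environment(cert_var="BANKID_CERT_PEM", key_var="BANKID_KEY_PEM"):
    """Assumed Heroku layout: two config vars holding PEM text."""
    return materialize(unflatten(os.environ[cert_var]) + "\n" + unflatten(os.environ[key_var]))


def file_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def read_text(path):
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    cert_path, key_path = materialize(SAMPLE_PEM)
    print(cert_path, oct(file_mode(cert_path)), key_path, oct(file_mode(key_path)))
```

Run materialize once at process start and keep the paths; a file with only CERTIFICATE blocks (the .txt case above) fails with "expected exactly one private key block", which is the signal that the bank supplied the certificate but not the key that pybankid needs alongside it.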
The RFA for the CertificateError exception was changed some versions ago (https://github.com/hbldh/pybankid/blob/master/bankid/exceptions.py#L197). The comment was updated but the actual value on the class was not. It should probably be the same as the comment. However, the current RP guidelines say that RFA16 should be used for certificateErr.
This got me thinking; wouldn't it be neat if pybankid included the RFAs?
The test certificate that the component generates from expired on 2020-08-18. The updated link is https://www.bankid.com/assets/bankid/rp/FPTestcert3_20200618.p12
Hello, guys!
I have a little question about your client.
To create a connection you use certificates:
client = BankIDClient(certificates=('path/to/certificate.pem', 'path/to/key.pem'))
Can you tell me what the certificates are? Do I understand correctly that I am requesting them from the bank?
Maybe you can help me; I have a little problem with Swedish and I'm from Russia.
@Tethik @hbldh
It's been working well for months, but now suddenly it throws an SSLError when trying to use BankID for test with pybankid.
I've installed the certificate from https://www.bankid.com/utvecklare/test, but the same error still occurs.
The setup has been working before, last time I checked it was around March 2022.
I was trying to use BankID's test environment with pybankid, by using the 'authenticate' method on the BankIDJSONClient.
Installed the latest TLS Certificate from BankID, for the test environment
Paste the command(s) you ran and the output.
[Tue Oct 11 10:28:47.586665 2022] [wsgi:error] [pid 967:tid 139798451377920] [remote 10.0.0.2:44356] File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 670, in urlopen
[Tue Oct 11 10:28:47.586734 2022] [wsgi:error] [pid 967:tid 139798451377920] [remote 10.0.0.2:44356] httplib_response = self._make_request(
[Tue Oct 11 10:28:47.586800 2022] [wsgi:error] [pid 967:tid 139798451377920] [remote 10.0.0.2:44356] File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 426, in _make_request
[Tue Oct 11 10:28:47.586900 2022] [wsgi:error] [pid 967:tid 139798451377920] [remote 10.0.0.2:44356] six.raise_from(e, None)
[Tue Oct 11 10:28:47.586964 2022] [wsgi:error] [pid 967:tid 139798451377920] [remote 10.0.0.2:44356] File "<string>", line 3, in raise_from
[Tue Oct 11 10:28:47.587083 2022] [wsgi:error] [pid 967:tid 139798451377920] [remote 10.0.0.2:44356] File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 421, in _make_request
[Tue Oct 11 10:28:47.587148 2022] [wsgi:error] [pid 967:tid 139798451377920] [remote 10.0.0.2:44356] httplib_response = conn.getresponse()
[Tue Oct 11 10:28:47.587211 2022] [wsgi:error] [pid 967:tid 139798451377920] [remote 10.0.0.2:44356] File "/usr/local/lib/python3.8/http/client.py", line 1347, in getresponse
[Tue Oct 11 10:28:47.587274 2022] [wsgi:error] [pid 967:tid 139798451377920] [remote 10.0.0.2:44356] response.begin()
[Tue Oct 11 10:28:47.587335 2022] [wsgi:error] [pid 967:tid 139798451377920] [remote 10.0.0.2:44356] File "/usr/local/lib/python3.8/http/client.py", line 307, in begin
[Tue Oct 11 10:28:47.587396 2022] [wsgi:error] [pid 967:tid 139798451377920] [remote 10.0.0.2:44356] version, status, reason = self._read_status()
[Tue Oct 11 10:28:47.587462 2022] [wsgi:error] [pid 967:tid 139798451377920] [remote 10.0.0.2:44356] File "/usr/local/lib/python3.8/http/client.py", line 268, in _read_status
[Tue Oct 11 10:28:47.587526 2022] [wsgi:error] [pid 967:tid 139798451377920] [remote 10.0.0.2:44356] line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
[Tue Oct 11 10:28:47.587588 2022] [wsgi:error] [pid 967:tid 139798451377920] [remote 10.0.0.2:44356] File "/usr/local/lib/python3.8/socket.py", line 669, in readinto
[Tue Oct 11 10:28:47.587649 2022] [wsgi:error] [pid 967:tid 139798451377920] [remote 10.0.0.2:44356] return self._sock.recv_into(b)
[Tue Oct 11 10:28:47.587710 2022] [wsgi:error] [pid 967:tid 139798451377920] [remote 10.0.0.2:44356] File "/usr/local/lib/python3.8/ssl.py", line 1241, in recv_into
[Tue Oct 11 10:28:47.587769 2022] [wsgi:error] [pid 967:tid 139798451377920] [remote 10.0.0.2:44356] return self.read(nbytes, buffer)
[Tue Oct 11 10:28:47.587829 2022] [wsgi:error] [pid 967:tid 139798451377920] [remote 10.0.0.2:44356] File "/usr/local/lib/python3.8/ssl.py", line 1099, in read
[Tue Oct 11 10:28:47.587887 2022] [wsgi:error] [pid 967:tid 139798451377920] [remote 10.0.0.2:44356] return self._sslobj.read(len, buffer)
[Tue Oct 11 10:28:47.587946 2022] [wsgi:error] [pid 967:tid 139798451377920] [remote 10.0.0.2:44356] ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:2623)
When installing with pip I got the old BankID certificate link in certutils.py
So: https://www.bankid.com/assets/bankid/rp/FPTestcert2_20150818_102329.pfx
Instead of the current: https://www.bankid.com/assets/bankid/rp/FPTestcert3_20200618.p12
At least when installing Flask-PyBankId
suds-jurko is a fork of suds still being developed. Seems to be Python 3.x compliant, so this might make PyBankID Python 3 ready as well.
Might resolve the stupid logging error in testing as well.
Mobile only.
BankID allows authenticating without using a personalNumber.
The requirement from BankID is that the BankID app is installed on your mobile device.
The BankID API then returns an order_ref which can be used to start the BankID app on the mobile phone.
When the signature completes, we can poll/collect as usual until the signature is validated.
Is this possible with pybankid, or is providing the personalNumber a requirement?
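The flow asked about above, together with the RFA mapping from the earlier issue, as an added example that is neither pybankid's code nor BankID's: the orderRef and autoStartToken returned by an auth call without personalNumber are turned into the bankid:/// launch URL, and collect() is polled every two seconds with each response mapped to the RFA message the user should see (certificateErr to RFA16, as the guidelines say). The RFA numbers follow the RP guidelines; the English texts are paraphrased and must be replaced by the exact strings of the guidelines version you target. The collect endpoint is replaced by a scripted stand-in with constructed responses so the block runs offline.

```python
import time
from urllib.parse import urlencode

# hintCode -> (RFA, message). Texts paraphrased; use the guidelines' exact wording.
RFA_FOR_HINT = {
    "outstandingTransaction": ("RFA1", "Start your BankID app."),
    "noClient": ("RFA1", "Start your BankID app."),
    "cancelled": ("RFA3", "Action cancelled. Please try again."),
    "alreadyInProgress": ("RFA4", "An identification or signing for this personal number is already started. Please try again."),
    "userCancel": ("RFA6", "Action cancelled."),
    "expiredTransaction": ("RFA8", "The BankID app is not responding. Check that it is started and that you have internet access, then try again."),
    "userSign": ("RFA9", "Enter your security code in the BankID app and select Identify or Sign."),
    "certificateErr": ("RFA16", "The BankID you are trying to use is revoked or too old. Use another BankID or order a new one from your internet bank."),
    "startFailed": ("RFA17", "The BankID app could not be found on your device. Install it and order a BankID from your internet bank."),
}
DEFAULT_PENDING = ("RFA21", "Identification or signing in progress.")
DEFAULT_FAILED = ("RFA22", "Unknown error. Please try again.")


def rfa_for(collect_response):
    """Map one collect() response to the RFA the end user should see (None when complete)."""
    status = collect_response["status"]
    if status == "complete":
        return None
    default = DEFAULT_FAILED if status == "failed" else DEFAULT_PENDING
    return RFA_FOR_HINT.get(collect_response.get("hintCode"), default)


def autostart_url(auto_start_token, redirect="null"):
    """Launch URL for the app on the same device. redirect=null tells the app
    not to navigate anywhere afterwards; the RP keeps polling collect()."""
    return "bankid:///?" + urlencode({"autostarttoken": auto_start_token, "redirect": redirect})


def run_order(collect, order_ref, sleep=time.sleep, interval=2.0, max_polls=90):
    """Poll collect(order_ref) every `interval` seconds until the order completes
    or fails. Returns the outcome plus the sequence of RFAs shown to the user."""
    shown = []
    for _ in range(max_polls):
        resp = collect(order_ref)
        rfa = rfa_for(resp)
        if rfa and (not shown or shown[-1] != rfa[0]):
            shown.append(rfa[0])  # only re-render the prompt when it changes
        if resp["status"] == "complete":
            return {"outcome": "complete", "completionData": resp["completionData"], "shown": shown}
        if resp["status"] == "failed":
            return {"outcome": "failed", "hintCode": resp.get("hintCode"),
                    "rfa": rfa[0], "message": rfa[1], "shown": shown}
        sleep(interval)
    # Safety net; normally the service itself reports expiredTransaction first.
    return {"outcome": "failed", "hintCode": None, "rfa": DEFAULT_FAILED[0],
            "message": DEFAULT_FAILED[1], "shown": shown}


class ScriptedCollect:
    """CONSTRUCTED stand-in for the collect endpoint: replays canned responses."""

    def __init__(self, responses):
        self._responses = list(responses)

    def __call__(self, order_ref):
        return dict(self._responses.pop(0), orderRef=order_ref)


if __name__ == "__main__":
    # Values an auth call without personalNumber would return (placeholders).
    order_ref, token = "placeholder-orderRef", "placeholder-autoStartToken"
    print(autostart_url(token))
    collect = ScriptedCollect([
        {"status": "pending", "hintCode": "outstandingTransaction"},
        {"status": "pending", "hintCode": "userSign"},
        {"status": "complete", "completionData": {"user": {"name": "placeholder"}}},
    ])
    print(run_order(collect, order_ref, sleep=lambda s: None))
```

Because the order is not bound to a personalNumber, the RP must bind it to the session that started it (store the orderRef server-side) and treat completionData.user as the identity, not anything the browser sent.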