{"id":4391,"library":"requests-pkcs12","title":"requests-pkcs12","description":"The requests-pkcs12 library extends the popular Python `requests` library to add native support for client-side PKCS#12 (often .p12 or .pfx) certificates. It provides a clean implementation by creating a custom `TransportAdapter` and `SSLContext`, avoiding monkey patching or the use of unencrypted temporary files. Currently at version 1.27, it serves as a robust transitional solution until `requests` incorporates direct PKCS#12 support. The project appears to be actively maintained, with frequent updates.","status":"active","version":"1.27","language":"en","source_language":"en","source_url":"https://github.com/m-click/requests_pkcs12","tags":["HTTP","requests","PKCS#12","SSL","certificates","authentication","client-certificate"],"install":[{"cmd":"pip install requests-pkcs12","lang":"bash","label":"Install with pip"}],"dependencies":[{"reason":"Required for parsing PKCS#12 files and creating SSL contexts.","package":"cryptography","version":">=42.0.0"},{"reason":"The core HTTP library that requests-pkcs12 extends.","package":"requests","version":">=2.32.5"}],"imports":[{"note":"For simple, one-off GET requests using PKCS#12.","symbol":"get","correct":"from requests_pkcs12 import get"},{"note":"For simple, one-off POST requests using PKCS#12.","symbol":"post","correct":"from requests_pkcs12 import post"},{"note":"For integrating PKCS#12 support into a requests.Session.","symbol":"Pkcs12Adapter","correct":"from requests_pkcs12 import Pkcs12Adapter"},{"note":"Needed when using Pkcs12Adapter with requests sessions.","symbol":"Session","correct":"from requests import Session"}],"quickstart":{"code":"import os\nfrom requests import Session\nfrom requests_pkcs12 import Pkcs12Adapter, get\n\n# --- Example 1: Simple one-off request ---\n# Requires a client certificate file (e.g., clientcert.p12) and its password.\n# Ensure 'pkcs12_filename' points to a valid .p12 file\n# and 'pkcs12_password' is correct for testing.\n\nPKCS12_FILENAME = os.environ.get('PKCS12_FILENAME', 'clientcert.p12') # Placeholder\nPKCS12_PASSWORD = os.environ.get('PKCS12_PASSWORD', 'your_pkcs12_password') # Placeholder\nTARGET_URL = os.environ.get('TARGET_URL', 'https://example.com/secure_endpoint') # Placeholder\n\ntry:\n    print(f\"\\nAttempting one-off GET to {TARGET_URL}...\")\n    r = get(\n        TARGET_URL,\n        pkcs12_filename=PKCS12_FILENAME,\n        pkcs12_password=PKCS12_PASSWORD,\n        verify=True # Always verify server certificates in production!\n    )\n    r.raise_for_status() # Raise HTTPError for bad responses (4xx or 5xx)\n    print(f\"One-off GET successful! Status: {r.status_code}\")\n    # print(r.text)\nexcept Exception as e:\n    print(f\"One-off GET failed: {e}\")\n\n# --- Example 2: Using with a requests Session (recommended for multiple requests) ---\n\ntry:\n    print(f\"\\nAttempting session-based GET to {TARGET_URL}...\")\n    with Session() as s:\n        s.mount(\n            'https://',\n            Pkcs12Adapter(\n                pkcs12_filename=PKCS12_FILENAME,\n                pkcs12_password=PKCS12_PASSWORD\n            )\n        )\n        # The 'verify' parameter can be set on the session or per request.\n        # It is crucial for verifying the server's identity.\n        r_session = s.get(TARGET_URL, verify=True)\n        r_session.raise_for_status()\n        print(f\"Session-based GET successful! Status: {r_session.status_code}\")\n        # print(r_session.text)\nexcept Exception as e:\n    print(f\"Session-based GET failed: {e}\")\n\n# Note: For actual testing, replace 'clientcert.p12' and 'your_pkcs12_password'\n# with a real PKCS#12 file path and its password. You might need a dummy\n# server that requires client certificate authentication for full testing.","lang":"python","description":"This quickstart demonstrates how to perform both one-off and session-based HTTP requests using a PKCS#12 client certificate. It requires a `.p12` file and its corresponding password. For security, these values are retrieved from environment variables, or fall back to placeholders for demonstration. Remember to replace `PKCS12_FILENAME`, `PKCS12_PASSWORD`, and `TARGET_URL` with your actual certificate path, password, and the secure endpoint you wish to access."},"warnings":[{"fix":"Only use `pkcs12_filename` and `pkcs12_password` (or `pkcs12_data` and `pkcs12_password`) provided by `requests-pkcs12`. Continue to use the `verify` parameter for server-side certificate verification.","message":"Do not combine `pkcs12_filename` or `pkcs12_data` arguments with the standard `requests` `cert` parameter. The `Pkcs12Adapter` handles both certificate and key internally; using `cert` simultaneously can lead to conflicts or incorrect behavior.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Always use `verify=True` and ensure your system's CA certificates are up-to-date, or provide a path to a trusted CA bundle if connecting to non-standard CAs.","message":"While `requests-pkcs12` handles client certificate authentication, proper server-side certificate verification (via the `verify` parameter) is still crucial. Failing to set `verify=True` (or providing a CA bundle) can leave your application vulnerable to Man-in-the-Middle attacks.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Keep an eye on the official `requests` library roadmap and changelogs for native PKCS#12 support. Migrating to built-in functionality would be recommended if it becomes available.","message":"The `requests-pkcs12` library is explicitly stated as a 'transitional solution' by its authors. Future versions of the main `requests` library might eventually incorporate native PKCS#12 support, potentially deprecating the need for this external library.","severity":"deprecated","affected_versions":"All versions"},{"fix":"Upgrade your Python version to 3.8 or newer. Check the `cryptography` changelog for specific version compatibility details. `requests-pkcs12` itself requires `>=3.7`.","message":"`requests-pkcs12` depends on `cryptography`, which has evolving Python version support. For instance, `cryptography` versions 44.0.0+ (released November 2024) deprecated Python 3.7 support. Ensure your Python environment meets `cryptography`'s and `requests-pkcs12`'s minimum requirements.","severity":"gotcha","affected_versions":"Users on Python < 3.8 with cryptography >= 44.0.0"}],"env_vars":null,"last_verified":"2026-04-12T00:00:00.000Z","next_check":"2026-07-11T00:00:00.000Z"}