Searching for a usable X509 implementation

Started by: Dennis Jacobfeuerborn <djacobfeuerborn@gmail.com>
First post: 2015-07-03 17:11 -0700
Last post: 2015-07-06 21:24 +0200
Articles: 4 — 3 participants

#93473 — Searching for a usable X509 implementation

From: Dennis Jacobfeuerborn <djacobfeuerborn@gmail.com>
Date: 2015-07-03 17:11 -0700
Subject: Searching for a usable X509 implementation
Message-ID: <46c64c5f-e5b5-4865-83e0-2474ebe4f8bd@googlegroups.com>

Hi,
I'm trying to implement certificate functionality in a python app but after fighting with pyOpenSSL and M2Crypto I'm thinking about writing wrapper functions for the OpenSSL command line tool instead or switching the app to another language altogether.

Apparently PyOpenSSL has no way to save a public key to a file which is baffling. M2Crypto has that ability but apparently no usable way to verify a certificate?

Is there really no usable module out there to enable straightforward certificate handling?

Regards,
  Dennis



#93498

From: Laura Creighton <lac@openend.se>
Date: 2015-07-05 02:27 +0200
Message-ID: <mailman.295.1436056055.3674.python-list@python.org>
In reply to: #93473

In a message of Fri, 03 Jul 2015 17:11:10 -0700, Dennis Jacobfeuerborn writes:
>Hi,
>I'm trying to implement certificate functionality in a python app but after fighting with pyOpenSSL and M2Crypto I'm thinking about writing wrapper functions for the OpenSSL command line tool instead or switching the app to another language altogether.
>
>Apparently PyOpenSSL has no way to save a public key to a file which is baffling. M2Crypto has that ability but apparently no usable way to verify a certificate?

PyOpenSSL does, you must have missed it when looking.
You are looking for OpenSSL.crypto.dump_certificate(type, cert)
    Dump the certificate cert into a buffer string encoded with the type type.

Laura 



#93501

From: Laura Creighton <lac@openend.se>
Date: 2015-07-05 07:33 +0200
Message-ID: <mailman.296.1436074403.3674.python-list@python.org>
In reply to: #93473

In a message of Sun, 05 Jul 2015 02:27:22 +0200, Laura Creighton writes:
>In a message of Fri, 03 Jul 2015 17:11:10 -0700, Dennis Jacobfeuerborn writes:
>>Hi,
>>I'm trying to implement certificate functionality in a python app but after fighting with pyOpenSSL and M2Crypto I'm thinking about writing wrapper functions for the OpenSSL command line tool instead or switching the app to another language altogether.
>>
>>Apparently PyOpenSSL has no way to save a public key to a file which is baffling. M2Crypto has that ability but apparently no usable way to verify a certificate?
>
>PyOpenSSL does, you must have missed it when looking.
>You are looking for OpenSSL.crypto.dump_certificate(type, cert)
>    Dump the certificate cert into a buffer string encoded with the type type.
>
>Laura 

Excuse me.  I misunderstood your mail.  You only want to save the
public key, and not a certificate or a certificate request.

I don't see a way to do this in PEM or ASN.1 format.

For an RSA key in PEM format you can do:
from OpenSSL.crypto import _new_mem_buf, _lib, _bio_to_string

def dump_rsa_public_key(pkey):
    bio = _new_mem_buf()
    result = _lib.PEM_write_bio_RSAPublicKey(bio, _lib.EVP_PKEY_get1_RSA(pkey._pkey))
    # if result == 0: ERROR!  Figure out what you want to do here ...
    return _bio_to_string(bio)

There are similar things for other formats and DSA keys.  

The original version of PyOpenSSL was written by Martin Sjögren, when
he was working for me, and we had no need for such a thing at the time,
since we just saved full certificates.  You are right that it is very
odd that nobody else has needed them since then, and this probably
should be added to PyOpenSSL.

Laura



#93537

From: Johannes Bauer <dfnsonfsduifb@gmx.de>
Date: 2015-07-06 21:24 +0200
Message-ID: <mnekm9$rf4$1@news.albasani.net>
In reply to: #93501

On 05.07.2015 07:33, Laura Creighton wrote:

> For an RSA key in PEM format you can do:
> from OpenSSL.crypto import _new_mem_buf, _lib, _bio_to_string
> 
> def dump_rsa_public_key(pkey):
>     bio = _new_mem_buf()
>     result = _lib.PEM_write_bio_RSAPublicKey(bio, _lib.EVP_PKEY_get1_RSA(pkey._pkey))
>     # if result == 0: ERROR!  Figure out what you want to do here ...
>     return _bio_to_string(bio)

Oooooh, hacky :-)

> The original version of PyOpenSSL was written by Martin Sjögren, when
> he was working for me, and we had no need for such a thing at the time,
> since we just saved full certificates.  You are right that it is very
> odd that nobody else has needed them since then, and this probably
> should be added to PyOpenSSL.

Sadly my impression is that pyOpenSSL development is slow at best. I've
had an issue with it a while back and was missing some feature which
someone else had already suggested. It kind of was some back and forth in
their bugtracker and then all discussion died.

IIRC (and my memory may be wrong) it was about the ability to check
signatures of one certificate against a well-defined truststore
(especially against only one to identify parent certificates by crypto).
I was frustrated back then about the indecisiveness and wrote my own
wrapper around the functions I needed and was done with it.

Best regards,
Johannes

-- 
>> Where EXACTLY did you predict the quake again?
> At least not publicly!
Ah, the newest and to this day most brilliant stunt of our great
cosmologists: the secret prediction.
 - Karl Kaos on Rüdiger Thomas in dsa <hidbv3$om2$1@speranza.aioe.org>
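
The two needs raised in this thread, saving only a certificate's public key and identifying a certificate's parent in a fixed trust store by signature rather than by name, shown as an added example that is not from any poster or from pyOpenSSL. It uses the public API of the `cryptography` package instead of pyOpenSSL's private helpers; the function names and the in-process sample certificates are constructed for illustration, and RSA signatures are assumed.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def make_cert(subject_cn, key, issuer_cn, issuer_key):
    """Constructed sample certificate: key's public half, signed by issuer_key."""
    now = datetime.datetime.now(datetime.timezone.utc)
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(issuer_key, hashes.SHA256()))

def public_key_pem(cert):
    """The certificate's public key alone, as SubjectPublicKeyInfo PEM."""
    # PublicFormat.PKCS1 would give the "RSA PUBLIC KEY" form instead.
    return cert.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo)

def signed_by(cert, issuer_cert):
    """True only if issuer_cert's RSA key produced cert's signature."""
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False

def find_parents(cert, truststore):
    """Trust-store entries matching by issuer name AND by signature."""
    return [ca for ca in truststore
            if ca.subject == cert.issuer and signed_by(cert, ca)]

if __name__ == "__main__":
    key_a, key_b, leaf_key = new_key(), new_key(), new_key()
    ca_a = make_cert("Example CA", key_a, "Example CA", key_a)
    ca_b = make_cert("Example CA", key_b, "Example CA", key_b)  # same name, other key
    leaf = make_cert("leaf.example", leaf_key, "Example CA", key_a)
    print(public_key_pem(leaf).decode(), find_parents(leaf, [ca_a, ca_b]) == [ca_a])
```

`signed_by` checks the signature only; validity dates, basicConstraints and revocation still need full path validation before a certificate is trusted.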
