[pycrypto] How can I read a standard openssl private key with PyCrypto and decrypt with it?
Dwayne C. Litzenberger
dlitz at dlitz.net
Tue Aug 18 21:26:30 CST 2009
On Tue, Aug 18, 2009 at 06:07:53PM -0700, William Heath wrote:
>I generated a private key with:
> openssl.exe req -x509 -nodes -days 365 -newkey rsa:1024 -keyout
>sdgidfedapp11.corp.intuit.net.key -out sdgidfedapp11.corp.intuit.net.crt
>I can't figure out is how to use PyCrypto.RSA.construct with it
>to decrypt something.
>I am sure there is a way to do this with PyCrypto, anyone know how to do it?
I am not aware of any simple way to do what you ask without using a
separate library. PKCS#1 and X.509 are not implemented in PyCrypto, and as
far as I understand, you would need both to do anything useful with such a
At this time, PyCrypto's API for RSA is somewhat confusing: It only
implements textbook RSA, so it's not really useful for anyone except other
crypto library developers (e.g. Paramiko, Twisted, etc.). You might be
able to use OpenSSL to generate hex values for each of the parameters, then
parse the results and feed them to RSA.construct yourself using something
openssl rsa -text -in sdgidfedapp11.corp.intuit.net.key
However, since PyCrypto lacks PKCS#1 support, if you aren't careful or if
you don't know exactly what you are doing, you will probably expose your
private key to compromise.
If you want to do practical public-key work with X.509 today, you might
want to check out other libraries like pycryptopp, Google Key Czar, and
M2Crypto. Also, Paramiko (which depends on PyCrypto) might support at
least reading those files, since IIRC they're also used for SSH private
Please do remember that PyCrypto's current RSA functions are insecure if
used directly. I would like to introduce a simple public key API at some
point, but right now it doesn't exist.
If you're doing any low-level work with RSA, you should at minimum, read
and understand this overview paper:
Also, as a side note, 1024-bit RSA keys are a little on the short side
today. I would recommend nothing less than 2048 bits:
Hope that helps.
Dwayne C. Litzenberger <dlitz at dlitz.net>
Key-signing key - 19E1 1FE8 B3CF F273 ED17 4A24 928C EC13 39C2 5CF7
More information about the pycrypto