[pycrypto] How can I read a standard openssl private key with PyCrypto and decrypt with it?
William Heath
wgheath at gmail.com
Wed Aug 19 11:06:26 CST 2009
I am looking for any way to do this on google app engine using any python
library. Do you have any ideas on that?
-Tim
On Tue, Aug 18, 2009 at 8:26 PM, Dwayne C. Litzenberger <dlitz at dlitz.net>wrote:
> On Tue, Aug 18, 2009 at 06:07:53PM -0700, William Heath wrote:
> >I generated a private key with:
> >
> > openssl.exe req -x509 -nodes -days 365 -newkey rsa:1024 -keyout
> >sdgidfedapp11.corp.intuit.net.key -out sdgidfedapp11.corp.intuit.net.crt
> >
> >I can't figure out is how to use PyCrypto.RSA.construct with it
> >to decrypt something.
> [snip]
> >I am sure there is a way to do this with PyCrypto, anyone know how to do
> it?
>
> I am not aware of any simple way to do what you ask without using a
> separate library. PKCS#1 and X.509 are not implemented in PyCrypto, and as
> far as I understand, you would need both to do anything useful with such a
> key.
>
> At this time, PyCrypto's API for RSA is somewhat confusing: It only
> implements textbook RSA, so it's not really useful for anyone except other
> crypto library developers (e.g. Paramiko, Twisted, etc.). You might be
> able to use OpenSSL to generate hex values for each of the parameters, then
> parse the results and feed them to RSA.construct yourself using something
> like this:
>
> openssl rsa -text -in sdgidfedapp11.corp.intuit.net.key
>
> However, since PyCrypto lacks PKCS#1 support, if you aren't careful or if
> you don't know exactly what you are doing, you will probably expose your
> private key to compromise.
>
> If you want to do practical public-key work with X.509 today, you might
> want to check out other libraries like pycryptopp, Google Key Czar, and
> M2Crypto. Also, Paramiko (which depends on PyCrypto) might support at
> least reading those files, since IIRC they're also used for SSH private
> keys.
>
> Please do remember that PyCrypto's current RSA functions are insecure if
> used directly. I would like to introduce a simple public key API at some
> point, but right now it doesn't exist.
>
> If you're doing any low-level work with RSA, you should at minimum, read
> and understand this overview paper:
>
> http://www.cs.bgu.ac.il/~beimel/Courses/crypto/Boneh.pdf
>
> Also, as a side note, 1024-bit RSA keys are a little on the short side
> today. I would recommend nothing less than 2048 bits:
>
> http://www.google.com/search?q=1024-bit+RSA
>
> Hope that helps.
>
> Cheers,
> - Dwayne
>
> --
> Dwayne C. Litzenberger <dlitz at dlitz.net>
> Key-signing key - 19E1 1FE8 B3CF F273 ED17 4A24 928C EC13 39C2 5CF7
> _______________________________________________
> pycrypto mailing list
> pycrypto at lists.dlitz.net
> http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.dlitz.net/pipermail/pycrypto/attachments/20090819/e650d1b4/attachment.htm
More information about the pycrypto
mailing list