From hacim.rekab at gmail.com Mon Oct 5 01:33:40 2015
From: hacim.rekab at gmail.com (Micah Baker)
Date: Sun, 4 Oct 2015 16:33:40 -0700
Subject: [Cryptography-dev] SCEP OID support
Message-ID: <1F9A0B3D-4D30-4737-B5AC-3BE20239795D@gmail.com>

I'm attempting to build a SCEP server using cryptography and don't see a way to add OIDs not already defined by the module. If it is not possible to use other real OIDs, can we add the half-dozen SCEP OIDs to cryptography? The OIDs can be found here: https://tools.ietf.org/html/draft-gutmann-scep-01#page-17. If someone is willing to give me some pointers I could try to write a patch for this, assuming it's just a table of supported OIDs somewhere.

From paul.l.kehrer at gmail.com Mon Oct 5 01:59:29 2015
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Sun, 4 Oct 2015 18:59:29 -0500
Subject: [Cryptography-dev] SCEP OID support
In-Reply-To: <1F9A0B3D-4D30-4737-B5AC-3BE20239795D@gmail.com>
References: <1F9A0B3D-4D30-4737-B5AC-3BE20239795D@gmail.com>

Micah,

You can define any OID you want just by passing a string of the dotted value of the OID to the constructor of x509.ObjectIdentifier. You won't get the human readable name, but that's not a big deal. However, that class is really just a convenience and doesn't have any behavior so I'm not sure what benefit it would be to you when implementing SCEP. Could you elaborate a bit on what you're trying to do?

-Paul (reaperhulk)

_______________________________________________
Cryptography-dev mailing list
Cryptography-dev at python.org
https://mail.python.org/mailman/listinfo/cryptography-dev

From hacim.rekab at gmail.com Mon Oct 5 02:03:50 2015
From: hacim.rekab at gmail.com (Micah Baker)
Date: Sun, 4 Oct 2015 17:03:50 -0700
Subject: [Cryptography-dev] SCEP OID support
References: <1F9A0B3D-4D30-4737-B5AC-3BE20239795D@gmail.com>
Message-ID: <7A6592C1-C112-4C4B-BC1C-4F8CB3453B12@gmail.com>

Hi Paul,

SCEP requires a senderNonce and transactionID to be returned to the client requesting the certificate. Those two values are included in the signed message the client sends to the server, and then the server must take the two values and include them in the response to the client or the client is supposed to reject the response. This is not just adding an OID for a capability, it's also adding a value to the OID which must be included in the signed response. Does x509.ObjectIdentifier allow something to the effect of 1.2.3.4=some random bytes or text?

Thanks,

Micah

From paul.l.kehrer at gmail.com Mon Oct 5 16:32:12 2015
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Mon, 5 Oct 2015 09:32:12 -0500
Subject: [Cryptography-dev] SCEP OID support
In-Reply-To: <7A6592C1-C112-4C4B-BC1C-4F8CB3453B12@gmail.com>
References: <1F9A0B3D-4D30-4737-B5AC-3BE20239795D@gmail.com> <7A6592C1-C112-4C4B-BC1C-4F8CB3453B12@gmail.com>

It has been a long time since I looked at SCEP, but it looks like it requires PKCS7 SignedData/EnvelopedData structures? Cryptography can't generate arbitrary ASN.1 so you'd need to generate it outside of cryptography (using something like pyasn1 or https://github.com/wbond/asn1crypto) and then sign it using cryptography (which may or may not be possible with the currently exposed primitives -- I didn't dig into how SCEP does the SignedData).

I suspect what you need here is a PKCS7 implementation in cryptography, since that would hypothetically allow you to build/sign arbitrary PKCS7 structures, but maybe I'm misunderstanding the problem and it's simpler than that.

-Paul

From cherian.rosh at gmail.com Thu Oct 8 01:31:26 2015
From: cherian.rosh at gmail.com (Roshan Cherian)
Date: Wed, 7 Oct 2015 16:31:26 -0700
Subject: [Cryptography-dev] pkcs12 to pkcs7

Hi Team,

I have a requirement to convert from p12 to p7. I am sorry for my little knowledge on this. I am doing the following:

    p12 = load_pkcs12(file(self._pkcs12Path, 'rb').read())
    pem = dump_certificate(FILETYPE_PEM, p12.get_certificate())
    p7 = load_pkcs7_data(FILETYPE_PEM, pem)

However I am getting an error:

    Error: [('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'wrong tag'), ('asn1 encoding routines', 'ASN1_D2I_EX_PRIMITIVE', 'nested asn1 error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('PEM routines', 'PEM_ASN1_read_bio', 'ASN1 lib')]

I am pretty sure I am doing something wrong, could you help?

Thanks,

-Roshan

From paul.l.kehrer at gmail.com Wed Oct 14 04:21:03 2015
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Tue, 13 Oct 2015 21:21:03 -0500
Subject: [Cryptography-dev] pkcs12 to pkcs7

Hi Roshan,

It appears you're using the pyOpenSSL API so you'll probably get more help on the pyopenssl-users mailing list (https://mail.python.org/mailman/listinfo/pyopenssl-users).

-Paul Kehrer (reaperhulk)

From hs at ox.cx Wed Oct 14 07:46:28 2015
From: hs at ox.cx (Hynek Schlawack)
Date: Wed, 14 Oct 2015 07:46:28 +0200
Subject: [Cryptography-dev] Mailing lists (was: Re: pkcs12 to pkcs7)
Message-ID: <7C8418CE-DE82-404E-84AF-BAA7113A3248@ox.cx>

This reminds me that we should merge those lists. pyopenssl-users is not a very active mailing list and has just ~60 subscribers.

Since pyopenssl is incorporated into PyCA now, I don't think it makes sense to keep it around.

Opinions?

-h

From terrycwk1994 at gmail.com Wed Oct 14 08:26:04 2015
From: terrycwk1994 at gmail.com (Terry Chia)
Date: Wed, 14 Oct 2015 06:26:04 +0000
Subject: [Cryptography-dev] Mailing lists (was: Re: pkcs12 to pkcs7)
In-Reply-To: <7C8418CE-DE82-404E-84AF-BAA7113A3248@ox.cx>
References: <7C8418CE-DE82-404E-84AF-BAA7113A3248@ox.cx>

If that's the case maybe we should rename this list to pyca or something like that? This goes for the IRC channel as well btw.

From paul.l.kehrer at gmail.com Wed Oct 14 16:28:28 2015
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Wed, 14 Oct 2015 09:28:28 -0500
Subject: [Cryptography-dev] Mailing lists (was: Re: pkcs12 to pkcs7)
References: <7C8418CE-DE82-404E-84AF-BAA7113A3248@ox.cx>

We've had some discussion around this in the past. The current list topic is "A list for discussing the development of cryptography libraries in python", which is more generic than I thought it was. That said, renaming it might be useful. Do we want the list to focus exclusively on development of said libraries or do we want to open it up to user questions?

Renaming the IRC channel has my full support (#pyca or #pyca-dev). Freenode even has support for auto-redirecting users to the new channel name. If we're going to do that I'd like more devs to weigh in though.

-Paul

From donald at stufft.io Wed Oct 14 16:29:24 2015
From: donald at stufft.io (Donald Stufft)
Date: Wed, 14 Oct 2015 10:29:24 -0400
Subject: [Cryptography-dev] Mailing lists (was: Re: pkcs12 to pkcs7)
References: <7C8418CE-DE82-404E-84AF-BAA7113A3248@ox.cx>

I would be pro renaming IRC channels.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

From hs at ox.cx Wed Oct 14 16:31:50 2015
From: hs at ox.cx (Hynek Schlawack)
Date: Wed, 14 Oct 2015 16:31:50 +0200
Subject: [Cryptography-dev] Mailing lists (was: Re: pkcs12 to pkcs7)
References: <7C8418CE-DE82-404E-84AF-BAA7113A3248@ox.cx>
Message-ID: <7ABED8B8-135A-459D-8658-42C782C1E9FE@ox.cx>

I don't think we have enough traffic on both to justify two channels. Let's just go for #pyca and a mailing list pyca and add -dev variants if there's a volume problem.

I'd also like to re-propose to get pyca.io as a shared TLD (pyca.org is for sale for $750 so if we all pitched in, we could also get that one :)).

-h

From hacim.rekab at gmail.com Thu Oct 15 03:46:40 2015
From: hacim.rekab at gmail.com (Micah Baker)
Date: Wed, 14 Oct 2015 18:46:40 -0700
Subject: [Cryptography-dev] SCEP OID support
References: <1F9A0B3D-4D30-4737-B5AC-3BE20239795D@gmail.com> <7A6592C1-C112-4C4B-BC1C-4F8CB3453B12@gmail.com>

Hi Paul,

I already have the ASN.1 dotted notation values and just need a way to sign the PKCS7 EnvelopedData with those OIDs. I think you are correct in that what I need here is a way to build and sign arbitrary PKCS7 structures since SCEP does some nesting. The diagram on Page 14/15 of the IETF draft for SCEP is a helpful way to visualize it: https://tools.ietf.org/html/draft-gutmann-scep-01#page-15

Would this be something the community is interested in?

Thanks,

Micah

From paul.l.kehrer at gmail.com Thu Oct 15 06:12:38 2015
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Wed, 14 Oct 2015 23:12:38 -0500
Subject: [Cryptography-dev] SCEP OID support
References: <1F9A0B3D-4D30-4737-B5AC-3BE20239795D@gmail.com> <7A6592C1-C112-4C4B-BC1C-4F8CB3453B12@gmail.com>
Message-ID: <94140920-754F-4B3D-96C7-91DE2C743816@gmail.com>

There is definitely a great deal of interest in PKCS7 support. Previously we've had to wait while we worked on X509 but now that we have a reasonable implementation of that we can talk more about PKCS7. If you'd like to take a stab at an API proposal to start just file an issue with it and we can start discussing there!

-Paul (reaperhulk)

From jcea at jcea.es Tue Oct 20 14:30:45 2015
From: jcea at jcea.es (Jesus Cea)
Date: Tue, 20 Oct 2015 14:30:45 +0200
Subject: [Cryptography-dev] Creation and signing of X.509 certificates
Message-ID: <562633F5.30302@jcea.es>

I wonder if current library release can create X.509 certificates as clients and CAs, and signing those certificates with a CA certificate (generated with cryptography library too).

I want to drop OpenSSL for this activity for good!

--
Jesús Cea Avión                         _/_/      _/_/_/        _/_/_/
jcea at jcea.es - http://www.jcea.es/     _/_/    _/_/  _/_/    _/_/  _/_/
Twitter: @jcea                        _/_/    _/_/          _/_/_/_/_/
jabber / xmpp:jcea at jabber.org  _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"Love is placing your happiness in the happiness of another" - Leibniz


From paul.l.kehrer at gmail.com Tue Oct 20 14:57:44 2015
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Tue, 20 Oct 2015 07:57:44 -0500
Subject: [Cryptography-dev] Creation and signing of X.509 certificates
In-Reply-To: <562633F5.30302@jcea.es>
References: <562633F5.30302@jcea.es>
Message-ID:

Yes, cryptography is capable of generating certificates as of version 1.0. There are some less common extensions not yet supported when creating certificates (name constraints and certificate policies) but everything else is supported. Check out https://cryptography.io/en/latest/x509/reference/#x-509-certificate-builder

-Paul Kehrer (reaperhulk)

On October 20, 2015 at 7:30:55 AM, Jesus Cea (jcea at jcea.es) wrote:

> I wonder if current library release can create X.509 certificates as clients and CAs, and signing those certificates with a CA certificate (generated with cryptography library too).
>
> I want to drop OpenSSL for this activity for good!

From jcea at jcea.es Wed Oct 21 02:40:27 2015
From: jcea at jcea.es (Jesus Cea)
Date: Wed, 21 Oct 2015 02:40:27 +0200
Subject: [Cryptography-dev] Selecting alternative OpenSSL library
Message-ID: <5626DEFB.7020205@jcea.es>

My stock OpenSSL library is ancient so I installed an alternative
current OpenSSL release under "/usr/local/ssl". In order to compile
"cryptography" in this machine I must do:

$ LDFLAGS="-L/usr/local/ssl/lib" \
  CFLAGS="-I/usr/local/ssl/include" \
  python -m pip install -U cryptography

This is a Solaris machine, but I guess the same can be done in Linux,
and other unix-like OSs.

Please, add something about this in
.

Thanks for "cryptography". It is an amazing product.

PS: How can I know what OpenSSL version is using "cryptography", beside
checking the loaded shared objects by hand? :):

"""
$ python3
Python 3.5.0 (dtrace-issue13405_3.5:a7da156226da, Sep 13 2015, 18:22:50)
[GCC 5.2.0] on sunos5
Type "help", "copyright", "credits" or "license" for more information.
>>> import cryptography
>>> from cryptography.hazmat.bindings.openssl.binding import Binding
>>> import os
>>> os.getpid()
22075
...
[In another terminal]
$ # pmap 22075 | grep -i ssl
FDF00000 1536K r-x-- /usr/local/ssl/lib/libcrypto.so.1.0.0
FE08F000 92K rwx-- /usr/local/ssl/lib/libcrypto.so.1.0.0
FE0A6000 8K rwx-- /usr/local/ssl/lib/libcrypto.so.1.0.0
FE0B0000 376K r-x-- /usr/local/ssl/lib/libssl.so.1.0.0
FE11D000 28K rwx-- /usr/local/ssl/lib/libssl.so.1.0.0
FE130000 552K r-x-- /usr/local/lib/python3.5/site-packages/cryptography/hazmat/bindings/_openssl.so
FE1C9000 60K rwx-- /usr/local/lib/python3.5/site-packages/cryptography/hazmat/bindings/_openssl.so
"""

From erik.trauschke at gmail.com Wed Oct 21 03:18:23 2015
From: erik.trauschke at gmail.com (Erik Trauschke)
Date: Tue, 20 Oct 2015 18:18:23 -0700
Subject: [Cryptography-dev] Selecting alternative OpenSSL library
In-Reply-To: <5626DEFB.7020205@jcea.es>
References: <5626DEFB.7020205@jcea.es>
Message-ID:

I would add a run path to your LDFLAGS, this way you can be sure it picks up the correct OpenSSL library if your library search paths are not set to the right value by crle or things like LD_LIBRARY_PATH.

You can do that by adding -R/path/to/lib to LDFLAGS.

Erik

On Tue, Oct 20, 2015 at 5:40 PM, Jesus Cea wrote:
> My stock OpenSSL library is ancient so I installed an alternative
> current OpenSSL release under "/usr/local/ssl". In order to compile
> "cryptography" in this machine I must do:
>
> $ LDFLAGS="-L/usr/local/ssl/lib" \
>   CFLAGS="-I/usr/local/ssl/include" \
>   python -m pip install -U cryptography
>
> This is a Solaris machine, but I guess the same can be done in Linux,
> and other unix-like OSs.
>
> Please, add something about this in
> .
>
> Thanks for "cryptography". It is an amazing product.
>
> PS: How can I know what OpenSSL version is using "cryptography", beside
> checking the loaded shared objects by hand? :):
>
> """
> $ python3
> Python 3.5.0 (dtrace-issue13405_3.5:a7da156226da, Sep 13 2015, 18:22:50)
> [GCC 5.2.0] on sunos5
> Type "help", "copyright", "credits" or "license" for more information.
> >>> import cryptography
> >>> from cryptography.hazmat.bindings.openssl.binding import Binding
> >>> import os
> >>> os.getpid()
> 22075
> ...
> [In another terminal]
> $ # pmap 22075 | grep -i ssl
> FDF00000 1536K r-x-- /usr/local/ssl/lib/libcrypto.so.1.0.0
> FE08F000 92K rwx-- /usr/local/ssl/lib/libcrypto.so.1.0.0
> FE0A6000 8K rwx-- /usr/local/ssl/lib/libcrypto.so.1.0.0
> FE0B0000 376K r-x-- /usr/local/ssl/lib/libssl.so.1.0.0
> FE11D000 28K rwx-- /usr/local/ssl/lib/libssl.so.1.0.0
> FE130000 552K r-x--
> /usr/local/lib/python3.5/site-packages/cryptography/hazmat/bindings/_openssl.so
> FE1C9000 60K rwx--
> /usr/local/lib/python3.5/site-packages/cryptography/hazmat/bindings/_openssl.so
> """

From cory at lukasa.co.uk Wed Oct 21 09:48:04 2015
From: cory at lukasa.co.uk (Cory Benfield)
Date: Wed, 21 Oct 2015 08:48:04 +0100
Subject: [Cryptography-dev] Selecting alternative OpenSSL library
In-Reply-To: <5626DEFB.7020205@jcea.es>
References: <5626DEFB.7020205@jcea.es>
Message-ID: <8FFEC500-C432-42CA-8127-60C92FE19F3E@lukasa.co.uk>

> On 21 Oct 2015, at 01:40, Jesus Cea wrote:
>
> My stock OpenSSL library is ancient so I installed an alternative
> current OpenSSL release under "/usr/local/ssl". In order to compile
> "cryptography" in this machine I must do:
>
> $ LDFLAGS="-L/usr/local/ssl/lib" \
>   CFLAGS="-I/usr/local/ssl/include" \
>   python -m pip install -U cryptography
>
> This is a Solaris machine, but I guess the same can be done in Linux,
> and other unix-like OSs.
>
> Please, add something about this in
> .

We're already very close to this: the instructions in the "static wheels" section of the documentation[0], while slightly more complicated, include the LDFLAGS and CFLAGS notation. The OS X section includes it as well. I wonder if we need to extend the "using your own OpenSSL on Linux" section [1] to include the LDFLAGS and CFLAGS.

[0]: https://cryptography.io/en/latest/installation/#static-wheels
[1]: https://cryptography.io/en/latest/installation/#using-your-own-openssl-on-linux

> PS: How can I know what OpenSSL version is using "cryptography", beside
> checking the loaded shared objects by hand? :):

Try this:

$ python -c "from cryptography.hazmat.backends.openssl.backend import backend;print(backend.openssl_version_text())"

Cory

From jcea at jcea.es Wed Oct 21 12:47:32 2015
From: jcea at jcea.es (Jesus Cea)
Date: Wed, 21 Oct 2015 12:47:32 +0200
Subject: [Cryptography-dev] Selecting alternative OpenSSL library
In-Reply-To:
References: <5626DEFB.7020205@jcea.es>
Message-ID: <56276D44.7080009@jcea.es>

On 21/10/15 03:18, Erik Trauschke wrote:
> I would add a run path to your LDFLAGS, this way you can be sure it
> picks up the correct OpenSSL library if your library search paths are
> not set to the right value by crle or things like LD_LIBRARY_PATH.
>
> You can do that by adding -R/path/to/lib to LDFLAGS.

Good point. I don't need it because of my particular configuration, but it
is something to document somewhere.

"""
$ ldd /usr/local/lib/python3.5/site-packages/cryptography/hazmat/bindings/_openssl.so
libssl.so.1.0.0 => /usr/local/ssl/lib//libssl.so.1.0.0
libcrypto.so.1.0.0 => /usr/local/ssl/lib//libcrypto.so.1.0.0
libpython3.5m.so.1.0 => /usr/local/lib/libpython3.5m.so.1.0
...
"""

From jcea at jcea.es Wed Oct 21 12:59:18 2015
From: jcea at jcea.es (Jesus Cea)
Date: Wed, 21 Oct 2015 12:59:18 +0200
Subject: [Cryptography-dev] Selecting alternative OpenSSL library
In-Reply-To: <8FFEC500-C432-42CA-8127-60C92FE19F3E@lukasa.co.uk>
References: <5626DEFB.7020205@jcea.es> <8FFEC500-C432-42CA-8127-60C92FE19F3E@lukasa.co.uk>
Message-ID: <56277006.1060700@jcea.es>

On 21/10/15 09:48, Cory Benfield wrote:
> We're already very close to this: the instructions in the "static wheels" section of the documentation[0], while slightly more complicated, include the LDFLAGS and CFLAGS notation. The OS X section includes it as well. I wonder if we need to extend the "using your own OpenSSL on Linux" section [1] to include the LDFLAGS and CFLAGS.

Yes, please add something to the Linux section.

>> PS: How can I know what OpenSSL version is using "cryptography", beside
>> checking the loaded shared objects by hand? :):
>
> Try this:
>
> $ python -c "from cryptography.hazmat.backends.openssl.backend import backend;print(backend.openssl_version_text())"

Great. Please, document it in that webpage :-).

From peter.allen.hamilton at gmail.com Tue Oct 27 15:27:25 2015
From: peter.allen.hamilton at gmail.com (Peter Hamilton)
Date: Tue, 27 Oct 2015 15:27:25 -0400
Subject: [Cryptography-dev] Questions on writing EllipticCurve test fixtures
Message-ID:

I'm trying to add a tests/hazmat/primitives/fixtures_ec.py file containing EllipticCurve fixtures for use in testing the certificate validation feature I'm working on, and I have a few questions. I'm using OpenSSL to generate EllipticCurve public/private keys, with the intent of then adding them in fixtures_ec.py as Python literals (like how fixtures_rsa.py and fixtures_dsa.py handle things).

When defining EllipticCurvePrivateNumbers, is the hex string used for the private_value argument taken verbatim from the priv field in the EllipticCurve private key file, or is it the hex of the integer produced after converting the priv hex string according to the rules in RFC 5915 and 3447? I have the same questions regarding the x and y fields of the EllipticCurvePublicNumbers object that's also needed by EllipticCurvePrivateNumbers. It's not clear to me, from looking at the RSA and DSA examples, how they're handled so without more context here I'm pretty much stuck. I tried backtracking how the EllipticCurvePrivateNumbers data is used by the backends but I didn't find anything that shed light on the situation.

Also, is OpenSSL the best tool to use here for generating these test examples? It's what I've always used but if there's another tool that generates the EllipticCurve keys in the format that cryptography expects, I'm happy to switch to using that to generate the examples.

Thanks for your time,
Peter Hamilton
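
The conversion asked about in the message above, and described in words in the reply that follows, as an added example that is not code from the thread or from the cryptography project. It assumes the ASN.1 wrappers have already been removed, so the inputs are the raw private-value octets and the uncompressed point octets; the helper names are hypothetical, the key is generated in the example as constructed sample input, and a cryptography release where the backend argument is optional is assumed.

```python
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


def octets_to_int(data):
    """Big-endian octet string -> integer, as needed for private_value."""
    return int.from_bytes(data, "big")


def decode_uncompressed_point(curve, point):
    """Split an uncompressed point (0x04 || X || Y) into integers x and y."""
    size = (curve.key_size + 7) // 8
    if not point or point[0] != 0x04:
        raise ValueError("only the uncompressed form (leading 0x04) is handled")
    if len(point) != 1 + 2 * size:
        raise ValueError("expected %d octets, got %d" % (1 + 2 * size, len(point)))
    return octets_to_int(point[1:1 + size]), octets_to_int(point[1 + size:])


def numbers_from_octets(curve, priv_octets, point_octets):
    """Build the fixture object from the two octet strings."""
    x, y = decode_uncompressed_point(curve, point_octets)
    public = ec.EllipticCurvePublicNumbers(x, y, curve)
    return ec.EllipticCurvePrivateNumbers(octets_to_int(priv_octets), public)


def demo():
    curve = ec.SECP256R1()
    original = ec.generate_private_key(curve)  # constructed sample key
    size = (curve.key_size + 7) // 8
    # Constructed sample input: the octet strings as they sit inside a key file.
    priv_octets = original.private_numbers().private_value.to_bytes(size, "big")
    point_octets = original.public_key().public_bytes(
        Encoding.X962, PublicFormat.UncompressedPoint)

    rebuilt = numbers_from_octets(curve, priv_octets, point_octets).private_key()
    # A signature from the rebuilt key must verify under the original public key.
    message = b"fixture check"
    signature = rebuilt.sign(message, ec.ECDSA(hashes.SHA256()))
    original.public_key().verify(signature, message, ec.ECDSA(hashes.SHA256()))

    # Failure mode: a compressed point must not be split as if it were X || Y.
    compressed = original.public_key().public_bytes(
        Encoding.X962, PublicFormat.CompressedPoint)
    try:
        decode_uncompressed_point(curve, compressed)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "round_trip": rebuilt.private_numbers() == original.private_numbers(),
        "compressed_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```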

From ronf at timeheart.net Tue Oct 27 22:40:49 2015
From: ronf at timeheart.net (Ron Frederick)
Date: Tue, 27 Oct 2015 19:40:49 -0700
Subject: [Cryptography-dev] Questions on writing EllipticCurve test fixtures
In-Reply-To:
References:
Message-ID: <7D5777C6-3EDD-43C2-89A0-6A2004D17276@timeheart.net>

On Oct 27, 2015, at 12:27 PM, Peter Hamilton wrote:
> I'm trying to add a tests/hazmat/primitives/fixtures_ec.py file containing EllipticCurve fixtures for use in testing the certificate validation feature I'm working on, and I have a few questions. I'm using OpenSSL to generate EllipticCurve public/private keys, with the intent of then adding them in fixtures_ec.py as Python literals (like how fixtures_rsa.py and fixtures_dsa.py handle things).
>
> When defining EllipticCurvePrivateNumbers, is the hex string used for the private_value argument taken verbatim from the priv field in the EllipticCurve private key file, or is it the hex of the integer produced after converting the priv hex string according to the rules in RFC 5915 and 3447? I have the same questions regarding the x and y fields of the EllipticCurvePublicNumbers object that's also needed by EllipticCurvePrivateNumbers. It's not clear to me, from looking at the RSA and DSA examples, how they're handled so without more context here I'm pretty much stuck. I tried backtracking how the EllipticCurvePrivateNumbers data is used by the backends but I didn't find anything that shed light on the situation.

The private value in DER or PEM encoded ECDSA keys is an octet string, but it must be converted to an integer before it is passed to EllipticCurvePrivateNumbers. In Python, you can use "int.from_bytes" for this, passing in "big" as the byte order.

The x and y public values in DER or PEM encoded ECDSA values must also be converted to integer values before being passed to EllipticCurvePublicNumbers. However, they are encoded together in a single ASN.1 value which must be first decoded as described in RFC 5480 or http://www.secg.org/sec1-v2.pdf.

The point byte string is encoded as an ASN.1 bit string in the case of EC private keys, so it must first be decoded as bytes (and confirming that it is a multiple of 8 bits long with no padding bits). EC public keys encode this in ASN.1 directly as an octet string, so this last point isn't an issue there.

There's work going on right now to add EC point encode/decode functions to Cryptography, so if you wait a bit you won't need to code that yourself. See the discussion at:

https://github.com/pyca/cryptography/issues/2346

> Also, is OpenSSL the best tool to use here for generating these test examples? It's what I've always used but if there's another tool that generates the EllipticCurve keys in the format that cryptography expects, I'm happy to switch to using that to generate the examples.

I generally use OpenSSL to generate keys, but it's also possible to use "ssh-keygen". In addition to PKCS#8 and the older PEM encoding, it supports a few more formats, but those are probably only interesting if you are looking to interoperate with SSH rather than SSL.
--
Ron Frederick
ronf at timeheart.net

From peter.allen.hamilton at gmail.com Wed Oct 28 15:14:09 2015
From: peter.allen.hamilton at gmail.com (Peter Hamilton)
Date: Wed, 28 Oct 2015 15:14:09 -0400
Subject: [Cryptography-dev] Cryptography-dev Digest, Vol 27, Issue 10
In-Reply-To:
References:
Message-ID:

Thanks for the information Ron, it definitely helps.

It actually looks like as of yesterday EllipticCurvePublicNumbers has a from_encoded_point class method, which handles converting x/y. I should be able to use cryptography.utils.int_from_bytes to handle the private_value. With these two utilities, I should be good to go.

Thanks again!
Peter

From paul.l.kehrer at gmail.com Wed Oct 28 18:47:54 2015
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Thu, 29 Oct 2015 07:47:54 +0900
Subject: [Cryptography-dev] PyCA cryptography 1.1 released
Message-ID:

On behalf of all our contributors I am pleased to announce the release of PyCA/cryptography (https://github.com/pyca/cryptography) 1.1! cryptography is a package which provides cryptographic recipes and primitives to Python developers. Our goal is for it to be your "cryptographic standard library". We support Python 2.6-2.7, Python 3.3+, and PyPy.

Changelog (https://cryptography.io/en/latest/changelog/):

* Added support for Elliptic Curve Diffie-Hellman with ECDH.
* Added X963KDF.
* Added support for parsing certificate revocation lists (CRLs) using load_pem_x509_crl() and load_der_x509_crl().
* Add support for AES key wrapping with aes_key_wrap() and aes_key_unwrap().
* Added a __hash__ method to Name.
* Add support for encoding and decoding elliptic curve points to a byte string form using encode_point() and from_encoded_point().
* Added get_extension_for_class().
* CertificatePolicies are now supported in the CertificateBuilder.
* countryName is now encoded as a PrintableString when creating subject and issuer distinguished names with the Certificate and CSR builder classes.

...and other small improvements as always.

-Paul Kehrer (reaperhulk)

From benn.bollay at gmail.com Thu Oct 29 15:30:29 2015
From: benn.bollay at gmail.com (Benn Bollay)
Date: Thu, 29 Oct 2015 12:30:29 -0700
Subject: [Cryptography-dev] Validating certificate chains
Message-ID:

If I have two X509.Certificate objects, how would I validate that one is correctly subordinate (that is, the signature is correct) to the other?

Cheers,
--B

From benn.bollay at gmail.com Thu Oct 29 15:58:50 2015
From: benn.bollay at gmail.com (Benn Bollay)
Date: Thu, 29 Oct 2015 12:58:50 -0700
Subject: [Cryptography-dev] Certificate Chain Verification
Message-ID:

Hello folks -

Given a set of certificates, I'd like to verify that the chain is cryptographically correct, all of the certificates are chronologically valid, and so forth.

Cheers,
--B

From peter.allen.hamilton at gmail.com Thu Oct 29 16:22:10 2015
From: peter.allen.hamilton at gmail.com (Peter Hamilton)
Date: Thu, 29 Oct 2015 16:22:10 -0400
Subject: [Cryptography-dev] Certificate Chain Verification
In-Reply-To:
References:
Message-ID:

Hi Benn,

I'm still new to the cryptography community but I am currently working on adding a certificate validation feature that will do just this. I'm hoping to get the code up for it soon. Right now, I believe you would need to manually check the signer names, the signatures, and validity dates yourself to verify the whole chain.
See the following pull request for a little more information:

https://github.com/pyca/cryptography/pull/2387

Cheers,
Peter

On Thu, Oct 29, 2015 at 3:58 PM, Benn Bollay wrote:

> Hello folks -
>
> Given a set of certificates, I'd like to verify that the chain is
> cryptographically correct, all of the certificates are chronologically
> valid, and so forth.
>
> Cheers,
> --B

From benn.bollay at gmail.com Thu Oct 29 18:40:20 2015
From: benn.bollay at gmail.com (Benn Bollay)
Date: Thu, 29 Oct 2015 15:40:20 -0700
Subject: [Cryptography-dev] Certificate Chain Verification
In-Reply-To:
References:
Message-ID:

Ouch, that's a bummer of a response.

What's the alternative for me before this code gets sorted? Convert the x509 and public_key to PEM and cross-load them into, I dunno, pyOpenSSL or m2crypto or something else? (suggestions welcome).

Cheers,
--B

On Thu, Oct 29, 2015 at 1:22 PM, Peter Hamilton <peter.allen.hamilton at gmail.com> wrote:

> Hi Benn,
>
> I'm still new to the cryptography community but I am currently working on
> adding a certificate validation feature that will do just this. I'm hoping
> to get the code up for it soon. Right now, I believe you would need to
> manually check the signer names, the signatures, and validity dates
> yourself to verify the whole chain. See the following pull request for a
> little more information:
>
> https://github.com/pyca/cryptography/pull/2387
>
> Cheers,
> Peter
>
> On Thu, Oct 29, 2015 at 3:58 PM, Benn Bollay wrote:
>
>> Hello folks -
>>
>> Given a set of certificates, I'd like to verify that the chain is
>> cryptographically correct, all of the certificates are chronologically
>> valid, and so forth.
>>
>> Cheers,
>> --B

From vladimir.didenko at gmail.com Fri Oct 30 01:03:05 2015
From: vladimir.didenko at gmail.com (Vladimir Didenko)
Date: Fri, 30 Oct 2015 08:03:05 +0300
Subject: [Cryptography-dev] Certificate Chain Verification
In-Reply-To:
References:
Message-ID:

2015-10-30 1:40 GMT+03:00 Benn Bollay:

> Ouch, that's a bummer of a response.
>
> What's the alternative for me before this code gets sorted? Convert the
> x509 and public_key to PEM and cross-load them into, I dunno, pyOpenSSL or
> m2crypto or something else? (suggestions welcome).
>

I used pyOpenSSL for this task. The following code should give you a basic idea of how to implement it:
http://pastebin.com/GUh7F5pR

--
Regards,
Vladimir.

From erik.trauschke at gmail.com Fri Oct 30 11:11:03 2015
From: erik.trauschke at gmail.com (Erik Trauschke)
Date: Fri, 30 Oct 2015 08:11:03 -0700
Subject: [Cryptography-dev] Validating certificate chains
In-Reply-To:
References:
Message-ID:

You should be able to use X509_verify() for this. Just get the public key for the issuing certificate and then pass this plus the certificate you want to verify to X509_verify().

There are verification functions like that for CRL and CSR objects as well, which work the same way.

Erik

On Thu, Oct 29, 2015 at 12:30 PM, Benn Bollay wrote:
> If I have two X509.Certificate objects, how would I validate that one is
> correctly subordinate (that is, the signature is correct) to the other?
>
> Cheers,
> --B
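
The manual checks named in the two threads above (issuer name, signature made by the issuer's key, validity dates), as an added example that is not code from the thread or from the cryptography project. It goes one step beyond the messages by also requiring the issuer to carry a CA basic-constraints flag; it is not a full RFC 5280 path validation. The function names and test certificates are constructed here, and a cryptography release where the backend argument is optional is assumed.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID


def validity(cert):
    """(not_before, not_after) as aware UTC datetimes on old and new releases."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = timezone.utc
    return (cert.not_valid_before.replace(tzinfo=utc),
            cert.not_valid_after.replace(tzinfo=utc))


def signed_by(cert, issuer):
    """True if the issuer's public key verifies the signature on cert."""
    key, algo = issuer.public_key(), cert.signature_hash_algorithm
    try:
        if isinstance(key, rsa.RSAPublicKey):
            # Assumes PKCS#1 v1.5; an RSA-PSS certificate is reported as bad.
            key.verify(cert.signature, cert.tbs_certificate_bytes,
                       padding.PKCS1v15(), algo)
        elif isinstance(key, ec.EllipticCurvePublicKey):
            key.verify(cert.signature, cert.tbs_certificate_bytes,
                       ec.ECDSA(algo))
        else:
            return False  # key type not handled by this example
    except InvalidSignature:
        return False
    return True


def is_ca(cert):
    """True only if a BasicConstraints extension is present with ca=True."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
    except x509.ExtensionNotFound:
        return False
    return ext.value.ca


def check_chain(chain, trusted_root, now=None):
    """chain is ordered leaf first; returns a list of problems (empty = OK)."""
    now = now or datetime.now(timezone.utc)
    path = list(chain) + [trusted_root]
    problems = []
    for i, cert in enumerate(path):
        start, end = validity(cert)
        if not start <= now <= end:
            problems.append("cert %d: outside validity period" % i)
    for i, (cert, issuer) in enumerate(zip(path, path[1:])):
        if cert.issuer != issuer.subject:
            problems.append("cert %d: issuer name mismatch" % i)
        if not signed_by(cert, issuer):
            problems.append("cert %d: bad signature" % i)
        if not is_ca(issuer):
            problems.append("cert %d: issuer is not a CA" % i)
    return problems


def make_cert(subject, key, issuer, issuer_key, ca, start, days):
    """Build a constructed test certificate (sample data, not from the thread)."""
    def name(cn):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder()
            .subject_name(name(subject)).issuer_name(name(issuer))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None),
                           critical=True)
            .sign(issuer_key, hashes.SHA256()))


def demo():
    now = datetime.now(timezone.utc)
    day = timedelta(days=1)
    root_key, leaf_key, rogue_key = (
        ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Example Root", root_key, "Example Root", root_key,
                     True, now - day, 30)
    good = make_cert("leaf.example", leaf_key, "Example Root", root_key,
                     False, now - day, 10)
    # Same names, but signed with a key that is not the root's.
    forged = make_cert("leaf.example", leaf_key, "Example Root", rogue_key,
                       False, now - day, 10)
    expired = make_cert("leaf.example", leaf_key, "Example Root", root_key,
                        False, now - 20 * day, 10)
    return {"good": check_chain([good], root, now),
            "forged": check_chain([forged], root, now),
            "expired": check_chain([expired], root, now)}


if __name__ == "__main__":
    print(demo())
```

The forged certificate carries the right issuer name, so only the signature check catches it; comparing names alone is not a chain check.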