From francesco.rizzi at gmail.com Tue Apr 4 08:14:23 2017
From: francesco.rizzi at gmail.com (Francesco Rizzi)
Date: Tue, 4 Apr 2017 08:14:23 -0400
Subject: [Cryptography-dev] Building for AWS Linux AMI

Hi all.
I've been trying to get a build of cryptography targeting the AWS Linux AMI used by AWS Lambda (AMIs listed on https://aws.amazon.com/amazon-linux-ami/ ), but failed repeatedly.

Has anyone done so already? Or could try?

I also found a "Lambda-Packages" github ( https://github.com/Miserlou/lambda-packages ) that seems to include cryptography pre-built for that target, but that also led to errors ( https://github.com/Miserlou/lambda-packages/issues/41 )

Thanks in advance,
FR

From paul.l.kehrer at gmail.com Tue Apr 4 12:27:57 2017
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Tue, 4 Apr 2017 12:27:57 -0400
Subject: [Cryptography-dev] Building for AWS Linux AMI

That lambda-packages project looks like an approach that would work. The error you describe in your issue is because you'll need to separately install cryptography's dependencies. You can see those dependencies by looking in setup.py (although you'll need to evaluate some Python code in your head). The current version of cryptography (1.8.1) has slightly different dependencies so you'll need to look at the setup.py in that tarball.

On April 4, 2017 at 8:14:40 PM, Francesco Rizzi (francesco.rizzi at gmail.com) wrote:

Hi all.
I've been trying to get a build of cryptography targeting the AWS Linux AMI used by AWS Lambda (AMIs listed on https://aws.amazon.com/amazon-linux-ami/ ), but failed repeatedly.

Has anyone done so already? Or could try?
I also found a "Lambda-Packages" github ( https://github.com/Miserlou/lambda-packages ) that seems to include cryptography pre-built for that target, but that also led to errors ( https://github.com/Miserlou/lambda-packages/issues/41 )

Thanks in advance,
FR
_______________________________________________
Cryptography-dev mailing list
Cryptography-dev at python.org
https://mail.python.org/mailman/listinfo/cryptography-dev

From matt.s.b.42 at gmail.com Tue Apr 4 20:25:30 2017
From: matt.s.b.42 at gmail.com (Matt Bullock)
Date: Wed, 05 Apr 2017 00:25:30 +0000
Subject: [Cryptography-dev] Building for AWS Linux AMI

A couple months ago I put together a CodeBuild project for building cryptography for just this type of use. I was specifically targeting building against (and packaging) a newer version of OpenSSL than is present on Lambda, but it solves the general problem of building it as part of that. You should be able to lightly modify the buildspec to just package up the wheel files, or you could use this as the basis for your own buildspec, of which the cryptography build is only a part.

https://github.com/mattsb42/codebuild-python-cryptography-custom-openssl

On Tue, Apr 4, 2017 at 9:28 AM Paul Kehrer wrote:

> That lambda-packages project looks like an approach that would work. The
> error you describe in your issue is because you'll need to separately
> install cryptography's dependencies. You can see those dependencies by
> looking in setup.py (although you'll need to evaluate some Python code in
> your head). The current version of cryptography (1.8.1) has slightly
> different dependencies so you'll need to look at the setup.py in that
> tarball.
>
>
> On April 4, 2017 at 8:14:40 PM, Francesco Rizzi (francesco.rizzi at gmail.com)
> wrote:
>
> Hi all.
> I've been trying to get a build of cryptography targeting the AWS Linux
> AMI used by AWS Lambda (AMIs listed on
> https://aws.amazon.com/amazon-linux-ami/ ), but failed repeatedly.
>
> Has anyone done so already? Or could try?
>
> I also found a "Lambda-Packages" github (
> https://github.com/Miserlou/lambda-packages ) that seems to include
> cryptography pre-built for that target, but that also led to errors (
> https://github.com/Miserlou/lambda-packages/issues/41 )
>
> Thanks in advance,
> FR

From francesco.rizzi at gmail.com Tue Apr 4 20:28:56 2017
From: francesco.rizzi at gmail.com (Francesco Rizzi)
Date: Tue, 4 Apr 2017 20:28:56 -0400
Subject: [Cryptography-dev] Building for AWS Linux AMI

Thank you so much Paul, and Matt.
Paul actually got me on the right path earlier today: I had forgotten to check dependencies in setup.py.
I seem to have built for the AWS Linux and am now having "fun" with the finishing touches.
If time permits, I'll try and post my notes (after cleaning them up) on the process, just in case anyone else has to go through this.

Thanks again!
F

On Tue, Apr 4, 2017 at 8:25 PM, Matt Bullock wrote:

> A couple months ago I put together a CodeBuild project for building
> cryptography for just this type of use. I was specifically targeting
> building against (and packaging) a newer version of OpenSSL than is present
> on Lambda, but it solves the general problem of building it as part of
> that.
> You should be able to lightly modify the buildspec to just package
> up the wheel files, or you could use this as the basis for your own
> buildspec, of which the cryptography build is only a part.
>
> https://github.com/mattsb42/codebuild-python-cryptography-custom-openssl
>
>
> On Tue, Apr 4, 2017 at 9:28 AM Paul Kehrer
> wrote:
>
>> That lambda-packages project looks like an approach that would work. The
>> error you describe in your issue is because you'll need to separately
>> install cryptography's dependencies. You can see those dependencies by
>> looking in setup.py (although you'll need to evaluate some Python code in
>> your head). The current version of cryptography (1.8.1) has slightly
>> different dependencies so you'll need to look at the setup.py in that
>> tarball.
>>
>>
>> On April 4, 2017 at 8:14:40 PM, Francesco Rizzi (
>> francesco.rizzi at gmail.com) wrote:
>>
>> Hi all.
>> I've been trying to get a build of cryptography targeting the AWS Linux
>> AMI used by AWS Lambda (AMIs listed on
>> https://aws.amazon.com/amazon-linux-ami/ ), but failed repeatedly.
>>
>> Has anyone done so already? Or could try?
>>
>> I also found a "Lambda-Packages" github (
>> https://github.com/Miserlou/lambda-packages ) that seems to include
>> cryptography pre-built for that target, but that also led to errors (
>> https://github.com/Miserlou/lambda-packages/issues/41 )
>>
>> Thanks in advance,
>> FR

From readthedocs at readthedocs.org Sun Apr 9 09:19:04 2017
From: readthedocs at readthedocs.org (Read the Docs)
Date: Sun, 09 Apr 2017 13:19:04 -0000
Subject: [Cryptography-dev] Failed: Cryptography (latest)
Message-ID: <20170409131904.28731.32042@web03.servers.readthedocs.org>

Build Failed for Cryptography (latest)

You can find out more about this failure here:

https://readthedocs.org/projects/cryptography/builds/5266701/

If you have questions, a good place to start is the FAQ:

https://docs.readthedocs.org/en/latest/faq.html

Keep documenting,
Read the Docs
--
http://readthedocs.org

From paul at grumpypunk.com Thu Apr 20 08:14:08 2017
From: paul at grumpypunk.com (Paul King)
Date: Thu, 20 Apr 2017 13:14:08 +0100
Subject: [Cryptography-dev] Processing public key algorithm 'ecdsa-with-SHA256'

Hi

I am using pyOpenSSL to process a PEM certificate.

From the command line I can use "openssl x509 -inform pem -text -in 10.pem"
to process the certificate and can see:

    Signature Algorithm: ecdsa-with-SHA256

However, when I try this in python with pyOpenSSL on my Mac, I struggle.

Can someone advise me on how to process this type in python with pyOpenSSL?

Code:

    pub = cert.get_pubkey()
    pub_asn1 = OpenSSL.crypto.dump_publickey( OpenSSL.crypto.FILETYPE_ASN1, pub )

Similarly I want to do the same for the Subject Public Key:

    Subject Public Key Info:
        Public Key Algorithm: id-ecPublicKey
            Public-Key: (256 bit)
            pub:
                <-snip->
            ASN1 OID: prime256v1
            NIST CURVE: P-256

Does that make sense for what I am trying to do, and should I be able to do this with pyOpenSSL?

Thanks
Paul

From alex.gaynor at gmail.com Thu Apr 20 08:22:46 2017
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Thu, 20 Apr 2017 08:22:46 -0400
Subject: [Cryptography-dev] Processing public key algorithm 'ecdsa-with-SHA256'

Hi Paul,

If what you're trying to do is manipulate X.509 certificates and public keys, I think you'll have an easier time using the pyca/cryptography APIs, they're significantly richer and better tested -- and since pyOpenSSL depends on pyca/cryptography you already have a copy :-)

https://cryptography.io/en/latest/x509/ are our X.509 docs, and https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/ are the docs for key serialization. Let us know if you have any questions.

Alex

On Thu, Apr 20, 2017 at 8:14 AM, Paul King via Cryptography-dev <cryptography-dev at python.org> wrote:

> Hi
>
> I am using pyOpenSSL to process a PEM certificate.
>
> From the command line I can use "openssl x509 -inform pem -text -in
> 10.pem" to process the certificate and can see:
>
> Signature Algorithm: ecdsa-with-SHA256
>
> However, when I try this in python with pyOpenSSL on my Mac, I struggle.
>
> Can someone advise me on how to process this type in python with pyOpenSSL?
>
> Code:
>
> pub = cert.get_pubkey()
> pub_asn1 = OpenSSL.crypto.dump_publickey(
> OpenSSL.crypto.FILETYPE_ASN1, pub )
>
> Similarly I want to do the same for the Subject Public Key:
>
> Subject Public Key Info:
> Public Key Algorithm: id-ecPublicKey
> Public-Key: (256 bit)
> pub:
> <-snip->
> ASN1 OID: prime256v1
> NIST CURVE: P-256
>
>
> Does that make sense for what I am trying to do, and should I be able to
> do this with pyOpenSSL?
>
>
> Thanks
> Paul

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6

From alex.gaynor at gmail.com Thu Apr 20 08:37:00 2017
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Thu, 20 Apr 2017 08:37:00 -0400
Subject: [Cryptography-dev] Processing public key algorithm 'ecdsa-with-SHA256'
In-Reply-To: <5CF70C91-3163-40AB-BB2E-A7220B7F2A96@grumpypunk.com>
References: <5CF70C91-3163-40AB-BB2E-A7220B7F2A96@grumpypunk.com>

Sure, you can parse an X.509 certificate and then do whatever you want with it: https://cryptography.io/en/latest/x509/reference/#cryptography.x509.load_pem_x509_certificate

There's no standard JSON serialization for X.509, but you can use the individual attributes/methods from a certificate to serialize it however you like.

Alex

On Thu, Apr 20, 2017 at 8:28 AM, Paul King wrote:

>
> Hi Alex,
>
> Thanks for the rapid response.
>
> I am trying to process a lot of certificates so that I can do some
> research on them. I have them in PEM format and I would ideally like to
> process them once to get them into JSON, and from there try other things.
> So I am processing rather than manipulating/changing.
>
> One thing I have learnt is that ASN1 is horrible and there are so many
> variant/corner cases! For this reason I want to try and use a well
> maintained package so cryptography makes sense.
>
> I can always process a log with the command line "openssl" statement and I
> want to achieve a similar programmatic solution with python. Does that make
> sense?
>
> I could use the openssl command line and then process the text but that
> doesn't seem a good way to start!
>
>
> On 20 Apr 2017, at 13:22, Alex Gaynor wrote:
>
> Hi Paul,
>
> If what you're trying to do is manipulate X.509 certificates and public
> keys, I think you'll have an easier time using the pyca/cryptography APIs,
> they're significantly richer and better tested -- and since pyOpenSSL
> depends on pyca/cryptography you already have a copy :-)
>
> https://cryptography.io/en/latest/x509/ are our X.509 docs, and
> https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/
> are the docs for key serialization. Let us know
> if you have any questions.
>
> Alex
>
> On Thu, Apr 20, 2017 at 8:14 AM, Paul King via Cryptography-dev <
> cryptography-dev at python.org> wrote:
>
>> Hi
>>
>> I am using pyOpenSSL to process a PEM certificate.
>>
>> From the command line I can use "openssl x509 -inform pem -text -in
>> 10.pem" to process the certificate and can see:
>>
>> Signature Algorithm: ecdsa-with-SHA256
>>
>> However, when I try this in python with pyOpenSSL on my Mac, I struggle.
>>
>> Can someone advise me on how to process this type in python with
>> pyOpenSSL?
>>
>> Code:
>>
>> pub = cert.get_pubkey()
>> pub_asn1 = OpenSSL.crypto.dump_publickey(
>> OpenSSL.crypto.FILETYPE_ASN1, pub )
>>
>> Similarly I want to do the same for the Subject Public Key:
>>
>> Subject Public Key Info:
>> Public Key Algorithm: id-ecPublicKey
>> Public-Key: (256 bit)
>> pub:
>> <-snip->
>> ASN1 OID: prime256v1
>> NIST CURVE: P-256
>>
>>
>> Does that make sense for what I am trying to do, and should I be able to
>> do this with pyOpenSSL?
>>
>>
>> Thanks
>> Paul
>
>
> --
> "I disapprove of what you say, but I will defend to the death your right
> to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> "The people's good is the highest law." -- Cicero
> GPG Key fingerprint: D1B3 ADC0 E023 8CA6

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6

From james.oden at gmail.com Thu Apr 20 13:26:45 2017
From: james.oden at gmail.com (James Olin Oden)
Date: Thu, 20 Apr 2017 13:26:45 -0400
Subject: [Cryptography-dev] How does one associate a CSR with a Cert with PyOpenSSL

I've figured out how to create a self signed key that does not have a CSR associated with it, and I know how to create a CSR. I cannot seem to figure out or find examples of using PyOpenSSL to create a certificate with a CSR associated with it. What am I missing?

Thank You...James
From paul.l.kehrer at gmail.com Thu Apr 20 21:05:23 2017
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Thu, 20 Apr 2017 21:05:23 -0400
Subject: [Cryptography-dev] How does one associate a CSR with a Cert with PyOpenSSL

Hi James,

While this is possible with pyOpenSSL (via http://pyopenssl.readthedocs.io/en/stable/api/crypto.html#OpenSSL.crypto.X509Req.sign), I'd recommend doing it with pyca/cryptography. It has a much better documented API (https://cryptography.io/en/latest/x509/) and is the preferred API if possible. pyOpenSSL also depends on cryptography so you already have it.

-Paul Kehrer (reaperhulk)

On April 21, 2017 at 1:28:10 AM, James Olin Oden (james.oden at gmail.com) wrote:

I've figured out how to create a self signed key that does not have a CSR associated with it, and I know how to create a CSR. I cannot seem to figure out or find examples of using PyOpenSSL to create a certificate with a CSR associated with it. What am I missing?

Thank You...James

From alex.gaynor at gmail.com Thu Apr 20 21:07:30 2017
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Thu, 20 Apr 2017 21:07:30 -0400
Subject: [Cryptography-dev] Processing public key algorithm 'ecdsa-with-SHA256'
In-Reply-To: <36C5BADE-827B-4281-B0A8-719B15686509@grumpypunk.com>
References: <5CF70C91-3163-40AB-BB2E-A7220B7F2A96@grumpypunk.com> <36C5BADE-827B-4281-B0A8-719B15686509@grumpypunk.com>

(Please reply to the full mailing lists)

https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey describes the methods that an EllipticCurvePublicKey has for exporting the key, either to bytes or to raw numbers.
Alex

On Thu, Apr 20, 2017 at 9:21 AM, Paul King wrote:

>
>
> This all looks good, however I still struggle with the public key. Using
> cryptography only this time:
>
>
> >>> public_key = cert.public_key()
> >>> print public_key
> at 0x10fc6dfd0>
>
> So it has the public key, and correctly knows its elliptic curve.
>
> If I now want to break out all of the components/attributes of the public
> key object then how should I do it? What would be the best way? I guess I
> want SubjectPublicKeyInfo as well as the actual public key?
>
>
> The details I am hoping to find include:
>
> Subject Public Key Info:
>>> Public Key Algorithm: id-ecPublicKey
>>> Public-Key: (256 bit)
>>> pub:
>>> <-snip->
>>> ASN1 OID: prime256v1
>>> NIST CURVE: P-256
>>>
>>
>
>
>

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6

From paul at grumpypunk.com Mon Apr 24 03:21:05 2017
From: paul at grumpypunk.com (Paul King)
Date: Mon, 24 Apr 2017 08:21:05 +0100
Subject: [Cryptography-dev] Processing public key algorithm 'ecdsa-with-SHA256'
References: <5CF70C91-3163-40AB-BB2E-A7220B7F2A96@grumpypunk.com> <36C5BADE-827B-4281-B0A8-719B15686509@grumpypunk.com>
Message-ID: <2EF4D530-6FEB-4120-A9BE-0E281BEDF390@grumpypunk.com>

Thanks Alex.

I am now appreciating how good your documentation is!

I am struggling to do a test for the type of public key. In the documentation it shows an example for RSA but I am too stupid to get it to work.

    print cert.public_key()

    print type( cert.public_key() )

How do I test for that?
> On 21 Apr 2017, at 02:07, Alex Gaynor wrote:
>
> (Please reply to the full mailing lists)
>
> https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey describes the methods that an EllipticCurvePublicKey has for exporting the key, either to bytes or to raw numbers.
>
> Alex
>

From paul at grumpypunk.com Mon Apr 24 03:23:43 2017
From: paul at grumpypunk.com (Paul King)
Date: Mon, 24 Apr 2017 08:23:43 +0100
Subject: [Cryptography-dev] Processing public key algorithm 'ecdsa-with-SHA256'
In-Reply-To: <2EF4D530-6FEB-4120-A9BE-0E281BEDF390@grumpypunk.com>
References: <5CF70C91-3163-40AB-BB2E-A7220B7F2A96@grumpypunk.com> <36C5BADE-827B-4281-B0A8-719B15686509@grumpypunk.com> <2EF4D530-6FEB-4120-A9BE-0E281BEDF390@grumpypunk.com>
Message-ID: <4712FD2B-2567-42F6-B655-CB97D7FD6DCD@grumpypunk.com>

Sorry. Being very stupid.

    from cryptography.hazmat.primitives.asymmetric import ec
    print isinstance(cert.public_key(), ec.EllipticCurvePublicKey)

> On 24 Apr 2017, at 08:21, Paul King via Cryptography-dev wrote:
>
> Thanks Alex.
>
> I am now appreciating how good your documentation is!
>
> I am struggling to do a test for the type of public key. In the documentation it shows an example for RSA but I am too stupid to get it to work.
>
>
> print cert.public_key()
>
>
> print type( cert.public_key() )
>
>
> How do I test for that?
>
>
>
>> On 21 Apr 2017, at 02:07, Alex Gaynor wrote:
>>
>> (Please reply to the full mailing lists)
>>
>> https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey describes the methods that an EllipticCurvePublicKey has for exporting the key, either to bytes or to raw numbers.
>>
>> Alex
>>

From paul.l.kehrer at gmail.com Mon Apr 24 08:03:01 2017
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Mon, 24 Apr 2017 05:03:01 -0700
Subject: [Cryptography-dev] Processing public key algorithm 'ecdsa-with-SHA256'
In-Reply-To: <4712FD2B-2567-42F6-B655-CB97D7FD6DCD@grumpypunk.com>
References: <5CF70C91-3163-40AB-BB2E-A7220B7F2A96@grumpypunk.com> <36C5BADE-827B-4281-B0A8-719B15686509@grumpypunk.com> <2EF4D530-6FEB-4120-A9BE-0E281BEDF390@grumpypunk.com> <4712FD2B-2567-42F6-B655-CB97D7FD6DCD@grumpypunk.com>

The addition of an examples section in x509 to cover common questions like this might be useful actually. If you're interested in submitting a PR adding that we'd be happy to review!

-Paul

On April 24, 2017 at 2:24:00 AM, Paul King via Cryptography-dev (cryptography-dev at python.org) wrote:

Sorry. Being very stupid.

    from cryptography.hazmat.primitives.asymmetric import ec
    print isinstance(cert.public_key(), ec.EllipticCurvePublicKey)

On 24 Apr 2017, at 08:21, Paul King via Cryptography-dev <cryptography-dev at python.org> wrote:

Thanks Alex.

I am now appreciating how good your documentation is!

I am struggling to do a test for the type of public key. In the documentation it shows an example for RSA but I am too stupid to get it to work.

    print cert.public_key()

    print type( cert.public_key() )

How do I test for that?

On 21 Apr 2017, at 02:07, Alex Gaynor wrote:

(Please reply to the full mailing lists)

https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey describes the methods that an EllipticCurvePublicKey has for exporting the key, either to bytes or to raw numbers.
Alex
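
Added example, not part of any message in this archive and not pyca/cryptography project code: a Python 3 illustration of the two tasks discussed in the threads above, issuing a certificate from a CSR and reading an ECDSA certificate's fields into a JSON-ready dict with pyca/cryptography. The function names (issue_from_csr, describe, demo), the subject names and the 30-day validity are assumptions made for illustration, and the keys are throwaway ones generated on the spot.

```python
import datetime
import hashlib
import json

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

PEM, DER = serialization.Encoding.PEM, serialization.Encoding.DER


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue_from_csr(csr_pem, ca_key, ca_name, days=30):
    """Issue a cert for the CSR's subject and key; CSR extensions are not copied."""
    csr = x509.load_pem_x509_csr(csr_pem)
    # The CSR's self-signature shows the requester holds the private key.
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify")
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_name)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
    )
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(PEM)


def describe(cert_pem):
    """Return a JSON-ready dict of fields that `openssl x509 -text` prints."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    pub = cert.public_key()
    spki = pub.public_bytes(DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    info = {
        "subject": cert.subject.rfc4514_string(),
        "issuer": cert.issuer.rfc4514_string(),
        "serial_number": format(cert.serial_number, "x"),
        "signature_algorithm_oid": cert.signature_algorithm_oid.dotted_string,
        "signature_hash": cert.signature_hash_algorithm.name,
        "spki_sha256": hashlib.sha256(spki).hexdigest(),
    }
    if isinstance(pub, ec.EllipticCurvePublicKey):
        nums = pub.public_numbers()
        info["public_key"] = {
            "type": "EC", "curve": pub.curve.name, "bits": pub.key_size,
            "x": format(nums.x, "x"), "y": format(nums.y, "x"),
        }
    else:  # other key types: record the class name only
        info["public_key"] = {"type": type(pub).__name__}
    return info


def demo():
    # Constructed test material: throwaway P-256 keys for the CA and requester.
    ca_key = ec.generate_private_key(ec.SECP256R1())
    req_key = ec.generate_private_key(ec.SECP256R1())
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(_name("device.example"))
        .sign(req_key, hashes.SHA256())
    )
    return describe(issue_from_csr(csr.public_bytes(PEM), ca_key, _name("Example Test CA")))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

pyca/cryptography reports the curve as secp256r1, which is the same curve OpenSSL prints as prime256v1 / NIST P-256.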