From wbourque at secureops.com Thu Nov 28 21:40:24 2013
From: wbourque at secureops.com (William Bourque)
Date: Thu, 28 Nov 2013 15:40:24 -0500
Subject: [pyOpenSSL-Users] Support for various PEM format
Message-ID:

Hello

I'm working for a security firm called SecureOps in Montreal; we are using PyOpenSSL to generate certificates/keys automatically for servers. It works nicely and it really speeds up the bring-up of new servers for us.

However, the PEM returned by crypto.dump_privatekey() has a limitation that sometimes causes us problems. Some services (*cough MySQL cough*) expect their certificate to use the old RSA PEM format (I believe it is PKCS#1) and will refuse the newer X509 PEM format (PKCS#8). Sadly, PyOpenSSL always does the right thing and only returns the PKCS#8 PEM format, so we sometimes have to convert certificates we'd like to pass to services (usually using "openssl rsa -in key -out newkey").

So, 2 questions:

1- Is there a workaround for this behavior, i.e. a way to get an "old" RSA PKCS#1 format instead of the default X509 PKCS#8?

2- If not, would a patch adding this functionality have any chance of getting accepted?

About #2, my idea would be to add an optional parameter "PEM_FORMAT_XXX" to crypto_dump_XXX in "OpenSSL/crypto/crypto.c". The internals could then use the right call to OpenSSL accordingly (i.e. calling "PEM_write_bio_RSAPrivateKey()" instead of "PEM_write_bio_PrivateKey()" and so on). The default would stay as it is, so it would be backward compatible. The "PEM_FORMAT" values themselves would be int constants like "X509_FILETYPE_PEM", extracted from OpenSSL (in that case from openssl/pem.h).

Thanks,
William Bourque
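
Added example, not part of the original message and not pyOpenSSL code: for an unencrypted RSA key, the PKCS#8 "PRIVATE KEY" body is a PrivateKeyInfo wrapper whose OCTET STRING holds the PKCS#1 RSAPrivateKey, so the conversion discussed above can be done with the Python standard library alone. All function names are hypothetical, and the sample input is a constructed dummy structure, not a usable key.

```python
import base64
import re
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER OID 1.2.840.113549.1.1.1 (rsaEncryption)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def tlv(tag, value):  # DER encoder, used here only to build the constructed sample
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + value

def pem_to_der(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def der_to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def pkcs8_to_pkcs1(pem):
    """Unwrap an unencrypted PKCS#8 RSA key into a PKCS#1 "RSA PRIVATE KEY" PEM."""
    label, der = pem_to_der(pem)
    if label == "RSA PRIVATE KEY":
        return pem  # already in the traditional format
    if label != "PRIVATE KEY":  # e.g. ENCRYPTED PRIVATE KEY must be decrypted first
        raise ValueError(f"unsupported PEM label: {label}")
    t_seq, info, _ = read_tlv(der, 0)      # PrivateKeyInfo ::= SEQUENCE {
    t_ver, _, pos = read_tlv(info, 0)      #   version INTEGER,
    t_alg, alg, pos = read_tlv(info, pos)  #   privateKeyAlgorithm SEQUENCE,
    t_key, inner, _ = read_tlv(info, pos)  #   privateKey OCTET STRING }
    if (t_seq, t_ver, t_alg, t_key) != (0x30, 0x02, 0x30, 0x04) or not alg.startswith(RSA_OID):
        raise ValueError("not an RSA PKCS#8 key")
    return der_to_pem("RSA PRIVATE KEY", inner)

# Constructed sample: PKCS#8 wrapper around a dummy body, not a usable key.
DUMMY_PKCS1 = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x02, b"\x01" * 200))
SAMPLE_PKCS8 = der_to_pem("PRIVATE KEY", tlv(0x30,
    tlv(0x02, b"\x00") + tlv(0x30, RSA_OID + b"\x05\x00") + tlv(0x04, DUMMY_PKCS1)))
```

Non-RSA and encrypted keys are rejected rather than guessed at; write the converted key with the same restrictive file permissions as the original.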