[pyOpenSSL-Users] Support for various PEM format

William Bourque wbourque at secureops.com
Thu Nov 28 21:40:24 CET 2013


Hello

I'm working for a security firm called SecureOps in Montreal; we are using
PyOpenSSL to generate certificates/keys automatically for servers.  It
works nicely and it really speeds up the bring-up of new servers for us.

However, the PEM returned by crypto.dump_privatekey() has a limitation that
sometimes causes us problems.
Some services (*cough MySQL cough*) expect their certificate to use the old
RSA PEM format (I believe it is PKCS#1) and will refuse the newer X509 PEM
format (PKCS#8).
Sadly, PyOpenSSL always does the right thing and only returns PKCS#8 PEM
format, so we sometimes have to convert certificates we'd like to pass to
services (usually using "openssl rsa -in key -out newkey").

So, 2 questions:
1- Is there a workaround for this behavior, i.e. a way to get an "old" RSA
PKCS#1 format instead of the default X509 PKCS#8?
2- If not, would a patch adding this functionality have any chance of
getting accepted?

About #2, my idea would be to add an optional parameter "PEM_FORMAT_XXX"
to crypto_dump_XXX in "OpenSSL/crypto/crypto.c".
The internals could then use the right call to OpenSSL accordingly (i.e.
calling "PEM_write_bio_RSAPrivateKey()" instead of
"PEM_write_bio_PrivateKey()" and so on). The default would stay as it is, so it
would be backward compatible.
The "PEM_FORMAT" themselves would be int constants like "X509_FILETYPE_PEM",
extracted from OpenSSL (in that case from openssl/pem.h).


Thanks,

William Bourque
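
Added example, not part of the original message and not pyOpenSSL code: for RSA, an unencrypted PKCS#8 "PRIVATE KEY" block carries the PKCS#1 RSAPrivateKey DER inside an OCTET STRING, so the conversion the message does with "openssl rsa" amounts to unwrapping it and changing the PEM label. All function names and the toy key (n=33) are constructed for illustration; "ENCRYPTED PRIVATE KEY" blocks are rejected.

```python
import base64
import textwrap

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER OID 1.2.840.113549.1.1.1 (rsaEncryption)

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def encode_tlv(tag, value):  # encode one DER TLV (short or long length form)
    n = len(value)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + head + value

def pem_decode(pem):
    lines = [l.strip() for l in pem.strip().splitlines()]
    return lines[0][len("-----BEGIN "):-5], base64.b64decode("".join(lines[1:-1]))

def pem_encode(label, der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def pkcs8_to_pkcs1(pem):
    """Unwrap an unencrypted PKCS#8 RSA key into a PKCS#1 'RSA PRIVATE KEY' PEM."""
    label, der = pem_decode(pem)
    if label == "RSA PRIVATE KEY":
        return pem  # already PKCS#1, nothing to do
    if label != "PRIVATE KEY":
        raise ValueError(f"unsupported PEM label: {label}")
    tag, seq, _ = read_tlv(der, 0)      # PrivateKeyInfo ::= SEQUENCE
    _, _, p = read_tlv(seq, 0)          # version INTEGER
    _, alg, p = read_tlv(seq, p)        # AlgorithmIdentifier (OID + parameters)
    tag2, inner, _ = read_tlv(seq, p)   # privateKey OCTET STRING = RSAPrivateKey DER
    if tag != 0x30 or tag2 != 0x04 or not alg.startswith(RSA_OID):
        raise ValueError("not an unencrypted PKCS#8 RSA key")
    return pem_encode("RSA PRIVATE KEY", inner)

def toy_pkcs8():
    """Constructed sample: toy RSA key (n=33, e=3, d=7), for format checks only."""
    ints = b"".join(encode_tlv(0x02, bytes([v])) for v in (0, 33, 3, 7, 3, 11, 1, 7, 2))
    info = encode_tlv(0x02, b"\0") + encode_tlv(0x30, RSA_OID + b"\x05\x00") + encode_tlv(0x04, encode_tlv(0x30, ints))
    return pem_encode("PRIVATE KEY", encode_tlv(0x30, info))
```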