Allow dumping private keys in PKCS#5 #206
Comments
Does OpenSSL have PKCS#5 APIs?
I don't know if it has a dedicated PKCS#5 API, but this command will generate PKCS#5 as documented here https://www.openssl.org/docs/HOWTO/keys.txt. I think that the method is PEM_write_bio_RSAPrivateKey and is listed here https://www.openssl.org/docs/crypto/pem.html
There is a PKCS8 method, PEM_write_bio_PKCS8PrivateKey
We're not going to be expanding these APIs. People wishing to do crypto should use cryptography for this sort of thing.
@alex So you're saying people wishing to use OpenSSL in Python should not use PyOpenSSL?
pyOpenSSL depends on cryptography for basically all of the hard parts. @alex is essentially suggesting that folks who want additional functionality not provided by pyOpenSSL should look at cryptography - not push for expansions to the pyOpenSSL API (which would just be wrappers around cryptography APIs anyway).
pyca/cryptography has the OpenSSL bindings that pyOpenSSL itself uses. If you need pyOpenSSL (which should really only be used for TLS; cryptography's APIs for X509 are significantly better and more complete) then you can still convert a pyOpenSSL key to a cryptography key via PKey.to_cryptography_key and then serialize it from there via something like RSAPrivateKeyWithSerialization.private_bytes
Also just to remove some confusion, PKCS5 isn't really the name for the format in question. It's typically called PKCS1, but isn't really even that (which is why |
Ah, to correct myself a bit: PKCS5 is a PKCS1/Traditional OpenSSL key but with PEM encryption applied because PBES was defined in PKCS5. Quasi-standard naming is fun! So okay, PKCS5 is not wrong (and we should perhaps update the cryptography docs to note this nuance since we do support that)
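The serialization route described in the two comments above, as an added example that is not part of the original thread and not pyOpenSSL's or cryptography's own code. It assumes the `cryptography` package is installed; `export_private_key_pem`, `pem_header`, `roundtrip_ok`, `generate_demo_key` and the `"pkcs5"`/`"pkcs8"` labels are hypothetical names chosen here, and the passphrase is a constructed sample value.

```python
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

# Thread terminology mapped to cryptography's formats (labels are this example's own).
# "pkcs5" = PKCS#1/Traditional OpenSSL body; with a passphrase it gets legacy PEM
# encryption, whose key derivation (MD5, single iteration) is weaker than PKCS#8 PBES2.
FORMATS = {
    "pkcs5": serialization.PrivateFormat.TraditionalOpenSSL,
    "pkcs8": serialization.PrivateFormat.PKCS8,
}


def generate_demo_key():
    """Throwaway RSA key for the demonstration only."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def export_private_key_pem(key, pem_type="pkcs8", passphrase=None):
    """Serialize a cryptography private key to PEM in the requested format.

    A pyOpenSSL PKey would first be converted with PKey.to_cryptography_key().
    """
    if passphrase:
        encryption = serialization.BestAvailableEncryption(passphrase)
    else:
        encryption = serialization.NoEncryption()
    return key.private_bytes(serialization.Encoding.PEM, FORMATS[pem_type], encryption)


def pem_header(pem):
    """Return the first PEM line, which identifies the container format."""
    return pem.splitlines()[0].decode("ascii")


def roundtrip_ok(key, pem, passphrase=None):
    """Reload the PEM and confirm it holds the same private key."""
    loaded = serialization.load_pem_private_key(pem, password=passphrase)
    return loaded.private_numbers() == key.private_numbers()


if __name__ == "__main__":
    demo_key = generate_demo_key()
    secret = b"constructed-demo-passphrase"  # constructed sample value
    for pem_type in ("pkcs5", "pkcs8"):
        for pw in (None, secret):
            pem = export_private_key_pem(demo_key, pem_type, pw)
            print(pem_type, "encrypted" if pw else "plain", "->", pem_header(pem))
```

In the encrypted traditional form the header line is the same as for the unencrypted key; the encryption shows up only in the `Proc-Type` and `DEK-Info` lines that follow it.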
Many thanks for all the clarification! +1 for less duplication and for having more stuff just in cryptography. Keep up the wonderful stuff :)
This is an enhancement proposal not a bug
I am still using pyopenssl 0.13 on Ubuntu 14.04 but looking at the latest documentation https://pythonhosted.org/pyOpenSSL/api/crypto.html I don't see any reference about pkcs5 or pkcs8 formats.
The private keys are exported using pkcs8 format.
Formats are described here https://github.com/kjur/jsrsasign/wiki/Tutorial-for-PKCS5-and-PKCS8-PEM-private-key-formats-differences
It would be nice to provide the option to export them in pkcs5 format.
The format only makes sense for PEM exports
The API could be
OpenSSL.crypto.dump_privatekey_pem(pkey[, cipher, passphrase, pem_type])
Where pem_type would be a constant like OpenSSL.crypto.PKCS5Type or OpenSSL.crypto.PKCS8Type
Thanks!