How to encode an RSA key using PKCS12 in Python? - python

I'm using Python (under Google App Engine), and I have some RSA private keys that I need to export in PKCS#12 format. Is there anything out there that will assist me with this? I'm using PyCrypto/KeyCzar, and I've figured out how to import/export RSA keys in PKCS8 format, but I really need it in PKCS12.
Can anybody point me in the right direction? If it helps, the reason I need them in PKCS12 format is so that I can import them on the iPhone, which seems to only allow key-import in that format.

If you can handle some ASN.1 generation, you can relatively easily convert a PKCS#8-file into a PKCS#12-file. A PKCS#12-file is basically a wrapper around a PKCS#8 and a certificate, so to make a PKCS#12-file, you just have to add some additional data around your PKCS#8-file and your certificate.
Usually a PKCS#12-file will contain the certificate(s) in an encrypted structure, but all compliant parsers should be able to read it from an unencrypted structure. Also, PKCS#12-files will usually contain a MacData-structure for integrity-check, but this is optional and a compliant parser should work fine without it.

The standard tool for the job is typically OpenSSL.
See the openssl pkcs12 command.

This mailing list posting tends to suggest that PKCS12 is not planned for a future feature of that package, and is not currently implemented.
http://lists.dlitz.net/pipermail/pycrypto/2009q2/000104.html

Related

Python ECDH with Cryptography Problem Public Key

I recently started working with the cryptography framework in Python. I'm trying to build an SSH suite on my own, but I ran into some problems with the library. I'm trying to build my own Elliptic Curve Key Exchange Init packet (with scapy).
I'm trying to do an Elliptic Curve Diffie-Hellman key exchange with the curve secp256r1. I'm able to generate the key pair on my client without any problem. But after I created the public key object, I'm kinda confused about how to get the 32-byte public key for exchange via network packets.
My code so far (which doesn't work for me):
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives import serialization
# Generate an ephemeral key pair on secp256r1 (P-256)
curve = ec.SECP256R1()
peer_private_key = ec.generate_private_key(curve)
peer_public_key = peer_private_key.public_key()
# DER SubjectPublicKeyInfo: the ASN.1-wrapped form of the public key
peer_public_pkt = peer_public_key.public_bytes(encoding=serialization.Encoding.DER, format=serialization.PublicFormat.SubjectPublicKeyInfo)
But this peer_public_pkt is not 32 bytes long.
Another problem is that when I get an ECDH public key value via Scapy or Wireshark from a server over the network, I can't translate the value back with
srv_public_key = ec.EllipticCurvePublicKey.from_encoded_point(curve, data_from_wireshark)
I think I'm missing some crucial steps here but I looked at the documentation for two hours and into some older examples on different sites but I can't find help (or see the solution).
Hopefully you can help me :). If something about my problem is not clear just ask.
EllipticCurvePublicKey.from_encoded_point takes compressed/uncompressed points. You can obtain those from public_bytes via a format of PublicFormat.CompressedPoint and format of Encoding.X962. SubjectPublicKeyInfo DER serialization is an ASN.1 format with additional structure.
Your assumption of 32 bytes on a secp256r1 key is also incorrect, as a compressed public point adds one byte defining the sign for unambiguous point reconstruction.
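The encodings this answer refers to, as an added example that is not part of the original answer: the X9.62 uncompressed (65-byte) and compressed (33-byte) forms of a secp256r1 point, written with the standard library only, together with the on-curve check a receiver should apply to a peer-supplied point. The function names are this example's own; the constants are the published P-256 domain parameters.

```python
# Added example: X9.62 / SEC1 point encodings for secp256r1 (P-256), stdlib only.
# Published P-256 domain parameters (curve: y^2 = x^3 - 3x + B mod P).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def on_curve(x, y):
    """True if (x, y) satisfies the P-256 curve equation."""
    return (y * y - (pow(x, 3, P) - 3 * x + B)) % P == 0


def encode_point(x, y, compressed=False):
    """Encode a point as 0x04||X||Y (65 bytes) or 0x02/0x03||X (33 bytes)."""
    xb = x.to_bytes(32, "big")
    if compressed:
        # The prefix carries the parity of Y: 0x02 = even, 0x03 = odd.
        return bytes([2 + (y & 1)]) + xb
    return b"\x04" + xb + y.to_bytes(32, "big")


def decode_point(data):
    """Decode a peer-supplied point and reject anything not on the curve."""
    if len(data) == 65 and data[0] == 4:
        x = int.from_bytes(data[1:33], "big")
        y = int.from_bytes(data[33:], "big")
    elif len(data) == 33 and data[0] in (2, 3):
        x = int.from_bytes(data[1:], "big")
        rhs = (pow(x, 3, P) - 3 * x + B) % P
        # P % 4 == 3, so a square root (if one exists) is rhs^((P+1)/4).
        y = pow(rhs, (P + 1) // 4, P)
        if (y & 1) != (data[0] & 1):
            y = P - y  # pick the root whose parity matches the prefix
    else:
        raise ValueError("expected a 33- or 65-byte X9.62 point")
    # Validate before any ECDH use: an off-curve point must never reach
    # the scalar multiplication.
    if x >= P or y >= P or not on_curve(x, y):
        raise ValueError("point is not on secp256r1")
    return x, y


if __name__ == "__main__":
    for comp in (False, True):
        blob = encode_point(GX, GY, compressed=comp)
        print(len(blob), hex(blob[0]), decode_point(blob) == (GX, GY))
```

With the cryptography library, `public_bytes` with `Encoding.X962` and `PublicFormat.UncompressedPoint` or `PublicFormat.CompressedPoint` produces these same two layouts.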

Retrieve up-to-date TLS cipher suite with python

I already tried to utilize openssl ciphers, but the format is different and I have to match them with a given set of ciphers. I also tried to translate the OpenSSL cipher suite format into the one I need, but that's a mess.
Hence, I'm searching for a way to retrieve an up-to-date TLS cipher suite list with Python in the appropriate format. Maybe there's even some web interface?
Here are some examples:
The Format I need                   OpenSSL Format
---------------------------------   ---------------------
SSL_RSA_WITH_IDEA_CBC_SHA           IDEA-CBC-SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA   DHE-RSA-DES-CBC3-SHA
TLS_RSA_WITH_AES_256_CBC_SHA        AES256-SHA

Signing parts of a URL with a RSAKey using Python instead of C#

I do have a private RSAKey (in XML format) that was generated by a .NET class. Those keys are regularly used to sign parts of a URL. I am trying to sign these URLs with the existing keys via Python, because I am now working in a Linux-based environment. The structure of the RSAKey looks like so:
RSAKeyValue,Modulus,Exponent,P,Q,DP,InverseQ,D represented in XML format.
Using C#, I simply instantiate a RSACryptoServiceProvider object and call SignData(bytes, new SHA1CryptoServiceProvider()), and I am done.
I have tried for several days now to replicate this process using Python in a Linux environment without any luck. I extracted modulus, and exponent, base64 decoded, and created byte arrays from them. I also changed the byte order. I was under the assumption that I could use M2Crypto and call RSA.new_pub_key((e,n)) and use that key to sign but no matter what I do I either can't create a proper key, or the signing process doesn't work.
My questions are:
-Is it possible to use an RSAKey in XML format that was generated via .NET, and sign data via Python (M2Crypto or any other lib will do) with the exact same result as in .NET ?
If so, what are the exact steps to do so?
My apologies for the long question. Thanks for any help.

Extract signing certs from a PKCS7 SignedData structure with m2crypto

I am trying to use M2Crypto to extract the signing certificates from a Windows PE file. According to the MS specification the data is stored in a PKCS#7 SignedData structure (stored in ASN.1 format, not the base64). I can't seem to get the binary format to load since it is not in PEM.
Pardon my ignorance with the crypto suites involved here, but if someone can show me the basics of how to get the signing certs out of a SignedData block I'd be most thankful!
If it helps, I found another solution for my problem, but it is in C... how to Read the certificates file from the PKCS7.p7b certificate file using openssl? If I could convert that to M2Crypto I'd be set.
I think there's more to this than just reading the certificate in PKCS7, unless you know absolutely what the offset & struct are.
You might want to take a look at either:
http://msdn.microsoft.com/en-us/library/aa380395(v=VS.85).aspx for the extraction process
Or possibly
http://msdn.microsoft.com/en-us/library/system.reflection.assemblyname.getpublickey%28VS.80%29.aspx
Additionally, it looks like Microsoft signs with a 'PFX' formatted file (I'd never heard of it before..)
But, I was able to find instructions on converting PFX back to a PEM, which should be a cakewalk to extract.
http://support.citrix.com/article/CTX106028

Python-based password tracker (or dictionary)

Where we work we need to remember about 10 long passwords which need to change every so often. I would like to create a utility which can potentially save these passwords in an encrypted file so that we can keep track of them.
I can think of some sort of dictionary passwd = {'host1':'pass1', 'host2':'pass2'}, etc, but I don't know what to do about encryption (absolutely zero experience in the topic).
So, my question is really two questions:
Is there a Linux-based utility which lets you do that?
If you were to program it in Python, how would you go about it?
A perk of approach two, would be for the software to update the ssh public keys after the password has been changed (you know the pain of updating ~15 tokens once you change your password).
As can be expected, I have zero control over the actual network configuration and the management of scp keys. I can only hope to provide a simple utility to me and my very few coworkers so that, if we need to, we can retrieve a password on demand.
Cheers.
Answers to your questions:
Yes. Take a look at KeePass.
I wouldn't program a utility like this in Python, because there are available open source tools already. Furthermore, I would have concerns about protecting the unencrypted passwords as they were processed by a Python program.
Hope that helps.
You might want to check out ecryptfs. It should be available for any Linux OS.
On Ubuntu, setting it up is as easy as
sudo apt-get install ecryptfs-utils
ecryptfs-setup-private
This creates a directory for encrypted files, typically called ~/.Private.
To use it:
mount -t ecryptfs ~/.Private ~/Private
This mounts the encrypted files from ~/.Private at the mount point ~/Private.
You can read/write the plain text files in ~/Private.
umount ~/Private
updates the encrypted files in ~/.Private and removes ~/Private.
See these links for more information: home page, linux journal, tutorial, another tutorial.
First, I think you can change the passwords to the MD5 of these passwords.
It will give more safety.
You could use TrueCrypt or AxCrypt -- both are Open Source solutions. I'll echo Mox's concerns about the unencrypted PWs.
Of course you could also follow Bruce Schneier's advice about password protection...
