[Pyxmlsec-devel] xmlsec in python

Dieter Maurer dieter at handshake.de
Wed Feb 22 09:27:50 CET 2012


Dear Dolf,

Dolf Andringa wrote at 2012-2-22 08:36 +0100:
>Thanks a lot for the help. Yeah, I am not fluent in C, but next time I
>will first take a look. The keyfile is indeed in PEM format. I was indeed
>confused about the "Binary" part in xmlSecReadBinaryFile. I have never
>heard of binary key files. Do you have any tips on how to convert a PEM
>encoded file to a binary key file?

Under "*nix", the "openssl" command is able to perform all kinds
of operations related to keys and certificates. If I remember
right, it can also convert between different formats
(using the options "-inform" and "-outform"). However,
the set of its subcommands and their options is huge. It may take
some time before you find the correct way to perform the conversion
(I do not have the details at hand).

The binary format is called "Der" format.


An easier alternative could be to use a different way to load the key.
I, for example, use:

import xmlsec
xmlsec.cryptoAppKeyLoad('key.pem', xmlsec.KeyDataFormatPem, None, None, None)

I am not sure that it will work for encryption keys (I tried only
with signature keys). The information that the key is
an RSA key (and not something else) will need to come from a
different place. In the signature case, it comes from the
"Algorithm" attribute of the "ds:Signature" node.

When I read the "xml-encryption" standard (some years ago)
I found some similarities with "xml-signature".
Therefore, I am quite confident that there are ways to
specify the algorithm to use with XML. However, your
example might not use them.

>Is it just a matter of base64 unencoding
>the PEM encoded data and reading that using xmlsec.KeyReadBuffer? Or is
>there an openssl or other way to convert the keyfile?

The PEM has at least an additional envelope around the base64 encoded
binary data. I do not know the format sufficiently to confirm
that this is the only difference. Use an "official" way to
convert (if necessary).



--
Dieter
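
Added example, not part of the original message or of pyxmlsec: a Python sketch of the PEM envelope discussed above, showing when base64-decoding the body yields DER and when it does not (legacy encrypted keys carry extra headers and a ciphertext payload). The names pem_to_der, check_der_sequence and make_pem are hypothetical, and the sample input is constructed, not a real key.

```python
import base64
import re

# RFC 7468 textual encoding: BEGIN/END armor lines around base64 text.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def pem_to_der(pem_text):
    """Return (label, der_bytes) for the first PEM block in pem_text."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM armor found")
    label, body = m.group(1), m.group(2)
    # Legacy encrypted keys carry RFC 1421 headers ("Proc-Type: 4,ENCRYPTED",
    # "DEK-Info: ...") before the base64 text; the payload is then ciphertext,
    # so base64-decoding alone does not yield usable DER.
    if "Proc-Type:" in body or label.startswith("ENCRYPTED"):
        raise ValueError("encrypted PEM: decrypt with a crypto library first")
    der = base64.b64decode("".join(body.split()), validate=True)
    check_der_sequence(der)
    return label, der

def check_der_sequence(der):
    """Sanity check: one DER SEQUENCE whose length field spans the buffer."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long form: next n bytes hold length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("DER length does not match payload size")

def make_pem(label, der, extra_headers=""):
    """Build a PEM block (used here only to construct sample input)."""
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN %s-----\n%s%s-----END %s-----\n" % (
        label, extra_headers, b64, label)

# Constructed sample: a tiny DER SEQUENCE of two INTEGERs, not a real key.
SAMPLE_DER = bytes.fromhex("3006020100020101")
SAMPLE_PEM = make_pem("RSA PRIVATE KEY", SAMPLE_DER)
ENCRYPTED_PEM = make_pem("RSA PRIVATE KEY", SAMPLE_DER,
                         "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\n")
```

Calling pem_to_der(SAMPLE_PEM) returns the label and the original DER bytes, while ENCRYPTED_PEM is rejected instead of being decoded into unusable data.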

