[Pyxmlsec-devel] xmlsec in python

Dolf Andringa dolfandringa at gmail.com
Wed Feb 22 11:29:44 CET 2012


Hey Dieter (and everyone else):

I tried converting the private key to DER format, but to no avail. I tried
the following two approaches, on the same machine as I am running python
(i386 linux machine).

On the command line:
openssl rsa -inform PEM -outform DER -in private_key_file.pem -out private_key_file.der

In Python:

key=M2Crypto.RSA.load_key(private_key_file)
key.save_key_der('%s.der'%private_key_file)
key=xmlsec.keyReadBinaryFile(xmlsec.keyDataRsaId(),'%s.der'%private_key_file)

I tried both methods, and always got the error:
func=xmlSecKeyDataBinRead:file=keysdata.c:line=349:obj=unknown:subj=id->binRead != NULL:error=100:assertion:
func=xmlSecKeyReadBuffer:file=keys.c:line=1190:obj=rsa:subj=xmlSecKeyDataBinRead:error=1:xmlsec library function failed:
func=xmlSecKeyReadBinaryFile:file=keys.c:line=1247:obj=rsa:subj=xmlSecKeyReadBuffer:error=1:xmlsec library function failed:filename=testclient1.Proigia.eic.proigia.nl.insecure.der

when reading DER version of the keyfile.

I did all of this on the same machine, so the problem of amd64 vs i386
shouldn't be a problem, right?

Cheers,

Dolf.


On 22 February 2012 09:44, Dolf Andringa <dolfandringa at gmail.com> wrote:

> Hi Dieter,
>
> Thanks a lot. I know the DER format, just didn't know it is a binary
> format. I know how to convert to the DER format using openssl. I might
> also be able to do it on the fly using M2Crypto. We'll see. Thanks a lot
> for the help! I'll check if it works in a few minutes, and post the solution
> to the list for posterity.
>
> Cheers,
>
> Dolf.
>
>
>
> On 22 February 2012 09:27, Dieter Maurer <dieter at handshake.de> wrote:
>
>> Dear Dolf,
>>
>> Dolf Andringa wrote at 2012-2-22 08:36 +0100:
>> >Thanks a lot for the help. Yeah, I am not fluent in C, but next time I
>> >will first take a look. The keyfile is indeed in PEM format. I was indeed
>> >confused about the "Binary" part in xmlSecReadBinaryFile. I have never
>> >heard of binary key files. Do you have any tips on how to convert a PEM
>> >encoded file to a binary key file?
>>
>> Under "*nix", the "openssl" command is able to perform all kinds
>> of operations related to keys and certificates. If I remember
>> right, it can also convert between different formats
>> (using the options "-inform" and "-outform"). However,
>> the set of its subcommands and their options is huge. It may take
>> some time before you find the correct way to perform the conversion
>> (I do not have the details at hand).
>>
>> The binary format is called "Der" format.
>>
>>
>> An easier alternative could be to use a different way to load the key.
>> I, for example, use:
>>
>> import xmlsec
>> xmlsec.cryptoAppKeyLoad('key.pem', xmlsec.KeyDataFormatPem, None, None, None)
>>
>> I am not sure that it will work for encryption keys (I tried only
>> with signature keys). The information that the key is
>> an RSA key (and not something else) will need to come from a
>> different place. In the signature case, it comes from the
>> "Algorithm" attribute of the "ds:Signature" node.
>>
>> When I read the "xml-encryption" standard (some years ago),
>> I found some similarities with "xml-signature".
>> Therefore, I am quite confident that there are ways to
>> specify the algorithm to use with XML. However, your
>> example might not use them.
>>
>> >Is it just a matter of base64 unencoding
>> >the PEM encoded data and reading that using xmlsec.KeyReadBuffer? Or is
>> >there an openssl or other way to convert the keyfile?
>>
>> The PEM has at least an additional envelope around the base64 encoded
>> binary data. I do not know the format sufficiently to confirm
>> that this is the only difference. Use an "official" way to
>> convert (if necessary).
>>
>>
>>
>> --
>> Dieter
>>
>
>
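
The PEM envelope around base64-encoded binary (DER) data discussed in this thread, as an added example that is not part of the original messages: a standard-library Python sketch that strips the envelope, decodes the body and checks that the result is a DER SEQUENCE. The function names and the sample data are constructed for illustration; the code checks the encoding only and says nothing about which format a given xmlsec function accepts.

```python
import base64
import re

# PEM = BEGIN/END armor lines, optional RFC 1421 headers, base64 of the DER bytes.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def looks_like_der(data):
    """Sanity check: outer tag is SEQUENCE (0x30) and its length field fits."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:  # short-form length
        return len(data) == 2 + first
    n = first & 0x7F  # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")


def pem_to_der(pem_text):
    """Return (label, der_bytes) for the first PEM block in pem_text."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM envelope found")
    label, body = m.group(1), m.group(2)
    # Legacy encrypted keys carry headers and a ciphertext payload, so
    # base64-decoding alone does not yield a DER key.
    if "Proc-Type:" in body and "ENCRYPTED" in body:
        raise ValueError("PEM body is encrypted; decrypt it with a key tool first")
    der = base64.b64decode("".join(body.split()), validate=True)
    if not looks_like_der(der):
        raise ValueError("decoded payload is not a single DER SEQUENCE")
    return label, der


def der_to_pem(label, der):
    """Wrap DER bytes in the PEM envelope (64-character base64 lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, lines, label)


# Constructed sample: a placeholder DER SEQUENCE, NOT a real RSA key.
SAMPLE_DER = bytes([0x30, 0x81, 0x90]) + bytes(range(0x90))
SAMPLE_PEM = der_to_pem("RSA PRIVATE KEY", SAMPLE_DER)
ENCRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                 "AAAA\n-----END RSA PRIVATE KEY-----\n")
```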