[Pyxmlsec-devel] xmlsec in python

Dolf Andringa dolfandringa at gmail.com
Wed Feb 22 11:42:26 CET 2012

I also tried this,

key=xmlsec.cryptoAppKeyLoad(private_key_file, xmlsec.KeyDataFormatPem, None, None, None)

enc_ctx = xmlsec.EncCtx(None)


with the following error:

is not found:
library function failed:
library function failed:



On 22 February 2012 11:29, Dolf Andringa <dolfandringa at gmail.com> wrote:

> Hey Dieter (and everyone else):
> I tried converting the private key to DER format, but to no avail. I tried
> the following two approaches, on the same machine as I am running python
> (i386 linux machine).
> On the commandline:
> openssl rsa -inform PEM -outform DER -in private_key_file.pem -out private_key_file.der
> In Python:
> key=M2Crypto.RSA.load_key(private_key_file)
> key.save_key_der('%s.der'%private_key_file)
> key=xmlsec.keyReadBinaryFile(xmlsec.keyDataRsaId(),'%s.der'%private_key_file)
> I tried both methods, and always got the error:
> func=xmlSecKeyDataBinRead:file=keysdata.c:line=349:obj=unknown:subj=id->binRead != NULL:error=100:assertion:
> func=xmlSecKeyReadBuffer:file=keys.c:line=1190:obj=rsa:subj=xmlSecKeyDataBinRead:error=1:xmlsec library function failed:
> func=xmlSecKeyReadBinaryFile:file=keys.c:line=1247:obj=rsa:subj=xmlSecKeyReadBuffer:error=1:xmlsec library function failed:filename=testclient1.Proigia.eic.proigia.nl.insecure.der
> when reading DER version of the keyfile.
> I did all of this on the same machine, so the problem of amd64 vs i386
> shouldn't be a problem, right?
> Cheers,
> Dolf.
> On 22 February 2012 09:44, Dolf Andringa <dolfandringa at gmail.com> wrote:
>> Hi Dieter,
>> Thanks a lot. I know the DER format, just didn't know it is a binary
>> format. I know how to convert to the DER format using openssl. I might
>> also be able to do it on the fly using M2Crypto. We'll see. Thanks a lot
>> for the help! I'll check if it works in a few minutes, and post the solution
>> to the list for posterity.
>> Cheers,
>> Dolf.
>> On 22 February 2012 09:27, Dieter Maurer <dieter at handshake.de> wrote:
>>> Dear Dolf,
>>> Dolf Andringa wrote at 2012-2-22 08:36 +0100:
>>> >Thanks a lot for the help. Yeah, I am not fluent in C, but next time I
>>> >will first take a look. The keyfile is indeed in PEM format. I was indeed
>>> >confused about the "Binary" part in xmlSecReadBinaryFile. I have never
>>> >heard of binary key files. Do you have any tips on how to convert a PEM
>>> >encoded file to a binary key file?
>>> Under "*nix", the "openssl" command is able to perform all kinds
>>> of operations related to keys and certificates. When I remember
>>> right, it can also convert between different formats
>>> (using the options "-inform" and "-outform"). However,
>>> the set of its subcommands and their options is huge. It may take
>>> some time before you find the correct way to perform the conversion
>>> (I do not have the details at hand).
>>> The binary format is called "Der" format.
>>> An easier alternative could be to use a different way to load the key.
>>> I, for example, use:
>>> import xmlsec
>>> xmlsec.cryptoAppKeyLoad('key.pem', xmlsec.KeyDataFormatPem, None, None, None)
>>> I am not sure that it will work for encryption keys (I tried only
>>> with signature keys). The information that the key is
>>> an RSA key (and not something else) will need to come from a
>>> different place. In the signature case, it comes from the
>>> "Algorithm" attribute of the "ds:Signature" node.
>>> When I have read the "xml-encryption" standard (some years ago)
>>> I have found some similarities with "xml-signature".
>>> Therefore, I am quite confident that there are ways to
>>> specify the algorithm to use with XML. However, your
>>> example might not use them.
>>> >Is it just a matter of base64 unencoding
>>> >the PEM encoded data and reading that using xmlsec.KeyReadBuffer? Or is
>>> >there an openssl or other way to convert the keyfile?
>>> The PEM has at least an additional envelope around the base64 encoded
>>> binary data. I do not know the format sufficiently to confirm
>>> that this is the only difference. Use an "official" way to
>>> convert (if necessary).
>>> --
>>> Dieter
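
Added example, not part of the original thread and not pyxmlsec code: on the question above of how PEM relates to the binary DER form, this standard-library Python unwraps an unencrypted PEM block to DER and refuses legacy encrypted PEM, whose base64 body is ciphertext rather than DER. The function names and the sample bytes are constructed for illustration.

```python
import base64
import re

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, END line.
_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_to_der(pem_text):
    """Return (label, der_bytes) for the first PEM block in pem_text."""
    m = _PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM envelope found")
    label, body = m.group(1), m.group(2)
    # Legacy OpenSSL encrypted keys carry "Proc-Type: 4,ENCRYPTED" and
    # "DEK-Info:" headers; the base64 then decodes to ciphertext, not DER.
    if "Proc-Type:" in body:
        raise ValueError("encrypted PEM: decrypt it before converting")
    # Drop line breaks, then decode strictly so stray characters are an error.
    der = base64.b64decode("".join(body.split()), validate=True)
    # PKCS#1, PKCS#8 and X.509 structures all start with an ASN.1
    # SEQUENCE tag (0x30); anything else is not a key or certificate.
    if not der.startswith(b"\x30"):
        raise ValueError("payload is not a DER SEQUENCE")
    return label, der


def der_to_pem(label, der):
    """Wrap DER bytes in a PEM envelope with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, lines, label)


# Constructed sample: a 14-byte DER SEQUENCE of three INTEGERs, NOT a real key.
SAMPLE_DER = bytes.fromhex("300c020100020203e90203010001")

# Constructed sample of a legacy encrypted key file (body is a dummy value).
SAMPLE_ENCRYPTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0011223344556677\n"
    "\n"
    "AAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)
```
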