[Pyxmlsec-devel] xmlsec in python

Dolf Andringa dolfandringa at gmail.com
Wed Feb 22 11:42:26 CET 2012


I also tried this,

key=xmlsec.cryptoAppKeyLoad(private_key_file, xmlsec.KeyDataFormatPem, None, None, None)
key.isValid()
1

node=xmlsec.findNode(doc.getRootElement(),xmlsec.NodeEncryptedData,xmlsec.EncNs)
enc_ctx = xmlsec.EncCtx(None)
enc_ctx.encKey=key

enc_ctx.decrypt(node)

with the following error:

func=xmlSecEncCtxEncDataNodeRead:file=xmlenc.c:line=957:obj=unknown:subj=unknown:error=45:key is not found:
func=xmlSecEncCtxDecryptToBuffer:file=xmlenc.c:line=715:obj=unknown:subj=xmlSecEncCtxEncDataNodeRead:error=1:xmlsec library function failed:
func=xmlSecEncCtxDecrypt:file=xmlenc.c:line=623:obj=unknown:subj=xmlSecEncCtxDecryptToBuffer:error=1:xmlsec library function failed:
-1

Cheers,

Dolf.


On 22 February 2012 11:29, Dolf Andringa <dolfandringa at gmail.com> wrote:

> Hey Dieter (and everyone else):
>
> I tried converting the private key to DER format, but to no avail. I tried
> the following two approaches, on the same machine as I am running python
> (i386 linux machine).
>
> On the commandline:
> openssl rsa -inform PEM -outform DER -in private_key_file.pem -out private_key_file.der
>
> In Python:
>
> key=M2Crypto.RSA.load_key(private_key_file)
> key.save_key_der('%s.der'%private_key_file)
>
> key=xmlsec.keyReadBinaryFile(xmlsec.keyDataRsaId(),'%s.der'%private_key_file)
>
> I tried both methods, and always got the error:
>
> func=xmlSecKeyDataBinRead:file=keysdata.c:line=349:obj=unknown:subj=id->binRead != NULL:error=100:assertion:
> func=xmlSecKeyReadBuffer:file=keys.c:line=1190:obj=rsa:subj=xmlSecKeyDataBinRead:error=1:xmlsec library function failed:
> func=xmlSecKeyReadBinaryFile:file=keys.c:line=1247:obj=rsa:subj=xmlSecKeyReadBuffer:error=1:xmlsec library function failed:filename=testclient1.Proigia.eic.proigia.nl.insecure.der
>
> when reading DER version of the keyfile.
>
> I did all of this on the same machine, so the problem of amd64 vs i386
> shouldn't be a problem right?
>
> Cheers,
>
> Dolf.
>
>
>
> On 22 February 2012 09:44, Dolf Andringa <dolfandringa at gmail.com> wrote:
>
>> Hi Dieter,
>>
>> Thanks a lot. I know the DER format, just didn't know it is a binary
>> format. I know how to convert to the DER format using openssl. I might
>> also be able to do it on the fly using M2Crypto. We'll see. Thanks a lot
>> for the help! I'll check if it works in a few minutes, and post the solution
>> to the list for posterity.
>>
>> Cheers,
>>
>> Dolf.
>>
>>
>>
>> On 22 February 2012 09:27, Dieter Maurer <dieter at handshake.de> wrote:
>>
>>> Dear Dolf,
>>>
>>> Dolf Andringa wrote at 2012-2-22 08:36 +0100:
>>> >Thanks a lot for the help. Yeah, I am not fluent in C, but next time I
>>> >will first take a look. The keyfile is indeed in PEM format. I was indeed
>>> >confused about the "Binary" part in xmlSecReadBinaryFile. I have never
>>> >heard of binary key files. Do you have any tips on how to convert a PEM
>>> >encoded file to a binary key file?
>>>
>>> Under "*nix", the "openssl" command is able to perform all kinds
>>> of operations related to keys and certificates. When I remember
>>> right, it can also convert between different formats
>>> (using the options "-inform" and "-outform"). However,
>>> the set of its subcommands and their options is huge. It may take
>>> some time before you find the correct way to perform the conversion
>>> (I do not have the details at hand).
>>>
>>> The binary format is called "Der" format.
>>>
>>>
>>> An easier alternative could be to use a different way to load the key.
>>> I, for example, use:
>>>
>>> import xmlsec
>>> xmlsec.cryptoAppKeyLoad('key.pem', xmlsec.KeyDataFormatPem, None, None, None)
>>>
>>> I am not sure that it will work for encryption keys (I tried only
>>> with signature keys). The information that the key is
>>> an RSA key (and not something else) will need to come from a
>>> different place. In the signature case, it comes from the
>>> "Algorithm" attribute of the "ds:Signature" node.
>>>
>>> When I have read the "xml-encryption" standard (some years ago)
>>> I have found some similarities with "xml-signature".
>>> Therefore, I am quite confident that there are ways to
>>> specify the algorithm to use with XML. However, your
>>> example might not use them.
>>>
>>> >Is it just a matter of base64 unencoding
>>> >the PEM encoded data and reading that using xmlsec.KeyReadBuffer? Or is
>>> >there an openssl or other way to convert the keyfile?
>>>
>>> The PEM has at least an additional envelope around the base64 encoded
>>> binary data. I do not know the format sufficiently to confirm
>>> that this is the only difference. Use an "official" way to
>>> convert (if necessary).
>>>
>>>
>>>
>>> --
>>> Dieter
>>>
>>
>>
>
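
Dieter's remark above that PEM is an envelope around base64-encoded binary data, shown as an added example that is not part of the original thread and does not use pyxmlsec. This standard-library Python sketch strips the envelope, refuses legacy encrypted PEM (where the body is ciphertext rather than DER), and checks that the result is exactly one DER SEQUENCE. The function names and sample data are assumptions made for this example; the sample is a constructed placeholder, not a real key.

```python
import base64
import re
import textwrap

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, END line.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def der_total_length(der):
    """Full encoded length (header + content) of the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                 # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F                 # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_to_der(pem_text):
    """Strip the PEM envelope and return (label, der_bytes)."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM block found")
    lines = [ln.strip() for ln in m.group(2).splitlines() if ln.strip()]
    headers = [ln for ln in lines if ":" in ln]   # ':' never occurs in base64
    if any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers):
        raise ValueError("encrypted PEM: the body is ciphertext, not DER")
    der = base64.b64decode("".join(ln for ln in lines if ":" not in ln), validate=True)
    if der_total_length(der) != len(der):
        raise ValueError("decoded body is not exactly one DER SEQUENCE")
    return m.group(1), der

def make_sample_pem(label, der, headers=""):
    """Build a PEM block around arbitrary bytes (helper for the constructed samples)."""
    b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, headers, b64, label)

# Constructed placeholder: a DER SEQUENCE header plus 300 zero bytes, NOT a real key.
SAMPLE_DER = b"\x30\x82\x01\x2c" + b"\x00" * 300
SAMPLE_PEM = make_sample_pem("RSA PRIVATE KEY", SAMPLE_DER)
ENCRYPTED_PEM = make_sample_pem(
    "RSA PRIVATE KEY", SAMPLE_DER,   # constructed header values below
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC," + "0" * 32 + "\n\n")

if __name__ == "__main__":
    label, der = pem_to_der(SAMPLE_PEM)
    print(label, len(der), "bytes of DER")
```

The label matters to whatever reads the DER: `RSA PRIVATE KEY` wraps a PKCS#1 structure, while `PRIVATE KEY` wraps PKCS#8.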