From 23f99b603ee6c304748f2807c92f606e90a5fa26 Mon Sep 17 00:00:00 2001
From: Steffen Klemer
Date: Mon, 3 Sep 2018 12:57:54 +0200
Subject: [PATCH] Quick, hacky fix for #47 "Private Key might leak"
I restored the old crypt-lib behaviour which never exported the private key but set cert_pem=None. 'Right' solution might be a better differentiation of private, public key and certs inside the XMlSecCrypto-Class.
---
 src/xmlsec/crypto.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/xmlsec/crypto.py b/src/xmlsec/crypto.py
index 1d6350fe..c012edfd 100644
--- a/src/xmlsec/crypto.py
+++ b/src/xmlsec/crypto.py
@@ -130,11 +130,13 @@ def __init__(self, filename, private):
 if not isinstance(self.key, rsa.RSAPrivateKey):
 raise XMLSigException("We don't support non-RSA private keys at the moment.")
- # XXX now we could implement encrypted-PEM-support
- self.cert_pem = self.key.private_bytes(
- encoding=serialization.Encoding.PEM,
- format=serialization.PrivateFormat.PKCS8,
- encryption_algorithm=serialization.NoEncryption())
+ # XXX Do not leak private key -- is there any situation
+ # where we might need this pem?
+ self.cert_pem = None
+ # self.cert_pem = self.key.private_bytes(
+ # encoding=serialization.Encoding.PEM,
+ # format=serialization.PrivateFormat.PKCS8,
+ # encryption_algorithm=serialization.NoEncryption())
 self.keysize = self.key.key_size
 else:
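Review bot: The four commented-out `private_bytes(...)` lines left under `self.cert_pem = None` in the private-key branch keep the unencrypted PKCS8 export one uncomment away, and the open question in the XXX comment does not tell the next maintainer why the attribute must stay empty. I would delete the commented block and state the invariant instead, e.g. `# cert_pem must never hold private key material; a private-key object has no certificate PEM.` Code that reads `cert_pem` is not visible in this hunk, so any consumer that serialises or concatenates it presumably needs a `None` check now; that is worth confirming. A regression test asserting `cert_pem is None` for an instance built with `private=True` would keep the leak from returning. `__init__` starts and ends outside the hunk.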