Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
Support for PKCS#8 encoding of private keys #32
The main goal of this set of patches is to introduce support for password-based PKCS#8 encoding of private keys (only RSA for now, but PKCS#8 is also applicable to DSA, etc). Today, the only way to encrypt a private key relies on the old PEM encryption, which is not very widespread, it uses weak ciphers, and it is in general under-specified.
With these changes, one can do:
rsaKey.exportKey('DER', 'my_password', pkcs=8)
rsaKey.exportKey('PEM', 'my_password', pkcs=8, 'PBKDF2WithHMAC-SHA1AndAES128-CBC')
And obtain a solid PBKDF2-based PKCS#8 container. Ideally, it would have been nice to have PKCS#8 encryption as the new default over PEM encryption, but in this way the interface remains backward compatible. The following password based encryption schemes are supported:
The first group of patches are actually a refactoring of the asn1 module. Now I think it is much easier to write code that parses DER, plus I added the relevant documentation.
Finally, by having separate modules for PEM and PKCS8, the code in RSA.py becomes much more compact,
Re-opening again after another round of refactoring.
Hopefully the code now is easier to review, as it is split across the following 4 modules:
Thanks. I'm not sure if I'm completely happy with the API yet (seems odd to me that DSA.exportKey takes
I reserve the right to complain about this in the future. ;-)
In the meantime, I've rebased and applied this to master:
I also needed this patch to make it work in Python 3.2: