Allow dumping private keys in PKCS#5 #206

Closed
adiroiban opened this issue Apr 3, 2015 · 9 comments

Comments

@adiroiban

This is an enhancement proposal, not a bug.

I am still using pyopenssl 0.13 on Ubuntu 14.04 but looking at the latest documentation https://pythonhosted.org/pyOpenSSL/api/crypto.html I don't see any reference about pkcs5 or pkcs8 formats.

The private keys are exported using pkcs8 format.

Formats are described here https://github.com/kjur/jsrsasign/wiki/Tutorial-for-PKCS5-and-PKCS8-PEM-private-key-formats-differences

It would be nice to provide the option to export them in pkcs5 format.

The format only makes sense for PEM exports.

The API could be

OpenSSL.crypto.dump_privatekey_pem(pkey[, cipher, passphrase, pem_type])

Where pem_type would be a constant like OpenSSL.crypto.PKCS5Type or OpenSSL.crypto.PKCS8Type

Thanks!

@exarkun
Member

exarkun commented Apr 3, 2015

Does OpenSSL have PKCS#5 APIs?

@adiroiban
Author

I don't know if it has a dedicated PKCS#5 API, but this command will generate PKCS#5:
openssl genrsa -des3 -out privkey.pem 2048

as documented here https://www.openssl.org/docs/HOWTO/keys.txt


I think that the method is PEM_write_bio_RSAPrivateKey and is listed here https://www.openssl.org/docs/crypto/pem.html

$ ltrace openssl genrsa -out privkey.pem 2048 2>&1 | grep ivate
BIO_printf(0x1dc4010, 0x467730, 2048, 0Generating RSA private key, 2048 bit long modulus
PEM_write_bio_RSAPrivateKey(0x1de0a40, 0x1de0dd0, 0, 0) = 1

There is a PKCS8 method, PEM_write_bio_PKCS8PrivateKey.

@alex
Member

alex commented Jun 30, 2017

We're not going to be expanding these APIs. People wishing to do crypto should use cryptography for this sort of thing.

@alex alex closed this as completed Jun 30, 2017
@ngaya-ll

ngaya-ll commented Jul 7, 2017

@alex So you're saying people wishing to use OpenSSL in Python should not use PyOpenSSL?

@exarkun
Member

exarkun commented Jul 7, 2017

pyOpenSSL depends on cryptography for basically all of the hard parts. @alex is essentially suggesting that folks who want additional functionality not provided by pyOpenSSL should look at cryptography - not push for expansions to the pyOpenSSL API (which would just be wrappers around cryptography APIs anyway).

@reaperhulk
Member

pyca/cryptography has the OpenSSL bindings that pyOpenSSL itself uses. If you need pyOpenSSL (which should really only be used for TLS; cryptography's APIs for X509 are significantly better and more complete) then you can still convert a pyOpenSSL key to a cryptography key via PKey.to_cryptography_key and then serialize it from there via something like RSAPrivateKeyWithSerialization.private_bytes

@reaperhulk
Member

Also just to remove some confusion, PKCS5 isn't really the name for the format in question. It's typically called PKCS1, but isn't really even that (which is why cryptography names it TraditionalOpenSSL)

@reaperhulk
Member

Ah, to correct myself a bit: PKCS5 is a PKCS1/Traditional OpenSSL key but with PEM encryption applied because PBES was defined in PKCS5. Quasi-standard naming is fun! So okay, PKCS5 is not wrong (and we should perhaps update the cryptography docs to note this nuance since we do support that)
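Added example, not part of the original thread and not pyOpenSSL or cryptography project code: it combines the conversion route suggested above (PKey.to_cryptography_key, then private_bytes) with a header check that tells the traditional layout, its PEM-encrypted "PKCS#5" form, and PKCS#8 apart. The names classify_pem and export_pem are hypothetical, the PEM samples are constructed placeholders rather than real keys, and export_pem assumes pyOpenSSL and cryptography are installed.

```python
import re

# Constructed PEM samples (bodies are placeholders, not real keys).
TRADITIONAL_ENC = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                   b"Proc-Type: 4,ENCRYPTED\n"
                   b"DEK-Info: DES-EDE3-CBC,0011223344556677\n\n"
                   b"Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")
TRADITIONAL_PLAIN = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                     b"Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")
PKCS8_ENC = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
             b"Q09OU1RSVUNURUQ=\n-----END ENCRYPTED PRIVATE KEY-----\n")

# PEM label -> layout; RSA/DSA/EC labels are OpenSSL's traditional per-algorithm forms.
LAYOUT = {"RSA PRIVATE KEY": "traditional", "DSA PRIVATE KEY": "traditional",
          "EC PRIVATE KEY": "traditional", "PRIVATE KEY": "pkcs8",
          "ENCRYPTED PRIVATE KEY": "pkcs8"}


def classify_pem(pem: bytes):
    """Return (layout, encrypted) for a PEM private key, from its headers only."""
    text = pem.decode("ascii", "replace")
    match = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----", text)
    if match is None or match.group(1) not in LAYOUT:
        raise ValueError("not a recognised PEM private key")
    label = match.group(1)
    if LAYOUT[label] == "traditional":
        # The "PKCS#5" case from the thread: same label, plus PEM encryption headers.
        encrypted = "Proc-Type: 4,ENCRYPTED" in text and "DEK-Info:" in text
    else:
        # PKCS#8 signals encryption through the label itself.
        encrypted = label == "ENCRYPTED PRIVATE KEY"
    return LAYOUT[label], encrypted


def export_pem(pkey, passphrase: bytes, traditional: bool) -> bytes:
    """Serialize a pyOpenSSL PKey via cryptography, as suggested in the thread."""
    from cryptography.hazmat.primitives import serialization  # needs `cryptography`
    fmt = (serialization.PrivateFormat.TraditionalOpenSSL if traditional
           else serialization.PrivateFormat.PKCS8)
    return pkey.to_cryptography_key().private_bytes(
        encoding=serialization.Encoding.PEM,
        format=fmt,
        encryption_algorithm=serialization.BestAvailableEncryption(passphrase),
    )
```

For an RSA key, passing the output of export_pem(..., traditional=True) to classify_pem gives ("traditional", True), and traditional=False gives ("pkcs8", True).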

@adiroiban
Author

Many thanks for all the clarification!

+1 for less duplication and for having more stuff just in cryptography.

Keep up the wonderful stuff :)
