views: 415
answers: 3
I'm using Python (under Google App Engine), and I have some RSA private keys that I need to export in PKCS#12 format. Is there anything out there that will assist me with this? I'm using PyCrypto/KeyCzar, and I've figured out how to import/export RSA keys in PKCS#8 format, but I really need it in PKCS#12.

Can anybody point me in the right direction? If it helps, the reason I need them in PKCS#12 format is so that I can import them on the iPhone, which seems to only allow key import in that format.

A: 

The standard tool for the job is typically OpenSSL.

See the openssl pkcs12 command.

Justice
GAE won't run OpenSSL binaries.
Paul McMillan
You have some RSA private keys. You need to export them. But why do you need to export them using GAE? Why not just export them with OpenSSL and then send the exported pkcs12 files to your GAE app?
Justice
Each user has his own RSA keypair, created upon signup. While I *could* theoretically generate a whole slew of keypairs and assign them to users as they sign up, this seems like a fantastically terrible idea.
Dave Watson
If worse comes to worst, you could run an Amazon EC2 instance devoted solely to exporting pkcs8 to pkcs12.
Justice
A: 

This mailing list posting tends to suggest that PKCS#12 is not planned as a future feature of that package, and is not currently implemented.

http://lists.dlitz.net/pipermail/pycrypto/2009q2/000104.html

Paul McMillan
If you look at the *original* message, that comment (about PKCS#12) has a "Just Kidding!" footnote at the bottom: http://lists.dlitz.net/pipermail/pycrypto/2009q2/000100.html
Dave Watson
The comment is slightly unclear, but I agree, it appears that PKCS#12 is not on the horizon for this package.
Paul McMillan
+1  A: 

If you can handle some ASN.1 generation, you can relatively easily convert a PKCS#8 file into a PKCS#12 file. A PKCS#12 file is basically a wrapper around a PKCS#8 file and a certificate, so to make a PKCS#12 file, you just have to add some additional data around your PKCS#8 file and your certificate.

Usually a PKCS#12 file will contain the certificate(s) in an encrypted structure, but all compliant parsers should be able to read it from an unencrypted structure. Also, PKCS#12 files will usually contain a MacData structure for an integrity check, but this is optional and a compliant parser should work fine without it.

Rasmus Faber
I think this is going to be my path. KeyCzar includes an ASN.1 parser/creator, which is where I'm getting the PKCS#8 file from. I had not known that PKCS#12 is just another wrapper around a PKCS#8 file. (Unfortunately this stuff is incredibly difficult to untangle, with all the extremely similar acronyms containing special characters, confusing even Google at times.) I'll most likely be contributing the fruits of my labor as a patch or at least some type of contrib module to KeyCzar, so that others will have some place to go from if they want to do something similar.
Dave Watson
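The wrapping described in the answer above, written out as an added example (this is not code from the question, the answers, KeyCzar or PyCrypto). It builds the simplest layout the answer mentions: a PFX whose AuthenticatedSafe holds one unencrypted keyBag carrying the PKCS#8 PrivateKeyInfo verbatim and one unencrypted certBag carrying the DER certificate, with no MacData, using a hand-written DER encoder on the standard library only (Python 3.8+ for `pow(q, -1, p)`). The OIDs are the ones defined in PKCS#7, PKCS#9 and PKCS#12 (RFC 7292). Two inputs are constructed for the offline run and are assumptions of the example, not real credentials: `toy_pkcs8_rsa_key()` is a structurally valid PKCS#8 around a deliberately tiny RSA key, and `STUB_CERT_DER` is a placeholder standing in for the user's X.509 certificate DER; in the real flow both come from KeyCzar/OpenSSL output.

```python
# Added example: PKCS#8 PrivateKeyInfo + DER certificate -> unencrypted,
# MAC-less PKCS#12 (PFX). Hand-rolled DER, standard library only.
# Not from the original post, the answers, KeyCzar or PyCrypto.
OID_DATA           = "1.2.840.113549.1.7.1"        # id-data (PKCS#7)
OID_KEY_BAG        = "1.2.840.113549.1.12.10.1.1"  # keyBag
OID_CERT_BAG       = "1.2.840.113549.1.12.10.1.3"  # certBag
OID_X509_CERT      = "1.2.840.113549.1.9.22.1"     # x509Certificate
OID_FRIENDLY_NAME  = "1.2.840.113549.1.9.20"       # friendlyName (BMPString)
OID_LOCAL_KEY_ID   = "1.2.840.113549.1.9.21"       # localKeyId (OCTET STRING)
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"        # rsaEncryption

# --- minimal DER encoder / decoder ------------------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):      return tlv(0x30, b"".join(items))
def set_of(*items):   return tlv(0x31, b"".join(sorted(items)))  # DER orders SET OF
def octet(b):         return tlv(0x04, b)
def null():           return b"\x05\x00"
def explicit0(body):  return tlv(0xA0, body)                     # [0] EXPLICIT
def bmpstring(s):     return tlv(0x1E, s.encode("utf-16-be"))

def integer(n):  # non-negative only; the extra byte keeps the sign bit clear
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                # base-128, high bit set on all but last
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def der_read(buf, pos=0):
    """Return (tag, value, position after this TLV) for the TLV at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                        # long-form length
        n = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + first], pos + first

def data_payload(ci_body):
    """Contents of a ContentInfo { id-data, [0] EXPLICIT OCTET STRING } body."""
    _, _, pos = der_read(ci_body)                  # skip contentType OID
    return der_read(der_read(ci_body, pos)[1])[1]  # [0] -> OCTET STRING value

# --- PKCS#12 builder and matching reader ------------------------------------
def build_pkcs12(pkcs8_der, cert_der, friendly_name="user-key", key_id=b"\x01"):
    """PFX { version 3, authSafe = data(AuthenticatedSafe) }, no MacData.
    Key and certificate carry the same localKeyId so importers pair them."""
    attrs = set_of(seq(oid(OID_FRIENDLY_NAME), set_of(bmpstring(friendly_name))),
                   seq(oid(OID_LOCAL_KEY_ID), set_of(octet(key_id))))
    key_bag = seq(oid(OID_KEY_BAG), explicit0(pkcs8_der), attrs)     # PKCS#8 verbatim
    cert_bag = seq(oid(OID_CERT_BAG),
                   explicit0(seq(oid(OID_X509_CERT), explicit0(octet(cert_der)))),
                   attrs)
    data = lambda payload: seq(oid(OID_DATA), explicit0(octet(payload)))  # ContentInfo
    auth_safe = seq(data(seq(key_bag)), data(seq(cert_bag)))         # AuthenticatedSafe
    return seq(integer(3), data(auth_safe))

def unwrap_pkcs12(pfx):
    """Inverse of build_pkcs12; handles only the unencrypted, MAC-less layout."""
    _, body, _ = der_read(pfx)
    _, version, pos = der_read(body)
    assert version == b"\x03", "unexpected PFX version"
    _, auth_safe, _ = der_read(data_payload(der_read(body, pos)[1]))
    found, pos = {}, 0
    while pos < len(auth_safe):
        _, ci, pos = der_read(auth_safe, pos)
        _, safe_contents, _ = der_read(data_payload(ci))
        _, bag, _ = der_read(safe_contents)        # one SafeBag per SafeContents here
        _, bag_id, p = der_read(bag)
        _, bag_value, _ = der_read(bag, p)         # contents of [0] EXPLICIT
        if bag_id == oid(OID_KEY_BAG)[2:]:
            found["key"] = bag_value               # the PrivateKeyInfo, untouched
        elif bag_id == oid(OID_CERT_BAG)[2:]:
            _, cert_bag, _ = der_read(bag_value)
            _, _, p = der_read(cert_bag)           # skip certId
            found["cert"] = der_read(der_read(cert_bag, p)[1])[1]
    return found["key"], found["cert"]

# --- constructed sample inputs (assumptions of this example, NOT real) --------
def toy_pkcs8_rsa_key():
    """PKCS#8 PrivateKeyInfo around a deliberately tiny RSA key (p=61, q=53):
    structurally valid so the example runs offline, useless for security."""
    p, q, e, d = 61, 53, 17, 2753                  # e*d == 1 mod (p-1)(q-1)
    rsa_key = seq(integer(0), integer(p * q), integer(e), integer(d), integer(p),
                  integer(q), integer(d % (p - 1)), integer(d % (q - 1)),
                  integer(pow(q, -1, p)))
    return seq(integer(0), seq(oid(OID_RSA_ENCRYPTION), null()), octet(rsa_key))

# Placeholder for the user's X.509 certificate DER; the builder only wraps bytes.
STUB_CERT_DER = seq(octet(b"constructed stand-in, not an X.509 certificate"))

if __name__ == "__main__":
    pfx = build_pkcs12(toy_pkcs8_rsa_key(), STUB_CERT_DER)
    assert unwrap_pkcs12(pfx) == (toy_pkcs8_rsa_key(), STUB_CERT_DER)
    print("PFX of %d bytes, round-trips" % len(pfx))
```

`build_pkcs12` returns the `.p12` bytes to serve (no OpenSSL call, so it runs where the question needs it); `unwrap_pkcs12` exists only to check the layout and is not a general PKCS#12 parser. Two caveats before shipping this: feed it the real PKCS#8 DER and the real certificate DER, and verify the output against the importer you actually target, since some importers are stricter than the specification about MAC-less or unencrypted bags; off-GAE, `openssl pkcs12 -info -nodes -passin pass: -in user.p12` on a file built with a real certificate is a quick way to confirm it parses.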