[pyOpenSSL] Tracking down a change in private key format

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Wed Oct 12 00:03:43 CEST 2011


I am trying to track down a change in private key format that exists
between RHEL 5 and RHEL 6 systems and I believe that pyOpenSSL may be
responsible, though I am not sure.

RHEL 5 uses pyOpenSSL-0.6-2.el5
RHEL 6 uses pyOpenSSL-0.10-2.el6.x86_64

It appears that in RHEL 5 private keys were stored in OpenSSL's default
PEM format, e.g. starting with:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

In RHEL 6 this seems to have changed (using the same code to call) and
the format now appears to use PKCS#8 (for the code call it is an
unencrypted key):

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

From OpenSSL's documentation it appears that PKCS#8 is still not the
default, so I am unsure as to why this is the format being output. The
code in question comes from certmaster: https://fedorahosted.org/certmaster/

The code (identical on RHEL 5 and RHEL 6):
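import os
from OpenSSL import crypto

def make_keypair(dest=None):
    # Generate a 2048-bit RSA key pair
    pkey = crypto.PKey()
    pkey.generate_key(crypto.TYPE_RSA, 2048)
    if dest:
        # 0600 is a Python 2 octal literal: owner read/write only
        destfd = os.open(dest, os.O_RDWR|os.O_CREAT, 0600)
        # Write the key in whatever PEM form the underlying OpenSSL emits
        os.write(destfd, crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey))
        os.close(destfd)

    return pkey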

Was this formatting change intentional or did it just happen due to some
change in OpenSSL? Just trying to nail down how this change came about,
because it ultimately led to the syslog daemon core dumping as it tried
to load the private key.

Thanks,

-Erinn
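
The two PEM forms in the message above differ in their DER structure as well as their label: "RSA PRIVATE KEY" holds a PKCS#1 RSAPrivateKey directly, while "PRIVATE KEY" holds a PKCS#8 PrivateKeyInfo that wraps the same PKCS#1 body in an OCTET STRING. The following is an added example, not part of the original post and not certmaster or pyOpenSSL code: a Python 3, standard-library-only check that tells the two apart and unwraps an unencrypted PKCS#8 RSA key for a consumer that only reads the traditional form. The function names and the toy key are constructed for illustration.

```python
import base64
import re
import textwrap

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER OID 1.2.840.113549.1.1.1
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def classify(pem_text):
    """Return (pem_label, structure, der), judging structure from the DER itself."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    der = base64.b64decode("".join(m.group(2).split()))
    tag, start, _ = tlv(der, 0)
    vtag, _, vend = tlv(der, start)        # both forms begin SEQUENCE { INTEGER version
    if tag != 0x30 or vtag != 0x02:
        return m.group(1), "unknown", der  # e.g. an encrypted PKCS#8 container
    kind = {0x02: "PKCS#1", 0x30: "PKCS#8"}.get(tlv(der, vend)[0], "unknown")
    return m.group(1), kind, der           # INTEGER modulus vs SEQUENCE algorithm id

def to_traditional(pem_text):
    """Unwrap an unencrypted PKCS#8 RSA key into a traditional RSA PRIVATE KEY PEM."""
    _, kind, der = classify(pem_text)
    if kind != "PKCS#8":
        raise ValueError("not an unencrypted PKCS#8 key")
    _, _, vend = tlv(der, tlv(der, 0)[1])  # skip outer header and version
    _, astart, aend = tlv(der, vend)       # AlgorithmIdentifier
    if not der[astart:aend].startswith(RSA_OID):
        raise ValueError("not an RSA key")
    tag, kstart, kend = tlv(der, aend)     # OCTET STRING wrapping the PKCS#1 body
    if tag != 0x04:
        raise ValueError("expected OCTET STRING")
    body = "\n".join(textwrap.wrap(base64.b64encode(der[kstart:kend]).decode(), 64))
    return "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % body

# Constructed toy input: structurally valid DER with tiny integers, not a usable key.
TOY_PKCS1 = bytes.fromhex("300a020100020200c3020103")
TOY_PKCS8 = bytes.fromhex("3020020100300d") + RSA_OID + bytes.fromhex("0500040c") + TOY_PKCS1
SAMPLE = "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % base64.b64encode(TOY_PKCS8).decode()
```

Running `classify()` on the key files written on each system shows which structure the installed OpenSSL actually emitted, independent of the BEGIN/END label.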



