SignedJwtAssertionCredentials on AppEngine doesn't recognize PEM key

Question

SignedJwtAssertionCredentials on appengine (with pycrypto 2.6) doesn't support the PKCS12 format, therefore I'm trying to use PEM keys instead, as suggested everywhere..

this is my code:

  f = file(os.path.join(os.path.dirname(__file__), KEY_FILE), "r")
  key = f.read()
  f.close()

  credentials = SignedJwtAssertionCredentials(SERVICE_ACCOUNT_EMAIL, key,
      scope="https://www.googleapis.com/auth/drive"
  http = httplib2.Http()
  http = credentials.authorize(http)

and the KEY_FILE is a PEM key, converted with the command:

openssl pkcs12 -in privatekey.p12 -nodes -nocerts > privatekey.pem

but I still get this error, as if it didn't recognize that's a PEM key:

NotImplementedError: PKCS12 format is not supported by the PyCrpto library. 
Try converting to a "PEM" (openssl pkcs12 -in xxxxx.p12 -nodes -nocerts > privatekey.pem) or using PyOpenSSL if native code is an option.

same error if I pass just the filename to the constructor (without reading the contents of the file)

any idea?

Answer 1

Yeah, the error is hugely misleading. What you're doing is fine; just remove the header from the PEM file so that it begins with -----BEGIN PRIVATE KEY-----, or run the following command over it:

openssl pkcs8 -nocrypt -in privatekey.pem -passin pass:notasecret -topk8 -out pk.pem

Answer 2

for those interested, I ended up compiling a short tutorial on how to use the Google+ Domains APIs with python on App Engine, you can find it here: https://gist.github.com/vircheck/6292176

It's also applicable to other APIs based on service accounts, such as the Drive API etc..