I am trying to implement Google Identity Toolkit (gitkitv3) in GAE Python. After a user signs in on the website, I get the following errors:

'PKCS12 format is not supported by the PyCrpto library. '
NotImplementedError: PKCS12 format is not supported by the PyCrpto library. Try converting to a "PEM" (openssl pkcs12 -in xxxxx.p12 -nodes -nocerts > privatekey.pem) or using PyOpenSSL if native code is an option.

Based on a SO reply, I ran the following commands on my x.p12 file and used the generated privatekey.pem file instead:

openssl pkcs12 -passin pass:notasecret -in x.p12 -nocerts -passout pass:notasecret -out key.pem 
openssl pkcs8 -nocrypt -in key.pem -passin pass:notasecret -topk8 -out privatekey.pem

Now, I am getting the following error:

'X509 certs are not supported by the PyCrypto library. '
NotImplementedError: X509 certs are not supported by the PyCrypto library. Try using PyOpenSSL if native code is an option.

I had downloaded the x.p12 from Google Developer Console. How do I fix this error? Please help.


ANY WORKAROUND?

Do I necessarily need this .p12 file, or can I copy its contents to a global variable and use it (as a workaround)? Could someone please explain to me the actual use of this file?


UPDATE
Looks like the PyCrypto library provided by Google is extremely limited and lacks the capability to support X509.

gsinha
    http://stackoverflow.com/questions/17993604/signedjwtassertioncredentials-on-appengine-doesnt-recognize-pem-key – Ryan Aug 29 '14 at 16:40
  • @Bruyere Thanks but I have already tried that and it did not work. – gsinha Aug 29 '14 at 18:39
  • Including removing the header "-----BEGIN PRIVATE KEY-----"? – Ryan Aug 29 '14 at 18:45
  • @Bruyere I tried that now and I got the first error mentioned above `NotImplementedError: PKCS12 format is not supported by the PyCrpto library.. ` – gsinha Aug 30 '14 at 04:34
  • PyCrypto does not support X.509 certs at all. You can still load them as indicated here: http://stackoverflow.com/questions/12911373/how-do-i-use-a-x509-certificate-with-pycrypto. Mind that a private key is not an x.509 cert (which includes the public key). It is not clear what your code needs though. – SquareRootOfTwentyThree Aug 31 '14 at 08:54
  • @SquareRootOfTwentyThree Thanks for your suggestion. I went through the question and your answer. I am not able to figure out at which all places and what all to change myself since I am not comfortable with code in [oauth2client/crypt.py](https://code.google.com/p/google-api-python-client/downloads/detail?name=google-api-python-client-gae-1.2.zip&can=2&q=). – gsinha Aug 31 '14 at 16:34
  • @SquareRootOfTwentyThree I tried your solution but am getting some [new errors](http://pastebin.com/hcWgnXYn) – gsinha Sep 01 '14 at 15:38
  • @gsinha Have you extracted the X509 cert with a command like `openssl pkcs12 -clcerts -nokeys -in mycert.p12 -out usercert.pem`? Can you post the cert somewhere? – SquareRootOfTwentyThree Sep 01 '14 at 18:17
  • @SquareRootOfTwentyThree I got present .pem by: `openssl pkcs12 -in -nocerts -passin pass:notasecret -nodes -out ` key.pem: `Bag Attributes friendlyName: privatekey localKeyID: 54 69 6D 65 20 31 34 30 31 32 33 34 35 36 37 38 39 30 Key Attributes: -----BEGIN PRIVATE KEY----- lots_of_characters_present_here_replaced_for_this_post= -----END PRIVATE KEY----- ` Next, I deleted first 4 lines of .pem file. Final .pem looks like: `-----BEGIN PRIVATE KEY----- lots_of_characters_are_present_here_which_i_have_replaced_for_this_post= -----END PRIVATE KEY-----` – gsinha Sep 02 '14 at 02:27
  • @gsinha The code that fails performs a verification, and for that you need a public key, not a private key. Could you try the command from my previous comment? That gives you a public key (inside an X.509 cert). – SquareRootOfTwentyThree Sep 02 '14 at 10:11
  • @SquareRootOfTwentyThree I generated the new certificate using `openssl pkcs12 -clcerts -nokeys -in myapp-36.p12 -out usercert.pem`. The generated certificate could be seen [here](http://pastebin.com/RGtfGdiy) (replaced sensitive data). I tried and got [this error](http://pastebin.com/zKpYyg0F). Then I removed everything before "-----BEGIN PRIVATE KEY-----" and tried again. The new certificate is [here](http://pastebin.com/R0tv1wBj). This time, I got [this error](http://pastebin.com/yfsFYJ1q). – gsinha Sep 02 '14 at 15:22
  • Hi gsinha, I've been having the same problem. Can you tell me how you managed to work around it? – MayK Oct 24 '14 at 14:00
  • @user3824957 The experimental version of PyCrypto had the fix. It has also been incorporated in GAE Production some time ago. [This](https://groups.google.com/forum/embed/?place=forum/google-identity-toolkit&showsearch=true&showpopout=true&parenturl=https%3A%2F%2Fdevelopers.google.com%2Fidentity-toolkit%2Fforum#!topic/google-identity-toolkit/fvPwCd1Dhjs) is the Gitkit discussion thread. I had raised [an issue](https://code.google.com/p/googleappengine/issues/detail?id=11257&can=4&colspec=ID%20Type%20Component%20Status%20Stars%20Summary%20Language%20Priority%20Owner%20Log) with GAE too. – gsinha Oct 25 '14 at 15:19
  • @gsinha : I am facing the same issue. Did you get any work around ? If yes please share. – Kartik Domadiya May 08 '15 at 05:06
  • @Kartik This issue had been fixed by Google a few months ago. – gsinha May 20 '15 at 18:05
  • @gsinha : yeah. It's working now though I didn't change anything. – Kartik Domadiya May 21 '15 at 03:35
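A runnable version of the two openssl extraction paths discussed above, added here as an example and not taken from the question, the answer or Google's tooling: it builds a throwaway PKCS#12 file as a stand-in for the console-issued x.p12 (same "notasecret" passphrase and friendlyName "privatekey"), runs the private-key extraction from the question and the client-cert extraction from the comments, and checks that the resulting files describe one key pair. It assumes the openssl command-line tool is installed; every file name is a local temporary.

```shell
#!/bin/sh
# Added example (not from the question or answer). Builds a stand-in for the
# Google-issued x.p12, then runs the two extractions discussed on this page
# and checks that privatekey.pem and usercert.pem belong to one key pair.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for x.p12: a self-signed cert plus RSA key, packed with the same
# friendlyName ("privatekey") and passphrase ("notasecret") the console uses.
make_test_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=gitkit-test -days 1 \
        -keyout "$WORK/orig_key.pem" -out "$WORK/orig_cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/orig_cert.pem" -inkey "$WORK/orig_key.pem" \
        -name privatekey -passout pass:notasecret -out "$WORK/x.p12"
}

# Path 1 (the question): private key -> unencrypted PKCS#8 PEM.
# This is what a library needs to *sign* an assertion.
extract_private_key() {
    openssl pkcs12 -in "$WORK/x.p12" -passin pass:notasecret -nocerts -nodes \
        -out "$WORK/key.pem" 2>/dev/null
    openssl pkcs8 -topk8 -nocrypt -in "$WORK/key.pem" -out "$WORK/privatekey.pem"
}

# Path 2 (the comments): client cert -> PEM, then the public key inside it.
# Signature *verification* needs this public key, not the private key.
extract_public_key() {
    openssl pkcs12 -in "$WORK/x.p12" -passin pass:notasecret -clcerts -nokeys \
        -out "$WORK/usercert.pem" 2>/dev/null
    openssl x509 -in "$WORK/usercert.pem" -pubkey -noout > "$WORK/pubkey.pem"
}

# Prints "yes" when the public key derived from privatekey.pem equals the
# public key carried by usercert.pem, i.e. the two files form one key pair.
keys_match() {
    openssl pkey -in "$WORK/privatekey.pem" -pubout -out "$WORK/derived_pub.pem"
    if [ "$(cat "$WORK/derived_pub.pem")" = "$(cat "$WORK/pubkey.pem")" ]; then
        echo yes
    else
        echo no
    fi
}

make_test_p12
extract_private_key
extract_public_key
keys_match
```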

1 Answer

Installing pyopenssl fixed the issue for me:

pip install pyopenssl
Sushil
  • Where do I run this command? On my mac/local machine and then include the pyopenssl package in the app.yaml before uploading to GAE? – Smart Home Nov 26 '15 at 22:10