
I'm working within the Google App Engine (GAE) Python 2.7 runtime.

I need to sign (and potentially also generate) an X509 certificate (.csr).

I found several guides that rely on PyOpenSSL.

As I understand it, PyOpenSSL is a wrapper around OpenSSL and not available in App Engine.
PyCrypto is available, but does not have a clear pre-built signing method for X509.

How can I sign an X509 .csr using only Python?

Dan O'Boyle
  • https://www.dlitz.net/software/pycrypto/api/current/Crypto.Signature.PKCS1_v1_5-module.html might be what you are looking for? ... I'm not sure if this is the same as x509 ... but it looks like the implementation specs are publicly available so you could implement it... but it's gonna be painful – Joran Beasley Jun 25 '16 at 19:21
  • Does this help you in any way? http://stackoverflow.com/questions/23103878/sign-csr-from-client-using-ca-root-certificate-in-python – Saurabh Chaturvedi Jul 01 '16 at 06:00
  • Python supports a Go lang environment and you can create a module that uses https://golang.org/pkg/crypto/x509/ and call it via a REST API. – Alexander Trakhimenok Jul 01 '16 at 09:22
  • Run the signing code in the flexible runtime and keep that as a separate service that your normal App Engine front-ends consume. – Tim Hoffman Jul 02 '16 at 07:42
  • A separate module seems to be the way to go (either in Go or a custom runtime). I'm happy to award a bounty to someone willing to compile the comments into an authoritative answer. – Dan O'Boyle Jul 02 '16 at 17:08
  • Looking through the GAE docs, it doesn't actually say anywhere that you can't use PyOpenSSL, just that they won't install it for you. Can you not just include the relevant `.so` or `.dll` file somewhere in the `PYTHONPATH` for your project code, and import it from there? – Aya Jul 04 '16 at 16:50
  • If not, have a look at [oscrypto](https://github.com/wbond/oscrypto) which claims to be able to do it. – Aya Jul 04 '16 at 19:56
  • Related: http://stackoverflow.com/q/12911373/172176 – Aya Jul 04 '16 at 19:59
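The separate signing module that the comments above converge on (a Go service using `crypto/x509`, called over REST from the Python front-end) looks like this. This is an added example, not code from the question or any answer: it generates a throwaway CA and a stand-in client CSR so it runs offline with only the Go standard library; names such as `Signer`, `SignCSR`, `app.example.test` and the 90-day validity are assumptions of this example. The point worth noticing is what the CA checks before signing (the CSR's own signature, as proof of possession) and what it refuses to copy from the request (validity, key usage, CA:FALSE are set by policy, not by the requester).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Signer holds the CA material; it stays inside the signing service, the
// App Engine front-end only sends CSRs over and gets certificates back.
type Signer struct {
	CACert *x509.Certificate
	CAKey  *rsa.PrivateKey
}

// NewTestCA builds a self-signed CA for this example (constructed; a real
// service would load the CA key from a KMS or HSM-backed store).
func NewTestCA() (*Signer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	return &Signer{CACert: cert, CAKey: key}, err
}

// SignCSR parses a PEM CSR, checks proof of possession and issues a short-lived
// leaf. Only subject and DNS SANs come from the request; policy fields are the CA's.
func (s *Signer) SignCSR(csrPEM []byte) ([]byte, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("input contains no CERTIFICATE REQUEST block")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { // requester must hold the private key
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          serial, // random, never sequential
		Subject:               csr.Subject,
		DNSNames:              csr.DNSNames,
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // IsCA stays false: the leaf cannot issue certificates
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, s.CACert, csr.PublicKey, s.CAKey)
	if err != nil { return nil, err }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// MakeCSR stands in for the client; in practice the CSR arrives over the REST
// call and the client's private key never reaches the signing service.
func MakeCSR(cn string, dnsNames []string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: dnsNames}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	if err != nil { return nil, err }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// Verify checks that an issued certificate chains to the CA and matches dnsName.
func (s *Signer) Verify(certPEM []byte, dnsName string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil { return fmt.Errorf("no PEM block") }
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil { return err }
	roots := x509.NewCertPool()
	roots.AddCert(s.CACert)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

func main() {
	ca, err := NewTestCA()
	if err != nil { panic(err) }
	csrPEM, err := MakeCSR("app.example.test", []string{"app.example.test"})
	if err != nil { panic(err) }
	certPEM, err := ca.SignCSR(csrPEM)
	if err != nil { panic(err) }
	fmt.Println("chain valid:", ca.Verify(certPEM, "app.example.test") == nil)
}
```

Wrapping `SignCSR` in an `http.HandlerFunc` that reads a PEM body and writes the PEM certificate back is all the REST layer needs; the front-end then never touches the CA key, which is the reason to split the service out in the first place.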

3 Answers

Can I sign an X509 certificate entirely in Python?

Almost certainly, but I don't think there are any existing pure Python implementations available. The closest I could find is oscrypto, but being able to sign an X509 certificate depends on having the ctypes module available.

The author has also written a module called certbuilder, which claims to be a "Python library for generating and signing X.509 certificates", but it depends on the oscrypto module.

However, the real question sounds more like...

Can I sign an X509 certificate on a Google App Engine Python Standard Environment?

In this case, the oscrypto module probably won't help, since, according to the docs, the environment doesn't allow usage of the ctypes module.

You do have access to the PyCrypto module, and although there is a Python example of reading an X509 certificate using it, and a C++ example of verifying an X509 certificate, the Python bindings don't seem to have complete support for encoding and decoding ASN.1. You might be able to combine PyCrypto with asn1crypto by the same author as oscrypto for full ASN.1 support.

If none of these solutions are of any use, then either a GAE Python Flexible Environment or a GAE Custom Runtime ought to let you install the PyOpenSSL package, but you'd have to contact their tech support team to find out.

Aya
  • oscrypto will use either ctypes or cffi to call the operating system's crypto library for encryption, decryption, signing and verification. It does not provide pure-Python cryptographic primitives. – wbond Jul 06 '16 at 09:44
  • @wbond It seemed unlikely that it would provide a pure Python implementation for signing an X509, but thanks for the confirmation. Have updated the answer. – Aya Jul 06 '16 at 12:06

I may have found a solution:

Cryptography.io is entirely python based and even offers a tutorial on how to self sign a cert.

Happy to hear other answers.

Dan O'Boyle
  • As I dig deeper... it looks like they rely on OpenSSL as a backend. I'll leave this answer here as a breadcrumb, but at present it looks like this will not work. – Dan O'Boyle Jun 25 '16 at 19:39
  • More breadcrumbs: looks like M2Crypto can do it, but I'm not sure if it relies on OpenSSL https://gist.github.com/eskil/2338529 – Dan O'Boyle Jun 28 '16 at 17:25
  • M2Crypto is the most complete Python wrapper for OpenSSL, so no, it relies on OpenSSL too. I really don't think anyone in the world is so mad as to port OpenSSL to pure Python; I can't see any sense in it. In your case, you can create a cert signing service on a normal host and use it from GAE. – Reishin Jul 02 '16 at 01:18

This will not be a direct answer, because I have never used C or Cython, but maybe it is possible to use some C library for this task.

From Cython site:

All of this makes Cython the ideal language for wrapping external C libraries, embedding CPython into existing applications, and for fast C modules that speed up the execution of Python code.

It seems like neither the simplest nor the best solution, but who knows :)

MartinP