def encrypt(self, key_password):
"""
Encrypts the private key, so that it can be saved to a keystore.
This will make it necessary to decrypt it again if it is going to be used later.
Has no effect if the entry is already encrypted.
:param str key_password: The password to encrypt the entry with.
"""
if not self.is_decrypted():
return
encrypted_private_key = sun_crypto.jks_pkey_encrypt(
self.pkey_pkcs8, key_password)
a = AlgorithmIdentifier()
a.setComponentByName('algorithm', sun_crypto.SUN_JKS_ALGO_ID)
a.setComponentByName('parameters', '\x05\x00')
epki = rfc5208.EncryptedPrivateKeyInfo()
epki.setComponentByName('encryptionAlgorithm', a)
epki.setComponentByName('encryptedData', encrypted_private_key)
self._encrypted = encoder.encode(epki)
self._pkey = None
self._pkey_pkcs8 = None
self._algorithm_oid = None
def new(cls, alias, certs, key, key_format='pkcs8'):
"""
Helper function to create a new PrivateKeyEntry.
:param str alias: The alias for the Private Key Entry
:param list certs: An list of certificates, as byte strings.
The first one should be the one belonging to the private key,
the others the chain (in correct order).
:param str key: A byte string containing the private key in the
format specified in the key_format parameter (default pkcs8).
:param str key_format: The format of the provided private key.
Valid options are pkcs8 or rsa_raw. Defaults to pkcs8.
:returns: A loaded :class:`PrivateKeyEntry` instance, ready
to be placed in a keystore.
:raises UnsupportedKeyFormatException: If the key format is
unsupported.
"""
timestamp = int(time.time()) * 1000
cert_chain = []
for cert in certs:
cert_chain.append(('X.509', cert))
pke = cls(
timestamp=timestamp,
# Alias must be lower case or it will corrupt the keystore for Java Keytool and Keytool Explorer
alias=alias.lower(),
cert_chain=cert_chain)
if key_format == 'pkcs8':
private_key_info = decoder.decode(
key, asn1Spec=rfc5208.PrivateKeyInfo())[0]
pke._algorithm_oid = private_key_info['privateKeyAlgorithm'][
'algorithm'].asTuple()
pke.pkey = private_key_info['privateKey'].asOctets()
pke.pkey_pkcs8 = key
elif key_format == 'rsa_raw':
pke._algorithm_oid = RSA_ENCRYPTION_OID
# We must encode it to pkcs8
private_key_info = rfc5208.PrivateKeyInfo()
private_key_info.setComponentByName('version', 'v1')
a = AlgorithmIdentifier()
a.setComponentByName('algorithm', pke._algorithm_oid)
a.setComponentByName('parameters', '\x05\x00')
private_key_info.setComponentByName('privateKeyAlgorithm', a)
private_key_info.setComponentByName('privateKey', key)
pke.pkey_pkcs8 = encoder.encode(private_key_info, ifNotEmpty=True)
pke.pkey = key
else:
raise UnsupportedKeyFormatException(
"Key Format '%s' is not supported" % key_format)
return pke