Hi people.
We have some Python (CPython) code that uses openssl(1) via a subprocess at
present. I'm coming to believe this isn't terribly secure though, so I
looked for an openssl wrapper for CPython.
What I found was PyOpenSSL, which recommends using pyca/cryptography
instead for almost everyth
So the first command looks like this:
['openssl', 'rsa', '-passin', 'pass:{0}'.format(record.password)]
It's just accepting the following on stdin, formatted like:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
...and outputting something that'll later be passed to ssh-keygen -
The second command looks like:
['openssl', 'genrsa', '-aes128', '-passout', 'stdin', '2048']
I believe this is generating a public key, that will later be used by ssh.
This one probably isn't much of a problem, but it might be better to go all
pyca/cryptography (one dependency) rather than openss
The third command looks like:
["openssl", "rsa", "-passin", "pass:{0}".format(newpassword), "-pubout"]
I think here we're obtaining a new public key.
Any suggestions as to how this could be rewritten to use pyca/cryptography?
Thanks!
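The three openssl(1) invocations in the message above, sketched with pyca/cryptography as an added example (not code from the original post or from the pyca project). The function names are hypothetical, and the encrypted output is PKCS#8 with a library-chosen cipher rather than `-aes128`; passwords stay in-process as bytes, so they never appear on a subprocess command line.

```python
# Added example: pyca/cryptography equivalents of the three openssl(1) calls.
# Function names are hypothetical and not part of any library.
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def generate_encrypted_key(password: bytes, bits: int = 2048) -> bytes:
    """Roughly `openssl genrsa -aes128 -passout stdin 2048`.

    Assumption: BestAvailableEncryption lets the library pick the cipher,
    so this emits encrypted PKCS#8 PEM, not AES-128 legacy PEM.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    return key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )


def _load_rsa(encrypted_pem: bytes, password: bytes) -> rsa.RSAPrivateKey:
    # Raises ValueError on a wrong password or malformed PEM.
    key = serialization.load_pem_private_key(encrypted_pem, password=password)
    if not isinstance(key, rsa.RSAPrivateKey):
        raise TypeError("expected an RSA private key")
    return key


def decrypt_key(encrypted_pem: bytes, password: bytes) -> bytes:
    """Roughly `openssl rsa -passin pass:...`: unencrypted traditional PEM."""
    return _load_rsa(encrypted_pem, password).private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption(),
    )


def public_pem(encrypted_pem: bytes, password: bytes) -> bytes:
    """Roughly `openssl rsa -passin pass:... -pubout`: SubjectPublicKeyInfo PEM."""
    return _load_rsa(encrypted_pem, password).public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )


if __name__ == "__main__":
    pw = b"constructed-example-password"  # constructed sample value
    enc = generate_encrypted_key(pw)
    print(public_pem(enc, pw).decode())
```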