Fast ASN.1 parser and serializer with definitions for private keys, public keys, certificates, CRL, OCSP, CMS, PKCS#3, PKCS#7, PKCS#8, PKCS#12, PKCS#5, X.509 and TSP
A fast, pure Python library for parsing and serializing ASN.1 structures.
In addition to an ASN.1 BER/DER decoder and DER serializer, the project includes a bunch of ASN.1 structures for use with various common cryptography standards:
Standard | Module | Source |
---|---|---|
X.509 | asn1crypto.x509 |
RFC 5280 |
CRL | asn1crypto.crl |
RFC 5280 |
CSR | asn1crypto.csr |
RFC 2986, RFC 2985 |
OCSP | asn1crypto.ocsp |
RFC 6960 |
PKCS#12 | asn1crypto.pkcs12 |
RFC 7292 |
PKCS#8 | asn1crypto.keys |
RFC 5208 |
PKCS#1 v2.1 (RSA keys) | asn1crypto.keys |
RFC 3447 |
DSA keys | asn1crypto.keys |
RFC 3279 |
Elliptic curve keys | asn1crypto.keys |
SECG SEC1 V2 |
PKCS#3 v1.4 | asn1crypto.algos |
PKCS#3 v1.4 |
PKCS#5 v2.1 | asn1crypto.algos |
PKCS#5 v2.1 |
CMS (and PKCS#7) | asn1crypto.cms |
RFC 5652, RFC 2315 |
TSP | asn1crypto.tsp |
RFC 3161 |
PDF signatures | asn1crypto.pdf |
PDF 1.7 |
Python has long had the pyasn1 and pyasn1_modules available for parsing and serializing ASN.1 structures. While the project does include a comprehensive set of tools for parsing and serializing, the performance of the library can be very poor, especially when dealing with bit fields and parsing large structures such as CRLs.
After spending extensive time using pyasn1, the following issues were identified:
The pyasn1 API is largely method driven, and uses extensive configuration objects and lowerCamelCase names. There were no consistent options for converting types of native Python data structures. Since the project supports out-dated versions of Python, many newer language features are unavailable for use.
Time was spent trying to profile issues with the performance, however the
architecture made it hard to pin down the primary source of the poor
performance. Attempts were made to improve performance by utilizing unreleased
patches and delaying parsing using the Any
type. Even with such changes, the
performance was still unacceptably slow.
Finally, a number of structures in the cryptographic space use universal data
types such as BitString
and OctetString
, but interpret the data as other
types. For instance, signatures are really byte strings, but are encoded as
BitString
. Elliptic curve keys use both BitString
and OctetString
to
represent integers. Parsing these structures as the base universal types and
then re-interpreting them wastes computation.
asn1crypto uses the following techniques to improve performance, especially when extracting one or two fields from large, complex structures:
While there is no extensive performance test suite, the
CRLTests.test_parse_crl
test case was used to parse a 21MB CRL file on a
late 2013 rMBP. asn1crypto parsed the certificate serial numbers in just
under 8 seconds. With pyasn1, using definitions from pyasn1-modules, the
same parsing took over 4,100 seconds.
For smaller structures the performance difference can range from a few times faster to an order of magnitude or more.
asn1crypto is part of the modularcrypto family of Python packages:
1.5.0 - changelog
Python 2.6, 2.7, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10 or pypy. No third-party packages required.
pip install asn1crypto
asn1crypto is licensed under the terms of the MIT license. See the LICENSE file for the exact license text.
The security policies for this project are covered in SECURITY.md.
The documentation for asn1crypto is composed of tutorials on basic usage and links to the source for the various pre-defined type classes.
asn1crypto.core
asn1crypto.algos
asn1crypto.keys
asn1crypto.x509
asn1crypto.crl
asn1crypto.ocsp
asn1crypto.csr
asn1crypto.pkcs12
asn1crypto.cms
asn1crypto.tsp
asn1crypto.pdf
Various combinations of platforms and versions of Python are tested via:
Tests are written using unittest
and require no third-party packages.
Depending on what type of source is available for the package, the following commands can be used to run the test suite.
When working within a Git working copy, or an archive of the Git repository, the full test suite is run via:
python run.py tests
To run only some tests, pass a regular expression as a parameter to tests
.
python run.py tests ocsp
When working within an extracted source distribution (aka .tar.gz
) from
PyPi, the full test suite is run via:
python setup.py test
When the package has been installed via pip (or another method), the package
asn1crypto_tests
may be installed and invoked to run the full test suite:
pip install asn1crypto_tests
python -m asn1crypto_tests
To install the package used for linting, execute:
pip install --user -r requires/lint
The following command will run the linter:
python run.py lint
Support for code coverage can be installed via:
pip install --user -r requires/coverage
Coverage is measured by running:
python run.py coverage
To change the version number of the package, run:
python run.py version {pep440_version}
To install the necessary packages for releasing a new version on PyPI, run:
pip install --user -r requires/release
Releases are created by:
Making a git tag in PEP 440 format
Running the command:
python run.py release
Existing releases can be found at https://pypi.org/project/asn1crypto/.
A task named deps
exists to download and stage all necessary testing
dependencies. On posix platforms, curl
is used for downloads and on Windows
PowerShell with Net.WebClient
is used. This configuration sidesteps issues
related to getting pip to work properly and messing with site-packages
for
the version of Python being used.
The ci
task runs lint
(if flake8 is available for the version of Python) and
coverage
(or tests
if coverage is not available for the version of Python).
If the current directory is a clean git working copy, the coverage data is
submitted to codecov.io.
python run.py deps
python run.py ci