asn1crypto

A fast, pure Python library for parsing and serializing ASN.1 structures.

• Features
• Why Another Python ASN.1 Library?
• Related Crypto Libraries
• Current Release
• Dependencies
• Installation
• License
• Documentation
• Continuous Integration
• Testing
• Development

Features

In addition to an ASN.1 BER/DER decoder and DER serializer, the project includes a bunch of ASN.1 structures for use with various common cryptography standards:

Standard	Module	Source
X.509	asn1crypto.x509	RFC 5280
CRL	asn1crypto.crl	RFC 5280
CSR	asn1crypto.csr	RFC 2986, RFC 2985
OCSP	asn1crypto.ocsp	RFC 6960
PKCS#12	asn1crypto.pkcs12	RFC 7292
PKCS#8	asn1crypto.keys	RFC 5208
PKCS#1 v2.1 (RSA keys)	asn1crypto.keys	RFC 3447
DSA keys	asn1crypto.keys	RFC 3279
Elliptic curve keys	asn1crypto.keys	SECG SEC1 V2
PKCS#3 v1.4	asn1crypto.algos	PKCS#3 v1.4
PKCS#5 v2.1	asn1crypto.algos	PKCS#5 v2.1
CMS (and PKCS#7)	asn1crypto.cms	RFC 5652, RFC 2315
TSP	asn1crypto.tsp	RFC 3161
PDF signatures	asn1crypto.pdf	PDF 1.7

Why Another Python ASN.1 Library?

Python has long had the pyasn1 and pyasn1_modules available for parsing and serializing ASN.1 structures. While the project does include a comprehensive set of tools for parsing and serializing, the performance of the library can be very poor, especially when dealing with bit fields and parsing large structures such as CRLs.

After spending extensive time using pyasn1, the following issues were identified:

1. Poor performance
2. Verbose, non-pythonic API
3. Out-dated and incomplete definitions in pyasn1-modules
4. No simple way to map data to native Python data structures
5. No mechanism for overridden universal ASN.1 types

The pyasn1 API is largely method driven, and uses extensive configuration objects and lowerCamelCase names. There were no consistent options for converting types of native Python data structures. Since the project supports out-dated versions of Python, many newer language features are unavailable for use.

Time was spent trying to profile issues with the performance, however the architecture made it hard to pin down the primary source of the poor performance. Attempts were made to improve performance by utilizing unreleased patches and delaying parsing using the Any type. Even with such changes, the performance was still unacceptably slow.

Finally, a number of structures in the cryptographic space use universal data types such as BitString and OctetString, but interpret the data as other types. For instance, signatures are really byte strings, but are encoded as BitString. Elliptic curve keys use both BitString and OctetString to represent integers. Parsing these structures as the base universal types and then re-interpreting them wastes computation.

asn1crypto uses the following techniques to improve performance, especially when extracting one or two fields from large, complex structures:

• Delayed parsing of byte string values
• Persistence of original ASN.1 encoded data until a value is changed
• Lazy loading of child fields
• Utilization of high-level Python stdlib modules

While there is no extensive performance test suite, the CRLTests.test_parse_crl test case was used to parse a 21MB CRL file on a late 2013 rMBP. asn1crypto parsed the certificate serial numbers in just under 8 seconds. With pyasn1, using definitions from pyasn1-modules, the same parsing took over 4,100 seconds.

For smaller structures the performance difference can range from a few times faster to an order of magnitude of more.

Related Crypto Libraries

asn1crypto is part of the modularcrypto family of Python packages:

• asn1crypto
• oscrypto
• csrbuilder
• certbuilder
• crlbuilder
• ocspbuilder
• certvalidator

Current Release

0.17.1 - changelog

Dependencies

Python 2.6, 2.7, 3.2, 3.3, 3.4, 3.5, pypy or pypy3. No third-party packages required.

Installation

pip install asn1crypto

License

asn1crypto is licensed under the terms of the MIT license. See the LICENSE file for the exact license text.

Documentation

The documentation for asn1crypto is composed of tutorials on basic usage and links to the source for the various pre-defined type classes.

Tutorials

• Universal Types with BER/DER Decoder and DER Encoder
• PEM Encoder and Decoder

Reference

• Universal types, asn1crypto.core
• Digest, HMAC, signed digest and encryption algorithms, asn1crypto.algos
• Private and public keys, asn1crypto.keys
• X509 certificates, asn1crypto.x509
• Certificate revocation lists (CRLs), asn1crypto.crl
• Online certificate status protocol (OCSP), asn1crypto.ocsp
• Certificate signing requests (CSRs), asn1crypto.csr
• Private key/certificate containers (PKCS#12), asn1crypto.pkcs12
• Cryptographic message syntax (CMS, PKCS#7), asn1crypto.cms
• Time stamp protocol (TSP), asn1crypto.tsp
• PDF signatures, asn1crypto.pdf

Continuous Integration

• Windows via AppVeyor
• OS X & Linux via Travis CI

Testing

Tests are written using unittest and require no third-party packages:

python run.py tests

To run only some tests, pass a regular expression as a parameter to tests.

python run.py tests ocsp

Development

To install required development dependencies, execute:

pip install -r dev-requirements.txt

The following commands will run the linter and test coverage:

python run.py lint
python run.py coverage

After creating a semver git tag, a .tar.gz and .whl of the package can be created and uploaded to PyPi by executing:

python run.py release