
Python subprocess problem


I'm writing a script to generate a CSR in Python. The script is very simple. I generate an RSA private key by using the following:

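from subprocess import Popen, PIPE

keycmd = "openssl genrsa -out mykey.pem 2048"
keyprocess = Popen(keycmd, shell=True, stdout=PIPE)
keyprocess.communicate()  # wait until mykey.pem is written before openssl req reads it

# subj is the subject string, defined elsewhere in the script
csrcmd = "openssl req -new -key mykey.pem -subj "+ subj + " -out mycsr.csr"
reqprocess = Popen(csrcmd, shell=True, stdout=PIPE)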

However, I want to add the functionality to encrypt the private key with a password if the user desires. This is normally done by including the option "-des3" in the genrsa command, but I don't know how to pipe a string from Python standard input to the OpenSSL process. Any help would be appreciated.

What I want to do is:

keycmd = "openssl genrsa -des3 -out mykey.pem 2048"
keyprocess = Popen(keycmd, shell=True, stdin=PIPE, stdout=PIPE)
keyprocess.communicate("password")
keyprocess.communicate("password")

It's not working, however; the script just freezes and never gets past the first communicate statement.


Solution

  • Add the option -passout stdin to the openssl genrsa command, and it will read the passphrase from standard input. That should allow you to send it in via communicate.

    There are several other values you can provide to the -passout option to obtain the passphrase from another source. See the OpenSSL man page for details.
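
The approach from the answer, as an added example that is not part of the original post: both openssl calls take the passphrase on standard input (-passout stdin for genrsa, -passin stdin for req), and the commands are passed as argument lists so the subject string never goes through a shell. The helper names and the sample subject "/CN=example.com" are assumptions made for illustration.

```python
import getpass
import subprocess

def genrsa_argv(key_path, bits=2048, encrypt=False):
    """Build the openssl genrsa command as a list (no shell involved)."""
    argv = ["openssl", "genrsa"]
    if encrypt:
        # -passout stdin: openssl reads the passphrase from its standard input,
        # so it never shows up in the process argument list
        argv += ["-des3", "-passout", "stdin"]
    return argv + ["-out", key_path, str(bits)]

def req_argv(key_path, csr_path, subj, encrypted=False):
    """Build the openssl req command; -passin stdin unlocks an encrypted key."""
    argv = ["openssl", "req", "-new", "-key", key_path,
            "-subj", subj, "-out", csr_path]
    if encrypted:
        argv += ["-passin", "stdin"]
    return argv

def run_with_passphrase(argv, passphrase=None):
    """Run argv, writing the passphrase (if any) as one line on stdin.

    Returns the child's stdout; raises CalledProcessError on failure.
    """
    if passphrase is None:
        # No passphrase: empty stdin, so the child cannot block on a prompt
        io = {"stdin": subprocess.DEVNULL}
    else:
        io = {"input": passphrase.encode() + b"\n"}
    done = subprocess.run(argv, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, check=True, **io)
    return done.stdout

if __name__ == "__main__":
    # Constructed sample subject; the file names match the question
    subj = "/CN=example.com"
    pw = getpass.getpass("Key passphrase (empty for none): ") or None
    run_with_passphrase(genrsa_argv("mykey.pem", encrypt=bool(pw)), pw)
    run_with_passphrase(req_argv("mykey.pem", "mycsr.csr", subj, bool(pw)), pw)
```

Each openssl process gets its own stdin and a single write that is closed afterwards, which is why one call per command replaces the two communicate calls from the question.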