Home

Awesome

asn1crypto

A fast, pure Python library for parsing and serializing ASN.1 structures.

GitHub Actions CI CircleCI PyPI

Sponsorship

A quick thank you to all of the sponsors who donate to support the asn1crypto project:

Corporate

Personal

Features

In addition to an ASN.1 BER/DER decoder and DER serializer, the project includes a bunch of ASN.1 structures for use with various common cryptography standards:

StandardModuleSource
X.509asn1crypto.x509RFC 5280
CRLasn1crypto.crlRFC 5280
CSRasn1crypto.csrRFC 2986, RFC 2985
OCSPasn1crypto.ocspRFC 6960
PKCS#12asn1crypto.pkcs12RFC 7292
PKCS#8asn1crypto.keysRFC 5208
PKCS#1 v2.1 (RSA keys)asn1crypto.keysRFC 3447
DSA keysasn1crypto.keysRFC 3279
Elliptic curve keysasn1crypto.keysSECG SEC1 V2
PKCS#3 v1.4asn1crypto.algosPKCS#3 v1.4
PKCS#5 v2.1asn1crypto.algosPKCS#5 v2.1
CMS (and PKCS#7)asn1crypto.cmsRFC 5652, RFC 2315
TSPasn1crypto.tspRFC 3161
PDF signaturesasn1crypto.pdfPDF 1.7

Why Another Python ASN.1 Library?

Python has long had the pyasn1 and pyasn1_modules available for parsing and serializing ASN.1 structures. While the project does include a comprehensive set of tools for parsing and serializing, the performance of the library can be very poor, especially when dealing with bit fields and parsing large structures such as CRLs.

After spending extensive time using pyasn1, the following issues were identified:

  1. Poor performance
  2. Verbose, non-pythonic API
  3. Out-dated and incomplete definitions in pyasn1-modules
  4. No simple way to map data to native Python data structures
  5. No mechanism for overridden universal ASN.1 types

The pyasn1 API is largely method driven, and uses extensive configuration objects and lowerCamelCase names. There were no consistent options for converting types of native Python data structures. Since the project supports out-dated versions of Python, many newer language features are unavailable for use.

Time was spent trying to profile issues with the performance, however the architecture made it hard to pin down the primary source of the poor performance. Attempts were made to improve performance by utilizing unreleased patches and delaying parsing using the Any type. Even with such changes, the performance was still unacceptably slow.

Finally, a number of structures in the cryptographic space use universal data types such as BitString and OctetString, but interpret the data as other types. For instance, signatures are really byte strings, but are encoded as BitString. Elliptic curve keys use both BitString and OctetString to represent integers. Parsing these structures as the base universal types and then re-interpreting them wastes computation.

asn1crypto uses the following techniques to improve performance, especially when extracting one or two fields from large, complex structures:

While there is no extensive performance test suite, the CRLTests.test_parse_crl test case was used to parse a 21MB CRL file on a late 2013 rMBP. asn1crypto parsed the certificate serial numbers in just under 8 seconds. With pyasn1, using definitions from pyasn1-modules, the same parsing took over 4,100 seconds.

For smaller structures the performance difference can range from a few times faster to an order of magnitude or more.

Related Crypto Libraries

asn1crypto is part of the modularcrypto family of Python packages:

Current Release

1.5.1 - changelog

Dependencies

Python 2.6, 2.7, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12 or pypy. No third-party packages required.

Installation

pip install asn1crypto

License

asn1crypto is licensed under the terms of the MIT license. See the LICENSE file for the exact license text.

Security Policy

The security policies for this project are covered in SECURITY.md.

Documentation

The documentation for asn1crypto is composed of tutorials on basic usage and links to the source for the various pre-defined type classes.

Tutorials

Reference

Continuous Integration

Various combinations of platforms and versions of Python are tested via:

Testing

Tests are written using unittest and require no third-party packages.

Depending on what type of source is available for the package, the following commands can be used to run the test suite.

Git Repository

When working within a Git working copy, or an archive of the Git repository, the full test suite is run via:

python run.py tests

To run only some tests, pass a regular expression as a parameter to tests.

python run.py tests ocsp

PyPi Source Distribution

When working within an extracted source distribution (aka .tar.gz) from PyPi, the full test suite is run via:

python setup.py test

Package

When the package has been installed via pip (or another method), the package asn1crypto_tests may be installed and invoked to run the full test suite:

pip install asn1crypto_tests
python -m asn1crypto_tests

Development

To install the package used for linting, execute:

pip install --user -r requires/lint

The following command will run the linter:

python run.py lint

Support for code coverage can be installed via:

pip install --user -r requires/coverage

Coverage is measured by running:

python run.py coverage

To change the version number of the package, run:

python run.py version {pep440_version}

To install the necessary packages for releasing a new version on PyPI, run:

pip install --user -r requires/release

Releases are created by:

Existing releases can be found at https://pypi.org/project/asn1crypto/.

CI Tasks

A task named deps exists to download and stage all necessary testing dependencies. On posix platforms, curl is used for downloads and on Windows PowerShell with Net.WebClient is used. This configuration sidesteps issues related to getting pip to work properly and messing with site-packages for the version of Python being used.

The ci task runs lint (if flake8 is available for the version of Python) and coverage (or tests if coverage is not available for the version of Python). If the current directory is a clean git working copy, the coverage data is submitted to codecov.io.

python run.py deps
python run.py ci