This question pertains to Passbook which is under NDA for the next few days, but this is a generic PKCS7 question.
I have a .p12 file that is exported from my keychain. I am able to separate this into 2 pems using the following commands:

    openssl pkcs12 -in "mycert.p12" -clcerts -nokeys -out certificate.pem
    openssl pkcs12 -in "mycert.p12" -nocerts -out key.pem

The next step is to use this key and certificate to create a signed PKCS7 file. This is easy to do with openssl:

    openssl smime -binary -sign \
        -signer certificate.pem -inkey key.pem \
        -in <datafile> -out signature \
        -outform DER

The question is, what is the best way to do this in Google App Engine, assuming I have the certificate and key? Unfortunately I'm a little new to cryptography, but I've been googling around and found PyCrypto and keyczar. Is there an accepted way to do this on App Engine, or will I need to write something? Any recommendations on which package to start with?
I know that openssl is not available on AppEngine, but PyCrypto is if you use python 2.7, right? And I've seen posts of people getting keyczar to work with it. I have not been able to find a simple way of generating PKCS7-encoded data given the key and certificate, though.
Thanks in advance for any guidance.
Here's a way using M2Crypto, taken from https://github.com/devartis/passbook:
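
    import base64
    from M2Crypto import SMIME

    def passwordCallback(*args, **kwds):
        # Passphrase for the encrypted key.pem; `password` must be defined by the caller
        return password

    smime = SMIME.SMIME()
    smime.load_key('key.pem', 'certificate.pem', callback=passwordCallback)
    # `manifest` holds the bytes to sign; the flags request a detached, binary signature
    pk7 = smime.sign(SMIME.BIO.MemoryBuffer(manifest), flags=SMIME.PKCS7_DETACHED | SMIME.PKCS7_BINARY)
    pem = SMIME.BIO.MemoryBuffer()
    pk7.write(pem)
    # convert pem to der: take the body between the BEGIN/END lines and base64-decode it
    der = base64.b64decode(''.join(l.strip() for l in pem.read().decode('ascii').split('-----')[2].splitlines()))
    # DER is binary, so the file is opened in binary mode
    with open('signature', 'wb') as f:
        f.write(der)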
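
For comparison, an added example (not part of the original answer or of the devartis/passbook project) that builds the same kind of detached, binary, DER-encoded PKCS7 signature with the `cryptography` package's `PKCS7SignatureBuilder` instead of M2Crypto. The throwaway self-signed identity, the manifest bytes and the SHA-256 digest are assumptions made for the example; it targets Python 3 and makes no claim about what App Engine allows.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs7
from cryptography.x509.oid import NameOID

def make_test_identity():
    """Throwaway self-signed key and certificate (constructed for the example)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed-test-signer")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
    return key, cert

def load_identity(cert_path, key_path, password):
    """Load the certificate.pem / key.pem pair from the question (password is bytes or None)."""
    with open(cert_path, "rb") as f:
        cert = x509.load_pem_x509_certificate(f.read())
    with open(key_path, "rb") as f:
        key = serialization.load_pem_private_key(f.read(), password)
    return key, cert

def sign_detached(data, cert, key):
    """Return a DER PKCS7 SignedData blob that does not embed `data`."""
    options = [pkcs7.PKCS7Options.DetachedSignature, pkcs7.PKCS7Options.Binary]
    return (
        pkcs7.PKCS7SignatureBuilder()
        .set_data(data)
        .add_signer(cert, key, hashes.SHA256())  # digest choice is an assumption
        .sign(serialization.Encoding.DER, options)
    )

if __name__ == "__main__":
    key, cert = make_test_identity()
    manifest = b'{"pass.json": "constructed-digest-placeholder"}'  # constructed sample
    with open("signature", "wb") as f:
        f.write(sign_detached(manifest, cert, key))
```

With real credentials, `load_identity('certificate.pem', 'key.pem', password)` replaces `make_test_identity()`.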