KSeF Authentication library
Project description
Python KSeF Authentication Library (for PKCS#11 and local private keys)
Note: This Python library handles logging in to KSeF with any private key exposed through the PKCS#11 interface: qualified electronic signatures and seals (on a card, a USB token, or an HSM), as well as KSeF-issued certificates whose private keys are stored on an HSM (e.g. YubiHSM, YubiKey, Google Cloud KMS). It also supports classic authentication with a key stored locally on disk in a .key file (PEM format).
Supported features:
- Authentication using private keys available through the PKCS#11 interface:
  - Qualified signature or qualified seal issued on a physical device,
  - KSeF Certificate hosted on an HSM (e.g. YubiHSM, YubiKey, Google Cloud KMS).
- Authentication using a certificate and private key stored as PEM files on the local hard disk.
Installation
The library is available on PyPI: pyksef
pip3 install pyksef
CLI Usage
List available PKCS#11 tokens
Command:
p11_list_tokens \
--pkcs11-dll "C:\Program Files\Krajowa Izba Rozliczeniowa S.A\Szafir 2.0\bin\CCGraphiteP11p.x64.dll"
Output:
TokenRecord(slot=<Slot (slotID=2 flags=7)>, label='PKI Token 1 (Primary)', serial='31333132303030313233343536373839', manufacturer_id='CryptoTech P.S.A.', model='CCGraphitePro', hardware_version=(0, 0), firmware_version=(0, 0), flags=<TokenFlag.LOGIN_REQUIRED|USER_PIN_INITIALIZED|TOKEN_INITIALIZED: 1036>)
TokenRecord(slot=<Slot (slotID=3 flags=7)>, label='PKI Token 2 (QSCD)', serial='31333132303030313233343536373839', manufacturer_id='CryptoTech P.S.A.', model='CCGraphitePro', hardware_version=(0, 0), firmware_version=(0, 0), flags=<TokenFlag.WRITE_PROTECTED|LOGIN_REQUIRED|USER_PIN_INITIALIZED|TOKEN_INITIALIZED: 1038>)
List available private keys/certificates for PKCS#11 token
Command:
p11_list_objects \
--pkcs11-dll "C:\Program Files\Krajowa Izba Rozliczeniowa S.A\Szafir 2.0\bin\CCGraphiteP11p.x64.dll" \
--token-label "PKI Token 2 (QSCD)" \
--token-serial "31333132303030313233343536373839" \
--user-pin 123456
Output:
CertificateRecord(x509_cert=<Certificate(subject=<Name(C=PL,2.5.4.5=PNOPL-12345678900,CN=Jan Kowalski,2.5.4.42=Jan,2.5.4.4=Kowalski)>, ...)>)
PrivateKeyRecord(label='No Friendly Name Available', id='6572df736d642974a2bab6ddba753aefb89afcce', key_type=<KeyType.RSA>)
Fetch certificates stored on a PKCS#11 token
Command:
p11_list_objects \
--pkcs11-dll "C:\Program Files\Krajowa Izba Rozliczeniowa S.A\Szafir 2.0\bin\CCGraphiteP11p.x64.dll" \
--token-label "PKI Token 2 (QSCD)" \
--token-serial "31333132303030313233343536373839" \
--user-pin 123456 \
--output certificates
Output:
-----BEGIN CERTIFICATE-----
MIIHe...
-----END CERTIFICATE-----
Perform KSeF authentication using private key available through PKCS#11
Command:
ksef_auth_pkcs11 \
--pkcs11-dll "C:\Program Files\Krajowa Izba Rozliczeniowa S.A\Szafir 2.0\bin\CCGraphiteP11p.x64.dll" \
--token-label "PKI Token 2 (QSCD)" \
--key-id 6572df736d642974a2bab6ddba753aefb89afcce \
--user-pin 123456 \
--target-nip 5421234567
Output:
{"referenceNumber": "XXXXXXXX-XX-XXXXXXXXXX-XXXXXXXXXX-XX", "authenticationToken": {"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "validUntil": "2026-02-04T15:20:15.6254824+00:00"}}
Perform KSeF authentication using certificate/private key file pair stored on disk
Command:
ksef_auth_file \
--cert-file ksef.crt \
--key-file ksef.key \
--key-passphrase "MyPassword54321!!" \
--target-nip 5421234567
Output:
{"referenceNumber": "XXXXXXXX-XX-XXXXXXXXXX-XXXXXXXXXX-XX", "authenticationToken": {"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "validUntil": "2026-02-04T15:20:15.6254824+00:00"}}
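Handling the JSON printed by either authentication command above, as an added example (not part of pyksef): it parses the result, trims the 7-digit fractional seconds in `validUntil` that `datetime.fromisoformat` rejects before Python 3.11, checks the expiry with a safety margin, and builds a log-safe view that omits the token. `SAMPLE_OUTPUT` is constructed and the helper names are hypothetical.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the CLI output above (token is a placeholder).
SAMPLE_OUTPUT = (
    '{"referenceNumber": "XXXXXXXX-XX-XXXXXXXXXX-XXXXXXXXXX-XX", '
    '"authenticationToken": {"token": "eyJhbGciOi.PLACEHOLDER.SIGNATURE", '
    '"validUntil": "2026-02-04T15:20:15.6254824+00:00"}}'
)

_TS = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)$")


def parse_valid_until(text):
    """Parse validUntil, truncating the fraction to microseconds first."""
    m = _TS.match(text)
    if not m:
        raise ValueError(f"unexpected validUntil format: {text!r}")
    base, frac, tz = m.groups()
    frac = (frac or "0")[:6].ljust(6, "0")
    tz = "+00:00" if tz == "Z" else tz
    return datetime.fromisoformat(f"{base}.{frac}{tz}")


def load_auth_result(raw):
    """Extract the fields shown in the sample output; KeyError if one is missing."""
    data = json.loads(raw)
    auth = data["authenticationToken"]
    return {
        "reference": data["referenceNumber"],
        "token": auth["token"],
        "valid_until": parse_valid_until(auth["validUntil"]),
    }


def is_usable(result, now=None, margin=timedelta(seconds=30)):
    """True while the token stays valid for at least `margin` longer."""
    now = now or datetime.now(timezone.utc)
    return now + margin < result["valid_until"]


def redacted(result):
    """Log-safe view: reference number and expiry only, never the token."""
    return {
        "reference": result["reference"],
        "token": f"<redacted, {len(result['token'])} chars>",
        "valid_until": result["valid_until"].isoformat(),
    }
```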
Usage via Python
PKCS#11 Authentication
```python
import binascii

from pyksef import ksef_auth_xades, SubjectIdentifierType
from pyksef.p11 import PKCS11Lib, get_leaf_certificate, create_p11_private_key

PROD_API_BASE_URL = "https://api.ksef.mf.gov.pl/v2"

# load PKCS#11 library for CryptoCard Graphite (note that any qualified signature/seal issuer is supported)
lib = PKCS11Lib("C:\\Program Files\\Krajowa Izba Rozliczeniowa S.A\\Szafir 2.0\\bin\\CCGraphiteP11p.x64.dll")

# set token label and PIN; if you don't know your token_label, check it using cli_p11_list_tokens.py tool
# or invoke `lib.get_tokens()` programmatically
lib.set_token(token_label="PKI Token 2 (QSCD)", user_pin="123456")

# set private key ID; if you don't know your key_id, check it using cli_p11_list_objects.py tool
# or invoke `lib.get_private_keys()` programmatically
lib.set_private_key(key_id=binascii.unhexlify("6572df736d642974a2bab6ddba753aefb89afcce"))

# download the signer's certificate from the signer device directly
cert = get_leaf_certificate(o.x509_cert for o in lib.get_certificates())

# alternatively, you may just read the signer's certificate from file
# ---
# from pyksef.x509 import load_pem_x509_certificate
# with open("ksef.crt", "rb") as f:
#     cert = load_pem_x509_certificate(f.read())
# ---

res = ksef_auth_xades(
    api_base_url=PROD_API_BASE_URL,
    cert=cert,
    key=create_p11_private_key(lib, cert),
    target_nip="5421234567",
    identifier_type=SubjectIdentifierType.certificateSubject,
)
print(res)
```
Authentication with private key on local disk
```python
from pyksef import ksef_auth_xades, PEMPrivateKey, SubjectIdentifierType
from pyksef.x509 import load_pem_x509_certificate

PROD_API_BASE_URL = "https://api.ksef.mf.gov.pl/v2"

# load X.509 certificate from file
with open('_private/ksef.crt', 'rb') as f:
    cert = load_pem_x509_certificate(f.read())

# load private key from file
with open('_private/ksef.key', 'rb') as f:
    key_pem = f.read()

# construct PEMPrivateKey object with file contents and passphrase to decrypt the key
key = PEMPrivateKey(key_pem, b"MyPassword54321!!")

# perform KSeF authentication
res = ksef_auth_xades(
    api_base_url=PROD_API_BASE_URL,
    cert=cert,
    key=key,
    target_nip="5421234567",
    identifier_type=SubjectIdentifierType.certificateSubject,
)
print(res)
```
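An added example, not part of pyksef, for the on-disk variant above: it refuses a key file that is unencrypted or accessible to group/others, and takes the passphrase from an environment variable or a no-echo prompt instead of a literal in the source. The helper names and `KSEF_KEY_PASSPHRASE` are assumptions.

```python
import getpass
import os
import stat


def read_secret(env_var, prompt, environ=None, ask=getpass.getpass):
    """Take a PIN or passphrase from the environment, else prompt without echo."""
    environ = os.environ if environ is None else environ
    value = environ.get(env_var) or ask(prompt)
    if not value:
        raise ValueError(f"no value supplied for {env_var}")
    return value


def audit_key_file(path):
    """Return a list of findings for a PEM private key file (empty list = OK)."""
    findings = []
    with open(path, "rb") as f:
        pem = f.read()
    if b"PRIVATE KEY-----" not in pem:
        findings.append("not a PEM private key")
    # PKCS#8 encrypted keys use the ENCRYPTED PRIVATE KEY label; traditional
    # OpenSSL keys carry a "Proc-Type: 4,ENCRYPTED" header instead.
    elif (b"-----BEGIN ENCRYPTED PRIVATE KEY-----" not in pem
          and b"Proc-Type: 4,ENCRYPTED" not in pem):
        findings.append("key is stored unencrypted")
    if os.name == "posix":  # mode bits carry no meaning on Windows
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"key file mode {mode:04o} is accessible to group/others")
    return findings


def load_key_material(path, env_var="KSEF_KEY_PASSPHRASE"):
    """Return (pem_bytes, passphrase_bytes), or raise if the audit fails."""
    findings = audit_key_file(path)
    if findings:
        raise PermissionError(f"{path}: " + "; ".join(findings))
    with open(path, "rb") as f:
        pem = f.read()
    return pem, read_secret(env_var, "Key passphrase: ").encode()

# With pyksef installed: key = PEMPrivateKey(*load_key_material("_private/ksef.key"))
```

The same `read_secret` helper can supply `user_pin` to `lib.set_token(...)` in the PKCS#11 variant.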
File details
Details for the file pyksef-0.1.3.tar.gz.
File metadata
- Download URL: pyksef-0.1.3.tar.gz
- Upload date:
- Size: 13.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 65527ee4ea6459342f3a559ebcf1cc6c68cc6daa1f47b5fc0b7815754690183c |
| MD5 | d84941a4c4ffa04c52a17c82a11a8777 |
| BLAKE2b-256 | b048253a45414dd281b7757056693dd3e4f9ca9929abbd1018f43ee2efdf06e8 |
Provenance
The following attestation bundles were made for pyksef-0.1.3.tar.gz:
Publisher: publish.yml on icedevml/pyksef
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: pyksef-0.1.3.tar.gz
- Subject digest: 65527ee4ea6459342f3a559ebcf1cc6c68cc6daa1f47b5fc0b7815754690183c
- Sigstore transparency entry: 929270186
- Sigstore integration time:
- Permalink: icedevml/pyksef@8436a155f4f27159321b92f9fd870fc9847ffe77
- Branch / Tag: refs/tags/v0.1.3
- Owner: https://github.com/icedevml
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@8436a155f4f27159321b92f9fd870fc9847ffe77
- Trigger Event: release
File details
Details for the file pyksef-0.1.3-py3-none-any.whl.
File metadata
- Download URL: pyksef-0.1.3-py3-none-any.whl
- Upload date:
- Size: 15.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 89ccf37d2d22dc87a75fa24eeb62d3cc23a19e92355158e9eb3ea342d7f8fc82 |
| MD5 | af8ebca2264694e201d9b61919cdfc0e |
| BLAKE2b-256 | ceea837152905b6a3721b389a9655dbc309bab1bf508aa314517cd220009fb9b |
Provenance
The following attestation bundles were made for pyksef-0.1.3-py3-none-any.whl:
Publisher: publish.yml on icedevml/pyksef
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: pyksef-0.1.3-py3-none-any.whl
- Subject digest: 89ccf37d2d22dc87a75fa24eeb62d3cc23a19e92355158e9eb3ea342d7f8fc82
- Sigstore transparency entry: 929270206
- Sigstore integration time:
- Permalink: icedevml/pyksef@8436a155f4f27159321b92f9fd870fc9847ffe77
- Branch / Tag: refs/tags/v0.1.3
- Owner: https://github.com/icedevml
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@8436a155f4f27159321b92f9fd870fc9847ffe77
- Trigger Event: release