Skip to main content
Python Software Foundation 20th Year Anniversary Fundraiser  Donate today!

mbed TLS (PolarSSL) wrapper

Project description

https://circleci.com/gh/Synss/python-mbedtls/tree/develop.svg?style=svg https://coveralls.io/repos/github/Synss/python-mbedtls/badge.svg?branch=develop

python-mbedtls is a thin wrapper to ARM’s mbed TLS library.

According to the official mbed TLS website

mbed TLS (formerly known as PolarSSL) makes it trivially easy for developers to include cryptographic and SSL/TLS capabilities in their (embedded) products, facilitating this functionality with a minimal coding footprint.

License

python-mbedtls is licensed under the MIT License (see LICENSE.txt). This enables the use of python-mbedtls in both open source and closed source projects. The MIT License is compatible with both GPL and Apache 2.0 license under which mbed TLS is distributed.

Installation

The bindings are tested with Python 2.7, 3.4, 3.5, and 3.6.

mbedtls is available on Debian. Install with:

# aptitude install libmbedtls-dev

and the wrapper:

python -m pip install python-mbedtls

Hashing module (md.h)

Message digest algorithms

The mbedtls.hash module provides MD5, SHA-1, SHA-2, and RIPEMD-160 secure hashes and message digests. The API follows the recommendations from PEP 452 so that it can be used as a drop-in replacement to e.g. hashlib or PyCrypto.

Here are the examples from hashlib executed with python-mbedtls:

>>> from mbedtls import hash as hashlib
>>> m = hashlib.md5()
>>> m.update(b"Nobody inspects")
>>> m.update(b" the spammish repetition")
>>> m.digest()
b'\xbbd\x9c\x83\xdd\x1e\xa5\xc9\xd9\xde\xc9\xa1\x8d\xf0\xff\xe9'
>>> m.digest_size
16
>>> m.block_size
64

More condensed:

>>> hashlib.sha224(b"Nobody inspects the spammish repetition").hexdigest()
'a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2'

Using new():

>>> h = hashlib.new('ripemd160')
>>> h.update(b"Nobody inspects the spammish repetition")
>>> h.hexdigest()
'cc4a5ce1b3df48aec5d22d1f16b894a0b894eccc'

HMAC algorithm

The mbedtls.hmac module computes HMAC. The API follows the recommendations from PEP 452 as well.

Example:

>>> from mbedtls import hmac
>>> m = hmac.new(b"This is my secret key", digestmod="md5")
>>> m.update(b"Nobody inspects")
>>> m.update(b" the spammish repetition")
>>> m.digest()
b'\x9d-/rj\\\x98\x80\xb1rG\x87\x0f\xe9\xe4\xeb'

Warning:

The message is cleared after calculation of the digest. Only call mbedtls.hmac.Hmac.digest() or mbedtls.hmac.Hmac.hexdigest() once per message.

Symmetric cipher module (cipher.h)

The mbedtls.cipher module provides symmetric encryption. The API follows the recommendations from PEP 272 so that it can be used as a drop-in replacement to e.g. PyCrypto.

mbedtls provides the following algorithms:

  • Aes encryption/decryption (128, 192, and 256 bits) in ECB, CBC, CFB128, CTR, GCM, or CCM mode;
  • Arc4 encryption/decryption;
  • Blowfish encryption/decryption in ECB, CBC, CFB64, or CTR mode;
  • Camellia encryption/decryption (128, 192, and 256 bits) in ECB, CBC, CFB128, CTR, GCM, or CCM mode;
  • DES encryption/decryption in ECB, or CBC mode;
Notes:
  • Tagging and padding are not wrapped.
  • The counter in CTR mode cannot be explicitly provided.

Example:

>>> from mbedtls import cipher
>>> c = cipher.AES.new(b"My 16-bytes key.", cipher.MODE_CBC, b"CBC needs an IV.")
>>> enc = c.encrypt(b"This is a super-secret message!")
>>> enc
b'*`k6\x98\x97=[\xdf\x7f\x88\x96\xf5\t\x19J7\x93\xb5\xe0~\t\x9e\x968m\xcd\x
>>> c.decrypt(enc)
b'This is a super-secret message!'

Public key module (pk.h)

The mbedtls.pk module provides the RSA cryptosystem. This includes:

  • Public-private key generation and key import/export in PEM and DER formats;
  • Asymmetric encryption and decryption;
  • Message signature and verification.

Key generation, the default size is 2048 bits:

>>> from mbedtls import pk
>>> rsa = pk.RSA()
>>> rsa.has_private()
False
>>> rsa.generate()
>>> rsa.key_size
256
>>> rsa.has_private() and rsa.has_public()
True

Message encryption and decryption:

>>> enc = rsa.encrypt(b"secret message")
>>> rsa.decrypt(enc)
b"secret message"

Message signature and verification:

>>> sig = rsa.sign(b"Please sign here.")
>>> rsa.verify(b"Please sign here.", sig)
True
>>> rsa.verify(b"Sorry, wrong message.", sig)
False
>>> prv, pub = rsa.export(format="DER")
>>> other = pk.RSA()
>>> other.import_(pub)
>>> other.has_private()
False
>>> other.verify(b"Please sign here.", sig)
True

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for python-mbedtls, version 0.7
Filename, size File type Python version Upload date Hashes
Filename, size python-mbedtls-0.7.tar.gz (29.7 kB) File type Source Python version None Upload date Hashes View

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring DigiCert DigiCert EV certificate Facebook / Instagram Facebook / Instagram PSF Sponsor Fastly Fastly CDN Google Google Object Storage and Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Salesforce Salesforce PSF Sponsor Sentry Sentry Error logging StatusPage StatusPage Status page