Native Python implementation of SESAME, the proposed SCTE 130-9 security layer for the ESAM interface (HMAC auth, channel-scoped authorization, AES-256-GCM payload encryption).
Project description
sesame-esam (Python)
A native Python implementation of SESAME (Secure ESAM Authentication and
Message Encryption), the proposed SCTE 130-9 security layer for the ESAM
interface. A sibling of the Rust crate and C++ SDK in this repo, proven against
the same golden vectors (../test-vectors/), so a Python signer and a Rust,
C++, or rust-pois verifier interoperate byte-for-byte.
- Three tiers over a Tier-0 baseline: HMAC-SHA256 auth (1), channel-scoped authorization (2), AES-256-GCM payload encryption (3), plus signed responses.
- One dependency:
cryptographyfor AES-256-GCM (hmac/hashlibfrom the stdlib cover the rest). - Pythonic API:
verify_request/sign_response; failures raiseSesameError(with.codeand.http_status, Appendix A.7).
PyPI package: sesame-esam; import name: sesame. See
../SESAME.md for the byte-exact wire format (draft v0.5).
Install
pip install sesame-esam
Quick start
Verify an inbound request (the POIS side):
from sesame import (verify_request, RequestContext, SesameConfig, SesameHeaders,
StaticKeyProvider, ChannelScope, InMemoryReplayCache, Tier, SesameError)
import time
keys = StaticKeyProvider().with_signing_key(
"sas-east-01", b"shared-secret", ChannelScope.list(["SportsFeed-East"]))
replay = InMemoryReplayCache(300)
headers = SesameHeaders.from_lookup(lambda name: request_headers.get(name))
ctx = RequestContext("POST", "/esam", target_channel=None)
try:
v = verify_request(SesameConfig(), keys, replay, ctx, headers, body,
int(time.time()), Tier.ONE)
# v.plaintext is the ESAM XML; v.achieved_tier / v.key_id / v.scope_channel
except SesameError as e:
# e.code (SesameErrorCode), e.http_status
...
Sign an outbound response (the POIS side):
from sesame import sign_response, ResponseParams, SesameConfig, Tier
import time
params = ResponseParams(signing_key_id="pois-primary",
correlation="ap-1:sigid-20260224-001", tier=Tier.ONE)
resp = sign_response(SesameConfig(), keys, params, xml, int(time.time()))
# attach resp.headers (list of (name, value)), send resp.body with resp.content_type
Development
python -m venv .venv && . .venv/bin/activate
pip install -e ".[dev]"
pytest -q # conformance (golden vectors) + unit (KATs + negative matrix)
python examples/sign_request.py 3
License
Dual-licensed under MIT or Apache-2.0.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file sesame_esam-0.1.0.tar.gz.
File metadata
- Download URL: sesame_esam-0.1.0.tar.gz
- Upload date:
- Size: 10.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e872304abc7186f2c82b42659c79675314eede5948ccc445cca5300d1a07a149
|
|
| MD5 |
50e80bb2259492bf533e6b53f3a68437
|
|
| BLAKE2b-256 |
40eefcba7503b92f89ff5f90e906f4fc9e69d58320bfc64d560fc164eada2825
|
File details
Details for the file sesame_esam-0.1.0-py3-none-any.whl.
File metadata
- Download URL: sesame_esam-0.1.0-py3-none-any.whl
- Upload date:
- Size: 10.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
15480809a9e0f35bfb96da615b13271a5f20111e40363d730713d5808ef91ca6
|
|
| MD5 |
fe72838b81de1aa85fd9a606ef56834e
|
|
| BLAKE2b-256 |
71a1676f825716f82460731f5cdb0ba7c6e2f3fdabbaf0f576677cc43b9fe21a
|