Skip to main content

Native Python implementation of SESAME, the proposed SCTE 130-9 security layer for the ESAM interface (HMAC auth, channel-scoped authorization, AES-256-GCM payload encryption).

Project description

sesame-esam (Python)

A native Python implementation of SESAME (Secure ESAM Authentication and Message Encryption), the proposed SCTE 130-9 security layer for the ESAM interface. A sibling of the Rust crate and C++ SDK in this repo, proven against the same golden vectors (../test-vectors/), so a Python signer and a Rust, C++, or rust-pois verifier interoperate byte-for-byte.

  • Three tiers over a Tier-0 baseline: HMAC-SHA256 auth (1), channel-scoped authorization (2), AES-256-GCM payload encryption (3), plus signed responses.
  • One dependency: cryptography for AES-256-GCM (hmac/hashlib from the stdlib cover the rest).
  • Pythonic API: verify_request / sign_response; failures raise SesameError (with .code and .http_status, Appendix A.7).

PyPI package: sesame-esam; import name: sesame. See ../SESAME.md for the byte-exact wire format (draft v0.5).

Install

pip install sesame-esam

Quick start

Verify an inbound request (the POIS side):

from sesame import (verify_request, RequestContext, SesameConfig, SesameHeaders,
                    StaticKeyProvider, ChannelScope, InMemoryReplayCache, Tier, SesameError)
import time

keys = StaticKeyProvider().with_signing_key(
    "sas-east-01", b"shared-secret", ChannelScope.list(["SportsFeed-East"]))
replay = InMemoryReplayCache(300)

headers = SesameHeaders.from_lookup(lambda name: request_headers.get(name))
ctx = RequestContext("POST", "/esam", target_channel=None)
try:
    v = verify_request(SesameConfig(), keys, replay, ctx, headers, body,
                       int(time.time()), Tier.ONE)
    # v.plaintext is the ESAM XML; v.achieved_tier / v.key_id / v.scope_channel
except SesameError as e:
    # e.code (SesameErrorCode), e.http_status
    ...

Sign an outbound response (the POIS side):

from sesame import sign_response, ResponseParams, SesameConfig, Tier
import time

params = ResponseParams(signing_key_id="pois-primary",
                        correlation="ap-1:sigid-20260224-001", tier=Tier.ONE)
resp = sign_response(SesameConfig(), keys, params, xml, int(time.time()))
# attach resp.headers (list of (name, value)), send resp.body with resp.content_type

Development

python -m venv .venv && . .venv/bin/activate
pip install -e ".[dev]"
pytest -q          # conformance (golden vectors) + unit (KATs + negative matrix)
python examples/sign_request.py 3

License

Dual-licensed under MIT or Apache-2.0.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sesame_esam-0.1.0.tar.gz (10.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

sesame_esam-0.1.0-py3-none-any.whl (10.3 kB view details)

Uploaded Python 3

File details

Details for the file sesame_esam-0.1.0.tar.gz.

File metadata

  • Download URL: sesame_esam-0.1.0.tar.gz
  • Upload date:
  • Size: 10.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for sesame_esam-0.1.0.tar.gz
Algorithm Hash digest
SHA256 e872304abc7186f2c82b42659c79675314eede5948ccc445cca5300d1a07a149
MD5 50e80bb2259492bf533e6b53f3a68437
BLAKE2b-256 40eefcba7503b92f89ff5f90e906f4fc9e69d58320bfc64d560fc164eada2825

See more details on using hashes here.

File details

Details for the file sesame_esam-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: sesame_esam-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 10.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for sesame_esam-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 15480809a9e0f35bfb96da615b13271a5f20111e40363d730713d5808ef91ca6
MD5 fe72838b81de1aa85fd9a606ef56834e
BLAKE2b-256 71a1676f825716f82460731f5cdb0ba7c6e2f3fdabbaf0f576677cc43b9fe21a

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page