PKCS#11 key classes for cryptography
Project description
This module provides a cryptography-compatible proxy class for using a crypto smartcard (such as a YubiKey or a PKCS#11 token) to perform the actual cryptographic workload.
These are normally considered 'secure' tokens, and they are normally configured so that the private key cannot be extracted from the token's hardware. As a result, you have to ask the token to perform any cryptographic operation for which you would normally use the private key.
In this module you will find a new implementation of cryptography's RSAPrivateKey class, called RSAPrivateToken, which instead of using one of the normal cryptography-provided backends uses a hardware token directly.
Currently this means the PKCS#11 API, as provided on Linux by the opensc-pkcs11 [1] package. TokenCrypt uses the PyKCS11 library to wrap the OpenSC PKCS#11 library and needs an environment variable set so that the library can be found; on Debian that would be
    export PYKCS11LIB=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
A use case for this library is using a YubiKey to provide OAuth identity services to Python applications that use the requests-Oauth2 library. This is quite common when accessing third-party APIs of cloud services.
In this case an RSAPrivateToken can be passed to the library in place of the usual RSAPrivateKey.
Many library examples show passing a PEM-encoded string, but they also work with a subclass of cryptography's RSAPrivateKey, as shown below.
Example
import TokenCrypt
from TheirAPI import APIConnection, PrivateCredentials  # Not a working example: TheirAPI stands in for an OAuth client library.

# Select the PKCS#11 slot, the key object on the token, and the PIN that unlocks it.
rsa_key = TokenCrypt.RSAPrivateToken(slot=0, key=0, pin='123456')
with rsa_key:  # the proxy is used as a context manager for as long as the token is in use
    # args.consumer_key is assumed to come from your own argument or config parsing.
    credentials = PrivateCredentials(args.consumer_key, rsa_key)
    api = APIConnection(credentials)
    do_something_with(api)
Current Status
This is an initial proof-of-concept release, designed to have just enough code to work as an OAuth client. As a result, the only operation currently implemented on the key is signing.
There is still a lot to do; pull requests and bug reports are welcome.
TODO
- Implement RSAPublicToken.
- Dynamically select the signing mechanism based on the provided padding and hash.
- Implement decrypt.
- Implement certificate extraction.
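As an added example (not TokenCrypt's own code), the proxy pattern described above combined with the dynamic mechanism selection from the TODO list: RSAPrivateToken below has the sign()/public_key() shape of cryptography's RSAPrivateKey (duck-typed rather than a true subclass) and forwards every signature request to a token object, so no private key bytes ever pass through the application. SoftwareToken is an assumed in-process stand-in that answers like a PKCS#11 C_Sign call so the code runs without hardware, and the mechanism table is the example's own mapping of PKCS#1 v1.5 with SHA-2 hashes to the corresponding CKM_* names.

```python
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# PKCS#11 mechanisms that hash and PKCS#1 v1.5-pad inside the token, keyed by
# cryptography's padding/hash .name values (this table is the example's own).
_MECHANISMS = {
    ("EMSA-PKCS1-v1_5", "sha256"): ("CKM_SHA256_RSA_PKCS", hashes.SHA256),
    ("EMSA-PKCS1-v1_5", "sha384"): ("CKM_SHA384_RSA_PKCS", hashes.SHA384),
    ("EMSA-PKCS1-v1_5", "sha512"): ("CKM_SHA512_RSA_PKCS", hashes.SHA512),
}

def select_mechanism(pad, algorithm):
    """Pick the PKCS#11 mechanism for a cryptography padding + hash pair."""
    try:
        return _MECHANISMS[(pad.name, algorithm.name)][0]
    except KeyError:
        raise ValueError(f"no mechanism for {pad.name} with {algorithm.name}") from None

class SoftwareToken:
    """Assumed stand-in for a PKCS#11 token: the key lives here and is never handed out."""
    def __init__(self):
        self._key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.mechanisms_used = []
    def public_key(self):
        return self._key.public_key()
    def sign(self, mechanism, data):
        # Like C_Sign: the caller supplies a mechanism and data and gets a signature back.
        self.mechanisms_used.append(mechanism)
        hash_cls = next(h for name, h in _MECHANISMS.values() if name == mechanism)
        return self._key.sign(data, padding.PKCS1v15(), hash_cls())

class RSAPrivateToken:
    """Proxy with RSAPrivateKey's sign()/public_key() shape (duck-typed, not a subclass)."""
    def __init__(self, token):
        self._token = token
    def public_key(self):
        return self._token.public_key()
    def sign(self, data, pad, algorithm):
        return self._token.sign(select_mechanism(pad, algorithm), data)
    def private_bytes(self, *args, **kwargs):
        raise NotImplementedError("private key is not extractable from the token")

def sign_and_verify(message, algorithm=None):
    """Sign through the proxy, verify with the public key, return the mechanism used."""
    algorithm = algorithm or hashes.SHA256()
    token = SoftwareToken()
    key = RSAPrivateToken(token)
    signature = key.sign(message, padding.PKCS1v15(), algorithm)
    key.public_key().verify(signature, message, padding.PKCS1v15(), algorithm)
    return token.mechanisms_used[-1]
```

Swapping SoftwareToken for an object whose sign() calls PyKCS11's C_Sign with the selected mechanism is all that changes for real hardware; the proxy and the calling application stay the same.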
File details
Details for the file tokencrypt-0.1.2.tar.gz
File metadata
- Download URL: tokencrypt-0.1.2.tar.gz
- Size: 4.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/41.0.1 requests-toolbelt/0.9.1 tqdm/4.32.2 CPython/3.7.2rc1
File hashes
Algorithm | Hash digest
---|---
SHA256 | e008280d58bf125dbdb3892b0cd18a203a769d889afdd346c4d7e177b8e8f0a5
MD5 | 06744e4baa9010d78524fbe2494e2c58
BLAKE2b-256 | 70487b901bbd4ae666258fb1bf5681bbc8e2bd6032c2a0e88ea3802cfda8359b
File details
Details for the file tokencrypt-0.1.2-py3-none-any.whl
File metadata
- Download URL: tokencrypt-0.1.2-py3-none-any.whl
- Size: 4.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/41.0.1 requests-toolbelt/0.9.1 tqdm/4.32.2 CPython/3.7.2rc1
File hashes
Algorithm | Hash digest
---|---
SHA256 | b7b97e806c40e2bae9e671dbf4abe3a9f0561b5ceb1e84f77c76e8db1b6ab250
MD5 | 8298cd3b2523702636e6f9d0e00a12c7
BLAKE2b-256 | f7b1509a3ac03ec4914f47879cbc9b6ab4bf317be76f77db722f77d3183e7e4a