PKCS11 Keys classes for cryptography

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for rgammans from gravatar.com rgammans

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: MIT License

Author: Roger Gammans

Tags pkcs11, security, cryptography

Requires: Python >3.6.0

Classifiers

Project description

This module provide cryptography compatible proxy class for using a crypto smartcard , (such as yubi key, or PKCS#11 token) to process the actually cryptographic workload.

These are normally considered to be ‘secure’ tokens and the private key they are normally configured so the private key is not extractable from the token’s hardware. As a result you need to request the token to do any cryptographic operation for which you would normally use the private key.

In this module you will find a new abstraction of cryptography’s RSAPrivateKey class called RSAPrivateToken which instead using one the normal cryptography provided backend uses an hardware token directly.

Currently this means the PKCS#11 API, as provided on Linux by the opensc-pkcs11 [1] package. TokenCrypt uses the PyKCS11 library to wrap the opensc PKCS#11 library and needs a environment variable set so the library can be found on debian that would be

export PYKCS11LIB=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

A use case of this library would be to use a yubikey to provide Oauth identity services to python applications which use the requests-Oauth2 library. This is quite common if you are accessing 3rd party APIs to cloud service systems.

In this case a RSAPrivateToken can be provided to the library in the place of the usual RSAPrivateKey.

Many library examples show providing an PEM encoded string, but they also work with a subclass of cryptography’s RSAPrivateKey, as shown below.

Example

import TokenCrypt
from ThierAPI import APIConection, PrivateCredentials # Not a working example.

rsa_key = TokenCrypt.RSAPrivateToken(slot = 0 , key = 0, pin = '123456' )
with rsa_key:
    credentials = PrivateCredentials(args.consumer_key, rsa_key)
    api = APIConection(credentials)

    do_something_with(api)

Current Status

This is an initial proof of concept release which is design to have enough code to support working as an Oauth client. As a result the only action currently implemented on the key is signing.

But there is a lot todo, Pull requests and bug reports welcome.

TODO

  • Implement RSAPublicToken .

  • Dynamically select the signing mechanism based to the provided padding and hash.

  • Implement decrypt.

  • Implement certificate extraction.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for rgammans from gravatar.com rgammans

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: MIT License

Author: Roger Gammans

Tags pkcs11, security, cryptography

Requires: Python >3.6.0

Classifiers

Release history Release notifications | RSS feed

This version

0.1.2

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tokencrypt-0.1.2.tar.gz (4.0 kB view hashes)

Uploaded Source

Built Distribution

tokencrypt-0.1.2-py3-none-any.whl (4.0 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page