| Field | Value |
|---|---|
| Name | python-x509-pkcs11 |
| Version | 0.9.0 |
| home_page | None |
| Summary | Python async library for signing x509 using keys in a pkcs11 device such as an HSM. |
| upload_time | 2024-04-03 13:44:25 |
| maintainer | None |
| docs_url | None |
| author | None |
| requires_python | >=3.8 |
| license | None |
| keywords | |
| VCS | |
| bugtrack_url | |
| requirements | No requirements were recorded. |
| Travis-CI | No Travis. |
| coveralls test coverage | No coveralls. |
![workflow ubuntu](https://github.com/SUNET/python_x509_pkcs11/actions/workflows/ubuntu.yaml/badge.svg)
![workflow centos](https://github.com/SUNET/python_x509_pkcs11/actions/workflows/centos.yaml/badge.svg)
![workflow debian](https://github.com/SUNET/python_x509_pkcs11/actions/workflows/debian.yaml/badge.svg)
## python_x509_pkcs11
Seamless async x509 signing using a PKCS11 device for key storage.
Currently supports:
* Creating root CAs and generating their keys in the PKCS11 device.
* Using the keys in the PKCS11 device to sign certificates or intermediate CAs.
* Creating certificates, CSRs, CRLs and OCSP responses with the PKCS11 device keys, enabling a full PKI infrastructure.
* 'Advanced' handling of fragile persistent PKCS11 sessions, including recreating the session if a PKCS11 operation times out.
* This package relies heavily on python-pkcs11 and asn1crypto.
* The package is async but python-pkcs11 is unfortunately still sync, probably due to the fragile nature of PKCS11.
* Tested with SoftHSM and LUNAHSM.
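The last three bullets describe the design constraint the library works around: the PKCS11 call is blocking and can wedge, so the async layer has to bound it with a timeout and throw the session away when it does not return. The block below is an added illustration of that pattern and is not the package's own session code; `FakeSession` is a constructed stand-in for a python-pkcs11 session whose first calls block, and the timeout and attempt count are chosen for the example.

```python
import asyncio
import time
from typing import Callable, Optional, Tuple


class FakeSession:
    """Constructed stand-in for a python-pkcs11 session: the first
    `hang_count` sign() calls block long enough to trip the timeout."""

    def __init__(self, hang_count: int) -> None:
        self.hang_count = hang_count
        self.closed = False

    def sign(self, data: bytes) -> bytes:
        if self.closed:
            raise RuntimeError("sign() on a closed session")
        if self.hang_count > 0:
            self.hang_count -= 1
            time.sleep(0.3)  # simulate a C_Sign call stuck inside the PKCS11 module
        return b"sig:" + data

    def close(self) -> None:
        self.closed = True


class ResilientSigner:
    """Runs the blocking session call on a worker thread, bounds it with a
    timeout, and replaces the session when the call does not come back."""

    def __init__(self, open_session: Callable[[], FakeSession], timeout: float) -> None:
        self._open_session = open_session
        self._timeout = timeout
        self._session: Optional[FakeSession] = None
        # A PKCS11 session must not be shared between concurrent operations,
        # so every call on this signer is serialised through one lock.
        self._lock = asyncio.Lock()
        self.reopens = 0

    async def sign(self, data: bytes, attempts: int = 3) -> bytes:
        loop = asyncio.get_running_loop()
        async with self._lock:
            for _ in range(attempts):
                if self._session is None:
                    self._session = self._open_session()
                session = self._session
                try:
                    return await asyncio.wait_for(
                        loop.run_in_executor(None, session.sign, data), self._timeout
                    )
                except asyncio.TimeoutError:
                    # The worker thread may still be stuck inside the module;
                    # drop the session object so the next attempt starts fresh.
                    session.close()
                    self._session = None
                    self.reopens += 1
            raise RuntimeError(f"PKCS11 sign() failed after {attempts} attempts")


def demo(hang_count: int, every_session: bool = False, timeout: float = 0.1) -> Tuple[bytes, int]:
    """Sign b"hello" through a signer whose first session (or every session,
    if every_session is set) hangs `hang_count` times. Returns the signature
    and how many times the session had to be recreated."""
    sessions = []

    def open_session() -> FakeSession:
        session = FakeSession(hang_count if (every_session or not sessions) else 0)
        sessions.append(session)
        return session

    async def run() -> Tuple[bytes, int]:
        signer = ResilientSigner(open_session, timeout)  # created inside the loop
        signature = await signer.sign(b"hello")
        return signature, signer.reopens

    return asyncio.run(run())


if __name__ == "__main__":
    print(demo(0))  # healthy session, no reopen
    print(demo(1))  # first call hangs, session is recreated once
```

Running the stand-alone block prints `(b'sig:hello', 0)` and then `(b'sig:hello', 1)`. The important choice is that a timed-out session is discarded rather than reused: once a PKCS11 operation has hung, the handle's state is unknown, and reusing it is the usual source of the "fragile session" failures the README mentions.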
## Setup
```bash
# Install libs and add your user to the softhsm group
# You should probably replace softhsm when using this in production, any PKCS11 device should work
if awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i "debian\|ubuntu"
then
    # Ubuntu / Debian
    sudo apt-get install python3-dev python3-pip softhsm2
    sudo usermod -a -G softhsm $USER
else
    # Redhat / Centos / Fedora
    sudo dnf install python3-devel python3-pip softhsm gcc
    sudo usermod -a -G ods $USER
fi

# Update your softhsm group membership
exec sudo su -l $USER

# Install this package
pip3 install python_x509_pkcs11

# export env values the code will use
if awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i "debian\|ubuntu"
then
    export PKCS11_MODULE="/usr/lib/softhsm/libsofthsm2.so"
else
    export PKCS11_MODULE="/usr/lib64/softhsm/libsofthsm.so"
fi
export PKCS11_PIN="1234"
export PKCS11_TOKEN="my_test_token_1"

# Initialize the token
softhsm2-util --init-token --slot 0 --label $PKCS11_TOKEN --pin $PKCS11_PIN --so-pin $PKCS11_PIN
```
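The setup installs the package with a plain `pip3 install`, which trusts whatever the index serves. A library that will hold a CA's keys deserves a hash-pinned install. The block below is an added example, not part of the project; the two sha256 digests are copied from the release record on this page, and the requirements line it produces is meant for `pip install --require-hashes -r requirements.txt`.

```python
import hashlib
import hmac
from pathlib import Path
from typing import Dict, Iterable, Union

# sha256 digests of the 0.9.0 artifacts, copied from the release record on this page
RELEASE_DIGESTS: Dict[str, str] = {
    "python_x509_pkcs11-0.9.0-py3-none-any.whl":
        "68db5aa48f1dcc85214af4a7cf23c359df3df4f39e7222a6ddfe6772f81f78dd",
    "python_x509_pkcs11-0.9.0.tar.gz":
        "b3738572db3f28a99831bf1293896804e6b12138ee438dc95bf8b378810a2433",
}


def requirements_line(name: str, version: str, digests: Iterable[str]) -> str:
    """Build a pip requirements line: with --require-hashes, pip installs the
    artifact only if its sha256 matches one of the listed digests."""
    hashes = " ".join(f"--hash=sha256:{digest}" for digest in digests)
    return f"{name}=={version} {hashes}"


def sha256_file(path: Union[str, Path], chunk_size: int = 1 << 16) -> str:
    """Hex sha256 of a file, read in chunks so large sdists do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_artifact(path: Union[str, Path], expected: Dict[str, str] = RELEASE_DIGESTS) -> bool:
    """True only if the file name is a known artifact and its sha256 matches.
    compare_digest keeps the comparison constant-time, which is cheap insurance."""
    name = Path(path).name
    if name not in expected:
        return False
    return hmac.compare_digest(sha256_file(path), expected[name])


if __name__ == "__main__":
    print(requirements_line("python_x509_pkcs11", "0.9.0", RELEASE_DIGESTS.values()))
```

Write the printed line to `requirements.txt` and install with `pip install --require-hashes -r requirements.txt`; pip then refuses any artifact whose digest differs from the recorded ones, and `verify_artifact` gives the same check for a wheel or sdist downloaded out of band.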
## Usage
Look at the [documentation](https://github.com/SUNET/python_x509_pkcs11/blob/main/docs/README.md) for quick examples to begin.
The [tests](https://github.com/SUNET/python_x509_pkcs11/tree/main/tests) are also a good starting point.
Here is the basic flow: create a root CA and then use its key in the PKCS11 device to sign a CSR.
```bash
# export env values the code will use
if awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i "debian\|ubuntu"
then
    export PKCS11_MODULE="/usr/lib/softhsm/libsofthsm2.so"
else
    export PKCS11_MODULE="/usr/lib64/softhsm/libsofthsm.so"
fi
export PKCS11_PIN="1234"
export PKCS11_TOKEN="my_test_token_1"

# Delete the previous token if it exists
softhsm2-util --delete-token --token $PKCS11_TOKEN

# Initialize a new fresh PKCS11 token
softhsm2-util --init-token --slot 0 --label $PKCS11_TOKEN --pin $PKCS11_PIN --so-pin $PKCS11_PIN
```
```python
import asyncio
from python_x509_pkcs11.ca import create


async def my_func() -> None:
    root_ca_name_dict = {
        "country_name": "SE",
        "state_or_province_name": "Stockholm",
        "locality_name": "Stockholm",
        "organization_name": "SUNET",
        "organizational_unit_name": "SUNET Infrastructure",
        "common_name": "ca-test.sunet.se",
        "email_address": "soc@sunet.se",
    }

    # key_type must be one of:
    # ed25519 (https://en.wikipedia.org/wiki/EdDSA). This is the default.
    # ed448
    # secp256r1
    # secp384r1
    # secp521r1
    # rsa_2048
    # rsa_4096
    csr_pem, root_cert_pem = await create("my_ed25519_key", root_ca_name_dict, key_type="ed25519")

    print("CSR which was self-signed into root CA")
    print(csr_pem)

    print("root CA")
    print(root_cert_pem)


asyncio.run(my_func())
```
## Contributing / Tests
```bash
# install
if awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i "debian\|ubuntu"
then
    # Ubuntu / Debian
    sudo apt-get install flit python3-mypy black pylint
else
    # Redhat / Centos / Fedora
    sudo dnf install epel-release
    sudo dnf install python3-flit python3-mypy python3-black pylint
fi

# Make your code changes
# Then in the root folder, where this README is
bash deploy.sh

# Build the package with flit
flit build
```
Raw data
{
"_id": null,
"home_page": null,
"name": "python-x509-pkcs11",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.8",
"maintainer_email": null,
"keywords": null,
"author": null,
"author_email": "Victor N\u00e4slund <victor@sunet.se>, Magnus Svensson <masv@sunet.se>, Kushal Das <kushal@sunet.se>",
"download_url": "https://files.pythonhosted.org/packages/2e/9b/28694cbc389026b174890cced83fb034fa26ef3a55c46535c6a5d7ac2ab0/python_x509_pkcs11-0.9.0.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": null,
"summary": "Python async library for signing x509 using keys in a pkcs11 device such as an HSM.",
"version": "0.9.0",
"project_urls": {
"Source": "https://github.com/SUNET/python_x509_pkcs11"
},
"split_keywords": [],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "1ade541c6e853502888d76d5b1fecbdd0ee3d21076f73a32ab211f3f17f3632b",
"md5": "554b6b7b6b00bd2d88ec63d6ba76e4b6",
"sha256": "68db5aa48f1dcc85214af4a7cf23c359df3df4f39e7222a6ddfe6772f81f78dd"
},
"downloads": -1,
"filename": "python_x509_pkcs11-0.9.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "554b6b7b6b00bd2d88ec63d6ba76e4b6",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.8",
"size": 27595,
"upload_time": "2024-04-03T13:44:23",
"upload_time_iso_8601": "2024-04-03T13:44:23.202615Z",
"url": "https://files.pythonhosted.org/packages/1a/de/541c6e853502888d76d5b1fecbdd0ee3d21076f73a32ab211f3f17f3632b/python_x509_pkcs11-0.9.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "2e9b28694cbc389026b174890cced83fb034fa26ef3a55c46535c6a5d7ac2ab0",
"md5": "f2c1683ebc29025c7d30c0c5e8f1782f",
"sha256": "b3738572db3f28a99831bf1293896804e6b12138ee438dc95bf8b378810a2433"
},
"downloads": -1,
"filename": "python_x509_pkcs11-0.9.0.tar.gz",
"has_sig": false,
"md5_digest": "f2c1683ebc29025c7d30c0c5e8f1782f",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.8",
"size": 75125,
"upload_time": "2024-04-03T13:44:25",
"upload_time_iso_8601": "2024-04-03T13:44:25.365856Z",
"url": "https://files.pythonhosted.org/packages/2e/9b/28694cbc389026b174890cced83fb034fa26ef3a55c46535c6a5d7ac2ab0/python_x509_pkcs11-0.9.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-04-03 13:44:25",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "SUNET",
"github_project": "python_x509_pkcs11",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [],
"test_requirements": [],
"lcname": "python-x509-pkcs11"
}