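PKCS #11 (Cryptoki) support for Python
Detailed description of the python-pkcs11 Python project
A high-level, "more Pythonic" interface to the PKCS #11 (Cryptoki) standard, supporting HSM and smartcard devices in Python.
The interface is designed to follow the logical structure of an HSM, with useful defaults for obscurely documented parameters. Many APIs will optionally accept iterables and act as generators, allowing you to stream large data blocks for symmetric encryption.
python-pkcs11 also includes numerous utility functions to convert between PKCS #11 data structures and common interchange formats, including PKCS #1 and X.509.
python-pkcs11 is fully documented and has a full integration test suite for all features, with continuous integration against multiple HSM platforms, including:
- Thales nCipher
- OpenCryptoki TPM
- OpenSC / Smartcard-HSM / Nitrokey HSM
Source: https://github.com/danni/python-pkcs11
Documentation: http://python-pkcs11.readthedocs.io/en/latest/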
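Getting Started
Install from pip:

```shell
pip install python-pkcs11
```

Or build from source:

```shell
python setup.py build
```

The examples below assume that the path to your PKCS #11 library is set in the PKCS11_MODULE environment variable and that the library contains a token named DEMO.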
AES

```python
import os

import pkcs11

# Initialise our PKCS#11 library
lib = pkcs11.lib(os.environ['PKCS11_MODULE'])
token = lib.get_token(token_label='DEMO')

data = b'INPUT DATA'

# Open a session on our token
with token.open(user_pin='1234') as session:
    # Generate an AES key in this session
    key = session.generate_key(pkcs11.KeyType.AES, 256)

    # Get an initialisation vector
    iv = session.generate_random(128)  # AES blocks are fixed at 128 bits

    # Encrypt our data
    crypttext = key.encrypt(data, mechanism_param=iv)
```
3DES

```python
import os

import pkcs11

# Initialise our PKCS#11 library
lib = pkcs11.lib(os.environ['PKCS11_MODULE'])
token = lib.get_token(token_label='DEMO')

data = b'INPUT DATA'

# Open a session on our token
with token.open(user_pin='1234') as session:
    # Generate a DES key in this session
    key = session.generate_key(pkcs11.KeyType.DES3)

    # Get an initialisation vector
    iv = session.generate_random(64)  # DES blocks are fixed at 64 bits

    # Encrypt our data
    crypttext = key.encrypt(data, mechanism_param=iv)
```
RSA

```python
import os

import pkcs11

# Initialise our PKCS#11 library
lib = pkcs11.lib(os.environ['PKCS11_MODULE'])
token = lib.get_token(token_label='DEMO')

data = b'INPUT DATA'

# Open a session on our token
with token.open(user_pin='1234') as session:
    # Generate an RSA keypair in this session
    pub, priv = session.generate_keypair(pkcs11.KeyType.RSA, 2048)

    # Encrypt as one block
    crypttext = pub.encrypt(data)
```
DSA

```python
import os

import pkcs11

# Initialise our PKCS#11 library
lib = pkcs11.lib(os.environ['PKCS11_MODULE'])
token = lib.get_token(token_label='DEMO')

data = b'INPUT DATA'

# Open a session on our token
with token.open(user_pin='1234') as session:
    # Generate a DSA keypair in this session
    pub, priv = session.generate_keypair(pkcs11.KeyType.DSA, 1024)

    # Sign
    signature = priv.sign(data)
```
ECDSA

```python
import os

import pkcs11
import pkcs11.util.ec

# Initialise our PKCS#11 library
lib = pkcs11.lib(os.environ['PKCS11_MODULE'])
token = lib.get_token(token_label='DEMO')

data = b'INPUT DATA'

# Open a session on our token
with token.open(user_pin='1234') as session:
    # Generate an EC keypair in this session from a named curve
    ecparams = session.create_domain_parameters(
        pkcs11.KeyType.EC, {
            pkcs11.Attribute.EC_PARAMS:
                pkcs11.util.ec.encode_named_curve_parameters('prime256v1'),
        }, local=True)
    pub, priv = ecparams.generate_keypair()

    # Sign
    signature = priv.sign(data)
```
Diffie-Hellman

```python
import os

import pkcs11
from pkcs11 import Attribute, KeyType

lib = pkcs11.lib(os.environ['PKCS11_MODULE'])
token = lib.get_token(token_label='DEMO')

# prime, base and _network_ are placeholders: the shared DH parameters
# and the transport to the other party are supplied by the caller.
with token.open() as session:
    # Given shared Diffie-Hellman parameters
    parameters = session.create_domain_parameters(KeyType.DH, {
        Attribute.PRIME: prime,  # Diffie-Hellman parameters
        Attribute.BASE: base,
    })

    # Generate a DH key pair from the public parameters
    public, private = parameters.generate_keypair()

    # Share the public half of it with our other party.
    _network_.write(public[Attribute.VALUE])
    # And get their shared value
    other_value = _network_.read()

    # Derive a shared session key with perfect forward secrecy
    session_key = private.derive_key(
        KeyType.AES, 128,
        mechanism_param=other_value)
```
Elliptic-Curve Diffie-Hellman

```python
import os

import pkcs11
from pkcs11 import KDF, Attribute, KeyType

lib = pkcs11.lib(os.environ['PKCS11_MODULE'])
token = lib.get_token(token_label='DEMO')

# ecparams and _network_ are placeholders supplied by the caller.
with token.open() as session:
    # Given DER encoded EC parameters, e.g. from
    #     openssl ecparam -outform der -name <named curve>
    parameters = session.create_domain_parameters(KeyType.EC, {
        Attribute.EC_PARAMS: ecparams,
    })

    # Generate a DH key pair from the public parameters
    public, private = parameters.generate_keypair()

    # Share the public half of it with our other party.
    _network_.write(public[Attribute.EC_POINT])
    # And get their shared value
    other_value = _network_.read()

    # Derive a shared session key
    session_key = private.derive_key(
        KeyType.AES, 128,
        mechanism_param=(KDF.NULL, None, other_value))
```
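
For a named curve, the EC_PARAMS value used in the ECDSA and ECDH examples is the DER encoding of the curve's object identifier. The following stand-alone decoder is an added example, not code from python-pkcs11 or its documentation; it identifies the curve in an EC_PARAMS value so that keys can be checked against a curve allowlist. The function names, the OID table and the allowlist are assumptions made for illustration.

```python
# Added example. decode_oid, curve_of, is_allowed and both tables are illustrative names.
CURVE_NAMES = {
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
    "1.3.132.0.10": "secp256k1",
}
ALLOWED_CURVES = {"prime256v1", "secp384r1", "secp521r1"}  # example policy (assumption)
# Constructed sample: DER OBJECT IDENTIFIER for prime256v1
SAMPLE_EC_PARAMS = bytes.fromhex("06082a8648ce3d030107")


def decode_oid(der: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER (tag 0x06, short-form length) to dotted form."""
    if len(der) < 3 or der[0] != 0x06:
        raise ValueError("not a DER OBJECT IDENTIFIER")
    if der[1] & 0x80 or der[1] != len(der) - 2 or der[-1] & 0x80:
        raise ValueError("bad length, trailing data or truncated arc")
    arcs, value = [], 0
    for byte in der[2:]:
        if value == 0 and byte == 0x80:
            raise ValueError("non-minimal arc encoding")
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    # The first encoded arc packs the first two components as 40*X + Y
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))


def curve_of(ec_params: bytes) -> str:
    """Return the curve name for an EC_PARAMS value, or raise ValueError."""
    if ec_params[:1] == b"\x30":
        raise ValueError("explicit curve parameters, not a named curve")
    if ec_params[:1] == b"\x05":
        raise ValueError("implicitlyCA parameters, curve is not stated")
    name = CURVE_NAMES.get(decode_oid(ec_params))
    if name is None:
        raise ValueError("curve OID is not in CURVE_NAMES")
    return name


def is_allowed(ec_params: bytes) -> bool:
    """True only for a well-formed named curve that is on the allowlist."""
    try:
        return curve_of(ec_params) in ALLOWED_CURVES
    except ValueError:
        return False
```

With a session open, the value to check would be read from a key object as `key[Attribute.EC_PARAMS]`, the same attribute the examples above set.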
Tested Compatibility
Functionality | SoftHSMv2 | Thales nCipher | Opencryptoki | OpenSC (Nitrokey)
---|---|---|---|---
Get Slots/Tokens | Works | Works | Works | Works
Get Mechanisms | Works | Works | Works | Works
Initialize token | Not implemented | Not implemented | Not implemented | Not implemented
Slot events | Not implemented | Not implemented | Not implemented | Not implemented
Alternative authentication path | Not implemented | Not implemented | Not implemented | Not implemented
Always authenticate keys | Not implemented | Not implemented | Not implemented | Not implemented
Create/Copy: Keys | Works | Works | Errors | Create
Create/Copy: Certificates | Caveats [1] | Caveats [1] | Caveats [1] | ?
Create/Copy: Domain Params | Caveats [1] | Caveats [1] | ? | N/A
Destroy Object | Works | N/A | Works | Works
Generate Random | Works | Works | Works | Works
Seed Random | Works | N/A | N/A | N/A
Digest (Data & Keys) | Works | Caveats [2] | Works | Works
AES: Generate key | Works | Works | Works | N/A
AES: Encrypt/Decrypt | Works | Works | Works | N/A
AES: Wrap/Unwrap | ? [3] | Works | Errors | N/A
AES: Sign/Verify | Works | Works [4] | N/A | N/A
DES2/DES3: Generate key | Works | Works | Works | N/A
DES2/DES3: Encrypt/Decrypt | Works | Works | Works | N/A
DES2/DES3: Wrap/Unwrap | ? | ? | ? | N/A
DES2/DES3: Sign/Verify | ? | ? | ? | N/A
RSA: Generate key pair | Works | Works | Works | Works [4][8]
RSA: Encrypt/Decrypt | Works | Works | Works | Decrypt only [9]
RSA: Wrap/Unwrap | Works | Works | Works | N/A
RSA: Sign/Verify | Works | Works | Works | Works
DSA: Generate parameters | Works | Error | N/A | N/A
DSA: Generate key pair | Works | Caveats [5] | N/A | N/A
DSA: Sign/Verify | Works | Works [4] | N/A | N/A
DH: Generate parameters | Works | N/A | N/A | N/A
DH: Generate key pair | Works | Caveats [6] | N/A | N/A
DH: Derive Key | Works | Caveats [7] | N/A | N/A
EC: Generate key pair | Caveats [6] | ? [3] | N/A | Works
EC: Sign/Verify (ECDSA) | Works [4] | ? [3] | N/A | Sign only [9]
EC: Derive key (ECDH) | Works | ? [3] | N/A | ?
Proprietary extensions | N/A | Not implemented | N/A | N/A

[1] Device supports limited set of attributes.
[2] Digesting keys is not supported.
[3] Untested: requires support in device.
[4] Default mechanism not supported, must specify a mechanism.
[5] From existing domain parameters.
[6] Local domain parameters only.
[7] Generates security warnings about the derived key.
[8] store parameter is ignored, all keys are stored.
[9] Encryption/verify not supported, extract the public key

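Python versions:
- 3.4 (with aenum)
- 3.5 (with aenum)
- 3.6
PKCS #11 versions:
- 2.11
- 2.20
- 2.40
Feel free to send pull requests for any functionality that is not exposed. The code is designed to be readable and straightforward.
If you want your device supported, get in touch!
More info on PKCS #11
The latest version of the PKCS #11 specification is available from OASIS:
http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
You should also consult the documentation for your PKCS #11 implementation. Many implementations expose options that can be configured in the environment, including optional features, modes and debugging information.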
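License
MIT License
Copyright (c) 2017 Danielle Madeley
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.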