Python async library for signing x509 using keys in a pkcs11 device such as an HSM.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for kushaldas from gravatar.com kushaldas Avatar for masv from gravatar.com masv

Unverified details

These details have not been verified by PyPI
Project links
Meta

Project description

workflow ubuntu workflow centos workflow debian

python_x509_pkcs11

Seamless async signing x509 using PKCS11 device for key storage

Currently supports

  • Creating root CAs and generating their keys in the PKCS11 device.
  • Using the keys in the PKCS11 device to sign certificates or Intermediate CAs.
  • Creating certificates, CSRs, CRLs, OCSPs with the PKCS11 device keys enabling a full PKI infrastructure.
  • 'Advanced' handling of fragile persistent PKCS11 sessions, including recreating the session if PKCS11 operation timeout.
  • This package is heavily uses python-pkcs11 and asn1crypto.
  • Package is async but python-pkcs11 is unfortunately still sync, probably due to the fragile nature of PKCS11.
  • Tested with SoftHSM and LUNAHSM.

Setup

# Install libs and add your user to the softhsm group
# You should probably replace softhsm when using this in production, any PKCS11 device should work

if awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i "debian\|ubuntu"
then
    # Ubuntu / Debian
    sudo apt-get install python3-dev python3-pip softhsm2
    sudo usermod -a -G softhsm $USER
else
    # Redhat / Centos / Fedora
    sudo dnf install python3-devel python3-pip softhsm gcc 
    sudo usermod -a -G ods $USER
fi

# Update your softhsm group membership
exec sudo su -l $USER

# Install this package
pip3 install python_x509_pkcs11

# export env values the code will use
if awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i "debian\|ubuntu"
then
    export PKCS11_MODULE="/usr/lib/softhsm/libsofthsm2.so"
else
    export PKCS11_MODULE="/usr/lib64/softhsm/libsofthsm.so"
fi
export PKCS11_PIN="1234"
export PKCS11_TOKEN="my_test_token_1"

# Initialize the token
softhsm2-util --init-token --slot 0 --label $PKCS11_TOKEN --pin $PKCS11_PIN --so-pin $PKCS11_PIN

Usage

Look at the documentation for quick examples to begin.

The tests are also a good starting point

Here is the basic, create a root CA and then use its key in the PKCS11 device to sign a csr:

# export env values the code will use
if awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i "debian\|ubuntu"
then
    export PKCS11_MODULE="/usr/lib/softhsm/libsofthsm2.so"
else
    export PKCS11_MODULE="/usr/lib64/softhsm/libsofthsm.so"
fi
export PKCS11_PIN="1234"
export PKCS11_TOKEN="my_test_token_1"


# Delete the previous token if exists
softhsm2-util --delete-token --token $PKCS11_TOKEN

# Initialize a new fresh PKCS11 token
softhsm2-util --init-token --slot 0 --label $PKCS11_TOKEN --pin $PKCS11_PIN --so-pin $PKCS11_PIN

import asyncio
from python_x509_pkcs11.ca import create


async def my_func() -> None:
    root_ca_name_dict = {
        "country_name": "SE",
        "state_or_province_name": "Stockholm",
        "locality_name": "Stockholm",
        "organization_name": "SUNET",
        "organizational_unit_name": "SUNET Infrastructure",
        "common_name": "ca-test.sunet.se",
        "email_address": "soc@sunet.se",
    }

    # key_type must be:
    # [ed25519](https://en.wikipedia.org/wiki/EdDSA). This is default.
    # ed448
    # secp256r1
    # secp384r1
    # secp521r1
    # rsa_2048
    # rsa_4096

    csr_pem, root_cert_pem = await create("my_ed25519_key", root_ca_name_dict, key_type="ed25519")

    print("CSR which was self-signed into root CA")
    print(csr_pem)

    print("root CA")
    print(root_cert_pem)


asyncio.run(my_func())

Contributing / Tests

# install
if awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i "debian\|ubuntu"
then
    # Ubuntu / Debian
    sudo apt-get install flit python3-mypy black pylint
else
    # Redhat / Centos / Fedora
    sudo dnf install epel-release
    sudo dnf install python3-flit python3-mypy python3-black pylint
fi


# Make your code changes
# Then in the root folder, where this README is
bash deploy.sh

# Build the package with flit
flit build

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for kushaldas from gravatar.com kushaldas Avatar for masv from gravatar.com masv

Unverified details

These details have not been verified by PyPI
Project links
Meta

Release history Release notifications | RSS feed

This version

0.9.0

0.8.4

0.8.3

0.8.2

0.8.1

0.8.0

0.7.1

0.7.0

0.6.37

0.6.34

0.6.33

0.6.31

0.6.3

0.6.2

0.6.1

0.6.0

0.5.1

0.5.0

0.4.43

0.4.41

0.4.3

0.3.22

0.3.21

0.3.0

0.2.33

0.2.32

0.2.31

0.2.30

0.2.29

0.2.28

0.2.27

0.2.26

0.2.25

0.2.24

0.2.23

0.2.22

0.2.2

0.2.1

0.2.0

0.1.90

0.1.88

0.1.87

0.1.85

0.1.84

0.1.83

0.1.82

0.1.81

0.1.8

0.1.7

0.1.6

0.1.5

0.1.3

0.1.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

python_x509_pkcs11-0.9.0.tar.gz (75.1 kB view hashes)

Uploaded Source

Built Distribution

python_x509_pkcs11-0.9.0-py3-none-any.whl (27.6 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page