Python library for signing x509 using keys in an pkcs11 device such as a HSM
Project description
python_x509_pkcs11
Seamless signing x509 using PKCS11 device for key storage
Currently supports
- Creating a root CA and generating its RSA key in the PKCS11 device
- Using the key in the PKCS11 device to sign certificates (or Intermediate CAs)
- Creating CRLs with the PKCS11 device key
- Store multiple keys in the PKCS11 device enabling a full PKI infrastructure
- 'Advanced' handling of fragile persistent PKCS11 sessions, including recreating the session if PKCS11 operation timeout
This package is pretty much a wrapper around python-pkcs11 and asn1crypto
Setup
# Install this package
pip install python_x509_pkcs11
# Install deps and add your user to the softhsm group
sudo apt-get install opensc softhsm2
sudo usermod -a -G softhsm $USER
sudo reboot # Yeah seem to not update your groups without a reboot
# export env values the code will use
export PKCS11_MODULE="/usr/lib/softhsm/libsofthsm2.so"
export PKCS11_PIN="1234"
export PKCS11_TOKEN="my_test_token_1"
# Initialize the token
softhsm2-util --init-token --slot 0 --label $PKCS11_TOKEN --pin $PKCS11_PIN --so-pin $PKCS11_PIN
Usage
Look at the documentation for quick examples to begin.
The tests are also a good starting point
Here is the basic, create a root CA and then use its key in the PKCS11 device to sign a csr
# export env values the code will use
export PKCS11_MODULE="/usr/lib/softhsm/libsofthsm2.so"
export PKCS11_PIN="1234"
export PKCS11_TOKEN="my_test_token_1"
# Initialize the token
softhsm2-util --init-token --slot 0 --label $PKCS11_TOKEN --pin $PKCS11_PIN --so-pin $PKCS11_PIN
from python_x509_pkcs11 import csr
from python_x509_pkcs11.root_ca import create
from python_x509_pkcs11.pkcs11_handle import PKCS11Session
csr_pem = """-----BEGIN CERTIFICATE REQUEST-----
MIICwzCCAasCAQAwfjELMAkGA1UEBhMCU0UxEjAQBgNVBAgMCVN0b2NraG9sbTEh
MB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRswGQYDVQQDDBJjYS10
ZXN0LTJAc3VuZXQuc2UxGzAZBgkqhkiG9w0BCQEWDHNvY0BzdW5ldC5zZTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALDZWJtcRC/xhft4956paxXhHn95
09XqJvMGDM8ToYNIw8BIH8Id774RjLjaa2Z9UU6OSN0IoTiH/h3wq1hTH9IovkvG
/rNwieo1cvZ0Q3YJblEJ3R450t04w11fp+fOsZSA8NOoINav3b15Zd0ugYYFip+7
4/Meni73FYkrKs8ctsw1bVudDwbRwnPoWcHEEbZwOgMSifgk9k8ST+1OlfdKeUr4
LO+ss/pU516wQoVN0W0gQhahrL5plP8M1a0qo6yaNF68hXa/LmFDi7z6078S6Mpm
fUpLQJ2CiIQL5jFaXaQhp6Uwjbmm+Mnyn+Gqb8NDd5STIG1FhMurjAC+Q6MCAwEA
AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBSeA9xgZSuEUenuNsYqe9pDm0xagBCuSgo
ROBkrutn/L4cP1y2ZTSkcKScezPeMcYhK3A9ktpXxVVSwjFOvCJT1Lz+JN4Vn3kG
23TCqfTOxgB+ecHKPyKA3112WdXu5B0yRDHrecumxEJDtn3H823xn1WpxzCvqvWX
IgukK0VlN7pUPKMtAx1Y+sY8z4bwgOmZRQVvYaRbsMJHyjBl/I4XU+W0nOyq6nAW
eHqaFEFZApnEybHb7JgdpW5TsnvPN1O5YC6bgbRTgLmwGe+pJ5cEtTwrSvWJra8G
grASjklC2MWbAnXculQuvhPg5F54CK9WldMvd7oYAmbdGIWiffiL
-----END CERTIFICATE REQUEST-----
"""
name_dict = {"country_name": "SE",
"state_or_province_name": "Stockholm",
"locality_name": "Stockholm",
"organization_name": "SUNET",
"organizational_unit_name": "SUNET Infrastructure",
"common_name": "ca-test.sunet.se",
"email_address": "soc@sunet.se"}
root_cert_pem = create("my_rsa_key", 4096, name_dict)
print("root CA")
print(root_cert_pem)
cert_pem = csr.sign_csr("my_rsa_key", name_dict, csr_pem)
print("Cert signed by root CA")
print(cert_pem)
Contributing / Tests
# Make your code changes
# Then in the root folder, where this README is
bash dev-run.sh
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
python_x509_pkcs11-0.1.84.tar.gz
(13.8 kB
view details)
Built Distribution
File details
Details for the file python_x509_pkcs11-0.1.84.tar.gz.
File metadata
- Download URL: python_x509_pkcs11-0.1.84.tar.gz
- Upload date:
- Size: 13.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.9.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 4b5b8d13cb01b251bba7b32c5a4596bd8da9171b1a7e26684d23e668361bd0a8 |
|
| MD5 | 528007cfcf054776b173d41fbc23a2ba |
|
| BLAKE2b-256 | c0c8d491088d4eb9b357a9d0157f422000ae50c6ddccf9b16fa82dc6281d79b9 |
File details
Details for the file python_x509_pkcs11-0.1.84-py3-none-any.whl.
File metadata
- Download URL: python_x509_pkcs11-0.1.84-py3-none-any.whl
- Upload date:
- Size: 13.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.9.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 12e918559549fc4cfa5ce78b9f8bd314218eb48f5ba901d2a984bbea94bf07b5 |
|
| MD5 | 7641769ba3fba7dc86f603a45721d200 |
|
| BLAKE2b-256 | 23a7adb446e287e8e85aef3d4d465012a7a585dffe3c7915abe75e98340932f1 |
