python-x509-pkcs11

Python library for signing x509 using keys in an pkcs11 device such as a HSM.

Project description

python_x509_pkcs11

Seamless signing x509 using PKCS11 device for key storage

Currently supports

Creating a root CA and generating its RSA key in the PKCS11 device
Using the key in the PKCS11 device to sign certificates (or Intermediate CAs)
Creating CRLs with the PKCS11 device key
Store multiple keys in the PKCS11 device enabling a full PKI infrastructure
'Advanced' handling of fragile persistent PKCS11 sessions, including recreating the session if PKCS11 operation timeout

This package is pretty much a wrapper around python-pkcs11 and asn1crypto

Setup

# Install libs and add your user to the softhsm group

if awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i "debian\|ubuntu"
then
    # Ubuntu / Debian
    sudo apt-get install python3-dev python3-pip softhsm2
    sudo usermod -a -G softhsm $USER
else
    # Redhat / Centos / Fedora
    sudo dnf install python3-devel python3-pip softhsm gcc 
    sudo usermod -a -G ods $USER
fi

# Or reboot, just make sure your shell now has the new group	
echo "logout and login again now"

# Install this package
pip3 install python_x509_pkcs11

# export env values the code will use
if awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i "debian\|ubuntu"
then
    export PKCS11_MODULE="/usr/lib/softhsm/libsofthsm2.so"
else
    export PKCS11_MODULE="/usr/lib64/softhsm/libsofthsm.so"
fi
export PKCS11_PIN="1234"
export PKCS11_TOKEN="my_test_token_1"

# Initialize the token
softhsm2-util --init-token --slot 0 --label $PKCS11_TOKEN --pin $PKCS11_PIN --so-pin $PKCS11_PIN

Usage

Look at the documentation for quick examples to begin.

The tests are also a good starting point

Here is the basic, create a root CA and then use its key in the PKCS11 device to sign a csr:

# export env values the code will use
if awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i "debian\|ubuntu"
then
    export PKCS11_MODULE="/usr/lib/softhsm/libsofthsm2.so"
else
    export PKCS11_MODULE="/usr/lib64/softhsm/libsofthsm.so"
fi
export PKCS11_PIN="1234"
export PKCS11_TOKEN="my_test_token_1"


# Delete the previous token if exists
softhsm2-util --delete-token --token $PKCS11_TOKEN

# Initialize a new fresh PKCS11 token
softhsm2-util --init-token --slot 0 --label $PKCS11_TOKEN --pin $PKCS11_PIN --so-pin $PKCS11_PIN

from python_x509_pkcs11.root_ca import create

root_ca_name_dict = {"country_name": "SE",
             "state_or_province_name": "Stockholm",
             "locality_name": "Stockholm",
             "organization_name": "SUNET",
             "organizational_unit_name": "SUNET Infrastructure",
             "common_name": "ca-test.sunet.se",
             "email_address": "soc@sunet.se"}

csr_pem, root_cert_pem = create("my_rsa_key", root_ca_name_dict)
print("CSR which was selfsigned into root CA")
print(csr_pem)

print("root CA")
print(root_cert_pem)

Contributing / Tests

# install
if awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i "debian\|ubuntu"
then
    # Ubuntu / Debian
    sudo apt-get install flit python3-mypy black
else
    # Redhat / Centos / Fedora
    sudo dnf install python3-flit python3-mypy python3-black
fi


# Make your code changes
# Then in the root folder, where this README is
bash dev-run.sh

# Build the package with flit
flit build

Project details

Release history Release notifications | RSS feed

0.9.0

Apr 3, 2024

0.8.4

Jan 22, 2024

0.8.3

Dec 11, 2023

0.8.2

Dec 11, 2023

0.8.1

Dec 10, 2023

0.8.0

Dec 10, 2023

0.7.1

Dec 5, 2023

0.7.0

May 17, 2023

0.6.37

Mar 30, 2023

0.6.34

Mar 30, 2023

0.6.33

Mar 30, 2023

0.6.31

Mar 7, 2023

0.6.3

Feb 2, 2023

0.6.2

Feb 1, 2023

0.6.1

Feb 1, 2023

0.6.0

Dec 3, 2022

0.5.1

Nov 25, 2022

0.5.0

Nov 24, 2022

0.4.43

Nov 3, 2022

0.4.41

Oct 18, 2022

0.4.3

Oct 7, 2022

0.3.22

Oct 2, 2022

0.3.21

Sep 28, 2022

0.3.0

Sep 28, 2022

0.2.33

Sep 17, 2022

0.2.32

Sep 17, 2022

0.2.31

Sep 16, 2022

0.2.30

Aug 28, 2022

0.2.29

Jul 27, 2022

0.2.28

Jul 26, 2022

This version

0.2.27

Jul 15, 2022

0.2.26

Jul 15, 2022

0.2.25

Jul 14, 2022

0.2.24

Jul 13, 2022

0.2.23

Jul 13, 2022

0.2.22

Jul 13, 2022

0.2.2

Jul 11, 2022

0.2.1

Jul 11, 2022

0.2.0

Jul 10, 2022

0.1.90

Jul 9, 2022

0.1.88

Jul 8, 2022

0.1.87

Jul 8, 2022

0.1.85

Jul 7, 2022

0.1.84

Jul 7, 2022

0.1.83

Jul 7, 2022

0.1.82

Jul 6, 2022

0.1.81

Jul 6, 2022

0.1.8

Jul 6, 2022

0.1.7

Jul 5, 2022

0.1.6

Jul 5, 2022

0.1.5

Jul 4, 2022

0.1.3

Jul 4, 2022

0.1.1

Jul 3, 2022

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

python_x509_pkcs11-0.2.27.tar.gz (22.4 kB view details)

Uploaded Jul 15, 2022 Source

Built Distribution

python_x509_pkcs11-0.2.27-py3-none-any.whl (12.5 kB view details)

Uploaded Jul 15, 2022 Python 3

File details

Details for the file python_x509_pkcs11-0.2.27.tar.gz.

File metadata

Download URL: python_x509_pkcs11-0.2.27.tar.gz
Upload date: Jul 15, 2022
Size: 22.4 kB
Tags: Source
Uploaded using Trusted Publishing? No
Uploaded via: twine/4.0.1 CPython/3.9.2

File hashes

Hashes for python_x509_pkcs11-0.2.27.tar.gz
Algorithm	Hash digest
SHA256	`c3be0e59d1889ed37b838839066ac683515b588d8ceb6cb8bf8f70b826e52e81`
MD5	`a47a1e491da7f2f13d7df1ed7575a5a1`
BLAKE2b-256	`41f1477ddffcd472429a4fbe012981210b9d24a95cc11472b31dc5045218fb85`

See more details on using hashes here.

File details

Details for the file python_x509_pkcs11-0.2.27-py3-none-any.whl.

File metadata

Download URL: python_x509_pkcs11-0.2.27-py3-none-any.whl
Upload date: Jul 15, 2022
Size: 12.5 kB
Tags: Python 3
Uploaded using Trusted Publishing? No
Uploaded via: twine/4.0.1 CPython/3.9.2

File hashes

Hashes for python_x509_pkcs11-0.2.27-py3-none-any.whl
Algorithm	Hash digest
SHA256	`746d6fdef8c951b2d8b121a5f9b376368c15e702653826b0f8bac4d734502d82`
MD5	`10eea291ae04d860a13ce31996420824`
BLAKE2b-256	`dcc3ce9fdb64297b268af2e0630dc374dc20907fe9d0d4b383eb6881931bb896`