Skip to main content

Python async library for signing x509 using keys in an pkcs11 device such as a HSM.

Project description

python_x509_pkcs11

Seamless async signing x509 using PKCS11 device for key storage

Currently supports

  • Creating a root CA and generating its RSA key in the PKCS11 device
  • Using the key in the PKCS11 device to sign certificates (or Intermediate CAs)
  • Creating CRLs with the PKCS11 device key
  • Store multiple keys in the PKCS11 device enabling a full PKI infrastructure
  • 'Advanced' handling of fragile persistent PKCS11 sessions, including recreating the session if PKCS11 operation timeout
  • This package is heavily uses python-pkcs11 and asn1crypto.
  • Package is async but python-pkcs11 is unfortunately still sync, probably due to the fragile nature of PKCS11

Setup

# Install libs and add your user to the softhsm group

if awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i "debian\|ubuntu"
then
    # Ubuntu / Debian
    sudo apt-get install python3-dev python3-pip softhsm2
    sudo usermod -a -G softhsm $USER
else
    # Redhat / Centos / Fedora
    sudo dnf install python3-devel python3-pip softhsm gcc 
    sudo usermod -a -G ods $USER
fi

# Or reboot, just make sure your shell now has the new group	
echo "logout and login again now"

# Install this package
pip3 install python_x509_pkcs11

# export env values the code will use
if awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i "debian\|ubuntu"
then
    export PKCS11_MODULE="/usr/lib/softhsm/libsofthsm2.so"
else
    export PKCS11_MODULE="/usr/lib64/softhsm/libsofthsm.so"
fi
export PKCS11_PIN="1234"
export PKCS11_TOKEN="my_test_token_1"

# Initialize the token
softhsm2-util --init-token --slot 0 --label $PKCS11_TOKEN --pin $PKCS11_PIN --so-pin $PKCS11_PIN

Usage

Look at the documentation for quick examples to begin.

The tests are also a good starting point

Here is the basic, create a root CA and then use its key in the PKCS11 device to sign a csr:

# export env values the code will use
if awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i "debian\|ubuntu"
then
    export PKCS11_MODULE="/usr/lib/softhsm/libsofthsm2.so"
else
    export PKCS11_MODULE="/usr/lib64/softhsm/libsofthsm.so"
fi
export PKCS11_PIN="1234"
export PKCS11_TOKEN="my_test_token_1"


# Delete the previous token if exists
softhsm2-util --delete-token --token $PKCS11_TOKEN

# Initialize a new fresh PKCS11 token
softhsm2-util --init-token --slot 0 --label $PKCS11_TOKEN --pin $PKCS11_PIN --so-pin $PKCS11_PIN
import asyncio
from python_x509_pkcs11.ca import create


async def my_func() -> None:
    root_ca_name_dict = {
        "country_name": "SE",
        "state_or_province_name": "Stockholm",
        "locality_name": "Stockholm",
        "organization_name": "SUNET",
        "organizational_unit_name": "SUNET Infrastructure",
        "common_name": "ca-test.sunet.se",
        "email_address": "soc@sunet.se",
    }
    csr_pem, root_cert_pem = await create("my_rsa_key", root_ca_name_dict)

    print("CSR which was selfsigned into root CA")
    print(csr_pem)

    print("root CA")
    print(root_cert_pem)


asyncio.run(my_func())

Contributing / Tests

# install
if awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i "debian\|ubuntu"
then
    # Ubuntu / Debian
    sudo apt-get install flit python3-mypy black
else
    # Redhat / Centos / Fedora
    sudo dnf install python3-flit python3-mypy python3-black
fi


# Make your code changes
# Then in the root folder, where this README is
bash dev-run.sh

# Build the package with flit
flit build

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

python_x509_pkcs11-0.2.30.tar.gz (22.8 kB view details)

Uploaded Source

Built Distribution

python_x509_pkcs11-0.2.30-py3-none-any.whl (13.0 kB view details)

Uploaded Python 3

File details

Details for the file python_x509_pkcs11-0.2.30.tar.gz.

File metadata

  • Download URL: python_x509_pkcs11-0.2.30.tar.gz
  • Upload date:
  • Size: 22.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.9.2

File hashes

Hashes for python_x509_pkcs11-0.2.30.tar.gz
Algorithm Hash digest
SHA256 3e69f6739f6fe72929ca7e201f4c21d3f9a79f16fdf5abf8f0e5581cc746bc0c
MD5 3b1cea9384d4193e1abaa7ea5072cb13
BLAKE2b-256 2a173f438409bae83d31c815574a89df9824fbb5c4c2be86b881313b73ab3ab8

See more details on using hashes here.

File details

Details for the file python_x509_pkcs11-0.2.30-py3-none-any.whl.

File metadata

File hashes

Hashes for python_x509_pkcs11-0.2.30-py3-none-any.whl
Algorithm Hash digest
SHA256 c03242d515e1611c27df5f10e9aa3c4d4a1dfb5db2da7d8bd099ef97ec2c44cd
MD5 709e6221598c892ec0eb208ce2b17d92
BLAKE2b-256 d4d7cc2d307ecdbb75909430f2d7ca5f40a378407ec0fb1ea6916d0ab4e65c1b

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page