PyKCS11 | PKCS # 11 Wrapper for Python | TLS library

by LudovicRousseau Python Version: 1.5.15 License: GPL-2.0

X-Ray Key Features Code Snippets Community Discussions(2)Vulnerabilities Install Support

kandi X-RAY | PyKCS11 Summary

PyKCS11 is a Python library typically used in Security, TLS applications. PyKCS11 has no bugs, it has no vulnerabilities, it has build file available, it has a Strong Copyleft License and it has low support. You can install using 'pip install PyKCS11' or download it from GitHub, PyPI.

PKCS#11 Wrapper for Python

Support

Quality

Security

License

Reuse

Support

PyKCS11 has a low active ecosystem.

It has 77 star(s) with 30 fork(s). There are 10 watchers for this library.

There were 3 major release(s) in the last 6 months.

There are 3 open issues and 78 have been closed. On average issues are closed in 57 days. There are no pull requests.

It has a neutral sentiment in the developer community.

The latest version of PyKCS11 is 1.5.15

Quality

PyKCS11 has 0 bugs and 0 code smells.

Security

PyKCS11 has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.

PyKCS11 code analysis shows 0 unresolved vulnerabilities.

There are 0 security hotspots that need review.

License

PyKCS11 is licensed under the GPL-2.0 License. This license is Strong Copyleft.

Strong Copyleft licenses enforce sharing, and you can use them when creating open source projects.

Reuse

PyKCS11 releases are available to install and integrate.

Deployable package is available in PyPI.

Build file is available. You can build the component from source.

Installation instructions, examples and code snippets are available.

PyKCS11 saves you 1468 person hours of effort in developing the same functionality from scratch.

It has 3285 lines of code, 167 functions and 39 files.

It has medium code complexity. Code complexity directly impacts maintainability of the code.

Top functions reviewed by kandi - BETA

kandi has reviewed PyKCS11 and discovered the below as its top functions. This is intended to give you an instant insight into PyKCS11 implemented functionality, and help decide if they suit your requirements.

Get the value of an attribute
Gets the attribute value of an object
Get information about a specific token
Return a list of objects matching the specified template
Convert a template from a template template
Check if the given type is an attribute list
Return True if type is a binary type
Decrypt data using the specified key
Encrypt data with specified key
Calculates a signature of the data
Verify the signature
Generate a key pair pair
Return information about a slot
Returns a list of slots
Get information about the device
Generate a random string
Load a PKCS11 library
Create a session
Get information about the session
Open a session
Login a pin
Wait for a slot event
Dump bytes to string
Login a user
Convert flags to text format
Print information about the mechanism
Convert flags to text

Get all kandi verified functions for this library.

PyKCS11 Key Features

No Key Features are available at this moment for PyKCS11.

PyKCS11 Examples and Code Snippets

No Code Snippets are available at this moment for PyKCS11.

Community Discussions

Trending Discussions on PyKCS11

Signing a Certificate Signing Request using a CA stored on a Yubikey

Will PKCS11 always find objects in the same order?

QUESTION

Signing a Certificate Signing Request using a CA stored on a Yubikey

Asked 2019-Nov-12 at 01:24

I want to sign a Certificate Signing Request using the private key & the certificate stored in the PIV Digital Signature slot.

I'm using the latest release of OpenSC for MacOS(https://github.com/OpenSC/OpenSC/releases/tag/0.19.0).

I have tried the pkcs11-tool, pkcs15-tool & yubikey-piv-tool. All three tools provide a --sign API but they sign a digest generated from the data.

My requirement is to sign the Certificate Signing Request to generate a certificate.

The only option I have is to use the PKCS#11 engine for OpenSSL. PKCS#11 engine: brew install engine_pkcs11 PKCS#11 Module: opensc-pkcs11.so

I will sign the CSR using the regular OpenSSL commands giving the key & the cert stored on the Yubikey using the engine option.(Probably using the PKCS#11 URI)

Using OpenSSL 1.0.2, I tried the following command.

...

ANSWER

Answered 2019-Nov-12 at 01:24

Your -CAkey 02 should be -CAkey slot_0-id_2 for slot 9c / index 02 on the yubikey, everything else there looks okay (though note there is an issue with pin requirements on slot 9c which may effect you).

For a working example of yubikeys with pkcs#11 you might like to check out https://github.com/ryankurte/pki

Good luck!

Source https://stackoverflow.com/questions/57141247

QUESTION

Will PKCS11 always find objects in the same order?

Asked 2019-Sep-20 at 21:20

I have observed that both the bash command and what is probably a corresponding method from the Python PyKCS11 library seem to always find objects in the same order. My code relies on this being true, but have not read it anywhere, just observed it.

In the terminal:

...

ANSWER

Answered 2019-Sep-20 at 21:20

(Wanted to write a comment, but it got quite long...)

PKCS#11 does not guarantee any specific order of returned object handles so it is up to the particular implementation.

Even though your implementation might seem to be consistently giving the same order of objects there are some examples when this could unexpectedly change:

key renewal (keys do not last forever. You will need to generate some new keys in the future)
middleware upgrade (newer implementations might return objects in a different order)
HSM firmware upgrade (major upgrades might change the way objects are stored and change object enumeration order)
HSM recovery from backup (object order can change after HSM restore)
host OS data recovery (some implementatins store HSM objects encrypted in external folders and object search order might be the same as directory listing order which could change without a warning)
HSM change (are you sure that you will be using the same device for the whole lifetime of your application)

Relying on an undefined behaviour in general is a bad practice. Especially in security you should be very cautious.

It is definitely worth the time to stay on the safe side.

I would recommend to perform a separate search for each required object (using some strong identifier -- e.g. label) -- this way you can perform additional checks (e.g. enforce expected object type, ensure that object is unique etc.).

A similar example is Cryptoki object handle re-use. PKCS#11 states that object handle is bound to particular session (i.e. if you obtained object handle in session A you should not use it in session B -- even if both sessions are running in the same application).

There are implementations that preserve object handle for the same object across sessions. There are even implementations that preserve the same object handle in different applications (i.e. if you get object handle 123 in application A you will get object handle 123 in application B for the same object).

This behaviour is even described in the respective developer manual. But if you ask the vendor if you can rely on it you are told that there are some corner cases for some setups and that you must perform additional checks to be 100% sure that it will work as expected...

Good luck with your project!

Source https://stackoverflow.com/questions/58027462

Community Discussions, Code Snippets contain sources that include Stack Exchange Network

Vulnerabilities

No vulnerabilities reported

Install PyKCS11

You can get (untested) Windows binaries from https://ci.appveyor.com/project/LudovicRousseau/pykcs11 in "artifacts".

Support

For any new features, suggestions and bugs create an issue on GitHub. If you have any questions check and ask questions on community page Stack Overflow .

Find more information at: