def __init__(self):
# detects the operating system
if os.uname()[0] == "Darwin": # MAC
if os.path.isfile(self.PKCS11_LIB_MAC):
self.PKCS11_LIB = self.PKCS11_LIB_MAC
else:
print("PKCS11 library doesn't exist on OSX!")
elif platform.uname()[0] == "Windows":
if os.path.isfile(self.PKCS11_LIB_WINDOWS):
self.PKCS11_LIB = self.PKCS11_LIB_WINDOWS
else:
print("PKCS11 library doesn't exist on Windows!")
else:
if os.path.isfile(self.PKCS11_LIB_LINUX):
self.PKCS11_LIB = self.PKCS11_LIB_LINUX
else:
print("PKCS11 library doesn't exist on Linux!")
self.lib = pkcs11.lib(self.PKCS11_LIB) # lib to use
self.token = None
# select the desired token
tokens = self.lib.get_tokens()
for t in tokens:
self.token = t
break
def get_slots(self, filter=[]):
slots = None
try:
if self.lib is None:
self.lib = pkcs11.lib(self.get_module_lib())
slots = self.lib.get_slots()
if filter:
slots = [slot for slot in slots if slot.slot_id in filter]
self.error_show_message = 0
except Exception as e:
if self.error_show_message < self.settings.number_requests_before_fail:
signals.send(
'notify',
signals.SignalObject(
signals.NOTIFTY_ERROR, {
'message':
"La biblioteca instalada no funciona para leer "
"las tarjetas, porque no ha instalado las "
"bibliotecas necesarias o porque el sistema "
"operativo no está soportado"
}))
self.error_show_message += 1
logger.error("Error abriendo dispositivos PKCS11 %r" % (e, ))
if not slots:
raise SlotNotFound("PKCS11: Slot not found")
return slots
def __init__(self, cfg_file=None):
common_util.assert_in_error(
cfg_file, "PKCS11 HSM manager requires a configuration file")
self.session = None
with open(cfg_file, "r") as read_file:
self.j_data = json.load(read_file)
j_data = self.j_data
lib = pkcs11.lib(j_data["lib_path"])
common_util.assert_in_error(
j_data["library_version"] == list(lib.library_version),
"PKCS11 HSM manager library version mismatch",
)
common_util.assert_in_error(
j_data["cryptoki_version"] == list(lib.cryptoki_version),
"PKCS11 HSM manager cryptoki version mismatch",
)
token = lib.get_token(token_label=j_data["token"]["label"])
self.session = token.open(user_pin=j_data["token"]["user_password"])
self.curve = j_data["curve"]
self.ecparams = self.session.create_domain_parameters(
pkcs11.KeyType.EC,
{
pkcs11.Attribute:
pkcs11.util.ec.encode_named_curve_parameters(self.curve)
},
local=True,
)
def __init__(self, pin=None):
lib = pkcs11.lib(
os.getenv('PKCS11_MODULE', "/usr/local/lib/opensc-pkcs11.dylib"))
slots = lib.get_slots(token_present=True)
print("Available slots:")
for i in range(0, int(len(slots) / 3)):
# for each slot, get tokens
slot = slots[i * 3]
tokens = lib.get_tokens()
token_label = "Auth PIN (CARTAO DE CIDADAO)"
for token in tokens:
if token_label == token.label and slot == token.slot:
self.token = token
name = self.get_cc_name()
print("%d %s" % (i, name))
break
slot_select = input("Select slot: ")
slot = slots[int(slot_select) * 3]
tokens = lib.get_tokens()
token_label = "Auth PIN (CARTAO DE CIDADAO)"
for token in tokens:
if token_label == token.label and slot == token.slot:
self.token = token
break
if pin is None:
self.pin = getpass.getpass("Auth PIN (CARTAO DE CIDADAO): ")
else:
self.pin = pin
def test_get_tokens(self):
lib = pkcs11.lib(LIB)
tokens = lib.get_tokens(token_flags=pkcs11.TokenFlag.RNG)
self.assertEqual(len(list(tokens)), 2)
tokens = lib.get_tokens(token_label=TOKEN)
self.assertEqual(len(list(tokens)), 1)
def test():
lib = pkcs11.lib("C:/Windows/System32/eps2003csp11v2.dll")
token = lib.get_token(token_label='ePass2003-Palagiris')
for slot in lib.get_slots():
token = slot.get_token()
print(token)
if token.label == 'ePass2003-Palagiris':
print(token)
def test_get_token(self):
lib = pkcs11.lib(LIB)
slot, *_ = lib.get_slots()
token = slot.get_token()
self.assertIsInstance(token, pkcs11.Token)
self.assertEqual(token.label, TOKEN)
self.assertIn(pkcs11.TokenFlag.TOKEN_INITIALIZED, token.flags)
self.assertIn(pkcs11.TokenFlag.LOGIN_REQUIRED, token.flags)
def test_get_slots(self):
lib = pkcs11.lib(LIB)
slots = lib.get_slots()
self.assertEqual(len(slots), 2)
slot1, slot2 = slots
self.assertIsInstance(slot1, pkcs11.Slot)
self.assertEqual(slot1.flags, pkcs11.SlotFlag.TOKEN_PRESENT)
def __init__(self, pkcs11library, label, pin):
self.pkcs11library = pkcs11library
self.label = label
self.pin = pin
lib = pkcs11.lib(pkcs11library)
self.token = lib.get_token(token_label=self.label)
self.session = self.token.open(rw=True, user_pin=self.pin)
self.order = int(
"115792089210356248762697446949407573529996955224135760342422259061068512044369"
)
self.half_order = self.order >> 1
def __post_init__(
self,
types: Dict[KeyType, pkcs11.KeyType],
approved_hashes: Dict[KeyType, Dict[HashType,
Union[hashes.HashAlgorithm,
pkcs11.Mechanism]]],
):
"""Load token for SoftHSM operations."""
lib = pkcs11.lib(self.so_file)
self.token = lib.get_token(token_label=self.token_label)
self.pkcs11_key_type = types[self.key_type]
self.pkcs11_hash_type = approved_hashes[self.key_type][self.hash_type]
def __init__(self):
"""init members using os.environ
"""
logging.info(f"KMS_LIB_PATH : {os.environ['KMS_LIB_PATH']}")
# 환경 변수 설정
os.environ['PKCS11_MODULE'] = os.environ[
'KMS_LIB_PATH'] + "/libsgkms_cryptoki.so"
# Load PKCS11 module
lib = pkcs11.lib(os.environ['PKCS11_MODULE'])
# Get token
self.__token = lib.get_token(token_label='SG-KMS TOKEN')
self.__agent_pin = None
def __init__(self, store: str, token, user_pin, label: str = ''):
lib = pkcs11.lib(store)
try:
self.token = lib.get_token(token_label=token)
except pkcs11.MultipleTokensReturned:
raise RuntimeError(
f"Multiple tokens returned for token {token}, label {label}"
) from None
self.user_pin = user_pin
self.label = label or "bridge_key"
self._address = None
self.public_key = None
if self.label:
self._load_key()
def __init__(self,
lib_path=os.environ['PKCS11_LIBRARY_PATH'],
token_label='larry',
pin='1234'):
"""
Session constructor.
@param lib_path: P11 library path.
@param token_label: Label of p11 token.
@param pin: Pin corresponding to our p11 token.
"""
self.__lib_path = lib_path
self.__token_label = token_label
self.__pin = pin
self.lib = pkcs11.lib(self.__lib_path)
self.token = self.lib.get_token(token_label=self.__token_label)
self.p11 = self.token.open(user_pin=self.__pin, rw=True)
def __init__(self, lib_location = None):
"""
Cartao de Cidadao constructor, starts by initialising PKCS#11 library and class variables
"""
if not lib_location:
if os.path.isfile('/usr/local/lib/libpteidpkcs11.so'):
lib_location = '/usr/local/lib/libpteidpkcs11.so'
elif os.path.isfile('/usr/lib/libpteidpkcs11.so'):
lib_location = '/usr/lib/libpteidpkcs11.so'
elif os.path.isfile('/usr/local/lib64/libpteidpkcs11.so'):
lib_location = '/usr/local/lib64/libpteidpkcs11.so'
else:
print("ERROR: libpteidpkcs11 not found!")
quit()
self.lib = pkcs11.lib( lib_location ) # Initialise PKCS#11 library
self.session = None
def __init__(self, key, algorithm, p11: P11Params = P11Key_params):
super().__init__(key, algorithm)
#self._key = key
self._algorithm = algorithm
self._public_key = None
self._private_key = None
self._mechanism = None
self.p11 = p11
logger.debug(f'Initialising PKCS#11 module: {self.p11.module}')
self.lib = pkcs11.lib(self.p11.module)
for _slot in self.lib.get_slots():
logger.debug(f'Slot: {_slot}')
logger.debug(f'Looking for token {repr(self.p11.token_label)}')
self.token = self.lib.get_token(token_label=self.p11.token_label)
logger.debug(f'Loaded module {self.lib} (key {key}, alg {algorithm})')
def __init__(self, key_name):
# load pkcs11 lib
self.lib = pkcs11.lib(os.environ['PKCS11_LIB'])
self.user_pin = os.environ['USER_PIN']
self.token = next(self.lib.get_tokens()) # get any token
self.key_name = key_name
# initiate session via pkcs11
start = time.time()
self.session = self.token.open(user_pin=self.user_pin)
print("time (connect) {}s".format(time.time() - start))
start = time.time()
# get key returns >1 key for some reason
# key = session.get_key(object_class=ObjectClass.PRIVATE_KEY,
# key_type=KeyType.EC,
# label=self.key_name)
# get key by iterating through all session objects instead
iterator = self.session.get_objects({
Attribute.KEY_TYPE: KeyType.EC,
Attribute.CLASS: ObjectClass.PRIVATE_KEY,
Attribute.LABEL: self.key_name
})
self.key = next(iterator)
print(self.key)
print("time (get private key) {}s".format(time.time() - start))
start = time.time()
_ = next(iterator) # test get_objects() still returns > 1
iterator._finalize()
iterator = self.session.get_objects({
Attribute.KEY_TYPE: KeyType.EC,
Attribute.CLASS: ObjectClass.PUBLIC_KEY,
Attribute.LABEL: self.key_name
})
pub = next(iterator)
print(pub)
pubder = ec.encode_ec_public_key(pub)
self.pubcrypto = serialization.load_der_public_key(
pubder, default_backend())
print("time (get public key) {}s".format(time.time() - start))
_ = next(iterator) # test get_objects() still returns > 1
iterator._finalize()
def sign_p11(sigin, alg, lib_path, slot, key_label, pin):
lib = pkcs11.lib(lib_path)
slot = lib.get_slots()[slot]
token = slot.get_token()
with token.open(user_pin=pin) as session:
for priv in session.get_objects({
Attribute.CLASS: ObjectClass.PRIVATE_KEY,
Attribute.LABEL: key_label
}):
if alg == 'RS256':
MECHANISM = Mechanism.SHA256_RSA_PKCS
elif alg == 'RS384':
MECHANISM = Mechanism.SHA384_RSA_PKCS
elif alg == 'RS512':
MECHANISM = Mechanism.SHA512_RSA_PKCS
else:
raise Exception('Unsupported algorithm')
signature = priv.sign(sigin, mechanism=MECHANISM)
return signature
def getCCToken():
try:
lib = pkcs11.lib('/usr/local/lib/libpteidpkcs11.so')
token = None
slots = lib.get_slots()
if len(slots) == 0:
log(logging.ERROR, "Could not find Portuguese Citizen Card")
return
for slot in slots:
token = slot.get_token()
break
except Exception as e:
print(e)
log(logging.ERROR, "Could not find Portuguese Citizen Card")
return
return token
def __init__(self):
super(CC_Interaction, self).__init__()
try:
print("Reading CC...")
self.lib = pkcs11.lib("/usr/lib/opensc-pkcs11.so")
self.token = self.lib.get_token(token_label="Auth PIN (CARTAO DE CIDADAO)")
self.user_pin = getpass.getpass("CC Authentication PIN? ")
self.cert = Certificate(self.get_my_cert())
with self.token.open(user_pin = str(self.user_pin)) as session:
pass
except (TokenNotPresent, NoSuchToken, IndexError):
print("Please insert the Citizen Card!\nExiting...")
sys.exit(-1)
except (PinIncorrect):
print("\nExiting...")
sys.exit(-1)
except (PKCS11Error):
print("Invalid PIN!\nExiting...")
sys.exit(-1)
except Exception as e:
raise e
def get_LIB():
global LIB
if LIB:
return LIB
for path in pkcs_module_path:
try:
logger.info("Loading library from " + path)
LIB = pkcs11.lib(path)
logger.info("Library loading success")
break
except:
logger.info("Library loading failed")
if not LIB:
raise DevicePKCS11Error(
"Cannot load library from {path}. ".format(path=pkcs_module_path) +
"Check path and its format (bitness, endianness, compiler).")
logger.info("Library information: {} {} {}".format(LIB.library_description,
LIB.library_version,
LIB.manufacturer_id))
if LIB.library_version[1] < 17 and "OpenSC" in LIB.manufacturer_id:
logger.warning(
"Issues may occur with this version of library - OpenSC 0.16.")
return LIB
def get_LIB():
global LIB
if LIB:
return LIB
for path in pkcs_module_path:
try:
log.info('Loading library from ' + path)
LIB = pkcs11.lib(path)
log.info('Library loading success')
break
except:
log.info('Library loading failed')
if not LIB:
raise RuntimeError(
'Cannot load library from {path}. '.format(path=pkcs_module_path) +
'Check path and its format (bitness, endianness, compiler).')
log.info('Library information: {} {} {}'.format(LIB.library_description,
LIB.library_version,
LIB.manufacturer_id))
if LIB.library_version[1] < 17 and 'OpenSC' in LIB.manufacturer_id:
log.warning(
'Issues may occur with this version of library - OpenSC 0.16.')
return LIB
import sys
from typing import List, cast
from pkcs11 import PublicKey, lib, Token, Session
from pkcs11.util.rsa import encode_rsa_public_key
from Crypto.PublicKey import RSA
lib = lib('/Library/OpenSC/lib/opensc-pkcs11.so')
def get_tokens() -> List[Token]:
return list(lib.get_tokens())
def get_auth_pubkey(session: Session) -> PublicKey:
return cast(PublicKey, session.get_key(PublicKey.object_class, id=b'\x01'))
def main():
token = get_tokens()[0]
session = token.open()
print(token.label, file=sys.stderr)
pubkey = get_auth_pubkey(session)
der = encode_rsa_public_key(pubkey)
rsa = RSA.importKey(der)
print(pubkey.label, file=sys.stderr)
print(rsa.export_key('OpenSSH').decode())
session.close()
from log import logger
from pkcs11.constants import Attribute
from pkcs11.constants import ObjectClass
from OpenSSL import crypto
from termcolor import colored
import logging
import pkcs11
import getpass
import os
import sys
logger.log(logging.DEBUG, "Initializing CC module...")
lib = pkcs11.lib(os.environ['PKCS11_MODULE'])
token = None
try:
for t in lib.get_tokens():
token = t
break
except:
print(colored('ERROR: CC device not connected', 'red'))
sys.exit(0)
def get_correct_pin():
pin = getpass.getpass(colored("CC Authentication PIN: ", 'blue'))
# Get correct pin
text = "\nIncorrect PIN. Please type the correct PIN: "
while not test_pin(pin):
pin = getpass.getpass(colored(text, 'red'))
#!/usr/bin/env python3
import os
import traceback
import pkcs11
from pkcs11 import KeyType, ObjectClass, Mechanism, MechanismFlag, Attribute, PKCS11Error
from pkcs11.util import ec
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.backends import default_backend
# load pkcs11 lib
lib = pkcs11.lib(os.environ['PKCS11_LIB'])
tokens = lib.get_tokens()
token = next(tokens) # get any token
try:
# connect to hsm via pkcs11 token and pin
with token.open(user_pin=os.environ['USER_PIN'], rw=True) as session:
# ec curve params
ecparams = session.create_domain_parameters(
KeyType.EC,
{
# hardcoded curve name for secp256k1 taken from https://www.flexiprovider.de/CurveOIDs.html
# asn1crypto python library currently missing the secp256k1 named curve parameters
Attribute.EC_PARAMS:
ec.encode_named_curve_parameters('1.3.132.0.10'),
},
local=True)
try:
#!/usr/bin/env python3
import pkcs11
import codecs
import sys
import os
lib = pkcs11.lib(os.getenv('PKCS_MODULE'))
token = lib.get_token(token_label=os.getenv('SECURITY_MODULE_SLOT_LABEL'))
session = token.open(user_pin=os.getenv('SECURITY_MODULE_USER_PIN'))
wanted = int(sys.argv[1])
rand = session.generate_random(wanted * 8)
if len(rand) == wanted:
print(codecs.encode(rand, 'hex').decode('ascii'))
sys.exit(0)
print("ERROR_RANDOM_BYTES_LENGTH")
sys.exit(-1)
def setUp(self):
self.lib = pkcs11.lib('python-pkcs11-provider.so')
#!/usr/bin/python3
import os
import binascii
import textwrap
import pkcs11
import pkcs11.util.rsa
import cryptography
import cryptography.hazmat.backends
import cryptography.hazmat.primitives
import cryptography.hazmat.primitives.serialization
import cryptography.hazmat.primitives.asymmetric
import cryptography.hazmat.primitives.asymmetric.padding
lib = pkcs11.lib(os.environ['TEST_PKCS11_LIBRARY_PATH'])
token_label = os.environ[
'TEST_PKCS11_TOKEN_LABEL'] # pkcs11-tool --module opensc-pkcs11.so --list-slots
key_label = os.environ[
'TEST_PKCS11_KEY_LABEL'] # pkcs11-tool --module opensc-pkcs11.so --list-slots --list-objects
user_pin = os.environ['TEST_PKCS11_USER_PIN']
# list supported mechanisms.
for slot in lib.get_slots():
token = slot.get_token()
if not token.flags & pkcs11.TokenFlag.TOKEN_INITIALIZED:
continue
print(f'token-label: {token.label}')
for m in slot.get_mechanisms():
info = slot.get_mechanism_info(m)
print(f'mechanism: {m.name}')
print(textwrap.indent(str(info), len('mechanism: ') * 2 * ' '))
import PyKCS11.LowLevel
import sys
import PyKCS11
import pkcs11
# Initialise our PKCS#11 library
lib = pkcs11.lib("C:/Windows/System32/eps2003csp11v2.dll")
token = lib.get_token(token_label='ePass2003-Palagiris')
pkcs11 = PyKCS11.PyKCS11Lib()
PyKCS11.CK_TOKEN_INFO()
i = PyKCS11.CK_SLOT_INFO()
PyKCS11.CK_SESSION_INFO()
#i = pkcs11.getSlotInfo(0)
#pkcs11.openSession(0)
#print("Library manufacturerID: ") + info.manufacturerID
for slots in lib.get_slots():
token = slots.get_token()
if token.label == 'ePass2003-Palagiris':
break
slots = pkcs11.getSlotList()
print("Available Slots:"), len(slots)
for s in slots:
try:
i = pkcs11.getSlotInfo(s)
print("Slot no:"), s
print(format_normal % ("slotDescription", i.slotDescription.strip()))
print(format_normal % ("manufacturerID", i.manufacturerID.strip()))
t = pkcs11.getTokenInfo(s)
def load_pkcs11_keys(provider,
pin=None,
*,
load_certs=True,
token_label=None,
token_serial=None,
key_label=None,
key_id=None):
"""Load PIV keys and X.509 certificates from a PKCS#11 token
This function loads a list of SSH keypairs with optional X.509
cerificates from attached PKCS#11 security tokens. The PKCS#11
provider must be specified, along with a user PIN if the
tokens are set to require one.
By default, this function loads both private key handles
and the X.509 certificates associated with them, allowing for
X.509 certificate based auth to SSH servers that support it.
To disable loading of these certificates and perform only
key-based authentication, load_certs may be set to `False`.
If token_label and/or token_serial are specified, only tokens
matching those values will be accessed.
If key_label and/or key_id are specified, only keys matching
those values will be loaded. Key IDs can be specified as
either raw bytes or a string containing hex digits.
.. note:: If you have an active asyncio event loop at
the time you call this function, you may want
to consider running it via a call to
:meth:`asyncio.AbstractEventLoop.run_in_executor`.
While retrieving the keys generally takes only a
fraction of a second, calling this function
directly could block asyncio event processing
until it completes.
:param provider:
The path to the PKCS#11 provider's shared library.
:param pin: (optional)
The PIN to use when accessing tokens, if needed.
:param load_certs: (optional)
Whether or not to load X.509 certificates from the
security tokens.
:param token_label: (optional)
A token label to match against. If set, only security
tokens with this label will be accessed.
:param token_serial: (optional)
A token serial number to match against. If set, only
security tokens with this serial number will be accessed.
:param key_label: (optional)
A key label to match against. If set, only keys with this
label will be loaded.
:param key_id: (optional)
A key ID to match against. If set, only keys with this ID
will be loaded.
:type provider: `str`
:type pin: `str`
:type load_certs: `bool`
:type token_label: `str`
:type token_serial: `bytes` or `str`
:type key_label: `str`
:type key_id: `bytes` or `str`
"""
lib = pkcs11.lib(provider)
keys = []
if isinstance(token_serial, str):
token_serial = token_serial.encode('utf-8')
for token in lib.get_tokens(token_label=token_label,
token_serial=token_serial):
with SSHPKCS11Session.open(token, pin) as session:
keys.extend(session.get_keys(load_certs, key_label, key_id))
return keys
def setUpClass(cls):
super().setUpClass()
cls.lib = lib = pkcs11.lib(LIB)
if cls.with_token or cls.with_session:
cls.token = lib.get_token(token_label=TOKEN)
