Skip to content

reaperhulk/cryptography-pkcs11

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

32 Commits

.travis

.travis

 
 

cryptography @ d7ef98b

cryptography @ d7ef98b

 
 

docs

docs

 
 

src/cryptography_pkcs11

src/cryptography_pkcs11

 
 

tests

tests

 
 

.coveragerc

.coveragerc

 
 

.gitignore

.gitignore

 
 

.gitmodules

.gitmodules

 
 

.travis.yml

.travis.yml

 
 

CHANGELOG.rst

CHANGELOG.rst

 
 

LICENSE

LICENSE

 
 

LICENSE.APACHE

LICENSE.APACHE

 
 

LICENSE.BSD

LICENSE.BSD

 
 

MANIFEST.in

MANIFEST.in

 
 

README.rst

README.rst

 
 

setup.py

setup.py

 
 

tox.ini

tox.ini

 
 

Repository files navigation

Cryptography-pkcs11

image

image

At this time this should be considered experimental software and not ready for any sort of production use.

This is an experimental backend for using PKCS11 modules with cryptography. And when I say experimental I mean "do not touch this with a ten foot pole right now".

Usage

You'll need to set more than a few environment variables:

  • CRYPTOGRAPHY_PKCS11_PATH - The path to the PKCS11 shared object
  • CRYPTOGRAPHY_PKCS11_SLOT_ID
  • CRYPTOGRAPHY_PKCS11_FLAGS
  • CRYPTOGRAPHY_PKCS11_USER_TYPE
  • CRYPTOGRAPHY_PKCS11_PASSWORD

If you want to test this with SoftHSM you'll also need SOFTHSM2_CONF.

Then, if all is well you can import the backend and use hashing, HMAC, some limited ciphers, and RSA functions from cryptography.

>>> from cryptography_pkcs11.backend import backend

Supported Interfaces

  • HashBackend (except copy)
  • HMACBackend (except copy)
  • RSABackend (skipped tests)
    • test_pss_minimum_key_size_for_digest - The test uses SHA1 MGF1 and SHA512 hash. SoftHSM doesn't allow your MGF1 hash to not match the signing hash algorithm.
    • test_pss_verify_salt_length_too_long - Errors during init when the test expects it to error during final verification.
    • test_pss_signing_salt_length_too_long - Errors during init when the test expects it to error during signing.
  • CipherBackend (AES ECB/CBC, 3DES ECB/CBC only)

Issues

  • Session management still needs improvement.
    • Acquire and init acquires a session, inits it for the operation, and sets operation_active. However, there is no finalize_and_release yet.
    • Session objects are presumed to be available to all sessions, which is only true if you don't close sessions.
    • No CKA_TOKEN False objects are ever deleted, so device memory will run out over time if you run the test suite repeatedly.
    • Sessions that generate exceptions during an active operation are destroyed and a new session is opened to take their place. This is a blocking operation.
  • Generating or loading a key with CKA_TOKEN True is not supported at all yet.
  • When adding the pkcs11 entry point for multibackend it is injected as the first element in the array. This is probably not desirable. Of course it turns out in Python 3 entry points are not ordered so...

About

PKCS11 backend for PyCA/cryptography

Resources

Readme

License

Unknown and 2 other licenses found

Licenses found

Unknown
LICENSE
Apache-2.0
LICENSE.APACHE
BSD-3-Clause
LICENSE.BSD
Activity

Stars

4 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages