Python异步库,用于使用PKCS11设备(如HSM)中的密钥进行x509签名。
项目描述
python_x509_pkcs11
使用PKCS11设备(用于密钥存储)无缝进行异步x509签名
当前支持
- 在PKCS11设备中创建根CA及其密钥。
- 使用PKCS11设备中的密钥对证书或中间CA进行签名。
- 使用PKCS11设备密钥创建证书、CSR、CRLs、OCSP,实现完整的PKI基础设施。
- 对脆弱的持久PKCS11会话进行“高级”处理,包括在PKCS11操作超时时重新创建会话。
- 此包大量使用python-pkcs11和asn1crypto。
- 包是异步的,但遗憾的是python-pkcs11仍然是同步的,这可能是由于PKCS11的脆弱性质。
- 已使用SoftHSM和LUNAHSM进行测试。
设置
# Install libs and add your user to the softhsm group
# You should probably replace softhsm when using this in production, any PKCS11 device should work
if awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i "debian\|ubuntu"
then
# Ubuntu / Debian
sudo apt-get install python3-dev python3-pip softhsm2
sudo usermod -a -G softhsm $USER
else
# Redhat / Centos / Fedora
sudo dnf install python3-devel python3-pip softhsm gcc
sudo usermod -a -G ods $USER
fi
# Update your softhsm group membership
exec sudo su -l $USER
# Install this package
pip3 install python_x509_pkcs11
# export env values the code will use
if awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i "debian\|ubuntu"
then
export PKCS11_MODULE="/usr/lib/softhsm/libsofthsm2.so"
else
export PKCS11_MODULE="/usr/lib64/softhsm/libsofthsm.so"
fi
export PKCS11_PIN="1234"
export PKCS11_TOKEN="my_test_token_1"
# Initialize the token
softhsm2-util --init-token --slot 0 --label $PKCS11_TOKEN --pin $PKCS11_PIN --so-pin $PKCS11_PIN
使用方法
查看文档以获取快速示例以开始。
测试也是一个好的起点
以下是基本示例:创建根CA,然后使用PKCS11设备中的密钥签名csr
# export env values the code will use
if awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i "debian\|ubuntu"
then
export PKCS11_MODULE="/usr/lib/softhsm/libsofthsm2.so"
else
export PKCS11_MODULE="/usr/lib64/softhsm/libsofthsm.so"
fi
export PKCS11_PIN="1234"
export PKCS11_TOKEN="my_test_token_1"
# Delete the previous token if exists
softhsm2-util --delete-token --token $PKCS11_TOKEN
# Initialize a new fresh PKCS11 token
softhsm2-util --init-token --slot 0 --label $PKCS11_TOKEN --pin $PKCS11_PIN --so-pin $PKCS11_PIN
import asyncio
from python_x509_pkcs11.ca import create
async def my_func() -> None:
root_ca_name_dict = {
"country_name": "SE",
"state_or_province_name": "Stockholm",
"locality_name": "Stockholm",
"organization_name": "SUNET",
"organizational_unit_name": "SUNET Infrastructure",
"common_name": "ca-test.sunet.se",
"email_address": "soc@sunet.se",
}
# key_type must be:
# [ed25519](https://en.wikipedia.org/wiki/EdDSA). This is default.
# ed448
# secp256r1
# secp384r1
# secp521r1
# rsa_2048
# rsa_4096
csr_pem, root_cert_pem = await create("my_ed25519_key", root_ca_name_dict, key_type="ed25519")
print("CSR which was self-signed into root CA")
print(csr_pem)
print("root CA")
print(root_cert_pem)
asyncio.run(my_func())
贡献/测试
# install
if awk -F= '/^NAME/{print $2}' /etc/os-release | grep -i "debian\|ubuntu"
then
# Ubuntu / Debian
sudo apt-get install flit python3-mypy black pylint
else
# Redhat / Centos / Fedora
sudo dnf install epel-release
sudo dnf install python3-flit python3-mypy python3-black pylint
fi
# Make your code changes
# Then in the root folder, where this README is
bash deploy.sh
# Build the package with flit
flit build
下载文件
下载适用于您平台的文件。如果您不确定选择哪个,请了解更多关于安装包的信息。
源代码分发
python_x509_pkcs11-0.9.0.tar.gz (75.1 kB 查看哈希值)
