Crypto Module API

Crypto Module provides basic key and certificate operations.

Crypto module general information

Module for crypto operations (certificate and key management).

Moreover, it includes SignatureProvider as an interface for all potential signature providers.

It provides the following functionality:

  1. for key management:

  • generating RSA private key (size and exponent as parameter)

  • generating RSA public key

  • saving RSA private key to the file

  • saving RSA public key to the file

  • generating ECC private key (curve name as parameter)

  • generating ECC public key

  • saving ECC private key to the file

  • saving ECC public key to the file

  2. for certificate management:

  • generating an X.509 certificate

  • validating a certificate

  • validating a chain of certificates

  • returning the public key from a given certificate

  • converting a certificate into bytes

  • saving a certificate into a file

  3. for general purpose:

  • loading a public key from a file

  • loading a private key from a file

  • loading an X.509 certificate from a file

Crypto module key generation

Module for key generation and saving keys to file (RSA and ECC).

spsdk.crypto.keys_management.generate_ecc_private_key(curve_name='secp256r1')

Generate ECC private key.

Parameters

curve_name (str) – name of the curve

Return type

EllipticCurvePrivateKey

Returns

ECC private key

spsdk.crypto.keys_management.generate_ecc_public_key(private_key)

Generate ECC public key.

Parameters

private_key (EllipticCurvePrivateKey) – private key used for public key generation

Return type

EllipticCurvePublicKey

Returns

ECC public key

spsdk.crypto.keys_management.generate_rsa_private_key(key_size=2048, exponent=65537)

Generate RSA private key.

Parameters
  • key_size (int) – key size in bits; must be >= 512

  • exponent (int) – public exponent; must be >= 3 and odd

Return type

RSAPrivateKey

Returns

RSA private key with serialization

spsdk.crypto.keys_management.generate_rsa_public_key(private_key)

Generate RSA public key.

Parameters

private_key (RSAPrivateKey) – private key used for public key generation

Return type

RSAPublicKey

Returns

RSA public key

spsdk.crypto.keys_management.get_ec_curve_object(name)

Get the EC curve object by its name.

Parameters

name (str) – Name of EC curve.

Return type

EllipticCurve

Returns

EC curve object.

Raises

SPSDKValueError – Invalid EC curve name.

spsdk.crypto.keys_management.save_ecc_private_key(ec_private_key, file_path, password=None, encoding=<Encoding.PEM: 'PEM'>)

Save the ECC private key to the given file.

Parameters
  • ec_private_key (EllipticCurvePrivateKey) – ECC private key to be saved

  • file_path (str) – path to the file, where the key will be stored

  • password (Optional[str]) – password to private key; None to store without password

  • encoding (Encoding) – encoding type, default is PEM

Return type

None

spsdk.crypto.keys_management.save_ecc_public_key(ec_public_key, file_path, encoding=<Encoding.PEM: 'PEM'>)

Save the ECC public key to the file.

Parameters
  • ec_public_key (EllipticCurvePublicKey) – public key to be saved

  • file_path (str) – path to the file, where the key will be stored

  • encoding (Encoding) – encoding type, default is PEM

Return type

None

spsdk.crypto.keys_management.save_rsa_private_key(private_key, file_path, password=None, encoding=<Encoding.PEM: 'PEM'>)

Save the RSA private key to the given file.

Parameters
  • private_key (RSAPrivateKey) – RSA private key to be saved

  • file_path (str) – path to the file, where the key will be stored

  • password (Optional[str]) – password to private key; None to store without password

  • encoding (Encoding) – encoding type, default is PEM

Return type

None

spsdk.crypto.keys_management.save_rsa_public_key(public_key, file_path, encoding=<Encoding.PEM: 'PEM'>)

Save the RSA public key to the file.

Parameters
  • public_key (RSAPublicKey) – public key to be saved

  • file_path (str) – path to the file, where the key will be stored

  • encoding (Encoding) – encoding type, default is PEM

Return type

None

Crypto module certificate generation

Module for certificate management (generating certificate, validating certificate, chains).

spsdk.crypto.certificate_management.convert_certificate_into_bytes(certificate, encoding=<Encoding.PEM: 'PEM'>)

Convert a certificate into bytes.

Parameters
  • certificate (Certificate) – certificate item

  • encoding (Encoding) – encoding type

Return type

bytes

Returns

certificate in bytes form

spsdk.crypto.certificate_management.generate_certificate(subject, issuer, subject_public_key, issuer_private_key, serial_number=None, if_ca=True, duration=3650, path_length=2)

Generate certificate.

Parameters
  • subject (Name) – subject name that the CA issues the certificate to

  • issuer (Name) – issuer name that issued the certificate

  • subject_public_key (Union[EllipticCurvePublicKey, RSAPublicKey]) – public key of the subject (RSA or ECC)

  • issuer_private_key (Union[EllipticCurvePrivateKey, RSAPrivateKey]) – private key of the issuer (RSA or ECC)

  • serial_number (Optional[int]) – certificate serial number; if not specified, a random serial number will be set

  • if_ca (bool) – True if the certificate can sign certificates (CA flag set), False otherwise

  • duration (int) – how long the certificate will be valid (in days)

  • path_length (int) – The maximum path length for certificates subordinate to this certificate.

Return type

Certificate

Returns

certificate

spsdk.crypto.certificate_management.generate_name_struct(common_name, country)

Build the issuer/subject distinguished name.

Parameters
  • common_name (str) – string representing name

  • country (str) – string representing country

Return type

Name

Returns

ordered list of attributes of certificate

spsdk.crypto.certificate_management.get_public_key_from_certificate(certificate)

Get the public key from a certificate.

Parameters

certificate (Certificate) – certificate item

Return type

RSAPublicKey

Returns

RSA public key

spsdk.crypto.certificate_management.is_ca_flag_set(certificate)

Check if CA flag is set in certificate.

Parameters

certificate (Certificate) – Certificate to be checked

Return type

bool

Returns

True/False depending on whether the CA flag is set

spsdk.crypto.certificate_management.save_crypto_item(item, file_path, encoding_type=<Encoding.PEM: 'PEM'>)

Save the certificate/CSR into file.

Parameters
  • item (Union[Certificate, CertificateSigningRequest]) – certificate or certificate signing request

  • file_path (str) – path to the file where item will be stored

  • encoding_type (Encoding) – encoding type (PEM or DER)

Return type

None

spsdk.crypto.certificate_management.validate_ca_flag_in_cert_chain(chain_list)

Validate CA flag in certification chain.

Parameters

chain_list (List[Certificate]) – list of certificates in the chain

Return type

bool

Returns

True/False depending on whether the CA flag is set

spsdk.crypto.certificate_management.validate_certificate(subject_certificate, issuer_certificate)

Validate certificate.

Parameters
  • subject_certificate (Certificate) – subject’s certificate

  • issuer_certificate (Certificate) – issuer’s certificate

Return type

bool

Returns

True/False depending on whether the certificate is valid

spsdk.crypto.certificate_management.validate_certificate_chain(chain_list)

Validate chain of certificates.

Parameters

chain_list (list) – list of certificates in chain

Return type

list

Returns

list of boolean values corresponding to the validation of each certificate in the chain

Raises

SPSDKError – When chain has less than two certificates
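The following is an added example, not code from the SPSDK project: a standard-library-only model of the checks behind generate_certificate's if_ca/path_length parameters, is_ca_flag_set and validate_ca_flag_in_cert_chain. It parses the DER value of an X.509 BasicConstraints extension and applies the CA-flag and pathLenConstraint rules to a chain ordered leaf first, root last; the DER bytes, the helper names and the chain ordering are assumptions of this example.

```python
# Added example (not SPSDK code). BasicConstraints ::= SEQUENCE {
#   cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER (0..MAX) OPTIONAL }
from typing import List, Optional, Tuple

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV (short or long definite length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_basic_constraints(der: bytes) -> Tuple[bool, Optional[int]]:
    """Return (ca, path_len) from a DER-encoded BasicConstraints extension value."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    ca, path_len, pos = False, None, 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x01:                      # BOOLEAN cA; DER encodes TRUE as 0xFF
            ca = val == b"\xff"
        elif tag == 0x02:                    # INTEGER pathLenConstraint
            path_len = int.from_bytes(val, "big", signed=True)
    if path_len is not None and not ca:      # RFC 5280: pathLen only meaningful on CA certs
        raise ValueError("pathLenConstraint present but cA is FALSE")
    return ca, path_len

def validate_ca_path(chain: List[Tuple[bool, Optional[int]]]) -> bool:
    """chain[i] = (ca, path_len) of certificate i, leaf first, root last.
    Every issuer (all but the leaf) must carry the CA flag, and no CA may have
    more subordinate CAs beneath it than its pathLenConstraint allows."""
    if len(chain) < 2:
        raise ValueError("chain needs at least two certificates")
    for i, (ca, path_len) in enumerate(chain[1:], start=1):
        if not ca:
            return False
        subordinate_cas = i - 1              # CA certs between this one and the leaf
        if path_len is not None and subordinate_cas > path_len:
            return False
    return True

def validate_ca_path_der(ders: List[bytes]) -> bool:
    """Same check, taking raw BasicConstraints DER values instead of parsed tuples."""
    return validate_ca_path([parse_basic_constraints(d) for d in ders])

# Constructed DER values: a CA with pathLen 2 (generate_certificate's defaults), a CA with
# no pathLen, and an empty SEQUENCE (cA defaults to FALSE), i.e. an end-entity certificate.
ROOT_BC = bytes.fromhex("3006" "0101ff" "020102")
INTERMEDIATE_BC = bytes.fromhex("3003" "0101ff")
LEAF_BC = bytes.fromhex("3000")
```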

Interface for all potential signature providers

SignatureProvider is an interface for all potential signature providers.

Each concrete signature provider needs to implement:

  • sign(data: bytes) -> bytes

  • info() -> str

class spsdk.crypto.signature_provider.PlainFileSP(file_path, password='', encoding='PEM', hash_alg=None)

Bases: spsdk.crypto.signature_provider.SignatureProvider

PlainFileSP is a SignatureProvider implementation that uses plain local files.

Initialize the plain file signature provider.

Parameters
  • file_path (str) – Path to the private key file

  • password (str) – Password in case of an encrypted private key file, defaults to ‘’

  • encoding (str) – Private key file encoding, defaults to ‘PEM’

  • hash_alg (Optional[str]) – Hash for the signature, defaults to ‘sha256’

info()

Return basic info about the signature provider.

Return type

str

sign(data)

Return the signature for data.

Return type

Optional[bytes]

property signature_length

Return length of the signature.

Return type

int

sp_type = 'file'

class spsdk.crypto.signature_provider.SignatureProvider

Bases: abc.ABC

Abstract class (Interface) for all signature providers.

classmethod create(create_params)

Create a concrete instance of a signature provider.

Return type

Optional[SignatureProvider]

classmethod get_types()

Return a list of all available signature provider types.

Return type

List[str]

abstract info()

Provide information about the signature provider.

Return type

str

abstract sign(data)

Return signature for data.

Return type

Optional[bytes]

abstract property signature_length

Return length of the signature.

Return type

int

sp_type = 'INVALID'

Crypto module loading helper functions

Loading methods for keys/certificates/CSR.

spsdk.crypto.loaders.extract_public_key(file_path, password)

Extract any kind of public key from a file that contains a certificate, private key or public key.

Raises

SPSDKError – Raised when file can not be loaded

Return type

Union[DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey, Ed448PublicKey]

Returns

public key of any type

spsdk.crypto.loaders.extract_public_keys(secret_files, password)

Extract any kind of public key from files that contain a certificate, private key or public key.

Return type

List[Union[DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey, Ed448PublicKey]]

spsdk.crypto.loaders.generic_load(file_path, inner_fun)

General loading of an item.

Parameters
  • file_path (str) – path to the file where the item is stored

  • inner_fun (Callable) – function that determines what will be loaded

Return type

Any

Returns

data stored in the file

spsdk.crypto.loaders.load_certificate(file_path, encoding=None)

Load the certificate from file.

Parameters
  • file_path (str) – path to file, where certificate is stored

  • encoding (Optional[Encoding]) – type of encoding

Return type

Certificate

Returns

Certificate (from cryptography library)

spsdk.crypto.loaders.load_certificate_as_bytes(file_path)

Load certificate from file in PEM/DER format.

Converts the certificate into DER format and serializes it into bytes.

Parameters

file_path (str) – path to certificate file.

Return type

bytes

Returns

certificate in der format serialized into bytes.

spsdk.crypto.loaders.load_private_key(file_path, password=None, encoding=None)

Load private key from file.

Parameters
  • file_path (str) – path to file, where private key is stored

  • password (Optional[bytes]) – password for key

  • encoding (Optional[Encoding]) – encoding type of key

Return type

Union[Ed25519PrivateKey, Ed448PrivateKey, RSAPrivateKey, DSAPrivateKey, EllipticCurvePrivateKey]

Returns

private key of any supported type (see return type)

spsdk.crypto.loaders.load_public_key(file_path, encoding=None)

Load the public key from file.

Parameters
  • file_path (str) – path to file, where public key is stored

  • encoding (Optional[Encoding]) – encoding type of key

Return type

Union[DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey, Ed448PublicKey]

Returns

public key of any supported type (see return type)