Crypto Module API
The Crypto Module provides basic key and certificate operations.
Crypto module general information
Module for crypto operations (certificate and key management).
It also includes SignatureProvider, an interface for all potential signature providers.
It provides the following functionality:
For key management:
- generating an RSA private key (size and exponent as parameters)
- generating an RSA public key
- saving an RSA private key to a file
- saving an RSA public key to a file
- generating an ECC private key (curve name as parameter)
- generating an ECC public key
- saving an ECC private key to a file
- saving an ECC public key to a file
For certificate management:
- generating an x.509 certificate
- validating a certificate
- validating a chain of certificates
- returning the public key from a given certificate
- converting a certificate into bytes
- saving a certificate to a file
For general purpose:
- loading a public key from a file
- loading a private key from a file
- loading an x.509 certificate from a file
Crypto module key generation
Module for key generation and saving keys to file (RSA and ECC).
- class spsdk.crypto.keys_management.CurveName(value)
Bases: str, enum.Enum
Supported ECC key types.
- BrainpoolP256R1 = 'brainpoolP256r1'
- BrainpoolP384R1 = 'brainpoolP384r1'
- BrainpoolP512R1 = 'brainpoolP512r1'
- PRIME192V1 = 'prime192v1'
- PRIME256V1 = 'prime256v1'
- SECP192R1 = 'secp192r1'
- SECP224R1 = 'secp224r1'
- SECP256K1 = 'secp256k1'
- SECP256R1 = 'secp256r1'
- SECP384R1 = 'secp384r1'
- SECP521R1 = 'secp521r1'
- SECT163K1 = 'sect163k1'
- SECT163R2 = 'sect163r2'
- SECT233K1 = 'sect233k1'
- SECT233R1 = 'sect233r1'
- SECT283K1 = 'sect283k1'
- SECT283R1 = 'sect283r1'
- SECT409K1 = 'sect409k1'
- SECT409R1 = 'sect409r1'
- SECT571K1 = 'sect571k1'
- SECT571R1 = 'sect571r1'
- spsdk.crypto.keys_management.generate_ecc_private_key(curve_name)
Generate ECC private key.
- Parameters
curve_name (str) – name of the curve
- Return type
EllipticCurvePrivateKey
- Returns
ECC private key
- spsdk.crypto.keys_management.generate_ecc_public_key(private_key)
Generate ECC public key.
- Parameters
private_key (EllipticCurvePrivateKey) – ECC private key
- Return type
EllipticCurvePublicKey
- Returns
ECC public key
- spsdk.crypto.keys_management.generate_rsa_private_key(key_size=2048, exponent=65537)
Generate RSA private key.
- Parameters
key_size (int) – key size in bits; must be >= 512
exponent (int) – public exponent; must be >= 3 and odd
- Return type
RSAPrivateKey
- Returns
RSA private key with serialization
- spsdk.crypto.keys_management.generate_rsa_public_key(private_key)
Generate RSA public key.
- Parameters
private_key (RSAPrivateKey) – private key used for public key generation
- Return type
RSAPublicKey
- Returns
RSA public key
- spsdk.crypto.keys_management.get_ec_curve_object(name)
Get the EC curve object by its name.
- Parameters
name (str) – name of the EC curve
- Return type
EllipticCurve
- Returns
EC curve object
- Raises
SPSDKValueError – invalid EC curve name
- spsdk.crypto.keys_management.save_ecc_private_key(ec_private_key, file_path, password=None, encoding=Encoding.PEM)
Save the ECC private key to the given file.
- Parameters
ec_private_key (EllipticCurvePrivateKey) – ECC private key to be saved
file_path (str) – path to the file where the key will be stored
password (Optional[str]) – password for the private key; None to store without a password
encoding (Encoding) – encoding type, default is PEM
- Return type
None
- spsdk.crypto.keys_management.save_ecc_public_key(ec_public_key, file_path, encoding=Encoding.PEM)
Save the ECC public key to the file.
- Parameters
ec_public_key (EllipticCurvePublicKey) – public key to be saved
file_path (str) – path to the file where the key will be stored
encoding (Encoding) – encoding type, default is PEM
- Return type
None
- spsdk.crypto.keys_management.save_rsa_private_key(private_key, file_path, password=None, encoding=Encoding.PEM)
Save the RSA private key to the given file.
- Parameters
private_key (RSAPrivateKey) – RSA private key to be saved
file_path (str) – path to the file where the key will be stored
password (Optional[str]) – password for the private key; None to store without a password
encoding (Encoding) – encoding type, default is PEM
- Return type
None
- spsdk.crypto.keys_management.save_rsa_public_key(public_key, file_path, encoding=Encoding.PEM)
Save the RSA public key to the file.
- Parameters
public_key (RSAPublicKey) – public key to be saved
file_path (str) – path to the file where the key will be stored
encoding (Encoding) – encoding type, default is PEM
- Return type
None
Crypto module certificate generation
Module for certificate management (generating certificates, validating certificates, chains).
- spsdk.crypto.certificate_management.convert_certificate_into_bytes(certificate, encoding=Encoding.PEM)
Convert a certificate into bytes.
- Parameters
certificate (Certificate) – certificate item
encoding (Encoding) – encoding type
- Return type
bytes
- Returns
certificate in bytes form
- spsdk.crypto.certificate_management.generate_certificate(subject, issuer, subject_public_key, issuer_private_key, serial_number=None, if_ca=True, duration=3650, path_length=2)
Generate certificate.
- Parameters
subject (Name) – subject name that the CA issues the certificate to
issuer (Name) – issuer name that issued the certificate
subject_public_key (Union[RSAPublicKey, EllipticCurvePublicKey]) – public key of the subject (RSA or ECC)
issuer_private_key (Union[RSAPrivateKey, EllipticCurvePrivateKey]) – private key of the issuer (RSA or ECC)
serial_number (Optional[int]) – certificate serial number; if not specified, a random serial number is set
if_ca (bool) – True if the certificate can sign certificates, False otherwise
duration (int) – how long the certificate will be valid (in days)
path_length (int) – the maximum path length for certificates subordinate to this certificate
- Return type
Certificate
- Returns
certificate
- spsdk.crypto.certificate_management.generate_name(config)
Generate x509 Name.
- Parameters
config (Union[List[Dict[str, str]], Dict[str, Union[str, List[str]]]]) – subject/issuer description
- Return type
Name
- Returns
x509.Name
- spsdk.crypto.certificate_management.get_public_key_from_certificate(certificate)
Get the public key from a certificate.
- Parameters
certificate (Certificate) – certificate item
- Return type
Union[RSAPublicKey, EllipticCurvePublicKey]
- Returns
RSA or ECC public key
- spsdk.crypto.certificate_management.is_ca_flag_set(certificate)
Check if the CA flag is set in the certificate.
- Parameters
certificate (Certificate) – certificate to be checked
- Return type
bool
- Returns
True/False depending on whether the CA flag is set
- spsdk.crypto.certificate_management.save_crypto_item(item, file_path, encoding_type=Encoding.PEM)
Save the certificate/CSR into a file.
- Parameters
item (Union[Certificate, CertificateSigningRequest]) – certificate or certificate signing request
file_path (str) – path to the file where the item will be stored
encoding_type (Encoding) – encoding type (PEM or DER)
- Return type
None
- spsdk.crypto.certificate_management.validate_ca_flag_in_cert_chain(chain_list)
Validate the CA flag in a certification chain.
- Parameters
chain_list (List[Certificate]) – list of certificates in the chain
- Return type
bool
- Returns
True/False depending on whether the CA flag is set in the chain
- spsdk.crypto.certificate_management.validate_certificate(subject_certificate, issuer_certificate)
Validate certificate.
- Parameters
subject_certificate (Certificate) – subject’s certificate
issuer_certificate (Certificate) – issuer’s certificate
- Raises
SPSDKError – unsupported key type in certificate
- Return type
bool
- Returns
True/False depending on whether the certificate is valid
- spsdk.crypto.certificate_management.validate_certificate_chain(chain_list)
Validate a chain of certificates.
- Parameters
chain_list (list) – list of certificates in the chain
- Return type
list
- Returns
list of boolean values, one per certificate validation in the chain
- Raises
SPSDKError – when the chain has fewer than two certificates
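The chain validation described above, as an added example written directly against the `cryptography` library whose Certificate and key types appear in these signatures (it is not SPSDK's own code): it mirrors generate_certificate, validate_certificate, validate_certificate_chain and validate_ca_flag_in_cert_chain on a constructed three-certificate chain. Assumed here: chain_list is ordered leaf first with each certificate followed by its issuer, RSA signatures use PKCS#1 v1.5, and validate_certificate checks only the signature, not validity dates, name chaining or revocation.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID

def generate_certificate(subject, issuer, subject_public_key, issuer_private_key,
                         if_ca=True, duration=3650, path_length=2):
    """Same parameters as the page's generate_certificate(); subject == issuer yields a self-signed root."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(subject_public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=duration))
            .add_extension(x509.BasicConstraints(ca=if_ca, path_length=path_length if if_ca else None), critical=True)
            .sign(issuer_private_key, hashes.SHA256()))

def validate_certificate(subject_certificate, issuer_certificate):
    """True iff the issuer certificate's public key verifies the subject certificate's signature."""
    key, cert = issuer_certificate.public_key(), subject_certificate
    try:
        if isinstance(key, rsa.RSAPublicKey):
            key.verify(cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(), cert.signature_hash_algorithm)
        elif isinstance(key, ec.EllipticCurvePublicKey):
            key.verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
        else:
            raise TypeError("Unsupported key type in Certificate")
    except InvalidSignature:
        return False
    return True

def validate_certificate_chain(chain_list):
    """Assumed order: leaf first, each certificate followed by its issuer, root last."""
    if len(chain_list) < 2:
        raise ValueError("chain must have at least two certificates")
    return [validate_certificate(chain_list[i], chain_list[i + 1]) for i in range(len(chain_list) - 1)]

def validate_ca_flag_in_cert_chain(chain_list):
    """True only if every certificate in the list carries BasicConstraints ca=True."""
    return all(c.extensions.get_extension_for_class(x509.BasicConstraints).value.ca for c in chain_list)

def build_demo_chain():
    """Constructed demo chain with throwaway keys: ECC root -> RSA sub-CA -> ECC leaf."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    root_key, leaf_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP384R1())
    sub_key = rsa.generate_private_key(65537, 2048)
    root = generate_certificate(name("Demo Root"), name("Demo Root"), root_key.public_key(), root_key)
    sub = generate_certificate(name("Demo Sub CA"), name("Demo Root"), sub_key.public_key(), root_key, path_length=0)
    leaf = generate_certificate(name("Demo Leaf"), name("Demo Sub CA"), leaf_key.public_key(), sub_key, if_ca=False)
    return [leaf, sub, root]
```

For build_demo_chain() the chain validates as [True, True], while validate_ca_flag_in_cert_chain is False because the leaf carries ca=False; skipping the sub-CA so the leaf is checked against the root turns the entry False.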
Interface for all potential signature providers
SignatureProvider is an interface for all potential signature providers.
Each concrete signature provider needs to implement:
- sign(data: bytes) -> bytes
- info() -> str
- class spsdk.crypto.signature_provider.PlainFileSP(file_path, password='', encoding='PEM', hash_alg=None)
Bases: spsdk.crypto.signature_provider.SignatureProvider
PlainFileSP is a SignatureProvider implementation that uses plain local files.
Initialize the plain file signature provider.
- Parameters
file_path (str) – path to the private key file
password (str) – password in case of an encrypted private key file, defaults to ‘’
encoding (str) – private key file encoding, defaults to ‘PEM’
hash_alg (Optional[str]) – hash for the signature, defaults to ‘sha256’
- info()
Return basic info about the signature provider.
- Return type
str
- sign(data)
Return the signature for data.
- Return type
Optional[bytes]
- property signature_length: int
Return the length of the signature.
- Return type
int
- sp_type = 'file'
- class spsdk.crypto.signature_provider.SignatureProvider
Bases: abc.ABC
Abstract class (interface) for all signature providers.
- classmethod create(create_params)
Create a concrete instance of a signature provider.
- Return type
Optional[SignatureProvider]
- classmethod get_types()
Return a list of all available signature provider types.
- Return type
List[str]
- abstract info()
Provide information about the signature provider.
- Return type
str
- abstract sign(data)
Return the signature for data.
- Return type
Optional[bytes]
- abstract property signature_length: int
Return the length of the signature.
- Return type
int
- sp_type = 'INVALID'
Crypto module loading helper functions
Loading methods for keys/certificates/CSR.
- spsdk.crypto.loaders.extract_public_key(file_path, password)
Extract any kind of public key from a file that contains a Certificate, Private Key or Public Key.
- Raises
SPSDKError – raised when the file cannot be loaded
- Return type
Union[RSAPublicKey, EllipticCurvePublicKey]
- Returns
public key of any type
- spsdk.crypto.loaders.extract_public_keys(secret_files, password)
Extract any kind of public key from files that contain a Certificate, Private Key or Public Key.
- Return type
List[Union[RSAPublicKey, EllipticCurvePublicKey]]
- spsdk.crypto.loaders.generic_load(file_path, inner_fun)
General loading of an item.
- Parameters
file_path (str) – path to the file where the item is stored
inner_fun (Callable) – function that determines what will be loaded
- Return type
Any
- Returns
data stored in the file
- spsdk.crypto.loaders.load_certificate(file_path, encoding=None)
Load the certificate from a file.
- Parameters
file_path (str) – path to the file where the certificate is stored
encoding (Optional[Encoding]) – type of encoding
- Return type
Certificate
- Returns
Certificate (from the cryptography library)
- spsdk.crypto.loaders.load_certificate_as_bytes(file_path)
Load a certificate from a file in PEM/DER format.
Converts the certificate into DER format and serializes it into bytes.
- Parameters
file_path (str) – path to the certificate file
- Return type
bytes
- Returns
certificate in DER format serialized into bytes
- spsdk.crypto.loaders.load_private_key(file_path, password=None, encoding=None)
Load a private key from a file.
- Parameters
file_path (str) – path to the file where the private key is stored
password (Optional[bytes]) – password for the key
encoding (Optional[Encoding]) – encoding type of the key
- Return type
Union[RSAPrivateKey, EllipticCurvePrivateKey]
- Returns
RSA or ECC private key
- spsdk.crypto.loaders.load_public_key(file_path, encoding=None)
Load the public key from a file.
- Parameters
file_path (str) – path to the file where the public key is stored
encoding (Optional[Encoding]) – encoding type of the key
- Return type
Union[RSAPublicKey, EllipticCurvePublicKey]
- Returns
RSA or ECC public key
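An added illustration of the extract_public_key / load_* autodetection above, again using the `cryptography` library directly rather than SPSDK's loaders: each kind of loader is tried in PEM and then DER form, and the password is only consulted by the private-key loaders. The file names and the password b"demo-pass" are constructed for the demo.

```python
import os
import tempfile
from cryptography import x509
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec

def _load_pem_or_der(data, pem_loader, der_loader, **kwargs):
    """Try the PEM loader, then the DER one: the page's loaders autodetect when encoding=None."""
    for loader in (pem_loader, der_loader):
        try:
            return loader(data, **kwargs)
        except (ValueError, TypeError):  # wrong format, wrong/missing password, or password on a plain key
            continue
    return None

def extract_public_key(file_path, password=None):
    """Public key from a file holding a certificate, a private key or a public key (tried in that order)."""
    with open(file_path, "rb") as f:
        data = f.read()
    cert = _load_pem_or_der(data, x509.load_pem_x509_certificate, x509.load_der_x509_certificate)
    if cert is not None:
        return cert.public_key()
    priv = _load_pem_or_der(data, serialization.load_pem_private_key, serialization.load_der_private_key, password=password)
    if priv is not None:
        return priv.public_key()
    pub = _load_pem_or_der(data, serialization.load_pem_public_key, serialization.load_der_public_key)
    if pub is None:
        raise ValueError(f"{file_path}: not a loadable certificate, private key or public key")
    return pub

def demo_extract():
    """Constructed inputs: one ECC key written as an encrypted PEM private key and as a DER public key."""
    key = ec.generate_private_key(ec.SECP256R1())
    spki = lambda pub: pub.public_bytes(serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    with tempfile.TemporaryDirectory() as tmp:
        priv_path, pub_path = os.path.join(tmp, "key.pem"), os.path.join(tmp, "key.der")
        with open(priv_path, "wb") as f:
            f.write(key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                      serialization.BestAvailableEncryption(b"demo-pass")))
        with open(pub_path, "wb") as f:
            f.write(spki(key.public_key()))
        from_priv = spki(extract_public_key(priv_path, password=b"demo-pass"))
        from_pub = spki(extract_public_key(pub_path))
    return from_priv == spki(key.public_key()) == from_pub
```

Calling extract_public_key on the encrypted key without its password ends in the final ValueError, because the private-key loaders reject it and the public-key loaders cannot parse it.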