Miscellaneous ¶

Contents

Miscellaneous

RNG, Digest, Creating Objects ¶

PKCS11 Interface to the following functions:

c_generate_random
c_seed_random
c_digest
c_digestkey
c_create_object
c_set_ped_id (CA_ function)
c_get_ped_id (CA_ function)

pycryptoki.misc.c_generate_random(h_session, length)[source]¶

Generates a sequence of random numbers

Parameters:	h_session (int) – Session handle length (int) – The length in bytes of the random number sequence
Returns:	(retcode, A string of random data)
Return type:	tuple

pycryptoki.misc.c_generate_random_ex(h_session, length)¶

Executes c_generate_random(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.misc.c_seed_random(h_session, seed)[source]¶

Seeds the random number generator

Parameters:	h_session (int) – Session handle seed (bytes) – A python string of some seed
Returns:	retcode
Return type:	int

pycryptoki.misc.c_seed_random_ex(h_session, seed)¶

Executes c_seed_random(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.misc.c_digest(h_session, data_to_digest, digest_flavor, mechanism=None, output_buffer=None)[source]¶

Digests some data

Parameters:	h_session (int) – Session handle data_to_digest (bytes) – The data to digest, either a string or a list of strings. If this is a list a multipart operation will be used digest_flavor (int) – The flavour of the mechanism to digest (MD2, SHA-1, HAS-160, SHA224, SHA256, SHA384, SHA512) mechanism – See the `parse_mechanism()` function for possible values. If None will use digest flavor. output_buffer (list\|int) – Integer or list of integers that specify a size of output buffer to use for an operation. By default will query with NULL pointer buffer to get required size of buffer.
Returns:	(retcode, a python string of the digested data)
Return type:	tuple

pycryptoki.misc.c_digest_ex(h_session, data_to_digest, digest_flavor, mechanism=None, output_buffer=None)¶

Executes c_digest(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.misc.c_digestkey(h_session, h_key, digest_flavor, mechanism=None)[source]¶

Digest a key

Parameters:	h_session (int) – Session handle h_key (int) – Key to digest digest_flavor (int) – Digest flavor mechanism – See the `parse_mechanism()` function for possible values. If None will use digest flavor.

pycryptoki.misc.c_digestkey_ex(h_session, h_key, digest_flavor, mechanism=None)¶

Executes c_digestkey(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.misc.c_create_object(h_session, template)[source]¶

Creates an object based on a given python template

Parameters:	h_session (int) – Session handle template (dict) – The python template which the object will be based on
Returns:	(retcode, the handle of the object)
Return type:	tuple

pycryptoki.misc.c_create_object_ex(h_session, template)¶

Executes c_create_object(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.misc.c_set_ped_id(slot, id)[source]¶

Set the PED ID for the given slot.

Parameters:	slot – slot number id – PED ID to use
Returns:	The result code

pycryptoki.misc.c_set_ped_id_ex(slot, id)¶

Executes c_set_ped_id(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.misc.c_get_ped_id(slot)[source]¶

Get the PED ID for the given slot.

Parameters:	slot – slot number
Returns:	The result code and ID

pycryptoki.misc.c_get_ped_id_ex(slot)¶

Executes c_get_ped_id(), and checks the retcode; raising an exception if the return code is not CKR_OK.

Find Objects, Attribute Setting/Getting ¶

Functions for dealing with object attributes

pycryptoki.object_attr_lookup.c_find_objects(h_session, template, num_entries)[source]¶

Calls c_find_objects and c_find_objects_init to get a python dictionary of the objects found.

Parameters:	h_session (int) – Session handle template – A python dictionary of the object template to look for num_entries – The max number of entries to return
Returns:	Returns a list of handles of objects found

pycryptoki.object_attr_lookup.c_find_objects_ex(h_session, template, num_entries)¶

Executes c_find_objects(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.object_attr_lookup.c_get_attribute_value(h_session, h_object, template)[source]¶

Calls C_GetAttrributeValue to get an attribute value based on a python template

Parameters:	h_session (int) – Session handle h_object – The handle of the object to get attributes for template – A python dictionary representing the template of the attributes to be retrieved
Returns:	A python dictionary representing the attributes returned from the HSM/library

pycryptoki.object_attr_lookup.c_get_attribute_value_ex(h_session, h_object, template)¶

Executes c_get_attribute_value(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.object_attr_lookup.c_set_attribute_value(h_session, h_object, template)[source]¶

Calls C_SetAttributeValue to set an attribute value based on a python template

Parameters:	h_session (int) – Session handle h_object – The handle of the object to get attributes for template – A python dictionary representing the template of the attributes to be written
Returns:	A python dictionary representing the attributes returned from the HSM/library

pycryptoki.object_attr_lookup.c_set_attribute_value_ex(h_session, h_object, template)¶

Executes c_set_attribute_value(), and checks the retcode; raising an exception if the return code is not CKR_OK.

HSM Management ¶

Methods responsible for pycryptoki ‘hsm management’ set of commands.

pycryptoki.hsm_management.c_performselftest(slot, test_type, input_data, input_data_len)[source]¶

Test: Performs a self test for specified test type on a given slot.

Parameters:

slot – slot number
test_type – type of test CK_ULONG
input_data – pointer to input data CK_BYTE_PTR
input_data_len – input data length CK_ULONG

Returns:

the result code

[CK_SLOT_ID, CK_ULONG, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR]

pycryptoki.hsm_management.c_performselftest_ex(slot, test_type, input_data, input_data_len)¶

Executes c_performselftest(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.hsm_management.ca_settokencertificatesignature(h_session, access_level, customer_id, pub_template, signature, signature_len)[source]¶

Completes the installation of a certificate on a token. The caller must supply a public key and a signature for token certificate. The public key is provided through the template; it must contain a key type, a modulus and a public exponent.

Parameters:	h_session (int) – Session handle access_level – the access level customer_id – the customer ID pub_template – the public template signature – the signature signature_len – the length in bytes of the signature
Returns:	the result code

pycryptoki.hsm_management.ca_settokencertificatesignature_ex(h_session, access_level, customer_id, pub_template, signature, signature_len)¶

Executes ca_settokencertificatesignature(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.hsm_management.ca_hainit(h_session, h_key)[source]¶

Creates a login key pair on the primary token.

Parameters:	h_session (int) – Session handle h_key – the login private key
Returns:	the result code

pycryptoki.hsm_management.ca_hainit_ex(h_session, h_key)¶

Executes ca_hainit(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.hsm_management.ca_createloginchallenge(h_session, user_type, challenge)[source]¶

Creates a login challenge for the given user.

Parameters:	h_session (int) – Session handle user_type – user type challenge – challenge
Returns:	the result code

pycryptoki.hsm_management.ca_createloginchallenge_ex(h_session, user_type, challenge)¶

Executes ca_createloginchallenge(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.hsm_management.ca_initializeremotepedvector(h_session)[source]¶

Initializes a remote PED vector

Parameters:	h_session (int) – Session handle
Returns:	the result code

pycryptoki.hsm_management.ca_initializeremotepedvector_ex(h_session)¶

Executes ca_initializeremotepedvector(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.hsm_management.ca_deleteremotepedvector(h_session)[source]¶

Deletes a remote PED vector

Parameters:	h_session (int) – Session handle
Returns:	the result code

pycryptoki.hsm_management.ca_deleteremotepedvector_ex(h_session)¶

Executes ca_deleteremotepedvector(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.hsm_management.ca_mtkrestore(slot)[source]¶

Restore the MTK

Parameters:	slot – slot number
Returns:	the result code

pycryptoki.hsm_management.ca_mtkrestore_ex(slot)¶

Executes ca_mtkrestore(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.hsm_management.ca_mtkresplit(slot)[source]¶

Resplit the MTK

Parameters:	slot – slot number
Returns:	the result code

pycryptoki.hsm_management.ca_mtkresplit_ex(slot)¶

Executes ca_mtkresplit(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.hsm_management.ca_mtkzeroize(slot)[source]¶

Zeroize the MTK

Parameters:	slot – slot number
Returns:	the result code

pycryptoki.hsm_management.ca_mtkzeroize_ex(slot)¶

Executes ca_mtkzeroize(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.hsm_management.ca_set_hsm_policy(h_session, policy_id, policy_val)[source]¶

Sets the HSM policies by calling CA_SetHSMPolicy

Parameters:	h_session (int) – Session handle policy_id – The ID of the policy being set policy_val – The value of the policy being set
Returns:	The result code

pycryptoki.hsm_management.ca_set_hsm_policy_ex(h_session, policy_id, policy_val)¶

Executes ca_set_hsm_policy(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.hsm_management.ca_set_hsm_policies(h_session, policies)[source]¶

Set multiple HSM policies.

Parameters:	h_session (int) – Session handle policies – dict of policy ID ints and value ints
Returns:	result code

pycryptoki.hsm_management.ca_set_hsm_policies_ex(h_session, policies)¶

Executes ca_set_hsm_policies(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.hsm_management.ca_set_destructive_hsm_policy(h_session, policy_id, policy_val)[source]¶

Sets the destructive HSM policies by calling CA_SetDestructiveHSMPolicy

Parameters:	h_session (int) – Session handle policy_id – The ID of the policy being set policy_val – The value of the policy being set
Returns:	The result code

pycryptoki.hsm_management.ca_set_destructive_hsm_policy_ex(h_session, policy_id, policy_val)¶

Executes ca_set_destructive_hsm_policy(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.hsm_management.ca_set_destructive_hsm_policies(h_session, policies)[source]¶

Set multiple HSM policies.

Parameters:	h_session (int) – Session handle policies – dict of policy ID ints and value ints
Returns:	result code

pycryptoki.hsm_management.ca_set_destructive_hsm_policies_ex(h_session, policies)¶

Executes ca_set_destructive_hsm_policies(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.hsm_management.ca_get_hsm_capability_set(slot)[source]¶

Get the capabilities of the given slot.

Parameters:	slot (int) – Target slot number
Returns:	retcode, {id: val} dict of capabilities (None if command failed)

pycryptoki.hsm_management.ca_get_hsm_capability_set_ex(slot)¶

Executes ca_get_hsm_capability_set(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.hsm_management.ca_get_hsm_capability_setting(slot, capability_id)[source]¶

Get the value of a single capability

Parameters:	slot – slot ID of slot to query capability_id – capability ID
Returns:	result code, CK_ULONG representing capability active or not

pycryptoki.hsm_management.ca_get_hsm_capability_setting_ex(slot, capability_id)¶

Executes ca_get_hsm_capability_setting(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.hsm_management.ca_get_hsm_policy_set(slot)[source]¶

Get the policies of the given slot.

Parameters:	slot (int) – Target slot number
Returns:	retcode, {id: val} dict of policies (None if command failed)

pycryptoki.hsm_management.ca_get_hsm_policy_set_ex(slot)¶

Executes ca_get_hsm_policy_set(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.hsm_management.ca_get_hsm_policy_setting(slot, policy_id)[source]¶

Get the value of a single policy

Parameters:	slot – slot ID of slot to query policy_id – policy ID
Returns:	result code, CK_ULONG representing policy active or not

pycryptoki.hsm_management.ca_get_hsm_policy_setting_ex(slot, policy_id)¶

Executes ca_get_hsm_policy_setting(), and checks the retcode; raising an exception if the return code is not CKR_OK.

Audit Functions ¶

Methods responsible for managing a user’s session and login/c_logout

pycryptoki.audit_handling.ca_init_audit(slot, audit_pin, audit_label)[source]¶

Parameters:	slot – audit_pin – audit_label –

pycryptoki.audit_handling.ca_init_audit_ex(slot, audit_pin, audit_label)¶

Executes ca_init_audit(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.audit_handling.ca_time_sync(h_session, ultime)[source]¶

Parameters:	h_session (int) – Session handle ultime –

pycryptoki.audit_handling.ca_time_sync_ex(h_session, ultime)¶

Executes ca_time_sync(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.audit_handling.ca_get_time(h_session)[source]¶

Parameters:	h_session (int) – Session handle

pycryptoki.audit_handling.ca_get_time_ex(h_session)¶

Executes ca_get_time(), and checks the retcode; raising an exception if the return code is not CKR_OK.

Backup Functions ¶

Backup related commands

pycryptoki.backup.ca_open_secure_token(h_session, storage_path, dev_ID, mode)[source]¶

Parameters:	h_session (int) – Session handle storage_path – dev_ID – mode –

pycryptoki.backup.ca_open_secure_token_ex(h_session, storage_path, dev_ID, mode)¶

Executes ca_open_secure_token(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.backup.ca_close_secure_token(h_session, h_ID)[source]¶

Parameters:	h_session (int) – Session handle h_ID –

pycryptoki.backup.ca_close_secure_token_ex(h_session, h_ID)¶

Executes ca_close_secure_token(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.backup.ca_extract(h_session, mechanism)[source]¶

Parameters:	h_session (int) – Session handle mechanism – See the `parse_mechanism()` function for possible values.

pycryptoki.backup.ca_extract_ex(h_session, mechanism)¶

Executes ca_extract(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.backup.ca_insert(h_session, mechanism)[source]¶

Parameters:	h_session (int) – Session handle mechanism – See the `parse_mechanism()` function for possible values.

pycryptoki.backup.ca_insert_ex(h_session, mechanism)¶

Executes ca_insert(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.backup.ca_sim_extract(h_session, key_handles, authform, auth_secrets=None, subset_size=0, delete_after_extract=False)[source]¶

Extract multiple keys to a wrapped blob. The returned blob can then be written into a file.

Parameters:

h_session (int) – Session handle
key_handles (list[int]) – List of key handles to extract
authform (int) – Type of authentication to use. See pycryptoki.backup.SIM_AUTH for details
auth_secrets (list(str)) – Authorization secrets to use (Length will correspond to the N value in ckdemo)
subset_size (int) – Subset size required for key use (Corresponds to the M value in ckdemo)
delete_after_extract (bool) – If true, will destroy the original keys after they have been extracted.

Returns:

retcode, blob_data tuple.

pycryptoki.backup.ca_sim_extract_ex(h_session, key_handles, authform, auth_secrets=None, subset_size=0, delete_after_extract=False)¶

Executes ca_sim_extract(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.backup.ca_sim_insert(h_session, blob_data, authform, auth_secrets=None)[source]¶

Insert keys into the HSM from blob data that was wrapped off using SIM.

Parameters:	h_session (int) – Session handle blob_data (str) – Read in raw wrapped data. Typically read in from a file. authform (int) – Type of authentication to use. See `pycryptoki.backup.SIM_AUTH` for details auth_secrets (list[str]) – Authorization secrets to use (Length will correspond to the `N` value in ckdemo)
Returns:	retcode, keys tuple, where `keys` is a list of integers.

pycryptoki.backup.ca_sim_insert_ex(h_session, blob_data, authform, auth_secrets=None)¶

Executes ca_sim_insert(), and checks the retcode; raising an exception if the return code is not CKR_OK.

pycryptoki.backup.ca_sim_multisign(h_session, blob_data, data_to_sign, mechanism, authform, auth_secrets=None)[source]¶

Sign data using keys that were extracted to a SIM blob.

Parameters:

h_session (int) – Session handle
blob_data (str) – Read in raw wrapped key data. Typically read in from a file.
data_to_sign – List of bytestring data to sign
mechanism – Mechanism to use with the Sign operation
authform (int) – Type of authentication to use. See pycryptoki.backup.SIM_AUTH for details
auth_secrets (list[str]) – Authorization secrets to use (Length will correspond to the N value in ckdemo)

Returns:

retcode, signature list

pycryptoki.backup.ca_sim_multisign_ex(h_session, blob_data, data_to_sign, mechanism, authform, auth_secrets=None)¶

Executes ca_sim_multisign(), and checks the retcode; raising an exception if the return code is not CKR_OK.

Miscellaneous¶

RNG, Digest, Creating Objects¶

Find Objects, Attribute Setting/Getting¶

HSM Management¶

Audit Functions¶

Backup Functions¶

Miscellaneous ¶

RNG, Digest, Creating Objects ¶

Find Objects, Attribute Setting/Getting ¶

HSM Management ¶

Audit Functions ¶

Backup Functions ¶