tessl/pypi-oscrypto
Cross-platform cryptographic library providing TLS sockets, asymmetric/symmetric encryption, and key operations using OS-native crypto libraries
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-oscrypto@1.3.0index.mddocs/
oscrypto
A compilation-free, always up-to-date Python cryptographic library that works on Windows, macOS, Linux and BSD. oscrypto leverages the operating system's native crypto libraries to provide TLS sockets, asymmetric and symmetric encryption, key generation, signing and verification, and key derivation functions without requiring a compiler.
Package Information
- Package Name: oscrypto
- Language: Python
- Installation:
pip install oscrypto
Core Imports
import oscryptoCommon imports for specific functionality:
from oscrypto import asymmetric, symmetric, tls
from oscrypto.asymmetric import PrivateKey, PublicKey, Certificate
from oscrypto.tls import TLSSocket
from oscrypto.kdf import pbkdf2Basic Usage
import oscrypto
from oscrypto import asymmetric, tls
# Check which backend is being used
backend = oscrypto.backend()
print(f"Using {backend} backend")
# Generate an RSA key pair
public_key, private_key = asymmetric.generate_pair('rsa', bit_size=2048)
# Create a self-signed certificate
certificate = asymmetric.load_certificate(cert_data)
# Establish a TLS connection
socket = tls.TLSSocket('example.com', 443)
socket.write(b'GET / HTTP/1.1\r\nHost: example.com\r\n\r\n')
response = socket.read(1024)
socket.close()
# Symmetric encryption
from oscrypto.symmetric import aes_cbc_pkcs7_encrypt, aes_cbc_pkcs7_decrypt
key = b'sixteen byte key' # 16 bytes for AES-128
plaintext = b'This is a secret message'
ciphertext = aes_cbc_pkcs7_encrypt(key, plaintext)
decrypted = aes_cbc_pkcs7_decrypt(key, ciphertext)Architecture
oscrypto automatically selects the appropriate cryptographic backend based on the operating system:
- Windows: Uses CNG (Vista+) or legacy CryptoAPI (XP) with Secure Channel for TLS
- macOS: Uses Security.framework with Secure Transport for TLS, CommonCrypto for PBKDF2
- Linux/BSD: Uses OpenSSL or LibreSSL for all operations
The library provides a unified API that abstracts platform differences while ensuring all operations use OS-native, automatically-updated crypto implementations.
Capabilities
Backend Configuration
Core system configuration for selecting cryptographic backends and FFI libraries. This allows forcing specific implementations when needed for testing or compatibility.
def backend() -> str: ...
def ffi() -> str: ...
def use_openssl(libcrypto_path: str, libssl_path: str, trust_list_path: str = None) -> None: ...
def use_winlegacy() -> None: ...
def use_ctypes() -> None: ...Asymmetric Cryptography
Comprehensive support for RSA, DSA, and ECDSA operations including key generation, loading, signing, verification, encryption, and decryption. Handles multiple key formats and certificate operations.
def generate_pair(algorithm: str, bit_size: int = None, curve: str = None) -> Tuple[PublicKey, PrivateKey]: ...
def load_private_key(source: Union[str, bytes], password: bytes = None) -> PrivateKey: ...
def load_certificate(source: Union[str, bytes]) -> Certificate: ...
def rsa_pkcs1v15_encrypt(certificate_or_public_key: Union[Certificate, PublicKey], data: bytes) -> bytes: ...
def rsa_pkcs1v15_sign(private_key: PrivateKey, data: bytes, hash_algorithm: str) -> bytes: ...Symmetric Cryptography
Symmetric encryption and decryption using AES, DES, 3DES, RC2, and RC4 algorithms with various modes and padding schemes. All operations use OS-native implementations.
def aes_cbc_pkcs7_encrypt(key: bytes, data: bytes, iv: bytes = None) -> bytes: ...
def aes_cbc_pkcs7_decrypt(key: bytes, data: bytes, iv: bytes = None) -> bytes: ...
def des_cbc_pkcs5_encrypt(key: bytes, data: bytes, iv: bytes = None) -> bytes: ...
def rc4_encrypt(key: bytes, data: bytes) -> bytes: ...TLS Support
Modern TLS socket implementation with certificate verification using OS trust stores, SNI support, session reuse, and strong cipher suites. Provides secure network communications.
class TLSSocket:
def __init__(self, hostname: str, port: int, session: TLSSession = None): ...
def read(self, max_length: int) -> bytes: ...
def write(self, data: bytes) -> None: ...
def close() -> None: ...
class TLSSession:
def __init__(self, protocol: str = None, manual_validation: bool = False): ...Key Derivation Functions
Password-based key derivation using PBKDF1, PBKDF2, and PKCS#12 KDF. Includes automatic iteration calculation for target computation times.
def pbkdf2(hash_algorithm: str, password: bytes, salt: bytes, iterations: int, key_length: int) -> bytes: ...
def pbkdf2_iteration_calculator(hash_algorithm: str, key_length: int, target_ms: int = 100, quiet: bool = False) -> int: ...
def pkcs12_kdf(hash_algorithm: str, password: bytes, salt: bytes, iterations: int, key_length: int, id_: int) -> bytes: ...Trust Store Management
Access and export OS trust store certificates for use with OpenSSL-based code. Provides CA certificate bundles in PEM format.
def get_list() -> List[Certificate]: ...
def get_path() -> str: ...
def clear_cache() -> None: ...Utility Functions
Cryptographic utilities including secure random number generation and constant-time comparison for security-critical operations.
def rand_bytes(length: int) -> bytes: ...
def constant_compare(a: bytes, b: bytes) -> bool: ...Key Management
Parsing and handling of keys and certificates from various formats including DER, PEM, PKCS#8, and PKCS#12.
def parse_certificate(data: bytes) -> Certificate: ...
def parse_private(data: bytes) -> PrivateKey: ...
def parse_public(data: bytes) -> PublicKey: ...
def parse_pkcs12(data: bytes, password: bytes = None) -> Tuple[Certificate, PrivateKey, List[Certificate]]: ...Types
class Certificate:
"""X.509 certificate wrapper with validation and inspection methods."""
class PrivateKey:
"""Private key wrapper supporting RSA, DSA, and ECDSA with signing and decryption methods."""
class PublicKey:
"""Public key wrapper supporting RSA, DSA, and ECDSA with verification and encryption methods."""
class TLSSocket:
"""TLS socket wrapper providing secure network communication."""
class TLSSession:
"""TLS session manager for connection reuse and configuration."""Exceptions
class LibraryNotFoundError(Exception):
"""Raised when trying to find a shared library."""
class SignatureError(Exception):
"""Raised when validating a signature fails."""
class AsymmetricKeyError(Exception):
"""Raised when a key is invalid or unsupported."""
class IncompleteAsymmetricKeyError(AsymmetricKeyError):
"""Raised when a key is missing necessary information."""
class CACertsError(Exception):
"""Raised when exporting CA certs from the OS trust store fails."""
class TLSError(Exception):
"""Base exception for TLS functionality."""
class TLSConnectionError(TLSError):
"""TLS connection error."""
class TLSDisconnectError(TLSConnectionError):
"""TLS disconnect error."""
class TLSGracefulDisconnectError(TLSDisconnectError):
"""TLS graceful disconnect."""
class TLSVerificationError(TLSError):
"""Server certificate verification error during TLS handshake."""