tessl/pypi-oscrypto
Cross-platform cryptographic library providing TLS sockets, asymmetric/symmetric encryption, and key operations using OS-native crypto libraries
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-oscrypto@1.3.00
# oscrypto
1
2
A compilation-free, always up-to-date Python cryptographic library that works on Windows, macOS, Linux and BSD. oscrypto leverages the operating system's native crypto libraries to provide TLS sockets, asymmetric and symmetric encryption, key generation, signing and verification, and key derivation functions without requiring a compiler.
3
4
## Package Information
5
6
- **Package Name**: oscrypto
7
- **Language**: Python
8
- **Installation**: `pip install oscrypto`
9
10
## Core Imports
11
12
```python
13
import oscrypto
14
```
15
16
Common imports for specific functionality:
17
18
```python
19
from oscrypto import asymmetric, symmetric, tls
20
from oscrypto.asymmetric import PrivateKey, PublicKey, Certificate
21
from oscrypto.tls import TLSSocket
22
from oscrypto.kdf import pbkdf2
23
```
24
25
## Basic Usage
26
27
```python
28
import oscrypto
29
from oscrypto import asymmetric, tls
30
31
# Check which backend is being used
32
backend = oscrypto.backend()
33
print(f"Using {backend} backend")
34
35
# Generate an RSA key pair
36
public_key, private_key = asymmetric.generate_pair('rsa', bit_size=2048)
37
38
# Create a self-signed certificate
39
certificate = asymmetric.load_certificate(cert_data)
40
41
# Establish a TLS connection
42
socket = tls.TLSSocket('example.com', 443)
43
socket.write(b'GET / HTTP/1.1\r\nHost: example.com\r\n\r\n')
44
response = socket.read(1024)
45
socket.close()
46
47
# Symmetric encryption
48
from oscrypto.symmetric import aes_cbc_pkcs7_encrypt, aes_cbc_pkcs7_decrypt
49
50
key = b'sixteen byte key' # 16 bytes for AES-128
51
plaintext = b'This is a secret message'
52
ciphertext = aes_cbc_pkcs7_encrypt(key, plaintext)
53
decrypted = aes_cbc_pkcs7_decrypt(key, ciphertext)
54
```
55
56
## Architecture
57
58
oscrypto automatically selects the appropriate cryptographic backend based on the operating system:
59
60
- **Windows**: Uses CNG (Vista+) or legacy CryptoAPI (XP) with Secure Channel for TLS
61
- **macOS**: Uses Security.framework with Secure Transport for TLS, CommonCrypto for PBKDF2
62
- **Linux/BSD**: Uses OpenSSL or LibreSSL for all operations
63
64
The library provides a unified API that abstracts platform differences while ensuring all operations use OS-native, automatically-updated crypto implementations.
65
66
## Capabilities
67
68
### Backend Configuration
69
70
Core system configuration for selecting cryptographic backends and FFI libraries. This allows forcing specific implementations when needed for testing or compatibility.
71
72
```python { .api }
73
def backend() -> str: ...
74
def ffi() -> str: ...
75
def use_openssl(libcrypto_path: str, libssl_path: str, trust_list_path: str = None) -> None: ...
76
def use_winlegacy() -> None: ...
77
def use_ctypes() -> None: ...
78
```
79
80
[Backend Configuration](./backend.md)
81
82
### Asymmetric Cryptography
83
84
Comprehensive support for RSA, DSA, and ECDSA operations including key generation, loading, signing, verification, encryption, and decryption. Handles multiple key formats and certificate operations.
85
86
```python { .api }
87
def generate_pair(algorithm: str, bit_size: int = None, curve: str = None) -> Tuple[PublicKey, PrivateKey]: ...
88
def load_private_key(source: Union[str, bytes], password: bytes = None) -> PrivateKey: ...
89
def load_certificate(source: Union[str, bytes]) -> Certificate: ...
90
def rsa_pkcs1v15_encrypt(certificate_or_public_key: Union[Certificate, PublicKey], data: bytes) -> bytes: ...
91
def rsa_pkcs1v15_sign(private_key: PrivateKey, data: bytes, hash_algorithm: str) -> bytes: ...
92
```
93
94
[Asymmetric Cryptography](./asymmetric.md)
95
96
### Symmetric Cryptography
97
98
Symmetric encryption and decryption using AES, DES, 3DES, RC2, and RC4 algorithms with various modes and padding schemes. All operations use OS-native implementations.
99
100
```python { .api }
101
def aes_cbc_pkcs7_encrypt(key: bytes, data: bytes, iv: bytes = None) -> bytes: ...
102
def aes_cbc_pkcs7_decrypt(key: bytes, data: bytes, iv: bytes = None) -> bytes: ...
103
def des_cbc_pkcs5_encrypt(key: bytes, data: bytes, iv: bytes = None) -> bytes: ...
104
def rc4_encrypt(key: bytes, data: bytes) -> bytes: ...
105
```
106
107
[Symmetric Cryptography](./symmetric.md)
108
109
### TLS Support
110
111
Modern TLS socket implementation with certificate verification using OS trust stores, SNI support, session reuse, and strong cipher suites. Provides secure network communications.
112
113
```python { .api }
114
class TLSSocket:
115
def __init__(self, hostname: str, port: int, session: TLSSession = None): ...
116
def read(self, max_length: int) -> bytes: ...
117
def write(self, data: bytes) -> None: ...
118
def close() -> None: ...
119
120
class TLSSession:
121
def __init__(self, protocol: str = None, manual_validation: bool = False): ...
122
```
123
124
[TLS Support](./tls.md)
125
126
### Key Derivation Functions
127
128
Password-based key derivation using PBKDF1, PBKDF2, and PKCS#12 KDF. Includes automatic iteration calculation for target computation times.
129
130
```python { .api }
131
def pbkdf2(hash_algorithm: str, password: bytes, salt: bytes, iterations: int, key_length: int) -> bytes: ...
132
def pbkdf2_iteration_calculator(hash_algorithm: str, key_length: int, target_ms: int = 100, quiet: bool = False) -> int: ...
133
def pkcs12_kdf(hash_algorithm: str, password: bytes, salt: bytes, iterations: int, key_length: int, id_: int) -> bytes: ...
134
```
135
136
[Key Derivation Functions](./kdf.md)
137
138
### Trust Store Management
139
140
Access and export OS trust store certificates for use with OpenSSL-based code. Provides CA certificate bundles in PEM format.
141
142
```python { .api }
143
def get_list() -> List[Certificate]: ...
144
def get_path() -> str: ...
145
def clear_cache() -> None: ...
146
```
147
148
[Trust Store Management](./trust-store.md)
149
150
### Utility Functions
151
152
Cryptographic utilities including secure random number generation and constant-time comparison for security-critical operations.
153
154
```python { .api }
155
def rand_bytes(length: int) -> bytes: ...
156
def constant_compare(a: bytes, b: bytes) -> bool: ...
157
```
158
159
[Utility Functions](./utility.md)
160
161
### Key Management
162
163
Parsing and handling of keys and certificates from various formats including DER, PEM, PKCS#8, and PKCS#12.
164
165
```python { .api }
166
def parse_certificate(data: bytes) -> Certificate: ...
167
def parse_private(data: bytes) -> PrivateKey: ...
168
def parse_public(data: bytes) -> PublicKey: ...
169
def parse_pkcs12(data: bytes, password: bytes = None) -> Tuple[Certificate, PrivateKey, List[Certificate]]: ...
170
```
171
172
[Key Management](./keys.md)
173
174
## Types
175
176
```python { .api }
177
class Certificate:
178
"""X.509 certificate wrapper with validation and inspection methods."""
179
180
class PrivateKey:
181
"""Private key wrapper supporting RSA, DSA, and ECDSA with signing and decryption methods."""
182
183
class PublicKey:
184
"""Public key wrapper supporting RSA, DSA, and ECDSA with verification and encryption methods."""
185
186
class TLSSocket:
187
"""TLS socket wrapper providing secure network communication."""
188
189
class TLSSession:
190
"""TLS session manager for connection reuse and configuration."""
191
```
192
193
## Exceptions
194
195
```python { .api }
196
class LibraryNotFoundError(Exception):
197
"""Raised when trying to find a shared library."""
198
199
class SignatureError(Exception):
200
"""Raised when validating a signature fails."""
201
202
class AsymmetricKeyError(Exception):
203
"""Raised when a key is invalid or unsupported."""
204
205
class IncompleteAsymmetricKeyError(AsymmetricKeyError):
206
"""Raised when a key is missing necessary information."""
207
208
class CACertsError(Exception):
209
"""Raised when exporting CA certs from the OS trust store fails."""
210
211
class TLSError(Exception):
212
"""Base exception for TLS functionality."""
213
214
class TLSConnectionError(TLSError):
215
"""TLS connection error."""
216
217
class TLSDisconnectError(TLSConnectionError):
218
"""TLS disconnect error."""
219
220
class TLSGracefulDisconnectError(TLSDisconnectError):
221
"""TLS graceful disconnect."""
222
223
class TLSVerificationError(TLSError):
224
"""Server certificate verification error during TLS handshake."""
225
```