tessl/pypi-oscrypto
Cross-platform cryptographic library providing TLS sockets, asymmetric/symmetric encryption, and key operations using OS-native crypto libraries
—
Pending
asymmetric.mddocs/
Asymmetric Cryptography
Comprehensive asymmetric cryptographic operations including key generation, loading, signing, verification, encryption, and decryption using RSA, DSA, and ECDSA algorithms. All operations use OS-native crypto libraries for security and performance.
from oscrypto import asymmetric
from oscrypto.errors import SignatureError, AsymmetricKeyErrorCapabilities
Key Generation
Generate new asymmetric key pairs for RSA, DSA, and ECDSA algorithms with configurable parameters.
def generate_pair(algorithm: str, bit_size: int = None, curve: str = None) -> Tuple[PublicKey, PrivateKey]:
"""
Generate an asymmetric key pair.
Parameters:
- algorithm: str - 'rsa', 'dsa', or 'ec'
- bit_size: int - Key size in bits (RSA: 1024-4096, DSA: 1024-3072)
- curve: str - Curve name for EC keys ('secp256r1', 'secp384r1', 'secp521r1')
Returns:
Tuple of (PublicKey, PrivateKey) objects
"""
def generate_dh_parameters(bit_size: int) -> bytes:
"""
Generate Diffie-Hellman parameters.
Parameters:
- bit_size: int - Parameter size in bits (1024-4096)
Returns:
DER-encoded DH parameters
"""Key and Certificate Loading
Load keys and certificates from various sources and formats including DER, PEM, PKCS#8, and PKCS#12.
def load_private_key(source: Union[str, bytes], password: bytes = None) -> PrivateKey:
"""
Load a private key from various sources.
Parameters:
- source: Union[str, bytes] - File path, DER bytes, or PEM string
- password: bytes - Password for encrypted keys
Returns:
PrivateKey object
"""
def load_public_key(source: Union[str, bytes]) -> PublicKey:
"""
Load a public key from various sources.
Parameters:
- source: Union[str, bytes] - File path, DER bytes, or PEM string
Returns:
PublicKey object
"""
def load_certificate(source: Union[str, bytes]) -> Certificate:
"""
Load an X.509 certificate from various sources.
Parameters:
- source: Union[str, bytes] - File path, DER bytes, or PEM string
Returns:
Certificate object
"""
def load_pkcs12(source: Union[str, bytes], password: bytes = None) -> Tuple[Certificate, PrivateKey, List[Certificate]]:
"""
Load a PKCS#12 bundle containing certificate and private key.
Parameters:
- source: Union[str, bytes] - File path or PKCS#12 bytes
- password: bytes - Password for the PKCS#12 bundle
Returns:
Tuple of (Certificate, PrivateKey, [intermediate_certificates])
"""Key and Certificate Export
Export keys and certificates to various formats for storage or transmission.
def dump_private_key(private_key: PrivateKey, passphrase: bytes = None, target_ms: int = 200) -> bytes:
"""
Export a private key to PKCS#8 DER format.
Parameters:
- private_key: PrivateKey - Key to export
- passphrase: bytes - Optional passphrase for encryption
- target_ms: int - Target milliseconds for PBKDF2 (if encrypting)
Returns:
DER-encoded PKCS#8 private key
"""
def dump_public_key(public_key: PublicKey) -> bytes:
"""
Export a public key to DER format.
Parameters:
- public_key: PublicKey - Key to export
Returns:
DER-encoded public key
"""
def dump_certificate(certificate: Certificate) -> bytes:
"""
Export a certificate to DER format.
Parameters:
- certificate: Certificate - Certificate to export
Returns:
DER-encoded X.509 certificate
"""
def dump_openssl_private_key(private_key: PrivateKey, passphrase: bytes = None) -> bytes:
"""
Export a private key in OpenSSL format.
Parameters:
- private_key: PrivateKey - Key to export
- passphrase: bytes - Optional passphrase for encryption
Returns:
OpenSSL-format private key bytes
"""
def dump_dh_parameters(dh_parameters: bytes) -> bytes:
"""
Export DH parameters to DER format.
Parameters:
- dh_parameters: bytes - DH parameters to export
Returns:
DER-encoded DH parameters
"""RSA Operations
RSA encryption, decryption, signing, and verification with PKCS#1 v1.5 and PSS padding.
def rsa_pkcs1v15_encrypt(certificate_or_public_key: Union[Certificate, PublicKey], data: bytes) -> bytes:
"""
Encrypt data using RSA PKCS#1 v1.5 padding.
Parameters:
- certificate_or_public_key: Union[Certificate, PublicKey] - RSA key for encryption
- data: bytes - Data to encrypt (max length depends on key size)
Returns:
Encrypted data bytes
"""
def rsa_pkcs1v15_decrypt(private_key: PrivateKey, ciphertext: bytes) -> bytes:
"""
Decrypt data using RSA PKCS#1 v1.5 padding.
Parameters:
- private_key: PrivateKey - RSA private key for decryption
- ciphertext: bytes - Encrypted data to decrypt
Returns:
Decrypted plaintext bytes
"""
def rsa_oaep_encrypt(certificate_or_public_key: Union[Certificate, PublicKey], data: bytes,
hash_algorithm: str = 'sha1', mgf_hash_algorithm: str = 'sha1', label: bytes = b'') -> bytes:
"""
Encrypt data using RSA OAEP padding.
Parameters:
- certificate_or_public_key: Union[Certificate, PublicKey] - RSA key for encryption
- data: bytes - Data to encrypt
- hash_algorithm: str - Hash algorithm ('sha1', 'sha224', 'sha256', 'sha384', 'sha512')
- mgf_hash_algorithm: str - MGF hash algorithm
- label: bytes - Optional label
Returns:
Encrypted data bytes
"""
def rsa_oaep_decrypt(private_key: PrivateKey, ciphertext: bytes,
hash_algorithm: str = 'sha1', mgf_hash_algorithm: str = 'sha1', label: bytes = b'') -> bytes:
"""
Decrypt data using RSA OAEP padding.
Parameters:
- private_key: PrivateKey - RSA private key for decryption
- ciphertext: bytes - Encrypted data to decrypt
- hash_algorithm: str - Hash algorithm used during encryption
- mgf_hash_algorithm: str - MGF hash algorithm used during encryption
- label: bytes - Label used during encryption
Returns:
Decrypted plaintext bytes
"""
def rsa_pkcs1v15_sign(private_key: PrivateKey, data: bytes, hash_algorithm: str) -> bytes:
"""
Sign data using RSA PKCS#1 v1.5 padding.
Parameters:
- private_key: PrivateKey - RSA private key for signing
- data: bytes - Data to sign
- hash_algorithm: str - Hash algorithm ('sha1', 'sha224', 'sha256', 'sha384', 'sha512')
Returns:
Signature bytes
"""
def rsa_pkcs1v15_verify(certificate_or_public_key: Union[Certificate, PublicKey], signature: bytes,
data: bytes, hash_algorithm: str) -> None:
"""
Verify RSA PKCS#1 v1.5 signature.
Parameters:
- certificate_or_public_key: Union[Certificate, PublicKey] - RSA key for verification
- signature: bytes - Signature to verify
- data: bytes - Original data that was signed
- hash_algorithm: str - Hash algorithm used during signing
Raises:
SignatureError if verification fails
"""
def rsa_pss_sign(private_key: PrivateKey, data: bytes, hash_algorithm: str) -> bytes:
"""
Sign data using RSA PSS padding.
Parameters:
- private_key: PrivateKey - RSA private key for signing
- data: bytes - Data to sign
- hash_algorithm: str - Hash algorithm ('sha1', 'sha224', 'sha256', 'sha384', 'sha512')
Returns:
Signature bytes
"""
def rsa_pss_verify(certificate_or_public_key: Union[Certificate, PublicKey], signature: bytes,
data: bytes, hash_algorithm: str) -> None:
"""
Verify RSA PSS signature.
Parameters:
- certificate_or_public_key: Union[Certificate, PublicKey] - RSA key for verification
- signature: bytes - Signature to verify
- data: bytes - Original data that was signed
- hash_algorithm: str - Hash algorithm used during signing
Raises:
SignatureError if verification fails
"""DSA Operations
DSA signing and verification operations.
def dsa_sign(private_key: PrivateKey, data: bytes, hash_algorithm: str) -> bytes:
"""
Sign data using DSA.
Parameters:
- private_key: PrivateKey - DSA private key for signing
- data: bytes - Data to sign
- hash_algorithm: str - Hash algorithm ('sha1', 'sha224', 'sha256')
Returns:
Signature bytes
"""
def dsa_verify(certificate_or_public_key: Union[Certificate, PublicKey], signature: bytes,
data: bytes, hash_algorithm: str) -> None:
"""
Verify DSA signature.
Parameters:
- certificate_or_public_key: Union[Certificate, PublicKey] - DSA key for verification
- signature: bytes - Signature to verify
- data: bytes - Original data that was signed
- hash_algorithm: str - Hash algorithm used during signing
Raises:
SignatureError if verification fails
"""ECDSA Operations
ECDSA signing and verification operations for elliptic curve cryptography.
def ecdsa_sign(private_key: PrivateKey, data: bytes, hash_algorithm: str) -> bytes:
"""
Sign data using ECDSA.
Parameters:
- private_key: PrivateKey - ECDSA private key for signing
- data: bytes - Data to sign
- hash_algorithm: str - Hash algorithm ('sha1', 'sha224', 'sha256', 'sha384', 'sha512')
Returns:
Signature bytes
"""
def ecdsa_verify(certificate_or_public_key: Union[Certificate, PublicKey], signature: bytes,
data: bytes, hash_algorithm: str) -> None:
"""
Verify ECDSA signature.
Parameters:
- certificate_or_public_key: Union[Certificate, PublicKey] - ECDSA key for verification
- signature: bytes - Signature to verify
- data: bytes - Original data that was signed
- hash_algorithm: str - Hash algorithm used during signing
Raises:
SignatureError if verification fails
"""Usage Examples
Generating and Using RSA Keys
from oscrypto import asymmetric
# Generate RSA key pair
public_key, private_key = asymmetric.generate_pair('rsa', bit_size=2048)
# Encrypt data
plaintext = b"Secret message"
ciphertext = asymmetric.rsa_pkcs1v15_encrypt(public_key, plaintext)
# Decrypt data
decrypted = asymmetric.rsa_pkcs1v15_decrypt(private_key, ciphertext)
# Sign data
signature = asymmetric.rsa_pkcs1v15_sign(private_key, plaintext, 'sha256')
# Verify signature
try:
asymmetric.rsa_pkcs1v15_verify(public_key, signature, plaintext, 'sha256')
print("Signature valid")
except asymmetric.SignatureError:
print("Signature invalid")Loading Keys from Files
from oscrypto import asymmetric
# Load private key from PEM file
with open('private_key.pem', 'rb') as f:
private_key = asymmetric.load_private_key(f.read())
# Load certificate from PEM file
with open('certificate.pem', 'rb') as f:
certificate = asymmetric.load_certificate(f.read())
# Load PKCS#12 bundle
with open('bundle.p12', 'rb') as f:
cert, key, intermediates = asymmetric.load_pkcs12(f.read(), b'password')Install with Tessl CLI
npx tessl i tessl/pypi-oscrypto