yubihsm.objects
Classes for interacting with objects on a YubiHSM.
Attributes
Classes
Data structure holding various information about an object. |
|
Base attestation extensions. |
|
Device attestation extensions. Available on YubiHSM FIPS only. |
|
Key attestation extensions. |
|
A reference to an object stored in a YubiHSM. |
|
Object used to store arbitrary data on the YubiHSM. |
|
Used to authenticate a session with the YubiHSM. |
|
Used to sign/decrypt data with the private key of an asymmetric key pair. |
|
Used to import and export other objects under wrap. |
|
Used to export other objects under wrap using the public key of an |
|
Used to calculate and verify HMAC signatures. |
|
Binary template used to validate SSH certificate requests. |
|
Decrypted OTP counter values. |
|
Used to decrypt and use a Yubico OTP AEAD for OTP decryption. |
|
Used to encrypt/decrypt data using a symmetric key. |
Module Contents
- yubihsm.objects.LABEL_LENGTH = 40
- yubihsm.objects.MAX_AES_PAYLOAD_SIZE = 2026
- yubihsm.objects.AES_BLOCK_SIZE = 16
- yubihsm.objects.RSA_PUBLIC_EXPONENT = 65537
- yubihsm.objects.RSA_SIZES = [2048, 3072, 4096]
- class yubihsm.objects.ObjectInfo[source]
Data structure holding various information about an object.
- Variables:
capabilities – The capabilities of the object.
id – The ID of the object.
size – The size of the object.
domains – The set of domains the object belongs to.
object_type – The type of the object.
algorithm – The algorithm of the object.
sequence – The sequence number of the object.
origin – How the object was created/imported.
label – The label of the object.
delegated_capabilities – The set of delegated capabilities for the object.
- capabilities: yubihsm.defs.CAPABILITY
- object_type: yubihsm.defs.OBJECT
- algorithm: yubihsm.defs.ALGORITHM
- origin: yubihsm.defs.ORIGIN
- delegated_capabilities: yubihsm.defs.CAPABILITY
- yubihsm.objects.T_AttestationExtensions
- class yubihsm.objects.AttestationExtensions[source]
Base attestation extensions.
- Variables:
firmware_version – YubiHSM firmware version.
serial – YubiHSM serial number.
- firmware_version: yubihsm.defs.Version
- classmethod parse(certificate, *args)[source]
- Parameters:
certificate (cryptography.x509.Certificate)
- Return type:
T_AttestationExtensions
- class yubihsm.objects.DeviceAttestationExtensions[source]
Bases:
AttestationExtensions
Device attestation extensions. Available on YubiHSM FIPS only.
- Variables:
fips_certificate – The FIPS certificate.
- classmethod parse(certificate, *args)[source]
- Parameters:
certificate (cryptography.x509.Certificate)
- class yubihsm.objects.KeyAttestationExtensions[source]
Bases:
AttestationExtensions
Key attestation extensions.
- Variables:
origin – The origin of the key.
domains – The set of domains assigned to the key object.
capabilities – The set of capabilities assigned to the key object.
object_id – The ID of the key object.
label – The label of the key object.
fips_approved – (available on YubiHSM FIPS >= 2.4.1 only) True if the key attestation was generated in FIPS-approved mode.
- origin: yubihsm.defs.ORIGIN
- capabilities: yubihsm.defs.CAPABILITY
- classmethod parse(certificate, *args)[source]
Extracts the attributes from an an attestation certificate.
- Parameters:
certificate (cryptography.x509.Certificate)
- yubihsm.objects.T_Object
- class yubihsm.objects.YhsmObject(session, object_id, seq=None)[source]
A reference to an object stored in a YubiHSM.
YubiHSM objects are uniquely identified by their type and ID combined.
- Variables:
session – The session to use for YubiHSM communication.
id – The ID of the object.
object_type – The type of the object.
- Parameters:
session (yubihsm.core.AuthSession)
object_id (int)
seq (Optional[int])
- object_type: ClassVar[yubihsm.defs.OBJECT]
- session
- with_session(session)[source]
Get a copy of the object reference, using the given session.
- Parameters:
session (yubihsm.core.AuthSession) – The session to use for the created reference.
- Returns:
A new reference to the object, associated wth the given session.
- Return type:
T_Object
- class yubihsm.objects.Opaque(session, object_id, seq=None)[source]
Bases:
YhsmObject
Object used to store arbitrary data on the YubiHSM.
- Supported algorithms:
- Parameters:
session (yubihsm.core.AuthSession)
object_id (int)
seq (Optional[int])
- object_type
- classmethod put(session, object_id, label, domains, capabilities, algorithm, data)[source]
Import an Opaque object into the YubiHSM.
- Parameters:
session (yubihsm.core.AuthSession) – The session to import via.
object_id (int) – The ID to set for the object. Set to 0 to let the YubiHSM designate an ID.
label (str) – A text label to give the object.
domains (int) – The set of domains to assign the object to.
capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities to give the object.
algorithm (yubihsm.defs.ALGORITHM) – The algorithm to use for the object.
data (bytes) – The binary data to store.
- Returns:
A reference to the newly created object.
- Return type:
- get()[source]
Read the data of an Opaque object from the YubiHSM.
- Returns:
The data stored for the object.
- Return type:
- classmethod put_certificate(session, object_id, label, domains, capabilities, certificate, compress=False)[source]
Import an X509 certificate into the YubiHSM as an Opaque.
- Parameters:
session (yubihsm.core.AuthSession) – The session to import via.
object_id (int) – The ID to set for the object. Set to 0 to let the YubiHSM designate an ID.
label (str) – A text label to give the object.
domains (int) – The set of domains to assign the object to.
capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities to give the object.
certificate (cryptography.x509.Certificate) – A certificate to import.
compress (bool) – (optional) Compress the certificate.
- Returns:
A reference to the newly created object.
- Return type:
- class yubihsm.objects.AuthenticationKey(session, object_id, seq=None)[source]
Bases:
YhsmObject
Used to authenticate a session with the YubiHSM.
AuthenticationKeys use two separate keys to mutually authenticate and set up a secure session with a YubiHSM. These two keys can either be given explicitly, or be derived from a password.
- Parameters:
session (yubihsm.core.AuthSession)
object_id (int)
seq (Optional[int])
- object_type
- classmethod put_derived(session, object_id, label, domains, capabilities, delegated_capabilities, password)[source]
Create an AuthenticationKey derived from a password.
- Parameters:
session (yubihsm.core.AuthSession) – The session to import via.
object_id (int) – The ID to set for the object. Set to 0 to let the YubiHSM designate an ID.
label (str) – A text label to give the object.
domains (int) – The set of domains to assign the object to.
capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities to give the object.
delegated_capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities that the AuthenticationKey can give to objects created when authenticated using it.
password (str) – The password to derive raw keys from.
- Returns:
A reference to the newly created object.
- Return type:
- classmethod put(session, object_id, label, domains, capabilities, delegated_capabilities, key_enc, key_mac)[source]
Create an AuthenticationKey by providing raw keys.
- Parameters:
session (yubihsm.core.AuthSession) – The session to import via.
object_id (int) – The ID to set for the object. Set to 0 to let the YubiHSM designate an ID.
label (str) – A text label to give the object.
domains (int) – The set of domains to assign the object to.
capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities to give the object.
delegated_capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities that the AuthenticationKey can give to objects created when authenticated using it.
key_enc (bytes) – The raw encryption key.
key_mac (bytes) – The raw MAC key.
- Returns:
A reference to the newly created object.
- Return type:
- classmethod put_public_key(session, object_id, label, domains, capabilities, delegated_capabilities, public_key)[source]
Create an asymmetric AuthenticationKey by providing a public key
- Parameters:
session (yubihsm.core.AuthSession) – The session to import via.
object_id (int) – The ID to set for the object. Set to 0 to let the YubiHSM designate an ID.
label (str) – A text label to give the object.
domains (int) – The set of domains to assign the object to.
capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities to give the object.
delegated_capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities that the AuthenticationKey can give to objects created when authenticated using it.
public_key (cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey) – The public key to import.
- Returns:
A reference to the newly created object.
- Return type:
- change_password(password)[source]
Change the password used to authenticate a session.
Changes the raw keys used for authentication, by deriving them from a password.
- Parameters:
password (str) – The password to derive raw keys from.
- Return type:
None
- change_public_key(public_key)[source]
Change an asymmetric AuthenticationKey’s public key
- Parameters:
public_key (cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey) – The new public key.
- Return type:
None
- class yubihsm.objects.AsymmetricKey(session, object_id, seq=None)[source]
Bases:
YhsmObject
Used to sign/decrypt data with the private key of an asymmetric key pair.
- Supported algorithms:
- Parameters:
session (yubihsm.core.AuthSession)
object_id (int)
seq (Optional[int])
- object_type
- classmethod put(session, object_id, label, domains, capabilities, key)[source]
Import a private key into the YubiHSM.
RSA and EC keys can be created by using the cryptography APIs. You can then pass either a
RSAPrivateKey
, aEllipticCurvePrivateKey
, or aEd25519PrivateKey
as key.- Parameters:
session (yubihsm.core.AuthSession) – The session to import via.
object_id (int) – The ID to set for the object. Set to 0 to let the YubiHSM designate an ID.
label (str) – A text label to give the object.
domains (int) – The set of domains to assign the object to.
capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities to give the object.
key – The private key to import.
- Returns:
A reference to the newly created object.
- Return type:
- classmethod generate(session, object_id, label, domains, capabilities, algorithm)[source]
Generate a new private key in the YubiHSM.
- Parameters:
session (yubihsm.core.AuthSession) – The session to import via.
object_id (int) – The ID to set for the object. Set to 0 to let the YubiHSM designate an ID.
label (str) – A text label to give the object.
domains (int) – The set of domains to assign the object to.
capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities to give the object.
algorithm (yubihsm.defs.ALGORITHM) – The algorithm to use for the private key.
- Returns:
A reference to the newly created object.
- Return type:
- get_public_key()[source]
Get the public key of the key pair.
This will return either a
RSAPublicKey
or aEllipticCurvePublicKey
depending on the algorithm of the key.Ed25519 keys will be returned as a Cryptography
Ed25519PublicKey
object if possible (requires Cryptography 2.6 or later), or an internal representation if not, either which can be serialized using theserialize_ed25519_public_key()
function.- Returns:
The public key of the key pair.
- get_certificate()[source]
Get the X509 certificate associated with the key.
An X509 certificate is associated with an asymmetric key if it is stored as an Opaque object with the same object ID as the key, and it has the
OPAQUE_X509_CERTIFICATE
algorithm set.Equivalent to calling Opaque(session, key_id).get_certificate().
- Returns:
The certificate stored for the object.
- Return type:
- put_certificate(label, domains, capabilities, certificate)[source]
Store an X509 certificate associated with this key.
Equivalent to calling Opaque.put_certificate(session, key_id, …).
- Parameters:
label (str) – A text label to give the object.
domains (int) – The set of domains to assign the object to.
capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities to give the object.
certificate (cryptography.x509.Certificate) – A certificate to import.
- Returns:
A reference to the newly created object.
- Return type:
- sign_ecdsa(data, hash=hashes.SHA256(), length=0)[source]
Sign data using ECDSA.
- Parameters:
data (bytes) – The data to sign.
hash (cryptography.hazmat.primitives.hashes.HashAlgorithm) – (optional) The algorithm to use when hashing the data.
length (int) – (optional) length to pad/truncate the hash to.
- Returns:
The resulting signature.
- Return type:
- derive_ecdh(public_key)[source]
Perform an ECDH key exchange as specified in SP 800-56A.
- Parameters:
public_key (cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey) – The public key to use for the key exchange.
- Returns:
The resulting shared key.
- Return type:
- sign_pkcs1v1_5(data, hash=hashes.SHA256())[source]
Sign data using RSASSA-PKCS1-v1_5.
- Parameters:
data (bytes) – The data to sign.
hash (cryptography.hazmat.primitives.hashes.HashAlgorithm) – (optional) The algorithm to use when hashing the data.
- Returns:
The resulting signature.
- Return type:
- sign_pss(data, salt_len, hash=hashes.SHA256(), mgf_hash=hashes.SHA256())[source]
Sign data using RSASSA-PSS with MGF1.
- Parameters:
data (bytes) – The data to sign.
salt_len (int) – The length of the salt to use.
hash (cryptography.hazmat.primitives.hashes.HashAlgorithm) – (optional) The algorithm to use when hashing the data.
mgf_hash (cryptography.hazmat.primitives.hashes.HashAlgorithm) – (optional) The algorithm to use for MGF1.
- Returns:
The resulting signature.
- Return type:
- decrypt_oaep(data, label=b'', hash=hashes.SHA256(), mgf_hash=hashes.SHA256())[source]
Decrypt data encrypted with RSAES-OAEP.
- Parameters:
data (bytes) – The ciphertext to decrypt.
label (bytes) – (optional) OAEP label.
hash (cryptography.hazmat.primitives.hashes.HashAlgorithm) – (optional) The algorithm to use when hashing the data.
mgf_hash (cryptography.hazmat.primitives.hashes.HashAlgorithm) – (optional) The algorithm to use for MGF1.
- Returns:
The decrypted plaintext.
- Return type:
- attest(attesting_key_id=0)[source]
Attest this asymmetric key.
Creates an X509 certificate containing this key pair’s public key, signed by the asymmetric key identified by the given ID. You also need a X509 certificate stored with the same ID as the attesting key in the YubiHSM, to be used as a template.
- Parameters:
attesting_key_id (int) – (optional) The ID of the asymmetric key used to attest. If omitted, the built-in Yubico attestation key is used.
- Returns:
The attestation certificate.
- Return type:
- sign_ssh_certificate(template_id, request, algorithm=ALGORITHM.RSA_PKCS1_SHA1)[source]
Sign an SSH certificate request.
- Parameters:
template_id (int) – The ID of the SSH TEMPLATE to use.
request (bytes) – The SSH certificate request.
algorithm (yubihsm.defs.ALGORITHM)
- Returns:
The SSH certificate signature.
- Return type:
- class yubihsm.objects.WrapKey(session, object_id, seq=None)[source]
Bases:
YhsmObject
Used to import and export other objects under wrap.
Asymmetric wrapkeys are only used for importing wrapped objects. To export objects under asymmetric wrap, use
PublicWrapKey
.- Supported algorithms:
- Parameters:
session (yubihsm.core.AuthSession)
object_id (int)
seq (Optional[int])
- object_type
- classmethod generate(session, object_id, label, domains, capabilities, algorithm, delegated_capabilities)[source]
Generate a new wrap key in the YubiHSM.
- Parameters:
session (yubihsm.core.AuthSession) – The session to import via.
object_id (int) – The ID to set for the object. Set to 0 to let the YubiHSM designate an ID.
label (str) – A text label to give the object.
domains (int) – The set of domains to assign the object to.
capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities to give the object.
algorithm (yubihsm.defs.ALGORITHM) – The algorithm to use for the wrap key.
delegated_capabilities (yubihsm.defs.CAPABILITY)
- Returns:
A reference to the newly created object.
- Return type:
- classmethod put(session, object_id, label, domains, capabilities, algorithm, delegated_capabilities, key)[source]
Import a wrap key into the YubiHSM.
Asymmetric keys can be imported using the cryptography API. You can then pass a
RSAPrivateKey
as key.- Parameters:
session (yubihsm.core.AuthSession) – The session to import via.
object_id (int) – The ID to set for the object. Set to 0 to let the YubiHSM designate an ID.
label (str) – A text label to give the object.
domains (int) – The set of domains to assign the object to.
capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities to give the object.
algorithm (yubihsm.defs.ALGORITHM) – The algorithm to use for the wrap key.
delegated_capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities that the WrapKey can give to objects that it imports.
key (Union[bytes, cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey]) – The encryption key corresponding to the algorithm.
- Returns:
A reference to the newly created object.
- Return type:
- export_wrapped(obj, seed=False)[source]
Export an object under wrap.
- Parameters:
obj (YhsmObject) – The object to export.
seed (bool) – (optional) Export key with seed. Only applicable for ed25519 key objects.
- Returns:
The encrypted object data.
- Return type:
- import_wrapped(wrapped_obj)[source]
Import an object previously exported under wrap.
- Parameters:
wraped_obj – The encrypted object data.
wrapped_obj (bytes)
- Returns:
A reference to the imported object.
- Return type:
- import_wrapped_rsa(wrapped_obj, oaep_hash=hashes.SHA256(), mgf_hash=hashes.SHA256(), oaep_label=b'')[source]
Import an object previously exported under asymmetric wrap.
- Parameters:
wrapped_obj (bytes) – The encrypted object data.
oaep_hash (cryptography.hazmat.primitives.hashes.HashAlgorithm) – (optional) The hash algorithm to use for OAEP label.
mgf_hash (cryptography.hazmat.primitives.hashes.HashAlgorithm) – (optional) The hash algorithm to use for MGF1.
oaep_label (bytes) – (optional) OAEP label.
- Returns:
A reference to the imported object.
- Return type:
- import_raw_key(object_id, object_type, label, domains, capabilities, algorithm, wrapped, oaep_hash=hashes.SHA256(), mgf_hash=hashes.SHA256(), oaep_label=b'')[source]
Import an (a)symmetric key previously exported under asymmetric wrap.
Asymmetric keys are expected to have been serialized as PKCS#8.
- Parameters:
object_id (int) – The ID to set for the object. Set to 0 to let the YubiHSM designate an ID.
object_type (yubihsm.defs.OBJECT) – The key object type (OBJECT.ASYMMETRIC_KEY or OBJECT.SYMMETRIC_KEY).
label (str) – A text label to give the object.
domains (int) – The set of domains to assign the object to.
capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities to give the object.
algorithm (yubihsm.defs.ALGORITHM) – The algorithm of the key.
wrapped (bytes) – The wrapped key object.
oaep_hash (cryptography.hazmat.primitives.hashes.HashAlgorithm) – (optional) The hash algorithm to use for OAEP label.
mgf_hash (cryptography.hazmat.primitives.hashes.HashAlgorithm) – (optional) The hash algorithm to use for MGF1.
oaep_label (bytes) – (optional) OAEP label.
- Returns:
A reference to the imported key object.
- Return type:
- class yubihsm.objects.PublicWrapKey(session, object_id, seq=None)[source]
Bases:
YhsmObject
Used to export other objects under wrap using the public key of an asymmetric key pair.
The algorithm used for wrapping is CKM_RSA_AES_KEY_WRAP, as specified in PKCS#11.
Supported algorithms: -
RSA_2048
-RSA_3072
-RSA_4096
- Parameters:
session (yubihsm.core.AuthSession)
object_id (int)
seq (Optional[int])
- object_type
- classmethod put(session, object_id, label, domains, capabilities, delegated_capabilities, public_key)[source]
Import a public RSA wrapkey into the YubiHSM.
The RSA public key can be supplied using the cryptography API. You can then pass a
RSAPublicKey
as public_key.- Parameters:
session (yubihsm.core.AuthSession) – The session to import via.
object_id (int) – The ID to set for the object. Set to 0 to let the YubiHSM designate an ID.
label (str) – A text label to give the object.
domains (int) – The set of domains to assign the object to.
capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities to give the object.
delegated_capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities that the WrapKey can give to objects that it imports.
public_key (cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey) – The public key to import.
- Returns:
A reference to the newly created object.
- Return type:
- export_wrapped_rsa(obj, algorithm=ALGORITHM.AES256, oaep_hash=hashes.SHA256(), mgf_hash=hashes.SHA256(), oaep_label=b'')[source]
Export an object under asymmetric wrap.
- Parameters:
obj (YhsmObject) – The object to export.
algorithm (yubihsm.defs.ALGORITHM) – (optional) The algorithm to use for the ephemeral key.
oaep_hash (cryptography.hazmat.primitives.hashes.HashAlgorithm) – (optional) The hash algorithm to use for OAEP label.
mgf_hash (cryptography.hazmat.primitives.hashes.HashAlgorithm) – (optional) The hash algorithm to use for MGF1.
oaep_label (bytes) – (optional) OAEP label.
- Returns:
The encrypted object data.
- Return type:
- export_raw_key(key, algorithm=ALGORITHM.AES256, oaep_hash=hashes.SHA256(), mgf_hash=hashes.SHA256(), oaep_label=b'')[source]
Export an (a)symmetric key object under asymmetric wrap.
This command wraps only the raw key material of the key object. Asymmetric keys are serialized as PKCS#8.
- Parameters:
key (Union[AsymmetricKey, SymmetricKey]) – The (a)symmetric key object to wrap.
algorithm (yubihsm.defs.ALGORITHM) – (optional) The algorithm for the ephemeral key.
oaep_hash (cryptography.hazmat.primitives.hashes.HashAlgorithm) – (optional) The hash algorithm to use for OAEP label.
mgf_hash (cryptography.hazmat.primitives.hashes.HashAlgorithm) – (optional) The hash algorithm to use for MGF1.
oaep_label (bytes) – (optional) OAEP label.
- Returns:
The encrypted key.
- Return type:
- class yubihsm.objects.HmacKey(session, object_id, seq=None)[source]
Bases:
YhsmObject
Used to calculate and verify HMAC signatures.
- Supported algorithms:
- Parameters:
session (yubihsm.core.AuthSession)
object_id (int)
seq (Optional[int])
- object_type
- classmethod generate(session, object_id, label, domains, capabilities, algorithm=ALGORITHM.HMAC_SHA256)[source]
Generate a new HMAC key in the YubiHSM.
- Parameters:
session (yubihsm.core.AuthSession) – The session to import via.
object_id (int) – The ID to set for the object. Set to 0 to let the YubiHSM designate an ID.
label (str) – A text label to give the object.
domains (int) – The set of domains to assign the object to.
capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities to give the object.
algorithm (yubihsm.defs.ALGORITHM) – (optional) The algorithm to use for the HMAC key.
- Returns:
A reference to the newly created object.
- Return type:
- classmethod put(session, object_id, label, domains, capabilities, key, algorithm=ALGORITHM.HMAC_SHA256)[source]
Import an HMAC key into the YubiHSM.
- Parameters:
session (yubihsm.core.AuthSession) – The session to import via.
object_id (int) – The ID to set for the object. Set to 0 to let the YubiHSM designate an ID.
label (str) – A text label to give the object.
domains (int) – The set of domains to assign the object to.
capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities to give the object.
key (bytes) – The raw key corresponding to the algorithm.
algorithm – (optional) The algorithm to use for the HMAC key.
- Returns:
A reference to the newly created object.
- Return type:
- class yubihsm.objects.Template(session, object_id, seq=None)[source]
Bases:
YhsmObject
Binary template used to validate SSH certificate requests.
- Supported algorithms:
- Parameters:
session (yubihsm.core.AuthSession)
object_id (int)
seq (Optional[int])
- object_type
- classmethod put(session, object_id, label, domains, capabilities, algorithm, data)[source]
Import a Template into the YubiHSM.
- Parameters:
session (yubihsm.core.AuthSession) – The session to import via.
object_id (int) – The ID to set for the object. Set to 0 to let the YubiHSM designate an ID.
label (str) – A text label to give the object.
domains (int) – The set of domains to assign the object to.
capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities to give the object.
algorithm (yubihsm.defs.ALGORITHM) – The algorithm to use for the template.
data (bytes) – The template data.
- Returns:
A reference to the newly created object.
- Return type:
- class yubihsm.objects.OtpData[source]
Bases:
NamedTuple
Decrypted OTP counter values.
- Parameters:
use_counter – 16 bit counter incremented on each power cycle.
session_counter – 8 bit counter incremented on each touch.
timestamp_high – 8 bit high part of the timestamp.
timestamp_low – 16 bit low part of the timestamp.
- class yubihsm.objects.OtpAeadKey(session, object_id, seq=None)[source]
Bases:
YhsmObject
Used to decrypt and use a Yubico OTP AEAD for OTP decryption.
- Supported algorithms:
- Parameters:
session (yubihsm.core.AuthSession)
object_id (int)
seq (Optional[int])
- object_type
- classmethod put(session, object_id, label, domains, capabilities, algorithm, nonce_id, key)[source]
Import an OTP AEAD key into the YubiHSM.
- Parameters:
session (yubihsm.core.AuthSession) – The session to import via.
object_id (int) – The ID to set for the object. Set to 0 to let the YubiHSM designate an ID.
label (str) – A text label to give the object.
domains (int) – The set of domains to assign the object to.
capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities to give the object.
algorithm (yubihsm.defs.ALGORITHM) – The algorithm to use for the key.
nonce_id (int) – The nonce ID used for AEADs.
key (bytes) – The key to import, corresponding to the algorithm.
- Returns:
A reference to the newly created object.
- Return type:
- classmethod generate(session, object_id, label, domains, capabilities, algorithm, nonce_id)[source]
Generate a new OTP AEAD key in the YubiHSM.
- Parameters:
session (yubihsm.core.AuthSession) – The session to import via.
object_id (int) – The ID to set for the object. Set to 0 to let the YubiHSM designate an ID.
label (str) – A text label to give the object.
domains (int) – The set of domains to assign the object to.
capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities to give the object.
algorithm (yubihsm.defs.ALGORITHM) – The algorithm to use for the key.
nonce_id (int) – The nonce ID used for AEADs.
- Returns:
A reference to the newly created object.
- Return type:
- randomize_otp_aead()[source]
Create a new Yubico OTP credential AEAD using random data.
- Returns:
A new AEAD.
- Return type:
- class yubihsm.objects.SymmetricKey(session, object_id, seq=None)[source]
Bases:
YhsmObject
Used to encrypt/decrypt data using a symmetric key.
- Parameters:
session (yubihsm.core.AuthSession)
object_id (int)
seq (Optional[int])
- object_type
- classmethod put(session, object_id, label, domains, capabilities, algorithm, key)[source]
Import a symmetric key into the YubiHSM.
- Parameters:
session (yubihsm.core.AuthSession) – The session to import via.
object_id (int) – The ID to set for the object. Set to 0 to let the YubiHSM designate an ID.
label (str) – A text label to give the object.
domains (int) – The set of domains to assign the object to.
capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities to give the object.
algorithm (yubihsm.defs.ALGORITHM) – The algorithm to use for the symmetric key.
key (bytes) – The raw encryption key corresponding to the algorithm.
- Returns:
A reference to the newly created object.
- Return type:
- classmethod generate(session, object_id, label, domains, capabilities, algorithm)[source]
Generate a new symmetric key in the YubiHSM.
- Parameters:
session (yubihsm.core.AuthSession) – The session to import via.
object_id (int) – The ID to set for the object. Set to 0 to let the YubiHSM designate an ID.
label (str) – A text label to give the object.
domains (int) – The set of domains to assign the object to.
capabilities (yubihsm.defs.CAPABILITY) – The set of capabilities to give the object.
algorithm (yubihsm.defs.ALGORITHM) – The algorithm to use for the symmetric key.
- Returns:
A reference to the newly created object.
- Return type: