yubikit.openpgp
Module Contents
- yubikit.openpgp.DEFAULT_USER_PIN = '123456'
- yubikit.openpgp.DEFAULT_ADMIN_PIN = '12345678'
- class yubikit.openpgp.UIF[source]
Bases:
enum.IntEnum
Enum where members are also (and must be) ints
- OFF = 0
- ON = 1
- FIXED = 2
- CACHED = 3
- CACHED_FIXED = 4
- class yubikit.openpgp.PIN_POLICY[source]
Bases:
enum.IntEnum
Enum where members are also (and must be) ints
- ALWAYS = 0
- ONCE = 1
- class yubikit.openpgp.INS[source]
Bases:
enum.IntEnum
Enum where members are also (and must be) ints
- VERIFY = 32
- CHANGE_PIN = 36
- RESET_RETRY_COUNTER = 44
- PSO = 42
- ACTIVATE = 68
- GENERATE_ASYM = 71
- GET_CHALLENGE = 132
- INTERNAL_AUTHENTICATE = 136
- SELECT_DATA = 165
- GET_DATA = 202
- PUT_DATA = 218
- PUT_DATA_ODD = 219
- TERMINATE = 230
- GET_VERSION = 241
- SET_PIN_RETRIES = 242
- GET_ATTESTATION = 251
- yubikit.openpgp.TAG_DISCRETIONARY = 115
- yubikit.openpgp.TAG_EXTENDED_CAPABILITIES = 192
- yubikit.openpgp.TAG_FINGERPRINTS = 197
- yubikit.openpgp.TAG_CA_FINGERPRINTS = 198
- yubikit.openpgp.TAG_GENERATION_TIMES = 205
- yubikit.openpgp.TAG_SIGNATURE_COUNTER = 147
- yubikit.openpgp.TAG_KEY_INFORMATION = 222
- yubikit.openpgp.TAG_PUBLIC_KEY = 32585
- class yubikit.openpgp.PW[source]
Bases:
enum.IntEnum
Enum where members are also (and must be) ints
- USER = 129
- RESET = 130
- ADMIN = 131
- class yubikit.openpgp.DO[source]
Bases:
enum.IntEnum
Enum where members are also (and must be) ints
- PRIVATE_USE_1 = 257
- PRIVATE_USE_2 = 258
- PRIVATE_USE_3 = 259
- PRIVATE_USE_4 = 260
- AID = 79
- NAME = 91
- LOGIN_DATA = 94
- LANGUAGE = 61229
- SEX = 24373
- URL = 24400
- HISTORICAL_BYTES = 24402
- EXTENDED_LENGTH_INFO = 32614
- GENERAL_FEATURE_MANAGEMENT = 32628
- CARDHOLDER_RELATED_DATA = 101
- APPLICATION_RELATED_DATA = 110
- ALGORITHM_ATTRIBUTES_SIG = 193
- ALGORITHM_ATTRIBUTES_DEC = 194
- ALGORITHM_ATTRIBUTES_AUT = 195
- ALGORITHM_ATTRIBUTES_ATT = 218
- PW_STATUS_BYTES = 196
- FINGERPRINT_SIG = 199
- FINGERPRINT_DEC = 200
- FINGERPRINT_AUT = 201
- FINGERPRINT_ATT = 219
- CA_FINGERPRINT_1 = 202
- CA_FINGERPRINT_2 = 203
- CA_FINGERPRINT_3 = 204
- CA_FINGERPRINT_4 = 220
- GENERATION_TIME_SIG = 206
- GENERATION_TIME_DEC = 207
- GENERATION_TIME_AUT = 208
- GENERATION_TIME_ATT = 221
- RESETTING_CODE = 211
- UIF_SIG = 214
- UIF_DEC = 215
- UIF_AUT = 216
- UIF_ATT = 217
- SECURITY_SUPPORT_TEMPLATE = 122
- CARDHOLDER_CERTIFICATE = 32545
- KDF = 249
- ALGORITHM_INFORMATION = 250
- ATT_CERTIFICATE = 252
- class yubikit.openpgp.OpenPgpAid[source]
Bases:
bytes
OpenPGP Application Identifier (AID)
The OpenPGP AID is a string of bytes identifying the OpenPGP application. It also embeds some values which are accessible through properties.
- property version: tuple[int, int]
OpenPGP version (tuple of 2 integers: main version, secondary version).
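As an added example (not code from yubikit itself), the parser below shows where the `version` property and the other values embedded in the AID come from. It follows the AID layout of the OpenPGP smart card specification: a fixed 6-byte prefix, a 2-byte BCD version, a 2-byte manufacturer id, a 4-byte serial number and 2 reserved bytes. The sample AID in `__main__` is constructed for illustration; the helper names are this example's own.

```python
import dataclasses

# RID + PIX that every OpenPGP application AID starts with (card specification).
OPENPGP_AID_PREFIX = bytes.fromhex("d27600012401")


@dataclasses.dataclass(frozen=True)
class ParsedAid:
    version: tuple[int, int]  # (major, minor), like OpenPgpAid.version above
    manufacturer: int
    serial: int


def _bcd(b: int) -> int:
    """Decode one binary-coded-decimal byte (0x34 -> 34)."""
    hi, lo = b >> 4, b & 0x0F
    if hi > 9 or lo > 9:
        raise ValueError(f"not a BCD byte: {b:#04x}")
    return hi * 10 + lo


def is_openpgp_aid(aid: bytes) -> bool:
    """True when the bytes have the OpenPGP prefix and the full 16-byte length."""
    return len(aid) == 16 and aid.startswith(OPENPGP_AID_PREFIX)


def parse_openpgp_aid(aid: bytes) -> ParsedAid:
    """Split an OpenPGP AID into version, manufacturer id and serial number.

    Offsets: [0:6] prefix, [6:8] version (BCD), [8:10] manufacturer,
    [10:14] serial, [14:16] reserved.
    """
    if not is_openpgp_aid(aid):
        raise ValueError("not a 16-byte OpenPGP AID")
    return ParsedAid(
        version=(_bcd(aid[6]), _bcd(aid[7])),
        manufacturer=int.from_bytes(aid[8:10], "big"),
        serial=int.from_bytes(aid[10:14], "big"),
    )


if __name__ == "__main__":
    # Constructed sample: version 3.4, manufacturer 0x0006, serial 0x12345678.
    sample = bytes.fromhex("d27600012401" "0304" "0006" "12345678" "0000")
    print(parse_openpgp_aid(sample))
```

A host that pins its trust to a particular token can compare the parsed serial against an inventory record before verifying any PIN, which the `aid` property of `OpenPgpSession` exposes without authentication.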
- class yubikit.openpgp.EXTENDED_CAPABILITY_FLAGS[source]
Bases:
enum.IntFlag
Support for integer-based Flags
- KDF = 1
- PSO_DEC_ENC_AES = 2
- ALGORITHM_ATTRIBUTES_CHANGEABLE = 4
- PRIVATE_USE = 8
- PW_STATUS_CHANGEABLE = 16
- KEY_IMPORT = 32
- GET_CHALLENGE = 64
- SECURE_MESSAGING = 128
- class yubikit.openpgp.CardholderRelatedData[source]
- class yubikit.openpgp.GENERAL_FEATURE_MANAGEMENT[source]
Bases:
enum.IntFlag
Support for integer-based Flags
- TOUCHSCREEN = 1
- MICROPHONE = 2
- LOUDSPEAKER = 4
- LED = 8
- KEYPAD = 16
- BUTTON = 32
- BIOMETRIC = 64
- DISPLAY = 128
- class yubikit.openpgp.ExtendedCapabilities[source]
- flags: EXTENDED_CAPABILITY_FLAGS
- class yubikit.openpgp.PwStatus[source]
- pin_policy_user: PIN_POLICY
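As an added example (not yubikit's own parser), the function below decodes the 7-byte PW Status Bytes data object (the `PW_STATUS_BYTES` DO listed on this page) from which `PwStatus.pin_policy_user` is read. The layout follows the OpenPGP card specification: byte 0 is the User PIN policy (0 = verify for every signature, 1 = verify once), bytes 1 to 3 are the maximum lengths of the User PIN, Reset Code and Admin PIN (low 7 bits), and bytes 4 to 6 are the remaining retry counters. The sample inputs are constructed; `PwStatusBytes` and `exhausted_counters` are names chosen for this example.

```python
import dataclasses
from enum import IntEnum


class PIN_POLICY(IntEnum):  # same values as yubikit.openpgp.PIN_POLICY
    ALWAYS = 0
    ONCE = 1


@dataclasses.dataclass(frozen=True)
class PwStatusBytes:
    pin_policy_user: PIN_POLICY
    max_len_user: int
    max_len_reset: int
    max_len_admin: int
    attempts_user: int
    attempts_reset: int
    attempts_admin: int


def parse_pw_status(data: bytes) -> PwStatusBytes:
    """Decode the PW Status Bytes DO (tag C4) as read from the card."""
    if len(data) < 7:
        raise ValueError(f"PW status needs 7 bytes, got {len(data)}")
    # Byte 0 may only be 0 or 1; any other value is a malformed response.
    policy = PIN_POLICY(data[0])
    return PwStatusBytes(
        pin_policy_user=policy,
        # Bit 8 of each length byte carries a PIN-format flag on v3 cards;
        # only the low 7 bits are the length.
        max_len_user=data[1] & 0x7F,
        max_len_reset=data[2] & 0x7F,
        max_len_admin=data[3] & 0x7F,
        attempts_user=data[4],
        attempts_reset=data[5],
        attempts_admin=data[6],
    )


def exhausted_counters(status: PwStatusBytes) -> list[str]:
    """Names of the PINs whose retry counter is zero.

    A zero Reset Code counter also occurs when no Reset Code has been set,
    so 'reset' here means 'unusable', not necessarily 'blocked'.
    """
    names = []
    if status.attempts_user == 0:
        names.append("user")
    if status.attempts_reset == 0:
        names.append("reset")
    if status.attempts_admin == 0:
        names.append("admin")
    return names


if __name__ == "__main__":
    # Constructed: policy ONCE, max lengths 127, 3 User attempts, no RC, 3 Admin.
    status = parse_pw_status(bytes.fromhex("01 7f 7f 7f 03 00 03"))
    print(status, exhausted_counters(status))
```

Reading these counters before calling `verify_pin` or `verify_admin` lets a provisioning tool stop short of burning the last attempt; once both the User and Admin counters are zero and no Reset Code exists, only `reset()` (which wipes all keys) remains.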
- class yubikit.openpgp.KEY_REF[source]
Bases:
enum.IntEnum
Enum where members are also (and must be) ints
- SIG = 1
- DEC = 2
- AUT = 3
- ATT = 129
- class yubikit.openpgp.KEY_STATUS[source]
Bases:
enum.IntEnum
Enum where members are also (and must be) ints
- NONE = 0
- GENERATED = 1
- IMPORTED = 2
- yubikit.openpgp.KeyInformation
- yubikit.openpgp.Fingerprints
- yubikit.openpgp.GenerationTimes
- yubikit.openpgp.EcPublicKey
- yubikit.openpgp.PublicKey
- yubikit.openpgp.EcPrivateKey
- yubikit.openpgp.PrivateKey
- class yubikit.openpgp.AlgorithmAttributes[source]
Bases:
abc.ABC
OpenPGP key algorithm attributes.
- class yubikit.openpgp.RSA_SIZE[source]
Bases:
enum.IntEnum
Enum where members are also (and must be) ints
- RSA2048 = 2048
- RSA3072 = 3072
- RSA4096 = 4096
- class yubikit.openpgp.RSA_IMPORT_FORMAT[source]
Bases:
enum.IntEnum
Enum where members are also (and must be) ints
- STANDARD = 0
- STANDARD_W_MOD = 1
- CRT = 2
- CRT_W_MOD = 3
- class yubikit.openpgp.RsaAttributes[source]
Bases:
AlgorithmAttributes
OpenPGP key algorithm attributes.
- import_format: RSA_IMPORT_FORMAT
- classmethod create(n_len, import_format=RSA_IMPORT_FORMAT.STANDARD)[source]
- Parameters:
n_len (RSA_SIZE)
import_format (RSA_IMPORT_FORMAT)
- Return type:
- class yubikit.openpgp.CurveOid[source]
Bases:
bytes
bytes(iterable_of_ints) -> bytes
bytes(string, encoding[, errors]) -> bytes
bytes(bytes_or_buffer) -> immutable copy of bytes_or_buffer
bytes(int) -> bytes object of size given by the parameter initialized with null bytes
bytes() -> empty bytes object
- Construct an immutable array of bytes from:
an iterable yielding integers in range(256)
a text string encoded using the specified encoding
any object implementing the buffer API
an integer
- class yubikit.openpgp.OID[source]
Bases:
bytes
bytes(iterable_of_ints) -> bytes
bytes(string, encoding[, errors]) -> bytes
bytes(bytes_or_buffer) -> immutable copy of bytes_or_buffer
bytes(int) -> bytes object of size given by the parameter initialized with null bytes
bytes() -> empty bytes object
- Construct an immutable array of bytes from:
an iterable yielding integers in range(256)
a text string encoded using the specified encoding
any object implementing the buffer API
an integer
- SECP256R1
- SECP256K1
- SECP384R1
- SECP521R1
- BrainpoolP256R1
- BrainpoolP384R1
- BrainpoolP512R1
- X25519
- Ed25519
- class yubikit.openpgp.EC_IMPORT_FORMAT[source]
Bases:
enum.IntEnum
Enum where members are also (and must be) ints
- STANDARD = 0
- STANDARD_W_PUBKEY = 255
- class yubikit.openpgp.EcAttributes[source]
Bases:
AlgorithmAttributes
OpenPGP key algorithm attributes.
- import_format: EC_IMPORT_FORMAT
- class yubikit.openpgp.DiscretionaryDataObjects[source]
- extended_capabilities: ExtendedCapabilities
- attributes_sig: AlgorithmAttributes
- attributes_dec: AlgorithmAttributes
- attributes_aut: AlgorithmAttributes
- attributes_att: AlgorithmAttributes | None
- fingerprints: Fingerprints
- ca_fingerprints: Fingerprints
- generation_times: GenerationTimes
- key_information: KeyInformation
- class yubikit.openpgp.ApplicationRelatedData[source]
OpenPGP related data.
- aid: OpenPgpAid
- extended_length_info: ExtendedLengthInfo | None
- general_feature_management: GENERAL_FEATURE_MANAGEMENT | None
- discretionary: DiscretionaryDataObjects
- class yubikit.openpgp.SecuritySupportTemplate[source]
- class yubikit.openpgp.Kdf[source]
Bases:
abc.ABC
Helper class that provides a standard way to create an ABC using inheritance.
- class yubikit.openpgp.KdfNone[source]
Bases:
Kdf
Helper class that provides a standard way to create an ABC using inheritance.
- algorithm = 0
- class yubikit.openpgp.HASH_ALGORITHM[source]
Bases:
enum.IntEnum
Enum where members are also (and must be) ints
- SHA256 = 8
- SHA512 = 10
- class yubikit.openpgp.KdfIterSaltedS2k[source]
Bases:
Kdf
Helper class that provides a standard way to create an ABC using inheritance.
- algorithm = 3
- hash_algorithm: HASH_ALGORITHM
- classmethod create(hash_algorithm=HASH_ALGORITHM.SHA256, iteration_count=7864320)[source]
- Parameters:
hash_algorithm (HASH_ALGORITHM)
iteration_count (int)
- Return type:
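The `KdfIterSaltedS2k` class describes the "iterated and salted S2K" function of RFC 4880 (algorithm id 3), which is what a host applies to the PIN before sending it to the card once `set_kdf` has installed such a KDF. As an added example (not yubikit's implementation), the code below carries that derivation out with the hash identifiers and the default iteration count shown on this page: the salt and PIN are concatenated and fed to the hash repeatedly until `iteration_count` bytes have been hashed, and the digest becomes the value the card compares. The 8-byte salt is constructed here; on a real card it is read from the KDF data object. `derive_pin` and `s2k_iterated_salted` are this example's own names.

```python
import hashlib
import os

# Hash algorithm identifiers as listed under HASH_ALGORITHM on this page.
HASH_NAMES = {8: "sha256", 10: "sha512"}
# Default iteration_count of KdfIterSaltedS2k.create() on this page.
DEFAULT_ITERATION_COUNT = 7864320


def digest(hash_algorithm: int, data: bytes) -> bytes:
    """One-shot hash of `data` with the OpenPGP hash id (8 or 10)."""
    return hashlib.new(HASH_NAMES[hash_algorithm], data).digest()


def s2k_iterated_salted(
    hash_algorithm: int,
    salt: bytes,
    passphrase: bytes,
    count: int = DEFAULT_ITERATION_COUNT,
) -> bytes:
    """RFC 4880 section 3.7.1.3, iterated and salted S2K.

    The octet stream (salt || passphrase) is repeated and hashed until
    `count` octets have been consumed. If `count` is smaller than one
    copy of the stream, the full copy is hashed exactly once.
    """
    data = salt + passphrase
    if not data:
        raise ValueError("salt and passphrase are both empty")
    if count < len(data):
        count = len(data)
    h = hashlib.new(HASH_NAMES[hash_algorithm])
    # Feed whole repetitions in ~64 KiB blocks; the block is an integer
    # number of copies of `data`, so the tail below continues the cycle.
    block = data * max(1, 65536 // len(data))
    remaining = count
    while remaining >= len(block):
        h.update(block)
        remaining -= len(block)
    h.update(block[:remaining])
    return h.digest()


def derive_pin(
    pin: str,
    salt: bytes,
    hash_algorithm: int = 8,
    count: int = DEFAULT_ITERATION_COUNT,
) -> bytes:
    """Value a host presents as the PIN once a KDF-DO is configured.

    The PIN is encoded as UTF-8; the result has the hash's digest length
    (32 bytes for SHA256, 64 for SHA512).
    """
    return s2k_iterated_salted(hash_algorithm, salt, pin.encode("utf-8"), count)


if __name__ == "__main__":
    # Constructed 8-byte salt; the card stores separate salts per PIN.
    user_salt = os.urandom(8)
    # After set_kdf the User PIN is back at its default '123456' (see set_kdf),
    # so this is the first value a host would have to send as PW1.
    print(derive_pin("123456", user_salt).hex())
```

Because each PIN has its own salt, the same default PIN yields different derived values for the User and Admin PINs, and a captured derived value cannot be reused against a card with a different salt; the iteration count mainly slows down offline guessing of a short PIN from such a capture.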
- class yubikit.openpgp.PrivateKeyTemplate[source]
Bases:
abc.ABC
Helper class that provides a standard way to create an ABC using inheritance.
- class yubikit.openpgp.RsaKeyTemplate[source]
Bases:
PrivateKeyTemplate
Helper class that provides a standard way to create an ABC using inheritance.
- class yubikit.openpgp.RsaCrtKeyTemplate[source]
Bases:
RsaKeyTemplate
Helper class that provides a standard way to create an ABC using inheritance.
- class yubikit.openpgp.EcKeyTemplate[source]
Bases:
PrivateKeyTemplate
Helper class that provides a standard way to create an ABC using inheritance.
- class yubikit.openpgp.OpenPgpSession(connection, scp_key_params=None)[source]
A session with the OpenPGP application.
- Parameters:
connection (yubikit.core.smartcard.SmartCardConnection)
scp_key_params (Optional[yubikit.core.smartcard.ScpKeyParams])
- protocol
- property aid: OpenPgpAid
Get the AID used to select the applet.
- Return type:
- property version: yubikit.core.Version
Get the firmware version of the key.
For YubiKey NEO this is the PGP applet version.
- Return type:
- property extended_capabilities: ExtendedCapabilities
Get the Extended Capabilities from the YubiKey.
- Return type:
- get_signature_counter()[source]
Get the number of times the signature key has been used.
- Return type:
Read the Application Related Data.
- Return type:
- set_signature_pin_policy(pin_policy)[source]
Set signature PIN policy.
Requires Admin PIN verification.
- Parameters:
pin_policy (PIN_POLICY) – The PIN policy.
- Return type:
None
- reset()[source]
Perform a factory reset on the OpenPGP application.
WARNING: This will delete all stored keys, certificates and other data.
- Return type:
None
- set_pin_attempts(user_attempts, reset_attempts, admin_attempts)[source]
Set the number of PIN attempts to allow before blocking.
WARNING: On YubiKey NEO this will reset the PINs to their default values.
Requires Admin PIN verification.
- set_kdf(kdf)[source]
Set up a PIN Key Derivation Function.
This enables (or disables) the use of a KDF for PIN verification, as well as resetting the User and Admin PINs to their default (initial) values.
If a Reset Code is present, it will be invalidated.
This command requires Admin PIN verification.
- Parameters:
kdf (Kdf) – The key derivation function.
- Return type:
None
- verify_pin(pin, extended=False)[source]
Verify the User PIN.
This will unlock functionality that requires User PIN verification. Note that with extended=False (default) only sign operations are allowed. Conversely, with extended=True sign operations are NOT allowed.
- Parameters:
pin – The User PIN.
extended (bool) – If False only sign operations are allowed, otherwise sign operations are NOT allowed.
- verify_admin(admin_pin)[source]
Verify the Admin PIN.
This will unlock functionality that requires Admin PIN verification.
- Parameters:
admin_pin – The Admin PIN.
- unverify_pin(pw)[source]
Reset verification for PIN.
- Parameters:
pw (PW) – The User, Admin or Reset PIN
- Return type:
None
- set_reset_code(reset_code)[source]
Set the Reset Code for User PIN.
The Reset Code can be used to set a new User PIN if it is lost or becomes blocked, using the reset_pin method.
This command requires Admin PIN verification.
- Parameters:
reset_code (str) – The Reset Code for User PIN.
- Return type:
None
- reset_pin(new_pin, reset_code=None)[source]
Reset the User PIN to a new value.
This command requires Admin PIN verification, or the Reset Code.
- get_algorithm_attributes(key_ref)[source]
Get the algorithm attributes for one of the key slots.
- Parameters:
key_ref (KEY_REF) – The key slot.
- Return type:
- get_algorithm_information()[source]
Get the list of supported algorithm attributes for each key.
The return value is a mapping of KEY_REF to a list of supported algorithm attributes, which can be set using set_algorithm_attributes.
- Return type:
Mapping[KEY_REF, Sequence[AlgorithmAttributes]]
- set_algorithm_attributes(key_ref, attributes)[source]
Set the algorithm attributes for a key slot.
WARNING: This will delete any key already stored in the slot if the attributes are changed!
This command requires Admin PIN verification.
- Parameters:
key_ref (KEY_REF) – The key slot.
attributes (AlgorithmAttributes) – The algorithm attributes to set.
- Return type:
None
- set_uif(key_ref, uif)[source]
Set the User Interaction Flag (touch requirement) for a key.
Requires Admin PIN verification.
- get_generation_times()[source]
Get timestamps for when keys were generated.
- Return type:
GenerationTimes
- set_generation_time(key_ref, timestamp)[source]
Set the generation timestamp for a key.
Requires Admin PIN verification.
- set_fingerprint(key_ref, fingerprint)[source]
Set the fingerprint for a key.
Requires Admin PIN verification.
- get_public_key(key_ref)[source]
Get the public key from a slot.
- Parameters:
key_ref (KEY_REF) – The key slot.
- Return type:
PublicKey
- generate_rsa_key(key_ref, key_size)[source]
Generate an RSA key in the given slot.
Requires Admin PIN verification.
- Parameters:
- Return type:
- generate_ec_key(key_ref, curve_oid)[source]
Generate an EC key in the given slot.
Requires Admin PIN verification.
- put_key(key_ref, private_key)[source]
Import a private key into the given slot.
Requires Admin PIN verification.
- Parameters:
key_ref (KEY_REF) – The key slot.
private_key (PrivateKey) – The private key to import.
- Return type:
None
- delete_key(key_ref)[source]
Delete the contents of a key slot.
Requires Admin PIN verification.
- Parameters:
key_ref (KEY_REF) – The key slot.
- Return type:
None
- get_certificate(key_ref)[source]
Get a certificate from a slot.
- Parameters:
key_ref (KEY_REF) – The slot.
- Return type:
- put_certificate(key_ref, certificate)[source]
Import a certificate into a slot.
Requires Admin PIN verification.
- Parameters:
key_ref (KEY_REF) – The slot.
certificate (cryptography.x509.Certificate) – The X.509 certificate to import.
- Return type:
None
- delete_certificate(key_ref)[source]
Delete a certificate in a slot.
Requires Admin PIN verification.
- Parameters:
key_ref (KEY_REF) – The slot.
- Return type:
None
- attest_key(key_ref)[source]
Create an attestation certificate for a key.
The certificate is written to the certificate slot for the key, and its content is returned.
Requires User PIN verification.
- Parameters:
key_ref (KEY_REF) – The key slot.
- Return type:
- sign(message, hash_algorithm)[source]
Sign a message using the SIG key.
Requires User PIN verification.
- Parameters:
message (bytes) – The message to sign.
hash_algorithm (cryptography.hazmat.primitives.hashes.HashAlgorithm) – The pre-signature hash algorithm.
- Return type:
- decrypt(value)[source]
Decrypt a value using the DEC key.
For RSA the value should be an encrypted block. For ECDH the value should be a peer public key to perform the key exchange with, and the result will be the derived shared secret.
Requires (extended) User PIN verification.
- authenticate(message, hash_algorithm)[source]
Authenticate a message using the AUT key.
Requires User PIN verification.
- Parameters:
message (bytes) – The message to authenticate.
hash_algorithm (cryptography.hazmat.primitives.hashes.HashAlgorithm) – The pre-authentication hash algorithm.
- Return type: