yubikit.securitydomain
Attributes: INS_* instruction bytes and TAG_* data-object tags used by the Security Domain session (listed under Module Contents).
Classes:
- KeyType: Enum where members are also (and must be) ints
- Curve: Enum where members are also (and must be) ints
- SecurityDomainSession: A session for managing SCP keys
Module Contents
- yubikit.securitydomain.INS_GET_DATA = 202
- yubikit.securitydomain.INS_PUT_KEY = 216
- yubikit.securitydomain.INS_STORE_DATA = 226
- yubikit.securitydomain.INS_DELETE = 228
- yubikit.securitydomain.INS_GENERATE_KEY = 241
- yubikit.securitydomain.TAG_KEY_INFORMATION = 224
- yubikit.securitydomain.TAG_CARD_RECOGNITION_DATA = 102
- yubikit.securitydomain.TAG_CA_KLOC_IDENTIFIERS = 65331
- yubikit.securitydomain.TAG_CA_KLCC_IDENTIFIERS = 65332
- yubikit.securitydomain.TAG_CERTIFICATE_STORE = 48929
- class yubikit.securitydomain.KeyType[source]
Bases:
enum.IntEnum
Enum where members are also (and must be) ints
- AES = 136
- ECC_PUBLIC_KEY = 176
- ECC_PRIVATE_KEY = 177
- ECC_KEY_PARAMS = 240
- class yubikit.securitydomain.Curve[source]
Bases:
enum.IntEnum
Enum where members are also (and must be) ints
- SECP256R1 = 0
- SECP384R1 = 1
- SECP521R1 = 2
- BrainpoolP256R1 = 3
- BrainpoolP384R1 = 5
- BrainpoolP512R1 = 7
- class yubikit.securitydomain.SecurityDomainSession(connection)[source]
A session for managing SCP keys
- Parameters:
connection (yubikit.core.smartcard.SmartCardConnection)
- protocol
- authenticate(key_params)[source]
Initialize SCP and authenticate the session.
SCP11b does not authenticate the OCE, so a session authenticated with SCP11b cannot use commands that require OCE authentication (the store_*, delete_key and generate_ec_key methods below).
- Parameters:
key_params (yubikit.core.smartcard.scp.ScpKeyParams)
- Return type:
None
- get_key_information()[source]
Get information about the currently loaded keys.
- Return type:
Mapping[yubikit.core.smartcard.scp.KeyRef, Mapping[int, int]]
- get_supported_ca_identifiers(kloc=False, klcc=False)[source]
Get a list of the CA issuer Subject Key Identifiers for keys.
Setting one of kloc or klcc to True will cause only those CAs to be returned. By default, this will get both KLOC and KLCC CAs.
- Parameters:
kloc (bool)
klcc (bool)
- Return type:
Mapping[yubikit.core.smartcard.scp.KeyRef, bytes]
- get_certificate_bundle(key)[source]
Get the certificates associated with the given SCP11 private key.
Certificates are returned leaf-last.
- Parameters:
key (yubikit.core.smartcard.scp.KeyRef)
- Return type:
Sequence[cryptography.x509.Certificate]
- reset()[source]
Perform a factory reset of the Security Domain.
This will remove all keys and associated data, as well as restore the default SCP03 static keys, and generate a new (attestable) SCP11b key.
- Return type:
None
- store_data(data)[source]
Store data in the Security Domain.
Requires OCE verification.
- Parameters:
data (bytes)
- Return type:
None
- store_certificate_bundle(key, certificates)[source]
Store the certificate chain for the given key.
Requires OCE verification.
Certificates should be in order, with the leaf certificate last.
- Parameters:
key (yubikit.core.smartcard.scp.KeyRef)
certificates (Sequence[cryptography.x509.Certificate])
- Return type:
None
- store_allowlist(key, serials)[source]
Store which certificate serial numbers can be used for a given key.
Requires OCE verification.
If no allowlist is stored, any certificate signed by the CA can be used.
- Parameters:
key (yubikit.core.smartcard.scp.KeyRef)
serials (Sequence[int])
- Return type:
None
- store_ca_issuer(key, ski)[source]
Store the SKI (Subject Key Identifier) for the CA of a given key.
Requires OCE verification.
- Parameters:
key (yubikit.core.smartcard.scp.KeyRef)
ski (bytes)
- Return type:
None
- delete_key(kid=0, kvn=0, delete_last=False)[source]
Delete one (or more) keys.
Requires OCE verification.
All keys matching the given KID and/or KVN will be deleted. To delete the final key you must set delete_last=True.
- Parameters:
kid (int)
kvn (int)
delete_last (bool)
- generate_ec_key(key, curve=Curve.SECP256R1, replace_kvn=0)[source]
Generate a new SCP11 key.
Requires OCE verification.
Use replace_kvn to replace an existing key with the given KVN.
- Parameters:
key (yubikit.core.smartcard.scp.KeyRef)
curve (Curve)
replace_kvn (int)
- Return type:
cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey
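Two constraints above are easy to get wrong in a provisioning script: store_certificate_bundle wants the chain leaf-last, and every store_* call requires OCE verification, so authenticate must run first. The following helper is an added example, not yubikit code: it orders a chain from any objects exposing .subject and .issuer (cryptography.x509.Certificate does) and runs the store_ca_issuer / store_allowlist / store_certificate_bundle sequence against a session. RecordingSession and FakeCert are constructed stand-ins so the flow runs without a YubiKey; with a real device, pass a SecurityDomainSession, its ScpKeyParams and a KeyRef instead.

```python
from typing import Sequence


def order_leaf_last(certs: Sequence) -> list:
    """Return the chain root-first / leaf-last, as store_certificate_bundle expects."""
    by_subject = {c.subject: c for c in certs}
    issuers = {c.issuer for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject not in issuers]  # nobody signed by it
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, got {len(leaves)}")
    chain = [leaves[0]]
    # Walk up issuer links until we hit a self-signed root or a missing issuer.
    while chain[-1].issuer != chain[-1].subject and chain[-1].issuer in by_subject:
        chain.append(by_subject[chain[-1].issuer])
    return chain[::-1]


def bind_key_to_ca(session, key_params, key_ref, ca_ski: bytes, certs=(), allowed_serials=()):
    """Authenticate, then store the CA SKI, optional allowlist and chain for key_ref.
    authenticate() comes first because the store_* commands require OCE verification."""
    session.authenticate(key_params)
    session.store_ca_issuer(key_ref, ca_ski)
    if allowed_serials:  # without an allowlist, any certificate signed by the CA is accepted
        session.store_allowlist(key_ref, list(allowed_serials))
    if certs:
        session.store_certificate_bundle(key_ref, order_leaf_last(certs))
    return session


class RecordingSession:
    """Constructed stand-in for SecurityDomainSession: records calls and enforces
    the 'Requires OCE verification' rule stated in the method docstrings."""
    def __init__(self):
        self.calls, self.authenticated = [], False
    def authenticate(self, key_params):
        self.authenticated = True
        self.calls.append(("authenticate", key_params))
    def _store(self, name, *args):
        if not self.authenticated:
            raise PermissionError(f"{name} requires OCE verification")
        self.calls.append((name, *args))
    def store_ca_issuer(self, key, ski): self._store("store_ca_issuer", key, ski)
    def store_allowlist(self, key, serials): self._store("store_allowlist", key, serials)
    def store_certificate_bundle(self, key, certs): self._store("store_certificate_bundle", key, certs)


class FakeCert:
    """Constructed certificate stand-in carrying only the two fields the ordering needs."""
    def __init__(self, subject, issuer): self.subject, self.issuer = subject, issuer
```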