ykman package
Subpackages
Submodules
ykman.base module
ykman.device module
- ykman.device.scan_devices()[source]
Scan USB for attached YubiKeys, without opening any connections.
- ykman.device.list_all_devices(connection_types=dict_keys([<class 'yubikit.core.smartcard.SmartCardConnection'>, <class 'yubikit.core.otp.OtpConnection'>, <class 'fido2.ctap.CtapDevice'>]))[source]
Connect to all attached YubiKeys and read device info from them.
- Parameters:
connection_types (Iterable[Type[Connection]]) – An iterable of YubiKey connection types.
- Returns:
A list of (device, info) tuples for each connected device.
ykman.diagnostics module
ykman.fido module
- ykman.fido.is_in_fips_mode(fido_connection)[source]
Check if a YubiKey 4 FIPS is in FIPS approved mode.
- Parameters:
fido_connection (CtapDevice) – A FIDO connection.
- ykman.fido.fips_change_pin(fido_connection, old_pin, new_pin)[source]
Change the PIN on a YubiKey 4 FIPS.
If no PIN is set, pass None or an empty string as old_pin.
- ykman.fido.fips_verify_pin(fido_connection, pin)[source]
Unlock the YubiKey 4 FIPS U2F module for credential creation.
- Parameters:
fido_connection (CtapDevice) – A FIDO connection.
pin (str) – The FIDO PIN.
- ykman.fido.fips_reset(fido_connection)[source]
Reset the FIDO module of a YubiKey 4 FIPS.
Note: This action is only permitted immediately after YubiKey power-up. It also requires the user to touch the flashing button on the YubiKey, and will halt until that happens, or the command times out.
- Parameters:
fido_connection (CtapDevice) – A FIDO connection.
ykman.hsmauth module
ykman.logging module
ykman.logging_setup module
ykman.oath module
Check if OATH credential is hidden.
- ykman.oath.calculate_steam(app, credential, timestamp=None)[source]
Calculate steam codes.
ykman.openpgp module
- ykman.openpgp.safe_reset(connection)[source]
Performs an OpenPGP factory reset while avoiding any unnecessary commands.
If any data is unreadable, preventing the OpenPgpSession from initializing, then OpenPgpSession.reset() cannot be called. This function can be used instead to reset the application into a fresh state.
- ykman.openpgp.get_openpgp_info(session)[source]
Get human readable information about the OpenPGP configuration.
- Parameters:
session (OpenPgpSession) – The OpenPGP session.
ykman.otp module
- ykman.otp.is_in_fips_mode(session)[source]
Check if the OTP application of a FIPS YubiKey is in FIPS approved mode.
- Parameters:
session (YubiOtpSession) – The YubiOTP session.
- ykman.otp.generate_static_pw(length, keyboard_layout=KEYBOARD_LAYOUT.MODHEX, blocklist=['\t', '\n', ' '])[source]
Generate a random password.
- ykman.otp.time_challenge(timestamp, period=30)[source]
Format a HMAC-SHA1 challenge based on an OATH timestamp and period.
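ykman.otp.time_challenge and ykman.oath.calculate_steam (above) together turn a timestamp into the challenge sent to the YubiKey and the HMAC-SHA1 response into a Steam code. The following is an added example, not ykman's code: it uses the RFC 6238 counter layout (8-byte big-endian floor(t / period)), RFC 4226 dynamic truncation and the publicly documented Steam Guard base-26 encoding, with a software HMAC standing in for the YubiKey; that this byte layout matches ykman's exact output is an assumption.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Alphabet used by Steam Guard codes: 26 symbols, so each of the five
# code positions is one base-26 digit of the truncated HMAC value.
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def time_challenge(timestamp: int, period: int = 30) -> bytes:
    # RFC 6238 time step T = floor(timestamp / period), packed as 8 bytes big-endian
    # (assumed to be the layout ykman sends to the key's OATH application).
    return struct.pack(">q", int(timestamp // period))


def hmac_sha1_response(secret: bytes, challenge: bytes) -> bytes:
    # Software stand-in for the YubiKey's OATH "calculate": HMAC-SHA1(secret, challenge).
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def dynamic_truncate(response: bytes) -> int:
    # RFC 4226 dynamic truncation: the low nibble of the last byte selects a
    # 4-byte window; the top bit is masked so the result is a 31-bit integer.
    offset = response[-1] & 0x0F
    return int.from_bytes(response[offset:offset + 4], "big") & 0x7FFFFFFF


def format_totp_code(response: bytes, digits: int = 6) -> str:
    # Ordinary OATH presentation: decimal digits, zero-padded.
    return str(dynamic_truncate(response) % 10 ** digits).zfill(digits)


def format_steam_code(response: bytes) -> str:
    # Steam presentation: five base-26 digits, least significant first.
    value = dynamic_truncate(response)
    chars = []
    for _ in range(5):
        chars.append(STEAM_ALPHABET[value % len(STEAM_ALPHABET)])
        value //= len(STEAM_ALPHABET)
    return "".join(chars)


def steam_code(secret: bytes, timestamp: Optional[int] = None) -> str:
    # End-to-end: timestamp -> challenge -> HMAC response -> Steam code.
    ts = int(timestamp if timestamp is not None else time.time())
    return format_steam_code(hmac_sha1_response(secret, time_challenge(ts)))
```

With a real key, `hmac_sha1_response` is the step the YubiKey performs; the secret never leaves the device and only the response is returned to the host.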
ykman.piv module
- ykman.piv.derive_management_key(pin, salt)[source]
Derive a management key from the user's PIN and a salt.
NOTE: This method of derivation is deprecated! Protect the management key using PivmanProtectedData instead.
- ykman.piv.generate_random_management_key(algorithm)[source]
Generate a new random management key.
- Parameters:
algorithm (MANAGEMENT_KEY_TYPE) – The algorithm for the management key.
- ykman.piv.get_pivman_data(session)[source]
Read out the Pivman data from a YubiKey.
- Parameters:
session (PivSession) – The PIV session.
- ykman.piv.get_pivman_protected_data(session)[source]
Read out the Pivman protected data from a YubiKey.
This function requires PIN verification prior to being called.
- Parameters:
session (PivSession) – The PIV session.
- ykman.piv.pivman_set_mgm_key(session, new_key, algorithm, touch=False, store_on_device=False)[source]
Set a new management key, while keeping PivmanData in sync.
- Parameters:
session (PivSession) – The PIV session.
new_key (bytes) – The new management key.
algorithm (MANAGEMENT_KEY_TYPE) – The algorithm for the management key.
touch (bool) – If set, touch is required.
store_on_device (bool) – If set, the management key is stored on device.
- ykman.piv.pivman_change_pin(session, old_pin, new_pin)[source]
Change the PIN, while keeping PivmanData in sync.
- Parameters:
session (PivSession) – The PIV session.
old_pin (str) – The old PIN.
new_pin (str) – The new PIN.
- ykman.piv.pivman_set_pin_attempts(session, pin_attempts, puk_attempts)[source]
Set the number of PIN and PUK retry attempts, while keeping PivmanData in sync.
- Parameters:
session (PivSession) – The PIV session.
pin_attempts (int) – The PIN attempts.
puk_attempts (int) – The PUK attempts.
- ykman.piv.list_certificates(session)[source]
Read out and parse stored certificates.
Only certificates which are successfully parsed are returned.
- Parameters:
session (PivSession) – The PIV session.
- ykman.piv.check_key(session, slot, public_key)[source]
Check that a given public key corresponds to the private key in a slot.
This will create a signature using the private key, so the PIN must be verified prior to calling this function if the PIN policy requires it.
- Parameters:
session (PivSession) – The PIV session.
slot (SLOT) – The slot.
public_key (Union[RSAPublicKey, EllipticCurvePublicKey]) – The public key.
- ykman.piv.get_piv_info(session)[source]
Get human readable information about the PIV configuration.
- Parameters:
session (PivSession) – The PIV session.
- ykman.piv.sign_certificate_builder(session, slot, key_type, builder, hash_algorithm=<class 'cryptography.hazmat.primitives.hashes.SHA256'>)[source]
Sign a Certificate.
- Parameters:
session (PivSession) – The PIV session.
slot (SLOT) – The slot.
key_type (KEY_TYPE) – The key type.
builder (CertificateBuilder) – The x509 certificate builder object.
hash_algorithm (Type[Union[SHA224, SHA256, SHA384, SHA512, SHA3_224, SHA3_256, SHA3_384, SHA3_512]]) – The hash algorithm, ignored for Curve 25519.
- ykman.piv.sign_csr_builder(session, slot, public_key, builder, hash_algorithm=<class 'cryptography.hazmat.primitives.hashes.SHA256'>)[source]
Sign a CSR.
- Parameters:
session (PivSession) – The PIV session.
slot (SLOT) – The slot.
public_key (Union[RSAPublicKey, EllipticCurvePublicKey]) – The public key.
builder (CertificateSigningRequestBuilder) – The x509 certificate signing request builder object.
hash_algorithm (Type[Union[SHA224, SHA256, SHA384, SHA512, SHA3_224, SHA3_256, SHA3_384, SHA3_512]]) – The hash algorithm, ignored for Curve 25519.
- ykman.piv.generate_self_signed_certificate(session, slot, public_key, subject_str, valid_from, valid_to, hash_algorithm=<class 'cryptography.hazmat.primitives.hashes.SHA256'>)[source]
Generate a self-signed certificate using a private key in a slot.
- Parameters:
session (PivSession) – The PIV session.
slot (SLOT) – The slot.
public_key (Union[RSAPublicKey, EllipticCurvePublicKey]) – The public key.
subject_str (str) – The subject RFC 4514 string.
valid_from (datetime) – The date from when the certificate is valid.
valid_to (datetime) – The date when the certificate expires.
hash_algorithm (Type[Union[SHA224, SHA256, SHA384, SHA512, SHA3_224, SHA3_256, SHA3_384, SHA3_512]]) – The hash algorithm.
- ykman.piv.generate_csr(session, slot, public_key, subject_str, hash_algorithm=<class 'cryptography.hazmat.primitives.hashes.SHA256'>)[source]
Generate a CSR using a private key in a slot.
- Parameters:
session (PivSession) – The PIV session.
slot (SLOT) – The slot.
public_key (Union[RSAPublicKey, EllipticCurvePublicKey]) – The public key.
subject_str (str) – The subject RFC 4514 string.
hash_algorithm (Type[Union[SHA224, SHA256, SHA384, SHA512, SHA3_224, SHA3_256, SHA3_384, SHA3_512]]) – The hash algorithm.
ykman.scripting module
- class ykman.scripting.ScriptingDevice(wrapped, info)[source]
Bases: object
Scripting-friendly proxy for YkmanDevice.
This wrapper adds some helpful utility methods useful for scripting.
- property info: DeviceInfo
- ykman.scripting.single(*, prompt=True)[source]
Connect to a YubiKey.
- Parameters:
prompt – When set, you will be prompted to insert a YubiKey.
- ykman.scripting.multi(*, ignore_duplicates=True, allow_initial=False, prompt=True)[source]
Connect to multiple YubiKeys.
- ykman.scripting.single_nfc(reader='', *, prompt=True)[source]
Connect to a YubiKey over NFC.
- Parameters:
reader – The name of the NFC reader.
prompt – When set, you will be prompted to place a YubiKey on the NFC reader.
- ykman.scripting.multi_nfc(reader='', *, ignore_duplicates=True, allow_initial=False, prompt=True)[source]
Connect to multiple YubiKeys over NFC.
- Parameters:
reader – The name of the NFC reader.
ignore_duplicates – When set, duplicates are ignored.
allow_initial – When set, YubiKeys can be connected at the start of the function call.
prompt – When set, you will be prompted to place YubiKeys on the NFC reader.
ykman.settings module
ykman.util module
- exception ykman.util.InvalidPasswordError[source]
Bases: Exception
Raised when parsing key/certificate and the password might be wrong/missing.
- ykman.util.parse_private_key(data, password)[source]
Identify, decrypt and return a cryptography private key object.
- Parameters:
data – The private key in bytes.
password – The password to decrypt the private key (if it is encrypted).
- ykman.util.parse_certificates(data, password)[source]
Identify, decrypt and return a list of cryptography x509 certificates.
- Parameters:
data – The certificate(s) in bytes.
password – The password to decrypt the certificate(s).
- ykman.util.get_leaf_certificates(certs)[source]
Extract the leaf certificates from a list of certificates.
Leaf certificates are ones whose subject does not appear as issuer among the others.
- Parameters:
certs – The list of cryptography x509 certificate objects.
- ykman.util.is_pkcs12(data)[source]
Tries to identify a PKCS12 container. The PFX PDU version is assumed to be v3. See: https://tools.ietf.org/html/rfc7292.
- ykman.util.display_serial(serial)[source]
Displays an x509 certificate serial number in a readable format.
- class ykman.util.OSVERSIONINFOW[source]
Bases: Structure
- dwBuildNumber – Structure/Union member
- dwMajorVersion – Structure/Union member
- dwMinorVersion – Structure/Union member
- dwOSVersionInfoSize – Structure/Union member
- dwPlatformId – Structure/Union member
- szCSDVersion – Structure/Union member