1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
|
.. vim:tw=72
=======================================================
Cryptographic library for Python with Mbed TLS back end
=======================================================
.. image:: https://results.pre-commit.ci/badge/github/Synss/python-mbedtls/master.svg
:target: https://results.pre-commit.ci/latest/github/Synss/python-mbedtls/master
:alt: pre-commit.ci status
.. image::
https://github.com/Synss/python-mbedtls/actions/workflows/main.yml/badge.svg?branch=master
:target: https://github.com/Synss/python-mbedtls/actions/
.. image::
https://coveralls.io/repos/github/Synss/python-mbedtls/badge.svg?branch=master
:target: https://coveralls.io/github/Synss/python-mbedtls?branch=master
`python-mbedtls`_ is a free cryptographic library for Python that uses
`mbed TLS`_ for back end.
mbed TLS (formerly known as PolarSSL) makes it trivially easy for
developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.
*python-mbedtls* API follows the recommendations from:
* `PEP 272`_ -- API for Block Encryption Algorithms v1.0
* `PEP 452`_ -- API for Cryptographic Hash Functions v2.0
* `PEP 506`_ -- Adding a Secret Module to the Standard Library
* `PEP 543`_ -- A Unified TLS API for Python (`completed and modernized`_)
and therefore plays well with the `cryptographic services`_ from the
Python standard library and many other cryptography libraries as well.
.. _python-mbedtls: https://synss.github.io/python-mbedtls
.. _mbed TLS: https://tls.mbed.org
.. _PEP 272: https://www.python.org/dev/peps/pep-0272/
.. _PEP 452: https://www.python.org/dev/peps/pep-0452/
.. _PEP 506: https://www.python.org/dev/peps/pep-0506/
.. _PEP 543: https://www.python.org/dev/peps/pep-0543/
.. _cryptographic services: https://docs.python.org/3/library/crypto.html
.. _PyCrypto: https://www.dlitz.net/software/pycrypto/
.. _hashlib: https://docs.python.org/3.6/library/hashlib.html
.. _hmac: https://docs.python.org/3.6/library/hmac.html
.. _completed and modernized: https://github.com/Synss/python-mbedtls/blob/master/src/mbedtls/_tlsi.py
License
=======
*python-mbedtls* is licensed under the MIT License (see LICENSE.txt).
This enables the use of *python-mbedtls* in both open source and closed
source projects. The MIT License is compatible with both GPL and Apache
2.0 license under which mbed TLS is distributed.
API documentation
=================
https://synss.github.io/python-mbedtls/
Installation
============
The bindings are tested with mbedTLS 2.28.8 for Python 3.8,
3.9, 3.10, 3.11, and 3.12 on Linux, macOS, and Windows.
`manylinux`_ wheels are available for 64-bit Linux systems. Install
with ``pip install python-mbedtls``.
.. _manylinux: https://www.python.org/dev/peps/pep-0513/
Usage and examples
==================
Now, let us see examples using the various parts of the library.
Check which version of mbed TLS is being used by python-mbedtls
---------------------------------------------------------------
The *mbedtls.version* module shows the run-time version
information to mbed TLS.
>>> from mbedtls import version
>>> _ = version.version # "Mbed TLS 2.28.8"
>>> _ = version.version_info # (2, 28, 8)
Message digest
--------------
The *mbedtls.hashlib* module supports MD2, MD4, MD5, SHA-1, SHA-2
(in 224, 256, 384, and 512-bits), and RIPEMD-160 secure hashes
and message digests. Note that MD2 and MD4 are not included
by default and are only present if they are compiled in mbedtls.
Here are the examples from (standard) *hashlib* ported
to *python-mbedtls*:
>>> from mbedtls import hashlib
>>> m = hashlib.md5()
>>> m.update(b"Nobody inspects")
>>> m.update(b" the spammish repetition")
>>> m.digest()
b'\xbbd\x9c\x83\xdd\x1e\xa5\xc9\xd9\xde\xc9\xa1\x8d\xf0\xff\xe9'
>>> m.digest_size
16
>>> m.block_size
64
More condensed:
>>> hashlib.sha224(b"Nobody inspects the spammish repetition").hexdigest()
'a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2'
Using ``new()``:
>>> h = hashlib.new('ripemd160')
>>> h.update(b"Nobody inspects the spammish repetition")
>>> h.hexdigest()
'cc4a5ce1b3df48aec5d22d1f16b894a0b894eccc'
HMAC algorithm
--------------
The *mbedtls.hmac* module computes HMAC.
Example:
>>> from mbedtls import hmac
>>> m = hmac.new(b"This is my secret key", digestmod="md5")
>>> m.update(b"Nobody inspects")
>>> m.update(b" the spammish repetition")
>>> m.digest()
b'\x9d-/rj\\\x98\x80\xb1rG\x87\x0f\xe9\xe4\xeb'
Warning:
The message is cleared after calculation of the digest. Only call
``mbedtls.hmac.Hmac.digest()`` or ``mbedtls.hmac.Hmac.hexdigest()``
once per message.
HMAC-based key derivation function (HKDF)
-----------------------------------------
The *mbedtls.hkdf* module exposes extract-and-expand key derivation
functions. The main function is ``hkdf()`` but ``extract()`` and
``expand()`` may be used as well.
Example:
>>> from mbedtls import hkdf
>>> hkdf.hkdf(
... b"my secret key",
... length=42,
... info=b"my cool app",
... salt=b"and pepper",
... digestmod=hmac.sha256
... )
b'v,\xef\x90\xccU\x1d\x1b\xd7\\a\xaf\x92\xac\n\x90\xf9q\xf4)\xcd"\xf7\x1a\x94p\x03.\xa8e\x1e\xfb\x92\xe8l\x0cc\xf8e\rvj'
where *info*, *salt*, and *digestmod* are optional, although providing
(at least) *info* is highly recommended.
Symmetric cipher
----------------
The *mbedtls.cipher* module provides symmetric encryption. The API
follows the recommendations from PEP 272 so that it can be used as a
drop-in replacement to other libraries.
*python-mbedtls* provides the following algorithms:
- AES encryption/decryption (128, 192, and 256 bits) in ECB, CBC, CFB128,
CTR, OFB, or XTS mode;
- AES AEAD (128, 192, and 256 bits) in GCM or CCM mode;
- ARC4 encryption/decryption;
- ARIA encryption/decryption (128, 192, and 256 bits) in ECB, CBC,
CTR, or GCM modes;
- Blowfish encryption/decryption in ECB, CBC, CFB64, or CTR mode;
- Camellia encryption/decryption (128, 192, and 256 bits) in ECB, CBC,
CFB128, CTR, or GCM mode;
- DES, DES3, and double DES3 encryption/decryption in ECB or CBC mode;
- CHACHA20 and CHACHA20/POLY1305 encryption/decryption.
Example:
>>> from mbedtls import cipher
>>> c = cipher.AES.new(b"My 16-bytes key.", cipher.MODE_CBC, b"CBC needs an IV.")
>>> enc = c.encrypt(b"This is a super-secret message!!")
>>> enc
b"*`k6\x98\x97=[\xdf\x7f\x88\x96\xf5\t\x19J\xf62h\xf4n\xca\xe8\xfe\xf5\xd7X'\xb1\x8c\xc9\x85"
>>> c.decrypt(enc)
b'This is a super-secret message!!'
RSA public key
--------------
The *mbedtls.pk* module provides the RSA cryptosystem. This includes:
- Public-private key generation and key import/export in PEM and DER
formats;
- asymmetric encryption and decryption;
- message signature and verification.
Key generation, the default size is 2048 bits:
>>> from mbedtls import pk
>>> rsa = pk.RSA()
>>> prv = rsa.generate()
>>> rsa.key_size
256
Message encryption and decryption:
>>> enc = rsa.encrypt(b"secret message")
>>> rsa.decrypt(enc)
b'secret message'
Message signature and verification:
>>> sig = rsa.sign(b"Please sign here.")
>>> rsa.verify(b"Please sign here.", sig)
True
>>> rsa.verify(b"Sorry, wrong message.", sig)
False
>>> pub = rsa.export_public_key(format="DER")
>>> other = pk.RSA.from_buffer(pub)
>>> other.verify(b"Please sign here.", sig)
True
Static and ephemeral elliptic curve Diffie-Hellman
--------------------------------------------------
The *mbedtls.pk* module provides the ECC cryptosystem. This includes:
- Public-private key generation and key import/export in the PEM and DER
formats;
- asymmetric encrypt and decryption;
- message signature and verification;
- ephemeral ECDH key exchange.
``get_supported_curves()`` returns the list of supported curves.
The API of the ECC class is the same as the API of the RSA class
but ciphering (``encrypt()`` and ``decrypt()`` is not supported by
Mbed TLS).
Message signature and verification using elliptic a curve digital
signature algorithm (ECDSA):
>>> from mbedtls import pk
>>> ecdsa = pk.ECC()
>>> prv = ecdsa.generate()
>>> sig = ecdsa.sign(b"Please sign here.")
>>> ecdsa.verify(b"Please sign here.", sig)
True
>>> ecdsa.verify(b"Sorry, wrong message.", sig)
False
>>> pub = ecdsa.export_public_key(format="DER")
>>> other = pk.ECC.from_buffer(pub)
>>> other.verify(b"Please sign here.", sig)
True
The classes ``ECDHServer`` and ``ECDHClient`` may be used for ephemeral
ECDH. The key exchange is as follows:
>>> ecdh_key = pk.ECC()
>>> ecdh_key.generate()
>>> ecdh_srv = pk.ECDHServer(ecdh_key)
>>> ecdh_cli = pk.ECDHClient(ecdh_key)
The server generates the ServerKeyExchange encrypted payload and
passes it to the client:
>>> ske = ecdh_srv.generate()
>>> ecdh_cli.import_SKE(ske)
then the client generates the ClientKeyExchange encrypted payload and
passes it back to the server:
>>> cke = ecdh_cli.generate()
>>> ecdh_srv.import_CKE(cke)
Now, client and server may generate their shared secret:
>>> secret = ecdh_srv.generate_secret()
>>> ecdh_cli.generate_secret() == secret
True
>>> ecdh_srv.shared_secret == ecdh_cli.shared_secret
True
Diffie-Hellman-Merkle key exchange
----------------------------------
The classes ``DHServer`` and ``DHClient`` may be used for DH Key
exchange. The classes have the same API as ``ECDHServer``
and ``ECDHClient``, respectively.
The key exchange is as follow:
>>> from mbedtls.mpi import MPI
>>> from mbedtls import pk
>>> dh_srv = pk.DHServer(MPI.prime(128), MPI.prime(96))
>>> dh_cli = pk.DHClient(MPI.prime(128), MPI.prime(96))
The 128-bytes prime and the 96-bytes prime are the modulus ``P``
and the generator ``G``.
The server generates the ServerKeyExchange payload:
>>> ske = dh_srv.generate()
>>> dh_cli.import_SKE(ske)
The payload ends with ``G^X mod P`` where ``X`` is the secret value of
the server.
>>> cke = dh_cli.generate()
>>> dh_srv.import_CKE(cke)
``cke`` is ``G^Y mod P`` (with ``Y`` the secret value from the client)
returned as its representation in bytes so that it can be readily
transported over the network.
As in ECDH, client and server may now generate their shared secret:
>>> secret = dh_srv.generate_secret()
>>> dh_cli.generate_secret() == secret
True
>>> dh_srv.shared_secret == dh_cli.shared_secret
True
X.509 certificate writing and parsing
-------------------------------------
The *mbedtls.x509* module can be used to parse X.509 certificates
or create and verify a certificate chain.
Here, the trusted root is a self-signed CA certificate
``ca0_crt`` signed by ``ca0_key``.
>>> import datetime as dt
>>>
>>> from mbedtls import hashlib
>>> from mbedtls import pk
>>> from mbedtls import x509
>>>
>>> now = dt.datetime.utcnow()
>>> ca0_key = pk.RSA()
>>> _ = ca0_key.generate()
>>> ca0_csr = x509.CSR.new(ca0_key, "CN=Trusted CA", hashlib.sha256())
>>> ca0_crt = x509.CRT.selfsign(
... ca0_csr, ca0_key,
... not_before=now, not_after=now + dt.timedelta(days=90),
... serial_number=0x123456,
... basic_constraints=x509.BasicConstraints(True, 1))
...
An intermediate then issues a Certificate Singing Request (CSR) that the
root CA signs:
>>> ca1_key = pk.ECC()
>>> _ = ca1_key.generate()
>>> ca1_csr = x509.CSR.new(ca1_key, "CN=Intermediate CA", hashlib.sha256())
>>>
>>> ca1_crt = ca0_crt.sign(
... ca1_csr, ca0_key, now, now + dt.timedelta(days=90), 0x123456,
... basic_constraints=x509.BasicConstraints(ca=True, max_path_length=3))
...
And finally, the intermediate CA signs a certificate for the
End Entity on the basis of a new CSR:
>>> ee0_key = pk.ECC()
>>> _ = ee0_key.generate()
>>> ee0_csr = x509.CSR.new(ee0_key, "CN=End Entity", hashlib.sha256())
>>>
>>> ee0_crt = ca1_crt.sign(
... ee0_csr, ca1_key, now, now + dt.timedelta(days=90), 0x987654)
...
The emitting certificate can be used to verify the next certificate in
the chain:
>>> ca1_crt.verify(ee0_crt)
True
>>> ca0_crt.verify(ca1_crt)
True
Note, however, that this verification is only one step in a private key
infrastructure and does not take CRLs, path length, etc. into account.
TLS and DTLS client and server
------------------------------
The *mbedtls.tls* module provides TLS clients and servers. The API
follows the recommendations of `PEP 543`_. Note, however, that the
Python standard SSL library does not follow the PEP so that this
library may not be a drop-in replacement.
.. _PEP 543: https://www.python.org/dev/peps/pep-0543/
Connectionless DTLS is supported as well.
See examples in the `programs/`_ directory of the repository
and `tests/test_tls.py`_.
.. _programs/: https://github.com/Synss/python-mbedtls/tree/master/programs
.. _tests/test_tls.py: https://github.com/Synss/python-mbedtls/blob/master/tests/test_tls.py
|
