PySETO is a PASETO (Platform-Agnostic SEcurity TOkens) implementation written in Python

Related tags

Cryptographypythonsecurityjwtcryptographyencryptionsignaturersajoseed25519ecdsablake2btokeneddsasha384chacha20pasetopaserk
Overview

PySETO - A Python implementation of PASETO

PyPI version PyPI - Python Version Documentation Status Github CI codecov

PySETO is a PASETO (Platform-Agnostic SEcurity TOkens) implementation written in Python which supports all of the versions and purposes below.

  • Version 1: NIST Compatibility
    • Local: Symmetric Authenticated Encryption
      • AES-256-CTR + HMAC-SHA384 (Encrypt-then-MAC).
    • Public: Asymmetric Authentication (Public-Key Signatures)
      • RSASSA-PSS with 2048-bit key, SHA384 hashing and MGF1+SHA384.
  • Version 2: Sodium Original
    • Local: Symmetric Authenticated Encryption
      • XChaCha20-Poly1305 (192-bit nonce, 256-bit key, 128-bit authentication tag).
    • Public: Asymmetric Authentication (Public-Key Signatures)
      • EdDSA over Curve25519.
  • Version 3: NIST Modern
    • Local: Symmetric Authenticated Encryption
      • AES-256-CTR + HMAC-SHA384 (Encrypt-then-MAC).
    • Public: Asymmetric Authentication (Public-Key Signatures)
  • Version 4: Sodium Modern
    • Local: Symmetric Authenticated Encryption
      • XChaCha20 + BLAKE2b-MAC (Encrypt-then-MAC).
    • Public: Asymmetric Authentication (Public-Key Signatures)
      • EdDSA over Curve25519.

See Document for details.

Installation

You can install PySETO with pip:

$ pip install pyseto

Usage

You can use it as follows:

v4.local

>> token = pyseto.encode(key, '{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}') >>> token b'v4.local.VXJUUePf8zL1670zhOmbO7eRdccapuXlf76fRCkntiRauk2qQFOaBQOk4ISSRXQZvcGG2C5H74ShLzoU3YorK4xdfjHBj4ESoRB5mt1FWf8MEXoDQiIHQ4WDyMR57ferhaKJM6FwgcwM2xINWy1xCSFz5f7al0c8RUnd4xO_42beR83ye0jRYg' >>> decoded = pyseto.decode(key, token) >>> decoded.payload b'{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}' "> 
>>> import pyseto
>>> from pyseto import Key
>>> key = Key.new("v4", "local", "our-secret")
>>> token = pyseto.encode(key, '{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}')
>>> token
b'v4.local.VXJUUePf8zL1670zhOmbO7eRdccapuXlf76fRCkntiRauk2qQFOaBQOk4ISSRXQZvcGG2C5H74ShLzoU3YorK4xdfjHBj4ESoRB5mt1FWf8MEXoDQiIHQ4WDyMR57ferhaKJM6FwgcwM2xINWy1xCSFz5f7al0c8RUnd4xO_42beR83ye0jRYg'
>>> decoded = pyseto.decode(key, token)
>>> decoded.payload
b'{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}'

v4.public

>> public_key_pem = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAHrnbu7wEfAP9cGBOAHHwmH4Wsot1ciXBHwBBXQ4gsaI=\n-----END PUBLIC KEY-----" >>> secret_key = Key.new("v4", "public", secret_key_pem) >>> token = pyseto.encode(secret_key, '{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}') >>> token b'v4.public.eyJkYXRhIjogInRoaXMgaXMgYSBzaWduZWQgbWVzc2FnZSIsICJleHAiOiAiMjAyMi0wMS0wMVQwMDowMDowMCswMDowMCJ9l1YiKei2FESvHBSGPkn70eFO1hv3tXH0jph1IfZyEfgm3t1DjkYqD5r4aHWZm1eZs_3_bZ9pBQlZGp0DPSdzDg' >>> public_key = Key.new("v4", "public", public_key_pem) >>> decoded = pyseto.decode(public_key, token) >>> decoded.payload b'{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}' "> 
>>> import pyseto
>>> from pyseto import Key
>>> secret_key_pem = "-----BEGIN PRIVATE KEY-----\nMC4CAQAwBQYDK2VwBCIEILTL+0PfTOIQcn2VPkpxMwf6Gbt9n4UEFDjZ4RuUKjd0\n-----END PRIVATE KEY-----"
>>> public_key_pem = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAHrnbu7wEfAP9cGBOAHHwmH4Wsot1ciXBHwBBXQ4gsaI=\n-----END PUBLIC KEY-----"
>>> secret_key = Key.new("v4", "public", secret_key_pem)
>>> token = pyseto.encode(secret_key, '{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}')
>>> token
b'v4.public.eyJkYXRhIjogInRoaXMgaXMgYSBzaWduZWQgbWVzc2FnZSIsICJleHAiOiAiMjAyMi0wMS0wMVQwMDowMDowMCswMDowMCJ9l1YiKei2FESvHBSGPkn70eFO1hv3tXH0jph1IfZyEfgm3t1DjkYqD5r4aHWZm1eZs_3_bZ9pBQlZGp0DPSdzDg'
>>> public_key = Key.new("v4", "public", public_key_pem)
>>> decoded = pyseto.decode(public_key, token)
>>> decoded.payload
b'{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}'

API Reference

See Document.

Tests

You can run tests from the project root after cloning with:

$ tox
Comments
  • Avoid re-encoding and decoding output from serializer

    Avoid re-encoding and decoding output from serializer

    Is your feature request related to a problem? Please describe. When using a serializer such as orjson, a bytes object is output by default, but the serializer field expects a function that returns a str, that is immediately encoded into a bytes object.

    Describe the solution you'd like Make it so that serializer can output either a str or a bytes object. Also, the serializer field should ideally be a function and not a class, since Python functions are objects themselves and can be passed into functions (see map and filter).

    Describe alternatives you've considered Having my serializer return a str by doing orjson.dumps().decode("utf-8"), but this is inefficient.

    Additional context N/A

    enhancement 
    opened by MrAwesomeRocks 6
  • Compare MACs in constant time

    Compare MACs in constant time

    This PR replaces MAC comparisons using bytes.__eq__ with calls to hmac.compare_digest in the decryption routines for v1, v3 and v4, since the PASETO spec requires MACs to be checked in constant time. The v2 handler delegates this check to decrypt_and_verify in PyCryptoDome, which uses a randomised MAC comparison strategy instead. As such, v2 didn't require any fixes.

    Comments certainly welcome!

    opened by MatthiasValvekens 4
  • to_peer_paserk_id for k3.secret

    to_peer_paserk_id for k3.secret

    This is a feature request because to_peer_paserk_id is working as documented. Is there a technical reason why to_peer_paserk_id does not work on a V3 secret key? If Yes, can we add it to the documentation? If No, can we add support for it?

    enhancement 
    opened by Eh2406 4
  • Some (de)serializers output a datetime object when parsing

    Some (de)serializers output a datetime object when parsing

    Describe the bug I'm using cbor2 as my (de)serializer for Pyseto. When parsing a bytestring, cbor2 already outputs a datetime object, causing an error when iso8601 tries to parse the datetime. Would it be possible to add a check to see if nbf and exp are datetime objects before trying to parse them?

    To Reproduce Steps to reproduce the behavior:

    1. Set cbor2 as the Pyseto (de)serializer.
    2. Try to decode a PASETO.

    Expected behavior No error, Pyseto takes the pre-parsed datetime and uses it.

    Thanks in advance for your help! This is a really great library.

    bug 
    opened by MrAwesomeRocks 4
  • Support creating keys from bytes

    Support creating keys from bytes

    Currently Key can only be created from Paserk or PEM, which limits the interoperability of Pyseto.

    For example: If I want to create a key pair with Rust, and sign a Paseto token with Rust, I cannot then verify it with Pyseto because the Rust libraries only provide the public key as binary, meaning I'd need to convert it to either Paserk or PEM, which is just cumbersome.

    Most Paseto libraries allow importing/exporting keys as binary, so it makes sense to support it, to maximize interoperability.

    opened by not-my-profile 4
  • Typo in the Documentation

    Typo in the Documentation

    I think in

    https://pyseto.readthedocs.io/en/latest/paseto_usage.html#v4-local

    it must be "Symmetric Authenticated Encryption with XChaCha20 + BLAKE2b-MAC (Encrypt-then-MAC)" instead of "Symmetric Authenticated Encryption with AES-256-CTR + HMAC-SHA384 (Encrypt-then-MAC)"

    bug 
    opened by stsch9 2
  • Token payloads are not decoded when using `local` Keys

    Token payloads are not decoded when using `local` Keys

    Describe the bug When using a local Key, the token payload is not decoded, and so this example does not work for local keys. This is due to these lines in paseto.py that cause the function to exit early.

    To Reproduce Steps to reproduce the behavior:

    1. Go to this example: https://pyseto.readthedocs.io/en/stable/paseto_usage.html#using-serializer-deserializer-for-payload-and-footer
    2. Follow the directions, but use a local key.
    3. When running decoded.payload["data"], observe the error.

    Expected behavior The payload of the decoded token is a dictionary when deserializer is passed.

    bug 
    opened by MrAwesomeRocks 2
  • Update mypy requirement from ^0.920 to ^0.921

    Update mypy requirement from ^0.920 to ^0.921

    Updates the requirements on mypy to permit the latest version.

    Commits

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 2
  • Bump tox from 4.0.16 to 4.1.1

    Bump tox from 4.0.16 to 4.1.1

    Bumps tox from 4.0.16 to 4.1.1.

    Release notes

    Sourced from tox's releases.

    4.1.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.19...4.1.0

    4.0.18

    What's Changed

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.17...4.0.18

    4.0.17

    What's Changed

    New Contributors

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.16...4.0.17

    Changelog

    Sourced from tox's changelog.

    v4.1.1 (2022-12-29)

    Bugfixes - 4.1.1

    - Fix logging error with emoji in git branch name. (:issue:`2768`)

    Improved Documentation - 4.1.1

    • Add faq entry about re-use of environments - by :user:jugmac00. (:issue:2788)

    v4.1.0 (2022-12-29)

    Features - 4.1.0

    - ``-f`` can be used multiple times and on hyphenated factors (e.g. ``-f py311-django -f py39``) - by :user:`sirosen`. (:issue:`2766`)

    Improved Documentation - 4.1.0

    • Fix a grammatical typo in docs/user_guide.rst. (:issue:2787)

    v4.0.19 (2022-12-28)

    Bugfixes - 4.0.19

    - Create temp_dir if not exists - by :user:`q0w`. (:issue:`2770`)

    v4.0.18 (2022-12-26)
    

    Bugfixes - 4.0.18

    • Strip leading and trailing whitespace when parsing elements in requirement files - by :user:gaborbernat. (:issue:2773)

    v4.0.17 (2022-12-25)

    Features - 4.0.17

    - Suppress a report output when verbosity = 0. (:issue:`2697`)

    Bugfixes - 4.0.17

    • Fix --sdistonly behaviour. (:issue:2653)

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Bump tox from 4.0.16 to 4.0.19

    Bump tox from 4.0.16 to 4.0.19

    Bumps tox from 4.0.16 to 4.0.19.

    Release notes

    Sourced from tox's releases.

    4.0.18

    What's Changed

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.17...4.0.18

    4.0.17

    What's Changed

    New Contributors

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.16...4.0.17

    Changelog

    Sourced from tox's changelog.

    v4.0.19 (2022-12-28)

    Bugfixes - 4.0.19

    - Create temp_dir if not exists - by :user:`q0w`. (:issue:`2770`)

    v4.0.18 (2022-12-26)
    

    Bugfixes - 4.0.18

    • Strip leading and trailing whitespace when parsing elements in requirement files - by :user:gaborbernat. (:issue:2773)

    v4.0.17 (2022-12-25)

    Features - 4.0.17

    - Suppress a report output when verbosity = 0. (:issue:`2697`)

    Bugfixes - 4.0.17

    • Fix --sdistonly behaviour. (:issue:2653)
    • Override toxworkdir with --workdir. (:issue:2654)
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Bump tox from 4.0.16 to 4.0.18

    Bump tox from 4.0.16 to 4.0.18

    Bumps tox from 4.0.16 to 4.0.18.

    Release notes

    Sourced from tox's releases.

    4.0.18

    What's Changed

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.17...4.0.18

    4.0.17

    What's Changed

    New Contributors

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.16...4.0.17

    Changelog

    Sourced from tox's changelog.

    v4.0.18 (2022-12-26)

    Bugfixes - 4.0.18

    - Strip leading and trailing whitespace when parsing elements in requirement files - by :user:`gaborbernat`. (:issue:`2773`)

    v4.0.17 (2022-12-25)
    

    Features - 4.0.17

    • Suppress a report output when verbosity = 0. (:issue:2697)

    Bugfixes - 4.0.17

    - Fix ``--sdistonly`` behaviour. (:issue:`2653`)
- Override toxworkdir with --workdir. (:issue:`2654`)
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
Releases(v1.7.0)
Owner
Ajitomi, Daisuke
This is a private, hobby account. Except for "HTTPS in Local Network" activity, my repositories are not related to the company to which I belong.
Ajitomi, Daisuke
GitHub Repository
A Python module to encrypt and decrypt data with AES-128 CFB mode.

cryptocfb A Python module to encrypt and decrypt data with AES-128 CFB mode. This module supports 8/64/128-bit CFB mode. It can encrypt and decrypt la

Quan Lin 2 Sep 23, 2022
This program can encrypt/ decrypt any string

Ceasar_cipher Hey this is J0ey, this program is a very basic Caesar cipher encoder/decoder. In order to use this program, you will need to have Python

1 Jan 11, 2022
PyCrypter , A Tool To Encrypt/Decrypt Text/Code With Ease And Safe Using Password !

PyCrypter PyCrypter , A Tool To Encrypt/Decrypt Text/Code With Ease And Safe Using Password ! Requirements pyfiglet And colorama Usage First Clone The

1 Nov 12, 2021
Django-based Crypto Portfolio Tracker – keep an eye on Shiba Inu and other Crypto

Crypto Tracker 🐍 📈 – Central Portfolio Tracking Easy asset tracking – at a glance 🚀 Dashboard to centrally monitor current crypto portfolio develop

65 Jan 08, 2023
Algorand-app - This tutorial is designed to get you started with Algorand development in a step by step process

Getting Started This tutorial is designed to get you started with Algorand devel

Connor 1 Jan 06, 2022
Um sistema de Criptografia RSA feito totalmente em Python

Um sistema de Criptografia RSA feito totalmente em Python

Luis Müdder 3 Nov 23, 2021
Encrypt decrypt files - Programmed in Python | PySimpleGUI

Crypter Programmed in Python | PySimpleGUI If you like it give it a star How it works Crypter program use Fernet for encryption. Fernet guarantees tha

Adrijan 11 Jun 18, 2022
Gearbox-vyper-contracts - Auxillary contracts for the Gearbox Protocol written in Vyper

Gearbox Vyper Contracts Auxillary contracts for the Gearbox Protocol written in

Edward Amor 4 Jan 07, 2022
Amazing CryptoWAF was a CTF challenge for ALLES! CTF 2021

ctf-cryptowaf The AmazingCryptoWAF ™️ is used by the "noter" web app, to offer automagically military encryption for any user data. Even if an attacke

32 Jan 02, 2023
Pool funds to bootstrap a Uniswap pair

Seed liquidity A contract to pool funds which are then used to boostrap a new Uniswap liquidity pair. Specification A new SeedLiquidity contract is de

66 Dec 09, 2022
Bitcoin Wallet Address Generator

Bitcoin Wallet Address Generator This is a simple Bitcoin non-deterministic wallet address generator coded in Python 3. It generates a Private Key in different formats (hex, wif and compressed wif) a

11 Dec 29, 2022
This python module can analyse cryptocurrency news for any number of coins given and return a sentiment. Can be easily integrated with a Trading bot to keep an eye on the news.

Python script that analyses news headline or body sentiment and returns the overall media sentiment of any given coin. It can take multiple coins an

185 Dec 22, 2022
Meraki-apiv0-audit - CLI application that will export all Meraki Dashboard v0 API calls for one, multiple, or all Meraki Dashboard Organizations

Meraki Audit v0 API Requests (v0audit.py) (Note: this API key belongs to the Mer

Zach Brewer 1 Feb 18, 2022
Signarly is a cryptocurrency trading bot.

Signarly is a cryptocurrency trading bot.

Zakaria EL Mesaoudi 5 Oct 06, 2022
Gold(Gold) is a modern cryptocurrency built from scratch, designed to be efficient, decentralized, and secure

gold-blockchain (Gold) Gold(Gold) is a modern cryptocurrency built from scratch, designed to be efficient, decentralized, and secure. Here are some of

zcomputerwiz 3 Mar 09, 2022
A Python implementation of CWT/COSE.

Python CWT - A Python implementation of CWT/COSE Python CWT is a CBOR Web Token (CWT) and CBOR Object Signing and Encryption (COSE) implementation com

Ajitomi Daisuke 13 Dec 14, 2022
Stor is a community-driven green cryptocurrency based on a proof of space and time consensus algorithm.

Stor Blockchain Stor is a community-driven green cryptocurrency based on a proof of space and time consensus algorithm. For more information, see our

Stor Network 15 May 18, 2022
SVSHI - Secure and Verified Smart Home Infrastructure

The SVSHI (Secure and Verified Smart Home Infrastructure) (pronounced like "sushi") project is a platform/runtime/toolchain for developing and running formally verified smart infrastructures, such as

Dependable Systems Laboratory 3 Oct 28, 2022
Connects to an active BitCoin Peer and communicates in order to locate a specific block number (height)

BitCoin-Peer-Client Connects to an active BitCoin Peer, and locates a predetermined block number (height) by downloading block headers. Once required

Henry Song 1 Jan 16, 2022
Простой шифратор работающий по ключам.

deCryptor Что это такое? Простой шифратор работающий по ключам и без них. Как пользоваться? СМОТРЕТЬ ИЗОБРАЖЕНИЕ Разработчики Роман Слабицкий - написа

Romanin 2 May 31, 2022