PySETO is a PASETO (Platform-Agnostic SEcurity TOkens) implementation written in Python

Related tags

Cryptographypythonsecurityjwtcryptographyencryptionsignaturersajoseed25519ecdsablake2btokeneddsasha384chacha20pasetopaserk
Overview

PySETO - A Python implementation of PASETO

PyPI version PyPI - Python Version Documentation Status Github CI codecov

PySETO is a PASETO (Platform-Agnostic SEcurity TOkens) implementation written in Python which supports all of the versions and purposes below.

  • Version 1: NIST Compatibility
    • Local: Symmetric Authenticated Encryption
      • AES-256-CTR + HMAC-SHA384 (Encrypt-then-MAC).
    • Public: Asymmetric Authentication (Public-Key Signatures)
      • RSASSA-PSS with 2048-bit key, SHA384 hashing and MGF1+SHA384.
  • Version 2: Sodium Original
    • Local: Symmetric Authenticated Encryption
      • XChaCha20-Poly1305 (192-bit nonce, 256-bit key, 128-bit authentication tag).
    • Public: Asymmetric Authentication (Public-Key Signatures)
      • EdDSA over Curve25519.
  • Version 3: NIST Modern
    • Local: Symmetric Authenticated Encryption
      • AES-256-CTR + HMAC-SHA384 (Encrypt-then-MAC).
    • Public: Asymmetric Authentication (Public-Key Signatures)
  • Version 4: Sodium Modern
    • Local: Symmetric Authenticated Encryption
      • XChaCha20 + BLAKE2b-MAC (Encrypt-then-MAC).
    • Public: Asymmetric Authentication (Public-Key Signatures)
      • EdDSA over Curve25519.

See Document for details.

Installation

You can install PySETO with pip:

$ pip install pyseto

Usage

You can use it as follows:

v4.local

>> token = pyseto.encode(key, '{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}') >>> token b'v4.local.VXJUUePf8zL1670zhOmbO7eRdccapuXlf76fRCkntiRauk2qQFOaBQOk4ISSRXQZvcGG2C5H74ShLzoU3YorK4xdfjHBj4ESoRB5mt1FWf8MEXoDQiIHQ4WDyMR57ferhaKJM6FwgcwM2xINWy1xCSFz5f7al0c8RUnd4xO_42beR83ye0jRYg' >>> decoded = pyseto.decode(key, token) >>> decoded.payload b'{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}' "> 
>>> import pyseto
>>> from pyseto import Key
>>> key = Key.new("v4", "local", "our-secret")
>>> token = pyseto.encode(key, '{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}')
>>> token
b'v4.local.VXJUUePf8zL1670zhOmbO7eRdccapuXlf76fRCkntiRauk2qQFOaBQOk4ISSRXQZvcGG2C5H74ShLzoU3YorK4xdfjHBj4ESoRB5mt1FWf8MEXoDQiIHQ4WDyMR57ferhaKJM6FwgcwM2xINWy1xCSFz5f7al0c8RUnd4xO_42beR83ye0jRYg'
>>> decoded = pyseto.decode(key, token)
>>> decoded.payload
b'{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}'

v4.public

>> public_key_pem = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAHrnbu7wEfAP9cGBOAHHwmH4Wsot1ciXBHwBBXQ4gsaI=\n-----END PUBLIC KEY-----" >>> secret_key = Key.new("v4", "public", secret_key_pem) >>> token = pyseto.encode(secret_key, '{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}') >>> token b'v4.public.eyJkYXRhIjogInRoaXMgaXMgYSBzaWduZWQgbWVzc2FnZSIsICJleHAiOiAiMjAyMi0wMS0wMVQwMDowMDowMCswMDowMCJ9l1YiKei2FESvHBSGPkn70eFO1hv3tXH0jph1IfZyEfgm3t1DjkYqD5r4aHWZm1eZs_3_bZ9pBQlZGp0DPSdzDg' >>> public_key = Key.new("v4", "public", public_key_pem) >>> decoded = pyseto.decode(public_key, token) >>> decoded.payload b'{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}' "> 
>>> import pyseto
>>> from pyseto import Key
>>> secret_key_pem = "-----BEGIN PRIVATE KEY-----\nMC4CAQAwBQYDK2VwBCIEILTL+0PfTOIQcn2VPkpxMwf6Gbt9n4UEFDjZ4RuUKjd0\n-----END PRIVATE KEY-----"
>>> public_key_pem = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAHrnbu7wEfAP9cGBOAHHwmH4Wsot1ciXBHwBBXQ4gsaI=\n-----END PUBLIC KEY-----"
>>> secret_key = Key.new("v4", "public", secret_key_pem)
>>> token = pyseto.encode(secret_key, '{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}')
>>> token
b'v4.public.eyJkYXRhIjogInRoaXMgaXMgYSBzaWduZWQgbWVzc2FnZSIsICJleHAiOiAiMjAyMi0wMS0wMVQwMDowMDowMCswMDowMCJ9l1YiKei2FESvHBSGPkn70eFO1hv3tXH0jph1IfZyEfgm3t1DjkYqD5r4aHWZm1eZs_3_bZ9pBQlZGp0DPSdzDg'
>>> public_key = Key.new("v4", "public", public_key_pem)
>>> decoded = pyseto.decode(public_key, token)
>>> decoded.payload
b'{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}'

API Reference

See Document.

Tests

You can run tests from the project root after cloning with:

$ tox
Comments
  • Avoid re-encoding and decoding output from serializer

    Avoid re-encoding and decoding output from serializer

    Is your feature request related to a problem? Please describe. When using a serializer such as orjson, a bytes object is output by default, but the serializer field expects a function that returns a str, that is immediately encoded into a bytes object.

    Describe the solution you'd like Make it so that serializer can output either a str or a bytes object. Also, the serializer field should ideally be a function and not a class, since Python functions are objects themselves and can be passed into functions (see map and filter).

    Describe alternatives you've considered Having my serializer return a str by doing orjson.dumps().decode("utf-8"), but this is inefficient.

    Additional context N/A

    enhancement 
    opened by MrAwesomeRocks 6
  • Compare MACs in constant time

    Compare MACs in constant time

    This PR replaces MAC comparisons using bytes.__eq__ with calls to hmac.compare_digest in the decryption routines for v1, v3 and v4, since the PASETO spec requires MACs to be checked in constant time. The v2 handler delegates this check to decrypt_and_verify in PyCryptoDome, which uses a randomised MAC comparison strategy instead. As such, v2 didn't require any fixes.

    Comments certainly welcome!

    opened by MatthiasValvekens 4
  • to_peer_paserk_id for k3.secret

    to_peer_paserk_id for k3.secret

    This is a feature request because to_peer_paserk_id is working as documented. Is there a technical reason why to_peer_paserk_id does not work on a V3 secret key? If Yes, can we add it to the documentation? If No, can we add support for it?

    enhancement 
    opened by Eh2406 4
  • Some (de)serializers output a datetime object when parsing

    Some (de)serializers output a datetime object when parsing

    Describe the bug I'm using cbor2 as my (de)serializer for Pyseto. When parsing a bytestring, cbor2 already outputs a datetime object, causing an error when iso8601 tries to parse the datetime. Would it be possible to add a check to see if nbf and exp are datetime objects before trying to parse them?

    To Reproduce Steps to reproduce the behavior:

    1. Set cbor2 as the Pyseto (de)serializer.
    2. Try to decode a PASETO.

    Expected behavior No error, Pyseto takes the pre-parsed datetime and uses it.

    Thanks in advance for your help! This is a really great library.

    bug 
    opened by MrAwesomeRocks 4
  • Support creating keys from bytes

    Support creating keys from bytes

    Currently Key can only be created from Paserk or PEM, which limits the interoperability of Pyseto.

    For example: If I want to create a key pair with Rust, and sign a Paseto token with Rust, I cannot then verify it with Pyseto because the Rust libraries only provide the public key as binary, meaning I'd need to convert it to either Paserk or PEM, which is just cumbersome.

    Most Paseto libraries allow importing/exporting keys as binary, so it makes sense to support it, to maximize interoperability.

    opened by not-my-profile 4
  • Typo in the Documentation

    Typo in the Documentation

    I think in

    https://pyseto.readthedocs.io/en/latest/paseto_usage.html#v4-local

    it must be "Symmetric Authenticated Encryption with XChaCha20 + BLAKE2b-MAC (Encrypt-then-MAC)" instead of "Symmetric Authenticated Encryption with AES-256-CTR + HMAC-SHA384 (Encrypt-then-MAC)"

    bug 
    opened by stsch9 2
  • Token payloads are not decoded when using `local` Keys

    Token payloads are not decoded when using `local` Keys

    Describe the bug When using a local Key, the token payload is not decoded, and so this example does not work for local keys. This is due to these lines in paseto.py that cause the function to exit early.

    To Reproduce Steps to reproduce the behavior:

    1. Go to this example: https://pyseto.readthedocs.io/en/stable/paseto_usage.html#using-serializer-deserializer-for-payload-and-footer
    2. Follow the directions, but use a local key.
    3. When running decoded.payload["data"], observe the error.

    Expected behavior The payload of the decoded token is a dictionary when deserializer is passed.

    bug 
    opened by MrAwesomeRocks 2
  • Update mypy requirement from ^0.920 to ^0.921

    Update mypy requirement from ^0.920 to ^0.921

    Updates the requirements on mypy to permit the latest version.

    Commits

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 2
  • Bump tox from 4.0.16 to 4.1.1

    Bump tox from 4.0.16 to 4.1.1

    Bumps tox from 4.0.16 to 4.1.1.

    Release notes

    Sourced from tox's releases.

    4.1.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.19...4.1.0

    4.0.18

    What's Changed

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.17...4.0.18

    4.0.17

    What's Changed

    New Contributors

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.16...4.0.17

    Changelog

    Sourced from tox's changelog.

    v4.1.1 (2022-12-29)

    Bugfixes - 4.1.1

    - Fix logging error with emoji in git branch name. (:issue:`2768`)

    Improved Documentation - 4.1.1

    • Add faq entry about re-use of environments - by :user:jugmac00. (:issue:2788)

    v4.1.0 (2022-12-29)

    Features - 4.1.0

    - ``-f`` can be used multiple times and on hyphenated factors (e.g. ``-f py311-django -f py39``) - by :user:`sirosen`. (:issue:`2766`)

    Improved Documentation - 4.1.0

    • Fix a grammatical typo in docs/user_guide.rst. (:issue:2787)

    v4.0.19 (2022-12-28)

    Bugfixes - 4.0.19

    - Create temp_dir if not exists - by :user:`q0w`. (:issue:`2770`)

    v4.0.18 (2022-12-26)
    

    Bugfixes - 4.0.18

    • Strip leading and trailing whitespace when parsing elements in requirement files - by :user:gaborbernat. (:issue:2773)

    v4.0.17 (2022-12-25)

    Features - 4.0.17

    - Suppress a report output when verbosity = 0. (:issue:`2697`)

    Bugfixes - 4.0.17

    • Fix --sdistonly behaviour. (:issue:2653)

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Bump tox from 4.0.16 to 4.0.19

    Bump tox from 4.0.16 to 4.0.19

    Bumps tox from 4.0.16 to 4.0.19.

    Release notes

    Sourced from tox's releases.

    4.0.18

    What's Changed

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.17...4.0.18

    4.0.17

    What's Changed

    New Contributors

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.16...4.0.17

    Changelog

    Sourced from tox's changelog.

    v4.0.19 (2022-12-28)

    Bugfixes - 4.0.19

    - Create temp_dir if not exists - by :user:`q0w`. (:issue:`2770`)

    v4.0.18 (2022-12-26)
    

    Bugfixes - 4.0.18

    • Strip leading and trailing whitespace when parsing elements in requirement files - by :user:gaborbernat. (:issue:2773)

    v4.0.17 (2022-12-25)

    Features - 4.0.17

    - Suppress a report output when verbosity = 0. (:issue:`2697`)

    Bugfixes - 4.0.17

    • Fix --sdistonly behaviour. (:issue:2653)
    • Override toxworkdir with --workdir. (:issue:2654)
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Bump tox from 4.0.16 to 4.0.18

    Bump tox from 4.0.16 to 4.0.18

    Bumps tox from 4.0.16 to 4.0.18.

    Release notes

    Sourced from tox's releases.

    4.0.18

    What's Changed

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.17...4.0.18

    4.0.17

    What's Changed

    New Contributors

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.16...4.0.17

    Changelog

    Sourced from tox's changelog.

    v4.0.18 (2022-12-26)

    Bugfixes - 4.0.18

    - Strip leading and trailing whitespace when parsing elements in requirement files - by :user:`gaborbernat`. (:issue:`2773`)

    v4.0.17 (2022-12-25)
    

    Features - 4.0.17

    • Suppress a report output when verbosity = 0. (:issue:2697)

    Bugfixes - 4.0.17

    - Fix ``--sdistonly`` behaviour. (:issue:`2653`)
- Override toxworkdir with --workdir. (:issue:`2654`)
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
Releases(v1.7.0)
Owner
Ajitomi, Daisuke
This is a private, hobby account. Except for "HTTPS in Local Network" activity, my repositories are not related to the company to which I belong.
Ajitomi, Daisuke
GitHub Repository
A repository for voting systems using Choice Coin.

Voting This is a repository for voting software built using Choice Coin on the Algorand Network. Our voting software is centered around Decentralized

Choice Coin 633 Dec 23, 2022
Cyber Security Starter Kit Platform

Cyber Security Starter Kit Platform (CSSKP) allows to instantiate new self-assessment products such as Fit4Cybersecurity, Fit4Privacy, Fit4Contract and the like.

CASES Luxembourg 3 Oct 21, 2021
A self-contained cryptographic library for Python

PyCryptodome PyCryptodome is a self-contained Python package of low-level cryptographic primitives. It supports Python 2.7, Python 3.4 and newer, and

Helder Eijs 2.2k Jan 08, 2023
Advanced Digital Envelope System Using Cryptography Techniques (Encryption & Decryption)

Advanced-Digital-Envelope-System Advanced Digital Envelope System Using Cryptography Encryption Techniques The digital envelope system is the techniqu

NelakurthiSudheer 2 Jan 03, 2022
This is a basic encryption and decryption program made in python.

A basic encryption and decryption program to visualize how the process of protecting data works.

Junaid Chaudhry 5 Nov 15, 2021
Aza this is a text encryption software

Aza text encryptor General info Aza this is a text encryption software Help command: python aza.py --help Examples python aza.py --text "Sample text h

ToxidWorm 1 Sep 10, 2022
Bridge between L1 (Ethereum) and L2 (cheapETH)

The ETH chain and the cheapETH chain. We can assume the ETH chain has ~1000x more value than the cheapETH chain.

107 Oct 12, 2022
Version three of the Accounting Project. You can now connect multiple computers together who are on the same IP (I'm sure I could set it up so it would work on different IP's) and add to a distributed ledger verified by blockchain.

Accounting_Cycle_V3 As I talked about in the second iteration of the accoutning project, I was going to add networking capabilities to the project. Re

J. Brandon Walker 1 May 13, 2022
A simple python program to sign text using either the RSA or ISRSAC algorithm with GUI built using tkinter library.

Digital Signatures using ISRSAC Algorithm A simple python program to sign text using either the RSA or ISRSAC algorithm with GUI built using tkinter l

Vasu Mandhanya 3 Nov 15, 2022
Simple encryption/decryption utility using Pycryptodome module. Working with AES and RSA algorithms.

EncypherUtil Simple encryption/decryption utility using PyCryptodome module. Working with AES and RSA algorithms. THIS UTILITY IS NOT LICENSED AS CRYP

Egor Yakubovich 0 Jun 14, 2022
This folder contains all the assignment of the course COL759 : Cryptography & Computer Security

Cryptography This folder contains all the assignment of the course COL759 : "Cryptography & Computer Security" Assignment 1 : Encyption, Decryption &

0 Jan 21, 2022
PySETO is a PASETO (Platform-Agnostic SEcurity TOkens) implementation written in Python

A Python implementation of PASETO.

Ajitomi, Daisuke 33 Dec 17, 2022
Certifi: Python SSL Certificates

(Python Distribution) A carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.

Certifi 608 Jan 02, 2023
Challenge2022 - A backend of a Chia project donation platform

Overview This is a backend of a Chia project donation platform. People can publi

Kronus91 2 Feb 04, 2022
Cryptocurrency with implementet Blockchain

Cryptocurrency with implementet Blockchain

Mario 1 Mar 24, 2022
SHIBgreen is a cryptocurrency forked from Chia and uses the Proof of Space and Time consensus algorithm

SHIBgreen is a cryptocurrency forked from Chia and uses the Proof of Space and Time consensus algorithm

13 Jul 13, 2022
😈 Shining is a tool that enables engineers to remotely pull smart contract code in multi-file situations.

👑 Shining 😈 Shining is a tool that enables engineers to remotely pull smart contract code in multi-file situations. Shining is the name of one of my

xxxeyJ 15 Jun 17, 2022
Given a string or a text file with plain text , returns his encryption using SHA256 method

Encryption using SHA256 Given a string or a .txt file with plain text. Returns his encryption using SHA256 method Requirements : pip install pyperclip

yuno 3 Jan 24, 2022
Signarly is a cryptocurrency trading bot.

Signarly is a cryptocurrency trading bot.

Zakaria EL Mesaoudi 5 Oct 06, 2022
GreenDoge is a modern community-centric green cryptocurrency based on a proof-of-space-and-time consensus algorithm.

GreenDoge Blockchain Download GreenDoge blockchain GreenDoge is a modern community-centric green cryptocurrency based on a proof-of-space-and-time con

40 Sep 11, 2022