PySETO is a PASETO (Platform-Agnostic SEcurity TOkens) implementation written in Python

Related tags

Cryptographypythonsecurityjwtcryptographyencryptionsignaturersajoseed25519ecdsablake2btokeneddsasha384chacha20pasetopaserk
Overview

PySETO - A Python implementation of PASETO

PyPI version PyPI - Python Version Documentation Status Github CI codecov

PySETO is a PASETO (Platform-Agnostic SEcurity TOkens) implementation written in Python which supports all of the versions and purposes below.

  • Version 1: NIST Compatibility
    • Local: Symmetric Authenticated Encryption
      • AES-256-CTR + HMAC-SHA384 (Encrypt-then-MAC).
    • Public: Asymmetric Authentication (Public-Key Signatures)
      • RSASSA-PSS with 2048-bit key, SHA384 hashing and MGF1+SHA384.
  • Version 2: Sodium Original
    • Local: Symmetric Authenticated Encryption
      • XChaCha20-Poly1305 (192-bit nonce, 256-bit key, 128-bit authentication tag).
    • Public: Asymmetric Authentication (Public-Key Signatures)
      • EdDSA over Curve25519.
  • Version 3: NIST Modern
    • Local: Symmetric Authenticated Encryption
      • AES-256-CTR + HMAC-SHA384 (Encrypt-then-MAC).
    • Public: Asymmetric Authentication (Public-Key Signatures)
  • Version 4: Sodium Modern
    • Local: Symmetric Authenticated Encryption
      • XChaCha20 + BLAKE2b-MAC (Encrypt-then-MAC).
    • Public: Asymmetric Authentication (Public-Key Signatures)
      • EdDSA over Curve25519.

See Document for details.

Installation

You can install PySETO with pip:

$ pip install pyseto

Usage

You can use it as follows:

v4.local

>> token = pyseto.encode(key, '{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}') >>> token b'v4.local.VXJUUePf8zL1670zhOmbO7eRdccapuXlf76fRCkntiRauk2qQFOaBQOk4ISSRXQZvcGG2C5H74ShLzoU3YorK4xdfjHBj4ESoRB5mt1FWf8MEXoDQiIHQ4WDyMR57ferhaKJM6FwgcwM2xINWy1xCSFz5f7al0c8RUnd4xO_42beR83ye0jRYg' >>> decoded = pyseto.decode(key, token) >>> decoded.payload b'{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}' "> 
>>> import pyseto
>>> from pyseto import Key
>>> key = Key.new("v4", "local", "our-secret")
>>> token = pyseto.encode(key, '{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}')
>>> token
b'v4.local.VXJUUePf8zL1670zhOmbO7eRdccapuXlf76fRCkntiRauk2qQFOaBQOk4ISSRXQZvcGG2C5H74ShLzoU3YorK4xdfjHBj4ESoRB5mt1FWf8MEXoDQiIHQ4WDyMR57ferhaKJM6FwgcwM2xINWy1xCSFz5f7al0c8RUnd4xO_42beR83ye0jRYg'
>>> decoded = pyseto.decode(key, token)
>>> decoded.payload
b'{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}'

v4.public

>> public_key_pem = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAHrnbu7wEfAP9cGBOAHHwmH4Wsot1ciXBHwBBXQ4gsaI=\n-----END PUBLIC KEY-----" >>> secret_key = Key.new("v4", "public", secret_key_pem) >>> token = pyseto.encode(secret_key, '{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}') >>> token b'v4.public.eyJkYXRhIjogInRoaXMgaXMgYSBzaWduZWQgbWVzc2FnZSIsICJleHAiOiAiMjAyMi0wMS0wMVQwMDowMDowMCswMDowMCJ9l1YiKei2FESvHBSGPkn70eFO1hv3tXH0jph1IfZyEfgm3t1DjkYqD5r4aHWZm1eZs_3_bZ9pBQlZGp0DPSdzDg' >>> public_key = Key.new("v4", "public", public_key_pem) >>> decoded = pyseto.decode(public_key, token) >>> decoded.payload b'{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}' "> 
>>> import pyseto
>>> from pyseto import Key
>>> secret_key_pem = "-----BEGIN PRIVATE KEY-----\nMC4CAQAwBQYDK2VwBCIEILTL+0PfTOIQcn2VPkpxMwf6Gbt9n4UEFDjZ4RuUKjd0\n-----END PRIVATE KEY-----"
>>> public_key_pem = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAHrnbu7wEfAP9cGBOAHHwmH4Wsot1ciXBHwBBXQ4gsaI=\n-----END PUBLIC KEY-----"
>>> secret_key = Key.new("v4", "public", secret_key_pem)
>>> token = pyseto.encode(secret_key, '{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}')
>>> token
b'v4.public.eyJkYXRhIjogInRoaXMgaXMgYSBzaWduZWQgbWVzc2FnZSIsICJleHAiOiAiMjAyMi0wMS0wMVQwMDowMDowMCswMDowMCJ9l1YiKei2FESvHBSGPkn70eFO1hv3tXH0jph1IfZyEfgm3t1DjkYqD5r4aHWZm1eZs_3_bZ9pBQlZGp0DPSdzDg'
>>> public_key = Key.new("v4", "public", public_key_pem)
>>> decoded = pyseto.decode(public_key, token)
>>> decoded.payload
b'{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}'

API Reference

See Document.

Tests

You can run tests from the project root after cloning with:

$ tox
Comments
  • Avoid re-encoding and decoding output from serializer

    Avoid re-encoding and decoding output from serializer

    Is your feature request related to a problem? Please describe. When using a serializer such as orjson, a bytes object is output by default, but the serializer field expects a function that returns a str, that is immediately encoded into a bytes object.

    Describe the solution you'd like Make it so that serializer can output either a str or a bytes object. Also, the serializer field should ideally be a function and not a class, since Python functions are objects themselves and can be passed into functions (see map and filter).

    Describe alternatives you've considered Having my serializer return a str by doing orjson.dumps().decode("utf-8"), but this is inefficient.

    Additional context N/A

    enhancement 
    opened by MrAwesomeRocks 6
  • Compare MACs in constant time

    Compare MACs in constant time

    This PR replaces MAC comparisons using bytes.__eq__ with calls to hmac.compare_digest in the decryption routines for v1, v3 and v4, since the PASETO spec requires MACs to be checked in constant time. The v2 handler delegates this check to decrypt_and_verify in PyCryptoDome, which uses a randomised MAC comparison strategy instead. As such, v2 didn't require any fixes.

    Comments certainly welcome!

    opened by MatthiasValvekens 4
  • to_peer_paserk_id for k3.secret

    to_peer_paserk_id for k3.secret

    This is a feature request because to_peer_paserk_id is working as documented. Is there a technical reason why to_peer_paserk_id does not work on a V3 secret key? If Yes, can we add it to the documentation? If No, can we add support for it?

    enhancement 
    opened by Eh2406 4
  • Some (de)serializers output a datetime object when parsing

    Some (de)serializers output a datetime object when parsing

    Describe the bug I'm using cbor2 as my (de)serializer for Pyseto. When parsing a bytestring, cbor2 already outputs a datetime object, causing an error when iso8601 tries to parse the datetime. Would it be possible to add a check to see if nbf and exp are datetime objects before trying to parse them?

    To Reproduce Steps to reproduce the behavior:

    1. Set cbor2 as the Pyseto (de)serializer.
    2. Try to decode a PASETO.

    Expected behavior No error, Pyseto takes the pre-parsed datetime and uses it.

    Thanks in advance for your help! This is a really great library.

    bug 
    opened by MrAwesomeRocks 4
  • Support creating keys from bytes

    Support creating keys from bytes

    Currently Key can only be created from Paserk or PEM, which limits the interoperability of Pyseto.

    For example: If I want to create a key pair with Rust, and sign a Paseto token with Rust, I cannot then verify it with Pyseto because the Rust libraries only provide the public key as binary, meaning I'd need to convert it to either Paserk or PEM, which is just cumbersome.

    Most Paseto libraries allow importing/exporting keys as binary, so it makes sense to support it, to maximize interoperability.

    opened by not-my-profile 4
  • Typo in the Documentation

    Typo in the Documentation

    I think in

    https://pyseto.readthedocs.io/en/latest/paseto_usage.html#v4-local

    it must be "Symmetric Authenticated Encryption with XChaCha20 + BLAKE2b-MAC (Encrypt-then-MAC)" instead of "Symmetric Authenticated Encryption with AES-256-CTR + HMAC-SHA384 (Encrypt-then-MAC)"

    bug 
    opened by stsch9 2
  • Token payloads are not decoded when using `local` Keys

    Token payloads are not decoded when using `local` Keys

    Describe the bug When using a local Key, the token payload is not decoded, and so this example does not work for local keys. This is due to these lines in paseto.py that cause the function to exit early.

    To Reproduce Steps to reproduce the behavior:

    1. Go to this example: https://pyseto.readthedocs.io/en/stable/paseto_usage.html#using-serializer-deserializer-for-payload-and-footer
    2. Follow the directions, but use a local key.
    3. When running decoded.payload["data"], observe the error.

    Expected behavior The payload of the decoded token is a dictionary when deserializer is passed.

    bug 
    opened by MrAwesomeRocks 2
  • Update mypy requirement from ^0.920 to ^0.921

    Update mypy requirement from ^0.920 to ^0.921

    Updates the requirements on mypy to permit the latest version.

    Commits

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 2
  • Bump tox from 4.0.16 to 4.1.1

    Bump tox from 4.0.16 to 4.1.1

    Bumps tox from 4.0.16 to 4.1.1.

    Release notes

    Sourced from tox's releases.

    4.1.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.19...4.1.0

    4.0.18

    What's Changed

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.17...4.0.18

    4.0.17

    What's Changed

    New Contributors

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.16...4.0.17

    Changelog

    Sourced from tox's changelog.

    v4.1.1 (2022-12-29)

    Bugfixes - 4.1.1

    - Fix logging error with emoji in git branch name. (:issue:`2768`)

    Improved Documentation - 4.1.1

    • Add faq entry about re-use of environments - by :user:jugmac00. (:issue:2788)

    v4.1.0 (2022-12-29)

    Features - 4.1.0

    - ``-f`` can be used multiple times and on hyphenated factors (e.g. ``-f py311-django -f py39``) - by :user:`sirosen`. (:issue:`2766`)

    Improved Documentation - 4.1.0

    • Fix a grammatical typo in docs/user_guide.rst. (:issue:2787)

    v4.0.19 (2022-12-28)

    Bugfixes - 4.0.19

    - Create temp_dir if not exists - by :user:`q0w`. (:issue:`2770`)

    v4.0.18 (2022-12-26)
    

    Bugfixes - 4.0.18

    • Strip leading and trailing whitespace when parsing elements in requirement files - by :user:gaborbernat. (:issue:2773)

    v4.0.17 (2022-12-25)

    Features - 4.0.17

    - Suppress a report output when verbosity = 0. (:issue:`2697`)

    Bugfixes - 4.0.17

    • Fix --sdistonly behaviour. (:issue:2653)

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Bump tox from 4.0.16 to 4.0.19

    Bump tox from 4.0.16 to 4.0.19

    Bumps tox from 4.0.16 to 4.0.19.

    Release notes

    Sourced from tox's releases.

    4.0.18

    What's Changed

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.17...4.0.18

    4.0.17

    What's Changed

    New Contributors

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.16...4.0.17

    Changelog

    Sourced from tox's changelog.

    v4.0.19 (2022-12-28)

    Bugfixes - 4.0.19

    - Create temp_dir if not exists - by :user:`q0w`. (:issue:`2770`)

    v4.0.18 (2022-12-26)
    

    Bugfixes - 4.0.18

    • Strip leading and trailing whitespace when parsing elements in requirement files - by :user:gaborbernat. (:issue:2773)

    v4.0.17 (2022-12-25)

    Features - 4.0.17

    - Suppress a report output when verbosity = 0. (:issue:`2697`)

    Bugfixes - 4.0.17

    • Fix --sdistonly behaviour. (:issue:2653)
    • Override toxworkdir with --workdir. (:issue:2654)
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Bump tox from 4.0.16 to 4.0.18

    Bump tox from 4.0.16 to 4.0.18

    Bumps tox from 4.0.16 to 4.0.18.

    Release notes

    Sourced from tox's releases.

    4.0.18

    What's Changed

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.17...4.0.18

    4.0.17

    What's Changed

    New Contributors

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.16...4.0.17

    Changelog

    Sourced from tox's changelog.

    v4.0.18 (2022-12-26)

    Bugfixes - 4.0.18

    - Strip leading and trailing whitespace when parsing elements in requirement files - by :user:`gaborbernat`. (:issue:`2773`)

    v4.0.17 (2022-12-25)
    

    Features - 4.0.17

    • Suppress a report output when verbosity = 0. (:issue:2697)

    Bugfixes - 4.0.17

    - Fix ``--sdistonly`` behaviour. (:issue:`2653`)
- Override toxworkdir with --workdir. (:issue:`2654`)
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
Releases(v1.7.0)
Owner
Ajitomi, Daisuke
This is a private, hobby account. Except for "HTTPS in Local Network" activity, my repositories are not related to the company to which I belong.
Ajitomi, Daisuke
GitHub Repository
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.

pyca/cryptography cryptography is a package which provides cryptographic recipes and primitives to Python developers. Our goal is for it to be your "c

Python Cryptographic Authority 5.2k Dec 30, 2022
PyCrypter , A Tool To Encrypt/Decrypt Text/Code With Ease And Safe Using Password !

PyCrypter PyCrypter , A Tool To Encrypt/Decrypt Text/Code With Ease And Safe Using Password ! Requirements pyfiglet And colorama Usage First Clone The

1 Nov 12, 2021
Generate simple encrypted messages!

Premio's Shift is a very simple text encryption, you can use it to send secret messages to your friends. Table of Content Table of Content How it work

Peterson Adami Candido 3 Aug 06, 2021
Python Cryptocurrency with stealth addresses

Python Cryptocurrency with stealth addresses. Goal is to have create a cryptocurency that hides transactions totally. I.E. Cant see ammount sent, to who, or from who.

3 Aug 04, 2022
Blockchain with crypto transaction feature

python script that asks users for their name, who they are sending J2 coin too(fictional cryptocurrency) and how much they're sending. it then prints the transaction detail in words and prints the ha

Joshua Stojkovic 2 Jan 10, 2022
Token drop template on Tezos blockchain, based on Merkle Tree Distribution mechanism.

🛬 Token Drop Template This is a template to perform token drops efficiently on Tezos blockchain. The drop is handled using Merkle Tree Distribution m

Anshu Jalan 5 Oct 11, 2022
Crypto Portfolio Clustering with and without optimization techniques (elbow method, PCA).

Crypto Portfolio Clustering Crypto Portfolio Clustering with and without optimization techniques (elbow method, PCA). Analysis This is an anlysis of c

David L 0 Feb 18, 2022
Stenography encryption script

ImageCrypt Project description Installation Usage Project description Project AlexGyver on Python by TheK4n Design by Пашушка Byte packing in decimal

Kan 5 Dec 14, 2022
The Qis|krypt⟩ is a software suite of protocols of quantum cryptography and quantum communications

The Qis|krypt⟩ is a software suite of protocols of quantum cryptography and quantum communications, as well, other protocols and algorithms, built using IBM’s open-source Software Development Kit for

Qiskrypt 14 Oct 31, 2022
cairo_kernel is a simple Jupyter kernel for Cairo a smart contract programing language for STARKs.

cairo_kernel cairo_kernel is a simple Jupyter kernel for Cairo a smart contract programing language for STARKs. Installation Install virtualenv virtua

Ankit Chiplunkar 29 Sep 21, 2022
This is a fully functioning Binance trading bot that takes into account the news sentiment for the top 100 crypto feeds.

This is a fully functioning Binance trading bot that takes into account the news sentiment for the top 100 crypto feeds.

Andrei 1.5k Jan 04, 2023
Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.

Tink A multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse. Ubuntu

Google 12.9k Jan 05, 2023
Pool funds to bootstrap a Uniswap pair

Seed liquidity A contract to pool funds which are then used to boostrap a new Uniswap liquidity pair. Specification A new SeedLiquidity contract is de

66 Dec 09, 2022
In this repository there are two types of code files

encryption-decryption In this repository there are two types of code files Me Friend Code in the 'Me' file can use for encryption and Code in the 'Fri

Vicksura Dulhan Perera 1 Nov 22, 2021
A discord bot to crop an NFT image living on the Solana blockchain.

NFT Discord Cropper This discord bot crops an NFT in your set measures by getting it through the .cache file which has been used to make a candy machi

Rude Golems 7 Mar 21, 2022
How to setup a multi-client ethereum Eth1-Eth2 merge testnet

Mergenet tutorial Let's set up a local eth1-eth2 merge testnet! Preparing the setup environment In this tutorial, we use a series of scripts to genera

Diederik Loerakker 24 Jun 17, 2022
Freqtrade is a free and open source crypto trading bot written in Python

Freqtrade is a free and open source crypto trading bot written in Python. It is designed to support all major exchanges and be controlled via Telegram. It contains backtesting, plotting and money man

20.2k Jan 07, 2023
Ceres is a combine harvester designed to harvest plots for Chia blockchain and its forks using proof-of-space-and-time(PoST) consensus algorithm.

Ceres Combine-Harvester Ceres is a combine harvester designed to harvest plots for Chia blockchain and its forks using proof-of-space-and-time(PoST) c

38 Nov 14, 2022
Tron Wallet (TRX) Crack Finder With Python Just 64 Line

TRXGEN Tron Wallet Finder and Crack With Python Tron Wallet (TRX) Crack Finder With Python Just 64 Line My tools [pycharm + anaconda3 + python3.8 + vi

MMDRZA 6 Dec 18, 2022
Deriving RSA public keys from message-signature pairs

The repository contains: Experimental code to calculate RSA public keys based on two known message-signature pairs

Silent Signal 120 Dec 31, 2022