search

wbond / asn1crypto

Python ASN.1 library with a focus on performance and a pythonic API
MIT License
335 stars 140 forks source link

Generic User-Defined Key #187

Closed LucySweetWork closed 4 years ago

LucySweetWork commented 4 years ago

Sometimes, we want to interact with private keys which are stored on Hardware Security Modules with defined channels for interaction, or any other type of private key where we can't interact with the key content directly.

It would be nice if asn1crypto supported some generic key where the user can pass arguments that define what algorithm it is, and what code to run in order to handle different types of operations, such as signing content or decrypting content. This user-supplied code can then talk to the HSM or other service that holds the real key.

joernheissler commented 4 years ago

Hello! asn1crypto deals with ASN.1, not with private key operations. If the private key is on an HSM, there is no ASN.1 of it.

You might want to look into PKCS#11 instead.

Or if you prefer pure python instead of closed-source C libraries, I started a project (currently cleaning it up) which might do what you need. But it's still in an early stage and lacks important functionality, documentation, more HSM backends, etc. https://github.com/joernheissler/cryptokey

wbond commented 4 years ago

In the modularcrypto family of libraries, there are:

These would be the places where signing would be used, in combination with creating ASN.1 structures. Currently these are all hard-coded to use oscrypto, which wouldn't help you.

Some discussion of allowing the situation you have described has occurred in #6, however I don't have any HSMs, and there hasn't been anyone who seems to be pushing this forward.

Based on this info, I would presume you would need to roll your own code that worked similar to the builder libraries I linked above, but with your own signing, using tools like python-pkcs11 or https://github.com/joernheissler/cryptokey.

Since there isn't anything new actionable here, I am going to close. If you, or anyone in the future, is interested in augmenting the modularcrypto libraries for external signing, I think that #6 would be the place to discuss further.