PySETO is a PASETO (Platform-Agnostic SEcurity TOkens) implementation written in Python

Related tags

Cryptographypythonsecurityjwtcryptographyencryptionsignaturersajoseed25519ecdsablake2btokeneddsasha384chacha20pasetopaserk
Overview

PySETO - A Python implementation of PASETO

PyPI version PyPI - Python Version Documentation Status Github CI codecov

PySETO is a PASETO (Platform-Agnostic SEcurity TOkens) implementation written in Python which supports all of the versions and purposes below.

  • Version 1: NIST Compatibility
    • Local: Symmetric Authenticated Encryption
      • AES-256-CTR + HMAC-SHA384 (Encrypt-then-MAC).
    • Public: Asymmetric Authentication (Public-Key Signatures)
      • RSASSA-PSS with 2048-bit key, SHA384 hashing and MGF1+SHA384.
  • Version 2: Sodium Original
    • Local: Symmetric Authenticated Encryption
      • XChaCha20-Poly1305 (192-bit nonce, 256-bit key, 128-bit authentication tag).
    • Public: Asymmetric Authentication (Public-Key Signatures)
      • EdDSA over Curve25519.
  • Version 3: NIST Modern
    • Local: Symmetric Authenticated Encryption
      • AES-256-CTR + HMAC-SHA384 (Encrypt-then-MAC).
    • Public: Asymmetric Authentication (Public-Key Signatures)
  • Version 4: Sodium Modern
    • Local: Symmetric Authenticated Encryption
      • XChaCha20 + BLAKE2b-MAC (Encrypt-then-MAC).
    • Public: Asymmetric Authentication (Public-Key Signatures)
      • EdDSA over Curve25519.

See Document for details.

Installation

You can install PySETO with pip:

$ pip install pyseto

Usage

You can use it as follows:

v4.local

>> token = pyseto.encode(key, '{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}') >>> token b'v4.local.VXJUUePf8zL1670zhOmbO7eRdccapuXlf76fRCkntiRauk2qQFOaBQOk4ISSRXQZvcGG2C5H74ShLzoU3YorK4xdfjHBj4ESoRB5mt1FWf8MEXoDQiIHQ4WDyMR57ferhaKJM6FwgcwM2xINWy1xCSFz5f7al0c8RUnd4xO_42beR83ye0jRYg' >>> decoded = pyseto.decode(key, token) >>> decoded.payload b'{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}' "> 
>>> import pyseto
>>> from pyseto import Key
>>> key = Key.new("v4", "local", "our-secret")
>>> token = pyseto.encode(key, '{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}')
>>> token
b'v4.local.VXJUUePf8zL1670zhOmbO7eRdccapuXlf76fRCkntiRauk2qQFOaBQOk4ISSRXQZvcGG2C5H74ShLzoU3YorK4xdfjHBj4ESoRB5mt1FWf8MEXoDQiIHQ4WDyMR57ferhaKJM6FwgcwM2xINWy1xCSFz5f7al0c8RUnd4xO_42beR83ye0jRYg'
>>> decoded = pyseto.decode(key, token)
>>> decoded.payload
b'{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}'

v4.public

>> public_key_pem = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAHrnbu7wEfAP9cGBOAHHwmH4Wsot1ciXBHwBBXQ4gsaI=\n-----END PUBLIC KEY-----" >>> secret_key = Key.new("v4", "public", secret_key_pem) >>> token = pyseto.encode(secret_key, '{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}') >>> token b'v4.public.eyJkYXRhIjogInRoaXMgaXMgYSBzaWduZWQgbWVzc2FnZSIsICJleHAiOiAiMjAyMi0wMS0wMVQwMDowMDowMCswMDowMCJ9l1YiKei2FESvHBSGPkn70eFO1hv3tXH0jph1IfZyEfgm3t1DjkYqD5r4aHWZm1eZs_3_bZ9pBQlZGp0DPSdzDg' >>> public_key = Key.new("v4", "public", public_key_pem) >>> decoded = pyseto.decode(public_key, token) >>> decoded.payload b'{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}' "> 
>>> import pyseto
>>> from pyseto import Key
>>> secret_key_pem = "-----BEGIN PRIVATE KEY-----\nMC4CAQAwBQYDK2VwBCIEILTL+0PfTOIQcn2VPkpxMwf6Gbt9n4UEFDjZ4RuUKjd0\n-----END PRIVATE KEY-----"
>>> public_key_pem = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAHrnbu7wEfAP9cGBOAHHwmH4Wsot1ciXBHwBBXQ4gsaI=\n-----END PUBLIC KEY-----"
>>> secret_key = Key.new("v4", "public", secret_key_pem)
>>> token = pyseto.encode(secret_key, '{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}')
>>> token
b'v4.public.eyJkYXRhIjogInRoaXMgaXMgYSBzaWduZWQgbWVzc2FnZSIsICJleHAiOiAiMjAyMi0wMS0wMVQwMDowMDowMCswMDowMCJ9l1YiKei2FESvHBSGPkn70eFO1hv3tXH0jph1IfZyEfgm3t1DjkYqD5r4aHWZm1eZs_3_bZ9pBQlZGp0DPSdzDg'
>>> public_key = Key.new("v4", "public", public_key_pem)
>>> decoded = pyseto.decode(public_key, token)
>>> decoded.payload
b'{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}'

API Reference

See Document.

Tests

You can run tests from the project root after cloning with:

$ tox
Comments
  • Avoid re-encoding and decoding output from serializer

    Avoid re-encoding and decoding output from serializer

    Is your feature request related to a problem? Please describe. When using a serializer such as orjson, a bytes object is output by default, but the serializer field expects a function that returns a str, that is immediately encoded into a bytes object.

    Describe the solution you'd like Make it so that serializer can output either a str or a bytes object. Also, the serializer field should ideally be a function and not a class, since Python functions are objects themselves and can be passed into functions (see map and filter).

    Describe alternatives you've considered Having my serializer return a str by doing orjson.dumps().decode("utf-8"), but this is inefficient.

    Additional context N/A

    enhancement 
    opened by MrAwesomeRocks 6
  • Compare MACs in constant time

    Compare MACs in constant time

    This PR replaces MAC comparisons using bytes.__eq__ with calls to hmac.compare_digest in the decryption routines for v1, v3 and v4, since the PASETO spec requires MACs to be checked in constant time. The v2 handler delegates this check to decrypt_and_verify in PyCryptoDome, which uses a randomised MAC comparison strategy instead. As such, v2 didn't require any fixes.

    Comments certainly welcome!

    opened by MatthiasValvekens 4
  • to_peer_paserk_id for k3.secret

    to_peer_paserk_id for k3.secret

    This is a feature request because to_peer_paserk_id is working as documented. Is there a technical reason why to_peer_paserk_id does not work on a V3 secret key? If Yes, can we add it to the documentation? If No, can we add support for it?

    enhancement 
    opened by Eh2406 4
  • Some (de)serializers output a datetime object when parsing

    Some (de)serializers output a datetime object when parsing

    Describe the bug I'm using cbor2 as my (de)serializer for Pyseto. When parsing a bytestring, cbor2 already outputs a datetime object, causing an error when iso8601 tries to parse the datetime. Would it be possible to add a check to see if nbf and exp are datetime objects before trying to parse them?

    To Reproduce Steps to reproduce the behavior:

    1. Set cbor2 as the Pyseto (de)serializer.
    2. Try to decode a PASETO.

    Expected behavior No error, Pyseto takes the pre-parsed datetime and uses it.

    Thanks in advance for your help! This is a really great library.

    bug 
    opened by MrAwesomeRocks 4
  • Support creating keys from bytes

    Support creating keys from bytes

    Currently Key can only be created from Paserk or PEM, which limits the interoperability of Pyseto.

    For example: If I want to create a key pair with Rust, and sign a Paseto token with Rust, I cannot then verify it with Pyseto because the Rust libraries only provide the public key as binary, meaning I'd need to convert it to either Paserk or PEM, which is just cumbersome.

    Most Paseto libraries allow importing/exporting keys as binary, so it makes sense to support it, to maximize interoperability.

    opened by not-my-profile 4
  • Typo in the Documentation

    Typo in the Documentation

    I think in

    https://pyseto.readthedocs.io/en/latest/paseto_usage.html#v4-local

    it must be "Symmetric Authenticated Encryption with XChaCha20 + BLAKE2b-MAC (Encrypt-then-MAC)" instead of "Symmetric Authenticated Encryption with AES-256-CTR + HMAC-SHA384 (Encrypt-then-MAC)"

    bug 
    opened by stsch9 2
  • Token payloads are not decoded when using `local` Keys

    Token payloads are not decoded when using `local` Keys

    Describe the bug When using a local Key, the token payload is not decoded, and so this example does not work for local keys. This is due to these lines in paseto.py that cause the function to exit early.

    To Reproduce Steps to reproduce the behavior:

    1. Go to this example: https://pyseto.readthedocs.io/en/stable/paseto_usage.html#using-serializer-deserializer-for-payload-and-footer
    2. Follow the directions, but use a local key.
    3. When running decoded.payload["data"], observe the error.

    Expected behavior The payload of the decoded token is a dictionary when deserializer is passed.

    bug 
    opened by MrAwesomeRocks 2
  • Update mypy requirement from ^0.920 to ^0.921

    Update mypy requirement from ^0.920 to ^0.921

    Updates the requirements on mypy to permit the latest version.

    Commits

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 2
  • Bump tox from 4.0.16 to 4.1.1

    Bump tox from 4.0.16 to 4.1.1

    Bumps tox from 4.0.16 to 4.1.1.

    Release notes

    Sourced from tox's releases.

    4.1.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.19...4.1.0

    4.0.18

    What's Changed

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.17...4.0.18

    4.0.17

    What's Changed

    New Contributors

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.16...4.0.17

    Changelog

    Sourced from tox's changelog.

    v4.1.1 (2022-12-29)

    Bugfixes - 4.1.1

    - Fix logging error with emoji in git branch name. (:issue:`2768`)

    Improved Documentation - 4.1.1

    • Add faq entry about re-use of environments - by :user:jugmac00. (:issue:2788)

    v4.1.0 (2022-12-29)

    Features - 4.1.0

    - ``-f`` can be used multiple times and on hyphenated factors (e.g. ``-f py311-django -f py39``) - by :user:`sirosen`. (:issue:`2766`)

    Improved Documentation - 4.1.0

    • Fix a grammatical typo in docs/user_guide.rst. (:issue:2787)

    v4.0.19 (2022-12-28)

    Bugfixes - 4.0.19

    - Create temp_dir if not exists - by :user:`q0w`. (:issue:`2770`)

    v4.0.18 (2022-12-26)
    

    Bugfixes - 4.0.18

    • Strip leading and trailing whitespace when parsing elements in requirement files - by :user:gaborbernat. (:issue:2773)

    v4.0.17 (2022-12-25)

    Features - 4.0.17

    - Suppress a report output when verbosity = 0. (:issue:`2697`)

    Bugfixes - 4.0.17

    • Fix --sdistonly behaviour. (:issue:2653)

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Bump tox from 4.0.16 to 4.0.19

    Bump tox from 4.0.16 to 4.0.19

    Bumps tox from 4.0.16 to 4.0.19.

    Release notes

    Sourced from tox's releases.

    4.0.18

    What's Changed

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.17...4.0.18

    4.0.17

    What's Changed

    New Contributors

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.16...4.0.17

    Changelog

    Sourced from tox's changelog.

    v4.0.19 (2022-12-28)

    Bugfixes - 4.0.19

    - Create temp_dir if not exists - by :user:`q0w`. (:issue:`2770`)

    v4.0.18 (2022-12-26)
    

    Bugfixes - 4.0.18

    • Strip leading and trailing whitespace when parsing elements in requirement files - by :user:gaborbernat. (:issue:2773)

    v4.0.17 (2022-12-25)

    Features - 4.0.17

    - Suppress a report output when verbosity = 0. (:issue:`2697`)

    Bugfixes - 4.0.17

    • Fix --sdistonly behaviour. (:issue:2653)
    • Override toxworkdir with --workdir. (:issue:2654)
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Bump tox from 4.0.16 to 4.0.18

    Bump tox from 4.0.16 to 4.0.18

    Bumps tox from 4.0.16 to 4.0.18.

    Release notes

    Sourced from tox's releases.

    4.0.18

    What's Changed

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.17...4.0.18

    4.0.17

    What's Changed

    New Contributors

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.16...4.0.17

    Changelog

    Sourced from tox's changelog.

    v4.0.18 (2022-12-26)

    Bugfixes - 4.0.18

    - Strip leading and trailing whitespace when parsing elements in requirement files - by :user:`gaborbernat`. (:issue:`2773`)

    v4.0.17 (2022-12-25)
    

    Features - 4.0.17

    • Suppress a report output when verbosity = 0. (:issue:2697)

    Bugfixes - 4.0.17

    - Fix ``--sdistonly`` behaviour. (:issue:`2653`)
- Override toxworkdir with --workdir. (:issue:`2654`)
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
Releases(v1.7.0)
Owner
Ajitomi, Daisuke
This is a private, hobby account. Except for "HTTPS in Local Network" activity, my repositories are not related to the company to which I belong.
Ajitomi, Daisuke
GitHub Repository
Calculate your taxes from cryptocurrency gains

CoinTaxman helps you to bring your income from crypto trading, lending, ... into your tax declaration.

Jeppy 118 Dec 26, 2022
Ceres is a combine harvester designed to harvest plots for Chia blockchain and its forks using proof-of-space-and-time(PoST) consensus algorithm.

Ceres Combine-Harvester Ceres is a combine harvester designed to harvest plots for Chia blockchain and its forks using proof-of-space-and-time(PoST) c

38 Nov 14, 2022
O BiscoitoDaSorte foi criado com o objetivo de estudar desenvolvimento de bots para Discord.

BiscoitoDaSorteBOT O BiscoitoDaSorte foi criado com o objetivo de estudar desenvolvimento de bots para Discord. BOT online e com o comando =sorte Requ

Jonas Carvalho 5 Mar 17, 2022
SimpleWallet - Simple wallet for Bitcoin

Simple Wallet This is a basic python starter package to be used as a template fo

Mystic 1 Jan 08, 2022
Bitcoin Clipper malware made in Python.

a BTC Clipper or a "Bitcoin Clipper" is a type of malware designed to target cryptocurrency transactions.

Nightfall 96 Dec 30, 2022
Deriving RSA public keys from message-signature pairs

The repository contains: Experimental code to calculate RSA public keys based on two known message-signature pairs

Silent Signal 120 Dec 31, 2022
一个关于摩斯密码解密与加密的库 / A library about encoding and decoding Morse code.

Morsecoder By Lemonix 介绍 一个关于摩斯密码解密与加密的库

Heat Studio 10 Jun 28, 2022
offline half-random brute force script for Ethereum private keys

eth200swinger offline half-random brute force script for Ethereum private keys, goes from the beginning to end of range and vice versa, saves any foun

2 Oct 06, 2022
Stor is a community-driven green cryptocurrency based on a proof of space and time consensus algorithm.

Stor Blockchain Stor is a community-driven green cryptocurrency based on a proof of space and time consensus algorithm. For more information, see our

Stor Network 15 May 18, 2022
A repository for Algogenous Smart Contracts created on the Algorand Blockchain.

Smart Contacts Alogrand Smart Contracts using Choice Coin. Read Docs for how to implement Algogenous Smart Contracts for your own applications. Smart

Choice Coin 3 Dec 20, 2022
A tool that can encrypt python2 or python3 code with the given password and can reuse with that password

A tool that can encrypt python2 or python3 code with the given password and can reuse with that password

Md Rasel Bhuyan 3 Feb 28, 2022
G-Research-Crypto-Competition - Project for passing the ML exam. Dataset took from the competition on the kaggle

G-Research-Crypto-Competition Project for passing the ML exam. Dataset took from

5 Jan 09, 2022
💰 An Alfred Workflow that provides current price of cryptocurrency

Coin Ticker for Alfred Workflow An Alfred Workflow that provides current price and status about cryptocurrency from cryptocompare.com. Supports Alfred

Bumsoo Kim (Ian) 14 Nov 17, 2022
I coded the sha256 algorithm into python without using any modules.

sha256.py I coded the sha256 algorithm in python without using any modules. The purpose of the code was to better understand the algorithm and learn h

4 Dec 12, 2022
This is a simple Bitcoin non-deterministic wallet address generator coded in Python 3.

This is a simple Bitcoin non-deterministic wallet address generator coded in Python 3. It generates a Private Key in different formats (hex, wif and compressed wif) and corresponding Public Addresses

7 Dec 22, 2022
This is a simple application to generate HD wallet addresses for cryptocurrency coins.

HD-Wallet-Address This is a mini service to generate addresses in the master HD-Wallet. It will use py_crypto_hd_wallet package as a base. Prerequisit

Amin Abbasi 1 Dec 16, 2021
Distributed, blockchain based hashtables middleware for deduplication of file uploads to the cloud

distributed-blockchain-based-secure-file-dedupe Searching is Distributed, Block and Access List for each upload is unique and it is stored in a single

Abhishek Tangod 1 Dec 02, 2021
ETHGreen blockchain is a fork from STAI and Chia blockchain including features implemented by Covid blockchain.

Welcome to ETHGreen Blockchain ETHGreen blockchain is a fork from STAI and Chia blockchain including features implemented by Covid blockchain. About t

11 Dec 23, 2022
Python FFI bindings for libsecp256k1 (maintained)

secp256k1-py Python FFI bindings for libsecp256k1 (an experimental and optimized C library for EC operations on curve secp256k1). Previously maintaine

Rusty Russell 29 Dec 29, 2022
This is a basic encryption and decryption program made in python.

A basic encryption and decryption program to visualize how the process of protecting data works.

Junaid Chaudhry 5 Nov 15, 2021