
Compiler-free Python crypto library backed by the OS, supporting CPython and PyPy

oscrypto

A compilation-free, always up-to-date encryption library for Python that works on Windows, OS X, Linux and BSD. Supports the following versions of Python: 2.6, 2.7, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10 and pypy.


Supported Operating Systems

The library integrates with the encryption library that is part of the operating system. This means that a compiler is never needed, and OS security updates take care of patching vulnerabilities. Supported operating systems include:

  • Windows XP or newer
  • OS X 10.7 or newer
    • Tested on:
      • OS X 10.7
      • OS X 10.8
      • OS X 10.9
      • OS X 10.10
      • OS X 10.11
      • OS X 10.11 with OpenSSL 1.1.0
      • macOS 10.12
      • macOS 10.13 with LibreSSL 2.2.7
      • macOS 10.14
      • macOS 10.15
      • macOS 10.15 with OpenSSL 3.0
      • macOS 11
      • macOS 12
  • Linux or BSD
    • Tested on:
      • Arch Linux with OpenSSL 1.0.2
      • OpenBSD 5.7 with LibreSSL
      • Ubuntu 10.04 with OpenSSL 0.9.8
      • Ubuntu 12.04 with OpenSSL 1.0.1
      • Ubuntu 15.04 with OpenSSL 1.0.1
      • Ubuntu 16.04 with OpenSSL 1.0.2 on Raspberry Pi 3 (armhf)
      • Ubuntu 18.04 with OpenSSL 1.1.x (amd64, arm64, ppc64el)
      • Ubuntu 22.04 with OpenSSL 3.0 (amd64)

OS X 10.6 will not be supported due to a lack of available cryptographic primitives and due to lack of vendor support.

Features

Currently the following features are implemented. Many of these should only be used for integration with existing/legacy systems. If you don't know which you should or should not use, please see Learning.

  • TLSv1.x socket wrappers
    • Certificate verification performed by OS trust roots
    • Custom CA certificate support
    • SNI support (except Windows XP)
    • Session reuse via IDs/tickets
    • Modern cipher suites (RC4, DES, anon and NULL ciphers disabled)
    • Weak DH parameters and certificate signatures rejected
    • SSLv3 disabled by default, SSLv2 unimplemented
    • CRL/OCSP revocation checks consistently disabled
  • Exporting OS trust roots
    • PEM-formatted CA certs from the OS for OpenSSL-based code
  • Encryption/decryption
    • AES (128, 192, 256), CBC mode, PKCS7 padding
    • AES (128, 192, 256), CBC mode, no padding
    • TripleDES 3-key, CBC mode, PKCS5 padding
    • TripleDES 2-key, CBC mode, PKCS5 padding
    • DES, CBC mode, PKCS5 padding
    • RC2 (40-128), CBC mode, PKCS5 padding
    • RC4 (40-128)
    • RSA PKCSv1.5
    • RSA OAEP (SHA1 only)
  • Generating public/private key pairs
    • RSA (1024, 2048, 3072, 4096 bit)
    • DSA (1024 bit on all platforms - 2048, 3072 bit with OpenSSL 1.x or Windows 8)
    • EC (secp256r1, secp384r1, secp521r1 curves)
  • Generating DH parameters
  • Signing and verification
    • RSA PKCSv1.5
    • RSA PSS
    • DSA
    • EC
  • Loading and normalizing DER and PEM formatted keys
    • RSA public and private keys
    • DSA public and private keys
    • EC public and private keys
    • X.509 Certificates
    • PKCS#12 archives (.pfx/.p12)
  • Key derivation
    • PBKDF2
    • PBKDF1
    • PKCS#12 KDF
  • Random byte generation

The feature set was largely driven by the technologies used related to generating and validating X.509 certificates. The various CBC encryption schemes and KDFs are used to load encrypted private keys, and the various RSA padding schemes are part of X.509 signatures.

For modern cryptography not tied to an existing system, please see the Modern Cryptography section of the docs.

Please note that this library does not include modern block modes such as CTR and GCM due to lack of support from both OS X and OpenSSL 0.9.8.

Why Another Python Crypto Library?

In short, the existing cryptography libraries for Python didn't fit the needs of a couple of projects I was working on. Primarily these are applications distributed to end-users who aren't programmers, that need to handle TLS and various technologies related to X.509 certificates.

If your system is not tied to AES, TLS, X.509, or related technologies, you probably want more modern cryptography.

Depending on your needs, the cryptography package may be a good (or better) fit.

Some things that make oscrypto unique:

  • No compiler needed, ever. No need to pre-compile shared libraries. Just distribute the Python source files, any way you want.
  • Uses the operating system's crypto library - does not require OpenSSL on Windows or OS X.
  • Relies on the operating system for security patching. You don't need to rebuild all of your apps every time there is a new TLS vulnerability.
  • Intentionally limited in scope to crypto primitives. Other libraries built upon it deal with certificate path validation, creating certificates and CSRs, constructing CMS structures.
  • Built on top of a fast, pure-Python ASN.1 parser, asn1crypto.
  • TLS functionality uses the operating system's trust list/CA certs and is pre-configured with sane defaults
  • Public APIs are simple and use strict type checks to avoid errors

Some downsides include:

  • Does not currently implement:
    • standalone DH key exchange
    • various encryption modes such as GCM, CCM, CTR, CFB, OFB, ECB
    • key wrapping
    • CMAC
    • HKDF
  • Non-TLS functionality is architected for dealing with data that fits in memory and is available all at once
  • Developed by a single developer

Related Crypto Libraries

oscrypto is part of the modularcrypto family of Python packages:

Current Release

1.3.0 - changelog

Dependencies

  • asn1crypto
  • Python 2.6, 2.7, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10 or pypy
  • OpenSSL/LibreSSL if on Linux¹

¹ On Linux, ctypes.util.find_library() is used to locate OpenSSL. Alpine Linux does not ship an install that find_library() can resolve by default, so oscrypto.use_openssl() must instead be called with the paths to the OpenSSL shared libraries.

Installation

pip install oscrypto

License

oscrypto is licensed under the terms of the MIT license. See the LICENSE file for the exact license text.

Documentation

oscrypto documentation

Continuous Integration

Various combinations of platforms and versions of Python are tested via:

Testing

Tests are written using unittest and require no third-party packages.

Depending on what type of source is available for the package, the following commands can be used to run the test suite.

Git Repository

When working within a Git working copy, or an archive of the Git repository, the full test suite is run via:

python run.py tests

To run only some tests, pass a regular expression as a parameter to tests.

python run.py tests aes

To run tests multiple times, in order to catch edge-case bugs, pass an integer to tests. If combined with a regular expression for filtering, pass the repeat count after the regular expression.

python run.py tests 20
python run.py tests aes 20

Backend Options

To run tests using a custom build of OpenSSL, or to use OpenSSL on Windows or Mac, add use_openssl after run.py, like:

python run.py use_openssl=/path/to/libcrypto.so,/path/to/libssl.so tests

To run tests forcing the use of ctypes, even if cffi is installed, add use_ctypes after run.py:

python run.py use_ctypes=true tests

To run tests using the legacy Windows crypto functions on Windows 7+, add use_winlegacy after run.py:

python run.py use_winlegacy=true tests

Internet Tests

To skip tests that require an internet connection, add skip_internet after run.py:

python run.py skip_internet=true tests

PyPI Source Distribution

When working within an extracted source distribution (aka .tar.gz) from PyPI, the full test suite is run via:

python setup.py test

Test Options

The following env vars can control aspects of running tests:

Force OpenSSL Shared Library Paths

Setting the env var OSCRYPTO_USE_OPENSSL to a string in the form:

/path/to/libcrypto.so,/path/to/libssl.so

will force use of specific OpenSSL shared libraries.

This also works on Mac and Windows to force use of OpenSSL instead of using native crypto libraries.
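The footnote on Linux library discovery and the OSCRYPTO_USE_OPENSSL option above describe two ways oscrypto ends up bound to a particular OpenSSL build. The following is an added example (not oscrypto's own code) that resolves which libcrypto/libssl pair would be loaded, so an operator can confirm the library actually receiving OS security patches is the one in use; the function names and the `environ` parameter are this example's own, and it assumes `oscrypto.use_openssl(libcrypto_path, libssl_path)` as documented by the project.

```python
"""Resolve which OpenSSL shared libraries oscrypto would load (added example)."""
import ctypes.util
import os


def parse_openssl_paths(value):
    """Split the "/path/to/libcrypto.so,/path/to/libssl.so" form into a tuple.

    Anything other than exactly two non-empty entries raises ValueError, so a
    typo in the setting fails loudly instead of silently falling back to
    find_library() and possibly a different (unpatched) OpenSSL build.
    """
    parts = [p.strip() for p in value.split(',')]
    if len(parts) != 2 or not all(parts):
        raise ValueError(
            'expected "/path/to/libcrypto,/path/to/libssl", got %r' % (value,))
    return parts[0], parts[1]


def resolve_openssl(environ=None):
    """Return (source, libcrypto, libssl) describing what would be loaded.

    source is 'env' when OSCRYPTO_USE_OPENSSL forces explicit paths,
    'find_library' when ctypes.util.find_library() locates both libraries,
    or None when neither works (the Alpine case from the README, where
    oscrypto.use_openssl() must be called explicitly).
    """
    environ = os.environ if environ is None else environ
    explicit = environ.get('OSCRYPTO_USE_OPENSSL')
    if explicit:
        libcrypto, libssl = parse_openssl_paths(explicit)
        for path in (libcrypto, libssl):
            if not os.path.isfile(path):
                raise OSError('OSCRYPTO_USE_OPENSSL: %s does not exist' % path)
        return 'env', libcrypto, libssl
    # Same lookup oscrypto relies on by default on Linux
    libcrypto = ctypes.util.find_library('crypto')
    libssl = ctypes.util.find_library('ssl')
    if libcrypto and libssl:
        return 'find_library', libcrypto, libssl
    return None, libcrypto, libssl


def configure_oscrypto(environ=None):
    """Apply explicit paths via oscrypto.use_openssl() and report the source."""
    source, libcrypto, libssl = resolve_openssl(environ)
    if source == 'env':
        import oscrypto  # only needed when forcing a specific OpenSSL build
        oscrypto.use_openssl(libcrypto, libssl)
    return source
```

Running `resolve_openssl()` with no override on a host where the result is `None` reproduces the Alpine failure mode before any oscrypto call is made.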

Force Use of ctypes

By default, oscrypto will use the cffi module for FFI if it is installed.

To use the slightly slower, but more widely-tested, ctypes FFI layer, set the env var OPENSSL_USE_CTYPES=true.

Force Use of Legacy Windows Crypto APIs

On Windows 7 and newer, oscrypto will use the CNG backend by default.

To force use of the older CryptoAPI, set the env var OPENSSL_USE_WINLEGACY=true.

Skip Tests Requiring an Internet Connection

Some of the TLS tests require an active internet connection to ensure that various "bad" server certificates are rejected.

To skip tests requiring an internet connection, set the env var OPENSSL_SKIP_INTERNET_TESTS=true.

Package

When the package has been installed via pip (or another method), the package oscrypto_tests may be installed and invoked to run the full test suite:

pip install oscrypto_tests
python -m oscrypto_tests

Development

To install the package used for linting, execute:

pip install --user -r requires/lint

The following command will run the linter:

python run.py lint

Support for code coverage can be installed via:

pip install --user -r requires/coverage

Coverage is measured by running:

python run.py coverage

To install the packages required to generate the API documentation, run:

pip install --user -r requires/api_docs

The documentation can then be generated by running:

python run.py api_docs

To install the necessary packages for releasing a new version on PyPI, run:

pip install --user -r requires/release

Releases are created by:

  • Making a git tag in semver format

  • Running the command:

    python run.py release

Existing releases can be found at https://pypi.python.org/pypi/oscrypto.

CI Tasks

A task named deps exists to download and stage all necessary testing dependencies. On POSIX platforms, curl is used for downloads; on Windows, PowerShell with Net.WebClient is used. This configuration sidesteps issues related to getting pip to work properly and avoids modifying site-packages for the version of Python being used.

The ci task runs lint (if flake8 is available for the version of Python) and coverage (or tests if coverage is not available for the version of Python). If the current directory is a clean git working copy, the coverage data is submitted to codecov.io.

python run.py deps
python run.py ci
