PySETO is a PASETO (Platform-Agnostic SEcurity TOkens) implementation written in Python

Related tags

Cryptographypythonsecurityjwtcryptographyencryptionsignaturersajoseed25519ecdsablake2btokeneddsasha384chacha20pasetopaserk
Overview

PySETO - A Python implementation of PASETO

PyPI version PyPI - Python Version Documentation Status Github CI codecov

PySETO is a PASETO (Platform-Agnostic SEcurity TOkens) implementation written in Python which supports all of the versions and purposes below.

  • Version 1: NIST Compatibility
    • Local: Symmetric Authenticated Encryption
      • AES-256-CTR + HMAC-SHA384 (Encrypt-then-MAC).
    • Public: Asymmetric Authentication (Public-Key Signatures)
      • RSASSA-PSS with 2048-bit key, SHA384 hashing and MGF1+SHA384.
  • Version 2: Sodium Original
    • Local: Symmetric Authenticated Encryption
      • XChaCha20-Poly1305 (192-bit nonce, 256-bit key, 128-bit authentication tag).
    • Public: Asymmetric Authentication (Public-Key Signatures)
      • EdDSA over Curve25519.
  • Version 3: NIST Modern
    • Local: Symmetric Authenticated Encryption
      • AES-256-CTR + HMAC-SHA384 (Encrypt-then-MAC).
    • Public: Asymmetric Authentication (Public-Key Signatures)
  • Version 4: Sodium Modern
    • Local: Symmetric Authenticated Encryption
      • XChaCha20 + BLAKE2b-MAC (Encrypt-then-MAC).
    • Public: Asymmetric Authentication (Public-Key Signatures)
      • EdDSA over Curve25519.

See Document for details.

Installation

You can install PySETO with pip:

$ pip install pyseto

Usage

You can use it as follows:

v4.local

>> token = pyseto.encode(key, '{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}') >>> token b'v4.local.VXJUUePf8zL1670zhOmbO7eRdccapuXlf76fRCkntiRauk2qQFOaBQOk4ISSRXQZvcGG2C5H74ShLzoU3YorK4xdfjHBj4ESoRB5mt1FWf8MEXoDQiIHQ4WDyMR57ferhaKJM6FwgcwM2xINWy1xCSFz5f7al0c8RUnd4xO_42beR83ye0jRYg' >>> decoded = pyseto.decode(key, token) >>> decoded.payload b'{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}' "> 
>>> import pyseto
>>> from pyseto import Key
>>> key = Key.new("v4", "local", "our-secret")
>>> token = pyseto.encode(key, '{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}')
>>> token
b'v4.local.VXJUUePf8zL1670zhOmbO7eRdccapuXlf76fRCkntiRauk2qQFOaBQOk4ISSRXQZvcGG2C5H74ShLzoU3YorK4xdfjHBj4ESoRB5mt1FWf8MEXoDQiIHQ4WDyMR57ferhaKJM6FwgcwM2xINWy1xCSFz5f7al0c8RUnd4xO_42beR83ye0jRYg'
>>> decoded = pyseto.decode(key, token)
>>> decoded.payload
b'{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}'

v4.public

>> public_key_pem = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAHrnbu7wEfAP9cGBOAHHwmH4Wsot1ciXBHwBBXQ4gsaI=\n-----END PUBLIC KEY-----" >>> secret_key = Key.new("v4", "public", secret_key_pem) >>> token = pyseto.encode(secret_key, '{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}') >>> token b'v4.public.eyJkYXRhIjogInRoaXMgaXMgYSBzaWduZWQgbWVzc2FnZSIsICJleHAiOiAiMjAyMi0wMS0wMVQwMDowMDowMCswMDowMCJ9l1YiKei2FESvHBSGPkn70eFO1hv3tXH0jph1IfZyEfgm3t1DjkYqD5r4aHWZm1eZs_3_bZ9pBQlZGp0DPSdzDg' >>> public_key = Key.new("v4", "public", public_key_pem) >>> decoded = pyseto.decode(public_key, token) >>> decoded.payload b'{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}' "> 
>>> import pyseto
>>> from pyseto import Key
>>> secret_key_pem = "-----BEGIN PRIVATE KEY-----\nMC4CAQAwBQYDK2VwBCIEILTL+0PfTOIQcn2VPkpxMwf6Gbt9n4UEFDjZ4RuUKjd0\n-----END PRIVATE KEY-----"
>>> public_key_pem = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAHrnbu7wEfAP9cGBOAHHwmH4Wsot1ciXBHwBBXQ4gsaI=\n-----END PUBLIC KEY-----"
>>> secret_key = Key.new("v4", "public", secret_key_pem)
>>> token = pyseto.encode(secret_key, '{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}')
>>> token
b'v4.public.eyJkYXRhIjogInRoaXMgaXMgYSBzaWduZWQgbWVzc2FnZSIsICJleHAiOiAiMjAyMi0wMS0wMVQwMDowMDowMCswMDowMCJ9l1YiKei2FESvHBSGPkn70eFO1hv3tXH0jph1IfZyEfgm3t1DjkYqD5r4aHWZm1eZs_3_bZ9pBQlZGp0DPSdzDg'
>>> public_key = Key.new("v4", "public", public_key_pem)
>>> decoded = pyseto.decode(public_key, token)
>>> decoded.payload
b'{"data": "this is a signed message", "exp": "2022-01-01T00:00:00+00:00"}'

API Reference

See Document.

Tests

You can run tests from the project root after cloning with:

$ tox
Comments
  • Avoid re-encoding and decoding output from serializer

    Avoid re-encoding and decoding output from serializer

    Is your feature request related to a problem? Please describe. When using a serializer such as orjson, a bytes object is output by default, but the serializer field expects a function that returns a str, that is immediately encoded into a bytes object.

    Describe the solution you'd like Make it so that serializer can output either a str or a bytes object. Also, the serializer field should ideally be a function and not a class, since Python functions are objects themselves and can be passed into functions (see map and filter).

    Describe alternatives you've considered Having my serializer return a str by doing orjson.dumps().decode("utf-8"), but this is inefficient.

    Additional context N/A

    enhancement 
    opened by MrAwesomeRocks 6
  • Compare MACs in constant time

    Compare MACs in constant time

    This PR replaces MAC comparisons using bytes.__eq__ with calls to hmac.compare_digest in the decryption routines for v1, v3 and v4, since the PASETO spec requires MACs to be checked in constant time. The v2 handler delegates this check to decrypt_and_verify in PyCryptoDome, which uses a randomised MAC comparison strategy instead. As such, v2 didn't require any fixes.

    Comments certainly welcome!

    opened by MatthiasValvekens 4
  • to_peer_paserk_id for k3.secret

    to_peer_paserk_id for k3.secret

    This is a feature request because to_peer_paserk_id is working as documented. Is there a technical reason why to_peer_paserk_id does not work on a V3 secret key? If Yes, can we add it to the documentation? If No, can we add support for it?

    enhancement 
    opened by Eh2406 4
  • Some (de)serializers output a datetime object when parsing

    Some (de)serializers output a datetime object when parsing

    Describe the bug I'm using cbor2 as my (de)serializer for Pyseto. When parsing a bytestring, cbor2 already outputs a datetime object, causing an error when iso8601 tries to parse the datetime. Would it be possible to add a check to see if nbf and exp are datetime objects before trying to parse them?

    To Reproduce Steps to reproduce the behavior:

    1. Set cbor2 as the Pyseto (de)serializer.
    2. Try to decode a PASETO.

    Expected behavior No error, Pyseto takes the pre-parsed datetime and uses it.

    Thanks in advance for your help! This is a really great library.

    bug 
    opened by MrAwesomeRocks 4
  • Support creating keys from bytes

    Support creating keys from bytes

    Currently Key can only be created from Paserk or PEM, which limits the interoperability of Pyseto.

    For example: If I want to create a key pair with Rust, and sign a Paseto token with Rust, I cannot then verify it with Pyseto because the Rust libraries only provide the public key as binary, meaning I'd need to convert it to either Paserk or PEM, which is just cumbersome.

    Most Paseto libraries allow importing/exporting keys as binary, so it makes sense to support it, to maximize interoperability.

    opened by not-my-profile 4
  • Typo in the Documentation

    Typo in the Documentation

    I think in

    https://pyseto.readthedocs.io/en/latest/paseto_usage.html#v4-local

    it must be "Symmetric Authenticated Encryption with XChaCha20 + BLAKE2b-MAC (Encrypt-then-MAC)" instead of "Symmetric Authenticated Encryption with AES-256-CTR + HMAC-SHA384 (Encrypt-then-MAC)"

    bug 
    opened by stsch9 2
  • Token payloads are not decoded when using `local` Keys

    Token payloads are not decoded when using `local` Keys

    Describe the bug When using a local Key, the token payload is not decoded, and so this example does not work for local keys. This is due to these lines in paseto.py that cause the function to exit early.

    To Reproduce Steps to reproduce the behavior:

    1. Go to this example: https://pyseto.readthedocs.io/en/stable/paseto_usage.html#using-serializer-deserializer-for-payload-and-footer
    2. Follow the directions, but use a local key.
    3. When running decoded.payload["data"], observe the error.

    Expected behavior The payload of the decoded token is a dictionary when deserializer is passed.

    bug 
    opened by MrAwesomeRocks 2
  • Update mypy requirement from ^0.920 to ^0.921

    Update mypy requirement from ^0.920 to ^0.921

    Updates the requirements on mypy to permit the latest version.

    Commits

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 2
  • Bump tox from 4.0.16 to 4.1.1

    Bump tox from 4.0.16 to 4.1.1

    Bumps tox from 4.0.16 to 4.1.1.

    Release notes

    Sourced from tox's releases.

    4.1.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.19...4.1.0

    4.0.18

    What's Changed

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.17...4.0.18

    4.0.17

    What's Changed

    New Contributors

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.16...4.0.17

    Changelog

    Sourced from tox's changelog.

    v4.1.1 (2022-12-29)

    Bugfixes - 4.1.1

    - Fix logging error with emoji in git branch name. (:issue:`2768`)

    Improved Documentation - 4.1.1

    • Add faq entry about re-use of environments - by :user:jugmac00. (:issue:2788)

    v4.1.0 (2022-12-29)

    Features - 4.1.0

    - ``-f`` can be used multiple times and on hyphenated factors (e.g. ``-f py311-django -f py39``) - by :user:`sirosen`. (:issue:`2766`)

    Improved Documentation - 4.1.0

    • Fix a grammatical typo in docs/user_guide.rst. (:issue:2787)

    v4.0.19 (2022-12-28)

    Bugfixes - 4.0.19

    - Create temp_dir if not exists - by :user:`q0w`. (:issue:`2770`)

    v4.0.18 (2022-12-26)
    

    Bugfixes - 4.0.18

    • Strip leading and trailing whitespace when parsing elements in requirement files - by :user:gaborbernat. (:issue:2773)

    v4.0.17 (2022-12-25)

    Features - 4.0.17

    - Suppress a report output when verbosity = 0. (:issue:`2697`)

    Bugfixes - 4.0.17

    • Fix --sdistonly behaviour. (:issue:2653)

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Bump tox from 4.0.16 to 4.0.19

    Bump tox from 4.0.16 to 4.0.19

    Bumps tox from 4.0.16 to 4.0.19.

    Release notes

    Sourced from tox's releases.

    4.0.18

    What's Changed

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.17...4.0.18

    4.0.17

    What's Changed

    New Contributors

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.16...4.0.17

    Changelog

    Sourced from tox's changelog.

    v4.0.19 (2022-12-28)

    Bugfixes - 4.0.19

    - Create temp_dir if not exists - by :user:`q0w`. (:issue:`2770`)

    v4.0.18 (2022-12-26)
    

    Bugfixes - 4.0.18

    • Strip leading and trailing whitespace when parsing elements in requirement files - by :user:gaborbernat. (:issue:2773)

    v4.0.17 (2022-12-25)

    Features - 4.0.17

    - Suppress a report output when verbosity = 0. (:issue:`2697`)

    Bugfixes - 4.0.17

    • Fix --sdistonly behaviour. (:issue:2653)
    • Override toxworkdir with --workdir. (:issue:2654)
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Bump tox from 4.0.16 to 4.0.18

    Bump tox from 4.0.16 to 4.0.18

    Bumps tox from 4.0.16 to 4.0.18.

    Release notes

    Sourced from tox's releases.

    4.0.18

    What's Changed

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.17...4.0.18

    4.0.17

    What's Changed

    New Contributors

    Full Changelog: https://github.com/tox-dev/tox/compare/4.0.16...4.0.17

    Changelog

    Sourced from tox's changelog.

    v4.0.18 (2022-12-26)

    Bugfixes - 4.0.18

    - Strip leading and trailing whitespace when parsing elements in requirement files - by :user:`gaborbernat`. (:issue:`2773`)

    v4.0.17 (2022-12-25)
    

    Features - 4.0.17

    • Suppress a report output when verbosity = 0. (:issue:2697)

    Bugfixes - 4.0.17

    - Fix ``--sdistonly`` behaviour. (:issue:`2653`)
- Override toxworkdir with --workdir. (:issue:`2654`)
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
Releases(v1.7.0)
Owner
Ajitomi, Daisuke
This is a private, hobby account. Except for "HTTPS in Local Network" activity, my repositories are not related to the company to which I belong.
Ajitomi, Daisuke
GitHub Repository
A web app to scan crypto markets based on candlestick pattern recognition from

Crypto_Scanner A web app to scan crypto markets based on candlestick pattern recognition from "Japanese Candlestick Charting Techniques: A Contemporar

Chris Qi 27 Jan 01, 2023
Smart-contracts - open sourcing our upcoming smart contracts for better security and transparency

Smart-contracts - open sourcing our upcoming smart contracts for better security and transparency

Rand Gallery 16 Jul 10, 2022
A simple web application with tools of cryptography, made with Flask and Cryptography.

Crypto Tools A web application made with Flask that allows the use of some cryptography tools like message digest, RSA key pair generation and a decip

Felipe Valentin 0 Jan 20, 2022
Simple python program to encrypt files with AES-256 encryption

simple-enc Simple python program to encrypt files with AES-256 encryption Setup First install "pyAesCrypt" using pip. Thats it! Optionally you can add

Hashm 2 Jan 19, 2022
BTCRecover is an open source wallet password and seed recovery tool.

BTCRecover is an open source wallet password and seed recovery tool. For seed based recovery, this is primarily useful in situations where you have lost/forgotten parts of your mnemonic, or have made

2 Aug 18, 2022
Simple encryption/decryption utility using Pycryptodome module. Working with AES and RSA algorithms.

EncypherUtil Simple encryption/decryption utility using PyCryptodome module. Working with AES and RSA algorithms. THIS UTILITY IS NOT LICENSED AS CRYP

Egor Yakubovich 0 Jun 14, 2022
PySETO is a PASETO (Platform-Agnostic SEcurity TOkens) implementation written in Python

A Python implementation of PASETO.

Ajitomi, Daisuke 33 Dec 17, 2022
A discord bot to crop an NFT image living on the Solana blockchain.

NFT Discord Cropper This discord bot crops an NFT in your set measures by getting it through the .cache file which has been used to make a candy machi

Rude Golems 7 Mar 21, 2022
Bot to trade crypto trading ranges

crypto-trading-bot Crypto bot with DCA or GRID trading strategy Sends notifictions to telegram chat Crypto bot with webhook feature which can be used

3 Jun 18, 2021
Get the length of the Instagram encrypted password

instagram-weak-encryption Get the length of the Instagram encrypted password Introduction Instagram and Facebook encrypt the password submitted at log

Giuseppe Criscione 19 Dec 09, 2022
PytoPrice is an automation program to fetch the latest price of a cryptocurrency of your choice at a user-customizable update interval.

PyToPrice (Python Crypto Price) PytoPrice is an automation program to fetch the latest price of a cryptocurrency of your choice at a user-customizable

Peter 1 Jun 16, 2022
A community effort to bring back Duino-Coin

Duino-Coin-Revived A community effort to bring back Duino-Coin! Along with reviving the cryptocurrency, we will add many improvements to it, including

1 Dec 22, 2021
In this repository there are two types of code files

encryption-decryption In this repository there are two types of code files Me Friend Code in the 'Me' file can use for encryption and Code in the 'Fri

Vicksura Dulhan Perera 1 Nov 22, 2021
Privfiles - Encrypted file storage using Fernet with zero Javascript

Privfiles - Encrypted file storage using Fernet with zero Javascript Source code for the onion service: l3n6v6dm63frml22tlmzacnasvp7co7wylu4hhcs34ukxe

Ward 5 Jul 30, 2022
RSI Algorithmic Trading with Python

In this repository you can see my first algorithhmic trading script. I use 5 cryptocurrencies: Bitcoin (BTC), Ethereum (ETH), Bitcoin Cash (BCH), Litecoin (LTC) and Chainlink (LINK).

Jon Aldekoa 4 Mar 16, 2022
The Qis|krypt⟩ is a software suite of protocols of quantum cryptography and quantum communications

The Qis|krypt⟩ is a software suite of protocols of quantum cryptography and quantum communications, as well, other protocols and algorithms, built using IBM’s open-source Software Development Kit for

Qiskrypt 14 Oct 31, 2022
C0mptCrypt - An object-oriented, minamalistic, simple encryption library in Python

C0mptCrypt allows you to encrypt strings of text. It can only be decrypted using C0mptCrypt and not by random online tools. You can use this for a variety of things from creating passwords, to encryp

c0mpt0 4 Aug 22, 2022
Modern(-ish) password hashing for your software and your servers

bcrypt Good password hashing for your software and your servers Installation To install bcrypt, simply: $ pip install bcrypt Note that bcrypt should b

Python Cryptographic Authority 947 Dec 28, 2022
Address Validator (Bitcoin & Monero)

The Bitcoin address is an identifier of 26-35 alphanumeric characters, beginning with the number 1, 3 or bc1. 0, O, I, l are removed to avoid visual a

0 Mar 29, 2022
offline half-random brute force script for Ethereum private keys

eth200swinger offline half-random brute force script for Ethereum private keys, goes from the beginning to end of range and vice versa, saves any foun

2 Oct 06, 2022