The pskc module implements a simple and efficient API for parsing PSKC files. The PSKC class is used to access the file as a whole which provides access to a list of Key instances which contain most of the useful information from the PSKC file.
Importing data from a PSKC file can be done by instantiating a PSKC class:
>>> from pskc import PSKC
>>> pskc = PSKC('somefile.pskcxml')
>>> pskc.version
'1.0'
The PSKC class is used as a wrapper to access information from a PSKC file.
The whole file is parsed in one go. Instances of this class provide the following attributes: If parsing the PSKC file fails, a ParseError exception is raised.
The PSKC format version used. Only version 1.0 is currently specified in RFC 6030 and supported.
A unique identifier for the container.
Encryption instance that handles PSKC file encryption.
The keys attribute of a PSKC instance provides access to a list of keys contained in the PSKC file. Key instances provide access to a number of attributes that provide information on the transmitted keys:
>>> pskc = PSKC('somefile.pskcxml')
>>> first_key = pskc.keys[0]
>>> first_key.id
'some-id'
>>> first_key.algorithm
'urn:ietf:params:xml:ns:keyprov:pskc:hotp'
>>> first_key.secret
'SOME_SECRET_VALUE'
Attribute values will be None if it the value is not present in the PSKC file. If any of the secret, counter, time_offset, time_interval or time_drift values are accessed while they are encrypted and decryption is unsuccessful a DecryptionError exception is raised.
A unique identifier for the key. If there are multiple interactions with the same key in multiple instances of PSKC files the id is supposed to remain the same.
A URI that identifies the PSKC algorithm profile. The algorithm profile associates specific semantics to the key. Some known profiles are:
The binary value of the transported secret key. If the key information is encrypted in the PSKC file it is transparently decrypted if possible. Accessing the value may raise DecryptionError if decryption fails.
The event counter for event-based OTP algorithms. Will also be transparently decrypted and may also raise DecryptionError.
The time offset offset for time-based OTP algorithms. If time intervals are used it carries the number of time intervals passed from an algorithm-dependent start point. Will also be transparently decrypted and may also raise DecryptionError.
The time interval in seconds for time-based OTP algorithms (usually 30 or 60). Will also be transparently decrypted and may also raise DecryptionError.
For time-based OTP algorithms this contains the device clock drift in number of intervals. Will also be transparently decrypted and may also raise DecryptionError.
The name of the party that issued the key. This may be different from the manufacturer of the device.
A reference to a pre-shared key profile agreed upon between the sending and receiving parties. The profile information itself is not transmitted within the container. See RFC 6030.
A reference to an external key that is not contained within the PSKC file (e.g., a PKCS #11 key label). If this attribute is present, the secret attribute will generally be missing.
A human-readable name for the secret key.
The distinguished name of the user associated with the key. Also see device_userid.
The name of the manufacturer of the device to which the key is provisioned. RFC 6030 prescribes that the value is of the form oath.prefix for OATH Manufacturer Prefixes or iana.organisation for IANA Private Enterprise Numbers however, it is generally just a string. The value may be different from the issuer of the key on the device.
The serial number of the device to which the key is provisioned. Together with manufacturer (and possibly issue_no) this should uniquely identify the device.
A manufacturer specific description of the model of the device.
The issue number in case there are devices with the same serial number so that they can be distinguished by different issue numbers.
Reference to a device identifier (e.g. IMEI) that allows a provisioning server to ensure that the key is going to be loaded into a specific device.
datetime.datetime value that indicates that the device should only be used after this date.
datetime.datetime value that indicates that the device should only be used before this date. Systems should not rely upon the device to enforce key usage date restrictions, as some devices do not have an internal clock.
The distinguished name of the user associated with the device. Also see key_userid.
Implementation specific unique identifier of the cryptographic module on the device to which the keys have been (or will be) provisioned.
Additional algorithm specific characteristics. For example, in an HMAC-based algorithm it could designate the hash algorithm used (SHA1 or SHA256).
Encoding of the challenge accepted by the device for challenge-response authentication. One of:
The minimum size of the challenge accepted by the device.
The maximum size of the challenge accepted by the device.
Boolean that indicates whether the device will check an embedded Luhn check digit contained in the challenge.
Format of the response that is generated by the device. If must be one of the values as described under challenge_encoding.
The length of the response generated by the device.
Boolean that indicates whether the device will append a Luhn check digit to the response.
Policy instance that provides key and PIN policy information. See Key usage policy.
Check if any MACs in the key data embedded in the PSKC file are valid. This will return None if there is no MAC to be checked. It will return True if all the MACs match. If any MAC fails a DecryptionError exception is raised.