pykmssig

Release 0.0.8

pykmssig is a utility for signing and verifying files on AWS using the Key Management Service

Homepage PyPI Python

License
Other
Install
pip install pykmssig==0.0.8

Documentation

pykmssig

A python library inspired by https://github.com/codahale/kmssig

Build Status

Build Status

Why pykmssig?

Sometimes you need to validate a message passing multiple AWS accounts and services has not been tampered with in transit.

Let's say we have three AWS accounts Account A, Account B, and Account C.

Account A wants to publish messages to a Kinesis stream in Account B. Account B runs the Kinesis stream and some light data validation but does not modify the data.

Account C is a high security account and only allows Account B put access to a single dynamo table. In the event account B is compromised how does account C guarantee the integrity of the messages in transit?

Answer : pykmssig

pykmssig allows the owners of Account A to sign and encrypt a signature against a KMS key let's call it kms-key-alpha in order to do this kms-key-alpha needs to allow Account owner A the ability to encrypt messages. This encrypts the signature data. A second key kms-key-beta can be used to provide data at rest protection. Account A, B, and C can all be allowed decrypt for kms-key-beta but only Account C should be allowed to decrypt using kms-key-alpha to verify the message was not tampered with in transit.

Installing

git clone https://github.com/andrewkrug/pykmssig
pip install -r requirements.txt
python setup.py install

Setting up your environment

This looks for the environment variable SIGNING_KEY_ALIAS this should be a precreated alias for the KMS key you'd like to use to sign. If you've used the provided cloudformation stack template you need not change this.

Usage

# Signing a payload
from pykmssig import crypto

o = crypto.Operation()

result = o.sign(plaintext={'foo': 'bar'})

# The result of this operation will be ciphertext.

Verifying the payload:

# Verification

from pykmssig import crypto

o = crypto.Operation()

result = o.verify(
    ciphertext=ciphertext,
    plaintext={'foo': 'bar'}
)

"""Result returns a dictionary that looks as follows.""""
{
    'status': 'valid',
    'sig_b': b'U05jVK2Ewp286h3Ksr6Cc2GWMQT+9dG3Pxt0Wb5VEoPWGzTPfcNWxGFb5LHa9zyDs4rqUDc7kgzbXPKrRXCgmQ==',
    'sig_a': b'U05jVK2Ewp286h3Ksr6Cc2GWMQT+9dG3Pxt0Wb5VEoPWGzTPfcNWxGFb5LHa9zyDs4rqUDc7kgzbXPKrRXCgmQ=='
}

Stats

Dependencies
0
Dependent packages
0
Dependent repositories
1
Total releases
1
Latest release
First release
Stars
0
Forks
0
Watchers
0
Contributors
0
Repository size
28.3 KB
SourceRank
6

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

0.0.8

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2021-02-20 05:34:53 UTC

Login to resync this project