ucryptography

Lightweight porting of cryptography to Micropython based on ARM Mbed TLS

Tip

If you find ucryptography useful, consider ⭐ this project and why not ... Buy me a coffee 😄

Basic usage

try:
    from cryptography import hashes, rsa, padding
except ImportError:
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import rsa
    from cryptography.hazmat.primitives.asymmetric import padding

message = b"A message I want to sign"
chosen_hash = hashes.SHA256()

private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
signature = private_key.sign(
    message,
    padding.PSS(
        mgf=padding.MGF1(chosen_hash), salt_length=chosen_hash.digest_size
    ),
    chosen_hash,
)
public_key = private_key.public_key()
public_key.verify(
    signature,
    message,
    padding.PSS(
        mgf=padding.MGF1(chosen_hash), salt_length=chosen_hash.digest_size
    ),
    chosen_hash,
)

More examples

• tests/cryptography

How to build

Important

Currently needs a patch to the file extmod/mbedtls/mbedtls_config_common.h to enable all its functionality.

diff

diff --git a/extmod/mbedtls/mbedtls_config_common.h b/extmod/mbedtls/mbedtls_config_common.h
index db1562f27..d938c829a 100644
--- a/extmod/mbedtls/mbedtls_config_common.h
+++ b/extmod/mbedtls/mbedtls_config_common.h
@@ -46,9 +46,11 @@
 #define MBEDTLS_ECP_DP_SECP256K1_ENABLED
 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#define MBEDTLS_BASE64_C
 #define MBEDTLS_CAN_ECDH
 #define MBEDTLS_PK_CAN_ECDSA_SIGN
 #define MBEDTLS_PKCS1_V15
+#define MBEDTLS_PKCS1_V21
 #define MBEDTLS_SHA256_SMALLER
 #define MBEDTLS_SSL_PROTO_TLS1
 #define MBEDTLS_SSL_PROTO_TLS1_1
@@ -67,17 +69,23 @@
 #define MBEDTLS_BIGNUM_C
 #define MBEDTLS_CIPHER_C
 #define MBEDTLS_CTR_DRBG_C
+#define MBEDTLS_DES_C
 #define MBEDTLS_ECDH_C
 #define MBEDTLS_ECDSA_C
 #define MBEDTLS_ECP_C
 #define MBEDTLS_ENTROPY_C
 #define MBEDTLS_ERROR_C
+#define MBEDTLS_GCM_C
+#define MBEDTLS_GENPRIME
 #define MBEDTLS_MD_C
 #define MBEDTLS_MD5_C
 #define MBEDTLS_OID_C
+#define MBEDTLS_PEM_PARSE_C
+#define MBEDTLS_PEM_WRITE_C
 #define MBEDTLS_PKCS5_C
 #define MBEDTLS_PK_C
 #define MBEDTLS_PK_PARSE_C
+#define MBEDTLS_PK_WRITE_C
 #define MBEDTLS_PLATFORM_C
 #define MBEDTLS_RSA_C
 #define MBEDTLS_SHA1_C

---

UNIX port (coverage)

$ git clone https://github.com/micropython/micropython.git
$ cd micropython
micropython$ git submodule update --init --depth 1
micropython$ git clone https://github.com/dmazzella/ucryptography.git usercmodule/ucryptography
micropython$ git apply usercmodule/ucryptography/patches/extmod__mbedtls__mbedtls_config_common.h.patch
micropython$ cd usercmodule/ucryptography
ucryptography$ git submodule update --init --depth 1
ucryptography$ cd ../../
micropython$ make -j2 -C mpy-cross/
micropython$ make -j2 -C ports/unix/ VARIANT="coverage" MICROPY_SSL_AXTLS=0 MICROPY_SSL_MBEDTLS=1 USER_C_MODULES="$(pwd)/usercmodule"

ESP32 port (ESP32_GENERIC_C3)

$ git clone https://github.com/micropython/micropython.git
$ cd micropython
micropython$ git submodule update --init --depth 1
micropython$ git clone https://github.com/dmazzella/ucryptography.git usercmodule/ucryptography
micropython$ git apply usercmodule/ucryptography/patches/extmod__mbedtls__mbedtls_config_common.h.patch
micropython$ cd usercmodule/ucryptography
ucryptography$ git submodule update --init --depth 1
ucryptography$ cd ../../
micropython$ make -j2 -C mpy-cross/
micropython$ make -C ports/esp32 BOARD=ESP32_GENERIC_C3 USER_C_MODULES="$(pwd)/usercmodule/ucryptography/micropython.cmake"

STM32 port (ARDUINO_PORTENTA_H7)

$ git clone https://github.com/micropython/micropython.git
$ cd micropython
micropython$ git submodule update --init --depth 1
micropython$ git clone https://github.com/dmazzella/ucryptography.git usercmodule/ucryptography
micropython$ git apply usercmodule/ucryptography/patches/extmod__mbedtls__mbedtls_config_common.h.patch
micropython$ cd usercmodule/ucryptography
ucryptography$ git submodule update --init --depth 1
ucryptography$ cd ../../
micropython$ make -j2 -C mpy-cross/
micropython$ make -C ports/stm32 BOARD=ARDUINO_PORTENTA_H7 USER_C_MODULES="$(pwd)/usercmodule"

Goals

• ciphers
  • AESGCM
  • Cipher
  • algorithms
    • AES
    • TripleDES
  • modes
    • CBC
    • ECB
    • GCM
• ec
  • ECDH
  • ECDSA
  • SECP256R1
  • SECP384R1
  • SECP521R1
  • EllipticCurvePublicKey
    • from_encoded_point
  • EllipticCurvePublicNumbers
  • EllipticCurvePrivateKey
  • EllipticCurvePrivateNumbers
  • generate_private_key
  • derive_private_key
• ed25519
  • Ed25519PrivateKey
  • Ed25519PublicKey
• exceptions
  • InvalidSignature
  • AlreadyFinalized
  • UnsupportedAlgorithm
  • InvalidKey
  • InvalidToken
• hashes
  • SHA1
  • SHA256
  • SHA384
  • SHA512
  • BLAKE2s
  • Hash
• hmac
  • HMAC
• padding
  • PKCS1v15
  • PSS
  • OAEP
  • MGF1
  • calculate_max_pss_salt_length
• rsa
  • RSAPublicKey
  • RSAPublicNumbers
  • RSAPrivateKey
  • RSAPrivateNumbers
  • rsa_crt_iqmp
  • rsa_crt_dmp1
  • rsa_crt_dmq1
  • rsa_recover_prime_factors
  • generate_private_key
• serialization
  • load_der_public_key
  • load_der_private_key
  • NoEncryption
  • Encoding
    • DER
    • PEM
    • X962
    • Raw
  • PublicFormat
    • SubjectPublicKeyInfo
    • UncompressedPoint
    • Raw
  • PrivateFormat
    • TraditionalOpenSSL
    • Raw
• twofactor
  • HOTP
  • TOTP
• utils
  • RFC6979
  • Prehashed
  • constant_time_bytes_eq
  • bit_length
  • encode_dss_signature
  • decode_dss_signature
  • rsa_deduce_private_exponent
• x509
  • load_der_x509_certificate
  • Certificate