PyPI - pybiss - Versions diffs - 0.0.1__tar.gz - Mend

pybiss 0.0.1__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

pybiss-0.0.1/PKG-INFO +6 -0
pybiss-0.0.1/Readme.md +0 -0
pybiss-0.0.1/pyproject.toml +13 -0
pybiss-0.0.1/setup.cfg +4 -0
pybiss-0.0.1/src/app.py +286 -0
pybiss-0.0.1/src/cert_parser.py +193 -0
pybiss-0.0.1/src/config.py +68 -0
pybiss-0.0.1/src/desktop_ui.py +444 -0
pybiss-0.0.1/src/detector.py +191 -0
pybiss-0.0.1/src/hardware.py +522 -0
pybiss-0.0.1/src/locale.py +117 -0
pybiss-0.0.1/src/pkcs11_funcs.py +99 -0
pybiss-0.0.1/src/pkcs11_types.py +102 -0
pybiss-0.0.1/src/pybiss.egg-info/PKG-INFO +6 -0
pybiss-0.0.1/src/pybiss.egg-info/SOURCES.txt +31 -0
pybiss-0.0.1/src/pybiss.egg-info/dependency_links.txt +1 -0
pybiss-0.0.1/src/pybiss.egg-info/top_level.txt +16 -0
pybiss-0.0.1/src/server.py +160 -0
pybiss-0.0.1/src/server_ui.py +206 -0
pybiss-0.0.1/src/service.py +87 -0
pybiss-0.0.1/src/spkac.py +68 -0
pybiss-0.0.1/src/tkinter_mods.py +438 -0
pybiss-0.0.1/src/tui.py +285 -0
pybiss-0.0.1/src/verifier.py +41 -0
pybiss-0.0.1/tests/test_cert_parser.py +128 -0
pybiss-0.0.1/tests/test_detector.py +140 -0
pybiss-0.0.1/tests/test_hardware.py +304 -0
pybiss-0.0.1/tests/test_pkcs11_funcs.py +66 -0
pybiss-0.0.1/tests/test_pkcs11_types.py +83 -0
pybiss-0.0.1/tests/test_server.py +218 -0
pybiss-0.0.1/tests/test_service.py +158 -0
pybiss-0.0.1/tests/test_spkac.py +86 -0
pybiss-0.0.1/tests/test_verifier.py +127 -0

pybiss-0.0.1/PKG-INFO ADDED Viewed

@@ -0,0 +1,6 @@
+Metadata-Version: 2.4
+Name: pybiss
+Version: 0.0.1
+Summary: Unofficial BISS implementation in Python. Fast, modern, self contained
+Requires-Python: >=3.13
+Description-Content-Type: text/markdown

pybiss-0.0.1/Readme.md ADDED Viewed

File without changes

pybiss-0.0.1/pyproject.toml ADDED Viewed

@@ -0,0 +1,13 @@
+[project]
+name = "pybiss"
+version = "0.0.1"
+description = "Unofficial BISS implementation in Python. Fast, modern, self contained"
+readme = "Readme.md"
+requires-python = ">=3.13"
+dependencies = []
+[project.scripts]
+# pybiss-server = "src.app:app.run"
+# pybiss-tui = "src.tui:run_tui"
+# pybiss-gui = "src.desktop_ui:main"

pybiss-0.0.1/setup.cfg ADDED Viewed

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build =
+tag_date = 0

pybiss-0.0.1/src/app.py ADDED Viewed

@@ -0,0 +1,286 @@
+import base64, sys
+sys.path.append(__file__.rsplit('/', 1)[0])
+from src.server import MiniServer
+import src.detector as detector
+import src.hardware as hardware
+import src.service as service
+import src.server_ui as ui
+# -- Endpoints
+app = MiniServer()
+@app.get('/version')
+def get_version(req):
+    return {
+        'version': 'pybiss-1.0.0',
+        'httpMethods': 'GET, POST',
+        'contentTypes': 'data, digest',
+        'signatureTypes': 'signature',
+        'selectorAvailable': True,
+        'hashAlgorithms': 'SHA1, SHA256, SHA384, SHA512'
+    }
+@app.get('/status')
+def get_status(req):
+    atrs = detector.get_connected_atrs()
+    lib_path = detector.auto_detect_library()
+    return {
+        'status': 'ok' if atrs else 'no_cards_detected',
+        'readers': atrs,
+        'driver': lib_path
+    }
+@app.post('/getsigner')
+def get_signer(req):
+    data = req.json
+    selector = data.get('selector')
+    show_valid_certs = data.get('showValidCerts', True)
+    lib_path = detector.auto_detect_library()
+    if not lib_path:
+        raise Exception('No supported smart cards detected')
+    funcs = hardware.load_pkcs11(lib_path)
+    slots = hardware.get_slots(funcs, token_present=True)
+    if not slots:
+        raise Exception('No token present in smart card reader')
+    ui_provider = ui.get_ui_provider()
+    pin = ui_provider.prompt_pin()
+    if not pin:
+        return {'chain': [], 'status': 'error', 'reasonCode': 401, 'reasonText': 'PIN canceled'}
+    all_certs = []
+    for slot_id in slots:
+        try:
+            certs = hardware.get_certificates(funcs, slot_id, pin)
+            for c in certs:
+                c['slot_id'] = slot_id
+                c['pin'] = pin
+                all_certs.append(c)
+        except Exception:
+            continue
+    filtered_certs = service.filter_certificates(all_certs, selector=selector, show_valid_certs=show_valid_certs)
+    if not filtered_certs:
+        return {'chain': [], 'status': 'error', 'reasonCode': 404, 'reasonText': 'No matching certificates'}
+    choice_idx = ui_provider.choose_certificate(filtered_certs)
+    if choice_idx == -1:
+        return {'chain': [], 'status': 'error', 'reasonCode': 400, 'reasonText': 'Canceled'}
+    selected_cert = filtered_certs[choice_idx]
+    cert_b64 = base64.b64encode(selected_cert['der']).decode('utf-8')
+    return {'chain': [cert_b64], 'status': 'ok', 'reasonCode': 200, 'reasonText': 'Success'}
+@app.post('/sign')
+def sign(req):
+    data = req.json
+    # Extract fields from the raw JSON payload
+    contents = data.get('contents', [])
+    signed_contents = data.get('signedContents', [])
+    signed_contents_cert = data.get('signedContentsCert', [])
+    hash_algorithm = data.get('hashAlgorithm', 'SHA256')
+    confirm_text = data.get('confirmText', [])
+    signer_cert_b64 = data.get('signerCertificateB64')
+    # Verification of Server Signature
+    if len(contents) != len(signed_contents) or not contents:
+        return {'signatures': [], 'status': 'error', 'reasonCode': 400, 'reasonText': 'Contents and signature length mismatch/empty'}
+    try:
+        if not signed_contents_cert:
+            raise ValueError('Server certificate missing')
+        server_cert_der = base64.b64decode(signed_contents_cert[0])
+    except Exception:
+        return {'signatures': [], 'status': 'error', 'reasonCode': 400, 'reasonText': 'Invalid server certificate encoding'}
+    # Verify each content piece against the server signature
+    for i in range(len(contents)):
+        try:
+            payload = base64.b64decode(contents[i])
+            srv_sig = base64.b64decode(signed_contents[i])
+        except Exception:
+            return {'signatures': [], 'status': 'error', 'reasonCode': 400, 'reasonText': 'Invalid payload/signature base64 encoding'}
+        verified = service.verify_server_signature(
+            payload=payload,
+            signature=srv_sig,
+            server_cert_der=server_cert_der,
+            hash_alg=hash_algorithm
+        )
+        if not verified:
+            return {'signatures': [], 'status': 'error', 'reasonCode': 403, 'reasonText': 'Server signature verification failed'}
+    # Confirm signature request with the user
+    ui_provider = ui.get_ui_provider()
+    confirm_msg = confirm_text[0] if confirm_text else 'Authorize signature request from banking portal?'
+    confirmed = ui_provider.confirm_sign(confirm_msg)
+    if not confirmed:
+        return {'signatures': [], 'status': 'error', 'reasonCode': 400, 'reasonText': 'User rejected signature request'}
+    # Locate card PKCS11 library
+    lib_path = detector.auto_detect_library()
+    if not lib_path:
+        return {'signatures': [], 'status': 'error', 'reasonCode': 400, 'reasonText': 'No supported smart cards detected'}
+    try:
+        funcs = hardware.load_pkcs11(lib_path)
+    except Exception as e:
+        return {'signatures': [], 'status': 'error', 'reasonCode': 500, 'reasonText': f'Failed to load PKCS11 driver: {e}'}
+    # Search and identify which slot contains the requested signer certificate
+    try:
+        if not signer_cert_b64:
+            raise ValueError('Signer certificate missing')
+        signer_cert_der = base64.b64decode(signer_cert_b64)
+    except Exception:
+         return {'signatures': [], 'status': 'error', 'reasonCode': 400, 'reasonText': 'Invalid signer certificate encoding'}
+    slots = hardware.get_slots(funcs, token_present=True)
+    target_slot = None
+    target_cert_id = None
+    target_pin = None
+    # Prompt user for PIN to search card
+    pin = ui_provider.prompt_pin()
+    if not pin:
+        return {'signatures': [], 'status': 'error', 'reasonCode': 401, 'reasonText': 'PIN required'}
+    for slot_id in slots:
+        try:
+            certs = hardware.get_certificates(funcs, slot_id, pin)
+            for c in certs:
+                if c['der'] == signer_cert_der:
+                    target_slot = slot_id
+                    target_cert_id = c['id']
+                    target_pin = pin
+                    break
+            if target_slot is not None:
+                break
+        except Exception:
+            continue
+    if target_slot is None:
+        return {'signatures': [], 'status': 'error', 'reasonCode': 404, 'reasonText': 'Requested signing certificate not found on smart card'}
+    # Perform PKCS#11 signing
+    generated_signatures = []
+    for payload_b64 in contents:
+        try:
+            payload_bytes = base64.b64decode(payload_b64)
+            sig = hardware.sign_payload(
+                funcs=funcs,
+                slot_id=target_slot,
+                pin=target_pin,
+                payload=payload_bytes,
+                key_id=target_cert_id
+            )
+            generated_signatures.append(base64.b64encode(sig).decode('utf-8'))
+        except Exception as e:
+            return {'signatures': [], 'status': 'error', 'reasonCode': 500, 'reasonText': f'Signing failed: {e}'}
+    return {'signatures': generated_signatures, 'status': 'ok', 'reasonCode': 200, 'reasonText': 'Success'}
+@app.get('/getSerialNumber')
+def get_serial_number(req):
+    lib_path = detector.auto_detect_library()
+    if not lib_path:
+        return {'status': 'error', 'reasonCode': 400, 'reasonText': 'No supported smart cards detected'}
+    try:
+        funcs = hardware.load_pkcs11(lib_path)
+        slots = hardware.get_slots(funcs, token_present=True)
+        if not slots:
+            return {'status': 'error', 'reasonCode': 404, 'reasonText': 'No token present'}
+        serial = hardware.get_token_serial_number(funcs, slots[0])
+        # The Java app returns keysize and vendor too, but serial is the most critical
+        return {'serialNumber': serial, 'status': 'ok', 'reasonCode': 200, 'reasonText': 'Success'}
+    except Exception as e:
+        return {'status': 'error', 'reasonCode': 500, 'reasonText': str(e)}
+@app.post('/setPIN')
+def set_pin(req):
+    data = req.json
+    old_pin = data.get('oldPIN')
+    new_pin = data.get('newPIN')
+    if not old_pin or not new_pin:
+        return {'status': 'error', 'reasonCode': 400, 'reasonText': 'Missing PIN data'}
+    lib_path = detector.auto_detect_library()
+    try:
+        funcs = hardware.load_pkcs11(lib_path)
+        slots = hardware.get_slots(funcs, token_present=True)
+        hardware.change_card_pin(funcs, slots[0], old_pin, new_pin)
+        return {'status': 'ok', 'reasonCode': 200, 'reasonText': 'PIN successfully changed'}
+    except Exception as e:
+        return {'status': 'error', 'reasonCode': 500, 'reasonText': str(e)}
+@app.post('/unblockPIN')
+def unblock_pin(req):
+    data = req.json
+    puk = data.get('puk')
+    new_pin = data.get('newPIN')
+    if not puk or not new_pin:
+        return {'status': 'error', 'reasonCode': 400, 'reasonText': 'Missing PUK or new PIN'}
+    lib_path = detector.auto_detect_library()
+    try:
+        funcs = hardware.load_pkcs11(lib_path)
+        slots = hardware.get_slots(funcs, token_present=True)
+        hardware.unblock_card_pin(funcs, slots[0], puk, new_pin)
+        return {'status': 'ok', 'reasonCode': 200, 'reasonText': 'PIN successfully unblocked'}
+    except Exception as e:
+        return {'status': 'error', 'reasonCode': 403, 'reasonText': str(e)}
+@app.post('/writeCertSC')
+def write_cert_sc(req):
+    data = req.json
+    cert_b64 = data.get('certificate')
+    if not cert_b64:
+        return {'status': 'error', 'reasonCode': 400, 'reasonText': 'Missing certificate data'}
+    ui_provider = ui.get_ui_provider()
+    pin = ui_provider.prompt_pin()
+    if not pin:
+        return {'status': 'error', 'reasonCode': 401, 'reasonText': 'PIN canceled'}
+    lib_path = detector.auto_detect_library()
+    try:
+        cert_der = base64.b64decode(cert_b64)
+        funcs = hardware.load_pkcs11(lib_path)
+        slots = hardware.get_slots(funcs, token_present=True)
+        hardware.write_certificate(funcs, slots[0], pin, cert_der, label="B-Trust Certificate")
+        return {'status': 'ok', 'reasonCode': 200, 'reasonText': 'Certificate successfully written to card'}
+    except Exception as e:
+        return {'status': 'error', 'reasonCode': 500, 'reasonText': str(e)}
+if __name__ == '__main__':
+    app.run(host='127.0.0.1', port=4843)

pybiss-0.0.1/src/cert_parser.py ADDED Viewed

@@ -0,0 +1,193 @@
+from datetime import datetime, timezone
+class DerReader:
+    def __init__(self, data: bytes):
+        self.data = data
+        self.pos = 0
+    def is_empty(self) -> bool:
+        return self.pos >= len(self.data)
+    def read_seq(self):
+        ''' Expects a sequence and returns a new reader for its contents '''
+        tag, val = self.read_tlv()
+        if tag != 0x30:
+            raise ValueError(f'Expected SEQUENCE (0x30), got {hex(tag)}')
+        return DerReader(val)
+    def read_tlv(self) -> tuple[int, bytes]:
+        ''' Reads a Tag-Length-Value block and advances the pointer '''
+        if self.pos >= len(self.data):
+            raise ValueError("Unexpected EOF reading tag")
+        tag = self.data[self.pos]
+        self.pos += 1
+        if self.pos >= len(self.data):
+            raise ValueError("Unexpected EOF reading length")
+        length = self.data[self.pos]
+        self.pos += 1
+        # Handle multi-byte lengths (e.g. > 127 bytes)
+        if length & 0x80:
+            num_bytes = length & 0x7F
+            if self.pos + num_bytes > len(self.data):
+                raise ValueError("Unexpected EOF reading multi-byte length")
+            length = int.from_bytes(self.data[self.pos:self.pos + num_bytes], 'big')
+            self.pos += num_bytes
+        # Strict bounds check before slicing
+        if self.pos + length > len(self.data):
+            raise ValueError(f"Unexpected EOF reading value. Needs {length} bytes, but only {len(self.data) - self.pos} left.")
+        val = self.data[self.pos:self.pos + length]
+        self.pos += length
+        return tag, val
+def _decode_string(tag: int, val: bytes) -> str:
+    if tag == 0x1E:  # BMPString (Microsoft AD CS often uses this)
+        return val.decode('utf-16-be')
+    return val.decode('utf-8', errors='ignore')
+def _parse_name(name_der: bytes) -> str:
+    ''' Extracts the X.509 distinguished name (DN) into a standard format '''
+    parts = []
+    outer = DerReader(name_der)
+    while not outer.is_empty():
+        _, set_val = outer.read_tlv()
+        set_r = DerReader(set_val)
+        while not set_r.is_empty():
+            seq_r = DerReader(set_r.read_tlv()[1])
+            oid = seq_r.read_tlv()[1]
+            str_tag, str_val = seq_r.read_tlv()
+            label = {
+                b'\x55\x04\x03': 'CN',
+                b'\x55\x04\x06': 'C',
+                b'\x55\x04\x0a': 'O',
+                b'\x55\x04\x0b': 'OU'
+            }.get(oid, 'Unknown')
+            parts.append(f'{label}={_decode_string(str_tag, str_val)}')
+    parts.reverse() # Reverse to match RFC4514 representation
+    return ','.join(parts)
+def _parse_time(tag: int, val: bytes) -> int:
+    s = val.decode('ascii')
+    if tag == 0x17:  # UTCTime (YYMMDDHHMMSSZ)
+        y = int(s[:2])
+        y += 2000 if y < 50 else 1900
+        s = f'{y}{s[2:]}'
+    # GeneralizedTime is already YYYYMMDDHHMMSSZ
+    dt = datetime.strptime(s[:14], '%Y%m%d%H%M%S')
+    return int(dt.replace(tzinfo=timezone.utc).timestamp())
+def parse_certificate(der_bytes: bytes) -> dict:
+    ''' Parses an X.509 DER certificate to extract B-Trust metadata '''
+    cert = DerReader(der_bytes).read_seq()
+    tbs = cert.read_seq()
+    # Version (Optional [0])
+    tag, val = tbs.read_tlv()
+    if tag == 0xA0:
+        tag, val = tbs.read_tlv() # Move to Serial
+    # Serial Number
+    serial = str(int.from_bytes(val, 'big'))
+    # Signature Algorithm (Skip)
+    tbs.read_tlv()
+    # Issuer Name
+    _, issuer_val = tbs.read_tlv()
+    issuer = _parse_name(issuer_val)
+    # Validity Timestamps
+    validity = DerReader(tbs.read_tlv()[1])
+    not_before = _parse_time(*validity.read_tlv())
+    not_after = _parse_time(*validity.read_tlv())
+    # Subject Name
+    _, subject_val = tbs.read_tlv()
+    subject = _parse_name(subject_val)
+    # SubjectPublicKeyInfo (SPKI) -> RSA Modulus and Exponent
+    _, spki_val = tbs.read_tlv()
+    spki = DerReader(spki_val)
+    spki.read_tlv() # Skip AlgorithmIdentifier
+    bit_string = spki.read_tlv()[1]
+    pkcs1 = DerReader(bit_string[1:]).read_seq()
+    n = int.from_bytes(pkcs1.read_tlv()[1], 'big')
+    e = int.from_bytes(pkcs1.read_tlv()[1], 'big')
+    # Extract Key Usages and AKI from Extensions
+    usages, aki = [], ''
+    while not tbs.is_empty():
+        ext_tag, ext_val = tbs.read_tlv()
+        if ext_tag == 0xA3: # Extensions [3]
+            ext_seq = DerReader(ext_val).read_seq()
+            while not ext_seq.is_empty():
+                ext = DerReader(ext_seq.read_tlv()[1])
+                oid = ext.read_tlv()[1]
+                e_tag, e_val = ext.read_tlv()
+                if e_tag == 0x01: # Skip Boolean CRITICAL flag
+                    e_tag, e_val = ext.read_tlv()
+                if oid == b'\x55\x1d\x0f': # Key Usage
+                    bits = DerReader(e_val).read_tlv()[1]
+                    if len(bits) > 1:
+                        b = bits[1]
+                        if b & 0x80: usages.append('digitalSignature')
+                        if b & 0x40: usages.append('nonRepudiation')
+                        if b & 0x20: usages.append('keyEncipherment')
+                elif oid == b'\x55\x1d\x23': # Authority Key Identifier (AKI)
+                    inner = DerReader(e_val).read_seq()
+                    if not inner.is_empty():
+                        a_tag, a_val = inner.read_tlv()
+                        if a_tag == 0x80: # [0] KeyIdentifier
+                            aki = a_val.hex().upper()
+    return {
+        'serial': serial, 'issuer': issuer, 'subject': subject,
+        'not_before': not_before, 'not_after': not_after,
+        'key_usages': usages, 'aki': aki, 'n': n, 'e': e
+    }
+def get_x509_subject(der_bytes: bytes) -> str:
+    subject_str = parse_certificate(der_bytes)['subject']
+    for part in subject_str.split(','):
+        if part.startswith('CN='): return part[3:]
+    return 'Unknown Subject'
+def get_x509_metadata(der_bytes: bytes) -> dict:
+    return parse_certificate(der_bytes)
+def get_rsa_public_key(der_bytes: bytes) -> tuple[int, int]:
+    cert = parse_certificate(der_bytes)
+    return cert['n'], cert['e']

pybiss-0.0.1/src/config.py ADDED Viewed

@@ -0,0 +1,68 @@
+import os, sys, configparser
+from pathlib import Path
+class ConfigManager:
+    ''' Manages persistent user settings in a local .ini file '''
+    def __init__(self, app_name='PyBISS', config_file_name='settings.ini'):
+        self.config_dir = self._get_config_dir(app_name)
+        self.config_file = self.config_dir / config_file_name
+        self.parser = configparser.ConfigParser()
+        # Prevent configparser from converting keys to lowercase
+        self.parser.optionxform = str
+        # Define the baseline defaults
+        self.parser['Settings'] = {
+            'signAPI': 'PKCS11',
+            'pkcs11Path': '',
+            'pfxPath': '',
+            'language': 'en',
+            'osStarted': 'True',
+            'newSacRequired': 'True'
+        }
+        self.load()
+    def _get_config_dir(self, app_name: str) -> Path:
+        if os.name == 'nt':
+            base = os.getenv('APPDATA', str(Path.home() / 'AppData' / 'Roaming'))
+            return Path(base) / app_name
+        elif sys.platform == 'darwin':
+            return Path.home() / 'Library' / 'Application Support' / app_name
+        else:
+            base = os.getenv('XDG_CONFIG_HOME', str(Path.home() / '.config'))
+            return Path(base) / app_name
+    def load(self):
+        ''' Reads the .ini file. Missing keys will fall back to the defaults above '''
+        if self.config_file.exists():
+            self.parser.read(self.config_file, encoding='utf-8')
+        else:
+            self.save()
+    def save(self):
+        ''' Writes the current state to the .ini file '''
+        self.config_dir.mkdir(parents=True, exist_ok=True)
+        try:
+            with open(self.config_file, 'w', encoding='utf-8') as f:
+                self.parser.write(f)
+        except Exception as e:
+            print(f'[!] Error saving config: {e}')
+    def get(self, key: str, fallback=None) -> str:
+        return self.parser.get('Settings', key, fallback=fallback)
+    def get_bool(self, key: str, fallback=False) -> bool:
+        return self.parser.getboolean('Settings', key, fallback=fallback)
+    def set(self, key: str, value):
+        self.parser.set('Settings', key, str(value))
+        self.save()
+config = ConfigManager()