Merge PR #72

elibon99 · elibon99 · commit 09a33515ee39 · 2025-07-09T16:01:04.000+02:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -36,7 +36,7 @@ jobs:
       - name: Install uv
         uses: astral-sh/setup-uv@v5
         with:
-          enable-cache: true
+          enable-cache: false
 
       - name: Set up Python
         uses: actions/setup-python@v5
@@ -70,7 +70,7 @@ jobs:
       - name: Install uv
         uses: astral-sh/setup-uv@v5
         with:
-          enable-cache: true
+          enable-cache: false
 
       - name: Set up Python
         uses: actions/setup-python@v5
@@ -112,7 +112,7 @@ jobs:
       - name: Install uv
         uses: astral-sh/setup-uv@v5
         with:
-          enable-cache: true
+          enable-cache: false
 
       - name: Set up Python
         uses: actions/setup-python@v5
@@ -138,7 +138,7 @@ jobs:
       - name: Install uv
         uses: astral-sh/setup-uv@v5
         with:
-          enable-cache: true
+          enable-cache: false
 
       - name: Set up Python
         uses: actions/setup-python@v5
diff --git a/NEWS b/NEWS
@@ -1,3 +1,10 @@
+* Version 3.1.1 (released 2025-06-24)
+ ** Support for compressing X509 certificates before import.
+ ** Simplified parsing of extensions in attestation certificates.
+ ** Changes relevant to maintainers
+ *** Switched package manager to uv.
+ *** Replaced Black, flake8 and bandit with ruff, and added pyright.
+
 * Version 3.1.0 (released 2024-09-09)
  ** Support for asymmetric wrap (for FW 2.4+).
  ** Support for wrapping ed25519 keys with seed (for FW 2.4+).
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "yubihsm"
-version = "3.1.1.dev0"
+version = "3.1.2-dev.0"
 description = "Library for communication with a YubiHSM 2 over HTTP or USB."
 authors = [{ name = "Dain Nilsson", email = "<dain@yubico.com>" }]
 readme = "README.adoc"
diff --git a/tests/device/test_wrap.py b/tests/device/test_wrap.py
@@ -664,30 +664,51 @@ def test_export_using_private_wrapkey(self, session):
         private_wrapkey.delete()
 
     def test_get_public_key(self, session):
-        key = rsa.generate_private_key(
+        import_key = rsa.generate_private_key(
+            public_exponent=0x10001, key_size=2048, backend=default_backend()
+        )
+        export_key = rsa.generate_private_key(
             public_exponent=0x10001, key_size=2048, backend=default_backend()
         )
 
-        wrapkey = WrapKey.put(
+        export_wrapkey = PublicWrapKey.put(
+            session,
+            0,
+            "Test Get Public Key (PublicWrapKey)",
+            1,
+            CAPABILITY.EXPORT_WRAPPED,
+            CAPABILITY.EXPORTABLE_UNDER_WRAP,
+            export_key.public_key(),
+        )
+        import_wrapkey = WrapKey.put(
             session,
             0,
-            "Test Get Public Key",
+            "Test Get Public Key (WrapKey)",
             1,
             CAPABILITY.EXPORT_WRAPPED,
             ALGORITHM.RSA_2048,
             CAPABILITY.NONE,
-            key,
+            import_key,
         )
 
-        pub = wrapkey.get_public_key()
-        assert pub.public_bytes(
+        import_pub = import_wrapkey.get_public_key()
+        export_pub = export_wrapkey.get_public_key()
+        assert import_pub.public_bytes(
             encoding=serialization.Encoding.PEM,
             format=serialization.PublicFormat.SubjectPublicKeyInfo,
-        ) == key.public_key().public_bytes(
+        ) == import_key.public_key().public_bytes(
             encoding=serialization.Encoding.PEM,
             format=serialization.PublicFormat.SubjectPublicKeyInfo,
         )
-        wrapkey.delete()
+        assert export_pub.public_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PublicFormat.SubjectPublicKeyInfo,
+        ) == export_key.public_key().public_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PublicFormat.SubjectPublicKeyInfo,
+        )
+        import_wrapkey.delete()
+        export_wrapkey.delete()
 
     def test_export_ed25519(self, session):
         wrapkey = WrapKey.put(
diff --git a/yubihsm/__init__.py b/yubihsm/__init__.py
@@ -27,4 +27,4 @@
 from .core import YubiHsm  # noqa F401
 
 
-__version__ = "3.1.1.dev0"
+__version__ = "3.1.2-dev.0"
diff --git a/yubihsm/objects.py b/yubihsm/objects.py
@@ -135,6 +135,12 @@ def _get_int(c: x509.Certificate, oid: int) -> int:
 
 @dataclass
 class AttestationExtensions:
+    """Base attestation extensions.
+
+    :ivar firmware_version: YubiHSM firmware version.
+    :ivar serial: YubiHSM serial number.
+    """
+
     firmware_version: Version
     serial: int
 
@@ -157,6 +163,11 @@ def parse(
 
 @dataclass
 class DeviceAttestationExtensions(AttestationExtensions):
+    """Device attestation extensions. Available on YubiHSM FIPS only.
+
+    :ivar fips_certificate: The FIPS certificate.
+    """
+
     fips_certificate: Optional[int]
 
     @classmethod
@@ -174,6 +185,17 @@ def parse(cls, certificate: x509.Certificate, *args):
 
 @dataclass
 class KeyAttestationExtensions(AttestationExtensions):
+    """Key attestation extensions.
+
+    :ivar origin: The origin of the key.
+    :ivar domains: The set of domains assigned to the key object.
+    :ivar capabilities: The set of capabilities assigned to the key object.
+    :ivar object_id: The ID of the key object.
+    :ivar label: The label of the key object.
+    :ivar fips_approved: (available on YubiHSM FIPS >= 2.4.1 only) True if
+        the key attestation was generated in FIPS-approved mode.
+    """
+
     origin: ORIGIN
     domains: int
     capabilities: CAPABILITY
@@ -1250,6 +1272,16 @@ def put(
 
         return cls._from_command(session, COMMAND.PUT_PUBLIC_WRAP_KEY, msg)
 
+    def get_public_key(self) -> rsa.RSAPublicKey:
+        """Get the public wrapkey."""
+        msg = struct.pack("!HB", self.id, self.object_type)
+        ret = self.session.send_secure_cmd(COMMAND.GET_PUBLIC_KEY, msg)
+        raw_key = ret[1:]
+        num = int.from_bytes(raw_key, "big")
+        return rsa.RSAPublicNumbers(e=RSA_PUBLIC_EXPONENT, n=num).public_key(
+            backend=default_backend()
+        )
+
     def _rsa_wrap_cmd_data(
         self,
         obj: YhsmObject,

Original file line number	Diff line number	Diff line change
`@@ -27,4 +27,4 @@`
`27`	`27`	`from .core import YubiHsm # noqa F401`
`28`	`28`
`29`	`29`
`30`		`-__version__ = "3.1.1.dev0"`
	`30`	`+__version__ = "3.1.2-dev.0"`