[python-win32] Use TPM from Crypto API

Antoine FERRON antoine.ferron at bitlogik.fr
Sun Nov 22 07:16:09 EST 2020


Hello pywin32 maintainers and enthusiasts,

I intend to use a TPM on Windows to generate, store and sign, through the win32 CNG API (NCryptCreatePersistedKey (https://docs.microsoft.com/en-us/windows/win32/api/ncrypt/nf-ncrypt-ncryptcreatepersistedkey) and NCryptSignHash), but within a Python program. When creating a key, one has to provide the hProvider (handle to the Key Storage Provider) parameter as "Microsoft Platform Crypto Provider" to select the TPM target.
My first guess was that pywin32 can be the way to go. But going deeper in the docs (http://timgolden.me.uk/pywin32-docs/win32crypt.html) and in the code, I now think that it can only use the "legacy" Crypto API ("CAPI") and not the New Generation ("CNG"), and the TPM "Microsoft Platform Crypto Provider" looks to be only available from the NG interface.
I did the following in Python 3.6.8:
import win32crypt
print(win32crypt.CryptEnumProviders())
and only legacy key providers appear there, not the new "Microsoft Platform Crypto Provider" needed to select the TPM target. The "NG" providers listed by the "certutil -csplist" command are missing.

Can you confirm that TPM "Microsoft Platform Crypto Provider" requires "CNG", and that pywin32 is only "CAPI" capable? Anyway, do you have some ideas in mind to reach my goal?

_____________________________________
Antoine FERRON
Président — BitLogiK

bitlogik.fr (https://bitlogik.fr) — PGP Key ID#22F95B31 (https://pgp.key-server.io/0xE353957C22F95B31)
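Added example, not part of the original message and not pywin32 code: the post asks how to reach NCryptCreatePersistedKey and NCryptSignHash on the "Microsoft Platform Crypto Provider" from Python when win32crypt only exposes CAPI. One route that needs no pywin32 at all is to call ncrypt.dll directly with ctypes, which the standard library ships. The function names, flag value NCRYPT_OVERWRITE_KEY_FLAG (0x80), algorithm name "ECDSA_P256", blob type "ECCPUBLICBLOB" and the BCRYPT_ECDSA_PUBLIC_P256_MAGIC value are from the documented CNG API; the helper names tpm_sign_sha256, ecdsa_raw_to_der and eccpublicblob_to_point are my own. The DLL is loaded lazily so the pure-Python helpers (which convert CNG's raw r||s signature and ECCPUBLICBLOB output into the DER and SEC1 forms that OpenSSL-style verifiers expect) also run off Windows; the signing path itself requires Windows with a TPM-backed platform provider.

```python
"""Use the CNG Key Storage API (ncrypt.dll) from Python via ctypes to create a
TPM-resident ECDSA P-256 key and sign a SHA-256 digest with it.
Added example; assumes Windows + "Microsoft Platform Crypto Provider" for the
signing path. The two converters at the bottom are pure Python."""
import ctypes
import hashlib
import struct

PLATFORM_PROVIDER = "Microsoft Platform Crypto Provider"  # MS_PLATFORM_CRYPTO_PROVIDER
ECDSA_P256 = "ECDSA_P256"                                  # BCRYPT_ECDSA_P256_ALGORITHM
ECCPUBLIC_BLOB = "ECCPUBLICBLOB"                           # BCRYPT_ECCPUBLIC_BLOB
NCRYPT_OVERWRITE_KEY_FLAG = 0x80
ECDSA_PUBLIC_P256_MAGIC = 0x31534345                       # "ECS1" little-endian


def _ncrypt():
    """Load ncrypt.dll and declare argument types (Windows only, called lazily)."""
    dll = ctypes.WinDLL("ncrypt")
    HANDLE, PHANDLE = ctypes.c_void_p, ctypes.POINTER(ctypes.c_void_p)
    DWORD, PDWORD = ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)
    LPCWSTR, PBYTE = ctypes.c_wchar_p, ctypes.c_char_p
    sigs = {
        "NCryptOpenStorageProvider": (PHANDLE, LPCWSTR, DWORD),
        "NCryptCreatePersistedKey": (HANDLE, PHANDLE, LPCWSTR, LPCWSTR, DWORD, DWORD),
        "NCryptFinalizeKey": (HANDLE, DWORD),
        "NCryptOpenKey": (HANDLE, PHANDLE, LPCWSTR, DWORD, DWORD),
        "NCryptExportKey": (HANDLE, HANDLE, LPCWSTR, ctypes.c_void_p, PBYTE, DWORD, PDWORD, DWORD),
        "NCryptSignHash": (HANDLE, ctypes.c_void_p, PBYTE, DWORD, PBYTE, DWORD, PDWORD, DWORD),
        "NCryptFreeObject": (HANDLE,),
    }
    for name, argtypes in sigs.items():
        fn = getattr(dll, name)
        fn.argtypes, fn.restype = argtypes, ctypes.c_long  # SECURITY_STATUS
    return dll


def _check(status, call):
    """Every NCrypt* call returns a SECURITY_STATUS; 0 is ERROR_SUCCESS."""
    if status != 0:
        raise OSError(f"{call} failed with SECURITY_STATUS 0x{status & 0xFFFFFFFF:08X}")


def tpm_sign_sha256(key_name, data, create=False):
    """Return (raw_signature, eccpublicblob) for SHA-256(data) using the named
    persisted key in the platform (TPM) provider. create=True generates the key
    inside the TPM first; the private half never leaves the chip."""
    nc = _ncrypt()
    prov, key = ctypes.c_void_p(), ctypes.c_void_p()
    _check(nc.NCryptOpenStorageProvider(ctypes.byref(prov), PLATFORM_PROVIDER, 0),
           "NCryptOpenStorageProvider")
    try:
        if create:
            _check(nc.NCryptCreatePersistedKey(prov, ctypes.byref(key), ECDSA_P256, key_name,
                                               0, NCRYPT_OVERWRITE_KEY_FLAG), "NCryptCreatePersistedKey")
            _check(nc.NCryptFinalizeKey(key, 0), "NCryptFinalizeKey")  # key material is generated here
        else:
            _check(nc.NCryptOpenKey(prov, ctypes.byref(key), key_name, 0, 0), "NCryptOpenKey")
        try:
            digest = hashlib.sha256(data).digest()
            size = ctypes.c_ulong()
            # CNG two-call pattern: first call reports the needed size, second fills the buffer.
            _check(nc.NCryptSignHash(key, None, digest, len(digest), None, 0, ctypes.byref(size), 0),
                   "NCryptSignHash(size)")
            sig = ctypes.create_string_buffer(size.value)
            _check(nc.NCryptSignHash(key, None, digest, len(digest), sig, size.value,
                                     ctypes.byref(size), 0), "NCryptSignHash")
            raw_sig = sig.raw[:size.value]
            _check(nc.NCryptExportKey(key, None, ECCPUBLIC_BLOB, None, None, 0, ctypes.byref(size), 0),
                   "NCryptExportKey(size)")
            pub = ctypes.create_string_buffer(size.value)
            _check(nc.NCryptExportKey(key, None, ECCPUBLIC_BLOB, None, pub, size.value,
                                      ctypes.byref(size), 0), "NCryptExportKey")
            return raw_sig, pub.raw[:size.value]
        finally:
            nc.NCryptFreeObject(key)
    finally:
        nc.NCryptFreeObject(prov)


def _der_len(n):
    return bytes([n]) if n < 128 else b"\x81" + bytes([n])


def ecdsa_raw_to_der(raw):
    """CNG returns ECDSA signatures as r||s (64 bytes for P-256); convert to the
    DER SEQUENCE of two INTEGERs that OpenSSL-style verifiers expect."""
    half = len(raw) // 2

    def der_int(b):
        b = b.lstrip(b"\x00") or b"\x00"
        if b[0] & 0x80:          # keep the INTEGER positive
            b = b"\x00" + b
        return b"\x02" + _der_len(len(b)) + b

    body = der_int(raw[:half]) + der_int(raw[half:])
    return b"\x30" + _der_len(len(body)) + body


def eccpublicblob_to_point(blob):
    """Parse a BCRYPT_ECCKEY_BLOB (ULONG dwMagic, ULONG cbKey, X, Y) from
    NCryptExportKey into the uncompressed SEC1 point 0x04||X||Y."""
    magic, cb = struct.unpack_from("<II", blob, 0)
    if magic != ECDSA_PUBLIC_P256_MAGIC:
        raise ValueError(f"unexpected blob magic 0x{magic:08X}")
    return b"\x04" + blob[8:8 + cb] + blob[8 + cb:8 + 2 * cb]
```

On a Windows host, `tpm_sign_sha256("demo-key", b"payload", create=True)` creates the key under the platform provider (run once with create=True, then open it by name), and `ecdsa_raw_to_der` plus `eccpublicblob_to_point` give you a signature and public key that the `cryptography` package or OpenSSL can verify on any machine. The same ctypes pattern, with "ECDSA_P256" swapped for "RSA" and a BCRYPT_PKCS1_PADDING_INFO structure passed as pPaddingInfo, covers RSA keys; `certutil -csplist` is a quick way to confirm the platform provider is present before trying.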