I have an Autobahn-Python app that currently uses WAMP-Ticket and I would like to use WAMP-Cryptosign (which seems to be both easier and more secure), but I need to figure out the best way for my Python client to generate a ed25519 public/private key pair. It appears that PyNaCl can do it but that is a pretty heavy dependency to add to my client just to generate a key pair! Does anyone know of a lighter-weight package or module that can do it (preferably pure python – since all it is doing is generating the key pair one time, performance is not really an issue).

You can simply grab 32 bytes of random data from /dev/urandom e.g. by os.urandom(32) in Python.

PyNaCl does have a pure-python fallback if I recall? (And if you’re using wamp-cryptosign in your client you’ll end up with that dependency anyway, I think?)

Oh, to clarify: the 32 bytes of random data would be a suitable private key. You’ll need PyNaCl or similar to spit out the public key. You can also use crossbar keygen to spit out a public+private keypair in hex.

Thanks, meejah, that’s very useful! Right now I’m looking at cryptography so see if I can use that in the client to generate the keypair.
The scenario I’m hoping to implement is:

  1. send a new user a one-time password via email
  2. user uses the client to generate public+private keypair, then uses the one-time password to log into crossbar and send the public key
  3. a service stores the userid and public key in a local (to crossbar) credential “database” (a file or db of some kind).

I am leery of having crossbar generate the keypair because that would mean having to send the private key over the wire to the client – not so good – or else some other cumbersome process like put it on a thumb drive and give it to the user.

Thanks again for the input!

Yes, the client-side should generate the keypair; otherwise the server could retain the private key. The crossbar keygen thing is more for convenience if you’re e.g. provisioning your own machines or so.