From 313b0c7d56b0ad710fdb690c5d9bd94e0dfc5fcd Mon Sep 17 00:00:00 2001
From: disqualifier
Date: Sun, 28 Jun 2026 15:53:04 -0400
Subject: [PATCH] fix: forward password to private-key fingerprinting (v0.1.1)
get_rsa_key_fingerprint(is_private=True) called load_pem_private_key(password=None), so an encrypted private key raised a raw TypeError. add an optional password param forwarded to the load; unencrypted keys ignore it. verified: encrypted private key fingerprints with its password and matches the public key's fingerprint; missing password still raises.
Signed-off-by: disqualifier
---
 pyproject.toml | 2 +-
 src/envelope_crypto/envelope_crypto.py | 14 +++++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index e38238c..dea367e 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "envelope_crypto"
-version = "0.1.0"
+version = "0.1.1"
 description = "Envelope encryption (RSA-OAEP wrapped AES-256-GCM) for dict records — config-free, storage-agnostic, installable."
 requires-python = ">=3.10"
 dependencies = [
diff --git a/src/envelope_crypto/envelope_crypto.py b/src/envelope_crypto/envelope_crypto.py
index 43127cf..70f36a8 100644
--- a/src/envelope_crypto/envelope_crypto.py
+++ b/src/envelope_crypto/envelope_crypto.py
@@ -147,9 +147,15 @@ class EnvelopeCrypto:
 return key
 def get_rsa_key_fingerprint(
- self, key_path_or_data: str, is_private: bool = False, is_file: bool = True
+ self, key_path_or_data: str, is_private: bool = False, is_file: bool = True,
+ password: Optional[str] = None,
 ) -> str:
- """return a base64 SHA-256 fingerprint of an RSA key for identification"""
+ """return a base64 SHA-256 fingerprint of an RSA key for identification
+ for an encrypted private key (is_private=True), pass its `password`; an
+ unencrypted key ignores it. fingerprinting always uses the public half, so a
+ private and its public key produce the same fingerprint.
+ """
 if is_file:
 with open(key_path_or_data, "rb") as key_file:
 key_data = key_file.read()
@@ -161,7 +167,9 @@ class EnvelopeCrypto:
 )
 if is_private:
- private_key = serialization.load_pem_private_key(key_data, password=None)
+ private_key = serialization.load_pem_private_key(
+ key_data, password=password.encode() if password else None
+ )
 public_key = private_key.public_key()
 else:
 try:
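Review bot: The docstring line added in the first hunk, `unencrypted key ignores it`, does not match the call added in the second hunk as far as the `cryptography` documentation goes: `load_pem_private_key` is documented to raise `TypeError` when a password is given for a key that is not encrypted, so a caller that always passes its configured password would hit the same raw `TypeError` this patch sets out to remove. Failing there is arguably the safer behaviour, since it surfaces a private key stored without encryption, so I would keep the code and reword the docstring to `pass password only for an encrypted key; a password supplied for an unencrypted key raises TypeError`. The `Optional[str]` annotation also needs `Optional` imported from `typing`, which neither hunk shows. The method starts and ends outside both hunks, so any handling further down is not visible here.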