fix: forward password to private-key fingerprinting (v0.1.1)

get_rsa_key_fingerprint(is_private=True) called load_pem_private_key(password=None),
so an encrypted private key raised a raw TypeError. add an optional password param
forwarded to the load; unencrypted keys ignore it.

verified: encrypted private key fingerprints with its password and matches the
public key's fingerprint; missing password still raises.

Signed-off-by: disqualifier <dev@disqualifier.me>
disqualifier 2026-06-28 15:53:04 -04:00
parent 659aa7849d
commit 313b0c7d56
2 changed files with 12 additions and 4 deletions


@ -4,7 +4,7 @@ build-backend = "hatchling.build"
[project]
name = "envelope_crypto"
version = "0.1.0"
version = "0.1.1"
description = "Envelope encryption (RSA-OAEP wrapped AES-256-GCM) for dict records — config-free, storage-agnostic, installable."
requires-python = ">=3.10"
dependencies = [


@ -147,9 +147,15 @@ class EnvelopeCrypto:
return key
def get_rsa_key_fingerprint(
self, key_path_or_data: str, is_private: bool = False, is_file: bool = True
self, key_path_or_data: str, is_private: bool = False, is_file: bool = True,
password: Optional[str] = None,
) -> str:
"""return a base64 SHA-256 fingerprint of an RSA key for identification"""
"""return a base64 SHA-256 fingerprint of an RSA key for identification
for an encrypted private key (is_private=True), pass its `password`; an
unencrypted key ignores it. fingerprinting always uses the public half, so a
private and its public key produce the same fingerprint.
"""
if is_file:
with open(key_path_or_data, "rb") as key_file:
key_data = key_file.read()
@ -161,7 +167,9 @@ class EnvelopeCrypto:
)
if is_private:
private_key = serialization.load_pem_private_key(key_data, password=None)
private_key = serialization.load_pem_private_key(
key_data, password=password.encode() if password else None
)
public_key = private_key.public_key()
else:
try:
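Review bot: The new docstring promises that "an unencrypted key ignores it", but the `is_private` branch passes `password.encode()` straight to `serialization.load_pem_private_key`, which may not ignore it. If `serialization` is pyca/cryptography's module (the import is not visible here), that loader raises `TypeError` when a password is supplied for a key that is not encrypted, as far as I know, so a caller who always passes the password would hit the same kind of raw error this commit set out to remove. The commit message lists the encrypted and missing-password cases as verified but not this one, so it deserves a test. Depending on the result, either correct the docstring to name the `TypeError` for both mismatches, or translate it at the call, e.g. `except TypeError as exc: raise ValueError("private key password missing or not applicable") from exc`. The function body continues past the end of this hunk, so any handling further down is not visible here.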