envelope_crypto

rethink-public/envelope_crypto

Fork 0

Commit Graph

Author	SHA1	Message	Date
disqualifier	5de8b5d736	fix: OpenSSH private-key fingerprint fallback + clean error on missing password get_rsa_key_fingerprint(is_private=True) only loaded PEM private keys, so an OpenSSH-format private key raised — unlike decrypt_aes_key_with_rsa, which already had the fallback. mirrored it: on a PEM load failure, an OPENSSH-marked key is loaded via load_ssh_private_key. also normalized the encrypted-key-without-password case: cryptography raises TypeError there, which now becomes a clear ValueError('private key is encrypted but no password was provided') in both methods instead of leaking the raw TypeError. Signed-off-by: disqualifier <dev@disqualifier.me>	2026-06-29 01:39:21 -04:00
disqualifier	313b0c7d56	fix: forward password to private-key fingerprinting (v0.1.1) get_rsa_key_fingerprint(is_private=True) called load_pem_private_key(password=None), so an encrypted private key raised a raw TypeError. add an optional password param forwarded to the load; unencrypted keys ignore it. verified: encrypted private key fingerprints with its password and matches the public key's fingerprint; missing password still raises. Signed-off-by: disqualifier <dev@disqualifier.me>	2026-06-28 15:53:04 -04:00
disqualifier	659aa7849d	add package: pyproject + src EnvelopeCrypto: hybrid envelope encryption for dict records — a random AES-256-GCM data key (DEK) encrypts the data, wrapped per-system via RSA-OAEP (SHA-256) for distribution. config-free (DEK + key paths injected), storage-agnostic, object-only. covers bootstrap/self_test, authorize/deauthorize, rotate + reencrypt, and record-level decrypt. src/ layout, hatchling build, cryptography backend. Signed-off-by: disqualifier <dev@disqualifier.me>	2026-06-24 21:36:43 -04:00

Author

SHA1

Message

Date

disqualifier

5de8b5d736

fix: OpenSSH private-key fingerprint fallback + clean error on missing password

get_rsa_key_fingerprint(is_private=True) only loaded PEM private keys, so an OpenSSH-format private key raised — unlike decrypt_aes_key_with_rsa, which already had the fallback. mirrored it: on a PEM load failure, an OPENSSH-marked key is loaded via load_ssh_private_key. also normalized the encrypted-key-without-password case: cryptography raises TypeError there, which now becomes a clear ValueError('private key is encrypted but no password was provided') in both methods instead of leaking the raw TypeError.

Signed-off-by: disqualifier <dev@disqualifier.me>

2026-06-29 01:39:21 -04:00

disqualifier

313b0c7d56

fix: forward password to private-key fingerprinting (v0.1.1)

get_rsa_key_fingerprint(is_private=True) called load_pem_private_key(password=None),
so an encrypted private key raised a raw TypeError. add an optional password param
forwarded to the load; unencrypted keys ignore it.

verified: encrypted private key fingerprints with its password and matches the
public key's fingerprint; missing password still raises.

Signed-off-by: disqualifier <dev@disqualifier.me>

2026-06-28 15:53:04 -04:00

disqualifier

659aa7849d

add package: pyproject + src

EnvelopeCrypto: hybrid envelope encryption for dict records — a random
AES-256-GCM data key (DEK) encrypts the data, wrapped per-system via
RSA-OAEP (SHA-256) for distribution. config-free (DEK + key paths
injected), storage-agnostic, object-only. covers bootstrap/self_test,
authorize/deauthorize, rotate + reencrypt, and record-level decrypt.
src/ layout, hatchling build, cryptography backend.

Signed-off-by: disqualifier <dev@disqualifier.me>

2026-06-24 21:36:43 -04:00

3 Commits