Compare commits


No commits in common. "8a220a8810d350d5f1f5d727d6d563748524612a" and "41859d70f8623cfd564ccb3b1bec094622fd29ee" have entirely different histories.

2 changed files with 8 additions and 8 deletions


@ -37,10 +37,10 @@ openssl rsa -in local_priv.pem -pubout -out local_pub.pem
from envelope_crypto import EnvelopeCrypto from envelope_crypto import EnvelopeCrypto
# generate the DEK and wrap it for this system in one call # generate the DEK and wrap it for this system in one call
crypto, fingerprint, wrapped = EnvelopeCrypto.bootstrap(cfg.local_pub) crypto, fingerprint, wrapped = EnvelopeCrypto.bootstrap("public_key.pem")
# verify the keypair actually round-trips BEFORE storing anything # verify the keypair actually round-trips BEFORE storing anything
crypto.self_test(cfg.local_pub, cfg.local_priv) # raises if keys don't pair crypto.self_test("public_key.pem", "private_key.pem") # raises if keys don't pair
# store the wrapped key — this is now the ONLY record of the DEK # store the wrapped key — this is now the ONLY record of the DEK
await db.create_document("keys", {"_id": fingerprint, "key": wrapped}) await db.create_document("keys", {"_id": fingerprint, "key": wrapped})
@ -53,11 +53,11 @@ re-derived each boot by unwrapping. **Never persist the plaintext key.**
```python ```python
crypto = EnvelopeCrypto() crypto = EnvelopeCrypto()
fingerprint = crypto.get_rsa_key_fingerprint(cfg.local_pub) fingerprint = crypto.get_rsa_key_fingerprint("public_key.pem")
record = await db.get_document("keys", {"_id": fingerprint}) record = await db.get_document("keys", {"_id": fingerprint})
if not record: if not record:
raise RuntimeError("this system is not authorized") raise RuntimeError("this system is not authorized")
crypto.initialize(crypto.decrypt_aes_key_with_rsa(record["key"], cfg.local_priv)) crypto.initialize(crypto.decrypt_aes_key_with_rsa(record["key"], "private_key.pem"))
bot.crypto = crypto bot.crypto = crypto
``` ```


@ -17,15 +17,15 @@ envelope-encryption pattern used by KMS-style systems.
first-time setup: generate the DEK and wrap it for the first system in one call, first-time setup: generate the DEK and wrap it for the first system in one call,
then verify the pipeline before storing anything: then verify the pipeline before storing anything:
crypto, fingerprint, wrapped = EnvelopeCrypto.bootstrap(cfg.local_pub) crypto, fingerprint, wrapped = EnvelopeCrypto.bootstrap("public_key.pem")
crypto.self_test(cfg.local_pub, cfg.local_priv) # raises if anything is wrong crypto.self_test("public_key.pem", "private_key.pem") # raises if anything is wrong
caller_store({"_id": fingerprint, "key": wrapped}) # the only record of the DEK caller_store({"_id": fingerprint, "key": wrapped}) # the only record of the DEK
boot (already set up): fingerprint own pubkey, fetch the wrapped DEK, unwrap: boot (already set up): fingerprint own pubkey, fetch the wrapped DEK, unwrap:
fp = crypto.get_rsa_key_fingerprint(cfg.local_pub) fp = crypto.get_rsa_key_fingerprint("public_key.pem")
record = caller_lookup(fp) record = caller_lookup(fp)
crypto.initialize(crypto.decrypt_aes_key_with_rsa(record["key"], cfg.local_priv)) crypto.initialize(crypto.decrypt_aes_key_with_rsa(record["key"], "private_key.pem"))
authorize another system (this instance must already hold the DEK): authorize another system (this instance must already hold the DEK):