Pixseal 1.0.0__pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Pixseal/imageValidator.py

@@ -0,0 +1,399 @@
+import hashlib
+import json
+from typing import TYPE_CHECKING, Sequence
+import base64
+
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
+from cryptography.exceptions import InvalidSignature
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import padding
+
+from .imageSigner import (
+    BinaryProvider,
+    addHiddenBit,
+    _build_payload_json,
+    make_channel_key,
+    _choose_channel,
+)
+from .keyInput import PublicKeyInput, resolve_public_key
+
+# profiler check
+try:
+    from line_profiler import profile
+except ImportError:
+
+    def profile(func):
+        return func
+
+
+# Dynamic typing
+from .simpleImage import (
+    ImageInput as _RuntimeImageInput,
+    SimpleImage as _RuntimeSimpleImage,
+)
+
+if TYPE_CHECKING:
+    from .simpleImage_py import ImageInput, SimpleImage
+else:
+    ImageInput = _RuntimeImageInput
+    SimpleImage = _RuntimeSimpleImage
+
+# JSON field names
+PAYLOAD_FIELD: str = "payload"
+PAYLOAD_SIG_FIELD: str = "payloadSig"
+IMAGE_HASH_FIELD: str = "imageHash"
+IMAGE_HASH_SIG_FIELD: str = "imageHashSig"
+
+# Sentinel
+START_SENTINEL: str = "START-VALIDATION"
+END_SENTINEL: str = "END-VALIDATION"
+
+# Report print option
+TAIL_HEAD_LEN = 20
+TAIL_SUFFIX_LEN = 10
+FULL_TAIL_EXTRA_LEN = 20
+
+
+def _is_json_like(value: str) -> bool:
+    return value.lstrip().startswith("{")
+
+
+def _extract_payload_json(
+    deduplicated: list[str],
+) -> dict:
+    for value in deduplicated:
+        if not _is_json_like(value):
+            continue
+        if not value.rstrip().endswith("}"):
+            continue
+        try:
+            payload_obj = json.loads(value)
+        except json.JSONDecodeError:
+            continue
+        if not isinstance(payload_obj, dict):
+            continue
+        if not all(
+            key in payload_obj
+            for key in (
+                PAYLOAD_FIELD,
+                PAYLOAD_SIG_FIELD,
+                IMAGE_HASH_FIELD,
+                IMAGE_HASH_SIG_FIELD,
+            )
+        ):
+            continue
+        return payload_obj
+    return {}
+
+
+def binaryToString(binaryCode):
+    string = []
+    for i in range(0, len(binaryCode), 8):
+        byte = binaryCode[i : i + 8]
+        decimal = int(byte, 2)
+        character = chr(decimal)
+        string.append(character)
+    return "".join(string)
+
+
+@profile
+def readHiddenBit(imageInput: ImageInput, channel_key: bytes | None = None):
+    img = (
+        imageInput
+        if isinstance(imageInput, SimpleImage)
+        else SimpleImage.open(imageInput)
+    )
+    width, height = img.size
+    pixels = img._pixels  # direct buffer access for performance
+    total = width * height
+    bits = []
+    append_bit = bits.append
+
+    if channel_key is None:
+        for idx in range(total):
+            # Progress Check
+            # print("readHiddenBit Current : ", idx, "/", total)
+
+            base = idx * 3
+            r = pixels[base]
+            g = pixels[base + 1]
+            b = pixels[base + 2]
+
+            diffR = r - 127
+            if diffR < 0:
+                diffR = -diffR
+            diffG = g - 127
+            if diffG < 0:
+                diffG = -diffG
+            diffB = b - 127
+            if diffB < 0:
+                diffB = -diffB
+
+            maxDiff = diffR
+            if diffG > maxDiff:
+                maxDiff = diffG
+            if diffB > maxDiff:
+                maxDiff = diffB
+
+            bit = "1" if maxDiff % 2 == 0 else "0"
+            append_bit(bit)
+    else:
+        for idx in range(total):
+            base = idx * 3
+            channel = _choose_channel(idx, channel_key)
+            bit = pixels[base + channel] & 1
+            append_bit("1" if bit else "0")
+
+    return "".join(bits)
+
+
+def deduplicate(arr: Sequence[str]) -> tuple[list[str], str]:
+    deduplicated = []
+    freq = {}
+    most_common = ""
+    most_count = 0
+
+    for i, value in enumerate(arr):
+        freq[value] = freq.get(value, 0) + 1
+        if freq[value] > most_count:
+            most_count = freq[value]
+            most_common = value
+
+        if i == 0 or value != arr[i - 1]:
+            deduplicated.append(value)
+
+    return deduplicated, most_common
+
+
+# Check functions
+def lengthCheck(arr: list[str]):
+    return len(arr) in (3, 4)
+
+
+def tailCheck(arr: list[str]):
+    if len(arr) != 4:
+        return None  # Not required
+
+    full_cipher = arr[1]  # complete ciphertext
+    truncated_cipher = arr[2]  # incomplete ciphertext
+
+    return full_cipher.startswith(truncated_cipher)
+
+
+def verifySigniture(original: str, sig: str, publicKey: RSAPublicKey) -> bool:
+    try:
+        publicKey.verify(
+            data=original.encode("utf-8"),
+            signature=base64.b64decode(sig, validate=True),
+            padding=padding.PSS(
+                mgf=padding.MGF1(hashes.SHA256()),
+                salt_length=padding.PSS.MAX_LENGTH,
+            ),
+            algorithm=hashes.SHA256(),
+        )
+    except InvalidSignature:
+        return False
+    return True
+
+
+# def buildValidationReport(
+#     decrypted, tailCheck: bool, skipPlain: bool = False, hashCheck=None
+# ):
+#     # Length after deduplication/decryption
+#     arrayLength = len(decrypted)
+
+#     # 1. Check that the deduplicated sequence length is valid
+#     lengthCheck = arrayLength in (3, 4)
+
+#     # 2. Validate start/end markers
+#     startCheck = decrypted[0] == "START-VALIDATION" if decrypted else False
+#     endCheck = decrypted[-1] == "END-VALIDATION" if decrypted else False
+
+#     # 4. Determine whether payload was successfully decrypted
+#     decryptedPayload = decrypted[1] if len(decrypted) > 1 else ""
+#     isDecrypted = bool(decryptedPayload) and not decryptedPayload.endswith("==")
+
+#     checkList = [lengthCheck, startCheck, endCheck, isDecrypted]
+#     # 5. Parse tailCheck result
+#     if tailCheck is None:
+#         tailCheckResult = "Not Required"
+#     else:
+#         tailCheckResult = tailCheck
+#         checkList.append(tailCheckResult)
+
+#     if hashCheck is None:
+#         hashCheckResult = "Not Checked"
+#     else:
+#         hashCheckResult = hashCheck
+#         checkList.append(hashCheckResult)
+
+#     # Overall verdict requires every check to pass
+#     verdict = all(checkList)
+
+#     result = {
+#         "arrayLength": arrayLength,
+#         "lengthCheck": lengthCheck,
+#         "startCheck": startCheck,
+#         "endCheck": endCheck,
+#         "isDecrypted": isDecrypted,
+#         "tailCheckResult": tailCheckResult,
+#         "hashCheckResult": hashCheckResult,
+#         "verdict": verdict,
+#     }
+
+#     if skipPlain:
+#         result["decryptSkipMessage"] = (
+#             "Skip decrypt: payload was plain or corrupted text despite decrypt request."
+#         )
+
+#     return result
+
+
+# main
+def validateImage(imageInput: ImageInput, publicKey: PublicKeyInput):
+    """
+    Extract the embedded payload from an image and optionally decrypt it.
+
+    Args:
+        imageInput: File path, bytes, or file-like object accepted by SimpleImage.
+        publicKey: RSA public key or certificate (object, bytes, or path).
+
+    Returns:
+        Dict with the most common extracted string, decrypted sequence, and
+        a validation report describing the sentinel checks and verdict.
+    """
+
+    publicKey = resolve_public_key(publicKey)
+    channel_key = make_channel_key(publicKey)
+    resultBinary = readHiddenBit(imageInput, channel_key=channel_key)
+    resultString = binaryToString(resultBinary)
+    splitted = resultString.split("\n")
+
+    deduplicated, most_common = deduplicate(splitted)
+    if not deduplicated or most_common == "":
+        print("deduplicate : \n", deduplicated)
+        print("most_common : \n", most_common)
+        raise ValueError("deduplication failed!")
+
+    lengthCheckResult = lengthCheck(deduplicated)
+    tailCheckResult = tailCheck(deduplicated)
+
+    payload_obj = _extract_payload_json(deduplicated)
+    if not payload_obj:
+        raise ValueError("json extraction from payload failed!")
+
+    payload_text = payload_obj[PAYLOAD_FIELD]
+    payload_sig = payload_obj[PAYLOAD_SIG_FIELD]
+    image_hash = payload_obj[IMAGE_HASH_FIELD]
+    image_hash_sig = payload_obj[IMAGE_HASH_SIG_FIELD]
+    if (
+        not isinstance(payload_text, str)
+        or not isinstance(payload_sig, str)
+        or not isinstance(image_hash, str)
+        or not isinstance(image_hash_sig, str)
+    ):
+        raise TypeError("Essenstial value missing!")
+    imageHashVerifyResult = verifySigniture(
+        original=image_hash, sig=image_hash_sig, publicKey=publicKey
+    )
+    payloadVerifyResult = verifySigniture(
+        original=payload_text, sig=payload_sig, publicKey=publicKey
+    )
+    start_sig = deduplicated[0]
+    end_sig = deduplicated[-1]
+    startVerifyResult = verifySigniture(
+        original=START_SENTINEL, sig=start_sig, publicKey=publicKey
+    )
+    endVerifyResult = verifySigniture(
+        original=END_SENTINEL, sig=end_sig, publicKey=publicKey
+    )
+
+    image_hash_placeholder = "0" * len(image_hash)
+    image_hash_sig_placeholder = "0" * len(image_hash_sig)
+
+    payload_placeholder = _build_payload_json(
+        payload_text,
+        payload_sig,
+        image_hash_placeholder,
+        image_hash_sig_placeholder,
+    )
+
+    hiddenBinary = BinaryProvider(
+        payload=payload_placeholder + "\n",
+        startString=start_sig + "\n",
+        endString="\n" + end_sig,
+    )
+
+    placeholder_image = addHiddenBit(
+        imageInput,
+        hiddenBinary,
+        channel_key=channel_key,
+    )
+    computed_hash = hashlib.sha256(placeholder_image._pixels).hexdigest()
+    imageHashCompareCheckResult = image_hash == computed_hash
+
+    verdict = all(
+        [
+            lengthCheckResult,
+            tailCheckResult,
+            startVerifyResult,
+            endVerifyResult,
+            payloadVerifyResult,
+            imageHashVerifyResult,
+            imageHashCompareCheckResult,
+        ]
+    )
+
+    length_report = {
+        "length": len(deduplicated),
+        "result": lengthCheckResult,
+    }
+
+    if len(deduplicated) == 4:
+        full_value = deduplicated[1]
+        tail_value = deduplicated[2]
+        tail_min_len = TAIL_HEAD_LEN + TAIL_SUFFIX_LEN + 3
+        if len(tail_value) > tail_min_len:
+            tail_display = (
+                tail_value[:TAIL_HEAD_LEN] + "..." + tail_value[-TAIL_SUFFIX_LEN:]
+            )
+        else:
+            tail_display = tail_value
+        if len(full_value) > tail_min_len:
+            start = len(tail_value) - TAIL_SUFFIX_LEN
+            if start < 0:
+                start = 0
+            end = len(tail_value) + FULL_TAIL_EXTRA_LEN
+            if end > len(full_value):
+                end = len(full_value)
+            snippet = full_value[start:end]
+            if end < len(full_value):
+                snippet = snippet + "..."
+            full_display = full_value[:TAIL_HEAD_LEN] + "..." + snippet
+        else:
+            full_display = full_value
+        tail_report = {
+            "full": full_display,
+            "tail": tail_display,
+            "result": tailCheckResult,
+        }
+    else:
+        tail_report = {"result": "Not Required"}
+    hash_report = {
+        "extractedHash": image_hash,
+        "computedHash": computed_hash,
+        "result": imageHashCompareCheckResult,
+    }
+
+    report = {
+        "lengthCheck": length_report,
+        "tailCheck": tail_report,
+        "startVerify": startVerifyResult,
+        "endtVerify": endVerifyResult,
+        "payloadVerify": payloadVerifyResult,
+        "imageHashVerify": imageHashVerifyResult,
+        "imageHashCompareCheck": hash_report,
+        "verdict": verdict,
+    }
+
+    return report

Pixseal/keyInput.py

@@ -0,0 +1,91 @@
+from pathlib import Path
+from typing import TypeAlias
+
+from cryptography import x509
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey, RSAPublicKey
+
+PublicKeyInput: TypeAlias = (
+    RSAPublicKey | x509.Certificate | bytes | bytearray | memoryview | str | Path
+)
+
+PrivateKeyInput: TypeAlias = RSAPrivateKey | bytes | bytearray | memoryview | str | Path
+
+
+def _load_public_key_bytes(
+    public_key_input: bytes | bytearray | memoryview | str | Path,
+) -> bytes:
+    if isinstance(public_key_input, (bytes, bytearray, memoryview)):
+        return bytes(public_key_input)
+    public_key_path = Path(public_key_input)
+    if not public_key_path.is_file():
+        raise FileNotFoundError(
+            f"Public key/certificate file not found: {public_key_path}"
+        )
+    return public_key_path.read_bytes()
+
+
+def _public_key_from_cert(cert: x509.Certificate) -> RSAPublicKey:
+    public_key = cert.public_key()
+    if not isinstance(public_key, RSAPublicKey):
+        raise TypeError("Certificate does not contain an RSA public key")
+
+    print("[Cert] Certificate loaded")
+    return public_key
+
+
+def resolve_public_key(public_key_input: PublicKeyInput) -> RSAPublicKey:
+    if isinstance(public_key_input, RSAPublicKey):
+        return public_key_input
+    if isinstance(public_key_input, x509.Certificate):
+        return _public_key_from_cert(public_key_input)
+
+    key_data = _load_public_key_bytes(public_key_input)
+    if b"BEGIN CERTIFICATE" in key_data:
+        cert = x509.load_pem_x509_certificate(key_data)
+        return _public_key_from_cert(cert)
+    if b"BEGIN PUBLIC KEY" in key_data or b"BEGIN RSA PUBLIC KEY" in key_data:
+        public_key = serialization.load_pem_public_key(key_data)
+        if not isinstance(public_key, RSAPublicKey):
+            raise TypeError("Provided file is not an RSA public key")
+        return public_key
+
+    try:
+        cert = x509.load_der_x509_certificate(key_data)
+    except ValueError:
+        public_key = serialization.load_der_public_key(key_data)
+        if not isinstance(public_key, RSAPublicKey):
+            raise TypeError("Provided file is not an RSA public key")
+        return public_key
+
+    return _public_key_from_cert(cert)
+
+
+def _load_private_key_bytes(
+    private_key_input: bytes | bytearray | memoryview | str | Path,
+) -> bytes:
+    if isinstance(private_key_input, (bytes, bytearray, memoryview)):
+        return bytes(private_key_input)
+    private_key_path = Path(private_key_input)
+    if not private_key_path.is_file():
+        raise FileNotFoundError(f"Private key file not found: {private_key_path}")
+    return private_key_path.read_bytes()
+
+
+def resolve_private_key(private_key_input: PrivateKeyInput) -> RSAPrivateKey:
+    if isinstance(private_key_input, RSAPrivateKey):
+        return private_key_input
+
+    key_data = _load_private_key_bytes(private_key_input)
+    if b"BEGIN" in key_data:
+        if b"PRIVATE KEY" not in key_data:
+            raise ValueError("Provided file does not contain a private key")
+        if b"ENCRYPTED PRIVATE KEY" in key_data:
+            raise ValueError("Encrypted private keys require a password")
+        private_key = serialization.load_pem_private_key(key_data, password=None)
+    else:
+        private_key = serialization.load_der_private_key(key_data, password=None)
+
+    if not isinstance(private_key, RSAPrivateKey):
+        raise TypeError("Provided file is not an RSA private key")
+    return private_key

Pixseal/simpleImage.py

@@ -0,0 +1,35 @@
+"""
+Loader that prefers the Cython implementation and falls back to pure Python.
+Use environment variable PIXSEAL_SIMPLEIMAGE_BACKEND to force a backend:
+  - "cython": require compiled extension
+  - "python": force pure Python implementation
+"""
+
+from os import getenv
+
+_backend = getenv("PIXSEAL_SIMPLEIMAGE_BACKEND", "auto").lower()
+_loaded_module = "Pixseal.simpleImage_py"
+
+if _backend == "python":
+    from . import simpleImage_py as _impl  # type: ignore
+elif _backend == "cython":
+    try:
+        from . import simpleImage_ext as _impl  # type: ignore
+    except ImportError as exc:  # pragma: no cover
+        raise ImportError(
+            "Cython backend requested but Pixseal.simpleImage_ext is not available. "
+            "Build the extension or choose the python backend."
+        ) from exc
+else:
+    try:  # pragma: no cover
+        from . import simpleImage_ext as _impl  # type: ignore
+    except ImportError:  # pragma: no cover
+        from . import simpleImage_py as _impl  # type: ignore
+
+SimpleImage = _impl.SimpleImage  # type: ignore
+ImageInput = _impl.ImageInput  # type: ignore
+_loaded_module = _impl.__name__
+
+print(f"[SimpleImage] Loaded from: {_loaded_module}")
+
+__all__ = ["SimpleImage", "ImageInput"]