otdf-python 0.1.10__py3-none-any.whl → 0.3.5__py3-none-any.whl

otdf_python/constants.py

@@ -0,0 +1 @@
+MAGIC_NUMBER_AND_VERSION = bytes([0x4C, 0x31, 0x4C])

otdf_python/crypto_utils.py

@@ -0,0 +1,78 @@
+import hashlib
+import hmac
+
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import ec, rsa
+
+
+class CryptoUtils:
+    KEYPAIR_SIZE = 2048
+
+    @staticmethod
+    def calculate_sha256_hmac(key: bytes, data: bytes) -> bytes:
+        return hmac.new(key, data, hashlib.sha256).digest()
+
+    @staticmethod
+    def generate_rsa_keypair() -> tuple[rsa.RSAPrivateKey, rsa.RSAPublicKey]:
+        private_key = rsa.generate_private_key(
+            public_exponent=65537,
+            key_size=CryptoUtils.KEYPAIR_SIZE,
+            backend=default_backend(),
+        )
+        return private_key, private_key.public_key()
+
+    @staticmethod
+    def generate_ec_keypair(
+        curve=None,
+    ) -> tuple[ec.EllipticCurvePrivateKey, ec.EllipticCurvePublicKey]:
+        if curve is None:
+            curve = ec.SECP256R1()
+        private_key = ec.generate_private_key(curve, default_backend())
+        return private_key, private_key.public_key()
+
+    @staticmethod
+    def get_public_key_pem(public_key) -> str:
+        return public_key.public_bytes(
+            serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo
+        ).decode()
+
+    @staticmethod
+    def get_private_key_pem(private_key) -> str:
+        return private_key.private_bytes(
+            serialization.Encoding.PEM,
+            serialization.PrivateFormat.PKCS8,
+            serialization.NoEncryption(),
+        ).decode()
+
+    @staticmethod
+    def get_rsa_public_key_pem(public_key) -> str:
+        if public_key.__class__.__name__ != "RSAPublicKey":
+            raise ValueError("Not an RSA public key")
+        return CryptoUtils.get_public_key_pem(public_key)
+
+    @staticmethod
+    def get_rsa_private_key_pem(private_key) -> str:
+        if private_key.__class__.__name__ != "RSAPrivateKey":
+            raise ValueError("Not an RSA private key")
+        return CryptoUtils.get_private_key_pem(private_key)
+
+    @staticmethod
+    def get_rsa_public_key_from_pem(pem_data: str) -> rsa.RSAPublicKey:
+        """Load RSA public key from PEM string."""
+        public_key = serialization.load_pem_public_key(
+            pem_data.encode(), backend=default_backend()
+        )
+        if not isinstance(public_key, rsa.RSAPublicKey):
+            raise ValueError("Not an RSA public key")
+        return public_key
+
+    @staticmethod
+    def get_rsa_private_key_from_pem(pem_data: str) -> rsa.RSAPrivateKey:
+        """Load RSA private key from PEM string."""
+        private_key = serialization.load_pem_private_key(
+            pem_data.encode(), password=None, backend=default_backend()
+        )
+        if not isinstance(private_key, rsa.RSAPrivateKey):
+            raise ValueError("Not an RSA private key")
+        return private_key

otdf_python/dpop.py

@@ -0,0 +1,81 @@
+"""
+DPoP (Demonstration of Proof-of-Possession) token generation utilities.
+"""
+
+import base64
+import hashlib
+import time
+
+import jwt
+
+from .crypto_utils import CryptoUtils
+
+
+def create_dpop_token(
+    private_key_pem: str,
+    public_key_pem: str,
+    url: str,
+    method: str = "POST",
+    access_token: str | None = None,
+) -> str:
+    """
+    Create a DPoP (Demonstration of Proof-of-Possession) token.
+
+    Args:
+        private_key_pem: RSA private key in PEM format for signing
+        public_key_pem: RSA public key in PEM format for JWK
+        url: The URL being accessed
+        method: HTTP method (default: POST)
+        access_token: Optional access token for ath claim
+
+    Returns:
+        DPoP token as a string
+    """
+    # Parse the RSA public key to extract modulus and exponent
+    public_key_obj = CryptoUtils.get_rsa_public_key_from_pem(public_key_pem)
+    public_numbers = public_key_obj.public_numbers()
+
+    # Convert to base64url encoded values
+    def int_to_base64url(value):
+        # Convert integer to bytes, then to base64url
+        byte_length = (value.bit_length() + 7) // 8
+        value_bytes = value.to_bytes(byte_length, byteorder="big")
+        return base64.urlsafe_b64encode(value_bytes).decode("ascii").rstrip("=")
+
+    # Create JWK (JSON Web Key) representation
+    jwk = {
+        "kty": "RSA",
+        "n": int_to_base64url(public_numbers.n),
+        "e": int_to_base64url(public_numbers.e),
+    }
+
+    # Create DPoP header
+    now = int(time.time())
+
+    # Create JWT header with JWK
+    header = {"typ": "dpop+jwt", "alg": "RS256", "jwk": jwk}
+
+    # Create JWT payload
+    payload = {
+        "jti": base64.urlsafe_b64encode(
+            hashlib.sha256(f"{url}{method}{now}".encode()).digest()
+        )
+        .decode("ascii")
+        .rstrip("="),
+        "htm": method,
+        "htu": url,
+        "iat": now,
+    }
+
+    # Add access token hash if provided
+    if access_token:
+        # Create SHA-256 hash of access token
+        token_hash = hashlib.sha256(access_token.encode()).digest()
+        payload["ath"] = (
+            base64.urlsafe_b64encode(token_hash).decode("ascii").rstrip("=")
+        )
+
+    # Sign the DPoP token
+    dpop_token = jwt.encode(payload, private_key_pem, algorithm="RS256", headers=header)
+
+    return dpop_token

otdf_python/ecc_constants.py

@@ -0,0 +1,176 @@
+"""
+Elliptic Curve Constants for NanoTDF.
+
+This module defines shared constants for elliptic curve operations used across
+the SDK, particularly for NanoTDF encryption/decryption.
+
+All supported curves follow the NanoTDF specification which uses compressed
+public key encoding (X9.62 format) to minimize header size.
+"""
+
+from typing import ClassVar
+
+from cryptography.hazmat.primitives.asymmetric import ec
+
+
+class ECCConstants:
+    """
+    Centralized constants for elliptic curve cryptography operations.
+
+    This class provides mappings between curve names, curve type integers,
+    cryptography curve objects, and compressed public key sizes.
+    """
+
+    # Mapping from curve names (strings) to curve type integers (per NanoTDF spec)
+    # These integer values are encoded in the NanoTDF header's ECC mode byte
+    CURVE_NAME_TO_TYPE: ClassVar[dict[str, int]] = {
+        "secp256r1": 0,  # NIST P-256 (most common)
+        "secp384r1": 1,  # NIST P-384
+        "secp521r1": 2,  # NIST P-521
+        "secp256k1": 3,  # Bitcoin curve (secp256k1)
+    }
+
+    # Mapping from curve type integers to curve names
+    # Inverse of CURVE_NAME_TO_TYPE for reverse lookups
+    CURVE_TYPE_TO_NAME: ClassVar[dict[int, str]] = {
+        0: "secp256r1",
+        1: "secp384r1",
+        2: "secp521r1",
+        3: "secp256k1",
+    }
+
+    # Compressed public key sizes (in bytes) for each curve
+    # Format: 1 byte prefix (0x02 or 0x03) + x-coordinate bytes
+    # Used by both ecc_mode.py (indexed by int) and ecdh.py (indexed by string)
+    COMPRESSED_KEY_SIZE_BY_TYPE: ClassVar[dict[int, int]] = {
+        0: 33,  # secp256r1: 1 byte prefix + 32 bytes x-coordinate
+        1: 49,  # secp384r1: 1 byte prefix + 48 bytes x-coordinate
+        2: 67,  # secp521r1: 1 byte prefix + 66 bytes x-coordinate
+        3: 33,  # secp256k1: 1 byte prefix + 32 bytes x-coordinate (same as secp256r1)
+    }
+
+    COMPRESSED_KEY_SIZE_BY_NAME: ClassVar[dict[str, int]] = {
+        "secp256r1": 33,  # 1 byte prefix + 32 bytes
+        "secp384r1": 49,  # 1 byte prefix + 48 bytes
+        "secp521r1": 67,  # 1 byte prefix + 66 bytes
+        "secp256k1": 33,  # 1 byte prefix + 32 bytes
+    }
+
+    # Mapping from curve names to cryptography library curve objects
+    # Used by ecdh.py for key generation and ECDH operations
+    CURVE_OBJECTS: ClassVar[dict[str, ec.EllipticCurve]] = {
+        "secp256r1": ec.SECP256R1(),
+        "secp384r1": ec.SECP384R1(),
+        "secp521r1": ec.SECP521R1(),
+        "secp256k1": ec.SECP256K1(),
+    }
+
+    @classmethod
+    def get_curve_name(cls, curve_type: int) -> str:
+        """
+        Get curve name from curve type integer.
+
+        Args:
+            curve_type: Curve type (0=secp256r1, 1=secp384r1, 2=secp521r1, 3=secp256k1)
+
+        Returns:
+            Curve name as string (e.g., "secp256r1")
+
+        Raises:
+            ValueError: If curve_type is not supported
+        """
+        name = cls.CURVE_TYPE_TO_NAME.get(curve_type)
+        if name is None:
+            raise ValueError(
+                f"Unsupported curve type: {curve_type}. "
+                f"Supported types: {list(cls.CURVE_TYPE_TO_NAME.keys())}"
+            )
+        return name
+
+    @classmethod
+    def get_curve_type(cls, curve_name: str) -> int:
+        """
+        Get curve type integer from curve name.
+
+        Args:
+            curve_name: Curve name (e.g., "secp256r1")
+
+        Returns:
+            Curve type as integer (0-3)
+
+        Raises:
+            ValueError: If curve_name is not supported
+        """
+        curve_type = cls.CURVE_NAME_TO_TYPE.get(curve_name.lower())
+        if curve_type is None:
+            raise ValueError(
+                f"Unsupported curve name: '{curve_name}'. "
+                f"Supported curves: {list(cls.CURVE_NAME_TO_TYPE.keys())}"
+            )
+        return curve_type
+
+    @classmethod
+    def get_compressed_key_size_by_type(cls, curve_type: int) -> int:
+        """
+        Get compressed public key size from curve type integer.
+
+        Args:
+            curve_type: Curve type (0=secp256r1, 1=secp384r1, 2=secp521r1, 3=secp256k1)
+
+        Returns:
+            Size in bytes of the compressed public key
+
+        Raises:
+            ValueError: If curve_type is not supported
+        """
+        size = cls.COMPRESSED_KEY_SIZE_BY_TYPE.get(curve_type)
+        if size is None:
+            raise ValueError(
+                f"Unsupported curve type: {curve_type}. "
+                f"Supported types: {list(cls.COMPRESSED_KEY_SIZE_BY_TYPE.keys())}"
+            )
+        return size
+
+    @classmethod
+    def get_compressed_key_size_by_name(cls, curve_name: str) -> int:
+        """
+        Get compressed public key size from curve name.
+
+        Args:
+            curve_name: Curve name (e.g., "secp256r1")
+
+        Returns:
+            Size in bytes of the compressed public key
+
+        Raises:
+            ValueError: If curve_name is not supported
+        """
+        size = cls.COMPRESSED_KEY_SIZE_BY_NAME.get(curve_name.lower())
+        if size is None:
+            raise ValueError(
+                f"Unsupported curve name: '{curve_name}'. "
+                f"Supported curves: {list(cls.COMPRESSED_KEY_SIZE_BY_NAME.keys())}"
+            )
+        return size
+
+    @classmethod
+    def get_curve_object(cls, curve_name: str) -> ec.EllipticCurve:
+        """
+        Get cryptography library curve object from curve name.
+
+        Args:
+            curve_name: Curve name (e.g., "secp256r1")
+
+        Returns:
+            Cryptography library EllipticCurve object
+
+        Raises:
+            ValueError: If curve_name is not supported
+        """
+        curve = cls.CURVE_OBJECTS.get(curve_name.lower())
+        if curve is None:
+            raise ValueError(
+                f"Unsupported curve name: '{curve_name}'. "
+                f"Supported curves: {list(cls.CURVE_OBJECTS.keys())}"
+            )
+        return curve

otdf_python/ecc_mode.py

@@ -0,0 +1,83 @@
+from otdf_python.ecc_constants import ECCConstants
+
+
+class ECCMode:
+    """
+    ECC (Elliptic Curve Cryptography) mode configuration for NanoTDF.
+
+    This class encapsulates the curve type and policy binding mode (GMAC vs ECDSA)
+    that are encoded in the NanoTDF header. It delegates to ECCConstants for
+    curve-related lookups to maintain a single source of truth.
+    """
+
+    def __init__(self, curve_mode: int = 0, use_ecdsa_binding: bool = False):
+        self.curve_mode = curve_mode
+        self.use_ecdsa_binding = use_ecdsa_binding
+
+    def set_ecdsa_binding(self, flag: bool):
+        self.use_ecdsa_binding = flag
+
+    def is_ecdsa_binding_enabled(self) -> bool:
+        return self.use_ecdsa_binding
+
+    def set_elliptic_curve(self, curve_mode: int):
+        self.curve_mode = curve_mode
+
+    def get_elliptic_curve_type(self) -> int:
+        return self.curve_mode
+
+    def get_curve_name(self) -> str:
+        """Get the curve name as a string (e.g., 'secp256r1').
+
+        Returns:
+            Curve name corresponding to the current curve_mode
+
+        Raises:
+            ValueError: If curve_mode is not supported
+        """
+        # Delegate to ECCConstants for the authoritative mapping
+        return ECCConstants.get_curve_name(self.curve_mode)
+
+    @staticmethod
+    def get_ec_compressed_pubkey_size(curve_type: int) -> int:
+        """Get the compressed public key size for a given curve type.
+
+        Args:
+            curve_type: Curve type identifier (0=secp256r1, 1=secp384r1, 2=secp521r1, 3=secp256k1)
+
+        Returns:
+            Size in bytes of the compressed public key
+
+        Raises:
+            ValueError: If curve_type is not supported
+        """
+        # Delegate to ECCConstants for the authoritative mapping
+        return ECCConstants.get_compressed_key_size_by_type(curve_type)
+
+    def get_ecc_mode_as_byte(self) -> int:
+        # Most significant bit: use_ecdsa_binding, lower 3 bits: curve_mode
+        return ((1 if self.use_ecdsa_binding else 0) << 7) | (self.curve_mode & 0x07)
+
+    @staticmethod
+    def from_string(curve_str: str) -> "ECCMode":
+        """Create ECCMode from curve string or policy binding type.
+
+        Args:
+            curve_str: Either a curve name ('secp256r1', 'secp384r1', 'secp521r1', 'secp256k1')
+                      or a policy binding type ('gmac', 'ecdsa')
+
+        Returns:
+            ECCMode instance configured with the appropriate curve and binding mode
+
+        Raises:
+            ValueError: If curve_str is not a supported curve or binding type
+        """
+        # Handle policy binding types (always use secp256r1 as default curve)
+        if curve_str.lower() == "gmac":
+            return ECCMode(0, False)  # GMAC binding with default secp256r1 curve
+        elif curve_str.lower() == "ecdsa":
+            return ECCMode(0, True)  # ECDSA binding with default secp256r1 curve
+
+        # Handle curve names - delegate to ECCConstants for the authoritative mapping
+        curve_mode = ECCConstants.get_curve_type(curve_str)
+        return ECCMode(curve_mode, False)