otdf-python 0.1.9__py3-none-any.whl → 0.3.0__py3-none-any.whl

otdf_python/constants.py

@@ -0,0 +1 @@
+MAGIC_NUMBER_AND_VERSION = bytes([0x4C, 0x31, 0x4C])

otdf_python/crypto_utils.py

@@ -0,0 +1,78 @@
+import hashlib
+import hmac
+
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import ec, rsa
+
+
+class CryptoUtils:
+    KEYPAIR_SIZE = 2048
+
+    @staticmethod
+    def calculate_sha256_hmac(key: bytes, data: bytes) -> bytes:
+        return hmac.new(key, data, hashlib.sha256).digest()
+
+    @staticmethod
+    def generate_rsa_keypair() -> tuple[rsa.RSAPrivateKey, rsa.RSAPublicKey]:
+        private_key = rsa.generate_private_key(
+            public_exponent=65537,
+            key_size=CryptoUtils.KEYPAIR_SIZE,
+            backend=default_backend(),
+        )
+        return private_key, private_key.public_key()
+
+    @staticmethod
+    def generate_ec_keypair(
+        curve=None,
+    ) -> tuple[ec.EllipticCurvePrivateKey, ec.EllipticCurvePublicKey]:
+        if curve is None:
+            curve = ec.SECP256R1()
+        private_key = ec.generate_private_key(curve, default_backend())
+        return private_key, private_key.public_key()
+
+    @staticmethod
+    def get_public_key_pem(public_key) -> str:
+        return public_key.public_bytes(
+            serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo
+        ).decode()
+
+    @staticmethod
+    def get_private_key_pem(private_key) -> str:
+        return private_key.private_bytes(
+            serialization.Encoding.PEM,
+            serialization.PrivateFormat.PKCS8,
+            serialization.NoEncryption(),
+        ).decode()
+
+    @staticmethod
+    def get_rsa_public_key_pem(public_key) -> str:
+        if public_key.__class__.__name__ != "RSAPublicKey":
+            raise ValueError("Not an RSA public key")
+        return CryptoUtils.get_public_key_pem(public_key)
+
+    @staticmethod
+    def get_rsa_private_key_pem(private_key) -> str:
+        if private_key.__class__.__name__ != "RSAPrivateKey":
+            raise ValueError("Not an RSA private key")
+        return CryptoUtils.get_private_key_pem(private_key)
+
+    @staticmethod
+    def get_rsa_public_key_from_pem(pem_data: str) -> rsa.RSAPublicKey:
+        """Load RSA public key from PEM string."""
+        public_key = serialization.load_pem_public_key(
+            pem_data.encode(), backend=default_backend()
+        )
+        if not isinstance(public_key, rsa.RSAPublicKey):
+            raise ValueError("Not an RSA public key")
+        return public_key
+
+    @staticmethod
+    def get_rsa_private_key_from_pem(pem_data: str) -> rsa.RSAPrivateKey:
+        """Load RSA private key from PEM string."""
+        private_key = serialization.load_pem_private_key(
+            pem_data.encode(), password=None, backend=default_backend()
+        )
+        if not isinstance(private_key, rsa.RSAPrivateKey):
+            raise ValueError("Not an RSA private key")
+        return private_key

otdf_python/dpop.py

@@ -0,0 +1,81 @@
+"""
+DPoP (Demonstration of Proof-of-Possession) token generation utilities.
+"""
+
+import base64
+import hashlib
+import time
+
+import jwt
+
+from .crypto_utils import CryptoUtils
+
+
+def create_dpop_token(
+    private_key_pem: str,
+    public_key_pem: str,
+    url: str,
+    method: str = "POST",
+    access_token: str | None = None,
+) -> str:
+    """
+    Create a DPoP (Demonstration of Proof-of-Possession) token.
+
+    Args:
+        private_key_pem: RSA private key in PEM format for signing
+        public_key_pem: RSA public key in PEM format for JWK
+        url: The URL being accessed
+        method: HTTP method (default: POST)
+        access_token: Optional access token for ath claim
+
+    Returns:
+        DPoP token as a string
+    """
+    # Parse the RSA public key to extract modulus and exponent
+    public_key_obj = CryptoUtils.get_rsa_public_key_from_pem(public_key_pem)
+    public_numbers = public_key_obj.public_numbers()
+
+    # Convert to base64url encoded values
+    def int_to_base64url(value):
+        # Convert integer to bytes, then to base64url
+        byte_length = (value.bit_length() + 7) // 8
+        value_bytes = value.to_bytes(byte_length, byteorder="big")
+        return base64.urlsafe_b64encode(value_bytes).decode("ascii").rstrip("=")
+
+    # Create JWK (JSON Web Key) representation
+    jwk = {
+        "kty": "RSA",
+        "n": int_to_base64url(public_numbers.n),
+        "e": int_to_base64url(public_numbers.e),
+    }
+
+    # Create DPoP header
+    now = int(time.time())
+
+    # Create JWT header with JWK
+    header = {"typ": "dpop+jwt", "alg": "RS256", "jwk": jwk}
+
+    # Create JWT payload
+    payload = {
+        "jti": base64.urlsafe_b64encode(
+            hashlib.sha256(f"{url}{method}{now}".encode()).digest()
+        )
+        .decode("ascii")
+        .rstrip("="),
+        "htm": method,
+        "htu": url,
+        "iat": now,
+    }
+
+    # Add access token hash if provided
+    if access_token:
+        # Create SHA-256 hash of access token
+        token_hash = hashlib.sha256(access_token.encode()).digest()
+        payload["ath"] = (
+            base64.urlsafe_b64encode(token_hash).decode("ascii").rstrip("=")
+        )
+
+    # Sign the DPoP token
+    dpop_token = jwt.encode(payload, private_key_pem, algorithm="RS256", headers=header)
+
+    return dpop_token

otdf_python/ecc_mode.py

@@ -0,0 +1,32 @@
+class ECCMode:
+    def __init__(self, curve_mode: int = 0, use_ecdsa_binding: bool = False):
+        self.curve_mode = curve_mode
+        self.use_ecdsa_binding = use_ecdsa_binding
+
+    def set_ecdsa_binding(self, flag: bool):
+        self.use_ecdsa_binding = flag
+
+    def is_ecdsa_binding_enabled(self) -> bool:
+        return self.use_ecdsa_binding
+
+    def set_elliptic_curve(self, curve_mode: int):
+        self.curve_mode = curve_mode
+
+    def get_elliptic_curve_type(self) -> int:
+        return self.curve_mode
+
+    @staticmethod
+    def get_ec_compressed_pubkey_size(curve_type: int) -> int:
+        # 0: secp256r1, 1: secp384r1, 2: secp521r1
+        if curve_type == 0:
+            return 33
+        elif curve_type == 1:
+            return 49
+        elif curve_type == 2:
+            return 67
+        else:
+            raise ValueError("Unsupported ECC algorithm.")
+
+    def get_ecc_mode_as_byte(self) -> int:
+        # Most significant bit: use_ecdsa_binding, lower 3 bits: curve_mode
+        return ((1 if self.use_ecdsa_binding else 0) << 7) | (self.curve_mode & 0x07)

otdf_python/eckeypair.py

@@ -0,0 +1,75 @@
+from cryptography.exceptions import InvalidSignature
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.hazmat.primitives.kdf.hkdf import HKDF
+from cryptography.hazmat.primitives.serialization import (
+    Encoding,
+    NoEncryption,
+    PrivateFormat,
+    PublicFormat,
+)
+
+
+class ECKeyPair:
+    def __init__(self, curve=None):
+        if curve is None:
+            curve = ec.SECP256R1()
+        self.private_key = ec.generate_private_key(curve, default_backend())
+        self.public_key = self.private_key.public_key()
+        self.curve = curve
+
+    def public_key_pem(self):
+        return self.public_key.public_bytes(
+            Encoding.PEM, PublicFormat.SubjectPublicKeyInfo
+        ).decode()
+
+    def private_key_pem(self):
+        return self.private_key.private_bytes(
+            Encoding.PEM, PrivateFormat.PKCS8, NoEncryption()
+        ).decode()
+
+    def key_size(self):
+        return self.private_key.key_size
+
+    def compress_public_key(self):
+        return self.public_key.public_bytes(Encoding.X962, PublicFormat.CompressedPoint)
+
+    @staticmethod
+    def public_key_from_pem(pem):
+        return serialization.load_pem_public_key(
+            pem.encode(), backend=default_backend()
+        )
+
+    @staticmethod
+    def private_key_from_pem(pem):
+        return serialization.load_pem_private_key(
+            pem.encode(), password=None, backend=default_backend()
+        )
+
+    @staticmethod
+    def compute_ecdh_key(public_key, private_key):
+        return private_key.exchange(ec.ECDH(), public_key)
+
+    @staticmethod
+    def calculate_hkdf(salt, secret, length=32):
+        hkdf = HKDF(
+            algorithm=hashes.SHA256(),
+            length=length,
+            salt=salt,
+            info=None,
+            backend=default_backend(),
+        )
+        return hkdf.derive(secret)
+
+    @staticmethod
+    def sign_ecdsa(data, private_key):
+        return private_key.sign(data, ec.ECDSA(hashes.SHA256()))
+
+    @staticmethod
+    def verify_ecdsa(data, signature, public_key):
+        try:
+            public_key.verify(signature, data, ec.ECDSA(hashes.SHA256()))
+            return True
+        except InvalidSignature:
+            return False

otdf_python/header.py

@@ -0,0 +1,143 @@
+from otdf_python.constants import MAGIC_NUMBER_AND_VERSION
+from otdf_python.ecc_mode import ECCMode
+from otdf_python.policy_info import PolicyInfo
+from otdf_python.resource_locator import ResourceLocator
+from otdf_python.symmetric_and_payload_config import SymmetricAndPayloadConfig
+
+
+class Header:
+    def __init__(self):
+        self.kas_locator: ResourceLocator | None = None
+        self.ecc_mode: ECCMode | None = None
+        self.payload_config: SymmetricAndPayloadConfig | None = None
+        self.policy_info: PolicyInfo | None = None
+        self.ephemeral_key: bytes | None = None
+
+    @classmethod
+    def from_bytes(cls, buffer: bytes):
+        # Parse header from bytes, validate magic/version
+        offset = 0
+        magic = buffer[offset : offset + 3]
+        if magic != MAGIC_NUMBER_AND_VERSION:
+            raise ValueError("Invalid magic number and version in nano tdf.")
+        offset += 3
+        kas_locator, kas_size = ResourceLocator.from_bytes_with_size(buffer[offset:])
+        offset += kas_size
+        ecc_mode = ECCMode(buffer[offset])
+        offset += 1
+        payload_config = SymmetricAndPayloadConfig(buffer[offset])
+        offset += 1
+        policy_info, policy_size = PolicyInfo.from_bytes_with_size(
+            buffer[offset:], ecc_mode
+        )
+        offset += policy_size
+        compressed_pubkey_size = ECCMode.get_ec_compressed_pubkey_size(
+            ecc_mode.get_elliptic_curve_type()
+        )
+        ephemeral_key = buffer[offset : offset + compressed_pubkey_size]
+        if len(ephemeral_key) != compressed_pubkey_size:
+            raise ValueError("Failed to read ephemeral key - invalid buffer size.")
+        obj = cls()
+        obj.kas_locator = kas_locator
+        obj.ecc_mode = ecc_mode
+        obj.payload_config = payload_config
+        obj.policy_info = policy_info
+        obj.ephemeral_key = ephemeral_key
+        return obj
+
+    @staticmethod
+    def peek_length(buffer: bytes) -> int:
+        offset = 0
+        # MAGIC_NUMBER_AND_VERSION (3 bytes)
+        offset += 3
+        # ResourceLocator
+        kas_locator, kas_size = ResourceLocator.from_bytes_with_size(buffer[offset:])
+        offset += kas_size
+        # ECC mode (1 byte)
+        ecc_mode = ECCMode(buffer[offset])
+        offset += 1
+        # Payload config (1 byte)
+        offset += 1
+        # PolicyInfo
+        policy_info, policy_size = PolicyInfo.from_bytes_with_size(
+            buffer[offset:], ecc_mode
+        )
+        offset += policy_size
+        # Ephemeral key (size depends on curve)
+        compressed_pubkey_size = ECCMode.get_ec_compressed_pubkey_size(
+            ecc_mode.get_elliptic_curve_type()
+        )
+        offset += compressed_pubkey_size
+        return offset
+
+    def set_kas_locator(self, kas_locator: ResourceLocator):
+        self.kas_locator = kas_locator
+
+    def get_kas_locator(self) -> ResourceLocator | None:
+        return self.kas_locator
+
+    def set_ecc_mode(self, ecc_mode: ECCMode):
+        self.ecc_mode = ecc_mode
+
+    def get_ecc_mode(self) -> ECCMode | None:
+        return self.ecc_mode
+
+    def set_payload_config(self, payload_config: SymmetricAndPayloadConfig):
+        self.payload_config = payload_config
+
+    def get_payload_config(self) -> SymmetricAndPayloadConfig | None:
+        return self.payload_config
+
+    def set_policy_info(self, policy_info: PolicyInfo):
+        self.policy_info = policy_info
+
+    def get_policy_info(self) -> PolicyInfo | None:
+        return self.policy_info
+
+    def set_ephemeral_key(self, ephemeral_key: bytes):
+        if self.ecc_mode is not None:
+            expected_size = ECCMode.get_ec_compressed_pubkey_size(
+                self.ecc_mode.get_elliptic_curve_type()
+            )
+            if len(ephemeral_key) != expected_size:
+                raise ValueError("Failed to read ephemeral key - invalid buffer size.")
+        self.ephemeral_key = ephemeral_key
+
+    def get_ephemeral_key(self) -> bytes | None:
+        return self.ephemeral_key
+
+    def get_total_size(self) -> int:
+        total = 0
+        total += self.kas_locator.get_total_size() if self.kas_locator else 0
+        total += 1  # ECC mode
+        total += 1  # payload config
+        total += self.policy_info.get_total_size() if self.policy_info else 0
+        total += len(self.ephemeral_key) if self.ephemeral_key else 0
+        return total
+
+    def write_into_buffer(self, buffer: bytearray) -> int:
+        total_size = self.get_total_size()
+        if len(buffer) < total_size:
+            raise ValueError("Failed to write header - invalid buffer size.")
+        offset = 0
+        # ResourceLocator
+        n = self.kas_locator.write_into_buffer(buffer, offset)
+        offset += n
+        # ECCMode (1 byte)
+        buffer[offset] = self.ecc_mode.get_ecc_mode_as_byte()
+        offset += 1
+        # SymmetricAndPayloadConfig (1 byte)
+        buffer[offset] = self.payload_config.get_symmetric_and_payload_config_as_byte()
+        offset += 1
+        # PolicyInfo
+        n = self.policy_info.write_into_buffer(buffer, offset)
+        offset += n
+        # Ephemeral key
+        buffer[offset : offset + len(self.ephemeral_key)] = self.ephemeral_key
+        offset += len(self.ephemeral_key)
+        return offset
+
+    def to_bytes(self):
+        buf = bytearray(self.get_total_size())
+        self.write_into_buffer(buf)
+        return bytes(buf)

otdf_python/invalid_zip_exception.py

@@ -0,0 +1,8 @@
+class InvalidZipException(Exception):
+    """
+    Raised when a ZIP file is invalid or corrupted.
+    Based on Java implementation.
+    """
+
+    def __init__(self, message: str):
+        super().__init__(message)