otdf-python 0.3.3__tar.gz → 0.3.5__tar.gz

{otdf_python-0.3.3 → otdf_python-0.3.5}/.github/check_entitlements.sh

@@ -17,7 +17,6 @@ echo ""
 
 get_token() {
     curl -k --location "$TOKEN_URL" \
-    --header "X-VirtruPubKey;" \
     --header "Content-Type: application/x-www-form-urlencoded" \
     --data-urlencode "grant_type=client_credentials" \
     --data-urlencode "client_id=$OTDF_CLIENT" \

{otdf_python-0.3.3 → otdf_python-0.3.5}/.pre-commit-config.yaml

@@ -34,7 +34,7 @@ repos:
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
     # Ruff version.
-    rev: v0.12.12
+    rev: v0.13.3
     hooks:
       # Run the linter.
       - id: ruff-check

otdf_python-0.3.5/.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+    ".": "0.3.5"
+}

{otdf_python-0.3.3 → otdf_python-0.3.5}/CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## [0.3.5](https://github.com/b-long/opentdf-python-sdk/compare/otdf-python-v0.3.4...otdf-python-v0.3.5) (2025-11-10)
+
+
+### Bug Fixes
+
+* NanoTDF support ([#114](https://github.com/b-long/opentdf-python-sdk/issues/114)) ([8f09297](https://github.com/b-long/opentdf-python-sdk/commit/8f092976f6473db7738a86d7ec30dc9ebbcb6a3a))
+
+## [0.3.4](https://github.com/b-long/opentdf-python-sdk/compare/otdf-python-v0.3.3...otdf-python-v0.3.4) (2025-10-04)
+
+### Chores
+
+* chore: remove placeholders  ([#110](https://github.com/b-long/opentdf-python-sdk/issues/110)) 
+
+
+### Bug Fixes
+
+* update ruff ([#108](https://github.com/b-long/opentdf-python-sdk/issues/108)) ([5e4c796](https://github.com/b-long/opentdf-python-sdk/commit/5e4c796a8c1fc10b206cd2769f7c8548903ad3c1))
+
 ## [0.3.3](https://github.com/b-long/opentdf-python-sdk/compare/otdf-python-v0.3.2...otdf-python-v0.3.3) (2025-09-17)
 
 

{otdf_python-0.3.3 → otdf_python-0.3.5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: otdf-python
-Version: 0.3.3
+Version: 0.3.5
 Summary: Unofficial OpenTDF SDK for Python
 Author-email: b-long <b-long@users.noreply.github.com>
 License-File: LICENSE
@@ -114,8 +114,6 @@ decrypted_data = tdf_reader.payload
 with open("decrypted.txt", "wb") as f:
     f.write(decrypted_data)
 
-# Don't forget to close the SDK when done
-sdk.close()
 ```
 
 ## Project Structure

{otdf_python-0.3.3 → otdf_python-0.3.5}/README.md

@@ -95,8 +95,6 @@ decrypted_data = tdf_reader.payload
 with open("decrypted.txt", "wb") as f:
     f.write(decrypted_data)
 
-# Don't forget to close the SDK when done
-sdk.close()
 ```
 
 ## Project Structure

{otdf_python-0.3.3 → otdf_python-0.3.5}/otdf-python-proto/README.md

@@ -17,7 +17,7 @@ See [CONNECT_RPC.md](../docs/CONNECT_RPC.md) for additional information.
 ## Structure
 
 - `proto-files/`: Contains the raw .proto files downloaded from the OpenTDF platform
-- `generated/`: Contains the generated Python protobuf and Connect RPC client files
+- `src/otdf_python_proto/`: Contains the generated Python protobuf and Connect RPC client files
 - `scripts/`: Contains build scripts for generating protobuf and Connect RPC files
 - `buf.yaml`: Buf configuration for proto validation and management
 - `buf.gen.yaml`: Buf generation configuration for Connect RPC and protobuf
@@ -40,10 +40,10 @@ Or use the convenience script:
 ```
 
 This generates:
-- `generated/*_connect.py` - Connect RPC clients (preferred)
-- `generated/*_pb2.py` - Standard protobuf classes
-- `generated/*_pb2.pyi` - Type stubs for better IDE support
-- `generated/legacy_grpc/*_pb2_grpc.py` - Legacy gRPC clients (backward compatibility)
+- `src/otdf_python_proto/**/*_connect.py` - Connect RPC clients (preferred)
+- `src/otdf_python_proto/**/*_pb2.py` - Standard protobuf classes
+- `src/otdf_python_proto/**/*_pb2.pyi` - Type stubs for better IDE support
+- `src/otdf_python_proto/legacy_grpc/**/*_pb2_grpc.py` - Legacy gRPC clients (backward compatibility)
 
 ### Legacy gRPC Generation
 

{otdf_python-0.3.3 → otdf_python-0.3.5}/otdf-python-proto/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "otdf-python-proto"
-version = "0.3.3"
+version = "0.3.5"
 description = "Generated protobuf files for OpenTDF Python SDK"
 readme = "README.md"
 authors = [

{otdf_python-0.3.3 → otdf_python-0.3.5}/otdf-python-proto/scripts/generate_connect_proto.py

@@ -96,10 +96,10 @@ def copy_opentdf_proto_files(proto_gen_dir: Path) -> bool:
                     print(f"  Copying {relative_path}...")
 
                     # Copy the file content
-                    with open(proto_file) as src:
+                    with proto_file.open() as src:
                         content = src.read()
 
-                    with open(dest_path, "w") as dst:
+                    with dest_path.open("w") as dst:
                         dst.write(content)
 
                     copied_files += 1
@@ -155,7 +155,7 @@ def run_buf_generate(proto_gen_dir: Path) -> bool:
 
         # Update buf.gen.yaml with the correct path
         buf_gen_path = proto_gen_dir / "buf.gen.yaml"
-        with open(buf_gen_path) as f:
+        with buf_gen_path.open() as f:
             content = f.read()
 
         # Replace the local plugin path
@@ -163,7 +163,7 @@ def run_buf_generate(proto_gen_dir: Path) -> bool:
             "- local: protoc-gen-connect_python", f"- local: {connect_plugin_path}"
         )
 
-        with open(buf_gen_path, "w") as f:
+        with buf_gen_path.open("w") as f:
             f.write(updated_content)
 
         # Run buf generate
@@ -221,7 +221,7 @@ def _fix_ignore_if_default_value(proto_files_dir):
     # Iterate all .proto files in the directory
     for proto_file in proto_files_dir.glob("**/*.proto"):
         try:
-            with open(proto_file, "r") as file:  # noqa: UP015
+            with proto_file.open("r") as file:
                 content = file.read()
 
             # Replace the old enum value with the new one
@@ -230,7 +230,7 @@ def _fix_ignore_if_default_value(proto_files_dir):
             )
 
             # Write the updated content back to the file
-            with open(proto_file, "w") as file:
+            with proto_file.open("w") as file:
                 file.write(updated_content)
 
             print(f"Updated {proto_file.name} to use IGNORE_IF_ZERO_VALUE")

{otdf_python-0.3.3 → otdf_python-0.3.5}/otdf-python-proto/uv.lock

@@ -481,7 +481,7 @@ wheels = [
 
 [[package]]
 name = "otdf-python-proto"
-version = "0.3.3"
+version = "0.3.5"
 source = { editable = "." }
 dependencies = [
     { name = "connect-python", extra = ["compiler"] },

{otdf_python-0.3.3 → otdf_python-0.3.5}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "otdf-python"
-version = "0.3.3"
+version = "0.3.5"
 description = "Unofficial OpenTDF SDK for Python"
 readme = "README.md"
 authors = [
@@ -73,6 +73,7 @@ lint.select = [
     "I",
     # Performance-related rules
     "PERF",      # Ruff's performance rules
+    "PTH",       # pathlib (path handling)
     # Additional useful rules
     "UP",        # pyupgrade (modern Python features)
     "SIM",       # flake8-simplify (simplifications)

otdf_python-0.3.5/src/otdf_python/asym_crypto.py

@@ -0,0 +1,198 @@
+"""
+Asymmetric encryption and decryption utilities for RSA keys in PEM format.
+"""
+
+import base64
+import re
+
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import padding, rsa
+from cryptography.x509 import load_pem_x509_certificate
+
+from .sdk_exceptions import SDKException
+
+
+class AsymDecryption:
+    """
+    Provides functionality for asymmetric decryption using an RSA private key.
+
+    Supports both PEM string and key object initialization for flexibility.
+    """
+
+    CIPHER_TRANSFORM = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding"
+    PRIVATE_KEY_HEADER = "-----BEGIN PRIVATE KEY-----"
+    PRIVATE_KEY_FOOTER = "-----END PRIVATE KEY-----"
+
+    def __init__(self, private_key_pem: str | None = None, private_key_obj=None):
+        """
+        Initialize with either a PEM string or a key object.
+
+        Args:
+            private_key_pem: Private key in PEM format (with or without headers)
+            private_key_obj: Pre-loaded private key object from cryptography library
+
+        Raises:
+            SDKException: If key loading fails
+        """
+        if private_key_obj is not None:
+            self.private_key = private_key_obj
+        elif private_key_pem is not None:
+            try:
+                # Try direct PEM loading first (most common case)
+                try:
+                    self.private_key = serialization.load_pem_private_key(
+                        private_key_pem.encode(),
+                        password=None,
+                        backend=default_backend(),
+                    )
+                except Exception:
+                    # Fallback: strip headers and load as DER (for base64-only keys)
+                    private_key_pem = (
+                        private_key_pem.replace(self.PRIVATE_KEY_HEADER, "")
+                        .replace(self.PRIVATE_KEY_FOOTER, "")
+                        .replace("\n", "")
+                        .replace("\r", "")
+                        .replace(" ", "")
+                    )
+                    decoded = base64.b64decode(private_key_pem)
+                    self.private_key = serialization.load_der_private_key(
+                        decoded, password=None, backend=default_backend()
+                    )
+            except Exception as e:
+                raise SDKException(f"Failed to load private key: {e}")
+        else:
+            self.private_key = None
+
+    def decrypt(self, data: bytes) -> bytes:
+        """
+        Decrypt data using RSA OAEP with SHA-1.
+
+        Args:
+            data: Encrypted bytes to decrypt
+
+        Returns:
+            Decrypted bytes
+
+        Raises:
+            SDKException: If decryption fails or key is not set
+        """
+        if self.private_key is None:
+            raise SDKException("Failed to decrypt, private key is empty")
+        try:
+            return self.private_key.decrypt(
+                data,
+                padding.OAEP(
+                    mgf=padding.MGF1(algorithm=hashes.SHA1()),
+                    algorithm=hashes.SHA1(),
+                    label=None,
+                ),
+            )
+        except Exception as e:
+            raise SDKException(f"Error performing decryption: {e}")
+
+
+class AsymEncryption:
+    """
+    Provides functionality for asymmetric encryption using an RSA public key or certificate in PEM format.
+
+    Supports PEM public keys, X.509 certificates, and pre-loaded key objects.
+    Also handles base64-encoded keys without PEM headers.
+    """
+
+    PUBLIC_KEY_HEADER = "-----BEGIN PUBLIC KEY-----"
+    PUBLIC_KEY_FOOTER = "-----END PUBLIC KEY-----"
+    CIPHER_TRANSFORM = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding"
+
+    def __init__(self, public_key_pem: str | None = None, public_key_obj=None):
+        """
+        Initialize with either a PEM string or a key object.
+
+        Args:
+            public_key_pem: Public key in PEM format, X.509 certificate, or base64 string
+            public_key_obj: Pre-loaded public key object from cryptography library
+
+        Raises:
+            SDKException: If key loading fails or key is not RSA
+        """
+        if public_key_obj is not None:
+            self.public_key = public_key_obj
+        elif public_key_pem is not None:
+            try:
+                if "BEGIN CERTIFICATE" in public_key_pem:
+                    # Load from X.509 certificate
+                    cert = load_pem_x509_certificate(
+                        public_key_pem.encode(), default_backend()
+                    )
+                    self.public_key = cert.public_key()
+                else:
+                    # Try direct PEM loading first (most common case)
+                    try:
+                        self.public_key = serialization.load_pem_public_key(
+                            public_key_pem.encode(), backend=default_backend()
+                        )
+                    except Exception:
+                        # Fallback: strip headers and load as DER (for base64-only keys)
+                        pem_body = re.sub(r"-----BEGIN (.*)-----", "", public_key_pem)
+                        pem_body = re.sub(r"-----END (.*)-----", "", pem_body)
+                        pem_body = re.sub(r"\s", "", pem_body)
+                        decoded = base64.b64decode(pem_body)
+                        self.public_key = serialization.load_der_public_key(
+                            decoded, backend=default_backend()
+                        )
+            except Exception as e:
+                raise SDKException(f"Failed to load public key: {e}")
+        else:
+            self.public_key = None
+
+        # Validate that it's an RSA key
+        if self.public_key is not None and not isinstance(
+            self.public_key, rsa.RSAPublicKey
+        ):
+            raise SDKException("Not an RSA PEM formatted public key")
+
+    def encrypt(self, data: bytes) -> bytes:
+        """
+        Encrypt data using RSA OAEP with SHA-1.
+
+        Args:
+            data: Plaintext bytes to encrypt
+
+        Returns:
+            Encrypted bytes
+
+        Raises:
+            SDKException: If encryption fails or key is not set
+        """
+        if self.public_key is None:
+            raise SDKException("Failed to encrypt, public key is empty")
+        try:
+            return self.public_key.encrypt(
+                data,
+                padding.OAEP(
+                    mgf=padding.MGF1(algorithm=hashes.SHA1()),
+                    algorithm=hashes.SHA1(),
+                    label=None,
+                ),
+            )
+        except Exception as e:
+            raise SDKException(f"Error performing encryption: {e}")
+
+    def public_key_in_pem_format(self) -> str:
+        """
+        Export the public key to PEM format.
+
+        Returns:
+            Public key as PEM-encoded string
+
+        Raises:
+            SDKException: If export fails
+        """
+        try:
+            pem = self.public_key.public_bytes(
+                encoding=serialization.Encoding.PEM,
+                format=serialization.PublicFormat.SubjectPublicKeyInfo,
+            )
+            return pem.decode()
+        except Exception as e:
+            raise SDKException(f"Error exporting public key to PEM: {e}")

{otdf_python-0.3.3 → otdf_python-0.3.5}/src/otdf_python/auth_headers.py

@@ -10,7 +10,7 @@ class AuthHeaders:
     """
 
     auth_header: str
-    dpop_header: str
+    dpop_header: str = ""
 
     def get_auth_header(self) -> str:
         """Returns the authorization header."""
@@ -19,3 +19,15 @@ class AuthHeaders:
     def get_dpop_header(self) -> str:
         """Returns the DPoP header."""
         return self.dpop_header
+
+    def to_dict(self) -> dict[str, str]:
+        """
+        Convert authentication headers to a dictionary for use with HTTP clients.
+
+        Returns:
+            Dictionary with 'Authorization' header and optionally 'DPoP' header
+        """
+        headers = {"Authorization": self.auth_header}
+        if self.dpop_header:
+            headers["DPoP"] = self.dpop_header
+        return headers

{otdf_python-0.3.3 → otdf_python-0.3.5}/src/otdf_python/cli.py

@@ -88,7 +88,7 @@ def load_client_credentials(creds_file_path: str) -> tuple[str, str]:
                 "CRITICAL", f"Credentials file does not exist: {creds_file_path}"
             )
 
-        with open(creds_path) as f:
+        with creds_path.open() as f:
             creds = json.load(f)
 
         client_id = creds.get("clientId")
@@ -201,6 +201,13 @@ def create_nano_tdf_config(sdk: SDK, args) -> NanoTDFConfig:
         kas_endpoints = parse_kas_endpoints(args.kas_endpoint)
         kas_info_list = [KASInfo(url=kas_url) for kas_url in kas_endpoints]
         config.kas_info_list.extend(kas_info_list)
+    elif args.platform_url:
+        # If no explicit KAS endpoint provided, derive from platform URL
+        # This matches the default KAS path convention
+        kas_url = args.platform_url.rstrip("/") + "/kas"
+        logger.debug(f"Deriving KAS endpoint from platform URL: {kas_url}")
+        kas_info = KASInfo(url=kas_url)
+        config.kas_info_list.append(kas_info)
 
     if hasattr(args, "policy_binding") and args.policy_binding:
         if args.policy_binding.lower() == "ecdsa":
@@ -223,13 +230,13 @@ def cmd_encrypt(args):
 
     try:
         # Read input file
-        with open(input_path, "rb") as input_file:
+        with input_path.open("rb") as input_file:
             payload = input_file.read()
 
         # Determine output
         if args.output:
             output_path = Path(args.output)
-            with open(output_path, "wb") as output_file:
+            with output_path.open("wb") as output_file:
                 try:
                     # Create appropriate config based on container type
                     container_type = getattr(args, "container_type", "tdf")
@@ -247,7 +254,7 @@ def cmd_encrypt(args):
                         logger.debug("Creating TDF")
                         config = create_tdf_config(sdk, args)
                         output_stream = BytesIO()
-                        manifest, size, _ = sdk.create_tdf(
+                        _manifest, size, _ = sdk.create_tdf(
                             BytesIO(payload), config, output_stream
                         )
                         output_file.write(output_stream.getvalue())
@@ -274,7 +281,7 @@ def cmd_encrypt(args):
                 logger.debug("Creating TDF")
                 config = create_tdf_config(sdk, args)
                 output_stream = BytesIO()
-                manifest, size, _ = sdk.create_tdf(
+                _manifest, size, _ = sdk.create_tdf(
                     BytesIO(payload), config, output_stream
                 )
                 output_file.write(output_stream.getvalue())
@@ -296,13 +303,13 @@ def cmd_decrypt(args):
 
     try:
         # Read encrypted file
-        with open(input_path, "rb") as input_file:
+        with input_path.open("rb") as input_file:
             encrypted_data = input_file.read()
 
         # Determine output
         if args.output:
             output_path = Path(args.output)
-            with open(output_path, "wb") as output_file:
+            with output_path.open("wb") as output_file:
                 try:
                     # Try to determine if it's a NanoTDF or regular TDF
                     # NanoTDFs have a specific header format, regular TDFs are ZIP files
@@ -359,7 +366,7 @@ def cmd_inspect(args):
 
         try:
             # Read encrypted file
-            with open(input_path, "rb") as input_file:
+            with input_path.open("rb") as input_file:
                 encrypted_data = input_file.read()
 
             if encrypted_data.startswith(b"PK"):
@@ -400,7 +407,7 @@ def cmd_inspect(args):
     except Exception as e:
         # If we can't inspect due to auth issues, show what we can
         logger.warning(f"Limited inspection due to: {e}")
-        with open(input_path, "rb") as input_file:
+        with input_path.open("rb") as input_file:
             encrypted_data = input_file.read()
 
         file_type = "TDF" if encrypted_data.startswith(b"PK") else "NanoTDF"
@@ -554,7 +561,7 @@ def main():
         sys.exit(1)
     except Exception as e:
         logger.error(f"Unexpected error: {e}")
-        logger.debug("", exc_info=True)
+        logger.error("", exc_info=True)  # Always print traceback for unexpected errors
         sys.exit(1)
 
 

otdf_python-0.3.5/src/otdf_python/ecc_constants.py

@@ -0,0 +1,176 @@
+"""
+Elliptic Curve Constants for NanoTDF.
+
+This module defines shared constants for elliptic curve operations used across
+the SDK, particularly for NanoTDF encryption/decryption.
+
+All supported curves follow the NanoTDF specification which uses compressed
+public key encoding (X9.62 format) to minimize header size.
+"""
+
+from typing import ClassVar
+
+from cryptography.hazmat.primitives.asymmetric import ec
+
+
+class ECCConstants:
+    """
+    Centralized constants for elliptic curve cryptography operations.
+
+    This class provides mappings between curve names, curve type integers,
+    cryptography curve objects, and compressed public key sizes.
+    """
+
+    # Mapping from curve names (strings) to curve type integers (per NanoTDF spec)
+    # These integer values are encoded in the NanoTDF header's ECC mode byte
+    CURVE_NAME_TO_TYPE: ClassVar[dict[str, int]] = {
+        "secp256r1": 0,  # NIST P-256 (most common)
+        "secp384r1": 1,  # NIST P-384
+        "secp521r1": 2,  # NIST P-521
+        "secp256k1": 3,  # Bitcoin curve (secp256k1)
+    }
+
+    # Mapping from curve type integers to curve names
+    # Inverse of CURVE_NAME_TO_TYPE for reverse lookups
+    CURVE_TYPE_TO_NAME: ClassVar[dict[int, str]] = {
+        0: "secp256r1",
+        1: "secp384r1",
+        2: "secp521r1",
+        3: "secp256k1",
+    }
+
+    # Compressed public key sizes (in bytes) for each curve
+    # Format: 1 byte prefix (0x02 or 0x03) + x-coordinate bytes
+    # Used by both ecc_mode.py (indexed by int) and ecdh.py (indexed by string)
+    COMPRESSED_KEY_SIZE_BY_TYPE: ClassVar[dict[int, int]] = {
+        0: 33,  # secp256r1: 1 byte prefix + 32 bytes x-coordinate
+        1: 49,  # secp384r1: 1 byte prefix + 48 bytes x-coordinate
+        2: 67,  # secp521r1: 1 byte prefix + 66 bytes x-coordinate
+        3: 33,  # secp256k1: 1 byte prefix + 32 bytes x-coordinate (same as secp256r1)
+    }
+
+    COMPRESSED_KEY_SIZE_BY_NAME: ClassVar[dict[str, int]] = {
+        "secp256r1": 33,  # 1 byte prefix + 32 bytes
+        "secp384r1": 49,  # 1 byte prefix + 48 bytes
+        "secp521r1": 67,  # 1 byte prefix + 66 bytes
+        "secp256k1": 33,  # 1 byte prefix + 32 bytes
+    }
+
+    # Mapping from curve names to cryptography library curve objects
+    # Used by ecdh.py for key generation and ECDH operations
+    CURVE_OBJECTS: ClassVar[dict[str, ec.EllipticCurve]] = {
+        "secp256r1": ec.SECP256R1(),
+        "secp384r1": ec.SECP384R1(),
+        "secp521r1": ec.SECP521R1(),
+        "secp256k1": ec.SECP256K1(),
+    }
+
+    @classmethod
+    def get_curve_name(cls, curve_type: int) -> str:
+        """
+        Get curve name from curve type integer.
+
+        Args:
+            curve_type: Curve type (0=secp256r1, 1=secp384r1, 2=secp521r1, 3=secp256k1)
+
+        Returns:
+            Curve name as string (e.g., "secp256r1")
+
+        Raises:
+            ValueError: If curve_type is not supported
+        """
+        name = cls.CURVE_TYPE_TO_NAME.get(curve_type)
+        if name is None:
+            raise ValueError(
+                f"Unsupported curve type: {curve_type}. "
+                f"Supported types: {list(cls.CURVE_TYPE_TO_NAME.keys())}"
+            )
+        return name
+
+    @classmethod
+    def get_curve_type(cls, curve_name: str) -> int:
+        """
+        Get curve type integer from curve name.
+
+        Args:
+            curve_name: Curve name (e.g., "secp256r1")
+
+        Returns:
+            Curve type as integer (0-3)
+
+        Raises:
+            ValueError: If curve_name is not supported
+        """
+        curve_type = cls.CURVE_NAME_TO_TYPE.get(curve_name.lower())
+        if curve_type is None:
+            raise ValueError(
+                f"Unsupported curve name: '{curve_name}'. "
+                f"Supported curves: {list(cls.CURVE_NAME_TO_TYPE.keys())}"
+            )
+        return curve_type
+
+    @classmethod
+    def get_compressed_key_size_by_type(cls, curve_type: int) -> int:
+        """
+        Get compressed public key size from curve type integer.
+
+        Args:
+            curve_type: Curve type (0=secp256r1, 1=secp384r1, 2=secp521r1, 3=secp256k1)
+
+        Returns:
+            Size in bytes of the compressed public key
+
+        Raises:
+            ValueError: If curve_type is not supported
+        """
+        size = cls.COMPRESSED_KEY_SIZE_BY_TYPE.get(curve_type)
+        if size is None:
+            raise ValueError(
+                f"Unsupported curve type: {curve_type}. "
+                f"Supported types: {list(cls.COMPRESSED_KEY_SIZE_BY_TYPE.keys())}"
+            )
+        return size
+
+    @classmethod
+    def get_compressed_key_size_by_name(cls, curve_name: str) -> int:
+        """
+        Get compressed public key size from curve name.
+
+        Args:
+            curve_name: Curve name (e.g., "secp256r1")
+
+        Returns:
+            Size in bytes of the compressed public key
+
+        Raises:
+            ValueError: If curve_name is not supported
+        """
+        size = cls.COMPRESSED_KEY_SIZE_BY_NAME.get(curve_name.lower())
+        if size is None:
+            raise ValueError(
+                f"Unsupported curve name: '{curve_name}'. "
+                f"Supported curves: {list(cls.COMPRESSED_KEY_SIZE_BY_NAME.keys())}"
+            )
+        return size
+
+    @classmethod
+    def get_curve_object(cls, curve_name: str) -> ec.EllipticCurve:
+        """
+        Get cryptography library curve object from curve name.
+
+        Args:
+            curve_name: Curve name (e.g., "secp256r1")
+
+        Returns:
+            Cryptography library EllipticCurve object
+
+        Raises:
+            ValueError: If curve_name is not supported
+        """
+        curve = cls.CURVE_OBJECTS.get(curve_name.lower())
+        if curve is None:
+            raise ValueError(
+                f"Unsupported curve name: '{curve_name}'. "
+                f"Supported curves: {list(cls.CURVE_OBJECTS.keys())}"
+            )
+        return curve