otdf-python 0.3.4__py3-none-any.whl → 0.4.0__py3-none-any.whl

otdf_python/asym_crypto.py

@@ -2,6 +2,9 @@
 Asymmetric encryption and decryption utilities for RSA keys in PEM format.
 """
 
+import base64
+import re
+
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import padding, rsa
@@ -13,18 +16,68 @@ from .sdk_exceptions import SDKException
 class AsymDecryption:
     """
     Provides functionality for asymmetric decryption using an RSA private key.
+
+    Supports both PEM string and key object initialization for flexibility.
     """
 
-    def __init__(self, private_key_pem: str):
-        try:
-            self.private_key = serialization.load_pem_private_key(
-                private_key_pem.encode(), password=None, backend=default_backend()
-            )
-        except Exception as e:
-            raise SDKException(f"Failed to load private key: {e}")
+    CIPHER_TRANSFORM = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding"
+    PRIVATE_KEY_HEADER = "-----BEGIN PRIVATE KEY-----"
+    PRIVATE_KEY_FOOTER = "-----END PRIVATE KEY-----"
+
+    def __init__(self, private_key_pem: str | None = None, private_key_obj=None):
+        """
+        Initialize with either a PEM string or a key object.
+
+        Args:
+            private_key_pem: Private key in PEM format (with or without headers)
+            private_key_obj: Pre-loaded private key object from cryptography library
+
+        Raises:
+            SDKException: If key loading fails
+        """
+        if private_key_obj is not None:
+            self.private_key = private_key_obj
+        elif private_key_pem is not None:
+            try:
+                # Try direct PEM loading first (most common case)
+                try:
+                    self.private_key = serialization.load_pem_private_key(
+                        private_key_pem.encode(),
+                        password=None,
+                        backend=default_backend(),
+                    )
+                except Exception:
+                    # Fallback: strip headers and load as DER (for base64-only keys)
+                    private_key_pem = (
+                        private_key_pem.replace(self.PRIVATE_KEY_HEADER, "")
+                        .replace(self.PRIVATE_KEY_FOOTER, "")
+                        .replace("\n", "")
+                        .replace("\r", "")
+                        .replace(" ", "")
+                    )
+                    decoded = base64.b64decode(private_key_pem)
+                    self.private_key = serialization.load_der_private_key(
+                        decoded, password=None, backend=default_backend()
+                    )
+            except Exception as e:
+                raise SDKException(f"Failed to load private key: {e}")
+        else:
+            self.private_key = None
 
     def decrypt(self, data: bytes) -> bytes:
-        if not self.private_key:
+        """
+        Decrypt data using RSA OAEP with SHA-1.
+
+        Args:
+            data: Encrypted bytes to decrypt
+
+        Returns:
+            Decrypted bytes
+
+        Raises:
+            SDKException: If decryption fails or key is not set
+        """
+        if self.private_key is None:
             raise SDKException("Failed to decrypt, private key is empty")
         try:
             return self.private_key.decrypt(
@@ -42,26 +95,77 @@ class AsymDecryption:
 class AsymEncryption:
     """
     Provides functionality for asymmetric encryption using an RSA public key or certificate in PEM format.
+
+    Supports PEM public keys, X.509 certificates, and pre-loaded key objects.
+    Also handles base64-encoded keys without PEM headers.
     """
 
-    def __init__(self, public_key_pem: str):
-        try:
-            if "BEGIN CERTIFICATE" in public_key_pem:
-                cert = load_pem_x509_certificate(
-                    public_key_pem.encode(), default_backend()
-                )
-                self.public_key = cert.public_key()
-            else:
-                self.public_key = serialization.load_pem_public_key(
-                    public_key_pem.encode(), backend=default_backend()
-                )
-        except Exception as e:
-            raise SDKException(f"Failed to load public key: {e}")
+    PUBLIC_KEY_HEADER = "-----BEGIN PUBLIC KEY-----"
+    PUBLIC_KEY_FOOTER = "-----END PUBLIC KEY-----"
+    CIPHER_TRANSFORM = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding"
+
+    def __init__(self, public_key_pem: str | None = None, public_key_obj=None):
+        """
+        Initialize with either a PEM string or a key object.
+
+        Args:
+            public_key_pem: Public key in PEM format, X.509 certificate, or base64 string
+            public_key_obj: Pre-loaded public key object from cryptography library
+
+        Raises:
+            SDKException: If key loading fails or key is not RSA
+        """
+        if public_key_obj is not None:
+            self.public_key = public_key_obj
+        elif public_key_pem is not None:
+            try:
+                if "BEGIN CERTIFICATE" in public_key_pem:
+                    # Load from X.509 certificate
+                    cert = load_pem_x509_certificate(
+                        public_key_pem.encode(), default_backend()
+                    )
+                    self.public_key = cert.public_key()
+                else:
+                    # Try direct PEM loading first (most common case)
+                    try:
+                        self.public_key = serialization.load_pem_public_key(
+                            public_key_pem.encode(), backend=default_backend()
+                        )
+                    except Exception:
+                        # Fallback: strip headers and load as DER (for base64-only keys)
+                        pem_body = re.sub(r"-----BEGIN (.*)-----", "", public_key_pem)
+                        pem_body = re.sub(r"-----END (.*)-----", "", pem_body)
+                        pem_body = re.sub(r"\s", "", pem_body)
+                        decoded = base64.b64decode(pem_body)
+                        self.public_key = serialization.load_der_public_key(
+                            decoded, backend=default_backend()
+                        )
+            except Exception as e:
+                raise SDKException(f"Failed to load public key: {e}")
+        else:
+            self.public_key = None
 
-        if not isinstance(self.public_key, rsa.RSAPublicKey):
+        # Validate that it's an RSA key
+        if self.public_key is not None and not isinstance(
+            self.public_key, rsa.RSAPublicKey
+        ):
             raise SDKException("Not an RSA PEM formatted public key")
 
     def encrypt(self, data: bytes) -> bytes:
+        """
+        Encrypt data using RSA OAEP with SHA-1.
+
+        Args:
+            data: Plaintext bytes to encrypt
+
+        Returns:
+            Encrypted bytes
+
+        Raises:
+            SDKException: If encryption fails or key is not set
+        """
+        if self.public_key is None:
+            raise SDKException("Failed to encrypt, public key is empty")
         try:
             return self.public_key.encrypt(
                 data,
@@ -75,6 +179,15 @@ class AsymEncryption:
             raise SDKException(f"Error performing encryption: {e}")
 
     def public_key_in_pem_format(self) -> str:
+        """
+        Export the public key to PEM format.
+
+        Returns:
+            Public key as PEM-encoded string
+
+        Raises:
+            SDKException: If export fails
+        """
         try:
             pem = self.public_key.public_bytes(
                 encoding=serialization.Encoding.PEM,

otdf_python/cli.py

@@ -201,6 +201,13 @@ def create_nano_tdf_config(sdk: SDK, args) -> NanoTDFConfig:
         kas_endpoints = parse_kas_endpoints(args.kas_endpoint)
         kas_info_list = [KASInfo(url=kas_url) for kas_url in kas_endpoints]
         config.kas_info_list.extend(kas_info_list)
+    elif args.platform_url:
+        # If no explicit KAS endpoint provided, derive from platform URL
+        # This matches the default KAS path convention
+        kas_url = args.platform_url.rstrip("/") + "/kas"
+        logger.debug(f"Deriving KAS endpoint from platform URL: {kas_url}")
+        kas_info = KASInfo(url=kas_url)
+        config.kas_info_list.append(kas_info)
 
     if hasattr(args, "policy_binding") and args.policy_binding:
         if args.policy_binding.lower() == "ecdsa":
@@ -554,7 +561,7 @@ def main():
         sys.exit(1)
     except Exception as e:
         logger.error(f"Unexpected error: {e}")
-        logger.debug("", exc_info=True)
+        logger.error("", exc_info=True)  # Always print traceback for unexpected errors
         sys.exit(1)
 
 

otdf_python/ecc_constants.py

@@ -0,0 +1,176 @@
+"""
+Elliptic Curve Constants for NanoTDF.
+
+This module defines shared constants for elliptic curve operations used across
+the SDK, particularly for NanoTDF encryption/decryption.
+
+All supported curves follow the NanoTDF specification which uses compressed
+public key encoding (X9.62 format) to minimize header size.
+"""
+
+from typing import ClassVar
+
+from cryptography.hazmat.primitives.asymmetric import ec
+
+
+class ECCConstants:
+    """
+    Centralized constants for elliptic curve cryptography operations.
+
+    This class provides mappings between curve names, curve type integers,
+    cryptography curve objects, and compressed public key sizes.
+    """
+
+    # Mapping from curve names (strings) to curve type integers (per NanoTDF spec)
+    # These integer values are encoded in the NanoTDF header's ECC mode byte
+    CURVE_NAME_TO_TYPE: ClassVar[dict[str, int]] = {
+        "secp256r1": 0,  # NIST P-256 (most common)
+        "secp384r1": 1,  # NIST P-384
+        "secp521r1": 2,  # NIST P-521
+        "secp256k1": 3,  # Bitcoin curve (secp256k1)
+    }
+
+    # Mapping from curve type integers to curve names
+    # Inverse of CURVE_NAME_TO_TYPE for reverse lookups
+    CURVE_TYPE_TO_NAME: ClassVar[dict[int, str]] = {
+        0: "secp256r1",
+        1: "secp384r1",
+        2: "secp521r1",
+        3: "secp256k1",
+    }
+
+    # Compressed public key sizes (in bytes) for each curve
+    # Format: 1 byte prefix (0x02 or 0x03) + x-coordinate bytes
+    # Used by both ecc_mode.py (indexed by int) and ecdh.py (indexed by string)
+    COMPRESSED_KEY_SIZE_BY_TYPE: ClassVar[dict[int, int]] = {
+        0: 33,  # secp256r1: 1 byte prefix + 32 bytes x-coordinate
+        1: 49,  # secp384r1: 1 byte prefix + 48 bytes x-coordinate
+        2: 67,  # secp521r1: 1 byte prefix + 66 bytes x-coordinate
+        3: 33,  # secp256k1: 1 byte prefix + 32 bytes x-coordinate (same as secp256r1)
+    }
+
+    COMPRESSED_KEY_SIZE_BY_NAME: ClassVar[dict[str, int]] = {
+        "secp256r1": 33,  # 1 byte prefix + 32 bytes
+        "secp384r1": 49,  # 1 byte prefix + 48 bytes
+        "secp521r1": 67,  # 1 byte prefix + 66 bytes
+        "secp256k1": 33,  # 1 byte prefix + 32 bytes
+    }
+
+    # Mapping from curve names to cryptography library curve objects
+    # Used by ecdh.py for key generation and ECDH operations
+    CURVE_OBJECTS: ClassVar[dict[str, ec.EllipticCurve]] = {
+        "secp256r1": ec.SECP256R1(),
+        "secp384r1": ec.SECP384R1(),
+        "secp521r1": ec.SECP521R1(),
+        "secp256k1": ec.SECP256K1(),
+    }
+
+    @classmethod
+    def get_curve_name(cls, curve_type: int) -> str:
+        """
+        Get curve name from curve type integer.
+
+        Args:
+            curve_type: Curve type (0=secp256r1, 1=secp384r1, 2=secp521r1, 3=secp256k1)
+
+        Returns:
+            Curve name as string (e.g., "secp256r1")
+
+        Raises:
+            ValueError: If curve_type is not supported
+        """
+        name = cls.CURVE_TYPE_TO_NAME.get(curve_type)
+        if name is None:
+            raise ValueError(
+                f"Unsupported curve type: {curve_type}. "
+                f"Supported types: {list(cls.CURVE_TYPE_TO_NAME.keys())}"
+            )
+        return name
+
+    @classmethod
+    def get_curve_type(cls, curve_name: str) -> int:
+        """
+        Get curve type integer from curve name.
+
+        Args:
+            curve_name: Curve name (e.g., "secp256r1")
+
+        Returns:
+            Curve type as integer (0-3)
+
+        Raises:
+            ValueError: If curve_name is not supported
+        """
+        curve_type = cls.CURVE_NAME_TO_TYPE.get(curve_name.lower())
+        if curve_type is None:
+            raise ValueError(
+                f"Unsupported curve name: '{curve_name}'. "
+                f"Supported curves: {list(cls.CURVE_NAME_TO_TYPE.keys())}"
+            )
+        return curve_type
+
+    @classmethod
+    def get_compressed_key_size_by_type(cls, curve_type: int) -> int:
+        """
+        Get compressed public key size from curve type integer.
+
+        Args:
+            curve_type: Curve type (0=secp256r1, 1=secp384r1, 2=secp521r1, 3=secp256k1)
+
+        Returns:
+            Size in bytes of the compressed public key
+
+        Raises:
+            ValueError: If curve_type is not supported
+        """
+        size = cls.COMPRESSED_KEY_SIZE_BY_TYPE.get(curve_type)
+        if size is None:
+            raise ValueError(
+                f"Unsupported curve type: {curve_type}. "
+                f"Supported types: {list(cls.COMPRESSED_KEY_SIZE_BY_TYPE.keys())}"
+            )
+        return size
+
+    @classmethod
+    def get_compressed_key_size_by_name(cls, curve_name: str) -> int:
+        """
+        Get compressed public key size from curve name.
+
+        Args:
+            curve_name: Curve name (e.g., "secp256r1")
+
+        Returns:
+            Size in bytes of the compressed public key
+
+        Raises:
+            ValueError: If curve_name is not supported
+        """
+        size = cls.COMPRESSED_KEY_SIZE_BY_NAME.get(curve_name.lower())
+        if size is None:
+            raise ValueError(
+                f"Unsupported curve name: '{curve_name}'. "
+                f"Supported curves: {list(cls.COMPRESSED_KEY_SIZE_BY_NAME.keys())}"
+            )
+        return size
+
+    @classmethod
+    def get_curve_object(cls, curve_name: str) -> ec.EllipticCurve:
+        """
+        Get cryptography library curve object from curve name.
+
+        Args:
+            curve_name: Curve name (e.g., "secp256r1")
+
+        Returns:
+            Cryptography library EllipticCurve object
+
+        Raises:
+            ValueError: If curve_name is not supported
+        """
+        curve = cls.CURVE_OBJECTS.get(curve_name.lower())
+        if curve is None:
+            raise ValueError(
+                f"Unsupported curve name: '{curve_name}'. "
+                f"Supported curves: {list(cls.CURVE_OBJECTS.keys())}"
+            )
+        return curve

otdf_python/ecc_mode.py

@@ -1,4 +1,15 @@
+from otdf_python.ecc_constants import ECCConstants
+
+
 class ECCMode:
+    """
+    ECC (Elliptic Curve Cryptography) mode configuration for NanoTDF.
+
+    This class encapsulates the curve type and policy binding mode (GMAC vs ECDSA)
+    that are encoded in the NanoTDF header. It delegates to ECCConstants for
+    curve-related lookups to maintain a single source of truth.
+    """
+
     def __init__(self, curve_mode: int = 0, use_ecdsa_binding: bool = False):
         self.curve_mode = curve_mode
         self.use_ecdsa_binding = use_ecdsa_binding
@@ -15,18 +26,58 @@ class ECCMode:
     def get_elliptic_curve_type(self) -> int:
         return self.curve_mode
 
+    def get_curve_name(self) -> str:
+        """Get the curve name as a string (e.g., 'secp256r1').
+
+        Returns:
+            Curve name corresponding to the current curve_mode
+
+        Raises:
+            ValueError: If curve_mode is not supported
+        """
+        # Delegate to ECCConstants for the authoritative mapping
+        return ECCConstants.get_curve_name(self.curve_mode)
+
     @staticmethod
     def get_ec_compressed_pubkey_size(curve_type: int) -> int:
-        # 0: secp256r1, 1: secp384r1, 2: secp521r1
-        if curve_type == 0:
-            return 33
-        elif curve_type == 1:
-            return 49
-        elif curve_type == 2:
-            return 67
-        else:
-            raise ValueError("Unsupported ECC algorithm.")
+        """Get the compressed public key size for a given curve type.
+
+        Args:
+            curve_type: Curve type identifier (0=secp256r1, 1=secp384r1, 2=secp521r1, 3=secp256k1)
+
+        Returns:
+            Size in bytes of the compressed public key
+
+        Raises:
+            ValueError: If curve_type is not supported
+        """
+        # Delegate to ECCConstants for the authoritative mapping
+        return ECCConstants.get_compressed_key_size_by_type(curve_type)
 
     def get_ecc_mode_as_byte(self) -> int:
         # Most significant bit: use_ecdsa_binding, lower 3 bits: curve_mode
         return ((1 if self.use_ecdsa_binding else 0) << 7) | (self.curve_mode & 0x07)
+
+    @staticmethod
+    def from_string(curve_str: str) -> "ECCMode":
+        """Create ECCMode from curve string or policy binding type.
+
+        Args:
+            curve_str: Either a curve name ('secp256r1', 'secp384r1', 'secp521r1', 'secp256k1')
+                      or a policy binding type ('gmac', 'ecdsa')
+
+        Returns:
+            ECCMode instance configured with the appropriate curve and binding mode
+
+        Raises:
+            ValueError: If curve_str is not a supported curve or binding type
+        """
+        # Handle policy binding types (always use secp256r1 as default curve)
+        if curve_str.lower() == "gmac":
+            return ECCMode(0, False)  # GMAC binding with default secp256r1 curve
+        elif curve_str.lower() == "ecdsa":
+            return ECCMode(0, True)  # ECDSA binding with default secp256r1 curve
+
+        # Handle curve names - delegate to ECCConstants for the authoritative mapping
+        curve_mode = ECCConstants.get_curve_type(curve_str)
+        return ECCMode(curve_mode, False)