rwn64 1.0.0__tar.gz

rwn64-1.0.0/PKG-INFO

@@ -0,0 +1,63 @@
+Metadata-Version: 2.4
+Name: rwn64
+Version: 1.0.0
+Summary: AES-256-GCM token encryption — interoperable with Node.js rwn64
+License: MIT
+Project-URL: Homepage, https://github.com/hen76d/rwn64
+Keywords: encryption,aes-256-gcm,crypto,token
+Requires-Python: >=3.6
+Description-Content-Type: text/markdown
+
+# rwn64
+
+AES-256-GCM token encryption for Python. Zero dependencies. Tokens are fully interoperable with the [Node.js rwn64 package](https://www.npmjs.com/package/rwn64).
+
+```sh
+pip install rwn64
+```
+
+---
+
+## Usage
+
+```python
+import rwn64
+
+token = rwn64.encrypt("my secret", "mypassword")
+text  = rwn64.decrypt(token, "mypassword")
+ok    = rwn64.verify(token, "mypassword")
+fp    = rwn64.fingerprint("hello", "secret")
+pw    = rwn64.generate(32)
+meta  = rwn64.inspect(token)
+```
+
+## Expiry
+
+```python
+token = rwn64.encrypt("temporary", "mypassword", expires="1h")
+token = rwn64.encrypt("temporary", "mypassword", expires="30m")
+token = rwn64.encrypt("temporary", "mypassword", expires="7d")
+```
+
+## Node.js interoperability
+
+```python
+# decrypt a token generated by Node.js rwn64 (v1 tokens)
+text = rwn64.decrypt("rwn64:v1:...", "mypassword")
+
+# generate in Python, decrypt in Node.js
+token = rwn64.encrypt("hello", "mypassword")
+# → rwn64 denc 'token' -sw mypassword
+```
+
+## Security
+
+- AES-256-GCM authenticated encryption
+- scrypt key derivation (N=16384, r=8, p=1)
+- Random salt + nonce per token
+- Auth tag detects tampering before decryption
+- Zero external dependencies
+
+## License
+
+MIT

rwn64-1.0.0/README.md

@@ -0,0 +1,53 @@
+# rwn64
+
+AES-256-GCM token encryption for Python. Zero dependencies. Tokens are fully interoperable with the [Node.js rwn64 package](https://www.npmjs.com/package/rwn64).
+
+```sh
+pip install rwn64
+```
+
+---
+
+## Usage
+
+```python
+import rwn64
+
+token = rwn64.encrypt("my secret", "mypassword")
+text  = rwn64.decrypt(token, "mypassword")
+ok    = rwn64.verify(token, "mypassword")
+fp    = rwn64.fingerprint("hello", "secret")
+pw    = rwn64.generate(32)
+meta  = rwn64.inspect(token)
+```
+
+## Expiry
+
+```python
+token = rwn64.encrypt("temporary", "mypassword", expires="1h")
+token = rwn64.encrypt("temporary", "mypassword", expires="30m")
+token = rwn64.encrypt("temporary", "mypassword", expires="7d")
+```
+
+## Node.js interoperability
+
+```python
+# decrypt a token generated by Node.js rwn64 (v1 tokens)
+text = rwn64.decrypt("rwn64:v1:...", "mypassword")
+
+# generate in Python, decrypt in Node.js
+token = rwn64.encrypt("hello", "mypassword")
+# → rwn64 denc 'token' -sw mypassword
+```
+
+## Security
+
+- AES-256-GCM authenticated encryption
+- scrypt key derivation (N=16384, r=8, p=1)
+- Random salt + nonce per token
+- Auth tag detects tampering before decryption
+- Zero external dependencies
+
+## License
+
+MIT

rwn64-1.0.0/pyproject.toml

@@ -0,0 +1,20 @@
+[build-system]
+requires      = ["setuptools>=68","wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name            = "rwn64"
+version         = "1.0.0"
+description     = "AES-256-GCM token encryption — interoperable with Node.js rwn64"
+readme          = "README.md"
+license         = {text="MIT"}
+requires-python = ">=3.6"
+dependencies    = []
+keywords        = ["encryption","aes-256-gcm","crypto","token"]
+
+[project.urls]
+Homepage = "https://github.com/hen76d/rwn64"
+
+[tool.setuptools.packages.find]
+where   = ["."]
+include = ["rwn64*"]

rwn64-1.0.0/rwn64/__init__.py

@@ -0,0 +1,25 @@
+from __future__ import annotations
+from ._crypto import encrypt as _enc,decrypt as _dec
+from ._util   import fingerprint as _fp,generate as _gen,parse_expiry,inspect as _ins
+
+__version__  = "1.0.0"
+__all__      = ["encrypt","decrypt","verify","fingerprint","generate","inspect","parse_expiry"]
+TOKEN_PREFIX = "rwn64:v1:"
+
+def encrypt(text:str,password:str,*,expires:str|None=None,expires_ms:int|None=None)->str:
+    if not password: raise TypeError("password must be non-empty")
+    exp=parse_expiry(expires) if expires else expires_ms
+    return _enc(text,password,expires_ms=exp)
+
+def decrypt(token:str,password:str)->str:
+    if not token:    raise TypeError("token must be non-empty")
+    if not password: raise TypeError("password must be non-empty")
+    return _dec(token,password)[0]
+
+def verify(token:str,password:str)->bool:
+    try: _dec(token,password); return True
+    except: return False
+
+def fingerprint(text:str,secret:str)->str: return _fp(text,secret)
+def generate(nbytes:int=24)->str:          return _gen(nbytes)
+def inspect(token:str)->dict:              return _ins(token)

rwn64-1.0.0/rwn64/_crypto.py

@@ -0,0 +1,90 @@
+from __future__ import annotations
+import ctypes as _c, hashlib as _h, os as _o, struct as _s, time as _t, base64 as _b64
+
+_lib   = _c.CDLL("libcrypto.so.3")
+_ci    = _c.c_int
+_cv    = _c.c_void_p
+_cc    = _c.c_char_p
+
+_lib.EVP_CIPHER_CTX_new.restype       = _cv
+_lib.EVP_aes_256_gcm.restype          = _cv
+_lib.EVP_EncryptInit_ex.argtypes      = [_cv,_cv,_cv,_cc,_cc];  _lib.EVP_EncryptInit_ex.restype  = _ci
+_lib.EVP_DecryptInit_ex.argtypes      = [_cv,_cv,_cv,_cc,_cc];  _lib.EVP_DecryptInit_ex.restype  = _ci
+_lib.EVP_CIPHER_CTX_ctrl.argtypes     = [_cv,_ci,_ci,_cv];      _lib.EVP_CIPHER_CTX_ctrl.restype = _ci
+_lib.EVP_EncryptUpdate.argtypes       = [_cv,_cc,_c.POINTER(_ci),_cc,_ci]; _lib.EVP_EncryptUpdate.restype  = _ci
+_lib.EVP_DecryptUpdate.argtypes       = [_cv,_cc,_c.POINTER(_ci),_cc,_ci]; _lib.EVP_DecryptUpdate.restype  = _ci
+_lib.EVP_EncryptFinal_ex.argtypes     = [_cv,_cc,_c.POINTER(_ci)]; _lib.EVP_EncryptFinal_ex.restype = _ci
+_lib.EVP_DecryptFinal_ex.argtypes     = [_cv,_cc,_c.POINTER(_ci)]; _lib.EVP_DecryptFinal_ex.restype = _ci
+_lib.EVP_CIPHER_CTX_free.argtypes     = [_cv]
+
+_GCM_SIVLEN = 0x9
+_GCM_GTAG   = 0x10
+_GCM_STAG   = 0x11
+_SL,_NL,_TL,_KL = 16,12,16,32
+_N,_R,_P         = 16384,8,1
+_PX1             = b"rwn64:v1:"
+
+def _kdf(pw:bytes,salt:bytes)->bytes:
+    return _h.scrypt(pw,salt=salt,n=_N,r=_R,p=_P,dklen=_KL)
+
+def _enc(key:bytes,nonce:bytes,pt:bytes)->tuple[bytes,bytes]:
+    x=_lib.EVP_CIPHER_CTX_new()
+    _lib.EVP_EncryptInit_ex(x,_lib.EVP_aes_256_gcm(),None,None,None)
+    _lib.EVP_CIPHER_CTX_ctrl(x,_GCM_SIVLEN,len(nonce),None)
+    _lib.EVP_EncryptInit_ex(x,None,None,key,nonce)
+    buf=_c.create_string_buffer(len(pt)+16); l=_ci(0)
+    _lib.EVP_EncryptUpdate(x,buf,_c.byref(l),pt,len(pt))
+    ct=buf.raw[:l.value]
+    _lib.EVP_EncryptFinal_ex(x,buf,_c.byref(l))
+    tag=_c.create_string_buffer(16)
+    _lib.EVP_CIPHER_CTX_ctrl(x,_GCM_GTAG,16,tag)
+    _lib.EVP_CIPHER_CTX_free(x)
+    return ct,tag.raw
+
+def _dec(key:bytes,nonce:bytes,ct:bytes,tag:bytes)->bytes:
+    x=_lib.EVP_CIPHER_CTX_new()
+    _lib.EVP_DecryptInit_ex(x,_lib.EVP_aes_256_gcm(),None,None,None)
+    _lib.EVP_CIPHER_CTX_ctrl(x,_GCM_SIVLEN,len(nonce),None)
+    _lib.EVP_DecryptInit_ex(x,None,None,key,nonce)
+    buf=_c.create_string_buffer(len(ct)+16); l=_ci(0)
+    _lib.EVP_DecryptUpdate(x,buf,_c.byref(l),ct,len(ct))
+    pt=buf.raw[:l.value]
+    _lib.EVP_CIPHER_CTX_ctrl(x,_GCM_STAG,16,_c.c_char_p(tag))
+    fin=_c.create_string_buffer(16)
+    ok=_lib.EVP_DecryptFinal_ex(x,fin,_c.byref(l))
+    _lib.EVP_CIPHER_CTX_free(x)
+    if ok<=0: raise ValueError("wrong password or corrupted token")
+    return pt
+
+def _b64e(b:bytes)->bytes: return _b64.urlsafe_b64encode(b).rstrip(b"=")
+def _b64d(b:bytes)->bytes:
+    p=4-len(b)%4
+    return _b64.urlsafe_b64decode(b+(b"="*p if p!=4 else b""))
+
+def _eexp(ms:int)->bytes:
+    return _s.pack(">II",ms>>32,ms&0xFFFFFFFF)
+
+def _dexp(b:bytes)->int:
+    hi,lo=_s.unpack(">II",b); return(hi<<32)|lo
+
+def encrypt(plaintext:str,password:str,*,expires_ms:int|None=None)->str:
+    salt=_o.urandom(_SL); nonce=_o.urandom(_NL)
+    key=_kdf(password.encode(),salt)
+    hx=expires_ms is not None
+    inner=(b"\x01"+_eexp(expires_ms) if hx else b"\x00")+plaintext.encode()
+    ct,tag=_enc(key,nonce,inner)
+    return(_PX1+_b64e(salt+nonce+tag+ct)).decode()
+
+def decrypt(token:str,password:str)->tuple[str,int|None]:
+    tb=token.encode()
+    if not tb.startswith(_PX1): raise ValueError("invalid token format")
+    raw=_b64d(tb[len(_PX1):])
+    if len(raw)<_SL+_NL+_TL+2: raise ValueError("token is too short or malformed")
+    salt=raw[:_SL]; nonce=raw[_SL:_SL+_NL]; tag=raw[_SL+_NL:_SL+_NL+_TL]; ct=raw[_SL+_NL+_TL:]
+    key=_kdf(password.encode(),salt)
+    inner=_dec(key,nonce,ct,tag)
+    if inner[0]==1:
+        exp=_dexp(inner[1:9])
+        if int(_t.time()*1000)>exp: raise ValueError(f"token expired at {exp}")
+        return inner[9:].decode(),exp
+    return inner[1:].decode(),None

rwn64-1.0.0/rwn64/_util.py

@@ -0,0 +1,27 @@
+from __future__ import annotations
+import base64 as _b,hashlib as _h,hmac as _m,os as _o,re as _r,time as _t
+
+def _b64e(b:bytes)->bytes: return _b.urlsafe_b64encode(b).rstrip(b"=")
+def _b64d(b:bytes)->bytes:
+    p=4-len(b)%4; return _b.urlsafe_b64decode(b+(b"="*p if p!=4 else b""))
+
+def fingerprint(text:str,secret:str)->str:
+    return _m.new(secret.encode(),text.encode(),_h.sha256).hexdigest()[:16]
+
+def generate(nbytes:int=24)->str:
+    return _b64e(_o.urandom(nbytes)).decode()
+
+def parse_expiry(raw:str)->int:
+    m=_r.fullmatch(r"(\d+)(s|m|h|d)",raw.strip())
+    if not m: raise ValueError(f'invalid expiry: "{raw}" — use 30s 5m 2h 7d')
+    return int(_t.time()*1000)+int(m.group(1))*{"s":1000,"m":60000,"h":3600000,"d":86400000}[m.group(2)]
+
+def inspect(token:str)->dict:
+    from ._crypto import _b64d,_SL,_NL,_PX1
+    tb=token.encode()
+    if tb.startswith(_PX1):   pfx,ver,algo=_PX1,"v1","AES-256-GCM"
+    elif tb.startswith(b"rwn64:v2:"): pfx,ver,algo=b"rwn64:v2:","v2","ChaCha20-Poly1305"
+    else: raise ValueError("invalid token format")
+    raw=_b64d(tb[len(pfx):])
+    return {"prefix":pfx.decode(),"version":ver,"algo":algo,"kdf":"scrypt (N=16384,r=8,p=1)",
+            "salt_hex":raw[:16].hex(),"nonce_hex":raw[16:28].hex(),"payload_bytes":len(raw)}

rwn64-1.0.0/rwn64.egg-info/PKG-INFO

@@ -0,0 +1,63 @@
+Metadata-Version: 2.4
+Name: rwn64
+Version: 1.0.0
+Summary: AES-256-GCM token encryption — interoperable with Node.js rwn64
+License: MIT
+Project-URL: Homepage, https://github.com/hen76d/rwn64
+Keywords: encryption,aes-256-gcm,crypto,token
+Requires-Python: >=3.6
+Description-Content-Type: text/markdown
+
+# rwn64
+
+AES-256-GCM token encryption for Python. Zero dependencies. Tokens are fully interoperable with the [Node.js rwn64 package](https://www.npmjs.com/package/rwn64).
+
+```sh
+pip install rwn64
+```
+
+---
+
+## Usage
+
+```python
+import rwn64
+
+token = rwn64.encrypt("my secret", "mypassword")
+text  = rwn64.decrypt(token, "mypassword")
+ok    = rwn64.verify(token, "mypassword")
+fp    = rwn64.fingerprint("hello", "secret")
+pw    = rwn64.generate(32)
+meta  = rwn64.inspect(token)
+```
+
+## Expiry
+
+```python
+token = rwn64.encrypt("temporary", "mypassword", expires="1h")
+token = rwn64.encrypt("temporary", "mypassword", expires="30m")
+token = rwn64.encrypt("temporary", "mypassword", expires="7d")
+```
+
+## Node.js interoperability
+
+```python
+# decrypt a token generated by Node.js rwn64 (v1 tokens)
+text = rwn64.decrypt("rwn64:v1:...", "mypassword")
+
+# generate in Python, decrypt in Node.js
+token = rwn64.encrypt("hello", "mypassword")
+# → rwn64 denc 'token' -sw mypassword
+```
+
+## Security
+
+- AES-256-GCM authenticated encryption
+- scrypt key derivation (N=16384, r=8, p=1)
+- Random salt + nonce per token
+- Auth tag detects tampering before decryption
+- Zero external dependencies
+
+## License
+
+MIT

rwn64-1.0.0/rwn64.egg-info/SOURCES.txt

@@ -0,0 +1,10 @@
+README.md
+pyproject.toml
+rwn64/__init__.py
+rwn64/_crypto.py
+rwn64/_util.py
+rwn64.egg-info/PKG-INFO
+rwn64.egg-info/SOURCES.txt
+rwn64.egg-info/dependency_links.txt
+rwn64.egg-info/top_level.txt
+tests/test_rwn64.py

rwn64-1.0.0/rwn64.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

rwn64-1.0.0/rwn64.egg-info/top_level.txt

@@ -0,0 +1 @@
+rwn64

rwn64-1.0.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

rwn64-1.0.0/tests/test_rwn64.py

@@ -0,0 +1,91 @@
+import sys,os,time
+sys.path.insert(0,os.path.join(os.path.dirname(__file__),".."))
+import rwn64
+
+_G="\x1b[32m✔\x1b[0m"; _R="\x1b[31m✘\x1b[0m"
+_H="\x1b[1m\x1b[38;5;252m"; _D="\x1b[38;5;245m"; _E="\x1b[0m"
+_p=_f=0
+
+def _head(t): print(f"\n{_H}{t}{_E}")
+def _assert(c,m="assertion failed"):
+    if not c: raise AssertionError(m)
+
+def test(label,fn):
+    global _p,_f
+    try:    fn(); print(f"  {_G}  {label}"); _p+=1
+    except Exception as e: print(f"  {_R}  {label}\n     {_D}{e}{_E}"); _f+=1
+
+_head("encrypt / decrypt")
+test("returns rwn64:v1: token",          lambda:_assert(rwn64.encrypt("hi","pw").startswith("rwn64:v1:")))
+test("roundtrip plaintext",              lambda:_assert(rwn64.decrypt(rwn64.encrypt("secret","pw"),"pw")=="secret"))
+test("unique tokens per call",           lambda:_assert(rwn64.encrypt("x","pw")!=rwn64.encrypt("x","pw")))
+test("unicode roundtrip",                lambda:_assert(rwn64.decrypt(rwn64.encrypt("日本語 ñ @#$","pw"),"pw")=="日本語 ñ @#$"))
+test("10 KB roundtrip",                  lambda:_assert(rwn64.decrypt(rwn64.encrypt("x"*10240,"pw"),"pw")=="x"*10240))
+
+_head("wrong password / tampered")
+def _t6():
+    tok=rwn64.encrypt("secret","correct")
+    try: rwn64.decrypt(tok,"wrong"); raise AssertionError("should raise")
+    except ValueError: pass
+test("wrong password raises",_t6)
+
+def _t7():
+    tok=rwn64.encrypt("secret","pw")
+    try: rwn64.decrypt(tok[:-6]+"AAAAAA","pw"); raise AssertionError("should raise")
+    except Exception: pass
+test("tampered token raises",_t7)
+
+def _t8():
+    try: rwn64.decrypt("notatoken","pw"); raise AssertionError("should raise")
+    except Exception: pass
+test("invalid format raises",_t8)
+
+_head("verify")
+test("valid token → True",   lambda:_assert(rwn64.verify(rwn64.encrypt("x","pw"),"pw") is True))
+test("wrong password → False",lambda:_assert(rwn64.verify(rwn64.encrypt("x","pw"),"bad") is False))
+test("garbage → False",       lambda:_assert(rwn64.verify("garbage","pw") is False))
+
+_head("expiry")
+test("no expiry decrypts",    lambda:_assert(rwn64.decrypt(rwn64.encrypt("x","pw"),"pw")=="x"))
+test("future expiry decrypts",lambda:_assert(rwn64.decrypt(rwn64.encrypt("x","pw",expires_ms=int(time.time()*1000)+60000),"pw")=="x"))
+test("expires= string (1h)",  lambda:_assert(rwn64.decrypt(rwn64.encrypt("x","pw",expires="1h"),"pw")=="x"))
+
+def _t13():
+    tok=rwn64.encrypt("x","pw",expires_ms=int(time.time()*1000)+100)
+    time.sleep(0.2)
+    try: rwn64.decrypt(tok,"pw"); raise AssertionError("should raise")
+    except ValueError as e: _assert("expired" in str(e).lower())
+test("expired token raises",_t13)
+
+_head("fingerprint")
+test("deterministic",         lambda:_assert(rwn64.fingerprint("hi","s")==rwn64.fingerprint("hi","s")))
+test("different input differs",lambda:_assert(rwn64.fingerprint("a","s")!=rwn64.fingerprint("b","s")))
+test("16 hex chars",          lambda:_assert(len(rwn64.fingerprint("x","s"))==16))
+
+_head("generate")
+test("non-empty string",      lambda:_assert(isinstance(rwn64.generate(),str) and len(rwn64.generate())>0))
+test("unique values",         lambda:_assert(rwn64.generate()!=rwn64.generate()))
+
+_head("inspect")
+def _t_ins():
+    m=rwn64.inspect(rwn64.encrypt("x","pw"))
+    _assert(m["version"]=="v1")
+    _assert(m["algo"]=="AES-256-GCM")
+    _assert(m["prefix"]=="rwn64:v1:")
+test("inspect metadata",_t_ins)
+
+_head("node interoperability")
+_TOK ="rwn64:v1:IaQVjP7tITZRERd-MWZBpxGMdo432gsidiGNlK9vZFSt-Vqhs2ioZt4dFykhmciisVa9a07VY0M"
+_PASS="minhasenha"
+_TXT ="old v1 text"
+test("decrypt Node.js token", lambda:_assert(rwn64.decrypt(_TOK,_PASS)==_TXT))
+test("Python token is valid", lambda:_assert(rwn64.decrypt(rwn64.encrypt(_TXT,_PASS),_PASS)==_TXT))
+
+total=_p+_f
+print(f"\n{_D}{'─'*48}{_E}\n")
+print(f"  total   {total}")
+print(f"  \x1b[32mpassed  {_p}\x1b[0m")
+if _f: print(f"  \x1b[31mfailed  {_f}\x1b[0m")
+print()
+if not _f: print(f"  \x1b[32m\x1b[1mall tests passed\x1b[0m\n")
+else:      print(f"  \x1b[31m\x1b[1m{_f} test(s) failed\x1b[0m\n"); sys.exit(1)