wirekx 0.1.0__tar.gz

wirekx-0.1.0/.github/workflows/publish.yml

@@ -0,0 +1,27 @@
+name: Publish to PyPI
+on:
+  release:
+    types: [published]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with: { python-version: "3.12" }
+      - run: pip install build
+      - run: python -m build
+      - uses: actions/upload-artifact@v4
+        with: { name: dist, path: dist/ }
+
+  publish:
+    needs: build
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write        # required for OIDC trusted publishing
+    steps:
+      - uses: actions/download-artifact@v4
+        with: { name: dist, path: dist/ }
+      - uses: pypa/gh-action-pypi-publish@release/v1

wirekx-0.1.0/.github/workflows/tests.yml

@@ -0,0 +1,26 @@
+name: tests
+
+on:
+  pull_request:
+  push:
+    branches: ["main"]
+
+jobs:
+  pytest:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install
+        run: python -m pip install -e ".[dev]"
+
+      - name: Test
+        run: python -m pytest

wirekx-0.1.0/.gitignore

@@ -0,0 +1,11 @@
+__pycache__/
+*.py[cod]
+.venv/
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+dist/
+build/
+*.egg-info/
+.DS_Store
+pub_pypi/

wirekx-0.1.0/CONTRIBUTING.md

@@ -0,0 +1,26 @@
+# Contributing
+
+Thanks for considering a contribution to wirekx.
+
+## Development setup
+
+```bash
+python3 -m venv .venv
+.venv/bin/python -m pip install -e ".[dev]"
+```
+
+## Tests
+
+```bash
+.venv/bin/python -m pytest
+```
+
+## Security scope
+
+wirekx v1 anonymous mode is experimental and opportunistic. It does not
+authenticate peers and is not production-ready. Please do not submit changes
+that describe v1 anonymous mode as a replacement for TLS, mTLS, service mesh
+security, or audited production cryptography.
+
+Security improvements are welcome, especially authenticated modes, replay
+protection, and well-tested payload encryption APIs.

wirekx-0.1.0/LICENSE

@@ -0,0 +1,185 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction, and
+distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by the copyright
+owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all other entities
+that control, are controlled by, or are under common control with that entity.
+For the purposes of this definition, "control" means (i) the power, direct or
+indirect, to cause the direction or management of such entity, whether by
+contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the
+outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity exercising
+permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications, including
+but not limited to software source code, documentation source, and configuration
+files.
+
+"Object" form shall mean any form resulting from mechanical transformation or
+translation of a Source form, including but not limited to compiled object code,
+generated documentation, and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or Object form,
+made available under the License, as indicated by a copyright notice that is
+included in or attached to the work (an example is provided in the Appendix
+below).
+
+"Derivative Works" shall mean any work, whether in Source or Object form, that
+is based on (or derived from) the Work and for which the editorial revisions,
+annotations, elaborations, or other modifications represent, as a whole, an
+original work of authorship. For the purposes of this License, Derivative Works
+shall not include works that remain separable from, or merely link (or bind by
+name) to the interfaces of, the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including the original version
+of the Work and any modifications or additions to that Work or Derivative Works
+thereof, that is intentionally submitted to Licensor for inclusion in the Work
+by the copyright owner or by an individual or Legal Entity authorized to submit
+on behalf of the copyright owner. For the purposes of this definition,
+"submitted" means any form of electronic, verbal, or written communication sent
+to the Licensor or its representatives, including but not limited to
+communication on electronic mailing lists, source code control systems, and
+issue tracking systems that are managed by, or on behalf of, the Licensor for
+the purpose of discussing and improving the Work, but excluding communication
+that is conspicuously marked or otherwise designated in writing by the copyright
+owner as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity on behalf
+of whom a Contribution has been received by Licensor and subsequently
+incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of this
+License, each Contributor hereby grants to You a perpetual, worldwide,
+non-exclusive, no-charge, royalty-free, irrevocable copyright license to
+reproduce, prepare Derivative Works of, publicly display, publicly perform,
+sublicense, and distribute the Work and such Derivative Works in Source or
+Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of this License,
+each Contributor hereby grants to You a perpetual, worldwide, non-exclusive,
+no-charge, royalty-free, irrevocable (except as stated in this section) patent
+license to make, have made, use, offer to sell, sell, import, and otherwise
+transfer the Work, where such license applies only to those patent claims
+licensable by such Contributor that are necessarily infringed by their
+Contribution(s) alone or by combination of their Contribution(s) with the Work
+to which such Contribution(s) was submitted. If You institute patent litigation
+against any entity (including a cross-claim or counterclaim in a lawsuit)
+alleging that the Work or a Contribution incorporated within the Work
+constitutes direct or contributory patent infringement, then any patent licenses
+granted to You under this License for that Work shall terminate as of the date
+such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the Work or
+Derivative Works thereof in any medium, with or without modifications, and in
+Source or Object form, provided that You meet the following conditions:
+
+   (a) You must give any other recipients of the Work or Derivative Works a copy
+       of this License; and
+
+   (b) You must cause any modified files to carry prominent notices stating that
+       You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works that You
+       distribute, all copyright, patent, trademark, and attribution notices
+       from the Source form of the Work, excluding those notices that do not
+       pertain to any part of the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its distribution,
+       then any Derivative Works that You distribute must include a readable copy
+       of the attribution notices contained within such NOTICE file, excluding
+       those notices that do not pertain to any part of the Derivative Works, in
+       at least one of the following places: within a NOTICE text file
+       distributed as part of the Derivative Works; within the Source form or
+       documentation, if provided along with the Derivative Works; or, within a
+       display generated by the Derivative Works, if and wherever such
+       third-party notices normally appear. The contents of the NOTICE file are
+       for informational purposes only and do not modify the License. You may add
+       Your own attribution notices within Derivative Works that You distribute,
+       alongside or as an addendum to the NOTICE text from the Work, provided
+       that such additional attribution notices cannot be construed as modifying
+       the License.
+
+You may add Your own copyright statement to Your modifications and may provide
+additional or different license terms and conditions for use, reproduction, or
+distribution of Your modifications, or for any such Derivative Works as a whole,
+provided Your use, reproduction, and distribution of the Work otherwise complies
+with the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise, any
+Contribution intentionally submitted for inclusion in the Work by You to the
+Licensor shall be under the terms and conditions of this License, without any
+additional terms or conditions. Notwithstanding the above, nothing herein shall
+supersede or modify the terms of any separate license agreement you may have
+executed with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade names,
+trademarks, service marks, or product names of the Licensor, except as required
+for reasonable and customary use in describing the origin of the Work and
+reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or agreed to in
+writing, Licensor provides the Work (and each Contributor provides its
+Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied, including, without limitation, any warranties or
+conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+PARTICULAR PURPOSE. You are solely responsible for determining the
+appropriateness of using or redistributing the Work and assume any risks
+associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory, whether in
+tort (including negligence), contract, or otherwise, unless required by
+applicable law (such as deliberate and grossly negligent acts) or agreed to in
+writing, shall any Contributor be liable to You for damages, including any
+direct, indirect, special, incidental, or consequential damages of any character
+arising as a result of this License or out of the use or inability to use the
+Work (including but not limited to damages for loss of goodwill, work stoppage,
+computer failure or malfunction, or any and all other commercial damages or
+losses), even if such Contributor has been advised of the possibility of such
+damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing the Work or
+Derivative Works thereof, You may choose to offer, and charge a fee for,
+acceptance of support, warranty, indemnity, or other liability obligations
+and/or rights consistent with this License. However, in accepting such
+obligations, You may act only on Your own behalf and on Your sole
+responsibility, not on behalf of any other Contributor, and only if You agree to
+indemnify, defend, and hold each Contributor harmless for any liability incurred
+by, or claims asserted against, such Contributor by reason of your accepting any
+such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+To apply the Apache License to your work, attach the following boilerplate
+notice, with the fields enclosed by brackets "[]" replaced with your own
+identifying information. Do not include the brackets. The text should be
+enclosed in the appropriate comment syntax for the file format. We also
+recommend that a file or class name and description of purpose be included on
+the same "printed page" as the copyright notice for easier identification
+within third-party archives.
+
+   Copyright 2026 wirekx contributors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+   WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+   License for the specific language governing permissions and limitations under
+   the License.

wirekx-0.1.0/NOTICE

@@ -0,0 +1,7 @@
+wirekx
+Copyright 2026 wirekx contributors
+
+This product includes wirekx, an anonymous X25519 key exchange
+library and wire format.
+
+Project: https://github.com/wirekx/wirekx

wirekx-0.1.0/PKG-INFO

@@ -0,0 +1,202 @@
+Metadata-Version: 2.4
+Name: wirekx
+Version: 0.1.0
+Summary: Experimental anonymous X25519 key exchange wire format.
+Project-URL: Homepage, https://github.com/wirekx/wirekx
+Project-URL: Repository, https://github.com/wirekx/wirekx
+Project-URL: Issues, https://github.com/wirekx/wirekx/issues
+Author: wirekx contributors
+License: Apache-2.0
+License-File: LICENSE
+License-File: NOTICE
+Keywords: cryptography,experimental,key-exchange,x25519
+Classifier: Development Status :: 2 - Pre-Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security :: Cryptography
+Requires-Python: >=3.11
+Requires-Dist: cryptography>=49.0.0
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+```text
+  *   *      __        __  ___  ____   _____  _  __ __  __
+   \ /       \ \      / / |_ _||  _ \ | ____|| |/ / \ \/ /
+ ^/ | \^      \ \ /\ / /   | | | |_) ||  _|  | ' /   \  /
+ | o:1 |       \ V  V /    | | |  _ < | |___ | . \   /  \
+-| 1:o |-       \_/\_/    |___||_| \_\|_____||_|\_\ /_/\_\
+/ \_|_/ \
+```
+
+Python library and wire format for anonymous X25519 key exchange.
+
+> **wirekx v1 performs the following:**
+>
+> - Opportunistic key agreement for anonymous handshake
+>
+> **V1 caveat:** Since this is an anonymous handshake, MITM is undetectable.
+>
+> **Use cases:**
+>
+> - Derive symmetric key for payload encryption between trusted services
+>
+> **Future releases:**
+>
+> - publicCA validation for anonymous handshake
+> - Pre-shared fingerprint validation
+> - Quantum-safe encryption
+
+## Install for development
+
+```bash
+python3 -m venv .venv
+.venv/bin/python -m pip install -e ".[dev]"
+```
+
+Run the manual example:
+
+```bash
+.venv/bin/python testrun.py
+```
+
+Run tests:
+
+```bash
+.venv/bin/python -m pytest
+```
+
+Use as a library:
+
+```python
+from wirekx import InitiatorHandshake, ResponderHandshake
+
+initiator = InitiatorHandshake()
+responder = ResponderHandshake()
+
+hello = initiator.create_hello()
+responder.receive_hello(hello)
+
+hello_back = responder.create_hello_back()
+initiator.receive_hello_back(hello_back)
+
+initiator_confirm = initiator.create_confirm()
+responder.receive_confirm(initiator_confirm)
+
+responder_confirm = responder.create_confirm()
+initiator.receive_confirm(responder_confirm)
+
+result = initiator.result()
+print(result.symmetric_key.hex())
+```
+
+## Open source contribution flow
+
+1. Fork the repository on GitHub.
+2. Create a branch for your change.
+3. Install development dependencies with `.venv/bin/python -m pip install -e ".[dev]"`.
+4. Add or update tests in `tests/`.
+5. Run `.venv/bin/python -m pytest`.
+6. Open a pull request.
+
+## License
+
+wirekx is licensed under the Apache License, Version 2.0. See `LICENSE`.
+
+Redistributions should preserve the attribution notices in `NOTICE`. If you use
+wirekx in a public project, a README or documentation mention is appreciated.
+
+## wirekx wire format (v1, anonymous mode)
+
+Two parties run a handshake and end up holding the same 32-byte symmetric key.
+This document specifies the bytes that go on the wire.
+
+## Envelope
+
+Every message starts with a 4-byte header followed by its payload.
+
+```
+┌─────────┬──────────┬─────────────┬──────────────┐
+│ version │ msg_type │ payload_len │   payload    │
+│ 1 byte  │  1 byte  │  2 bytes BE │ payload_len  │
+└─────────┴──────────┴─────────────┴──────────────┘
+```
+
+`version` = `0x01`. Multi-byte integers are big-endian.
+
+## Messages
+
+| Code   | Name         | From      | Payload                           |
+|--------|--------------|-----------|-----------------------------------|
+| `0x01` | `HELLO`      | initiator | `eph_pub_a` (32) + `nonce_a` (32) |
+| `0x02` | `HELLO_BACK` | responder | `eph_pub_b` (32) + `nonce_b` (32) |
+| `0x03` | `CONFIRM`    | both      | `verify_data` (32)                |
+
+`eph_pub_*` is an X25519 public key. `nonce_*` is 32 random bytes.
+
+## Cryptography
+
+```
+shared_secret  = X25519(own_eph_priv, peer_eph_pub)
+
+symmetric_key  = HKDF-SHA256(
+    ikm    = shared_secret,
+    salt   = nonce_a || nonce_b,
+    info   = "wirekx v1 session key",
+    length = 32)
+
+transcript     = SHA-256(HELLO_bytes || HELLO_BACK_bytes)
+
+verify_data    = HMAC-SHA256(
+    key  = symmetric_key,
+    data = "wirekx v1 <role> confirm" || transcript)
+```
+
+`<role>` is `initiator` or `responder` depending on who sent the `CONFIRM`.
+Compare received `verify_data` with constant-time equality. Mismatch = abort.
+
+## Flow
+
+```
+initiator                              responder
+    │                                       │
+    │   HELLO  (eph_pub_a, nonce_a)         │
+    │ ────────────────────────────────────► │
+    │                                       │
+    │   HELLO_BACK  (eph_pub_b, nonce_b)    │
+    │ ◄──────────────────────────────────── │
+    │                                       │
+    │   derive symmetric_key, transcript    │
+    │   CONFIRM  (verify_data_initiator)    │
+    │ ────────────────────────────────────► │
+    │                                       │
+    │                                       │   verify, then:
+    │   CONFIRM  (verify_data_responder)    │
+    │ ◄──────────────────────────────────── │
+    │                                       │
+    │   verify                              │
+    │   COMPLETE                            │   COMPLETE
+```
+
+On any malformed message, unexpected type, or verification mismatch: abort,
+discard state, do not return the key.
+
+## Output
+
+After both `CONFIRM` messages verify, return to the caller:
+
+- `symmetric_key` — 32 bytes
+- `transcript_hash` — 32 bytes
+- `protection_level` = `"opportunistic"`
+- `peer_identity` = `null`
+
+## Notes
+
+- `transcript_hash` is unique per handshake.
+- Possible values for `protection_level` are `"opportunistic"` and `"authenticated"`. Opportunistic means anonymous players, active MITM is undetectable. Authenticated means you have verified peer's identity by exchanging certificate via an external channel.
+- Ephemeral keys are fresh per handshake and discarded after use.
+- No version negotiation. Different versions cannot interoperate.
+- Authenticated modes (`fingerprint`, `shared`, `publicCA`) will be built in future.

wirekx-0.1.0/README.md

@@ -0,0 +1,177 @@
+```text
+  *   *      __        __  ___  ____   _____  _  __ __  __
+   \ /       \ \      / / |_ _||  _ \ | ____|| |/ / \ \/ /
+ ^/ | \^      \ \ /\ / /   | | | |_) ||  _|  | ' /   \  /
+ | o:1 |       \ V  V /    | | |  _ < | |___ | . \   /  \
+-| 1:o |-       \_/\_/    |___||_| \_\|_____||_|\_\ /_/\_\
+/ \_|_/ \
+```
+
+Python library and wire format for anonymous X25519 key exchange.
+
+> **wirekx v1 performs the following:**
+>
+> - Opportunistic key agreement for anonymous handshake
+>
+> **V1 caveat:** Since this is an anonymous handshake, MITM is undetectable.
+>
+> **Use cases:**
+>
+> - Derive symmetric key for payload encryption between trusted services
+>
+> **Future releases:**
+>
+> - publicCA validation for anonymous handshake
+> - Pre-shared fingerprint validation
+> - Quantum-safe encryption
+
+## Install for development
+
+```bash
+python3 -m venv .venv
+.venv/bin/python -m pip install -e ".[dev]"
+```
+
+Run the manual example:
+
+```bash
+.venv/bin/python testrun.py
+```
+
+Run tests:
+
+```bash
+.venv/bin/python -m pytest
+```
+
+Use as a library:
+
+```python
+from wirekx import InitiatorHandshake, ResponderHandshake
+
+initiator = InitiatorHandshake()
+responder = ResponderHandshake()
+
+hello = initiator.create_hello()
+responder.receive_hello(hello)
+
+hello_back = responder.create_hello_back()
+initiator.receive_hello_back(hello_back)
+
+initiator_confirm = initiator.create_confirm()
+responder.receive_confirm(initiator_confirm)
+
+responder_confirm = responder.create_confirm()
+initiator.receive_confirm(responder_confirm)
+
+result = initiator.result()
+print(result.symmetric_key.hex())
+```
+
+## Open source contribution flow
+
+1. Fork the repository on GitHub.
+2. Create a branch for your change.
+3. Install development dependencies with `.venv/bin/python -m pip install -e ".[dev]"`.
+4. Add or update tests in `tests/`.
+5. Run `.venv/bin/python -m pytest`.
+6. Open a pull request.
+
+## License
+
+wirekx is licensed under the Apache License, Version 2.0. See `LICENSE`.
+
+Redistributions should preserve the attribution notices in `NOTICE`. If you use
+wirekx in a public project, a README or documentation mention is appreciated.
+
+## wirekx wire format (v1, anonymous mode)
+
+Two parties run a handshake and end up holding the same 32-byte symmetric key.
+This document specifies the bytes that go on the wire.
+
+## Envelope
+
+Every message starts with a 4-byte header followed by its payload.
+
+```
+┌─────────┬──────────┬─────────────┬──────────────┐
+│ version │ msg_type │ payload_len │   payload    │
+│ 1 byte  │  1 byte  │  2 bytes BE │ payload_len  │
+└─────────┴──────────┴─────────────┴──────────────┘
+```
+
+`version` = `0x01`. Multi-byte integers are big-endian.
+
+## Messages
+
+| Code   | Name         | From      | Payload                           |
+|--------|--------------|-----------|-----------------------------------|
+| `0x01` | `HELLO`      | initiator | `eph_pub_a` (32) + `nonce_a` (32) |
+| `0x02` | `HELLO_BACK` | responder | `eph_pub_b` (32) + `nonce_b` (32) |
+| `0x03` | `CONFIRM`    | both      | `verify_data` (32)                |
+
+`eph_pub_*` is an X25519 public key. `nonce_*` is 32 random bytes.
+
+## Cryptography
+
+```
+shared_secret  = X25519(own_eph_priv, peer_eph_pub)
+
+symmetric_key  = HKDF-SHA256(
+    ikm    = shared_secret,
+    salt   = nonce_a || nonce_b,
+    info   = "wirekx v1 session key",
+    length = 32)
+
+transcript     = SHA-256(HELLO_bytes || HELLO_BACK_bytes)
+
+verify_data    = HMAC-SHA256(
+    key  = symmetric_key,
+    data = "wirekx v1 <role> confirm" || transcript)
+```
+
+`<role>` is `initiator` or `responder` depending on who sent the `CONFIRM`.
+Compare received `verify_data` with constant-time equality. Mismatch = abort.
+
+## Flow
+
+```
+initiator                              responder
+    │                                       │
+    │   HELLO  (eph_pub_a, nonce_a)         │
+    │ ────────────────────────────────────► │
+    │                                       │
+    │   HELLO_BACK  (eph_pub_b, nonce_b)    │
+    │ ◄──────────────────────────────────── │
+    │                                       │
+    │   derive symmetric_key, transcript    │
+    │   CONFIRM  (verify_data_initiator)    │
+    │ ────────────────────────────────────► │
+    │                                       │
+    │                                       │   verify, then:
+    │   CONFIRM  (verify_data_responder)    │
+    │ ◄──────────────────────────────────── │
+    │                                       │
+    │   verify                              │
+    │   COMPLETE                            │   COMPLETE
+```
+
+On any malformed message, unexpected type, or verification mismatch: abort,
+discard state, do not return the key.
+
+## Output
+
+After both `CONFIRM` messages verify, return to the caller:
+
+- `symmetric_key` — 32 bytes
+- `transcript_hash` — 32 bytes
+- `protection_level` = `"opportunistic"`
+- `peer_identity` = `null`
+
+## Notes
+
+- `transcript_hash` is unique per handshake.
+- Possible values for `protection_level` are `"opportunistic"` and `"authenticated"`. Opportunistic means anonymous players, active MITM is undetectable. Authenticated means you have verified peer's identity by exchanging certificate via an external channel.
+- Ephemeral keys are fresh per handshake and discarded after use.
+- No version negotiation. Different versions cannot interoperate.
+- Authenticated modes (`fingerprint`, `shared`, `publicCA`) will be built in future.