Key storage
This module provides classes for the storage of asymmetric key pairs.
Keystore
Each of these key storages theoretically belongs to a single user.
- wacryptolib.keystore.load_keystore_metadata(keystore_dir)
Return the authenticator metadata dict stored in the given folder, after validating its format.
Raises KeystoreMetadataDoesNotExist if no metadata file is present.
Raises SchemaValidationError if keystore appears initialized, but has corrupted metadata.
- Return type:
dict
- class wacryptolib.keystore.InMemoryKeystore
Bases:
KeystoreReadWriteBase
Dummy key storage for use in tests, where keys are kepts only process-locally.
NOT MEANT TO BE THREAD-SAFE
- add_free_keypair(*, key_algo, public_key, private_key)
Store a pair of asymmetric keys into storage, free for subsequent attachment to an UUID.
- Parameters:
key_algo (
str
) -- one of SUPPORTED_ASYMMETRIC_KEY_ALGOSpublic_key (
bytes
) -- public key in clear PEM formatprivate_key (
bytes
) -- private key in PEM format (potentially encrypted)
- Return type:
None
- attach_free_keypair_to_uuid(*, keychain_uid, key_algo)
Fetch one of the free keypairs of storage of type key_algo, and attach it to UUID keychain_uid.
If no free keypair is available, a KeyDoesNotExist is raised.
- Parameters:
keychain_uid (
UUID
) -- unique ID of the keychainkey_algo (
str
) -- one of SUPPORTED_ASYMMETRIC_KEY_ALGOS
- Return type:
None
- Returns:
public key of the keypair, in clear PEM format
- get_free_keypairs_count(key_algo)
Calculate the count of keypairs of type key_algo which are free for subsequent attachment to an UUID.
- Parameters:
key_algo (
str
) -- one of SUPPORTED_ASYMMETRIC_KEY_ALGOS- Return type:
int
- Returns:
count of free keypairs of said type
- get_private_key(*, keychain_uid, key_algo)
Fetch a private key from persistent storage.
- Parameters:
keychain_uid (
UUID
) -- unique ID of the keychainkey_algo (
str
) -- one of SUPPORTED_ASYMMETRIC_KEY_ALGOS
- Return type:
bytes
- Returns:
private key in PEM format (potentially passphrase-protected), or raise KeyDoesNotExist
- get_public_key(*, keychain_uid, key_algo)
Fetch a public key from persistent storage.
- Parameters:
keychain_uid (
UUID
) -- unique ID of the keychainkey_algo (
str
) -- one of SUPPORTED_ASYMMETRIC_KEY_ALGOS
- Return type:
bytes
- Returns:
public key in clear PEM format, or raise KeyDoesNotExist
- list_keypair_identifiers()
List identifiers of PUBLIC keys present in the storage, along with their potential private key existence.
Might raise an OperationNotSupported exception if not supported by this keystore.
- Return type:
list
- Returns:
a SORTED list of key information dicts with standard fields "keychain_uid" and "key_algo", as well as a boolean "private_key_present" which is True if the related private key exists in storage. Sorting is done by keychain_uid and then key_algo.
- set_keypair(*, keychain_uid, key_algo, public_key, private_key)
Store a pair of asymmetric keys into storage, attached to a specific UUID.
Must raise a KeyAlreadyExists exception if a public/private key already exists for these uid/type identifiers.
- Parameters:
keychain_uid (
UUID
) -- unique ID of the keychainkey_algo (
str
) -- one of SUPPORTED_ASYMMETRIC_KEY_ALGOSpublic_key (
bytes
) -- public key in clear PEM formatprivate_key (
bytes
) -- private key in PEM format (potentially encrypted)
- Return type:
None
- set_private_key(*, keychain_uid, key_algo, private_key)
Store a private key, which must not already exist - else a KeyAlreadyExists is raised.
Important : the PUBLIC key for this private key must already exist in the keystore, else KeyDoesNotExist is raised.
- Parameters:
keychain_uid -- unique ID of the keychain
key_algo -- one of SUPPORTED_ASYMMETRIC_KEY_ALGOS
private_key (
bytes
) -- private key in PEM format (potentially encrypted)
- Return type:
None
- set_public_key(*, keychain_uid, key_algo, public_key)
Store a public key, which must not already exist - else KeyAlreadyExists is raised.
- Parameters:
keychain_uid -- unique ID of the keychain
key_algo -- one of SUPPORTED_ASYMMETRIC_KEY_ALGOS
public_key (
bytes
) -- public key in clear PEM format
- Return type:
None
- class wacryptolib.keystore.FilesystemKeystore(keys_dir)
Bases:
ReadonlyFilesystemKeystore
,KeystoreReadWriteBase
Filesystem-based key storage.
Protected by a process-wide lock, but not safe to use in multiprocessing environment, or in a process which can be brutally shutdown. To prevent corruption, caller should only persist UUIDs when the key storage operation is successfully finished.
- add_free_keypair(*, key_algo, public_key, private_key)
Store a pair of asymmetric keys into storage, free for subsequent attachment to an UUID.
- Parameters:
key_algo (
str
) -- one of SUPPORTED_ASYMMETRIC_KEY_ALGOSpublic_key (
bytes
) -- public key in clear PEM formatprivate_key (
bytes
) -- private key in PEM format (potentially encrypted)
- Return type:
None
- attach_free_keypair_to_uuid(*, keychain_uid, key_algo)
Fetch one of the free keypairs of storage of type key_algo, and attach it to UUID keychain_uid.
If no free keypair is available, a KeyDoesNotExist is raised.
- Parameters:
keychain_uid (
UUID
) -- unique ID of the keychainkey_algo (
str
) -- one of SUPPORTED_ASYMMETRIC_KEY_ALGOS
- Return type:
None
- Returns:
public key of the keypair, in clear PEM format
- export_to_keystore_tree(include_private_keys=True)
Export keystore metadata and keys (public and, if include_private_keys is true, private) to a data tree.
- get_free_keypairs_count(key_algo)
Calculate the count of keypairs of type key_algo which are free for subsequent attachment to an UUID.
- Parameters:
key_algo (
str
) -- one of SUPPORTED_ASYMMETRIC_KEY_ALGOS- Return type:
int
- Returns:
count of free keypairs of said type
- get_keystore_metadata(include_keypair_identifiers=False)
Return a metadata dict for the filesystem keystore, or raise KeystoreMetadataDoesNotExist.
- get_private_key(*, keychain_uid, key_algo)
Fetch a private key from persistent storage.
- Parameters:
keychain_uid (
UUID
) -- unique ID of the keychainkey_algo (
str
) -- one of SUPPORTED_ASYMMETRIC_KEY_ALGOS
- Return type:
bytes
- Returns:
private key in PEM format (potentially passphrase-protected), or raise KeyDoesNotExist
- get_public_key(*, keychain_uid, key_algo)
Fetch a public key from persistent storage.
- Parameters:
keychain_uid (
UUID
) -- unique ID of the keychainkey_algo (
str
) -- one of SUPPORTED_ASYMMETRIC_KEY_ALGOS
- Return type:
bytes
- Returns:
public key in clear PEM format, or raise KeyDoesNotExist
- import_from_keystore_tree(keystore_tree)
Import keystore metadata and keys (public and, if included, private) fom a data tree.
If keystore already exists, it is completed with new keys, but metadata are untouched.
Returns True if and only if keystore was updated instead of created.
- Return type:
bool
- list_keypair_identifiers()
List identifiers of PUBLIC keys present in the storage, along with their potential private key existence.
Might raise an OperationNotSupported exception if not supported by this keystore.
- Return type:
list
- Returns:
a SORTED list of key information dicts with standard fields "keychain_uid" and "key_algo", as well as a boolean "private_key_present" which is True if the related private key exists in storage. Sorting is done by keychain_uid and then key_algo.
- set_keypair(*, keychain_uid, key_algo, public_key, private_key)
Store a pair of asymmetric keys into storage, attached to a specific UUID.
Must raise a KeyAlreadyExists exception if a public/private key already exists for these uid/type identifiers.
- Parameters:
keychain_uid (
UUID
) -- unique ID of the keychainkey_algo (
str
) -- one of SUPPORTED_ASYMMETRIC_KEY_ALGOSpublic_key (
bytes
) -- public key in clear PEM formatprivate_key (
bytes
) -- private key in PEM format (potentially encrypted)
- Return type:
None
- set_private_key(*, keychain_uid, key_algo, private_key)
Store a private key, which must not already exist - else a KeyAlreadyExists is raised.
Important : the PUBLIC key for this private key must already exist in the keystore, else KeyDoesNotExist is raised.
- Parameters:
keychain_uid -- unique ID of the keychain
key_algo -- one of SUPPORTED_ASYMMETRIC_KEY_ALGOS
private_key (
bytes
) -- private key in PEM format (potentially encrypted)
- Return type:
None
- set_public_key(*, keychain_uid, key_algo, public_key)
Store a public key, which must not already exist - else KeyAlreadyExists is raised.
- Parameters:
keychain_uid -- unique ID of the keychain
key_algo -- one of SUPPORTED_ASYMMETRIC_KEY_ALGOS
public_key (
bytes
) -- public key in clear PEM format
- Return type:
None
Keystore pools
These combine local and imported key storages under a single interface.
- class wacryptolib.keystore.InMemoryKeystorePool
Bases:
KeystorePoolBase
Dummy key storage pool for use in tests, where keys are kepts only process-locally.
NOT MEANT TO BE THREAD-SAFE
- class wacryptolib.keystore.FilesystemKeystorePool(root_dir)
Bases:
KeystorePoolBase
This class handles a set of locally stored key storages.
The local storage represents the current device/owner, and is expected to be used by read-write trustees, whereas imported key storages are supposed to be readonly, and only filled with keypairs imported from key-devices.
- export_foreign_keystore_to_keystore_tree(keystore_uid, include_private_keys=True)
Exports data tree from the keystore targeted by keystore_uid.
- get_all_foreign_keystore_metadata(include_keypair_identifiers=False)
Return a dict mapping key storage UUIDs to the dicts of their metadata.
Raises if any metadata loading fails.
- Return type:
dict
- get_foreign_keystore(keystore_uid, writable=False)
The selected storage MUST exist, else a KeystoreDoesNotExist is raised.
- get_foreign_keystore_metadata(keystore_uid, include_keypair_identifiers=False)
Return a metadata dict for the keystore keystore_uid.
- get_local_keyfactory()
Storage automatically created if unexisting.
- import_foreign_keystore_from_keystore_tree(keystore_tree)
Imports/updates data tree into the keystore targeted by keystore_uid.
- Return type:
bool
- list_foreign_keystore_uids()
Return a sorted list of UUIDs of key storages, corresponding to the keystore_uid of their origin authentication devices.
- Return type:
list