Trustee

This module provides base classes and utilities for trustee actors.

API for trustee services

class wacryptolib.trustee.TrusteeApi(keystore)

Bases: object

This is the API meant to be exposed by trustee webservices, to allow end users to create safely encrypted cryptainers.

Subclasses must add their own permission checking, especially so that no decryption with private keys can occur outside the scope of a well defined legal procedure.

decrypt_with_private_key(*, keychain_uid, cipher_algo, cipherdict, passphrases=None, cryptainer_metadata=None)

Return the message (probably a symmetric key) decrypted with the corresponding key, as bytestring. Here again passphrases and cryptainer_metadata can be provided.

Raises if key existence, authorization or passphrase errors occur.

Return type:

bytes

fetch_public_key(*, keychain_uid, key_algo, must_exist=False)

Return a public key in PEM format bytestring, that caller shall use to encrypt its own symmetric keys, or to check a signature.

If must_exist is True, key is not autogenerated, and a KeyDoesNotExist might be raised.

Return type:

bytes

get_message_signature(*, message, keychain_uid, signature_algo)

Return a signature structure corresponding to the provided key and signature types.

Return type:

dict

request_decryption_authorization(keypair_identifiers, request_message, passphrases=None, cryptainer_metadata=None)

Send a list of keypairs for which decryption access is requested, with the reason why.

If request is immediately denied, an exception is raised, else the status of the authorization process (process which might involve several steps, including live encounters) is returned.

Parameters:

  • keypair_identifiers (Sequence) -- list of dicts with (keychain_uid, key_algo) indices to authorize

  • request_message (str) -- user text explaining the reasons for the decryption (and the legal procedures involved)

  • passphrases (Optional[Sequence]) -- optional list of passphrases to be tried on private keys

  • cryptainer_metadata (Optional[dict]) -- metadata of the concerned cryptainer

Return type:

dict

Returns:

a dict with at least a string field "response_message" detailing the status of the request.

class wacryptolib.trustee.ReadonlyTrusteeApi(keystore)

Bases: TrusteeApi

Alternative Trustee API which relies on a fixed set of keys (e.g. imported from a key-device).

This version never generates keys by itself, whatever the values of method parameters like must_exist.