Trustee
This module provides base classes and utilities for trustee actors.
API for trustee services
- class wacryptolib.trustee.TrusteeApi(keystore)
Bases: object
This is the API meant to be exposed by trustee webservices, to allow end users to create safely encrypted cryptainers.
Subclasses must add their own permission checking, especially so that no decryption with private keys can occur outside the scope of a well-defined legal procedure.
- decrypt_with_private_key(*, keychain_uid, cipher_algo, cipherdict, passphrases=None, cryptainer_metadata=None)
Return the message (probably a symmetric key) decrypted with the corresponding key, as bytestring. Here again passphrases and cryptainer_metadata can be provided.
Raises if key existence, authorization or passphrase errors occur.
- Return type: bytes
- fetch_public_key(*, keychain_uid, key_algo, must_exist=False)
Return a public key in PEM format bytestring, that caller shall use to encrypt its own symmetric keys, or to check a signature.
If must_exist is True, key is not autogenerated, and a KeyDoesNotExist might be raised.
- Return type: bytes
- get_message_signature(*, message, keychain_uid, signature_algo)
Return a signature structure corresponding to the provided key and signature types.
- Return type: dict
- request_decryption_authorization(keypair_identifiers, request_message, passphrases=None, cryptainer_metadata=None)
Send a list of keypairs for which decryption access is requested, with the reason why.
If the request is immediately denied, an exception is raised; otherwise the status of the authorization process (which might involve several steps, including live encounters) is returned.
- Parameters:
  - keypair_identifiers (Sequence) -- list of dicts with (keychain_uid, key_algo) indices to authorize
  - request_message (str) -- user text explaining the reasons for the decryption (and the legal procedures involved)
  - passphrases (Optional[Sequence]) -- optional list of passphrases to be tried on private keys
  - cryptainer_metadata (Optional[dict]) -- metadata of the concerned cryptainer
- Return type: dict
- Returns: a dict with at least a string field "response_message" detailing the status of the request.
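One way to put the required permission check in front of decrypt_with_private_key, as an added example that is not wacryptolib's own code. `FakeTrustee` (a constructed stand-in with no real cryptography), `GatedTrustee` and `approve()` are hypothetical names, and the gate assumes the cipher_algo passed at decryption equals the key_algo named in the request.

```python
# Added example: default-deny gate around the trustee methods documented above.
# A real deployment would subclass wacryptolib.trustee.TrusteeApi and persist approvals.


class FakeTrustee:
    """Constructed stand-in exposing the documented signature (no real crypto)."""

    def decrypt_with_private_key(self, *, keychain_uid, cipher_algo, cipherdict,
                                 passphrases=None, cryptainer_metadata=None):
        return b"symmetric-key-for-" + str(keychain_uid).encode()


class GatedTrustee:
    """Refuses decryption unless the keypair was requested and then approved."""

    def __init__(self, inner):
        self._inner = inner
        self._status = {}    # (keychain_uid, key_algo) -> "PENDING" | "APPROVED"
        self.audit_log = []  # (keypair, reason) entries kept for later review

    def request_decryption_authorization(self, keypair_identifiers, request_message,
                                         passphrases=None, cryptainer_metadata=None):
        if not request_message.strip():
            raise PermissionError("a reason for the decryption is mandatory")
        for ident in keypair_identifiers:
            key = (ident["keychain_uid"], ident["key_algo"])
            self._status.setdefault(key, "PENDING")  # never downgrade an approval
            self.audit_log.append((key, request_message))
        return {"response_message": "%d keypair(s) registered, awaiting review"
                                    % len(keypair_identifiers)}

    def approve(self, keychain_uid, key_algo):
        """Hypothetical out-of-band step performed by the reviewing authority."""
        if (keychain_uid, key_algo) not in self._status:
            raise KeyError("no pending request for this keypair")
        self._status[(keychain_uid, key_algo)] = "APPROVED"

    def decrypt_with_private_key(self, *, keychain_uid, cipher_algo, cipherdict,
                                 passphrases=None, cryptainer_metadata=None):
        # Default-deny: unknown and pending keypairs are both refused.
        if self._status.get((keychain_uid, cipher_algo)) != "APPROVED":
            raise PermissionError("decryption not authorized for this keypair")
        return self._inner.decrypt_with_private_key(
            keychain_uid=keychain_uid, cipher_algo=cipher_algo, cipherdict=cipherdict,
            passphrases=passphrases, cryptainer_metadata=cryptainer_metadata)
```

The request step alone never unlocks a key: a keypair stays refused until the separate approval is recorded, and every request reason is retained in `audit_log`.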
- class wacryptolib.trustee.ReadonlyTrusteeApi(keystore)
Bases: TrusteeApi
Alternative Trustee API which relies on a fixed set of keys (e.g. imported from a key-device).
This version never generates keys by itself, whatever the values of method parameters like must_exist.