nucypher.crypto¶

Submodules¶

class Keypair(private_key=None, public_key=None, generate_keys_if_needed=True)¶

Bases: object

A parent Keypair class for all types of Keypairs.

fingerprint()¶

Hashes the key using keccak-256 and returns the hexdigest in bytes.

Returns: Hexdigest fingerprint of key (keccak-256) in bytes

class DecryptingKeypair(*args, **kwargs)¶

Bases: nucypher.crypto.keypairs.Keypair

A keypair for Umbral

exception DecryptionFailed¶

Bases: Exception

Raised when decryption fails.

decrypt(message_kit: nucypher.core.MessageKit) → bytes ¶

Decrypt data encrypted with Umbral.

Returns: bytes

decrypt_treasure_map(encrypted_treasure_map: nucypher.core.EncryptedTreasureMap, publisher_verifyng_key: umbral.keys.PublicKey) → nucypher.core.TreasureMap ¶

class SigningKeypair(*args, **kwargs)¶

Bases: nucypher.crypto.keypairs.Keypair

A SigningKeypair that uses ECDSA.

sign(message: bytes) → umbral.signing.Signature¶

Signs the given message and returns a signature.

Parameters: message – The message to sign
Returns: Signature

get_signature_stamp()¶

class HostingKeypair(host: str, checksum_address: str = None, private_key: Union[umbral.keys.SecretKey, umbral.keys.PublicKey] = None, certificate=None, certificate_filepath: Optional[pathlib.Path] = None, generate_certificate=False)¶

Bases: nucypher.crypto.keypairs.Keypair

A keypair for TLS’ing.

get_deployer(rest_app, port)¶

exception InvalidPassword¶: Bases: ValueError

generate_keystore_filepath(parent: pathlib.Path, id: str) → pathlib.Path ¶

validate_keystore_password(password: str) → List¶: NOTICE: Do not raise inside this function.

validate_keystore_filename(path: pathlib.Path) → None ¶

class Keystore(keystore_path: pathlib.Path)¶

Bases: object

exception Exists¶: Bases: FileExistsError

exception Invalid¶: Bases: Exception

exception NotFound¶: Bases: FileNotFoundError

exception Locked¶: Bases: RuntimeError

exception AuthenticationFailed¶: Bases: RuntimeError

classmethod load(id: str, keystore_dir: pathlib.Path = PosixPath('/home/docs/.local/share/nucypher/keystore')) → nucypher.crypto.keystore.Keystore ¶

classmethod import_secure(key_material: bytes, password: str, keystore_dir: Optional[pathlib.Path] = None) → nucypher.crypto.keystore.Keystore ¶: Generate a Keystore using a a custom pre-secured entropy blob. This method of keystore creation does not generate a mnemonic phrase - it is assumed that the provided blob is recoverable and secure.

classmethod restore(words: str, password: str, keystore_dir: Optional[pathlib.Path] = None) → nucypher.crypto.keystore.Keystore ¶: Restore a keystore from seed words

classmethod generate(password: str, keystore_dir: Optional[pathlib.Path] = None, interactive: bool = True) → nucypher.crypto.keystore.Keystore ¶: Generate a new nucypher keystore for use with characters

property id¶

property is_unlocked¶

lock() → None ¶

unlock(password: str) → None ¶

derive_crypto_power(power_class: ClassVar[nucypher.crypto.powers.CryptoPowerUp], *power_args, **power_kwargs) → Union[nucypher.crypto.powers.KeyPairBasedPower, nucypher.crypto.powers.DerivedKeyBasedPower]¶

derive_key_material_from_password(password: bytes, salt: bytes) → bytes ¶

Derives a symmetric encryption key seed from a pair of password and salt.

This is secure, but takes a long time. So only call it once, and use the resulting key material as a seed for specific keys (e.g by passing it to derive_wrapping_key_from_key_material, secret_box_encrypt or secret_box_decrypt)

Parameters

password – byte-encoded password used to derive a symmetric key
salt – cryptographic salt added during key derivation

Returns

derive_wrapping_key_from_key_material(key_material: bytes, salt: bytes) → bytes ¶: Uses HKDF to derive a 32 byte wrapping key to encrypt key material with.

exception SecretBoxAuthenticationError¶: Bases: Exception

secret_box_encrypt(key_material: bytes, salt: bytes, plaintext: bytes) → bytes ¶

secret_box_decrypt(key_material: bytes, salt: bytes, ciphertext: bytes) → bytes ¶

exception PowerUpError¶: Bases: TypeError

exception NoSigningPower¶: Bases: nucypher.crypto.powers.PowerUpError

exception NoDecryptingPower¶: Bases: nucypher.crypto.powers.PowerUpError

exception NoTransactingPower¶: Bases: nucypher.crypto.powers.PowerUpError

class CryptoPower(power_ups: list = None)¶

Bases: object

consume_power_up(power_up, *args, **kwargs)¶

power_ups(power_up_class)¶

class CryptoPowerUp¶

Bases: object

Gives you MORE CryptoPower!

confers_public_key = False¶

activate(*args, **kwargs)¶

class TransactingPower(account: NewType.<locals>.new_type, signer: nucypher.blockchain.eth.signers.base.Signer, password: str = None, cache: bool = False)¶

Bases: nucypher.crypto.powers.CryptoPowerUp

The power to sign ethereum transactions as the custodian of a private key through a signing backend.

not_found_error¶: alias of NoTransactingPower

exception AccountLocked¶

Bases: nucypher.crypto.powers.PowerUpError

Raised when signing cannot be performed due to a locked account

property account¶

property is_device¶

activate(password: str = None) → None ¶: Called during power consumption

lock_account() → None ¶

unlock(password: str = None, duration: int = None) → bool ¶: Unlocks the account with provided or cached password.

sign_message(message: bytes) → bytes ¶: Signs the message with the private key of the TransactingPower.

sign_transaction(transaction_dict: dict) → hexbytes.main.HexBytes¶: Signs the transaction with the private key of the TransactingPower.

class KeyPairBasedPower(public_key: umbral.keys.PublicKey = None, keypair: nucypher.crypto.keypairs.Keypair = None)¶

Bases: nucypher.crypto.powers.CryptoPowerUp

confers_public_key = True¶

public_key() → umbral.keys.PublicKey¶

class SigningPower(public_key: umbral.keys.PublicKey = None, keypair: nucypher.crypto.keypairs.Keypair = None)¶

Bases: nucypher.crypto.powers.KeyPairBasedPower

not_found_error¶: alias of NoSigningPower

provides = ('sign', 'get_signature_stamp')¶

class DecryptingPower(public_key: umbral.keys.PublicKey = None, keypair: nucypher.crypto.keypairs.Keypair = None)¶

Bases: nucypher.crypto.powers.KeyPairBasedPower

not_found_error¶: alias of NoDecryptingPower

provides = ('decrypt', 'decrypt_treasure_map')¶

class DerivedKeyBasedPower¶

Bases: nucypher.crypto.powers.CryptoPowerUp

Rather than rely on an established KeyPair, this type of power derives a key at moments defined by the user.

class DelegatingPower(secret_key_factory: Optional[umbral.keys.SecretKeyFactory] = None)¶

Bases: nucypher.crypto.powers.DerivedKeyBasedPower

get_pubkey_from_label(label)¶

generate_kfrags(bob_pubkey_enc, signer, label: bytes, threshold: int, shares: int) → Tuple[umbral.keys.PublicKey, List]¶

Generates re-encryption key frags (“KFrags”) and returns them.

These KFrags can be used by Ursula to re-encrypt a Capsule for Bob so that he can activate the Capsule. :param bob_pubkey_enc: Bob’s public key :param threshold: Minimum number of KFrags needed to rebuild ciphertext :param shares: Total number of KFrags to generate

get_decrypting_power_from_label(label)¶

class TLSHostingPower(host: str, public_certificate=None, public_certificate_filepath=None, *args, **kwargs)¶

Bases: nucypher.crypto.powers.KeyPairBasedPower

provides = ('get_deployer',)¶

exception NoHostingPower¶: Bases: nucypher.crypto.powers.PowerUpError

not_found_error¶: alias of TLSHostingPower.NoHostingPower

class SignatureStamp(verifying_key, signer: umbral.signing.Signer = None)¶

Bases: object

Can be called to sign something or used to express the signing public key as bytes.

as_umbral_signer()¶

as_umbral_pubkey()¶

fingerprint()¶

Hashes the key using keccak-256 and returns the hexdigest in bytes.

Returns: Hexdigest fingerprint of key (keccak-256) in bytes

class StrangerStamp(verifying_key, signer: umbral.signing.Signer = None)¶

Bases: nucypher.crypto.signing.SignatureStamp

SignatureStamp of a stranger (ie, can only be used to glean public key, not to sign)

exception InvalidSignature¶

Bases: Exception

Raised when a Signature is not valid.

generate_self_signed_certificate(host: str, private_key: umbral.keys.SecretKey = None, days_valid: int = 365, curve: ClassVar[cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve] = <class 'cryptography.hazmat.primitives.asymmetric.ec.SECP384R1'>) → Tuple[cryptography.x509.base.Certificate, cryptography.hazmat.backends.openssl.ec._EllipticCurvePrivateKey]¶

canonical_address_from_umbral_key(public_key: Union[umbral.keys.PublicKey, nucypher.crypto.signing.SignatureStamp]) → bytes ¶

secure_random(num_bytes: int) → bytes ¶

Returns an amount num_bytes of data from the OS’s random device. If a randomness source isn’t found, returns a NotImplementedError. In this case, a secure random source most likely doesn’t exist and randomness will have to found elsewhere.

Parameters: num_bytes – Number of bytes to return.
Returns: bytes

secure_random_range(min: int, max: int) → int ¶

Returns a number from a secure random source betwee the range of min and max - 1.

Parameters

min – Minimum number in the range
max – Maximum number in the range

Returns

int

keccak_digest(*messages: bytes) → bytes ¶

Accepts an iterable containing bytes and digests it returning a Keccak digest of 32 bytes (keccak_256).

Although we use SHA256 in many cases, we keep keccak handy in order to provide compatibility with the Ethereum blockchain.

Parameters: bytes – Data to hash
Return type: bytes
Returns: bytestring of digested data

sha256_digest(*messages: bytes) → bytes ¶

Accepts an iterable containing bytes and digests it returning a SHA256 digest of 32 bytes

Parameters: bytes – Data to hash
Return type: bytes
Returns: bytestring of digested data

recover_address_eip_191(message: bytes, signature: bytes) → str ¶: Recover checksum address from EIP-191 signature

verify_eip_191(address: str, message: bytes, signature: bytes) → bool ¶: EIP-191 Compatible signature verification for usage with w3.eth.sign.