nucypher.crypto¶

Submodules¶

exception InvalidNodeCertificate¶

Bases: RuntimeError

Raised when an Ursula’s certificate is not valid because it is missing the checksum address.

secure_random(num_bytes: int) → bytes ¶

Returns an amount num_bytes of data from the OS’s random device. If a randomness source isn’t found, returns a NotImplementedError. In this case, a secure random source most likely doesn’t exist and randomness will have to found elsewhere.

Parameters: num_bytes – Number of bytes to return.
Returns: bytes

secure_random_range(min: int, max: int) → int ¶

Returns a number from a secure random source betwee the range of min and max - 1.

Parameters

min – Minimum number in the range
max – Maximum number in the range

Returns

int

keccak_digest(*messages: bytes) → bytes ¶

Accepts an iterable containing bytes and digests it returning a Keccak digest of 32 bytes (keccak_256).

Although we use SHA256 in many cases, we keep keccak handy in order to provide compatibility with the Ethereum blockchain.

Parameters: bytes – Data to hash
Return type: bytes
Returns: bytestring of digested data

sha256_digest(*messages: bytes) → bytes ¶

Accepts an iterable containing bytes and digests it returning a SHA256 digest of 32 bytes

Parameters: bytes – Data to hash
Return type: bytes
Returns: bytestring of digested data

ecdsa_sign(message: bytes, private_key: umbral.keys.UmbralPrivateKey) → bytes ¶

Accepts a hashed message and signs it with the private key given.

Parameters

message – Message to hash and sign
private_key – Private key to sign with

Returns

signature

recover_address_eip_191(message: bytes, signature: bytes) → str ¶: Recover checksum address from EIP-191 signature

verify_eip_191(address: str, message: bytes, signature: bytes) → bool ¶: EIP-191 Compatible signature verification for usage with w3.eth.sign.

verify_ecdsa(message: bytes, signature: bytes, public_key: umbral.keys.UmbralPublicKey) → bool ¶

Accepts a message and signature and verifies it with the provided public key.

Parameters

message – Message to verify
signature – Signature to verify
public_key – UmbralPublicKey to verify signature with

Returns

True if valid, False if invalid.

generate_teacher_certificate(checksum_address: str, *args, **kwargs)¶

generate_self_signed_certificate(*args, **kwargs)¶

read_certificate_pseudonym(certificate: cryptography.x509.base.Certificate)¶: Return the checksum address written into a TLS certificates pseudonym field or raise an error.

encrypt_and_sign(recipient_pubkey_enc: umbral.keys.UmbralPublicKey, plaintext: bytes, signer: SignatureStamp, sign_plaintext: bool = True) → Tuple[nucypher.crypto.kits.PolicyMessageKit, umbral.signing.Signature]¶

class Keypair(private_key=None, public_key=None, generate_keys_if_needed=True)¶

Bases: object

A parent Keypair class for all types of Keypairs.

serialize_pubkey(as_b64=False) → bytes ¶

Serializes the pubkey for storage/transport in either urlsafe base64 or as a bytestring.

Parameters: as_b64 – Return the pubkey as urlsafe base64 byte string
Returns: The serialized pubkey in bytes

fingerprint()¶

Hashes the key using keccak-256 and returns the hexdigest in bytes.

Returns: Hexdigest fingerprint of key (keccak-256) in bytes

class DecryptingKeypair(*args, **kwargs)¶

Bases: nucypher.crypto.keypairs.Keypair

A keypair for Umbral

decrypt(message_kit: nucypher.crypto.kits.MessageKit) → bytes ¶

Decrypt data encrypted with Umbral.

Returns: bytes

class SigningKeypair(*args, **kwargs)¶

Bases: nucypher.crypto.keypairs.Keypair

A SigningKeypair that uses ECDSA.

sign(message: bytes) → bytes ¶

Signs a hashed message and returns a signature.

Parameters: message – The message to sign
Returns: Signature in bytes

get_signature_stamp()¶

class HostingKeypair(host: str, checksum_address: str = None, private_key: Union[umbral.keys.UmbralPrivateKey, umbral.keys.UmbralPublicKey] = None, curve=None, certificate=None, certificate_filepath: str = None, generate_certificate=True)¶

Bases: nucypher.crypto.keypairs.Keypair

A keypair for TLS’ing.

get_deployer(rest_app, port)¶

class CryptoKit¶

Bases: object

A package of discrete items, meant to be sent over the wire or saved to disk (in either case, as bytes), capable of performing a distinct cryptological function.

splitter = None¶

classmethod split_bytes(some_bytes)¶

classmethod from_bytes(some_bytes)¶

class MessageKit(capsule, sender_verifying_key=None, ciphertext=None, signature=NOT_SIGNED)¶

Bases: nucypher.crypto.kits.CryptoKit

All the components needed to transmit and verify an encrypted message.

to_bytes(include_alice_pubkey=True)¶

classmethod splitter(*args, **kwargs)¶

property signature¶

class PolicyMessageKit(*args, **kwargs)¶

Bases: nucypher.crypto.kits.MessageKit

A MessageKit which includes sufficient additional information to be retrieved on the NuCypher Network.

property sender¶

UmbralMessageKit¶: alias of nucypher.crypto.kits.PolicyMessageKit

class RevocationKit(policy: Policy, signer: SignatureStamp)¶

Bases: object

property revokable_addresses¶: Returns a Set of revokable addresses in the checksum address formatting

add_confirmation(node_id, signed_receipt)¶: Adds a signed confirmation of Ursula’s ability to revoke the arrangement.

exception PowerUpError¶: Bases: TypeError

exception NoSigningPower¶: Bases: nucypher.crypto.powers.PowerUpError

exception NoDecryptingPower¶: Bases: nucypher.crypto.powers.PowerUpError

exception NoTransactingPower¶: Bases: nucypher.crypto.powers.PowerUpError

class CryptoPower(power_ups: list = None)¶

Bases: object

consume_power_up(power_up, *args, **kwargs)¶

power_ups(power_up_class)¶

class CryptoPowerUp¶

Bases: object

Gives you MORE CryptoPower!

confers_public_key = False¶

activate(*args, **kwargs)¶

class TransactingPower(account: str, signer: nucypher.blockchain.eth.signers.base.Signer = None, password: str = None, cache: bool = False)¶

Bases: nucypher.crypto.powers.CryptoPowerUp

The power to sign ethereum transactions as the custodian of a private key through a signing backend.

not_found_error¶: alias of NoTransactingPower

exception AccountLocked¶

Bases: nucypher.crypto.powers.PowerUpError

Raised when signing cannot be performed due to a locked account

property blockchain¶: Lazy evaluation of existing connection

property is_active¶: Returns True if the blockchain currently has this transacting power attached.

property account¶

property is_unlocked¶

property is_device¶

activate(password: str = None) → None ¶: Called during power consumption

lock_account() → None ¶

unlock_account(password: str = None, duration: int = None) → bool ¶: Unlocks the account with provided or cached password.

sign_message(message: bytes) → bytes ¶: Signs the message with the private key of the TransactingPower.

sign_transaction(transaction_dict: dict) → hexbytes.main.HexBytes¶: Signs the transaction with the private key of the TransactingPower.

class KeyPairBasedPower(public_key: umbral.keys.UmbralPublicKey = None, keypair: nucypher.crypto.keypairs.Keypair = None)¶

Bases: nucypher.crypto.powers.CryptoPowerUp

confers_public_key = True¶

public_key() → umbral.keys.UmbralPublicKey¶

class SigningPower(public_key: umbral.keys.UmbralPublicKey = None, keypair: nucypher.crypto.keypairs.Keypair = None)¶

Bases: nucypher.crypto.powers.KeyPairBasedPower

not_found_error¶: alias of NoSigningPower

provides = ('sign', 'get_signature_stamp')¶

class DecryptingPower(public_key: umbral.keys.UmbralPublicKey = None, keypair: nucypher.crypto.keypairs.Keypair = None)¶

Bases: nucypher.crypto.powers.KeyPairBasedPower

not_found_error¶: alias of NoDecryptingPower

provides = ('decrypt',)¶

class DerivedKeyBasedPower¶

Bases: nucypher.crypto.powers.CryptoPowerUp

Rather than rely on an established KeyPair, this type of power derives a key at moments defined by the user.

class DelegatingPower(keying_material: Optional[bytes] = None, password: Optional[bytes] = None)¶

Bases: nucypher.crypto.powers.DerivedKeyBasedPower

get_pubkey_from_label(label)¶

generate_kfrags(bob_pubkey_enc, signer, label: bytes, m: int, n: int) → Tuple[umbral.keys.UmbralPublicKey, List]¶

Generates re-encryption key frags (“KFrags”) and returns them.

These KFrags can be used by Ursula to re-encrypt a Capsule for Bob so that he can activate the Capsule. :param bob_pubkey_enc: Bob’s public key :param m: Minimum number of KFrags needed to rebuild ciphertext :param n: Total number of KFrags to generate

get_decrypting_power_from_label(label)¶

class SignatureStamp(verifying_key, signer: umbral.signing.Signer = None)¶

Bases: object

Can be called to sign something or used to express the signing public key as bytes.

as_umbral_pubkey()¶

fingerprint()¶

Hashes the key using keccak-256 and returns the hexdigest in bytes.

Returns: Hexdigest fingerprint of key (keccak-256) in bytes

class StrangerStamp(verifying_key, signer: umbral.signing.Signer = None)¶

Bases: nucypher.crypto.signing.SignatureStamp

SignatureStamp of a stranger (ie, can only be used to glean public key, not to sign)

exception InvalidSignature¶

Bases: Exception

Raised when a Signature is not valid.

fingerprint_from_key(public_key: Any)¶: Hashes a key using keccak-256 and returns the hexdigest in bytes. :return: Hexdigest fingerprint of key (keccak-256) in bytes

construct_policy_id(label: bytes, stamp: bytes) → bytes ¶: Forms an ID unique to the policy per label and Bob’s signing pubkey via a keccak hash of the two.

canonical_address_from_umbral_key(public_key: umbral.keys.UmbralPublicKey) → bytes ¶

recover_pubkey_from_signature(message: bytes, signature: Union[bytes, umbral.signing.Signature], v_value_to_try: int, is_prehashed: bool = False) → bytes ¶

Recovers a serialized, compressed public key from a signature. It allows to specify a potential v value, in which case it assumes the signature has the traditional (r,s) raw format. If a v value is not present, it assumes the signature has the recoverable format (r, s, v).

Parameters

message – Signed message
signature – The signature from which the pubkey is recovered
v_value_to_try – A potential v value to try
is_prehashed – True if the message is already pre-hashed. Default is False, and message will be hashed with SHA256

Returns

The compressed byte-serialized representation of the recovered public key

get_signature_recovery_value(message: bytes, signature: Union[bytes, umbral.signing.Signature], public_key: Union[bytes, umbral.keys.UmbralPublicKey], is_prehashed: bool = False) → bytes ¶

Obtains the recovery value of a standard ECDSA signature.

Parameters

message – Signed message
signature – The signature from which the pubkey is recovered
public_key – The public key for verifying the signature
is_prehashed – True if the message is already pre-hashed. Default is False, and message will be hashed with SHA256

Returns

The compressed byte-serialized representation of the recovered public key

get_coordinates_as_bytes(point: Union[umbral.point.Point, umbral.keys.UmbralPublicKey, nucypher.crypto.signing.SignatureStamp], x_coord=True, y_coord=True) → bytes ¶