nucypher.crypto

Submodules

class Keypair(private_key=None, public_key=None, generate_keys_if_needed=True)

Bases: object

A parent Keypair class for all types of Keypairs.

fingerprint()

Hashes the key using keccak-256 and returns the hexdigest in bytes.

Returns

Hexdigest fingerprint of key (keccak-256) in bytes

class DecryptingKeypair(*args, **kwargs)

Bases: nucypher.crypto.keypairs.Keypair

A keypair for Umbral

exception DecryptionFailed

Bases: Exception

Raised when decryption fails.

decrypt(message_kit: nucypher.core.MessageKit) → bytes

Decrypt data encrypted with Umbral.

Returns

bytes

decrypt_treasure_map(encrypted_treasure_map: nucypher.core.EncryptedTreasureMap, publisher_verifyng_key: umbral.keys.PublicKey) → nucypher.core.TreasureMap

class SigningKeypair(*args, **kwargs)

Bases: nucypher.crypto.keypairs.Keypair

A SigningKeypair that uses ECDSA.

sign(message: bytes) → umbral.signing.Signature

Signs the given message and returns a signature.

Parameters

message – The message to sign

Returns

Signature

get_signature_stamp()

class HostingKeypair(host: str, checksum_address: str = None, private_key: Union[umbral.keys.SecretKey, umbral.keys.PublicKey] = None, certificate=None, certificate_filepath: Optional[pathlib.Path] = None, generate_certificate=False)

Bases: nucypher.crypto.keypairs.Keypair

A keypair for TLS’ing.

get_deployer(rest_app, port)

exception InvalidPassword

Bases: ValueError

generate_keystore_filepath(parent: pathlib.Path, id: str) → pathlib.Path

validate_keystore_password(password: str) → List

NOTICE: Do not raise inside this function.

validate_keystore_filename(path: pathlib.Path) → None

class Keystore(keystore_path: pathlib.Path)

Bases: object

exception Exists

Bases: FileExistsError

exception Invalid

Bases: Exception

exception NotFound

Bases: FileNotFoundError

exception Locked

Bases: RuntimeError

exception AuthenticationFailed

Bases: RuntimeError

classmethod load(id: str, keystore_dir: pathlib.Path = PosixPath('/home/docs/.local/share/nucypher/keystore')) → nucypher.crypto.keystore.Keystore

classmethod import_secure(key_material: bytes, password: str, keystore_dir: Optional[pathlib.Path] = None) → nucypher.crypto.keystore.Keystore

Generate a Keystore using a custom pre-secured entropy blob. This method of keystore creation does not generate a mnemonic phrase; it is assumed that the provided blob is recoverable and secure.

classmethod restore(words: str, password: str, keystore_dir: Optional[pathlib.Path] = None) → nucypher.crypto.keystore.Keystore

Restore a keystore from seed words

classmethod generate(password: str, keystore_dir: Optional[pathlib.Path] = None, interactive: bool = True) → nucypher.crypto.keystore.Keystore

Generate a new nucypher keystore for use with characters

property id

property is_unlocked

lock() → None

unlock(password: str) → None

derive_crypto_power(power_class: ClassVar[nucypher.crypto.powers.CryptoPowerUp], *power_args, **power_kwargs) → Union[nucypher.crypto.powers.KeyPairBasedPower, nucypher.crypto.powers.DerivedKeyBasedPower]

derive_key_material_from_password(password: bytes, salt: bytes) → bytes

Derives a symmetric encryption key seed from a pair of password and salt.

This is secure, but takes a long time, so call it only once and use the resulting key material as a seed for specific keys (e.g. by passing it to derive_wrapping_key_from_key_material, secret_box_encrypt or secret_box_decrypt).

Parameters
  • password – byte-encoded password used to derive a symmetric key

  • salt – cryptographic salt added during key derivation

Returns

derive_wrapping_key_from_key_material(key_material: bytes, salt: bytes) → bytes

Uses HKDF to derive a 32 byte wrapping key to encrypt key material with.
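The derive-once pattern described above, as an added example that is not nucypher's own code: one slow password derivation produces key material, and a fast HKDF step turns that material into separate 32-byte wrapping keys. The choice of scrypt and its parameters, HMAC-SHA256 as the HKDF hash, the info label and all function names are assumptions; the page does not state which primitives the library uses.

```python
import hashlib
import hmac

# Assumptions (not stated on the page): scrypt as the slow password KDF,
# HMAC-SHA256 as the HKDF hash, and the info label used below.
def slow_key_material(password: bytes, salt: bytes) -> bytes:
    """Expensive step: run once per unlock, never once per key."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 extract-then-expand; cheap, so call it once per purpose."""
    if length > 255 * 32:
        raise ValueError("HKDF-SHA256 output is limited to 8160 bytes")
    # Extract: condense the input key material into a pseudorandom key.
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    # Expand: chain HMAC blocks until enough output has been produced.
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def wrapping_key(key_material: bytes, salt: bytes) -> bytes:
    """32-byte key for encrypting stored key material."""
    return hkdf_sha256(key_material, salt, info=b"example-wrapping-key")

def demo() -> dict:
    # Constructed sample values; a real keystore uses os.urandom() salts.
    password = b"correct horse battery staple"
    password_salt = bytes(range(16))
    material = slow_key_material(password, password_salt)  # slow, once
    wrong = slow_key_material(b"wrong password", password_salt)
    return {
        "k1": wrapping_key(material, salt=b"\x01" * 16),    # fast, per key
        "k2": wrapping_key(material, salt=b"\x02" * 16),
        "k1_again": wrapping_key(material, salt=b"\x01" * 16),
        "k1_wrong_pw": wrapping_key(wrong, salt=b"\x01" * 16),
    }

if __name__ == "__main__":
    for name, key in demo().items():
        print(name, key.hex())
```

A wrong password still yields a well-formed 32-byte key, so a bad password can only be detected by an authenticated decryption failing, which is the role of SecretBoxAuthenticationError and Keystore.AuthenticationFailed.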

exception SecretBoxAuthenticationError

Bases: Exception

secret_box_encrypt(key_material: bytes, salt: bytes, plaintext: bytes) → bytes

secret_box_decrypt(key_material: bytes, salt: bytes, ciphertext: bytes) → bytes

exception PowerUpError

Bases: TypeError

exception NoSigningPower

Bases: nucypher.crypto.powers.PowerUpError

exception NoDecryptingPower

Bases: nucypher.crypto.powers.PowerUpError

exception NoTransactingPower

Bases: nucypher.crypto.powers.PowerUpError

class CryptoPower(power_ups: list = None)

Bases: object

consume_power_up(power_up, *args, **kwargs)

power_ups(power_up_class)

class CryptoPowerUp

Bases: object

Gives you MORE CryptoPower!

confers_public_key = False

activate(*args, **kwargs)

class TransactingPower(account: NewType.<locals>.new_type, signer: nucypher.blockchain.eth.signers.base.Signer, password: str = None, cache: bool = False)

Bases: nucypher.crypto.powers.CryptoPowerUp

The power to sign ethereum transactions as the custodian of a private key through a signing backend.

not_found_error

alias of NoTransactingPower

exception AccountLocked

Bases: nucypher.crypto.powers.PowerUpError

Raised when signing cannot be performed due to a locked account

property account

property is_device

activate(password: str = None) → None

Called during power consumption

lock_account() → None

unlock(password: str = None, duration: int = None) → bool

Unlocks the account with provided or cached password.

sign_message(message: bytes) → bytes

Signs the message with the private key of the TransactingPower.

sign_transaction(transaction_dict: dict) → hexbytes.main.HexBytes

Signs the transaction with the private key of the TransactingPower.

class KeyPairBasedPower(public_key: umbral.keys.PublicKey = None, keypair: nucypher.crypto.keypairs.Keypair = None)

Bases: nucypher.crypto.powers.CryptoPowerUp

confers_public_key = True

public_key() → umbral.keys.PublicKey

class SigningPower(public_key: umbral.keys.PublicKey = None, keypair: nucypher.crypto.keypairs.Keypair = None)

Bases: nucypher.crypto.powers.KeyPairBasedPower

not_found_error

alias of NoSigningPower

provides = ('sign', 'get_signature_stamp')

class DecryptingPower(public_key: umbral.keys.PublicKey = None, keypair: nucypher.crypto.keypairs.Keypair = None)

Bases: nucypher.crypto.powers.KeyPairBasedPower

not_found_error

alias of NoDecryptingPower

provides = ('decrypt', 'decrypt_treasure_map')

class DerivedKeyBasedPower

Bases: nucypher.crypto.powers.CryptoPowerUp

Rather than rely on an established KeyPair, this type of power derives a key at moments defined by the user.

class DelegatingPower(secret_key_factory: Optional[umbral.keys.SecretKeyFactory] = None)

Bases: nucypher.crypto.powers.DerivedKeyBasedPower

get_pubkey_from_label(label)

generate_kfrags(bob_pubkey_enc, signer, label: bytes, threshold: int, shares: int) → Tuple[umbral.keys.PublicKey, List]

Generates re-encryption key frags (“KFrags”) and returns them.

These KFrags can be used by Ursula to re-encrypt a Capsule for Bob so that he can activate the Capsule.

Parameters
  • bob_pubkey_enc – Bob’s public key

  • threshold – Minimum number of KFrags needed to rebuild ciphertext

  • shares – Total number of KFrags to generate

get_decrypting_power_from_label(label)

class TLSHostingPower(host: str, public_certificate=None, public_certificate_filepath=None, *args, **kwargs)

Bases: nucypher.crypto.powers.KeyPairBasedPower

provides = ('get_deployer',)

exception NoHostingPower

Bases: nucypher.crypto.powers.PowerUpError

not_found_error

alias of TLSHostingPower.NoHostingPower

class SignatureStamp(verifying_key, signer: umbral.signing.Signer = None)

Bases: object

Can be called to sign something or used to express the signing public key as bytes.

as_umbral_signer()

as_umbral_pubkey()

fingerprint()

Hashes the key using keccak-256 and returns the hexdigest in bytes.

Returns

Hexdigest fingerprint of key (keccak-256) in bytes

class StrangerStamp(verifying_key, signer: umbral.signing.Signer = None)

Bases: nucypher.crypto.signing.SignatureStamp

SignatureStamp of a stranger (ie, can only be used to glean public key, not to sign)

exception InvalidSignature

Bases: Exception

Raised when a Signature is not valid.

generate_self_signed_certificate(host: str, private_key: umbral.keys.SecretKey = None, days_valid: int = 365, curve: ClassVar[cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve] = <class 'cryptography.hazmat.primitives.asymmetric.ec.SECP384R1'>) → Tuple[cryptography.x509.base.Certificate, cryptography.hazmat.backends.openssl.ec._EllipticCurvePrivateKey]

canonical_address_from_umbral_key(public_key: Union[umbral.keys.PublicKey, nucypher.crypto.signing.SignatureStamp]) → bytes

secure_random(num_bytes: int) → bytes

Returns num_bytes bytes of data from the OS’s random device. If a randomness source isn’t found, returns a NotImplementedError. In this case, a secure random source most likely doesn’t exist and randomness will have to be found elsewhere.

Parameters

num_bytes – Number of bytes to return.

Returns

bytes

secure_random_range(min: int, max: int) → int

Returns a number from a secure random source in the range between min and max - 1.

Parameters
  • min – Minimum number in the range

  • max – Maximum number in the range

Returns

int

keccak_digest(*messages: bytes) → bytes

Accepts an iterable containing bytes and digests it, returning a Keccak digest of 32 bytes (keccak_256).

Although we use SHA256 in many cases, we keep keccak handy in order to provide compatibility with the Ethereum blockchain.

Parameters

bytes – Data to hash

Return type

bytes

Returns

bytestring of digested data

sha256_digest(*messages: bytes) → bytes

Accepts an iterable containing bytes and digests it, returning a SHA256 digest of 32 bytes.

Parameters

bytes – Data to hash

Return type

bytes

Returns

bytestring of digested data

recover_address_eip_191(message: bytes, signature: bytes) → str

Recover the checksum address from an EIP-191 signature.

verify_eip_191(address: str, message: bytes, signature: bytes) → bool

EIP-191 Compatible signature verification for usage with w3.eth.sign.