vantage6.common.encryption.RSACryptor¶

class RSACryptor(private_key_file)¶

Bases: CryptorBase

Wrapper class for the cryptography package.

It loads the private key, and has an interface to encrypt en decrypt messages. If no private key is found, it can generate one, and store it at the default location. The encrpytion can be done via a public key from another organization, make sure the key is in the right data-type.

Communication between node and server requires serialization (and deserialization) of the encrypted messages (which are in bytes). The API can not communicate bytes, therefore a base64 conversion needs to be executed (and also a utf-8 encoding needs to be applied because of the way python implemented base64). The same goes for sending and receiving the public_key.

Parameters:: private_key_file (Path) – The path to the private key file.

__init__(private_key_file)¶

Create a new RSACryptor instance.

Parameters:: private_key_file (Path) – The path to the private key file.

Methods

`__init__`(private_key_file)	Create a new RSACryptor instance.
`bytes_to_str`(data)	Encode bytes as base64 encoded string.
`create_new_rsa_key`(path)	Creates a new RSA key for E2EE.
`create_public_key_bytes`(private_key)	Create a public key from a private key.
`decrypt`(data)	Decrypt run data that was encrypted using hybrid RSA/AES encryption.
`decrypt_bytes_blob_storage`(data)	Decrypt bytes data coming from blob storage.
`decrypt_str_to_bytes`(data)	Decrypt base64 encoded string data.
`decrypt_stream`(stream[, chunk_size])	Decrypt a stream that was encrypted using hybrid RSA/AES encryption.
`encrypt_bytes_to_str`(data, pubkey_base64s[, ...])	Encrypt bytes in data using a (base64 encoded) public key.
`encrypt_stream`(stream, pubkey_base64s[, ...])	Encrypt a stream using hybrid RSA/AES encryption.
`str_to_bytes`(data)	Decode base64 encoded string to bytes.
`verify_public_key`(pubkey_base64)	Verifies the public key.

Attributes

`public_key_bytes`	Returns the public key bytes from the organization.
`public_key_str`	Returns a JSON safe public key, used for the API.

static bytes_to_str(data)¶

Encode bytes as base64 encoded string.

Parameters:: data (bytes) – The data to encode.
Returns:: The base64 encoded string.
Return type:: str

static create_new_rsa_key(path)¶

Creates a new RSA key for E2EE.

Parameters:: path (Path) – The path to the private key file.
Returns:: The newly created private key.
Return type:: RSAPrivateKey

static create_public_key_bytes(private_key)¶

Create a public key from a private key.

Parameters:: private_key (RSAPrivateKey) – The private key to use.
Returns:: The public key as bytes.
Return type:: bytes

decrypt(data)¶

Decrypt run data that was encrypted using hybrid RSA/AES encryption.

Parameters:: data (str | bytes) – The data to decrypt. Can be either a string or bytes, depending on whether the data comes from blob storage or not.
Returns:: The decrypted data.
Return type:: bytes

decrypt_bytes_blob_storage(data)¶

Decrypt bytes data coming from blob storage. This function expects the data to be in the format: <encrypted_key>$<iv>$<encrypted_msg>

where: - <encrypted_key> is the base64 encoded encrypted AES key, - <iv> is the base64 encoded initialization vector, - <encrypted_msg> is the encrypted message in raw bytes.

Parameters:: data (bytes) – The data to decrypt.
Returns:: The decrypted data.
Return type:: bytes

decrypt_str_to_bytes(data)¶

Decrypt base64 encoded string data.

Parameters:

data (str) –

The data to decrypt. This function expects the data to be in the format: <encrypted_key>$<iv>$<encrypted_msg>

where: - <encrypted_key> is the base64 encoded encrypted AES key, - <iv> is the base64 encoded initialization vector, - <encrypted_msg> is the encrypted message in base64 encoded string.

Returns:

The decrypted data.

Return type:

bytes

decrypt_stream(stream, chunk_size=1048576)¶

Decrypt a stream that was encrypted using hybrid RSA/AES encryption.

Parameters:

stream (file-like) – The input stream to decrypt (must support .read()).
chunk_size (int) – The size of chunks to read and decrypt.

Yields:

bytes – Decrypted data chunks.

encrypt_bytes_to_str(data, pubkey_base64s, skip_base64_encoding_of_msg=False)¶

Encrypt bytes in data using a (base64 encoded) public key.

Parameters:

data (bytes) – The data to encrypt.
pubkey_base64s (str) – The public key to use for encryption.
skip_base64_encoding_of_msg (bool) – If True, the encrypted message will not be base64 encoded. This is useful when the data is already in bytes format and does not need further encoding (e.g., when uploading to blob storage).

Returns:

The encrypted data encoded as base64 string.

Return type:

str

encrypt_stream(stream, pubkey_base64s, chunk_size=1048576)¶

Encrypt a stream using hybrid RSA/AES encryption.

A 32-byte (256-bit) random key is generated for AES-256 encryption.

Parameters:

stream (file-like) – The input stream to encrypt (must support .read()).
pubkey_base64s (str) – The public key to use for encryption (PEM format, base64 string).
chunk_size (int) – The size of chunks to read and encrypt.

Yields:

bytes – Header followed by encrypted data chunks.

property public_key_bytes: bytes¶

Returns the public key bytes from the organization.

Returns:: The public key as bytes.
Return type:: bytes

property public_key_str: str¶

Returns a JSON safe public key, used for the API.

Returns:: The public key as base64 encoded string.
Return type:: str

static str_to_bytes(data)¶

Decode base64 encoded string to bytes.

Parameters:: data (str) – The base64 encoded string.
Returns:: The encoded string converted to bytes.
Return type:: bytes

verify_public_key(pubkey_base64)¶

Verifies the public key.

Compare a public key with the generated public key from the private key that is stored in this instance. This is usefull for verifying that the public key stored on the server is derived from the currently used private key.

Parameters:: pubkey_base64 (str) – The public key to verify as returned from the server.
Returns:: True if the public key is valid, False otherwise.
Return type:: bool