Class swarmauri_core.mre_crypto.IMreCrypto.IMreCrypto
swarmauri_core.mre_crypto.IMreCrypto.IMreCrypto
Bases: ABC
supports
abstractmethod
supports()
Return a capability map describing supported algorithms, modes, and features. Providers SHOULD list only what they actually implement.
Keys (omit any you do not support): - "payload": iterable[str] of AEAD algorithms usable for the shared payload. (Only relevant for modes that use a shared AEAD.) - "recipient": iterable[str] of recipient protection algorithms (e.g., "OpenPGP", "X25519-SEAL", "RSA-OAEP-SHA256", "AES-KW"). - "modes": iterable[MreMode|str] of supported composition modes. - "features": iterable[str] of optional features (e.g., "aad", "threshold", "rewrap_without_reencrypt").
Example
return { "payload": ("AES-256-GCM", "XCHACHA20-POLY1305"), "recipient": ("OpenPGP", "X25519-SEAL"), "modes": (MreMode.ENC_ONCE_HEADERS, MreMode.SEALED_CEK_AEAD), "features": ("aad", "rewrap_without_reencrypt"), }
Source code in swarmauri_core/mre_crypto/IMreCrypto.py
46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 |
|
encrypt_for_many
abstractmethod
async
encrypt_for_many(
recipients,
pt,
*,
payload_alg=None,
recipient_alg=None,
mode=None,
aad=None,
shared=None,
opts=None,
)
Encrypt 'pt' for all 'recipients' and return a single MultiRecipientEnvelope.
PARAMETER | DESCRIPTION |
---|---|
recipients
|
public-key KeyRefs (or handles) for each recipient.
|
pt
|
plaintext bytes.
|
payload_alg
|
AEAD for the shared payload (if required by the mode).
|
recipient_alg
|
per‑recipient protection algorithm (wrap/seal).
|
mode
|
MRE composition mode (see supports()["modes"]).
|
aad
|
Additional Authenticated Data (supported only by AEAD modes).
|
shared
|
optional map of app-defined fields to bind/version with envelope.
|
opts
|
provider hints (e.g., {"threshold_k": 2}).
|
RETURNS | DESCRIPTION |
---|---|
MultiRecipientEnvelope
|
MultiRecipientEnvelope with: - top-level metadata (mode, payload_alg, recipient_alg, etc.), - either a shared AEAD payload or per‑recipient sealed payloads, - recipient header list with the material needed to open. |
Source code in swarmauri_core/mre_crypto/IMreCrypto.py
73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 |
|
open_for
abstractmethod
async
open_for(my_identity, env, *, aad=None, opts=None)
Open 'env' using a single private identity.
PARAMETER | DESCRIPTION |
---|---|
my_identity
|
private-key KeyRef (or HSM handle) corresponding to one recipient.
|
env
|
envelope produced by encrypt_for_many.
|
aad
|
AAD value (must match for AEAD modes).
|
opts
|
optional hints (e.g., {"prefer_handle": True}).
|
RETURNS | DESCRIPTION |
---|---|
bytes
|
plaintext bytes. |
Raises on authentication failure, unsupported mode/alg, or identity mismatch.
Source code in swarmauri_core/mre_crypto/IMreCrypto.py
109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 |
|
open_for_many
abstractmethod
async
open_for_many(my_identities, env, *, aad=None, opts=None)
Attempt to open 'env' with any of the provided identities. Useful when a service has multiple keys/slots or when a scheme requires multiple partial openings.
PARAMETER | DESCRIPTION |
---|---|
my_identities
|
sequence of private-key KeyRefs / handles.
|
env
|
envelope to open.
|
aad
|
AAD (if required by the mode).
|
opts
|
optional hints (e.g., {"threshold_parts": {...}}).
|
RETURNS | DESCRIPTION |
---|---|
bytes
|
plaintext bytes on success. |
Raises on failure to satisfy the scheme (e.g., threshold unmet).
Source code in swarmauri_core/mre_crypto/IMreCrypto.py
134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 |
|
rewrap
abstractmethod
async
rewrap(
env,
*,
add=None,
remove=None,
recipient_alg=None,
opts=None,
)
Modify the recipient set, re‑wrapping headers without re‑encrypting the payload when the mode permits.
PARAMETER | DESCRIPTION |
---|---|
env
|
existing envelope.
|
add
|
recipients to grant (append headers).
|
remove
|
recipient IDs to revoke (drop headers).
|
recipient_alg
|
optionally switch the per‑recipient protection algorithm.
|
opts
|
hints (e.g., {"rotate_payload_on_revoke": True}).
|
RETURNS | DESCRIPTION |
---|---|
MultiRecipientEnvelope
|
Updated MultiRecipientEnvelope. |
Notes
- If safe header removal is not possible for the mode (e.g., sealed-per-recipient payload), providers SHOULD rotate the payload key and re‑encrypt.
- Providers SHOULD document complexity: header‑only O(1) vs payload re‑encrypt O(N).
Source code in swarmauri_core/mre_crypto/IMreCrypto.py
162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 |
|