async def encrypt_for_many(
    self,
    recipients: Sequence[KeyRef],
    pt: bytes,
    *,
    payload_alg: Optional[Alg] = None,
    recipient_alg: Optional[Alg] = None,
    mode: Optional[str] = None,
    aad: Optional[bytes] = None,
    shared: Optional[Mapping[str, bytes]] = None,
    opts: Optional[Mapping[str, object]] = None,
) -> MultiRecipientEnvelope:
    """Encrypt ``pt`` once under a fresh content-encryption key (CEK) and
    seal that CEK to every recipient with OpenPGP.

    Only one combination is implemented: ``mode="sealed_cek+aead"`` with an
    ``"AES-256-GCM"`` payload and the ``"OpenPGP-SEAL"`` recipient
    algorithm. Each selector defaults to that value when ``None`` and any
    other value is rejected.

    Args:
        recipients: Key references handed to ``_load_pgpy_pubkey``; must be
            non-empty.
        pt: Plaintext to protect.
        payload_alg: Payload AEAD algorithm; ``None`` or ``"AES-256-GCM"``.
        recipient_alg: CEK sealing algorithm; ``None`` or ``"OpenPGP-SEAL"``.
        mode: Envelope mode; ``None`` or ``"sealed_cek+aead"``.
        aad: Optional associated data passed to the AEAD and stored verbatim
            (unencrypted) in the envelope's payload.
        shared: Optional metadata copied (unencrypted) into the envelope.
        opts: Accepted for interface compatibility; not consulted here.

    Returns:
        A ``MultiRecipientEnvelope`` mapping holding the AEAD payload, one
        ``{"id", "header"}`` entry per recipient and ``"version": 1``.

    Raises:
        ValueError: on an unsupported ``mode``, ``payload_alg`` or
            ``recipient_alg``, or when ``recipients`` is empty.

    Note:
        ``_aead_encrypt`` is given only ``cek``, ``pt`` and ``aad``, so the
        recipient headers and ``shared`` are not covered by the AEAD tag
        unless the caller folds them into ``aad``; verifiers should not
        treat those fields as integrity-protected by this envelope alone.
    """
    # Resolve each selector to its default, then reject anything else in
    # the same order the checks are documented (mode, payload, recipient).
    mode = mode or "sealed_cek+aead"
    payload_alg = payload_alg or "AES-256-GCM"
    recipient_alg = recipient_alg or "OpenPGP-SEAL"

    if mode != "sealed_cek+aead":
        raise ValueError(
            "PGPSealedCekMreCrypto only supports mode='sealed_cek+aead'."
        )
    if payload_alg != "AES-256-GCM":
        raise ValueError("Unsupported payload_alg for PGPSealedCekMreCrypto.")
    if recipient_alg != "OpenPGP-SEAL":
        raise ValueError(
            "Unsupported recipient_alg for PGPSealedCekMreCrypto (expected 'OpenPGP-SEAL')."
        )
    if not recipients:
        raise ValueError("At least one recipient is required.")

    # One fresh 256-bit CEK per call; the payload is encrypted exactly once
    # and only the CEK is sealed per recipient.
    cek = os.urandom(32)
    nonce, ct, tag = _aead_encrypt(cek, pt, aad=aad)

    _ensure_pgpy()

    def _seal_cek(rec: KeyRef) -> Dict[str, Any]:
        # Wrap the raw CEK bytes in a PGPMessage and encrypt it to this
        # recipient's public key; the serialized message is the header.
        rid, pub = _load_pgpy_pubkey(rec)
        sealed = pub.encrypt(pgpy.PGPMessage.new(cek, file=False))
        return {"id": rid, "header": bytes(sealed.__bytes__())}

    rec_headers: List[Dict[str, Any]] = [_seal_cek(rec) for rec in recipients]

    payload: Dict[str, Any] = {
        "kind": "aead",
        "alg": payload_alg,
        "nonce": nonce,
        "ct": ct,
        "tag": tag,
        "aad": aad,
    }
    envelope: MultiRecipientEnvelope = {
        "mode": "sealed_cek+aead",
        "payload": payload,
        "recipient_alg": recipient_alg,
        "recipients": rec_headers,
        "shared": dict(shared) if shared else None,
        "version": 1,
    }
    return envelope